Security+ 701 Flashcards

1
Q

Which of the following threat actors is the most likely to be hired by a foreign government to attack
critical systems located in other countries?
A. Hacktivist
B. Whistleblower
C. Organized crime
D. Unskilled attacker

A

Answer: C
Explanation:
Organized crime is a type of threat actor that is motivated by financial gain and often operates across
national borders. Organized crime groups may be hired by foreign governments to conduct
cyberattacks on critical systems located in other countries, such as power grids, military networks, or
financial institutions. Organized crime groups have the resources, skills, and connections to carry out
sophisticated and persistent attacks that can cause significant damage and
disruption. Reference = Threat Actors - CompTIA Security+ SY0-701 - 2.1

2
Q

Which of the following is used to add extra complexity before using a one-way data transformation
algorithm?
A. Key stretching
B. Data masking
C. Steganography
D. Salting

A

Answer: D
Explanation:
Salting is the process of adding extra random data to a password or other data before applying a one-
way data transformation algorithm, such as a hash function. Salting increases the complexity and
randomness of the input data, making it harder for attackers to guess or crack the original data using
precomputed tables or brute force methods. Salting also helps prevent identical passwords from
producing identical hash values, which could reveal the passwords to attackers who have access to
the hashed data. Salting is commonly used to protect passwords stored in databases or transmitted
over networks. Reference =
Passwords technical overview
Encryption, hashing, salting – what’s the difference?
Salt (cryptography)

3
Q

An employee clicked a link in an email from a payment website that asked the employee to update
contact information. The employee entered the log-in information but received a “page not found”
error message. Which of the following types of social engineering attacks occurred?

A. Brand impersonation
B. Pretexting
C. Typosquatting
D. Phishing

A

Answer: D
Explanation:
Phishing is a type of social engineering attack that involves sending fraudulent emails that appear to
be from legitimate sources, such as payment websites, banks, or other trusted entities. The goal of
phishing is to trick the recipients into clicking on malicious links, opening malicious attachments, or
providing sensitive information, such as log-in credentials, personal data, or financial details. In this
scenario, the employee received an email from a payment website that asked the employee to
update contact information. The email contained a link that directed the employee to a fake website
that mimicked the appearance of the real one. The employee entered the log-in information, but
received a “page not found” error message. This indicates that the employee fell victim to a phishing
attack, and the attacker may have captured the employee’s credentials for the payment
website. Reference = Other Social Engineering Attacks – CompTIA Security+ SY0-701 – 2.2, CompTIA
Security+: Social Engineering Techniques & Other Attack … - NICCS, [CompTIA Sec

4
Q

An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound
DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the
following firewall ACLs will accomplish this goal?
A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
   Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53
B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
   Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
   Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53
D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
   Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

A

The correct answer is D because it allows only the device with the IP address 10.50.10.25 to send
outbound DNS requests on port 53, and denies all other devices from doing so. The other options are
incorrect because they either allow all devices to send outbound DNS requests (A and C), or they
allow no devices to send outbound DNS requests (B). Reference = You can learn more about firewall
ACLs and DNS in the following resources:
CompTIA Security+ SY0-701 Certification Study Guide, Chapter 4: Network Security
Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 3.2: Firewall Rules
TOTAL: CompTIA Security+ Cert (SY0-701) | Udemy, Section 6: Network Security, Lecture 28: Firewall Rules

5
Q

A data administrator is configuring authentication for a SaaS application and would like to reduce the
number of credentials employees need to maintain. The company prefers to use domain credentials
to access new SaaS applications. Which of the following methods would allow this functionality?
A. SSO
B. LEAP
C. MFA
D. PEAP

A

Answer: A
Explanation:
SSO stands for single sign-on, which is a method of authentication that allows users to access
multiple applications or services with one set of credentials. SSO reduces the number of credentials
employees need to maintain and simplifies the login process. SSO can also improve security by
reducing the risk of password reuse, phishing, and credential theft. SSO can be implemented using
various protocols, such as SAML, OAuth, OpenID Connect, and Kerberos, that enable the exchange of
authentication information between different domains or systems. SSO is commonly used for
accessing SaaS applications, such as Office 365, Google Workspace, Salesforce, and others, using
domain credentials.

6
Q

LEAP

A

Lightweight Extensible Authentication Protocol, a Cisco proprietary
protocol that provides authentication for wireless networks. LEAP is not related to SaaS applications
or domain credentials.

7
Q

MFA

A

Multi-factor authentication, a method of authentication that requires
users to provide two or more pieces of evidence to prove their identity. MFA can enhance security by
adding an extra layer of protection beyond passwords, such as tokens, biometrics, or codes. MFA is
not related to SaaS applications or domain credentials, but it can be used in conjunction with SSO.

8
Q

PEAP

A

Protected Extensible Authentication Protocol, a protocol that provides
secure authentication for wireless networks. PEAP uses TLS to create an encrypted tunnel between
the client and the server, and then uses another authentication method, such as MS-CHAPv2 or EAP-
GTC, to verify the user’s identity. PEAP is not related to SaaS applications or domain credentials.

9
Q

Which of the following scenarios describes a possible business email compromise attack?
A. An employee receives a gift card request in an email that has an executive’s name in the display
field of the email.
B. Employees who open an email attachment receive messages demanding payment in order to
access files.
C. A service desk employee receives an email from the HR director asking for log-in credentials to a
cloud administrator account.
D. An employee receives an email with a link to a phishing site that is designed to look like the
company’s email portal.

A

Answer: A

A business email compromise (BEC) attack is a type of phishing attack that targets employees who
have access to company funds or sensitive information. The attacker impersonates a trusted person,
such as an executive, a vendor, or a client, and requests a fraudulent payment, a wire transfer, or
confidential data. The attacker often uses social engineering techniques, such as urgency, pressure,
or familiarity, to convince the victim to comply with the request.

10
Q

A company prevented direct access from the database administrators’ workstations to the network
segment that contains database servers. Which of the following should a database administrator use
to access the database servers?

A. Jump server
B. RADIUS
C. HSM
D. Load balancer

A

Answer: A
Explanation:
A jump server is a device or virtual machine that acts as an intermediary between a user’s
workstation and a remote network segment. A jump server can be used to securely access servers or
devices that are not directly reachable from the user’s workstation, such as database servers. A jump
server can also provide audit logs and access control for the remote connections. A jump server is
also known as a jump box or a jump host.

11
Q

RADIUS

A

A protocol for authentication, authorization, and accounting of network access. RADIUS is
not a device or a method to access remote servers, but rather a way to verify the identity and
permissions of users or devices that request network access.

12
Q

HSM

A

Acronym for Hardware Security Module, a physical device that provides secure
storage and generation of cryptographic keys. HSMs are used to protect sensitive data and
applications, such as digital signatures, encryption, and authentication. HSMs are not used to access
remote servers, but rather to enhance the security of the data and applications that reside on
them.

13
Q

load balancer

A

A device or software that distributes network traffic across multiple servers or
devices, based on criteria such as availability, performance, or capacity. A load balancer can improve
the scalability, reliability, and efficiency of network services, such as web servers, application servers,
or database servers. A load balancer is not used to access remote servers, but rather to optimize the
delivery of the services that run on them.

14
Q

An organization’s internet-facing website was compromised when an attacker exploited a buffer
overflow. Which of the following should the organization deploy to best protect against similar
attacks in the future?
A. NGFW
B. WAF
C. TLS
D. SD-WAN

A

Answer: B
Explanation:
A buffer overflow is a type of software vulnerability that occurs when an application writes more
data to a memory buffer than it can hold, causing the excess data to overwrite adjacent memory
locations. This can lead to unexpected behavior, such as crashes, errors, or code execution. A buffer
overflow can be exploited by an attacker to inject malicious code or commands into the application,
which can compromise the security and functionality of the system. An organization’s internet-facing
website was compromised when an attacker exploited a buffer overflow. To best protect against
similar attacks in the future, the organization should deploy a web application firewall (WAF). A WAF
is a type of firewall that monitors and filters the traffic between a web application and the internet. A
WAF can detect and block common web attacks, such as buffer overflows, SQL injections, cross-site
scripting (XSS), and more. A WAF can also enforce security policies and rules, such as input
validation, output encoding, and encryption. A WAF can provide a layer of protection for the web
application, preventing attackers from exploiting its vulnerabilities and compromising its
data. Reference = Buffer Overflows – CompTIA Security+ SY0-701 – 2.3, Web Application Firewalls –
CompTIA Security+ SY0-701 – 2.4

15
Q

An administrator notices that several users are logging in from suspicious IP addresses. After
speaking with the users, the administrator determines that the employees were not logging in from
those IP addresses and resets the affected users’ passwords. Which of the following should the
administrator implement to prevent this type of attack from succeeding in the future?
A. Multifactor authentication
B. Permissions assignment
C. Access management
D. Password complexity

A

Answer: A
Explanation:
The correct answer is A because multifactor authentication (MFA) is a method of verifying a user’s
identity by requiring more than one factor, such as something the user knows (e.g., password),
something the user has (e.g., token), or something the user is (e.g., biometric). MFA can prevent
unauthorized access even if the user’s password is compromised, as the attacker would need to
provide another factor to log in. The other options are incorrect because they do not address the root
cause of the attack, which is weak authentication. Permissions assignment (B) is the process of
granting or denying access to resources based on the user’s role or identity. Access management (C) is
the process of controlling who can access what and under what conditions. Password complexity (D)
is the requirement of using strong passwords that are hard to guess or crack, but it does not prevent
an attacker from using a stolen password.

16
Q

An employee receives a text message that appears to have been sent by the payroll department and
is asking for credential verification. Which of the following social engineering techniques are being
attempted? (Choose two.)
A. Typosquatting
B. Phishing
C. Impersonation
D. Vishing
E. Smishing
F. Misinformation

A

Answer: B E
Explanation:
Smishing is a type of social engineering technique that uses text messages (SMS) to trick victims into
revealing sensitive information, clicking malicious links, or downloading malware. Smishing
messages often appear to come from legitimate sources, such as banks, government agencies, or
service providers, and use urgent or threatening language to persuade the recipients to take
action. In this scenario, the text message that claims to be from the payroll department is an
example of smishing.
Impersonation is a type of social engineering technique that involves pretending to be someone else,
such as an authority figure, a trusted person, or a colleague, to gain the trust or cooperation of the
target. Impersonation can be done through various channels, such as phone calls, emails, text
messages, or in-person visits, and can be used to obtain information, access, or money from the
victim. In this scenario, the text message that pretends to be from the payroll department is an
example of impersonation.

17
Q

Typosquatting

A

A type of cyberattack that involves registering domain names that are similar to
popular or well-known websites, but with intentional spelling errors or different extensions. Typosquatting aims to exploit the common mistakes that users make when typing web
addresses, and redirect them to malicious or fraudulent sites that may steal their information, install
malware, or display ads. Typosquatting is not related to text messages or credential verification.

18
Q

Misinformation

A

A type of social engineering technique that involves spreading false or
misleading information to influence the beliefs, opinions, or actions of the target. Misinformation
can be used to manipulate public perception, create confusion, damage reputation, or promote an
agenda. Misinformation is not related to text messages or credential verification.

19
Q

Several employees received a fraudulent text message from someone claiming to be the Chief
Executive Officer (CEO). The message stated:
“I’m in an airport right now with no access to email. I need you to buy gift cards for employee
recognition awards. Please send the gift cards to following email address.”
Which of the following are the best responses to this situation? (Choose two).
A. Cancel current employee recognition gift cards.
B. Add a smishing exercise to the annual company training.
C. Issue a general email warning to the company.
D. Have the CEO change phone numbers.
E. Conduct a forensic investigation on the CEO’s phone.
F. Implement mobile device management

A

Answer: B, C
Explanation:
This situation is an example of smishing, which is a type of phishing that uses text messages (SMS) to
entice individuals into providing personal or sensitive information to cybercriminals. The best
responses to this situation are to add a smishing exercise to the annual company training and to issue
a general email warning to the company. A smishing exercise can help raise awareness and educate
employees on how to recognize and avoid smishing attacks. An email warning can alert employees to
the fraudulent text message and remind them to verify the identity and legitimacy of any requests
for information or money.

20
Q

A company is required to use certified hardware when building networks. Which of the following
best addresses the risks associated with procuring counterfeit hardware?
A. A thorough analysis of the supply chain
B. A legally enforceable corporate acquisition policy
C. A right to audit clause in vendor contracts and SOWs
D. An in-depth penetration test of all suppliers and vendors

A

Answer: A
Explanation:
Counterfeit hardware is hardware that is built or modified without the authorization of the original
equipment manufacturer (OEM). It can pose serious risks to network quality, performance, safety,
and reliability. Counterfeit hardware can also contain malicious components that can compromise
the security of the network and the data that flows through it. To address the risks associated with
procuring counterfeit hardware, a company should conduct a thorough analysis of the supply chain,
which is the network of entities involved in the production, distribution, and delivery of the
hardware. By analyzing the supply chain, the company can verify the origin, authenticity, and
integrity of the hardware, and identify any potential sources of counterfeit or tampered products. A
thorough analysis of the supply chain can include the following steps:
Establishing a trusted relationship with the OEM and authorized resellers
Requesting documentation and certification of the hardware from the OEM or authorized resellers
Inspecting the hardware for any signs of tampering, such as mismatched labels, serial numbers, or
components
Testing the hardware for functionality, performance, and security
Implementing a tracking system to monitor the hardware throughout its lifecycle

21
Q

Which of the following provides the details about the terms of a test with a third-party penetration
tester?
A. Rules of engagement
B. Supply chain analysis
C. Right to audit clause
D. Due diligence

A

Rules of engagement are the detailed guidelines and constraints regarding the execution of
information security testing, such as penetration testing. They define the scope, objectives, methods,
and boundaries of the test, as well as the roles and responsibilities of the testers and the clients.
Rules of engagement help to ensure that the test is conducted in a legal, ethical, and professional
manner, and that the results are accurate and reliable. Rules of engagement typically include the
following elements:
The type and scope of the test, such as black box, white box, or gray box, and the target systems,
networks, applications, or data.
The client contact details and the communication channels for reporting issues, incidents, or
emergencies during the test.
The testing team credentials and the authorized tools and techniques that they can use.
The sensitive data handling and encryption requirements, such as how to store, transmit, or dispose
of any data obtained during the test.
The status meeting and report schedules, formats, and recipients, as well as the confidentiality and
non-disclosure agreements for the test results.
The timeline and duration of the test, and the hours of operation and testing windows.
The professional and ethical behavior expectations for the testers, such as avoiding unnecessary
damage, disruption, or disclosure of information

22
Q

Supply chain analysis

A

Supply chain analysis is the process of evaluating the security
and risk posture of the suppliers and partners in a business network.

23
Q

Right to audit clause

A

A provision in a contract that gives one party the right to audit another party to verify their compliance
with the contract terms and conditions.

24
Q

Due diligence

A

The process of identifying and addressing the
cyber risks that a potential vendor or partner brings to an organization.

25
Q

A penetration tester begins an engagement by performing port and service scans against the client
environment according to the rules of engagement. Which of the following reconnaissance types is
the tester performing?
A. Active
B. Passive
C. Defensive
D. Offensive

A

Answer: A
Explanation:
Active reconnaissance is a type of reconnaissance that involves sending packets or requests to a
target and analyzing the responses. Active reconnaissance can reveal information such as open ports,
services, operating systems, and vulnerabilities. However, active reconnaissance is also more likely to
be detected by the target or its security devices, such as firewalls or intrusion detection systems. Port
and service scans are examples of active reconnaissance techniques, as they involve probing the
target for specific information.

26
Q

Which of the following is required for an organization to properly manage its restore process in the
event of system failure?
A. IRP
B. DRP
C. RPO
D. SDLC

A

Answer: B
Explanation:
A disaster recovery plan (DRP) is a set of policies and procedures that aim to restore the normal
operations of an organization in the event of a system failure, natural disaster, or other emergency. A
DRP typically includes the following elements:
A risk assessment that identifies the potential threats and impacts to the organization’s critical assets
and processes.
A business impact analysis that prioritizes the recovery of the most essential functions and data.
A recovery strategy that defines the roles and responsibilities of the recovery team, the resources
and tools needed, and the steps to follow to restore the system.
A testing and maintenance plan that ensures the DRP is updated and validated regularly.
A DRP is required for an organization to properly manage its restore process in the event of system
failure, as it provides a clear and structured framework for recovering from a disaster and minimizing
the downtime and data loss.

27
Q

DRP

A

A disaster recovery plan (DRP) is a set of policies and procedures that aim to restore the normal
operations of an organization in the event of a system failure, natural disaster, or other emergency.

28
Q

Which of the following vulnerabilities is associated with installing software outside of a
manufacturer’s approved software repository?
A. Jailbreaking
B. Memory injection
C. Resource reuse
D. Side loading

A

Answer: D
Explanation:
Side loading is the process of installing software outside of a manufacturer’s approved software
repository. This can expose the device to potential vulnerabilities, such as malware, spyware, or
unauthorized access. Side loading can also bypass security controls and policies that are enforced by
the manufacturer or the organization. Side loading is often done by users who want to access
applications or features that are not available or allowed on their devices.

29
Q

A security analyst is reviewing the following logs:
Which of the following attacks is most likely occurring?
A. Password spraying
B. Account forgery
C. Pass-the-hash
D. Brute-force

A

Answer: A
Explanation:
Password spraying is a type of brute force attack that tries common passwords across several
accounts to find a match. It is a mass trial-and-error approach that can bypass account lockout
protocols. It can give hackers access to personal or business accounts and information. It is not a
targeted attack, but a high-volume attack tactic that uses a dictionary or a list of popular or weak
passwords.
The logs show that the attacker is using the same password (“password123”) to attempt to log in to
different accounts (“admin”, “user1”, “user2”, etc.) on the same web server. This is a typical pattern
of password spraying, as the attacker is hoping that at least one of the accounts has a weak password
that matches the one they are trying.

30
Q

Pass-the-hash

A

Pass-the-hash involves stealing a hashed user credential and
using it to create a new authenticated session on the same network. Pass-the-hash does not require
the attacker to know or crack the password, as they use the stored version of the password to initiate
a new session.

31
Q

An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of
the following would be most relevant for the analyst to evaluate?
A. Secured zones
B. Subject role
C. Adaptive identity
D. Threat scope reduction

A

Answer: D
Explanation:
The data plane, also known as the forwarding plane, is the part of the network that carries user
traffic and data. It is responsible for moving packets from one device to another based on the routing
and switching decisions made by the control plane. The data plane is a critical component of the Zero
Trust architecture, as it is where most of the attacks and breaches occur. Therefore, implementing
Zero Trust principles within the data plane can help to improve the security and resilience of the
network.
One of the key principles of Zero Trust is to assume breach and minimize the blast radius and
segment access. This means that the network should be divided into smaller and isolated segments
or zones, each with its own security policies and controls. This way, if one segment is compromised,
the attacker cannot easily move laterally to other segments and access more resources or data. This
principle is also known as threat scope reduction, as it reduces the scope and impact of a potential
threat.

32
Q

Secured zones

A

A concept related to the control plane, which is the part of the network that makes routing and
switching decisions.

33
Q

Subject role

A

A concept related to the identity plane, which is the part of the
network that authenticates and authorizes users and devices.

34
Q

Adaptive identity

A

A concept related
to the policy plane, which is the part of the network that defines and enforces the security policies
and rules.

35
Q

An engineer needs to find a solution that creates an added layer of security by preventing
unauthorized access to internal company resources. Which of the following would be the best
solution?

A. RDP server
B. Jump server
C. Proxy server
D. Hypervisor

A

Answer: B
Explanation:
A jump server is a server that acts as an intermediary between a user and a target system. A jump
server can provide an added layer of security by preventing unauthorized access to internal company
resources. A user can connect to the jump server using a secure protocol, such as SSH, and then
access the target system from the jump server. This way, the target system is isolated from the
external network and only accessible through the jump server. A jump server can also enforce
security policies, such as authentication, authorization, logging, and auditing, on the user’s
connection. A jump server is also known as a bastion host or a jump box.

36
Q

A company’s web filter is configured to scan the URL for strings and deny access when matches are
found. Which of the following search strings should an analyst employ to prohibit access to non-
encrypted websites?
A. encryption=off
B. http://
C. www.*.com
D. :443

A

Answer: B
Explanation:
A web filter is a device or software that can monitor, block, or allow web traffic based on predefined
rules or policies. One of the common methods of web filtering is to scan the URL for strings and deny
access when matches are found. For example, a web filter can block access to websites that contain
the words “gambling”, “porn”, or “malware” in their URLs. A URL is a uniform resource locator that
identifies the location and protocol of a web resource. A URL typically consists of the following
components: protocol://domain:port/path?query#fragment. The protocol specifies the
communication method used to access the web resource, such as HTTP, HTTPS, FTP, or SMTP. The
domain is the name of the web server that hosts the web resource, such as www.google.com or
www.bing.com. The port is an optional number that identifies the specific service or application
running on the web server, such as 80 for HTTP or 443 for HTTPS. The path is the specific folder or file
name of the web resource, such as /index.html or /images/logo.png. The query is an optional string
that contains additional information or parameters for the web resource, such as ?q=security or
?lang=en. The fragment is an optional string that identifies a specific part or section of the web
resource, such as #introduction or #summary.
To prohibit access to non-encrypted websites, an analyst should employ a search string that matches
the protocol of non-encrypted web traffic, which is HTTP. HTTP stands for hypertext transfer protocol,
and it is a standard protocol for transferring data between web servers and web browsers. However,
HTTP does not provide any encryption or security for the data, which means that anyone who
intercepts the web traffic can read or modify the data. Therefore, non-encrypted websites are
vulnerable to eavesdropping, tampering, or spoofing attacks. To access a non-encrypted website, the
URL usually starts with http://, followed by the domain name and optionally the port number. For
example, http://www.example.com or http://www.example.com:80. By scanning the URL for the
string http://, the web filter can identify and block non-encrypted websites.

37
Q

During a security incident, the security operations team identified sustained network traffic from a
malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP
address from accessing
the organization’s network. Which of the following fulfills this request?
A. access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32
B. access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
C. access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0
D. access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32

A

Answer: B
Explanation:
A firewall rule is a set of criteria that determines whether to allow or deny a packet to pass through
the firewall. A firewall rule consists of several elements, such as the action, the protocol, the source
address, the destination address, and the port number. The syntax of a firewall rule varies with the
type and vendor of the firewall, but the basic logic is the same. In this question, the security analyst
is creating an inbound firewall rule to block the IP address 10.1.4.9 from accessing the organization's
network. This means that the action should be deny, the protocol should be ip (any IP protocol), the
source address should be 10.1.4.9/32 (a single host), the destination address should be 0.0.0.0/0
(any address), and the port should be any. Options A and D match 10.1.4.9 as the destination, which
is backwards for inbound traffic coming from that address, and option C permits rather than denies.
Therefore, the correct firewall rule is:
access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
Because access lists are evaluated top down and the first matching entry wins, this deny must sit
above any broader permit entry, or the permit will match first and the block will never take effect.
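The first-match logic behind the answer, as an added example that is not from the original page: the Python below parses the four candidate rules into source and destination networks, evaluates an inbound packet from 10.1.4.9 and one from a legitimate client against each option followed by a permit-any entry, and shows that only option B drops the attacker while still passing normal traffic. The client address 203.0.113.7, the internal host 192.168.10.5, the trailing permit-any rule and the implicit deny at the end of the list are assumptions of the example, not facts from the question.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    protocol: str                        # "ip" matches any IP protocol
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


def parse_rule(text):
    """Parse 'access-list inbound <action> <proto> source <net> destination <net>'."""
    tokens = text.split()
    if (tokens[:2] != ["access-list", "inbound"] or len(tokens) != 8
            or tokens[4] != "source" or tokens[6] != "destination"):
        raise ValueError(f"unrecognised rule syntax: {text}")
    return Rule(
        action=tokens[2],
        protocol=tokens[3],
        source=ipaddress.ip_network(tokens[5]),
        destination=ipaddress.ip_network(tokens[7]),
    )


def evaluate(rules, src, dst, protocol="tcp"):
    """Top-down, first-match evaluation with an implicit deny at the end."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.protocol not in ("ip", protocol):
            continue
        if src_ip in rule.source and dst_ip in rule.destination:
            return rule.action
    return "deny"  # implicit deny: nothing matched


OPTIONS = {
    "A": "access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32",
    "B": "access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0",
    "C": "access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0",
    "D": "access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32",
}

# Constructed traffic for the example: the malicious host from the question
# and a legitimate client, both reaching an assumed internal host.
ATTACKER, CLIENT, INTERNAL_HOST = "10.1.4.9", "203.0.113.7", "192.168.10.5"
# Assumed catch-all entry placed after the candidate rule, as a real list would have.
PERMIT_REST = "access-list inbound permit ip source 0.0.0.0/0 destination 0.0.0.0/0"


def blocks_attacker_only(option):
    """True when the option drops the attacker but still lets the client through."""
    rules = [parse_rule(OPTIONS[option]), parse_rule(PERMIT_REST)]
    attacker = evaluate(rules, ATTACKER, INTERNAL_HOST)
    client = evaluate(rules, CLIENT, INTERNAL_HOST)
    return attacker == "deny" and client == "permit"


if __name__ == "__main__":
    for letter in OPTIONS:
        print(letter, "fulfils the request" if blocks_attacker_only(letter) else "does not")
```

Options A and D never match the attacker's packet at all, because its destination is the internal host rather than 10.1.4.9, so the packet falls through to the permit-any entry; option C matches it but permits it. Only B denies the attacker and leaves everything else to the rules below it.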

38
Q

A company needs to provide administrative access to internal resources while minimizing the traffic
allowed through the security boundary. Which of the following methods is most secure?
A. Implementing a bastion host
B. Deploying a perimeter network
C. Installing a WAF
D. Utilizing single sign-on

A

Answer: A
Explanation:
A bastion host is a special-purpose server that is designed to withstand attacks and provide secure
access to internal resources. A bastion host is usually placed on the edge of a network, acting as a
gateway or proxy to the internal network. A bastion host can be configured to allow only certain
types of traffic, such as SSH or HTTP, and block all other traffic. A bastion host can also run security
software such as firewalls, intrusion detection systems, and antivirus programs to monitor and filter
incoming and outgoing traffic. A bastion host can provide administrative access to internal resources
by requiring strong authentication and encryption, and by logging all activities for auditing
purposes.
A bastion host is the most secure method among the given options because it minimizes the traffic
allowed through the security boundary and provides a single point of control and defense. A bastion
host can also isolate the internal network from direct exposure to the internet or other untrusted
networks, reducing the attack surface and the risk of compromise.

39
Q

Deploying a perimeter network

A

A perimeter network (DMZ) is a network segment that separates the internal network from the
external network. A perimeter network usually hosts public-facing services such as web servers, email
servers, or DNS servers that need to be accessible from the internet. A perimeter network does not by
itself provide administrative access to internal resources, but rather protects them from
unauthorized access. A perimeter network can also increase the complexity and cost of network
management and security.

40
Q

WAF

A

A WAF is a security tool that protects web applications from common web-based attacks by
monitoring, filtering, and blocking HTTP traffic. A WAF can prevent attacks such as cross-site
scripting, SQL injection, or file inclusion, among others. A WAF does not provide administrative
access to internal resources, but rather protects them from web application vulnerabilities. A WAF is
also not a comprehensive solution for network security, as it only operates at the application layer
and does not protect against other types of attacks or threats.

41
Q

A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic
coming from an employee’s corporate laptop. The security analyst has determined that additional
data about the executable running on the machine is necessary to continue the investigation. Which
of the following logs should the analyst use as a data source?
A. Application
B. IPS/IDS
C. Network
D. Endpoint

A

Answer: D
Explanation:
An endpoint log is a file that contains information about the activities and events that occur on an
end-user device, such as a laptop, desktop, tablet, or smartphone. Endpoint logs can provide
valuable data for security analysts, such as the processes running on the device, the network
connections established, the files accessed or modified, the user actions performed, and the
applications installed or updated. Endpoint logs can also record the details of any executable files
running on the device, such as the name, path, size, hash, signature, and permissions of the
executable
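An added example, not part of the original flashcard, of what the analyst does with the endpoint log: starting from the SIEM alert's destination IP, pivot through the laptop's network-connection events to the process that made the connection and pull out the executable's path, hash, signer status and parent process. The JSON event lines, host name, IPs and hash values are constructed for the example, and the field names follow the general shape of EDR or Sysmon output rather than any specific product's schema.

```python
import json
from collections import defaultdict

# Constructed SIEM alert: the network side only knows the host and the destination.
SIEM_ALERT = {"host": "LAPTOP-0042", "dest_ip": "198.51.100.23", "dest_port": 443}

# Constructed endpoint log lines (process-creation and network-connection events).
# Hashes are shortened placeholders, not real file digests.
ENDPOINT_LOG = r"""
{"event": "process_create", "pid": 4120, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "sha256": "3b1f0c9a77e4d2c5", "signed": false, "parent_image": "C:\\Program Files\\Mail\\mail.exe", "user": "CORP\\jdoe"}
{"event": "process_create", "pid": 5210, "image": "C:\\Program Files\\Browser\\browser.exe", "sha256": "0a9b8c7d6e5f4a3b", "signed": true, "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\jdoe"}
{"event": "network_connect", "pid": 5210, "dest_ip": "203.0.113.10", "dest_port": 443}
{"event": "network_connect", "pid": 4120, "dest_ip": "198.51.100.23", "dest_port": 443}
{"event": "network_connect", "pid": 4120, "dest_ip": "198.51.100.23", "dest_port": 443}
"""


def parse_events(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def attribute_connection(events, dest_ip):
    """Map a destination IP back to the process(es) that connected to it."""
    processes = {e["pid"]: e for e in events if e["event"] == "process_create"}
    hits = defaultdict(int)
    for e in events:
        if e["event"] == "network_connect" and e["dest_ip"] == dest_ip:
            hits[e["pid"]] += 1
    return [
        {
            "pid": pid,
            "image": processes[pid]["image"],
            "sha256": processes[pid]["sha256"],
            "signed": processes[pid]["signed"],
            "parent_image": processes[pid]["parent_image"],
            "connections": count,
        }
        for pid, count in hits.items()
    ]


def suspicious(finding):
    """Simple triage: unsigned binary executing from a user-writable temp directory."""
    return (not finding["signed"]) and "\\AppData\\Local\\Temp\\" in finding["image"]


if __name__ == "__main__":
    for f in attribute_connection(parse_events(ENDPOINT_LOG), SIEM_ALERT["dest_ip"]):
        print(f, "SUSPICIOUS" if suspicious(f) else "")
```

The network and IDS sources would have stopped at the IP and port; the endpoint log is what ties the traffic to a specific unsigned executable, its hash for threat-intelligence lookup, and the mail client that spawned it.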

42
Q

application log

A

An application log is a file that contains information about the events that occur within a software
application, such as errors, warnings, transactions, or performance metrics. Application logs can help
developers and administrators troubleshoot issues, optimize performance, and monitor user
behavior. However, application logs may not provide enough information about the executable files
running on the device, especially if they are malicious or unknown.

43
Q

IPS/IDS log

A

An IPS/IDS log is a file that contains information about the network traffic that is monitored and
analyzed by an intrusion prevention system (IPS) or an intrusion detection system (IDS). IPS/IDS logs
can help security analysts identify and block potential attacks, such as exploit attempts, denial-of-
service (DoS) attacks, or malicious scans. However, IPS/IDS logs may not provide enough information
about the executable files running on the device, especially if the traffic is encrypted, obfuscated, or
carried over legitimate protocols.

44
Q

network log

A

A network log is a file that contains information about the network activity and communication that
occurs between devices, such as IP addresses, ports, protocols, packets, or bytes. Network logs can
help security analysts understand the network topology, traffic patterns, and bandwidth usage.
However, network logs may not provide enough information about the executable files running on
the device, especially if the traffic is hidden, spoofed, or routed through proxy servers.

45
Q

A cyber operations team informs a security analyst about a new tactic malicious actors are using to
compromise networks.
SIEM alerts have not yet been configured. Which of the following best describes what the security
analyst should do to identify this behavior?

A. Digital forensics
B. E-discovery
C. Incident response
D. Threat hunting

A

Answer: D
Explanation:
Threat hunting is the process of proactively searching for signs of malicious activity or compromise in
a network, rather than waiting for alerts or indicators of compromise (IOCs) to appear. Threat
hunting can help identify new tactics, techniques, and procedures (TTPs) used by malicious actors, as
well as uncover hidden or stealthy threats that may have evaded detection by security tools. Threat
hunting requires a combination of skills, tools, and methodologies, such as hypothesis generation,
data collection and analysis, threat intelligence, and incident response. Threat hunting can also help
improve the security posture of an organization by providing feedback and recommendations for
security improvements.

46
Q

A company purchased cyber insurance to address items listed on the risk register. Which of the
following strategies does this represent?
A. Accept
B. Transfer
C. Mitigate
D. Avoid

A

Answer: B

Explanation:
Cyber insurance is a type of insurance that covers the financial losses and liabilities that result from
cyberattacks, such as data breaches, ransomware, denial-of-service, phishing, or malware. Cyber
insurance can help a company recover from the costs of restoring data, repairing systems, paying
ransoms, compensating customers, or facing legal actions. Buying insurance shifts the financial
impact of a risk to a third party without reducing the likelihood of the event itself, which is the
transfer strategy. A risk register is a document that records the identified risks, their probability,
impact, and response strategies for a project or an organization.

47
Q

Accept risk response strategy:

A

The company acknowledges the risk and decides to accept the consequences without taking
any action to reduce or eliminate the risk. This strategy is usually chosen when the risk is low or the
cost of mitigation is too high.

48
Q

Mitigate risk response strategy:

A

The company implements controls or measures to reduce the likelihood or impact of the
risk. This strategy is usually chosen when the risk is moderate or the cost of mitigation is reasonable

49
Q

Avoid risk response strategy:

A

The company eliminates the risk by changing the scope, plan, or design of the project or the
organization. This strategy is usually chosen when the risk is unacceptable or the cost of mitigation is
too high

50
Q

A security administrator would like to protect data on employees’ laptops. Which of the following
encryption techniques should the security administrator use?
A. Partition
B. Asymmetric
C. Full disk
D. Database

A

Answer: C
Explanation:
Full disk encryption (FDE) is a technique that encrypts all the data on a hard drive, including the
operating system, applications, and files. FDE protects the data from unauthorized access in case the
laptop is lost, stolen, or disposed of without proper sanitization. FDE requires the user to enter a
password, a PIN, a smart card, or a biometric factor to unlock the drive and boot the system. FDE can
be implemented in software, such as BitLocker, FileVault, or VeraCrypt, or in hardware, such as
self-encrypting drives (SEDs); a Trusted Platform Module (TPM) is commonly used alongside either to
protect the volume key and bind it to the device's boot state. FDE is a recommended encryption
technique for laptops and other mobile devices that store sensitive data.

51
Q

Partition encryption

A

Partition encryption is a technique that encrypts only a specific partition or volume on a hard drive,
leaving the rest of the drive unencrypted. Partition encryption is less secure than FDE, as it does not
protect the entire drive and may leave traces of data (swap, temporary files, hibernation data) on
unencrypted areas. It can also be less convenient than FDE, as the encrypted partition may need to
be mounted and unmounted manually.

52
Q

Asymmetric encryption

A

Asymmetric encryption is a technique that uses a pair of keys, one public and one private, to encrypt
and decrypt data. Asymmetric encryption is mainly used for securing communication and exchanging
keys, such as for email, web, or VPN, rather than for encrypting bulk data at rest. Asymmetric
encryption is also slower and more computationally intensive than symmetric encryption, which is
what FDE and partition encryption use for the bulk of the data.

53
Q

Database encryption

A

Database encryption is a technique that encrypts data stored in a database, such as tables, columns,
rows, or cells. Database encryption can be done at the application level, the database level, or the
file system level. Database encryption is useful for protecting the data inside a database from
unauthorized access by database administrators, attackers, or malware, but it covers only the
database, not the other files on a laptop, so it does not address loss or theft of the whole device.

54
Q

Which of the following security control types does an acceptable use policy best represent?
A. Detective
B. Compensating
C. Corrective
D. Preventive

A

Answer: D
Explanation:
An acceptable use policy (AUP) is a set of rules that govern how users can access and use a corporate
network or the internet. The AUP helps companies minimize their exposure to cyber security threats
and limit other risks. The AUP also serves as a notice to users about what they are not allowed to do
and protects the company against misuse of their network. Users usually have to acknowledge that
they understand and agree to the rules before accessing the network.
An AUP best represents a preventive security control type, because it aims to deter or stop potential
security incidents from occurring in the first place. A preventive control is proactive and anticipates
possible threats and vulnerabilities, and implements measures to prevent them from exploiting or
harming the system or the data. A preventive control can be physical, technical, or administrative in
nature.
Some examples of preventive controls are:
Locks, fences, or guards that prevent unauthorized physical access to a facility or a device
Firewalls, antivirus software, or encryption that prevent unauthorized logical access to a network or a
system
Policies, procedures, or training that prevent unauthorized or inappropriate actions or behaviors by
users or employees
An AUP is an example of an administrative preventive control, because it defines the policies and
procedures that users must follow to ensure the security and proper use of the network and the IT
resources. An AUP can prevent users from engaging in activities that could compromise the security,
performance, or availability of the network or the system, such as:
Downloading or installing unauthorized or malicious software
Accessing or sharing sensitive or confidential information without authorization or encryption
Using the network or the system for personal, illegal, or unethical purposes
Bypassing or disabling security controls or mechanisms
Connecting unsecured or unapproved devices to the network
By enforcing an AUP, a company can prevent or reduce the likelihood of security breaches, data loss,
legal liability, or reputational damage caused by user actions or inactions.

55
Q

An IT manager informs the entire help desk staff that only the IT manager and the help desk lead will
have access to the administrator console of the help desk software. Which of the following security
techniques is the IT manager setting up?
A. Hardening
B. Employee monitoring
C. Configuration enforcement
D. Least privilege

A

Answer: D
Explanation:
The principle of least privilege is a security concept that limits access to resources to the minimum
level needed for a user, a program, or a device to perform a legitimate function. It is a cybersecurity
best practice that protects high-value data and assets from compromise or insider threat. Least
privilege can be applied at different layers of a computing environment, such as user accounts,
processes, systems, or connected devices.
In this scenario, the IT manager is setting up the principle of least privilege by restricting access to
the administrator console of the help desk software to only two authorized users: the IT manager
and the help desk lead. This way, the IT manager can prevent unauthorized or accidental changes to
the software configuration, data, or functionality by other help desk staff. The other help desk staff
will only have access to the normal user interface of the software, which is sufficient for them to
perform their job functions

56
Q

Hardening

A

Hardening is the process of securing a system by reducing its attack surface, such as by removing
unnecessary software, changing default passwords, disabling unnecessary services, or applying
patches. It concerns the configuration of the system itself rather than who is allowed to use it.

57
Q

Employee monitoring

A

Employee monitoring is the surveillance of workers' activity, such as by tracking web browsing,
application use, keystrokes, or screenshots. It observes what users do rather than restricting what
they can access.

58
Q

Configuration enforcement

A

Configuration enforcement is the process of ensuring that a system adheres to a predefined set of
security settings, such as by applying a patch, a policy, or a template, and reverting unauthorized
changes.

59
Q

Which of the following is the most likely to be used to document risks, responsible parties, and
thresholds?
A. Risk tolerance
B. Risk transfer
C. Risk register
D. Risk analysis

A

Answer: C
Explanation:
A risk register is a document that records and tracks the risks associated with a project, system, or
organization. A risk register typically includes information such as the risk description, the risk owner,
the risk probability, the risk impact, the risk level, the risk response strategy, and the risk status. A
risk register can help identify, assess, prioritize, monitor, and control risks, as well as communicate
them to relevant stakeholders. A risk register can also help document the risk tolerance and
thresholds of an organization, which are the acceptable levels of risk exposure and the criteria for
escalating or mitigating risks.

60
Q

Which of the following should a security administrator adhere to when setting up a new set of
firewall rules?
A. Disaster recovery plan
B. Incident response procedure
C. Business continuity plan
D. Change management procedure

A

Answer: D
Explanation:
A change management procedure is a set of steps and guidelines that a security administrator should
adhere to when setting up a new set of firewall rules. A firewall is a device or software that can filter,
block, or allow network traffic based on predefined rules or policies. A firewall rule is a statement
that defines the criteria and action for a firewall to apply to a packet or a connection. For example, a
firewall rule can allow or deny traffic based on the source and destination IP addresses, ports,
protocols, or applications. Setting up a new set of firewall rules is a type of change that can affect the
security, performance, and functionality of the network. Therefore, a change management
procedure is necessary to ensure that the change is planned, tested, approved, implemented,
documented, and reviewed in a controlled and consistent manner. A change management procedure
typically includes the following elements

61
Q

business continuity plan

A

A business continuity plan is a set of strategies and actions that aim to maintain the essential
functions and operations of an organization during and after a disruptive event, such as a pandemic,
power outage, or civil unrest.

62
Q

A company is expanding its threat surface program and allowing individuals to security test the
company’s internet-facing application. The company will compensate researchers based on the
vulnerabilities discovered. Which of the following best describes the program the company is setting
up?
A. Open-source intelligence
B. Bug bounty
C. Red team
D. Penetration testing

A

Answer: B
Explanation:
A bug bounty is a program that rewards security researchers for finding and reporting vulnerabilities
in an application or system. Bug bounties are often used by companies to improve their security
posture and incentivize ethical hacking. A bug bounty program typically defines the scope, rules, and
compensation for the researchers.

63
Q

Which of the following threat actors is the most likely to use large financial resources to attack critical
systems located in other countries?
A. Insider
B. Unskilled attacker
C. Nation-state
D. Hacktivist

A

Answer: C
Explanation:
A nation-state is a threat actor that is sponsored by a government or a political entity to conduct
cyberattacks against other countries or organizations. Nation-states have large financial resources,
advanced technical skills, and strategic objectives that may target critical systems such as military,
energy, or infrastructure

64
Q

Which of the following enables the use of an input field to run commands that can view or
manipulate data?
A. Cross-site scripting
B. Side loading
C. Buffer overflow
D. SQL injection

A

Answer: D
Explanation:
SQL injection is a type of attack that enables the use of an input field to run commands that can
view or manipulate data in a database. SQL stands for Structured Query Language, which is a
language used to communicate with databases. By injecting malicious SQL statements into an input
field, an attacker can bypass authentication, access sensitive information, modify or delete data, or
execute commands on the server. SQL injection is one of the most common and dangerous web
application vulnerabilities.
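An added example, not code from the original flashcard, showing the mechanism in a runnable form: a login check that concatenates the form fields into the SQL string, the classic bypass input that turns the WHERE clause true for every row, and the parameterised version of the same query that treats the input as data. The in-memory SQLite database and its two user rows are constructed for the example.

```python
import sqlite3


def build_db():
    """In-memory users table with constructed rows (example data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The input fields are concatenated straight into the query text: injectable."""
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values, so they are never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Classic authentication-bypass input. In the vulnerable query it yields
#   ... AND password = '' OR '1'='1'
# and since AND binds tighter than OR, the OR '1'='1' is true for every row.
BYPASS = "' OR '1'='1"

# Comment-based variant in the username field: everything after -- is ignored,
# so the password check disappears from the statement entirely.
COMMENT_BYPASS = "' OR 1=1 --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bypass payload :", login_vulnerable(db, "alice", BYPASS))
    print("vulnerable, comment payload:", login_vulnerable(db, COMMENT_BYPASS, "x"))
    print("safe, bypass payload       :", login_safe(db, "alice", BYPASS))
```

The same payload that returns every account from the vulnerable function returns nothing from the parameterised one, which is the fix a reviewer should ask for: bind parameters, not input filtering, is what separates data from query structure.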

65
Q

Employees in the research and development business unit receive extensive training to ensure they
understand how to best protect company data. Which of the following is the type of data these
employees are most likely to use in day-to-day work activities?
A. Encrypted
B. Intellectual property
C. Critical
D. Data in transit

A

Answer: B
Explanation:
Intellectual property is a type of data that consists of ideas, inventions, designs, or other creative
works that have commercial value and are protected by law. Employees in the research and
development business unit are most likely to use intellectual property data in their day-to-day work
activities, as they are involved in creating new products or services for the company. Intellectual
property data needs to be protected from unauthorized use, disclosure, or theft, as it can give the
company a competitive advantage in the market. Therefore, these employees receive extensive
training to ensure they understand how to best protect this type of data

66
Q

A company has begun labeling all laptops with asset inventory stickers and associating them with
employee IDs. Which of the following security benefits do these actions provide? (Choose two.)

A. If a security incident occurs on the device, the correct employee can be notified.
B. The security team will be able to send user awareness training to the appropriate device.
C. Users can be mapped to their devices when configuring software MFA tokens.
D. User-based firewall policies can be correctly targeted to the appropriate laptops.
E. When conducting penetration testing, the security team will be able to target the desired laptops.
F. Company data can be accounted for when the employee leaves the organization.

A

Answer: A, F
Explanation:
Labeling all laptops with asset inventory stickers and associating them with employee IDs can
provide several security benefits for a company. Two of these benefits are:
A . If a security incident occurs on the device, the correct employee can be notified. An asset
inventory sticker is a label that contains a unique identifier for a laptop, such as a serial number, a
barcode, or a QR code. By associating this identifier with an employee ID, the security team can
easily track and locate the owner of the laptop in case of a security incident, such as a malware
infection, a data breach, or a theft. This way, the security team can notify the correct employee about
the incident, and provide them with the necessary instructions or actions to take, such as changing
passwords, scanning for viruses, or reporting the loss. This can help to contain the incident, minimize
the damage, and prevent further escalation.
F . Company data can be accounted for when the employee leaves the organization. When an
employee leaves the organization, the company needs to ensure that all the company data and
assets are returned or deleted from the employee’s laptop. By labeling the laptop with an asset
inventory sticker and associating it with an employee ID, the company can easily identify and verify
the laptop that belongs to the departing employee, and perform the appropriate data backup, wipe,
or transfer procedures. This can help to protect the company data from unauthorized access,
disclosure, or misuse by the former employee or any other party.

67
Q

A technician wants to improve the situational and environmental awareness of existing users as they
transition from remote to in-office work. Which of the following is the best option?
A. Send out periodic security reminders.
B. Update the content of new hire documentation.
C. Modify the content of recurring training.
D. Implement a phishing campaign.

A

Answer: C
Explanation:
Recurring training is a type of security awareness training that is conducted periodically to refresh
and update the knowledge and skills of the users. Recurring training can help improve the situational
and environmental awareness of existing users as they transition from remote to in-office work, as it
can cover the latest threats, best practices, and policies that are relevant to their work environment.
Modifying the content of recurring training can ensure that the users are aware of the current
security landscape and the expectations of their roles.

68
Q

A newly appointed board member with cybersecurity knowledge wants the board of directors to
receive a quarterly report detailing the number of incidents that impacted the organization. The
systems administrator is creating a way to present the data to the board of directors. Which of the
following should the systems administrator use?
A. Packet captures
B. Vulnerability scans
C. Metadata
D. Dashboard

A

Answer: D
Explanation:
A dashboard is a graphical user interface that provides a visual representation of key performance
indicators, metrics, and trends related to security events and incidents. A dashboard can help the
board of directors to understand the number and impact of incidents that affected the organization
in a given period, as well as the status and effectiveness of the security controls and processes. A
dashboard can also allow the board of directors to drill down into specific details or filter the data by
various criteria.

69
Q

packet capture

A

A packet capture is a method of capturing and analyzing the network traffic that passes through a
device or a network segment. A packet capture can provide detailed information about the source,
destination, protocol, and content of each packet, but it is not a suitable way to present a summary
of incidents to the board of directors.

70
Q

vulnerability scan

A

A vulnerability scan is a process of identifying and assessing the weaknesses and exposures in a
system or a network that could be exploited by attackers. A vulnerability scan can help the
organization to prioritize and remediate the risks and improve the security posture, but it is not a
relevant way to report the number of incidents that occurred in a quarter.

71
Q

Metadata

A

Metadata is data that describes other data, such as its format, origin, structure, or context. Metadata
can provide useful information about the characteristics and properties of data, but it is not a
meaningful way to communicate the impact and frequency of incidents to the board of
directors

72
Q

A systems administrator receives the following alert from a file integrity monitoring tool:
The hash of the cmd.exe file has changed.
The systems administrator checks the OS logs and notices that no patches were applied in the last
two months. Which of the following most likely occurred?
A. The end user changed the file permissions.
B. A cryptographic collision was detected.
C. A snapshot of the file system was taken.
D. A rootkit was deployed.

A

Answer: D
Explanation:
A rootkit is a type of malware that modifies or replaces system files or processes to hide its presence
and activity. Replacing cmd.exe, the Windows command-line interpreter, with a trojaned copy changes
the file's hash, which is exactly what the file integrity monitoring tool reported; since no patches
were applied in the last two months, there is no legitimate explanation for the change. A rootkit can
also grant the attacker remote access and control over the infected system, as well as perform
malicious actions such as stealing data, installing backdoors, or launching attacks on other systems.
Rootkits are among the most difficult types of malware to remove: they persist across reboots, and
firmware- or boot-level variants can survive an OS reinstall. Of the other options, changing file
permissions (A) does not alter the file's contents or hash, a collision (B) in a modern hash function is
not a realistic explanation, and taking a file system snapshot (C) does not modify the file.
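An added example, not part of the original flashcard, of the check a file integrity monitoring tool performs: record a baseline hash for each monitored file, re-hash later, and report any file whose contents changed or that disappeared. The scenario is constructed in a temporary directory with stand-in files named cmd.exe and notepad.exe; it also changes only the permissions of the second file to show that a permissions change (option A in the question) leaves the hash untouched.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record the hash of each monitored file from a known-good state."""
    return {p: sha256_file(p) for p in paths}


def check_integrity(baseline):
    """Re-hash every monitored file and report what changed or went missing."""
    findings = []
    for path, known in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_file(path) != known:
            findings.append((path, "hash changed"))
    return findings


def demo():
    """Constructed scenario: a stand-in 'cmd.exe' is replaced with no patch applied."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "cmd.exe")
        untouched = os.path.join(d, "notepad.exe")
        with open(target, "wb") as f:
            f.write(b"original interpreter bytes")   # constructed stand-in content
        with open(untouched, "wb") as f:
            f.write(b"original editor bytes")
        baseline = take_baseline([target, untouched])

        # Attacker swaps the binary for a same-size trojaned copy: size and name are
        # unchanged, only the contents (and therefore the hash) differ.
        with open(target, "wb") as f:
            f.write(b"trojaned interpreter bytes")
        # A permissions change alone does not touch the contents, so no hash change.
        os.chmod(untouched, 0o600)

        return [(os.path.basename(p), reason) for p, reason in check_integrity(baseline)]


if __name__ == "__main__":
    print(demo())
```

The monitor flags only the replaced interpreter. In a real deployment the baseline is refreshed as part of the patch process, which is why the absence of any recent patch in the question turns the alert from noise into an incident.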

73
Q

Which of the following roles, according to the shared responsibility model, is responsible for securing
the company’s database in an IaaS model for a cloud environment?
A. Client
B. Third-party vendor
C. Cloud provider
D. DBA

A

Answer: A
Explanation:
According to the shared responsibility model, the client and the cloud provider have different roles
and responsibilities for securing the cloud environment, depending on the service model. In an IaaS
(Infrastructure as a Service) model, the cloud provider is responsible for securing the physical
infrastructure, such as the servers, storage, and network devices, while the client is responsible for
securing the operating systems, applications, and data that run on the cloud infrastructure.
Therefore, the client is responsible for securing the company’s database in an IaaS model for a cloud
environment, as the database is an application that stores data. The client can use various security
controls, such as encryption, access control, backup, and auditing, to protect the database from
unauthorized access, modification, or loss. The third-party vendor and the DBA (Database
Administrator) are not roles defined by the shared responsibility model, but they may be involved in
the implementation or management of the database security.

74
Q

A client asked a security company to provide a document outlining the project, the cost, and the
completion time frame. Which of the following documents should the company provide to the
client?
A. MSA
B. SLA
C. BPA
D. ISOW

A

Answer: D
Explanation:
The document described is a statement of work (SOW), which the option list abbreviates as ISOW. A
SOW outlines the project, the cost, and the completion time frame for a security company to provide
a service to a client; it specifies the scope, deliverables, milestones, and payment terms of the
engagement. A SOW is usually used for one-time or short-term projects that have a clear and defined
objective and outcome, for example a security assessment, a penetration test, a security audit, or a
security training engagement, and is often issued under a broader master service agreement.

75
Q

MSA

A

An MSA is a master service agreement, which is a type of contract that establishes the general terms
and conditions for a long-term or ongoing relationship between a security company and a client. An
MSA does not specify the details of each individual project, but rather sets the framework for future
projects that will be governed by separate statements of work (SOWs).

76
Q

SLA

A

An SLA is a service level agreement, which is a type of contract that defines the quality and
performance standards for a security service provided by a security company to a client. An SLA
usually includes the metrics, targets, responsibilities, and penalties for measuring and ensuring the
service level.

77
Q

BPA

A

A BPA is a
business partnership agreement, which is a type of contract that establishes the roles and
expectations for a strategic alliance between two or more security companies that collaborate to
provide a joint service to a client. A BPA usually covers the objectives, benefits, risks, and obligations
of the partnership.

78
Q

A security team is reviewing the findings in a report that was delivered after a third party performed
a penetration test. One of the findings indicated that a web application form field is vulnerable to
cross-site scripting. Which of the following application security techniques should the security
analyst recommend the developer implement to prevent this vulnerability?
A. Secure cookies
B. Version control
C. Input validation
D. Code signing

A

Answer: C
Explanation:
Input validation is a technique that checks user input for malicious or unexpected data before the
web application processes it. Input validation can prevent cross-site scripting (XSS) attacks, which
exploit a web application's failure to neutralize user-supplied data so that attacker-controlled scripts
execute in a victim's browser. XSS attacks can compromise the confidentiality, integrity, and
availability of the web application and its users. Input validation can be implemented on both the
client side and the server side, but server-side validation is the one that can be trusted, because an
attacker controls the client and can bypass any check that runs there. Input validation can use
allow-listing (accept only known-good patterns, the stronger approach), deny-listing, filtering,
escaping, encoding, and sanitizing of the input data. For XSS specifically, validation should be paired
with output encoding of untrusted data at the point where it is written into HTML, since that is what
stops the browser from interpreting the data as markup.

79
Q

Which of the following must be considered when designing a high-availability network? (Choose
two).
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication

A

Answer: A, E
Explanation:
A high-availability network is a network that is designed to minimize downtime and ensure
continuous operation even in the event of a failure or disruption. A high-availability network must
consider the following factors:
Ease of recovery: This refers to the ability of the network to restore normal functionality quickly and
efficiently after a failure or disruption. Ease of recovery can be achieved by implementing backup
and restore procedures, redundancy and failover mechanisms, fault tolerance and resilience, and
disaster recovery plans.
Attack surface: This refers to the amount of exposure and vulnerability of the network to potential
threats and attacks. Every redundant component added for availability is also another component an
attacker can reach, so the attack surface must be kept in check by implementing security controls
such as firewalls, encryption, authentication, access control, segmentation, and hardening.

80
Q

A technician needs to apply a high-priority patch to a production system. Which of the following
steps should be taken first?
A. Air gap the system.
B. Move the system to a different network segment.
C. Create a change control request.
D. Apply the patch to the system

A

Answer: C
Explanation:
A change control request is a document that describes the proposed change to a system, the
reason for the change, the expected impact, the approval process, the testing plan, the
implementation plan, the rollback plan, and the communication plan. A change control request is a
best practice for applying any patch to a production system, especially a high-priority one, as it
ensures that the change is authorized, documented, tested, and communicated. A change control
request also minimizes the risk of unintended consequences, such as system downtime, data loss, or
security breaches. Urgency does not remove the need for the request; most change processes have
an emergency-change path that still records approval and a rollback plan.

81
Q

Which of the following describes the reason root cause analysis should be conducted as part of
incident response?
A. To gather IoCs for the investigation
B. To discover which systems have been affected
C. To eradicate any trace of malware on the network
D. To prevent future incidents of the same nature

A

Answer: D
Explanation:
Root cause analysis is a process of identifying and resolving the underlying factors that led to an
incident. By conducting root cause analysis as part of incident response, security professionals can
learn from the incident and implement corrective actions to prevent future incidents of the same
nature. For example, if the root cause of a data breach was a weak password policy, the security
team can enforce a stronger password policy and educate users on the importance of password
security. Root cause analysis can also help to improve security processes, policies, and procedures,
and to enhance security awareness and culture within the organization. Root cause analysis is not
meant to gather IoCs (indicators of compromise) for the investigation, as this is a task performed
during the detection and analysis phases of incident response. Root cause analysis is also not
meant to discover which systems have been affected or to eradicate any trace of malware on the
network, as these are tasks performed during the containment and eradication phases of incident
response.

82
Q

Which of the following is the most likely outcome if a large bank fails an internal PCI DSS compliance
assessment?
A. Fines
B. Audit findings
C. Sanctions
D. Reputation damage

A

Answer: A
Explanation:
PCI DSS is the Payment Card Industry Data Security Standard, a set of security requirements for
organizations that store, process, or transmit cardholder data. PCI DSS aims to protect the
confidentiality, integrity, and availability of cardholder data and to prevent fraud, identity theft, and
data breaches. PCI DSS is not a law; it is enforced contractually by the payment card brands (Visa,
Mastercard, American Express, Discover, and JCB) and applies to all entities in the payment card
ecosystem, such as merchants, acquirers, issuers, processors, service providers, and payment
applications. Non-compliance can result in monetary fines levied by the card brands, normally
through the acquiring bank, which is why fines are the most likely outcome for a large bank that
fails a compliance assessment. Audit findings describe the failure itself, and sanctions or reputation
damage may follow later, but the direct consequence the card brands impose is financial.

83
Q

A company is developing a business continuity strategy and needs to determine how many staff
members would be required to sustain the business in the case of a disruption. Which of the
following best describes this step?
A. Capacity planning
B. Redundancy
C. Geographic dispersion
D. Tabletop exercise

A

Answer: A
Explanation:
Capacity planning is the process of determining the resources needed to meet the current and
future demands of an organization. Capacity planning can help a company develop a business
continuity strategy by estimating how many staff members would be required to sustain the business
in the case of a disruption, such as a natural disaster, a cyberattack, or a pandemic. Capacity planning
can also help a company optimize the use of its resources, reduce costs, and improve
performance

84
Q

A company’s legal department drafted sensitive documents in a SaaS application and wants to
ensure the documents cannot be accessed by individuals in high-risk countries. Which of the
following is the most effective way to limit this access?
A. Data masking
B. Encryption
C. Geolocation policy
D. Data sovereignty regulation

A

Answer: C
Explanation:
A geolocation policy is a policy that restricts or allows access to data or resources based on the
geographic location of the user or device. A geolocation policy can be implemented using various
methods, such as IP address filtering, GPS tracking, or geofencing, and in a SaaS application it is
typically enforced through the identity provider's conditional access rules. A geolocation policy can
help the company's legal department prevent access to sensitive documents from individuals in
high-risk countries. Encryption and data masking protect the content but do not stop an authorized
user in a high-risk country from opening it, and data sovereignty regulation governs where data is
stored rather than who may access it.

85
Q

Which of the following is a hardware-specific vulnerability?
A. Firmware version
B. Buffer overflow
C. SQL injection
D. Cross-site scripting

A

Answer: A
Explanation:
Firmware is a type of software that is embedded in a hardware device, such as a router, a printer, or a
BIOS chip. Firmware controls the basic functions and operations of the device, and it can be updated
or modified by the manufacturer or the user. An outdated, corrupted, or tampered firmware version
is a hardware-specific vulnerability, because the flaw is tied to a particular device and cannot be
fixed by patching the operating system or applications running on it. An attacker can exploit
firmware vulnerabilities to gain unauthorized access, modify device settings, install malware that
survives an OS reinstall, or cause damage to the device or the network. Therefore, it is important to
keep firmware updated and to verify its integrity and authenticity, for example through vendor
signatures and measured or secure boot. Buffer overflows, SQL injection, and cross-site scripting
are software vulnerabilities that exist regardless of the hardware they run on.

86
Q

While troubleshooting a firewall configuration, a technician determines that a “deny any” policy
should be added to the bottom of the ACL. The technician updates the policy, but the new policy
causes several company servers to become unreachable.
Which of the following actions would prevent this issue?
A. Documenting the new policy in a change request and submitting the request to change
management
B. Testing the policy in a non-production environment before enabling the policy in the production
network
C. Disabling any intrusion prevention signatures on the ‘deny any’ policy prior to enabling the new
policy
D. Including an ‘allow any’ policy above the ‘deny any’ policy

A

Answer: B
Explanation:
A firewall policy is a set of rules that defines what traffic is allowed or denied on a network. A firewall
policy should be carefully designed and tested before being implemented, as a misconfigured policy
can cause network disruptions or security breaches. A common best practice is to test the policy in a
non-production environment, such as a lab or a simulation, before enabling the policy in the
production network. This way, the technician can verify the functionality and performance of the
policy, and identify and resolve any issues or conflicts, without affecting the live network. Testing the
policy in a non-production environment would prevent the issue of the ‘deny any’ policy causing
several company servers to become unreachable, as the technician would be able to detect and
correct the problem before applying the policy to the production network
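
A lab test of the kind the answer describes can be as simple as replaying the flows the business depends on against the proposed rule set before it touches production. The following Go program is an added example, not part of the original card: it models first-match ACL evaluation on a device whose unmatched-traffic default is allow (an assumption, but the scenario implies it, since adding an explicit deny changed behaviour), a constructed baseline of one permit rule plus two flows the company relies on, and shows that appending ‘deny any’ silently breaks the management SSH flow until an explicit permit is added above it. The addresses, rule names and flows are invented for the illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one ACL entry. Rules are evaluated top to bottom; the first match wins.
type Rule struct {
	Name   string
	Src    *net.IPNet // nil matches any source
	Dst    *net.IPNet // nil matches any destination
	Port   int        // 0 matches any destination port
	Permit bool
}

// Flow is one connection the business expects to keep working after the change.
type Flow struct {
	Src  net.IP
	Dst  net.IP
	Port int
}

// cidr parses a prefix and panics on a typo, which is acceptable in a test harness.
func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func (r Rule) matches(f Flow) bool {
	if r.Src != nil && !r.Src.Contains(f.Src) {
		return false
	}
	if r.Dst != nil && !r.Dst.Contains(f.Dst) {
		return false
	}
	return r.Port == 0 || r.Port == f.Port
}

// Evaluate returns the first matching rule's name and verdict. No match falls through
// to the device default, modelled here as allow (assumption taken from the scenario).
func Evaluate(acl []Rule, f Flow) (string, bool) {
	for _, r := range acl {
		if r.matches(f) {
			return r.Name, r.Permit
		}
	}
	return "implicit-default", true
}

// Blocked is the regression check: which expected flows would the candidate ACL deny?
func Blocked(acl []Rule, flows []Flow) []Flow {
	var out []Flow
	for _, f := range flows {
		if _, permit := Evaluate(acl, f); !permit {
			out = append(out, f)
		}
	}
	return out
}

// Constructed scenario (invented addresses): one explicit web rule, and two flows the
// company relies on, the second of which was only ever allowed by the default.
func BaselineACL() []Rule {
	return []Rule{{Name: "web", Src: cidr("10.0.1.0/24"), Dst: cidr("10.0.10.0/24"), Port: 443, Permit: true}}
}

func ExpectedFlows() []Flow {
	return []Flow{
		{Src: net.ParseIP("10.0.1.5"), Dst: net.ParseIP("10.0.10.20"), Port: 443},
		{Src: net.ParseIP("10.0.2.7"), Dst: net.ParseIP("10.0.10.30"), Port: 22},
	}
}

// WithDenyAny is the technician's proposed change: append a catch-all deny.
func WithDenyAny(acl []Rule) []Rule {
	return append(append([]Rule{}, acl...), Rule{Name: "deny-any", Permit: false})
}

// FixedACL is what the lab run leads to: the hidden dependency gets an explicit
// permit above the deny, so the deny now only drops traffic nobody asked for.
func FixedACL() []Rule {
	return []Rule{
		BaselineACL()[0],
		{Name: "mgmt-ssh", Src: cidr("10.0.2.0/24"), Dst: cidr("10.0.10.0/24"), Port: 22, Permit: true},
		{Name: "deny-any", Permit: false},
	}
}

func main() {
	flows := ExpectedFlows()
	candidates := []struct {
		name string
		acl  []Rule
	}{{"baseline", BaselineACL()}, {"with deny any", WithDenyAny(BaselineACL())}, {"fixed", FixedACL()}}
	for _, c := range candidates {
		fmt.Printf("%-14s expected flows blocked: %d\n", c.name, len(Blocked(c.acl, flows)))
	}
}
```

Running the regression set against each candidate reports 0, 1 and 0 blocked flows respectively: the lab catches the SSH outage before the change is pushed, and the fix is an explicit permit, not the ‘allow any’ in option D, which would make the deny meaningless.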

87
Q

An organization is building a new backup data center with cost-benefit as the primary requirement
and RTO and RPO values around two days. Which of the following types of sites is the best for this
scenario?
A. Real-time recovery
B. Hot
C. Cold
D. Warm

A

Answer: C
Explanation:
A cold site is a type of backup data center that has the necessary space, power, and connectivity to
support IT operations, but no pre-configured hardware or software. A cold site is the cheapest of the
backup site types, but it also supports the longest recovery time objective (RTO), because equipment
must be brought in and configured and data restored before operations resume; the recovery point
objective (RPO) it can meet is bounded by how current the off-site backups are. A cold site is suitable
when cost-benefit is the primary requirement and the RTO and RPO values are not stringent. With
RTO and RPO of around two days, a cold site meets the requirement; hot and warm sites would meet
it too but at a cost the scenario does not justify, and "real-time recovery" is not a site type.

88
Q

A company requires hard drives to be securely wiped before sending decommissioned systems to
recycling. Which of the following best describes this policy?
A. Enumeration
B. Sanitization
C. Destruction
D. Inventory

A

Answer: B
Explanation:
Sanitization is the process of removing sensitive data from a storage device or a system before it is
disposed of or reused. Sanitization can be done by using software tools or hardware devices that
overwrite the data with random patterns or zeros, making it unrecoverable. Sanitization is different
from destruction, which is the physical damage of the storage device to render it unusable.
Sanitization is also different from enumeration, which is the identification of network resources or
devices, and inventory, which is the tracking of assets and their locations. The policy of securely
wiping hard drives before sending decommissioned systems to recycling is an example of
sanitization, as it ensures that no confidential data can be retrieved from the recycled
devices.

89
Q

A systems administrator works for a local hospital and needs to ensure patient data is protected and
secure. Which of the following data classifications should be used to secure patient data?
A. Private
B. Critical
C. Sensitive
D. Public

A

Answer: C
Explanation:
Data classification is a process of categorizing data based on its level of sensitivity, value, and impact
to the organization if compromised. Data classification helps to determine the appropriate security
controls and policies to protect the data from unauthorized access, disclosure, or modification.
Different organizations use different schemes, but a common one is the four-tier model of public,
private, sensitive, and critical. Patient data is regulated health information (in the US, PHI under
HIPAA) whose disclosure harms the individual and exposes the hospital to legal penalties, so it
belongs in the sensitive tier, which mandates controls such as encryption, strict access control, and
audit logging.

90
Q

A U.S.-based cloud-hosting provider wants to expand its data centers to new international locations.
Which of the following should the hosting provider consider first?
A. Local data protection regulations
B. Risks from hackers residing in other countries
C. Impacts to existing contractual obligations
D. Time zone differences in log correlation

A

Answer: A
Explanation:
Local data protection regulations are the first thing that a cloud-hosting provider should consider
before expanding its data centers to new international locations. Data protection regulations are
laws or standards that govern how personal or sensitive data is collected, stored, processed, and
transferred across borders.

91
Q

Which of the following would be the best way to block unknown programs from executing?
A. Access control list
B. Application allow list.
C. Host-based firewall
D. DLP solution

A

Answer: B
Explanation:
An application allow list is a security technique that specifies which applications are permitted to run
on a system or a network. An application allow list can block unknown programs from executing by
only allowing the execution of programs that are explicitly authorized and verified. An application
allow list can prevent malware, unauthorized software, or unwanted applications from running and
compromising the security of the system or the network

92
Q

Access control list

A

This is a security technique that specifies which users or groups are granted or
denied access to a resource or an object. An access control list can control the permissions and
privileges of users or groups, but it does not directly block unknown programs from executing

93
Q

Host-based firewall

A

This is a security control that monitors and filters the incoming and outgoing network traffic on a
single host or system. A host-based firewall can block or allow network connections based on
predefined rules, but it does not directly block unknown programs from executing.

94
Q

DLP solution

A

This is a security system that detects and prevents the unauthorized transmission or
leakage of sensitive data. A DLP solution can protect the confidentiality and integrity of data, but it does not directly block unknown programs from executing

95
Q

A company hired a consultant to perform an offensive security assessment covering penetration
testing and social engineering.
Which of the following teams will conduct this assessment activity?
A. White
B. Purple
C. Blue
D. Red

A

Answer: D
Explanation:
A red team is a group of security professionals who perform offensive security assessments covering
penetration testing and social engineering. A red team simulates real-world attacks and exploits the
vulnerabilities of a target organization, system, or network. A red team aims to test the effectiveness
of the security controls, policies, and procedures of the target, as well as the awareness and response
of the staff and the blue team. A red team can be hired as an external consultant or formed internally
within the organization.

96
Q

A software development manager wants to ensure the authenticity of the code created by the
company. Which of the following options is the most appropriate?
A. Testing input validation on the user input fields
B. Performing code signing on company-developed software
C. Performing static code analysis on the software
D. Ensuring secure cookies are use

A

Answer: B
Explanation:
Code signing is a technique that uses cryptography to verify the authenticity and integrity of the code
created by the company. Code signing involves applying a digital signature to the code using a private
key that only the company possesses. The digital signature can be verified by anyone who has the
corresponding public key, which can be distributed through a trusted certificate authority. Code
signing can prevent unauthorized modifications, tampering, or malware injection into the code, and
it can also assure the users that the code is from a legitimate source.

97
Q

Which of the following can be used to identify potential attacker activities without affecting
production servers?
A. Honey pot
B. Video surveillance
C. Zero Trust
D. Geofencing

A

Answer: A
Explanation:
A honey pot is a system or a network that is designed to mimic a real production server and attract
potential attackers. A honey pot can be used to identify the attacker’s methods, techniques, and
objectives without affecting the actual production servers. A honey pot can also divert the attacker’s
attention from the real targets and waste their time and resources

98
Q

Zero Trust

A

This is a security strategy that assumes that no user, device, or network is trustworthy by
default and requires strict verification and validation for every request and transaction. Zero Trust can
help to improve the security posture and reduce the attack surface of an organization, but it does not
directly identify the attacker’s activities on the network or the servers

99
Q

Geofencing

A

This is a security technique that uses geographic location as a criterion to restrict or
allow access to data or resources. Geofencing can help to protect the data sovereignty and
compliance of an organization, but it does not directly identify the attacker’s activities on the
network or the servers

100
Q

During an investigation, an incident response team attempts to understand the source of an incident.
Which of the following incident response activities describes this process?
A. Analysis
B. Lessons learned
C. Detection
D. Containment

A

Answer: A
Explanation:
Analysis is the incident response activity that describes the process of understanding the source of
an incident. Analysis involves collecting and examining evidence, identifying the root cause,
determining the scope and impact, and assessing the threat actor’s motives and capabilities. Analysis
helps the incident response team to formulate an appropriate response strategy, as well as to
prevent or mitigate future incidents. Analysis is usually performed after detection and before
containment, eradication, recovery, and lessons learned

101
Q

A security practitioner completes a vulnerability assessment on a company’s network and finds
several vulnerabilities, which the operations team remediates. Which of the following should be
done next?
A. Conduct an audit.
B. Initiate a penetration test.
C. Rescan the network.
D. Submit a report.

A

Answer: C
Explanation:
After completing a vulnerability assessment and remediating the identified vulnerabilities, the next
step is to rescan the network to verify that the vulnerabilities have been successfully fixed and no
new vulnerabilities have been introduced. A vulnerability assessment is a process of identifying and evaluating the weaknesses and exposures in a network, system, or application that could be
exploited by attackers. A vulnerability assessment typically involves using automated tools, such as
scanners, to scan the network and generate a report of the findings. The report may include
information such as the severity, impact, and remediation of the vulnerabilities. The operations team
is responsible for applying the appropriate patches, updates, or configurations to address the vulnerabilities and reduce the risk to the network. A rescan is necessary to confirm that the remediation actions have been effective and that the network is secure.

102
Q

An administrator was notified that a user logged in remotely after hours and copied large amounts of
data to a personal device.
Which of the following best describes the user’s activity?
A. Penetration testing
B. Phishing campaign
C. External audit
D. Insider threat

A

Answer: D
Explanation:
An insider threat is a security risk that originates from within the organization, such as an employee,
contractor, or business partner, who has authorized access to the organization’s data and systems. An
insider threat can be malicious, such as stealing, leaking, or sabotaging sensitive data, or unintentional, such as falling victim to phishing or social engineering. An insider threat can cause
significant damage to the organization’s reputation, finances, operations, and legal compliance. The
user’s activity of logging in remotely after hours and copying large amounts of data to a personal
device is an example of a malicious insider threat, as it violates the organization’s security policies and compromises the confidentiality and integrity of the data.

103
Q

Which of the following allows for the attribution of messages to individuals?
A. Adaptive identity
B. Non-repudiation
C. Authentication
D. Access logs

A

Answer: B
Explanation:
Non-repudiation is the ability to prove that a message or document was sent or signed by a
particular person, and that the person cannot deny sending or signing it. Non-repudiation can be
achieved by using cryptographic techniques, such as hashing and digital signatures, that can verify
the authenticity and integrity of the message or document. Non-repudiation can be useful for legal,
financial, or contractual purposes, as it can provide evidence of the origin and content of the
message or document.
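
The mechanism behind both card 96 (code signing) and this card (non-repudiation) is the same: a digital signature over a hash, made with a private key only one party holds and checked with the matching public key. The following Go program is an added example, not part of the original cards or of any vendor's tooling: it signs a constructed stand-in for a release artifact with Ed25519 from the standard library, then shows verification succeeding for the genuine artifact and failing for a tampered artifact, for a signature checked against someone else's key, and for a corrupted signature. Distribution of the public key inside a CA-issued certificate is assumed and not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher holds the signing keypair. The private key stays on the build or
// release system; only the public key is distributed (in practice embedded in
// an X.509 certificate from a CA, which this example does not model).
type Publisher struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{pub: pub, priv: priv}, nil
}

func (p *Publisher) PublicKey() ed25519.PublicKey { return p.pub }

// Sign produces the detached signature shipped alongside the artifact. The
// artifact is hashed first so the signed value is a fixed-size digest whatever
// the binary's size (Ed25519 would also accept the raw bytes directly).
func (p *Publisher) Sign(artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(p.priv, digest[:])
}

// Verify is the check an installer or loader performs before trusting code:
// recompute the digest and validate the signature against the publisher's
// public key. A single changed byte in the artifact, or a signature made with
// any other key, makes this return false. The same property gives
// non-repudiation: only the holder of the private key could have produced a
// signature that validates under this public key.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	vendor, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	release := []byte("agent-1.4.2-linux-amd64 (constructed stand-in for a binary)")
	sig := vendor.Sign(release)
	fmt.Println("signature:", hex.EncodeToString(sig)[:16]+"...")
	fmt.Println("genuine release verifies:        ", Verify(vendor.PublicKey(), release, sig))

	tampered := append(append([]byte{}, release...), []byte(" + implant")...)
	fmt.Println("tampered release verifies:       ", Verify(vendor.PublicKey(), tampered, sig))

	other, _ := NewPublisher()
	fmt.Println("verifies under someone else's key:", Verify(other.PublicKey(), release, sig))
}
```

The verifier never needs the private key, which is what makes the scheme usable for attribution: anyone holding the vendor's public key can confirm that the vendor, and no one else, produced the signature.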

104
Q

Which of the following is the best way to consistently determine on a daily basis whether security
settings on servers have been modified?
A. Automation
B. Compliance checklist
C. Attestation
D. Manual audit

A

Answer: A
Explanation:
Automation is the best way to consistently determine on a daily basis whether security settings on servers have been modified. Automation is the process of using software, hardware, or other tools to
perform tasks that would otherwise require human intervention or manual effort. Automation can
help to improve the efficiency, accuracy, and consistency of security operations, as well as reduce human errors and costs. Automation can be used to monitor, audit, and enforce security settings on servers, such as firewall rules, encryption keys, access controls, patch levels, and configuration
files. Automation can also alert security personnel of any changes or anomalies that may indicate a
security breach or compromise
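
What the daily automation actually does is compare a fingerprint of each security-relevant file against an approved baseline and report every deviation. The following Go program is an added example, not part of the original card or of any product: it hashes a constructed set of configuration files with SHA-256, compares the result to the approved baseline, and emits a sorted drift report distinguishing modified, missing, and unexpected files. The file paths and contents are invented sample data standing in for what a scheduled job would read from disk.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Baseline maps a configuration path to the SHA-256 of its approved content.
// In production the approved baseline is stored out of band (ideally signed);
// each scheduled run rebuilds the current snapshot from the live files.
type Baseline map[string]string

func fingerprint(content string) string {
	sum := sha256.Sum256([]byte(content))
	return hex.EncodeToString(sum[:])
}

// Snapshot hashes every tracked file. The map stands in for os.ReadFile over
// the real paths so the example runs offline.
func Snapshot(files map[string]string) Baseline {
	b := make(Baseline, len(files))
	for path, content := range files {
		b[path] = fingerprint(content)
	}
	return b
}

// Drift is one deviation from the approved state.
type Drift struct {
	Path string
	Kind string // "modified", "missing" or "unexpected"
}

// Compare reports every path whose current hash differs from the approved one,
// approved files that vanished, and files that appeared. The result is sorted
// so successive daily reports can be diffed.
func Compare(approved, current Baseline) []Drift {
	var out []Drift
	for path, want := range approved {
		got, ok := current[path]
		switch {
		case !ok:
			out = append(out, Drift{path, "missing"})
		case got != want:
			out = append(out, Drift{path, "modified"})
		}
	}
	for path := range current {
		if _, ok := approved[path]; !ok {
			out = append(out, Drift{path, "unexpected"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// ApprovedState and ObservedState are constructed sample data: the hardened
// configuration that was signed off, and what a later run found after someone
// re-enabled root SSH login, removed the audit config and dropped in a key file.
func ApprovedState() map[string]string {
	return map[string]string{
		"/etc/ssh/sshd_config":   "PermitRootLogin no\nPasswordAuthentication no\n",
		"/etc/sudoers":           "root ALL=(ALL:ALL) ALL\n%admin ALL=(ALL) ALL\n",
		"/etc/audit/auditd.conf": "log_file = /var/log/audit/audit.log\nmax_log_file_action = keep_logs\n",
	}
}

func ObservedState() map[string]string {
	return map[string]string{
		"/etc/ssh/sshd_config":       "PermitRootLogin yes\nPasswordAuthentication no\n",
		"/etc/sudoers":               "root ALL=(ALL:ALL) ALL\n%admin ALL=(ALL) ALL\n",
		"/root/.ssh/authorized_keys": "ssh-ed25519 AAAA... attacker@example\n",
	}
}

// DailyReport is the job a scheduler runs: compare and emit one line per drift.
func DailyReport(approved, current Baseline) []string {
	var lines []string
	for _, d := range Compare(approved, current) {
		lines = append(lines, fmt.Sprintf("%-10s %s", d.Kind, d.Path))
	}
	return lines
}

func main() {
	approved := Snapshot(ApprovedState())
	for _, line := range DailyReport(approved, Snapshot(ObservedState())) {
		fmt.Println(line)
	}
}
```

An empty report is the expected daily outcome; anything else is routed to the security team, which is what a compliance checklist or a manual audit cannot do on its own every day.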

105
Q

Compliance checklist

A

This is a document that lists the security requirements, standards, or best practices that an organization must follow or adhere to. A compliance checklist can help to ensure that the security settings on servers are aligned with the organizational policies and regulations, but
it does not automatically detect or report any changes or modifications that may occur on a daily
basis

106
Q

Attestation

A

This is a process of verifying or confirming the validity or accuracy of a statement, claim,
or fact. Attestation can be used to provide assurance or evidence that the security settings on servers
are correct and authorized, but it does not continuously monitor or audit any changes or
modifications that may occur on a daily basis

107
Q

Manual audit

A

This is a process of examining or reviewing the security settings on servers by human
inspectors or auditors. A manual audit can help to identify and correct any security issues or
discrepancies on servers, but it is time-consuming, labor-intensive, and prone to human errors. A
manual audit may not be feasible or practical to perform on a daily basis

108
Q

Which of the following tools can assist with detecting an employee who has accidentally emailed a
file containing a customer’s PII?
A. SCAP
B. NetFlow
C. Antivirus
D. DLP

A

Answer: D
Explanation:
DLP stands for Data Loss Prevention, a tool that can detect and prevent the unauthorized
transmission or leakage of sensitive data, such as a customer's PII (Personally Identifiable
Information). DLP can monitor, filter, and block data in motion (such as emails), data at rest (such as
files), and data in use (such as applications), typically by matching content against patterns,
keywords, fingerprints, or classification labels. DLP can also alert the sender, the recipient, or the
administrator of the incident and apply remediation actions, such as encryption, quarantine, or
deletion. DLP can help an organization comply with data protection regulations, such as GDPR,
HIPAA, or PCI DSS, and protect its reputation and assets. SCAP checks configuration compliance,
NetFlow records network flow metadata without inspecting content, and antivirus looks for malware,
so none of them would notice an accidental email containing PII.
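
The content-inspection step a DLP engine applies to an outbound email is pattern matching plus a validity check to keep false positives down. The following Go program is an added example, not part of the original card or of any DLP product: it scans a constructed message body for US Social Security numbers and payment card numbers, uses the Luhn check digit to separate real card numbers from other 13- to 19-digit runs such as order references, and reports each finding in redacted form. The sample message, the patterns, and the redaction convention are assumptions made for the illustration; 4111 1111 1111 1111 is the widely used Visa test number.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns for two common PII types. The SSN pattern is strict about formatting
// (nnn-nn-nnnn); the card pattern is loose (13 to 19 digits with optional spaces
// or dashes) and relies on the Luhn check below to reject order numbers and other
// digit runs that merely look like a PAN.
var (
	ssnRE = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	panRE = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	sep   = strings.NewReplacer(" ", "", "-", "")
)

// Finding is what the DLP engine reports: the data type and a redacted form that
// is safe to put in an alert. The raw value is never logged.
type Finding struct {
	Kind     string
	Redacted string
}

// luhnValid implements the ISO/IEC 7812 check digit used by payment cards.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// redact keeps only the last four digits, the convention receipts use.
func redact(digits string) string {
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// ScanMessage inspects an outbound email body (or an attachment's extracted text)
// and returns every PII element found. An empty result means the message may pass.
func ScanMessage(body string) []Finding {
	var out []Finding
	for _, m := range ssnRE.FindAllString(body, -1) {
		out = append(out, Finding{"SSN", redact(sep.Replace(m))})
	}
	for _, m := range panRE.FindAllString(body, -1) {
		digits := sep.Replace(m)
		if luhnValid(digits) {
			out = append(out, Finding{"PAN", redact(digits)})
		}
	}
	return out
}

// ShouldBlock is the policy decision the mail gateway acts on.
func ShouldBlock(body string) bool {
	return len(ScanMessage(body)) > 0
}

// SampleEmail is a constructed message: an internal order reference (fails Luhn,
// so it is not flagged), a customer's SSN, and the Visa test PAN (passes Luhn).
func SampleEmail() string {
	return "Hi Dana, order 1234 5678 9012 3456 is ready to ship.\n" +
		"Customer SSN 078-05-1120, card 4111 1111 1111 1111 exp 12/27.\n"
}

func main() {
	for _, f := range ScanMessage(SampleEmail()) {
		fmt.Printf("%-4s %s\n", f.Kind, f.Redacted)
	}
	fmt.Println("block outbound message:", ShouldBlock(SampleEmail()))
}
```

The order number is the interesting case: a naive 16-digit regex would flag it and train users to ignore DLP alerts, while the Luhn check drops it and keeps the real card number. Real deployments add context rules (keywords such as "SSN" or "card", sender and recipient domains) to cut false positives further.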

109
Q

An organization recently updated its security policy to include the following statement:
Regular expressions are included in source code to remove special characters such as $, |, ;. &, `, and
? from variables set by forms in a web application.
Which of the following best explains the security technique the organization adopted by making this
addition to the policy?
A. Identify embedded keys
B. Code debugging
C. Input validation
D. Static code analysis

A

Answer: C
Explanation:
Input validation is a security technique that checks user input for malicious or unexpected data
before the application processes it. Input validation can prevent various types of attacks, such as
injection, cross-site scripting, buffer overflow, and command execution, that exploit weaknesses in
the application code. Input validation can be performed on both the client side and the server side,
using methods such as allow-listing, deny-listing, filtering, sanitizing, escaping, and encoding. By
including regular expressions in the source code to remove special characters from the variables set
by the forms in the web application, the organization adopted input validation as a security
technique. Regular expressions are patterns that match a specific set of characters or strings, and
can be used to filter out unwanted or harmful input. The characters listed in the policy ($, |, ;, &, `,
and ?) are shell metacharacters, so this particular rule targets command injection, where form input
reaches a system shell; it does not remove <, >, or quotes and therefore does not by itself address
XSS. Stripping known-bad characters is a deny-list approach, and a stronger policy would instead
accept only the characters and lengths each field legitimately needs, with output encoding applied
wherever the data is later rendered.
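
The difference between the deny-list rule in this policy, an allow-list rule, and output encoding is easiest to see side by side, and the same example also serves card 78 (the XSS finding). The following Go program is an added example, not part of the original cards: it applies the policy's regular expression to a constructed command-injection payload and to a constructed XSS payload, shows that the XSS payload passes through untouched, then shows an allow-list username check rejecting it outright and HTML escaping rendering it harmless. The field name and payloads are invented for the illustration.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// shellMeta is the deny-list from the policy statement: $ | ; & ` and ? are
// stripped from form variables. These are shell metacharacters, so the rule
// guards against command injection; it does nothing about < > " ' used in XSS.
var shellMeta = regexp.MustCompile("[$|;&`?]")

// StripShellMetachars implements the policy literally (sanitising by removal).
func StripShellMetachars(s string) string {
	return shellMeta.ReplaceAllString(s, "")
}

// usernameRE is an allow-list: the only characters and length a username may have.
// Anything that does not match is rejected instead of being "cleaned".
var usernameRE = regexp.MustCompile(`^[A-Za-z0-9._-]{3,32}$`)

func IsValidUsername(s string) bool {
	return usernameRE.MatchString(s)
}

// EscapeForHTML is the output-encoding step that neutralises XSS: the browser
// receives &lt;script&gt; as text rather than as a tag.
func EscapeForHTML(s string) string {
	return html.EscapeString(s)
}

// ContainsMarkup reports whether a value still carries characters that would be
// interpreted as HTML if written into a page unescaped.
func ContainsMarkup(s string) bool {
	return strings.ContainsAny(s, "<>\"'")
}

func main() {
	shellPayload := "alice; rm -rf / | `id` $HOME?"
	xssPayload := "<script>alert(1)</script>"

	fmt.Printf("policy strip on shell payload: %q\n", StripShellMetachars(shellPayload))
	stripped := StripShellMetachars(xssPayload)
	fmt.Printf("policy strip on XSS payload:   %q (markup left: %v)\n", stripped, ContainsMarkup(stripped))
	fmt.Printf("allow-list accepts XSS payload: %v\n", IsValidUsername(xssPayload))
	fmt.Printf("allow-list accepts alice_01:    %v\n", IsValidUsername("alice_01"))
	fmt.Printf("escaped for HTML:               %q\n", EscapeForHTML(xssPayload))
}
```

The deny-list does its intended job on the shell payload but leaves the script tag intact, which is exactly the gap a penetration tester would report against the form field in card 78; the allow-list rejects the value before it is stored, and escaping protects any place where previously stored data is rendered.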

110
Q

A security analyst and the management team are reviewing the organizational performance of a
recent phishing campaign. The user click-through rate exceeded the acceptable risk threshold, and
the management team wants to reduce the impact when a user clicks on a link in a phishing
message. Which of the following should the analyst do?
A. Place posters around the office to raise awareness of common phishing activities.
B. Implement email security filters to prevent phishing emails from being delivered
C. Update the EDR policies to block automatic execution of downloaded programs.
D. Create additional training for users to recognize the signs of phishing attempts.

A

Answer: C
Explanation:
An endpoint detection and response (EDR) system is a security tool that monitors and analyzes the
activities and behaviors of endpoints, such as computers, laptops, mobile devices, and servers. An
EDR system can detect, prevent, and respond to various types of threats, such as malware,
ransomware, phishing, and advanced persistent threats (APTs). One of the features of an EDR system
is to block the automatic execution of downloaded programs, which can prevent malicious code from running on the endpoint when a user clicks on a link in a phishing message. This can reduce the impact of a phishing attack and protect the endpoint from compromise. Updating the EDR policies to
block automatic execution of downloaded programs is a technical control that can mitigate the risk of
phishing, regardless of the user’s awareness or behavior. Therefore, this is the best answer among
the given options.

111
Q

Which of the following has been implemented when a host-based firewall on a legacy Linux system
allows connections from only specific internal IP addresses?
A. Compensating control
B. Network segmentation
C. Transfer of risk
D. SNMP traps

A

Answer: A
Explanation:
A compensating control is a security measure that is implemented to mitigate the risk of a
vulnerability or a weakness that cannot be resolved by the primary control. A compensating control
does not prevent or eliminate the vulnerability or weakness, but it can reduce the likelihood or
impact of an attack. A host-based firewall on a legacy Linux system that allows connections from only specific internal IP addresses is an example of a compensating control, as it can limit the exposure of
the system to potential threats from external or unauthorized sources. A host-based firewall is a
software application that monitors and filters the incoming and outgoing network traffic on a single
host, based on a set of rules or policies.

112
Q

The management team notices that new accounts that are set up manually do not always have
correct access or permissions.
Which of the following automation techniques should a systems administrator use to streamline
account creation?
A. Guard rail script
B. Ticketing workflow
C. Escalation script
D. User provisioning script

A

Answer: D
Explanation:
A user provisioning script is an automation technique that uses a predefined set of instructions or
commands to create, modify, or delete user accounts and assign appropriate access or
permissions. A user provisioning script can help to streamline account creation by reducing manual
errors, ensuring consistency and compliance, and saving time and resources

113
Q

Guard rail script

A

This is a script that monitors and enforces the security policies and rules on a
system or a network. A guard rail script can help to prevent unauthorized or malicious actions, such
as changing security settings, accessing restricted resources, or installing unwanted software

114
Q

Ticketing workflow

A

This is a process that tracks and manages the requests, issues, or incidents that
are reported by users or customers. A ticketing workflow can help to improve the communication,
collaboration, and resolution of problems, but it does not automate the account creation process.

115
Q

Escalation script

A

This is a script that triggers an alert or a notification when a certain condition or
threshold is met or exceeded. An escalation script can help to inform the relevant parties or
authorities of a critical situation, such as a security breach, a performance degradation, or a service
outage.

116
Q

A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly
basis. Which of the following types of controls is the company setting up?
A. Corrective
B. Preventive
C. Detective
D. Deterrent

A

Answer: C
Explanation:
A detective control is a type of control that monitors and analyzes the events and activities in a system or a network, and alerts or reports when an incident or a violation occurs. A SIEM (Security Information and Event Management) system is a tool that collects, correlates, and analyzes the logs
from various sources, such as firewalls, routers, servers, or applications, and provides a centralized view of the security status and incidents. An analyst who reviews the logs on a weekly basis can
identify and investigate any anomalies, trends, or patterns that indicate a potential threat or a
breach. A detective control can help the company to respond quickly and effectively to the incidents, and to improve its security posture and resilience.

117
Q

A systems administrator is looking for a low-cost application-hosting solution that is cloud-based.
Which of the following meets these requirements?
A. Serverless framework
B. Type 1 hypervisor
C. SD-WAN
D. SDN

A

Answer: A
Explanation:
A serverless framework is a cloud-based application-hosting solution that meets the requirements of
low-cost and cloud-based. A serverless framework is a type of cloud computing service that allows
developers to run applications without managing or provisioning any servers. The cloud provider
handles the server-side infrastructure, such as scaling, load balancing, security, and maintenance,
and charges the developer only for the resources consumed by the application. A serverless
framework enables developers to focus on the application logic and functionality, and reduces the
operational costs and complexity of hosting applications. Some examples of serverless frameworks
are AWS Lambda, Azure Functions, and Google Cloud Functions.

118
Q

Type 1 hypervisor

A

A software layer that runs
directly on the hardware and creates multiple virtual machines that can run different operating
systems and applications. A type 1 hypervisor is not a cloud-based service, but a virtualization
technology that can be used to create private or hybrid clouds. A type 1 hypervisor also requires the
developer to manage and provision the servers and the virtual machines, which can increase the
operational costs and complexity of hosting applications. Some examples of type 1 hypervisors are
VMware ESXi, Microsoft Hyper-V, and Citrix XenServer.

119
Q

SD-WAN (Software-Defined Wide Area Network)

A

A network architecture that uses software to dynamically route traffic across multiple WAN connections, such as broadband, LTE, or MPLS. SD-WAN is not a cloud-based service, but a network optimization technology that can improve the performance, reliability, and security of WAN connections. SD-WAN can be used to connect remote sites or users to cloud-based applications, but it does not host the applications itself. Some examples
of SD-WAN vendors are Cisco, VMware, and Fortinet.

120
Q

SDN (Software-Defined Networking)

A

A network architecture that decouples the control plane from the data plane and uses a centralized controller to programmatically manage and configure the
network devices and traffic flows. SDN is not a cloud-based service, but a network automation
technology that can enhance the scalability, flexibility, and efficiency of the network. SDN can be used to create virtual networks or network functions that can support cloud-based applications, but
it does not host the applications itself. Some examples of SDN vendors are OpenFlow, OpenDaylight,
and OpenStack.

121
Q

A security operations center determines that the malicious activity detected on a server is normal.
Which of the following activities describes the act of ignoring detected activity in the future?
A. Tuning
B. Aggregating
C. Quarantining
D. Archiving

A

Answer: A
Explanation:
Tuning is the activity of adjusting the configuration or parameters of a security tool or system to
optimize its performance and reduce false positives or false negatives. Tuning can help to filter out
the normal or benign activity that is detected by the security tool or system, and focus on the
malicious or anomalous activity that requires further investigation or response. Tuning can also help to improve the efficiency and effectiveness of the security operations center by reducing the
workload and alert fatigue of the analysts. Tuning is different from aggregating, which is the activity
of collecting and combining data from multiple sources or sensors to provide a comprehensive view
of the security posture.

122
Q

A security analyst reviews domain activity logs and notices the following:
Which of the following is the best explanation for what the security analyst has discovered?
A. The user jsmith’s account has been locked out.
B. A keylogger is installed on jsmith’s workstation.
C. An attacker is attempting to brute force jsmith’s account.
D. Ransomware has been deployed in the domain.

A

Answer: C
Explanation:
Brute force is a type of attack that tries to guess the password or other credentials of a user account
by using a large number of possible combinations. An attacker can use automated tools or scripts to perform a brute force attack and gain unauthorized access to the account. The domain activity logs show that the user jsmith has failed to log in 10 times in a row within a short period of time, which is a strong indicator of a brute force attack. The logs also show that the source IP address of the failed logins is different from the usual IP address of jsmith, which suggests that the attacker is using a different device or location to launch the attack. The security analyst should take immediate action to
block the attacker’s IP address, reset jsmith’s password, and notify jsmith of the
incident.

123
Q

A company is concerned about weather events causing damage to the server room and downtime.
Which of the following should the company consider?
A. Clustering servers
B. Geographic dispersion
C. Load balancers
D. Off-site backups

A

Answer: B
Explanation:
Geographic dispersion is a strategy that involves distributing the servers or data centers across
different geographic locations. Geographic dispersion can help the company to mitigate the risk of
weather events causing damage to the server room and downtime, as well as improve the
availability, performance, and resilience of the network.

124
Q

Which of the following is a primary security concern for a company setting up a BYOD program?
A. End of life
B. Buffer overflow
C. VM escape
D. Jailbreaking

A

Answer: D
Explanation:
Jailbreaking is a primary security concern for a company setting up a BYOD (Bring Your Own Device)
program. Jailbreaking is the process of removing the manufacturer’s or the carrier’s restrictions on a
device, such as a smartphone or a tablet, to gain root access and install unauthorized or custom software. Jailbreaking can compromise the security of the device and the data stored on it, as well as
expose it to malware, viruses, or hacking. Jailbreaking can also violate the warranty and the terms of
service of the device, and make it incompatible with the company’s security policies and standards.
Therefore, a company setting up a BYOD program should prohibit jailbreaking and enforce device compliance and encryption.

125
Q

A company decided to reduce the cost of its annual cyber insurance policy by removing the coverage
for ransomware attacks.
Which of the following analysis elements did the company most likely use in making this decision?
A. IMTTR
B. RTO
C. ARO
D. MTBF

A

Answer: C
Explanation:
ARO (Annualized Rate of Occurrence) is an analysis element that measures the frequency or
likelihood of an event happening in a given year. ARO is often used in risk assessment and
management, as it helps to estimate the potential loss or impact of an event. A company can use
ARO to calculate the annualized loss expectancy (ALE) of an event, which is the product of ARO and
the single loss expectancy (SLE). ALE represents the expected cost of an event per year, and can be
used to compare with the cost of implementing a security control or purchasing an insurance policy.

126
Q

Which of the following is the most likely to be included as an element of communication in a security
awareness program?
A. Reporting phishing attempts or other suspicious activities
B. Detecting insider threats using anomalous behavior recognition
C. Verifying information when modifying wire transfer data
D. Performing social engineering as part of third-party penetration testing

A

Answer: A
Explanation:
A security awareness program is a set of activities and initiatives that aim to educate and inform the users and employees of an organization about the security policies, procedures, and best practices. A security awareness program can help to reduce the human factor in security risks, such as social engineering, phishing, malware, data breaches, and insider threats. A security awareness program should include various elements of communication, such as newsletters, posters, videos, webinars,
quizzes, games, simulations, and feedback mechanisms, to deliver the security messages and reinforce the security culture. One of the most likely elements of communication to be included in a
security awareness program is reporting phishing attempts or other suspicious activities, as this can help to raise the awareness of the users and employees about the common types of cyberattacks and
how to respond to them. Reporting phishing attempts or other suspicious activities can also help to alert the security team and enable them to take appropriate actions to prevent or mitigate the impact of the attacks.

129
Q

Which of the following vulnerabilities is exploited when an attacker overwrites a register with a
malicious address?
A. VM escape
B. SQL injection
C. Buffer overflow
D. Race condition

A

Answer: C
Explanation:
A buffer overflow is a vulnerability that occurs when an application writes more data to a memory
buffer than it can hold, causing the excess data to overwrite adjacent memory locations. A register is
a small storage area in the CPU that holds temporary data or instructions. An attacker can exploit a
buffer overflow to overwrite a register with a malicious address that points to a shellcode, which is a
piece of code that gives the attacker control over the system.

130
Q

Which of the following would be the best way to handle a critical business application that is running
on a legacy server?
A. Segmentation
B. Isolation
C. Hardening
D. Decommissioning

A

Answer: B
Explanation:
A legacy server is a server that is running outdated or unsupported software or hardware, which may
pose security risks and compatibility issues. A critical business application is an application that is
essential for the operation and continuity of the business, such as accounting, payroll, or inventory
management. A legacy server running a critical business application may be difficult to replace or
upgrade, but it should not be left unsecured or exposed to potential threats.

131
Q

Which of the following describes the process of concealing code or text inside a graphical image?
A. Symmetric encryption
B. Hashing
C. Data masking
D. Steganography

A

Answer: D
Explanation:
Steganography is the process of hiding information within another medium, such as an image, audio,
video, or text file. The hidden information is not visible or noticeable to the casual observer, and can only be extracted by using a specific technique or key. Steganography can be used for various
purposes, such as concealing secret messages, watermarking, or evading detection by antivirus software.

132
Q

After a company was compromised, customers initiated a lawsuit. The company’s attorneys have
requested that the security team initiate a legal hold in response to the lawsuit. Which of the
following describes the action the security team will most likely be required to take?
A. Retain the emails between the security team and affected customers for 30 days.
B. Retain any communications related to the security breach until further notice.
C. Retain any communications between security members during the breach response.
D. Retain all emails from the company to affected customers for an indefinite period of time

A

Answer: B
Explanation:
A legal hold (also known as a litigation hold) is a notification sent from an organization’s legal team
to employees instructing them not to delete electronically stored information (ESI) or discard paper
documents that may be relevant to a new or imminent legal case. A legal hold is intended to
preserve evidence and prevent spoliation, which is the intentional or negligent destruction of
evidence that could harm a party’s case. A legal hold can be triggered by various events, such as a
lawsuit, a regulatory investigation, or a subpoena.

133
Q

A network manager wants to protect the company’s VPN by implementing multifactor
authentication that uses:
• Something you know
• Something you have
• Something you are
Which of the following would accomplish the manager’s goal?
A. Domain name, PKI, GeoIP lookup
B. VPN IP address, company ID, facial structure
C. Password, authentication token, thumbprint
D. Company URL, TLS certificate, home address

A

Answer: C
Explanation:
The correct answer is C. Password, authentication token, thumbprint. This combination of
authentication factors satisfies the manager’s goal of implementing multifactor authentication that
uses something you know, something you have, and something you are.
Something you know is a type of authentication factor that relies on the user’s knowledge of a secret
or personal information, such as a password, a PIN, or a security question. A password is a common
example of something you know that can be used to access a VPN.
Something you have is a type of authentication factor that relies on the user’s possession of a
physical object or device, such as a smart card, a token, or a smartphone. An authentication token is
a common example of something you have that can be used to generate a one-time password (OTP)
or a code that can be used to access a VPN.
Something you are is a type of authentication factor that relies on the user’s biometric
characteristics, such as a fingerprint, a face, or an iris. A thumbprint is a common example of
something you are that can be used to scan and verify the user’s identity to access a VPN.

134
Q

A security manager created new documentation to use in response to various types of security
incidents. Which of the following is the next step the manager should take?
A. Set the maximum data retention policy.
B. Securely store the documents on an air-gapped network.
C. Review the documents’ data classification policy.
D. Conduct a tabletop exercise with the team

A

Answer: D
Explanation:
A tabletop exercise is a simulated scenario that tests the effectiveness of a security incident response
plan. It involves gathering the relevant stakeholders and walking through the steps of the plan,
identifying any gaps or issues that need to be addressed. A tabletop exercise is a good way to
validate the documentation created by the security manager and ensure that the team is prepared
for various types of security incidents.

135
Q

Users at a company are reporting they are unable to access the URL for a new retail website because
it is flagged as gambling and is being blocked.
Which of the following changes would allow users to access the site?
A. Creating a firewall rule to allow HTTPS traffic
B. Configuring the IPS to allow shopping
C. Tuning the DLP rule that detects credit card data
D. Updating the categorization in the content filter

A

Answer: D
Explanation:
A content filter is a device or software that blocks or allows access to web content based on
predefined rules or categories. In this case, the new retail website is mistakenly categorized as
gambling by the content filter, which prevents users from accessing it. To resolve this issue, the
content filter’s categorization needs to be updated to reflect the correct category of the website,
such as shopping or retail. This will allow the content filter to allow access to the website instead of
blocking it.

136
Q

An administrator discovers that some files on a database server were recently encrypted. The
administrator sees from the security logs that the data was last accessed by a domain user. Which of
the following best describes the type of attack that occurred?
A. Insider threat
B. Social engineering
C. Watering-hole
D. Unauthorized attacker

A

Answer: A
Explanation:
An insider threat is a type of attack that originates from someone who has legitimate access to an
organization’s network, systems, or data. In this case, the domain user who encrypted the files on the database server is an example of an insider threat, as they abused their access privileges to cause harm to the organization. Insider threats can be motivated by various factors, such as financial gain, revenge, espionage, or sabotage.

137
Q

Which of the following automation use cases would best enhance the security posture of an
organization by rapidly updating permissions when employees leave a company?
A. Provisioning resources
B. Disabling access
C. Reviewing change approvals
D. Escalating permission requests

A

Answer: B
Explanation:
Disabling access is an automation use case that would best enhance the security posture of an
organization by rapidly updating permissions when employees leave a company. Disabling access is
the process of revoking or suspending the access rights of a user account, such as login credentials,
email, VPN, cloud services, etc. Disabling access can prevent unauthorized or malicious use of the
account by former employees or attackers who may have compromised the account. Disabling access
can also reduce the attack surface and the risk of data breaches or leaks. Disabling access can be
automated by using scripts, tools, or workflows that can trigger the action based on predefined events, such as employee termination, resignation, or transfer. Automation can ensure that the access is disabled in a timely, consistent, and efficient manner, without relying on manual
intervention or human error.

138
Q

Which of the following must be considered when designing a high-availability network? (Select two).
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication

A

Answer: AE
Explanation:
A high-availability network is a network that is designed to minimize downtime and ensure
continuous operation of critical services and applications. To achieve this goal, a high-availability
network must consider two important factors: ease of recovery and attack surface.
Ease of recovery refers to the ability of a network to quickly restore normal functionality after a
failure, disruption, or disaster. A high-availability network should have mechanisms such as
redundancy, failover, backup, and restore to ensure that any single point of failure does not cause a
complete network outage. A high-availability network should also have procedures and policies for incident response, disaster recovery, and business continuity to minimize the impact of any network
issue on the organization’s operations and reputation.

139
Q

Which of the following methods to secure credit card data is best to use when a requirement is to
see only the last four numbers on a credit card?
A. Encryption
B. Hashing
C. Masking
D. Tokenization

A

Answer: C
Explanation:
Masking is a method to secure credit card data that involves replacing some or all of the digits with symbols, such as asterisks, dashes, or Xs, while leaving some of the original digits visible. Masking is best to use when a requirement is to see only the last four numbers on a credit card, as it can prevent
unauthorized access to the full card number, while still allowing identification and verification of the
cardholder. Masking does not alter the original data, unlike encryption, hashing, or tokenization,
which use algorithms to transform the data into different formats.

140
Q

An administrator finds that all user workstations and servers are displaying a message that is
associated with files containing an extension of .ryk. Which of the following types of infections is
present on the systems?
A. Virus
B. Trojan
C. Spyware
D. Ransomware

A

Answer: D
Explanation:
Ransomware is a type of malware that encrypts the victim’s files and demands a ransom for the
decryption key. The ransomware usually displays a message on the infected system with instructions
on how to pay the ransom and recover the files. The .ryk extension is associated with a ransomware
variant called Ryuk, which targets large organizations and demands high ransoms.

141
Q

A healthcare organization wants to provide a web application that allows individuals to digitally
report health emergencies.
Which of the following is the most important consideration during development?
A. Scalability
B. Availability
C. Cost
D. Ease of deployment

A

Answer: B
Explanation:
Availability is the ability of a system or service to be accessible and usable when needed. For a web
application that allows individuals to digitally report health emergencies, availability is the most important consideration during development, because any downtime or delay could have serious
consequences for the health and safety of the users. The web application should be designed to handle high traffic, prevent denial-of-service attacks, and have backup and recovery plans in case of
failures.

142
Q

An organization wants a third-party vendor to do a penetration test that targets a specific device. The
organization has provided basic information about the device. Which of the following best describes
this kind of penetration test?
A. Partially known environment
B. Unknown environment
C. Integrated
D. Known environment

A

Answer: A
Explanation:
A partially known environment is a type of penetration test where the tester has some information
about the target, such as the IP address, the operating system, or the device type. This can help the
tester focus on specific vulnerabilities and reduce the scope of the test. A partially known
environment is also called a gray box test.

143
Q

An attacker posing as the Chief Executive Officer calls an employee and instructs the employee to
buy gift cards. Which of the following techniques is the attacker using?
A. Smishing
B. Disinformation
C. Impersonating
D. Whaling

A

Answer: D
Explanation:
Whaling is a type of phishing attack that targets high-profile individuals, such as executives,
celebrities, or politicians. The attacker impersonates someone with authority or influence and tries
to trick the victim into performing an action, such as transferring money, revealing sensitive
information, or clicking on a malicious link. Whaling is also called CEO fraud or business email
compromise.

144
Q

An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of
the following would be most relevant for the analyst to evaluate?
A. Secured zones
B. Subject role
C. Adaptive identity
D. Threat scope reduction

A

Answer: D

145
Q

An organization is leveraging a VPN between its headquarters and a branch location. Which of the
following is the VPN protecting?
A. Data in use
B. Data in transit
C. Geographic restrictions
D. Data sovereignty

A

Answer: B
Explanation:
Data in transit is data that is moving from one location to another, such as over a network or through
the air. Data in transit is vulnerable to interception, modification, or theft by malicious actors. A VPN
(virtual private network) is a technology that protects data in transit by creating a secure tunnel
between two endpoints and encrypting the data that passes through it.

146
Q

The marketing department set up its own project management software without telling the
appropriate departments. Which of the following describes this scenario?
A. Shadow IT
B. Insider threat
C. Data exfiltration
D. Service disruption

A

Answer: A
Explanation:
Shadow IT is the term used to describe the use of unauthorized or unapproved IT resources within an
organization. The marketing department set up its own project management software without telling
the appropriate departments, such as IT, security, or compliance. This could pose a risk to the
organization’s security posture, data integrity, and regulatory compliance.

147
Q

An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound
DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the
following firewall ACLs will accomplish this goal?
A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53
B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53
D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

A

Answer: D
Explanation:
A firewall ACL (access control list) is a set of rules that determines which traffic is allowed or denied
by the firewall. The rules are processed in order, from top to bottom, until a match is found. The
syntax of a firewall ACL rule is:
Access list <direction> <action> <source> <destination> <protocol> <port>
To limit outbound DNS traffic originating from the internal network, the firewall ACL should allow
only the device with the IP address 10.50.10.25 to send DNS requests to any destination on port 53,
and deny all other outbound traffic on port 53. The correct firewall ACL is:
Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
The first rule permits outbound traffic from the source address 10.50.10.25/32 (a single host) to any
destination address (0.0.0.0/0) on port 53 (DNS). The second rule denies all other outbound traffic on
port 53.

148
Q

After a security incident, a systems administrator asks the company to buy a NAC platform. Which of
the following attack surfaces is the systems administrator trying to protect?
A. Bluetooth
B. Wired
C. NFC
D. SCADA

A

Answer: B
Explanation:
A NAC (network access control) platform is a technology that enforces security policies on devices
that attempt to access a network. A NAC platform can verify the identity, role, and compliance of the
devices, and grant or deny access based on predefined rules. A NAC platform can protect both wired
and wireless networks, but in this scenario, the systems administrator is trying to protect the wired
attack surface, which is the set of vulnerabilities that can be exploited through a physical connection
to the network.

149
Q

Which of the following factors are the most important to address when formulating a training
curriculum plan for a security awareness program? (Select two).
A. Channels by which the organization communicates with customers
B. The reporting mechanisms for ethics violations
C. Threat vectors based on the industry in which the organization operates
D. Secure software development training for all personnel
E. Cadence and duration of training events
F. Retraining requirements for individuals who fail phishing simulations

A

Answer: CE
Explanation:
A training curriculum plan for a security awareness program should address the following factors:
The threat vectors based on the industry in which the organization operates. This will help the
employees to understand the specific risks and challenges that their organization faces, and how to
protect themselves and the organization from cyberattacks. For example, a healthcare organization
may face different threat vectors than a financial organization, such as ransomware, data breaches,
or medical device hacking.
The cadence and duration of training events. This will help the employees to retain the information
and skills they learn, and to keep up with the changing security landscape. The training events should
be frequent enough to reinforce the key concepts and behaviors, but not too long or too short to lose
the attention or interest of the employees.

150
Q

An organization disabled unneeded services and placed a firewall in front of a business-critical legacy
system. Which of the following best describes the actions taken by the organization?
A. Exception
B. Segmentation
C. Risk transfer
D. Compensating controls

A

Answer: D

151
Q

Which of the following is the best reason to complete an audit in a banking environment?
A. Regulatory requirement
B. Organizational change
C. Self-assessment requirement
D. Service-level requirement

A

Answer: A
Explanation:
A regulatory requirement is a mandate imposed by a government or an authority that must be
followed by an organization or an individual. In a banking environment, audits are often required by
regulators to ensure compliance with laws, standards, and policies related to security, privacy, and
financial reporting. Audits help to identify and correct any gaps or weaknesses in the security posture
and the internal controls of the organization.

152
Q

A security administrator is deploying a DLP solution to prevent the exfiltration of sensitive customer
data. Which of the following should the administrator do first?
A. Block access to cloud storage websites.
B. Create a rule to block outgoing email attachments.
C. Apply classifications to the data.
D. Remove all user permissions from shares on the file server.

A

Answer: C
Explanation:
Data classification is the process of assigning labels or tags to data based on its sensitivity, value, and
risk. Data classification is the first step in a data loss prevention (DLP) solution, as it helps to identify
what data needs to be protected and how. By applying classifications to the data, the security
administrator can define appropriate policies and rules for the DLP solution to prevent the
exfiltration of sensitive customer data

153
Q

Which of the following describes a security alerting and monitoring tool that collects system,
application, and network logs from multiple sources in a centralized system?

A. SIEM
B. DLP
C. IDS
D. SNMP

A

Answer: A
Explanation:
SIEM stands for Security Information and Event Management. It is a security alerting and monitoring
tool that collects system, application, and network logs from multiple sources in a centralized
system. SIEM can analyze the collected data, correlate events, generate alerts, and provide reports
and dashboards. SIEM can also integrate with other security tools and support compliance
requirements. SIEM helps organizations to detect and respond to cyber threats, improve security
posture, and reduce operational costs

154
Q

Which of the following are cases in which an engineer should recommend the decommissioning of a
network device? (Select two).
A. The device has been moved from a production environment to a test environment.
B. The device is configured to use cleartext passwords.
C. The device is moved to an isolated segment on the enterprise network.
D. The device is moved to a different location in the enterprise.
E. The device’s encryption level cannot meet organizational standards.
F. The device is unable to receive authorized updates.

A

Answer: EF
Explanation:
An engineer should recommend the decommissioning of a network device when the device poses a
security risk or a compliance violation to the enterprise environment. A device that cannot meet the
encryption standards or receive authorized updates is vulnerable to attacks and breaches, and may
expose sensitive data or compromise network integrity. Therefore, such a device should be removed
from the network and replaced with a more secure and updated one.

155
Q

An administrator assists the legal and compliance team with ensuring information about customer
transactions is archived for the proper time period. Which of the following data policies is the
administrator carrying out?
A. Compromise
B. Retention
C. Analysis
D. Transfer
E. Inventory

A

Answer: B
Explanation:
A data retention policy is a set of rules that defines how long data should be stored and when it
should be deleted or archived. An administrator assists the legal and compliance team with ensuring
information about customer transactions is archived for the proper time period by following the data retention policy of the organization. This policy helps the organization to comply with legal and
regulatory requirements, optimize storage space, and protect data privacy and security

156
Q

A systems administrator is working on a solution with the following requirements:
* Provide a secure zone.
* Enforce a company-wide access control policy.
* Reduce the scope of threats.
Which of the following is the systems administrator setting up?
A. Zero Trust
B. AAA
C. Non-repudiation
D. CIA

A

Answer: A
Explanation:
Zero Trust is a security model that assumes no trust for any entity inside or outside the network
perimeter and requires continuous verification of identity and permissions. Zero Trust can provide a
secure zone by isolating and protecting sensitive data and resources from unauthorized access. Zero
Trust can also enforce a company-wide access control policy by applying the principle of least
privilege and granular segmentation for users, devices, and applications. Zero Trust can reduce the
scope of threats by preventing lateral movement and minimizing the attack surface.

157
Q

A security administrator needs a method to secure data in an environment that includes some form
of checks so that the administrator can track any changes. Which of the following should the
administrator set up to achieve this goal?
A. SPF
B. GPO
C. NAC
D. FIM

A

Answer: D
Explanation:
FIM stands for File Integrity Monitoring, which is a method to secure data by detecting any changes
or modifications to files, directories, or registry keys. FIM can help a security administrator track any
unauthorized or malicious changes to the data, as well as verify the integrity and compliance of the
data. FIM can also alert the administrator of any potential breaches or incidents involving the data.
Some of the benefits of FIM are:
It can detect data tampering and corruption by comparing the checksums or hashes of the files against a known-good baseline (FIM detects changes; it does not block them).
It can identify the source and time of the changes by logging the user and system actions.
It can enforce security policies and standards by comparing the current state of the data with the
baseline or expected state.
It can support forensic analysis and incident response by providing evidence and audit trails of the changes.

158
Q

Which of the following is the phase in the incident response process when a security analyst reviews
roles and responsibilities?
A. Preparation
B. Recovery
C. Lessons learned
D. Analysis

A

Answer: A
Explanation:
Preparation is the phase in the incident response process when a security analyst reviews roles and
responsibilities, as well as the policies and procedures for handling incidents. Preparation also involves gathering and maintaining the necessary tools, resources, and contacts for responding to incidents. Preparation can help a security analyst to be ready and proactive when an incident occurs,
as well as to reduce the impact and duration of the incident

159
Q

A company is discarding a classified storage array and hires an outside vendor to complete the
disposal. Which of the following should the company request from the vendor?
A. Certification
B. Inventory list
C. Classification
D. Proof of ownership

A

Answer: A
Explanation:
The company should request a certification from the vendor that confirms the storage array has been
disposed of securely and in compliance with the company’s policies and standards. A certification
provides evidence that the vendor has followed the proper procedures and methods to destroy the classified data and prevent unauthorized access or recovery

160
Q

Which of the following would be the best ways to ensure only authorized personnel can access a
secure facility? (Select two).
A. Fencing
B. Video surveillance
C. Badge access
D. Access control vestibule
E. Sign-in sheet
F. Sensor

A

Answer: CD
Explanation:
Badge access and access control vestibule are two of the best ways to ensure only authorized
personnel can access a secure facility. Badge access requires the personnel to present a valid and authenticated badge to a reader or scanner that grants or denies access based on predefined rules and permissions. Access control vestibule is a physical security measure that consists of a small room or chamber with two doors, one leading to the outside and one leading to the secure area. The personnel must enter the vestibule and wait for the first door to close and lock before the second door can be opened. This prevents tailgating or piggybacking by unauthorized individuals.

161
Q

A company’s marketing department collects, modifies, and stores sensitive customer data. The
infrastructure team is responsible for securing the data while in transit and at rest. Which of the
following data roles describes the customer?
A. Processor
B. Custodian
C. Subject
D. Owner

A

Answer: C
Explanation:
According to the CompTIA Security+ SY0-701 Certification Study Guide, data subjects are the
individuals whose personal data is collected, processed, or stored by an organization. Data subjects
have certain rights and expectations regarding how their data is handled, such as the right to access,
correct, delete, or restrict their data. Data subjects are different from data owners, who are the
individuals or entities that have the authority and responsibility to determine how data is classified,
protected, and used. Data subjects are also different from data processors, who are the individuals or
entities that perform operations on data on behalf of the data owner, such as collecting, modifying,
storing, or transmitting data. Data subjects are also different from data custodians, who are the
individuals or entities that implement the security controls and procedures specified by the data
owner to protect data while in transit and at rest.

162
Q

Malware spread across a company’s network after an employee visited a compromised industry blog.
Which of the following best describes this type of attack?
A. Impersonation
B. Disinformation
C. Watering-hole
D. Smishing

A

Answer: C
Explanation:
A watering-hole attack is a type of cyberattack that targets groups of users by infecting websites that
they commonly visit. The attackers exploit vulnerabilities to deliver a malicious payload to the
organization’s network. The attack aims to infect users’ computers and gain access to a connected
corporate network. The attackers target websites known to be popular among members of a
particular organization or demographic. Unlike phishing and spear-phishing, which deliver the lure to
the victim in a message, a watering-hole attack waits for the victim to visit a trusted site the attacker
has already compromised, so no suspicious email or link has to be sent

163
Q

After a recent ransomware attack on a company’s system, an administrator reviewed the log files.
Which of the following control types did the administrator use?
A. Compensating
B. Detective
C. Preventive
D. Corrective

A

Answer: B
Explanation:
Detective controls are security measures that are designed to identify and monitor any malicious
activity or anomalies on a system or network. They can help to discover the source, scope, and
impact of an attack, and provide evidence for further analysis or investigation. Detective controls
include log files, security audits, intrusion detection systems, network monitoring tools, and antivirus
software. In this case, the administrator used log files as a detective control to review the
ransomware attack on the company’s system. Log files are records of events and activities that occur
on a system or network, such as user actions, system errors, network traffic, and security alerts. They
can provide valuable information for troubleshooting, auditing, and forensics

164
Q

Which of the following agreement types defines the time frame in which a vendor needs to respond?
A. SOW
B. SLA
C. MOA
D. MOU

A

Answer: B
Explanation:
A service level agreement (SLA) is a type of agreement that defines the expectations and
responsibilities between a service provider and a customer. It usually includes the quality,
availability, and performance metrics of the service, as well as the time frame in which the provider
needs to respond to service requests, incidents, or complaints. An SLA can help ensure that the
customer receives the desired level of service and that the provider is accountable for meeting the
agreed-upon standards.

165
Q

A Chief Information Security Officer wants to monitor the company’s servers for SQLi attacks and
allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow
traffic monitoring. Which of the following strategies would best accomplish this goal?
A. Logging all NetFlow traffic into a SIEM
B. Deploying network traffic sensors on the same subnet as the servers
C. Logging endpoint and OS-specific security logs
D. Enabling full packet capture for traffic entering and exiting the servers

A

Answer: D
Explanation:
Full packet capture is a technique that records all network traffic passing through a device, such as a router or firewall. It allows for detailed analysis and investigation of network events, such as SQLi attacks, by providing the complete content and context of the packets. Full packet capture can help
identify the source, destination, payload, and timing of an SQLi attack, as well as the impact on the server and database. Logging NetFlow traffic, network traffic sensors, and endpoint and OS-specific security logs can provide some information about network activity, but they do not capture the full content of the packets, which may limit the scope and depth of the investigation.

166
Q

A client demands at least 99.99% uptime from a service provider’s hosted security services. Which of
the following documents includes the information the service provider should return to the client?
A. MOA
B. SOW
C. MOU
D. SLA

A

Answer: D
Explanation:
A service level agreement (SLA) is a document that defines the level of service expected by a
customer from a service provider, indicating the metrics by which that service is measured, and the
remedies or penalties, if any, should the agreed-upon levels not be achieved. An SLA can specify the
minimum uptime or availability of a service, such as 99.99%, and the consequences for failing to
meet that standard. A memorandum of agreement (MOA), a statement of work (SOW), and a
memorandum of understanding (MOU) are other types of documents that can be used to establish a
relationship between parties, but they do not typically include the details of service levels and
performance metrics that an SLA does.

167
Q

A company is adding a clause to its AUP that states employees are not allowed to modify the
operating system on mobile devices. Which of the following vulnerabilities is the organization
addressing?
A. Cross-site scripting
B. Buffer overflow
C. Jailbreaking
D. Side loading

A

Answer: C
Explanation:
Jailbreaking is the process of removing the restrictions imposed by the manufacturer or carrier on a
mobile device, such as an iPhone or iPad. Jailbreaking allows users to install unauthorized
applications, modify system settings, and access root privileges. However, jailbreaking also exposes
the device to potential security risks, such as malware, spyware, unauthorized access, data loss, and
voided warranty. Therefore, an organization may prohibit employees from jailbreaking their mobile
devices to prevent these vulnerabilities and protect the corporate data and network.

168
Q

Which of the following practices would be best to prevent an insider from introducing malicious code
into a company’s development process?
A. Code scanning for vulnerabilities
B. Open-source component usage
C. Quality assurance testing
D. Peer review and approval

A

Answer: D
Explanation:
Peer review and approval is a practice that involves having other developers or experts review the
code before it is deployed or released. Peer review and approval can help detect and prevent
malicious code, errors, bugs, vulnerabilities, and poor quality in the development process. Peer
review and approval can also enforce coding standards, best practices, and compliance
requirements. Peer review and approval can be done manually or with the help of tools, such as code
analysis, code review, and code signing.

169
Q

A systems administrator is creating a script that would save time and prevent human error when
performing account creation for a large number of end users. Which of the following would be a
good use case for this task?
A. Off-the-shelf software
B. Orchestration
C. Baseline
D. Policy enforcement

A

Answer: B
Explanation:
Orchestration is the process of automating multiple tasks across different systems and applications. It
can help save time and reduce human error by executing predefined workflows and scripts. In this
case, the systems administrator can use orchestration to create accounts for a large number of end
users without having to manually enter their information and assign
permissions.

170
Q

After an audit, an administrator discovers all users have access to confidential data on a file server.
Which of the following should the administrator use to restrict access to the data quickly?
A. Group Policy
B. Content filtering
C. Data loss prevention
D. Access control lists

A

Answer: D
Explanation:
Access control lists (ACLs) are rules that specify which users or groups can access which resources on a file server. They can help restrict access to confidential data by granting or denying permissions
based on the identity or role of the user. In this case, the administrator can use ACLs to quickly
modify the access rights of the users and prevent them from accessing the data they are not
authorized to see.

171
Q

A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of
ransomware-as-a-service in a report to the management team. Which of the following best describes
the threat actor in the CISO’s report?
A. Insider threat
B. Hacktivist
C. Nation-state
D. Organized crime

A

Answer: D
Explanation:
Ransomware-as-a-service is a type of cybercrime where hackers sell or rent ransomware tools or
services to other criminals who use them to launch attacks and extort money from victims. This is a
typical example of organized crime, which is a group of criminals who work together to conduct
illegal activities for profit. Organized crime is different from other types of threat actors, such as
insider threats, hacktivists, or nation-states, who may have different motives, methods, or
targets

172
Q

A small business uses kiosks on the sales floor to display product information for customers. A
security team discovers the kiosks use end-of-life operating systems. Which of the following is the
security team most likely to document as a security implication of the current architecture?
A. Patch availability
B. Product software compatibility
C. Ease of recovery
D. Cost of replacement

A

Answer: A
Explanation:
End-of-life operating systems are those that are no longer supported by the vendor or manufacturer,
meaning they do not receive any security updates or patches. This makes them vulnerable to exploits and attacks that take advantage of known or unknown flaws in the software. Patch availability is the
security implication of using end-of-life operating systems, as it affects the ability to fix or prevent security issues. Other factors, such as product software compatibility, ease of recovery, or cost of replacement, are not directly related to security, but rather to functionality, availability, or budget.

173
Q

A company is developing a critical system for the government and storing project information on a
fileshare. Which of the following describes how this data will most likely be classified? (Select two).
A. Private
B. Confidential
C. Public
D. Operational
E. Urgent
F. Restricted

A

Answer: BF
Explanation:
Data classification is the process of assigning labels to data based on its sensitivity and business
impact. Different organizations and sectors may have different data classification schemes, but a
common one is the following:
Public: Data that can be freely disclosed to anyone without any harm or risk.
Private: Data that is intended for internal use only and may cause some harm or risk if disclosed.
Confidential: Data that is intended for authorized use only and may cause significant harm or risk if
disclosed.
Restricted: Data that is intended for very limited use only and may cause severe harm or risk if
disclosed

174
Q

After reviewing the following vulnerability scanning report:
Server:192.168.14.6
Service: Telnet
Port: 23 Protocol: TCP
Status: Open Severity: High
Vulnerability: Use of an insecure network protocol
A security analyst performs the following test:
nmap -p 23 192.168.14.6 --script telnet-encryption
PORT   STATE SERVICE REASON
23/tcp open  telnet  syn-ack
| telnet-encryption:
|_  Telnet server supports encryption
Which of the following would the security analyst conclude for this reported vulnerability?
A. It is a false positive.
B. A rescan is required.
C. It is considered noise.
D. Compensating controls exist.

A

Answer: A
Explanation:
A false positive is a result that indicates a vulnerability or a problem when there is none. In this case,
the vulnerability scanning report shows that the telnet service on port 23 is open and uses an
insecure network protocol. However, the security analyst performs a test using nmap and a script
that checks for telnet encryption support. The result shows that the telnet server supports
encryption, which means that the data transmitted between the client and the server can be
protected from eavesdropping. Therefore, the reported vulnerability is a false positive and does not
reflect the actual security posture of the server. Because supporting the Telnet encryption option is
not the same as requiring it, the security analyst should still verify that the server and its clients are
configured to negotiate encryption on every session

175
Q

A security consultant needs secure, remote access to a client environment. Which of the following
should the security consultant most likely use to gain access?
A. EAP
B. DHCP
C. IPSec
D. NAT

A

Answer: C
Explanation:
IPSec is a protocol suite that provides secure communication over IP networks. IPSec can be used to
create virtual private networks (VPNs) that encrypt and authenticate the data exchanged between
two or more parties. IPSec can also provide data integrity, confidentiality, replay protection, and
access control. A security consultant can use IPSec to gain secure, remote access to a client
environment by establishing a VPN tunnel with the client’s network.

176
Q

Which of the following best practices gives administrators a set period to perform changes to an
operational system to ensure availability and minimize business impacts?
A. Impact analysis
B. Scheduled downtime
C. Backout plan
D. Change management boards

A

Answer: B
Explanation:
Scheduled downtime is a planned period of time when a system or service is unavailable for
maintenance, updates, upgrades, or other changes. Scheduled downtime gives administrators a set
period to perform changes to an operational system without disrupting the normal business
operations or affecting the availability of the system or service. Scheduled downtime also allows
administrators to inform the users and stakeholders about the expected duration and impact of the
changes.

177
Q

Which of the following actions could a security engineer take to ensure workstations and servers are
properly monitored for unauthorized changes and software?
A. Configure all systems to log scheduled tasks.
B. Collect and monitor all traffic exiting the network.
C. Block traffic based on known malicious signatures.
D. Install endpoint management software on all systems.

A

Answer: D
Explanation:
Endpoint management software is a tool that allows security engineers to monitor and control the
configuration, security, and performance of workstations and servers from a central console.
Endpoint management software can help detect and prevent unauthorized changes and software
installations, enforce policies and compliance, and provide reports and alerts on the status of the
endpoints. The other options are not as effective or comprehensive as endpoint management
software for this purpose.

178
Q

After a security awareness training session, a user called the IT help desk and reported a suspicious
call. The suspicious caller stated that the Chief Financial Officer wanted credit card information in
order to close an invoice. Which of the following topics did the user recognize from the training?
A. Insider threat
B. Email phishing
C. Social engineering
D. Executive whaling

A

Answer: C
Explanation:
Social engineering is the practice of manipulating people into performing actions or divulging
confidential information, often by impersonating someone else or creating a sense of urgency or
trust. The suspicious caller in this scenario was trying to use social engineering to trick the user into
giving away credit card information by pretending to be the CFO and asking for a payment. The user
recognized this as a potential scam and reported it to the IT help desk.

179
Q

Which of the following exercises should an organization use to improve its incident response
process?
A. Tabletop
B. Replication
C. Failover
D. Recovery

A

Answer: A
Explanation:
A tabletop exercise is a simulated scenario that tests the organization’s incident response plan and
procedures. It involves key stakeholders and decision-makers who discuss their roles and actions in
response to a hypothetical incident. It can help identify gaps, weaknesses, and improvement areas in
the incident response process.

180
Q

Which of the following is used to validate a certificate when it is presented to a user?
A. OCSP
B. CSR
C. CA
D. CRC

A

Answer: A
Explanation:
OCSP stands for Online Certificate Status Protocol. It is a protocol that allows applications to check
the revocation status of a certificate in real time. It works by sending a query to an OCSP responder,
a server operated by or for the issuing CA that knows which certificates have been revoked. The
responder returns a signed response stating whether the certificate’s status is good, revoked, or unknown.

181
Q

A newly identified network access vulnerability has been found in the OS of legacy loT devices.
Which of the following would best mitigate this vulnerability quickly?
A. Insurance
B. Patching
C. Segmentation
D. Replacement

A

Answer: C
Explanation:
Segmentation is a technique that divides a network into smaller subnetworks or segments, each with
its own security policies and controls. Segmentation can help mitigate network access vulnerabilities
in legacy loT devices by isolating them from other devices and systems, reducing their attack surface
and limiting the potential impact of a breach.

182
Q

A bank insists all of its vendors must prevent data loss on stolen laptops. Which of the following
strategies is the bank requiring?
A. Encryption at rest
B. Masking
C. Data classification
D. Permission restrictions

A

Answer: A
Explanation:
Encryption at rest is a strategy that protects data stored on a device, such as a laptop, by converting it
into an unreadable format that can only be accessed with a decryption key or password. Encryption
at rest can prevent data loss on stolen laptops by preventing unauthorized access to the data, even if
the device is physically compromised. Encryption at rest can also help comply with data privacy
regulations and standards that require data protection.

183
Q

Which of the following would be best suited for constantly changing environments?
A. RTOS
B. Containers
C. Embedded systems
D. SCADA

A

Answer: B
Explanation:
Containers are a method of virtualization that allows applications to run in isolated environments
with their own dependencies, libraries, and configurations. Containers are best suited for constantly
changing environments because they are lightweight, portable, scalable, and easy to deploy and
update.

184
Q

A security analyst scans a company’s public network and discovers a host is running a remote
desktop that can be used to access the production network. Which of the following changes should
the security analyst recommend?
A. Changing the remote desktop port to a non-standard number
B. Setting up a VPN and placing the jump server inside the firewall
C. Using a proxy for web connections from the remote desktop server
D. Connecting the remote server to the domain and increasing the password length

A

Answer: B
Explanation:
A remote desktop service exposed directly on the public network is a brute-force and exploitation
target that leads straight into production. Moving the host behind the firewall as a jump server and
requiring a VPN connection to reach it removes the service from the internet: remote users first
authenticate to the VPN, which encrypts the session and authenticates the endpoint, and only then
can they reach the jump server and, through it, the production network. Changing the port, adding a
web proxy, or lengthening passwords leaves the service publicly reachable.

185
Q

Which of the following involves an attempt to take advantage of database misconfigurations?
A. Buffer overflow
B. SQL injection
C. VM escape
D. Memory injection

A

Answer: B
Explanation:
SQL injection is a type of attack that exploits a database misconfiguration or a flaw in the application
code that interacts with the database. An attacker can inject malicious SQL statements into the user
input fields or the URL parameters that are sent to the database server. These statements can then
execute unauthorized commands, such as reading, modifying, deleting, or creating data, or even
taking over the database server

186
Q

An organization would like to store customer data on a separate part of the network that is not
accessible to users on the main corporate network. Which of the following should the administrator
use to accomplish this goal?
A. Segmentation
B. Isolation
C. Patching
D. Encryption

A

Answer: A
Explanation:
Segmentation is a network design technique that divides the network into smaller and isolated
segments based on logical or physical boundaries. Segmentation can help improve network security
by limiting the scope of an attack, reducing the attack surface, and enforcing access control policies.
Segmentation can also enhance network performance, scalability, and manageability.

187
Q

Which of the following is used to quantitatively measure the criticality of a vulnerability?
A. CVE
B. CVSS
C. CIA
D. CERT

A

Answer: B
Explanation:
CVSS stands for Common Vulnerability Scoring System, which is a framework that provides a
standardized way to assess and communicate the severity and risk of vulnerabilities. CVSS uses a set of metrics and formulas to calculate a numerical score ranging from 0 to 10, where higher scores indicate higher criticality. CVSS can help organizations prioritize remediation efforts and compare vulnerabilities across different systems and vendors.

188
Q

A technician is opening ports on a firewall for a new system being deployed and supported by a SaaS
provider. Which of the following is a risk in the new system?
A. Default credentials
B. Non-segmented network
C. Supply chain vendor
D. Vulnerable software

A

Answer: C
Explanation:
A supply chain vendor is a third-party entity that provides goods or services to an organization, such
as a SaaS provider. A supply chain vendor can pose a risk to the new system if the vendor has poor security practices, breaches, or compromises that could affect the confidentiality, integrity, or
availability of the system or its data.

189
Q

Which of the following security concepts is the best reason for permissions on a human resources
fileshare to follow the principle of least privilege?
A. Integrity
B. Availability
C. Confidentiality
D. Non-repudiation

A

Answer: C
Explanation:
Confidentiality is the security concept that ensures data is protected from unauthorized access or disclosure. The principle of least privilege is a technique that grants users or systems the minimum level of access or permissions that they need to perform their tasks, and nothing more. By applying the principle of least privilege to a human resources fileshare, the permissions can be restricted to
only those who have a legitimate need to access the sensitive data, such as HR staff, managers, or
auditors.

190
Q

Security controls in a data center are being reviewed to ensure data is properly protected and that
human life considerations are included. Which of the following best describes how the controls
should be set up?
A. Remote access points should fail closed.
B. Logging controls should fail open.
C. Safety controls should fail open.
D. Logical security controls should fail closed.

A

Answer: C
Explanation:
Safety controls are security controls that are designed to protect human life and physical assets from
harm or damage. Examples of safety controls include fire alarms, sprinklers, emergency exits, backup
generators, and surge protectors. Safety controls should fail open, which means that they should
remain operational or allow access when a failure or error occurs. Failing open can prevent or
minimize the impact of a disaster, such as a fire, flood, earthquake, or power outage, on human life and physical assets. For example, if a fire alarm fails, it should still trigger the sprinklers and unlock
the emergency exits, rather than remain silent and locked.

191
Q

Which of the following is the most common data loss path for an air-gapped network?
A. Bastion host
B. Unsecured Bluetooth
C. Unpatched OS
D. Removable devices

A

Answer: D
Explanation:
An air-gapped network is a network that is physically isolated from other networks, such as the
internet, to prevent unauthorized access and data leakage. However, an air-gapped network can still be compromised by removable devices, such as USB drives, CDs, DVDs, or external hard drives, that are used to transfer data between the air-gapped network and other networks.

192
Q

Which of the following can best protect against an employee inadvertently installing malware on a
company system?
A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list

A

Answer: D
Explanation:
An application allow list is a security technique that specifies which applications are authorized to
run on a system and blocks all other applications. An application allow list can best protect against an
employee inadvertently installing malware on a company system because it prevents the execution
of any unauthorized or malicious software, such as viruses, worms, trojans, ransomware, or
spyware.

193
Q

An organization is struggling with scaling issues on its VPN concentrator and internet circuit due to
remote work. The organization is looking for a software solution that will allow it to reduce traffic on
the VPN and internet circuit, while still providing encrypted tunnel access to the data center and
monitoring of remote employee internet traffic. Which of the following will help achieve these
objectives?
A. Deploying a SASE solution to remote employees
B. Building a load-balanced VPN solution with redundant internet
C. Purchasing a low-cost SD-WAN solution for VPN traffic
D. Using a cloud provider to create additional VPN concentrators

A

Answer: A
Explanation:
SASE stands for Secure Access Service Edge. It is a cloud-based service that combines network and
security functions into a single integrated solution. SASE can help reduce traffic on the VPN and
internet circuit by providing secure and optimized access to the data center and cloud applications for remote employees. SASE can also monitor and enforce security policies on the remote employee
internet traffic, regardless of their location or device.

194
Q

A company’s end users are reporting that they are unable to reach external websites. After reviewing
the performance data for the DNS servers, the analyst discovers that the CPU, disk, and memory
usage are minimal, but the network interface is flooded with inbound traffic. Network logs show only
a small number of DNS queries sent to this server. Which of the following best describes what the
security analyst is seeing?
A. Concurrent session usage
B. Secure DNS cryptographic downgrade
C. On-path resource consumption
D. Reflected denial of service

A

Answer: D
Explanation:
A reflected denial of service (RDoS) attack is a type of DDoS attack that uses spoofed source IP
addresses to send requests to a third-party server, which then sends responses to the victim server. The attacker exploits the difference in size between the request and the response, which can amplify the amount of traffic sent to the victim server. The attacker also hides their identity by using the victim’s IP address as the source. A RDoS attack can target DNS servers by sending forged DNS queries that generate large DNS responses.

195
Q

A systems administrator wants to prevent users from being able to access data based on their
responsibilities. The administrator also wants to apply the required access structure via a simplified
format. Which of the following should the administrator apply to the site recovery resource group?
A. RBAC
B. ACL
C. SAML
D. GPO

A

Answer: A
Explanation:
RBAC stands for Role-Based Access Control, which is a method of restricting access to data and resources based on the roles or responsibilities of users. RBAC simplifies the management of
permissions by assigning roles to users and granting access rights to roles, rather than to individual
users. RBAC can help enforce the principle of least privilege and reduce the risk of unauthorized
access or data leakage.

196
Q

One of a company’s vendors sent an analyst a security bulletin that recommends a BIOS update.
Which of the following vulnerability types is being addressed by the patch?
A. Virtualization
B. Firmware
C. Application
D. Operating system

A

Answer: B
Explanation:
Firmware is a type of software that is embedded in hardware devices, such as BIOS, routers, printers,
or cameras. Firmware controls the basic functions and operations of the device, and can be updated or patched to fix bugs, improve performance, or enhance security. Firmware vulnerabilities are flaws
or weaknesses in the firmware code that can be exploited by attackers to gain unauthorized access,
modify settings, or cause damage to the device or the network.

197
Q

A security analyst locates a potentially malicious video file on a server and needs to identify both the
creation date and the file’s creator. Which of the following actions would most likely give the security
analyst the information required?
A. Obtain the file’s SHA-256 hash.
B. Use hexdump on the file’s contents.
C. Check endpoint logs.
D. Query the file’s metadata.

A

Answer: D
Explanation:
Metadata is data that describes other data, such as its format, origin, creation date, author, and
other attributes. Video files, like other types of files, can contain metadata that can provide useful
information for forensic analysis. For example, metadata can reveal the camera model, location, date and time, and software used to create or edit the video file.

198
Q

After a recent vulnerability scan, a security engineer needs to harden the routers within the
corporate network. Which of the following is the most appropriate to disable?
A. Console access
B. Routing protocols
C. VLANs
D. Web-based administration

A

Answer: D
Explanation:
Web-based administration is a feature that allows users to configure and manage routers through a
web browser interface. While this feature can provide convenience and ease of use, it can also pose a security risk, especially if the web interface is exposed to the internet or uses weak authentication or encryption methods. Web-based administration can be exploited by attackers to gain unauthorized access to the router’s settings, firmware, or data, or to launch attacks such as cross-site scripting (XSS) or cross-site request forgery (CSRF).

199
Q

Which of the following should a systems administrator use to ensure an easy deployment of
resources within the cloud provider?
A. Software as a service
B. Infrastructure as code
C. Internet of Things
D. Software-defined networking

A

Answer: B
Explanation:
Infrastructure as code (IaC) is a method of using code and automation to manage and provision cloud resources, such as servers, networks, storage, and applications. IaC allows for easy deployment,
scalability, consistency, and repeatability of cloud environments. IaC is also a key component of
DevSecOps, which integrates security into the development and operations processes.

200
Q

An enterprise has been experiencing attacks focused on exploiting vulnerabilities in older browser
versions with well-known exploits. Which of the following security solutions should be configured to
best provide the ability to monitor and block these known signature-based attacks?
A. ACL
B. DLP
C. IDS
D. IPS

A

Answer: D
Explanation:
An intrusion prevention system (IPS) is a security device that monitors network traffic and blocks or modifies malicious packets based on predefined rules or signatures. An IPS can prevent attacks that
exploit known vulnerabilities in older browser versions by detecting and dropping the malicious
packets before they reach the target system. An IPS can also perform other functions, such as rate
limiting, encryption, or redirection.

201
Q

During the onboarding process, an employee needs to create a password for an intranet account. The
password must include ten characters, numbers, and letters, and two special characters. Once the password is created, the company will grant the employee access to other company-owned websites based on the intranet profile. Which of the following access management concepts is the company most likely using to safeguard intranet accounts and grant access to multiple sites based on a user’s
intranet account? (Select two).
A. Federation
B. Identity proofing
C. Password complexity
D. Default password changes
E. Password manager
F. Open authentication

A

Answer: AC
Explanation:
Federation is an access management concept that allows users to authenticate once and access multiple resources or services across different domains or organizations. Federation relies on a
trusted third party that stores the user’s credentials and provides them to the requested resources or services without exposing them. Password complexity is a security measure that requires users to
create passwords that meet certain criteria, such as length, character types, and uniqueness. Password complexity can help prevent brute-force attacks, password guessing, and
credential stuffing by making passwords harder to crack or guess.

202
Q

An administrator is reviewing a single server’s security logs and discovers the following:
Which of the following best describes the action captured in this log file?
A. Brute-force attack
B. Privilege escalation
C. Failed password audit
D. Forgotten password by the user

A

Answer: A
Explanation:

A brute-force attack is a type of attack that involves systematically trying all possible combinations of
passwords or keys until the correct one is found. The log file shows multiple failed login attempts in a
short amount of time, which is a characteristic of a brute-force attack. The attacker is trying to guess
the password of the Administrator account on the server. The log file also shows the event ID 4625,
which indicates a failed logon attempt, and the status code 0xC000006A, which means the user
name is correct but the password is wrong. These are indicators of compromise (IoC) that suggest a brute-force attack is taking place.

203
Q

A security engineer is implementing FDE for all laptops in an organization. Which of the following are
the most important for the engineer to consider as part of the planning process? (Select two).
A. Key escrow
B. TPM presence
C. Digital signatures
D. Data tokenization
E. Public key management
F. Certificate authority linking

A

Answer: AB
Explanation:
Key escrow is a method of storing encryption keys in a secure location, such as a trusted third party
or a hardware security module (HSM). Key escrow is important for FDE because it allows the recovery of encrypted data in case of lost or forgotten passwords, device theft, or hardware failure. Key
escrow also enables authorized access to encrypted data for legal or forensic purposes.
TPM presence is a feature of some laptops that have a dedicated chip for storing encryption keys and other security information. TPM presence is important for FDE because it enhances the security and performance of encryption by generating and protecting the keys within the chip, rather than relying
on software or external devices. TPM presence also enables features such as secure boot, remote
attestation, and device authentication.

204
Q

A hacker gained access to a system via a phishing attempt that was a direct result of a user clicking a
suspicious link. The link laterally deployed ransomware, which laid dormant for multiple weeks,
across the network. Which of the following would have mitigated the spread?
A. IPS
B. IDS
C. WAF
D. UAT

A

Answer: A
Explanation:
IPS stands for intrusion prevention system, which is a network security device that monitors and
blocks malicious traffic in real time. IPS is different from IDS, which only detects and alerts on
malicious traffic, but does not block it. IPS would have mitigated the spread of ransomware by
preventing the hacker from accessing the system via the phishing link, or by stopping the
ransomware from communicating with its command and control server or encrypting the files.

205
Q

A user is attempting to patch a critical system, but the patch fails to transfer. Which of the following
access controls is most likely inhibiting the transfer?
A. Attribute-based
B. Time of day
C. Role-based
D. Least privilege

A

Answer: D
Explanation:
The least privilege principle states that users and processes should only have the minimum level of
access required to perform their tasks. This helps to prevent unauthorized or unnecessary actions
that could compromise security. In this case, the patch transfer might be failing because the user or
process does not have the appropriate permissions to access the critical system or the network
resources needed for the transfer. Applying the least privilege principle can help to avoid this issue
by granting the user or process the necessary access rights for the patching activity.

206
Q

Which of the following is used to protect a computer from viruses, malware, and Trojans being
installed and moving laterally across the network?
A. IDS
B. ACL
C. EDR
D. NAC

A

Answer: C
Explanation:
Endpoint detection and response (EDR) is a technology that monitors and analyzes the activity and behavior of endpoints, such as computers, laptops, mobile devices, and servers. EDR can help to detect and prevent malicious software, such as viruses, malware, and Trojans, from infecting the
endpoints and spreading across the network. EDR can also provide visibility and response capabilities
to contain and remediate threats.

207
Q

A systems administrator set up a perimeter firewall but continues to notice suspicious connections between internal endpoints. Which of the following should be set up in order to mitigate the threat posed by the suspicious activity?
A. Host-based firewall
B. Web application firewall
C. Access control list
D. Application allow list

A

Answer: A
Explanation:
A host-based firewall is a software application that runs on an individual endpoint and filters the
incoming and outgoing network traffic based on a set of rules. A host-based firewall can help to
mitigate the threat posed by suspicious connections between internal endpoints by blocking or
allowing the traffic based on the source, destination, port, protocol, or application. A host-based
firewall is different from a web application firewall, which is a type of firewall that protects web
applications from common web-based attacks, such as SQL injection, cross-site scripting, and session
hijacking.

208
Q

A business received a small grant to migrate its infrastructure to an off-premises solution. Which of the following should be considered first?
A. Security of cloud providers
B. Cost of implementation
C. Ability of engineers
D. Security of architecture

A

Answer: D
Explanation:
Security of architecture is the process of designing and implementing a secure infrastructure that
meets the business objectives and requirements. Security of architecture should be considered first
when migrating to an off-premises solution, such as cloud computing, because it can help to identify
and mitigate the potential risks and challenges associated with the migration, such as data security,
compliance, availability, scalability, and performance.

209
Q

A company is planning a disaster recovery site and needs to ensure that a single natural disaster
would not result in the complete loss of regulated backup data. Which of the following should the
company consider?
A. Geographic dispersion
B. Platform diversity
C. Hot site
D. Load balancing

A

Answer: A
Explanation:
Geographic dispersion is the practice of having backup data stored in different locations that are far enough apart to minimize the risk of a single natural disaster affecting both sites. This ensures that the company can recover its regulated data in case of a disaster at the primary site.

210
Q

A security analyst receives alerts about an internal system sending a large amount of unusual DNS
queries to systems on the internet over short periods of time during non-business hours. Which of
the following is most likely occurring?
A. A worm is propagating across the network.
B. Data is being exfiltrated.
C. A logic bomb is deleting data.
D. Ransomware is encrypting files.

A

Answer: B
Explanation:
Data exfiltration is a technique that attackers use to steal sensitive data from a target system or
network by transmitting it through DNS queries and responses. This method is often used in
advanced persistent threat (APT) attacks, in which attackers seek to persistently evade detection in
the target environment. A large amount of unusual DNS queries to systems on the internet over
short periods of time during non-business hours is a strong indicator of data exfiltration.

211
Q

An employee receives a text message from an unknown number claiming to be the company’s Chief
Executive Officer and asking the employee to purchase several gift cards. Which of the following
types of attacks does this describe?
A. Vishing
B. Smishing
C. Pretexting
D. Phishing

A

Answer: B
Explanation:
Smishing is a type of phishing attack that uses text messages or common messaging apps to trick
victims into clicking on malicious links or providing personal information. The scenario in the question describes a smishing attack that uses pretexting, which is a form of social engineering that
involves impersonating someone else to gain trust or access. The unknown number claims to be the
company’s CEO and asks the employee to purchase gift cards, which is a common scam
tactic.

212
Q

Which of the following would help ensure a security analyst is able to accurately measure the overall
risk to an organization when a new vulnerability is disclosed?
A. A full inventory of all hardware and software
B. Documentation of system classifications
C. A list of system owners and their departments
D. Third-party risk assessment documentation

A

Answer: A
Explanation:
A full inventory of all hardware and software is essential for measuring the overall risk to an
organization when a new vulnerability is disclosed, because it allows the security analyst to identify
which systems are affected by the vulnerability and prioritize the remediation efforts. Without a full
inventory, the security analyst may miss some vulnerable systems or waste time and resources on irrelevant ones.

213
Q

A systems administrator is changing the password policy within an enterprise environment and wants this update implemented on all systems as quickly as possible. Which of the following operating system security measures will the administrator most likely use?
A. Deploying PowerShell scripts
B. Pushing GPO update
C. Enabling PAP
D. Updating EDR profiles

A

Answer: B
Explanation:
A group policy object (GPO) is a mechanism for applying configuration settings to computers and
users in an Active Directory domain. By pushing a GPO update, the systems administrator can quickly and uniformly enforce the new password policy across all systems in the domain. Deploying
PowerShell scripts, enabling PAP, and updating EDR profiles are not the most efficient or effective ways to change the password policy within an enterprise environment.

214
Q

A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly basis. Which of the following types of controls is the company setting up?
A. Corrective
B. Preventive
C. Detective
D. Deterrent

A

Answer: C
Explanation:
A detective control is a type of security control that monitors and analyzes events to detect and report on potential or actual security incidents. A SIEM system is an example of a detective control,
as it collects, correlates, and analyzes security data from various sources and generates alerts for
security teams.

215
Q

Visitors to a secured facility are required to check in with a photo ID and enter the facility through an
access control vestibule. Which of the following best describes this form of security control?
A. Physical
B. Managerial
C. Technical
D. Operational

A

Answer: A
Explanation:
A physical security control is a device or mechanism that prevents unauthorized access to a physical location or asset. An access control vestibule, also known as a mantrap, is a physical security control
that consists of a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. This prevents unauthorized individuals from following authorized individuals into the facility, a practice known as piggybacking or tailgating. A photo ID check is another form of physical security control that verifies the identity of visitors.

216
Q

A company must ensure sensitive data at rest is rendered unreadable. Which of the following will the company most likely use?
A. Hashing
B. Tokenization
C. Encryption
D. Segmentation

A

Answer: C
Explanation:
Encryption is a method of transforming data in a way that makes it unreadable without a secret key
necessary to decrypt the data back into plaintext. Encryption is one of the most common and
effective ways to protect data at rest, as it prevents unauthorized access, modification, or theft of the data.

217
Q

Which of the following describes the maximum allowance of accepted risk?
A. Risk indicator
B. Risk level
C. Risk score
D. Risk threshold

A

Answer: D
Explanation:
Risk threshold is the maximum amount of risk that an organization is willing to accept for a given
activity or decision. It is also known as risk appetite or risk tolerance. Risk threshold helps an
organization to prioritize and allocate resources for risk management.

218
Q

Which of the following incident response activities ensures evidence is properly handled?
A. E-discovery
B. Chain of custody
C. Legal hold
D. Preservation

A

Answer: B
Explanation:
Chain of custody is the process of documenting and preserving the integrity of evidence collected during an incident response. It involves recording the details of each person who handled the evidence, the time and date of each transfer, and the location where the evidence was stored. Chain of custody ensures that the evidence is admissible in legal proceedings and can be traced back to its
source.

219
Q

Which of the following risk management strategies should an enterprise adopt first if a legacy
application is critical to business operations and there are preventative controls that are not yet
implemented?
A. Mitigate
B. Accept
C. Transfer
D. Avoid

A

Answer: A
Explanation:
Mitigate is the risk management strategy that involves reducing the likelihood or impact of a risk. If a legacy application is critical to business operations and there are preventative controls that are not yet implemented, the enterprise should adopt the mitigate strategy first to address the existing
vulnerabilities and gaps in the application.

220
Q

Which of the following teams combines both offensive and defensive testing techniques to protect
an organization’s critical systems?
A. Red
B. Blue
C. Purple
D. Yellow

A

Answer: C
Explanation:
Purple is the team that combines both offensive and defensive testing techniques to protect an
organization’s critical systems. Purple is not a separate team, but rather a collaboration between the red team and the blue team.

221
Q

yellow team

A

The yellow team is the team that builds software solutions, scripts, and other programs that the blue team uses in the security testing.

222
Q

A company is working with a vendor to perform a penetration test. Which of the following includes an estimate about the number of hours required to complete the engagement?
A. SOW
B. BPA
C. SLA
D. NDA

A

Answer: A
Explanation:
A statement of work (SOW) is a document that defines the scope, objectives, deliverables, timeline,
and costs of a project or service. It typically includes an estimate of the number of hours required to
complete the engagement, as well as the roles and responsibilities of the parties involved. A SOW is
often used for penetration testing projects to ensure that both the client and the vendor have a clear
and mutual understanding of what is expected and how the work will be performed.

223
Q

The local administrator account for a company’s VPN appliance was unexpectedly used to log in to the remote management interface. Which of the following would have most likely prevented this
from happening?
A. Using least privilege
B. Changing the default password
C. Assigning individual user IDs
D. Reviewing logs more frequently

A

Answer: B
Explanation:
Changing the default password for the local administrator account on a VPN appliance is a basic
security measure that would have most likely prevented the unexpected login to the remote
management interface. Default passwords are often easy to guess or publicly available, and attackers can use them to gain unauthorized access to devices and systems. Changing the default password to a strong and unique one reduces the risk of brute-force attacks and credential theft.

224
Q

Which of the following would be most useful in determining whether the long-term cost to transfer a risk is less than the impact of the risk?
A. ARO
B. RTO
C. RPO
D. ALE
E. SLE

A

Answer: D
Explanation:
The Annual Loss Expectancy (ALE) is most useful in determining whether the long-term cost to transfer a risk is less than the impact of the risk. ALE is calculated by multiplying the Single Loss
Expectancy (SLE) by the Annualized Rate of Occurrence (ARO), which provides an estimate of the annual expected loss due to a specific risk, making it valuable for long-term financial planning and risk management decisions.

225
Q

A security analyst is investigating an application server and discovers that software on the server is
behaving abnormally. The software normally runs batch jobs locally and does not generate traffic,
but the process is now generating outbound traffic over random high ports. Which of the following
vulnerabilities has likely been exploited in this software?
A. Memory injection
B. Race condition
C. Side loading
D. SQL injection

A

Answer: A
Explanation:
Memory injection vulnerabilities allow unauthorized code or commands to be executed within a software program, leading to abnormal behavior such as generating outbound traffic over random
high ports. This issue often arises from software not properly validating or encoding input, which can
be exploited by attackers to inject malicious code.

226
Q

A company wants to verify that the software the company is deploying came from the vendor the
company purchased the software from. Which of the following is the best way for the company to
confirm this information?
A. Validate the code signature.
B. Execute the code in a sandbox.
C. Search the executable for ASCII strings.
D. Generate a hash of the files.

A

Answer: A
Explanation:
Validating the code signature is the best way to verify software authenticity, as it ensures that the software has not been tampered with and that it comes from a verified source. Code signatures are digital signatures applied by the software vendor, and validating them confirms the software’s integrity and origin.

227
Q

In order to strengthen a password and prevent a hacker from cracking it, a random string of 36
characters was added to the password. Which of the following best describes this technique?
A. Key stretching
B. Tokenization
C. Data masking
D. Salting

A

Answer: D
Explanation:
Adding a random string of characters, known as a “salt,” to a password before hashing it is known as salting. This technique strengthens passwords by ensuring that even if two users have the same
password, their hashes will be different due to the unique salt, making it much harder for attackers
to crack passwords using precomputed tables.

228
Q

SIMULATION
A systems administrator is configuring a site-to-site VPN between two branch offices. Some of the
settings have already been configured correctly. The systems administrator has been provided the
following requirements as part of completing the configuration:
* Most secure algorithms should be selected
* All traffic should be encrypted over the VPN
* A secret password will be used to authenticate the two VPN concentrators

A

To configure the site-to-site VPN between the two branch offices according to the provided
requirements, here are the detailed steps and settings that need to be applied to the VPN
concentrators:
Requirements:
Most secure algorithms should be selected.
All traffic should be encrypted over the VPN.
A secret password will be used to authenticate the two VPN concentrators.
VPN Concentrator 1 Configuration:

Phase 1:
Peer IP address: 5.5.5.10 (The IP address of VPN Concentrator 2)
Auth method: PSK (Pre-Shared Key)
Negotiation mode: MAIN
Encryption algorithm: AES256
Hash algorithm: SHA256
DH key group: 14
Phase 2:
Mode: Tunnel
Protocol: ESP (Encapsulating Security Payload)
Encryption algorithm: AES256
Hash algorithm: SHA256
Local network/mask: 192.168.1.0/24
Remote network/mask: 192.168.2.0/24
VPN Concentrator 2 Configuration:
Phase 1:
Peer IP address: 5.5.5.5 (The IP address of VPN Concentrator 1)
Auth method: PSK (Pre-Shared Key)
Negotiation mode: MAIN
Encryption algorithm: AES256
Hash algorithm: SHA256
DH key group: 14
Phase 2:
Mode: Tunnel
Protocol: ESP (Encapsulating Security Payload)
Encryption algorithm: AES256
Hash algorithm: SHA256
Local network/mask: 192.168.2.0/24
Remote network/mask: 192.168.1.0/24
Summary:
Peer IP Address: Set to the IP address of the remote VPN concentrator.
Auth Method: PSK for using a pre-shared key.
Negotiation Mode: MAIN for the initial setup.
Encryption Algorithm: AES256, which is a strong and secure algorithm.
Hash Algorithm: SHA256, which provides strong hashing.
DH Key Group: 14 for strong Diffie-Hellman key exchange.
Phase 2 Protocol: ESP for encryption and integrity.
Local and Remote Networks: Properly configure the local and remote network addresses to match
each branch office subnet.
By configuring these settings on both VPN concentrators, the site-to-site VPN will meet the
requirements for strong security algorithms, encryption of all traffic, and authentication using a pre-
shared key.

229
Q

Which of the following security concepts is accomplished with the installation of a RADIUS server?
A. CIA
B. AAA
C. ACL
D. PEM

A

Answer: B
Explanation:
The installation of a RADIUS server (Remote Authentication Dial-In User Service) is primarily
associated with the security concept of AAA, which stands for Authentication, Authorization, and
Accounting. RADIUS servers are used to manage user credentials and permissions centrally, ensuring that only authenticated and authorized users can access network resources, and tracking user
activity for accounting purposes.
Authentication: Verifies the identity of a user or device. When a user tries to access a network, the
RADIUS server checks their credentials (username and password) against a database.
Authorization: Determines what an authenticated user is allowed to do. After authentication, the
RADIUS server grants permissions based on predefined policies.
Accounting: Tracks the consumption of network resources by users. This involves logging session
details such as the duration of connections and the amount of data transferred.

230
Q

A software developer released a new application and is distributing application files via the developer’s website. Which of the following should the developer post on the website to allow users
to verify the integrity of the downloaded files?
A. Hashes
B. Certificates
C. Algorithms
D. Salting

A

Answer: A
Explanation:

To verify the integrity of downloaded files, a software developer should post hashes on the website.
A hash is a fixed-length string or number generated from input data, such as a file. When users
download the application files, they can generate their own hash from the downloaded files and
compare it with the hash provided by the developer. If the hashes match, it confirms that the files
have not been altered or corrupted during the download process.
Hashes: Ensure data integrity by allowing users to verify that the downloaded files are identical to the original ones. Common hashing algorithms include MD5, SHA-1, and SHA-256.

231
Q

A company tested and validated the effectiveness of network security appliances within the
corporate network. The IDS detected a high rate of SQL injection attacks against the company’s
servers, and the company’s perimeter firewall is at capacity. Which of the following would be the
best action to maintain security and reduce the traffic to the perimeter firewall?
A. Set the appliance to IPS mode and place it in front of the company firewall.
B. Convert the firewall to a WAF and use IPSec tunnels to increase throughput.
C. Set the firewall to fail open if it is overloaded with traffic and send alerts to the SIEM.
D. Configure the firewall to perform deep packet inspection and monitor TLS traffic.

A

Answer: A
Explanation:
Given the scenario where an Intrusion Detection System (IDS) has detected a high rate of SQL
injection attacks and the perimeter firewall is at capacity, the best action would be to set the
appliance to Intrusion Prevention System (IPS) mode and place it in front of the company firewall.

232
Q

A systems administrator is working on a defense-in-depth strategy and needs to restrict activity from employees after hours. Which of the following should the systems administrator implement?
A. Role-based restrictions
B. Attribute-based restrictions
C. Mandatory restrictions
D. Time-of-day restrictions

A

Answer: D
Explanation:
To restrict activity from employees after hours, the systems administrator should implement time-of-
day restrictions. This method allows access to network resources to be limited to specific times,
ensuring that employees can only access systems during approved working hours. This is an effective
part of a defense-in-depth strategy to mitigate risks associated with unauthorized access during off-
hours, which could be a time when security monitoring might be less stringent.

233
Q

An organization maintains intellectual property that it wants to protect. Which of the following
concepts would be most beneficial to add to the company’s security awareness training program?
A. Insider threat detection
B. Simulated threats
C. Phishing awareness
D. Business continuity planning

A

Answer: A
Explanation:
For an organization that wants to protect its intellectual property, adding insider threat detection to
the security awareness training program would be most beneficial. Insider threats can be particularly
dangerous because they come from trusted individuals within the organization who have legitimate
access to sensitive information.
Insider threat detection: Focuses on identifying and mitigating threats from within the organization,
including employees, contractors, or business partners who might misuse their access.

234
Q

Which of the following risks can be mitigated by HTTP headers?
A. SQLi
B. XSS
C. DoS
D. SSL

A

Answer: B
Explanation:
HTTP headers can be used to mitigate risks associated with Cross-Site Scripting (XSS). Security-
related HTTP headers such as Content Security Policy (CSP) and X-XSS-Protection can be configured
to prevent the execution of malicious scripts in the context of a web page.

235
Q

Which of the following describes the category of data that is most impacted when it is lost?
A. Confidential
B. Public
C. Private
D. Critical

A

Answer: D
Explanation:
The category of data that is most impacted when it is lost is “Critical.” Critical data is essential to the
organization’s operations and often includes sensitive information such as financial records,
proprietary business information, and vital operational data. The loss of critical data can severely
disrupt business operations and have significant financial, legal, and reputational consequences.

236
Q

After performing an assessment, an analyst wants to provide a risk rating for the findings. Which of the following concepts should most likely be considered when calculating the ratings?
A. Owners and thresholds
B. Impact and likelihood
C. Appetite and tolerance
D. Probability and exposure factor

A

Answer: B
Explanation:
When calculating risk ratings, the concepts of impact and likelihood are most likely to be considered.
Risk assessment typically involves evaluating the potential impact of a threat (how severe the
consequences would be if the threat materialized) and the likelihood of the threat occurring (how
probable it is that the threat will occur).

237
Q

Which of the following should a systems administrator set up to increase the resilience of an application by splitting the traffic between two identical sites?
A. Load balancing
B. Geographic dispersion
C. Failover
D. Parallel processing

A

Answer: A
Explanation:
To increase the resilience of an application by splitting the traffic between two identical sites, a systems administrator should set up load balancing. Load balancing distributes network or application traffic across multiple servers or sites, ensuring no single server becomes overwhelmed and enhancing the availability and reliability of applications.
Load balancing: Distributes traffic across multiple servers to ensure high availability and reliability. It
helps in managing the load efficiently and can prevent server overloads.

238
Q

An organization would like to calculate the time needed to resolve a hardware issue with a server.
Which of the following risk management processes describes this example?
A. Recovery point objective
B. Mean time between failures
C. Recovery time objective
D. Mean time to repair

A

Answer: D
Explanation:
Mean time to repair (MTTR) describes the time needed to resolve a hardware issue with a server.
MTTR is a key metric in risk management and maintenance that measures the average time required
to repair a failed component or system and restore it to operational status.

239
Q

Which of the following is most likely to be deployed to obtain and analyze attacker activity and
techniques?
A. Firewall
B. IDS
C. Honeypot
D. Layer 3 switch

A

Answer: C
Explanation:
A honeypot is most likely to be deployed to obtain and analyze attacker activity and techniques. A
honeypot is a decoy system set up to attract attackers, providing an opportunity to study their
methods and behaviors in a controlled environment without risking actual systems.
Honeypot: A decoy system designed to lure attackers, allowing administrators to observe and analyze
attack patterns and techniques.

240
Q

Which of the following would most likely mitigate the impact of an extended power outage on a company’s environment?
A. Hot site
B. UPS
C. Snapshots
D. SOAR

A

Answer: B
Explanation:
A UPS (Uninterruptible Power Supply) would most likely mitigate the impact of an extended power
outage on a company’s environment. A UPS provides backup power and ensures that systems
continue to run during short-term power outages, giving enough time to perform an orderly
shutdown or switch to a longer-term power solution like a generator.
Hot site: A fully operational offsite data center that can be used if the primary site becomes unavailable. It’s more suitable for disaster recovery rather than mitigating short-term power outages.
UPS: Provides immediate backup power, protecting against data loss and hardware damage during
power interruptions.

241
Q

A security analyst is investigating an alert that was produced by endpoint protection software. The analyst determines this event was a false positive triggered by an employee who attempted to
download a file. Which of the following is the most likely reason the download was blocked?
A. A misconfiguration in the endpoint protection software
B. A zero-day vulnerability in the file
C. A supply chain attack on the endpoint protection vendor
D. Incorrect file permissions

A

Answer: A
Explanation:
The most likely reason the download was blocked, resulting in a false positive, is a misconfiguration
in the endpoint protection software. False positives occur when legitimate actions are incorrectly
identified as threats due to incorrect settings or overly aggressive rules in the security software.
Misconfiguration in the endpoint protection software: Common cause of false positives, where
legitimate activities are flagged incorrectly due to improper settings.

242
Q

An organization is required to maintain financial data records for three years and customer data for five years. Which of the following data management policies should the organization implement?
A. Retention
B. Destruction
C. Inventory
D. Certification

A

Answer: A
Explanation:
The organization should implement a retention policy to ensure that financial data records are kept for three years and customer data for five years. A retention policy specifies how long different types of data should be maintained and when they should be deleted.
Retention: Ensures that data is kept for a specific period to comply with legal, regulatory, or business
requirements.

243
Q

department is not using the company VPN when accessing various company-related services and systems. Which of the following scenarios describes this activity?
A. Espionage
B. Data exfiltration
C. Nation-state attack
D. Shadow IT

A

Answer: D
Explanation:
The activity described, where a department is not using the company VPN when accessing various
company-related services and systems, is an example of Shadow IT. Shadow IT refers to the use of IT systems, devices, software, applications, and services without explicit IT department approval.

244
Q

Which of the following is classified as high availability in a cloud environment?
A. Access broker
B. Cloud HSM
C. WAF
D. Load balancer

A

Answer: D
Explanation:
In a cloud environment, high availability is typically ensured through the use of a load balancer. A
load balancer distributes network or application traffic across multiple servers, ensuring that no
single server becomes overwhelmed and that services remain available even if one or more servers fail. This setup enhances the reliability and availability of applications.
Load balancer: Ensures high availability by distributing traffic across multiple servers or instances,
preventing overload and ensuring continuous availability.

245
Q

Which of the following is the best way to secure an on-site data center against intrusion from an
insider?
A. Bollards
B. Access badge
C. Motion sensor
D. Video surveillance

A

Answer: B
Explanation:
To secure an on-site data center against intrusion from an insider, the best measure is to use an
access badge system. Access badges control who can enter restricted areas by verifying their identity
and permissions, thereby preventing unauthorized access from insiders.
Access badge: Provides controlled and monitored access to restricted areas, ensuring that only
authorized personnel can enter.

246
Q

An accounting clerk sent money to an attacker’s bank account after receiving fraudulent instructions
to use a new account. Which of the following would most likely prevent this activity in the future?
A. Standardizing security incident reporting
B. Executing regular phishing campaigns
C. Implementing insider threat detection measures
D. Updating processes for sending wire transfers

A

Answer: D
Explanation:
To prevent an accounting clerk from sending money to an attacker’s bank account due to fraudulent
instructions, the most effective measure would be updating the processes for sending wire transfers.
This can include implementing verification steps, such as requiring multiple approvals for changes in payment instructions and directly confirming new account details with trusted sources.
Updating processes for sending wire transfers: Involves adding verification and approval steps to prevent fraudulent transfers.

247
Q

The CIRT is reviewing an incident that involved a human resources recruiter exfiltrating sensitive
company data. The CIRT found that the recruiter was able to use HTTP over port 53 to upload documents to a web server. Which of the following security infrastructure devices could have identified and blocked this
activity?
A. WAF utilizing SSL decryption
B. NGFW utilizing application inspection
C. UTM utilizing a threat feed
D. SD-WAN utilizing IPSec

A

Answer: B
Explanation:
An NGFW (Next-Generation Firewall) utilizing application inspection could have identified and blocked the unusual use of HTTP over port 53. Application inspection allows NGFWs to analyze traffic at the application layer, identifying and blocking suspicious or non-standard protocol usage, such as HTTP traffic on DNS port 53.
NGFW utilizing application inspection: Inspects traffic at the application layer and can block non-
standard protocol usage, such as HTTP over port 53.

248
Q

Which of the following most impacts an administrator’s ability to address CVEs discovered on a
server?
A. Rescanning requirements
B. Patch availability
C. Organizational impact
D. Risk tolerance

A

Answer: B
Explanation:
Patch availability most impacts an administrator’s ability to address Common Vulnerabilities and
Exposures (CVEs) discovered on a server. If a patch is not available for a discovered vulnerability, the administrator cannot remediate the issue directly through patching, which leaves the system
exposed until a patch is released.
Patch availability: Directly determines whether a discovered vulnerability can be fixed promptly.
Without available patches, administrators must look for other mitigation strategies.

249
Q

After conducting a vulnerability scan, a systems administrator notices that one of the identified vulnerabilities is not present on the systems that were scanned. Which of the following describes this
example?
A. False positive
B. False negative
C. True positive
D. True negative

A

Answer: A
Explanation:
A false positive occurs when a vulnerability scan identifies a vulnerability that is not actually present
on the systems that were scanned. This means that the scan has incorrectly flagged a system as
vulnerable.
False positive: Incorrectly identifies a vulnerability that does not exist on the scanned systems.

250
Q

Which of the following best describes configuring devices to log to an off-site location for possible future reference?
A. Log aggregation
B. DLP
C. Archiving
D. SCAP

A

Answer: A
Explanation:
Configuring devices to log to an off-site location for possible future reference is best described as log
aggregation. Log aggregation involves collecting logs from multiple sources and storing them in a
centralized location, often off-site, to ensure they are preserved and can be analyzed in the future.
Log aggregation: Centralizes log data from multiple devices, making it easier to analyze and ensuring logs are available for future reference.

251
Q

Which of the following security concepts is being followed when implementing a product that offers protection against DDoS attacks?
A. Availability
B. Non-repudiation
C. Integrity
D. Confidentiality

A

Answer: A
Explanation:
When implementing a product that offers protection against Distributed Denial of Service (DDoS)
attacks, the security concept being followed is availability. DDoS protection ensures that systems and services remain accessible to legitimate users even under attack, maintaining the availability of
network resources.
Availability: Ensures that systems and services are accessible when needed, which is directly
addressed by DDoS protection.

252
Q

A security analyst is reviewing the source code of an application in order to identify
misconfigurations and vulnerabilities. Which of the following kinds of analysis best describes this review?
A. Dynamic
B. Static
C. Gap
D. Impact

A

Answer: B
Explanation:
Reviewing the source code of an application to identify misconfigurations and vulnerabilities is best
described as static analysis. Static analysis involves examining the code without executing the
program. It focuses on finding potential security issues, coding errors, and vulnerabilities by
analyzing the code itself.
Static analysis: Analyzes the source code or compiled code for vulnerabilities without executing the program.
Dynamic analysis: Involves testing and evaluating the program while it is running to identify
vulnerabilities.

253
Q

A company is most likely developing a critical system for the government and is storing project information on a fileshare. Which of the following describes how this data will be classified? (Select
two).
A. Private
B. Confidential
C. Public
D. Operational
E. Urgent
F. Restricted

A

Answer: B, F
Explanation:
When a company is developing a critical system for the government and storing project information on a fileshare, the data will most likely be classified as Confidential and Restricted.
Confidential: Indicates that the data is sensitive and access is limited to authorized individuals. This classification is typically used for information that could cause harm if disclosed.
Restricted: Indicates that access to the data is highly controlled and limited to those with a specific
need to know. This classification is often used for highly sensitive information that requires stringent protection measures.

254
Q

Which of the following would be used to detect an employee who is emailing a customer list to a personal account before leaving the company?
A. DLP
B. FIM
C. IDS
D. EDR

A

Answer: A
Explanation:
To detect an employee who is emailing a customer list to a personal account before leaving the
company, a Data Loss Prevention (DLP) system would be used. DLP systems are designed to detect and prevent unauthorized transmission of sensitive data.
DLP (Data Loss Prevention): Monitors and controls data transfers to ensure sensitive information is not sent to unauthorized recipients.

255
Q

An engineer moved to another team and is unable to access the new team’s shared folders while still being able to access the shared folders from the former team. After opening a ticket, the engineer discovers that the account was never moved to the new group. Which of the following access controls is most likely causing the lack of access?
A. Role-based
B. Discretionary
C. Time of day
D. Least privilege

A

Answer: A
Explanation:
The most likely access control causing the lack of access is role-based access control (RBAC). In RBAC,
access to resources is determined by the roles assigned to users. Since the engineer’s account was
not moved to the new group’s role, the engineer does not have the necessary permissions to access the new team’s shared folders.
Role-based access control (RBAC): Assigns permissions based on the user’s role within the
organization. If the engineer’s role does not include the new group’s permissions, access will be
denied.

256
Q

Which of the following penetration testing teams is focused only on trying to compromise an
organization using an attacker’s tactics?
A. White
B. Red
C. Purple
D. Blue

A

Answer: B
Explanation:
Red teams are focused only on trying to compromise an organization using an attacker’s tactics. They
simulate real-world attacks to test the effectiveness of the organization’s security defenses and identify vulnerabilities.
Red team: Acts as adversaries to simulate attacks and find security weaknesses.

257
Q

A manager receives an email that contains a link to receive a refund. After hovering over the link, the
manager notices that the domain’s URL points to a suspicious link. Which of the following security
practices helped the manager to identify the attack?
A. End user training
B. Policy review
C. URL scanning
D. Plain text email

A

Answer: A
Explanation:
The security practice that helped the manager identify the suspicious link is end-user training.
Training users to recognize phishing attempts and other social engineering attacks, such as hovering
over links to check the actual URL, is a critical component of an organization’s security awareness program.
End user training: Educates employees on how to identify and respond to security threats, including
suspicious emails and phishing attempts.

258
Q

To improve the security at a data center, a security administrator implements a CCTV system and
posts several signs about the possibility of being filmed. Which of the following best describe these types of controls? (Select two).
A. Preventive
B. Deterrent
C. Corrective
D. Directive
E. Compensating
F. Detective

A

Answer: B, F
Explanation:
The CCTV system and signs about the possibility of being filmed serve as both deterrent and
detective controls.
Deterrent controls: Aim to discourage potential attackers from attempting unauthorized actions.
Posting signs about CCTV serves as a deterrent by warning individuals that their actions are being
monitored.
Detective controls: Identify and record unauthorized or suspicious activity. The CCTV system itself
functions as a detective control by capturing and recording footage that can be reviewed later.

259
Q

During a recent breach, employee credentials were compromised when a service desk employee
issued an MFA bypass code to an attacker who called and posed as an employee. Which of the
following should be used to prevent this type of incident in the future?
A. Hardware token MFA
B. Biometrics
C. Identity proofing
D. Least privilege

A

Answer: C
Explanation:
To prevent the issuance of an MFA bypass code to an attacker posing as an employee, implementing
identity proofing would be most effective. Identity proofing involves verifying the identity of
individuals before granting access or providing sensitive information.
Identity proofing: Ensures that the person requesting the MFA bypass is who they claim to be,
thereby preventing social engineering attacks where attackers pose as legitimate employees.

260
Q

The marketing department set up its own project management software without telling the appropriate departments. Which of the following describes this scenario?
A. Shadow IT
B. Insider threat
C. Data exfiltration
D. Service disruption

A

Answer: A
Explanation:
The marketing department setting up its own project management software without informing the
appropriate departments is an example of Shadow IT. Shadow IT refers to the use of IT systems,
devices, software, applications, and services without explicit approval from the IT department.
Shadow IT: Involves the use of unauthorized systems and applications within an organization, which can lead to security risks and compliance issues.

261
Q

A network administrator is working on a project to deploy a load balancer in the company’s cloud
environment. Which of the following fundamental security requirements does this project fulfill?
A. Privacy
B. Integrity
C. Confidentiality
D. Availability

A

Answer: D
Explanation:
Deploying a load balancer in the company’s cloud environment primarily fulfills the fundamental
security requirement of availability. A load balancer distributes incoming network traffic across
multiple servers, ensuring that no single server becomes overwhelmed and that the service remains available even if some servers fail.
Availability: Ensures that services and resources are accessible when needed, which is directly
supported by load balancing.

262
Q

A security engineer needs to configure an NGFW to minimize the impact of the increasing number of
various traffic types during attacks. Which of the following types of rules is the engineer the most likely to configure?
A. Signature-based
B. Behavioral-based
C. URL-based
D. Agent-based

A

Answer: B
Explanation:
To minimize the impact of the increasing number of various traffic types during attacks, a security
engineer is most likely to configure behavioral-based rules on a Next-Generation Firewall (NGFW).
Behavioral-based rules analyze the behavior of traffic patterns and can detect and block unusual or malicious activity that deviates from normal behavior.
Behavioral-based: Detects anomalies by comparing current traffic behavior to known good behavior,
making it effective against various traffic types during attacks.

263
Q

A security administrator identifies an application that is storing data using MD5. Which of the
following best identifies the vulnerability likely present in the application?
A. Cryptographic
B. Malicious update
C. Zero day
D. Side loading

A

Answer: A
Explanation:
The vulnerability likely present in the application that is storing data using MD5 is a cryptographic
vulnerability. MD5 is considered to be a weak hashing algorithm due to its susceptibility to collision attacks, where two different inputs produce the same hash output, compromising data integrity and
security.
Cryptographic: Refers to vulnerabilities in cryptographic algorithms or implementations, such as the weaknesses in MD5.

264
Q

A company that is located in an area prone to hurricanes is developing a disaster recovery plan and looking at site considerations that allow the company to immediately continue operations. Which of
the following is the best type of site for this company?
A. Cold
B. Tertiary
C. Warm
D. Hot

A

Answer: D
Explanation:
For a company located in an area prone to hurricanes and needing to immediately continue
operations, the best type of site is a hot site. A hot site is a fully operational offsite data center that is
equipped with hardware, software, and network connectivity and is ready to take over operations
with minimal downtime.
Hot site: Fully operational and can take over business operations almost immediately after a disaster.

265
Q

Which of the following security controls is most likely being used when a critical legacy server is
segmented into a private network?
A. Deterrent
B. Corrective
C. Compensating
D. Preventive

A

Answer: C
Explanation:
When a critical legacy server is segmented into a private network, the security control being used is compensating. Compensating controls are alternative measures put in place to satisfy a security requirement when the primary control is not feasible or practical. In this case, segmenting the legacy server into a private network serves as a compensating control to protect it from potential
vulnerabilities that cannot be mitigated directly.
Compensating: Provides an alternative method to achieve the desired security outcome when the primary control is not possible.

266
Q

A company hired a security manager from outside the organization to lead security operations.
Which of the following actions should the security manager perform first in this new role?
A. Establish a security baseline.
B. Review security policies.
C. Adopt security benchmarks.
D. Perform a user ID revalidation.

A

Answer: B
Explanation:
When a security manager is hired from outside the organization to lead security operations, the first action should be to review the existing security policies. Understanding the current security policies provides a foundation for identifying strengths, weaknesses, and areas that require improvement,
ensuring that the security program aligns with the organization’s goals and regulatory requirements.
Review security policies: Provides a comprehensive understanding of the existing security
framework, helping the new manager to identify gaps and areas for enhancement.

267
Q

A company is decommissioning its physical servers and replacing them with an architecture that will
reduce the number of individual operating systems. Which of the following strategies should the company use to achieve this security requirement?
A. Microservices
B. Containerization
C. Virtualization
D. Infrastructure as code

A

Answer: B
Explanation:
To reduce the number of individual operating systems while decommissioning physical servers, the company should use containerization. Containerization allows multiple applications to run in isolated
environments on a single operating system, significantly reducing the overhead compared to running multiple virtual machines, each with its own OS.

268
Q

An organization wants to ensure the integrity of compiled binaries in the production environment.
Which of the following security measures would best support this objective?
A. Input validation
B. Code signing
C. SQL injection
D. Static analysis

A

Answer: B
Explanation:
To ensure the integrity of compiled binaries in the production environment, the best security
measure is code signing. Code signing uses digital signatures to verify the authenticity and integrity
of the software, ensuring that the code has not been tampered with or altered after it was signed.
Code signing: Involves signing code with a digital signature to verify its authenticity and integrity,
ensuring the compiled binaries have not been altered.

269
Q

A systems administrator would like to deploy a change to a production system. Which of the
following must the administrator submit to demonstrate that the system can be restored to a working state in the event of a performance issue?
A. Backout plan
B. Impact analysis
C. Test procedure
D. Approval procedure

A

Answer: A
Explanation:
To demonstrate that the system can be restored to a working state in the event of a performance
issue after deploying a change, the systems administrator must submit a backout plan. A backout
plan outlines the steps to revert the system to its previous state if the new deployment causes
problems.
Backout plan: Provides detailed steps to revert changes and restore the system to its previous state in
case of issues, ensuring minimal disruption and quick recovery.

270
Q

A security administrator is configuring fileshares. The administrator removed the default permissions
and added permissions for only users who will need to access the fileshares as part of their job duties. Which of the following best describes why the administrator performed these actions?
A. Encryption standard compliance
B. Data replication requirements
C. Least privilege
D. Access control monitoring

A

Answer: C
Explanation:
The security administrator’s actions of removing default permissions and adding permissions only for
users who need access as part of their job duties best describe the principle of least privilege. This
principle ensures that users are granted the minimum necessary access to perform their job
functions, reducing the risk of unauthorized access or data breaches.
Least privilege: Limits access rights for users to the bare minimum necessary for their job duties, enhancing security by reducing potential attack surfaces.

271
Q

Which of the following describes effective change management procedures?
A. Approving the change after a successful deployment
B. Having a backout plan when a patch fails
C. Using a spreadsheet for tracking changes
D. Using an automatic change control bypass for security updates

A

Answer: B
Explanation:
Effective change management procedures include having a backout plan when a patch fails. A
backout plan ensures that there are predefined steps to revert the system to its previous state if the new change or patch causes issues, thereby minimizing downtime and mitigating potential negative impacts.
Having a backout plan when a patch fails: Essential for ensuring that changes can be safely reverted in case of problems, maintaining system stability and availability.

272
Q

Which of the following tasks is typically included in the BIA process?
A. Estimating the recovery time of systems
B. Identifying the communication strategy
C. Evaluating the risk management plan
D. Establishing the backup and recovery procedures
E. Developing the incident response plan

A

Answer: A
Explanation:
Estimating the recovery time of systems is a task typically included in the Business Impact Analysis
(BIA) process. BIA involves identifying the critical functions of a business and determining the impact of a disruption. This includes estimating how long it will take to recover systems and resume normal
operations.

273
Q

An administrator needs to perform server hardening before deployment. Which of the following
steps should the administrator take? (Select two).
A. Disable default accounts.
B. Add the server to the asset inventory.
C. Remove unnecessary services.
D. Document default passwords.
E. Send server logs to the SIEM.
F. Join the server to the corporate domain.

A

Answer: A, C
Explanation:
To perform server hardening before deployment, the administrator should disable default accounts
and remove unnecessary services. These steps are crucial to reducing the attack surface and
enhancing the security of the server.
Disable default accounts: Default accounts often come with default credentials that are well-known and can be exploited by attackers. Disabling these accounts helps prevent unauthorized access.
Remove unnecessary services: Unnecessary services can introduce vulnerabilities and be exploited by attackers. Removing them reduces the number of potential attack vectors.

274
Q

A company would like to provide employees with computers that do not have access to the internet in order to prevent information from being leaked to an online forum. Which of the following would be best for the systems administrator to implement?
A. Air gap
B. Jump server
C. Logical segmentation
D. Virtualization

A

Answer: A
Explanation:
To provide employees with computers that do not have access to the internet and prevent
information leaks to an online forum, implementing an air gap would be the best solution. An air gap physically isolates the computer or network from any outside connections, including the internet, ensuring that data cannot be transferred to or from the system.
Air gap: A security measure that isolates a computer or network from the internet or other networks, preventing any form of electronic communication with external systems.

275
Q

Which of the following best describes a penetration test that resembles an actual external attack?
A. Known environment
B. Partially known environment
C. Bug bounty
D. Unknown environment

A

Answer: D
Explanation:
An unknown environment in penetration testing, also known as a black-box test, simulates an actual
external attack where the tester has no prior knowledge of the system. This type of penetration test is designed to mimic real-world attack scenarios, where an attacker has little to no information about the target environment. The tester must rely on various reconnaissance and attack techniques to uncover vulnerabilities, much like a real-world attacker would. This approach helps organizations understand their security posture from an external perspective, providing insights into how their defenses would hold up against a true outsider threat.

276
Q

A company is implementing a vendor’s security tool in the cloud. The security director does not want to manage users and passwords specific to this tool but would rather utilize the company’s standard user directory. Which of the following should the company implement?
A. 802.1X
B. SAML
C. RADIUS
D. CHAP

A

Answer: B
Explanation:
The company should implement Security Assertion Markup Language (SAML) to integrate the
vendor’s security tool with their existing user directory. SAML is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP), enabling Single Sign-On
(SSO). This allows the company to use its existing directory services for authentication, avoiding the need to manage a separate set of user credentials for the new tool.

277
Q

An employee fell for a phishing scam, which allowed an attacker to gain access to a company PC. The attacker scraped the PC’s memory to find other credentials. Without cracking these credentials, the
attacker used them to move laterally through the corporate network. Which of the following
describes this type of attack?
A. Privilege escalation
B. Buffer overflow
C. SQL injection
D. Pass-the-hash

A

Answer: D
Explanation:
The scenario describes an attacker who obtained credentials from a compromised system’s memory and used them without cracking to move laterally within the network. This technique is known as a “pass-the-hash” attack, where the attacker captures hashed credentials (e.g., NTLM hashes) and uses them to authenticate and gain access to other systems without needing to know the plaintext password. This is a common attack method in environments where weak security practices or outdated protocols are in use.

278
Q

A company wants to reduce the time and expense associated with code deployment. Which of the following technologies should the company utilize?
A. Serverless architecture
B. Thin clients
C. Private cloud
D. Virtual machines

A

Answer: A
Explanation:
Serverless architecture allows companies to deploy code without managing the underlying
infrastructure. This approach significantly reduces the time and expense involved in code
deployment because developers can focus solely on writing code, while the cloud provider manages the servers, scaling, and maintenance. Serverless computing also enables automatic scaling and pay-per-execution billing, which further optimizes costs.

279
Q

A security team created a document that details the order in which critical systems should be
brought back online after a major outage. Which of the following documents did the team create?
A. Communication plan
B. Incident response plan
C. Data retention policy
D. Disaster recovery plan

A

Answer: D
Explanation:
The document described in the question is a Disaster Recovery Plan (DRP). A DRP outlines the
process and procedures for restoring critical systems and operations after a major disruption or
outage. It includes the order in which systems should be brought back online to ensure minimal
impact on business operations, prioritizing the most critical systems to recover first.

280
Q

Which of the following best represents an application that does not have an on-premises
requirement and is accessible from anywhere?
A. PaaS
B. Hybrid cloud
C. Private cloud
D. IaaS
E. SaaS

A

Answer: E
Explanation:
Software as a Service (SaaS) represents an application that is hosted in the cloud and accessible via the internet from anywhere, with no requirement for on-premises infrastructure. SaaS applications
are managed by a third-party provider, allowing users to access them through a web browser, making them highly scalable and flexible for remote access.

281
Q

A company is utilizing an offshore team to help support the finance department. The company wants to keep the data secure by keeping it on a company device but does not want to provide equipment to the offshore team. Which of the following should the company implement to meet this requirement?
A. VDI
B. MDM
C. VPN
D. VPC

A

Answer: A
Explanation:
Virtual Desktop Infrastructure (VDI) allows a company to host desktop environments on a centralized server. Offshore teams can access these virtual desktops remotely, ensuring that sensitive data stays
within the company’s infrastructure without the need to provide physical devices to the team. This
solution is ideal for maintaining data security while enabling remote work, as all data processing occurs on the company’s secure servers.

282
Q

The application development teams have been asked to answer the following questions:
* Does this application receive patches from an external source?
* Does this application contain open-source code?
* Is this application accessible by external users?
* Does this application meet the corporate password standard?
Which of the following are these questions part of?
A. Risk control self-assessment
B. Risk management strategy
C. Risk acceptance
D. Risk matrix

A

Answer: A
Explanation:
The questions listed are part of a Risk Control Self-Assessment (RCSA), which is a process where
teams evaluate the risks associated with their operations and assess the effectiveness of existing
controls. The questions focus on aspects such as patch management, the use of open-source code,
external access, and compliance with corporate standards, all of which are critical for identifying and
mitigating risks.

283
Q

An administrator is investigating an incident and discovers several users' computers were infected with malware after viewing files that were shared with them. The administrator discovers no degraded performance in the infected machines and an examination of the log files does not show
excessive failed logins. Which of the following attacks is most likely the cause of the malware?
A. Malicious flash drive
B. Remote access Trojan
C. Brute-forced password
D. Cryptojacking

A

Answer: D
Explanation:
Cryptojacking is the likely cause in this scenario. It involves malware that hijacks the resources of
infected computers to mine cryptocurrency, usually without the user’s knowledge. This type of attack doesn’t typically degrade performance significantly or result in obvious system failures, which matches the situation described, where the machines showed no signs of degraded performance or
excessive failed logins.

284
Q

Which of the following is an algorithm performed to verify that data has not been modified?
A. Hash
B. Code check
C. Encryption
D. Checksum

A

Answer: A
Explanation:
A hash is an algorithm used to verify data integrity by generating a fixed-size string of characters from input data. If even a single bit of the input data changes, the hash value will change, allowing users to detect any modification to the data. Hashing algorithms like SHA-256 and MD5 are
commonly used to ensure data has not been altered.

285
Q

An employee recently resigned from a company. The employee was responsible for managing and
supporting weekly batch jobs over the past five years. A few weeks after the employee resigned, one of the batch jobs failed and caused a major disruption. Which of the following would work best to prevent this type of incident from reoccurring?
A. Job rotation
B. Retention
C. Outsourcing
D. Separation of duties

A

Answer: A
Explanation:
Job rotation is a security control that involves regularly moving employees to different roles within an organization. This practice helps prevent incidents where a single employee has too much control
or knowledge about a specific job function, reducing the risk of disruption when an employee leaves.
It also helps in identifying any hidden issues or undocumented processes that could cause problems
after an employee’s departure.

286
Q

A security manager is implementing MFA and patch management. Which of the following would best describe the control type and category? (Select two).
A. Physical
B. Managerial
C. Detective
D. Administrator
E. Preventative
F. Technical

A

Answer: E, F
Explanation:
Multi-Factor Authentication (MFA) and patch management are both examples of preventative and
technical controls. MFA prevents unauthorized access by requiring multiple forms of verification, and
patch management ensures that systems are protected against vulnerabilities by applying updates.
Both of these controls are implemented using technical methods, and they work to prevent security incidents before they occur.

287
Q

An organization implemented cloud-managed IP cameras to monitor building entry points and sensitive areas. The service provider enables direct TCP/IP connection to stream live video footage from each camera. The organization wants to ensure this stream is encrypted and authenticated. Which of the following protocols should be implemented to best meet this objective?
A. SSH
B. SRTP
C. S/MIME
D. PPTP

A

Answer: B
Explanation:
Secure Real-Time Transport Protocol (SRTP) is a security protocol used to encrypt and authenticate the streaming of audio and video over IP networks. It ensures that the video streams from the IP cameras are both encrypted to prevent unauthorized access and authenticated to verify the integrity of the stream, making it the ideal choice for securing video surveillance.

288
Q

A security analyst discovers that a large number of employee credentials had been stolen and were
being sold on the dark web. The analyst investigates and discovers that some hourly employee
credentials were compromised, but salaried employee credentials were not affected.
Most employees clocked in and out while they were inside the building using one of the kiosks
connected to the network. However, some clocked out and recorded their time after leaving to go
home. Only those who clocked in and out while inside the building had credentials stolen. Each of
the kiosks are on different floors, and there are multiple routers, since the business segments
environments for certain business functions.
Hourly employees are required to use a website called acmetimekeeping.com to clock in and out.
This website is accessible from the internet. Which of the following is the most likely reason for this
compromise?
A. A brute-force attack was used against the time-keeping website to scan for common passwords.
B. A malicious actor compromised the time-keeping website with malicious code using an unpatched
vulnerability on the site, stealing the credentials.
C. The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious
domain that intercepted the credentials and then passed them through to the real site.
D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the
submitted credentials to a machine.

A

Answer: B
Explanation:
The scenario suggests that only the employees who used the kiosks inside the building had their
credentials compromised. Since the time-keeping website is accessible from the internet, it is
possible that a malicious actor exploited an unpatched vulnerability in the site, allowing them to
inject malicious code that captured the credentials of those who logged in from the kiosks. This is a
common attack vector for stealing credentials from web applications.

289
Q

A business uses Wi-Fi with content filtering enabled. An employee noticed a coworker accessed a
blocked site from a work computer and reported the issue. While investigating the issue, a security administrator found another device providing internet access to certain employees. Which of the following best describes the security risk?
A. The host-based security agent is not running on all computers.
B. A rogue access point is allowing users to bypass controls.
C. Employees who have certain credentials are using a hidden SSID.
D. A valid access point is being jammed to limit availability.

A

Answer: B
Explanation:
The presence of another device providing internet access that bypasses the content filtering system
indicates the existence of a rogue access point. Rogue access points are unauthorized devices that
can create a backdoor into the network, allowing users to bypass security controls like content
filtering. This presents a significant security risk as it can expose the network to unauthorized access
and potential data breaches.

290
Q

Which of the following is most likely associated with introducing vulnerabilities on a corporate
network by the deployment of unapproved software?
A. Hacktivists
B. Script kiddies
C. Competitors
D. Shadow IT

A

Answer: D
Explanation:
Shadow IT refers to the use of information technology systems, devices, software, applications, and
services without explicit IT department approval. This is the most likely cause of introducing
vulnerabilities on a corporate network by deploying unapproved software, as such software may not have been vetted for security compliance, increasing the risk of vulnerabilities.

291
Q

Two companies are in the process of merging. The companies need to decide how to standardize their information security programs. Which of the following would best align the security programs?
A. Shared deployment of CIS baselines
B. Joint cybersecurity best practices
C. Both companies following the same CSF
D. Assessment of controls in a vulnerability report

A

Answer: C
Explanation:
A Cybersecurity Framework (CSF) provides a structured approach to standardizing and aligning
security programs across different organizations. By both companies adopting the same CSF, they can
ensure that their security measures, policies, and practices are consistent, which is essential during a
merger when aligning two different security programs.

292
Q

A network administrator deployed a DNS logging tool that logs suspicious websites that are visited
and then sends a daily report based on various weighted metrics. Which of the following best
describes the type of control the administrator put in place?
A. Preventive
B. Deterrent
C. Corrective
D. Detective

A

Answer: D
Explanation:
The tool that the network administrator deployed is described as one that logs suspicious websites
and sends a daily report based on various weighted metrics. This fits the description of a detective
control. Detective controls are designed to identify and log security events or incidents after they
have occurred. By analyzing these logs and generating reports, the tool helps in detecting potential security breaches, thus allowing for further investigation and response.

293
Q

Which of the following is best used to detect fraud by assigning employees to different roles?
A. Least privilege
B. Mandatory vacation
C. Separation of duties
D. Job rotation

A

Answer: D
Explanation:
Job rotation is a strategy used in organizations to detect and prevent fraud by periodically assigning
employees to different roles within the organization. This approach helps ensure that no single employee has exclusive control over a specific process or set of tasks for an extended period, thereby
reducing the opportunity for fraudulent activities to go unnoticed. By rotating roles, organizations
can uncover irregularities and discrepancies that might have been concealed by an employee who had prolonged access to sensitive functions. Job rotation also promotes cross-training, which can
enhance the organization’s overall resilience and flexibility.

294
Q

A systems administrator wants to implement a backup solution. The solution needs to allow recovery of the entire system, including the operating system, in case of a disaster. Which of the following backup types should the administrator consider?
A. Incremental
B. Storage area network
C. Differential
D. Image

A

Answer: D
Explanation:
An image backup, also known as a full system backup, captures the entire contents of a system, including the operating system, applications, settings, and all data. This type of backup allows for a
complete recovery of the system in case of a disaster, as it includes everything needed to restore the system to its previous state. This makes it the ideal choice for a systems administrator who needs to ensure the ability to recover the entire system, including the OS.

295
Q

A spoofed identity was detected for a digital certificate. Which of the following are the type of
unidentified key and the certificate that could be in use on the company domain?
A. Private key and root certificate
B. Public key and expired certificate
C. Private key and self-signed certificate
D. Public key and wildcard certificate

A

Answer: C
Explanation:
A self-signed certificate is a certificate that is signed by its own private key rather than by a trusted
certificate authority (CA). This means that the authenticity of the certificate relies solely on the issuer’s own authority. If a spoofed identity was detected, it could indicate that a private key
associated with a self-signed certificate was compromised. Self-signed certificates are often used
internally within organizations, but they carry higher risks since they are not validated by a third-party CA, making them more susceptible to spoofing.

296
Q

Which of the following would most likely be configured to meet the requirements?
A. Tokenization
B. S/MIME
C. DLP
D. MFA

A

Answer: C
Explanation:
Data Loss Prevention (DLP) systems are typically configured to protect sensitive data such as
Personally Identifiable Information (PII) within an organization. DLP tools enforce policies that
monitor, detect, and block the unauthorized transmission of sensitive data. By leveraging the
organization’s existing labeling and classification system, DLP solutions can identify and protect data
based on its classification, ensuring that PII is appropriately secured according to organizational policies.

297
Q

An analyst is reviewing an incident in which a user clicked on a link in a phishing email. Which of the following log sources would the analyst utilize to determine whether the connection was successful?
A. Network
B. System
C. Application
D. Authentication

A

Answer: A
Explanation:
To determine whether the connection was successful after a user clicked on a link in a phishing
email, the most relevant log source to analyze would be the network logs. These logs would provide
information on outbound and inbound traffic, allowing the analyst to see if the user’s system
connected to the remote server specified in the phishing link. Network logs can include details such
as IP addresses, domains accessed, and the success or failure of connections, which are crucial for
understanding the impact of the phishing attempt.

298
Q

The Chief Information Security Officer (CISO) asks a security analyst to install an OS update to a
production VM that has a 99% uptime SLA. The CISO tells the analyst the installation must be done as quickly as possible. Which of the
following courses of action should the security analyst take first?
A. Log in to the server and perform a health check on the VM.
B. Install the patch immediately.
C. Confirm that the backup service is running.
D. Take a snapshot of the VM.

A

Answer: D
Explanation:
Before applying any updates or patches to a production VM, especially one with a 99% uptime SLA, it is crucial to first take a snapshot of the VM. This snapshot serves as a backup that can be quickly
restored in case the update causes any issues, ensuring that the system can be returned to its
previous state without violating the SLA. This step mitigates risk and is a standard best practice in
change management for critical systems.

299
Q

Since a recent upgrade to a WLAN infrastructure, several mobile users have been unable to access
the internet from the lobby. The networking team performs a heat map survey of the building and finds several WAPs in the area. The WAPs are using similar frequencies with high power settings. Which of the following
installation considerations should the security team evaluate next?
A. Channel overlap
B. Encryption type
C. New WLAN deployment
D. WAP placement

A

Answer: A
Explanation:
When multiple Wireless Access Points (WAPs) are using similar frequencies with high power settings,
it can cause channel overlap, leading to interference and connectivity issues. This is likely the reason
why mobile users are unable to access the internet in the lobby. Evaluating and adjusting the channel
settings on the WAPs to avoid overlap is crucial to resolving the connectivity problems.

300
Q

An employee in the accounting department receives an email containing a demand for payment for
services performed by a vendor. However, the vendor is not in the vendor management database.
Which of the following is this scenario an example of?
A. Pretexting
B. Impersonation
C. Ransomware
D. Invoice scam

A

Answer: D
Explanation:
The scenario describes an instance where an employee receives a fraudulent invoice from a vendor that is not recognized in the company’s vendor management system. This is a classic example of an
invoice scam, where attackers attempt to trick organizations into making payments for fake or non-
existent services. These scams often rely on social engineering tactics to bypass financial controls.

301
Q

While considering the organization’s cloud-adoption strategy, the Chief Information Security Officer sets a goal to outsource patching of firmware, operating systems, and applications to the chosen cloud vendor. Which of the following best meets this goal?
A. Community cloud
B. PaaS
C. Containerization
D. Private cloud
E. SaaS
F. IaaS

A

Answer: E
Explanation:
Software as a Service (SaaS) is the cloud model that best meets the goal of outsourcing the
management, including patching, of firmware, operating systems, and applications to the cloud
vendor. In a SaaS environment, the cloud provider is responsible for maintaining and updating the entire software stack, allowing the organization to focus on using the software rather than managing
its infrastructure.

302
Q

A security analyst is assessing several company firewalls. Which of the following tools would the analyst most likely use to generate custom packets to use during the assessment?
A. hping
B. Wireshark
C. PowerShell
D. netstat

A

Answer: A
Explanation:
hping is a specialized tool designed specifically for crafting custom packets. It allows security analysts to create custom TCP, UDP, or ICMP packets with various parameters like source and destination IP addresses, port numbers, packet sizes, and specific flags. This flexibility enables them to simulate different attack scenarios and test the firewall’s response to unusual or malicious traffic.

303
Q

A new vulnerability enables a type of malware that allows the unauthorized movement of data from
a system. Which of the following would detect this behavior?
A. Implementing encryption
B. Monitoring outbound traffic
C. Using default settings
D. Closing all open ports

A

Answer: B
Explanation:
Monitoring outbound traffic is essential for detecting unauthorized data exfiltration from a system. Malware that moves data out of a system without authorization would typically attempt to send
this data out of the network. By monitoring outbound traffic, security tools can detect unusual data transfers, trigger alerts, and help prevent the exfiltration of sensitive information.

304
Q

Which of the following can a security director use to prioritize vulnerability patching within a company’s IT environment?
A. SOAR
B. CVSS
C. SIEM
D. CVE

A

Answer: B
Explanation:
The Common Vulnerability Scoring System (CVSS) is a standardized framework for assessing the
severity of security vulnerabilities. It helps organizations prioritize vulnerability patching by providing a numerical score that reflects the potential impact and exploitability of a vulnerability. CVSS scores
are used to gauge the urgency of patching vulnerabilities within a company’s IT environment.

305
Q

Which of the following is the most effective way to protect an application server running software
that is no longer supported from network threats?
A. Air gap
B. Barricade
C. Port security
D. Screened subnet

A

Answer: A
Explanation:
Air-gapping is the most effective way to protect an application server running unsupported software
from network threats. By physically isolating the server from any network connection (no wired or
wireless communication), it is protected from external cyber threats. While other options like port security or a screened subnet can provide some level of protection, an air gap offers the highest level
of security by preventing any network-based attacks entirely.

306
Q

Which of the following is the most important security concern when using legacy systems to provide
production service?
A. Instability
B. Lack of vendor support
C. Loss of availability
D. Use of insecure protocols

A

Answer: B
Explanation:
The most important security concern when using legacy systems is the lack of vendor support.
Without support from the vendor, systems may not receive critical security patches and updates,
leaving them vulnerable to exploitation. This lack of support can result in increased risk of security
breaches, as vulnerabilities discovered in the software may never be addressed.

307
Q

Cadets speaking a foreign language are using company phone numbers to make unsolicited phone calls to a partner organization. A security analyst validates through phone system logs that the calls are occurring and the numbers are not being spoofed. Which of the following is the most likely explanation?
A. The executive team is traveling internationally and trying to avoid roaming charges
B. The company’s SIP server security settings are weak.
C. Disgruntled employees are making calls to the partner organization.
D. The service provider has assigned multiple companies the same numbers

A

Answer: B
Explanation:
If cadets are using company phone numbers to make unsolicited calls, and the logs confirm the
numbers are not being spoofed, it suggests that the SIP (Session Initiation Protocol) server’s security
settings might be weak. This could allow unauthorized access or exploitation of the company’s
telephony services, potentially leading to misuse by unauthorized individuals.

308
Q

An IT security team is concerned about the confidentiality of documents left unattended in MFPs.
Which of the following should the security team do to mitigate the situation?
A. Educate users about the importance of paper shredder devices.
B. Deploy an authentication factor that requires in-person action before printing.
C. Install a software client in every computer authorized to use the MFPs.
D. Update the management software to utilize encryption.

A

Answer: B
Explanation:
To mitigate the risk of confidential documents being left unattended in Multi-Function Printers
(MFPs), implementing an authentication factor that requires in-person action before printing (such as
PIN codes or badge scanning) is the most effective measure. This ensures that documents are only printed when the authorized user is present to collect them, reducing the risk of sensitive
information being exposed.

309
Q

A systems administrator is auditing all company servers to ensure they meet the minimum security baseline. While auditing a Linux server, the systems administrator observes the /etc/shadow file has
permissions beyond the baseline recommendation. Which of the following commands should the
systems administrator use to resolve this issue?
A. chmod
B. grep
C. dd
D. passwd

A

Answer: A
Explanation:
The chmod command is used to change file permissions on Unix and Linux systems. If the
/etc/shadow file has permissions beyond the baseline recommendation, the systems administrator
should use chmod to modify the file’s permissions, ensuring it adheres to the security baseline and limits access to authorized users only.

310
Q

During a recent company safety stand-down, the cyber-awareness team gave a presentation on the importance of cyber hygiene. One topic the team covered was best practices for printing centers.
Which of the following describes an attack method that relates to printing centers?
A. Whaling
B. Credential harvesting
C. Prepending
D. Dumpster diving

A

Answer: D
Explanation:
Dumpster diving is an attack method where attackers search through physical waste, such as
discarded documents and printouts, to find sensitive information that has not been properly
disposed of. In the context of printing centers, this could involve attackers retrieving printed
documents containing confidential data that were improperly discarded without shredding or other
secure disposal methods. This emphasizes the importance of proper disposal and physical security measures in cyber hygiene practices.

311
Q

A software developer would like to ensure the source code cannot be reverse engineered or
debugged. Which of the following should the developer consider?
A. Version control
B. Obfuscation toolkit
C. Code reuse
D. Continuous integration
E. Stored procedures

A

Answer: B
Explanation:
An obfuscation toolkit is used by developers to make source code difficult to understand and reverse
engineer. This technique involves altering the code’s structure and naming conventions without
changing its functionality, making it much harder for attackers to decipher the code or use debugging
tools to analyze it. Obfuscation is an important practice in protecting proprietary software and
intellectual property from reverse engineering.

312
Q

Which of the following is a common source of unintentional corporate credential leakage in cloud
environments?
A. Code repositories
B. Dark web
C. Threat feeds
D. State actors
E. Vulnerability databases

A

Answer: A
Explanation:
Code repositories are a common source of unintentional corporate credential leakage, especially in
cloud environments. Developers may accidentally commit and push sensitive information, such as
API keys, passwords, and other credentials, to public or poorly secured repositories. These
credentials can then be accessed by unauthorized users, leading to security breaches. Ensuring that
repositories are properly secured and that sensitive data is never committed is critical for protecting
against this type of leakage.

313
Q

A security audit of an organization revealed that most of the IT staff members have domain
administrator credentials and do not change the passwords regularly. Which of the following
solutions should the security team propose to resolve the findings in the most complete way?
A. Creating group policies to enforce password rotation on domain administrator credentials
B. Reviewing the domain administrator group, removing all unnecessary administrators, and rotating
all passwords
C. Integrating the domain administrator’s group with an IdP and requiring SSO with MFA for all access
D. Securing domain administrator credentials in a PAM vault and controlling access with role-based
access control

A

Answer: D
Explanation:
Using a Privileged Access Management (PAM) vault to secure domain administrator credentials and enforcing role-based access control (RBAC) is the most comprehensive solution. PAM systems help manage and control access to privileged accounts, ensuring that only authorized personnel can access sensitive credentials. This approach also facilitates password rotation, auditing, and ensures that credentials are not misused or left unchanged. Integrating PAM with RBAC ensures that access is granted based on the user’s role, further enhancing security.

314
Q

A company wants to get alerts when others are researching and doing reconnaissance on the
company. One approach would be to host a part of the infrastructure online with known
vulnerabilities that would appear to be company assets. Which of the following describes this
approach?
A. Watering hole
B. Bug bounty
C. DNS sinkhole
D. Honeypot

A

Answer: D
Explanation:
A honeypot is a security mechanism set up to attract and detect potential attackers by simulating
vulnerable assets. By hosting a part of the infrastructure online with known vulnerabilities that
appear to be company assets, the company can observe and analyze the behavior of attackers
conducting reconnaissance. This approach allows the company to get alerts and gather intelligence
on potential threats.

315
Q

Which of the following best describes why the SMS OTP authentication method is more risky to
implement than the TOTP method?
A. The SMS OTP method requires an end user to have an active mobile telephone service and SIM card.
B. Generally, SMS OTP codes are valid for up to 15 minutes while the TOTP time frame is 30 to 60 seconds.
C. The SMS OTP is more likely to be intercepted and lead to unauthorized disclosure of the code than the TOTP method.
D. The algorithm used to generate an SMS OTP code is weaker than the one used to generate a TOTP code.

A

Answer: C
Explanation:
The SMS OTP (One-Time Password) method is more vulnerable to interception compared to TOTP
(Time-based One-Time Password) because SMS messages can be intercepted through various attack
vectors like SIM swapping or SMS phishing. TOTP, on the other hand, generates codes directly on the
device and does not rely on a communication channel like SMS, making it less susceptible to
interception.

316
Q

A website user is locked out of an account after clicking an email link and visiting a different website. Web server logs show the user’s password was changed, even though the user did not change the password. Which of the following is the most likely cause?
A. Cross-site request forgery
B. Directory traversal
C. ARP poisoning
D. SQL injection

A

Answer: A
Explanation:
The scenario describes a situation where a user unknowingly triggers an unwanted action, such as
changing their password, by clicking a malicious link. This is indicative of a Cross-Site Request Forgery
(CSRF) attack, where an attacker tricks the user into executing actions they did not intend to perform
on a web application in which they are authenticated.

317
Q

A security engineer is working to address the growing risks that shadow IT services are introducing to the organization. The organization has taken a cloud-first approach and does not have an on-premises IT infrastructure. Which of the following would best secure the organization?
A. Upgrading to a next-generation firewall
B. Deploying an appropriate in-line CASB solution
C. Conducting user training on software policies
D. Configuring double key encryption in SaaS platforms

A

Answer: B
Explanation:
A Cloud Access Security Broker (CASB) solution is the most suitable option for securing an
organization that has adopted a cloud-first strategy and does not have an on-premises IT
infrastructure. CASBs provide visibility and control over shadow IT services, enforce security policies, and protect data across cloud services.

318
Q

A cybersecurity incident response team at a large company receives notification that malware is present on several corporate desktops. No known indicators of compromise have been found on the network. Which of the following should the team do first to secure the environment?
A. Contain the impacted hosts.
B. Add the malware to the application blocklist.
C. Segment the core database server.
D. Implement firewall rules to block outbound beaconing

A

Answer: A
Explanation:
The first step in responding to a cybersecurity incident, particularly when malware is detected, is to contain the impacted hosts. This action prevents the spread of malware to other parts of the network, limiting the potential damage while further investigation and remediation actions are
planned.

319
Q

Which of the following is a reason why a forensic specialist would create a plan to preserve data after an incident and prioritize the sequence for performing forensic analysis?
A. Order of volatility
B. Preservation of event logs
C. Chain of custody
D. Compliance with legal hold

A

Answer: A
Explanation:
When conducting a forensic analysis after an incident, it’s essential to prioritize the data collection process based on the “order of volatility.” This principle dictates that more volatile data (e.g., data in memory, network connections) should be captured before less volatile data (e.g., disk drives, logs).
The idea is to preserve the most transient and potentially valuable evidence first, as it is more likely to be lost or altered quickly.

320
Q

A security analyst is creating a baseline for the server team to follow when hardening new devices for deployment. Which of the following best describes what the analyst is creating?
A. Change management procedure
B. Information security policy
C. Cybersecurity framework
D. Secure configuration guide

A

Answer: D
Explanation:
The security analyst is creating a “secure configuration guide,” which is a set of instructions or
guidelines used to configure devices securely before deployment. This guide ensures that the devices are set up according to best practices to minimize vulnerabilities and protect against potential security threats.

321
Q

In which of the following scenarios is tokenization the best privacy technique to use?
A. Providing pseudo-anonymization for social media user accounts
B. Serving as a second factor for authentication requests
C. Enabling established customers to safely store credit card information
D. Masking personal information inside databases by segmenting data

A

Answer: C
Explanation:
Tokenization is a process that replaces sensitive data, such as credit card information, with a non-
sensitive equivalent (token) that can be used in place of the actual data. This technique is particularly useful in securely storing payment information because the token can be safely stored and transmitted without exposing the original credit card number.

322
Q

A security administrator recently reset local passwords and the following values were recorded in the
system:
Which of the following is the security administrator most likely protecting against?
A. Account sharing
B. Weak password complexity
C. Pass-the-hash attacks
D. Password compromise

A

Answer: C
Explanation:
The scenario shows MD5 hashed password values. The most likely reason the security administrator is focusing on these values is to protect against pass-the-hash attacks. In this type of attack, an
attacker can use a captured hash to authenticate without needing to know the actual plaintext password. By managing and monitoring these hashes, the administrator can implement strategies to
mitigate this type of threat.

323
Q

A vendor needs to remotely and securely transfer files from one server to another using the command line. Which of the following protocols should be implemented to allow for this type of
access? (Select two).
A. SSH
B. SNMP
C. RDP
D. S/MIME
E. SMTP
F. SFTP

A

Answer: A, F
Explanation:
Secure Shell (SSH) is a protocol used for secure command-line access to remote systems, while
Secure File Transfer Protocol (SFTP) is an extension of SSH used specifically for securely transferring files. Both SSH and SFTP ensure that data is encrypted during transmission, protecting it from interception or tampering.

324
Q

Which of the following data roles is responsible for identifying risks and appropriate access to data?
A. Owner
B. Custodian
C. Steward
D. Controller

A

Answer: A
Explanation:
The data owner is the role responsible for identifying risks to data and determining who should have access to that data. The owner has the authority to make decisions about the protection and usage of
the data, including setting access controls and ensuring that appropriate security measures are in
place.

325
Q

Various stakeholders are meeting to discuss their hypothetical roles and responsibilities in a specific situation, such as a security incident or major disaster. Which of the following best describes this meeting?
A. Penetration test
B. Continuity of operations planning
C. Tabletop exercise
D. Simulation

A

Answer: C
Explanation:
A tabletop exercise is a discussion-based exercise where stakeholders gather to walk through the
roles and responsibilities they would have during a specific situation, such as a security incident or
disaster. This type of exercise is designed to identify gaps in planning and improve coordination
among team members without the need for physical execution.

326
Q

An external vendor recently visited a company’s headquarters for a presentation. Following the visit,
a member of the hosting team found a file that the external vendor left behind on a server. The file contained detailed architecture information and code snippets. Which of the following data types best describes this file?
A. Government
B. Public
C. Proprietary
D. Critical

A

Answer: C
Explanation:
The file left by the external vendor, containing detailed architecture information and code snippets, is best described as proprietary data. Proprietary data is information that is owned by a company and is
essential to its competitive advantage. It includes sensitive business information such as trade
secrets, intellectual property, and confidential data that should be protected from unauthorized access.

327
Q

The security operations center is researching an event concerning a suspicious IP address. A security analyst looks at the following event logs and discovers that a significant portion of the user accounts have experienced failed log-in attempts when
authenticating from the same IP address:
Which of the following most likely describes the attack that took place?
A. Spraying
B. Brute-force
C. Dictionary
D. Rainbow table

A

Answer: A
Explanation:
Password spraying is a type of attack where an attacker tries a small number of commonly used
passwords across a large number of accounts. The event logs showing failed login attempts for many
user accounts from the same IP address are indicative of a password spraying attack, where the
attacker is attempting to gain access by guessing common passwords.

328
Q

Which of the following explains why an attacker cannot easily decrypt passwords using a rainbow table attack?
A. Digital signatures
B. Salting
C. Hashing
D. Perfect forward secrecy

A

Answer: B
Explanation:
Salting is a technique used to enhance the security of hashed passwords by adding a unique, random
value (salt) to each password before hashing it. This prevents attackers from easily decrypting
passwords using rainbow tables, which are precomputed tables for reversing cryptographic hash functions. Since each password has a unique salt, the same password will produce different hash
values, making rainbow table attacks ineffective.

329
Q

A company is currently utilizing usernames and passwords, and it wants to integrate an MFA method
that is seamless, can integrate easily into a user’s workflow, and can utilize employee-owned
devices. Which of the following will meet these requirements?
A. Push notifications
B. Phone call
C. Smart card
D. Offline backup codes

A

Answer: A
Explanation:
Push notifications offer a seamless and user-friendly method of multi-factor authentication (MFA)
that can easily integrate into a user’s workflow. This method leverages employee-owned devices,
like smartphones, to approve authentication requests through a push notification. It’s convenient, quick, and doesn’t require the user to input additional codes, making it a preferred choice for seamless integration with existing workflows.

330
Q

A financial institution would like to store its customer data in the cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from
being able to decipher the data due to its sensitivity. The financial institution is not concerned about
computational overheads and slow speeds. Which of the following cryptographic techniques would best meet the requirement?
A. Asymmetric
B. Symmetric
C. Homomorphic
D. Ephemeral

A

Answer: C
Explanation:
Homomorphic encryption allows data to be encrypted and manipulated without needing to decrypt
it first. This cryptographic technique would allow the financial institution to store customer data
securely in the cloud while still permitting operations like searching and calculations to be performed on the encrypted data. This ensures that the cloud service provider cannot decipher the sensitive
data, meeting the institution’s security requirements.

331
Q

The Chief Information Security Officer of an organization needs to ensure recovery from ransomware would likely occur within the organization’s agreed-upon RPOs and RTOs. Which of the following
backup scenarios would best ensure recovery?
A. Hourly differential backups stored on a local SAN array
B. Daily full backups stored on premises in magnetic offline media
C. Daily differential backups maintained by a third-party cloud provider
D. Weekly full backups with daily incremental stored on a NAS drive

A

Answer: D
Explanation:
A backup strategy that combines weekly full backups with daily incremental backups stored on a NAS
(Network Attached Storage) drive is likely to meet an organization’s Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). This approach ensures that recent data is regularly backed up and that recovery can be done efficiently, without significant data loss or lengthy downtime.

332
Q

Which of the following best describes why a process would require a two-person integrity security control?
A. To increase the chance that the activity will be completed in half of the time the process would
take only one user to complete
B. To permit two users from another department to observe the activity that is being performed by an authorized user
C. To reduce the risk that the procedures are performed incorrectly or by an unauthorized user
D. To allow one person to perform the activity while being recorded on the CCTV camera

A

Answer: C
Explanation:
A two-person integrity security control is implemented to minimize the risk of errors or unauthorized actions. This control ensures that at least two individuals are involved in critical operations, which
helps to verify the accuracy of the process and prevents unauthorized users from acting alone. It’s a security measure commonly used in sensitive operations, like financial transactions or access to critical systems, to ensure accountability and accuracy.

333
Q

A company recently decided to allow employees to work remotely. The company wants to protect its
data without using a VPN. Which of the following technologies should the company implement?
A. Secure web gateway
B. Virtual private cloud endpoint
C. Deep packet inspection
D. Next-generation firewall

A

Answer: A
Explanation:
A Secure Web Gateway (SWG) protects users by filtering unwanted software/malware from user-initiated web traffic and enforcing corporate and regulatory policy compliance. This technology allows the company to secure remote users’ data and web traffic without relying on a VPN, making it ideal for organizations supporting remote work.

334
Q

In a rush to meet an end-of-year business goal, the IT department was told to implement a new
business application. The security engineer reviews the attributes of the application and decides the time needed to perform due diligence is insufficient from a cybersecurity perspective. Which of the
following best describes the security engineer’s response?
A. Risk tolerance
B. Risk acceptance
C. Risk importance
D. Risk appetite

A

Answer: D
Explanation:
Risk appetite refers to the level of risk that an organization is willing to accept in order to achieve its objectives. In this scenario, the security engineer is concerned that the timeframe for implementing a new application does not allow for sufficient cybersecurity due diligence. This reflects a situation where the organization’s risk appetite might be too high if it proceeds without the necessary security
checks.

335
Q

An organization has too many variations of a single operating system and needs to standardize the arrangement prior to pushing the system image to users. Which of the following should the
organization implement first?
A. Standard naming convention
B. Hashing
C. Network diagrams
D. Baseline configuration

A

Answer: D
Explanation:
Baseline configuration is the process of standardizing the configuration settings for a system or network. In this scenario, the organization needs to standardize the operating system configurations before deploying them across the network. Establishing a baseline configuration ensures that all systems adhere to the organization’s security policies and operational requirements.

336
Q

A growing company would like to enhance the ability of its security operations center to detect threats but reduce the amount of manual work required for the security analysts. Which of the
following would best enable the reduction in manual work?
A. SOAR
B. SIEM
C. MDM
D. DLP

A

Answer: A
Explanation:
Security Orchestration, Automation, and Response (SOAR) systems help organizations automate
repetitive security tasks, reduce manual intervention, and improve the efficiency of security
operations. By integrating with various security tools, SOAR can automatically respond to incidents,
helping to enhance threat detection while reducing the manual workload on security analysts.

337
Q

A systems administrator is redesigning how devices will perform network authentication. The following requirements need to be met:
* An existing internal certificate must be used.
* Wired and wireless networks must be supported.
* Any unapproved device should be isolated in a quarantine subnet.
* Approved devices should be updated before accessing resources.
Which of the following would best meet the requirements?
A. 802.1X
B. EAP
C. RADIUS
D. WPA2

A

Answer: A
Explanation:
802.1X is a network access control protocol that provides an authentication mechanism to devices
trying to connect to a LAN or WLAN. It supports the use of certificates for authentication, can
quarantine unapproved devices, and ensures that only approved and updated devices can access network resources. This protocol best meets the requirements of securing both wired and wireless networks with internal certificates.

338
Q

A company implemented an MDM policy to mitigate risks after repeated instances of employees losing company-provided mobile phones. In several cases, the lost phones were used maliciously to
perform social engineering attacks against other employees. Which of the following MDM features
should be configured to best address this issue? (Select two).
A. Screen locks
B. Remote wipe
C. Full device encryption
D. Push notifications
E. Application management

A

Answer: C, E

339
Q

A security analyst needs to propose a remediation plan for each item in a risk register. The item with the highest priority requires employees to have separate logins for SaaS solutions and different password complexity requirements for each solution. Which of the following implementation plans will most likely resolve this security issue?
A. Creating a unified password complexity standard
B. Integrating each SaaS solution with the Identity provider
C. Securing access to each SaaS by using a single wildcard certificate
D. Configuring geofencing on each SaaS solution

A

Answer: B
Explanation:
Integrating each SaaS solution with an Identity Provider (IdP) is the most effective way to address the security issue. This approach allows for Single Sign-On (SSO) capabilities, where users can access
multiple SaaS applications with a single set of credentials while maintaining strong password policies
across all services. It simplifies the user experience and ensures consistent security enforcement across different SaaS platforms.

340
Q

A security analyst finds a rogue device during a monthly audit of current endpoint assets that are
connected to the network. The corporate network utilizes 802.1X for access control. To be allowed on
the network, a device must have a known hardware address, and a valid user name and password
must be entered in a captive portal. The following is the audit report:
Which of the following is the most likely way a rogue device was allowed to connect?
A. A user performed a MAC cloning attack with a personal device.
B. A DHCP failure caused an incorrect IP address to be distributed.
C. An administrator bypassed the security controls for testing.
D. DNS hijacking let an attacker intercept the captive portal traffic.

A

Answer: A
Explanation:
The most likely way a rogue device was able to connect to the network is through a MAC cloning
attack. In this attack, a personal device copies the MAC address of an authorized device, bypassing the 802.1X access control that relies on known hardware addresses for network access. The matching
MAC addresses in the audit report suggest that this technique was used to gain unauthorized
network access.

341
Q

Which of the following is the first step to take when creating an anomaly detection process?
A. Selecting events
B. Building a baseline
C. Selecting logging options
D. Creating an event log

A

Answer: B
Explanation:
The first step in creating an anomaly detection process is building a baseline of normal behavior within the system. This baseline serves as a reference point to identify deviations or anomalies that could indicate a security incident. By understanding what normal activity looks like, security teams can more effectively detect and respond to suspicious behavior.

342
Q

Which of the following is the final step of the incident response process?
A. Lessons learned
B. Eradication
C. Containment
D. Recovery

A

Answer: A
Explanation:
The final step in the incident response process is “Lessons learned.” This step involves reviewing and analyzing the incident to understand what happened, how it was handled, and what could be improved. The goal is to improve future response efforts and prevent similar incidents from occurring. It’s essential for refining the incident response plan and enhancing overall security posture.

343
Q

While investigating a recent security breach, an analyst finds that an attacker gained access by SQL injection through a company website. Which of the following should the analyst recommend to the website developers to prevent this from reoccurring?
A. Secure cookies
B. Input sanitization
C. Code signing
D. Blocklist

A

Answer: B
Explanation:
Input sanitization is a critical security measure to prevent SQL injection attacks, which occur when an attacker exploits vulnerabilities in a website’s input fields to execute malicious SQL code. By properly
sanitizing and validating all user inputs, developers can prevent malicious code from being executed,
thereby securing the website against such attacks.

344
Q

Which of the following environments utilizes a subset of customer data and is most likely to be used to assess the impacts of major system upgrades and demonstrate system features?
A. Development
B. Test
C. Production
D. Staging

A

Answer: D
Explanation:
A staging environment is a controlled setting that closely mirrors the production environment but uses a subset of customer data. It is used to test major system upgrades, assess their impact, and demonstrate new features before they are rolled out to the live production environment. This ensures that any issues can be identified and addressed in a safe environment before affecting end-users.

345
Q

An organization recently started hosting a new service that customers access through a web portal. A security engineer needs to add to the existing security devices a new solution to protect this new service. Which of the following is the engineer most likely to deploy?
A. Layer 4 firewall
B. NGFW
C. WAF
D. UTM

A

Answer: C
Explanation:
The security engineer is likely to deploy a Web Application Firewall (WAF) to protect the new web
portal service. A WAF specifically protects web applications by filtering, monitoring, and blocking
HTTP requests based on a set of rules. This is crucial for preventing common attacks such as SQL
injection, cross-site scripting (XSS), and other web-based attacks that could compromise the web service.

346
Q

An IT manager is putting together a documented plan describing how the organization will keep
operating in the event of a global incident. Which of the following plans is the IT manager creating?
A. Business continuity
B. Physical security
C. Change management
D. Disaster recovery

A

Answer: A
Explanation:
The IT manager is creating a Business Continuity Plan (BCP). A BCP describes how an organization
will continue to operate during and after a disaster or global incident. It ensures that critical business functions remain operational despite adverse conditions, with a focus on minimizing downtime and maintaining essential services.

347
Q

Which of the following topics would most likely be included within an organization’s SDLC?
A. Service-level agreements
B. Information security policy
C. Penetration testing methodology
D. Branch protection requirements

A

Answer: B
Explanation:
Within an organization’s Software Development Life Cycle (SDLC), an Information Security Policy is a vital component. It outlines the rules and procedures for ensuring that the organization’s IT assets and data are protected throughout the development process. Ensuring secure coding practices, access controls, and regular security testing is fundamental in preventing vulnerabilities in applications.

348
Q

Which of the following describes the understanding between a company and a client about what will be provided and the accepted time needed to provide the company with the resources?
A. SLA
B. MOU
C. MOA
D. BPA

A

Answer: A
Explanation:
A Service Level Agreement (SLA) is a formal document between a service provider and a client that
defines the expected level of service, including what resources will be provided and the agreed-upon
time frames. It typically includes metrics to evaluate performance, uptime guarantees, and response times.

349
Q

Which of the following describes an executive team that is meeting in a board room and testing the company’s incident response plan?
A. Continuity of operations
B. Capacity planning
C. Tabletop exercise
D. Parallel processing

A

Answer: C
Explanation:
A tabletop exercise involves the executive team or key stakeholders discussing and testing the
company’s incident response plan in a simulated environment. These exercises are low-stress, discussion-based, and help to validate the plan’s effectiveness by walking through different scenarios without disrupting actual operations. It is an essential part of testing business continuity and incident response strategies.

350
Q

Which of the following methods would most likely be used to identify legacy systems?
A. Bug bounty program
B. Vulnerability scan
C. Package monitoring
D. Dynamic analysis

A

Answer: B
Explanation:
A vulnerability scan is the most likely method to identify legacy systems. These scans assess an
organization’s network and systems for known vulnerabilities, including outdated or unsupported
software (i.e., legacy systems) that may pose a security risk. The scan results can highlight systems that are no longer receiving updates, helping IT teams address these risks.

351
Q

Which of the following considerations is the most important for an organization to evaluate as it establishes and maintains a data privacy program?
A. Reporting structure for the data privacy officer
B. Request process for data subject access
C. Role as controller or processor
D. Physical location of the company

A

Answer: C
Explanation:
The most important consideration when establishing a data privacy program is defining the
organization’s role as a controller or processor. These roles, as outlined in privacy regulations such as
the General Data Protection Regulation (GDPR), determine the responsibilities regarding the handling of personal data. A controller is responsible for determining the purpose and means of data
processing, while a processor acts on behalf of the controller. This distinction is crucial for
compliance with data privacy laws.

352
Q

Client files can only be accessed by employees who need to know the information and have specified roles in the company. Which of the following best describes this security concept?
A. Availability
B. Confidentiality
C. Integrity
D. Non-repudiation

A

Answer: B
Explanation:
The scenario described, where client files are only accessible to employees who “need to know” the
information, reflects the concept of confidentiality. Confidentiality ensures that sensitive information
is only accessible to those who are authorized to view it, preventing unauthorized access.

353
Q

A user would like to install software and features that are not available with a smartphone’s default
software. Which of the following would allow the user to install unauthorized software and enable
new features?
A. SOU
B. Cross-site scripting
C. Jailbreaking
D. Side loading

A

Answer: C
Explanation:
Jailbreaking is the process of removing restrictions imposed by the manufacturer on a smartphone, allowing the user to install unauthorized software and features not available through official app stores. This action typically voids the warranty and can introduce security risks by bypassing built-in
protections.

354
Q

A recent penetration test identified that an attacker could flood the MAC address table of network
switches. Which of the following would best mitigate this type of attack?
A. Load balancer
B. Port security
C. IPS
D. NGFW

A

Answer: B
Explanation:
Port security is the best mitigation technique for preventing an attacker from flooding the MAC
address table of network switches. Port security can limit the number of MAC addresses learned on a
port, preventing an attacker from overwhelming the switch’s MAC table (a form of MAC flooding attack). When the allowed number of MAC addresses is exceeded, port security can block additional devices or trigger alerts.
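
The mechanism behind this answer, as an added example that is not part of the flashcard set: a toy switch with a CAM table of fixed size, run once without and once with a per-port MAC limit. Every MAC address, port number and table size below is constructed for illustration; the "shutdown" violation action mirrors the common switch behaviour of err-disabling the offending port.

```python
"""Added example (not from the flashcards): a toy switch CAM table, with and
without a per-port MAC limit, showing why port security stops MAC flooding.
Every MAC address, port number and capacity below is constructed."""
import random


class Switch:
    def __init__(self, cam_capacity, max_macs_per_port=None):
        self.cam_capacity = cam_capacity            # total CAM (MAC table) entries
        self.max_macs_per_port = max_macs_per_port  # port-security limit; None = disabled
        self.cam = {}                               # learned MAC -> port
        self.per_port = {}                          # port -> set of MACs learned on it
        self.err_disabled = set()                   # ports shut down after a violation

    def learn(self, src_mac, port):
        """Process a frame's source MAC. Returns 'learned', 'full' or 'violation'."""
        if port in self.err_disabled:
            return "violation"                      # port stays down until an admin clears it
        if src_mac in self.cam:
            return "learned"
        macs = self.per_port.setdefault(port, set())
        if self.max_macs_per_port is not None and len(macs) >= self.max_macs_per_port:
            self.err_disabled.add(port)             # 'shutdown' violation action
            return "violation"
        if len(self.cam) >= self.cam_capacity:
            return "full"                           # table exhausted: nothing new can be learned
        self.cam[src_mac] = port
        macs.add(src_mac)
        return "learned"

    def forward(self, dst_mac):
        """Egress port for a frame, or 'FLOOD' when the MAC is unknown
        (the switch then behaves like a hub and the attacker sees the frame)."""
        return self.cam.get(dst_mac, "FLOOD")


def mac_flood(switch, attacker_port, frames, seed=1):
    """Attacker on attacker_port sends frames with random source MACs."""
    rng = random.Random(seed)
    outcome = {"learned": 0, "full": 0, "violation": 0}
    for _ in range(frames):
        mac = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
        outcome[switch.learn(mac, attacker_port)] += 1
    return outcome


def scenario(port_security):
    """Client on port 1, server on port 2, attacker on port 3 (all constructed)."""
    sw = Switch(cam_capacity=64, max_macs_per_port=2 if port_security else None)
    sw.learn("aa:bb:cc:00:00:01", 1)                # client is learned first
    flood = mac_flood(sw, attacker_port=3, frames=200)
    server_learn = sw.learn("aa:bb:cc:00:00:02", 2)  # server sends its first frame
    return {
        "flood": flood,
        "server_learned": server_learn,
        "server_traffic_goes_to": sw.forward("aa:bb:cc:00:00:02"),
        "attacker_port_disabled": 3 in sw.err_disabled,
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print("port security %s: %s" % ("on" if enabled else "off", scenario(enabled)))
```

Without the limit the attacker fills the table, the server can never be learned, and frames destined for it are flooded out of every port, including the attacker's. With a limit of two MACs on the access port, the third spoofed frame err-disables that port and the table stays intact.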

355
Q

An administrator at a small business notices an increase in support calls from employees who receive a blocked page message after trying to navigate to a spoofed website. Which of the following should the administrator do?
A. Deploy multifactor authentication.
B. Decrease the level of the web filter settings
C. Implement security awareness training.
D. Update the acceptable use policy

A

Answer: C
Explanation:
In this scenario, employees are attempting to navigate to spoofed websites, which is being blocked by the web filter. To address this issue, the administrator should implement security awareness training. Training helps employees recognize phishing and other social engineering attacks, reducing the likelihood that they will attempt to access malicious websites in the future.

356
Q

Which of the following control types is AUP an example of?
A. Physical
B. Managerial
C. Technical
D. Operational

A

Answer: B
Explanation:
An Acceptable Use Policy (AUP) is an example of a managerial control. Managerial controls are
policies and procedures that govern an organization’s operations, ensuring security through
directives and rules. The AUP defines acceptable behavior and usage of company resources, setting guidelines for employees.

357
Q

Type of Technical Controls

A

Firewalls or encryption

358
Q

Type of Operational Controls

A

Backups or Recovery Plans

359
Q

Which of the following examples would be best mitigated by input sanitization?

A. <script>alert("Warning!");</script>

B. nmap - 10.11.1.130
C. Email message: “Click this link to get your free gift card.”
D. Browser message: “Your connection is not private.”

A

Answer: A
Explanation:
This example of a script injection attack would be best mitigated by input sanitization. Input
sanitization involves cleaning or filtering user inputs to ensure that they do not contain harmful data, such as malicious scripts. This prevents attackers from executing script-based attacks (e.g., Cross-Site Scripting or XSS).
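
Cards 355 (WAF) and 359 (input sanitization) describe two layers of the same defence, so one added example serves both. It is not code from the flashcard set: a request filter in the style of a WAF rule set, beside the output encoding that removes the injection itself. The rules, requests and HTML template are constructed for illustration and are not any vendor's rule set.

```python
"""Added example (not from the flashcards): a request filter in the style of
a WAF rule set, beside the output encoding that removes the injection itself.
The rules, requests and HTML template are constructed for illustration and
are not any vendor's rule set."""
import html
import re
from urllib.parse import unquote_plus

# Constructed signature rules in the spirit of a WAF policy (name, pattern).
WAF_RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon\w+\s*=", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\w*'?\s*=\s*'?\w*", re.I)),
    ("sqli-union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
]


def waf_inspect(method, path, query="", body=""):
    """Decide allow/block for one HTTP request. URL decoding happens first,
    because encoded payloads are the first evasion an attacker tries."""
    haystack = unquote_plus("%s %s?%s %s" % (method, path, query, body))
    for name, pattern in WAF_RULES:
        if pattern.search(haystack):
            return ("block", name)
    return ("allow", None)


def render_comment_vulnerable(comment):
    """Reflects user input straight into the page: script injection executes."""
    return '<p class="comment">%s</p>' % comment


def render_comment_safe(comment):
    """Output encoding: the same text is displayed, never parsed as markup."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


if __name__ == "__main__":
    payload = '<script>alert("Warning!");</script>'
    print(waf_inspect("GET", "/search", "q=" + payload))
    print(render_comment_vulnerable(payload))
    print(render_comment_safe(payload))
```

The signature layer blocks the card's payload even when URL-encoded, but it also blocks a harmless `online=1` parameter because `on...=` looks like an event handler. That false-positive cost is why the WAF is a compensating control in front of the portal, while escaping untrusted data at output is the fix inside the application.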

360
Q

A security engineer is installing an IPS to block signature-based attacks in the environment. Which of the following modes will best accomplish this task?
A. Monitor
B. Sensor
C. Audit
D. Active

A

Answer: D
Explanation:
To block signature-based attacks, the Intrusion Prevention System (IPS) must run in active (inline) mode, where traffic passes through the sensor and packets matching predefined signatures are dropped in real time. The monitor, sensor, and audit options only observe and alert, so they can detect known attack types but cannot stop them from reaching the internal network.

361
Q

An organization wants to limit potential impact to its log-in database in the event of a breach. Which
of the following options is the security team most likely to recommend?
A. Tokenization
B. Hashing
C. Obfuscation
D. Segmentation

A

Answer: B
Explanation:
To limit the potential impact on the log-in database in case of a breach, the security team would most likely recommend hashing. Passwords are stored as one-way digests rather than in plaintext, so a stolen table does not directly reveal them. Done properly, this means a unique random salt per user and a deliberately slow password-hashing function (bcrypt, scrypt, Argon2, or PBKDF2), so an attacker who obtains the database must guess each password individually at a high cost per guess. A bare, unsalted fast hash such as MD5 or SHA-256 is far weaker: precomputed tables and GPU cracking recover common passwords quickly, and identical passwords produce identical hashes.
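
An added example, not code from the flashcard set, that shows what "limit the impact" means in practice: the same three constructed users stored once as unsalted SHA-256 and once as salted PBKDF2-HMAC-SHA256 (standard library only), then attacked offline with the same small constructed wordlist. The iteration count is an assumed value.

```python
"""Added example (not from the flashcards): how salted, iterated password
hashing limits the damage from a stolen log-in database. Standard library
only; the user records, passwords and wordlist are constructed."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; assumed value, tune to your hardware


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_b64, digest_b64 = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


# Constructed user records: two users share a password, which a stolen table must not reveal.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "correct horse battery staple"}
WORDLIST = ["password", "Summer2024!", "letmein"]      # attacker's (constructed) dictionary


def build_tables(iterations=ITERATIONS):
    """What the breach exposes under each storage scheme."""
    unsalted = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in USERS.items()}
    salted = {u: hash_password(p, iterations) for u, p in USERS.items()}
    return unsalted, salted


def attack_unsalted(table, wordlist):
    """One fast hash per word cracks every user with that password at once."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {u: lookup[h] for u, h in table.items() if h in lookup}
    return recovered, len(wordlist)            # (cracked accounts, hash operations spent)


def attack_salted(table, wordlist):
    """Each guess must be rerun per user with that user's salt, paying the full work factor."""
    recovered, operations = {}, 0
    for user, stored in table.items():
        for word in wordlist:
            operations += int(stored.split("$")[1])
            if verify_password(word, stored):
                recovered[user] = word
                break
    return recovered, operations


if __name__ == "__main__":
    unsalted, salted = build_tables(iterations=10_000)   # small so the demo runs quickly
    print("same password, identical unsalted hashes:", unsalted["alice"] == unsalted["bob"])
    print("same password, different salted records:", salted["alice"] != salted["bob"])
    print("unsalted attack:", attack_unsalted(unsalted, WORDLIST))
    print("salted attack:  ", attack_salted(salted, WORDLIST))
```

The weak password is cracked under both schemes; hashing does not rescue bad passwords. The difference is the cost: three cheap SHA-256 operations expose both accounts at once in the unsalted table, whereas the salted table forces the full PBKDF2 work factor for every guess against every user and the shared password is no longer visible from the records themselves.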

362
Q

A visitor plugs a laptop into a network jack in the lobby and is able to connect to the company’s
network. Which of the following should be configured on the existing network infrastructure to best prevent this activity?
A. Port security
B. Web application firewall
C. Transport layer security
D. Virtual private network

A

Answer: A
Explanation:
Port security is the best solution to prevent unauthorized devices, like a visitor’s laptop, from
connecting to the company’s network. Port security can limit the number of devices that can connect to a network switch port and block unauthorized MAC addresses, effectively stopping unauthorized access attempts.

363
Q

During a penetration test, a vendor attempts to enter an unauthorized area using an access badge.
Which of the following types of tests does this represent?
A. Defensive
B. Passive
C. Offensive
D. Physical

A

Answer: D
Explanation:
Attempting to enter an unauthorized area using an access badge during a penetration test is an
example of a physical test. This type of test evaluates the effectiveness of physical security controls,
such as access badges, security guards, and locks, in preventing unauthorized access to restricted areas.

364
Q

An organization experiences a cybersecurity incident involving a command-and-control server. Which
of the following logs should be analyzed to identify the impacted host? (Select two).
A. Application
B. Authentication
C. DHCP
D. Network
E. Firewall
F. Database

A

Answer: C, E
Explanation:
To identify the impacted host in a command-and-control (C2) server incident, the following logs
should be analyzed:
DHCP logs: These logs record IP address assignments. By reviewing DHCP logs, an organization can determine which host was assigned a specific IP address during the time of the attack.
Firewall logs: Firewall logs will show traffic patterns, including connections to external C2 servers.
Analyzing these logs helps to identify the IP address and port numbers of the communicating host.

365
Q

Which of the following should a security operations center use to improve its incident response procedure?
A. Playbooks
B. Frameworks
C. Baselines
D. Benchmarks

A

Answer: A
Explanation:
A playbook is a documented set of procedures that outlines the step-by-step response to specific types of cybersecurity incidents. Security Operations Centers (SOCs) use playbooks to improve
consistency, efficiency, and accuracy during incident response. Playbooks help ensure that the correct
procedures are followed based on the type of incident, ensuring swift and effective remediation.

366
Q

An administrator has identified and fingerprinted specific files that will generate an alert if an attempt is made to email these files outside of the organization. Which of the following best describes the tool the administrator is using?
A. DLP
B. SNMP traps
C. SCAP
D. IPS

A

Answer: A
Explanation:
The administrator is using a Data Loss Prevention (DLP) tool, which identifies, monitors, and protects sensitive data. Fingerprinting registers the content of specific files so that DLP recognizes them, or excerpts of them, in outbound email and either raises an alert or blocks the message. Detecting and stopping data exfiltration in this way is a core DLP capability and supports data security compliance.
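
How file fingerprinting differs from a plain file hash, as an added example that is not part of the flashcard set: the protected document is reduced to hashed word windows (shingles), so a pasted paragraph with different casing and line breaks still matches. The protected document, messages, window size and threshold are all constructed.

```python
"""Added example (not from the flashcards): content fingerprinting of the kind
a DLP system applies to registered files, so that even a pasted paragraph of
a protected document trips an alert on outbound email. The protected document,
messages and threshold are constructed."""
import hashlib
import re

SHINGLE_WORDS = 6      # words per fingerprint window; assumed tuning value


def normalize(text):
    """Lower-case word tokens; casing, punctuation and line breaks do not help evasion."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=SHINGLE_WORDS):
    """Set of hashed k-word windows (the file's fingerprint)."""
    words = normalize(text)
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


def register(documents):
    """documents: {name: text} -> {name: fingerprint}; only hashes are kept."""
    return {name: shingles(text) for name, text in documents.items()}


def inspect_outbound(message, fingerprints, min_matches=3):
    """Compare an outgoing message against every registered fingerprint."""
    msg = shingles(message)
    hits = {}
    for name, fp in fingerprints.items():
        overlap = len(msg & fp)
        if overlap >= min_matches:
            hits[name] = overlap
    return ("block", hits) if hits else ("allow", hits)


# Constructed protected document and messages.
PROTECTED = {
    "falcon-pricing.docx": (
        "Project Falcon confidential pricing schedule. Tier one customers receive a forty "
        "percent discount on all annual contracts signed before June. Tier two customers "
        "receive twenty five percent. Do not distribute outside the finance team."
    )
}
LEAK = ("fyi from the deck:\n\nTier one customers receive a forty percent\n"
        "discount on all annual contracts signed before June.\n\nthanks")
BENIGN = "Lunch is at noon in the main conference room, bring your laptop."

if __name__ == "__main__":
    db = register(PROTECTED)
    print(inspect_outbound(LEAK, db))
    print(inspect_outbound(BENIGN, db))
```

The fingerprint store holds only hashes, so the DLP engine never needs a copy of the document itself; the threshold trades false positives (boilerplate phrases shared across documents) against the smallest excerpt worth catching.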

367
Q

A security analyst is investigating a workstation that is suspected of outbound communication to a
command-and-control server. During the investigation, the analyst discovered that logs on the endpoint were deleted. Which of the following logs would the analyst most likely look at next?
A. IPS
B. Firewall
C. ACL
D. Windows security

A

Answer: B
Explanation:
Since the logs on the endpoint were deleted, the next best option for the analyst is to examine firewall logs. Firewall logs can reveal external communication, including outbound traffic to a
command-and-control (C2) server. These logs would contain information about the IP addresses, ports, and protocols used, which can help in identifying suspicious connections.
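
Cards 364 and 367 both come down to the same investigation step, so one added example (not code from the flashcard set) serves both: firewall connection logs name the internal IP talking to the C2 address, and DHCP lease logs translate that IP into a MAC and hostname, resolved at the time of each connection rather than "whoever holds the IP now". The log lines, addresses (TEST-NET ranges), MACs and hostnames are constructed; 203.0.113.77 plays the C2 server.

```python
"""Added example (not from the flashcards): pinning a C2 beacon to a host
by correlating firewall connection logs with DHCP lease logs, for the case
where the endpoint's own logs are gone. The log lines, addresses (TEST-NET
ranges), MACs and hostnames are constructed; 203.0.113.77 plays the C2 server."""
import re
from datetime import datetime, timezone

FIREWALL_LOG = """\
2024-03-05T09:12:03Z action=allow src=10.10.5.23 dst=203.0.113.77 dport=443 proto=tcp
2024-03-05T09:12:33Z action=allow src=10.10.5.23 dst=203.0.113.77 dport=443 proto=tcp
2024-03-05T09:13:03Z action=allow src=10.10.5.23 dst=203.0.113.77 dport=443 proto=tcp
2024-03-05T09:13:10Z action=allow src=10.10.5.40 dst=198.51.100.10 dport=443 proto=tcp
2024-03-05T09:13:33Z action=allow src=10.10.5.23 dst=203.0.113.77 dport=443 proto=tcp
""".splitlines()

DHCP_LOG = """\
2024-03-05T07:58:41Z DHCPACK on 10.10.5.23 to 3c:52:82:aa:01:10 (LAPTOP-JSMITH)
2024-03-05T08:02:15Z DHCPACK on 10.10.5.40 to 3c:52:82:aa:02:22 (LAPTOP-ALEE)
2024-03-05T11:30:05Z DHCPACK on 10.10.5.23 to 3c:52:82:aa:03:33 (LAPTOP-VISITOR)
""".splitlines()

FW_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")
DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+) \((\S+)\)")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def c2_connections(fw_lines, c2_ip):
    """(timestamp, source IP) for every connection to the C2 address."""
    out = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m and m.group(4) == c2_ip:
            out.append((ts(m.group(1)), m.group(3)))
    return out


def lease_at(dhcp_lines, ip, when):
    """(MAC, hostname) holding ip at time `when`: the latest DHCPACK not after it."""
    best = None
    for line in dhcp_lines:
        m = DHCP_RE.match(line)
        if m and m.group(2) == ip and ts(m.group(1)) <= when:
            if best is None or ts(m.group(1)) > best[0]:
                best = (ts(m.group(1)), m.group(3), m.group(4))
    return None if best is None else best[1:]


def latest_lease(dhcp_lines, ip):
    """The naive lookup: whoever holds the IP now. Wrong once the lease has turned over."""
    return lease_at(dhcp_lines, ip, datetime.max.replace(tzinfo=timezone.utc))


def identify_hosts(fw_lines, dhcp_lines, c2_ip):
    """Impacted hosts as {(src_ip, mac, hostname)}, resolved at each connection's time."""
    hosts = set()
    for when, src in c2_connections(fw_lines, c2_ip):
        mac, host = lease_at(dhcp_lines, src, when) or ("unknown", "unknown")
        hosts.add((src, mac, host))
    return hosts


def beacon_intervals(fw_lines, c2_ip):
    """Seconds between successive C2 connections; a flat list is the beacon signature."""
    times = sorted(t for t, _ in c2_connections(fw_lines, c2_ip))
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    print("impacted:", identify_hosts(FIREWALL_LOG, DHCP_LOG, "203.0.113.77"))
    print("naive lookup:", latest_lease(DHCP_LOG, "10.10.5.23"))
    print("beacon intervals:", beacon_intervals(FIREWALL_LOG, "203.0.113.77"))
```

The constructed DHCP log hands 10.10.5.23 to a second machine two hours after the beacons; looking up "who has that IP" at investigation time would name the wrong laptop, which is why the lease must be matched against the firewall timestamps. The fixed 30-second spacing of the connections is the other signal worth pulling from the same firewall records.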

368
Q

A security team is setting up a new environment for hosting the organization’s on-premises software
application as a cloud-based service. Which of the following should the team ensure is in place in
order for the organization to follow security best practices?
A. Virtualization and isolation of resources
B. Network segmentation
C. Data encryption
D. Strong authentication policies

A

Answer: A
Explanation:
When hosting an on-premises software application in a cloud-based service, ensuring virtualization and isolation of resources is crucial for maintaining security best practices. This involves using virtualization techniques to create isolated environments (e.g., virtual machines or containers) for different applications and services, reducing the risk of cross-tenant attacks or resource leakage.

369
Q

Which of the following phases of an incident response involves generating reports?
A. Recovery
B. Preparation
C. Lessons learned
D. Containment

A

Answer: C
Explanation:
The lessons learned phase of an incident response process involves reviewing the incident and generating reports. This phase helps identify what went well, what needs improvement, and what
changes should be made to prevent future incidents. Documentation and reporting are essential
parts of this phase to ensure that the findings are recorded and used for future planning.

370
Q

A business needs a recovery site but does not require immediate failover. The business also wants to reduce the workload required to recover from an outage. Which of the following recovery sites is the best option?
A. Hot
B. Cold
C. Warm
D. Geographically dispersed

A

Answer: C
Explanation:
A warm site is the best option for a business that does not require immediate failover but wants to reduce the workload required for recovery. A warm site has some pre-installed equipment and data,
allowing for quicker recovery than a cold site, but it still requires some setup before becoming fully operational.

371
Q

Which of the following best describes the practice of researching laws and regulations related to information security operations within a specific industry?
A. Compliance reporting
B. GDPR
C. Due diligence
D. Attestation

A

Answer: C
Explanation:
Due diligence refers to the process of researching and understanding the laws, regulations, and best
practices that govern information security within a specific industry. Organizations are required to conduct due diligence to ensure compliance with legal and regulatory requirements, which helps
mitigate risks and avoid penalties.

372
Q

A security analyst developed a script to automate a trivial and repeatable task. Which of the following best describes the benefits of ensuring other team members understand how the script
works?
A. To reduce implementation cost
B. To identify complexity
C. To remediate technical debt
D. To prevent a single point of failure

A

Answer: D
Explanation:
Ensuring that other team members understand how a script works is essential to prevent a single point of failure. If only one person knows how the script operates, the organization risks being unable to maintain or troubleshoot it if that person is unavailable. Sharing knowledge ensures
continuity and reduces dependence on one individual.

373
Q

A bank set up a new server that contains customers’ PII. Which of the following should the bank use to make sure the sensitive data is not modified?
A. Full disk encryption
B. Network access control
C. File integrity monitoring
D. User behavior analytics

A

Answer: C
Explanation:
To ensure that sensitive data, such as Personally Identifiable Information (PII), is not modified, the
bank should implement file integrity monitoring (FIM). FIM tracks changes to files and provides alerts if unauthorized modifications are detected, ensuring data integrity.
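
What FIM actually does, as an added example that is not part of the flashcard set: baseline every file under a directory by hash, compare a later snapshot to report modified, added and removed files, and seal the baseline with an HMAC so an attacker who alters the data cannot also quietly rewrite the baseline to match. The directory and files are created in a temporary folder by the demo; the key is assumed to come from a secrets store rather than the monitored host.

```python
"""Added example (not from the flashcards): a minimal file integrity monitor.
It baselines a directory, detects modified/added/removed files, and seals the
baseline with an HMAC so the baseline itself cannot be silently rewritten.
The directory and files are created in a temp folder by the demo."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """{relative path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def seal(snap, key):
    """HMAC over the canonical JSON of a snapshot; keep the key off the monitored host."""
    return hmac.new(key, json.dumps(snap, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def run_demo():
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    (root / "customers.csv").write_text("id,name,ssn_last4\n1,Jane Doe,1234\n")
    (root / "app.ini").write_text("[db]\nhost=db01\n")
    key = os.urandom(32)                       # assumed: provisioned from a secrets store
    baseline = snapshot(root)
    tag = seal(baseline, key)

    # Tampering: a record altered, a config removed, an unexpected file dropped.
    (root / "customers.csv").write_text("id,name,ssn_last4\n1,Jane Doe,9999\n")
    (root / "app.ini").unlink()
    (root / "dropped.php").write_text("<?php /* unexpected file */ ?>\n")

    report = compare(baseline, snapshot(root))
    baseline_trusted = hmac.compare_digest(tag, seal(baseline, key))
    forged_baseline_detected = not hmac.compare_digest(tag, seal(snapshot(root), key))
    return report, baseline_trusted, forged_baseline_detected


if __name__ == "__main__":
    print(run_demo())
```

FIM detects modification after the fact; it does not prevent it. The controls that stop the change (permissions, access control lists) sit in front of it, and the sealed baseline is what keeps the detector itself honest.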

374
Q

A legacy device is being decommissioned and is no longer receiving updates or patches. Which of the following describes this scenario?
A. End of business
B. End of testing
C. End of support
D. End of life

A

Answer: D
Explanation:
When a legacy device is no longer receiving updates or patches, it is considered to be at the end of life (EOL). This means the manufacturer has ceased support for the device, and it will no longer receive updates, security patches, or technical assistance. EOL devices pose security risks and are often decommissioned or replaced.

375
Q

Employees located off-site must have access to company resources in order to complete their
assigned tasks. These employees utilize a solution that allows remote access without interception concerns. Which of the following best describes this solution?
A. Proxy server
B. NGFW
C. VPN
D. Security zone

A

Answer: C
Explanation:
A Virtual Private Network (VPN) is the best solution to allow remote employees secure access to company resources without interception concerns. A VPN establishes an encrypted tunnel over the internet, ensuring that data transferred between remote employees and the company is secure from
eavesdropping.

376
Q

Which of the following alert types is the most likely to be ignored over time?
A. True positive
B. True negative
C. False positive
D. False negative

A

Answer: C
Explanation:
A false positive is an alert that incorrectly identifies benign activity as malicious. Over time, if an
alerting system generates too many false positives, security teams are likely to ignore these alerts,
resulting in “alert fatigue.” This increases the risk of missing genuine threats.

377
Q

The Chief Information Security Officer (CISO) at a large company would like to gain an understanding of how the company’s security policies compare to the requirements imposed by external regulators.
Which of the following should the CISO use?
A. Penetration test
B. Internal audit
C. Attestation
D. External examination

A

Answer: D
Explanation:
An external examination (also known as an external audit or external review) is the best method for
the Chief Information Security Officer (CISO) to gain an understanding of how the company’s security policies compare to external regulatory requirements. External examinations are conducted by third-
party entities that assess an organization’s compliance with laws, regulations, and industry
standards.

378
Q

A systems administrator notices that one of the systems critical for processing customer transactions is running an end-of-life operating system. Which of the following techniques would increase enterprise security?
A. Installing HIDS on the system
B. Placing the system in an isolated VLAN
C. Decommissioning the system
D. Encrypting the system’s hard drive

A

Answer: B
Explanation:
To enhance security for a system running an end-of-life operating system, placing the system in an
isolated VLAN is the most effective approach. By isolating the system from the rest of the network,
you can limit its exposure to potential threats while maintaining its functionality. This segmentation helps protect the rest of the network from any vulnerabilities in the outdated system.

379
Q

An organization is adopting cloud services at a rapid pace and now has multiple SaaS applications in use. Each application has a separate log-in, so the security team wants to reduce the number of
credentials each employee must maintain. Which of the following is the first step the security team should take?
A. Enable SAML
B. Create OAuth tokens.
C. Use password vaulting.
D. Select an IdP

A

Answer: D
Explanation:
The first step in reducing the number of credentials each employee must maintain when using
multiple SaaS applications is to select an Identity Provider (IdP). An IdP provides a centralized
authentication service that supports Single Sign-On (SSO), enabling users to access multiple applications with a single set of credentials.

380
Q

Which of the following would best explain why a security analyst is running daily vulnerability scans
on all corporate endpoints?
A. To track the status of patching installations
B. To find shadow IT cloud deployments
C. To continuously monitor the hardware inventory
D. To hunt for active attackers in the network

A

Answer: A
Explanation:
Running daily vulnerability scans on all corporate endpoints is primarily done to track the status of
patching installations. These scans help identify any missing security patches or vulnerabilities that could be exploited by attackers. Keeping the endpoints up-to-date with the latest patches is critical
for maintaining security.

381
Q

Which of the following threat vectors is most commonly utilized by insider threat actors attempting data exfiltration?
A. Unidentified removable devices
B. Default network device credentials
C. Spear phishing emails
D. Impersonation of business units through typosquatting

A

Answer: A
Explanation:
Unidentified removable devices, such as USB drives, are a common threat vector for insider threat actors attempting data exfiltration. Insiders can easily use these devices to transfer sensitive data out
of the organization undetected, making it one of the most commonly utilized methods for data theft.

382
Q

A new employee logs in to the email system for the first time and notices a message from human
resources about onboarding. The employee hovers over a few of the links within the email and discovers that the links do not correspond to links associated with the company. Which of the
following attack vectors is most likely being used?
A. Business email
B. Social engineering
C. Unsecured network
D. Default credentials

A

Answer: B
Explanation:
The employee notices that the links in the email do not correspond to the company’s official URLs,
indicating that this is likely a social engineering attack. Social engineering involves manipulating individuals into divulging confidential information or performing actions that may compromise security. Phishing emails, like the one described, often contain fraudulent links to trick the recipient into providing sensitive information or downloading malware.

383
Q

An IT manager is increasing the security capabilities of an organization after a data classification initiative determined that sensitive data could be exfiltrated from the environment. Which of the following solutions would mitigate the risk?
A. XDR
B. SPF
C. DLP
D. DMARC

A

Answer: C
Explanation:
To mitigate the risk of sensitive data being exfiltrated from the environment, the IT manager should
implement a Data Loss Prevention (DLP) solution. DLP monitors and controls the movement of sensitive data, ensuring that unauthorized transfers are blocked and potential data breaches are prevented.

384
Q

An important patch for a critical application has just been released, and a systems administrator is
identifying all of the systems requiring the patch. Which of the following must be maintained in order
to ensure that all systems requiring the patch are updated?
A. Asset inventory
B. Network enumeration
C. Data certification
D. Procurement process

A

Answer: A
Explanation:
To ensure that all systems requiring the patch are updated, the systems administrator must maintain an accurate asset inventory. This inventory lists all hardware and software assets within the
organization, allowing the administrator to identify which systems are affected by the patch and ensuring that none are missed during the update process.

385
Q

A security analyst has determined that a security breach would have a financial impact of $15,000 and is expected to occur twice within a three-year period. Which of the following is the ALE for this risk?

A. $7,500
B. $10,000
C. $15,000
D. $30,000

A

Answer: B

Explanation:
ARO = 2 occurrences / 3 years ≈ 0.67 per year, so ALE = SLE × ARO = $15,000 × 0.67 ≈ $10,000.
Simpler calculation without decimals:
$15,000 SLE x 2 occurrences = $30,000.
$30,000 / 3 years = $10,000 ALE

386
Q

Which of the following is required for an organization to properly manage its restore process in the event of system failure?

A. IRP
B. DRP
C. RPO
D. SDLC

A

Answer: B

387
Q

An administrator is reviewing a single server’s security logs and discovers the following:

Which of the following best describes the action captured in this log file?

A. Brute-force attack
B. Privilege escalation
C. Failed password audit
D. Forgotten password by the user

A

Answer: A

388
Q

A company is required to perform a risk assessment on an annual basis. Which of the following types of risk assessments does this requirement describe?

A. Continuous
B. Ad hoc
C. Recurring
D. One time

A

Answer: C

389
Q

Which of the following best ensures minimal downtime and data loss for organizations with critical computing equipment located in earthquake-prone areas?

A. Generators and UPS
B. Off-site replication
C. Redundant cold sites
D. High availability networking

A

Answer: B. Off-site replication

390
Q

A client demands at least 99.99% uptime from a service provider’s hosted security services. Which of the following documents includes the information the service provider should return to the client?

A. MOA
B. SOW
C. MOU
D. SLA

A

Answer: D. SLA

391
Q

A security investigation revealed that malicious software was installed on a server using a server administrator’s credentials. During the investigation, the server administrator explained that Telnet was regularly used to log in. Which of the following most likely occurred?

A. A spraying attack was used to determine which credentials to use.
B. A packet capture tool was used to steal the password.
C. A remote-access Trojan was used to install the malware.
D. A dictionary attack was used to log in as the server administrator.

A

B. A packet capture tool was used to steal the password.

392
Q

A user downloaded software from an online forum. After the user installed the software, the security team observed external network traffic connecting to the user’s computer on an uncommon port. Which of the following is the most likely explanation of this unauthorized connection?

A. The software had a hidden keylogger.
B. The software was ransomware.
C. The user’s computer had a fileless virus.
D. The software contained a backdoor.

A

D. The software contained a backdoor.

393
Q

An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?

A. Exception
B. Segmentation
C. Risk transfer
D. Compensating controls

A

D. Compensating controls

394
Q

Which of the following tools is best for logging and monitoring in a cloud environment?

A. IPS
B. FIM
C. NAC
D. SIEM

A

D. SIEM

395
Q

Which of the following types of vulnerabilities is primarily caused by improper use and management of cryptographic certificates?

A. Misconfiguration
B. Resource reuse
C. Insecure key storage
D. Weak cipher suites

A

A. Misconfiguration

396
Q

Which of the following architectures is most suitable to provide redundancy for critical business processes?

A. Network-enabled
B. Server-side
C. Cloud-native
D. Multitenant

A

C. Cloud-native

397
Q

Which of the following methods can be used to detect attackers who have successfully infiltrated a network? (Choose two.)

A. Tokenization
B. CI/CD
C. Honeypots
D. Threat modeling
E. DNS sinkhole
F. Data obfuscation

A

C. Honeypots
E. DNS sinkhole

398
Q

An organization’s web servers host an online ordering system. The organization discovers that the servers are vulnerable to a malicious JavaScript injection, which could allow attackers to access customer payment information. Which of the following mitigation strategies would be most effective for preventing an attack on the organization’s web servers? (Choose two.)

A. Regularly updating server software and patches
B. Implementing strong password policies
C. Encrypting sensitive data at rest and in transit
D. Utilizing a web-application firewall
E. Performing regular vulnerability scans
F. Removing payment information from the servers

A

A. Regularly updating server software and patches

D. Utilizing a web-application firewall

399
Q

An organization has recently decided to implement SSO. The requirements are to leverage access tokens and focus on application authorization rather than user authentication. Which of the following solutions would the engineering team most likely configure?

A. LDAP
B. Federation
C. SAML
D. OAuth

A

D. OAuth

400
Q

Which of the following should a security team use to document persistent vulnerabilities with related recommendations?

A. Audit report
B. Risk register
C. Compliance report
D. Penetration test

A

B. Risk register

401
Q

A malicious insider from the marketing team alters records and transfers company funds to a personal account. Which of the following methods would be the best way to secure company records in the future?

A. Permission restrictions
B. Hashing
C. Input validation
D. Access control list

A

A. Permission restrictions

402
Q

A security architect wants to prevent employees from receiving malicious attachments by email. Which of the following functions should the chosen solution do?

A. Apply IP address reputation data.
B. Tap and monitor the email feed.
C. Scan email traffic inline.
D. Check SPF records.

A

C. Scan email traffic inline.

403
Q

Which of the following has been implemented when a host-based firewall on a legacy Linux system allows connections from only specific internal IP addresses?

A. Compensating control
B. Network segmentation
C. Transfer of risk
D. SNMP traps

A

A. Compensating control

404
Q

Which of the following should a systems administrator use to decrease the company’s hardware attack surface?

A. Replication
B. Isolation
C. Centralization
D. Virtualization

A

D. Virtualization

405
Q

A security team is in the process of hardening the network against externally crafted malicious packets. Which of the following is the most secure method to protect the internal network?

A. Anti-malware solutions
B. Host-based firewalls
C. Intrusion prevention systems
D. Network access control
E. Network allow list

A

C. Intrusion prevention systems

406
Q

An employee receives a text message that appears to have been sent by the payroll department and is asking for credential verification. Which of the following social engineering techniques are being attempted? (Choose two.)

A. Typosquatting
B. Phishing
C. Impersonation
D. Vishing
E. Smishing
F. Misinformation

A

C. Impersonation
E. Smishing

407
Q

Which of the following is the primary reason why false negatives on a vulnerability scan should be a concern?

A. The system has vulnerabilities that are not being detected.
B. The time to remediate vulnerabilities that do not exist is excessive.
C. Vulnerabilities with a lower severity will be prioritized over critical vulnerabilities.
D. The system has vulnerabilities, and a patch has not yet been released.

A

A. The system has vulnerabilities that are not being detected

408
Q

A company is decommissioning its physical servers and replacing them with an architecture that will reduce the number of individual operating systems. Which of the following strategies should the company use to achieve this security requirement?

A. Microservices
B. Containerization
C. Virtualization
D. Infrastructure as code

A

B. Containerization

409
Q

A security analyst received a tip that sensitive proprietary information was leaked to the public. The analyst is reviewing the PCAP and notices traffic between an internal server and an external host that includes the following:


12:47:22.327233 PPPoE [ses 0x8122] IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto IPv6 (41), length 331) 10.5.1.1 > 52.165.16.154: IP6 (hlim 63, next-header TCP (6) payload length: 271) 2001:67c:2158:a019::ace.53104 > 2001:0:5ef5:79fd:380c:dddd:a601:24fa.13788: Flags [P.], cksum 0xd7ee (correct), seq 97:348, ack 102, win 16444, length 251

Which of the following was most likely used to exfiltrate the data?

A. Encapsulation
B. MAC address spoofing
C. Steganography
D. Broken encryption
E. Sniffing via on-path position

A

A. Encapsulation

410
Q

A security analyst at an organization observed several user logins from outside the organization’s network. The analyst determined that these logins were not performed by individuals within the organization. Which of the following recommendations would reduce the likelihood of future attacks? (Choose two.)

A. Disciplinary actions for users
B. Conditional access policies
C. More regular account audits
D. Implementation of additional authentication factors
E. Enforcement of content filtering policies
F. A review of user account permissions

A

B. Conditional access policies
D. Implementation of additional authentication factors

411
Q

A security administrator needs a method to secure data in an environment that includes some form of checks to track any changes. Which of the following should the administrator set up to achieve this goal?

A. SPF
B. GPO
C. NAC
D. FIM

A

D. FIM

412
Q

An organization is required to provide assurance that its controls are properly designed and operating effectively. Which of the following reports will best achieve the objective?

A. Red teaming
B. Penetration testing
C. Independent audit
D. Vulnerability assessment

A

C. Independent audit

413
Q

After creating a contract for IT contractors, the human resources department changed several clauses. The contract has gone through three revisions. Which of the following processes should the human resources department follow to track revisions?

A. Version validation
B. Version changes
C. Version updates
D. Version control

A

D. Version control

414
Q

A security administrator is implementing encryption on all hard drives in an organization. Which of the following security concepts is the administrator applying?

A. Integrity
B. Authentication
C. Zero Trust
D. Confidentiality

A

D. Confidentiality

415
Q

A development team is launching a new public-facing web product. The Chief Information Security Officer has asked that the product be protected from attackers who use malformed or invalid inputs to destabilize the system. Which of the following practices should the development team implement?

A. Fuzzing
B. Continuous deployment
C. Static code analysis
D. Manual peer review

A

A. Fuzzing

416
Q

An organization wants to limit potential impact to its log-in database in the event of a breach. Which of the following options is the security team most likely to recommend?

A. Tokenization
B. Hashing
C. Obfuscation
D. Segmentation

A

B. Hashing

417
Q

Which of the following is a preventive physical security control?

A. Video surveillance system
B. Bollards
C. Alarm system
D. Motion sensors

A

B. Bollards

418
Q

An organization needs to determine how many employees are accessing the building each day in order to configure the proper access controls. Which of the following control types best meets this requirement?

A. Detective
B. Preventive
C. Corrective
D. Directive

A

A. Detective

419
Q

A security administrator observed the following in a web server log while investigating an incident:

“GET ../../../../etc/passwd”

Which of the following attacks did the security administrator most likely see?

A. Privilege escalation
B. Credential replay
C. Brute force
D. Directory traversal

A

D. Directory traversal

420
Q

Which of the following would be the most appropriate way to protect data in transit?

A. SHA-256
B. SSL3.0
C. TLS 1.3
D. AES-256

A

C. TLS 1.3

421
Q

A security analyst is reviewing logs and discovers the following:

Which of the following should be used to best mitigate this type of attack?

A. Input sanitization
B. Secure cookies
C. Static code analysis
D. Sandboxing

A

A. Input sanitization

422
Q

A company captures log-in details and reviews them each week to identify conditions such as excessive log-in attempts and frequent lockouts. Which of the following should a security analyst recommend to improve security compliance monitoring?

A. Including the date and person who reviewed the information in a report
B. Adding automated alerting when anomalies occur
C. Requiring a statement each week that no exceptions were noted
D. Masking the username in a report to protect privacy

A

B. Adding automated alerting when anomalies occur

423
Q

When trying to access an internal website, an employee reports that a prompt displays, stating that the site is insecure. Which of the following certificate types is the site most likely using?

A. Wildcard
B. Root of trust
C. Third-party
D. Self-signed

A

D. Self-signed

424
Q

A security administrator is reissuing a former employee’s laptop. Which of the following is the best combination of data handling activities for the administrator to perform? (Choose two.)

A. Data retention
B. Certification
C. Destruction
D. Classification
E. Sanitization
F. Enumeration

A

B. Certification
E. Sanitization

425
Q

A utility company is designing a new platform that will host all the virtual machines used by business applications. The requirements include:

  • A starting baseline of 50% memory utilization
  • Storage scalability
  • Single circuit failure resilience

Which of the following best meets all of these requirements?

A. Connecting dual PDUs to redundant power supplies
B. Transitioning the platform to an IaaS provider
C. Configuring network load balancing for multiple paths
D. Deploying multiple large NAS devices for each host

A

B. Transitioning the platform to an IaaS provider

426
Q

A group of developers has a shared backup account to access the source code repository. Which of the following is the best way to secure the backup account if there is an SSO failure?

A. RAS
B. EAP
C. SAML
D. PAM

A

D. PAM

427
Q

Which of the following activities is included in the post-incident review phase?

A. Determining the root cause of the incident
B. Developing steps to mitigate the risks of the incident
C. Validating the accuracy of the evidence collected during the investigation
D. Reestablishing the compromised system’s configuration and settings

A

A. Determining the root cause of the incident

428
Q

A Chief Information Security Officer would like to conduct frequent, detailed reviews of systems and procedures to track compliance objectives. Which of the following will be the best method to achieve this objective?

A. Third-party attestation
B. Penetration testing
C. Internal auditing
D. Vulnerability scans

A

C. Internal auditing

429
Q

An organization completed a project to deploy SSO across all business applications last year. Recently, the finance department selected a new cloud-based accounting software vendor. Which of the following should most likely be configured during the new software deployment?

A. RADIUS
B. SAML
C. EAP
D. OpenID

A

B. SAML

430
Q

While performing digital forensics, which of the following is considered the most volatile and should have the contents collected first?

A. Hard drive
B. RAM
C. SSD
D. Temporary files

A

B. RAM

431
Q

A company wants to add an MFA solution for all employees who access the corporate network remotely. Log-in requirements include something you know, are, and have. The company wants a solution that does not require purchasing third-party applications or specialized hardware. Which of the following MFA solutions would best meet the company’s requirements?

A. Smart card with PIN and password
B. Security questions and a one-time passcode sent via email
C. Voice and fingerprint verification with an SMS one-time passcode
D. Mobile application-generated, one-time passcode with facial recognition

A

C. Voice and fingerprint verification with an SMS one-time passcode

432
Q

Which of the following best describes a use case for a DNS sinkhole?

A. Attackers can see a DNS sinkhole as a highly valuable resource to identify a company’s domain structure.
B. A DNS sinkhole can be used to draw employees away from known-good websites to malicious ones owned by the attacker.
C. A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.
D. A DNS sinkhole can be set up to attract potential attackers away from a company’s network resources.

A

C. A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.

433
Q

A company discovered its data was advertised for sale on the dark web. During the initial investigation, the company determined the data was proprietary data. Which of the following is the next step the company should take?

A. Identify the attacker’s entry methods.
B. Report the breach to the local authorities.
C. Notify the applicable parties of the breach.
D. Implement vulnerability scanning of the company’s systems.

A

C. Notify the applicable parties of the breach

434
Q

A government official receives a blank envelope containing photos and a note instructing the official to wire a large sum of money by midnight to prevent the photos from being leaked on the internet. Which of the following best describes the threat actor’s intent?

A. Organized crime
B. Philosophical beliefs
C. Espionage
D. Blackmail

A

D. Blackmail

435
Q

Which of the following best describe the benefits of a microservices architecture when compared to a monolithic architecture? (Choose two.)

A. Easier debugging of the system
B. Reduced cost of ownership of the system
C. Improved scalability of the system
D. Increased compartmentalization of the system
E. Stronger authentication of the system
F. Reduced complexity of the system

A

C. Improved scalability of the system
D. Increased compartmentalization of the system

436
Q

A security engineer would like to enhance the use of automation and orchestration within the SIEM. Which of the following would be the primary benefit of this enhancement?

A. It increases complexity.
B. It removes technical debt.
C. It adds additional guard rails.
D. It acts as a workforce multiplier.

A

D. It acts as a workforce multiplier.

437
Q

Which of the following is the most relevant reason a DPO would develop a data inventory?

A. To manage data storage requirements better
B. To determine the impact in the event of a breach
C. To extend the length of time data can be retained
D. To automate the reduction of duplicated data

A

B. To determine the impact in the event of a breach

438
Q

Which of the following most likely describes why a security engineer would configure all outbound emails to use S/MIME digital signatures?

A. To meet compliance standards
B. To increase delivery rates
C. To block phishing attacks
D. To ensure non-repudiation

A

D. To ensure non-repudiation

439
Q

Which of the following is a compensating control for providing user access to a high-risk website?

A. Enabling threat prevention features on the firewall
B. Configuring a SIEM tool to capture all web traffic
C. Setting firewall rules to allow traffic from any port to that destination
D. Blocking that website on the endpoint protection software

A

A. Enabling threat prevention features on the firewall

440
Q

Which of the following steps in the risk management process involves establishing the scope and potential risks involved with a project?

A. Risk assessment
B. Risk identification
C. Risk treatment
D. Risk monitoring and review

A

B. Risk identification

441
Q

Which of the following physical controls can be used to both detect and deter? (Choose two.)

A. Lighting
B. Fencing
C. Signage
D. Sensor
E. Bollard
F. Lock

A

A. Lighting
D. Sensor

442
Q

Which of the following elements of digital forensics should a company use if it needs to ensure the integrity of evidence?

A. Preservation
B. E-discovery
C. Acquisition
D. Containment

A

A. Preservation

443
Q

A security administrator documented the following records during an assessment of network services:

Two weeks later, the administrator performed a log review and noticed the records were changed as follows:

When consulting the service owner, the administrator validated that the new address was not part of the company network. Which of the following was the company most likely experiencing?

A. DDoS attack
B. DNS poisoning
C. Ransomware compromise
D. Spyware infection

A

B. DNS poisoning

444
Q

A company hired an external consultant to assist with required system upgrades to a critical business application. A systems administrator needs to secure the consultant’s access without sharing passwords to critical systems. Which of the following solutions should most likely be utilized?

A. TACACS+
B. SAML
C. An SSO platform
D. Role-based access control
E. PAM software

A

E. PAM software

445
Q

A company wants to implement MFA. Which of the following enables the additional factor while using a smart card?

A. PIN
B. Hardware token
C. User ID
D. SMS

A

A. PIN

446
Q

Which of the following most impacts an administrator’s ability to address CVEs discovered on a server?

A. Rescanning requirements
B. Patch availability
C. Organizational impact
D. Risk tolerance

A

B. Patch availability

447
Q
A

C. Footprinting the internal network

448
Q

A database administrator is updating the company’s SQL database, which stores credit card information for pending purchases. Which of the following is the best method to secure the data against a potential breach?

A. Hashing
B. Obfuscation
C. Tokenization
D. Masking

A

C. Tokenization

449
Q

Which of the following can be used to compromise a system that is running an RTOS?

A. Cross-site scripting
B. Memory injection
C. Replay attack
D. Ransomware

A

B. Memory injection

450
Q

An IT administrator needs to ensure data retention standards are implemented on an enterprise application. Which of the following describes the administrator’s role?

A. Processor
B. Custodian
C. Privacy officer
D. Owner

A

B. Custodian

451
Q

Which of the following is a possible factor for MFA?

A. Something you exhibit
B. Something you have
C. Somewhere you are
D. Someone you know

A

B. Something you have

452
Q

Which of the following activities is the first stage in the incident response process?

A. Detection
B. Declaration
C. Containment
D. Verification

A

A. Detection

453
Q

Which of the following definitions best describes the concept of log correlation?

A. Combining relevant logs from multiple sources into one location
B. Searching and processing data to identify patterns of malicious activity
C. Making a record of the events that occur in the system
D. Analyzing the log files of the system components

A

B. Searching and processing data to identify patterns of malicious activity

454
Q

The management team reports that employees are missing features on company-provided tablets, which is causing productivity issues. The management team directs the IT team to resolve the issue within 48 hours. Which of the following would be the best solution for the IT team to leverage in this scenario?

A. EDR
B. COPE
C. MDM
D. FDE

A

C. MDM

455
Q

Which of the following should a security team do first before a new web server goes live?

A. Harden the virtual host.
B. Create WAF rules.
C. Enable network intrusion detection.
D. Apply patch management.

A

A. Harden the virtual host

456
Q

A malicious update was distributed to a common software platform and disabled services at many organizations. Which of the following best describes this type of vulnerability?

A. DDoS attack
B. Rogue employee
C. Insider threat
D. Supply chain

A

D. Supply chain

457
Q

The author of a software package is concerned about bad actors repackaging and inserting malware into the software. The software download is hosted on a website, and the author exclusively controls the website’s contents. Which of the following techniques would best ensure the software’s integrity?

A. Input validation
B. Code signing
C. Secure cookies
D. Fuzzing

A

B. Code signing

458
Q

Which of the following would a security administrator use to comply with a secure baseline during a patch update?

A. Information security policy
B. Service-level expectations
C. Standard operating procedure
D. Test result report

A

C. Standard operating procedure

459
Q

Which of the following is used to validate a certificate when it is presented to a user?

A. OCSP
B. CSR
C. CA
D. CRC

A

A. OCSP

460
Q

The Chief Information Security Officer (CISO) has determined the company is non-compliant with local data privacy regulations. The CISO needs to justify the budget request for more resources. Which of the following should the CISO present to the board as the direct consequence of non-compliance?

A. Fines
B. Reputational damage
C. Sanctions
D. Contractual implications

A

A. Fines

461
Q

A third-party vendor is moving a particular application to the end-of-life stage at the end of the current year. Which of the following is the most critical risk if the company chooses to continue running the application?

A. Lack of security updates
B. Lack of new features
C. Lack of support
D. Lack of source code access

A

A. Lack of security updates

462
Q

Which of the following is the best way to secure an on-site data center against intrusion from an insider?

A. Bollards
B. Access badge
C. Motion sensor
D. Video surveillance

A

B. Access badge

463
Q

The Chief Information Security Officer (CISO) at a large company would like to gain an understanding of how the company’s security policies compare to the requirements imposed by external regulators. Which of the following should the CISO use?

A. Penetration test
B. Internal audit
C. Attestation
D. External examination

A

B. Internal audit

464
Q

Which of the following options will provide the lowest RTO and RPO for a database?

A. Snapshots
B. On-site backups
C. Journaling
D. Hot site

A

D. Hot site

465
Q

Which of the following best describes the concept of information being stored outside of its country of origin while still being subject to the laws and requirements of the country of origin?

A. Data sovereignty
B. Geolocation
C. Intellectual property
D. Geographic restrictions

A

A. Data sovereignty

466
Q

Executives at a company are concerned about employees accessing systems and information about sensitive company projects unrelated to the employees’ normal job duties. Which of the following enterprise security capabilities will the security team most likely deploy to detect that activity?

A. UBA
B. EDR
C. NAC
D. DLP

A

A. UBA

467
Q

Which of the following is a common source of unintentional corporate credential leakage in cloud environments?

A. Code repositories
B. Dark web
C. Threat feeds
D. State actors
E. Vulnerability databases

A

A. Code repositories

468
Q

A threat actor was able to use a username and password to log in to a stolen company mobile device. Which of the following provides the best solution to increase mobile data security on all employees’ company mobile devices?

A. Application management
B. Full disk encryption
C. Remote wipe
D. Containerization

A

C. Remote wipe

469
Q

A security analyst is investigating an application server and discovers that software on the server is behaving abnormally. The software normally runs batch jobs locally and does not generate traffic, but the process is now generating outbound traffic over random high ports. Which of the following vulnerabilities has likely been exploited in this software?

A. Memory injection
B. Race condition
C. Side loading
D. SQL injection

A

A. Memory injection

470
Q

A company wants to improve the availability of its application with a solution that requires minimal effort in the event a server needs to be replaced or added. Which of the following would be the best solution to meet these objectives?

A. Load balancing
B. Fault tolerance
C. Proxy servers
D. Replication

A

A. Load balancing

471
Q

An analyst is reviewing job postings to ensure sensitive company information is not being shared with the general public. Which of the following is the analyst most likely looking for?

A. Office addresses
B. Software versions
C. List of board members
D. Government identification numbers

A

B. Software versions

472
Q

A systems administrator deployed a monitoring solution that does not require installation on the endpoints that the solution is monitoring. Which of the following is described in this scenario?

A. Agentless solution
B. Client-based solution
C. Open port
D. File-based solution

A

A. Agentless solution

473
Q

An organization wants to improve the company’s security authentication method for remote employees. Given the following requirements:

  • Must work across SaaS and internal network applications
  • Must be device manufacturer agnostic
  • Must have offline capabilities

Which of the following would be the most appropriate authentication method?

A. Username and password
B. Biometrics
C. SMS verification
D. Time-based tokens

A

D. Time-based tokens

474
Q

A company is in the process of migrating to cloud-based services. The company’s IT department has limited resources for migration and ongoing support. Which of the following best meets the company’s needs?

A. IPS
B. WAF
C. SASE
D. IAM

A

C. SASE

475
Q

A newly implemented wireless network is designed so that visitors can connect to the wireless network for business activities. The legal department is concerned that visitors might connect to the network and perform illicit activities. Which of the following should the security team implement to address this concern?

A. Configure a RADIUS server to manage device authentication.
B. Use 802.1X on all devices connecting to wireless.
C. Add a guest captive portal requiring visitors to accept terms and conditions.
D. Allow for new devices to be connected via WPS.

A

C. Add a guest captive portal requiring visitors to accept terms and conditions.

476
Q

Which of the following addresses individual rights such as the right to be informed, the right of access, and the right to be forgotten?

A. GDPR
B. PCI DSS
C. NIST
D. ISO

A

A. GDPR

477
Q

A coffee shop owner wants to restrict internet access to only paying customers by prompting them for a receipt number. Which of the following is the best method to use given this requirement?

A. WPA3
B. Captive portal
C. PSK
D. IEEE 802.1X

A

B. Captive portal

478
Q

An organization experiences a cybersecurity incident involving a command-and-control server. Which of the following logs should be analyzed to identify the impacted host? (Choose two.)

A. Application
B. Authentication
C. DHCP
D. Network
E. Firewall
F. Database

A

D. Network
E. Firewall

479
Q

An administrator has configured a quarantine subnet for all guest devices that connect to the network. Which of the following would be best for the security team to perform before allowing access to corporate resources?

A. Device fingerprinting
B. Compliance attestation
C. Penetration test
D. Application vulnerability test

A

B. Compliance attestation

480
Q

A university employee logged on to the academic server and attempted to guess the system administrators’ log-in credentials. Which of the following security measures should the university have implemented to detect the employee’s attempts to gain access to the administrators’ accounts?

A. Two-factor authentication
B. Firewall
C. Intrusion prevention system
D. User activity logs

A

D. User activity logs

481
Q

An enterprise security team is researching a new security architecture to better protect the company’s networks and applications against the latest cyberthreats. The company has a fully remote workforce. The solution should be highly redundant and enable users to connect to a VPN with an integrated, software-based firewall. Which of the following solutions meets these requirements?

A. IPS
B. SIEM
C. SASE
D. CASB

A

C. SASE

482
Q

A company discovers suspicious transactions that were entered into the company’s database and attached to a user account that was created as a trap for malicious activity. Which of the following is the user account an example of?

A. Honeytoken
B. Honeynet
C. Honeypot
D. Honeyfile

A

A. Honeytoken

483
Q

An auditor discovered multiple insecure ports on some servers. Other servers were found to have legacy protocols enabled. Which of the following tools did the auditor use to discover these issues?

A. Nessus
B. curl
C. Wireshark
D. netcat

A

A. Nessus

484
Q

Which of the following allows an exploit to go undetected by the operating system?

A. Firmware vulnerabilities
B. Side loading
C. Memory injection
D. Encrypted payloads

A

C. Memory injection

485
Q

An organization wants to implement a secure solution for remote users. The users handle sensitive PHI on a regular basis and need to access an internally developed corporate application. Which of the following best meet the organization’s security requirements? (Choose two.)

A. Local administrative password
B. Perimeter network
C. Jump server
D. WAF
E. MFA
F. VPN

A

E. MFA
F. VPN

486
Q

During a SQL update of a database, a temporary field that was created was replaced by an attacker in order to allow access to the system. Which of the following best describes this type of vulnerability?

A. Race condition
B. Memory injection
C. Malicious update
D. Side loading

A

C. Malicious update

487
Q

Which of the following is the best reason an organization should enforce a data classification policy to help protect its most sensitive information?

A. End users will be required to consider the classification of data that can be used in documents.
B. The policy will result in the creation of access levels for each level of classification.
C. The organization will have the ability to create security requirements based on classification levels.
D. Security analysts will be able to see the classification of data within a document before opening it.

A

C. The organization will have the ability to create security requirements based on classification levels.

488
Q

Which of the following would be the best way to test resiliency in the event of a primary power failure?

A. Parallel processing
B. Tabletop exercise
C. Simulation testing
D. Production failover

A

D. Production failover

489
Q

A company suffered a critical incident where 30GB of data was exfiltrated from the corporate network. Which of the following actions is the most efficient way to identify where the system data was exfiltrated from and what location the attacker sent the data to?

A. Analyze firewall and network logs for large amounts of outbound traffic to external IP addresses or domains.
B. Analyze IPS and IDS logs to find the IP addresses used by the attacker for reconnaissance scans.
C. Analyze endpoint and application logs to see whether file-sharing programs were running on the company systems.
D. Analyze external vulnerability scans and automated reports to identify the systems on which the attacker could have exploited a remote code vulnerability.

A

A. Analyze firewall and network logs for large amounts of outbound traffic to external IP addresses or domains.

490
Q

Which of the following is the best way to validate the integrity and availability of a disaster recovery site?

A. Lead a simulated failover.
B. Conduct a tabletop exercise.
C. Periodically test the generators.
D. Develop requirements for database encryption.

A

A. Lead a simulated failover.

491
Q

A technician is deploying a new security camera. Which of the following should the technician do?

A. Configure the correct VLAN.
B. Perform a vulnerability scan.
C. Disable unnecessary ports.
D. Conduct a site survey.

A

D. Conduct a site survey

492
Q

An administrator is installing an SSL certificate on a new system. During testing, errors indicate that the certificate is not trusted. The administrator has verified with the issuing CA and has validated the private key. Which of the following should the administrator check for next?

A. If the wildcard certificate is configured
B. If the certificate signing request is valid
C. If the root certificate is installed
D. If the public key is configured

A

C. If the root certificate is installed

493
Q

A penetration test has demonstrated that domain administrator accounts were vulnerable to pass-the-hash attacks. Which of the following would have been the best strategy to prevent the threat actor from using domain administrator accounts?

A. Audit each domain administrator account weekly for password compliance.
B. Implement a privileged access management solution.
C. Create IDS policies to monitor domain controller access.
D. Use Group Policy to enforce password expiration.

A

B. Implement a privileged access management solution.

494
Q

A company web server is initiating outbound traffic to a low-reputation, public IP on a non-standard port. The web server is used to present an unauthenticated page to clients who upload images to the company. An analyst notices a suspicious process running on the server that was not created by the company development team. Which of the following is the most likely explanation for this security incident?

A. A web shell has been deployed to the server through the page.
B. A vulnerability has been exploited to deploy a worm to the server.
C. Malicious insiders are using the server to mine cryptocurrency.
D. Attackers have deployed a rootkit Trojan to the server over an exposed RDP port.

A

A. A web shell has been deployed to the server through the page.

495
Q

Which of the following is a possible consequence of a VM escape?

A. Malicious instructions can be inserted into memory and give the attacker elevated permissions.
B. An attacker can access the hypervisor and compromise other VMs.
C. Unencrypted data can be read by a user who is in a separate environment.
D. Users can install software that is not on the manufacturer’s approved list.

A

B. An attacker can access the hypervisor and compromise other VMs.

496
Q
A

A. DDoS

497
Q

A business needs a recovery site but does not require immediate failover. The business also wants to reduce the workload required to recover from an outage. Which of the following recovery sites is the best option?

A. Hot
B. Cold
C. Warm
D. Geographically dispersed

A

C. Warm

498
Q

A security administrator is working to find a cost-effective solution to implement certificates for a large number of domains and subdomains owned by the company. Which of the following types of certificates should the administrator implement?

A. Wildcard
B. Client certificate
C. Self-signed
D. Code signing

A

A. Wildcard

499
Q

An architect has a request to increase the speed of data transfer using JSON requests externally. Currently, the organization uses SFTP to transfer data files. Which of the following will most likely meet the requirements?

A. A website-hosted solution
B. Cloud shared storage
C. A secure email solution
D. Microservices using API

A

D. Microservices using API

500
Q

For which of the following reasons would a systems administrator leverage a 3DES hash from an installer file that is posted on a vendor’s website?

A. To test the integrity of the file
B. To validate the authenticity of the file
C. To activate the license for the file
D. To calculate the checksum of the file

A

A. To test the integrity of the file

501
Q

Easy-to-guess passwords led to an account compromise. The current password policy requires at least 12 alphanumeric characters, one uppercase character, one lowercase character, a password history of two passwords, a minimum password age of one day, and a maximum password age of 90 days. Which of the following would reduce the risk of this incident from happening again? (Choose two.)

A. Increasing the minimum password length to 14 characters.
B. Upgrading the password hashing algorithm from MD5 to SHA-512.
C. Increasing the maximum password age to 120 days.
D. Reducing the minimum password length to ten characters.
E. Reducing the minimum password age to zero days.
F. Including a requirement for at least one special character.

A

A. Increasing the minimum password length to 14 characters.

F. Including a requirement for at least one special character.

502
Q

Which of the following would be most useful in determining whether the long-term cost to transfer a risk is less than the impact of the risk?

A. ARO
B. RTO
C. RPO
D. ALE
E. SLE

A

D. ALE

503
Q

A company that has a large IT operation is looking to better control, standardize, and lower the time required to build new servers. Which of the following architectures will best achieve the company’s objectives?

A. IoT
B. IaC
C. IaaS
D. ICS

A

B. IaC

504
Q

A security administrator is hardening corporate systems and applying appropriate mitigations by consulting a real-world knowledge base for adversary behavior. Which of the following would be best for the administrator to reference?

A. MITRE ATT&CK
B. CSIRT
C. CVSS
D. SOAR

A

A. MITRE ATT&CK

505
Q

A security administrator is addressing an issue with a legacy system that communicates data using an unencrypted protocol to transfer sensitive data to a third party. No software updates that use an encrypted protocol are available, so a compensating control is needed. Which of the following are the most appropriate for the administrator to suggest? (Choose two.)

A. Tokenization
B. Cryptographic downgrade
C. SSH tunneling
D. Segmentation
E. Patch installation
F. Data masking

A

C. SSH tunneling
D. Segmentation

506
Q

Which of the following is most likely to be used as a just-in-time reference document within a security operations center?

A. Change management policy
B. Risk profile
C. Playbook
D. SIEM profile

A

C. Playbook

507
Q

A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing?

A. Cross-site scripting
B. Buffer overflow
C. Jailbreaking
D. Side loading

A

C. Jailbreaking

508
Q

An engineer has ensured that the switches are using the latest OS, the servers have the latest patches, and the endpoints’ definitions are up to date. Which of the following will these actions most effectively prevent?

A. Zero-day attacks
B. Insider threats
C. End-of-life support
D. Known exploits

A

D. Known exploits

509
Q

An employee emailed a new systems administrator a malicious web link and convinced the administrator to change the email server’s password. The employee used this access to remove the mailboxes of key personnel. Which of the following security awareness concepts would help prevent this threat in the future?

A. Recognizing phishing
B. Providing situational awareness training
C. Using password management
D. Reviewing email policies

A

A. Recognizing phishing

510
Q
A

D. Resource consumption

511
Q

During a penetration test, a flaw in the internal PKI was exploited to gain domain administrator rights using specially crafted certificates. Which of the following remediation tasks should be completed as part of the cleanup phase?

A. Updating the CRL
B. Patching the CA
C. Changing passwords
D. Implementing SOAR

A

B. Patching the CA

512
Q

Which of the following data states applies to data that is being actively processed by a database server?

A. In use
B. At rest
C. In transit
D. Being hashed

A

A. In use

513
Q

An organization issued new laptops to all employees and wants to provide web filtering both in and out of the office without configuring additional access to the network. Which of the following types of web filtering should a systems administrator configure?

A. Agent-based
B. Centralized proxy
C. URL scanning
D. Content categorization

A

A. Agent-based

514
Q

Which of the following topics would most likely be included within an organization’s SDLC?

A. Service-level agreements
B. Information security policy
C. Penetration testing methodology
D. Branch protection requirements

A

D. Branch protection requirements

515
Q

A company processes and stores sensitive data on its own systems. Which of the following steps should the company take first to ensure compliance with privacy regulations?

A. Implement access controls and encryption.
B. Develop and provide training on data protection policies.
C. Create incident response and disaster recovery plans.
D. Purchase and install security software.

A

B. Develop and provide training on data protection policies.

516
Q

An administrator is installing an LDAP browser tool in order to view objects in the corporate LDAP directory. Secure connections to the LDAP server are required. When the browser connects to the server, certificate errors are being displayed, and then the connection is terminated. Which of the following is the most likely solution?

A. The administrator should allow SAN certificates in the browser configuration.
B. The administrator needs to install the server certificate into the local truststore.
C. The administrator should request that the secure LDAP port be opened to the server.
D. The administrator needs to increase the TLS version on the organization’s RA.

A

B. The administrator needs to install the server certificate into the local truststore.

517
Q

An employee who was working remotely lost a mobile device containing company data. Which of the following provides the best solution to prevent future data loss?

A. MDM
B. DLP
C. FDE
D. EDR

A

A. MDM

518
Q

Which of the following is the best resource to consult for information on the most common application exploitation methods?

A. OWASP
B. STIX
C. OVAL
D. Threat intelligence feed
E. Common Vulnerabilities and Exposures

A

A. OWASP

519
Q

A legacy device is being decommissioned and is no longer receiving updates or patches. Which of the following describes this scenario?

A. End of business
B. End of testing
C. End of support
D. End of life

A

D. End of life

520
Q

Which of the following data roles is responsible for identifying risks and appropriate access to data?

A. Owner
B. Custodian
C. Steward
D. Controller

A

A. Owner

521
Q
A