Study Guide Questions Flashcards
Which of the following is an algorithm performed to verify that data has not been modified?
A. Hash
B. Code check
C. Encryption
D. Checksum
Hash
A company decided to reduce the cost of its annual cyber insurance policy by removing the coverage for ransomware attacks. Which of the following analysis elements did the company most likely use in making this decision?
A. MTTR
B. RTO
C. ARO
D. MTBF
ARO (Annualized Rate of Occurrence)
A visitor plugs a laptop into a network jack in the lobby and is able to connect to the company’s network. Which of the following should be configured on the existing network infrastructure to best prevent this activity?
A. Port security
B. Web application firewall
C. Transport layer security
D. Virtual private network
Port security
A website user is locked out of an account after clicking an email link and visiting a different website. Web server logs show the user’s password was changed, even though the user did not change it. Which of the following is the most likely cause?
A. Cross-site request forgery
B. Directory traversal
C. ARP poisoning
D. SQL injection
Cross-site request forgery
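The flashcard above gives the name but not the mechanism. The following is an added example (not from the study guide) showing why a password-change endpoint that trusts only the session cookie is forgeable, and what a per-session anti-CSRF token changes. The request dictionaries, the session store and the user "alice" are constructed stand-ins for a real web framework's request and session objects.

```python
import hmac
import secrets

# Constructed server state: one logged-in session and one stored credential.
SESSIONS = {"sess-abc123": {"user": "alice", "csrf_token": secrets.token_hex(16)}}
PASSWORDS = {"alice": "old-password"}


def _session_for(request):
    """Look the session up from the cookie the browser attaches automatically."""
    return SESSIONS.get(request["cookies"].get("session"))


def change_password_vulnerable(request) -> bool:
    """Trusts the session cookie alone. Any site that can make the victim's browser
    POST here (a link in an email, an auto-submitting form) changes the password."""
    session = _session_for(request)
    if session is None:
        return False
    PASSWORDS[session["user"]] = request["form"]["new_password"]
    return True


def change_password_protected(request) -> bool:
    """Requires a per-session anti-CSRF token in the form body. The attacker's page
    cannot read the token (same-origin policy), so a forged request fails here."""
    session = _session_for(request)
    if session is None:
        return False
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return False
    PASSWORDS[session["user"]] = request["form"]["new_password"]
    return True


def forged_request():
    """What the attacker's page gets the victim's browser to send: the session cookie
    goes along automatically, but the attacker cannot supply the token."""
    return {"cookies": {"session": "sess-abc123"},
            "form": {"new_password": "attacker-chosen"}}


def legitimate_request():
    """The site's own form, which embeds the token it issued for this session."""
    return {"cookies": {"session": "sess-abc123"},
            "form": {"new_password": "n3w-pass",
                     "csrf_token": SESSIONS["sess-abc123"]["csrf_token"]}}


if __name__ == "__main__":
    print("forged, vulnerable handler :", change_password_vulnerable(forged_request()))
    print("forged, protected handler  :", change_password_protected(forged_request()))
    print("legitimate, protected      :", change_password_protected(legitimate_request()))
```

In a real deployment the token check is complemented by `SameSite` cookie attributes and an `Origin`/`Referer` check, but the token is the control that directly answers the flashcard: the attacker's page can trigger the request, not read the secret the server expects in it.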
An employee receives a text message from an unknown number claiming to be the company’s Chief Executive Officer and asking the employee to purchase several gift cards. Which of the following types of attacks does this describe?
A. Vishing
B. Smishing
C. Pretexting
D. Phishing
Smishing
Which of the following is used to protect a computer from viruses, malware, and Trojans being installed and moving laterally across the network?
A. IDS
B. ACL
C. EDR
D. NAC
EDR (Endpoint Detection and Response)
After a security incident, a systems administrator asks the company to buy a NAC platform. Which of the following attack surfaces is the systems administrator trying to protect?
A. Bluetooth
B. Wired
C. NFC
D. SCADA
Wired
A company is utilizing an offshore team to help support the finance department. The company wants to keep the data secure by keeping it on a company device but does not want to provide equipment to the offshore team. Which of the following should the company implement to meet this requirement?
A. VDI
B. MDM
C. VPN
D. VPC
VDI (Virtual Desktop Infrastructure)
An engineer needs to find a solution that creates an added layer of security by preventing unauthorized access to internal company resources. Which of the following would be the best solution?
A. RDP server
B. Jump server
C. Proxy server
D. Hypervisor
Jump server
Which of the following incident response activities ensures evidence is properly handled?
A. E-discovery
B. Chain of custody
C. Legal hold
D. Preservation
Chain of custody
Which of the following is used to add extra complexity before using a one-way data transformation algorithm?
A. Key stretching
B. Data masking
C. Steganography
D. Salting
Salting
An IT security team is concerned about the confidentiality of documents left unattended in MFPs. Which of the following should the security team do to mitigate the situation?
A. Educate users about the importance of paper shredder devices.
B. Deploy an authentication factor that requires in-person action before printing.
C. Install a software client on every computer authorized to use the MFPs.
D. Update the management software to utilize encryption.
Deploy an authentication factor that requires in-person action before printing.
Callers speaking a foreign language are using company phone numbers to make unsolicited phone calls to a partner organization. A security analyst validates through phone system logs that the calls are occurring and the numbers are not being spoofed. Which of the following is the most likely explanation?
A. The executive team is traveling internationally and trying to avoid roaming charges
B. The company’s SIP server security settings are weak.
C. Disgruntled employees are making calls to the partner organization.
D. The service provider has assigned multiple companies the same numbers
The company’s SIP server security settings are weak.
A systems administrator is looking for a low-cost application-hosting solution that is cloud based. Which of the following meets these requirements?
A. Serverless framework
B. Type 1 hypervisor
C. SD-WAN
D. SDN
Serverless framework
A recent penetration test identified that an attacker could flood the MAC address table of network switches. Which of the following would best mitigate this type of attack?
A. Load balancer
B. Port security
C. IPS
D. NGFW
Port security
A company is working with a vendor to perform a penetration test. Which of the following includes an estimate about the number of hours required to complete the engagement?
A. SOW
B. BPA
C. SLA
D. NDA
SOW (Statement of Work)
Which of the following should a systems administrator use to ensure an easy deployment of resources within the cloud provider?
A. Software as a service
B. Infrastructure as code
C. Internet of Things
D. Software-defined networking
Infrastructure as code
Which of the following is the best reason to complete an audit in a banking environment?
A. Regulatory requirement
B. Organizational change
C. Self-assessment requirement
D. Service-level requirement
Regulatory requirement
A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly basis. Which of the following types of controls is the company setting up?
A. Corrective
B. Preventive
C. Detective
D. Deterrent
Detective
Which of the following scenarios describes a possible business email compromise attack?
A. An employee receives a gift card request in an email that has an executive’s name in the display field of the email.
B. Employees who open an email attachment receive messages demanding payment in order to access files.
C. A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account.
D. An employee receives an email with a link to a phishing site that is designed to look like the company’s email portal.
A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account.
Which of the following security controls is most likely being used when a critical legacy server is segmented into a private network?
A. Deterrent
B. Corrective
C. Compensating
D. Preventive
Compensating
Which of the following agreement types defines the time frame in which a vendor needs to respond?
A. SOW
B. SLA
C. MOA
D. MOU
SLA (Service Level Agreement)
Which of the following best describes the practice of researching laws and regulations related to information security operations within a specific industry?
A. Compliance reporting
B. GDPR
C. Due diligence
D. Attestation
Due diligence
A Chief Information Security Officer wants to monitor the company’s servers for SQLi attacks and allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow traffic monitoring. Which of the following strategies would best accomplish this goal?
A. Logging all NetFlow traffic into a SIEM
B. Deploying network traffic sensors on the same subnet as the servers
C. Logging endpoint and OS-specific security logs
D. Enabling full packet capture for traffic entering and exiting the servers
Enabling full packet capture for traffic entering and exiting the servers
Two companies are in the process of merging. The companies need to decide how to standardize their information security programs. Which of the following would best align the security programs?
A. Shared deployment of CIS baselines
B. Joint cybersecurity best practices
C. Both companies following the same CSF
D. Assessment of controls in a vulnerability report
Both companies following the same CSF (Cybersecurity Framework)
A network manager wants to protect the company’s VPN by implementing multifactor authentication that uses:
- Something you know
- Something you have
- Something you are
Which of the following would accomplish the manager’s goal?
A. Domain name, PKI, GeoIP lookup
B. VPN IP address, company ID, facial structure
C. Password, authentication token, thumbprint
D. Company URL, TLS certificate, home address
Password, authentication token, thumbprint
After a company was compromised, customers initiated a lawsuit. The company’s attorneys have requested that the security team initiate a legal hold in response to the lawsuit. Which of the following describes the action the security team will most likely be required to take?
A. Retain the emails between the security team and affected customers for 30 days.
B. Retain any communications related to the security breach until further notice.
C. Retain any communications between security members during the breach response.
D. Retain all emails from the company to affected customers for an indefinite period of time.
Retain any communications related to the security breach until further notice.
Which of the following would be the best way to handle a critical business application that is running on a legacy server?
A. Segmentation
B. Isolation
C. Hardening
D. Decommissioning
Isolation
A company hired a consultant to perform an offensive security assessment covering penetration testing and social engineering.
Which of the following teams will conduct this assessment activity?
A. White
B. Purple
C. Blue
D. Red
Red
The Chief Information Security Officer wants to put security measures in place to protect PII. The organization needs to use its existing labeling and classification system to accomplish this goal. Which of the following would most likely be configured to meet the requirements?
A. Tokenization
B. S/MIME
C. DLP
D. MFA
DLP (Data Loss Prevention)
Which of the following is required for an organization to properly manage its restore process in the event of system failure?
A. IRP
B. DRP
C. RPO
D. SDLC
DRP (Disaster Recovery Plan)
Which of the following security concepts is accomplished with the installation of a RADIUS server?
A. CIA
B. AAA
C. ACL
D. PEM
AAA (Authentication, Authorization, Accounting)
A U.S.-based cloud-hosting provider wants to expand its data centers to new international locations. Which of the following should the hosting provider consider first?
A. Local data protection regulations
B. Risks from hackers residing in other countries
C. Impacts to existing contractual obligations
D. Time zone differences in log correlation
Local data protection regulations
An IT manager informs the entire help desk staff that only the IT manager and the help desk lead will have access to the administrator console of the help desk software. Which of the following security techniques is the IT manager setting up?
A. Hardening
B. Employee monitoring
C. Configuration enforcement
D. Least privilege
Least privilege
A security consultant needs secure, remote access to a client environment. Which of the following should the security consultant most likely use to gain access?
A. EAP
B. DHCP
C. IPSec
D. NAT
IPSec
In which of the following scenarios is tokenization the best privacy technique to use?
A. Providing pseudo-anonymization for social media user accounts
B. Serving as a second factor for authentication requests
C. Enabling established customers to safely store credit card Information
D. Masking personal information inside databases by segmenting data
Enabling established customers to safely store credit card Information
An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period. Which of the following data policies is the administrator carrying out?
A. Compromise
B. Retention
C. Analysis
D. Transfer
E. Inventory
Retention
A security analyst needs to propose a remediation plan for each item in a risk register. The item with the highest priority requires employees to have separate logins for SaaS solutions and different password complexity requirements for each solution. Which of the following implementation plans will most likely resolve this security issue?
A. Creating a unified password complexity standard
B. Integrating each SaaS solution with the identity provider
C. Securing access to each SaaS by using a single wildcard certificate
D. Configuring geofencing on each SaaS solution
Integrating each SaaS solution with the identity provider
An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?
A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53
B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53
D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
Which of the following must be considered when designing a high-availability network? (Select two).
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication
Ease of recovery
Attack surface
Which of the following are cases in which an engineer should recommend the decommissioning of a network device? (Select two).
A. The device has been moved from a production environment to a test environment.
B. The device is configured to use cleartext passwords.
C. The device is moved to an isolated segment on the enterprise network.
D. The device is moved to a different location in the enterprise.
E. The device’s encryption level cannot meet organizational standards.
F. The device is unable to receive authorized updates.
The device’s encryption level cannot meet organizational standards.
The device is unable to receive authorized updates.
After an audit, an administrator discovers all users have access to confidential data on a file server. Which of the following should the administrator use to restrict access to the data quickly?
A. Group Policy
B. Content filtering
C. Data loss prevention
D. Access control lists
Access control lists
An IT manager is increasing the security capabilities of an organization after a data classification initiative determined that sensitive data could be exfiltrated from the environment. Which of the following solutions would mitigate the risk?
A. XDR
B. SPF
C. DLP
D. DMARC
DLP (Data Loss Prevention)
While considering the organization’s cloud-adoption strategy, the Chief Information Security Officer sets a goal to outsource patching of firmware, operating systems, and applications to the chosen cloud vendor. Which of the following best meets this goal?
A. Community cloud
B. PaaS
C. Containerization
D. Private cloud
E. SaaS
F. IaaS
SaaS
A systems administrator receives the following alert from a file integrity monitoring tool:
- The hash of the cmd.exe file has changed.
- The systems administrator checks the OS logs and notices that no patches were applied in the last two months.
Which of the following most likely occurred?
A. The end user changed the file permissions.
B. A cryptographic collision was detected.
C. A snapshot of the file system was taken.
D. A rootkit was deployed.
A rootkit was deployed.
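The alert in this question comes from comparing a current file hash against a stored baseline. As an added example (not part of the study guide), here is that baseline-and-compare logic in Python, run against a constructed stand-in for a `System32` directory in a temporary folder: `cmd.exe` is overwritten and an extra DLL dropped after the baseline is taken, and the tool reports exactly those deviations. Real products also check permissions, ownership and timestamps; this shows only the hash part that the flashcard refers to.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> Dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], root) -> Dict[str, list]:
    """Re-hash the tree and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a fake System32, then overwrite cmd.exe (as a
    rootkit or trojaned binary would) and drop an extra DLL. Files are tiny stand-ins."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "System32"
        sys32.mkdir()
        (sys32 / "cmd.exe").write_bytes(b"MZ original command interpreter")
        (sys32 / "notepad.exe").write_bytes(b"MZ notepad")
        baseline = build_baseline(tmp)

        (sys32 / "cmd.exe").write_bytes(b"MZ tampered command interpreter")
        (sys32 / "evil.dll").write_bytes(b"MZ dropped by attacker")
        return compare(baseline, tmp)


if __name__ == "__main__":
    print(demo())
```

The practitioner's check before calling such an alert malicious is the one the question builds in: correlate the changed path against patch and change records. A system binary whose hash changes with no corresponding update is the signal; a change that lines up with a Patch Tuesday deployment is expected and the baseline should be refreshed.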
An employee in the accounting department receives an email containing a demand for payment for services performed by a vendor. However, the vendor is not in the vendor management database. Which of the following is this scenario an example of?
A. Pretexting
B. Impersonation
C. Ransomware
D. Invoice scam
Invoice scam
During a security incident, the security operations team identified sustained network traffic from a malicious IP address: 10.1.4.9.
A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization’s network. Which of the following fulfills this request?
A. access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32
B. access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
C. access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0
D. access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32
access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
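Both ACL questions on this page (the outbound DNS restriction and the inbound block of 10.1.4.9) turn on the same rule: an access list is evaluated top-down and the first matching line wins. The following added example (not from the study guide) is a small first-match ACL evaluator in Python with the correct answers, plus the wrong option B from the DNS question, run against constructed sample packets. The `Rule`/`Packet` classes and the public addresses used are illustrative; the evaluator simplifies real ACLs by matching only source, destination and destination port.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    port: Optional[int]    # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int


def evaluate(acl: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Top-down, first-match evaluation: the first rule whose source, destination
    and port all match decides the packet; nothing below it is consulted.
    If no rule matches, the implicit default applies (deny on most platforms)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in acl:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.port is None or rule.port == pkt.port)):
            return rule.action
    return default


# Option D of the outbound DNS question: permit the one resolver host, then deny all other DNS.
DNS_EGRESS_ACL = [
    Rule("permit", "10.50.10.25/32", "0.0.0.0/0", 53),
    Rule("deny",   "0.0.0.0/0",      "0.0.0.0/0", 53),
]

# Option B of the same question, kept to show why it fails: it matches the resolver as the
# *destination*, so the resolver's own outbound lookups fall through to the deny line.
DNS_EGRESS_ACL_OPTION_B = [
    Rule("permit", "0.0.0.0/0", "10.50.10.25/32", 53),
    Rule("deny",   "0.0.0.0/0", "0.0.0.0/0",      53),
]

# Option B of the inbound question: drop everything from the malicious source first.
INBOUND_ACL = [
    Rule("deny",   "10.1.4.9/32", "0.0.0.0/0", None),
    Rule("permit", "0.0.0.0/0",   "0.0.0.0/0", None),
]

# Constructed sample traffic (public addresses are documentation ranges).
RESOLVER_LOOKUP = Packet("10.50.10.25", "198.51.100.53", 53)   # the permitted resolver
ROGUE_LOOKUP    = Packet("10.50.10.77", "198.51.100.53", 53)   # a workstation bypassing it
HTTPS_FROM_HOST = Packet("10.50.10.77", "198.51.100.80", 443)  # not port 53, so untouched
FROM_ATTACKER   = Packet("10.1.4.9", "10.0.0.10", 443)
FROM_ELSEWHERE  = Packet("203.0.113.5", "10.0.0.10", 443)


if __name__ == "__main__":
    for name, acl, pkt in [
        ("option D, resolver", DNS_EGRESS_ACL, RESOLVER_LOOKUP),
        ("option D, rogue host", DNS_EGRESS_ACL, ROGUE_LOOKUP),
        ("option B, resolver", DNS_EGRESS_ACL_OPTION_B, RESOLVER_LOOKUP),
        ("inbound, attacker", INBOUND_ACL, FROM_ATTACKER),
    ]:
        print(f"{name}: {evaluate(acl, pkt)}")
```

Ordering is the whole point: if the deny-all line in option D were placed first, the permit for 10.50.10.25 would never be reached. The same evaluator shows that the inbound block must sit above any broad permit.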
An employee fell for a phishing scam, which allowed an attacker to gain access to a company PC. The attacker scraped the PC’s memory to find other credentials. Without cracking these credentials, the attacker used them to move laterally through the corporate network. Which of the following describes this type of attack?
A. Privilege escalation
B. Buffer overflow
C. SQL injection
D. Pass-the-hash
Pass-the-hash
Which of the following tasks is typically included in the BIA process?
A. Estimating the recovery time of systems
B. Identifying the communication strategy
C. Evaluating the risk management plan
D. Establishing the backup and recovery procedures
E. Developing the incident response plan
Estimating the recovery time of systems
Which of the following should a security administrator adhere to when setting up a new set of firewall rules?
A. Disaster recovery plan
B. Incident response procedure
C. Business continuity plan
D. Change management procedure
Change management procedure
Various stakeholders are meeting to discuss their hypothetical roles and responsibilities in a specific situation, such as a security incident or major disaster. Which of the following best describes this meeting?
A. Penetration test
B. Continuity of operations planning
C. Tabletop exercise
D. Simulation
Tabletop exercise
A company is currently utilizing usernames and passwords, and it wants to integrate an MFA method that is seamless, can integrate easily into a user’s workflow, and can utilize employee-owned devices. Which of the following will meet these requirements?
A. Push notifications
B. Phone call
C. Smart card
D. Offline backup codes
Push notifications
Which of the following factors are the most important to address when formulating a training curriculum plan for a security awareness program? (Select two).
A. Cadence and duration of training events
B. Secure software development training for all personnel
C. The reporting mechanisms for ethics violations
D. Threat vectors based on the industry in which the organization operates
E. Channels by which the organization communicates with customers
F. Retraining requirements for individuals who fail phishing simulations
Cadence and duration of training events
Threat vectors based on the industry in which the organization operates
A company is discarding a classified storage array and hires an outside vendor to complete the disposal. Which of the following should the company request from the vendor?
A. Certification
B. Inventory list
C. Classification
D. Proof of ownership
Certification
Which of the following is the best way to secure an on-site data center against intrusion from an insider?
A. Bollards
B. Access badge
C. Motion sensor
D. Video surveillance
Access badge
Which of the following is the most common data loss path for an air-gapped network?
A. Bastion host
B. Unsecured Bluetooth
C. Unpatched OS
D. Removable devices
Removable devices
Employees in the research and development business unit receive extensive training to ensure they understand how to best protect company data. Which of the following is the type of data these employees are most likely to use in day-to-day work activities?
A. Encrypted
B. Intellectual property
C. Critical
D. Data in transit
Intellectual property
An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a “page not found” error message. Which of the following types of social engineering attacks occurred?
A. Brand impersonation
B. Pretexting
C. Typosquatting
D. Phishing
Phishing
Which of the following allows for the attribution of messages to individuals?
A. Adaptive identity
B. Non-repudiation
C. Authentication
D. Access logs
Non-repudiation
The Chief Information Security Officer (CISO) asks a security analyst to install an OS update on a production VM that has a 99% uptime SLA. The CISO tells the analyst the installation must be done as quickly as possible. Which of the following courses of action should the security analyst take first?
A. Log in to the server and perform a health check on the VM.
B. Install the patch immediately.
C. Confirm that the backup service is running.
D. Take a snapshot of the VM.
Take a snapshot of the VM.
Which of the following teams combines both offensive and defensive testing techniques to protect an organization’s critical systems?
A. Red
B. Blue
C. Purple
D. Yellow
Purple
A security engineer is installing an IPS to block signature-based attacks in the environment. Which of the following modes will best accomplish this task?
A. Monitor
B. Sensor
C. Audit
D. Active
Active
An administrator is investigating an incident and discovers several users’ computers were infected with malware after viewing files that were shared with them. The administrator discovers no degraded performance on the infected machines, and an examination of the log files does not show excessive failed logins. Which of the following attacks is most likely the cause of the malware?
A. Malicious flash drive
B. Remote access Trojan
C. Brute-forced password
D. Cryptojacking
Remote Access Trojan
A vendor needs to remotely and securely transfer files from one server to another using the command line. Which of the following protocols should be implemented to allow for this type of access? (Select two).
A. SSH
B. SNMP
C. RDP
D. S/MIME
E. SMTP
F. SFTP
SSH / SFTP
A security analyst is creating a baseline for the server team to follow when hardening new devices for deployment. Which of the following best describes what the analyst is creating?
A. Change management procedure
B. Information security policy
C. Cybersecurity framework
D. Secure configuration guide
Secure configuration guide
A business received a small grant to migrate its infrastructure to an off-premises solution. Which of the following should be considered first?
A. Security of cloud providers
B. Cost of implementation
C. Ability of engineers
D. Security of architecture
Security of architecture
A security analyst is reviewing the source code of an application in order to identify misconfigurations and vulnerabilities. Which of the following kinds of analysis best describes this review?
A. Dynamic
B. Static
C. Gap
D. Impact
Static
A security analyst is investigating a workstation that is suspected of outbound communication to a command- and-control server. During the investigation, the analyst discovered that logs on the endpoint were deleted. Which of the following logs would the analyst most likely look at next?
A. IPS
B. Firewall
C. ACL
D. Windows security
Firewall
Malware spread across a company’s network after an employee visited a compromised industry blog. Which of the following best describes this type of attack?
A. Impersonation
B. Disinformation
C. Watering-hole
D. Smishing
Watering-hole
Which of the following data roles is responsible for identifying risks and appropriate access to data?
A. Owner
B. Custodian
C. Steward
D. Controller
Owner
An organization maintains intellectual property that it wants to protect. Which of the following concepts would be most beneficial to add to the company’s security awareness training program?
A. Insider threat detection
B. Simulated threats
C. Phishing awareness
D. Business continuity planning
Insider threat detection
After conducting a vulnerability scan, a systems administrator notices that one of the identified vulnerabilities is not present on the systems that were scanned. Which of the following describes this example?
A. False positive
B. False negative
C. True positive
D. True negative
False positive
Which of the following should a security operations center use to improve its incident response procedure?
A. Playbooks
B. Frameworks
C. Baselines
D. Benchmarks
Playbooks
A security analyst is investigating an application server and discovers that software on the server is behaving abnormally. The software normally runs batch jobs locally and does not generate traffic, but the process is now generating outbound traffic over random high ports. Which of the following vulnerabilities has likely been exploited in this software?
A. Memory injection
B. Race condition
C. Side loading
D. SQL injection
Memory injection
Which of the following is the final step of the incident response process?
A. Lessons learned
B. Eradication
C. Containment
D. Recovery
Lessons learned
Which of the following automation use cases would best enhance the security posture of an organization by rapidly updating permissions when employees leave a company?
A. Provisioning resources
B. Disabling access
C. Reviewing change approvals
D. Escalating permission requests
Disabling access
Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked.
Which of the following changes would allow users to access the site?
A. Creating a firewall rule to allow HTTPS traffic
B. Configuring the IPS to allow shopping
C. Tuning the DLP rule that detects credit card data
D. Updating the categorization in the content filter
Updating the categorization in the content filter
An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of the following would be most relevant for the analyst to evaluate?
A. Secured zones
B. Subject role
C. Adaptive identity
D. Threat scope reduction
Secured zones
A bank insists all of its vendors must prevent data loss on stolen laptops. Which of the following strategies is the bank requiring?
A. Encryption at rest
B. Masking
C. Data classification
D. Permission restrictions
Encryption at rest
A security analyst reviews domain activity logs and notices the following:
UserID jsmith, password auth: succeeded, MFA: Failed (invalid code)
UserID jsmith, password auth: succeeded, MFA: Failed (invalid code)
UserID jsmith, password auth: succeeded, MFA: Failed (invalid code)
UserID jsmith, password auth: succeeded, MFA: Failed (invalid code)
Which of the following is the best explanation for what the security analyst has discovered?
A. The user jsmith’s account has been locked out.
B. A keylogger is installed on jsmith’s workstation.
C. An attacker is attempting to brute force jsmith’s account.
D. Ransomware has been deployed in the domain.
An attacker is attempting to brute force jsmith’s account.
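The detail that makes this log worth alerting on is the combination: the password was accepted every time, only the second factor failed, so whoever is logging in already holds jsmith's password and is guessing codes. As an added example (not from the study guide), the following Python detection runs over a constructed log in the same format, counts password-success/MFA-failure events per user, and returns the users over a threshold. The log lines, the extra users and the threshold of three are assumptions for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log in the format shown in the question, plus a few benign lines.
DOMAIN_LOG = [
    "UserID jsmith, password auth: succeeded, MFA: Failed (invalid code)",
    "UserID jsmith, password auth: succeeded, MFA: Failed (invalid code)",
    "UserID jsmith, password auth: succeeded, MFA: Failed (invalid code)",
    "UserID jsmith, password auth: succeeded, MFA: Failed (invalid code)",
    "UserID ajones, password auth: succeeded, MFA: Succeeded",
    "UserID bkim, password auth: failed, MFA: n/a",
    "UserID ajones, password auth: succeeded, MFA: Failed (invalid code)",
]

LINE_RE = re.compile(
    r"UserID (?P<user>\w+), password auth: (?P<pw>\w+), MFA: (?P<mfa>[^\s(]+)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the user, password result and MFA result, or None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def mfa_failures_after_valid_password(lines: List[str]) -> Counter:
    """Count, per user, events where the password was accepted but the MFA code was not.
    A single such event is a typo; a run of them is someone who has the password."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["pw"] == "succeeded" and ev["mfa"].lower() == "failed":
            counts[ev["user"]] += 1
    return counts


def users_to_alert(lines: List[str], threshold: int = 3) -> List[str]:
    """Users whose accepted password is paired with repeated MFA failures. The response
    is a password reset for the account and a look at the source of the attempts, not
    just a lockout, because the first factor is already compromised."""
    counts = mfa_failures_after_valid_password(lines)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(dict(mfa_failures_after_valid_password(DOMAIN_LOG)))
    print("alert:", users_to_alert(DOMAIN_LOG))
```

In a SIEM the same logic would be a correlation rule keyed on user over a short time window; the window is omitted here because the sample log carries no timestamps.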
A company wants to verify that the software the company is deploying came from the vendor the company purchased the software from. Which of the following is the best way for the company to confirm this information?
A. Generate a hash of the files.
B. Execute the code in a sandbox.
C. Validate the code signature.
D. Search the executable for ASCII strings.
Validate the code signature.
A company tested and validated the effectiveness of network security appliances within the corporate network. The IDS detected a high rate of SQL injection attacks against the company’s servers, and the company’s perimeter firewall is at capacity. Which of the following would be the best action to maintain security and reduce the traffic to the perimeter firewall?
A. Set the appliance to IPS mode and place it in front of the company firewall.
B. Convert the firewall to a WAF and use IPSec tunnels to increase throughput.
C. Set the firewall to fail open if it is overloaded with traffic and send alerts to the SIEM.
D. Configure the firewall to perform deep packet inspection and monitor TLS traffic.
Set the appliance to IPS mode and place it in front of the company firewall.
Which of the following is the most likely to be used to document risks, responsible parties, and thresholds?
A. Risk tolerance
B. Risk transfer
C. Risk register
D. Risk analysis
Risk register
Which of the following threat vectors is most commonly utilized by insider threat actors attempting data exfiltration?
A. Unidentified removable devices
B. Default network device credentials
C. Spear phishing emails
D. Impersonation of business units through typosquatting
Unidentified removable devices
A security operations center determines that the malicious activity detected on a server is normal. Which of the following activities describes the act of ignoring detected activity in the future?
A. Tuning
B. Aggregating
C. Quarantining
D. Archiving
Tuning
Which of the following explains why an attacker cannot easily decrypt passwords using a rainbow table attack?
A. Digital signatures
B. Salting
C. Hashing
D. Perfect forward secrecy
Salting
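Two flashcards on this page ask about salting: the one above and the earlier "extra complexity before a one-way transformation" question. The following added example (not from the study guide) shows the mechanism behind both answers in Python: a precomputed digest-to-password table recovers an unsalted SHA-256 hash instantly, but fails against the same password once a random per-record salt is mixed in. It uses PBKDF2-HMAC-SHA256 from the standard library, so it also illustrates the key-stretching distractor; the five-word wordlist is a constructed stand-in for an attacker's list.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; a real attacker precomputes millions of entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "summer2024"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Digest -> plaintext map. A true rainbow table compresses this with hash chains,
    but the precondition is identical: one deterministic digest per password."""
    return {unsalted_hash(word): word for word in wordlist}


def reverse(table, digest: str):
    """Recover a password from its digest, if the digest was precomputed."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 over password plus a per-record salt. The salt defeats
    precomputation; the iteration count (key stretching) slows online guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_credential(password: str):
    """Store a fresh random salt alongside the derived digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak timing information."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", reverse(table, unsalted_hash("letmein")))   # recovered instantly
    salt, digest = new_credential("letmein")
    print("salted  :", reverse(table, digest.hex()))               # None: table is useless
```

Because every record has its own salt, an attacker cannot reuse a table across users or across sites; each password has to be attacked individually, and the iteration count sets the cost of each guess.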
A systems administrator notices that one of the systems critical for processing customer transactions is running an end-of-life operating system. Which of the following techniques would increase enterprise security?
A. Installing HIDS on the system
B. Placing the system in an isolated VLAN
C. Decommissioning the system
D. Encrypting the system’s hard drive
Placing the system in an isolated VLAN
A security team is reviewing the findings in a report that was delivered after a third party performed a penetration test. One of the findings indicated that a web application form field is vulnerable to cross-site scripting. Which of the following application security techniques should the security analyst recommend the developer implement to prevent this vulnerability?
A. Secure Cookies
B. Version control
C. Input validation
D. Code signing
Input validation
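As an added example (not from the study guide), the following Python shows the vulnerable pattern behind this finding and the two controls a developer would pair: an allow-list validation of the form field on input, and HTML output encoding on render. The welcome-message template, the display-name character rule and the injected payload are constructed for the demonstration; `render_safe` uses `html.escape` from the standard library as a stand-in for a templating engine's auto-escaping.

```python
import html
import re

# Constructed form input: a benign name and an injected script.
BENIGN_NAME = "Alice O'Neil"
XSS_PAYLOAD = '<script>alert("Warning!")</script>'

# Allow-list for a display name: letters, apostrophe, space, dot, hyphen; 1 to 64 chars.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' .-]{0,63}$")


def render_unsafe(display_name: str) -> str:
    """The vulnerable pattern: user input concatenated straight into HTML."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_safe(display_name: str) -> str:
    """Output encoding: the same markup, with the input escaped for an HTML text context."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def is_valid_display_name(display_name: str) -> bool:
    """Input validation with an allow-list: only characters a name can legitimately
    contain are accepted, so angle brackets and quotes never reach the renderer."""
    return NAME_RE.fullmatch(display_name) is not None


def handle_profile_update(display_name: str) -> str:
    """Validate on input, encode on output; each control covers what the other misses
    (a field that must accept '<' still needs encoding, and encoding alone does not
    stop bad data being stored and reused in another context)."""
    if not is_valid_display_name(display_name):
        raise ValueError("display name rejected by input validation")
    return render_safe(display_name)


if __name__ == "__main__":
    print(render_unsafe(XSS_PAYLOAD))   # script tag survives intact
    print(render_safe(XSS_PAYLOAD))     # rendered as harmless text
    print(handle_profile_update(BENIGN_NAME))
```

Note that the escaping shown is correct for HTML element content only; input placed into an attribute, a URL or a script block needs the encoding for that context.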
A healthcare organization wants to provide a web application that allows individuals to digitally report health emergencies. Which of the following is the most important consideration during development?
A. Scalability
B. Availability
C. Cost
D. Ease of deployment
Availability
Which of the following best describe why a process would require a two-person integrity security control?
A. To increase the chance that the activity will be completed in half the time the process would take a single user to complete
B. To permit two users from another department to observe the activity that is being performed by an authorized user
C. To reduce the risk that the procedures are performed incorrectly or by an unauthorized user
D. To allow one person to perform the activity while being recorded on the CCTV camera
To reduce the risk that the procedures are performed incorrectly or by an unauthorized user
A manager receives an email that contains a link to receive a refund. After hovering over the link, the manager notices that the domain’s URL points to a suspicious link. Which of the following security practices helped the manager to identify the attack?
A. End user training
B. Policy review
C. URL scanning
D. Plain text email
End user training
An employee receives a text message that appears to have been sent by the payroll department and is asking for credential verification. Which of the following social engineering techniques are being attempted? (Choose two.)
A. Typosquatting
B. Phishing
C. Impersonation
D. Vishing
E. Smishing
F. Misinformation
Impersonation / Smishing
Which of the following most impacts an administrator’s ability to address CVEs discovered on a server?
A. Rescanning requirements
B. Patch availability
C. Organizational impact
D. Risk tolerance
Patch availability
A systems administrator is working on a defense-in-depth strategy and needs to restrict activity from employees after hours. Which of the following should the systems administrator implement?
A. Role-based restrictions
B. Attribute-based restrictions
C. Mandatory restrictions
D. Time-of-day restrictions
Time-of-day restrictions
To improve the security at a data center, a security administrator implements a CCTV system and posts several signs about the possibility of being filmed. Which of the following best describe these types of controls? (Select two).
A. Preventive
B. Deterrent
C. Corrective
D. Directive
E. Compensating
F. Detective
Deterrent / Detective
A systems administrator wants to prevent users from being able to access data based on their responsibilities. The administrator also wants to apply the required access structure via a simplified format. Which of the following should the administrator apply to the site recovery resource group?
A. RBAC
B. ACL
C. SAML
D. GPO
RBAC (Role-Based Access Control)
Which of the following would be most useful in determining whether the long-term cost to transfer a risk is less than the impact of the risk?
A. ARO
B. RTO
C. RPO
D. ALE
E. SLE
ALE (Annual Loss Expectancy)
An enterprise has been experiencing attacks focused on exploiting vulnerabilities in older browser versions with well-known exploits. Which of the following security solutions should be configured to best provide the ability to monitor and block these known signature-based attacks?
A. ACL
B. DLP
C. IDS
D. IPS
IPS (Intrusion Prevention System)
A security analyst and the management team are reviewing the organizational performance of a recent phishing campaign. The user click-through rate exceeded the acceptable risk threshold, and the management team wants to reduce the impact when a user clicks on a link in a phishing message. Which of the following should the analyst do?
A. Place posters around the office to raise awareness of common phishing activities.
B. Implement email security filters to prevent phishing emails from being delivered.
C. Update the EDR policies to block automatic execution of downloaded programs.
D. Create additional training for users to recognize the signs of phishing attempts.
Update the EDR policies to block automatic execution of downloaded programs.
Which of the following examples would be best mitigated by input sanitization?
A. <script>alert("Warning!");</script>
B. nmap - 10.11.1.130
C. Email message: “Click this link to get your free gift card.”
D. Browser message: “Your connection is not private.”
<script>alert("Warning!");</script>
A security administrator is configuring fileshares. The administrator removed the default permissions and added permissions for only users who will need to access the fileshares as part of their job duties. Which of the following best describes why the administrator performed these actions?
A. Encryption standard compliance
B. Data replication requirements
C. Least privilege
D. Access control monitoring
Least privilege
A company requires hard drives to be securely wiped before sending decommissioned systems to recycling. Which of the following best describes this policy?
A. Enumeration
B. Sanitization
C. Destruction
D. Inventory
Sanitization
A systems administrator works for a local hospital and needs to ensure patient data is protected and secure. Which of the following data classifications should be used to secure patient data?
A. Private
B. Critical
C. Sensitive
D. Public
Sensitive
A security team created a document that details the order in which critical systems should be brought back online after a major outage. Which of the following documents did the team create?
A. Communication plan
B. Incident response plan
C. Data retention policy
D. Disaster recovery plan
Disaster recovery plan
A company hired a security manager from outside the organization to lead security operations. Which of the following actions should the security manager perform first in this new role?
A. Establish a security baseline.
B. Review security policies.
C. Adopt security benchmarks.
D. Perform a user ID revalidation.
Review security policies.
Which of the following must be considered when designing a high-availability network? (Choose two.)
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication
Ease of recovery / Attack surface
The marketing department set up its own project management software without telling the appropriate departments. Which of the following describes this scenario?
A. Shadow IT
B. Insider threat
C. Data exfiltration
D. Service disruption
Shadow IT
A client demands at least 99.99% uptime from a service provider’s hosted security services. Which of the following documents includes the information the service provider should return to the client?
A. MOA
B. SOW
C. MOU
D. SLA
SLA
Which of the following topics would most likely be included within an organization’s SDLC?
A. Service-level agreements
B. Information security policy
C. Penetration testing methodology
D. Branch protection requirements
Information security policy
A systems administrator wants to implement a backup solution. The solution needs to allow recovery of the entire system, including the operating system, in case of a disaster. Which of the following backup types should the administrator consider?
A. Incremental
B. Storage area network
C. Differential
D. Image
Image
An organization recently updated its security policy to include the following statement:
Regular expressions are included in source code to remove special characters such as $, |, ;, &, `, and ? from variables set by forms in a web application. Which of the following best explains the security technique the organization adopted by making this addition to the policy?
A. Identify embedded keys
B. Code debugging
C. Input validation
D. Static code analysis
Input validation
A company implemented an MDM policy to mitigate risks after repeated instances of employees losing company-provided mobile phones. In several cases, the lost phones were used maliciously to perform social engineering attacks against other employees. Which of the following MDM features should be configured to best address this issue? (Select two.)
A. Screen locks
B. Remote wipe
C. Full device encryption
D. Push notifications
E. Application management
F. Geolocation
Screen locks / Remote wipe
Which of the following is the best way to consistently determine on a daily basis whether security settings on servers have been modified?
A. Automation
B. Compliance checklist
C. Attestation
D. Manual audit
Automation
A security administrator is deploying a DLP solution to prevent the exfiltration of sensitive customer data. Which of the following should the administrator do first?
A. Block access to cloud storage websites.
B. Create a rule to block outgoing email attachments.
C. Apply classifications to the data.
D. Remove all user permissions from shares on the file server.
Apply classifications to the data.
Which of the following best describes a penetration test that resembles an actual external attack?
A. Known environment
B. Partially known environment
C. Bug bounty
D. Unknown environment
Unknown environment
Which of the following vulnerabilities is exploited when an attacker overwrites a register with a malicious address?
A. VM escape
B. SQL injection
C. Buffer overflow
D. Race condition
Buffer overflow
A company’s legal department drafted sensitive documents in a SaaS application and wants to ensure the documents cannot be accessed by individuals in high-risk countries. Which of the following is the most effective way to limit this access?
A. Data masking
B. Encryption
C. Geolocation policy
D. Data sovereignty regulation
Geolocation policy
A security engineer is implementing FDE for all laptops in an organization. Which of the following are the most important for the engineer to consider as part of the planning process? (Select two.)
A. Key escrow
B. TPM presence
C. Digital signatures
D. Data tokenization
E. Public key management
F. Certificate authority linking
Key escrow / TPM presence
The Chief Information Security Officer of an organization needs to ensure recovery from ransomware would likely occur within the organization’s agreed-upon RPOs and RTOs. Which of the following backup scenarios would best ensure recovery?
A. Hourly differential backups stored on a local SAN array
B. Daily full backups stored on premises in magnetic offline media
C. Daily differential backups maintained by a third-party cloud provider
D. Weekly full backups with daily incremental stored on a NAS drive
Daily differential backups maintained by a third-party cloud provider
A security engineer is working to address the growing risks that shadow IT services are introducing to the organization. The organization has taken a cloud-first approach and does not have an on-premises IT infrastructure. Which of the following would best secure the organization?
A. Upgrading to a next-generation firewall
B. Deploying an appropriate in-line CASB solution
C. Conducting user training on software policies
D. Configuring double key encryption in SaaS platforms
Deploying an appropriate in-line CASB solution
Which of the following describes the process of concealing code or text inside a graphical image?
A. Symmetric encryption
B. Hashing
C. Data masking
D. Steganography
Steganography
A company would like to provide employees with computers that do not have access to the internet in order to prevent information from being leaked to an online forum. Which of the following would be best for the systems administrator to implement?
A. Air gap
B. Jump server
C. Logical segmentation
D. Virtualization
Air gap
An organization wants to limit potential impact to its log-in database in the event of a breach. Which of the following options is the security team most likely to recommend?
A. Tokenization
B. Hashing
C. Obfuscation
D. Segmentation
Hashing
A security administrator would like to protect data on employees’ laptops. Which of the following encryption techniques should the security administrator use?
A. Partition
B. Asymmetric
C. Full disk
D. Database
Full disk
A spoofed identity was detected for a digital certificate. Which of the following is the type of unidentified key and the certificate that could be in use on the company domain?
A. Private key and root certificate
B. Public key and expired certificate
C. Private key and self-signed certificate
D. Public key and wildcard certificate
Private key and self-signed certificate
An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?
A. Exception
B. Segmentation
C. Risk transfer
D. Compensating controls
Compensating controls
A software developer released a new application and is distributing application files via the developer’s website. Which of the following should the developer post on the website to allow users to verify the integrity of the downloaded files?
A. Hashes
B. Certificates
C. Algorithms
D. Salting
Hashes
An organization has too many variations of a single operating system and needs to standardize the arrangement prior to pushing the system image to users. Which of the following should the organization implement first?
A. Standard naming convention
B. Mashing
C. Network diagrams
D. Baseline configuration
Baseline configuration
A hacker gained access to a system via a phishing attempt that was a direct result of a user clicking a suspicious link. The link laterally deployed ransomware, which lay dormant for multiple weeks, across the network. Which of the following would have mitigated the spread?
A. IPS
B. IDS
C. WAF
D. UAT
IPS
A security team is setting up a new environment for hosting the organization’s on-premises software application as a cloud-based service. Which of the following should the team ensure is in place in order for the organization to follow security best practices?
A. Virtualization and isolation of resources
B. Network segmentation
C. Data encryption
D. Strong authentication policies
Data encryption
A security analyst scans a company’s public network and discovers a host is running a remote desktop that can be used to access the production network. Which of the following changes should the security analyst recommend?
A. Changing the remote desktop port to a non-standard number
B. Setting up a VPN and placing the jump server inside the firewall
C. Using a proxy for web connections from the remote desktop server
D. Connecting the remote server to the domain and increasing the password length
Setting up a VPN and placing the jump server inside the firewall