SY 51-100 Flashcards

1
Q

A Chief Security Officer (CSO) is concerned about the amount of PII that is stored locally on each
salesperson’s laptop. The sales department has a higher-than-average rate of lost equipment.
Which of the following recommendations would BEST address the CSO’s concern?

A
A. Deploy an MDM solution.
B. Implement managed FDE.
C. Replace all hard drives with SEDs.
D. Install DLP agents on each laptop.
Answer: B
2
Q

An attacker is attempting to harvest user credentials on a client’s website. A security analyst notices
multiple attempts of random usernames and passwords. When the analyst types in a random username
and password, the logon screen displays the following message:
Which of the following should the analyst recommend be enabled?

A
A. Input validation
B. Obfuscation
C. Error handling
D. Username lockout
Answer: B
3
Q

A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicates
a directory-traversal attack has occurred.
Which of the following is the analyst MOST likely seeing?

A

PIC

A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
4
Q

A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated
customers.
Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely
obligated by contracts to:

A

A. perform attribution to specific APTs and nation-state actors.
B. anonymize any PII that is observed within the IoC data.
C. add metadata to track the utilization of threat intelligence reports.
D. assist companies with impact assessments based on the observed data.
Answer: B

5
Q

A security administrator is analyzing the corporate wireless network. The network only has two access
points running on channels 1 and 11. While using airodump-ng, the administrator notices other access
points are running with the same corporate ESSID on all available channels and with the same BSSID as
one of the legitimate access points.
Which of the following attacks is happening on the corporate network?

A
A. Man in the middle
B. Evil twin
C. Jamming
D. Rogue access point
E. Disassociation
Answer: B
6
Q

A network engineer needs to create a plan for upgrading the wireless infrastructure in a large office.
Priority must be given to areas that are currently experiencing latency and connection issues.
Which of the following would be the BEST resource for determining the order of priority?

A
A. Nmap
B. Heat maps
C. Network diagrams
D. Wireshark
Answer: C
7
Q

A document that appears to be malicious has been discovered in an email that was sent to a
company’s Chief Financial Officer (CFO).
Which of the following would be BEST to allow a security analyst to gather information and confirm it is a
malicious document without executing any code it may contain?

A

A. Open the document on an air-gapped network
B. View the document’s metadata for origin clues
C. Search for matching file hashes on malware websites
D. Detonate the document in an analysis sandbox
Answer: D

8
Q

A company has determined that if its computer-based manufacturing is not functioning for 12
consecutive hours, it will lose more money than it costs to maintain the equipment.
Which of the following must be less than 12 hours to maintain a positive total cost of ownership?

A
A. MTBF
B. RPO
C. RTO
D. MTTR
Answer: C
9
Q

An analyst needs to identify the applications a user was running and the files that were open before
the user’s computer was shut off by holding down the power button.
Which of the following would MOST likely contain that information?

A
A. NGFW
B. Pagefile
C. NetFlow
D. RAM
Answer: B
10
Q

A network administrator needs to build out a new datacenter, with a focus on resiliency and uptime.
Which of the following would BEST meet this objective? (Choose two.)

A
A. Dual power supply
B. Off-site backups
C. Automatic OS upgrades
D. NIC teaming
E. Scheduled penetration testing
F. Network-attached storage
Answer: A,B
11
Q

The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to
work from home anytime during business hours, including during a pandemic or crisis. However, the CEO
is concerned that some staff members may take advantage of the flexibility and work from high-risk
countries while on holidays, or work for a third-party organization in another country. The Chief Information
Officer (CIO) believes the company can implement some basic controls to mitigate the majority of the risk.
Which of the following would be BEST to mitigate the CEO’s concern? (Select TWO).

A
A. Geolocation
B. Time-of-day restrictions
C. Certificates
D. Tokens
E. Geotagging
F. Role-based access controls
Answer: A,E
12
Q

Given the following logs:

Which of the following BEST describes the type of attack that is occurring?

A
A. Rainbow table
B. Dictionary
C. Password spraying
D. Pass-the-hash
Answer: C
13
Q

An organization is having difficulty correlating events from its individual AV, EDR, DLP, SWG, WAF,
MDM, HIPS, and CASB systems.
Which of the following is the BEST way to improve the situation?

A

A. Remove expensive systems that generate few alerts.
B. Modify the systems to alert only on critical issues.
C. Utilize a SIEM to centralize logs and dashboards.
D. Implement a new syslog/NetFlow appliance.
Answer: C

14
Q

A security analyst is investigating an incident that was first reported as an issue connecting to network
shares and the internet. While reviewing logs and tool output, the analyst sees the following:
Which of the following attacks has occurred?

A
A. IP conflict
B. Pass-the-hash
C. MAC flooding
D. Directory traversal
E. ARP poisoning
Answer: E
15
Q

A security analyst is performing a packet capture on a series of SOAP HTTP requests for a security
assessment. The analyst redirects the output to a file. After the capture is complete, the analyst needs to
review the first transactions quickly and then search the entire series of requests for a particular string.
Which of the following would be BEST to use to accomplish the task? (Select TWO).

A
A. head
B. Tcpdump
C. grep
D. tail
E. curl
F. openssl
G. dd
Answer: A,B
16
Q

Which of the following will MOST likely adversely impact the operations of unpatched traditional
programmable-logic controllers, running a back-end LAMP server and OT systems with
human-management interfaces that are accessible over the Internet via a web interface? (Choose two.)

A
A. Cross-site scripting
B. Data exfiltration
C. Poor system logging
D. Weak encryption
E. SQL injection
F. Server-side request forgery
Answer: D,F
17
Q

A symmetric encryption algorithm is BEST suited for:

A
A. key-exchange scalability.
B. protecting large amounts of data.
C. providing hashing capabilities.
D. implementing non-repudiation.
Answer: D
18
Q

A company’s Chief Information Security Officer (CISO) recently warned the security manager that the
company’s Chief Executive Officer (CEO) is planning to publish a controversial opinion article in a national
newspaper, which may result in new cyberattacks.
Which of the following would be BEST for the security manager to use in a threat model?

A
A. Hacktivists
B. White-hat hackers
C. Script kiddies
D. Insider threats
Answer: A
19
Q

In which of the following common use cases would steganography be employed?

A
A. Obfuscation
B. Integrity
C. Non-repudiation
D. Blockchain
Answer: A
20
Q

A security analyst receives the configuration of a current VPN profile and notices the authentication is
only applied to the IP datagram portion of the packet.
Which of the following should the analyst implement to authenticate the entire packet?

A
A. AH
B. ESP
C. SRTP
D. LDAP
Answer: B
21
Q

A security operations analyst is using the company’s SIEM solution to correlate alerts.
Which of the following stages of the incident response process is this an example of?

A
A. Eradication
B. Recovery
C. Identification
D. Preparation
Answer: C
22
Q

A Chief Information Security Officer (CISO) is concerned about the organization’s ability to continue
business operations in the event of a prolonged DDoS attack on its local datacenter that consumes
database resources.
Which of the following will the CISO MOST likely recommend to mitigate this risk?

A

A. Upgrade the bandwidth available into the datacenter
B. Implement a hot-site failover location
C. Switch to a complete SaaS offering to customers
D. Implement a challenge response test on all end-user queries
Answer: B

23
Q

Some laptops recently went missing from a locked storage area that is protected by keyless
RFID-enabled locks. There is no obvious damage to the physical space. The security manager identifies
who unlocked the door; however, human resources confirms the employee was on vacation at the time of
the incident.
Which of the following describes what MOST likely occurred?

A

A. The employee’s physical access card was cloned.
B. The employee is colluding with human resources.
C. The employee’s biometrics were harvested.
D. A criminal used lock picking tools to open the door.
Answer: A

24
Q

An auditor is performing an assessment of a security appliance with an embedded OS that was
vulnerable during the last two assessments.
Which of the following BEST explains the appliance’s vulnerable state?

A

A. The system was configured with weak default security settings.
B. The device uses weak encryption ciphers.
C. The vendor has not supplied a patch for the appliance.
D. The appliance requires administrative credentials for the assessment.
Answer: C

25
Q

A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web
application that is used to communicate with business customers. Due to the technical limitations of its
customers, the company is unable to upgrade the encryption standard.
Which of the following types of controls should be used to reduce the risk created by this scenario?

A
A. Physical
B. Detective
C. Preventive
D. Compensating
Answer: D
26
Q

A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP
connections. The analyst is unsure what is required to perform the task and solicits help from a senior
colleague.
Which of the following is the FIRST step the senior colleague will most likely tell the analyst to perform to
accomplish this task?

A
A. Create an OCSP
B. Generate a CSR
C. Create a CRL
D. Generate a .pfx file
Answer: B
27
Q

A financial organization has adopted a new secure, encrypted document-sharing application to help
with its customer loan process. Some important PII needs to be shared across this new platform, but it is
getting blocked by the DLP systems.
Which of the following actions will BEST allow the PII to be shared with the secure application without
compromising the organization’s security posture?

A

A. Configure the DLP policies to allow all PII
B. Configure the firewall to allow all ports that are used by this application
C. Configure the antivirus software to allow the application
D. Configure the DLP policies to whitelist this application with the specific PII
E. Configure the application to encrypt the PII
Answer: D

28
Q

A security engineer is reviewing log files after a third party discovered usernames and passwords for the
organization’s accounts. The engineer sees there was a change in the IP address for a vendor website
one earlier. This change lasted eight hours.
Which of the following attacks was MOST likely used?

A
A. Man-in-the-middle
B. Spear-phishing
C. Evil twin
D. DNS poisoning
Answer: D
29
Q

Which of the following would a European company interested in implementing a technical, hands-on
set of security standards MOST likely choose?

A
A. GDPR
B. CIS controls
C. ISO 27001
D. ISO 37000
Answer: A
30
Q

A malicious actor recently penetrated a company’s network and moved laterally to the datacenter.
Upon investigation, a forensics firm wants to know what was in the memory on the compromised server.
Which of the following files should be given to the forensics firm?

A
A. Security
B. Application
C. Dump
D. Syslog
Answer: C
31
Q

A critical file server is being upgraded and the systems administrator must determine which RAID level
the new server will need to achieve parity and handle two simultaneous disk failures.
Which of the following RAID levels meets these requirements?

A
A. RAID 0+1
B. RAID 2
C. RAID 5
D. RAID 6
Answer: C
32
Q

A security analyst has been reading about a newly discovered cyber attack from a known threat actor.
Which of the following would BEST support the analyst’s review of the tactics, techniques, and protocols
the threat actor was observed using in previous campaigns?

A
A. Security research publications
B. The MITRE ATT&CK framework
C. The Diamond Model of Intrusion Analysis
D. The Cyber Kill Chain
Answer: B
33
Q

A small company that does not have security staff wants to improve its security posture.
Which of the following would BEST assist the company?

A
A. MSSP
B. SOAR
C. IaaS
D. PaaS
Answer: B
34
Q

A company is implementing an insider threat detection program. The primary concern is that users may be
accessing confidential data without authorization.
Which of the following should be deployed to detect a potential insider threat?

A
A. A honeyfile
B. A DMZ
C. ULF
D. File integrity monitoring
Answer: A
35
Q

A company provides mobile devices to its users to permit access to email and enterprise applications.
The company recently started allowing users to select from several different vendors and device models.
When configuring the MDM, which of the following is a key security implication of this heterogeneous
device approach?

A

A. The most common set of MDM configurations will become the effective set of enterprise mobile
security controls.
B. All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the chosen
architecture may unnecessarily expose private keys to adversaries.
C. Certain devices are inherently less secure than others, so compensatory controls will be needed to
address the delta between device vendors.
D. MDMs typically will not support heterogeneous deployment environments, so multiple MDMs will need
to be installed and configured.
Answer: C

36
Q

Which of the following terms should be included in a contract to help a company monitor the ongoing
security maturity of a new vendor?

A

A. A right-to-audit clause allowing for annual security audits
B. Requirements for event logs to be kept for a minimum of 30 days
C. Integration of threat intelligence in the company’s AV
D. A data-breach clause requiring disclosure of significant data loss
Answer: A

37
Q

A security engineer at an offline government facility is concerned about the validity of an SSL
certificate. The engineer wants to perform the fastest check with the least delay to determine if the
certificate has been revoked.
Which of the following would BEST meet these requirements?

A
A. RA
B. OCSP
C. CRL
D. CSR
Answer: C
38
Q

A well-known organization has been experiencing attacks from APTs. The organization is concerned
that custom malware is being created and emailed into the company or installed on USB sticks that are dropped in parking lots.
Which of the following is the BEST defense against this scenario?

A

A. Configuring signature-based antivirus to update every 30 minutes
B. Enforcing S/MIME for email and automatically encrypting USB drives upon insertion.
C. Implementing application execution in a sandbox for unknown software.
D. Fuzzing new files for vulnerabilities if they are not digitally signed
Answer: C

39
Q

A security auditor is reviewing vulnerability scan data provided by an internal security team.
Which of the following BEST indicates that valid credentials were used?

A

A. The scan results show open ports, protocols, and services exposed on the target host
B. The scan enumerated software versions of installed programs
C. The scan produced a list of vulnerabilities on the target host
D. The scan identified expired SSL certificates
Answer: B

40
Q

During a routine scan of a wireless segment at a retail company, a security administrator discovers
several devices are connected to the network that do not match the company’s naming convention and
are not in the asset inventory. WiFi access is protected with 256-bit encryption via WPA2. Physical
access to the company’s facility requires two-factor authentication using a badge and a passcode.
Which of the following should the administrator implement to find and remediate the issue? (Select TWO).

A

A. Check the SIEM for failed logins to the LDAP directory.
B. Enable MAC filtering on the switches that support the wireless network.
C. Run a vulnerability scan on all the devices in the wireless network.
D. Deploy multifactor authentication for access to the wireless network.
E. Scan the wireless network for rogue access points.
F. Deploy a honeypot on the network.
Answer: B, E

41
Q

An end user reports a computer has been acting slower than normal for a few weeks. During an
investigation, an analyst determines the system is sending the user’s email address and a ten-digit
number to an IP address once a day.
The only recent log entry regarding the user’s computer is the following:
Which of the following is the MOST likely cause of the issue?

A

A. The end user purchased and installed a PUP from a web browser
B. A bot on the computer is brute forcing passwords against a website
C. A hacker is attempting to exfiltrate sensitive data
D. Ransomware is communicating with a command-and-control server.
Answer: A

42
Q

In the middle of a cybersecurity incident, a security engineer removes the infected devices from the network
and locks down all compromised accounts.
In which of the following incident response phases is the security engineer currently operating?

A
A. Identification
B. Preparation
C. Eradication
D. Recovery
E. Containment
Answer: E
43
Q

Which of the following allows for functional test data to be used in new systems for testing and training
purposes to protect the real data?

A
A. Data encryption
B. Data masking
C. Data deduplication
D. Data minimization
Answer: B
44
Q

A manufacturing company has several one-off legacy information systems that cannot be migrated to a
newer OS due to software compatibility issues. The OSs are still supported by the vendor, but the
industrial software is no longer supported. The Chief Information Security Officer (CISO) has created a
resiliency plan for these systems that will allow OS patches to be installed in a non-production
environment, while also creating backups of the systems for recovery.
Which of the following resiliency techniques will provide these capabilities?

A
A. Redundancy
B. RAID 1+5
C. Virtual machines
D. Full backups
Answer: D
45
Q

After consulting with the Chief Risk Officer (CRO), a manager decides to acquire cybersecurity
insurance for the company.
Which of the following risk management strategies is the manager adopting?

A
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation
Answer: C
46
Q

To reduce costs and overhead, an organization wants to move from an on-premises email solution to a
cloud-based email solution. At this time, no other services will be moving.
Which of the following cloud models would BEST meet the needs of the organization?

A
A. MaaS
B. IaaS
C. SaaS
D. PaaS
Answer: D
47
Q

A security architect at a large, multinational organization is concerned about the complexities and
overhead of managing multiple encryption keys securely in a multicloud provider environment. The
security architect is looking for a solution with reduced latency to allow the incorporation of the
organization’s existing keys and to maintain consistent, centralized control and management regardless
of the data location.
Which of the following would BEST meet the architect’s objectives?

A
A. Trusted Platform Module
B. IaaS
C. HSMaaS
D. PaaS
E. Key Management Service
Answer: E
48
Q

A network engineer is troubleshooting wireless network connectivity issues that were reported by
users. The issues are occurring only in the section of the building that is closest to the parking lot. Users
are intermittently experiencing slow speeds when accessing websites and are unable to connect to
network drives. The issues appear to increase when laptop users return to their desks after using their devices in
other areas of the building. There have also been reports of users being required to enter their credentials
on web pages in order to gain access to them.
Which of the following is the MOST likely cause of this issue?

A

A. An external access point is engaging in an evil-twin attack.
B. The signal on the WAP needs to be increased in that section of the building.
C. The certificates have expired on the devices and need to be reinstalled.
D. The users in that section of the building are on a VLAN that is being blocked by the firewall.
Answer: A

49
Q

Which of the following provides the BEST protection for sensitive information and data stored in
cloud-based services but still allows for full functionality and searchability of data within the cloud-based
services?

A
A. Data encryption
B. Data masking
C. Anonymization
D. Tokenization
Answer: A
50
Q

A security administrator has noticed unusual activity occurring between different global instances and
workloads and needs to identify the source of the unusual traffic.
Which of the following log sources would be BEST to show the source of the unusual traffic?

A
A. HIDS
B. UEBA
C. CASB
D. VPC
Answer: C