SY601 Flashcards
The SOC is reviewing process and procedures after a recent incident. The review indicates it took more
than 30 minutes to determine that quarantining an infected host was the best course of action. The
This allowed the malware to spread to additional hosts before it was contained.
Which of the following would be BEST to improve the incident response process?
A. Updating the playbooks with better decision points
B. Dividing the network into trusted and untrusted zones
C. Providing additional end-user training on acceptable use
D. Implementing manual quarantining of infected hosts
Answer: A
Which of the following would be BEST to establish between organizations that have agreed to cooperate
and are engaged in early discussion to define the responsibilities of each party, but do not want to
establish a contractually binding agreement?
A. An SLA B. An NDA C. A BPA D. An MOU Answer: D
Phishing and spear-phishing attacks have been occurring more frequently against a company’s staff.
Which of the following would MOST likely help mitigate this issue?
A. DNSSEC and DMARC
B. DNS query logging
C. Exact mail exchanger records in the DNS
D. The addition of DNS conditional forwarders
Answer: C
Which of the following control sets should a well-written BCP include? (Select THREE)
A. Preventive B. Detective C. Deterrent D. Corrective E. Compensating F. Physical G. Recovery Answer: A,D,G
A security engineer needs to implement the following requirements:
• All Layer 2 switches should leverage Active Directory for authentication.
• All Layer 2 switches should use local fallback authentication if Active Directory is offline.
• All Layer 2 switches are not the same and are manufactured by several vendors.
Which of the following actions should the engineer take to meet these requirements? (Select TWO).
A. Implement RADIUS.
B. Configure AAA on the switch with local login as secondary.
C. Configure port security on the switch with the secondary login method.
D. Implement TACACS+
E. Enable the local firewall on the Active Directory server.
F. Implement a DHCP server.
Answer: A,B
A company wants to deploy PKI on its Internet-facing website.
The applications that are currently deployed are:
• www.company.com (main website)
• contactus.company.com (for locating a nearby location)
• quotes.company.com (for requesting a price quote)
The company wants to purchase one SSL certificate that will work for all the existing applications and any
future applications that follow the same naming conventions, such as store.company.com.
Which of the following certificate types would BEST meet the requirements?
A. SAN B. Wildcard C. Extended validation D. Self-signed Answer: B
A security engineer needs to enhance MFA access to sensitive areas in a building. A key card and
fingerprint scan are already in use.
Which of the following would add another factor of authentication?
A. Hard token B. Retina scan C. SMS text D. Keypad PIN Answer: B
A cybersecurity manager has scheduled biannual meetings with the IT team and department leaders to
discuss how they would respond to hypothetical cyberattacks. During these meetings, the manager
presents a scenario and injects additional information throughout the session to replicate what might occur
in a dynamic cybersecurity event involving the company, its facilities, its data, and its staff.
Which of the following describes what the manager is doing?
A. Developing an incident response plan B. Building a disaster recovery plan C. Conducting a tabletop exercise D. Running a simulation exercise Answer: C
Entering a secure area requires passing through two doors, both of which require someone who is
already inside to initiate access.
Which of the following types of physical security controls does this describe?
A. Cameras B. Faraday cage C. Access control vestibule D. Sensors E. Guards Answer: C
A company recently moved sensitive videos between on-premises, company-owned websites. The
company then learned the videos had been uploaded and shared to the internet.
Which of the following would MOST likely allow the company to find the cause?
A. Checksums B. Watermarks C. Order of volatility D. A log analysis E. A right-to-audit clause Answer: D
A user recently entered a username and password into a recruiting application website that had been
forged to look like the legitimate site. Upon investigation, a security analyst identifies the following:
• The legitimate website's IP address is 10.1.1.20, and eRecruit.local resolves to that IP.
• The forged website's IP address appears to be 10.2.12.99, based on NetFlow records.
• All three of the organization's DNS servers show the website correctly resolves to the legitimate IP.
• DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise.
Which of the following MOST likely occurred?
A. A reverse proxy was used to redirect network traffic
B. An SSL strip MITM attack was performed
C. An attacker temporarily pwned a name server
D. An ARP poisoning attack was successfully executed
Answer: B
A security analyst needs to make a recommendation for restricting access to certain segments of the network using only data-link layer security.
Which of the following controls will the analyst MOST likely recommend?
A. MAC B. ACL C. BPDU D. ARP Answer: A
A network engineer notices the VPN concentrator overloads and crashes on days when there are a
lot of remote workers. Senior management has placed greater importance on the availability of VPN
resources for the remote workers than the security of the end users’ traffic.
Which of the following would be BEST to solve this issue?
A. IPSec B. Always On C. Split tunneling D. L2TP Answer: B
The Chief Security Officer (CSO) at a major hospital wants to implement SSO (single sign-on) to help improve the
protection of patient data in the environment, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that
training and guidance have not been provided to frontline staff, and a risk analysis has not been performed.
Which of the following is the MOST likely cause of the CRO's concerns?
A. SSO would simplify username and password management, making it easier for hackers to guess account
passwords.
B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords.
C. SSO would reduce the password complexity for frontline staff.
D. SSO would reduce the resilience and availability of systems if the provider goes offline.
Answer: D
Which of the following should a data owner require all personnel to sign to legally protect intellectual property?
A. An NDA B. An AUP C. An ISA D. An MOU Answer: D
The process of passively gathering information prior to launching a cyberattack is called:
A. tailgating B. reconnaissance C. pharming D. prepending Answer: B
A university with remote campuses, which all use different service providers, loses Internet
connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go
offline again at random intervals, typically within four minutes of services being restored. Outages
continue throughout the day, impacting all inbound and outbound connections and services. Services that
are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected.
Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit
the SIP protocol handling on devices, leading to resource exhaustion and system reloads.
Which of the following BEST describe this type of attack? (Choose two.)
A. DoS B. SSL stripping C. Memory leak D. Race condition E. Shimming F. Refactoring Answer: A,D
A network administrator at a large organization is reviewing methods to improve the security of the
wired LAN. Any security improvement must be centrally managed and allow corporate-owned devices to
have access to the intranet but limit others to Internet access only.
Which of the following should the administrator recommend?
A. 802.1X utilizing the current PKI infrastructure
B. SSO to authenticate corporate users
C. MAC address filtering with ACLs on the router
D. PAM for user account management
Answer: A
While checking logs, a security engineer notices a number of end users suddenly downloading files
with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state
they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an
external email containing an infected MHT file with an href link a week prior.
Which of the following is MOST likely occurring?
A. A RAT was installed and is transferring additional exploit tools.
B. The workstations are beaconing to a command-and-control server.
C. A logic bomb was executed and is responsible for the data transfers.
D. A fileless virus is spreading in the local network environment.
Answer: A
An organization has been experiencing outages during holiday sales and needs to ensure availability
of its point-of-sale systems. The IT administrator has been asked to improve both server-data fault
tolerance and site availability under high consumer load.
Which of the following are the BEST options to accomplish this objective? (Select TWO)
A. Load balancing B. Incremental backups C. UPS D. RAID E. Dual power supply F. NIC teaming Answer: A,D
A company is concerned about its security after a red-team exercise. The report shows the team was
able to reach the critical servers due to SMB being exposed to the Internet and running NTLMv1.
Which of the following BEST explains the findings?
A. Default settings on the servers B. Unsecured administrator accounts C. Open ports and services D. Weak data encryption Answer: C
The IT department at a university is concerned about professors placing servers on the university
network in an attempt to bypass security controls.
Which of the following BEST represents this type of threat?
A. A script kiddie B. Shadow IT C. Hacktivism D. White-hat Answer: B
A cybersecurity analyst needs to implement secure authentication to third-party websites without
users’ passwords.
Which of the following would be the BEST way to achieve this objective?
A. OAuth B. SSO C. SAML D. PAP Answer: C
A security analyst has received an alert about PII being sent via email. The analyst's Chief Information
Security Officer (CISO) has made it clear that PII must be handled with extreme care.
From which of the following did the alert MOST likely originate?
A. S/MIME B. DLP (Data Loss Prevention) C. IMAP D. HIDS Answer: B
Which of the following are the MOST likely vectors for the unauthorized inclusion of vulnerable code in
a software company’s final software releases? (Select TWO.)
A. Unsecure protocols B. Use of penetration-testing utilities C. Weak passwords D. Included third-party libraries E. Vendors/supply chain F. Outdated anti-malware software Answer: A,D
Which of the following incident response steps involves actions to protect critical systems while
maintaining business operations?
A. Investigation B. Containment C. Recovery D. Lessons learned Answer: B
An engineer is setting up a VDI (Virtual Desktop Infrastructure) environment for a factory location, and the business wants to deploy a
low-cost solution to enable users on the shop floor to log in to the VDI environment directly.
Which of the following should the engineer select to meet these requirements?
A. Laptops B. Containers C. Thin clients D. Workstations Answer: C
Users have been issued smart cards that provide physical access to a building. The cards also contain
tokens that can be used to access information systems. Users can log in to any thin client located
throughout the building and see the same desktop each time.
Which of the following technologies are being utilized to provide these capabilities? (Select TWO)
A. COPE B. VDI C. GPS D. TOTP E. RFID F. BYOD Answer: B,E
A Chief Security Officer's (CSO's) key priorities are to improve preparation, response, and recovery
practices to minimize system downtime and enhance organizational resilience to ransomware attacks.
Which of the following would BEST meet the CSO’s objectives?
A. Use email-filtering software and centralized account management, patch high-risk systems, and restrict
administration privileges on fileshares.
B. Purchase cyber insurance from a reputable provider to reduce expenses during an incident.
C. Invest in end-user awareness training to change the long-term culture and behavior of staff and
executives, reducing the organization’s susceptibility to phishing attacks.
D. Implement application whitelisting and centralized event-log management, and perform regular testing
and validation of full backups.
Answer: D
The security administrator has installed a new firewall which implements an implicit DENY policy by
default.
INSTRUCTIONS:
Click on the firewall and configure it to allow ONLY the following communication.
1. The Accounting workstation can ONLY access the web server on the public network over the default
HTTPS port. The accounting workstation should not access other networks.
2. The HR workstation should be restricted to communicate with the Financial server ONLY, over the default SCP port.
3. The Admin workstation should ONLY be able to access the servers on the secure network over the
default TFTP port.
Instructions: The firewall will process the rules in a top-down manner in order as a first match. The port
number must be typed in and only one port number can be entered per rule. Type ANY for all ports. The
original firewall configuration can be reset at any time by pressing the reset button. Once you have met
the simulation requirements, click save and then Done to submit.
Network Diagram
A local coffee shop runs a small WiFi hot-spot for its customers that utilizes WPA2-PSK. The coffee
shop would like to stay current with security trends and wants to implement WPA3 to make its WiFi even
more secure.
Which of the following technologies will the coffee shop MOST likely use in place of PSK?
A. WEP B. MSCHAP C. WPS D. SAE Answer: D
A manufacturer creates designs for very high security products that are required to be protected and
controlled by government regulations. These designs are not accessible by corporate networks or the
Internet.
Which of the following is the BEST solution to protect these designs?
A. An air gap B. A Faraday cage C. A shielded cable D. A demilitarized zone Answer: A
A company uses specially configured workstations for any work that requires administrator privileges
to its Tier 0 and Tier 1 systems. The company follows a strict process to harden systems immediately
upon delivery. Even with these strict security measures in place, an incident occurred from one of the
workstations. The root cause appears to be that the SoC was tampered with or replaced.
Which of the following MOST likely occurred?
A. Fileless malware B. A downgrade attack C. A supply-chain attack D. A logic bomb E. Misconfigured BIOS Answer: C
A nationwide company is experiencing unauthorized logins at all hours of the day. The logins appear to
originate from countries in which the company has no employees.
Which of the following controls should the company consider using as part of its IAM strategy? (Select
TWO).
A. A complex password policy B. Geolocation C. An impossible travel policy D. Self-service password reset E. Geofencing F. Time-based logins Answer: A,B
A systems analyst is responsible for generating a new digital forensics chain-of-custody form.
Which of the following should the analyst Include in this documentation? (Select TWO).
A. The order of volatility B. A checksum C. The location of the artifacts D. The vendor's name E. The date and time F. A warning banner Answer: A,E
An attacker was easily able to log in to a company’s security camera by performing a basic online
search for a setup guide for that particular camera brand and model.
Which of the following BEST describes the configurations the attacker exploited?
A. Weak encryption B. Unsecure protocols C. Default settings D. Open permissions Answer: C
An information security incident recently occurred at an organization, and the organization was
required to report the incident to authorities and notify the affected parties. When the organization’s
customers became aware of the incident, some reduced their orders or stopped placing orders entirely.
Which of the following is the organization experiencing?
A. Reputation damage B. Identity theft C. Anonymization D. Interrupted supply chain Answer: A
A financial analyst is expecting an email containing sensitive information from a client. When the email
arrives, the analyst receives an error and is unable to open the encrypted message.
Which of the following is the MOST likely cause of the issue?
A. The S/MIME plug-in is not enabled. B. The SSL certificate has expired. C. Secure IMAP was not implemented. D. POP3S is not supported. Answer: A
A company recently experienced a data breach and the source was determined to be an executive
who was charging a phone in a public area.
Which of the following would MOST likely have prevented this breach?
A. A firewall B. A device PIN C. A USB data blocker D. Biometrics Answer: C
A security analyst is reviewing the following attack log output:
Which of the following types of attacks does this MOST likely represent?
A. Rainbow table B. Brute-force C. Password-spraying D. Dictionary Answer: C
A security analyst is configuring a large number of new company-issued laptops.
The analyst received the following requirements:
• The devices will be used internationally by staff who travel extensively.
• Occasional personal use is acceptable due to the travel requirements.
• Users must be able to install and configure sanctioned programs and productivity suites.
• The devices must be encrypted.
• The devices must be capable of operating in low-bandwidth environments.
Which of the following would provide the GREATEST benefit to the security posture of the devices?
A. Configuring an always-on VPN
B. Implementing application whitelisting
C. Requiring web traffic to pass through the on-premises content filter
D. Setting the antivirus DAT update schedule to weekly
Answer: A
Which of the following job roles would sponsor data quality and data entry initiatives that ensure
business and regulatory requirements are met?
A. The data owner B. The data processor C. The data steward D. The data privacy officer Answer: C
A company is launching a new internet platform for its clients. The company does not want to
implement its own authorization solution but instead wants to rely on the authorization provided by
another platform.
Which of the following is the BEST approach to implement the desired solution?
A. OAuth B. TACACS+ C. SAML D. RADIUS Answer: D
A security assessment determines DES and 3DES are still being used on recently deployed production
servers.
Which of the following did the assessment identify?
A. Unsecure protocols B. Default settings C. Open permissions D. Weak encryption Answer: D
A network administrator has been asked to design a solution to improve a company’s security posture.
The administrator is given the following requirements:
• The solution must be inline in the network
• The solution must be able to block known malicious traffic
• The solution must be able to stop network-based attacks
Which of the following should the network administrator implement to BEST meet these requirements?
A. HIDS B. NIDS C. HIPS D. NIPS Answer: D
An attacker is trying to gain access by installing malware on a website that is known to be visited by
the target victims.
Which of the following is the attacker MOST likely attempting?
A. A spear-phishing attack B. A watering-hole attack C. Typo squatting D. A phishing attack Answer: B
A security analyst is investigating an incident to determine what an attacker was able to do
on a compromised laptop.
The analyst reviews the following SIEM log:
Which of the following describes the method that was used to compromise the laptop?
A. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack
B. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an
embedded PowerShell in the file
C. An attacker was able to install malware to the C:\asdf234 folder and use it to gain administrator rights
and launch Outlook
D. An attacker was able to phish user credentials successfully from an Outlook user profile
Answer: A
Which of the following algorithms has the SMALLEST key size?
A. DES B. Twofish C. RSA D. AES Answer: B
A security engineer obtained the following output from a threat intelligence source that recently
performed an attack on the company’s server:
Which of the following BEST describes this kind of attack?
A. Directory traversal B. SQL injection C. API D. Request forgery Answer: D
A database administrator needs to ensure all passwords are stored in a secure manner, so the
administrator adds randomly generated data to each password before storing it.
Which of the following techniques BEST explains this action?
A. Predictability B. Key stretching C. Salting D. Hashing Answer: C
A Chief Security Officer (CSO) is concerned about the amount of PII that is stored locally on each
salesperson’s laptop. The sales department has a higher-than-average rate of lost equipment.
Which of the following recommendations would BEST address the CSO’s concern?
A. Deploy an MDM solution. B. Implement managed FDE. C. Replace all hard drives with SEDs. D. Install DLP agents on each laptop. Answer: B
An attacker is attempting to harvest user credentials on a client's website. A security analyst notices
multiple attempts of random usernames and passwords. When the analyst types in a random username
and password, the logon screen displays the following message:
Which of the following should the analyst recommend be enabled?
A. Input validation B. Obfuscation C. Error handling D. Username lockout Answer: B
A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicate
a directory-traversal attack has occurred.
Which of the following is the analyst MOST likely seeing?
A. Option A B. Option B C. Option C D. Option D Answer: B
A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated
customers.
Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely
obligated by contracts to:
A. perform attribution to specific APTs and nation-state actors.
B. anonymize any PII that is observed within the IoC data.
C. add metadata to track the utilization of threat intelligence reports.
D. assist companies with impact assessments based on the observed data.
Answer: B
A security administrator is analyzing the corporate wireless network. The network only has two access
points running on channels 1 and 11. While using airodump-ng, the administrator notices other access
points are running with the same corporate ESSID on all available channels and with the same BSSID of
one of the legitimate access points.
Which of the following attacks is happening on the corporate network?
A. Man in the middle B. Evil twin C. Jamming D. Rogue access point E. Disassociation Answer: B
A network engineer needs to create a plan for upgrading the wireless infrastructure in a large office.
Priority must be given to areas that are currently experiencing latency and connection issues.
Which of the following would be the BEST resource for determining the order of priority?
A. Nmap B. Heat maps C. Network diagrams D. Wireshark Answer: C
A document that appears to be malicious has been discovered in an email that was sent to a
company’s Chief Financial Officer (CFO).
Which of the following would be BEST to allow a security analyst to gather information and confirm it is a
malicious document without executing any code it may contain?
A. Open the document on an air-gapped network
B. View the document’s metadata for origin clues
C. Search for matching file hashes on malware websites
D. Detonate the document in an analysis sandbox
Answer: D
A company has determined that if its computer-based manufacturing is not functioning for 12
consecutive hours, it will lose more money than it costs to maintain the equipment.
Which of the following must be less than 12 hours to maintain a positive total cost of ownership?
A. MTBF B. RPO C. RTO D. MTTR Answer: C
An analyst needs to identify the applications a user was running and the files that were open before
the user’s computer was shut off by holding down the power button.
Which of the following would MOST likely contain that information?
A. NGFW B. Pagefile C. NetFlow D. RAM Answer: B
A network administrator needs to build out a new datacenter, with a focus on resiliency and uptime.
Which of the following would BEST meet this objective? (Choose two.)
A. Dual power supply B. Off-site backups C. Automatic OS upgrades D. NIC teaming E. Scheduled penetration testing F. Network-attached storage Answer: A,B
The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to
work from home anytime during business hours, including during a pandemic or crisis. However, the CEO
is concerned that some staff members may take advantage of the flexibility and work from high-risk
countries while on holiday, or outsource work to a third-party organization in another country. The Chief Information
Officer (CIO) believes the company can implement some basic controls to mitigate the majority of the risk.
Which of the following would be BEST to mitigate the CEO's concern? (Select TWO).
A. Geolocation B. Time-of-day restrictions C. Certificates D. Tokens E. Geotagging F. Role-based access controls Answer: A,E
Given the following logs:
Which of the following BEST describes the type of attack that is occurring?
A. Rainbow table B. Dictionary C. Password spraying D. Pass-the-hash Answer: C
An organization is having difficulty correlating events from its individual AV, EDR, DLP, SWG, WAF,
MDM, HIPS, and CASB systems.
Which of the following is the BEST way to improve the situation?
A. Remove expensive systems that generate few alerts.
B. Modify the systems to alert only on critical issues.
C. Utilize a SIEM to centralize logs and dashboards.
D. Implement a new syslog/NetFlow appliance.
Answer: C
A security analyst is investigating an incident that was first reported as an issue connecting to network
shares and the internet. While reviewing logs and tool output, the analyst sees the following:
Which of the following attacks has occurred?
A. IP conflict B. Pass-the-hash C. MAC flooding D. Directory traversal E. ARP poisoning Answer: E
A security analyst is performing a packet capture on a series of SOAP HTTP requests for a security
assessment. The analyst redirects the output to a file. After the capture is complete, the analyst needs to
review the first transactions quickly and then search the entire series of requests for a particular string.
Which of the following would be BEST to use to accomplish the task? (Select TWO).
A. head B. Tcpdump C. grep D. tail E. curl F. openssl G. dd Answer: A,B
Which of the following will MOST likely adversely impact the operations of unpatched traditional
programmable-logic controllers, running a back-end LAMP server and OT systems with
human-machine interfaces (HMIs) that are accessible over the Internet via a web interface? (Choose two.)
A. Cross-site scripting B. Data exfiltration C. Poor system logging D. Weak encryption E. SQL injection F. Server-side request forgery Answer: D,F
A symmetric encryption algorithm is BEST suited for:
A. key-exchange scalability. B. protecting large amounts of data. C. providing hashing capabilities. D. implementing non-repudiation. Answer: D
A company’s Chief Information Security Officer (CISO) recently warned the security manager that the
company's Chief Executive Officer (CEO) is planning to publish a controversial opinion article in a national
newspaper, which may result in new cyberattacks.
Which of the following would be BEST for the security manager to use in a threat model?
A. Hacktivists B. White-hat hackers C. Script kiddies D. Insider threats Answer: A
In which of the following common use cases would steganography be employed?
A. Obfuscation B. Integrity C. Non-repudiation D. Blockchain Answer: A
A security analyst receives the configuration of a current VPN profile and notices the authentication is
only applied to the IP datagram portion of the packet.
Which of the following should the analyst implement to authenticate the entire packet?
A. AH B. ESP C. SRTP D. LDAP Answer: B
A security operations analyst is using the company’s SIEM solution to correlate alerts.
Which of the following stages of the incident response process is this an example of?
A. Eradication B. Recovery C. Identification D. Preparation Answer: C
A Chief Information Security Officer (CISO) is concerned about the organization’s ability to continue
business operations in the event of a prolonged DDoS attack on its local datacenter that consumes
database resources.
Which of the following will the CISO MOST likely recommend to mitigate this risk?
A. Upgrade the bandwidth available into the datacenter
B. Implement a hot-site failover location
C. Switch to a complete SaaS offering to customers
D. Implement a challenge response test on all end-user queries
Answer: B
Some laptops recently went missing from a locked storage area that is protected by keyless
RFID-enabled locks. There is no obvious damage to the physical space. The security manager identifies
who unlocked the door; however, human resources confirms the employee was on vacation at the time of
the incident.
Which of the following describes what MOST likely occurred?
A. The employee’s physical access card was cloned.
B. The employee is colluding with human resources
C. The employee’s biometrics were harvested
D. A criminal used lock picking tools to open the door.
Answer: A
An auditor is performing an assessment of a security appliance with an embedded OS that was
vulnerable during the last two assessments.
Which of the following BEST explains the appliance’s vulnerable state?
A. The system was configured with weak default security settings.
B. The device uses weak encryption ciphers.
C. The vendor has not supplied a patch for the appliance.
D. The appliance requires administrative credentials for the assessment.
Answer: C
A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web
application that is used to communicate with business customers. Due to the technical limitations of its
customers, the company is unable to upgrade the encryption standard.
Which of the following types of controls should be used to reduce the risk created by this scenario?
A. Physical B. Detective C. Preventive D. Compensating Answer: D
A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP
connections. The analyst is unsure what is required to perform the task and solicits help from a senior
colleague.
Which of the following is the FIRST step the senior colleague will most likely tell the analyst to perform to
accomplish this task?
A. Create an OCSP B. Generate a CSR C. Create a CRL D. Generate a .pfx file Answer: B
A financial organization has adopted a new secure, encrypted document-sharing application to help
with its customer loan process. Some important PII needs to be shared across this new platform, but it is
getting blocked by the DLP systems.
Which of the following actions will BEST allow the PII to be shared with the secure application without
compromising the organization’s security posture?
A. Configure the DLP policies to allow all PII
B. Configure the firewall to allow all ports that are used by this application
C. Configure the antivirus software to allow the application
D. Configure the DLP policies to whitelist this application with the specific PII
E. Configure the application to encrypt the PII
Answer: D
A security engineer is reviewing log files after a third party discovered usernames and passwords for the
organization’s accounts. The engineer sees there was a change in the IP address for a vendor website
one week earlier. This change lasted eight hours.
Which of the following attacks was MOST likely used?
A. Man-in-the-middle B. Spear-phishing C. Evil twin D. DNS poisoning Answer: D
Which of the following would a European company interested in implementing a technical, hands-on
set of security standards MOST likely choose?
A. GDPR B. CIS Controls C. ISO 27001 D. ISO 37000 Answer: B (the CIS Controls are the prescriptive, technical control set; GDPR is a privacy regulation and the ISO documents are management-level standards)
A malicious actor recently penetrated a company’s network and moved laterally to the datacenter.
Upon investigation, a forensics firm wants to know what was in the memory on the compromised server.
Which of the following files should be given to the forensics firm?
A. Security B. Application C. Dump D. Syslog Answer: C
A critical file server is being upgraded and the systems administrator must determine which RAID level
the new server will need to achieve parity and handle two simultaneous disk failures.
Which of the following RAID levels meets this requirement?
A. RAID 0+1 B. RAID 2 C. RAID 5 D. RAID 6 Answer: D (RAID 6 uses double parity and survives two simultaneous disk failures; RAID 5 survives only one)
A security analyst has been reading about a newly discovered cyber attack from a known threat actor.
Which of the following would BEST support the analyst’s review of the tactics, techniques, and procedures
the threat actor was observed using in previous campaigns?
A. Security research publications B. The MITRE ATT&CK framework C. The Diamond Model of Intrusion Analysis D. The Cyber Kill Chain Answer: B
A small company that does not have security staff wants to improve its security posture.
Which of the following would BEST assist the company?
A. MSSP B. SOAR C. IaaS D. PaaS Answer: A (an MSSP supplies the security staff the company lacks; SOAR still needs analysts to operate it)
A company is implementing an insider threat detection program. The primary concern is that users may be
accessing confidential data without authorization.
Which of the following should be deployed to detect a potential insider threat?
A. A honeyfile B. A DMZ C. ULF D. File integrity monitoring Answer: A
A company provides mobile devices to its users to permit access to email and enterprise applications.
The company recently started allowing users to select from several different vendors and device models.
When configuring the MDM, which of the following is a key security implication of this heterogeneous
device approach?
A. The most common set of MDM configurations will become the effective set of enterprise mobile
security controls.
B. All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the chosen
architecture may unnecessarily expose private keys to adversaries.
C. Certain devices are inherently less secure than others, so compensatory controls will be needed to
address the delta between device vendors.
D. MDMs typically will not support heterogeneous deployment environments, so multiple MDMs will need
to be installed and configured.
Answer: C
Which of the following terms should be included in a contract to help a company monitor the ongoing
security maturity of a new vendor?
A. A right-to-audit clause allowing for annual security audits
B. Requirements for event logs to be kept for a minimum of 30 days
C. Integration of threat intelligence in the company’s AV
D. A data-breach clause requiring disclosure of significant data loss
Answer: A
A security engineer at an offline government facility is concerned about the validity of an SSL
certificate. The engineer wants to perform the fastest check with the least delay to determine if the
certificate has been revoked.
Which of the following would BEST meet this requirement?
A. RA B. OCSP C. CRL D. CSR Answer: B (OCSP answers a single revocation query in real time; a CRL must be downloaded and parsed in full before the check)
A well-known organization has been experiencing attacks from APTs. The organization is concerned
that custom malware is being created and emailed into the company or installed on USB sticks that are dropped in parking lots.
Which of the following is the BEST defense against this scenario?
A. Configuring signature-based antivirus to update every 30 minutes
B. Enforcing S/MIME for email and automatically encrypting USB drives upon insertion.
C. Implementing application execution in a sandbox for unknown software.
D. Fuzzing new files for vulnerabilities if they are not digitally signed
Answer: C
A security auditor is reviewing vulnerability scan data provided by an internal security team.
Which of the following BEST indicates that valid credentials were used?
A. The scan results show open ports, protocols, and services exposed on the target host
B. The scan enumerated software versions of installed programs
C. The scan produced a list of vulnerabilities on the target host
D. The scan identified expired SSL certificates
Answer: B
During a routine scan of a wireless segment at a retail company, a security administrator discovers
several devices are connected to the network that do not match the company’s naming convention and
are not in the asset inventory. WiFi access is protected with 256-bit encryption via WPA2. Physical
access to the company’s facility requires two-factor authentication using a badge and a passcode.
Which of the following should the administrator implement to find and remediate the issue? (Select TWO).
A. Check the SIEM for failed logins to the LDAP directory.
B. Enable MAC filtering on the switches that support the wireless network.
C. Run a vulnerability scan on all the devices in the wireless network
D. Deploy multifactor authentication for access to the wireless network
E. Scan the wireless network for rogue access points.
F. Deploy a honeypot on the network
Answer: B,E
An end user reports a computer has been acting slower than normal for a few weeks. During an
investigation, an analyst determines the system is sending the user’s email address and a ten-digit
number to an IP address once a day.
The only recent log entry regarding the user’s computer is the following:
Which of the following is the MOST likely cause of the issue?
A. The end user purchased and installed a PUP from a web browser
B. A bot on the computer is brute forcing passwords against a website
C. A hacker is attempting to exfiltrate sensitive data
D. Ransomware is communicating with a command-and-control server.
Answer: A
In the middle of a cybersecurity incident, a security engineer removes the infected devices from the network
and locks down all compromised accounts.
In which of the following incident response phases is the security engineer currently operating?
A. Identification B. Preparation C. Eradication D. Recovery E. Containment Answer: E
Which of the following allows for functional test data to be used in new systems for testing and training
purposes while protecting the real data?
A. Data encryption B. Data masking C. Data deduplication D. Data minimization Answer: B
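Data masking as described above, shown as an added example that is not part of the original flashcards: identifying fields are replaced with deterministic pseudonyms (keyed HMAC, so the same customer maps to the same token and joins between masked tables still work), card numbers keep their length and last four digits, and non-identifying values such as the loan amount stay real so the application logic behaves as in production. The sample rows and the masking key are constructed for the demo; the key is assumed to live only in the masking job, never in the test environment.

```python
import hashlib
import hmac
import re

# Assumption for the demo: this key exists only where masking runs, so the
# pseudonyms cannot be reversed from inside the test or training environment.
MASK_KEY = b"demo-only-masking-key"

# Constructed sample rows (not from the page) in the shape of a loan table.
SAMPLE_ROWS = [
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@corp.example",
     "card": "4111 1111 1111 1234", "loan_amount": 25000},
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@corp.example",
     "card": "4111 1111 1111 1234", "loan_amount": 4000},
    {"customer_id": "C-1002", "name": "Bo Sample", "email": "bo@corp.example",
     "card": "5500 0000 0000 0004", "loan_amount": 120000},
]


def pseudonym(value, prefix, key=MASK_KEY):
    """Keyed, deterministic replacement: the same input always yields the same
    token, so foreign keys between masked tables keep lining up."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:8]}"


def mask_card(pan):
    """Keep the format (digit count, last four) so card-handling code still runs."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email):
    local, _, _domain = email.partition("@")
    return pseudonym(local, "user") + "@example.invalid"


def mask_row(row):
    return {
        "customer_id": pseudonym(row["customer_id"], "C-"),
        "name": pseudonym(row["name"], "Customer "),
        "email": mask_email(row["email"]),
        "card": mask_card(row["card"]),
        # non-identifying values stay real so the loan logic under test is exercised as in production
        "loan_amount": row["loan_amount"],
    }


def mask_rows(rows):
    return [mask_row(r) for r in rows]


if __name__ == "__main__":
    for masked in mask_rows(SAMPLE_ROWS):
        print(masked)
```

Because the pseudonym is keyed, an attacker who obtains the masked data set cannot rebuild the mapping by hashing a list of known names, which is the weakness of plain unkeyed hashing.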
A manufacturing company has several one-off legacy information systems that cannot be migrated to a
newer OS due to software compatibility issues. The OSs are still supported by the vendor, but the
industrial software is no longer supported. The Chief Information Security Officer (CISO) has created a
resiliency plan for these systems that will allow OS patches to be installed in a non-production
environment, while also creating backups of the systems for recovery.
Which of the following resiliency techniques will provide these capabilities?
A. Redundancy B. RAID 1+5 C. Virtual machines D. Full backups Answer: C (virtual machines allow patches to be tested on a cloned instance and the systems to be captured as snapshots or image backups for recovery)
After consulting with the Chief Risk Officer (CRO). a manager decides to acquire cybersecurity
insurance for the company.
Which of the following risk management strategies is the manager adopting?
A. Risk acceptance B. Risk avoidance C. Risk transference D. Risk mitigation Answer: C
To reduce costs and overhead, an organization wants to move from an on-premises email solution to a
cloud-based email solution. At this time, no other services will be moving.
Which of the following cloud models would BEST meet the needs of the organization?
A. MaaS B. IaaS C. SaaS D. PaaS Answer: C (hosted email is a complete application consumed as a service)
A security architect at a large, multinational organization is concerned about the complexities and
overhead of managing multiple encryption keys securely in a multicloud provider environment. The
security architect is looking for a solution with reduced latency to allow the incorporation of the
organization’s existing keys and to maintain consistent, centralized control and management regardless
of the data location.
Which of the following would BEST meet the architect’s objectives?
A. Trusted Platform Module B. IaaS C. HSMaaS D. PaaS E. Key Management Service Answer: E
A network engineer is troubleshooting wireless network connectivity issues that were reported by
users. The issues are occurring only in the section of the building that is closest to the parking lot. Users
are intermittently experiencing slow speeds when accessing websites and are unable to connect to
network drives. The issues appear to increase when laptop users return desks after using their devices in
other areas of the building. There have also been reports of users being required to enter their credentials
on web pages in order to gain access to them.
Which of the following is the MOST likely cause of this issue?
A. An external access point is engaging in an evil-twin attack.
B. The signal on the WAP needs to be increased in that section of the building.
C. The certificates have expired on the devices and need to be reinstalled.
D. The users in that section of the building are on a VLAN that is being blocked by the firewall.
Answer: A
Which of the following provides the BEST protection for sensitive information and data stored in
cloud-based services but still allows for full functionality and searchability of data within the cloud-based
services?
A. Data encryption B. Data masking C. Anonymization D. Tokenization Answer: D (tokens preserve format and can be indexed and searched; encrypted data cannot be searched without decrypting it)
A security administrator has noticed unusual activity occurring between different global instances and
workloads and needs to identify the source of the unusual traffic.
Which of the following log sources would be BEST to show the source of the unusual traffic?
A. HIDS B. UEBA C. CASB D. VPC Answer: D (VPC flow logs record source, destination, port and protocol for traffic between cloud instances and workloads)
The facilities supervisor for a government agency is concerned about unauthorized access to
environmental systems in the event the staff WiFi network is breached.
Which of the following would BEST address this security concern?
A. Install a smart meter on the staff WiFi.
B. Place the environmental systems in the same DHCP scope as the staff WiFi.
C. Implement Zigbee on the staff WiFi access points.
D. Segment the staff WiFi network from the environmental systems network.
Answer: D
An organization just experienced a major cyberattack. The attack was well coordinated,
sophisticated, and highly skilled.
Which of the following targeted the organization?
A. Shadow IT B. An insider threat C. A hacktivist D. An advanced persistent threat Answer: D
Joe, an employee, receives an email stating he won the lottery. The email includes a link that
requests a name, mobile phone number, address, and date of birth be provided to confirm Joe’s identity
before sending him the prize.
Which of the following BEST describes this type of email?
A. Spear phishing B. Whaling C. Phishing D. Vishing Answer: C
An organization wants to implement a third factor to an existing multifactor authentication. The
organization already uses a smart card and password.
Which of the following would meet the organization’s needs for a third factor?
A. Date of birth B. Fingerprints C. PIN D. TPM Answer: B
Which of the following ISO standards is certified for privacy?
A. ISO 9001 B. ISO 27002 C. ISO 27701 D. ISO 31000 Answer: C
The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread
unhindered throughout the network and infect a large number of computers and servers.
Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in
the future?
A. Install a NIDS device at the boundary.
B. Segment the network with firewalls.
C. Update all antivirus signatures daily.
D. Implement application blacklisting.
Answer: B
A RAT that was used to compromise an organization’s banking credentials was found on a user’s
computer. The RAT evaded antivirus detection. It was installed by a user who has local administrator
rights to the system as part of a remote management tool set.
Which of the following recommendations would BEST prevent this from reoccurring?
A. Create a new acceptable use policy.
B. Segment the network into trusted and untrusted zones.
C. Enforce application whitelisting.
D. Implement DLP at the network boundary.
Answer: C
A network manager is concerned that business may be negatively impacted if the firewall in
its datacenter goes offline.
The manager would like to Implement a high availability pair to:
A. decrease the mean time between failures B. remove the single point of failure C. cut down the mean time to repair D. reduce the recovery time objective Answer: B
Which of the following organizational policies are MOST likely to detect fraud that is being conducted
by existing employees? (Select TWO).
A. Offboarding B. Mandatory vacation C. Job rotation D. Background checks E. Separation of duties F. Acceptable use Answer: B,C
A company deployed a WiFi access point in a public area and wants to harden the configuration to
make it more secure. After performing an assessment, an analyst identifies that the access point is
configured to use WPA3, AES, WPS, and RADIUS.
Which of the following should the analyst disable to enhance the access point security?
A. WPA3 B. AES C. RADIUS D. WPS Answer: D
A security audit has revealed that a process control terminal is vulnerable to malicious users installing
and executing software on the system. The terminal is beyond end-of-life support and cannot be
upgraded, so it is placed on a protected network segment.
Which of the following would be MOST effective to implement to further mitigate the reported
vulnerability?
A. DNS sinkholing B. DLP rules on the terminal C. An IP blacklist D. Application whitelisting Answer: D
Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack?
A. An attacker is sniffing traffic to port 53, and the server is managed using unencrypted usernames and
passwords.
B. An organization is experiencing excessive traffic on port 53 and suspects an attacker is trying to DoS
the domain name server.
C. Malware trying to resolve an unregistered domain name to determine if it is running in an isolated
sandbox
D. Routing tables have been compromised, and an attacker is rerouting traffic to malicious websites
Answer: C (a sinkhole returns a controlled answer for malicious or suspicious domain lookups; it does nothing for compromised routing tables)
The website http://companywebsite.com requires users to provide personal information including
security responses, for registration.
Which of the following would MOST likely cause a data breach?
A. Lack of input validation B. Open permissions C. Unsecure protocol D. Missing patches Answer: C (the site is served over plain HTTP, so the registration data crosses the network in cleartext)
The IT department’s on-site developer has been with the team for many years. Each time an
application is released, the security team is able to identify multiple vulnerabilities.
Which of the following would BEST help the team ensure the application is ready to be released to
production?
A. Limit the use of third-party libraries.
B. Prevent data exposure queries.
C. Obfuscate the source code.
D. Submit the application to QA before releasing it.
Answer: D
The following are the logs of a successful attack.
Which of the following controls would be BEST to use to prevent such a breach in the future?
A. Password history B. Account expiration C. Password complexity D. Account lockout Answer: D
Which of the following cloud models provides clients with servers, storage, and networks but nothing
else?
A. SaaS B. PaaS C. IaaS D. DaaS Answer: C
A forensics examiner is attempting to dump passwords cached in the physical memory of a live system
but keeps receiving an error message.
Which of the following is the MOST likely cause of the error?
A. The examiner does not have administrative privileges to the system
B. The system must be taken offline before a snapshot can be created
C. Checksum mismatches are invalidating the disk image
D. The swap file needs to be unlocked before it can be accessed
Answer: A (reading another process’s memory or the kernel’s credential cache requires administrative privileges)
To secure an application after a large data breach, an e-commerce site will be resetting all users’
credentials.
Which of the following will BEST ensure the site’s users are not compromised after the reset?
A. A password reuse policy
B. Account lockout after three failed attempts
C. Encrypted credentials in transit
D. A geofencing policy based on login history
Answer: A (without a reuse policy, users simply re-enter the credentials that were just breached)
A security analyst has been asked to investigate a situation after the SOC started to receive alerts
from the SIEM.
The analyst first looks at the domain controller and finds the following events: {{ PIC }}
To better understand what is going on, the analyst runs a command and receives the following output: {{ PIC }}
Based on the analyst’s findings, which of the following attacks is being executed?
A. Credential harvesting B. Keylogger C. Brute-force D. Spraying Answer: D
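The distinction the question turns on, as an added example that is not part of the original flashcards: password spraying tries one or two common passwords against many accounts from one source, whereas brute force hammers one account with many guesses. The detection below runs over constructed, simplified Windows-style logon events (4625 failed, 4624 succeeded) and labels each source address by the shape of its failures, then lists accounts that later logged on successfully from an attacking source. The log format, field names and thresholds are assumptions for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not taken from the page): simplified security-log
# lines, 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T09:00:{i:02d}Z EventID=4625 TargetUserName={u} IpAddress=203.0.113.7"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["2024-03-01T09:00:07Z EventID=4624 TargetUserName=grace IpAddress=203.0.113.7"]
    + [f"2024-03-01T09:05:{i:02d}Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9"
       for i in range(8)]
    + ["2024-03-01T09:10:00Z EventID=4625 TargetUserName=helen IpAddress=192.0.2.5"]
)

LINE_RE = re.compile(r"EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")


def parse_events(log):
    """Return (event_id, user, source_ip) tuples for every line that matches."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def classify_sources(events, threshold=5):
    """Label each source IP by the shape of its failed logons.
    spraying: many distinct accounts, at most a couple of tries each
    brute-force: one account tried repeatedly"""
    failures = defaultdict(Counter)
    for event_id, user, src in events:
        if event_id == 4625:
            failures[src][user] += 1
    labels = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        busiest = max(per_user.values())
        if total < threshold:
            labels[src] = "normal"
        elif len(per_user) >= threshold and busiest <= 2:
            labels[src] = "spraying"
        elif busiest >= threshold:
            labels[src] = "brute-force"
        else:
            labels[src] = "suspicious"
    return labels


def likely_compromised(events, labels):
    """Accounts with a successful logon from a source already labelled as attacking."""
    return sorted({user for event_id, user, src in events
                   if event_id == 4624 and labels.get(src) in ("spraying", "brute-force")})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    verdicts = classify_sources(evts)
    print(verdicts)
    print("review these accounts:", likely_compromised(evts, verdicts))
```

Note why a per-account lockout threshold misses the spray: each account sees only one failure, so the pattern is only visible when failures are grouped by source address rather than by user.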
An attacker has successfully exfiltrated several non-salted password hashes from an online system.
Given the logs below:
Which of the following BEST describes the type of password attack the attacker is performing?
A. Dictionary B. Pass-the-hash C. Brute-force D. Password spraying Answer: A
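Why "non-salted" matters for the dictionary attack in the question above, as an added example that is not part of the original flashcards: with unsalted hashes the attacker hashes each wordlist entry once and matches it against every leaked hash, and two users with the same password are visible immediately because their hashes are identical. With a per-user salt and a slow KDF the table cannot be shared and the work multiplies by the number of accounts. The wordlist and leaked hashes are constructed for the demo, and the PBKDF2 iteration count is kept deliberately low.

```python
import hashlib
import os

# Constructed wordlist and leaked credentials (not from the page).
WORDLIST = ["123456", "password", "Welcome1", "Summer2024", "letmein"]


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=10_000):
    # Salted, slow KDF. Iteration count is low for the demo; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


LEAKED_UNSALTED = {
    "alice": unsalted_hash("Welcome1"),
    "bob": unsalted_hash("Welcome1"),
    "carol": unsalted_hash("Summer2024"),
    "dave": unsalted_hash("x7$Qp!9zLm"),   # not in the wordlist, stays uncracked
}


def shared_passwords(leaked):
    """Without salts, equal hashes mean equal passwords: group users by hash."""
    groups = {}
    for user, h in leaked.items():
        groups.setdefault(h, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def dictionary_attack_unsalted(leaked, wordlist):
    """One hash per wordlist entry cracks every account at once.
    Returns (cracked mapping, number of hash computations)."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: lookup.get(h) for user, h in leaked.items()}
    return cracked, len(wordlist)


def make_salted_records(passwords):
    """Store (salt, hash) per user with a fresh random salt each."""
    records = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_hash(pw, salt))
    return records


def dictionary_attack_salted(records, wordlist):
    """Per-user salts force per-user hashing: work grows with users x words."""
    cracked, work = {}, 0
    for user, (salt, h) in records.items():
        cracked[user] = None
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == h:
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    print("shared:", shared_passwords(LEAKED_UNSALTED))
    print("unsalted:", dictionary_attack_unsalted(LEAKED_UNSALTED, WORDLIST))
    recs = make_salted_records({"alice": "Welcome1", "bob": "Welcome1", "dave": "x7$Qp!9zLm"})
    print("salted:", dictionary_attack_salted(recs, WORDLIST))
```

The salt does not stop a weak password from being guessed; it removes the shared lookup table and the hash-equality leak, and the slow KDF raises the cost of every remaining guess.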
An organization’s corporate offices were destroyed due to a natural disaster, so the organization is
now setting up offices in a temporary work space.
Which of the following will the organization MOST likely consult?
A. The business continuity plan B. The disaster recovery plan C. The communications plan D. The incident response plan Answer: A
Which of the following is the purpose of a risk register?
A. To define the level or risk using probability and likelihood
B. To register the risk with the required regulatory agencies
C. To identify the risk, the risk owner, and the risk measures
D. To formally log the type of risk mitigation strategy the organization is using
Answer: C
The spread of misinformation surrounding the outbreak of a novel virus on election day ted to eligible
voters choosing not to take the risk of going to the polls.
This is an example of:
A. prepending. B. an influence campaign C. a watering-hole attack D. intimidation E. information elicitation Answer: B
A security analyst needs to find real-time data on the latest malware and IoCs.
Which of the following BEST describes the solution the analyst should pursue?
A. Advisories and bulletins B. Threat feeds C. Security news articles D. Peer-reviewed content Answer: B
A startup company is using multiple SaaS and IaaS platform to stand up a corporate infrastructure
and build out a customer-facing web application.
Which of the following solutions would be BEST to provide security, manageability, and visibility into the
platforms?
A. SIEM B. DLP C. CASB D. SWG Answer: C
An enterprise has hired an outside security firm to conduct penetration testing on its network and
applications. The firm has only been given the documentation available to the customers of the
applications.
Which of the following BEST represents the type of testing that will occur?
A. Bug bounty B. Black-box C. Gray-box D. White-box Answer: C (the testers have partial knowledge, the customer-facing documentation, but not source code or internal design)
Which of the following would cause a Chief Information Security Officer (CISO) the MOST concern
regarding newly installed Internet-accessible 4K surveillance cameras?
A. An inability to monitor 100%, of every facility could expose the company to unnecessary risk.
B. The cameras could be compromised if not patched in a timely manner.
C. Physical security at the facility may not protect the cameras from theft.
D. Exported videos may take up excessive space on the file servers.
Answer: B (Internet-exposed IoT devices that are not patched promptly are a direct compromise risk)
Which of the following describes the ability of code to target a hypervisor from inside a virtual machine?
A. Fog computing B. VM escape C. Software-defined networking D. Image forgery E. Container breakout Answer: B
After reading a security bulletin, a network security manager is concerned that a malicious actor may
have breached the network using the same software flaw. The exploit code is publicly available and has
been reported as being used against other industries in the same vertical.
Which of the following should the network security manager consult FIRST to determine a priority list for
forensic review?
A. The vulnerability scan output B. The IDS logs C. The full packet capture data D. The SIEM alerts Answer: A
A network administrator is setting up wireless access points in all the conference rooms and wants to
authenticate device using PKI.
Which of the following should the administrator configure?
A. A captive portal B. PSK C. 802.1X D. WPS Answer: C
A worldwide manufacturing company has been experiencing email account compromises. In one
incident, a user logged in from the corporate office in France, but then seconds later, the same user
account attempted a login from Brazil.
Which of the following account policies would BEST prevent this type of attack?
A. Network location B. Impossible travel time C. Geolocation D. Geofencing Answer: B (the logins are from two locations that cannot be reached within the elapsed time)
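The impossible-travel check from the question above, as an added example that is not part of the original flashcards: each login is compared with the user’s previous one, the great-circle distance is divided by the elapsed time, and any pair that would require a speed faster than an airliner is flagged. The login events and coordinates are constructed for the demo in the form an IP-geolocation lookup would return, and the 1000 km/h ceiling is an assumed threshold.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumption for the demo: nothing legitimate moves faster than an airliner,
# so a required speed above this is treated as impossible travel.
MAX_SPEED_KMH = 1000.0

# Constructed login events (not from the page): user, UTC timestamp, latitude,
# longitude and country as an IP-geolocation lookup would report them.
LOGINS = [
    ("user1", "2024-05-01T08:00:00Z", 48.8566, 2.3522, "FR"),      # Paris
    ("user1", "2024-05-01T08:00:30Z", -23.5505, -46.6333, "BR"),   # Sao Paulo, 30 s later
    ("user2", "2024-05-01T08:00:00Z", 48.8566, 2.3522, "FR"),      # Paris
    ("user2", "2024-05-01T20:00:00Z", 51.5074, -0.1278, "GB"),     # London, 12 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each login with the same user's previous login. Returns
    (user, from_country, to_country, km, km_per_hour) for every pair whose
    required speed exceeds the threshold."""
    alerts = []
    last_seen = {}
    for user, ts, lat, lon, country in sorted(logins, key=lambda r: r[1]):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if user in last_seen:
            prev_when, prev_lat, prev_lon, prev_country = last_seen[user]
            distance = haversine_km(prev_lat, prev_lon, lat, lon)
            # floor the gap at one second so two logins in the same second cannot divide by zero
            hours = max((when - prev_when).total_seconds(), 1.0) / 3600.0
            speed = distance / hours
            if speed > max_speed_kmh:
                alerts.append((user, prev_country, country, round(distance), round(speed)))
        last_seen[user] = (when, lat, lon, country)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print("impossible travel:", alert)
```

Geofencing or a country allow-list would not catch this case if both France and Brazil are legitimate business locations; only the time-and-distance relationship between the two logins reveals the stolen credential.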
A security analyst needs to produce a document that details how a security incident occurred, the
steps that were taken for recovery, and how future incidents can be avoided.
During which of the following stages of the response process will this activity take place?
A. Recovery B. Identification C. Lessons learned D. Preparation Answer: C
A system administrator needs to implement an access control scheme that will allow an object’s
access policy to be determined by its owner.
Which of the following access control schemes BEST fits the requirements?
A. Role-based access control B. Discretionary access control C. Mandatory access control D. Attribute-based access control Answer: B
CORRECT TEXT
A systems administrator needs to install a new wireless network for authenticated guest access. The
wireless network should support 802.1X using the most secure encryption and protocol available.
Perform the following steps:
1. Configure the RADIUS server.
2. Configure the WiFi controller.
3. Preconfigure the client for an incoming guest. The guest AD credentials are:
User: guest01
Password: guestpass
{{ PIC }}
Which of the following should be put in place when negotiating with a new vendor about the
timeliness of the response to a significant outage or incident?
A. MOU B. MTTR C. SLA D. NDA Answer: C
A company is implementing MFA for all applications that store sensitive data. The IT manager wants
MFA to be non-disruptive and user friendly.
Which of the following technologies should the IT manager use when implementing MFA?
A. One-time passwords B. Email tokens C. Push notifications D. Hardware authentication Answer: C
An information security officer at a credit card transaction company is conducting a
framework-mapping exercise with the internal controls. The company recently established a new office in
Europe.
To which of the following frameworks should the security officer map the existing controls? (Select TWO).
A. ISO B. PCI DSS C. SOC D. GDPR E. CSA F. NIST Answer: B,D
A security analyst is running a vulnerability scan to check for missing patches during a suspected
security incident.
During which of the following phases of the response process is this activity MOST likely occurring?
A. Containment B. Identification C. Recovery D. Preparation Answer: B (scanning for missing patches during a suspected incident is part of identifying whether and how the compromise happened)
Which of the following would be the BEST method for creating a detailed diagram of wireless access
points and hot-spots?
A. Footprinting B. White-box testing C. A drone/UAV D. Pivoting Answer: A
Which of the following policies would help an organization identify and mitigate potential single points
of failure in the company’s IT/security operations?
A. Least privilege B. Awareness training C. Separation of duties D. Mandatory vacation Answer: D (if operations stall while one person is away, that person is a single point of failure)
After entering a username and password, an administrator must gesture on a touch screen.
Which of the following demonstrates what the administrator is providing?
A. Multifactor authentication B. Something you can do C. Biometric D. Two-factor authentication Answer: B (a gesture is a behavioral factor, something you can do)
A security administrator suspects an employee has been emailing proprietary information to a
competitor. Company policy requires the administrator to capture an exact copy of the employee’s hard
disk.
Which of the following should the administrator use?
A. dd B. chmod C. dnsenum D. logger Answer: A
A global company is experiencing unauthorized logins due to credential theft and account lockouts
caused by brute-force attacks. The company is considering implementing a third-party identity provider to
help mitigate these attacks.
Which of the following would be the BEST control for the company to require from prospective vendors’?
A. IP restrictions B. Multifactor authentication C. A banned password list D. A complex password policy Answer: B
Which of the following types of controls is a turnstile?
A. Physical B. Detective C. Corrective D. Technical Answer: A
A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any
external networks.
Which of the following methods would BEST prevent data loss? (Select TWO)
A. VPN B. Drive encryption C. Network firewall D. File-level encryption E. USB blocker F. MFA Answer: B,E
Which of the following scenarios BEST describes a risk reduction technique?
A. A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches.
B. A security control objective cannot be met through a technical change, so the company implements a
policy to train users on a more secure method of operation.
C. A security control objective cannot be met through a technical change, so the company changes its
method of operation
D. A security control objective cannot be met through a technical change, so the Chief Information Officer
(CIO) decides to sign off on the risk.
Answer: B
A global pandemic is forcing a private organization to close some business units and reduce staffing
at others.
Which of the following would be BEST to help the organization’s executives determine the next course of
action?
A. An incident response plan B. A communications plan C. A disaster recovery plan D. A business continuity plan Answer: D
A security analyst reviews the datacenter access logs for a fingerprint scanner and notices an
abundance of errors that correlate with users’ reports of issues accessing the facility.
Which of the following is MOST likely the cause of the access issues?
A. False rejection B. Cross-over error rate C. Efficacy rate D. Attestation Answer: A (legitimate users being denied is a false rejection; the crossover error rate is a tuning metric, not a cause)
A security analyst needs to implement an MDM solution for BYOD users that will allow the company
to retain control over company emails residing on the devices and limit data exfiltration that might occur if
the devices are lost or stolen.
Which of the following would BEST meet these requirements? (Select TWO).
A. Full-device encryption B. Network usage rules C. Geofencing D. Containerization E. Application whitelisting F. Remote control Answer: A,D (containerization keeps company email under company control on a personal device; full-device encryption limits exfiltration from a lost or stolen device)
An organization’s Chief Security Officer (CSO) wants to validate the business’s involvement in the
incident response plan to ensure its validity and thoroughness.
Which of the following will the CSO MOST likely use?
A. An external security assessment B. A bug bounty program C. A tabletop exercise D. A red-team engagement Answer: C
A security analyst needs to perform periodic vulnerably scans on production systems.
Which of the following scan types would produce the BEST vulnerability scan report?
A. Port B. Intrusive C. Host discovery D. Credentialed Answer: D
While reviewing the wireless router, the systems administrator of a small business determines
someone is spoofing the MAC address of an authorized device.
Given the table below:
Which of the following should be the administrator’s NEXT step to detect if there is a rogue system without
impacting availability?
A. Conduct a ping sweep. B. Physically check each system. C. Deny Internet access to the "UNKNOWN" hostname. D. Apply MAC filtering. Answer: B (MAC filtering would not block a device presenting an authorized MAC address and could disrupt legitimate users)