Topic 6 (newest questions) Flashcards

1
Q

A Chief Information Security Officer (CISO) asks the security architect to design a method for contractors to
access the company’s internal wiki, corporate directory, and email services securely without allowing access to systems beyond the scope of their project. Which of the following methods would BEST fit the needs of the
CISO?

VPN
PaaS
IaaS
VDI

A

VPN

2
Q

A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker
would. Which of the following would BEST enable the analyst to complete the objective?

Perform a non-credentialed scan.
Conduct an intrusive scan.
Attempt escalation of privilege.
Execute a credentialed scan.

A

Perform a non-credentialed scan

3
Q

A contracting company recently completed its period of performance on a government contract and would like to destroy all information associated with contract performance. Which of the following is the best NEXT step for the company to take?

Consult data disposition policies in the contract.
Use a pulper or pulverizer for data destruction
Retain the data for a period no more than one year
Burn hard copies containing PII or PHI.

A

Consult data disposition policies in the contract.

4
Q

A threat actor motivated by political goals that is active for a short period of time but has virtually unlimited
resources is BEST categorized as a:

hacktivist.
nation-state
script kiddie
APT

A

nation-state

5
Q

Which of the following types of security testing is the MOST cost-effective approach used to analyze existing code and identify areas that require patching?

Black box
Gray box
White box
Red team
Blue team
A

White box

6
Q

A security analyst is assessing a small company’s internal servers against recommended security practices.
Which of the following should the analyst do to conduct the assessment? (Select TWO).

Compare configurations against platform benchmarks.
Confirm adherence to the company’s industry-specific regulations.
Review the company’s current security baseline.
Verify alignment with policy related to regulatory compliance.
Run an exploitation framework to confirm vulnerabilities.

A

Review the company’s current security baseline.

and

Run an exploitation framework to confirm vulnerabilities

7
Q

A security analyst is emailing PII in a spreadsheet file to an audit validator for after-actions related to a
security assessment. The analyst must make sure the PII data is protected with the following minimum
requirements:

* Ensure confidentiality at rest.
* Ensure the integrity of the original email message.
Which of the following controls would ensure these data security requirements are carried out?

Encrypt and sign the email using S/MIME.
Encrypt the email and send it using TLS.
Hash the email using SHA-1.
Sign the email using MD5

A

Encrypt and sign the email using S/MIME

8
Q

A member of the human resources department received the following email message after sending an email containing benefit and tax information to a candidate:

“Your message has been quarantined for the following policy violation: external_potential_PII. Please contact
the IT security administrator for further details.”
Which of the following BEST describes why this message was received?

The DLP system flagged the message
The mail gateway prevented the message from being sent to personal email addresses.
The company firewall blocked the recipient’s IP address.
The file integrity check failed for the attached files.

A

The DLP system flagged the message

9
Q

Which of the following is the MOST likely motivation for a script kiddie threat actor?

Financial gain
Notoriety
Political expression
Corporate espionage

A

Notoriety

10
Q

A Chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the
public-facing servers in the domain. Which of the following is a secure solution that is the MOST cost
effective?

Create and install a self-signed certificate on each of the servers in the domain.
Purchase a load balancer and install a single certificate on the load balancer.
Purchase a wildcard certificate and implement it on every server.
Purchase individual certificates and apply them to the individual servers.

A

Purchase a load balancer and install a single certificate on the load balancer.

11
Q

Which of the following would provide a safe environment for an application to access only the resources needed to function while not having access to run at the system level?

Sandbox
Honey pot
GPO
DMZ

A

Sandbox

12
Q

Which of the following is a technical preventive control?

Two-factor authentication
DVR-supported cameras
Acceptable-use MOTD
Syslog server

A

Two-factor authentication

13
Q

A security administrator is reviewing the following firewall configuration after receiving reports that users are
unable to connect to remote websites:
10 PERMIT FROM ANY TO:ANY PORT: 80
20 PERMIT FROM:ANY TO:ANY PORT: 443
30 DENY FROM: ANY TO:ANY PORT:ANY
Which of the following is the MOST secure solution the security administrator can implement to fix this issue?

A. Add the following rule to the firewall: 5 PERMIT FROM: ANY TO:ANY PORT:53
B. Replace rule number 10 with the following rule: 10 PERMIT FROM: ANY TO:ANY PORT:22
C. Insert the following rule in the firewall: 25 PERMIT FROM ANY TO:ANY PORTS:ANY
D. Remove the following rule from the firewall: 30 DENY FROM:ANY TO:ANY PORT:ANY

A

B. Replace rule number 10 with the following rule: 10 PERMIT FROM: ANY TO:ANY PORT:22

14
Q

A security analyst is hardening a large-scale wireless network. The primary requirements are the following:

  • Must use authentication through EAP-TLS certificates
  • Must use an AAA server
  • Must use the most secure encryption protocol

Given these requirements, which of the following should the analyst implement and recommend? (Select
TWO).

802.1X
802.3
LDAP
TKIP
CCMP
WPA2-PSK

A

802.1X

and

WPA2-PSK

15
Q

A systems engineer is configuring a wireless network. The network must not require installation of third-party
software. Mutual authentication of the client and the server must be used. The company has an internal PKI.
Which of the following configurations should the engineer choose?

EAP-TLS
EAP-TTLS
EAP-FAST
EAP-MD5
PEAP
A

EAP-TLS

16
Q

Which of the following is the MOST significant difference between intrusive and non-intrusive vulnerability scanning?

One uses credentials, but the other does not
One has a higher potential for disrupting system operations.
One allows systems to activate firewall countermeasures.
One returns service banners, including running versions

A

One has a higher potential for disrupting system operations

17
Q

A systems administrator wants to configure an enterprise wireless solution that supports authentication over HTTPS and wireless encryption using AES. Which of the following should the administrator configure to support these requirements? (Select TWO).

802.1X
RADIUS federation
WPS
Captive portal
WPA2
WDS
A

802.1X

and

WPA2

18
Q

A company needs to fix some audit findings related to its physical security. A key finding was that multiple
people could physically enter a location at the same time. Which of the following is the BEST control to address this audit finding?

Faraday cage
Mantrap
Biometrics
Proximity cards

A

Mantrap

19
Q

During a forensics investigation, which of the following must be addressed FIRST according to the order of
volatility?

Hard drive
RAM
Network-attached storage
USB flash drive

A

RAM

20
Q

During a security audit of a company’s network, unsecure protocols were found to be in use. A network
administrator wants to ensure browser-based access to company switches is using the most secure protocol.
Which of the following protocols should be implemented?

SSH2
TLS1.2
SSL1.3
SNMPv3

A

TLS 1.2

21
Q

A security administrator has received multiple calls from the help desk about customers who are unable to
access the organization’s web server. Upon reviewing the log files the security administrator determines
multiple open requests have been made from multiple IP addresses, which is consuming system resources.
Which of the following attack types does this BEST describe?

DDoS
DoS
Zero day
Logic bomb

A

DDoS

22
Q

The security administrator has installed a new firewall which implements an implicit DENY policy by default.
Click on the firewall and configure it to allow ONLY the following communication.

See PDF 374

A

PDF 374

23
Q

A company utilizes 802.11 for all client connectivity within a facility. Users in one part of the building are
reporting they are unable to access company resources when connected to the company SSID. Which of the following should the security administrator use to assess connectivity?

Sniffer
Honeypot
Routing tables
Wireless scanner

A

Routing tables

24
Q

A user loses a COPE device. Which of the following should the user do NEXT to protect the data on the
device?

Call the company help desk to remotely wipe the device.
Report the loss to authorities
Check with corporate physical security for the device.
Identify files that are potentially missing on the device.

A

Call the company help desk to remotely wipe the device

25
Q

Which of the following represents a multifactor authentication system?

An iris scanner coupled with a palm print reader and fingerprint scanner with liveness detection.
A secret passcode that prompts the user to enter a secret key if entered correctly.
A digital certificate on a physical token that is unlocked with a secret passcode.
A one-time password token combined with a proximity badge.

A

A one-time password token combined with a proximity badge

26
Q

A security team has downloaded a public database of the largest collection of password dumps on the Internet. This collection contains the cleartext credentials of every major breach for the last four years. The security team pulls and compares users’ credentials to the database and discovers that more than 30% of the users were still using passwords discovered in this list. Which of the following would be the BEST combination to reduce the risks discovered?

Password length, password encryption, password complexity
Password complexity, least privilege, password reuse
Password reuse, password complexity, password expiration
Group policy, password history, password encryption

A

Password length, password encryption, password complexity

27
Q

A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The CIO wants to keep control over key visibility and management. Which of the following would be the BEST solution for the CIO to implement?

HSM
CA
SSH
SSL

A

HSM (hardware security module)

28
Q

A technician has been asked to document which services are running on each of a collection of 200 servers.
Which of the following tools BEST meets this need while minimizing the work required?

Nmap
Nslookup
Netcat
Netstat

A

Netcat

29
Q

Which of the following BEST describes a security exploit for which a vendor patch is not readily available?

Integer overflow
Zero-day
End of life
Race condition

A

Zero-day

30
Q

A systems administrator is increasing the security settings on a virtual host to ensure users on one VM cannot access information from another VM. Which of the following is the administrator protecting against?

VM sprawl
VM escape
VM migration
VM sandboxing

A

VM escape

31
Q

Which of the following BEST distinguishes Agile development from other methodologies in terms of
vulnerability management?

Cross-functional teams
Rapid deployments
Daily standups
Peer review
Creating user stories
A

Daily standups

32
Q

An organization wishes to allow its users to select devices for business use but does not want to overwhelm the service desk with requests for too many different device types and models. Which of the following deployment models should the organization use to BEST meet these requirements?

VDI environment
CYOD model
DAC mode
BYOD model

A

CYOD model

33
Q

A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker
would. Which of the following would BEST enable the analyst to complete the objective?

Perform a non-credentialed scan.
Conduct an intrusive scan.
Attempt escalation of privilege
Execute a credentialed scan.

A

Perform a non-credentialed scan

34
Q

An organization’s IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization’s web servers. Given the organization’s stated priorities, which of the following would be the NEXT step?

Remove the affected servers from the network.
Review firewall and IDS logs to identify possible source IPs.
Identify and apply any missing operating system and software patches.
Delete the malicious software and determine if the servers must be reimaged.

A

Remove the affected servers from the network

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Which of the following is the proper use of a Faraday cage?

To block electronic signals sent to erase a cell phone
To capture packets sent to a honeypot during an attack
To protect hard disks from access during a forensics investigation
To restrict access to a building allowing only one person to enter at a time

A

To block electronic signals sent to erase a cell phone

36
Q

A security technician is configuring a new firewall appliance for a production environment. The firewall must support secure web services for client workstations on the 10.10.10.0/24 network. The same client workstations are configured to contact a server at 192.168.1.15/24 for domain name resolution. Which of the
following rules should the technician add to the firewall to allow this connectivity for the client workstations?
(Select TWO).

Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 22
Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 80
Permit 10.10.10.0/24 192.168.1.15/24 -p udp --dport 21
Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 443
Permit 10.10.10.0/24 192.168.1.15/24 -p tcp --dport 53
Permit 10.10.10.0/24 192.168.1.15/24 -p udp --dport 53

A

Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 443

and

Permit 10.10.10.0/24 192.168.1.15/24 -p tcp --dport 53

37
Q

A computer forensics analyst collected a flash drive that contained a single file with 500 pages of text. Which of the following algorithms should the analyst use to validate the integrity of the file?

3DES
AES
MD5
RSA

A

MD5

38
Q

A technician, who is managing a secure B2B connection, noticed the connection broke last night. All
networking equipment and media are functioning as expected, which leads the technician to question certain PKI components. Which of the following should the technician use to validate this assumption?
(Choose two.)

PEM
CER
SCEP
CRL
OCSP
PFX
A

CRL

and

OCSP

39
Q

The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead to:

arbitrary code execution.
resource exhaustion.
exposure of authentication credentials.
dereferencing of memory pointers.

A

Arbitrary code execution

40
Q

Company engineers regularly participate in a public Internet forum with other engineers throughout the
industry. Which of the following tactics would an attacker MOST likely use in this scenario?

Watering-hole attack
Credential harvesting
Hybrid warfare
Pharming

A

Watering hole attack

41
Q

A contracting company recently completed its period of performance on a government contract and would like to destroy all information associated with contract performance. Which of the following is the best NEXT step for the company to take?

Consult data disposition policies in the contract.
Use a pulper or pulverizer for data destruction.
Retain the data for a period no more than one year.
Burn hard copies containing PII or PHI

A

Consult data disposition policies in the contract

42
Q

A company has a team of penetration testers. This team has located a file on the company file server that they believe contains cleartext usernames followed by a hash. Which of the following tools should the penetration testers use to learn more about the content of this file?

Exploitation framework
Vulnerability scanner
Netcat
Password cracker

A

Password cracker

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

An incident response analyst in a corporate security operations center receives a phone call from an SOC
analyst. The SOC analyst explains the help desk recently reimaged a workstation that was suspected of being infected with an unknown type of malware; however, even after reimaging, the host continued to generate SIEM alerts. Which of the following types of malware is MOST likely responsible for producing the SIEM alerts?

Ransomware
Logic bomb
Rootkit
Adware

A

Rootkit

44
Q

A public relations team will be taking a group of guests on a tour through the facility of a large e-commerce
company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against:

loss of proprietary information
damage to the company’s reputation
social engineering
credential exposure

A

Social engineering

45
Q

A security analyst runs a monthly file integrity check on the main web server. When analyzing the logs, the
analyst observed the following entry:
No OS patches were applied to this server during this period. Considering the log output, which of the
following is the BEST conclusion?

The cmd.exe was executed on the scanned server between the two dates. An incident ticket should be
created
The iexplore.exe was executed on the scanned server between the two dates. An incident ticket should
be created.
The cmd.exe was updated on the scanned server. An incident ticket should be created
The iexplore.exe was updated on the scanned server. An incident ticket should be created.

A

The cmd.exe was updated on the scanned server. An incident ticket should be created.

46
Q

An employee opens a web browser and types a URL into the address bar. Instead of reaching the requested
site, the browser opens a completely different site. Which of the following types of attacks have MOST likely occurred? (Choose two.)

DNS hijacking
Cross-site scripting
Domain hijacking
Man-in-the-browser
Session hijacking
A

DNS hijacking

and

Session hijacking

47
Q

An attacker has obtained the user ID and password of a datacenter’s backup operator and has gained access to a production system. Which of the following would be the attacker’s NEXT action?

Perform a passive reconnaissance of the network.
Initiate a confidential data exfiltration process.
Look for known vulnerabilities to escalate privileges.
Create an alternate user ID to maintain persistent access.

A

Initiate a confidential data exfiltration process

48
Q

Which of the following documents would provide specific guidance regarding ports and protocols that should be disabled on an operating system?

Regulatory requirements
Secure configuration guide
Application installation guides
User manuals

A

Secure configuration guide

49
Q

A technician is investigating a report of unusual behavior and slow performance on a company-owned laptop.
The technician runs a command and reviews the following information:

Based on the above information, which of the following types of malware should the technician report?

Spyware
Rootkit
RAT
Logic bomb

A

Spyware

50
Q

After a ransomware attack, a forensics company needs to review a cryptocurrency transaction between the
victim and the attacker. Which of the following will the company MOST likely review to trace this
transaction?

The public ledger
The NetFlow data
A checksum
The event log

A

The event log

51
Q

During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts. With which of the following is the auditor MOST likely concerned?

ARO/ALE
MTTR/MTBF
RTO/RPO
Risk assessment

A

RTO/RPO

52
Q

Which of the following provides PFS?

AES
RC4
DHE
HMAC

A

DHE (Ephemeral Diffie-Hellman)

53
Q

Joe, a contractor, is hired by a firm to perform a penetration test against the firm’s infrastructure. While
conducting the scan, he receives only the network diagram and the network list to scan against the network.
Which of the following scan types is Joe performing?

Authenticated
White box
Automated
Gray box

A

Gray box

54
Q

A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media?

Monitoring large data transfer transactions in the firewall logs
Developing mandatory training to educate employees about the removable media policy
Implementing a group policy to block user access to system files
Blocking removable-media devices and write capabilities using a host-based security tool

A

Developing mandatory training to educate employees about removable media policy

55
Q

Given the information below:
MD5HASH document.doc 049eab40fd36caadlfab10b3cdf4a883
MD5HASH image.jpg 049eab40fd36caadlfab10b3cdf4a883

Which of the following concepts are described above? (Choose two.)

Salting
Collision
Steganography
Hashing
Key stretching
A

Collision

and

Hashing

56
Q

Which of the following are the BEST selection criteria to use when assessing hard drive suitability for
time-sensitive applications that deal with large amounts of critical information? (Select TWO).

MTBF
MTTR
SLA
RTO
MTTF
RPO
A

MTBF (mean time between failures)

and

MTTR

57
Q

An organization has hired a new remote workforce. Many new employees are reporting that they are unable to
access the shared network resources while traveling. They need to be able to travel to and from different
locations on a weekly basis. Shared offices are retained at the headquarters location. The remote workforce will have identical file and system access requirements, and must also be able to log in to the headquarters location remotely. Which of the following BEST represent how the remote employees should have been set up initially? (Select TWO).

User-based access control
Shared accounts
Group-based access control
Mapped drives
Individual accounts
Location-based policies
A

Group-based access control

and

Individual accounts

58
Q

A systems administrator is installing and configuring an application service that requires access to read and
write to log and configuration files on a local hard disk partition. The service must run as an account with
authorization to interact with the file system. Which of the following would reduce the attack surface added by the service and account? (Select TWO)

Use a unique managed service account
Utilize a generic password for authenticating
Enable and review account audit logs
Enforce least possible privileges for the account
Add the account to the local administrator’s group.
Use a guest account placed in a non-privileged users’ group

A

Use a unique managed service account

and

Enforce least possible privileges for the account

59
Q

A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better:

validate the vulnerability exists in the organization’s network through penetration testing.
research the appropriate mitigation techniques in a vulnerability database.
find the software patches that are required to mitigate a vulnerability.
prioritize remediation of vulnerabilities based on the possible impact.

A

Prioritize remediation of vulnerabilities based on the possible impact.

60
Q

A security engineer is analyzing the following line of JavaScript code that was found in a comment field on a web forum, which was recently involved in a security breach:

Given the line of code above, which of the following BEST represents the attack performed during the breach?

CSRF
DDoS
DoS
XSS

A

XSS

61
Q

A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms?

SIEM
DLP
CASB
SWG

A

CASB

62
Q

A company employee recently retired, and there was a schedule delay because no one was capable of filling
the employee’s position. Which of the following practices would BEST help to prevent this situation in the future?

Mandatory vacation
Separation of duties
Job rotation
Exit interviews

A

Job rotation

63
Q

See PDF 395

A

395

64
Q

A system in the network is used to store proprietary secrets and needs the highest level of security possible.
Which of the following should a security administrator implement to ensure the system cannot be reached
from the Internet?

VLAN
Air gap
NAT
Firewall

A

Air gap

65
Q

After successfully breaking into several networks and infecting multiple machines with malware, hackers
contact the network owners, demanding payment to remove the infection and decrypt files. The hackers
threaten to publicly release information about the breach if they are not paid. Which of the following BEST describes these attackers?

Gray hat hackers
Organized crime
Insiders
Hacktivists

A

Organized crime

66
Q

A system uses an application server and database server. Employing the principle of least privilege, only
database administrators are given administrative privileges on the database server, and only application team members are given administrative privileges on the application server. Audit and log file reviews are
performed by the business unit (a separate group from the database and application teams).

The organization wants to optimize operational efficiency when application or database changes are needed, but it also wants to enforce least privilege, prevent modification of log files, and facilitate the audit and log review performed by the business unit. Which of the following approaches would BEST meet the organization’s goals?

Restrict privileges on the log file directory to “read only” and use a service account to send a copy of these files to the business unit.
Switch administrative privileges for the database and application servers. Give the application team administrative privileges on the database servers and the database team administrative privileges on the application servers.
Remove administrative privileges from both the database and application servers, and give the business unit “read only” privileges on the directories where the log files are kept.
Give the business unit administrative privileges on both the database and application servers so they can independently monitor server activity.

A

Restrict privileges on the log file directory to “read only” and use a service account to send a copy of
these files to the business unit.

67
Q

The president of a company that specializes in military contracts receives a request for an interview. During
the interview, the reporter seems more interested in discussing the president’s family life and personal history than the details of a recent company success. Which of the following security concerns is this MOST likely an example of?

Insider threat
Social engineering
Passive reconnaissance
Phishing

A

Social engineering

68
Q

After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic?

A DMZ
A VPN
A VLAN
An ACL

A

A VLAN

69
Q

A state-sponsored threat actor has launched several successful attacks against a corporate network. Although the target has a robust patch management program in place, the attacks continue in depth and scope, and the security department has no idea how the attacks are able to gain access. Given that patch management and vulnerability scanners are being used, which of the following would be used to analyze the attack methodology?

Rogue system detection
Honeypots
Next-generation firewall
Penetration test

A

Honeypots

70
Q

An organization’s policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevent users from using any of their previous 12 passwords. The organization does not use single sign-on, nor does it centralize storage of passwords.
The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation.
Which of the following BEST describes what is happening?

Some users are meeting password complexity requirements but not password length requirements.
The password history enforcement is insufficient, and old passwords are still valid across many different
systems.
Some users are reusing passwords, and some of the compromised passwords are valid on multiple
systems.
The compromised password file has been brute-force hacked, and the complexity requirements are not
adequate to mitigate this risk.

A

The compromised password file has been brute-force hacked, and the complexity requirements are not
adequate to mitigate this risk.

71
Q

A security analyst is running a credential-based vulnerability scanner on a Windows host. The vulnerability scanner is using the protocol NetBIOS over TCP/IP to connect to various systems. However, the scan does not return any results. To address the issue, the analyst should ensure that which of the following default ports is open on the systems?

135
137
3389
5060

A

137

72
Q

Which of the following describes the BEST approach for deploying application patches?

Apply the patches to systems in a testing environment, then to systems in a staging environment, and
finally to production systems.
Test the patches in a staging environment, develop against them in the development environment, and
then apply them to the production systems
Test the patches in a test environment, apply them to the production systems, and then apply them to a
staging environment.
Apply the patches to the production systems, apply them in a staging environment, and then test all of
them in a testing environment.

A

Apply the patches to the production systems, apply them in a staging environment, and then test all of them in a testing environment.

73
Q

A systems administrator is auditing the company’s Active Directory environment. It is quickly noted that the username “company\bsmith” is interactively logged into several desktops across the organization. Which of
the following has the systems administrator MOST likely come across?

Service account
Shared credentials
False positive
Local account

A

Shared credentials

74
Q

During a forensic investigation, which of the following must be addressed FIRST according to the order of
volatility?

Hard drive
RAM
Network attached storage
USB flash drive

A

RAM

75
Q

A company uses an enterprise desktop imaging solution to manage deployment of its desktop computers. Desktop computer users are only permitted to use software that is part of the baseline image. Which of the following technical solutions was MOST likely deployed by the company to ensure only known-good software can be installed on corporate desktops?

Network access control
Configuration manager
Application whitelisting
File integrity checks

A

Configuration manager

76
Q

Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack?

-An attacker is sniffing traffic to port 53, and the server is managed using unencrypted usernames and passwords.
-An organization is experiencing excessive traffic on port 53 and suspects an attacker is trying to DoS the
domain name server.
-Malware is trying to resolve an unregistered domain name to determine if it is running in an isolated
sandbox.
-DNS routing tables have been compromised, and an attacker is rerouting traffic to malicious websites.

A

DNS routing tables have been compromised, and an attacker is rerouting traffic to malicious websites

77
Q

After a systems administrator installed and configured Kerberos services, several users experienced
authentication issues. Which of the following should be installed to resolve these issues?

RADIUS server
NTLM service
LDAP service
NTP server

A

LDAP service

78
Q

An organization wants to set up a wireless network in the most secure way. Budget is not a major
consideration, and the organization is willing to accept some complexity when clients are connecting. It is also
willing to deny wireless connectivity for clients who cannot be connected in the most secure manner.

Which of the following would be the MOST secure setup that conforms to the organization’s requirements?

Enable WPA2-PSK for older clients and WPA2-Enterprise for all other clients.
Enable WPA2-PSK, disable all other modes, and implement MAC filtering along with port security.
Use WPA2-Enterprise with RADIUS and disable pre-shared keys.
Use WPA2-PSK with a 24-character complex password and change the password monthly.

A

Use WPA2-PSK with a 24-character complex password and change the password monthly.

79
Q

A company just implemented a new telework policy that allows employees to use personal devices for official email and file sharing while working from home. Some of the requirements are:

  • Employees must provide an alternate work location (i.e., a home address).
  • Employees must install software on the device that will prevent the loss of proprietary data but will not
    restrict any other software from being installed.

Which of the following BEST describes the MDM options the company is using?

Geofencing, content management, remote wipe, containerization, and storage segmentation
Content management, remote wipe, geolocation, context-aware authentication, and containerization
Application management, remote wipe, geofencing, context-aware authentication, and containerization
Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption

A

Application management, remote wipe, geofencing, context-aware authentication, and containerization

80
Q

A company has just experienced a malware attack affecting a large number of desktop users. The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as ‘Troj.Generic’. Once the security team found a solution to remove the malware, they were able to remove the malware files
successfully, and the HIDS stopped alerting. The next morning, however, the HIDS once again started alerting
on the same desktops, and the security team discovered the files were back. Which of the following BEST describes the type of malware infecting this company’s network?

Trojan
Spyware
Rootkit
Botnet

A

Trojan

81
Q

A researcher has been analyzing large data sets for the last ten months. The researcher works with colleagues from other institutions and typically connects via SSH to retrieve additional data. Historically, this setup has
worked without issue, but the researcher recently started getting the following message:

Which of the following network attacks is the researcher MOST likely experiencing?

MAC cloning
Evil twin
Man-in-the-middle
ARP poisoning

A

Man-in-the-middle

82
Q

After being alerted to potential anomalous activity related to trivial DNS lookups, a security analyst looks at the following output of implemented firewall rules:
The analyst notices that the expected policy has no hit count for the day. Which of the following MOST likely
occurred?

Data execution prevention is enabled
The VLAN is not trunked properly
There is a policy violation for DNS lookups
The firewall policy is misconfigured

A

The firewall policy is misconfigured

83
Q

The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company’s Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social-engineering techniques is the attacker using?

Phishing
Whaling
Typo squatting
Pharming

A

Whaling

84
Q

Which of the following is a security consideration for IoT devices?

IoT devices have built-in accounts that users rarely access.
IoT devices have less processing capabilities.
IoT devices are physically segmented from each other.
IoT devices have purpose-built applications.

A

IoT devices have built-in accounts that users rarely access.

85
Q

A forensics analyst is investigating a hard drive for evidence of suspected illegal activity. Which of the
following should the analyst do FIRST?

Create a hash of the hard drive.
Export the Internet history.
Save a copy of the case number and date as a text file in the root directory.
Back up the pictures directory for further inspection.

A

Save a copy of the case number and date as a text file in the root directory

86
Q

An organization’s research department uses workstations in an air-gapped network. A competitor released products based on files that originated in the research department. Which of the following should management do to improve the security and confidentiality of the research files?

Implement multifactor authentication on the workstations.
Configure removable media controls on the workstations.
Install a web application firewall in the research department.
Install HIDS on each of the research workstations.

A

Configure removable media controls on the workstation

87
Q

A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following:

  • The legitimate website’s IP address is 10.1.1.20 and eRecruit.local resolves to this IP.
  • The forged website’s IP address appears to be 10.2.12.99, based on NetFlow records.
  • All three of the organization’s DNS servers show the website correctly resolves to the legitimate IP.
  • DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the
    approximate time of the suspected compromise.

Which of the following MOST likely occurred?

A reverse proxy was used to redirect network traffic.
An SSL strip MITM attack was performed.
An attacker temporarily poisoned a name server.
An ARP poisoning attack was successfully executed.

A

An SSL strip MITM attack was performed

88
Q

When considering IoT systems, which of the following represents the GREATEST ongoing risk after a
vulnerability has been discovered?

Difficult-to-update firmware
Tight integration to existing systems
IP address exhaustion
Not using industry standards

A

Tight integration to existing systems

89
Q

Which of the following BEST explains the reason why a server administrator would place a document named
password.txt on the desktop of an administrator account on a server?

The document is a honeyfile and is meant to attract the attention of a cyberintruder.
The document is a backup file if the system needs to be recovered
The document is a standard file that the OS needs to verify the login credentials.
The document is a keylogger that stores all keystrokes should the account be compromised.

A

The document is a honeyfile and is meant to attract the attention of a cyber intruder.

90
Q

A security analyst has received an alert about PII being sent via email. The analyst’s Chief Information
Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the
following did the alert MOST likely originate?

S/MIME
DLP
IMAP
HIDS

A

HIDS (host-based intrusion detection system)

91
Q

A company is examining possible locations for a hot site. Which of the following considerations is of MOST
concern if the replication technology being used is highly sensitive to network latency?

Connection to multiple power substations
Location proximity to the production site
Ability to create separate caged space
Positioning of the site across international borders

A

Location proximity to the production site

92
Q

Which of the following command line tools would be BEST to identify the services running in a server?

Traceroute
Nslookup
Ipconfig
Netstat

A

Netstat

93
Q

A technician is recommending preventive physical security controls for a server room. Which of the following would the technician MOST likely recommend? (Select TWO).

Geofencing
Video Surveillance
Protected cabinets
Mantrap
Key exchange
Authorized personnel signage
A

Protected cabinets

and

mantrap

94
Q

A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output:

Which of the following BEST describes the attack the company is experiencing?
MAC flooding
URL redirection
ARP poisoning
DNS hijacking
A

ARP poisoning

95
Q

A company moved into a new building next to a sugar mill. Cracks have been discovered in the walls of the
server room, which is located on the same side as the sugar mill loading docks. The cracks are believed to
have been caused by heavy trucks. Moisture has begun to seep into the server room, causing extreme
humidification problems and equipment failure. Which of the following BEST describes the type of threat the
organization faces?

Foundational
Man-made
Environmental
Natural

A

Foundational

96
Q

Which of the following access management concepts is MOST closely associated with the use of a password
or PIN?

Authorization
Authentication
Accounting
Identification

A

Authentication

97
Q

A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator finds the following output:

Time: 12/25 0300
From Zone: Untrust
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
When examining the PCAP associated with the event, the security administrator finds the following
information:

alert("Click here for important information regarding your account! http://externalip.com/account.php");
Which of the following actions should the security administrator take?

-Upload the PCAP to the IDS in order to generate a blocking signature to block the traffic.
-Manually copy the data from the PCAP file and generate a blocking signature in the HIDS to
block the traffic for future events.
-Implement a host-based firewall rule to block future events of this type from occurring.
-Submit a change request to modify the XSS vulnerability signature to TCP reset on future attempts.

A

Manually copy the data from the PCAP file and generate a blocking signature in the HIDS to block the traffic for future events

98
Q

A university with remote campuses, which all use different service providers, loses Internet connectivity
across all locations. After a few minutes, internet and VoIP services are restored, only to go offline again at
random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected.
Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the
SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following
BEST describe this type of attack? (Select TWO).

DOS
SSL Stripping
Memory leak
Race condition
Shimming
Refactoring
A

DOS

and

SSL stripping

99
Q

A security administrator needs to create a RAID configuration that is focused on high read speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the following RAID
configurations should the administrator use?

RAID 0
RAID 1
RAID 5
RAID 10

A

RAID 10

100
Q

An administrator is disposing of media that contains sensitive information. Which of the following will
provide the MOST effective method to dispose of the media while ensuring the data will be unrecoverable?

Wipe the hard drive.
Shred the hard drive.
Sanitize all of the data.
Degauss the hard drive.

A

Shred the hard drive

101
Q

An organization has decided to host its web application and database in the cloud. Which of the following
BEST describes the security concerns for this decision?

Access to the organization’s servers could be exposed to other cloud-provider clients.
The cloud vendor is a new attack vector within the supply chain.
Outsourcing the code development adds risk to the cloud provider.
Vendor support will cease when the hosting platforms reach EOL.

A

The cloud vendor is a new attack vector within the supply chain

102
Q

Which of the following serves to warn users against downloading and installing pirated software on company devices?

AUP
NDA
ISA
BPA

A

AUP

103
Q

A systems administrator is auditing the company’s Active Directory environment. It is quickly noted that the username “company\bsmith” is interactively logged into several desktops across the organization. Which of
the following has the systems administrator MOST likely come across?

Service account
Shared credentials
False positive
Local account

A

Shared credentials

104
Q

A security consultant was asked to revise the security baselines that are utilized by a large organization.
Although the company provides different platforms for its staff, including desktops, laptops, and mobile
devices, the applications do not vary by platform. Which of the following should the consultant recommend? (Select Two).

Apply patch management on a daily basis.
Allow full functionality for all applications that are accessed remotely
Apply default configurations of all operating systems
Apply application whitelisting.
Disable default accounts and/or passwords.

A

Apply patch management on a daily basis

and

Disable default accounts and/or passwords

105
Q

A security engineer is analyzing the following line of JavaScript code that was found in a comment field on a
web forum, which was recently involved in a security breach:

Given the line of code above, which of the following BEST represents the attack performed during the breach?

CSRF
DDoS
DoS
XSS

A

XSS

106
Q

Which of the following is unique to a stream cipher?

It encrypts 128 bytes at a time.
It uses AES encryption.
It performs bit-level encryption.
It is used in HTTPS.

A

It performs bit-level encryption

107
Q

Fuzzing is used to reveal which of the following vulnerabilities in web applications?

Weak cipher suites
Improper input handling
DLL injection
Certificate signing flaws

A

Improper input handling

108
Q

A first responder needs to collect digital evidence from a compromised headless virtual host. Which of the
following should the first responder collect FIRST?

Virtual memory
BIOS configuration
Snapshot
RAM

A

Snapshot

109
Q

Which of the following would MOST likely support the integrity of a voting machine?

Asymmetric encryption
Blockchain
Transport Layer Security
Perfect forward secrecy

A

Perfect forward secrecy

110
Q

A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery?

Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent
basis.
Restrict administrative privileges and patch all systems and applications.
Rebuild all workstations and install new antivirus software.
Implement application whitelisting and perform user application hardening.

A

Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis.

111
Q

Which of the following are considered to be “something you do”? (Select TWO).

Iris scan
Handwriting
Common Access Card
Gait
PIN
Fingerprint
A

Handwriting

and

Gait

112
Q

See PDF 417

A

ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub user@server
scp ~/.ssh/id_rsa user@server:.ssh/authorized_keys
chmod 777 ~/.ssh/authorized_keys
ssh root@server

113
Q

A company recently installed fingerprint scanners at all entrances to increase the facility’s security. The
scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid users were denied entry. Which of the following measurements do these users fall under?

FRR
FAR
CER
SLA

A

FRR (false rejection rate)

114
Q

Which of the following is an example of resource exhaustion?

A penetration tester requests every available IP address from a DHCP server.
A SQL injection attack returns confidential data back to the browser.
Server CPU utilization peaks at 100% during the reboot process
System requirements for a new software package recommend having 12GB of RAM, but only 8GB are
available.

A

A penetration tester requests every available IP address from a DHCP server.

115
Q

A security administrator found the following piece of code referenced on a domain controller’s task scheduler:

$var = GetDomainAdmins
If $var != 'fabio'
SetDomainAdmins = NULL
With which of the following types of malware is the code associated?

RAT
Backdoor
Logic bomb
Crypto-malware

A

Logic bomb

116
Q

A company network is currently under attack. Although security controls are in place to stop the attack, the
security administrator needs more information about the types of attacks being used. Which of the following
network types would BEST help the administrator gather this information?

DMZ
Guest network
Ad hoc
Honeynet

A

Honeynet

117
Q

A network administrator was concerned during an audit that users were able to use the same passwords the day after a password change policy took effect. The following settings are in place:

  • Users must change their passwords every 30 days.
  • Users cannot reuse the last 10 passwords.

Which of the following settings would prevent users from being able to immediately reuse the same
passwords?

Minimum password age of five days
Password history of ten passwords
Password length greater than ten characters
Complex passwords must be used

A

Password history of ten passwords

118
Q

An administrator is beginning an authorized penetration test of a corporate network. Which of the following tools would BEST assist in identifying potential attacks?

Netstat
Honey pot
Company directory
Nmap

A

Nmap

119
Q

After patching computers with the latest application security patches/updates, users are unable to open certain applications. Which of the following will correct the issue?

Modifying the security policy for patch management tools
Modifying the security policy for HIDS/HIPS
Modifying the security policy for DLP
Modifying the security policy for media control

A

Modifying the security policy for DLP

120
Q

A company has had a BYOD policy in place for many years and now wants to roll out an MDM solution. The
company has decided that end users who wish to utilize their personal devices for corporate use must opt in to the MDM solution. End users are voicing concerns about the company having access to their personal devices via the MDM solution. Which of the following should the company implement to ease these concerns?

Sideloading
Full device encryption
Application management
Containerization

A

Application management

121
Q

While monitoring the SIEM, a security analyst observes traffic from an external IP to an IP address of the
business network on port 443. Which of the following protocols would MOST likely cause this traffic?

HTTP
SSH
SSL
DNS

A

SSL

122
Q

A security administrator suspects there may be unnecessary services running on a server. Which of the
following tools will the administrator MOST likely use to confirm the suspicions?

Nmap
Wireshark
Autopsy
DNSEnum

A

Nmap

123
Q

An email recipient is unable to open a message encrypted through PKI that was sent from another
organization. Which of the following does the recipient need to decrypt the message?

The sender’s private key
The recipient’s private key
The recipient’s public key
The CA’s root certificate
The sender’s public key
An updated CRL
A

The sender’s public key

124
Q

Which of the following algorithms would be used to provide non-repudiation of a file transmission?

AES
RSA
MD5
SHA

A

MD5

125
Q

A security engineer is installing a WAF to protect the company’s website from malicious web requests over
SSL. Which of the following is needed to meet the objective?

A reverse proxy
A decryption certificate
A split-tunnel VPN
Load-balanced servers

A

A decryption certificate

126
Q

A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external
networks. Which of the following methods would BEST prevent the exfiltration of data? (Select TWO).

VPN
Drive encryption
Network firewall
File-level encryption
USB blocker
MFA
A

Drive encryption

and

Network firewall

127
Q

Which of the following BEST explains how the use of configuration templates reduces organization risk?

It ensures consistency of configuration for initial system implementation.
It enables system rollback to a last known-good state if patches break functionality.
It facilitates fault tolerance since applications can be migrated across templates.
It improves vulnerability scanning efficiency across multiple systems.

A

It facilitates fault tolerance since applications can be migrated across templates

128
Q

A small enterprise decides to implement a warm site to be available for business continuity in case of a
disaster. Which of the following BEST meets its requirements?

A fully operational site that has all the equipment in place and full data backup tapes on site
A site used for its data backup storage that houses a full-time network administrator
An operational site requiring some equipment to be relocated as well as data transfer to the site
A site staffed with personnel requiring both equipment and data to be relocated there in case of disaster

A

An operational site requiring some equipment to be relocated as well as data transfer to the site.

129
Q

Ann, a user, reported to the service desk that many files on her computer will not open or the contents are not readable. The service desk technician asked Ann if she encountered any strange messages on boot-up or login, and Ann indicated she did not. Which of the following has MOST likely occurred on Ann’s computer?

The hard drive is failing, and the files are being corrupted.
The computer has been infected with crypto-malware.
A replay attack has occurred.
A keylogger has been installed.

A

The computer has been infected with crypto-malware

130
Q

A network administrator has been asked to install an IDS to improve the security posture of an organization.
Which of the following control types is an IDS?

Corrective
Physical
Detective
Administrative

A

Detective

131
Q

The help desk received a call from a user who was trying to access a set of files from the day before but
received the following error message: File format not recognized. Which of the following types of malware
MOST likely caused this to occur?

Ransomware
Polymorphic virus
Rootkit
Spyware

A

Ransomware

132
Q

An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues.

Which of the following should a security engineer employ to fulfill the requirements for the manager?

Install a web application firewall.
Install HIPS on the team’s workstations.
Implement containerization on the workstations.
Configure whitelisting for the team.

A

Implement containerization on the workstations

133
Q

While reviewing system logs, a security analyst notices that a large number of end users are changing their
passwords four times on the day the passwords are set to expire. The analyst suspects they are cycling their passwords to circumvent current password controls.

Which of the following would provide a technical control to prevent this activity from occurring?

Set password aging requirements.
Increase the password history from three to five.
Create an AUP that prohibits password reuse.
Implement password complexity requirements.

A

Set password aging requirements

134
Q

Which of the following is the BEST use of a WAF?

To protect sites on web servers that are publicly accessible
To allow access to web services of internal users of the organization
To maintain connection status of all HTTP requests
To deny access to all websites with certain contents

A

To protect sites on web servers that are publicly accessible

135
Q

While testing a new vulnerability scanner, a technician becomes concerned about reports that list security
concerns that are not present on the systems being tested. Which of the following BEST describes this flaw?

False positives
Crossover error rate
Uncredentialed scan
Passive security controls

A

False positives

136
Q

An employee workstation with an IP address of 204.211.38.211/24 reports it is unable to submit print jobs to a network printer at 204.211.38.52/24 after a firewall upgrade. The active firewall rules are as follows:

Assuming port numbers have not been changed from their defaults, which of the following should be modified to allow printing to the network printer?

A) The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP.
B) The deny statement for 204.211.38.52/24 should be changed to a permit statement.
C) The permit statement for 204.211.38.52/24 should be changed to UDP port 443 instead of 631.
D) The permit statement for 204.211.38.211/24 should be changed to TCP port 631 only instead of ALL.

A

The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP.

137
Q

Which of the following is the MOST significant difference between intrusive and non-intrusive vulnerability
scanning?

One uses credentials, but the other does not.
One has a higher potential for disrupting system operations.
One allows systems to activate firewall countermeasures.
One returns service banners, including running versions.

A

One has a higher potential for disrupting system operations

138
Q

A penetration tester is checking to see if an internal system is vulnerable to an attack using a remote listener.
Which of the following commands should the penetration tester use to verify if this vulnerability exists? (Choose two.)

tcpdump
nc
nmap
nslookup
tail
tracert
A

nc

and

nmap

139
Q

A government agency with sensitive information wants to virtualize its infrastructure. Which of the following
cloud deployment models BEST fits the agency’s needs?

Public
Community
Private
Hybrid

A

Private

140
Q

A systems engineer is setting up a RADIUS server to support a wireless network that uses certificate
authentication. Which of the following protocols must be supported by both the RADIUS server and the
WAPs?

CCMP
TKIP
WPS
EAP

A

EAP

141
Q

The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread unhindered
throughout the network and infect a large number of computers and servers. Which of the following
recommendations would be BEST to mitigate the impacts of a similar incident in the future?

Install a NIDS device at the boundary.
Segment the network with firewalls
Update all antivirus signatures daily
Implement application blacklisting.

A

Segment the network with firewalls

142
Q

A network administrator is implementing multifactor authentication for employees who travel and use
company devices remotely by using the company VPN. Which of the following would provide the required
level of authentication?

802.1X and OTP
Fingerprint scanner and voice recognition
RBAC and PIN
Username/Password and TOTP

A

Username/Password and TOTP

143
Q

A security professional wants to test a piece of malware that was isolated on a user’s computer to document its effect on a system. Which of the following is the FIRST step the security professional should take?

Create a sandbox on the machine.
Open the file and run it.
Create a secure baseline of the system state.
Harden the machine.

A

Create a secure baseline of the system state

144
Q

Which of the following encryption algorithms require one encryption key? (Choose two.)

MD5
3DES
BCRYPT
RC4
DSA
A

3DES

and

RC4

145
Q

Which of the following BEST describes the concept of perfect forward secrecy?

Using quantum random number generation to make decryption effectively impossible
Preventing cryptographic reuse so a compromise of one operation does not affect other operations
Implementing elliptic curve cryptographic algorithms with true random numbers
The use of NDAs and policy controls to prevent disclosure of company secrets

A

Preventing cryptographic reuse so a compromise of one operation does not affect other operations

146
Q

A security operations team recently detected a breach of credentials. The team mitigated the risk and followed proper processes to reduce risk. Which of the following processes would BEST help prevent this issue from happening again?

Risk assessment
Chain of custody
Lessons learned
Penetration test

A

Lessons learned

147
Q

A manufacturing company updates a policy that instructs employees not to enter a secure area in groups and requires each employee to swipe their badge to enter the area. When employees continue to ignore the policy, a mantrap is installed. Which of the following BEST describe the controls that were implemented to address this
issue? (Select TWO).

Detective
Administrative
Deterrent
Physical
Corrective
A

Administrative

and

Physical

148
Q

A cryptographer has developed a new proprietary hash function for a company and solicited employees to test
the function before recommending its implementation. An employee takes the plaintext version of a document and hashes it, then changes the original plaintext document slightly and hashes it, and continues repeating this process until two identical hash values are produced from two different documents. Which of the following BEST describes this cryptographic attack?

Brute force
Known plaintext
Replay
Collision

A

Collision
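The employee's test is a collision search, and the reason it works against a short digest is the birthday bound: about sqrt(pi/2 * 2^n) inputs are enough to find two that share an n-bit hash. The script below, an added example that is not part of the original deck, runs exactly that procedure against a stand-in for the proprietary function (SHA-256 truncated to 24 bits, so the search finishes in milliseconds) by hashing small revisions of one document until two different revisions collide. The base document text and the revision-suffix scheme are assumptions made for the example.

```python
import hashlib
import math


def weak_hash(data: bytes, bits: int = 24) -> int:
    """Stand-in for the proprietary function: SHA-256 truncated to `bits` bits.
    Truncation is what makes the search finish quickly; the method is the same
    for any fixed-size digest, only the work grows with the digest size."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_tries(bits: int) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2**bits) inputs before two collide."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(base: bytes, bits: int = 24, max_tries: int = 1 << 22):
    """Hash small variants of `base` until two different variants share a digest.
    Returns (doc_a, doc_b, tries) or None if max_tries is exhausted."""
    seen = {}
    for i in range(max_tries):
        variant = base + b" (rev %d)" % i      # "changes the document slightly"
        h = weak_hash(variant, bits)
        if h in seen:                            # same digest, different document
            return seen[h], variant, i + 1
        seen[h] = variant
    return None


if __name__ == "__main__":
    a, b, tries = find_collision(b"Quarterly report")
    print(f"collision after {tries} tries (expected about {expected_tries(24):.0f})")
    print(a, b, hex(weak_hash(a)), hex(weak_hash(b)))
```

The number of tries lands near the 24-bit birthday bound (a few thousand), which is the practical check to apply to any new hash function: if collisions appear well before sqrt(2^n) attempts, the function is weaker than its output size suggests.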

149
Q

Which of the following is the proper use of a Faraday cage?

To block electronic signals sent to erase a cell phone
To capture packets sent to a honeypot during an attack
To protect hard disks from access during a forensics investigation
To restrict access to a building allowing only one person to enter at a time

A

To block electronic signals sent to erase a cell phone

150
Q

Which of the following should a technician use to protect a cellular phone that is needed for an investigation, to ensure the data will not be removed remotely?

Air gap
Secure cabinet
Faraday cage
Safe

A

Faraday cage

151
Q

A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the output:

CPU 0 percent busy, from 300 sec ago
1 sec ave: 99 percent busy
5 sec ave: 97 percent busy
1 min ave: 83 percent busy
Which of the following is the router experiencing?

DDoS attack
Memory leak
Buffer overflow
Resource exhaustion

A

Resource exhaustion

152
Q

An organization plans to transition the intrusion detection and prevention techniques on a critical subnet to an anomaly-based system. Which of the following does the organization need to determine for this to be successful?

The baseline
The endpoint configurations
The adversary behavior profiles
The IPS signatures

A

The baseline

153
Q

The Chief Information Officer (CIO) has determined the company’s new PKI will not use OCSP. The purpose
of OCSP still needs to be addressed. Which of the following should be implemented?

Build an online intermediate CA.
Implement a key escrow.
Implement stapling.
Install a CRL.

A

Install a CRL

154
Q

The president of a company that specializes in military contracts receives a request for an interview. During
the interview, the reporter seems more interested in discussing the president’s family life and personal history than the details of a recent company success. Which of the following security concerns is this MOST likely an example of?

Insider threat
Social engineering
Passive reconnaissance
Phishing

A

Social engineering

155
Q

An attacker is able to capture the payload for the following packet:

IP 192.168.1.22:2020 10.10.10.5:443
IP 192.166.1.10:1030 10.10.10.1:21
IP 192.168.1.57:5217 10.10.10.1:3389

During an investigation, an analyst discovers that the attacker was able to capture the information above and
use it to log on to other servers across the company. Which of the following is the MOST likely reason?

The attacker has exploited a vulnerability that is commonly associated with TLS1.3.
The application server is also running a web server that has been compromised.
The attacker is picking off unencrypted credentials and using those to log in to the secure server.
User accounts have been improperly configured to allow single sign-on across multiple servers.

A

The attacker is picking off unencrypted credentials and using those to log in to the secure server

156
Q

A systems administrator needs to configure an SSL remote access VPN according to the following
organizational guidelines:

  • The VPN must support encryption of header and payload.
  • The VPN must route all traffic through the company’s gateway.

Which of the following should be configured on the VPN concentrator?

Full tunnel
Transport mode
Tunnel mode
IPSec

A

Full tunnel

157
Q

Using a one-time code that has been texted to a smartphone is an example of:

something you have.
something you know.
something you do.
something you are.

A

Something you have

158
Q

Which of the following methods is used by internal security teams to assess the security of internally
developed applications?

Active reconnaissance
Pivoting
White-box testing
Persistence

A

White-box testing

159
Q

A Chief Information Security Officer (CISO) is concerned about the organization’s ability to continue business operations in the event of a prolonged DDoS attack on its local datacenter that consumes server. Which of the following will the CISO MOST likely recommend to mitigate this risk?

Upgrade the bandwidth available into the datacenter.
Migrate to a geographically dispersed cloud datacenter.
Implement a hot-site failover location.
Switch to a complete SaaS offering to customers.
Implement a challenge response test on all end-user queries.

A

Implement a hot-site failover location

160
Q

A manager makes an unannounced visit to the marketing department and performs a walk-through of the office. The manager observes unclaimed documents on printers. A closer look at these documents reveals employee names, addresses, ages, birth dates, marital/dependent statuses, and favorite ice cream flavors. The manager brings this to the attention of the marketing department head. The manager believes this information to be PII, but the marketing head does not agree. Having reached a stalemate, which of the following is the most appropriate action to take NEXT?

Elevate to the Chief Executive Officer (CEO) for redress, change from the top down usually succeeds.
Find the privacy officer in the organization and let the officer act as the arbiter.
Notify employees whose names are on these files that their personal information is being compromised.
To maintain a working relationship with marketing, quietly record the incident in the risk register.

A

Find the privacy officer in the organization and let the officer act as the arbiter.

161
Q

A coffee company has hired an IT consultant to set up a WiFi network that will provide Internet access to
customers who visit the company’s chain of cafés. The coffee company has provided no requirements other
than that customers should be granted access after registering via a web form and accepting the terms of
service. Which of the following is the MINIMUM acceptable configuration to meet this single requirement?

Captive portal
WPA with PSK
Open WiFi
WPS

A

Captive portal

162
Q

A buffer overflow can result in:

loss of data caused by unauthorized command execution.
privilege escalation caused by TPM override.
reduced key strength due to salt manipulation.
repeated use of one-time keys.

A

Loss of data caused by unauthorized command execution

163
Q

An incident response analyst at a large corporation is reviewing proxy log data. The analyst believes a
malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take?

Call the CEO directly to ensure awareness of the event
Run a malware scan on the CEO’s workstation
Reimage the CEO’s workstation
Disconnect the CEO’s workstation from the network.

A

Disconnect the CEO’s workstation from the network

164
Q

A systems administrator has installed a new UTM that is capable of inspecting SSL/TLS traffic for malicious
payloads. All inbound network traffic coming from the Internet and terminating on the company’s secure web
servers must be inspected. Which of the following configurations would BEST support this requirement?

The web servers’ CA full certificate chain must be installed on the UTM.
The UTM certificate pair must be installed on the web servers.
The web servers’ private certificate must be installed on the UTM.
The UTM and web servers must use the same certificate authority.

A

The web servers’ private certificate must be installed on the UTM

165
Q

A security engineer at a manufacturing company is implementing a third-party cloud application. Rather than creating users manually in the application, the engineer decides to use the SAML protocol. Which of the following is being used for this implementation?

-The manufacturing company is the service provider, and the cloud company is the identity provider.
-The manufacturing company is the authorization provider, and the cloud company is the service
provider.
-The manufacturing company is the identity provider, and the cloud company is the OAuth provider.
-The manufacturing company is the identity provider, and the cloud company is the service provider.
-The manufacturing company is the service provider, and the cloud company is the authorization
provider.

A

The manufacturing company is the identity provider, and the cloud company is the service provider.

166
Q

A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service
Unavailable error. The analyst runs a netstat -an command to discover if the web server is up and listening.
The analyst receives the following output:

TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT

Which of the following types of attack is the analyst seeing?

Buffer overflow
Domain hijacking
Denial of service
ARP poisoning

A

Denial of Service
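What makes the netstat output above suspicious is not TIME_WAIT itself (that is the server's normal post-close state) but one remote address holding a run of consecutive ephemeral ports against the web server, i.e. a burst of short-lived connections from a single source. As an added example that is not part of the original deck, the script below parses netstat rows, groups sockets per remote address and state for a given local port, and flags any source that holds a large share of them. The six rows are the card's; the two extra rows, the thresholds and the row format are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# The six rows from the card plus two constructed rows for contrast.
NETSTAT_OUTPUT = """\
TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.40:51022 ESTABLISHED
TCP 10.1.5.2:22 192.168.2.7:49201 ESTABLISHED
"""

ROW_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)$"
)


def parse_netstat(text):
    """Rows of `netstat -an` as dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def per_source_summary(rows, local_port):
    """{remote_ip: Counter(state)} for sockets bound to local_port."""
    summary = defaultdict(Counter)
    for r in rows:
        if int(r["lport"]) == local_port:
            summary[r["rip"]][r["state"]] += 1
    return summary


def flag_flooders(rows, local_port, min_sockets=5, share=0.5):
    """Remote IPs holding at least min_sockets sockets on local_port and at
    least `share` of every socket on that port. Thresholds are assumptions;
    tune them to the server's normal load."""
    summary = per_source_summary(rows, local_port)
    total = sum(sum(states.values()) for states in summary.values())
    flagged = []
    for ip, states in summary.items():
        n = sum(states.values())
        if n >= min_sockets and n / total >= share:
            flagged.append((ip, n, dict(states)))
    return flagged


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    for ip, n, states in flag_flooders(rows, 80):
        print(f"{ip}: {n} sockets on :80 {states}")
```

A SYN flood would look different in the same output (many SYN_RECV entries, often from spoofed addresses), so the state breakdown is worth keeping in the report rather than just the count.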

167
Q

A security operations team recently detected a breach of credentials. The team mitigated the risk and followed proper processes to reduce risk. Which of the following processes would BEST help prevent this issue from happening again?

Risk assessment
Chain of custody
Lessons learned
Penetration test

A

Lessons learned

168
Q

A preventive control differs from a compensating control in that a preventive control is:

put in place to mitigate a weakness in a user control.
deployed to supplement an existing control that is EOL.
relied on to address gaps in the existing control structure.
designed to specifically mitigate a risk.

A

designed to specifically mitigate a risk.

169
Q

A healthcare company is revamping its IT strategy in light of recent regulations. The company is concerned
about compliance and wants to use a pay-per-use model. Which of the following is the BEST solution?

On-premises hosting
Community cloud
Hosted infrastructure
Public SaaS

A

Community cloud

170
Q

Moving laterally within a network once an initial exploit is used to gain persistent access for the purpose of
establishing further control of a system is known as:

pivoting.
persistence.
active reconnaissance.
a backdoor.

A

Pivoting

171
Q

When a malicious user is able to retrieve sensitive information from RAM, the programmer has failed to
implement:

session keys.
encryption of data at rest
encryption of data in use.
ephemeral keys.

A

Encryption of data in use

172
Q

During an incident, a company’s CIRT determines it is necessary to observe the continued network-based
transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?

Physically move the PC to a separate Internet point of presence.
Create and apply microsegmentation rules.
Emulate the malware in a heavily monitored DMZ segment.
Apply network blacklisting rules for the adversary domain.

A

Create and apply microsegmentation rules

173
Q

An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the
following is the BEST way for the organization to integrate with the cloud application?

Upload a separate list of users and passwords with a batch import.
Distribute hardware tokens to the users for authentication to the cloud.
Implement SAML with the organization’s server acting as the identity provider.
Configure a RADIUS federation between the organization and the cloud provider.

A

Implement SAML with the organization’s server acting as the identity provider

174
Q

A technician is required to configure updates on a guest operating system while maintaining the ability to
quickly revert the changes that were made while testing the updates. Which of the following should the
technician implement?

Snapshots
Revert to known state
Rollback to known configuration
Shadow copy

A

Snapshots

175
Q

An attacker has gathered information about a company employee by obtaining publicly available information from the Internet and social networks. Which of the following types of activity is the attacker performing?

Pivoting
Exfiltration of data
Social engineering
Passive reconnaissance

A

Passive reconnaissance

176
Q

An organization has hired a security analyst to perform a penetration test. The analyst captures 1GB worth of
inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the
following tools should the analyst use to further review the pcap?

Nmap
cURL
Netcat
Wireshark

A

Wireshark
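Wireshark is the right tool for a 1 GB capture, but it helps to know what it is reading. As an added example that is not part of the original deck, the script below builds a small classic pcap file in memory (global header, per-record headers, Ethernet/IPv4/TCP frames) and parses it back, then applies the check from card 155: which captured connections go to services that carry credentials in the clear. The three flows mirror the addresses in card 155; the MAC addresses, timestamps, FTP payload and the table of cleartext ports are assumptions made for the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}   # assumed policy table


def _inet(ip):
    return bytes(int(o) for o in ip.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet II + IPv4 + TCP SYN frame; checksums are left zero, which is
    fine for a parsing demo (Wireshark would flag them, a real stack would not)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _inet(src_ip), _inet(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Classic (non-pcapng) pcap container, little-endian, Ethernet link type."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + n, 0, len(frame), len(frame)) + frame
    return bytes(out)


def parse_pcap(data):
    """Minimal pcap reader: returns dicts for IPv4/TCP packets, skipping the rest."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # file written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                                # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 4:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        packets.append({"ts": ts_sec, "src": src, "dst": dst, "sport": sport, "dport": dport})
    return packets


def cleartext_logins(packets):
    """Connections headed to services that send credentials unencrypted."""
    return [(p["src"], p["dst"], p["dport"], CLEARTEXT_PORTS[p["dport"]])
            for p in packets if p["dport"] in CLEARTEXT_PORTS]


# Constructed capture: the three flows from card 155, one of them FTP.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.168.1.22", "10.10.10.5", 2020, 443),
    build_tcp_frame("192.168.1.10", "10.10.10.1", 1030, 21, b"USER admin\r\n"),
    build_tcp_frame("192.168.1.57", "10.10.10.1", 5217, 3389),
])

if __name__ == "__main__":
    for hit in cleartext_logins(parse_pcap(SAMPLE_PCAP)):
        print("credentials exposed:", hit)
```

Of the three flows, only the FTP session on port 21 hands the attacker a usable username and password; the TLS (443) and RDP (3389) sessions carry encrypted payloads. That is the reasoning behind the answer to card 155.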

177
Q

Select the appropriate attack and remediation from each drop-down list to label the corresponding attack with its remediation. See PDF 445

A

PDF 445

178
Q

Which of the following is a benefit of credentialed vulnerability scans?

Credentials provide access to scan documents to identify possible data theft.
The vulnerability scanner is able to inventory software on the target.
A scan will reveal data loss in real time.
Black-box testing can be performed.

A

The vulnerability scanner is able to inventory software on the target.

179
Q

Users are attempting to access a company’s website but are transparently redirected to another website. The
users confirm the URL is correct. Which of the following would BEST prevent this issue in the future?

DNSSEC
HTTPS
IPSec
TLS/SSL

A

DNSSEC

180
Q

Which of the following describes the ability of code to target a hypervisor from inside a guest OS?

Fog computing
VM escape
Software-defined networking
Image forgery
Container breakout
A

VM escape

181
Q

A security administrator is implementing a new WAF solution and has placed some of the web servers behind
the WAF, with the WAF set to audit mode. When reviewing the audit logs of external requests and posts to the web servers, the administrator finds the following entry:

Based on this data, which of the following actions should the administrator take?

Alert the web server administrators to a misconfiguration
Create a blocking policy based on the parameter values
Change the parameter name ‘Account_Name’ identified in the log.
Create an alert to generate emails for abnormally high activity.

A

Create an alert to generate emails for abnormally high activity

182
Q

Which of the following serves to warn users against downloading and installing pirated software on company devices?

AUP
NDA
ISA
BPA

A

AUP (acceptable use policy)

183
Q

An accountant is attempting to log in to the internal accounting system and receives a message that the
website’s certificate is fraudulent. The accountant finds instructions for manually installing the new trusted
root onto the local machine. Which of the following would be the company’s BEST option for this situation in the future?

Utilize a central CRL.
Implement certificate management.
Ensure access to KMS.
Use a stronger cipher suite.

A

Implement certificate management

184
Q

A junior systems administrator noticed that one of two hard drives in a server room had a red error
notification. The administrator removed the hard drive to replace it but was unaware that the server was
configured in an array. Which of the following configurations would ensure no data is lost?

RAID 0
RAID 1
RAID 2
RAID 3

A

RAID 1

185
Q

Which of the following types of attack is being used when an attacker responds by sending the MAC address of the attacking machine to resolve the MAC to IP address of a valid server?

Session hijacking
IP spoofing
Evil twin
ARP poisoning

A

ARP Poisoning
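ARP has no authentication, so the only defence on the wire is to notice when the IP-to-MAC mapping changes or when one MAC starts answering for several IPs. As an added example that is not part of the original deck, the function below runs both checks over a constructed list of ARP replies, the way arpwatch-style monitoring does, and shows how a static entry for a critical host (the gateway) changes what counts as an alert. The addresses, MACs and timestamps are assumptions made for the example.

```python
from collections import defaultdict

# Constructed ARP replies (not from the page): (timestamp, sender_ip, sender_mac).
ARP_REPLIES = [
    (1, "10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway answers for itself
    (2, "10.0.0.5", "aa:bb:cc:00:00:05"),   # file server answers for itself
    (3, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (4, "10.0.0.1", "de:ad:be:ef:00:99"),   # attacker claims the gateway's IP
    (5, "10.0.0.5", "de:ad:be:ef:00:99"),   # same MAC now claims the file server too
    (6, "10.0.0.1", "aa:bb:cc:00:00:01"),   # real gateway answers again (flip-flop)
]


def detect_arp_poisoning(replies, static_entries=None):
    """Two signals: an IP whose answering MAC changes, and one MAC answering
    for several IPs. IPs listed in static_entries are compared against the
    pinned MAC instead of against the previous reply."""
    static_entries = dict(static_entries or {})
    last_seen = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac_to_ips[mac].add(ip)
        expected = static_entries.get(ip, last_seen.get(ip))
        if expected is not None and expected != mac:
            alerts.append((ts, "ip_mac_changed", ip, expected, mac))
        last_seen[ip] = mac
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append((None, "mac_claims_multiple_ips", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES, {"10.0.0.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

Without a static entry the gateway's genuine reply at t=6 is itself reported as a change, which is the "flip-flop" pattern monitoring tools look for; with the entry pinned, only the attacker's replies are flagged. Dynamic ARP inspection on the switch, where available, prevents the poisoning rather than just detecting it.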

186
Q

Whitelist USB\VID_13FE&PID_4127&REV_0100

A company recently implemented a new security system. In the course of configuration, the security
administrator adds the following entry:

Which of the following security technologies is MOST likely being configured?

Application whitelisting
HIDS
Data execution prevention
Removable media control

A

Removable media control

187
Q

A security administrator is configuring a RADIUS server for wireless authentication. The configuration must
ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the
following protocols should be configured on the RADIUS server? (Select TWO).

PAP
MSCHAP
PEAP
NTLM
SAML
A

MSCHAP

and

PEAP

188
Q

Which of the following is the MOST likely motivation for a script kiddie threat actor?

Financial gain
Notoriety
Political expression
Corporate espionage

A

Notoriety

189
Q

In which of the following risk management strategies would cybersecurity insurance be used?

Transference
Avoidance
Acceptance
Mitigation

A

Transference

190
Q

A systems developer needs to provide machine-to-machine interface between an application and a database server in the production environment. This interface will exchange data once per day. Which of the following access control account practices would BEST be used in this situation?

Establish a privileged interface group and apply read-write permission to the members of that group.
Submit a request for account privilege escalation when the data needs to be transferred.
Install the application and database on the same server and add the interface to the local administrator
group.
Use a service account and prohibit users from accessing this account for development work.

A

Use a service account and prohibit users from accessing this account for development work

191
Q

Which of the following is unique to a stream cipher?

It encrypts 128 bytes at a time.
It uses AES encryption
It performs bit-level encryption
It is used in HTTPS

A

It performs bit-level encryption

192
Q

A systems engineer wants to leverage a cloud-based architecture with low latency between network-connected devices that also reduces the bandwidth that is required by performing analytics directly on the endpoints.

Which of the following would BEST meet the requirements? (Select TWO).

Private cloud
SaaS
Hybrid cloud
IaaS
DRaaS
Fog computing
A

Hybrid cloud

and

Fog computing

193
Q

A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the purchase. When the PCs arrived, a technician determined some NICs had been tampered with. Which of the following MOST accurately describes the security risk presented in this situation?

Hardware root of trust
UEFI
Supply chain
TPM
Crypto-malware
ARP poisoning
A

Supply chain

194
Q

A security administrator in a bank is required to enforce an access control policy so no single individual is allowed to both initiate and approve financial transactions. Which of the following BEST represents the impact the administrator is deterring?

Principle of least privilege
External intruder
Conflict of Interest
Fraud

A

Fraud

195
Q

An organization is concerned about video emissions from users’ desktops. Which of the following is the BEST solution to implement?

Screen filters
Shielded cables
Spectrum analyzers
Infrared detection

A

Screen filters

196
Q

A user receives a security alert pop-up from the host-based IDS, and a few minutes later notices a document on the desktop has disappeared and in its place is an odd filename with no icon image. When clicking on this icon, the user receives a system notification that it cannot find the correct program to use to open this file.

Which of the following types of malware has MOST likely targeted this workstation?

Rootkit
Spyware
Ransomware
Remote-access Trojan

A

Ransomware

197
Q

An organization is drafting an IRP and needs to determine which employees have the authority to take systems offline during an emergency situation. Which of the following is being outlined?

Reporting and escalation procedures
Permission auditing
Roles and responsibilities
Communication methodologies

A

Roles and responsibilities

198
Q

A systems administrator needs to configure an SSL remote access VPN according to the following
organizational guidelines:

  • The VPN must support encryption of header and payload.
  • The VPN must route all traffic through the company’s gateway.
    Which of the following should be configured on the VPN concentrator?

Full tunnel
Transport mode
Tunnel mode
IPSec

A

Full tunnel

199
Q

An incident responder is preparing to acquire images and files from a workstation that has been compromised.

The workstation is still powered on and running. Which of the following should be acquired LAST?

Application files on hard disk
Processor cache
Processes in running memory
Swap space

A

Application files on hard disk

200
Q

A company network is currently under attack. Although security controls are in place to stop the attack, the
security administrator needs more information about the types of attacks being used. Which of the following network types would BEST help the administrator gather this information?

DMZ
Guest network
Ad hoc
Honeynet

A

Honeynet

201
Q

A security administrator is investigating a report that a user is receiving suspicious emails. The user’s machine
has an old functioning modem installed. Which of the following security concerns need to be identified and
mitigated? (Choose two.)

Vishing
Whaling
Spear phishing
Pharming
War dialing
Hoaxing
A

War dialing

and

hoaxing

202
Q

In highly secure environments where the risk of malicious actors attempting to steal data is high, which of the following is the BEST reason to deploy Faraday cages?

To provide emanation control to prevent credential harvesting
To minimize signal attenuation over distances to maximize signal strength
To minimize external RF interference with embedded processors
To protect the integrity of audit logs from malicious alteration

A

To provide emanation control to prevent credential harvesting

203
Q

After entering a username and password, an administrator must draw a gesture on a touch screen. Which of the following demonstrates what the administrator is providing?

Multifactor authentication
Something you can do
Biometrics
Two-factor authentication

A

Something you can do

204
Q

A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been
told there can be no network downtime to implement the solution, but the IDS must capture all of the network
traffic. Which of the following should be used for the IDS implementation?

Network tap
Honeypot
Aggregation
Port mirror

A

network tap

205
Q

While reviewing the wireless router, the systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below:

Which of the following should be the administrator’s NEXT step to detect if there is a rogue system without
impacting availability?

Conduct a ping sweep.
Physically check each system.
Deny Internet access to the “UNKNOWN” hostname.
Apply MAC filtering.

A

Conduct a ping sweep

206
Q

Which of the following implements two-factor authentication on a VPN?

Username, password, and source IP
Public and private keys
HOTP token and logon credentials
Source and destination IP addresses

A

HOTP token and logon credentials

207
Q

A company is experiencing an increasing number of systems that are locking up on Windows startup. The
security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat.

@echo off
:asdhbawdhbasdhbawdhb
start notepad.exe
start notepad.exe
start calculator.exe
start calculator.exe
goto asdhbawdhbasdhbawdhb

Given the file contents and the system’s issues, which of the following types of malware is present?

Rootkit
Logic bomb
Worm
Virus

A

Logic bomb

208
Q

After discovering a security incident and removing the affected files, an administrator disabled an unneeded
service that led to the breach. Which of the following steps in the incident response process has the
administrator just completed?

Containment
Eradication
Recovery
Identification

A

Eradication

209
Q

Which of the following BEST explains the difference between a credentialed scan and a non-credentialed
scan?

A credentialed scan sees devices in the network, including those behind NAT, while a non-credentialed
scan sees outward-facing applications.
A credentialed scan will not show up in system logs because the scan is running with the necessary
authorization, while non-credentialed scan activity will appear in the logs.
A credentialed scan generates significantly more false positives, while a non-credentialed scan generates
fewer false positives.
A credentialed scan sees the system the way an authorized user sees the system, while a noncredentialed
scan sees the system as a guest.

A

A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest.

210
Q

Which of the following vulnerabilities can lead to unexpected system behavior, including the bypassing of security controls, due to differences between the time of commitment and the time of execution?

Buffer overflow
DLL injection
Pointer dereference
Race condition

A

Race condition

211
Q

A systems administrator has implemented multiple websites using host headers on the same server. The server hosts two websites that require encryption and other websites where encryption is optional. Which of the following should the administrator implement to encrypt web traffic for the required websites?

Extended domain validation
TLS host certificate
OCSP stapling
Wildcard certificate

A

Wildcard certificate

212
Q

An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the
number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year?

ALE
ARO
RPO
SLE

A

ARO

213
Q

An application developer has neglected to include input validation checks in the design of the company’s new web application. An employee discovers that repeatedly submitting large amounts of data, including custom code to an application will allow the execution of the custom code at the administrator level. Which of the following BEST identifies this application attack?

Cross-site scripting
Clickjacking
Buffer overflow
Replay

A

Buffer overflow

214
Q

Which of the following is a risk that is specifically associated with hosting applications in the public cloud?

Unsecured root accounts
Zero-day
Shared tenancy
Insider threat

A

Shared tenancy

215
Q

Which of the following is a passive method to test whether transport encryption is implemented?

Black box penetration test
Port scan
Code analysis
Banner grabbing

A

Banner grabbing

216
Q

A systems administrator is receiving multiple alerts from the company NIPS. A review of the NIPS logs shows the following:

reset both: 70.32.200.2:3194 –> 10.4.100.4:80 buffer overflow attempt
reset both: 70.32.200.2:3230 –> 10.4.100.4:80 directory traversal attack
reset client: 70.32.200.2:4019 –> 10.4.100.4:80 Blind SQL injection attack

Which of the following should the systems administrator report back to management?

The company web server was attacked by an external source, and the NIPS blocked the attack.
The company web and SQL servers suffered a DoS caused by a misconfiguration of the NIPS.
An external attacker was able to compromise the SQL server using a vulnerable web application.
The NIPS should move from an inline mode to an out-of-band mode to reduce network latency.

A

The company web server was attacked by an external source, and the NIPS blocked the attack.
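
The reasoning behind that answer can be automated. Below is an added example (not part of the original flashcards) that parses NIPS entries in the format shown above, decides whether the source is external and whether every attempt was blocked, and produces the one-line statement for management. The line format, the `Event` class and the set of blocking verdicts are assumptions for the example; the three sample lines are the card's entries, embedded as constructed input.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the three NIPS entries from the card above, one event per line.
SAMPLE_NIPS_LOG = """\
reset both: 70.32.200.2:3194 --> 10.4.100.4:80 buffer overflow attempt
reset both: 70.32.200.2:3230 --> 10.4.100.4:80 directory traversal attack
reset client: 70.32.200.2:4019 --> 10.4.100.4:80 Blind SQL injection attack
"""

# Assumed line format: "<action>: <src>:<sport> --> <dst>:<dport> <signature>".
# The arrow is matched loosely because copy/paste often turns "-->" into an en dash.
LINE_RE = re.compile(
    r"^(?P<action>[a-z]+(?: [a-z]+)?): "
    r"(?P<src>[\d.]+):(?P<sport>\d+) [-\u2013]+> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<sig>.+)$"
)

# Verdicts that mean the inline sensor interrupted the session (assumed vocabulary).
BLOCKING_ACTIONS = {"reset both", "reset client", "reset server", "drop", "block"}


@dataclass(frozen=True)
class Event:
    action: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    signature: str

    @property
    def blocked(self) -> bool:
        return self.action in BLOCKING_ACTIONS


def parse_nips_log(text: str) -> list[Event]:
    """Turn raw sensor lines into Event records; unparseable lines are skipped, not guessed."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append(Event(
            action=m["action"],
            src=ipaddress.ip_address(m["src"]),
            sport=int(m["sport"]),
            dst=ipaddress.ip_address(m["dst"]),
            dport=int(m["dport"]),
            signature=m["sig"],
        ))
    return events


def summarize(events: list[Event]) -> dict:
    """Reduce the events to what management needs: who, what, and whether it was stopped."""
    sources = {e.src for e in events}
    targets = {(e.dst, e.dport) for e in events}
    return {
        "events": len(events),
        # RFC 1918 space is internal; anything else is treated as an external source.
        "external_source": bool(sources) and all(not s.is_private for s in sources),
        "sources": sorted(str(s) for s in sources),
        "targets": sorted(f"{ip}:{port}" for ip, port in targets),
        "signatures": [e.signature for e in events],
        "all_blocked": bool(events) and all(e.blocked for e in events),
    }


def report(events: list[Event]) -> str:
    s = summarize(events)
    origin = "an external source" if s["external_source"] else "an internal host"
    outcome = ("the NIPS blocked every attempt" if s["all_blocked"]
               else "at least one attempt was NOT blocked")
    return (f"{s['events']} attack signatures from {origin} ({', '.join(s['sources'])}) "
            f"against {', '.join(s['targets'])}; {outcome}.")


if __name__ == "__main__":
    print(report(parse_nips_log(SAMPLE_NIPS_LOG)))
```

Note that a `reset client` verdict only resets the attacker's side of the connection, but the session is still interrupted, which is why it counts as blocked here; nothing in these lines says the SQL server was reached, so the third option in the card is not supported by the log.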

217
Q

During a risk assessment, results show that a fire in one of the company’s datacenters could cost up to $20 million in equipment damages and lost revenue. As a result, the company insures the datacenter for up to $20 million in damages for the cost of $30,000 a year. Which of the following risk response techniques has the company chosen?

Transference
Avoidance
Mitigation
Acceptance

A

Transference
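
The two quantitative cards above (the device-replacement forecast and the datacenter insurance decision) use the same handful of risk terms. The following is an added worked example, not part of the original flashcards, that puts them in code: ARO projected from a replacement history, ALE from SLE and ARO, the net value of a mitigating control, and a transfer (insurance) decision. The replacement counts, per-device cost, fire ARO and loss-absorption limit are constructed figures; the cards give only the trend and the $20M / $30,000 numbers.

```python
# Constructed figures: the card gives only the trend (replacements rising about 10% a year),
# so the counts, the per-device cost and the fire probability below are assumptions.
REPLACEMENTS_BY_YEAR = [50, 55, 61, 67, 73]   # devices replaced in each of the last five years
COST_PER_DEVICE = 900.0                        # SLE: loss from one lost/damaged/stolen device


def projected_aro(history: list[int]) -> float:
    """Project next year's ARO (expected occurrences per year) from the observed trend.

    The budget question asks how many events to expect, which is ARO; SLE is the cost
    of one event and ALE is the two multiplied.
    """
    if len(history) < 2:
        raise ValueError("need at least two years to estimate a trend")
    ratios = [later / earlier for earlier, later in zip(history, history[1:]) if earlier > 0]
    growth = sum(ratios) / len(ratios)          # mean year-over-year multiplier (about 1.10 here)
    return history[-1] * growth


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: expected cost of the risk per year."""
    return sle * aro


def control_benefit(sle: float, aro_before: float, aro_after: float, annual_cost: float) -> float:
    """Net yearly value of a mitigating control; positive means it pays for itself."""
    return ale(sle, aro_before) - ale(sle, aro_after) - annual_cost


def transfer_is_worthwhile(sle: float, aro: float, premium: float,
                           max_absorbable_loss: float) -> bool:
    """Decide whether transferring the risk through insurance makes sense.

    Insurance moves the loss to the insurer but the premium stays with the company, so the
    premium is justified either when it is below the ALE or when a single event would exceed
    what the company could absorb (the $20M fire in the card above, whatever its ARO).
    """
    return premium < ale(sle, aro) or sle > max_absorbable_loss


if __name__ == "__main__":
    next_aro = projected_aro(REPLACEMENTS_BY_YEAR)
    print(f"expected replacements next year (ARO): {next_aro:.1f}")
    print(f"budget (ALE) at ${COST_PER_DEVICE:.0f} per device: ${ale(COST_PER_DEVICE, next_aro):,.0f}")
    print("insure the datacenter:", transfer_is_worthwhile(20_000_000, 0.001, 30_000, 5_000_000))
```

With an assumed fire ARO of 0.001 the ALE is only $20,000, below the $30,000 premium, yet the transfer still makes sense because a $20M single loss exceeds what the company can absorb; that second condition is what distinguishes transference from simple acceptance.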

218
Q

A coding error has been discovered on a customer-facing website. The error causes each request to return
confidential PHI data for the incorrect organization. The IT department is unable to identify the specific
customers who are affected. As a result, all customers must be notified of the potential breach. Which of the
following would allow the team to determine the scope of future incidents?

Intrusion detection system
Database access monitoring
Application fuzzing
Monthly vulnerability scans

A

Database access monitoring

Logging every query against the PHI tables records which customers' records were returned to whom, so the next incident can be scoped instead of notifying everyone; fuzzing and vulnerability scans find bugs but do not record what was accessed, and an IDS watches network traffic rather than data access.

219
Q

A Chief Security Officer’s (CSO’s) key priorities are to improve preparation, response, and recovery practices
to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO’s objectives?

Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares.

Purchase cyber insurance from a reputable provider to reduce expenses during an incident

Invest in end-user awareness training to change the long-term culture and behavior of staff and
executives, reducing the organization’s susceptibility to phishing attacks

Implement application whitelisting and centralized event-log management and perform regular testing
and validation of full backups.

A

Implement application whitelisting and centralized event-log management and perform regular testing and validation of full backups.

Tested, validated backups are what restore service after ransomware (recovery), whitelisting limits what can execute (preparation) and centralized logs speed up response; email filtering and awareness training only lower the chance of infection, and insurance pays for downtime rather than shortening it.

220
Q

Which of the following attacks is used to capture the WPA2 handshake?

Replay
IV
Evil twin
Disassociation

A

Disassociation

Sending spoofed disassociation or deauthentication frames forces the client to reconnect, and the four-way handshake it performs when reconnecting is what the attacker captures for offline cracking. A replay attack reuses captured traffic, an IV attack targets WEP, and an evil twin lures clients to a rogue AP.

221
Q

A hospital has received reports from multiple patients that their PHI was stolen after completing forms on the
hospital’s website. Upon investigation, the hospital finds a packet analyzer was used to steal data. Which of the following protocols would prevent this attack from reoccurring?

SFTP
HTTPS
FTPS
SRTP

A

HTTPS

The forms are submitted through the website, so encrypting the browser session with TLS is what defeats the packet analyzer; SFTP and FTPS protect file transfers and SRTP protects voice and video streams.

223
Q

The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process?

Updating the playbooks with better decision points
Dividing the network into trusted and untrusted zones
Providing additional end-user training on acceptable use
Implementing manual quarantining of infected hosts

A

Updating the playbooks with better decision points

The delay was in deciding, not in acting; a playbook that states when an infected host is quarantined removes the 30-minute deliberation. Manual quarantining is what was already slow, and zoning or user training does not shorten the decision.

224
Q

A mobile application developer wants to secure an application that transmits sensitive information. Which of the following should the developer implement to prevent SSL MITM attacks?

Stapling
Chaining
Signing
Pinning

A

Pinning

225
Q

A Chief Information Security Officer (CISO) is performing a BIA for the organization in case of a natural disaster. Which of the following should be at the top of the CISO’s list?

Identify redundant and high-availability systems.
Identify mission-critical applications and systems.
Identify the single point of failure in the system.
Identify the impact on safety of the property.

A

Identify mission-critical applications and systems

226
Q

A technician is designing a solution that will be required to process sensitive information, including classified government data. The system needs to be common criteria certified. Which of the following should the technician select?

Security baseline
Hybrid cloud solution
Open-source software applications
Trusted operating system

A

Trusted operating system

227
Q

During a security audit of a company’s network, unsecure protocols were found to be in use. A network
administrator wants to ensure browser-based access to company switches is using the most secure protocol.
Which of the following protocols should be implemented?

SSH2
TLS 1.2
SSL 1.3
SNMPv3

A

TLS 1.2

Browser-based management means HTTPS, so the switches should be configured to negotiate TLS 1.2 (or later). SSH2 and SNMPv3 are secure but are not browser protocols, and there is no such version as SSL 1.3 (SSL stopped at 3.0 and was succeeded by TLS).

228
Q

A security administrator suspects an employee has been emailing proprietary information to a competitor.
Company policy requires the administrator to capture an exact copy of the employee’s hard disk. Which of the following should the administrator use?

dd
chmod
dnsenum
logger

A

dd

229
Q

A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the following types of controls should be used to reduce the risk created by this scenario?

Physical
Detective
Preventive
Compensating

A

Compensating

230
Q

A security administrator is investigating a possible account compromise. The administrator logs onto a desktop
computer, executes the command notepad.exe c:\Temp\qkakforlkgfkja.log, and reviews the following:

Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r
https://www.portal.com\rjohnuser\rilovemycat2

Given the above output, which of the following is the MOST likely cause of this compromise?

Virus
Worm
Rootkit
Keylogger

A

Keylogger

231
Q

The application team within a company is asking the security team to investigate why its application is slow
after an upgrade. The source of the team’s application is 10.13.136.9. and the destination IP is 10.17.36.5. The
security analyst pulls the logs from the endpoint security software but sees nothing is being blocked. The analyst then looks at the UTM firewall logs and sees the following:

Which of the following should the security analyst request NEXT based on the UTM firewall analysis?

Request the application team to allow TCP port 87 to listen on 10.17.36.5.
Request the network team to open port 1433 from 10.13.136.9 to 10.17.36.5.
Request the network team to turn off IPS for 10.13.136.8 going to 10.17.36.5.
Request the application team to reconfigure the application and allow RPC communication.

A

Request the network team to open port 1433 from 10.13.136.9 to 10.17.36.5.

232
Q

A security administrator needs to conduct a full inventory of all encryption protocols and cipher suites. Which of the following tools will the security administrator use to conduct this inventory MOST efficiently?

tcpdump
Protocol analyzer
Netstat
Nmap

A

Nmap
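
Nmap's ssl-enum-ciphers script is the network-side inventory; the same check can be made on the server side before the device goes live. The following is an added example, not from the original flashcards, that builds the kind of TLS configuration the switch-management card above calls for (TLS 1.2 minimum, forward-secret AEAD suites) and inventories the cipher suites a configuration would offer, flagging weak ones, using only Python's `ssl` module. `WEAK_MARKERS` and the 128-bit threshold are an assumed policy, and the `certfile`/`keyfile` arguments are assumed paths that are not needed for the offline audit.

```python
import ssl
from typing import Optional

# Substrings that flag a suite as unacceptable in the inventory (assumed policy).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "PSK", "ADH", "AECDH")


def inventory(ctx: ssl.SSLContext) -> list[tuple[str, str, int]]:
    """(name, protocol, key bits) for every cipher suite the context would negotiate."""
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weak_ciphers(ctx: ssl.SSLContext) -> list[str]:
    """Suites in the inventory that violate the policy above or use keys under 128 bits."""
    return [name for name, _proto, bits in inventory(ctx)
            if bits < 128 or any(marker in name for marker in WEAK_MARKERS)]


def min_version_name(ctx: ssl.SSLContext) -> str:
    """Lowest protocol version the context will accept, e.g. "TLSv1_2"."""
    return ctx.minimum_version.name


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context for a browser-facing management UI: TLS 1.2 or later and
    forward-secret AEAD suites only. certfile/keyfile are assumed paths; leave them
    None to audit the policy without loading a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # SSLv3, TLS 1.0 and TLS 1.1 are refused
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """What an unconfigured device often ships with: every suite the library will speak."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()), ("hardened", hardened_server_context())):
        print(f"{label}: minimum {min_version_name(ctx)}, {len(inventory(ctx))} suites, "
              f"{len(weak_ciphers(ctx))} weak")
        for name, proto, bits in inventory(ctx):
            print(f"  {proto:8} {bits:4} {name}")
```

The inventory lists what the library is willing to offer; what a peer actually negotiates is confirmed from the outside with nmap's ssl-enum-ciphers, which is why the card's answer is Nmap rather than a packet capture.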

233
Q

Which of the following is MOST likely caused by improper input handling?

Loss of database tables
Untrusted certificate warning
Power off reboot loop
Breach of firewall ACLs

A

Loss of database tables
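
Lost tables are the textbook result of SQL injection, which is what missing input handling (as in the card on the web application without validation checks) lets through. The following is an added example, not from the original flashcards, that runs one constructed attacker payload through three handlers against an in-memory SQLite database: a vulnerable handler that splices the input into the SQL text, a parameterised one, and one that validates with an allow-list before parameterising. The schema, the audit-note feature, `ALLOWED_CHARS` and the payload are all constructed for the example.

```python
import sqlite3
import string

# Allow-list for the free-text field (assumed application policy).
ALLOWED_CHARS = set(string.ascii_letters + string.digits + " .,_-@")

# Constructed attacker input: closes the quoted value and the statement, drops a table,
# and comments out whatever the application appends afterwards.
PAYLOAD = "x'); DROP TABLE users; --"


def make_db() -> sqlite3.Connection:
    """Constructed schema: the records the application serves plus its own audit table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO users (name) VALUES ('alice'), ('bob');
        CREATE TABLE audit (id INTEGER PRIMARY KEY, note TEXT NOT NULL);
    """)
    return conn


def tables(conn: sqlite3.Connection) -> list[str]:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [name for (name,) in rows]


def log_event_vulnerable(conn: sqlite3.Connection, note: str) -> None:
    # Improper input handling: the value is spliced into the SQL text and run through
    # executescript(), which executes every statement it finds, attacker-supplied or not.
    conn.executescript(f"INSERT INTO audit (note) VALUES ('{note}');")


def log_event_parameterised(conn: sqlite3.Connection, note: str) -> None:
    # The driver sends the note as a bound value, never as SQL, so a quote or semicolon
    # in it is just data; this alone stops the injection.
    conn.execute("INSERT INTO audit (note) VALUES (?)", (note,))
    conn.commit()


def validate_note(note: str) -> str:
    # Input validation on top: reject unexpected characters and oversized input before it
    # reaches any query (defence in depth; it also catches the payload outright).
    if not 0 < len(note) <= 200 or any(ch not in ALLOWED_CHARS for ch in note):
        raise ValueError("note contains disallowed characters or is too long")
    return note


def log_event_safe(conn: sqlite3.Connection, note: str) -> None:
    log_event_parameterised(conn, validate_note(note))


HANDLERS = {
    "vulnerable": log_event_vulnerable,
    "parameterised": log_event_parameterised,
    "validated": log_event_safe,
}


def run(mode: str) -> dict:
    """Feed the payload to one handler and report what survived in the database."""
    conn = make_db()
    rejected = False
    try:
        HANDLERS[mode](conn, PAYLOAD)
    except ValueError:
        rejected = True
    return {
        "rejected": rejected,
        "tables": tables(conn),
        "audit": [note for (note,) in conn.execute("SELECT note FROM audit")],
    }


if __name__ == "__main__":
    for mode in HANDLERS:
        print(mode, run(mode))
```

Note that `sqlite3`'s plain `execute()` refuses stacked statements, which is why the vulnerable handler uses `executescript()`; other database drivers execute stacked statements by default, so the parameterised form is the fix to rely on, with validation as a second layer.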

234
Q

A systems administrator needs to install the same X.509 certificate on multiple servers. Which of the
following should the administrator use?

Key escrow
A self-signed certificate
Certificate chaining
An extended validation certificate

A

An extended validation certificate

235
Q

Which of the following is an example of federated access management?

Windows passing user credentials on a peer-to-peer network
Applying a new user account with a complex password
Implementing a AAA framework for network access
Using a popular website login to provide access to another website

A

Using a popular website login to provide access to another website

236
Q

Which of the following is the MAIN disadvantage of using SSO?

The architecture can introduce a single point of failure.
Users need to authenticate for each resource they access.
It requires an organization to configure federation.
The authentication is transparent to the user.

A

The architecture can introduce a single point of failure.

237
Q

An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit of this certification?

It allows for the sharing of digital forensics data across organizations.
It provides insurance in case of a data breach.
It provides complimentary training and certification resources to IT security staff.
It certifies the organization can work with foreign entities that require a security clearance.
It assures customers that the organization meets security standards.

A

It assures customers that the organization meets security standards.

238
Q

If two employees are encrypting traffic between them using a single encryption key, which of the following
algorithms are they using?

RSA
3DES
DSA
SHA-2

A

3DES

A single shared key means a symmetric algorithm, and 3DES is the only one listed; RSA and DSA are asymmetric (key pairs) and SHA-2 is a hash function, which encrypts nothing.

239
Q

A highly complex password policy has made it nearly impossible to crack account passwords. Which of the
following might a hacker still be able to perform?

Pass-the-hash attack
ARP poisoning attack
Birthday attack
Brute-force attack

A

Pass-the-hash attack

240
Q

A company that processes sensitive information has implemented a BYOD policy and an MDM solution to
secure sensitive data that is processed by corporate and personally owned mobile devices. Which of the
following should the company implement to prevent sensitive data from being stored on mobile devices?

VDI
Storage segmentation
Containerization
USB OTG
Geofencing

A

VDI

With a virtual desktop the data stays in the datacenter and only screen output reaches the handset, so nothing sensitive is stored on the device; storage segmentation and containerization still keep the data on the phone, only in a separate area.

241
Q

To further secure a company’s email system, an administrator is adding public keys to DNS records in the company’s domain. Which of the following is being used?

PFS
SPF
DMARC
DNSSEC

A

DNSSEC