wk4-other-252-301 Flashcards

1
Q

QUESTION: 251
During a recent company safety stand-down, the cyber-awareness team gave a presentation on
the importance of cyber hygiene. One topic the team covered was best practices for printing
centers.
Which of the following describes an attack method that relates to printing centers?
A. Whaling
B. Credential harvesting
C. Prepending
D. Dumpster diving

A

D. Dumpster diving

2
Q

QUESTION: 252
Which of the following considerations is the most important regarding cryptography used in an
IoT device?
A. Resource constraints
B. Available bandwidth
C. The use of block ciphers
D. The compatibility of the TLS version

A

A. Resource constraints

3
Q

QUESTION: 253
A coffee shop owner wants to restrict internet access to only paying customers by prompting them for a receipt number.
Which of the following is the best method to use given this requirement?
A. WPA3
B. Captive portal
C. PSK
D. IEEE 802.1X

A

B. Captive portal

4
Q

QUESTION: 254
While performing digital forensics, which of the following is considered the most volatile and
should have the contents collected first?
A. Hard drive
B. RAM
C. SSD
D. Temporary files

A

B. RAM

5
Q

QUESTION: 255
A hosting provider needs to prove that its security controls have been in place over the last six
months and have sufficiently protected customer data.
Which of the following would provide the best proof that the hosting provider has met the
requirements?
A. NIST CSF
B. SOC 2 Type 2 report
C. CIS Top 20 compliance reports
D. Vulnerability report

A

B. SOC 2 Type 2 report

6
Q

QUESTION: 256
A city municipality lost its primary data center when a tornado hit the facility.
Which of the following should the city staff use immediately after the disaster to handle essential
public services?
A. BCP
B. Communication plan
C. DRP
D. IRP

A

C. DRP

7
Q

QUESTION: 258
A systems administrator notices that a testing system is down.
While investigating, the systems administrator finds that the servers are online and accessible
from any device on the server network. The administrator reviews the following information from
the monitoring system:
Which of the following is the most likely cause of the outage?
A. Denial of service
B. ARP poisoning
C. Jamming
D. Kerberoasting

A

A. Denial of service

8
Q

QUESTION: 259
A security team has been alerted to a flood of incoming emails that have various subject lines
and are addressed to multiple email inboxes. Each email contains a URL shortener link that is
redirecting to a dead domain.
Which of the following is the best step for the security team to take?
A. Create a blocklist for all subject lines.
B. Send the dead domain to a DNS sinkhole.
C. Quarantine all emails received and notify all employees.
D. Block the URL shortener domain in the web proxy.

A

D. Block the URL shortener domain in the web proxy.

9
Q

QUESTION: 260
A security administrator is working to secure company data on corporate laptops in case the
laptops are stolen.
Which of the following solutions should the administrator consider?
A. Disk encryption
B. Data loss prevention
C. Operating system hardening
D. Boot security

A

A. Disk encryption

10
Q

QUESTION: 257
Which of the following is considered a preventive control?
A. Configuration auditing
B. Log correlation
C. Incident alerts
D. Segregation of duties

A

D. Segregation of duties

11
Q

QUESTION: 261
A company needs to keep the fewest records possible, meet compliance needs, and ensure
destruction of records that are no longer needed.
Which of the following best describes the policy that meets these requirements?
A. Security policy
B. Classification policy
C. Retention policy
D. Access control policy

A

C. Retention policy

12
Q

QUESTION: 262
Which of the following is a common source of unintentional corporate credential leakage in
cloud environments?
A. Code repositories
B. Dark web
C. Threat feeds
D. State actors
E. Vulnerability databases

A

A. Code repositories

13
Q

QUESTION: 263
Which of the following is the best reason an organization should enforce a data classification
policy to help protect its most sensitive information?
A. End users will be required to consider the classification of data that can be used in
documents.
B. The policy will result in the creation of access levels for each level of classification.
C. The organization will have the ability to create security requirements based on classification
levels.
D. Security analysts will be able to see the classification of data within a document before
opening it.

A

C. The organization will have the ability to create security requirements based on classification
levels.

14
Q

QUESTION: 264
An analyst is performing a vulnerability scan against the web servers exposed to the internet
without a system account.
Which of the following is most likely being performed?
A. Non-credentialed scan
B. Packet capture
C. Privilege escalation
D. System enumeration
E. Passive scan

A

A. Non-credentialed scan

15
Q

QUESTION: 265
A security administrator is hardening corporate systems and applying appropriate mitigations by
consulting a real-world knowledge base for adversary behavior.
Which of the following would be best for the administrator to reference?
A. MITRE ATT&CK
B. CSIRT
C. CVSS
D. SOAR

A

A. MITRE ATT&CK

16
Q

QUESTION: 266
An architect has a request to increase the speed of data transfer using JSON requests
externally. Currently, the organization uses SFTP to transfer data files.
Which of the following will most likely meet the requirements?
A. A website-hosted solution
B. Cloud shared storage
C. A secure email solution
D. Microservices using API

A

D. Microservices using API

17
Q

QUESTION: 267
Which of the following addresses individual rights such as the right to be informed, the right of
access, and the right to be forgotten?
A. GDPR
B. PCI DSS
C. NIST
D. ISO

A

A. GDPR

18
Q

QUESTION: 268
An administrator is installing an LDAP browser tool in order to view objects in the corporate
LDAP directory. Secure connections to the LDAP server are required.
When the browser connects to the server, certificate errors are being displayed, and then the
connection is terminated.
Which of the following is the most likely solution?
A. The administrator should allow SAN certificates in the browser configuration.
B. The administrator needs to install the server certificate into the local truststore.
C. The administrator should request that the secure LDAP port be opened to the server.
D. The administrator needs to increase the TLS version on the organization’s RA.

A

B. The administrator needs to install the server certificate into the local truststore.

19
Q

QUESTION: 269
Which of the following is the most important security concern when using legacy systems to
provide production service?
A. Instability
B. Lack of vendor support
C. Loss of availability
D. Use of insecure protocols

A

B. Lack of vendor support

20
Q

QUESTION: 270
A security investigation revealed that malicious software was installed on a server using a
server administrator’s credentials. During the investigation, the server administrator explained
that Telnet was regularly used to log in.
Which of the following most likely occurred?
A. A spraying attack was used to determine which credentials to use.
B. A packet capture tool was used to steal the password.
C. A remote-access Trojan was used to install the malware.
D. A dictionary attack was used to log in as the server administrator.

A

B. A packet capture tool was used to steal the password.

21
Q

QUESTION: 271
A user is requesting Telnet access to manage a remote development web server. Insecure
protocols are not allowed for use within any environment.
Which of the following should be configured to allow remote access to this server?
A. HTTPS
B. SNMPv3
C. SSH
D. RDP
E. SMTP

A

C. SSH

22
Q

QUESTION: 272
A security administrator is working to find a cost-effective solution to implement certificates for a
large number of domains and subdomains owned by the company.
Which of the following types of certificates should the administrator implement?
A. Wildcard
B. Client certificate
C. Self-signed
D. Code signing

A

A. Wildcard

23
Q

QUESTION: 273
An auditor discovered multiple insecure ports on some servers. Other servers were found to
have legacy protocols enabled.
Which of the following tools did the auditor use to discover these issues?
A. Nessus
B. curl
C. Wireshark
D. netcat

A

A. Nessus

24
Q

QUESTION: 274
A security analyst received a tip that sensitive proprietary information was leaked to the public.
The analyst is reviewing the PCAP and notices traffic between an internal server and an
external host that includes the following:

12:47:22.327233 PPPoE [ses 0x8122] IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto IPv6
(41), length 331) 10.5.1.1 > 52.165.16.154: IP6 (hlim E3, next-header TCP (6) payload length:
271) 2001:67c:2158:a019::ace.53104 > 2001:0:5ef5:79fd:380c:dddd:a601:24fa.13788: Flags
[P.], cksum 0xd7ee (correct), seq 97:348, ack 102, win 16444, length 251

Which of the following was most likely used to exfiltrate the data?
A. Encapsulation
B. MAC address spoofing
C. Steganography
D. Broken encryption
E. Sniffing via on-path position

A

A. Encapsulation

25
Q

QUESTION: 275
A company wants to reduce the time and expense associated with code deployment.
Which of the following technologies should the company utilize?
A. Serverless architecture
B. Thin clients
C. Private cloud
D. Virtual machines

A

A. Serverless architecture

26
Q

QUESTION: 276
A security administrator is performing an audit on a stand-alone UNIX server, and the following
message is immediately displayed:
(Error 13): /etc/shadow: Permission denied.
Which of the following best describes the type of tool that is being used?
A. Pass-the-hash monitor
B. File integrity monitor
C. Forensic analysis
D. Password cracker

A

B. File integrity monitor

27
Q

QUESTION: 277
A security administrator needs to create firewall rules for the following protocols: RTP, SIP,
H.323, and SRTP.
Which of the following does this rule set support?
A. RTOS
B. VoIP
C. SoC
D. HVAC

A

B. VoIP

28
Q

QUESTION: 278
Which of the following best describes a social engineering attack that uses a targeted electronic
messaging campaign aimed at a Chief Executive Officer?
A. Whaling
B. Spear phishing
C. Impersonation
D. Identity fraud

A

A. Whaling

29
Q

QUESTION: 279
During a penetration test, a flaw in the internal PKI was exploited to gain domain administrator
rights using specially crafted certificates.
Which of the following remediation tasks should be completed as part of the cleanup phase?
A. Updating the CRL
B. Patching the CA
C. Changing passwords
D. Implementing SOAR

A

A. Updating the CRL

30
Q

QUESTION: 280
A company wants to implement MFA. Which of the following enables the additional factor while
using a smart card?
A. PIN
B. Hardware token
C. User ID
D. SMS

A

A. PIN

31
Q

QUESTION: 281
A company hired an external consultant to assist with required system upgrades to a critical
business application. A systems administrator needs to secure the consultant’s access without
sharing passwords to critical systems.
Which of the following solutions should most likely be utilized?
A. TACACS+
B. SAML
C. An SSO platform
D. Role-based access control
E. PAM software

A

E. PAM software

32
Q

QUESTION: 282
A newly implemented wireless network is designed so that visitors can connect to the wireless
network for business activities. The legal department is concerned that visitors might connect to
the network and perform illicit activities.
Which of the following should the security team implement to address this concern?
A. Configure a RADIUS server to manage device authentication.
B. Use 802.1X on all devices connecting to wireless.
C. Add a guest captive portal requiring visitors to accept terms and conditions.
D. Allow for new devices to be connected via WPS.

A

C. Add a guest captive portal requiring visitors to accept terms and conditions.

33
Q

QUESTION: 283
Which of the following data roles is responsible for identifying risks and appropriate access to
data?
A. Owner
B. Custodian
C. Steward
D. Controller

A

A. Owner

34
Q

QUESTION: 284
Which of the following physical controls can be used to both detect and deter? (Choose two.)
A. Lighting
B. Fencing
C. Signage
D. Sensor
E. Bollard
F. Lock

A

A. Lighting
D. Sensor

35
Q

QUESTION: 285
A multinational bank hosts several servers in its data center. These servers run a business-
critical application used by customers to access their account information.
Which of the following should the bank use to ensure accessibility during peak usage times?
A. Load balancer
B. Cloud backups
C. Geographic dispersal
D. Disk multipathing

A

A. Load balancer

36
Q

QUESTION: 286
The author of a software package is concerned about bad actors repackaging and inserting
malware into the software. The software download is hosted on a website, and the author
exclusively controls the website’s contents.
Which of the following techniques would best ensure the software’s integrity?
A. Input validation
B. Code signing
C. Secure cookies
D. Fuzzing

A

B. Code signing

37
Q

QUESTION: 287
A third-party vendor is moving a particular application to the end-of-life stage at the end of the
current year.
Which of the following is the most critical risk if the company chooses to continue running the
application?
A. Lack of security updates
B. Lack of new features
C. Lack of support
D. Lack of source code access

A

A. Lack of security updates

38
Q

QUESTION: 288
A security analyst recently read a report about a flaw in several of the organization’s printer
models that causes credentials to be sent over the network in cleartext, regardless of the
encryption settings.
Which of the following would be best to use to validate this finding?
A. Wireshark
B. netcat
C. Nessus
D. Nmap

A

A. Wireshark

39
Q

QUESTION: 289
A development team is launching a new public-facing web product. The Chief Information
Security Officer has asked that the product be protected from attackers who use malformed or
invalid inputs to destabilize the system.
Which of the following practices should the development team implement?
A. Fuzzing
B. Continuous deployment
C. Static code analysis
D. Manual peer review

A

A. Fuzzing

40
Q

QUESTION: 290
During an annual review of the system design, an engineer identified a few issues with the
currently released design.
Which of the following should be performed next according to best practices?
A. Risk management process
B. Product design process
C. Design review process
D. Change control process

A

C. Design review process

41
Q

QUESTION: 291
Which of the following is best to use when determining the severity of a vulnerability?
A. CVE
B. OSINT
C. SOAR
D. CVSS

A

D. CVSS

42
Q

QUESTION: 292
An organization experienced a security breach that allowed an attacker to send fraudulent wire
transfers from a hardened PC exclusively to the attacker’s bank through remote connections. A
security analyst is creating a timeline of events and has found a different PC on the network
containing malware. Upon reviewing the command history, the analyst finds the following:

PS>.\mimikatz.exe “sekurlsa::pth /user:localadmin /domain:corp-domain.com
/ntlm:B4B9B02E1F29A3CF193EAB28C8D617D3F327

Which of the following best describes how the attacker gained access to the hardened PC?
A. The attacker created fileless malware that was hosted by the banking platform.
B. The attacker performed a pass-the-hash attack using a shared support account.
C. The attacker utilized living-off-the-land binaries to evade endpoint detection and response
software.
D. The attacker socially engineered the accountant into performing bad transfers.

A

B. The attacker performed a pass-the-hash attack using a shared support account.

43
Q

QUESTION: 293
Which of the following is the best resource to consult for information on the most common
application exploitation methods?
A. OWASP
B. STIX
C. OVAL
D. Threat intelligence feed
E. Common Vulnerabilities and Exposures

A

A. OWASP

44
Q

QUESTION: 294
A security analyst is reviewing the logs on an organization’s DNS server and notices the
following unusual snippet:
Which of the following attack techniques was most likely used?
A. Determining the organization’s ISP-assigned address space
B. Bypassing the organization’s DNS sinkholing
C. Footprinting the internal network
D. Attempting to achieve initial access to the DNS server
E. Exfiltrating data from fshare.int.complia.org

A

C. Footprinting the internal network

45
Q

QUESTION: 295
A security analyst at an organization observed several user logins from outside the
organization’s network. The analyst determined that these logins were not performed by
individuals within the organization.
Which of the following recommendations would reduce the likelihood of future attacks? (Choose
two.)
A. Disciplinary actions for users
B. Conditional access policies
C. More regular account audits
D. Implementation of additional authentication factors
E. Enforcement of content filtering policies
F. A review of user account permissions

A

B. Conditional access policies
D. Implementation of additional authentication factors

46
Q

QUESTION: 296
A security team is addressing a risk associated with the attack surface of the organization’s web
application over port 443. Currently, no advanced network security capabilities are in place.
Which of the following would be best to set up? (Choose two.)
A. NIDS
B. Honeypot
C. Certificate revocation list
D. HIPS
E. WAF
F. SIEM

A

E. WAF
F. SIEM

47
Q

QUESTION: 297
A systems administrator would like to create a point-in-time backup of a virtual machine.
Which of the following should the administrator use?
A. Replication
B. Simulation
C. Snapshot
D. Containerization

A

C. Snapshot

48
Q

QUESTION: 298
A security administrator notices numerous unused, non-compliant desktops are connected to
the network.
Which of the following actions would the administrator most likely recommend to the
management team?
A. Monitoring
B. Decommissioning
C. Patching
D. Isolating

A

B. Decommissioning

49
Q

QUESTION: 299
Which of the following is a common data removal option for companies that want to wipe
sensitive data from hard drives in a repeatable manner but allow the hard drives to be reused?
A. Sanitization
B. Formatting
C. Degaussing
D. Defragmentation

A

A. Sanitization

50
Q

QUESTION: 300
An organization wants to improve the company’s security authentication method for remote
employees. Given the following requirements:
* Must work across SaaS and internal network applications
* Must be device manufacturer agnostic
* Must have offline capabilities
Which of the following would be the most appropriate authentication method?
A. Username and password
B. Biometrics
C. SMS verification
D. Time-based tokens

A

D. Time-based tokens

51
Q

QUESTION: 301
A security officer is implementing a security awareness program and has placed security-
themed posters around the building and assigned online user training.
Which of the following will the security officer most likely implement?
A. Password policy
B. Access badges
C. Phishing campaign
D. Risk assessment

A

C. Phishing campaign

52
Q

QUESTION: 302
A malicious update was distributed to a common software platform and disabled services at
many organizations.
Which of the following best describes this type of vulnerability?
A. DDoS attack
B. Rogue employee
C. Insider threat
D. Supply chain

A

D. Supply chain

53
Q

QUESTION: 303
A company web server is initiating outbound traffic to a low-reputation, public IP on a non-
standard port. The web server is used to present an unauthenticated page to clients who upload
images to the company. An analyst notices a suspicious process running on the server that was
not created by the company development team.
Which of the following is the most likely explanation for this security incident?
A. A web shell has been deployed to the server through the page.
B. A vulnerability has been exploited to deploy a worm to the server.
C. Malicious insiders are using the server to mine cryptocurrency.
D. Attackers have deployed a rootkit Trojan to the server over an exposed RDP port.

A

A. A web shell has been deployed to the server through the page.

54
Q

QUESTION: 304
An organization requests a third-party full-spectrum analysis of its supply chain.
Which of the following would the analysis team use to meet this requirement?
A. Vulnerability scanner
B. Penetration test
C. SCAP
D. Illumination tool

A

D. Illumination tool

55
Q

QUESTION: 305
A systems administrator deployed a monitoring solution that does not require installation on the
endpoints that the solution is monitoring.
Which of the following is described in this scenario?
A. Agentless solution
B. Client-based solution
C. Open port
D. File-based solution

A

A. Agentless solution