Everything Cyber Sec+ 501


11. Which of the following is an example of the second A in the AAA model?

A domain controller confirms membership in the appropriate group

19. A security analyst performs a vulnerability scan on the local network. Several items are flagged on the report as being critical issues. The security analyst researches each of the vulnerabilities and discovers that one of the critical issues on the report was mitigated in a previous scan. Which of the following MOST likely happened?

A false positive occurred

Ann, a user, reports she is receiving emails that appear to be from organizations to which she belongs, but the emails contain links to websites that do not belong to those organizations. Which of the following security scenarios does this describe?

A hacker is using Ann's social media information to create a spear phishing attack

Given the following output:
NMAP -P 80 --script hostmap-bfk.nse company.com
starting NMAP 6.46
NMAP scan report for company.com (172.255.240.169)
Port State Service
80/TCP open http
Host script results
hostmap-bfk hosts: 172.255.240.169 web1.company.com swebdb1.company.com web3.company.com swebdb2.company.com
NMAP done: scanned in 2.10 seconds
Which of the following BEST describes the scanned environment?

A host was identified as a web server that is hosting multiple domains

33. A systems administrator just issued the ssh-keygen -t rsa command on a Linux terminal. Which of the following BEST describes what the rsa portion of the command represents?

A key generation algorithm

69. An organization is collecting logs from its critical infrastructure, and a large number of the events are common system activities with identical logs. This is causing the SIEM to consume a large amount of disk space, which may result in the organization having to purchase additional disks to store the logs. Which of the following should the organization do to help mitigate this problem?

Enable event deduplication

A company has users and printers in multiple geographic locations, and the printers are located in common areas of the offices. To preserve the confidentiality of PII, a security administrator needs to implement the appropriate controls. Which of the following would BEST meet the confidentiality requirements of the data?

Enforcing location-based policy restrictions

A security analyst is investigating a report from an employee in the human resources (HR) department who is having sporadic issues with Internet access. When the security analyst pulls the UTM logs for the IP addresses in the HR group, the following activity is shown:
10.1.13.45 165.35.23.129 8080 News/Journalism General Block
10.1.13.45 89.23.45.11 443 Banking General Allow
10.1.13.46 76.4.3.19 8080 Business HR Users Allow
10.1.13.45 145.29.173 8080 Business General Block
10.1.13.45 10.1.29 443 Internal General Allow
10.1.13.46 19.34.1.189 443 Banking HR Users Allow
10.1.13.45 45.1.39.118 8080 Job Search General Block
10.1.13.46 45.1.39.118 8080 Job Search HR Users Allow
Which of the following actions should the security analyst take?

Ensure the HR employee is in the appropriate user group

30. Users at a company clicked on a link that was embedded in a phishing email, which then downloaded a rootkit onto their devices. Which of the following incident response phases would be appropriate for removing the malware from the end-user devices?

Eradication

61. During an assessment, a security analyst was asked to use a service account to perform a vulnerability scan against the main application server. Which of the following BEST classifies this type of test?

Escalation of privilege test

Two companies need to exchange a large number of confidential files. Both companies run high availability UTM devices. They do not want to use email systems to exchange the data. Since the data needs to be exchanged in both directions, which of the following solutions should a security analyst recommend?

Establishing a site-to-site VPN between the two companies

A company has forbidden the use of external media within its headquarters location. A security analyst is working on adding additional repositories to a server in the environment when the analyst notices some odd processes running on the system. The analyst runs a command and sees the following:
$ history
ifconfig -a
netstat -n
pskill 1788
pskill 914
mkdir /tmp/1
mount -u ada101 /tmp/1
cp /tmp/1/+ ~/1/
umount /tmp/1
ls -al 1/1/
apt-get update
apt-get upgrade
clear
Given this output, which of the following security issues has been discovered?

A malware installation

59. After installing new freeware, a user's workstation with IP address 192.168.10.1 is flagged by the SIEM for review. The security administrator reviews the following logs:
192.168.10.1.3388 -> 183.56.84.211:443 - 5 Kb Sent - 12649 Kb Received
192.168.10.1:1845 -> 88.45.133.203:443 - 21 Kb Sent - 19744 Kb Received
192.168.10.1:2095 -> 183.56.84.211:443 - 54958 Mb Sent - 10069 Kb Received
192.168.10.1:9454 -> 145.86.104.92:443 - 74 Kb Sent - 3059 Kb Received
Additionally, the administrator reviews the following output from the workstation:
Proto Local Address Foreign Address State
TCP 192.168.10.1:135 192.168.10.200:64833 ESTABLISHED RpcSs
TCP 192.168.10.1:2095 183.56.84.211:443 ESTABLISHED notepad.exe
TCP 192.168.10.1 192.168.10.143:47331 ESTABLISHED lsass.exe
TCP 192.168.10.1 145.86.104.92:443 TIME WAIT chrome.exe
Based on the information above, which of the following types of malware has infected the workstation?

A remote access Trojan

57. Which of the following threat actors is motivated primarily by a desire for personal recognition and a sense of accomplishment?

A script kiddie

Which of the following has the potential to create a DoS attack on a system?

A server room WiFi thermostat with default credentials

56. Which of the following generates reports that show the number of systems that are associated with POODLE, 3DES, and SMBv1 listings?

A vulnerability scanner

An analysis of a threat actor, which has been active for several years, reveals the threat actor has high levels of funding, motivation, and sophistication. Which of the following types of threat actors does this BEST describe?

Advanced persistent threat

13. A user opens a web browser and accesses the corporate intranet. Immediately, several pop-up windows appear, displaying content that is not related to the company. The user's computer is MOST likely infected with which of the following?

Adware

36. After downloading third-party software, a user begins receiving continuous pop-up messages stating the Windows antivirus is outdated. The user is unable to access any files or programs until the subscription is renewed with Bitcoin. Which of the following types of attacks is being executed?

Adware

Which of the following models is considered an iterative approach with frequent testing?

Agile

64. A network administrator at a bank needs to create zones that will prevent an attacker from freely traversing the network in the event of a perimeter firewall breach. The zones should allow the bank tellers to communicate with each other but prevent them from accessing Internet resources. Which of the following should the network administrator implement?

Air gaps

14. A security analyst for a large human resources company is setting up a vulnerability scan that mimics what an external attacker would see. Which of the following would BEST emulate an external attacker?

An active scan from servers in different points outside the company network

8. A systems administrator wants to secure a backup environment so backups are less prone to ransomware attacks. The administrator would like to have a fully isolated set of backups. Which of the following would be the MOST secure option for the administrator to implement?

An air gap

38. After discovering a buffer overflow vulnerability in an application, the security analyst needs to report it to the development team leader. Which of the following are MOST likely to appear in the impact section of the report? (Select TWO)

An attacker can obtain privileged data handled by the application.
An attacker can execute arbitrary code using the application.

Which of the following is the BEST example of a reputation impact identified during a risk assessment?

An attacker defacing the e-commerce portal

20. After deploying an antivirus solution on some network-isolated industrial computers, the service desk team received a trouble ticket about the following message being displayed on the computers' screens: Your AV protection has blocked an unknown application while performing suspicious activities. The application was put in quarantine. Which of the following would be the SAFEST next step to address the issue?

Check the antivirus vendor's documentation about the security modules, incompatibilities, and software whitelisting

2. Given the following:
> md5.exe file1.txt
>AD1FAB103773DC6A1E6021B7F503A210
> md5.exe file2.txt
>AD1FAB103773DC6A1E6021B7F503A210
Which of the following concepts of cryptography is shown?

Collision

9. Which of the following would have the GREATEST impact on the supporting database server if input handling is not properly implemented on a web application?

Command injection

Which of the following cloud models is used to share resources and information with business partners and like businesses without allowing everyone else access?

Community

16. Which of the following will ensure the integrity of a file is preserved during the process of forensic acquisition?

Compute the hashes for all files and recompute on the destination end.

45. An employee of a large payroll company has a machine that recently started locking up randomly with greatly increased processor consumption. Which of the following is the FIRST action an analyst should take to investigate this potential IoC?

Capture a memory dump of the system for further evaluation of malicious processes

70. Which of the following provides the ability to attest to the integrity of a system from the initiation of an incident to the time the incident is litigated?

Chain of custody

68. A law firm wants to protect its customers' individual information, which is stored at a remote facility, from inadvertently being compromised through a violation of the security objectives. Which of the following BEST describes the customer information that is being stored at this facility?

Confidential

Which of the following is the BEST tool to utilize to comply with the request in an ongoing manner?

Configuration compliance scan

18. A company wants to provide a guest wireless system for its visitors. The system should have a captive portal for guest self-registration and protect guest devices from spreading malware to other connected devices. Which of the following should be done on the wireless network to satisfy these requirements? (Select TWO)

Configure WPA2-PSK
Enable client isolation

13. A company recently experienced a significant malware attack that caused all business operations to stop. After an investigation, a single PC was identified as the root cause, and a security analyst on the IR team disconnected the machine from the corporate network, both the wired and wireless connections. Which of the following incident response phases was just completed?

Containment

24. Poor inventory control practices can lead to undetected and potentially catastrophic system exploitation due to:

Control gaps resulting from unmanaged hosts.

A security administrator is working with the human resources department to classify data held by the company. The administrator has determined the data contains a variety of data types, including health information, employee names and addresses, trade secrets, and confidential customer information. Which of the following should the security administrator do NEXT?

Create a custom set of data labels to group the data by sensitivity and protection requirements

31. An organization prefers to apply account permissions to groups and not individual users, but allows for exceptions that are justified. Some systems require a machine-to-machine data exchange and an associated account to perform this data exchange. One particular system has data in a folder that must be modified by another system. No user requires access to this folder; only the other system needs access to this folder. Which of the following is the BEST account management practice?

Create a service account group, place the service account in the group, and apply the permissions on the group

A tester was able to leverage a pass-the-hash attack during a recent penetration test. The tester gained a foothold and moved laterally through the network. Which of the following would prevent this type of attack from reoccurring?

Creating separate accounts for privileged access that are not used to log on to local machines

28. A security administrator plans to conduct a vulnerability scan on the network to determine if the system applications are up to date. The administrator wants to limit disruptions to operations but not consume too many resources. Which of the following types of vulnerability scans should be conducted?

Credentialed

Which of the following types of vulnerability scans typically returns more detailed and thorough insights into actual system vulnerabilities?

Credentialed

53. Which of the following data types is specifically protected when implementing the PCI DSS framework?

Credit Card Data

Joe, a user, visited a banking website from a saved bookmark and logged in with his credentials. After logging in, Joe discovered that he could not access any resources, and none of his account information would display. The next day, the bank called to report his account had been compromised. Which of the following MOST likely would have prevented this from occurring?

DNSSEC

29. An organization's Chief Information Security Officer (CISO) is implementing a policy to govern who will maintain proper backups of PHI to comply with local regulations. Which of the following roles is BEST suited to perform this task?

Data Custodian

41. A security analyst reviews the following log entry: 2017-01-13 1622CST 10.11.24.18 93242 148 TCP_HIT 200.200.0.223 OBSERVED POST HTTP/1.1.0 "Mozilla 1.0" www.dropbox.com Financial_Report_2016_CONFID.pdf, 13MB, MS-RTC LM8; .NET CLR 3.0.4509.1392, Jane.Doe Which of the following security issues can the analyst identify?

Data exfiltration

A company is determining where to host a hot site, and one of the locations being considered is in another country. Which of the following should be considered when evaluating this option?

Data sovereignty

11. Smart home devices that are always on or connected, such as HVAC system components, introduce SOHO networks to risks because of:

Default factory settings and constant communication channels to cloud servers.

27. Which of the following is MOST likely the security impact of continuing to operate end-of-life systems?

Denial of service due to patch availability

31. Which of the following would be MOST effective at stopping zero-day attacks on an endpoint? (Select TWO)

Deploying multivendor NGFWs
Removing administrator rights from users

A company is looking for an all-in-one solution to provide identification, authentication, authorization, and accounting services. Which of the following technologies should the company use?

Diameter

22. A systems administrator is trying to reduce the amount of time backups take every night. Which of the following backup types only includes changes since the most recent backup of any type?

Differential

A security analyst is determining the point of compromise after a company was hacked. The analyst checks the server logs and sees that a user account was logged in at night, and several large compressed files were exfiltrated. The analyst then discovers the user last logged in four years ago and was terminated. Which of the following should the security analyst recommend to prevent this type of attack in the future? (Select TWO)

Disable all user accounts that are not logged in to for 180 days
Perform an audit of all company user accounts

A security team has completed the installation of a new server. The OS and applications have been patched and tested, and the server is ready to be deployed. Which of the following actions should be taken before deploying the new server?

Disable the default accounts

6. A long-time employee at a small company recently quit. The employee had access to many files and services. The IT department has been informed that a new hire will be starting the following day and will need access to all the same resources. Which of the following steps should the IT department perform to secure the network and prepare for the new employee?

Disable the former employee's user account and replicate the permissions.

22. An auditor asks the security team to provide tangible proof that the following hardening principles are applied to the servers in a DMZ. Some examples of items the auditor is looking for include:

Disabling anonymous share access
Disabling null sessions
Disabling NTLM usage

44. Joe, a security analyst, needs to determine why the wireless network appears to be randomly connecting and disconnecting. Joe notes that only the expected SSID appears, and the WAP MAC address matches. Given that the WAP connection has to be confirmed, which of the following is MOST likely the type of wireless attack being seen?

Disassociation

A red team initiated a DoS attack on the management interface of a switch using a known vulnerability. The monitoring solution then raised an alert, prompting a network engineer to log in to the switch to diagnose the issue. When the engineer logged in, the red team was able to capture the credentials and subsequently log in to the switch. Which of the following actions should the network team take to prevent this type of breach from reoccurring?

Enable Secure Shell and disable Telnet

A penetration tester is testing passively for vulnerabilities on a company's network. Which of the following tools should the penetration tester use?

nikto

A security analyst is asked to check the configuration of the company's DNS service on the server. Which of the following command line tools should the analyst use to perform the initial assessment?

nslookup/dig

Exercising various programming responses for the purpose of gaining insight into a system's security posture without exploiting the system is BEST described as:

passive security control testing

24. A penetration tester has successfully accessed a web server using an exploit in the user-agent string for Apache Struts. The tester then brute forces a credential that provides access to the back-end database server in a different subnet. This is an example of:

pivoting

12. Race conditions can:

result in arbitrary code execution in protected memory spaces

21. The use of a unique attribute inherent to a user as part of an MFA system is BEST described as:

something you are

39. Which of the following does MFA prevent?

Fraud that is perpetuated remotely.

35. A company is deploying a new MDM solution to protect and mange company mobile devices. Which of the following is the BEST option to prevent data loss if a mobile device is lost or stolen?

Full-device Encryption

6. A developer has just finished coding a custom web application and would like to test it for bugs by automatically injecting malformed data into it. Which of the following is the developer looking to perform?

Fuzzing

52. A large organization has recently noticed an increase in the number of corporate mobile devices that are being lost. These mobile devices are used exclusively for on-campus communication at the organization's international headquarters using the wireless network. Per the organization's policy, the devices should not be taken off campus. The security team must find a solution that will encourage users to leave the devices on campus. Which of the following is the BEST solution?

Geofencing

A network administrator wants to gather information on the security of the network servers in the DMZ. The administrator runs the following command: Telnet www.example.com 80 Which of the following actions is the administrator performing?

Grabbing the web server banner

During the penetration testing of an organization, the tester was provided with the names of a few key servers, along with their IP addresses. Which of the following is the organization conducting?

Gray box testing

When choosing a hashing algorithm for storing passwords in a web server database, which of the following is the BEST explanation for choosing HMAC-MD5 over simple MD5?

HMAC adds a transport layer handshake, which improves authentication

After a breach, a company has decided to implement a solution to better understand the technique used by the attackers. Which of the following is the BEST solution to be deployed?

Honeypot network

9. A security administrator recently discovered the AAA server is receiving cleartext credentials from network infrastructure devices. Which of the following should the administrator configure to enable encryption?

IPSec

50. Which of the following BEST describes suspicious emails that are sent to high-level executives while falsely claiming to be from the IT department?

Impersonating

A network administrator needs to prevent users from accessing the accounting department records. All users are connected to the same Layer 2 device and access the Internet through the same router. Which of the following should be implemented to segment the accounting department from the rest of the users?

Implement VLANs and an ACL

21. A network engineer needs to allow an organization's users to connect their laptops to wired and wireless networks from multiple locations and facilities, while preventing unauthorized connections to the corporate networks. Which of the following should be implemented to fulfill the engineer's requirements?

Implement a VPN concentrator

67. An organization has defined secure baselines for all servers and applications. Before any servers or applications are placed into production, they must be reviewed for compliance deviations. Which of the following actions would streamline the process and provide more consistent results?

Implement a configuration scanner that automatically reviews every server and application against the established baselines

A Chief Information Officer (CIO) wants to eliminate the number of calls the help desk is receiving for password resets when users log on to internal portals. Which of the following is the BEST solution?

Implement a self-service portal

17. A company needs to implement an on-premises system that allows partner organizations to exchange order and inventory data electronically with the company over the internet. The security architect must ensure the data is protected while minimizing the overhead associated with managing individual partner connections. Which of the following should the security architect recommend?

Implement an authenticated SFTP server

16. A penetration tester was able to connect to a company's internal network and perform scans and staged attacks for the duration of the testing period without being noticed. The SIEM did not alert the security team to the presence of the penetration tester's devices on the network. Which of the following would provide the security team with notification in a timely manner?

Implement rogue system detection and sensors

A network administrator needs to restrict the users of the company's WAPs to the sales department. The network administrator changes and hides the SSID and then discovers several employees had connected their personal devices to the wireless network. Which of the following would limit access to the wireless network to only organization-owned devices in the sales department?

Implementing MAC filtering

44. An administrator is trying to inspect SSL traffic to evaluate if it has a malicious code injection. The administrator is planning to use the inspection features of a firewall solution. Which of the following should be done after the implementation of the firewall solution?

Import the private certificate of each user to the firewall

An employee on the Internet-facing part of a company's website submits a 20-character phrase in a small textbox on a web form. The website returns a message back to the browser stating: Error: Table 'advprofile' entry into column 'lname' has exceeded number of allowed characters. Error saving database information. Of which of the following is this an example?

Improper error handling

23. Which of the following can be used to mitigate SQL injection?

Input validation

While testing a new application, a developer discovers that the inclusion of an apostrophe in a username causes the application to crash. Which of the following secure coding techniques would be MOST useful to avoid this problem?

Input validation

4. A systems administrator wants to enforce the use of HTTPS on a new website. Which of the following should the systems administrator do NEXT after generating the CSR?

Install the certificate on the server

33. A security analyst discovers one of the business processes, which generates 75% of the annual revenue, uses a legacy system. This creates a tolerable risk that can contribute to a 2% drop in revenue generation every quarter. Which of the following would be the BEST response to this risk?

Insurance

A security analyst discovers one of the business processes, which generates 75% of the annual revenue, uses a legacy system. This creates a risk that can contribute to a 2% drop in revenue generation every quarter. Which of the following would be the BEST response to this risk?

Insurance

A security administrator has created a new group policy object that utilizes the trusted platform module to compute a hash of system files and compare the value to a known-good value. Which of the following security concepts is this an example of?

Integrity measurement

42. Which of the following systems, if compromised, may cause a denial of service to the use of a smart TV?

IoT

66. A security analyst is reviewing the logs from a NGFW's automated correlation engine and sees the following:
Match time | Object name | Source address | Summary
2019-07-23 10:14:33 | Possible Beacon Detection | 10.202.10.89 | Host is generating unknown TCP or UDP network traffic.
2019-07-23 10:14:52 | Possible Beacon Detection | 10.202.88.88 | Host is generating unknown TCP or UDP network traffic.
2019-07-23 10:19:12 | Potential C2 Communication Detected | 10.202.55.3 | Host repeatedly visited malware domains (100)
2019-07-23 10:21:21 | Compromised Asset | 10.202.100.12 | Host is compromised based on a sequence of recent threat log activity
2019-07-23 10:30:37 | Possible Beacon Detection | 10.202.123.99 | Host is generating unknown TCP or UDP network traffic
2019-07-23 10:32:03 | Possible Beacon Detection | 10.202.44.107 | Host visited known malware URL (15)
Which of the following should the analyst perform FIRST?

Isolate the compromised host from the network

16. Which of the following explains the importance of patching servers in a test environment?

It identifies potential availability and stability issues before they affect production systems

Which of the following BEST describes why an air gap is a useful security control?

It physically isolates two or more networks, therefore helping prevent cross contamination or accidental data spillage

15. A bank with a high-profile customer account is concerned about collusion and fraud occurring between staff and customers at a specific branch. Which of the following best practices would help detect any fraudulent activities?

Job rotation

31. An organization wants to use a ticket-based approach to access management for an internal network. The organization would like the solution to be vendor-independent and use a widely supported protocol, but it does not want to use an XML-based approach. Which of the following access protocols should the organization choose?

Kerberos

An internal intranet site is required to authenticate users and restrict access to content to only those who are authorized to view it. The site administrator previously encountered issues with credential spoofing when using the default NTLM setting and wants to move to a system that will be more resilient to replay attacks. Which of the following should the administrator implement?

Kerberos

A security administrator is reviewing the following information from a file that was found on a compromised host:
cat suspiciousfile.txt
www.CompTIA.org\njohn\miloveyou\n$200\nWorking Late\nJohn\nI%20will%20be%20in%20the%20office%20till%206pm%20to%20finish%20the%20report\n
Which of the following types of malware is MOST likely installed on the compromised host?

Keylogger

Which of the following configurations supports the VLAN definitions?

LDAP path

A company recently contracted a penetration testing firm to conduct an assessment. During the assessment, the penetration testers were able to capture unencrypted communication between the directory servers. The penetration testers recommend encrypting this communication to fix the vulnerability. Which of the following protocols should the company implement to close this finding?

LDAPS

32. A security analyst wants to prevent current employees who previously worked in different departments from accessing resources that are no longer necessary for their present job roles. Which of the following policies would meet this objective?

Least privilege

25. During an investigation of a recent security breach, a team learned that a similar breach occurred eight months ago and was successfully mitigated. Which of the following steps of the incident response process did the organization fail to implement?

Lessons Learned

A company recently experienced a security breach. The security staff determined that the intrusion was due to an out-of-date proprietary software program running on an non-compliant server. The server was imaged and copied onto a hardened VM, with the previous connections re-established. Which of the following is the NEXT step in the incident response process?

Lessons learned

A newly hired Chief Security Officer (CSO) is reviewing the company's IRP and notices the procedures for zero-day malware attacks are being poorly executed, resulting in the CSIRT failing to address and coordinate malware removal from the system. Which of the following phases would BEST address these shortcomings?

Lessons learned

32. A new desktop support staff member recently completed onboarding. Which of the following account types should be created for the member while following the company's policy of the principle of least privilege?

Local Admin

10. A company notices that at 10 am every Thursday, three users' computers become inoperable. The security analyst team discovers a file called where.pdf.exe that runs on system startup. The contents of where.pdf.exe are shown below: @echo off if (c:\file.txt) deltree C:\ Based on the above information, which of the following types of malware was discovered?

Logic bomb

During a routine check, a security analyst discovered the script responsible for the backup of the corporate file server had been changed to the following: date = get_currentdate() if date = $userA.Birthdate then exec ' rm -rf /' end if Which of the following BEST describes the type of malware the analyst discovered?

Logic bomb

Which of the following agreement types is a non-contractual agreement between two or more parties and outlines each party's requirements and responsibilities?

MOU

19. Which of the following has a direct impact on whether a company can meet the RTO?

MTTR

52. Which of the following is the security threat a hiring manager is trying to prevent by performing a background screening of a job candidate?

Malicious Insider

23. Which of the following is a characteristic unique to a Type 1 hypervisor?

Memory is directly controlled by the hypervisor

14. A company's datacenter was damaged by coastal flooding. Which of the following risk responses would BEST describe the company's decision to relocate the datacenter 30mi (48km) from the coast?

Mitigation

Which of the following should a company require prior to performing a penetration test?

NDA

Which of the following is a component of multifactor authentication?

OTP

An administrator needs to protect five websites with SSL certificates. Three of the websites have different domain names, and two of the websites share the domain name but have different subdomain prefixes. Which of the following SSL certificates should the administrator purchase to protect all of the websites and be able to administer them easily at a later time?

One SAN certificate

35. In which of the following ways does phishing and smishing differ?

One uses SMS as a delivery mechanism, and the other uses email

Which of the following is the main difference between symmetric and asymmetric cryptographic algorithms?

Only one key used in symmetric algorithms

4. A security analyst just discovered that developers have access to production systems that are used for deployment and troubleshooting. One developer, who recently left the company, abused this access to obtain sensitive information. Which of the following is the BEST account management strategy to prevent this from reoccurring?

Perform an account review and ensure least privilege is being followed for production access

26. An attacker has recently compromised an executive's laptop and installed a RAT. The attacker used a registry key to ensure the RAT starts every time the laptop is powered on. Which of the following is this an example of?

Persistence

Which of the following controls does a mantrap BEST represent?

Physical

4. An administrator needs to apply a secure WiFi network for an organization. The solution must work for domain users only. Which of the following should the administrator apply in addition to WPA?

RADIUS

40. A corporation wants to allow users who work for its affiliate companies to sign on to each other's wireless networks with their own company's credentials. Which of the following architectures would support this requirement?

RADIUS Federation

A security engineer wants to further secure a sensitive VLAN on the network by introducing MFA. Which of the following is the BEST example of this?

RSA token and password

49. Which of the following attacks uses precomputed hashes?

Rainbow Tables

6. A security consultant is analyzing data from a recent compromise. The following data points are documented: - Access to data on share drives and certain network hosts was lost after an employee logged in to an interactive session as a privileged user -The data was unreadable by any known commercial software -The issue spread through the enterprise via SMB only when certain users accessed data -Removal instructions were not available from any major antivirus vendor Which of the following types of malware is this an example of?

Ransomware

Ann, a new employee, received an email from an unknown source indicating she needed to click on the provided link to update her company's profile. Once Ann clicked the link, a command prompt appeared with the following output: C:\Users\Ann\Documents\File1.pgp C:\Users\Ann\Documents\AdvertisingReport.pgp C:\Users\Ann\Documents\FinancialReport.pgp Which of the following types of malware was executed?

Ransomware

A coffee company, which operates a chain of stores across a large geographical area, is deploying tablets to use as point-of-sale devices. A security consultant has been given the following requirements: -The cashiers must be able to log in to the devices quickly -The devices must be compliant with applicable regulations for credit card usage -The risk of loss or theft on the devices must be minimized -If devices are lost or stolen, all data must be removed from the device -The devices must be capable of being managed from a centralized location Which of the following should the security consultant configure in the MDM policies for the tablets? (Select TWO)

Remote wipe Cable locks

5. A Chief Security Officer (CSO) has implemented a policy to prevent the reuse of hard drives due to the risk of information spillage to unauthorized users. Which of the following would be the MOST practical process to decommission the workstations?

Remove all the hard drives and degauss them

55. Which of the following is a type of attack in which a hacker leverages previously obtained packets to gain access to a wireless network?

Replay attack

A software development company needs to augment staff by hiring consultants for a high-stakes project. The project has the following requirements: -Consultants will have access to highly confidential, proprietary data -Consultants will not be provided with company-owned assets -Work needs to start immediately -Consultants will be provided with internal email addresses for communications Which of the following solutions is the BEST method for controlling data exfiltration during this project?

Require that all consultant activity be restricted to a secure VDI environment

20. A security specialist is notified about a certificate warning that users receive when using a new internal website. After being given the URL from one of the users and seeing the warning, the security specialist inspects the certificate and realizes it has been issued to the IP address, which is how the developers reach the site. Which of the following would BEST resolve the issue?

SAN

29. Which of the following systems, if compromised, may cause great danger to the integrity of water supplies and their chemical levels?

SCADA

65. Which of the following would a security analyst use to check the integrity of some sensitive files on an organization's file server?

SHA-1

34. A network administrator has been tasked with monitoring all the information systems on a distributed network. The administrator must be able to securely monitor whether the system is up and operational but is not required to configure or access the system remotely. Which of the following would allow the administrator to BEST perform this function?

SNMPv3

54. A security engineer wants to be able to monitor and configure network devices remotely and securely. Which of the following would be the BEST option for this objective?

SNMPv3

A security analyst has been asked to implement secure protocols to prevent cleartext credentials from being transmitted over the internal network. Which of the following protocols is the security analyst MOST likely to implement? (Select TWO)

SSH SFTP

5. A security analyst needs a solution that can execute potential malware in a restricted and isolated environment for analysis. In which of the following technologies is the analyst interested?

Sandboxing

15. When building a hosted datacenter, which of the following is the MOST important consideration for physical security within the datacenter?

Secure enclosures

36. Which of the following BEST represent detective controls? (Select TWO)

Security guard Camera

An organization is setting up a satellite office and wishes to extend the corporate network to the new site. Which of the following is the BEST solution to allow the users to access corporate resources while focusing on usability and security?

Site-to-site VPN

Joe, a new employee, discovered a thumb drive with the company's logo on it while walking in the parking lot. Joe was curious as to the contents of the drive and placed it into his work computer. Shortly after accessing the contents, he noticed the machine was running slower, started to reboot, and displayed new icons on the screen. Which of the following types of attacks occurred?

Social engineering

The following ports are open for a production Internet web server: 22, 23, 80, 443, 3389, and 8080. Which of the following mitigation strategies should a penetration tester recommend?

System hardening

26. In the event of a security incident, which of the following should be captured FIRST?

System memory

58. Which of the following is of MOST concern when securing SCADA/ICS?

Systems are often unpatchable

63. A network administrator wants to further secure the routers and switches that are used on the company network. The administrator would like to achieve full packet encryption and full command logging when interacting with these devices. Which of the following technologies should be implemented?

TACACS+

30. A security administrator recently discovered the AAA server is receiving cleartext credentials from network infrastructure devices. Which of the following should the administrator configure to enable encryption?

TACACS+ attributes

22. Which of the following helps find current and future gaps in an existing COOP?

Tabletop exercise

27. Which of the following helps find current and future gaps in an existing COOP?

Tabletop exercise

A security engineer deploys a certificate from a commercial CA to the RADIUS server for use with the EAP-TLS wireless network. Authentication is failing, so the engineer examines the certificate's properties: Issuer: (A commercial CA) Valid from: (yesterday's date) Subject: CN=smithco.com Public key: RSA (2048 bits) Enhanced key usage: Client authentication (1.3.6.1.5.5.7.3.2) Key usage: Digital signature, key encipherment (a0) Which of the following is the MOST likely cause of the failure?

The certificate is missing the proper OID
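
Added example (not from the original flashcards): a small checker that reads a certificate property dump like the one above and reports what an EAP-TLS supplicant would object to. The two property blocks are constructed from the question's text and from what a correctly issued RADIUS server certificate would show; the OIDs are the standard RFC 5280 extended-key-usage values. It parses the text dump, not a real X.509 object, and the expected server name is an assumption passed in by the caller. The same name check applies to the SAN question earlier on this page (certificate issued to an IP address, users connecting by hostname).

```python
import re

# Standard extended key usage OIDs from RFC 5280, not specific to this page
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# Constructed: the property dump as shown in the question above
CERT_AS_DEPLOYED = """\
Issuer: (A commercial CA)
Valid from: (yesterday's date)
Subject: CN=smithco.com
Public key: RSA (2048 bits)
Enhanced key usage: Client authentication (1.3.6.1.5.5.7.3.2)
Key usage: Digital signature, key encipherment (a0)
"""

# Constructed: what a correctly issued RADIUS server certificate would show
CERT_FIXED = """\
Issuer: (A commercial CA)
Valid from: (yesterday's date)
Subject: CN=radius.smithco.com
Subject alternative name: DNS:radius.smithco.com, DNS:smithco.com
Public key: RSA (2048 bits)
Enhanced key usage: Server authentication (1.3.6.1.5.5.7.3.1), Client authentication (1.3.6.1.5.5.7.3.2)
Key usage: Digital signature, key encipherment (a0)
"""


def parse_properties(text):
    """Turn 'Name: value' lines into a dict keyed by lower-cased name."""
    props = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            props[name.strip().lower()] = value.strip()
    return props


def eku_oids(props):
    """All dotted OIDs listed under Enhanced key usage."""
    return set(re.findall(r"\d+(?:\.\d+)+", props.get("enhanced key usage", "")))


def presented_names(props):
    """Names a supplicant may match: the Subject CN plus DNS:/IP: SAN entries."""
    names = set()
    cn = re.search(r"CN=([^,]+)", props.get("subject", ""))
    if cn:
        names.add(cn.group(1).strip())
    for entry in props.get("subject alternative name", "").split(","):
        entry = entry.strip()
        if entry.startswith(("DNS:", "IP:")):
            names.add(entry.split(":", 1)[1].strip())
    return names


def check_server_cert(text, expected_name):
    """Return the reasons an EAP-TLS supplicant would reject this server certificate."""
    props = parse_properties(text)
    findings = []
    if ID_KP_SERVER_AUTH not in eku_oids(props):
        findings.append(f"EKU lacks serverAuth ({ID_KP_SERVER_AUTH})")
    if expected_name not in presented_names(props):
        findings.append(f"expected name {expected_name} not in CN or SAN")
    return findings
```

A certificate that carries only the clientAuth EKU is a client certificate; Windows and most other supplicants refuse to treat it as the server's identity, so the EKU finding alone explains the failure in the question.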

29. An organization deploys code on Linux servers with SSH disabled but does not patch those servers. Which of the following is the MOST likely reason for this control gap?

The organization has an immature patch management process

2. A recent credentialed vulnerability scan returned the following results: 192.168.2.100 - C:\Program Files\Microsoft SQL Server\MSAS10.MSSQLServer\OLAP\bin Msmdsrve.exe is not patched. Current Version: 10.0.1600.22 Should be: 10.0.2841.0 When asked to remediate the findings, the network team responded that the most recent patch management report showed the following results: Patch Status: Up to date 192.168.2.100 - No new patches available Which of the following BEST describes why these results were returned, and which action should be taken?

The patch management software is reporting a false negative, and the server should be patched.

Which of the following BEST explains "likelihood of occurrence"?

The probability that a threat actor will target and attempt to exploit an organization's systems

Ann, a security analyst from a large organization, has been instructed to use another, more effective scanning tool. After installing the tool on her desktop, she started a full vulnerability scan. After running the scan for eight hours, Ann finds that there were no vulnerabilities identified. Which of the following is the MOST likely cause of not receiving any vulnerabilities on the network?

The security analyst's credentials did not allow full administrative rights for the scanning tool

3. Which of the following BEST describes a defense-in-depth strategy?

The security team configures an application-whitelisting program on endpoints and installs NIDS

A security analyst received an after-hours alert indicating that a large number of accounts with the suffix "admin" were locked out. The accounts were all locked out after five unsuccessful login attempts, and no other accounts on the network triggered the same alert. Which of the following is the BEST explanation for these alerts?

The standard naming convention makes administrator accounts easy to identify, and they were targeted for an attack
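
Added example (not part of the original flashcards): the detection logic an analyst would run over authentication logs to confirm the explanation above. The log lines and their field layout are constructed for this example, the lockout threshold of five matches the question, and the privileged-account suffix pattern is an assumption. The code flags the situation where every locked account follows the privileged naming pattern and all failures come from a single source, which is the signature of an attacker enumerating predictable administrator names.

```python
import re
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5                              # lockout policy from the question
ADMIN_SUFFIX = re.compile(r"admin$", re.IGNORECASE)  # assumed naming convention


def make_sample_log():
    """Constructed sample: three admin-suffixed accounts sprayed from one IP, one normal user."""
    lines = []
    for acct in ("j.smith.admin", "a.jones.admin", "svc.backup.admin"):
        for n in range(5):
            lines.append(f"23:41:{n:02d} auth FAILED_LOGIN user={acct} src=203.0.113.7")
        lines.append(f"23:41:05 auth LOCKOUT user={acct}")
    lines.append("23:42:10 auth FAILED_LOGIN user=m.brown src=10.0.5.21")
    lines.append("23:42:15 auth SUCCESS user=m.brown src=10.0.5.21")
    return lines


EVENT_RE = re.compile(
    r"^(?P<time>\S+) auth (?P<event>\w+) user=(?P<user>\S+)(?: src=(?P<src>\S+))?$"
)


def parse(lines):
    """Keep only lines that match the assumed log format."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(lines):
    events = parse(lines)
    failures = Counter()
    sources = defaultdict(set)
    locked = set()
    for e in events:
        if e["event"] == "FAILED_LOGIN":
            failures[e["user"]] += 1
            sources[e["user"]].add(e["src"])
        elif e["event"] == "LOCKOUT":
            locked.add(e["user"])
    # accounts that reached the threshold count even if no LOCKOUT record was written
    at_threshold = {u for u, n in failures.items() if n >= LOCKOUT_THRESHOLD}
    affected = locked | at_threshold
    admin_hits = {u for u in affected if ADMIN_SUFFIX.search(u)}
    attack_sources = set().union(*(sources[u] for u in affected)) if affected else set()
    return {
        "locked_accounts": sorted(affected),
        "admin_named_share": len(admin_hits) / len(affected) if affected else 0.0,
        "sources": sorted(attack_sources),
        # every affected account follows the privileged pattern and one source drove it
        "looks_targeted": bool(affected) and admin_hits == affected and len(attack_sources) == 1,
    }
```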

20. A security administrator is reviewing the following report from an organization's patch management system that has only wired workstations, which are utilized daily:

PC Name  Finance App Version  Browser Version  AntiVirus Version  Last IP Address   Last Connection
Acct-1   2.0                  57.20            1.0                172.16.4.18/16    6 days
Acct-2   2.30                 56.80            1.2                172.17.30.17/16   8 hours
HR-1     2.0                  56.80            1.2                172.16.4.27/16    1 hour
Sales-1  2.30                 56.80            1.2                172.16.4.9/16     2 hours
Sales-2  N/A                  56.80            1.2                172.16.4.16/16    1 day

Which of the following is the GREATEST security concern for the administrator?

The status of ACCT-1 is not accurately reported

48. A security analyst used a vulnerability scanning tool to scan a company's network. The analyst was able to identify network devices, their IP addresses, MAC addresses, and open ports. However, when running a scan to identify elevated permission levels for user accounts in the domain, the scan could not complete. Which of the following is the MOST likely cause of this error?

The tool ran a passive vulnerability scan.

An organization has the following written policies: -Users must request approval for non-standard software installation -Administrators will perform all software installations -Software must be installed from a trusted repository A recent security audit identified crypto-currency software installed on one user's machine. Which of the following is the MOST likely cause of this policy violation and the BEST remediation to prevent a reoccurrence?

The user installed the software on the machine; implement technical controls to enforce the written policies

3. The website of a bank that an organization does business with is being reported as untrusted by the organization's web browser. A security analyst has been assigned to investigate. The analyst discovers the bank recently merged with another local bank and combined names. Additionally, the user's bookmark automatically redirects to the website of the newly named bank. Which of the following is the MOST likely cause of the issue?

The website's certificate still has the old bank's name

Which of the following are disadvantages of full backups (Select THREE)

They require the most storage They have the slowest recovery time They are time-consuming to complete

62. A security analyst wants to obfuscate some code and decides to use ROT13. Which of the following is an example of the text "HELLO WORLD" in ROT13?

URYYB JBEYQ

Proprietary information was sent by an employee to a distribution list that included external email addresses. Which of the following BEST describes the incident that occurred and the threat actor in this scenario?

Unintentional disclosure by an insider

A company help desk has received several reports that employees have experienced identity theft and compromised accounts. This occurred several days after receiving an email asking them to update their personal bank information. Which of the following is a vulnerability that has been exploited?

Untrained users

42. A wireless infrastructure is being designed for a university campus. The network client will consist of: Students' personal devices Corporate laptops used by staff An IoT sensor distributed within the campus area A WLAN will be created for each client profile. Which of the following will provide the MOST secure environment?

Use 802.1x authentication with WPA2-Enterprise for the staff WLAN.

51. A security administrator at a software development company received the following IoC:

simplefile.exe 493AC4A18AD1FAB103021AD34BC374AA
simplefile.cnf 30DA11377ACB3845DD1A35AD1FAB1032
simplefile.txt 104ABC5469AD59FE593DAD1FAB10D3A1
simplefile.png 848D49D12AA2F408CAD1FAB10EEA292B

Which of the following is the BEST and fastest solution that will protect the company's computers from executing the malware without impacting the business?

Use a GPO to blacklist 493AC4A18AD1FAB103021AD34BC374AA

18. As a security measure, an organization has disabled all external media from accessing the network. Since some users may have data that needs to be transferred to the network, which of the following would BEST assist a security administrator with transferring the data while keeping the internal network secure?

Use a standalone scanning system

An audit revealed that a privileged account accessed a large number of systems multiple times in a short period. The account was promptly deactivated. The unexpected changes stopped happening, but some systems ceased to perform their scheduled tasks. Which of the following was incorrectly performed?

Use and documentation of service accounts

33. A security analyst recommends implementing SSL for an existing web service. A technician installs the SSL certificate and successfully tests the connection on the server. Soon after, the help desk begins receiving calls from users who are unable to log in. After further investigation, it becomes clear that no users have successfully connected to the web server since the certificate installation. Which of the following is MOST likely the issue?

Users are still accessing the IP address and not the HTTPS address.

53. During a recent security audit, an organization discovered that server configurations were changed without documented approval. The investigators have confirmed that configuration changes require elevated permissions, and the investigation has failed to identify specific user accounts that are making the configuration changes. Which of the following is MOST likely occurring?

Users have been sharing superuser account passwords

37. Employees receive a benefits enrollment email from the company's human resources department at the beginning of each year. Several users have reported receiving the email but are unable to log in to the website with their usernames and passwords. Users who enter the URL for the human resources website can log in without issue. Which of the following security issues is occurring?

Users received a social engineering email and were directed to an external website

38. The legal department of a cafe chain wants to ensure customers who are using the free WiFi system acknowledge review of the AUP. Which of the following would BEST meet this goal?

Utilize a captive portal whenever someone connects to WiFi

21. Which of the following is considered passive reconnaissance?

Utilizing WHOIS

The phones at a business are being replaced with VoIP phones that get plugged in-line between the switch and PC. The voice and data networks still need to be kept separate. Which of the following would allow for this?

VLAN

Which of the following should be implemented to stop an attacker from interacting with the hypervisor through another guest?

VM escape protection

28. Which of the following must be updated prior to conducting weekly cyber hygiene scans of a network?

Vulnerability signatures

25. A malicious actor compromises a legitimate website, configuring it to deliver malware to visitors of the website. Which of the following attacks does this describe?

Watering hole

45. A corporation with 35,000 employees replaces its staff laptops every three years. The social responsibility director would like to reduce the organization's carbon footprint and e-waste by donating the old equipment to a charity. Which of the following would be the MOST cost-and time- effective way for the corporation to prevent accidental disclosure of data and minimize additional cost to the charity?

Wiping

A security analyst has identified malware that is propagating automatically to multiple systems on the network. Which of the following types of malware is MOST likely impacting the network?

Worm

An engineer is configuring a wireless network using PEAP for the authentication protocol. Which of the following is required?

X 509 certificate on the server

12. A web-server application does not properly validate user input and is therefore vulnerable to injection-type attacks. Which of the following is MOST likely to be successful as a result?

XSS

15. A security administrator needs to have third-party connections for limited time periods on site. Which of the following solutions would MOST likely need to be created to segregate those connections from the corporate network?

a Wireless guest network

During incident response procedures, technicians capture a unique identifier for a piece of malware running in memory. This captured information is referred to as:

a hash value

A critical enterprise component whose loss or destruction would significantly impede business operations or have an outsized impact on corporate revenue is known as:

a mission-essential function

43. A security analyst is reviewing system logs to look for potential attacks against a website that is used to share trade secrets with vendors. The analyst notes there are many HTTPS sessions that have been downgraded from TLS 1.2 to SSL 3.0 as requested by the client. An attacker is MOST likely trying to exploit:

a poor implementation of cryptographic protocols.
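
Added example (not from the original flashcards): the two halves of what the analyst above needs, first the log review that lists every session negotiated below a protocol floor, then the server-side fix. The handshake log lines and their field layout are constructed; the floor of TLS 1.2 is an assumption. The fix uses the Python standard-library `ssl` module only to show the setting: a server that sets `minimum_version` refuses SSL 3.0 no matter what the client asks for, so a downgrade request can no longer succeed.

```python
import re
import ssl

PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Constructed handshake log; the field layout is assumed for this example
SAMPLE_LOG = """\
2024-03-01T10:00:01Z client=198.51.100.9 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2024-03-01T10:00:02Z client=203.0.113.44 proto=SSLv3 cipher=RC4-SHA
2024-03-01T10:00:03Z client=203.0.113.44 proto=SSLv3 cipher=AES128-SHA
2024-03-01T10:00:04Z client=198.51.100.23 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
2024-03-01T10:00:05Z client=192.0.2.8 proto=TLSv1 cipher=AES256-SHA
"""
LINE_RE = re.compile(r"client=(?P<client>\S+) proto=(?P<proto>\S+) cipher=(?P<cipher>\S+)")


def below_floor(log_text, floor="TLSv1.2"):
    """Return (client, proto, cipher) for every session negotiated below the floor."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and PROTOCOL_RANK.get(m["proto"], -1) < PROTOCOL_RANK[floor]:
            hits.append((m["client"], m["proto"], m["cipher"]))
    return hits


def clients_by_downgrade(log_text, floor="TLSv1.2"):
    """How many downgraded sessions each client address produced."""
    counts = {}
    for client, _, _ in below_floor(log_text, floor):
        counts[client] = counts.get(client, 0) + 1
    return counts


def hardened_server_context():
    """Server context that refuses anything below TLS 1.2 regardless of the client's request."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

A client that repeatedly completes handshakes at SSL 3.0 while the same server offers TLS 1.2 to everyone else is the pattern to hunt for; the only durable remediation is the floor on the server side, since a fallback that the client can trigger is exactly what the attacker relies on.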

1. Exploitation of a system using widely known credentials and network addresses that results in DoS is an example of:

default configurations

32. Smart home devices that are always on or connected, such as HVAC system components, introduce SOHO networks to risks because of:

default factory settings and constant communication channels to cloud servers

Buffer overflow can be avoided using proper:

input validation

During certain vulnerability scanning scenarios, it is possible for target system to react in unexpected ways. This type of scenario is MOST commonly known as:

intrusive testing

Penetration testing is distinct from vulnerability scanning primarily because penetration testing:

involves multiple active exploitation techniques

8. A pass-the-hash attack is commonly used to:

laterally move across the network

34. An organization has the following account naming conventions:

-User accounts must be generated in firstname.lastname format
-Privileged user accounts must be generated in x.firstname.lastname format

The organization's policy stipulates logins to production systems must use privileged accounts, but logins to lower environment systems may use either a regular or a privileged user account. The organization has the following servers:

HOSTNAME        ENVIRONMENT
devops1         development
devops2         development
staging server  staging
prod1           production
prod2           production

When auditing accounts, which of the following accounts would violate the organization's policy?

mary.smith on prod1
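
Added example (not part of the original flashcards): the audit from the question above as code, so the policy is enforced by pattern matching rather than by eye. The host table is the one in the question; the login records are constructed, with `mary.smith on prod1` taken from the answer and the others added to show a compliant privileged login, a regular login on a lower environment, and an account that does not follow either naming format at all.

```python
import re

REGULAR_RE = re.compile(r"^[a-z]+\.[a-z]+$")        # firstname.lastname
PRIVILEGED_RE = re.compile(r"^x\.[a-z]+\.[a-z]+$")  # x.firstname.lastname

# From the question: hostname -> environment
HOSTS = {
    "devops1": "development",
    "devops2": "development",
    "staging server": "staging",
    "prod1": "production",
    "prod2": "production",
}

# Constructed login records (account, host); only mary.smith on prod1 comes from the question
LOGINS = [
    ("x.john.doe", "prod1"),
    ("mary.smith", "prod1"),
    ("mary.smith", "devops1"),
    ("x.mary.smith", "staging server"),
    ("bob", "prod2"),
]


def classify(account):
    """privileged, regular, or malformed according to the naming convention."""
    if PRIVILEGED_RE.match(account):
        return "privileged"
    if REGULAR_RE.match(account):
        return "regular"
    return "malformed"


def audit(logins, hosts):
    """Return (account, host, reason) for every login that violates the policy."""
    violations = []
    for account, host in logins:
        env = hosts.get(host)
        kind = classify(account)
        if env is None:
            violations.append((account, host, "unknown host"))
        elif kind == "malformed":
            violations.append((account, host, "account name violates naming convention"))
        elif env == "production" and kind != "privileged":
            violations.append((account, host, "regular account used on a production system"))
    return violations
```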

1. A company wants to use internal directory services to authenticate users to the wireless network. Which of the following components can be used for part of the authentication architecture? (Select TWO)

802.1x RADIUS

Which of the following is a symmetric encryption algorithm that applies to the encryption over multiple iterations?

3DES

A company uses WPA2-PSK, and it appears there are multiple unauthorized devices connected to the wireless network. A technician suspects this is because the wireless password has been shared with unauthorized individuals. Which of the following should the technician implement to BEST reduce the risk of this happening in the future?

802.1X

46. A penetration tester has been hired to scan a company's network for potentially active hosts. The company's IPS system blocks the ICMP echo reply and echo request packets. Which of the following can be used to scan the network?

ARP

10. A computer forensics analyst collected a thumb drive that contained a single file with 500 pages of text. To ensure the file maintains its confidentiality, which of the following should the analyst use?

AES

7. Which of the following cryptographic algorithms can be used for full-disk encryption?

AES

40. A systems administrator performing routine maintenance notices a user's profile is sending GET requests to an external IP address. Which of the following BEST fits this IOC?

Bots

Which of the following can be used to increase the time needed to brute force a hashed password?

BCRYPT

10. A manager decides to terminate the DBA due to poor performance. Before the DBA's account is disabled, the DBA configured a daily task to perform the following on the database server: killall netcat netcat -l -p 4430 -e /bin/bash Which of the following did the DBA install?

Backdoor
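
Added example (not part of the original flashcards) covering this question and the two logic-bomb questions earlier on the page: a triage routine for startup items and scheduled tasks that tags a destructive command gated on a condition as a logic bomb, a listener that hands out a shell as a backdoor, and a document-looking filename with an executable extension as a double extension. The three suspicious entries are the batch file, the backup script and the cron line quoted in those questions; the benign rsync entry and the indicator patterns are constructed for this example and are deliberately narrow, not a complete ruleset.

```python
import re

DESTRUCTIVE = [
    r"\bdeltree\b",
    r"\brm\s+-rf\s+/",
    r"\bformat\s+[a-z]:",
    r"\bdel\s+/[sq]\b",
]
CONDITIONAL = r"\bif\b"
BIND_SHELL = r"\b(?:nc|netcat|ncat)\b[^\n]*\s-l\b[^\n]*\s-e\s+/bin/(?:ba)?sh\b"
DOUBLE_EXTENSION = r"\.(?:pdf|doc|docx|xls|jpg|txt)\.(?:exe|scr|bat|cmd|com)$"

# Constructed entries: the first three are the items quoted in the questions, the last is benign
ENTRIES = [
    ("where.pdf.exe", "@echo off if (c:\\file.txt) deltree C:\\"),
    ("backup.sh", "date = get_currentdate()\nif date = $userA.Birthdate then\n exec ' rm -rf /'\nend if"),
    ("crontab:dba", "0 2 * * * killall netcat; netcat -l -p 4430 -e /bin/bash"),
    ("crontab:backup", "0 1 * * * /usr/bin/rsync -a /srv /backup"),
]


def triage(name, content):
    """Return a set of tags describing why this startup or scheduled item is suspicious."""
    tags = set()
    destructive = any(re.search(p, content, re.IGNORECASE) for p in DESTRUCTIVE)
    if destructive and re.search(CONDITIONAL, content, re.IGNORECASE):
        tags.add("logic_bomb")        # destructive action gated on a trigger condition
    elif destructive:
        tags.add("destructive_command")
    if re.search(BIND_SHELL, content):
        tags.add("backdoor")          # listener that hands a shell to whoever connects
    if re.search(DOUBLE_EXTENSION, name, re.IGNORECASE):
        tags.add("double_extension")  # document-looking name, executable extension
    return tags


def triage_all(entries):
    """Map each entry name to its tags; an empty set means nothing matched."""
    return {name: triage(name, content) for name, content in entries}
```

The `killall netcat` in the DBA's cron line is itself a tell: it restarts the listener every day so the backdoor survives reboots and crashes, which is the same persistence goal as the registry Run key in the RAT question above.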

19. An administrator performs a workstation audit and finds one that has non-standard software installed. The administrator then requests a report to see if a change request was completed for the installed software. The report shows a request was completed. Which of the following has the administrator found?

Baseline Deviation

18. Which of the following enables a corporation to extend local security policies to corporate resources hosted in a CSP's infrastructure?

CASB

9. When an initialization vector is added to each encryption cycle, it is using the:

CBC cipher mode

An organization's Chief Information Officer (CIO) read an article that identified leading hacker trends and attacks, one of which is the alteration of URLs to IP addresses resulting in users being redirected to malicious websites. To reduce the chances of this happening in the organization, which of the following secure protocols should be implemented?

DNSSEC

A user attempts to send an email to an external domain and quickly receives a bounce-back message. The user then contacts the help desk stating the message is important and needs to be delivered immediately. While digging through the email logs, a system administrator finds the email and bounce-back details: Your email has been rejected because it appears to contain SSN information. Sending SSN information via email to external recipients violates company policy. Which of the following technologies successfully stopped the email from being sent?

DLP
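
Added example (not from the original flashcards): the content-inspection rule behind the bounce in the question above, as a small DLP check for outbound mail. The internal domain and the message samples are constructed. It goes a little beyond the question by validating candidate numbers against the SSA issuance rules (area 000, 666 and 9xx, group 00 and serial 0000 are never issued), which cuts the false positives that a bare `\d{3}-\d{2}-\d{4}` match produces on ticket and order numbers.

```python
import re

INTERNAL_DOMAIN = "example.com"   # assumption: the company's own mail domain

# NNN-NN-NNNN not embedded in a longer digit or hyphen run
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def is_plausible_ssn(area, group, serial):
    """SSA issuance rules: area not 000/666/9xx, group not 00, serial not 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    """Return the SSN-like values in the text that could actually have been issued."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def outbound_policy(recipients, body):
    """Return ('reject', reason) or ('deliver', None), as a DLP mail filter would."""
    ssns = find_ssns(body)
    external = [r for r in recipients if is_external(r)]
    if ssns and external:
        reason = (f"{len(ssns)} SSN-like value(s) addressed to external "
                  f"recipient(s) {', '.join(external)}")
        return ("reject", reason)
    return ("deliver", None)
```

A production DLP engine would also inspect attachments and look at context words ("SSN", "social security") to raise confidence, but the decision structure is the same: the policy fires on the combination of sensitive content and an external destination, not on either alone.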

2. Joe, a user, visited a banking website from a saved bookmark and logged in with his credentials. After logging in, Joe discovered he could not access any resources, and none of his account information would display. The next day, the bank called to report his account had been compromised. Which of the following MOST likely would have prevented this from occurring?

DNSSEC

14. An attacker has gained control of several systems on the internet and is using them to attack a website, causing it to stop responding to legitimate traffic. Which of the following BEST describes the attack?

DDoS

A NIPS administrator needs to install a new signature to observe the behavior of a worm that may be spreading over SMB. Which of the following signatures should be installed on the NIPS?

DENY from ANY:ANY to ANY:445 regex '.*SMB.*'

54. Users are being redirected to unusual sites while trying to access their company's benefits portal on the Internet. Which of the following protocols should the company enact to validate responses to queries using a form of digital signatures before returning them to the client?

DNSSEC

3. An organization allows the use of open source software as long as users perform a file integrity check on the executables and verify the file against hashes of known malware. A user downloads the following files from an open source website:

FILE NAME            MD5
webserver_81.exe     1E39 2210 FAEC 6AE4 243F 22CD 33DA 62E4
opendatabase_43.exe  2F36 12E0 123C 52E2 1A3E 10AE 23BB 72A3
webserver_82.exe     2F40 3221 33AD 8F34 1032 1ADC 13EF 51A4
opendatabase_44.exe  2A22 10AC 36AC 7789 10AF 12AA 23AA 51E6

After submitting the hashes to the malware registry, the user is alerted that 2F40 3221 33AD 8F34 1032 1ADC 13EF 51A4 matches a known malware signature. The organization has been running all of the above software with no known issues. Which of the following actions should the user take and why?

Do not run webserver_82.exe and notify the organization's cybersecurity office. The software is malware.
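
Added example (not part of the original flashcards) for this question and the GPO hash-blacklist question earlier on the page: hashing files and matching them against an indicator list. The files on the page cannot be reproduced here because their contents are not given, so the fixture is constructed: a "malicious" file, a renamed copy of it, and a copy with one byte appended. The point the code shows is that a hash indicator follows the bytes, not the name, so the renamed copy is still caught while the one-byte variant is not, which is why MD5 blocklists are fast but brittle. Both MD5 (what the page uses) and SHA-256 are computed, since MD5 is collision-prone and should not be the only identifier in a new indicator.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path, algorithms=("md5", "sha256"), chunk=1 << 16):
    """Stream the file once and compute every requested digest (lower-case hex)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, iocs):
    """iocs maps lower-case hex digest -> label. Returns (path, algorithm, label) per hit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            for algo, digest in hash_file(path).items():
                if digest in iocs:
                    hits.append((path, algo, iocs[digest]))
    return hits


def build_demo():
    """Constructed fixture in a temp dir; the indicator list is built from the first file."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    bad = os.path.join(root, "webserver_82.exe")
    with open(bad, "wb") as fh:
        fh.write(b"MZ\x90\x00 constructed sample content, not real malware\n")
    shutil.copy(bad, os.path.join(root, "totally_benign.png"))   # same bytes, new name
    with open(os.path.join(root, "webserver_82_patched.exe"), "wb") as fh:
        fh.write(b"MZ\x90\x00 constructed sample content, not real malware!\n")  # one byte more
    digests = hash_file(bad)
    iocs = {digests["md5"]: "IoC-1 (md5)", digests["sha256"]: "IoC-1 (sha256)"}
    return root, iocs


def demo():
    """Run the scan over the fixture and return sorted (basename, algorithm) hits."""
    root, iocs = build_demo()
    try:
        return sorted((os.path.basename(p), algo) for p, algo, _ in scan_tree(root, iocs))
    finally:
        shutil.rmtree(root)
```

When submitting hashes to a registry as the question describes, submit the file's own hash rather than trusting the hash published on the download page; the page can be altered along with the file.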

A technician wants to configure a wireless router at a small office that manages a family-owned dry cleaning business. The router will support five laptops, personal smartphones, a wireless printer and occasional guests. Which of the following wireless configurations is BEST implemented in this scenario?

Dual SSID with WPA2-PSK

1. A user's laptop is being analyzed because malware was discovered. The forensics analyst has taken the laptop off the corporate network. Following order of volatility, which of the following actions should be performed FIRST?

Dump the contents of the laptop's memory

47. An organization would like to set up a more robust network access system. The network administrator suggests the organization move to a certificate-based authentication setup in which a client-side certificate is used while connecting. Which of the following EAP types should be used to meet these criteria?

EAP-TLS

A technician wants to implement PKI-based authentication on an enterprise wireless network. Which of the following should the technician configure to enforce the use of client-side certificates?

EAP-TLS

8. A critical web application experiences slow response times during the end of a company's fiscal year. The web application typically sees a 35% increase in utilization during this time. The Chief Information Officer (CIO) wants an automated solution in place to deal with the annual spike. Which of the following does the CIO MOST likely want to implement?

Elasticity

A developer is creating a new web application on a public cloud platform and wants to ensure the application can respond to increases in load while minimizing costs during periods of low usage. Which of the following strategies is MOST relevant to the use-case?

Elasticity

Which of the following is a resiliency strategy that allows a system to automatically adapt to workload changes?

Elasticity

30. A common asymmetric algorithm utilizes the user's login name to create the key to encrypt communications. To ensure the key is different each time the user encrypts data, which of the following should be added to the login name?

Nonce

A new PKI is being built at a company, but the network administrator has concerns about spikes of traffic occurring twice a day due to clients checking the status of the certificates. Which of the following should be implemented to reduce the spikes in traffic?

OCSP

An auditor is requiring an organization to perform real-time validation of SSL certificates. Which of the following should the organization implement?

OCSP

51. Users accessing the ERP are indicating they cannot log on due to a certificate error. An analyst determines the current SSL certificate was compromised. Which of the following can the analyst use to revoke the certificate? (Select TWO)

OCSP
A CRL

A network administrator is configuring a honeypot in a company's DMZ. To provide a method for hackers to access the system easily, the company needs to configure a plaintext authentication method that will send only the username and password to a service in the honeypot. Which of the following protocols should the company use?

PAP

7. A penetration tester has accessed a publicly available search engine that is designed for security to look up the target's open vulnerabilities that can be exploited. Which of the following does this describe?

Passive Reconnaissance

Which of the following impacts MOST likely results from poor exception handling?

Privilege escalation

11. Which of the following are examples of two-factor authentication? (Select THREE)

Proximity reader and password
Smart card and PIN
Password and TOTP

A security administrator has been conducting an account permissions review that has identified several users who belong to functional groups and groups responsible for auditing the functional groups' actions. Several recent outages have not been able to be traced to any user. Which of the following should the security administrator recommend to preserve future audit log integrity?

Restricting audit group membership to service accounts

A company is implementing a remote access portal so employees can work remotely from home. The company wants to implement a solution that would securely integrate with a third party. Which of the following is the BEST solution?

SAML

26. After a risk analysis, an administrator is told that additional controls must be implemented to track user accountability. Which of the following accounts was MOST likely audited?

Shared

49. A company would like to transition its directory service from an OpenLDAP solution to Active Directory. The main goal for this project is security. All authentications to the domain controllers must be as secure as possible. Which of the following should the company use to achieve this goal?

Shibboleth

12. A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use?

Shredding

An organization handling highly confidential information needs to update its systems. Which of the following is the BEST method to prevent data compromise?

Shredding

17. An administrator wants to increase the ease of use for the employees by allowing a successful authentication from the network through LDAP to be passed to the ERP system for access. This implementation is an example of which of the following?

Single Sign-on

24. Which of the following involves the use of targeted and highly crafted custom attacks against a population of users who may have access to a particular service or program?

Spear phishing

17. All employees of an organization received an email message from the Chief Executive Officer (CEO) asking them for an urgent meeting in the main conference room. When the employees assembled, they learned the message received was not actually from the CEO. Which of the following BEST represents what happened?

Spear phishing attack

37. All employees of an organization received an email message from the Chief Executive Officer (CEO) asking them for an urgent meeting in the main conference room. When the employees assembled, they learned the message received was not actually from the CEO. Which of the following BEST represents what happened?

Spear-phishing attack

7. A security analyst is investigating a security breach involving the loss of sensitive data. A user passed the information through social media as vacation photos. Which of the following methods was used to encode their data?

Steganography

An organization has created a review process to determine how to best handle data with different sensitivity levels. The process includes the following requirements:
-Soft copy PII must be encrypted
-Hard copy PII must be placed in a locked container
-Soft copy PHI must be encrypted and audited monthly
-Hard copy PHI must be placed in a locked container and inventoried monthly
Locked containers must be approved and designated for document storage. Any violations must be reported to the Chief Security Officer (CSO). While searching for coffee in the kitchen, an employee unlocks a cabinet and discovers a list of customer names and phone numbers. Which of the following actions should the employee take?

Take custody of the document and immediately report the incident to the CSO

47. A healthcare company is determining which controls are required to meet a specific regulation. The company must not allow staff to utilize any third-party file-sharing services. Which of the following control types BEST meet the company's needs? (Select TWO)

Technical
Preventative

60. An analyst is trying to obtain a signed certificate from a CA by pasting a public key into the CA's web request form; however, it does not work, and an error is generated. Which of the following does the analyst need to paste into the web request form?

The OID

50. The web platform team is deploying a new web application. During testing, the team notices the web application is unable to create a TLS connection to the API gateway. The administrator created a firewall rule that permits TLS traffic from the web application server to the API gateway. However, the firewall logs show all traffic is being dropped. Which of the following is MOST likely causing the issue?

The TLS connection is running over a non-standard port

43. Which of the following BEST describes the concept of persistence in the context of penetration testing?

The ability of an attacker to retain access to a system despite the best efforts to dislodge an attacker

25. Following a breach, a forensic analyst reviewed system logs and determined that an attacker used an unknown account with elevated privileges on a computer to access organization files. Which of the following MOST likely occurred to allow the attacker to access the files?

The attacker used an active default administrator account to create new accounts with rights to access the files

39. A security analyst is conducting a vulnerability scan and comes across a scheduled task that runs a batch script. The analyst sees the following text when viewing the batch script's contents:
net use \\dc01\publicshare\files 1q2w3e4r /USER:ServiceAcct
copy *.bak \\dc01\publicshare\files\*.bak
Which of the following is the MOST likely reason for the analyst to flag this task?

The credentials are not encrypted

27. A vulnerability scan was run multiple times. The first time, the scan detected multiple operating system flaws. The second time, the scan indicated that a few third-party application programs required patching and no operating system flaws. Which of the following is the MOST likely cause for the different scan results?

The first scan had full-system scanning capabilities

A security analyst receives the following output:
Time: 12/15/2017
Action: Policy: Endpoint USB Transfer - Blocked
Host: Host1
File Name: Q3-Financials.PDF
User: User1
Which of the following MOST likely occurred to produce this output?

The host DLP prevented a file from being moved off a computer

46. A company recently hired several new help desk technicians. The security team has set the following requirements for the administrator accounts used by the new technicians:
-They are granted a separate administrator account to perform administrative duties.
-They must not be allowed to log on to local machines with the administrator account.
-They must set a password with a minimum length of eight characters and include one number and one special character.
-They must not be allowed to access systems after their predefined shift has ended.
-They must be placed in the help desk administrator user group.
Which of the following technical controls should be configured to BEST meet these requirements?

Time-of-day restrictions

41. The Chief Security Officer (CSO) for an online retailer received a report from a penetration test that was performed against the company's servers. After reviewing the report, the CSO decided not to implement the recommended changes due to cost; instead, the CSO increased the insurance coverage for data breaches. Which of the following describes how the CSO managed the risk?

Transference

5. An organization has the following account-naming conventions:
User accounts must be generated in firstname.lastname format.
Privileged user accounts must be generated in x.firstname.lastname format.
Service accounts must be generated in sv.application_environment format.
The organization has the following account policies:
Logins to lower environment servers must use non-privileged accounts.
Logins to production servers must use privileged accounts.
The organization has the application "Unicycles" running on the following servers:
HOSTNAME          ENVIRONMENT
accountingServer  Development
gamingServer      Staging
prodServer        Production
Which of the following accounts would violate either the organization's policy or naming convention? (Select TWO)

sv.unicycles_dev on gamingServer
sv.unicycles_dev on accountingServer

When conducting a penetration test, a pivot is used to describe a scenario in which:

the penetration tester uses pass-the-hash to gain access to a server via SMB, and then uses this server to SSH to another server

An organization uses an antivirus scanner from Company A on its firewall, an email system antivirus scanner from Company B, and an endpoint antivirus scanner from Company C. This is an example of:

vendor diversity

13. A security administrator begins assessing a network with software that checks for available exploits against a known database, using both credentials and external scripts. A report will be compiled and used to confirm patching levels. This is an example of:

vulnerability scanning
