Multiple Choice
A company recently experienced a security incident in which its domain controllers were the target of a DoS attack. In which of the following steps should technicians connect domain controllers to the network and begin authenticating users again? A. Preparation B. Identification C. Containment D. Eradication E. Recovery F. Lessons learned
E. Recovery
A local coffee shop runs a small WiFi hotspot for its customers that utilizes WPA2-PSK. The coffee shop would like to stay current with security trends and wants to implement WPA3 to make its WiFi even more secure. Which of the following technologies should the coffee shop use in place of PSK? A. WEP B. EAP C. WPA D. SAE
Explanation/Reference: In January 2018, the Wi-Fi Alliance announced WPA3 as a replacement to WPA2. The new standard uses 128-bit encryption in WPA3-Personal mode (192-bit in WPA3-Enterprise) and forward secrecy. The WPA3 standard also replaces the Pre-Shared Key exchange with Simultaneous Authentication of Equals as defined in IEEE 802.11-2016 resulting in a more secure initial key exchange in personal mode. The Wi-Fi Alliance also claims that WPA3 will mitigate security issues posed by weak passwords and simplify the process of setting up devices with no display interface. With WPA3 Wi-Fi Alliance also unveiled Wi-Fi Easy Connect, a feature that's supposed to simplify the process of pairing Wi-Fi devices without displays, such as IoT devices; and Wi-Fi Enhanced Open, an optional feature that allows for seamless encryption on open Wi-Fi hotspot networks.
A security analyst is hardening a large-scale wireless network. The primary requirements are the following: - Must use authentication through EAP-TLS certificates. - Must use an AAA server. - Must use the most secure encryption protocol. Given these requirements, which of the following should the analyst implement and recommend? (Select TWO). A. 802.1X B. 802.3 C. LDAP D. TKIP E. CCMP F. WPA2-PSK
A. 802.1X E. CCMP
A network administrator at a large organization is reviewing methods to improve the security of the wired LAN. Any security improvement must be centrally managed and allow corporate-owned devices to have access to the intranet but limit others to Internet access only. Which of the following should the administrator recommend? A. 802.1X utilizing the current PKI infrastructure. B. SSO to authenticate corporate users. C. MAC address filtering with ACLs on the router. D. PAM for users account management.
A. 802.1X utilizing the current PKI infrastructure
A sensitive manufacturing facility has recently noticed an abnormal number of assemble-line robot failures. Upon intensive investigation, the facility discovers many of the SCADA controllers have been infected by a new strain of malware that uses a zero-day flaw in the operating system. Which of the following types of malicious actions is MOST likely behind this attack? A. A nation-state B. A political hacktivist C. An insider threat D. A competitor
A. A nation-state
Which of the following is an example of resource exhaustion? A. A penetration tester requests every available IP address from a DHCP server. B. A SQL injection attack returns confidential data back to the browser. C. Server CPU utilization peaks at 100% during the reboot process. D. System requirements for a new software package recommend having 12GB or RAM, but only 8GB are available.
A. A penetration tester requests every available IP address from a DHCP server.
A security Administrator is reviewing the following firewall configuration after receiving reports that users are unable to connect to remote websites: 10 PERMIT FROM:ANY TO:ANY PORT:80 20 PERMIT FROM:ANY TO:ANY PORT:443 30 DENY FROM:ANY TO:ANY PORT:ANY Which of the following is MOST secure solution the administrator can implement to fix this issue? A. Add the following rule to the firewall: 5 PERMIT FROM:ANY TO:ANY PORT:53 B. Replace rule number 10 with the following: 10 PERMIT FROM:ANY TO:ANY PORT:22 C. Insert the following rule in the firewall: 25 PERMIT FROM:ANY TO:ANY PORTS:ANY D. Remove the following rule from the firewall: 30 DENY FROM:ANY TO:ANY PORT:ANY
A. Add the following rule to the firewall: 5 PERMIT FROM:ANY TO:ANY PORT:53
An organization recently implemented an account-lockout policy on its portal. The portal was configured to display a banner instructing locked-out users to contact the help desk. Which of the following tools should the security administrator use to test whether the account lockout policy is working correctly? A. An online password cracker B. A banner grabbing tool C. A port scanning tool D. A protocol analyzer
A. An online password cracker
An incident responder is preparing to acquire images and files from a workstation that has been compromised. The workstation is still powered on and running. Which of the following should be acquired LAST? A. Application files on hard disk B. Processor cache C. Processes in running memory D. Swap space
A. Application files on hard disk
A coffee company has hired an IT consultant to set up a WiFi network that will provide Internet access to customers who visit the company's chain of cafes. The coffee company had provided no requirements other than that customers should be granted access after registering via a web form and accepting the terms of service. Which of the following is the minimum acceptable configuration to meet this single requirement? A. Captive portal B. WPA with PSK C. Open WiFi D. WPS
A. Captive portal
A security analyst is assessing a small company's internal servers against recommended security practices. Which of the following should the analyst do to conduct the assessment? (Select TWO). A. Compare configurations against platform benchmarks B. Confirm adherence to the company's industry-specific regulations. C. Review the company's current baseline. D. Verify alignment with policy related to regulatory compliance. E. Run an exploitation framework to confirm vulnerabilities.
A. Compare configurations against platform benchmarks C. Review the company's current baseline.
A technician has installed a new AAA server, which will be used by the network team to control access to a company's routers and switches. The technician completes the configuration by adding the network team members to the NETWORK_TEAM group, and then adding the NETWORK_TEAM group to the appropriate ALLOW_ACCESS access list. Only members of the network team should have access to the company's routers and switches. NETWORK_TEAM Lee Andrea Pete ALLOW_ACCESS DOMAIN_USERS AUTHENTICATED_USERS NETWORK_TEAM Members of the network team successfully test their ability to log on to various network devices configured to use the AAA server. Weeks later, an auditor asks to review the following access log sample: 5/26/2017 10:20 PERMIT: LEE 5/27/2017 13:45 PERMIT: ANDREA 5/27/2017 09:12 PERMIT: LEE 5/28/2017 16:37 PERMIT: JOHN 5/29/2017 08:53 PERMIT: LEE A. Configure the ALLOW_ACCESS group logic to use AND rather than OR. B. Move the NETWORK_TEAM group to the top of the ALLOW_ACCESS access list. C. Disable group nesting for ALLOW_ACCESS group in the AAA server. D. Remove the DOMAIN_USERS group from the ALLOW_ACCESS group.
A. Configure the ALLOW_ACCESS group logic to use AND rather than OR.
A forensics analyst is investigating a hard drive for evidence of suspected illegal activity. Which of the following should the analyst do FIRST? A. Create a hash of the hard drive. B. Export the Internet history. C. Save a copy of the case number and date as a text file in the root directory. D. Back up the pictures directory for further inspection.
A. Create a hash of the hard drive.
A security professional wants to test a piece of malware that was isolated on a user's computer to document its effect on a system. Which of the following is the FIRST step the security professional should take? A. Create a sandbox on the machine. B. Open the file and run it. C. Create a secure baseline of the system state. D. Harden the machine.
A. Create a sandbox on the machine.
While testing a new vulnerability scanner, a technician becomes concerned about reports that list security concerns that are not present on the systems being tested. Which of the following BEST describes this flaw? A. False positives B. Crossover error rate C. Uncredentialed scan D. Passive security controls
A. False positives
A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The CIO wants to keep control over key visibility and management. Which of the following would be the BEST solution for the CIO to implement? A. HSM (Hardware Security Module) B. CA (Certificate Authority) C. SSH D. SSL
A. HSM (Hardware Security Module)
An organization wants to host an externally accessible web server that will not contain sensitive user information. Any sensitive information will be hosted on file servers. Which of the following is the BEST architecture configuration for this organization? A. Host the web server in a DMZ and the file servers behind a firewall. B. Host the web server and the file servers in a DMZ. C. Host the web server behind a firewall and the file servers in a DMZ. D. Host both the web server and file servers behind a firewall.
A. Host the web server in a DMZ and the file servers behind a firewall.
In order to prevent the possibility of a thermal shutdown, which of the following physical controls should be implemented in the datacenter? A. Hot and cold aisles B. Air-gapped servers C. Infrared detection D. Halon suppression
A. Hot and cold aisles
A security administrator is adding a NAC requirement for all VPN users to ensure the devices connecting are compliant with company policy. Which of the following items provides the HIGHEST assurance to meet this requirement? A. Implement a permanent agent. B. Install antivirus software. C. Use an agentless implementation. D. Implement PKI.
A. Implement a permanent agent.
A corporation is concerned that, if a mobile device is lost, any sensitive information on the device could be accessed by third parties. Which of the following would BEST prevent this from happening? (Select TWO). A. Initiate remote wiping on lost mobile devices. B. Use FDE and require PINs on all mobile devices. C. Use geolocation to track lost devices D. Require biometric logins on all mobile devices. E. Install antivirus on mobile endpoints. F. Patch cirtical vulnerabilities at least daily.
A. Initiate remote wiping on lost mobile devices. B. Use FDE and require PINs on all mobile devices.
A corporation is concerned that, if a mobile device is lost, any sensitive information on the device could be accessed by third parties. Which of the following would BEST prevent this from happening? (Select TWO). A. Initiate remote wiping on lost mobile devices. B. Use FDE and require PINs on all mobile devices. C. Use geolocation to track lost devices. D. Require biometric logins on all mobile devices. E. Install antivirus on mobile endpoints. F. Patch critical vulnerabilities at least daily.
A. Initiate remote wiping on lost mobile devices. B. Use FDE and require PINs on all mobile devices.
A small contracting company's IT infrastructure enables the processing of various levels of sensitive data for which not all employees have access. However, the employees share physical office space. Which of the following controls would help reduce the risk of accidental spillage of sensitive data? A. Install screen filters. B. Install cable locks for computers. C. Use an IDS within the employees' offices. D. Segment the network into VLANs E. Implement a DLP solution.
A. Install screen filters. Explanation/Reference: The key here is "sharing physical office space".
A security administrator has generated an SSH key pair to authenticate to a new server. Which of the following should the security administrator do NEXT to use the keys securely for authentication? (Select TWO). A. Install the public key on the server. B. Install the private key on the server. C. Encrypt the public key. D. Encrypt the private key. E. Install both keys on the server. F. Securely wipe the certificate signing request.
A. Install the public key on the server. D. Encrypt the private key.
Which of the following is a security consideration for IoT devices? A. IoT devices have built-in accounts that users rarely access. B. IoT devices have less processing capabilities. C. IoT devices are physically segmented from each other. D. IoT devices have purpose-built applications.
A. IoT devices have built-in accounts that users rarely access. Explanation/Reference: Top 10 IoT vulnerabilities - Weak, guessable, or hardcoded passwords. ... - Insecure network services. ... - Insecure ecosystem interfaces. ... - Lack of secure update mechanisms. ... - Use of insecure or outdated components. ... - Insufficient privacy protection. ... - Insecure data transfer and storage. ... - Lack of device management.
A company recently purchased a new application and wants to enable LDAP-based authentication for all employees using the application. Which of the following should be set to connect the application to connect the application to the company LDAP server in a secure in a secure manner? (Select two). A. LDAP Path: ou=users, dc=company,dc=com B. LDAP Path:dc=com,dc=company,ou=users C. Port 88 D. Port 636 E. Search filter: (cn=JoeAdmin)(ou=admins)(dc=company)(dc=com) F. Search filter: (cn=dc01)(ou=computers)(dc=com)(dc=company)
A. LDAP Path: ou=users, dc=company,dc=com D. Port 636
A network technician identified a web server that has high network utilization and crashes during peak business hours. After making a duplicate of the server, which of the following should be installed to reduce the business impact caused by these outages? A. Load balancer B. Layer 3 switch C. Traffic shaper D. Application proxy
A. Load balancer
Which of the following is MOST likely caused by improper input handling? A. Loss of database tables B. Untrusted certificate warning C. Power of reboot loop D. Breach of firewall ACLs
A. Loss of database tables
A security analyst is hardening access to a company portal and must ensure that when username and password combinations are used, a OTP is utilized to complete authentication and provide access to resources. Which of the following should the analyst configure on the company portal to BEST meet this requirement? A. MFA B. Secure PIN C. PKI D. Security questions
A. MFA
A network administrator was concerned during an audit that users were able to use the same passwords the day after a password change policy took effect. The following setting are in place: - Users must change their every 30 days. - Users cannot reuse the last 10 passwords. Which of the following settings would prevent users from being able to immediately reuse the same passwords? A. Minimum password age of five-days B. Password history of ten passwords C. Password length greater than ten characters D. Complex passwords must be used
A. Minimum password age of five-days
After patching computers with the latest application security patches/updates, users are unable to open certain applications. Which of the following will correct the issue? A. Modifying the security policy for patch management tools B. Modifying the security policy for HIDS/HIPS C. Modifying the security policy for DLP D. Modifying the security policy for media control
A. Modifying the security policy for patch management tools
A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions? A. Nmap B. Wireshark C. Autopsy D. DNSEnum
A. Nmap
A systems administrator wants to replace the process of using a CRL to verify certificate validity. Frequent downloads are becoming problematic. Which of the following would BEST suit the administrator's needs? A. OCSP B. CSR C. Key escrow D. CA
A. OCSP (Online Certificate Status Protocol)
After discovering the /etc/shadow file had been rewritten, a security administrator noticed an application insecurely creating files in /tmp. Which of the following vulnerabilities has MOST likely been exploited? A. Privilege escalation B. Resource exhaustion C. Memory leak D. Pointer dereference
A. Privilege escalation
A technician wants to add wireless guest capabilities to an enterprise wireless network that is currently implementing 802.1X EAP-TLS. The guest network must: - Support client isolation. - Issue a unique encryption key to each client. - Allow guest to register using their personal email addresses. Which of the following should the technician implement? (Select TWO). A. RADIUS Federation B. Captive portal C. EAP-PEAP D. WPA2-PSK E. A separate guest SSID F. P12 certificate format
A. RADIUS Federation B. Captive portal
The help desk received a call from a user who was trying to access a set of files from the day before, but received the following error message: File format not recognized. Which of the following types of malware MOST likely caused this to occur? A. Ransomware B. Polymorphic virus C. Rootkit D. Spyware
A. Ransomware
An organization's IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization's web servers. Given the organization's stated priorities, which of the following would be the NEXT step? A. Remove the affected servers from the network. B. Review firewall and IDS logs to identify possible source IPs. C. Identify and apply any missing operating system and software patched. D. Delete the malicious software and determine if the servers must be reimaged.
A. Remove the affected servers from the network.
Which of the following impacts are associated with vulnerabilities in embedded systems? (Select TWO). A. Repeated exploitation due to unpatchable firmware. B. Denial of service due to an integrated legacy operating system. C. Loss of inventory accountability due to device deployment. D. Key reuse and collision issues due to decentralized management. E. Exhaustion of network resources resulting from poor NIC management.
A. Repeated exploitation due to unpatchable firmware. D. Key reuse and collision issues due to decentralized management.
A system uses an application server and database server. Employing the principle of least privilege, only database administrators are given administrative privileges on the database server, and only application team members are given administrative privileges on the application server. Audit and log file reviews are performed by the business unit (a separate group from the database and application teams). The organization wants to optimize operational efficiency when application or database changes are needed, but it also wants to enforce least privilege, prevent modification of log files, and facilitate the audit and log review performed by the business unit. Which of the following approaches would BEST meet the organization's goals? A. Restrict privileges on the log file directory to "read only" and use a service account to send a copy of these files to the business unit. B. Switch administrative privileges for the database and application services. Give the application team administrative privileges on the database servers and the database team administrative privileges on the application servers. C. Remove administrative privileges from both the database and application servers and give the business unit "read only" privileges on the directories where the log files are kept. D. Give the business unit administrative privileges on both the database and application servers so they can independently monitor server activity.
A. Restrict privileges on the log file directory to "read only" and use a service account to send a copy of these files to the business unit.
Which of the following would provide a safe environment for an application to access only the resources needed to function while not having access to run at the system level? A. Sandbox B. Honeypot C. GPO D. DMZ
A. Sandbox
An organization is concerned about video emissions from users' desktops. Which of the following is the BEST solution to implement? A. Screen filters B. Shielded cables C. Spectrum analyzers D. Infrared detection
A. Screen filters
A company is deploying MFDs in its office to improve employee productivity when dealing with paperwork. Which of the following concerns is MOST likely to be raised as a possible security issue in relation to these devices? A. Sensitive scanned materials being saved on the local hard drive B. Faulty printer drivers causing PC performance degradation C. Improperly configured NIC settings interfering with network security D. Excessive disk space consumption due to storing large documents
A. Sensitive scanned materials being saved on the local hard drive
An organization has the following password policies: - Passwords must be at least 16 characters long. - A password cannot be the same as any previous 20 passwords. - Three failed login attempts will lock the account for 5 minutes. - Passwords must have one uppercase letter, one lowercase letter, and one non-alphanumeric symbol. A database server was recently breached, and the incident response team suspects the passwords were compromised. Users with permission on that database server were forced to change their passwords for that server. Unauthorized and suspicious logins are now being detected on a completely separate server. Which of the following is MOST likely the issue and the best solution? A. Some users are reusing passwords for different systems, the organization should scan for password reuse across systems. B. The organization has improperly configured single sign-on, the organization should implement a RADIUS server to control account logins. C. User passwords are not sufficiently long or complex the organization should increase the complexity and length requirements for passwords. D. The trust relationship between the two servers had been compromised; the organization should place each server on a separate VLAN.
A. Some users are reusing passwords for different systems, the organization should scan for password reuse across systems.
A user enters a password to log in to a workstation and is prompted for an authentication code. Which of the following MFA factors or attributes are being utilized in the authentication process? (Select TWO). A. Something you know B. Something you have C. Somewhere you are D. Someone you know E. Something you are F. Something you can do
A. Something you know B. Something you have
A security analyst is writing views for the SIEM. Some of the views are focused on activities of service accounts and shared accounts. Which of the following account management practices would BEST aid the analyst's efforts? A. Standard naming convention B. Role-based access control C. Rule-based access control D. Least-privilege standard
A. Standard naming convention
Which of the following is the MAIN disadvantage of using SSO? A. The architecture can introduce a single point of failure. B. Users need to authenticate for each resource they access. C. It requires an organization to configure federation. D. The authentication is transparent to the user.
A. The architecture can introduce a single point of failure.
A systems administrator is receiving multiple alerts from the company NIPS. A review of the NIPS (Network Intrusion Prevention System) logs shows the following: - reset both: 70.32.200.2:3194 -> 10.4.100.4:80 buffer overflow attempt - reset both: 70.32.200.2:3230 -> 10.4.100.4:80 directory traversal attack - reset client: 70.32.200.2:4019 -> 10.4.100.4:80 Blind SQL injection attack Which of the following should the systems administrator report back to management? A. The company web server was attacked by an external source, and the NIPS blocked the attack. B. The company web and SQL servers suffered a DoS caused by a misconfiguration of the NIPS. C. An external attacker was able to compromise the SQL server using a vulnerable web application. D. The NIPS should move from an inline mode to an out-of-band mode to reduce network latency.
A. The company web server was attacked by an external source, and the NIPS blocked the attack.
An application developer is working on a new calendar and scheduling application. The developer wants to test new functionally that is time/date dependent and set the local system time to one year in the future. The application also has a feature that uses SHA-256 hashing and AES encryption for data exchange. The application attempts to connect to a separate remote server using SSL, but the connection fails. Which of the following is the MOST likely cause and next step? A. The date is past the certificate expiration, reset the system to the current time and see if the connection still fails. B. The remote server cannot support SHA-256; try another hashing algorithm like SHA-1 and see if the application can correct. C. AES is date/time dependent, either reset the system time to the correct time or try a different encryption approach. D. SSL is not the correct protocol to use in this situation, change to TLS and try the client-server connection again.
A. The date is past the certificate expiration, reset the system to the current time and see if the connection still fails.
Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server? A. The document is a honeyfile and is meant to attract the attention of a cyberintruder. B. The document is a backup file if the system needs to be recovered. C. The document is a standard file that the OS needs to verify the login credentials. D. The document is a keylogger that stores all keystrokes should the account be compromised.
A. The document is a honeyfile and is meant to attract the attention of a cyberintruder.
The IT department receives a call one morning about users being unable to access files on the network shared drives. An IT technician investigates and determines the files became encrypted at 12:00 a.m. While the files are being recovered from backups, one of the IT supervisors realizes the day is the birthday of a technician that was fired two months prior. Which of the following describes what most likely occurred? A. The fired technician placed a logic bomb B. The fired technician installed a rootkit on all the affected user's computers C. The fired technician installed ransomware on the file server D. The fired technician left a network worm on an old work computer
A. The fired technician placed a logic bomb. Explanation/Reference: Logic bombs go off at a certain day/time.
Which of the following is the proper use of a Faraday cage? A. To block electronic signals sent to erase a cell phone B. To capture packets sent to a honeypot during an attack C. To protect hard disks from access during a forensics investigation D. To restrict access to a building allowing only one person to enter at a time
A. To block electronic signals sent to erase a cell phone
which of the following is the BEST use of a WAF? A. To protect sites on web servers that are publicly accessible B. To allow access to web services of internal users of the organization C. To maintain connection status of all HTTP requests D. To deny access to all websites with certain contents
A. To protect sites on web servers that are publicly accessible
In highly secure environments where the risk of malicious actors attempting to steal data is high, which of the following is the BEST reason to deploy Faraday cages? A. To provide emanation control to prevent credential harvesting B. To minimize signal attenuation over distances to maximize signal strength C. To minimize external RF interference with embedded processors D. To protect the integrity of audit logs from malicious alteration
A. To provide emanation control to prevent credential harvesting
During a risk assessment, results show that a fire in one of the company's datacenters could cost up to $20 million in equipment damages and lost revenue. As a result, the company insures the datacenter for up to $20 million in damages for the cost of $30,000 a year. Which of the following risk response techniques has the company chosen? A. Transference B. Avoidance C. Mitigation D. Acceptance
A. Transference
In which of the following risk management strategies would cybersecurity insurance be used? A. Transference B. Avoidance C. Acceptance D. Mitigation
A. Transference
An organization utilizes network devices that only support a remote administration protocol that sends credentials in cleartext over the network. Which of the following should the organization do to improve the security of the remote administration sessions? A. Upgrade the devices to models that support SSH. B. Enforce PPTP with CHAP for network devices. C. Implement TACACS+ on the organization's network. D. Replace SNMPv1 with SNMPv2c on network devices.
A. Upgrade the devices to models that support SSH.
A systems administrator is installing and configuring an application service that requires access to read and write to log and configuration files on a local hard disk partition. The service must run as an account with authorization to interact with the file system. Which of the following would reduce the attack surface added by the service and account? (Select TWO). A. Use a unique managed service account. B. Utilize a generic password for authenticating. C. Enable and review account audit logs. D. Enforce least possible privileges for the accounts. E. Add the account to the local administrators group. F. Use a guest account placed in a non-privileged users group.
A. Use a unique managed service account. D. Enforce least possible privileges for the accounts.
The exploitation of buffer-overrun vulnerability in a application will MOST likely lead to: A. arbitrary code execution. B. resource exhaustion. C. exposure of authentication credentials. D. dereferencing of memory pointers.
A. arbitrary code execution.
A transitive trust: A. is automatically established between a parent and a child. B. is used to update DNS records. C. allows access to untrusted domains. D. can be used in place of a hardware token for logins.
A. is automatically established between a parent and a child.
A systems administrator wants to determine if two DNS servers are configured to have the same record for IP address 192.168.1.10. The systems administrator has verified the record on Server1 and now needs to verify the record on Server2. Which of the following commands should the systems administrator run? A. nslookup server2 192.168.1.10 B. nc -1 -p 53 192.168.1.10 -e server2 C. tcpdump 01nv host 192.168.1.10 on host server2 D. dig -x 192.168.1.10 @server2
A. nslookup server2 192.168.1.10 Explanantion/Reference: - dig = Linux. - nslookup = Windows. If it doesn't say Linux, assume Windows.
A network administrator is ensuring current account policies and procedures are following best practives and will not be flagges in an upcoming audit. While running reports on current group memberships, the network administrator logs the following access: *Table* Upon further review, the network administrator discovers all of these employees have been in their current positions for at least two years. Which of the following practices should the network administrator recommend for this scenario? A. permission and usage reviews that occur on a regularly scheduled basis B. Separating of duties and time-of-day restrictions for accounts with privileged access C. Inactive account disablement and setting of expiration dates for all new service accounts D. Immediate review of group nesting policies to prevent excessive permissions from occurring again
A. permission and usage reviews that occur on a regularly scheduled basis
Moving laterally within a network once an initial exploit is used to gain persistent access for the purpose of establishing further control of a system is known as: A. pivoting B. persistence C. active reconnaissance D. a backdoor
A. pivoting
A company is experiencing an increasing number of systems that are locking up on Windows startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat. @echo off Lasdhbawdhbasdhbawdhb start notepad.exe start notepad.exe start calculator.exe start calculator.exe goto asdhbawdhbasdhbawdhb Given the file contents and the system's ensures, which of the following types of malware is present? A. rootkit B. Logic bomb C. Worm D. Virus
A. rootkit
Using a one-time code that has been texted to a smartphone is an example of: A. something you have. B. something you are. C. something you know. D. something you do.
A. something you have.
Requiring a user to enter a password as part of a multifactor authentication approach is an example of: A. something you know. B. something you have. C. something you are. D. something you do.
A. something you know.
An organization has established the following account management practices with respect to naming conventions: - User accounts must have firstname.lastname - Privileged user accounts must be named x.firstname.lastname - Service accounts must be named sv.applicationname_environment There is an application called "Unicycle inventory" running in the development (dev), staging (stg), and production (prod) environments. Mary Smith, the systems administrator, is checking account permissions on the application servers in the development environment. Which of the following accounts should she expect to see? (Select TWO). A. x.mary.smith B. sv.unicycleinventory_dev C. sv.unicycleinventory_stg D. sv.unicycleinventory_prod E. mary.smith
A. x.mary.smith B. sv.unicycleinventory_dev
A security analyst is running a credential-based vulnerability scanner on a Windows host. The vulnerability scanner is using the protocol NetBIOS over TCP/IP to connect to various systems. however, the scan does not return any results. To address the issue, the analyst should ensure that which of the following default ports is open on systems? A. 135 B. 137 C. 3389 D. 5060
B. 137
Which of the following encryption algorithms require one encryption key? (Select TWO). A. MD5 B. 3DES C. BCRYPT D. RC4 E. DSA
B. 3DES D. RC4
A security analyst wants to ensure the integrity of a file downloaded from the Internet The name of the file is code.zip. The analyst uses the vendor website to determine the 160-bit fingerprint of the input, and then reviews the following output: 8532f8c0bcb335cf231ec09e02da8f77e921e4c0 code.zip Which of the following can be determined from this output? A. A message digest of 160 bits should be SHA-1 hash. The message digest listed is for MD5. B. A message digest of 160 bits should be SHA-1 hash. The message digest listed is for SHA-1. C. A message digest of 160 bits should be MD5 hash. The message digest listed is for MD5. D. A message digest of 160 bits should be MD5 hash. The message digest listed is for SHA-1.
B. A message digest of 160 bits should be SHA-1 hash. The message digest listed is for SHA-1.
Which of the following BEST represents the difference between white-box and black-box penetration testing methodologies? A. The use of NDAs B. Access to source code C. Internal vs. external access D. Authenticated vs. unauthenticated
B. Access to source code
A forensics investigator is examining a number of unauthorized payments that were reported on the company's website. Some unusual log entries show users received an email for an unwanted mailing attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be: <a href="https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250">Click here to unsubscribe</a> Which of the following will the forensics investigator MOST likely determine has occurred? A. SQL injection B. CSRF C. XSS D. XSRF
B. CSRF Explanation/Reference: CSRFs are typically conducted using malicious social engineering, such as an email or link that tricks the victim into sending a forged request to a server. As the unsuspecting user is authenticated by their application at the time of the attack, it's impossible to distinguish a legitimate request from a forged one.
An organization wishes to allow its users to select devices for business use but does not want to overwhelm the service desk with requests for too many different devices types and models. which of the following deployment models should the organization use to BEST meet these requirements? A. VDI environment B. CYOD model C. DAC model D. BYOD model
B. CYOD model
A forensic analyst needs to collect physical evidence that may be used in legal proceedings. Which of the following should be used to ensure the evidence remains admissible in court? A. Bit-level image B. Chain of custody C. Log capture D. Incident response plan
B. Chain of custody
A healthcare company is revamping its IT strategy in light of recent regulations. The company is concerned about compliance and wants to use a pay-per-use model. Which of the following is the BEST solution? A. On-premise hosting B. Community cloud C. Hosted infrastucture D. Public SaaS
B. Community cloud
An administrator wants to implement two-factor authentication. Which of the following methods would provide two-factor authentication when used with a user's fingerprint? A. Voice print B. Complicated password C. Iris scan D. Facial recognition
B. Complicated password
Which of the following incident response steps involves actions to protect critical systems while maintaining business operations? A. Investigation B. Containment C. Recovery D. Lessons learned
B. Containment
New legal requirements have been announced regarding the storage of PII. An organization is concerned about the protections in place, and only authorized individuals have access. Which of the following roles is responsible for defining which individuals should be permitted access to data sets? A. Custodian B. Data owner C. Administrator D. Compliance officer
B. Data owner
A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent the exfiltration of data? (Select TWO). A. VPN B. Drive Encryption C. Network firewall D. File-level encryption E. USB blocker F. MFA
B. Drive Encryption E. USB blocker
A state-sponsored threat actor has launched several successful attacks against a corporate network. Although the target has a robust patch management program in place, the attacks continue in depth and scope, and the security department has no idea how the attacks are able to gain access. Given that patch management and vulnerability scanner are being used, which of the following would be used to analyze the attack methodology? A. rogue system detection B. Honeypots C. Next-generation firewall D. Penetration test
B. Honeypots
Fuzzing is used to reveal which of the following vulnerabilities in web applications? A. Weak cipher suites B. Improper input handling C. DLL injection D. Certificate signing flaws
B. Improper input handling
A network technician needs to monitor and view the websites that are visited by an employee. The employee is connected to a network switch. Which of the following would allow the technician to monitor the employee's web traffic? A. Implement promiscuous mode on the NIC of the employee's computer. B. Install and configure a transparent proxy server. C. Run a vulnerability scanner to capture DNS packets on the router. D. Configure the VPN to forward packets to the technician's computer.
B. Install and configure a transparent proxy server.
A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Select TWO). A. PAP (Password Auth. Protocol) B. MSCHAP C. PEAP D. NTLM E. SAML
B. MSCHAP C. PEAP
Which of the following is the MOST likely motivation for a script kiddie threat action? A. Financial gain B. Notoriety C. Political expression D. Corporate espionage
B. Notoriety
A company has an AUP (Acceptable Use Policy) in place that employees must adhere to while using the corporate network. A captive portal links the AUP every time an employee accesses any external network resource, limiting how much company time can be spent on social media sites to less than one-hour per-day total. A security analyst had pulled logs and is analyzing the current output: *Table - New Q40* Based on this output, which of the following is MOST likely security issue that has been discovered by the security team? A. Insider threat B. Policy violation C. Social engineering D. Content filter failure
B. Policy violation
A technician is auditing network security by connecting a laptop to open hardwired jacks within the facility to verify they cannot connect. Which of the following is being tested? A. Layer 3 routing B. Port security C. Secure IMAP D. SMIME
B. Port security
Which of the following BEST describes the concept of perfect forward secrecy? A. Using quantum random numbers generation to make decryption effectively impossible B. Preventing cryptographic reuse so a compromise of one operation does not affect other operations C. Implementing elliptic curve cryptographic algorithms with true random numbers D. The use of NDAs and policy controls to prevent disclosure of company secrets
B. Preventing cryptographic reuse so a compromise of one operation does not affect other operations
During a forensic investigation, which of the following must be addressed FIRST according to the order of volatility? A. Hard drive B. RAM C. Network attached storage D. USB flash drive
B. RAM
Which of the following BEST distinguishes Agile development from other methodologies in terms of vulnerability management? A. Cross-functional teams B. Rapid deployments C. Daily standups D. Peer review E. Creating user stories
B. Rapid deployments
All account executives are being provided with COPE (corporate-owned personally-enabled) devices for their use. Which of the following mobile device security practices should be enabled for these devices to protect company data? (Select TWO). A. Screen locks B. Remote wipe C. Containerization D. Full device encryption E. Push notification services
B. Remote wipe D. Full device encryption
An organization is struggling to differentiate threats from normal traffic and access to systems. A security engineer has been asked to recommend a system that will aggregate data and provide metrics that will assist in identifying malicious actions or other anomalous activity throughout the environment. Which of the following solutions should the engineer recommend? A. Web application firewall B. SIEM C. IPS D. UTM E. File integrity monitor
B. SIEM
A security administrator is configuring parameters on a device. The administrator fills out the following information: username uauserauth SHA1 Y3$oR0i3&1xM priv AES128 *@IOtx43qK Which of the following protocols is being configured? A. DNSSEC B. SNMPv3 C. LDAPS D. Secure IMAP E. Secure POP
B. SNMPv3
A Chief Security Officer (CSO) was notified that a customer was able to access confidential internal company files on a commonly used file-sharing service. The file sharing service is the same one used by the company staff as one of the approved third-party applications. After further investigation, the the security team determines that the sharing of confidential files was accidental and not malicious. However the CSO want to implement changes to minimize this type of incident from reoccurring but does not want to impact existing business processes. Which of the following would BEST meet the CSO's objectives? A. DLP (Data Loss Prevention) B. SWG (Secure Web Gateway) C. CASB (Cloud Access Security Broker) D. Virtual network segmentation E. Container security
B. SWG Explanation/Reference: Secure Web Gateway A secure web gateway offers protection against online security threats by enforcing company security policies and filtering malicious internet traffic in real-time. At a minimum, a secure web gateway offers URL filtering, application controls for web applications and the detection and filtering of malicious code. Data leak prevention features are also essential.
Which of the following is a deployment concept that can be used to ensure only the required OS access is exposed to software applications? A. Staging environment B. Sandboxing C. Secure baseline D. Trusted OS
B. Sandboxing
Which of the following documents would provide specific guidance regarding ports and protocols that should be disabled on an operating system? A. Regulatory requirements B. Secure configuration guide C. Application installation guide D. User manuals
B. Secure configuration guide
The IT Department at a university is concerned about professors placing servers on the university network in an attempt to bypass security controls. Which of the following BEST represents this threat? A. A script kiddie B. Shadow IT C. Hacktivism D. White hat
B. Shadow IT
A systems administrator is auditing the company's Active Directory environment. It is quickly noted that the username "company\bsmith" is interactively logged into several desktops across the organization. Which of the following has the systems administrator MOST likely come across? A. Service account B. Shared credentials C. False positive D. Local account
B. Shared credentials
An administrator is disposing of media that contains sensitive information. Which of the following will provide the MOST effective method to dispose of the media while ensuring the data will be unrecoverable? A. Wipe the hard drive. B. Shred the hard drive. C. Sanitize all of the data. D. Degauss the hard drive.
B. Shred the hard drive.
A security analyst was performing a BIA for a web commerce company and identified that one server in the entire network is responsible for the front-end site. Which of the following BEST describes the potential impact this poses to the organization? (Select TWO). A. Privacy non-compliance B. Single point of failure C. Application overload D. Low recovery point objective E. Short MTTR metrics
B. Single point of failure C. Application overload
Ann a user reported to the service desk that many files on her computer will not open or the contents are not readable. The service desk technician asked Ann if she encountered any strange messages on boot up or login, and Ann indicated that she did not. which of the following has MOST likely occurred on Ann's computer? A. The hard drive is failing and files are being corrupted. B. The computer has been infected with crypto-malware. C. A replay attack has occurred. D. A keylogger has been installed.
B. The computer has been infected with crypto-malware.
Which of the following BEST explains the difference between a data owner and a data custodian? A. The data owner is responsible for adhering to the rules for using the data, while the data custodian is responsible for determining the corporate governance regarding the data. B. The data owner is responsible for determining how the data will be used, while the data custodian for implementing the protections on the data. C. The data owner is responsible for controlling the data, while the data custodian is responsible for maintaining the chain of custody when handling the data. D. The data owner grants the technical permissions for data access, while the data custodian maintains the database access controls to the data.
B. The data owner is responsible for determining how the data will be used, while the data custodian for implementing the protections on the data.
An email recipient is unable to open a message encrypted through PKI that was sent from another organization. Which of the following does the recipient need to decrypt the message? A. The sender's private key B. The recipient's private key C. The recipient's public key D. The CA's root certificate E. The sender's public key F. An updated CRL
B. The recipient's private key Correction: E. The sender's public key Explanation/Reference: Encrypted with senders private key, decrypt with senders public key.
Which of the following may indicate a configuration item has reached end-of-life? A. The device will no longer turn on and indicates an error. B. The vendor has not published security patches recently. C. The object has been removed from the Active Directory. D. Logs show a performance degradation of the component.
B. The vendor has not published security patches recently.
Which of the following is a reason why an organization would define an AUP? A. To define the lowest level of privileges needed for access and use of the companies resources B. To define the set of rules and behaviors for users of the organization's IT systems C. To define the partnership between two organizations D. To define the availability and reliability characteristics between an IT provider and a consumer
B. To define the set of rules and behaviors for users of the organization's IT systems
A network technician discovered the usernames and passwords used for network device configuration have been compromised by a user with a packet sniffer. Which of the following would secure the credentials from sniffing? A. Implement complex passwords. B. Use SSH for remote access. C. Configure SNMPv2 for device management. D. Use TFTP to copy device configuration
B. Use SSH for remote access.
An organization relies on third-party video conferencing to conduct daily business. Recent security changes now require all remote workers to utilize a VPN to corporate resources. Which of the following would BEST maintain high-quality video conferencing while minimizing latency when connected to the VPN? A. Using geographic diversity to have VPN terminators closer to end users. B. Using split tunneling so only for corporate offices is encrypted. C. Purchasing higher bandwidth connections to meet the increased demand. D. Configuring QoS properly on the VPN concentrators.
B. Using split tunneling so only for corporate offices is encrypted.
A service provider recently upgraded one of the storage clusters that houses non-confidential data for clients. The storage provider wants the hard drives back in working condition. Which of the following is the BEST method for sanitizing the data given the circumstances? A. Hashing B. Wiping C. Purging D. Degaussing
B. Wiping Explanation/Reference: Wiping refers to overwriting a drive with all 0's, all 1's, or random data. It's important to wipe a drive once before disposing of it to make your data unrecoverable, but additional wipes offer a false sense of security. Advantages of Overwrite: There are several benefits to sanitizing storage devices by overwriting the data. First, overwriting offers the ability to securely erase user data. In addition, there is a feedback mechanism to ensure the drive is correctly sanitized. This feedback is accomplished by reading every byte on the device to ensure it is of a certain value that matches the overwrite pattern. Overwrite allows traceability by generating a serialized log of each affected storage device. The overwrite software can read the drive serial number automatically and generate a log to verify the process. Additionally, a significant benefit, especially to businesses, is preserving the economic value of the device and the ability to reuse the equipment or re-sell it. The ability to reuse devices without compromising sensitive data can be a significant cost factor especially for large organizations.
A penetration tester is checking to see if an internal system is vulnerability to an attack using a remote listener. Which of the following commands should the penetration tester use to verify if this vulnerability exists? (Select TWO). A. tcpdump B. nc C. nmap D. nslookup E. tail F. tracert
B. nc C. nmap
A system administrator suspects that a MITM attack is underway on the local LAN. Which of the following commands should the administrator use to confirm the hypothesis and determine which workstation is launching the attack? A. nmap B. tracert C. arp D. netstat
B. tracert
A security analyst is responsible for assessing the security posture of a new high-stakes application that is currently in the production environment but has not yet been made available to systems users. Which of the following would provide the security analyst with the most comprehensive assessment of the application's ability to withstand unauthorized access attempts? A. Dynamic analysis. B. vulnerability scanning. C. Static code scanning. D. Stress testing.
B. vulnerability scanning.
Which of the following represents a multifactor authentication system? A. An iris scanner coupled with a palm print reader and fingerprint scanner with liveness detection. B. A secret passcode that prompts the user to enter a secret key if entered correctly. C. A digital certificate on a physical token that is unlocked with a secret passcode. D. A one-time password token combined with a proximity badge.
C. A digital certificate on a physical token that is unlocked with a secret passcode.
Which of the following categories would the use of proximity cards, smart cards, and RSA tokens be considered when they are used together? A. Multifactor authenticatoin B. Administrative control C. Access control D. Biometrics
C. Access control
Joe, a contractor, is hired by a firm to perform a penetration test against the firm's infrastructure. While conducting the scan, he receives only the network diagram and the network list to scan against the network. Which of the following scan types is Joe performing? A. Authenticated B. White box C. Automated D. Grey box
C. Automated
A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the fastest check with the least delay to determine if the certificate has been revoked. Which of the following would BEST meet these requirements? A. RA B. OCSP (Online Certificate Status Protocol) C. CRL (Certificate Revocation List) D. CSR
C. CRL (Certificate Revocation List) Explanation/Reference: The key is. fastest check with least delay.
Which of the following is a passive method to test whether transport encryption is enabled? A. Black box penetration test B. Port scan C. Code analysis D. Banner grabbing
C. Code analysis
A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service Unavailable error. The analyst runs a netstat-an command to discover if the web server is up and listening. The analyst receives the following output. TCP 10.1.5.2:80 192.168.2.112.60973 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112.60974 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112.60975 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112.60976 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112.60977 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112.60978 TIME_WAIT Which of the following types of attack is the analyst seeing? A. Buffer overflow B. Domain hijacking C. Denial of service D. ARP poisoning
C. Denial of service
A malicious actor recently penetrated a company's network and moved laterally to the datacenter. Upon investigation, a forensics firm wants to know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm? A. Security B. Application C. Dump D. Syslog
C. Dump
A security administrator's review of network logs indicates unauthorized network access, the source of which appears to be wired data jacks in the lobby area. Which of the following represents the BEST course of action to prohibit this access? A. Enabling BDPU guard B. Enabling loop prevention C. Enabling port security D. Enabling anti-spoofing
C. Enabling port security
A company moved into a new building next to a sugar mill Cracks have been discovered in the walls of the server room, which is located on the same side as the sugar mill loading docks. The cracks are believed to have been caused by heavy trucks. Moisture has begin to seep into the server room, causing extreme humidification problems and equipment failure. Which of the following BEST describes the type of threat the organization faces? A. Foundational B. Man-made C. Environmental D. Natural
C. Environmental
The Chief Executive Officer (CEO) of a fast-growing company no longer knows all the employees and is concerned about the company's intellectual property being stolen by an employee. Employees are allowed to work remotely with flexible hours, creating unpredictable schedules. Roles are poorly defined due to frequent shifting needs across the company. Which of the following new initiatives by the information security team would BEST secure the company and mitigate the CEO's concerns? A. Begin simulation phishing campaigns for employees and follow up with additional security awareness training. B. Seed company fileshares and servers with text documents containing fake passwords and then monitor for their use. C. Implement DLP to monitor data transfer between employee accounts and external parties and services. D. Report data from a user-behavior monitoring tool and assign security analysis to review it daily.
C. Implement DLP to monitor data transfer between employee accounts and external parties and services. Explanation/Reference: The key is to PREVENT the exfiltration of data.
A company employee recently retired, and there was a schedule delay because no one was capable of filling the employee's position. Which of the following practices would BEST help to prevent this situation in the future? A. Mandatory vacation B. Separation of duties C. Job rotation D. Exit interviews
C. Job rotation
A company notices that at 10 a.m. every Thursday, three users' computers become inoperable. The security analyst team discovers a file called where.pdf.exe that runs on system startup. The contents of where.pdf.exe are shown below: @echo off if [c:\file.txt] deltree C:\ Based on the above information, which of the following types of malware was discovered? A. Rootkit B. Backdoor C. Logic bomb D. RAT
C. Logic bomb Explanation/Reference: 'if' means logic bomb because a logical condition must be met because the script executes.
An attacker had obtained the user ID and password of a datacenter's backup operator and has gained access to a production system. Which of the following would be the attacker's NEXT action? A. Perform a passive reconnaissance of the network. B. Initiate a confidential data exfiltration process. C. Look for known vulnerabilities to escalate privileges. D. Create an alternate user ID to maintain persistent access.
C. Look for known vulnerabilities to escalate privileges. Explanation/Reference: Step 3 in penetration testing or hacking is gaining access: This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a target's vulnerabilities. Testers then try and exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.
A computer forensics analyst collected a flash drive that contained a single file with 500 pages of text. Which of the following algorithms should the analyst use to validate the integrity of the file? A. 3DES B. AES C. MD5 D. RSA
C. MD5
A security team has downloaded a public database of the largest collection of password dumps on the Internet. This collection contains the cleartext credentials of every major breach for the last four years. The security team pulls and compares users' credentials to the database and discovers that more that 30% of the users were still using passwords discovered in this list. Which of the following would be the BEST combination to reduce the risks discovered? A. Password length, password encryption, password complexity. B. Password complexity, least privilege, password reuse. C. Password reuse, password complexity, password expiration. D. Group policy, password history, password encryption.
C. Password reuse, password complexity, password expiration.
A government agency with sensitive information wants to virtualize its infrastructure. Which of the following cloud deployment models BEST fits the agency's needs? A. Public B. Community C. Private D. Hybrid
C. Private
A technician is recommending preventative physical security controls for the server room. Which of the following would the technician MOST likely recommend? (Select TWO) A. Geofencing B. Video surveillance C. Protected cabinets D. Mantrap E. Key exchange F. Authorized personnel signage
C. Protected cabinets D. Mantrap
A chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the public-facing servers in the domain. Which of the following is a secure solution that is the MOST cost effective? A. Create and install a self-signed certificate on each of the servers in the domain. B. Purchase a load balancer and install a single certificate on the load balancer. C. Purchase a wildcard certificate and implement it on every server. D. Purchase individual certificates and apply them to the individual servers.
C. Purchase a wildcard certificate and implement it on every server.
A small retail business has a local store and a newly established and growing online storefront. A recent storm caused a power outage to the business and the local ISP, resulting in several hours of lost sales and delayed order processing. The business owner now needs to ensure two things: - Protection from power outages. - Always-available connectivity in case of an outage. The owner has decided to implement battery backup for the computer equipment. Which of the following would BEST fulfill the owner's second need? A. Lease a telecommunications line to provide POTS for dial-up access. B. Connect the business router to its own dedicated UPS. C. Purchase services from a cloud provider for high availability. D. Replace the business's wired network with a wireless network.
C. Purchase services from a cloud provider for high availability.
A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA? A. Onetime passwords B. Email tokens C. Push notifications D. Hardware authentication
C. Push notifications
A technician is investigating a report of unusual behivior and slow performance on a company-owned Laptop. The technician runs a command and reviews the following information: *Table - New Q36* Based on the above information, which of the following types of malware should the technician report? A. Spyware B. Rootkit C. RAT D. Logic bomb
C. RAT
A user receives a security alert pop-up from the host-based IDS, and a few minutes later notices a document on the desktop has disappeared and in its place is an odd filename with no icon image. When clicking on this icon, the receives a system notification that it cannot find the correct program to use to open this file. Which of the following types of malware has MOST likely targeted this workstation? A. Rootkit B. Spyware C. Ransomware D. Remote-Access Trojan
C. Ransomware
A human resources manager needs to be able to view all employees' salary and annual increase information, but the payroll manager needs view and edit access to the employee's salary and benefits selections. Which of the following is the BEST access control method to implement? A. Mandatory access control B. Rule-based access control C. Role-based control D. Discretionary access control
C. Role-based control
An organization is drafting an IRP and needs to determine which employees have the authority to take systems offline during an emergency situation. Which of the following is being outlined? A. Reporting and escalation procedures B. Permission auditing C. Roles and responsibilities D. Communication methodologies
C. Roles and responsibilities
A company has just experienced a malware attack affecting a large number of desktop users. The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as ,Troj.Generic'. Once the security team found a solution to remove the malware, they were able to remove the malware files successfully, and the HIDS stopped alerting. The next morning, however, the HIDS once again started alerting on the same desktops, and the security team discovered the files were back. which of the following BEST describes the type of malware infecting this company's network? A. Trojan B. Spyware C. Rootkit D. Botnet
C. Rootkit
An incident response analyst in a corporate security operation center receives a phone call from an SOC analyst. The SOC analyst explains the help desk recently reimaged a workstation that was suspected of being infected with an unknown type of malware, however, even after reimaging the host continued to generate SIEM alerts. Which of the following types of malware is MOST likely responsible for producing the SIEM alerts? A. Ransomware B. Logic bomb C. Rootkit D. Adware
C. Rootkit
An intruder sniffs network traffic and captures a packet of internal network transactions that add funds to a game card. The intruder pushes the same packet multiple times across the network, which increments the funds on the game card. Which of the following should a security administrator implement to BEST protect against this type of attack? A. An IPS B. A WAF C. SSH D. An IPsec VPN
C. SSH
While monitoring the SIEM, a security analyst observes traffic from an external IP to an IP address of the business network on port 443. Which of the following protocols would MOST likely cause this traffic? A. HTTP B. SSH C. SSL D. DNS
C. SSL
An organizations' policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevents users from using any of their previous 12 passwords. The organization does not use single sign-on, nor does it centralize storage of passwords. The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation. Which of the following BEST describes what is happening? A. Some users are meeting password complexity requirements but not password length requirements. B. The password history is insufficient, and old passwords are still valid across many different systems. C. Some users are reusing passwords, and some of the compromised passwords are valid on multiple systems. D. The compromised password file has been brute-force hacked, and the complexity requirements are not adequate to mitigate this risk.
C. Some users are reusing passwords, and some of the compromised passwords are valid on multiple systems.
An attacker is able to capture the payload for the following packet: IP 192.168.1.22:2020 10.10.10.5:443 IP 192.168.1.10:1030 10.10.10.1:21 IP 192.168.1.57:5217 10.10.10.1:3389 During an investigation, an analyst discovers that the attacker was able to capture the information above and use it to log on to other servers across the company. Which of the following is the MOST likely reason? A. The attacker has exploited a vulnerability that is common associated with TLS1.3. B. The application server is also running a web server that has been compromised. C. The attacker is picking off unencrypted credentials and using those to log in to the secure server. D. User accounts have been improperly configured to allow single sign-on across multiple servers.
C. The attacker is picking off unencrypted credentials and using those to log in to the secure server. Explanation/Reference: 443 = HTTPS 21 = FTP 3389 = RDS
A developer wants to use a life-cycle model that utilizes a cascade model and has a definite beginning and end to each stage. Which of the following models BEST meets this need? A. Agile B. Iterative C. Waterfall D. Spiral
C. Waterfall
Which of the following is one of the fundamental differences between the Agile and waterfall development models? A. Agile development sprints do not end until all tasks assigned to a sprint are completed. B. Waterfall models account for schedule slippage by moving individual tasks to later phases. C. Waterfall development takes place in well-defined linear cycles planned in advance of the entire project. D. Agile development plans all sprints in advance of the initial project kickoff.
C. Waterfall development takes place in well-defined linear cycles planned in advance of the entire project.
During a OpenVAS scan, it was noted that the RDP port was open. Upon further investigation, the port was verified as being open. This is an example of: A. a false positive. B. a false negative. C. a true positive. D. a true negative.
C. a true positive.
When a malicious user is able to retrieve sensitive information from RAM, the programmer has failed to implement. A. session keys. B. encryption of data at rest. C. encryption of data in use. D. ephemeral keys.
C. encryption of data in use.
An organization wants to set up a wireless network in the most secure way. Budget is not a major consideration, and the organization is willing to accept some complexity when clients are connecting. It is also willing to deny wireless connectivity for clients who cannot be connected in the most secure manner. Which of the following would be the MOST secure setup that conforms to the organizations's requirements? A. Enable WPA2-PSK for older clients and WPA2-Enterprise for all other clients. B. Enable WPA2-PSK, disable all other modes, and implement MAC filtering along with port security. C. use WPA2-Enterprise with RADIUS and disable pre-shared keys. D. Use WPA2-PSK with a 24-character complex password and change the password monthly.
C. use WPA2-Enterprise with RADIUS and disable pre-shared keys.
A network administrator was provided the following output from a vulnerability scan: *Table - New Q70* The network administrator has been instructed to prioritize remediation efforts based on overall risk to the enterprise. Which of the following plugin IDs should be remediated FIRST? A. 10 B. 11 C. 12 D. 13 E. 14
D. 13 Explanation/Reference: 1 < 4 - low 4 < 6 - Medium 6 < 10 - High 10 - Critical
A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file download from a social media site and subsequently installed it without the user's knowledge. Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker MOST likely use to gain access? A. A bot B. A fileless virus C. A logic bomb D. A RAT
D. A RAT Explanation/Reference: A Remote Access Trojan (RAT) is a type of malware that allows hackers to monitor and control your computer or network. But how does a RAT work, why do hackers use them, and how do you avoid them?
A security analyst is performing a BIA. The analyst notes that in a disaster, failover systems must be up and running within 30 minutes. The failover systems must use backup data that is no older than one hour. Which of the following should the analyst include in the business continuity plan? A. A maximum MTTR (Mean Time To Recovery) of 30 minutes B. A maximum MTBF (Mean Time Between Failure) of 30 minutes C. A maximum RTO (Recovery Time Objective) of 60 minutes D. A maximum RPO (Recovery Point Objective) of 60 minutes E. An SLA (Service Level Agreement) guarantee of 60 minutes
D. A maximum RPO (Recovery Point Objective) of 60 minutes
A security administrator wants to implement a system that will issue digital security tokens, which require the following: - The token-generating system must be distributed and decentralized. - The validity of each token must be verifiable. - Transaction and token integrity are more important that the confidentiality of the token.' Which of the following should the administrator implement? A. PKI with OCSP B. GPG C. Web of trust D. Blockchain E. Cryptographic service provider
D. Blockchain
A security administrator wants to better prepare the incident response team for possible security events. The IRP has been updated and distributed to incident response team members. Which of the following is the BEST option to fulfill the administrator's objective? A. Identify the members' roles and responsibilities. B. Select a backup/failover location. C. Determine the order of restoration. D. Conduct a tabletop test.
D. Conduct a tabletop test.
An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the following is the BEST way for the organization to integrate with the cloud application? A. Upload a separate list of users and passwords with a batch import. B. Distribute hardware tokens to the users for authentication to the cloud. C. Implement SAML with the organization's server acting as the identity provider. D. Configure a RADIUS federation between the organization and the cloud provider.
D. Configure a RADIUS federation between the organization and the cloud provider.
An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues. Which of the following should a security engineer employ to fulfill the requirements for the manager? A. Install a web application firewall. B. Install HIPS on the team's workstations. C. Implement containerization on the workstations. D. Configure whitelisting for the team.
D. Configure whitelisting for the team.
A company has had a BYOD policy in place for many years and now wants to role out a MDM solution. End users are voicing concerns about the company having access to their personal devices vis the MDM solution. Which of the following should the company implement to ease these concerns? A. Sideloading B. Full disk encryption C. Application management D. Containerization
D. Containerization
A fire that occurred after-hours created significant damage to a company's server room. The Chief Information Officer (CIO) was notified of the fire the next morning and was instructed to relocated the computer center to the corporate hot site. Which of the following should the CIO activate? A. Business impact analysis B. Succession plan C. Reporting requirements/escalation D. Continuity of operations plan
D. Continuity of operations plan
To further secure a company's email system, an administrator is adding public keys to DNS records in the company's domain.Which of the following is being used? A. PFS B. SPF C. DMARC D. DNSSEC
D. DNSSEC
A security administrator is setting up a SIEM to help monitor for notable events across the enterprise. Which of the following control types does this BEST represent? A. Preventative B. Compensating C. Corrective D. Detective
D. Detective
Which of the following control types are alerts sent from a SIEM fulfilling based on vulnerability signatures? A. Preventive B. Corrective C. Compensating D. Detective
D. Detective
Which of the following attacks is used to capture the WPA2 handshake? A. Replay B. IV C. Evil twin D. Disassociation
D. Disassociation
Which of the following ready resources is a cold site MOST likely to have? A. Servers B. Workstations C. Internet access D. Electricity
D. Electricity
A forensic analyst is creating a report of findings for litigation purposes. The analyst must ensure data is preserved using all elements of the CIA triad. Given this scenario, which of the following should the analyst use to BEST meet these requirements? A. Hashing for confidentiality, full backups for integrity, and encryption for availability B. Full backups for confidentiality, encryption for integrity, and hashing for availability C. Hashing for confidentiality, encryption for integrity, and full backup for availability D. Encryption for confidentiality, hashing for integrity, and full backups for availability
D. Encryption for confidentiality, hashing for integrity, and full backups for availability
A dumpster diver was able to retrieve hard drives from a competitor's trash bin. After installing the hard drives and running common data recovery software, sensitive information was recovered. In which of the following ways did the competitor apply media sanitation? A. Pulverizing B. Degaussing C. Encrypting D. Formatting
D. Formatting
A security administrator in a bank is required to enforce an access control policy so no single individual is allows to both initiate and approve financial transactions. Which of the following BEST represents the impact the administrator is deterring? A. Principle of least privilege B. External intruder C. Conflict of interest D. Fraud
D. Fraud
A company network is currently under attack. Although security controls are in place to stop the attack, the security administrator needs more information about the types of attacks being used. Which of the following network types would BEST help the administrator gather this information? A. DMZ B. Guest network C. Ad hoc D. Honeynet
D. Honeynet
A Chief Security Office's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives? A. Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares. B. Purchase cyber insurance from a reputable provider to reduce expenses during an incident. C. Invest in end-user awareness training to change the long-term culture and behavior of staff and executives, reducing the organization's susceptibility to phishing attacks. D. Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.
D. Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.
A security administrator has completed a monthly review of DNS server query logs. The administrator notices continuous name resolution attempts from a large number of internal hosts to a single Internet addressable domain name. The administrator then correlates those logs with the establishment of persistent TCP connections out to this domain. The connections seem to be carrying on the order of kilobytes of data per week. Which of the following is the MOST likely explanation for this anomaly? A. An attacker is exfiltrating large amounts of proprietary company data. B. Employees are playing multiplayer computer games. C. A worm is attempting to spread to other hosts via SMB exploits. D. Internal hosts have become members of a botnet.
D. Internal hosts have become members of a botnet.
A security administrator is investigating a possible account compromise. The administrator logs onto a desktop computer, executes the command notepad.exe c:\Temp\qkakforlkgfkja.log and reviews the following: - Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r - https://www.portal.com\rjohnuser\rilovemycat2 Given the above output, which of the following is the MOST likely cause of this compromise? A. Virus B. Worm C. Rootkit D. Keylogger
D. Keylogger
A security administrator is configuring a network switch to support group-based VLAN assignments via a remote NAC server. The NAC server will determine the user's VLAN based on a directory service group membership upon authentication and will push the VLAN to the switch. Which of the following features should be configured on the switch to support this requirement? A. SNMP B. SCP C. SFTP D. LDAP
D. LDAP
After a systems administrator installed and configured Kerberos services, several users experienced authentication issues. Which of the following should be installed to restore these issues? A. RADIUS server B. NTLM service C. LDAP service D. NTP server
D. NTP server
Which of the following command line tools would be BEST to identify the services running in a server? A. Traceroute B. Nslookup C. lpconfig D. Netstat
D. Netstat
A security administrator needs to conduct a full inventory of all encryption protocols and cipher suites. Which of the following tools will the security administrator use to conduct this inventory MOST efficiently? A. tcpdump B. Protocol analyzer C. Netstat D. Nmap
D. Nmap
A security technician must prevent unauthorized external access from stolen passwords. Which of the following authentication methods would allow users to use their current passwords while enhancing security? A. Biometrics B. Cognitive passwords C. Trusted platform module D. One-time password
D. One-time password Explanation/Reference: A one-time password (OTP), also known as one-time pin or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has (such as a small keyring fob device with the OTP calculator built into it, or a smartcard or specific cellphone) as well as something a person knows (such as a PIN). The most important advantage that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it will no longer be valid. A second major advantage is that a user who uses the same (or similar) password for multiple systems, is not made vulnerable on all of them, if the password for one of these is gained by an attacker. A number of OTP systems also aim to ensure that a session cannot easily be intercepted or impersonated without knowledge of unpredictable data created during the previous session, thus reducing the attack surface further. OTPs have been discussed as a possible replacement for, as well as enhancer to, traditional passwords. On the downside, OTPs are difficult for human beings to memorize. Therefore, they require additional technology to work.
A security technician is configuring a new firewall appliance for a production environment. The firewall must support secure web services for client workstations on the 10.10.10.0/24 network. The same client workstations are configured to contact a server at 192.168.1.15/24 for domain name resolution. Which of the following rules should the technician add to the firewall to all this connectivity for the client workstations? (Select TWO). A. Permit 10.10.10.0/24 0.0.0.0 -p tcp -- dport 22 B. Permit 10.10.10.0/24 0.0.0.0 -p tcp -- dport 80 C. Permit 10.10.10.0/24 192.168.1.15/24 -p udp -- dport 21 D. Permit 10.10.10.0/24 0.0.0.0 -p tcp -- dport 443 E. Permit 10.10.10.0/24 192.168.1.15/24 -p tcp -- dport 53 F. Permit 10.10.10.0/24 192.168.1.15.24 -p udp -- dport 53
D. Permit 10.10.10.0/24 0.0.0.0 -p tcp -- dport 443 F. Permit 10.10.10.0/24 192.168.1.15.24 -p udp -- dport 53 Explanation/Reference: HTTPS is secure on TCP Port 443. DNS name lookups are on UDP Port 53
A mobile application developer wants to secure an application that transmits sensitive information. Which of the following should the developer implement to prevent SSL MITM attacks? A. Stapling B. Chaining C. Signing D. Pinning
D. Pinning
A security analyst is interested in setting up an IDS (Intrusion Detection System) to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic. Which of the following should be used for the IDS implementation? A. network tap B. Honeypot C. Aggregation D. Port mirror
D. Port mirror Explanation/Reference: A network tap is a hardware device that's installed on your network. It enables network traffic to pass through unimpeded while duplicating all data to a monitor port where it can be accessed by a network analyzer. Port mirroring, on the other hand, is a capability built into many high-end networking devices.
A company is examining possible locations for a hot site. Which of the following considerations is of MOST concern if the replication technology being used is highly sensitive to network latency? A. Connection to multiple power substations B. Location proximity to the production site C. Ability to create separate caged space D. Positioning of the site across international borders
D. Positioning of the site across international borders
Which of the following would MOST likely be a result of improperly configured user accounts? A. Resource exhaustion B. Buffer overflow C. Session hijacking D. Privilege escalation
D. Privilege escalation
During a company sponsored phishing exercise, more than 25% of the employees clicked on the link embedded in the message. Of the employees who clicked the link. 75% then entered their user credentials on the website provided. Which of the following would be the BEST way to improve the metrics for the next exercise? A. Implement stringent mail filters and controls at the mail gateway to prevent phishing messages from reaching employees. B. Block the website contained in the phishing message on the proxy to prevent employees from entering their credentials. C. Increase the complexity requirements for employee passwords and deactivate inactive accents to reduce the attack surface. D. Provide security awareness training focused on identifying and responding to phishing messages.
D. Provide security awareness training focused on identifying and responding to phishing messages. Explanation/Reference: Must address the weakest link - humans.
A company recently implemented a new security system. in the course of configuration, the security administrator adds the following entry: #Whitelist USB\VID_13FE&PID_4127&REV_0100 Which of the following security technologies is MOST likely being configured? A. Application whitelisting B. HIDS C. Data execution prevention D. Removable media control
D. Removable media control
A user wants to send a confidential message to a customer to ensure unauthorized users cannot access the information. Which of the following can be used to ensure the security of the document while in transit and at rest? A. BCRYPT B. PGP C. FTPS D. S/MIME
D. S/MIME
After being alerted to potential anomalous activity related to trivial DNS lookups, a security analyst looks at the following output of implemented firewall rules: *Table - New Q175* The analyst notices that the expected policy has no hit count for the day. Which of the following MOST likely occurred? A. Data execution prevention is enabled. B. The VLAN is not trunked properly. C. There is a policy violation for DNS lookups. D. The firewall policy is misconfigured.
D. The firewall policy is misconfigured. Explanation/Reference: Misconfigured because UDP is not available on the first line.
A user has lost access to all organization resources on a mobile device but can still get to personal email, the internet, and other applications. The organization uses MDM on company devices. The user contacts the services desk for assistance, but there are no other issues reported or outages of company email or mobile application. Which of the following has MOST likely occurred to cause this issue? A. Allowable authentication methods were set to pattern, but the user changed it to a complex password. B. The organization enabled encryption for the devices through the MDM. C. The organization enabled screen lock for the devices through the MDM. D. The user rooted the mobile device, which caused the MDM software to disable all company access.
D. The user rooted the mobile device, which caused the MDM software to disable all company access.
Which of the following is the purpose of an industry-standard framework? A. To promulgate compliance requirements for sales of common IT systems B. To provide legal relief to participating organizations in the event of a security breach C. To promulgate security settings on a vendor-by-vendor basis D. To provide guidance across common system implementations
D. To provide guidance across common system implementations
A technician is designing a solution that will be required to process sensitive information, including classified government data. The system needs to be common criteria certified. Which of the following should the technician select? A. Security baseline B. Hybrid cloud solution C. Open-source software applications D. Trusted operating system
D. Trusted operating system
A security analyst is trying to improve the security posture of an organization. The analyst has determined there is a significant risk of pass-the-hash attacks on the desktop computers within the company. Which of the following would help to reduce the risk of this type of attack? A. Require the desktop OS to use a stronger password hash. B. Prevent credentials from being cached on the desktops. C. Use TLS encryption in which plain text credentials are transmitted. D. Use salts on the password hashes to prevent offline cracking attempts. E. Require that passwords meet high length and complexity requirements.
D. Use salts on the password hashes to prevent offline cracking attempts.
A network administrator is implementing multifactor authentication for employees who travel and use company devices remotely by using the company VPN. Which of the following would provide the required level of authentication? A. 802.1X and OTP B. Fingerprint scanner and voice recognition C. RBAC and PIN D. Username/Password and TOTP
D. Username/Password and TOTP
An organization has hired a security analyst to perform a penetration test. The analyst captures 1GB worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap? A. Nmap B. cURL C. Netcat D. Wireshark
D. Wireshark
A company has a backup site with equipment on site without any data. This is an example of: A. a hot site. B. a cold site. C. a hot standby. D. a warm site.
D. a warm site.
A preventive control differs from a compensating control in that a preventive control is: A. put in place to mitigate a weakness in a user control. B. deployed to supplement an existing control that is EOL. C. relied on to address gaps in the existing control structure. D. designed to specifically mitigate a risk.
D. designed to specifically mitigate a risk.
A credentialed vulnerability scan is often preferred over a non-credentialed scan because credentialed scans: A. generate more false positives. B. rely solely on passive measures. C. are always non-intrusive. D. provide more accurate data.
D. provide more accurate data.
Which of the following is an example of federated access management? A. Windows passing user credentials on a peer-to-peer network B. Applying a new user account with a complex password C. Implementing a AAA framework from network access D. using a popular website login to provide access to another website
D. using a popular website login to provide access to another website