SEC+ 4/4
QUESTION 873 In which of the following risk management strategies would cybersecurity insurance be used? A. Transference B. Avoidance C. Acceptance D. Mitigation
A
QUESTION 906 Which of the following is a component of multifactor authentication? A. RADIUS B. SSO C. Transitive trust D. OTP
A
QUESTION 754 Which of the following provides PFS? A. AES B. RC4 C. DHE D. HMAC
C
QUESTION 862 Which of the following attacks is used to capture the WPA2 handshake? A. Replay B. IV C. Evil twin D. Disassociation
D
QUESTION 1000 Which of the following attacks can be mitigated by proper data retention policies? A. Dumpster diving B. Man-in-the-browser C. Spear phishing D. Watering hole
A
QUESTION 951 Which of the following are the BEST selection criteria to use when assessing hard drive suitability for time-sensitive applications that deal with large amounts of critical information? (Select TWO). A. MTBF B. MTTR C. SLA D. RTO E. MTTF F. RPO
A, B
QUESTION 1010 An analyst has determined that a server was not patched and an external actor exfiltrated data on port 139. Which of the following sources should the analyst review to BEST ascertain how the incident could have been prevented? A. The vulnerability scan output B. The security logs C. The baseline report D. The correlation of events
B
QUESTION 1012 A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP connections. The analyst is unsure what is required to perform the task and solicits help from a senior colleague. Which of the following is the FIRST step the senior colleague will most likely tell the analyst to perform to accomplish this task? A. Create an OCSP B. Generate a CSR C. Create a CRL D. Generate a .pfx file.
B
QUESTION 1014 A technician is auditing network security by connecting a laptop to open hardwired jacks within the facility to verify they cannot connect. Which of the following is being tested? A. Layer 3 routing B. Port security C. Secure IMAP D. S/MIME
B
QUESTION 1015 A network technician discovered the usernames and passwords used for network device configuration have been compromised by a user with a packet sniffer. Which of the following would secure the credentials from sniffing? A. Implement complex passwords B. Use SSH for remote access C. Configure SNMPv2 for device management D. Use TFTP to copy device configuration
B
QUESTION 1016 A company is looking for an all-in-one solution to provide identification, authentication, authorization, and accounting services. Which of the following technologies should the company use? A. Diameter B. SAML C. Kerberos D. CHAP
B
QUESTION 1027 An organization discovers that unauthorized applications have been installed on company-provided mobile phones. The organization issues these devices, but some users have managed to bypass the security controls. Which of the following is the MOST likely issue, and how can the organization BEST prevent this from happening? A. The mobile phones are being infected with malware that covertly installs the applications. Implement full disk encryption and integrity-checking software. B. Some advanced users are jailbreaking the OS and bypassing the controls. Implement an MDM solution to control access to company resources. C. The mobile phones have been compromised by an APT and can no longer be trusted. Scan the devices for the unauthorized software, recall any compromised devices, and issue completely new ones. D. Some advanced users are upgrading the devices' OS and installing the applications. The organization should create an AUP that prohibits this activity.
B
QUESTION 1028 A user is unable to obtain an IP address from the corporate DHCP server. Which of the following is MOST likely the cause? A. Default configuration B. Resource exhaustion C. Memory overflow D. Improper input handling
B
QUESTION 1029 A security engineer is concerned about susceptibility to HTTP downgrade attacks because the current customer portal redirects users from port 80 to the secure site on port 443. Which of the following would be MOST appropriate to mitigate the attack? A. DNSSEC B. HSTS C. Certificate pinning D. OCSP
B
QUESTION 751 A state-sponsored threat actor has launched several successful attacks against a corporate network. Although the target has a robust patch management program in place, the attacks continue in depth and scope, and the security department has no idea how the attacks are able to gain access. Given that patch management and vulnerability scanners are being used, which of the following would be used to analyze the attack methodology? A. Rogue system detection B. Honeypots C. Next-generation firewall D. Penetration test
B
QUESTION 767 The president of a company that specializes in military contracts receives a request for an interview. During the interview, the reporter seems more interested in discussing the president's family life and personal history than the details of a recent company success. Which of the following security concerns is this MOST likely an example of? A. Insider threat B. Social engineering C. Passive reconnaissance D. Phishing
B
QUESTION 769 A company is experiencing an increasing number of systems that are locking up on Windows startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat:
@echo off
:asdhbawdhbasdhbawdhb
start notepad.exe
start notepad.exe
start calculator.exe
start calculator.exe
goto asdhbawdhbasdhbawdhb
Given the file contents and the system's issues, which of the following types of malware is present? A. Rootkit B. Logic bomb C. Worm D. Virus
B
QUESTION 771 A company is examining possible locations for a hot site. Which of the following considerations is of MOST concern if the replication technology being used is highly sensitive to network latency? A. Connection to multiple power substations B. Location proximity to the production site C. Ability to create separate caged space D. Positioning of the site across international borders
B
QUESTION 775 The Chief Information Officer (CIO) has determined the company's new PKI will not use OCSP. The purpose of OCSP still needs to be addressed. Which of the following should be implemented? A. Build an online intermediate CA. B. Implement a key escrow. C. Implement stapling. D. Install a CRL.
B
QUESTION 780 An attacker has obtained the user ID and password of a datacenter's backup operator and has gained access to a production system. Which of the following would be the attacker's NEXT action? A. Perform a passive reconnaissance of the network. B. Initiate a confidential data exfiltration process. C. Look for known vulnerabilities to escalate privileges. D. Create an alternate user ID to maintain persistent access.
B
QUESTION 781 An organization's IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization's web servers. Given the organization's stated priorities, which of the following would be the NEXT step? A. Remove the affected servers from the network. B. Review firewall and IDS logs to identify possible source IPs. C. Identify and apply any missing operating system and software patches. D. Delete the malicious software and determine if the servers must be reimaged.
B
QUESTION 782 During a security audit of a company's network, unsecure protocols were found to be in use. A network administrator wants to ensure browser-based access to company switches is using the most secure protocol. Which of the following protocols should be implemented? A. SSH2 B. TLS1.2 C. SSL1.3 D. SNMPv3
B
QUESTION 787 An administrator is disposing of media that contains sensitive information. Which of the following will provide the MOST effective method to dispose of the media while ensuring the data will be unrecoverable? A. Wipe the hard drive. B. Shred the hard drive. C. Sanitize all of the data. D. Degauss the hard drive.
B
QUESTION 788 Which of the following is the MOST likely motivation for a script kiddie threat actor? A. Financial gain B. Notoriety C. Political expression D. Corporate espionage
B
QUESTION 789 After discovering a security incident and removing the affected files, an administrator disabled an unneeded service that led to the breach. Which of the following steps in the incident response process has the administrator just completed? A. Containment B. Eradication C. Recovery D. Identification
B
QUESTION 797 Which of the following documents would provide specific guidance regarding ports and protocols that should be disabled on an operating system? A. Regulatory requirements B. Secure configuration guide C. Application installation guides D. User manuals
B
QUESTION 813 A coding error has been discovered on a customer-facing website. The error causes each request to return confidential PHI data for the incorrect organization. The IT department is unable to identify the specific customers who are affected. As a result, all customers must be notified of the potential breach. Which of the following would allow the team to determine the scope of future incidents? A. Intrusion detection system B. Database access monitoring C. Application fuzzing D. Monthly vulnerability scans
B
QUESTION 821 Which of the following BEST describes the concept of perfect forward secrecy? A. Using quantum random number generation to make decryption effectively impossible B. Preventing cryptographic reuse so a compromise of one operation does not affect other operations C. Implementing elliptic curve cryptographic algorithms with true random numbers D. The use of NDAs and policy controls to prevent disclosure of company secrets
B
QUESTION 824 Which of the following is a reason why an organization would define an AUP? A. To define the lowest level of privileges needed for access and use of the organization's resources B. To define the set of rules and behaviors for users of the organization's IT systems C. To define the intended partnership between two organizations D. To define the availability and reliability characteristics between an IT provider and consumer
B
QUESTION 834 Fuzzing is used to reveal which of the following vulnerabilities in web applications? A. Weak cipher suites B. Improper input handling C. DLL injection D. Certificate signing flaws
B
QUESTION 839 Ann, a user, reported to the service desk that many files on her computer will not open or the contents are not readable. The service desk technician asked Ann if she encountered any strange messages on boot-up or login, and Ann indicated she did not. Which of the following has MOST likely occurred on Ann's computer? A. The hard drive is failing, and the files are being corrupted. B. The computer has been infected with crypto-malware. C. A replay attack has occurred. D. A keylogger has been installed.
B
QUESTION 844 A systems administrator is auditing the company's Active Directory environment. It is quickly noted that the username "company\bsmith" is interactively logged into several desktops across the organization. Which of the following has the systems administrator MOST likely come across? A. Service account B. Shared credentials C. False positive D. Local account
B
QUESTION 846 During a forensic investigation, which of the following must be addressed FIRST according to the order of volatility? A. Hard drive B. RAM C. Network attached storage D. USB flash drive
B
QUESTION 849 Which of the following incident response steps involves actions to protect critical systems while maintaining business operations? A. Investigation B. Containment C. Recovery D. Lessons learned
B
QUESTION 859 Which of the following is a benefit of credentialed vulnerability scans? A. Credentials provide access to scan documents to identify possible data theft. B. The vulnerability scanner is able to inventory software on the target. C. A scan will reveal data loss in real time. D. Black-box testing can be performed.
B
QUESTION 867 The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread unhindered throughout the network and infect a large number of computers and servers. Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future? A. Install a NIDS device at the boundary. B. Segment the network with firewalls. C. Update all antivirus signatures daily. D. Implement application blacklisting.
B
QUESTION 869 A forensics investigator is examining a number of unauthorized payments that were reported on the company's website. Some unusual log entries show users received an email for an unwanted mailing attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be: <a href="https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250">Click here to unsubscribe</a> Which of the following will the forensics investigator MOST likely determine has occurred? A. SQL injection B. CSRF C. XSS D. XSRF
B
QUESTION 874 A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the fastest check with the least delay to determine if the certificate has been revoked. Which of the following would BEST meet these requirements? A. RA B. OCSP C. CRL D. CSR
B
QUESTION 875 A company needs to fix some audit findings related to its physical security. A key finding was that multiple people could physically enter a location at the same time. Which of the following is the BEST control to address this audit finding? A. Faraday cage B. Mantrap C. Biometrics D. Proximity cards
B
QUESTION 885 An organization has decided to host its web application and database in the cloud. Which of the following BEST describes the security concerns for this decision? A. Access to the organization's servers could be exposed to other cloud-provider clients. B. The cloud vendor is a new attack vector within the supply chain. C. Outsourcing the code development adds risk to the cloud provider. D. Vendor support will cease when the hosting platforms reach EOL.
B
QUESTION 886 Which of the following describes the ability of code to target a hypervisor from inside a guest OS? A. Fog computing B. VM escape C. Software-defined networking D. Image forgery E. Container breakout
B
QUESTION 888 Which of the following BEST describes a security exploit for which a vendor patch is not readily available? A. Integer overflow B. Zero-day C. End of life D. Race condition
B
QUESTION 896 A security analyst monitors the syslog server and notices the following:
pinging 10.25.27.31 with 65500 bytes of data
Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128
Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128
Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128
Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128
Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128
Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128
Which of the following attacks is occurring? A. Memory leak B. Buffer overflow C. Null pointer dereference D. Integer overflow
B
QUESTION 898 An accountant is attempting to log in to the internal accounting system and receives a message that the website's certificate is fraudulent. The accountant finds instructions for manually installing the new trusted root onto the local machine. Which of the following would be the company's BEST option for this situation in the future? A. Utilize a central CRL B. Implement certificate management C. Ensure access to KMS D. Use a stronger cipher suite
B
QUESTION 899 A security analyst is performing a manual audit of captured data from a packet analyzer. The analyst looks for Base64 encoded strings and applies the filter http.authbasic. Which of the following describes what the analyst is looking for? A. Unauthorized software B. Unencrypted credentials C. SSL certificate issues D. Authentication tokens
B
QUESTION 921 The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company's Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social-engineering techniques is the attacker using? A. Phishing B. Whaling C. Typo squatting D. Pharming
B
QUESTION 924 A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following:
* The legitimate website's IP address is 10.1.1.20, and eRecruit.local resolves to this IP.
* The forged website's IP address appears to be 10.2.12.99, based on NetFlow records.
* All three of the organization's DNS servers show the website correctly resolves to the legitimate IP.
* DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise.
Which of the following MOST likely occurred? A. A reverse proxy was used to redirect network traffic. B. An SSL strip MITM attack was performed. C. An attacker temporarily poisoned a name server. D. An ARP poisoning attack was successfully executed.
B
QUESTION 927 A company has drafted an Insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media? A. Monitoring large data transfer transactions in the firewall logs B. Developing mandatory training to educate employees about the removable media policy C. Implementing a group policy to block user access to system files D. Blocking removable-media devices and write capabilities using a host-based security tool
B
QUESTION 940 A junior systems administrator noticed that one of two hard drives in a server room had a red error notification. The administrator removed the hard drive to replace it but was unaware that the server was configured in an array. Which of the following configurations would ensure no data is lost? A. RAID 0 B. RAID 1 C. RAID 2 D. RAID 3
B
QUESTION 944 During a forensics investigation, which of the following must be addressed FIRST according to the order of volatility? A. Hard drive B. RAM C. Network-attached storage D. USB flash drive
B
QUESTION 960 A security analyst discovers that a company's username and password database was posted on an Internet forum. The username and passwords are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future? A. Create DLP controls that prevent documents from leaving the network B. Implement salting and hashing. C. Configure the web content filter to block access to the forum. D. Increase password complexity requirements.
B
QUESTION 963 A hospital has received reports from multiple patients that their PHI was stolen after completing forms on the hospital's website. Upon investigation, the hospital finds a packet analyzer was used to steal data. Which of the following protocols would prevent this attack from reoccurring? A. SFTP B. HTTPS C. FTPS D. SRTP
B
QUESTION 978 Which of the following may indicate a configuration item has reached end-of-life? A. The device will no longer turn on and indicates an error. B. The vendor has not published security patches recently. C. The object has been removed from the Active Directory. D. Logs show a performance degradation of the component.
B
QUESTION 979 Using a ROT13 cipher to protect confidential information from unauthorized access is known as: A. steganography. B. obfuscation. C. non-repudiation. D. diffusion.
B
QUESTION 983 A government contracting company issues smartphones to employees to enable access to corporate resources. Several employees will need to travel to a foreign country for business purposes and will require access to their phones. However, the company recently received intelligence that its intellectual property is highly desired by the same country's government. Which of the following MDM configurations would BEST reduce the risk of compromise while on foreign soil? A. Disable firmware OTA updates. B. Disable location services. C. Disable push notification services. D. Disable wipe.
B
QUESTION 984 A security analyst is performing a manual audit of captured data from a packet analyzer. The analyst looks for Base64 encoded strings and applies the filter http.authbasic. Which of the following BEST describes what the analyst is looking for? A. Unauthorized software B. Unencrypted credentials C. SSL certificate issues D. Authentication tokens
B
QUESTION 986 Given the output: Which of the following account management practices should the security engineer use to mitigate the identified risk? A. Implement least privilege B. Eliminate shared accounts. C. Eliminate password reuse. D. Implement two-factor authentication
B
QUESTION 992 A network technician needs to monitor and view the websites that are visited by an employee. The employee is connected to a network switch. Which of the following would allow the technician to monitor the employee's web traffic? A. Implement promiscuous mode on the NIC of the employee's computer. B. Install and configure a transparent proxy server. C. Run a vulnerability scanner to capture DNS packets on the router. D. Configure a VPN to forward packets to the technician's computer.
B
QUESTION 995 An organization is struggling to differentiate threats from normal traffic and access to systems. A security engineer has been asked to recommend a system that will aggregate data and provide metrics that will assist in identifying malicious actors or other anomalous activity throughout the environment. Which of the following solutions should the engineer recommend? A. Web application firewall B. SIEM C. IPS D. UTM E. File integrity monitor
B
QUESTION 997 Joe, a user at a company, clicked an email link that led to a website that infected his workstation. Joe was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and it has continued to evade detection. Which of the following should a security administrator implement to protect the environment from this malware? A. Install a definition-based antivirus. B. Implement an IDS/IPS. C. Implement a heuristic behavior-detection solution. D. Implement CASB to protect the network shares.
B
QUESTION 998 A systems administrator wants to implement a secure wireless network requiring wireless clients to pre-register with the company and install a PKI client certificate prior to being able to connect to the wireless network. Which of the following should the systems administrator configure? A. EAP-TTLS B. EAP-TLS C. EAP-FAST D. EAP with PEAP E. EAP with MSCHAPv2
B
QUESTION 970 A university is opening a facility in a location where there is an elevated risk of theft. The university wants to protect the desktops in its classrooms and labs. Which of the following should the university use to BEST protect these assets deployed in the facility? A. Visitor logs B. Cable locks C. Guards D. Disk encryption E. Motion detection
B
QUESTION 949 A system in the network is used to store proprietary secrets and needs the highest level of security possible. Which of the following should a security administrator implement to ensure the system cannot be reached from the Internet? A. VLAN B. Air gap C. NAT D. Firewall
B Explanation: An air gap, air wall or air gapping is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.
QUESTION 953 A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective? A. A reverse proxy B. A decryption certificate C. A split-tunnel VPN D. Load-balanced servers
B Explanation: By deploying a WAF in front of a web application, a shield is placed between the web application and the Internet. While a proxy server protects a client machine's identity by using an intermediary, a WAF is a type of reverse-proxy, protecting the server from exposure by having clients pass through the WAF before reaching the server. A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for faster response to varying attack vectors; during a DDoS attack, rate limiting can be quickly implemented by modifying WAF policies.
QUESTION 942 An accountant is attempting to log in to the internal accounting system and receives a message that the website's certificate is fraudulent. The accountant finds instructions for manually installing the new trusted root onto the local machine. Which of the following would be the company's BEST option for this situation in the future? A. Utilize a central CRL. B. Implement certificate management. C. Ensure access to KMS. D. Use a stronger cipher suite.
B Explanation: The Certificate Management System (CMS) is a networked system for generation, distribution, storage and verification of certificates for use in a variety
QUESTION 877 After successfully breaking into several networks and infecting multiple machines with malware, hackers contact the network owners, demanding payment to remove the infection and decrypt files. The hackers threaten to publicly release information about the breach if they are not paid. Which of the following BEST describes these attackers? A. Gray hat hackers B. Organized crime C. Insiders D. Hacktivists
B Explanation: A person who gains unauthorized access to computer files or networks in order to further social or political ends.
QUESTION 933 After entering a username and password, an administrator must draw a gesture on a touch screen. Which of the following demonstrates what the administrator is providing? A. Multifactor authentication B. Something you can do C. Biometrics D. Two-factor authentication
B Explanation: https://www.androidcentral.com/android-home-screen-gestures
QUESTION 969 A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent the exfiltration of data? (Select TWO). A. VPN B. Drive encryption C. Network firewall D. File-level encryption E. USB blocker F. MFA
B, C
QUESTION 881 During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes? A. Physically move the PC to a separate Internet point of presence. B. Create and apply microsegmentation rules. C. Emulate the malware in a heavily monitored DMZ segment. D. Apply network blacklisting rules for the adversary domain.
BA
QUESTION 757 A penetration tester is checking to see if an internal system is vulnerable to an attack using a remote listener. Which of the following commands should the penetration tester use to verify if this vulnerability exists? (Choose two.) A. tcpdump B. nc C. nmap D. nslookup E. tail F. tracert
BC
QUESTION 1021 A security analyst is implementing mobile device security for a company. To save money, management has decided on a BYOD model. The company is most concerned with ensuring company data will not be exposed if a phone is lost or stolen. Which of the following techniques BEST accomplish this goal? (Choose two.) A. Containerization B. Full device encryption C. Geofencing D. Remote wipe E. Application management F. Storage segmentation
BD
QUESTION 865 An organization is developing its mobile device management policies and procedures and is concerned about vulnerabilities that are associated with sensitive data being saved to a mobile device, as well as weak authentication when using a PIN. As part of some discussions on the topic, several solutions are proposed. Which of the following controls, when required together, will address the protection of data-at-rest as well as strong authentication? (Choose two.) A. Containerization B. FDE C. Remote wipe capability D. MDM E. MFA F. OTA updates
BE
QUESTION 1008 A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent this issue from reoccurring? A. CASB B. SWG C. Containerization D. Automated failover
C
QUESTION 1011 A cybersecurity analyst needs to implement secure authentication to third-party websites without users' passwords. Which of the following would be the BEST way to achieve this objective? A. OAuth B. SSO C. SAML D. PAP
C
QUESTION 1024 The Chief Information Officer (CIO) has decided to add two-factor authentication along with the use of passwords when logging on to the network. Which of the following should be implemented to BEST accomplish this requirement? A. Require users to enter a PIN B. Require users to set complex passwords C. Require users to insert a smart card when logging on D. Require the system to use a CAPTCHA
C
QUESTION 1026 A company occupies the third floor of a leased building that has other tenants. The path from the demarcation point to the company's controlled space runs through unsecured areas managed by other companies. Which of the following could be used to protect the company's cabling as it passes through uncontrolled spaces? A. Plenum-rated cables B. Cable locks C. Conduits D. Bayonet Neill-Concelman
C
QUESTION 1030 A help desk technician is trying to determine the reason why several high-level officials' account passwords need to be reset shortly after implementing a self-service password reset process. Which of the following would BEST explain the issue? A. The system asked for publicly available information B. The self-service system was compromised C. The account passwords expired D. A spear phishing attack occurred
C
QUESTION 1036 A company notices that at 10 a.m. every Thursday, three users' computers become inoperable. The security analyst team discovers a file called where.pdf.exe that runs on system startup. The contents of where.pdf.exe are shown below:
@echo off
if [c:\file.txt] deltree C:\
Based on the above information, which of the following types of malware was discovered? A. Rootkit B. Backdoor C. Logic bomb D. RAT
C
QUESTION 763 Which of the following is unique to a stream cipher? A. It encrypts 128 bytes at a time. B. It uses AES encryption. C. It performs bit-level encryption. D. It is used in HTTPS.
C
QUESTION 770 A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the purchase. When the PCs arrived, a technician determined some NICs had been tampered with. Which of the following MOST accurately describes the security risk presented in this situation? A. Hardware root of trust B. UEFI C. Supply chain D. TPM E. Crypto-malware F. ARP poisoning
C
QUESTION 783 While monitoring the SIEM, a security analyst observes traffic from an external IP to an IP address of the business network on port 443. Which of the following protocols would MOST likely cause this traffic? A. HTTP B. SSH C. SSL D. DNS
C
QUESTION 786 An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues. Which of the following should a security engineer employ to fulfill the requirements for the manager? A. Install a web application firewall. B. Install HIPS on the team's workstations. C. Implement containerization on the workstations. D. Configure whitelisting for the team.
C
QUESTION 790 A company employee recently retired, and there was a schedule delay because no one was capable of filling the employee's position. Which of the following practices would BEST help to prevent this situation in the future? A. Mandatory vacation B. Separation of duties C. Job rotation D. Exit interviews
C
QUESTION 794 Which of the following BEST distinguishes Agile development from other methodologies in terms of vulnerability management? A. Cross-functional teams B. Rapid deployments C. Daily standups D. Peer review E. Creating user stories
C
QUESTION 798 A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service Unavailable error. The analyst runs a netstat -an command to discover if the web server is up and listening. The analyst receives the following output: TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT Which of the following types of attack is the analyst seeing? A. Buffer overflow B. Domain hijacking C. Denial of service D. ARP poisoning
C
QUESTION 800 An organization wants to set up a wireless network in the most secure way. Budget is not a major consideration, and the organization is willing to accept some complexity when clients are connecting. It is also willing to deny wireless connectivity for clients who cannot be connected in the most secure manner. Which of the following would be the MOST secure setup that conforms to the organization's requirements? A. Enable WPA2-PSK for older clients and WPA2-Enterprise for all other clients. B. Enable WPA2-PSK, disable all other modes, and implement MAC filtering along with port security. C. Use WPA2-Enterprise with RADIUS and disable pre-shared keys. D. Use WPA2-PSK with a 24-character complex password and change the password monthly.
C
QUESTION 801 A first responder needs to collect digital evidence from a compromised headless virtual host. Which of the following should the first responder collect FIRST? A. Virtual memory B. BIOS configuration C. Snapshot D. RAM
C
QUESTION 805 A security professional wants to test a piece of malware that was isolated on a user's computer to document its effect on a system. Which of the following is the FIRST step the security professional should take? A. Create a sandbox on the machine. B. Open the file and run it. C. Create a secure baseline of the system state. D. Harden the machine.
C
QUESTION 806 In highly secure environments where the risk of malicious actors attempting to steal data is high, which of the following is the BEST reason to deploy Faraday cages? A. To provide emanation control to prevent credential harvesting B. To minimize signal attenuation over distances to maximize signal strength C. To minimize external RF interference with embedded processors D. To protect the integrity of audit logs from malicious alteration
C
QUESTION 808 A security administrator found the following piece of code referenced on a domain controller's task scheduler: $var = GetDomainAdmins If $var != 'fabio' SetDomainAdmins = NULL With which of the following types of malware is the code associated? A. RAT B. Backdoor C. Logic bomb D. Crypto-malware
C
QUESTION 816 A small retail business has a local store and a newly established and growing online storefront. A recent storm caused a power outage to the business and the local ISP, resulting in several hours of lost sales and delayed order processing. The business owner now needs to ensure two things: - Protection from power outages - Always-available connectivity in case of an outage The owner has decided to implement battery backups for the computer equipment. Which of the following would BEST fulfill the owner's second need? A. Lease a telecommunications line to provide POTS for dial-up access. B. Connect the business router to its own dedicated UPS. C. Purchase services from a cloud provider for high availability. D. Replace the business's wired network with a wireless network.
C
QUESTION 818 A security operations team recently detected a breach of credentials. The team mitigated the risk and followed proper processes to reduce risk. Which of the following processes would BEST help prevent this issue from happening again? A. Risk assessment B. Chain of custody C. Lessons learned D. Penetration test
C
QUESTION 827 The application team within a company is asking the security team to investigate why its application is slow after an upgrade. The source of the team's application is 10.13.136.9, and the destination IP is 10.17.36.5. The security analyst pulls the logs from the endpoint security software but sees nothing is being blocked. The analyst then looks at the UTM firewall logs and sees the following: [UTM firewall log image not included] Which of the following should the security analyst request NEXT based on the UTM firewall analysis? A. Request the application team to allow TCP port 87 to listen on 10.17.36.5. B. Request the network team to open port 1433 from 10.13.136.9 to 10.17.36.5. C. Request the network team to turn off IPS for 10.13.136.8 going to 10.17.36.5. D. Request the application team to reconfigure the application and allow RPC communication.
C
QUESTION 833 A malicious actor recently penetrated a company's network and moved laterally to the datacenter. Upon investigation, a forensics firm wants to know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm? A. Security B. Application C. Dump D. Syslog
C
QUESTION 835 An attacker is able to capture the payload for the following packet: IP 192.168.1.22:2020 10.10.10.5:443 IP 192.168.1.10:1030 10.10.10.1:21 IP 192.168.1.57:5217 10.10.10.1:3389 During an investigation, an analyst discovers that the attacker was able to capture the information above and use it to log on to other servers across the company. Which of the following is the MOST likely reason? A. The attacker has exploited a vulnerability that is commonly associated with TLS1.3. B. The application server is also running a web server that has been compromised. C. The attacker is picking off unencrypted credentials and using those to log in to the secure server. D. User accounts have been improperly configured to allow single sign-on across multiple servers.
C
QUESTION 845 A systems administrator needs to configure an SSL remote access VPN according to the following organizational guidelines: - The VPN must support encryption of header and payload. - The VPN must route all traffic through the company's gateway. Which of the following should be configured on the VPN concentrator? A. Full tunnel B. Transport mode C. Tunnel mode D. IPSec
C
QUESTION 847 A computer forensics analyst collected a flash drive that contained a single file with 500 pages of text. Which of the following algorithms should the analyst use to validate the integrity of the file? A. 3DES B. AES C. MD5 D. RSA
C
QUESTION 852 An incident response analyst in a corporate security operations center receives a phone call from an SOC analyst. The SOC analyst explains the help desk recently reimaged a workstation that was suspected of being infected with an unknown type of malware; however, even after reimaging, the host continued to generate SIEM alerts. Which of the following types of malware is MOST likely responsible for producing the SIEM alerts? A. Ransomware B. Logic bomb C. Rootkit D. Adware
C
QUESTION 855 A security team has downloaded a public database of the largest collection of password dumps on the Internet. This collection contains the cleartext credentials of every major breach for the last four years. The security team pulls and compares users' credentials to the database and discovers that more than 30% of the users were still using passwords discovered in this list. Which of the following would be the BEST combination to reduce the risks discovered? A. Password length, password encryption, password complexity B. Password complexity, least privilege, password reuse C. Password reuse, password complexity, password expiration D. Group policy, password history, password encryption
C
QUESTION 857 An organization is drafting an IRP and needs to determine which employees have the authority to take systems offline during an emergency situation. Which of the following is being outlined? A. Reporting and escalation procedures B. Permission auditing C. Roles and responsibilities D. Communication methodologies
C
QUESTION 860 A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA? A. Onetime passwords B. Email tokens C. Push notifications D. Hardware authentication
C
QUESTION 864 A government agency with sensitive information wants to virtualize its infrastructure. Which of the following cloud deployment models BEST fits the agency's needs? A. Public B. Community C. Private D. Hybrid
C
QUESTION 882 An organization has a policy in place that states the person who approves firewall controls/changes cannot be the one implementing the changes. Which of the following is this an example of? A. Change management B. Job rotation C. Separation of duties D. Least privilege
C
QUESTION 887 An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state? A. The system was configured with weak default security settings. B. The device uses weak encryption ciphers. C. The vendor has not supplied a patch for the appliance. D. The appliance requires administrative credentials for the assessment.
C
QUESTION 894 An organization is looking to build its second head office in another city, which has a history of flooding, with an average of two floods every 100 years. The estimated building cost is $1 million, and the estimated damage due to flooding is half of the building's cost. Given this information, which of the following is the SLE? A. $50,000 B. $250,000 C. $500,000 D. $1,000,000
C
QUESTION 895 A company is implementing a tool to mask all PII when moving data from a production server to a testing server. Which of the following security techniques is the company applying? A. Data wiping B. Steganography C. Data obfuscation D. Data sanitization
C
QUESTION 901 A security administrator is developing a methodology for tracking staff access to patient data. Which of the following would be the BEST method of creating audit trails for usage reports? A. Deploy file integrity checking B. Restrict access to the database by following the principle of least privilege C. Implement a database activity monitoring system D. Create automated alerts on the IDS system for the database server
C
QUESTION 903 During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts. With which of the following is the auditor MOST likely concerned? A. ARO/ALE B. MTTR/MTBF C. RTO/RPO D. Risk assessment
C
QUESTION 904 A network administrator is trying to provide the most resilient hard drive configuration in a server. With five hard drives, which of the following is the MOST fault-tolerant configuration? A. RAID 1 B. RAID 5 C. RAID 6 D. RAID 10
C
QUESTION 905 An organization requires employees to insert their identification cards into a reader so chips embedded in the cards can be read to verify their identities prior to accessing computing resources. Which of the following BEST describes this authentication control? A. TPM B. Token C. Proximity card D. CAC
C
QUESTION 912 A public relations team will be taking a group of guests on a tour through the facility of a large ecommerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against: A. loss of proprietary information B. damage to the company's reputation C. social engineering D. credential exposure
C
QUESTION 913 A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure? A. A captive portal B. PSK C. 802.1X D. WPS
C
QUESTION 914 After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic? A. A DMZ B. A VPN C. A VLAN D. An ACL
C
QUESTION 928 A network administrator has been asked to install an IDS to improve the security posture of an organization. Which of the following control types is an IDS? A. Corrective B. Physical C. Detective D. Administrative
C
QUESTION 929 A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms? A. SIEM B. DLP C. CASB D. SWG
C
QUESTION 930 A Chief Information Security Officer (CISO) is concerned about the organization's ability to continue business operations in the event of a prolonged DDoS attack on its local datacenter that consumes server resources. Which of the following will the CISO MOST likely recommend to mitigate this risk? A. Upgrade the bandwidth available into the datacenter. B. Migrate to a geographically dispersed cloud datacenter. C. Implement a hot-site failover location. D. Switch to a complete SaaS offering to customers. E. Implement a challenge response test on all end-user queries.
C
QUESTION 936 A user receives a security alert pop-up from the host-based IDS, and a few minutes later notices a document on the desktop has disappeared and in its place is an odd filename with no icon image. When clicking on this icon, the user receives a system notification that it cannot find the correct program to use to open this file. Which of the following types of malware has MOST likely targeted this workstation? A. Rootkit B. Spyware C. Ransomware D. Remote-access Trojan
C
QUESTION 956 Which of the following is unique to a stream cipher? A. It encrypts 128 bytes at a time. B. It uses AES encryption C. It performs bit-level encryption D. It is used in HTTPS
C
QUESTION 957 A company has just experienced a malware attack affecting a large number of desktop users. The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as 'Troj.Generic'. Once the security team found a solution to remove the malware, they were able to remove the malware files successfully, and the HIDS stopped alerting. The next morning, however, the HIDS once again started alerting on the same desktops, and the security team discovered the files were back. Which of the following BEST describes the type of malware infecting this company's network? A. Trojan B. Spyware C. Rootkit D. Botnet
C
QUESTION 959 A security analyst runs a monthly file integrity check on the main web server. When analyzing the logs, the analyst observed the following entry: No OS patches were applied to this server during this period. Considering the log output, which of the following is the BEST conclusion? A. The cmd.exe was executed on the scanned server between the two dates. An incident ticket should be created B. The iexplore.exe was executed on the scanned server between the two dates. An incident ticket should be created. C. The cmd.exe was updated on the scanned server. An incident ticket should be created D. The iexplore.exe was updated on the scanned server. An incident ticket should be created.
C
QUESTION 966 The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process? A. Updating the playbooks with better decision points B. Dividing the network into trusted and untrusted zones C. Providing additional end-user training on acceptable use D. Implementing manual quarantining of infected hosts
C
QUESTION 973 A company uses an enterprise desktop imaging solution to manage deployment of its desktop computers. Desktop computer users are only permitted to use software that is part of the baseline image. Which of the following technical solutions was MOST likely deployed by the company to ensure only known-good software can be installed on corporate desktops? A. Network access control B. Configuration manager C. Application whitelisting D. File integrity checks
C
QUESTION 977 Which of the following policies would help an organization identify and mitigate potential single points of failure in the company's IT/security operations? A. Least privilege B. Awareness training C. Separation of duties D. Mandatory vacation
C
QUESTION 980 A company is implementing a tool to mask all PII when moving data from a production server to a testing server. Which of the following security techniques is the company applying? A. Data wiping B. Steganography C. Data obfuscation D. Data sanitization
C
QUESTION 981 A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output: Which of the following BEST describes the attack the company is experiencing? A. MAC flooding B. URL redirection C. ARP poisoning D. DNS hijacking
C
QUESTION 990 An organization requires secure configuration baselines for all platforms and technologies that are used. If any system cannot conform to the secure baseline, the organization must process a risk acceptance and receive approval before the system is placed into production. It may have non-conforming systems in its lower environments (development and staging) without risk acceptance, but must receive risk approval before the system is placed in production. Weekly scan reports identify systems that do not conform to any secure baseline. The application team receives a report with the following results: [scan results table not included] There are currently no risk acceptances for baseline deviations. This is a mission-critical application, and the organization cannot operate if the application is not running. The application fully functions in the development and staging environments. Which of the following actions should the application team take? A. Remediate 2633 and 3124 immediately. B. Process a risk acceptance for 2633 and 3124. C. Process a risk acceptance for 2633 and remediate 3124. D. Shut down NYAccountingProd and investigate the reason for the different scan results.
C
QUESTION 931 A systems administrator needs to configure an SSL remote access VPN according to the following organizational guidelines: * The VPN must support encryption of header and payload. * The VPN must route all traffic through the company's gateway. Which of the following should be configured on the VPN concentrator? A. Full tunnel B. Transport mode C. Tunnel mode D. IPSec
C
QUESTION 946 A small enterprise decides to implement a warm site to be available for business continuity in case of a disaster. Which of the following BEST meets its requirements? A. A fully operational site that has all the equipment in place and full data backup tapes on site B. A site used for its data backup storage that houses a full-time network administrator C. An operational site requiring some equipment to be relocated as well as data transfer to the site D. A site staffed with personnel requiring both equipment and data to be relocated there in case of disaster
C Explanation: Cold site Space and associated infrastructure (e.g., power, telecoms and environmental controls to support IT systems), which will only be installed when disaster recovery (DR) services are activated. Warm site Site that's partially equipped with some of the equipment (e.g., computing hardware and software, and supporting personnel); organizations install additional equipment, computing hardware and software, and supporting personnel when DR services are activated. Hot site Fully equipped site with the required equipment, computing hardware/software and supporting personnel; it's also fully functional and manned on a 24x7 basis so that it's ready for organizations to operate their IT systems when DR services are activated.
QUESTION 935 A company just implemented a new telework policy that allows employees to use personal devices for official email and file sharing while working from home. Some of the requirements are: * Employees must provide an alternate work location (i.e., a home address). * Employees must install software on the device that will prevent the loss of proprietary data but will not restrict any other software from being installed. Which of the following BEST describes the MDM options the company is using? A. Geofencing, content management, remote wipe, containerization, and storage segmentation B. Content management, remote wipe, geolocation, context-aware authentication, and containerization C. Application management, remote wipe, geofencing, context-aware authentication, and containerization D. Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption
C
QUESTION 948 A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output: Which of the following BEST describes the attack the company is experiencing? A. MAC flooding B. URL redirection C. ARP poisoning D. DNS hijacking
C Explanation: ARP Poisoning (also known as ARP Spoofing) is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN in order to change the pairings
QUESTION 950 When a malicious user is able to retrieve sensitive information from RAM, the programmer has failed to implement: A. session keys. B. encryption of data at rest C. encryption of data in use. D. ephemeral keys.
C Explanation: Compromising data in use enables access to encrypted data at rest and data in motion. For example, someone with access to random access memory (RAM) can parse that memory to locate the encryption key for data at rest. Once they have obtained that encryption key, they can decrypt encrypted data at rest.
QUESTION 954 Which of the following algorithms would be used to provide non-repudiation of a file transmission? A. AES B. RSA C. MD5 D. SHA
C Explanation: Non-repudiation is the ability to prove that the file uploaded and the file downloaded are identical. Non-repudiation is an essential part of any secure file transfer solution. End-to-end file non-repudiation is the ability to prove who uploaded a specific file, who downloaded it, and that the file uploaded and the file downloaded are identical. It is a security best practice and required by the Federal Information Security Management Act (FISMA), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and others. The ability to provide end-to-end file non-repudiation is an essential part of any secure file transfer solution because it provides the following benefits: * Guarantees the integrity of the data being transferred * Plays a valuable forensic role if a dispute arises about the file * Provides a capability that is required for Guaranteed Delivery Providing end-to-end file non-repudiation requires using a secure file transfer server that can perform all of the following activities: * Authenticate each user who uploads or downloads a file * Check the integrity of each file when uploaded and downloaded * Compare the server and client-generated integrity check results * Associate and log the authentication and check results The cryptographically valid SHA1 and MD5 algorithms are widely used to do file integrity checking. SHA1 is the stronger of these, and is approved for file integrity checking under US Federal Information Processing Standard FIPS 140-2. MOVEit secure file transfer server and MOVEit Automation MFT automation server each have built-in FIPS 140-2 validated cryptographic modules that include the SHA1 and MD5 algorithms, which they use for file integrity checking.
QUESTION 919 A researcher has been analyzing large data sets for the last ten months. The researcher works with colleagues from other institutions and typically connects via SSH to retrieve additional data. Historically, this setup has worked without issue, but the researcher recently started getting the following message: [SSH warning message image not included] Which of the following network attacks is the researcher MOST likely experiencing? A. MAC cloning B. Evil twin C. Man-in-the-middle D. ARP poisoning
C Explanation: This is alarming because it could actually mean that you're connecting to a different server without knowing it. If this new server is malicious then it would be able to view all data sent to and from your connection, which could be used by whoever set up the server. This is called a man-in-the-middle attack. This scenario is exactly what the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" message is trying to warn you about.
QUESTION 1025 A Chief Executive Officer (CEO) is staying at a hotel during a business trip. The hotel's wireless network does not show a lock symbol. Which of the following precautions should the CEO take? (Choose two.) A. Change the connection type to WPA2 B. Change TKIP to CCMP C. Use a VPN D. Tether to a mobile phone E. Create a tunnel connection with EAP-TTLS
CD
QUESTION 840 A technician is recommending preventive physical security controls for a server room. Which of the following would the technician MOST likely recommend? (Choose two.) A. Geofencing B. Video surveillance C. Protected cabinets D. Mantrap E. Key exchange F. Authorized personnel signage
CD
QUESTION 915 A manufacturing company updates a policy that instructs employees not to enter a secure area in groups and requires each employee to swipe their badge to enter the area. When employees continue to ignore the policy, a mantrap is installed. Which of the following BEST describe the controls that were implemented to address this issue? (Select TWO). A. Detective B. Administrative C. Deterrent D. Physical E. Corrective
CE
QUESTION 1004 The IT department's on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production? A. Limit the use of third-party libraries. B. Prevent data exposure queries. C. Obfuscate the source code. D. Submit the application to QA before releasing it.
D
QUESTION 1006 The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve security in the environment and protect patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns? A. SSO would simplify username and password management, making it easier for hackers to guess accounts. B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords. C. SSO would reduce the password complexity for frontline staff. D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.
D
QUESTION 1007 Which of the following control types are alerts sent from a SIEM fulfilling based on vulnerability signatures? A. Preventive B. Corrective C. Compensating D. Detective
D
QUESTION 1009 A security analyst needs to be proactive in understanding the types of attacks that could potentially target the company's executives. Which of the following intelligence sources should the security analyst review? A. Vulnerability feeds B. Trusted automated exchange of indicator information C. Structured threat information expression D. Industry information-sharing and collaboration groups
D
QUESTION 1020 A company is deploying a wireless network. It is a requirement that client devices must use X.509 certifications to mutually authenticate before connecting to the wireless network. Which of the following protocols would be required to accomplish this? A. EAP-TTLS B. EAP-MD5 C. LEAP D. EAP-TLS E. EAP-TOTP
D
QUESTION 1037 A network administrator was provided the following output from a vulnerability scan: The network administrator has been instructed to prioritize remediation efforts based on overall risk to the enterprise. Which of the following plugin IDs should be remediated FIRST? A. 10 B. 11 C. 12 D. 13 E. 14
D
QUESTION 1038 A security administrator wants to better prepare the incident response team for possible security events. The IRP has been updated and distributed to incident response team members. Which of the following is the BEST option to fulfill the administrator's objective? A. Identify the member's roles and responsibilities B. Select a backup/failover location C. Determine the order of restoration D. Conduct a tabletop test
D
QUESTION 756 A company recently implemented a new security system. In the course of configuration, the security administrator adds the following entry: #Whitelist USB\VID_13FE&PID_4127&REV_0100 Which of the following security technologies is MOST likely being configured? A. Application whitelisting B. HIDS C. Data execution prevention D. Removable media control
D
QUESTION 759 A security administrator is investigating a possible account compromise. The administrator logs onto a desktop computer, executes the command notepad.exe c:\Temp\qkakforlkgfkja.log, and reviews the following: Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r https://www.portal.com\rjohnuser\rilovemycat2 Given the above output, which of the following is the MOST likely cause of this compromise? A. Virus B. Worm C. Rootkit D. Keylogger
D
QUESTION 760 Which of the following command line tools would be BEST to identify the services running in a server? A. Traceroute B. Nslookup C. Ipconfig D. Netstat
D
QUESTION 761 A security administrator needs to conduct a full inventory of all encryption protocols and cipher suites. Which of the following tools will the security administrator use to conduct this inventory MOST efficiently? A. tcpdump B. Protocol analyzer C. Netstat D. Nmap
D
QUESTION 762 A systems developer needs to provide machine-to-machine interface between an application and a database server in the production environment. This interface will exchange data once per day. Which of the following access control account practices would BEST be used in this situation? A. Establish a privileged interface group and apply read-write permission to the members of that group. B. Submit a request for account privilege escalation when the data needs to be transferred. C. Install the application and database on the same server and add the interface to the local administrator group. D. Use a service account and prohibit users from accessing this account for development work.
D
QUESTION 764 Which of the following is an example of federated access management? A. Windows passing user credentials on a peer-to-peer network B. Applying a new user account with a complex password C. Implementing an AAA framework for network access D. Using a popular website login to provide access to another website
D
QUESTION 772 An attacker has gathered information about a company employee by obtaining publicly available information from the Internet and social networks. Which of the following types of activity is the attacker performing? A. Pivoting B. Exfiltration of data C. Social engineering D. Passive reconnaissance
D
QUESTION 773 An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the following is the BEST way for the organization to integrate with the cloud application? A. Upload a separate list of users and passwords with a batch import. B. Distribute hardware tokens to the users for authentication to the cloud. C. Implement SAML with the organization's server acting as the identity provider. D. Configure a RADIUS federation between the organization and the cloud provider.
D
QUESTION 776 A healthcare company is revamping its IT strategy in light of recent regulations. The company is concerned about compliance and wants to use a pay-per-use model. Which of the following is the BEST solution? A. On-premises hosting B. Community cloud C. Hosted infrastructure D. Public SaaS
D
QUESTION 777 An organization's policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevent users from using any of their previous 12 passwords. The organization does not use single sign-on, nor does it centralize storage of passwords. The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation. Which of the following BEST describes what is happening? A. Some users are meeting password complexity requirements but not password length requirements. B. The password history enforcement is insufficient, and old passwords are still valid across many different systems. C. Some users are reusing passwords, and some of the compromised passwords are valid on multiple systems. D. The compromised password file has been brute-force hacked, and the complexity requirements are not adequate to mitigate this risk.
D
QUESTION 778 Which of the following represents a multifactor authentication system? A. An iris scanner coupled with a palm print reader and fingerprint scanner with liveness detection. B. A secret passcode that prompts the user to enter a secret key if entered correctly. C. A digital certificate on a physical token that is unlocked with a secret passcode. D. A one-time password token combined with a proximity badge.
D
QUESTION 796 A security engineer is analyzing the following line of JavaScript code that was found in a comment field on a web forum, which was recently involved in a security breach: <.script src=http://gotcha.com/hackme.js></.script> Given the line of code above, which of the following BEST represents the attack performed during the breach? A. CSRF B. DDoS C. DoS D. XSS
D
QUESTION 802 Which of the following BEST explains the difference between a credentialed scan and a non-credentialed scan? A. A credentialed scan sees devices in the network, including those behind NAT, while a non-credentialed scan sees outward-facing applications. B. A credentialed scan will not show up in system logs because the scan is running with the necessary authorization, while non-credentialed scan activity will appear in the logs. C. A credentialed scan generates significantly more false positives, while a non-credentialed scan generates fewer false positives. D. A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest.
D
QUESTION 815 A systems engineer is setting up a RADIUS server to support a wireless network that uses certificate authentication. Which of the following protocols must be supported by both the RADIUS server and the WAPs? A. CCMP B. TKIP C. WPS D. EAP
D
QUESTION 823 An intruder sniffs network traffic and captures a packet of internal network transactions that add funds to a game card. The intruder pushes the same packet multiple times across the network, which increments the funds on the game card. Which of the following should a security administrator implement to BEST protect against this type of attack? A. An IPS B. A WAF C. SSH D. An IPSec VPN
D
QUESTION 825 After a systems administrator installed and configured Kerberos services, several users experienced authentication issues. Which of the following should be installed to resolve these issues? A. RADIUS server B. NTLM service C. LDAP service D. NTP server
D
QUESTION 826 A Chief Security Officer's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives? A. Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares. B. Purchase cyber insurance from a reputable provider to reduce expenses during an incident. C. Invest in end-user awareness training to change the long-term culture and behavior of staff and executives, reducing the organization's susceptibility to phishing attacks. D. Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.
D
QUESTION 829 After being alerted to potential anomalous activity related to trivial DNS lookups, a security analyst looks at the following output of implemented firewall rules: The analyst notices that the expected policy has no hit count for the day. Which of the following MOST likely occurred? A. Data execution prevention is enabled. B. The VLAN is not trunked properly. C. There is a policy violation for DNS lookups. D. The firewall policy is misconfigured.
D
QUESTION 830 A security analyst is performing a BIA. The analyst notes that in a disaster, failover systems must be up and running within 30 minutes. The failover systems must use backup data that is no older than one hour. Which of the following should the analyst include in the business continuity plan? A. A maximum MTTR of 30 minutes B. A maximum MTBF of 30 minutes C. A maximum RTO of 60 minutes D. A maximum RPO of 60 minutes E. An SLA guarantee of 60 minutes
D
QUESTION 831 A security administrator in a bank is required to enforce an access control policy so no single individual is allowed to both initiate and approve financial transactions. Which of the following BEST represents the impact the administrator is deterring? A. Principle of least privilege B. External intruder C. Conflict of interest D. Fraud
D
QUESTION 837 Which of the following is a passive method to test whether transport encryption is implemented? A. Black box penetration test B. Port scan C. Code analysis D. Banner grabbing
D
QUESTION 842 A company has had a BYOD policy in place for many years and now wants to roll out an MDM solution. The company has decided that end users who wish to utilize their personal devices for corporate use must opt in to the MDM solution. End users are voicing concerns about the company having access to their personal devices via the MDM solution. Which of the following should the company implement to ease these concerns? A. Sideloading B. Full device encryption C. Application management D. Containerization
D
QUESTION 848 A mobile application developer wants to secure an application that transmits sensitive information. Which of the following should the developer implement to prevent SSL MITM attacks? A. Stapling B. Chaining C. Signing D. Pinning
D
QUESTION 850 A technician is designing a solution that will be required to process sensitive information, including classified government data. The system needs to be common criteria certified. Which of the following should the technician select? A. Security baseline B. Hybrid cloud solution C. Open-source software applications D. Trusted operating system
D
QUESTION 854 To further secure a company's email system, an administrator is adding public keys to DNS records in the company's domain. Which of the following is being used? A. PFS B. SPF C. DMARC D. DNSSEC
D
QUESTION 858 A cryptographer has developed a new proprietary hash function for a company and solicited employees to test the function before recommending its implementation. An employee takes the plaintext version of a document and hashes it, then changes the original plaintext document slightly and hashes it, and continues repeating this process until two identical hash values are produced from two different documents. Which of the following BEST describes this cryptographic attack? A. Brute force B. Known plaintext C. Replay D. Collision
D
QUESTION 878 When implementing automation with IoT devices, which of the following should be considered FIRST to keep the network secure? A. Z-Wave compatibility B. Network range C. Zigbee configuration D. Communication protocols
D
QUESTION 879 A local coffee shop runs a small WiFi hotspot for its customers that utilizes WPA2-PSK. The coffee shop would like to stay current with security trends and wants to implement WPA3 to make its WiFi even more secure. Which of the following technologies should the coffee shop use in place of PSK? A. WEP B. EAP C. WPS D. SAE
D
QUESTION 883 An organization just experienced a major cyberattack incident. The attack was well coordinated, sophisticated, and highly skilled. Which of the following targeted the organization? A. Shadow IT B. An insider threat C. A hacktivist D. An advanced persistent threat
D
QUESTION 889 A systems administrator needs to install the same X.509 certificate on multiple servers. Which of the following should the administrator use? A. Key escrow B. A self-signed certificate C. Certificate chaining D. An extended validation certificate
D
QUESTION 890 A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output: CPU 0 P percent busy, from 300 sec ago 1 sec ave: 99 percent busy 5 sec ave: 97 percent busy 1 sec ave: 83 percent busy Which of the following is the router experiencing? A. DDoS attack B. Memory leak C. Buffer overflow D. Resource exhaustion
D
QUESTION 892 Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack? A. An attacker is sniffing traffic to port 53, and the server is managed using unencrypted usernames and passwords. B. An organization is experiencing excessive traffic on port 53 and suspects an attacker is trying to DoS the domain name server. C. Malware is trying to resolve an unregistered domain name to determine if it is running in an isolated sandbox. D. DNS routing tables have been compromised, and an attacker is rerouting traffic to malicious websites.
D
QUESTION 908 After the integrity of a patch has been verified, but before being deployed to production, it is important to: A. perform static analysis B. reverse engineer it for embedded malware. C. run dynamic analysis on the executable. D. test it in a staging environment
D
QUESTION 911 An organization has hired a security analyst to perform a penetration test. The analyst captures 1GB worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap? A. Nmap B. cURL C. Netcat D. Wireshark
D
QUESTION 917 An administrator is beginning an authorized penetration test of a corporate network. Which of the following tools would BEST assist in identifying potential attacks? A. Netstat B. Honey pot C. Company directory D. Nmap
D
QUESTION 922 After a ransomware attack, a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction? A. The public ledger B. The NetFlow data C. A checksum D. The event log
D
QUESTION 923 A security administrator needs to create a RAID configuration that is focused on high read speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the following RAID configurations should the administrator use? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10
D
QUESTION 925 Which of the following would MOST likely support the integrity of a voting machine? A. Asymmetric encryption B. Blockchain C. Transport Layer Security D. Perfect forward secrecy
D
QUESTION 926 A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better: A. validate the vulnerability exists in the organization's network through penetration testing. B. research the appropriate mitigation techniques in a vulnerability database. C. find the software patches that are required to mitigate a vulnerability. D. prioritize remediation of vulnerabilities based on the possible impact.
D
QUESTION 952 An incident response analyst at a large corporation is reviewing proxy log data. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take? A. Call the CEO directly to ensure awareness of the event B. Run a malware scan on the CEO's workstation C. Reimage the CEO's workstation D. Disconnect the CEO's workstation from the network.
D
QUESTION 964 An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year? A. ALE B. ARO C. RPO D. SLE
D
QUESTION 976 An organization has implemented a two-step verification process to protect user access to data that is stored in the cloud. Each employee now uses an email address or mobile number to receive a code to access the data. Which of the following authentication methods did the organization implement? A. Token key B. Static code C. Push notification D. HOTP
D
QUESTION 989 A datacenter engineer wants to ensure an organization's servers have high speed and high redundancy and can sustain the loss of two physical disks in an array. Which of the following RAID configurations should the engineer implement to deliver this functionality? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10 E. RAID 50
D
QUESTION 991 A company is having issues with intellectual property being sent to a competitor from its system. The information being sent is not random but has an identifiable pattern. Which of the following should be implemented in the system to stop the content from being sent? A. Encryption B. Hashing C. IPS D. DLP
D
QUESTION 947 Which of the following is a risk that is specifically associated with hosting applications in the public cloud? A. Unsecured root accounts B. Zero-day C. Shared tenancy D. Insider threat
D Explanation: Insider Threat: An attack from inside your organization may seem unlikely, but the insider threat does exist. Employees can use their authorized access to an organization's cloud-based services to misuse or access information such as customer accounts, financial forms, and other sensitive information. Additionally, these insiders don't even need to have malicious intentions. A study by Imperva, "Inside Track on Insider Threats", found that an insider threat was the misuse of information through malicious intent, accidents or malware. The study also examined four best practices companies could follow to implement a secure strategy, such as business partnerships, prioritizing initiatives, controlling access, and implementing technology.
QUESTION 943 A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the following types of controls should be used to reduce the risk created by this scenario? A. Physical B. Detective C. Preventive D. Compensating
D Explanation: Preventative: Preventative controls are designed to be implemented prior to a threat event and reduce and/or avoid the likelihood and potential impact of a successful threat event. Examples of preventative controls include policies, standards, processes, procedures, encryption, firewalls, and physical barriers. Detective: Detective controls are designed to detect a threat event while it is occurring and provide assistance during investigations and audits after the event has occurred. Examples of detective controls include security event log monitoring, host and network intrusion detection of threat events, and antivirus identification of malicious code. Corrective: Corrective controls are designed to mitigate or limit the potential impact of a threat event once it has occurred and recover to normal operations. Examples of corrective controls include automatic removal of malicious code by antivirus software, business continuity and recovery plans, and host and network intrusion prevention of threat events.
QUESTION 945 Which of the following types of attack is being used when an attacker responds by sending the MAC address of the attacking machine to resolve the MAC to IP address of a valid server? A. Session hijacking B. IP spoofing C. Evil twin D. ARP poisoning
D Explanation: ARP spoofing, also known as ARP poisoning, is a man-in-the-middle (MitM) attack that allows attackers to intercept communication between network devices. The attack works as follows: The attacker must have access to the network.
QUESTION 910 A Security analyst has received an alert about PII being sent via email. The analyst's Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate? A. S/MIME B. DLP C. IMAP D. HIDS
D Explanation: An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system.
QUESTION 1039 Which of the following is the purpose of an industry-standard framework? A. To promulgate compliance requirements for sales of common IT systems B. To provide legal relief to participating organizations in the event of a security breach C. To promulgate security settings on a vendor-by-vendor basis D. To provide guidance across common system implementations
D
QUESTION 958 A security technician is configuring a new firewall appliance for a production environment. The firewall must support secure web services for client workstations on the 10.10.10.0/24 network. The same client workstations are configured to contact a server at 192.168.1.15/24 for domain name resolution. Which of the following rules should the technician add to the firewall to allow this connectivity for the client workstations? (Select TWO). A. Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 22 B. Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 80 C. Permit 10.10.10.0/24 192.168.1.15/24 -p udp --dport 21 D. Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 443 E. Permit 10.10.10.0/24 192.168.1.15/24 -p tcp --dport 53 F. Permit 10.10.10.0/24 192.168.1.15/24 -p udp --dport 53
D, E
QUESTION 752 A technician, who is managing a secure B2B connection, noticed the connection broke last night. All networking equipment and media are functioning as expected, which leads the technician to question certain PKI components. Which of the following should the technician use to validate this assumption? (Choose two.) A. PEM B. CER C. SCEP D. CRL E. OCSP F. PFX
D, E
QUESTION 941 A security consultant was asked to revise the security baselines that are utilized by a large organization. Although the company provides different platforms for its staff, including desktops, laptops, and mobile devices, the applications do not vary by platform. Which of the following should the consultant recommend? (Select Two). A. Apply patch management on a daily basis. B. Allow full functionality for all applications that are accessed remotely C. Apply default configurations of all operating systems D. Apply application whitelisting. E. Disable default accounts and/or passwords.
D, E
QUESTION 809 An email recipient is unable to open a message encrypted through PKI that was sent from another organization. Which of the following does the recipient need to decrypt the message? A. The sender's private key B. The recipient's private key C. The recipient's public key D. The CA's root certificate E. The sender's public key F. An updated CRL
E
QUESTION 880 An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit of this certification? A. It allows for the sharing of digital forensics data across organizations. B. It provides insurance in case of a data breach. C. It provides complimentary training and certification resources to IT security staff. D. It certifies the organization can work with foreign entities that require a security clearance. E. It assures customers that the organization meets security standards.
E
QUESTION 974 A company recently experienced a security incident in which its domain controllers were the target of a DoS attack. In which of the following steps should technicians connect domain controllers to the network and begin authenticating users again? A. Preparation B. Identification C. Containment D. Eradication E. Recovery F. Lessons learned
E
QUESTION 753 A security administrator is investigating a report that a user is receiving suspicious emails. The user's machine has an old functioning modem installed. Which of the following security concerns need to be identified and mitigated? (Choose two.) A. Vishing B. Whaling C. Spear phishing D. Pharming E. War dialing F. Hoaxing
E, F
QUESTION 1001 SIMULATION A company recently added a DR site and is redesigning the network. Users at the DR site are having issues browsing websites. INSTRUCTIONS Click on each firewall to do the following: 1. Deny cleartext web traffic. 2. Ensure secure management protocols are used. 3. Resolve issues at the DR site. The ruleset order cannot be modified due to outside constraints. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Firewall 1:
DNS Rule - ANY ANY DNS PERMIT
HTTPS Outbound - 10.0.0.1/24 ANY HTTPS PERMIT
Management - ANY ANY SSH PERMIT
HTTPS Inbound - ANY ANY HTTPS PERMIT
HTTP Inbound - ANY ANY HTTP DENY
Firewall 2: No changes should be made to this firewall
Firewall 3:
DNS Rule - ANY ANY DNS PERMIT
HTTPS Outbound - 192.168.0.1/24 ANY HTTPS PERMIT
Management - ANY ANY SSH PERMIT
HTTPS Inbound - ANY ANY HTTPS PERMIT
HTTP Inbound - ANY ANY HTTP DENY
QUESTION 1002 While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring? A. A RAT was installed and is transferring additional exploit tools. B. The workstations are beaconing to a command-and-control server. C. A logic bomb was executed and is responsible for the data transfers. D. A fileless virus is spreading in the local network environment.
A
QUESTION 1003 A consultant is configuring a vulnerability scanner for a large, global organization in multiple countries. The consultant will be using a service account to scan systems with administrative privileges on a weekly basis, but there is a concern that hackers could gain access to the account and pivot throughout the global network. Which of the following would be BEST to help mitigate this concern? A. Create different accounts for each region, each configured with push MFA notifications. B. Create one global administrator account and enforce Kerberos authentication. C. Create different accounts for each region, limit their logon times, and alert on risky logins. D. Create a guest account for each region, remember the last ten passwords, and block password reuse.
A
QUESTION 1005 In a lessons-learned report, it is suspected that a well-organized, well-funded, and extremely sophisticated group of attackers may have been responsible for a breach at a nuclear facility. Which of the following describes the type of actors that may have been implicated? A. Nation-state B. Hacktivist C. Insider D. Competitor
A
QUESTION 1013 A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using? A. The Diamond Model of Intrusion Analysis B. The Cyber Kill Chain C. The MITRE CVE database D. The incident response process
A
QUESTION 1017 An organization has the following password policies:
- Passwords must be at least 16 characters long.
- A password cannot be the same as any previous 20 passwords.
- Three failed login attempts will lock the account for five minutes.
- Passwords must have one uppercase letter, one lowercase letter, and one non-alphanumeric symbol.
A database server was recently breached, and the incident response team suspects the passwords were compromised. Users with permission on that database server were forced to change their passwords for that server. Unauthorized and suspicious logins are now being detected on a completely separate server. Which of the following is MOST likely the issue and the best solution? A. Some users are reusing passwords for different systems; the organization should scan for password reuse across systems. B. The organization has improperly configured single sign-on; the organization should implement a RADIUS server to control account logins. C. User passwords are not sufficiently long or complex; the organization should increase the complexity and length requirements for passwords. D. The trust relationship between the two servers has been compromised; the organization should place each server on a separate VLAN.
A
QUESTION 1018 Ann, a user, reports she is receiving emails that appear to be from organizations to which she belongs, but the emails contain links to websites that do not belong to those organizations. Which of the following security scenarios does this describe? A. A hacker is using Ann's social media information to create a spear phishing attack B. The DNS servers for the organizations have been hacked and are pointing to malicious sites C. The company's mail system has changed the organization's links to point to a proxy server for security D. Ann's computer is infected with adware that has changed the email links
A
QUESTION 1019 An application developer is working on a new calendar and scheduling application. The developer wants to test new functionality that is time/date dependent and set the local system time to one year in the future. The application also has a feature that uses SHA-256 hashing and AES encryption for data exchange. The application attempts to connect to a separate remote server using SSL, but the connection fails. Which of the following is the MOST likely cause and next step? A. The date is past the certificate expiration; reset the system to the current time and see if the connection still fails B. The remote server cannot support SHA-256; try another hashing algorithm like SHA-1 and see if the application can connect C. AES is date/time dependent; either reset the system time to the correct time or try a different encryption approach D. SSL is not the correct protocol to use in this situation; change to TLS and try the client-server connection again
A
QUESTION 1022 Which of the following is an algorithm family that was developed for use cases in which power consumption and lower computing power are constraints? A. Elliptic curve B. RSA C. Diffie-Hellman D. SHA
A
QUESTION 1023 An organization has created a review process to determine how to best handle data with different sensitivity levels. The process includes the following requirements:
- Soft copy PII must be encrypted.
- Hard copy PII must be placed in a locked container.
- Soft copy PHI must be encrypted and audited monthly.
- Hard copy PHI must be placed in a locked container and inventoried monthly.
Locked containers must be approved and designated for document storage. Any violations must be reported to the Chief Security Officer (CSO). While searching for coffee in the kitchen, an employee unlocks a cabinet and discovers a list of customer names and phone numbers. Which of the following actions should the employee take? A. Put the document back in the cabinet, lock the cabinet, and report the incident to the CSO B. Take custody of the document, secure it at a desk, and report the incident to the CSO C. Take custody of the document and immediately report the incident to the CSO D. Put the document back in the cabinet, inventory the contents, lock the cabinet, and report the incident to the CSO
A
QUESTION 1031 Which of the following controls is implemented in lieu of the primary security controls? A. Compensating B. Corrective C. Detective D. Deterrent
A
QUESTION 1032 A transitive trust: A. is automatically established between a parent and a child B. is used to update DNS records C. allows access to untrusted domains D. can be used in place of a hardware token for logins
A
QUESTION 1033 An email systems administrator is configuring the mail server to prevent spear phishing attacks through email messages. Which of the following refers to what the administrator is doing? A. Risk avoidance B. Risk mitigation C. Risk transference D. Risk acceptance
A
QUESTION 1034 Which of the following BEST explains why a development environment should have the same database server secure baseline that exists in production even if there is no PII in the database? A. Without the same configuration in both development and production, there are no assurances that changes made in development will have the same effect in production B. Attackers can extract sensitive, personal information from lower development environment databases just as easily as they can from production databases C. Databases are unique in their need to have secure configurations applied in all environments because they are attacked more often D. Laws stipulate that databases with the ability to store personal information must be secured regardless of the environment or if they actually have PII
A
QUESTION 755 A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The CIO wants to keep control over key visibility and management. Which of the following would be the BEST solution for the CIO to implement? A. HSM B. CA C. SSH D. SSL
A
QUESTION 758 Which of the following is MOST likely caused by improper input handling? A. Loss of database tables B. Untrusted certificate warning C. Power off reboot loop D. Breach of firewall ACLs
A
QUESTION 765 A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker would. Which of the following would BEST enable the analyst to complete the objective? A. Perform a non-credentialed scan. B. Conduct an intrusive scan. C. Attempt escalation of privilege. D. Execute a credentialed scan.
A
QUESTION 766 A company moved into a new building next to a sugar mill. Cracks have been discovered in the walls of the server room, which is located on the same side as the sugar mill loading docks. The cracks are believed to have been caused by heavy trucks. Moisture has begun to seep into the server room, causing extreme humidification problems and equipment failure. Which of the following BEST describes the type of threat the organization faces? A. Foundational B. Man-made C. Environmental D. Natural
B
QUESTION 768 A Chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the public-facing servers in the domain. Which of the following is a secure solution that is the MOST cost effective? A. Create and install a self-signed certificate on each of the servers in the domain. B. Purchase a load balancer and install a single certificate on the load balancer. C. Purchase a wildcard certificate and implement it on every server. D. Purchase individual certificates and apply them to the individual servers.
C
QUESTION 774 Which of the following is a security consideration for IoT devices? A. IoT devices have built-in accounts that users rarely access. B. IoT devices have less processing capabilities. C. IoT devices are physically segmented from each other. D. IoT devices have purpose-built applications.
A
QUESTION 779 A company recently installed fingerprint scanners at all entrances to increase the facility's security. The scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid users were denied entry. Which of the following measurements do these users fall under? A. FRR B. FAR C. CER D. SLA
A
QUESTION 784 A technician is required to configure updates on a guest operating system while maintaining the ability to quickly revert the changes that were made while testing the updates. Which of the following should the technician implement? A. Snapshots B. Revert to known state C. Rollback to known configuration D. Shadow copy
A
QUESTION 785 A technician is investigating a report of unusual behavior and slow performance on a company-owned laptop. The technician runs a command and reviews the following information: [screenshot of the command output not reproduced] Based on the above information, which of the following types of malware should the technician report? A. Spyware B. Rootkit C. RAT D. Logic bomb
A
QUESTION 791 A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic. Which of the following should be used for the IDS implementation? A. Network tap B. Honeypot C. Aggregation D. Port mirror
D
QUESTION 792 A contracting company recently completed its period of performance on a government contract and would like to destroy all information associated with contract performance. Which of the following is the best NEXT step for the company to take? A. Consult data disposition policies in the contract. B. Use a pulper or pulverizer for data destruction. C. Retain the data for a period no more than one year. D. Burn hard copies containing PII or PHI
A
QUESTION 793 A systems administrator is receiving multiple alerts from the company NIPS. A review of the NIPS logs shows the following: reset both: 70.32.200.2:3194 -> 10.4.100.4:80 buffer overflow attempt reset both: 70.32.200.2:3230 -> 10.4.100.4:80 directory traversal attack reset client: 70.32.200.2:4019 -> 10.4.100.4:80 Blind SQL injection attack Which of the following should the systems administrator report back to management? A. The company web server was attacked by an external source, and the NIPS blocked the attack. B. The company web and SQL servers suffered a DoS caused by a misconfiguration of the NIPS. C. An external attacker was able to compromise the SQL server using a vulnerable web application. D. The NIPS should move from an inline mode to an out-of-band mode to reduce network latency.
A
QUESTION 795 An organization is concerned about video emissions from users' desktops. Which of the following is the BEST solution to implement? A. Screen filters B. Shielded cables C. Spectrum analyzers D. Infrared detection
B
QUESTION 799 Which of the following serves to warn users against downloading and installing pirated software on company devices? A. AUP B. NDA C. ISA D. BPA
A
QUESTION 803 Using a one-time code that has been texted to a smartphone is an example of: A. something you have. B. something you know. C. something you do. D. something you are.
A
QUESTION 804 The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead to: A. arbitrary code execution. B. resource exhaustion. C. exposure of authentication credentials. D. dereferencing of memory pointers.
A
QUESTION 807 Which of the following is the proper use of a Faraday cage? A. To block electronic signals sent to erase a cell phone B. To capture packets sent to a honeypot during an attack C. To protect hard disks from access during a forensics investigation D. To restrict access to a building allowing only one person to enter at a time
A
QUESTION 817 A systems engineer is configuring a wireless network. The network must not require installation of third-party software. Mutual authentication of the client and the server must be used. The company has an internal PKI. Which of the following configurations should the engineer choose? A. EAP-TLS B. EAP-TTLS C. EAP-FAST D. EAP-MD5 E. PEAP
A
QUESTION 819 An organization plans to transition the intrusion detection and prevention techniques on a critical subnet to an anomaly-based system. Which of the following does the organization need to determine for this to be successful? A. The baseline B. The endpoint configurations C. The adversary behavior profiles D. The IPS signatures
A
QUESTION 820 Joe, an employee, knows he is going to be fired in three days. Which of the following is Joe? A. An insider threat B. A competitor C. A hacktivist D. A state actor
A
QUESTION 822 Which of the following is the MAIN disadvantage of using SSO? A. The architecture can introduce a single point of failure. B. Users need to authenticate for each resource they access. C. It requires an organization to configure federation. D. The authentication is transparent to the user.
A
QUESTION 828 Which of the following types of controls is a turnstile? A. Physical B. Detective C. Corrective D. Technical
A
QUESTION 832 An incident responder is preparing to acquire images and files from a workstation that has been compromised. The workstation is still powered on and running. Which of the following should be acquired LAST? A. Application files on hard disk B. Processor cache C. Processes in running memory D. Swap space
A
QUESTION 836 A forensics analyst is investigating a hard drive for evidence of suspected illegal activity. Which of the following should the analyst do FIRST? A. Create a hash of the hard drive. B. Export the Internet history. C. Save a copy of the case number and date as a text file in the root directory. D. Back up the pictures directory for further inspection.
A
QUESTION 838 The help desk received a call from a user who was trying to access a set of files from the day before but received the following error message: File format not recognized. Which of the following types of malware MOST likely caused this to occur? A. Ransomware B. Polymorphic virus C. Rootkit D. Spyware
A
QUESTION 841 A system uses an application server and database server. Employing the principle of least privilege, only database administrators are given administrative privileges on the database server, and only application team members are given administrative privileges on the application server. Audit and log file reviews are performed by the business unit (a separate group from the database and application teams). The organization wants to optimize operational efficiency when application or database changes are needed, but it also wants to enforce least privilege, prevent modification of log files, and facilitate the audit and log review performed by the business unit. Which of the following approaches would BEST meet the organization's goals? A. Restrict privileges on the log file directory to "read only" and use a service account to send a copy of these files to the business unit. B. Switch administrative privileges for the database and application servers. Give the application team administrative privileges on the database servers and the database team administrative privileges on the application servers. C. Remove administrative privileges from both the database and application servers, and give the business unit "read only" privileges on the directories where the log files are kept. D. Give the business unit administrative privileges on both the database and application servers so they can independently monitor server activity.
A
QUESTION 843 A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file download from a social media site and subsequently installed it without the user's knowledge. Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker MOST likely use to gain access? A. A bot B. A fileless virus C. A logic bomb D. A RAT
D
QUESTION 851 While testing a new vulnerability scanner, a technician becomes concerned about reports that list security concerns that are not present on the systems being tested. Which of the following BEST describes this flaw? A. False positives B. Crossover error rate C. Uncredentialed scan D. Passive security controls
A
QUESTION 853 During a risk assessment, results show that a fire in one of the company's datacenters could cost up to $20 million in equipment damages and lost revenue. As a result, the company insures the datacenter for up to $20 million damages for the cost of $30,000 a year. Which of the following risk response techniques has the company chosen? A. Transference B. Avoidance C. Mitigation D. Acceptance
A
QUESTION 861 Which of the following would provide a safe environment for an application to access only the resources needed to function while not having access to run at the system level? A. Sandbox B. Honeypot C. GPO D. DMZ
A
QUESTION 863 A user loses a COPE device. Which of the following should the user do NEXT to protect the data on the device? A. Call the company help desk to remotely wipe the device. B. Report the loss to authorities. C. Check with corporate physical security for the device. D. Identify files that are potentially missing on the device.
A
QUESTION 866 Which of the following is the BEST use of a WAF? A. To protect sites on web servers that are publicly accessible B. To allow access to web services of internal users of the organization C. To maintain connection status of all HTTP requests D. To deny access to all websites with certain contents
A
QUESTION 868 A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery? A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis. B. Restrict administrative privileges and patch all systems and applications. C. Rebuild all workstations and install new antivirus software. D. Implement application whitelisting and perform user application hardening.
A
QUESTION 870 A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions? A. Nmap B. Wireshark C. Autopsy D. DNSEnum
A
QUESTION 871 A network administrator at a large organization is reviewing methods to improve the security of the wired LAN. Any security improvement must be centrally managed and allow corporate-owned devices to have access to the intranet but limit others to Internet access only. Which of the following should the administrator recommend? A. 802.1X utilizing the current PKI infrastructure B. SSO to authenticate corporate users C. MAC address filtering with ACLs on the router D. PAM for users account management
A
QUESTION 872 Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server? A. The document is a honeyfile and is meant to attract the attention of a cyberintruder. B. The document is a backup file if the system needs to be recovered. C. The document is a standard file that the OS needs to verify the login credentials. D. The document is a keylogger that stores all keystrokes should the account be compromised.
A
QUESTION 876 A network administrator was concerned during an audit that users were able to use the same passwords the day after a password change policy took effect. The following settings are in place: - Users must change their passwords every 30 days. - Users cannot reuse the last 10 passwords. Which of the following settings would prevent users from being able to immediately reuse the same passwords? A. Minimum password age of five days B. Password history of ten passwords C. Password length greater than ten characters D. Complex passwords must be used
A
QUESTION 893 While reviewing the wireless router, the systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below: [table screenshot not reproduced] Which of the following should be the administrator's NEXT step to detect if there is a rogue system without impacting availability? A. Conduct a ping sweep. B. Physically check each system. C. Deny Internet access to the "UNKNOWN" hostname. D. Apply MAC filtering.
A
QUESTION 897 Using a ROT13 cipher to protect confidential information from unauthorized access is known as: A. Steganography B. Obfuscation C. Non-repudiation D. Diffusion
B
QUESTION 900 Which of the following BEST explains why a development environment should have the same database server secure baseline that exists in production even if there is no PII in the database? A. Without the same configuration in both development and production, there are no assurances that changes made in development will have the same effect in production. B. Attackers can extract sensitive, personal information from lower development environment databases just as easily as they can from production databases. C. Databases are unique in their need to have secure configurations applied in all environments because they are attacked more often. D. Laws stipulate that databases with the ability to store personal information must be secured regardless of the environment or if they actually have PII.
A
QUESTION 916 Which of the following describes the BEST approach for deploying application patches? A. Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production systems. B. Test the patches in a staging environment, develop against them in the development environment, and then apply them to the production systems C. Test the patches in a test environment, apply them to the production systems, and then apply them to a staging environment. D. Apply the patches to the production systems, apply them in a staging environment, and then test all of them in a testing environment.
A
QUESTION 918 A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use? A. dd B. chmod C. dnsenum D. logger
A
QUESTION 938 A technician has been asked to document which services are running on each of a collection of 200 servers. Which of the following tools BEST meets this need while minimizing the work required? A. Nmap B. Nslookup C. Netcat D. Netstat
A
QUESTION 939 A security engineer at a manufacturing company is implementing a third-party cloud application. Rather than creating users manually in the application, the engineer decides to use the SAML protocol. Which of the following is being used for this implementation? A. The manufacturing company is the service provider, and the cloud company is the identity provider. B. The manufacturing company is the authorization provider, and the cloud company is the service provider. C. The manufacturing company is the identity provider, and the cloud company is the OAuth provider. D. The manufacturing company is the identity provider, and the cloud company is the service provider. E. The manufacturing company is the service provider, and the cloud company is the authorization provider.
D
QUESTION 962 A company that processes sensitive information has implemented a BYOD policy and an MDM solution to secure sensitive data that is processed by corporate and personally owned mobile devices. Which of the following should the company implement to prevent sensitive data from being stored on mobile devices? A. VDI B. Storage segmentation C. Containerization D. USB OTG E. Geofencing
A
QUESTION 967 A threat actor motivated by political goals that is active for a short period of time but has virtually unlimited resources is BEST categorized as a: A. hacktivist. B. nation-state C. script kiddie D. APT
B
QUESTION 968 Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario? A. Watering-hole attack B. Credential harvesting C. Hybrid warfare D. Pharming
A
QUESTION 971 Which of the following is the primary reason for implementing layered security measures in a cybersecurity architecture? A. It increases the number of controls required to subvert a system B. It decreases the time a CERT has to respond to a security incident. C. It alleviates problems associated with EOL equipment replacement. D. It allows for bandwidth upgrades to be made without user disruption.
A
QUESTION 972 Which of the following attacks can be used to exploit a vulnerability that was created by untrained users? A. A spear-phishing email with a file attachment. B. A DoS using IoT devices C. An evil twin wireless access point D. A domain hijacking of a bank website
A
QUESTION 975 Which of the following explains why a vulnerability scan might return a false positive? A. The scan is performed at a time of day when the vulnerability does not exist. B. The test is performed against the wrong host. C. The signature matches the product but not the version information. D. The hosts are evaluated based on an OS-specific profile.
C
QUESTION 982 A technician needs to document which application versions are listening on open ports. Which of the following is MOST likely to return the information the technician needs? A. Banner grabbing B. Steganography tools C. Protocol analyzer D. Wireless scanner
A
QUESTION 987 An organization wants to separate permissions for individuals who perform system changes from individuals who perform auditing of those system changes. Which of the following access control approaches is BEST suited for this? A. Assign administrators and auditors to different groups and restrict permissions on system log files to read-only for the auditor group. B. Assign administrators and auditors to the same group, but ensure they have different permissions based on the function they perform. C. Create two groups and ensure each group has representation from both the auditors and the administrators so they can verify any changes that were made. D. Assign file and folder permissions on an individual user basis and avoid group assignment altogether.
A
QUESTION 994 A company wants to configure its wireless network to require username and password authentication. Which of the following should the systems administrator implement? A. WPS B. PEAP C. TKIP D. PKI
B
QUESTION 996 The concept of connecting a user account across the systems of multiple enterprises is BEST known as: A. federation. B. a remote access policy. C. multifactor authentication. D. single sign-on.
A
QUESTION 999 A systems administrator wants to replace the process of using a CRL to verify certificate validity. Which of the following would BEST suit the administrator's needs? A. OCSP B. CSR C. Key escrow D. CA
A
QUESTION 902 A systems administrator is implementing a remote access method for the system that will utilize a GUI. Which of the following protocols would be BEST suited for this? A. TLS B. SSH C. SFTP D. SRTP
A
QUESTION 907 An organization uses application whitelisting to help prevent zero-day attacks. Malware was recently identified on one client, which was able to run despite the organization's application whitelisting approach. The forensics team has identified the malicious file, conducted a post-incident analysis, and compared this with the original system baseline. The team sees the following output: filename hash (SHA-1) original: winSCP.exe 2d da b1 4a 98 fc f1 98 06 b1 e5 26 b2 df e5 f5 3e cb 83 e1 latest: winSCP.exe a3 4a c2 4b 85 fa f2 dd 0b ba f4 16 b2 df f2 4b 3f ac 4a e1 Which of the following identifies the flaw in the team's application whitelisting approach? A. Their approach uses executable names and not hashes for the whitelist. B. SHA-1 has known collision vulnerabilities and should not be used. C. The original baseline never captured the latest file signature D. Zero-day attacks require the latest file signatures
A
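The point of the question is that a name-based allow list passes any file that keeps a trusted name, while a hash-based list catches the swapped binary. The following is an added example, not tooling from the question bank: it baselines a directory by SHA-256, evaluates both policies against a file, and produces the kind of baseline-versus-current comparison the forensics team did. The file contents are constructed stand-ins, and the temp directory, `winSCP.exe` name and the `demo` helper are assumptions for illustration.

```python
"""Hash-based application allow-listing versus name-based allow-listing.

Added example; not the question bank's own tooling.  Builds a baseline of
SHA-256 digests for the files in a directory and shows that a file whose
name is on the list but whose content changed passes the name check and
fails the hash check.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory: str) -> dict:
    """name -> digest, captured while the system is known-good."""
    return {name: sha256_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def allowed_by_name(baseline: dict, path: str) -> bool:
    """The flawed policy: any file whose *name* is on the list may run."""
    return os.path.basename(path) in baseline


def allowed_by_hash(baseline: dict, path: str) -> bool:
    """The correct policy: the file's current digest must equal the baselined one."""
    expected = baseline.get(os.path.basename(path))
    return expected is not None and sha256_file(path) == expected


def audit(baseline: dict, directory: str) -> list:
    """Post-incident comparison: names whose digest changed since the
    baseline, plus files that were never baselined at all."""
    findings = []
    for name in sorted(os.listdir(directory)):
        digest = sha256_file(os.path.join(directory, name))
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif digest != baseline[name]:
            findings.append((name, "hash mismatch"))
    return findings


def demo() -> dict:
    """Reproduces the question's scenario with constructed file contents
    (assumed stand-ins for the real binaries)."""
    workdir = tempfile.mkdtemp()
    exe = os.path.join(workdir, "winSCP.exe")
    with open(exe, "wb") as f:
        f.write(b"original vendor build")          # constructed content
    baseline = build_baseline(workdir)
    with open(exe, "wb") as f:
        f.write(b"malware keeping the trusted name")  # constructed content
    return {
        "name_check_passes": allowed_by_name(baseline, exe),
        "hash_check_passes": allowed_by_hash(baseline, exe),
        "audit": audit(baseline, workdir),
    }


if __name__ == "__main__":
    print(demo())
```

The digest is compared as a plain string because it is not a secret; what matters is that it is computed from the content at execution time, not looked up by name. A production allow list would also pin the digests to signed vendor releases so that the baseline itself cannot be poisoned.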
QUESTION 955 After patching computers with the latest application security patches/updates, users are unable to open certain applications. Which of the following will correct the issue? A. Modifying the security policy for patch management tools B. Modifying the security policy for HIDS/HIPS C. Modifying the security policy for DLP D. Modifying the security policy for media control
B
QUESTION 812 A security administrator has received multiple calls from the help desk about customers who are unable to access the organization's web server. Upon reviewing the log files, the security administrator determines multiple open requests have been made from multiple IP addresses, which is consuming system resources. Which of the following attack types does this BEST describe? A. DDoS B. DoS C. Zero day D. Logic bomb
A
QUESTION 961 A coffee company has hired an IT consultant to set up a WiFi network that will provide Internet access to customers who visit the company's chain of cafés. The coffee company has provided no requirements other than that customers should be granted access after registering via a web form and accepting the terms of service. Which of the following is the MINIMUM acceptable configuration to meet this single requirement? A. Captive portal B. WPA with PSK C. Open WiFi D. WPS
A Explanation: A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources.
QUESTION 937 Which of the following implements two-factor authentication on a VPN? A. Username, password, and source IP B. Public and private keys C. HOTP token and logon credentials D. Source and destination IP addresses
C Explanation: Two-factor authentication requires two different factor types. Logon credentials are something you know and an HOTP token is something you have, so C combines two factors. A source or destination IP address is not an authentication factor at all, and a public/private key pair is a single factor (something you have). A typical enrollment and login flow for a VPN with a second factor (the Duo-style flow the original explanation described) looks like this. First-time setup: 1. The user goes to the URL given by IT support and enters their username and password. 2. After logging in, they are prompted to enter their phone number and verify it with a phone call or text message. 3. They install the Duo Mobile smartphone app, which generates passcodes and supports Duo Push (on iPhone and Android). 4. The app is activated so it is linked to the user's account. 5. The user sees a success message and the normal login prompt. Connecting via VPN after setup: 1. Go to the URL and log in with username and password. 2. Choose an authentication method: Duo Push, phone call, text or passcode. 3. With Duo Push, a notification is sent to the phone; selecting "Approve" redirects the browser to the SSL VPN service homepage. 4. Launch "Tunnel Mode" to direct traffic through the VPN.
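The "HOTP token" in the correct answer is a counter-based one-time password (RFC 4226): the token and the server share a secret and a counter, and each code is an HMAC-SHA1 of the counter, truncated to six digits. The block below is an added example, not code from the question bank or from any VPN vendor: it generates HOTP codes, validates them server-side with a look-ahead window so a code can never be replayed, and wires the check behind a password check so both factors must pass. The secret is the RFC 4226 test-vector secret; the `alice` account, her password and the `HotpValidator`/`vpn_login` names are assumptions for illustration.

```python
"""HOTP (RFC 4226) token generation and server-side two-factor validation.

Added example; not part of the original question bank.  The secret below is
the RFC 4226 test vector, so the generated codes are the published ones
(counter 0 -> 755224, 1 -> 287082, 2 -> 359152).
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"   # RFC 4226 appendix D test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    (RFC 4226 section 5.3), then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Server side of the 'something you have' factor.  Tracks the next
    expected counter per user; accepts a code only if it matches one of the
    next `window` counters, then advances past it so it cannot be replayed."""

    def __init__(self, secrets: dict, window: int = 5):
        self._secrets = secrets                    # username -> shared secret
        self._counters = {u: 0 for u in secrets}   # next counter to accept
        self._window = window

    def verify(self, user: str, code: str) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        start = self._counters[user]
        for c in range(start, start + self._window):
            if hmac.compare_digest(hotp(secret, c), code):
                self._counters[user] = c + 1       # resync and burn this counter
                return True
        return False


def vpn_login(validator: HotpValidator, passwords: dict,
              user: str, password: str, code: str) -> bool:
    """Two factors: the password (something you know) and the HOTP code from
    the token (something you have).  Both must pass."""
    if not hmac.compare_digest(passwords.get(user, ""), password):
        return False
    return validator.verify(user, code)


# Constructed demo account (assumption; not from the question).
DEMO_PASSWORDS = {"alice": "correct horse battery staple"}


def make_demo_validator() -> HotpValidator:
    return HotpValidator({"alice": RFC4226_SECRET})


if __name__ == "__main__":
    v = make_demo_validator()
    print(vpn_login(v, DEMO_PASSWORDS, "alice", DEMO_PASSWORDS["alice"], hotp(RFC4226_SECRET, 0)))
```

Plain string comparison would leak timing information about the code, hence `hmac.compare_digest`. Real deployments store the per-user counter and secret in a database and keep the look-ahead window small, since a larger window makes guessing proportionally easier.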
QUESTION 934 Which of the following vulnerabilities can lead to unexpected system behavior, including the bypassing of security controls, due to differences between the time of commitment and the time of execution? A. Buffer overflow B. DLL injection C. Pointer dereference D. Race condition
D Explanation: A race condition occurs when a program checks a condition and then acts on it as two separate steps, and the state it checked changes in between. The security-relevant form is time-of-check/time-of-use (TOCTOU): the check passes, an attacker changes what the check referred to (for example, swapping a file for a symbolic link), and the later operation acts on the new object, bypassing the control. The fix is to make the check and the use a single atomic operation, or to perform the check on the object actually in use (a file descriptor rather than a path name). Buffer overflows, DLL injection and pointer dereference are memory-handling flaws, not timing flaws.
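The following is an added example of the TOCTOU race the answer describes; it is not code from the question bank. The scenario is constructed: a service reads a file a user submitted, a local attacker swaps that file for a symlink to a secret between the service's check and its use, and the vulnerable version leaks the secret while the hardened version, which opens first and validates the descriptor it actually got, does not. It assumes a POSIX system (symlinks and `O_NOFOLLOW`); the `attacker_wins_race` callback is an assumption that stands in for the attacker winning the timing window.

```python
"""Time-of-check/time-of-use (TOCTOU) race, vulnerable and hardened.

Added example; not from the question bank.  Assumes a POSIX system.
"""
import os
import stat
import tempfile


def read_if_allowed(path, attacker_wins_race=None):
    """VULNERABLE: the check (os.access) and the use (open) are two separate
    operations on a path *name*.  If what the name refers to changes between
    them, the check is worthless."""
    if not os.access(path, os.R_OK):
        raise PermissionError(path)
    if attacker_wins_race is not None:       # the window the attacker exploits
        attacker_wins_race()
    with open(path, "rb") as f:
        return f.read()


def read_safely(path, attacker_wins_race=None):
    """HARDENED: open first, refusing to follow a symlink at the final path
    component, then validate the object that was actually opened through its
    descriptor and read through that same descriptor.  The name can still be
    swapped afterwards, but the descriptor stays bound to the inode checked."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file: %s" % path)
        if attacker_wins_race is not None:
            attacker_wins_race()             # too late: we already hold the fd
        chunks = []
        while True:
            data = os.read(fd, 65536)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> dict:
    """Builds the constructed scenario in a temp dir and reports what each
    version read, plus whether the hardened open refuses a pre-placed symlink."""
    workdir = tempfile.mkdtemp()
    secret = os.path.join(workdir, "secret.txt")
    submitted = os.path.join(workdir, "submitted.txt")
    with open(secret, "wb") as f:
        f.write(b"TOP SECRET")               # constructed content

    def reset():
        if os.path.lexists(submitted):
            os.remove(submitted)
        with open(submitted, "wb") as f:
            f.write(b"harmless")             # constructed content

    def swap_for_symlink():                  # the assumed attacker action
        os.remove(submitted)
        os.symlink(secret, submitted)

    reset()
    leaked = read_if_allowed(submitted, swap_for_symlink)
    reset()
    kept = read_safely(submitted, swap_for_symlink)
    try:                                     # submitted.txt is now the symlink
        read_safely(submitted)
        refused = False
    except OSError:
        refused = True
    return {"vulnerable_read": leaked, "hardened_read": kept,
            "symlink_refused": refused}


if __name__ == "__main__":
    print(demo())
```

`os.access` followed by `open` is the textbook TOCTOU pair on Unix; the same pattern appears as "check that the file exists, then create it" and "check the balance, then debit it". In each case the remedy is the same: act on the object you checked, or make check and act one atomic operation.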
QUESTION 993 A security administrator is adding a NAC requirement for all VPN users to ensure the connecting devices are compliant with company policy. Which of the following items provides the HIGHEST assurance to meet this requirement? A. Implement a permanent agent. B. Install antivirus software. C. Use an agentless implementation. D. Implement PKI.
A
QUESTION 811 DRAG DROP An attack has occurred against a company. INSTRUCTIONS You have been tasked to do the following: Identify the type of attack that is occurring on the network by clicking on the attacker's tablet and reviewing the output. (Answer Area 1) Identify which compensating controls should be implemented on the assets, in order to reduce the effectiveness of future attacks by dragging them to the correct server. (Answer area 2) All objects will be used, but not all placeholders may be filled. Objects may only be used once. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. [simulation screenshots not reproduced] Select and Place: [screenshot not reproduced]
[answer screenshot not reproduced]
QUESTION 909 HOTSPOT Select the appropriate attack and remediation from each drop-down list to label the corresponding attack with its remediation. INSTRUCTIONS Not all attacks and remediation actions will be used. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. [simulation screenshot not reproduced]
[answer screenshot not reproduced] Explanation: [explanation screenshot not reproduced]
QUESTION 884 HOTSPOT The security administration has installed a new firewall which implements an implicit DENY policy by default. INSTRUCTIONS Click on the firewall and configure it to allow ONLY the following communication: - The Accounting workstation can ONLY access the web server on the public network over the default HTTPS port. The accounting workstation should not access other networks. - The HR workstation should be restricted to communicate with the Financial server ONLY, over the default SCP port. - The Admin workstation should ONLY be able to access the server on the secure network over the default TFTP port. The firewall will process the rules in a top-down manner in order as a first match. The port number must be typed in and only one port number can be entered per rule. Type ANY for all ports. (If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.) [simulation screenshot not reproduced] Hot Area: [screenshot not reproduced]
[answer screenshot not reproduced] Explanation: Section: Network Security. Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default. Rule #1 allows the Accounting workstation to ONLY access the web server on the public network over the default HTTPS port, which is TCP port 443. Rule #2 allows the HR workstation to ONLY communicate with the Financial server over the default SCP port, which is TCP port 22 (SCP runs over SSH). Rule #3 and Rule #4 allow the Admin workstation to ONLY access the Financial and Purchasing servers located on the secure network over the default TFTP port, which is UDP port 69. Because rules are evaluated top-down with first match, a broad rule placed above a specific one would shadow it; the four rules here do not overlap, and everything else falls through to the implicit deny. References: Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 26, 44 http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
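The rule set from this hotspot can be reasoned about as a first-match table with an implicit deny, which the following added example implements; it is not the simulation's interface. The four rules are the ones the explanation describes (HTTPS 443/tcp, SCP 22/tcp, TFTP 69/udp). The workstation and server addresses are assumptions, since the simulation's network diagram is not reproduced here, and `shadowed_rules` is an added check that reports rules an earlier, broader rule would make unreachable.

```python
"""First-match firewall policy evaluation with an implicit deny.

Added example; not the simulation's own interface.  Addresses are assumed.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "src dst proto port action")
Packet = namedtuple("Packet", "src dst proto port")

ANY = "ANY"

# Assumed addresses (not given in the question text).
ACCOUNTING_WS = "10.0.1.10"
HR_WS = "10.0.1.20"
ADMIN_WS = "10.0.1.30"
PUBLIC_WEB = "203.0.113.5"      # web server on the public network
FINANCIAL = "10.0.2.10"         # servers on the secure network
PURCHASING = "10.0.2.20"

RULES = [
    Rule(ACCOUNTING_WS, PUBLIC_WEB, "tcp", 443, "allow"),   # rule 1: HTTPS
    Rule(HR_WS, FINANCIAL, "tcp", 22, "allow"),             # rule 2: SCP over SSH
    Rule(ADMIN_WS, FINANCIAL, "udp", 69, "allow"),          # rule 3: TFTP
    Rule(ADMIN_WS, PURCHASING, "udp", 69, "allow"),         # rule 4: TFTP
]


def _field_matches(rule_value, packet_value) -> bool:
    return rule_value == ANY or rule_value == packet_value


def matches(rule: Rule, pkt: Packet) -> bool:
    return all(_field_matches(r, p) for r, p in
               ((rule.src, pkt.src), (rule.dst, pkt.dst),
                (rule.proto, pkt.proto), (rule.port, pkt.port)))


def evaluate(rules, pkt: Packet) -> str:
    """Top-down, first match wins; no match means the implicit deny applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def shadowed_rules(rules) -> list:
    """Indexes of rules that can never fire because an earlier rule already
    matches every packet they would match (a broad rule above a specific one)."""
    def covers(broad: Rule, narrow: Rule) -> bool:
        return all(b == ANY or b == n for b, n in
                   ((broad.src, narrow.src), (broad.dst, narrow.dst),
                    (broad.proto, narrow.proto), (broad.port, narrow.port)))
    return [i for i, rule in enumerate(rules)
            if any(covers(earlier, rule) for earlier in rules[:i])]


if __name__ == "__main__":
    print(evaluate(RULES, Packet(ACCOUNTING_WS, PUBLIC_WEB, "tcp", 443)))
    print(evaluate(RULES, Packet(ACCOUNTING_WS, FINANCIAL, "tcp", 443)))
    print(shadowed_rules([Rule(ANY, ANY, ANY, ANY, "deny")] + RULES))
```

Putting an explicit `ANY/ANY deny` at the top is the classic ordering mistake: every allow rule below it becomes dead, and the shadow check reports exactly that.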
QUESTION 920 A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected. Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Select TWO). A. DoS B. SSL stripping C. Memory leak D. Race condition E. Shimming F. Refactoring
A, C
QUESTION 965 A systems administrator wants to configure an enterprise wireless solution that supports authentication over HTTPS and wireless encryption using AES. Which of the following should the administrator configure to support these requirements? (Select TWO). A. 802.1X B. RADIUS federation C. WPS D. Captive portal E. WPA2 F. WDS
D, E
QUESTION 856 A systems administrator is installing and configuring an application service that requires access to read and write to log and configuration files on a local hard disk partition. The service must run as an account with authorization to interact with the file system. Which of the following would reduce the attack surface added by the service and account? (Choose two.) A. Use a unique managed service account. B. Utilize a generic password for authenticating. C. Enable and review account audit logs. D. Enforce least possible privileges for the account. E. Add the account to the local administrators group. F. Use a guest account placed in a non-privileged users group.
A, D
QUESTION 814 A systems engineer wants to leverage a cloud-based architecture with low latency between network-connected devices that also reduces the bandwidth that is required by performing analytics directly on the endpoints. Which of the following would BEST meet the requirements? (Choose two.) A. Private cloud B. SaaS C. Hybrid cloud D. IaaS E. DRaaS F. Fog computing
A, B
QUESTION 891 The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to work from home anytime during business hours, including during a pandemic or crisis. However, the CEO is concerned that some staff members may take advantage of the flexibility and work from high-risk countries while on holiday or outsource work to a third-party organization in another country. The Chief Information Officer (CIO) believes the company can implement some basic controls to mitigate the majority of the risk. Which of the following would be BEST to mitigate the CEO's concerns? (Choose two.) A. Geolocation B. Time-of-day restrictions C. Certificates D. Tokens E. Geotagging F. Role-based access controls
A, B
QUESTION 988 Which of the following concepts ensure ACL rules on a directory are functioning as expected? (Choose two.) A. Accounting B. Authentication C. Auditing D. Authorization E. Non-repudiation
A, C
QUESTION 1035 After running an online password cracking tool, an attacker recovers the following password: gh ;j SKSTOi;618& Based on the above information, which of the following technical controls have been implemented? (Choose two.) A. Complexity B. Encryption C. Hashing D. Length E. Salting F. Stretching
A, D
QUESTION 985 Which of the following impacts are associated with vulnerabilities in embedded systems? (Choose two.) A. Repeated exploitation due to unpatchable firmware B. Denial of service due to an integrated legacy operating system. C. Loss of inventory accountability due to device deployment D. Key reuse and collision issues due to decentralized management. E. Exhaustion of network resources resulting from poor NIC management.
A, D
QUESTION 810 An employee opens a web browser and types a URL into the address bar. Instead of reaching the requested site, the browser opens a completely different site. Which of the following types of attacks have MOST likely occurred? (Choose two.) A. DNS hijacking B. Cross-site scripting C. Domain hijacking D. Man-in-the-browser E. Session hijacking
A, E