Sec+ pt.2

¡Supera tus tareas y exámenes ahora con Quizwiz!

A Chief Information Security Officer (CISO) has tasked a security analyst with assessing the security posture of an organization and which internal factors would contribute to a security compromise. The analyst performs a walk-through of the organization and discovers there are multiple instances of unlabeled optical media on office desks. Employees in the vicinity either do not claim ownership or disavow any knowledge concerning who owns the media. Which of the following is the MOST immediate action to be taken? A. Confiscate the media and dispose of it in a secure manner as per company policy. B. Confiscate the media, insert it into a computer, find out what is on the disc, and then label it and return it to where it was found. C. Confiscate the media and wait for the owner to claim it. If it is not claimed within one month, shred it. D. Confiscate the media, insert it into a computer, make a copy of the disc, and then return the original to where it was found.

A

A company wishes to move all of its services and applications to a cloud provider but wants to maintain full control of the deployment, access, and provisions of its services to its users. Which of the following BEST represents the required cloud deployment model? A. SaaS B. IaaS C. MaaS D. Hybrid E. Private

A

A security analyst receives a notification from the IDS after working hours, indicating a spike in network traffic. Which of the following BEST describes this type of IDS? A. Anomaly-based B. Stateful C. Host-based D. Signature-based

A

A security technician has been given the task of preserving emails that are potentially involved in a dispute between a company and a contractor. Which of the following BEST describes this forensic concept? A. Legal hold B. Chain of custody C. Order of volatility D. Data acquisition

A

QUESTION 688 Given the following requirements: -Help to ensure non-repudiation -Capture motion in various formats Which of the following physical controls BEST matches the above descriptions? A. Camera B. Mantrap C. Security guard D. Motion sensor

A

QUESTION 703 Which of the following control types would a backup of server data provide in case of a system issue? A. Corrective B. Deterrent C. Preventive D. Detective

A

QUESTION 706 A systems administrator needs to integrate multiple IoT and small embedded devices into the company's wireless network securely. Which of the following should the administrator implement to ensure low-power and legacy devices can connect to the wireless network? A. WPS B. WPA C. EAP-FAST D. 802.1X

A

Which of the following can occur when a scanning tool cannot authenticate to a server and has to rely on limited information obtained from service banners? A. False positive B. Passive reconnaissance C. Access violation D. Privilege escalation

A

Which of the following differentiates ARP poisoning from a MAC spoofing attack? A. ARP poisoning uses unsolicited ARP replies. B. ARP poisoning overflows a switch's CAM table. C. MAC spoofing uses DHCPOFFER/DHCPACK packets. D. MAC spoofing can be performed across multiple routers.

A

Which of the following is an example of resource exhaustion? A. A penetration tester requests every available IP address from a DHCP server. B. An SQL injection attack returns confidential data back to the browser. C. Server CPU utilization peaks at 100% during the reboot process. D. System requirements for a new software package recommend having 12GB of RAM, but only BGB are available.

A

Which of the following is being used when a malicious actor searches various social media websites to find information about a company's system administrators and help desk staff? A. Passive reconnaissance B. Initial exploitation C. Vulnerability scanning D. Social engineering

A

Which of the following is the proper order for logging a user into a system from the first step to the last step? A. Identification, authentication, authorization B. Identification, authorization, authentication C. Authentication, identification, authorization D. Authentication, identification, authorization E. Authorization, identification, authentication

A

Which of the following should a security analyst perform FIRST to determine the vulnerabilities of alegacy system? A. Passive scan B. Aggressive scan C. Credentialed scan D. Intrusive scan

A

Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in a third-party software application? A. Sandboxing B. Encryption C. Code signing D. Fuzzing

A

A company is planning to utilize its legacy desktop systems by converting them into dummy terminals and moving all heavy applications and storage to a centralized server that hosts all of the company's required desktop applications. Which of the following describes the BEST deployment method to meet these requirements? A. IaaS B. VM sprawl C. VDI D. PaaS

C

QUESTION 537 A security auditor is testing perimeter security in a building that is protected by badge readers. Which of the following types of attacks would MOST likely gain access? A. Phishing B. Man-in-the-middle C. Tailgating D. Watering hole E. Shoulder surfing

C

QUESTION 712 A developer has incorporated routines into the source code for controlling the length of the input passed to the program. Which of the following types of vulnerabilities is the developer protecting the code against? A. DLL injection B. Memory leak C. Buffer overflow D. Pointer dereference

C

A penetration testing team deploys a specifically crafted payload to a web server, which results in opening a new session as the web server daemon. This session has full read/write access to the file system and the admin console. Which of the following BEST describes the attack? A. Domain hijacking B. Injection C. Buffer overflow D. Privilege escalation

D

A salesperson often uses a USB drive to save and move files from a corporate laptop. The coprorate laptop was recently updated, and now the files on the USB are read-only. Which of the following was recently added to the laptop? A. Antivirus software B. File integrity check C. HIPS D. DLP

D

A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user's machine with protocols to connect to the Unix web server, which is behind a firewall. Which of the following protocols does the technician MOST likely need to configure? A. SSH B. SFTP C. HTTPS D. SNMP

A

A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? A. Banner grabbing B. Port scanning C. Packet sniffing D. Virus scanning

A

A security administrator wants to implement least privilege access for a network share that stores sensitive company data. The organization is particularly concerned with the integrity of data and implementing discretionary access control. The following controls are available: • Read = A user can read the content of an existing file. • White = A user can modify the content of an existing file and delete an existing file. • Create = A user can create a new file and place data within the file. A missing control means the user does not have that access. Which of the following configurations provides the appropriate control to support the organization/s requirements? A. Owners: Read, Write, Create Group Members: Read, Write Others: Read, Create B. Owners: Read, Create Group Members: Read, Write, Create Others: Read C. Owners: Read, Write Group Members: Read, Create Others: Read, Create D. Owners: Write, Create Group Members: Read, Create Others: Read, Write, Create Others: Read, Write, Create

A

A security analyst is implementing PKI-based functionality to a web application that has the following requirements: -File contains certificate information -Certificate chains -Root authority certificates -Private key All of these components will be part of one file and cryptographically protected with a password. Given this scenario, which of the following certificate types should the analyst implement to BEST meet these requirements? A. .pfx certificate B. .cer certificate C. .der certificate D. .crt certificate

A

A user needs to transmit confidential information to a third party. Which of the following should be used to encrypt the message? A. AES B. SHA-2 C. SSL D. RSA

A

After discovering the /etc/shadow file had been rewritten, a security administrator noticed an application insecurely creating files in / tmp. Which of the following vulnerabilities has MOST likely been exploited? A. Privilege escalation B. Resource exhaustion C. Memory leak D. Pointer dereference

A

An attachment that was emailed to finance employees contained an embedded message. The security administrator investigates and finds the intent was to conceal the embedded information from public view. Which of the following BEST describes this type of message? A. Obfuscation B. Stenography C. Diffusion D. BCRYPT

A

An organization wants to implement a solution that allows for automated logical controls for network defense. An engineer plans to select an appropriate network security component, which automates response actions based on security threats to the network. Which of the following would be MOST appropriate based on the engineer's requirements? A. NIPS B. HIDS C. Web proxy D. Elastic load balancer E. NAC

A

Ann, a security analyst, wants to implement a secure exchange of email. Which of the following is the BEST option for Ann to implement? A. PGP B. HTTPS C. WPA D. TLS

A

Corporations choose to exceed regulatory framework standards because of which of the following incentives? A. It improves the legal defensibility of the company. B. It gives a social defense that the company is not violating customer privacy laws. C. It proves to investors that the company takes APT cyber actors seriously D. It results in overall industrial security standards being raised voluntarily.

A

During a recent audit, several undocumented and unpatched devices were discovered on the internal network. Which of the following can be done to prevent similar occurrences? A. Run weekly vulnerability scans and remediate any missing patches on all company devices B. Implement rogue system detection and configure automated alerts for new devices C. Install DLP controls and prevent the use of USB drives on devices D. Configure the WAPs to use NAC and refuse connections that do not pass the health check

A

QUESTION 685 A company wants to ensure users are only logging into the system from their laptops when they are on site. Which of the following would assist with this? A. Geofencing B. Smart cards C. Biometrics D. Tokens

A

QUESTION 429 Which of the following components of printers and MFDs are MOST likely to be used as vectors of compromise if they are improperly configured? A. Embedded web server B. Spooler C. Network interface D. LCD control panel

A

QUESTION 430 A hacker has a packet capture that contains: Which of the following tools will the hacker use against this type of capture? A. Password cracker B. Vulnerability scanner C. DLP scanner D. Fuzzer

A

QUESTION 431 A user downloads and installs an MP3 converter, and runs the application. Upon running the application, the antivirus detects a new port in a listening state. Which of the following has the user MOST likely executed? A. RAT B. Worm C. Ransomware D. Bot

A

QUESTION 433 A security analyst is securing smartphones and laptops for a highly mobile workforce. Priorities include: -Remote wipe capabilities -Geolocation services -Patch management and reporting -Mandatory screen locks -Ability to require passcodes and pins -Ability to require encryption Which of the following would BEST meet these requirements? A. Implementing MDM software B. Deploying relevant group policies to the devices C. Installing full device encryption D. Removing administrative rights to the devices

A

QUESTION 436 An organization plans to implement multifactor authentication techniques within the enterprise network architecture. Each authentication factor is expected to be a unique control. Which of the following BEST describes the proper employment of multifactor authentication? A. Proximity card, fingerprint scanner, PIN B. Fingerprint scanner, voice recognition, proximity card C. Smart card, user PKI certificate, privileged user certificate D. Voice recognition, smart card, proximity card

A

QUESTION 442 A user typically works remotely over the holidays using a web-based VPN to access corporate resources. The user reports getting untrusted host errors and being unable to connect. Which of the following is MOST likely the case? A. The certificate has expired B. The browser does not support SSL C. The user's account is locked out D. The VPN software has reached the seat license maximum

A

QUESTION 443 When it comes to cloud computing, if one of the requirements for a project is to have the most control over the systems in the cloud, which of the following is a service model that would be BEST suited for this goal? A. Infrastructure B. Platform C. Software D. Virtualization

A

QUESTION 449 A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the Internet regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this? A. Configure the OS default TTL to 1 B. Use NAT on the R&D network C. Implement a router ACL D. Enable protected ports on the switch

A

QUESTION 457 A Chief Information Officer (CIO) recently saw on the news that a significant security flaws exists with a specific version of a technology the company uses to support many critical application. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information? A. Penetration test B. Vulnerability scan C. Active reconnaissance D. Patching assessment report

A

QUESTION 466 Joe, a salesman, was assigned to a new project that requires him to travel to a client site. While waiting for a flight, Joe, decides to connect to the airport wireless network without connecting to a VPN, and the sends confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon investigation, the company learns Joe's emails were intercepted. Which of the following MOST likely caused the data breach? A. Policy violation B. Social engineering C. Insider threat D. Zero-day attack

A

QUESTION 468 A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following method should the technician use? A. Shredding B. Wiping C. Low-level formatting D. Repartitioning E. Overwriting

A

QUESTION 472 User from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKIs to work together without connection errors? A. Trust model B. Stapling C. Intermediate CA D. Key escrow

A

QUESTION 474 A security analyst is reviewing an assessment report that includes software versions, running services, supported encryption algorithms, and permission settings. Which of the following produced the report? A. Vulnerability scanner B. Protocol analyzer C. Network mapper D. Web inspector

A

QUESTION 475 A Chief Information Officer (CIO) asks the company's security specialist if the company should spend any funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware infection for a server is 5 and the annual cost for the malware protection is $2500. Which of the following SLE values warrants a recommendation against purchasing the malware protection? A. $500 B. $1000 C. $2000 D. $2500

A

QUESTION 478 Two users must encrypt and transmit large amounts of data between them. Which of the following should they use to encrypt and transmit the data? A. Symmetric algorithm B. Hash function C. Digital signature D. Obfuscation

A

QUESTION 481 An application was recently compromised after some malformed data came in via web form. Which of the following would MOST likely have prevented this? A. Input validation B. Proxy server C. Stress testing D. Encoding

A

QUESTION 482 While working on an incident, Joe, a technician, finished restoring the OS and applications on a workstation from the original media. Joe is about to begin copying the user's files back onto the hard drive. Which of the following incident response steps is Joe working on now? A. Recovery B. Eradication C. Containment D. Identification

A

QUESTION 483 A systems administrator found a suspicious file in the root of the file system. The file contains URLs, usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file? A. Keylogger B. Rootkit C. Bot D. RAT

A

QUESTION 484 A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take? A. Identify the source of the active connection B. Perform eradication of active connection and recover C. Performance containment procedure by disconnecting the server D. Format the server and restore its initial configuration

A

QUESTION 486 A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure? A. Accounting B. Authorization C. Authentication D. Identification

A

QUESTION 499 A systems administrator has isolated an infected system from the network and terminated the malicious process from executing. Which of the following should the administrator do NEXT according to the incident response process? A. Restore lost data from a backup. B. Wipe the system. C. Document the lessons learned. D. Determine the scope of impact.

A

QUESTION 509 A business sector is highly competitive, and safeguarding trade secrets and critical information is paramount. On a seasonal basis, an organization employs temporary hires and contractor personnel to accomplish its mission objectives. The temporary and contract personnel require access to network resources only when on the clock. Which of the following account management practices are the BEST ways to manage these accounts? A. Employ time-of-day restrictions. B. Employ password complexity. C. Employ a random key generator strategy. D. Employ an account expiration strategy. E. Employ a password lockout policy

A

QUESTION 511 Ann, a customer, is reporting that several important files are missing from her workstation. She recently received communication from an unknown party who is requesting funds to restore the files. Which of the following attacks has occurred? A. Ransomware B. Keylogger C. Buffer overflow D. Rootkit

A

QUESTION 522 A company stores highly sensitive data files used by the accounting system on a server file share. The accounting system uses a service account named accounting-svc to access the file share. The data is protected will a full disk encryption, and the permissions are set as follows: File system permissions: Users = Read Only Share permission: accounting-svc = Read Only Given the listed protections are in place and unchanged, to which of the following risks is the data still subject? A. Exploitation of local console access and removal of data B. Theft of physical hard drives and a breach of confidentiality C. Remote exfiltration of data using domain credentials D. Disclosure of sensitive data to third parties due to excessive share permissions

A

QUESTION 536 A user receives an email from ISP indicating malicious traffic coming from the user's home network is detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as being taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening? A. The camera system is infected with a bot. B. The camera system is infected with a RAT. C. The camera system is infected with a Trojan. D. The camera system is infected with a backdoor.

A

QUESTION 549 A highly complex password policy has made it nearly impossible to crack account passwords. Which of the following might a hacker still be able to perform? A. Pass-the-hash attack B. ARP poisoning attack C. Birthday attack D. Brute force attack

A

QUESTION 552 Which of the following methods minimizes the system interaction when gathering information to conduct a vulnerability assessment of a router? A. Download the configuration B. Run a credentialed scan. C. Conduct the assessmenet during downtime D. Change the routing to bypass the router.

A

QUESTION 560 Users are attempting to access a company's website but are transparently redirected to another websites. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the futue? A. DNSSEC B. HTTPS C. IPSec D. TLS/SSL

A

QUESTION 561 Which of the following is a compensating control that will BEST reduce the risk of weak passwords? A. Requiring the use of one-time tokens B. Increasing password history retention count C. Disabling user accounts after exceeding maximum attempts D. Setting expiration of user passwords to a shorter time

A

QUESTION 572 Which of the following is a major difference between XSS attacks and remote code exploits? A. XSS attacks use machine language, while remote exploits use interpreted language B. XSS attacks target servers, while remote code exploits target clients C. Remote code exploits aim to escalate attackers' privileges, while XSS attacks aim to gain access only D. Remote code exploits allow writing code at the client side and executing it, while XSS attacks require no code to work

A

QUESTION 573 An employee workstation with an IP address of 204.211.38.211/24 reports it is unable to submit print jobs to a network printer at Assuming port numbers have not been changed from their defaults, which of the following should be modified to allow printing to the network printer? A. The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP B. The deny statement for 204.211.38.52/24 should be changed to a permit statement C. The permit statement for 204.211.38.52/24 should be changed to UDP port 443 instead of 631 D. The permit statement for 204.211.38.211/24 should be changed to TCP port 631 only instead of ALL

A

QUESTION 585 Which of the following is a technical preventive control? A. Two-factor authentication B. DVR-supported cameras C. Acceptable-use MOTD D. Syslog server

A

QUESTION 588 A Chief Information Security Officer (CISO) asks the security architect to design a method for contractors to access the company's internal network securely without allowing access to systems beyond the scope of their project. Which of the following methods would BEST fit the needs of the CISO? A. VPN B. PaaS C. IaaS D. VDI

A

QUESTION 590 While investigating a virus infection, a security analyst discovered the following on an employee laptop: -Multiple folders containing a large number of newly released movies and music files -Proprietary company data -A large amount of PHI data -Unapproved FTP software -Documents that appear to belong to a competitor Which of the following should the analyst do FIRST? A. Contact the legal and compliance department for guidance B. Delete the files, remove the FTP software, and notify management C. Back up the files and return the device to the user D. Wipe and reimage the device

A

QUESTION 594 Which of the following encryption algorithms is used primarily to secure data at rest? A. AES B. SSL C. TLS D. RSA

A

QUESTION 607 A security administrator has replaced the firewall and notices a number of dropped connections. After looking at the data the security administrator sees the following information that was flagged as a possible issue: "SELECT * FROM" and '1'='1' Which of the following can the security administrator determine from this? A. An SQL injection attack is being attempted B. Legitimate connections are being dropped C. A network scan is being done on the system D. An XSS attack is being attempted

A

QUESTION 618 A company recently updated its website to increase sales. The new website uses PHP forms for leads and provides a directory with sales staff and their phone numbers. A systems administrator is concerned with the new website and provides the following log to support the concern: Which of the following is the systems administrator MOST likely to suggest to the Chief Information Security Officer (CISO) based on the above? A. Changing the account standard naming convention B. Implementing account lockouts C. Discontinuing the use of privileged accounts D. Increasing the minimum password length from eight to ten characters

A

QUESTION 627 A member of the human resources department received the following email message after sending an email containing benefit and tax information to a candidate: "Your message has been quarantined for the following policy violation: external potential_PII. Please contact the IT security administrator for further details". Which of the following BEST describes why this message was received? A. The DLP system flagged the message. B. The mail gateway prevented the message from being sent to personal email addresses. C. The company firewall blocked the recipient's IP address. D. The file integrity check failed for the attached files.

A

QUESTION 628 A security analyst is checking log files and finds the following entries: Which of the following is MOST likely happening? A. A hacker attempted to pivot using the web server interface. B. A potential hacker could be banner grabbing to determine what architecture is being used. C. The DNS is misconfigured for the server's IP address. D. A server is experiencing a DoS, and the request is timing out,

A

QUESTION 644 An audit found that an organization needs to implement job rotation to be compliant with regulatory requirements. To prevent unauthorized access to systems after an individual changes roles or departments, which of the following should the organization implement? A. Permission auditing and review B. Exit interviews C. Offboarding D. Multifactor authentication

A

QUESTION 656 A company is performing an analysis of the corporate enterprise network with the intent of identifying any one system, person, function, or service that, when neutralized, will cause or cascade disproportionate damage to the company's revenue, referrals, and reputation. Which of the following an element of the BIA that this action is addressing? A. Identification of critical systems B. Single point of failure C. Value assessment D. Risk register

A

QUESTION 660 In a lessons learned report, it is suspected that a well-organized, well-funded, and extremely sophisticated group of attackers may have been responsible for a breach at a nuclear facility. Which of the following describes the type of actors that may have been implicated? A. Nation state B. Hacktivist C. Insider D. Competitor

A

QUESTION 669 A security specialist is notified about a certificate warning that users receive when using a new internal website. After being given the URL from one of the users and seeing the warning, the security specialist inspects the certificate and realizes it has been issued to the IP address, which is how the developers reach the site. Which of the following would BEST resolve the issue? A. OSCP B. OID C. PEM D. SAN

A

QUESTION 670 Joe, an employee, asks a coworker how long ago Ann started working at the help desk. The coworker expresses surprise since nobody named Ann works at the help desk. Joe mentions that Ann called several people in the customer service department to help reset their passwords over the phone due to unspecified "server issues". Which of the following has occurred? A. Social engineering B. Whaling C. Watering hole attack D. Password cracking

A

QUESTION 676 A security consultant is setting up a new electronic messaging platform and wants to ensure the platform supports message integrity validation. Which of the following protocols should the consultant recommend? A. S/MIME B. DNSSEC C. RADIUS D. 802.11x

A

QUESTION 684 Which of the following enables sniffing attacks against a switched network? A. ARP poisoning B. IGMP snooping C. IP spoofing D. SYN flooding

A

QUESTION 609 A corporation is concerned that, if a mobile device is lost, any sensitive information on the device could be accessed by third parties. Which of the following would BEST prevent this from happening? A. Initiate remote wiping on lost mobile devices B. Use FDE and require PINs on all mobile devices C. Use geolocation to track lost devices D. Require biometric logins on all mobile devices

A QUESTION 610

QUESTION 666 Which of the following strategies helps reduce risk if a rollback is needed when upgrading a critical system platform? A. Non-persistent configuration B. Continuous monitoring C. Firmware updates D. Fault tolerance

A QUESTION 667

A company has critical systems that are hosted on an end-of-life OS. To maintain operations and mitigate potential vulnerabilities, which of the following BEST accomplishes this objective? A. Use application whitelisting. B. Employ patch management. C. Disable the default administrator account. D. Implement full-disk encryption.

A QUESTION 698

A company's IT staff is given the task of securely disposing of 100 server HDDs. The security team informs the IT staff that the data must not be accessible by a third party after disposal. Which of the following is the MOST time-efficient method to achieve this goal? A. Use a degausser to sanitize the drives. B. Remove the platters from the HDDs and shred them. C. Perform a quick format of the HDD drives. D. Use software to zero fill all of the hard drives.

A QUESTION 700

QUESTION 583 A security administrator is reviewing the following firewall configuration after receiving reports that users are unable to connect to remote websites: 10 PERMIT FROM ANY TO:ANY PORT: 80 20 PERMIT FROM:ANY TO:ANY PORT: 443 30 DENY FROM: ANY TO:ANY PORT:ANY Which of the following is the MOST secure solution the security administrator can implement to fix this issue? A. Add the following rule to the firewall: 5 PERMIT FROM:ANY TO:ANY PORT:53 B. Replace rule number 10 with the following rule: 10 PERMIT FROM:ANY TO:ANY PORT:22 C. Insert the following rule in the firewall: 25 PERMIT FROM:ANY TO:ANY PORTS:ANY D. Remove the following rule from the firewall: 30 DENY FROM:ANY TO:ANY PORT:ANY

A , as port 53 is for the DNS

QUESTION 539 An organization has implemented an IPSec VPN access for remote users. Which of the following IPSec modes would be the MOST secure for this organization to implement? A. Tunnel mode B. Transport mode C. AH-only mode D. ESP-only mode

A Explanation: In both ESP and AH cases with IPSec Transport mode, the IP header is exposed. The IP header is not exposed in IPSec Tunnel mode.

A company is performing an analysis of the corporate enterprise network with the intent of identifying what will cause losses in revenue, referrals, and/or reputation when out of commission. Which of the following is an element of a BIA that is being addressed? A. Mission-essential function B. Single point of failure C. backup and restoration plans D. Identification of critical systems

A Explanation: The BIA is composed of the following three steps: Determine mission/business processes and recovery criticality. Mission/ business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime.

A company is performing an analysis of which corporate units are most likely to cause revenue loss in the event the unit is unable to operate. Which of the following is an element of the BIA that this action is addressing? A. Critical system inventory B. Single point of failure C. Continuity of operations D. Mission-essential functions

A QUESTION 697

QUESTION 515 An analyst is using a vulnerability scanner to look for common security misconfigurations on devices. Which of the following might be identified by the scanner? (Select TWO). A. The firewall is disabled on workstations. B. SSH is enabled on servers. C. Browser homepages have not been customized. D. Default administrator credentials exist on networking hardware. E. The OS is only set to check for updates once a day.

AB

QUESTION 668 A company is executing a strategy to encrypt and sign all proprietary data in transit. The company recently deployed PKI services to support this strategy. Which of the following protocols supports the strategy and employs certificates generated by the PKI? (Choose three.) A. S/MIME B. TLS C. SFTP D. SAML E. SIP F. IPSec G. Kerberos

ABC

QUESTION 574 A security analyst is doing a vulnerability assessment on a database server. A scanning tool returns the following information: There have been several security breaches on the web server that accesses this database. The security team is instructed to mitigate the impact of any possible breaches. The security team is also instructed to improve the security on this database by making it less vulnerable to offline attacks. Which of the following would BEST accomplish these goals? (Choose two.) A. Start using salts to generate MD5 password hashes B. Generate password hashes using SHA-256 C. Force users to change passwords the next time they log on D. Limit users to five attempted logons before they are locked out E. Require the web server to only use TLS 1.2 encryption

AC

An organization employee resigns without giving adequate notice. The following day, it is determined that the employees is still in possession of several company-owned mobile devices. Which of the following could have reduced the risk of this occurring? (Choose two.) A. Proper offboarding procedures B. Acceptable use policies C. Non-disclosure agreements D. Exit interviews E. Background checks F. Separation of duties

AD

An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO) A. TACACS+ B. CHAP C. LDAP D. RADIUS E. MSCHAPv2

AD

QUESTION 568 Which of the following are used to substantially increase the computation time required to crack a password? (Choose two.) A. BCRYPT B. Substitution cipher C. ECDHE D. PBKDF2 E. Diffie-Hellman

AD

QUESTION 611 After a security assessment was performed on the enterprise network, it was discovered that: 1. Configuration changes have been made by users without the consent of IT. 2. Network congestion has increased due to the use of social media. 3. Users are accessing file folders and network shares that are beyond the scope of their need to know. Which of the following BEST describe the vulnerabilities that exist in this environment? (Choose two.) A. Poorly trained users B. Misconfigured WAP settings C. Undocumented assets D. Improperly configured accounts E. Vulnerable business processes

AD

A systems administrator has been assigned to create accounts for summer interns. The interns are only authorized to be in the facility and operate computers under close supervision. They must also leave the facility at designated times each day. However, the interns can access intern file folders without supervision. Which of the following represents the BEST way to configure the accounts? (Select TWO.) A. Implement time-of-day restrictions. B. Modify archived data. C. Access executive shared portals. D. Create privileged accounts. E. Enforce least privilege.

AD QUESTION 622

QUESTION 649 A user is unable to open a file that has a grayed-out icon with a lock. The user receives a pop-up message indicating that payment must be sent in Bitcoin to unlock the file. Later in the day, other users in the organization lose the ability to open files on the server. Which of the following has MOST likely occurred? (Choose three.) A. Crypto-malware B. Adware C. Botnet attack D. Virus E. Ransomware F. Backdoor G. DDoS attack

ADE

QUESTION 595 A security auditor is performing a vulnerability scan to find out if mobile applications used in the organization are secure. The auditor discovers that one application has been accessed remotely with no legitimate account credentials. After investigating, it seems the application has allowed some users to bypass authentication of that application. Which of the following types of malware allow such a compromise to take place? (Choose two.) A. RAT B. Ransomware C. Worm D. Trojan E. Backdoor

AE

A CSIRT has completed restoration procedures related to a breach of sensitive data is creating documentation used to improve the organization's security posture. The team has been specifically tasked to address logical controls in their suggestions. Which of the following would be MOST beneficial to include in lessons learned documentation? (Choose two.) A. A list of policies, which should be revised to provide better clarity to employees regarding acceptable use B. Recommendations relating to improved log correlation and alerting tools C. Data from the organization's IDS/IPS tools, which show the timeline of the breach and the activities executed by the attacker D. A list of potential improvements to the organization's NAC capabilities, which would improve AAA within the environment E. A summary of the activities performed during each phase of the incident response activity F. A list of topics that should be added to the organization's security awareness training program based on weaknesses exploited during the attack

AF

QUESTION 546 A security analyst is hardening a large-scale wireless network. The primary requirements are the following: -Must use authentication through EAP-TLS certificates -Must use an AAA server -Must use the most secure encryption protocol Given these requirements, which of the following should the analyst implement and recommend? (Select TWO.) A. 802.1X B. 802.3 C. LDAP D. TKIP E. CCMP F. WPA2-PSK

AF

A security administrator is analyzing a user report in which the computer exhibits odd network-related outages. The administrator, however, does not see any suspicious process running. A prior technician's notes indicate the machine has been remediated twice, but the system still exhibits odd behavior. Files were deleted from the system recently. Which of the following is the MOST likely cause of this behavior? A. Crypto-malware B. Rootkit C. Logic bomb D. Session hijacking

B

A security administrator is creating a risk assessment with regard to how to harden internal communications in transit between servers. Which of the following should the administrator recommend in the report? A. Configure IPSec in transport mode. B. Configure server-based PKI certificates. C. Configure the GRE tunnel. D. Configure a site-to-site tunnel.

B

A security analyst is reviewing the password policy for a service account that is used for a critical network service. The password policy for this account is as follows: Which of the following adjustments would be the MOST appropriate for the service account? A. Disable account lockouts B. Set the maximum password age to 15 days C. Set the minimum password age to seven days D. Increase password length to 18 characters

B

A software developer is concerned about DLL hijacking in an application being written. Which of the following is the MOST viable mitigation measure of this type of attack? A. The DLL of each application should be set individually B. All calls to different DLLs should be hard-coded in the application C. Access to DLLs from the Windows registry should be disabled D. The affected DLLs should be renamed to avoid future hijacking

B

A systems administrator has implemented multiple websites using host headers on the same server. The server hosts two websites that require encryption and other websites where encryption is optional. Which of the following should the administrator implement to encrypt web traffic for the required websites? A. Extended domain validation B. TLS host certificate C. OCSP stapling D. Wildcard certificate

B

QUESTION 708 Management wants to ensure any sensitive data on company-provided cell phones is isolated in a single location that can be remotely wiped if the phone is lost. Which of the following technologies BEST meets this need? A. Geofencing B. Containerization C. Device encryption D. Sandboxing

B

An analyst receives an alert from the SIEM showing an IP address that does not belong to the assigned network can be seen sending packets to the wrong gateway. Which of the following network devices is misconfigured and which of the following should be done to remediate the issue? A. Firewall; implement an ACL on the interface B. Router; place the correct subnet on the interface C. Switch; modify the access port to trunk port D. Proxy; add the correct transparent interface

B

An office recently completed digitizing all its paper records. Joe, the data custodian, has been tasked with the disposal of the paper files, which include: • Intellectual property • Payroll records • Financial information • Drug screening results Which of the following is the BEST way to dispose of these items? A. Schredding B. Pulping C. Deidentifying D. Recycling

B

Due to regulatory requirements, server in a global organization must use time synchronization. Which of the following represents the MOST secure method of time synchronization? A. The server should connect to external Stratum 0 NTP servers for synchronization B. The server should connect to internal Stratum 0 NTP servers for synchronization C. The server should connect to external Stratum 1 NTP servers for synchronization D. The server should connect to external Stratum 1 NTP servers for synchronization

B

QUESTION 434 A technician receives a device with the following anomalies: Frequent pop-up ads Show response-time switching between active programs Unresponsive peripherals The technician reviews the following log file entries: File Name Source MD5 Target MD5 Status antivirus.exe F794F21CD33E4F57890DDEA5CF267ED2 F794F21CD33E4F57890DDEA5CF267ED2 Automatic iexplore.exe 7FAAF21CD33E4F57890DDEA5CF29CCEA AA87F21CD33E4F57890DDEAEE2197333 Automatic service.exe 77FF390CD33E4F57890DDEA5CF28881F 77FF390CD33E4F57890DDEA5CF28881F Manual USB.exe E289F21CD33E4F57890DDEA5CF28EDC0 E289F21CD33E4F57890DDEA5CF28EDC0 Stopped Based on the above output, which of the following should be reviewed? A. The web application firewall B. The file integrity check C. The data execution prevention D. The removable media control

B

QUESTION 437 Upon entering an incorrect password, the logon screen displays a message informing the user that the password does not match the username provided and is not the required length of 12 characters. Which of the following secure coding techniques should a security analyst address with the application developers to follow security best practices? A. Input validation B. Error handling C. Obfuscation D. Data exposure

B

QUESTION 444 A security analyst is acquiring data from a potential network incident. Which of the following evidence is the analyst MOST likely to obtain to determine the incident? A. Volatile memory capture B. Traffic and logs C. Screenshots D. System image capture

B

QUESTION 456 Which of the following refers to the term used to restore a system to its operational state? A. MTBF B. MTTR C. RTO D. RPO

B

QUESTION 473 A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A. Enable CHAP B. Disable NTLM C. Enable Kerebos D. Disable PAP

B

QUESTION 494 A company has two wireless networks utilizing captive portals. Some employees report getting a trust error in their browsers when connecting to one of the networks. Both captive portals are using the same server certificate for authentication, but the analyst notices the following differences between the two certificate details: Certificate 1 Certificate Path: Geotrust Global CA *company.com Certificate 2 Certificate Path: *company.com Which of the following would resolve the problem? A. Use a wildcard certificate. B. Use certificate chaining. C. Use a trust model. D. Use an extended validation certificate.

B

QUESTION 495 Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources? A. Attestation B. Federation C. Single sign-on D. Kerberos

B

QUESTION 497 An organization's employees currently use three different sets of credentials to access multiple internal resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal? A. Transitive trust B. Single sign-on C. Federation D. Secure token

B

QUESTION 498 An external attacker can modify the ARP cache of an internal computer. Which of the following types of attacks is described? A. Replay B. Spoofing C. DNS poisoning D. Client-side attack

B

QUESTION 503 Which of the following is a deployment concept that can be used to ensure only the required OS access is exposed to software applications? A. Staging environment B. Sandboxing C. Secure baseline D. Trusted OS

B

QUESTION 507 Which of the following threats has sufficient knowledge to cause the MOST danger to an organization? A. Competitors B. Insiders C. Hacktivists D. Script kiddies

B

QUESTION 508 While troubleshooting a client application connecting to the network, the security administrator notices the following error: Certificate is not valid. Which of the following is the BEST way to check if the digital certificate is valid? A. PKI B. CRL C. CSR D. IPSec

B

QUESTION 512 Every morning, a systems administrator monitors failed login attempts on the company's log management server. The administrator notices the DBAdmin account has five failed username and/or password alerts during a ten-minute window. The systems administrator determines the user account is a dummy account used to attract attackers. Which of the following techniques should the systems administrator implement? A. Role-based access control B. Honeypot C. Rule-based access control D. Password cracker

B

QUESTION 513 Joe, a user, has been trying to send Ann, a different user, an encrypted document via email. Ann has not received the attachment but is able to receive the header information. Which of the following is MOST likely preventing Ann from receiving the encrypted file? A. Unencrypted credentials B. Authentication issues C. Weak cipher suite D. Permission issues

B

QUESTION 514 A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control? A. Discretionary access control B. Mandatory access control C. Role-based access control D. Rule-based access control

B

QUESTION 526 A company wants to implement an access management solution that allows employees to use the same usernames and passwords for multiple applications without having to keep multiple credentials synchronized. Which of the following solutions would BEST meet these requirements? A. Multifactor authentication B. SSO C. Biometrics D. PKI E. Federation

B

QUESTION 538 An organization wants to upgrade its enterprise-wide desktop computer solution. The organization currently has 500 PCs active on the network. the Chief Information Security Officer (CISO) suggests that the organization employ desktop imaging technology for such a large scale upgrade. Which of the following is a security benefit of implementing an imaging solution? A. it allows for faster deployment B. it provides a consistent baseline C. It reduces the number of vulnerabilities D. It decreases the boot time

B

QUESTION 554 A small-to medium-sized company wants to block the use of USB devices on its network. Which of the following is the MOST cost-effective way for the security analyst to prevent this? A. Implement a DLP system B. Apply a GPO C. Conduct user awareness training D. Enforce the AUP.

B

QUESTION 559 A buffer overflow can result in: A. loss of data caused by unauthorized command execution. B. privilege escalation caused by TPN override. C. reduced key strength due to salt manipulation. D. repeated use of one-time keys.

B

QUESTION 562 A consumer purchases an exploit from the dark web. The exploit targets the online shopping cart of a popular website, allowing the shopper to modify the price of an item as checkout. Which of the following BEST describes this type of user? A. Insider B. Script kiddie C. Competitor D. Hacktivist E. APT

B

QUESTION 570 A network administrator is brute forcing accounts through a web interface. Which of the following would provide the BEST defense from an account password being discovered? A. Password history B. Account lockout C. Account expiration D. Password complexity

B

QUESTION 604 A member of the human resources department is searching for candidate resumes and encounters the following error message when attempting to access popular job search websites: Which of the following would resolve this issue without compromising the company's security policies? A. Renew the DNS settings and IP address on the employee's computer B. Add the employee to a less restrictive group on the content filter C. Remove the proxy settings from the employee's web browser D. Create an exception for the job search sites in the host-based firewall on the employee's computer

B

QUESTION 615 An analyst is currently looking at the following output: Which of the following security issues has been discovered based on the output? A. Insider threat B. License compliance violation C. Unauthorized software D. Misconfigured admin permissions

B

QUESTION 616 A company has purchased a new SaaS application and is in the process of configuring it to meet the company's needs. The director of security has requested that the SaaS application be integrated into the company's IAM processes. Which of the following configurations should the security administrator set up in order to complete this request? A. LDAP B. RADIUS C. SAML D. NTLM

B

QUESTION 619 A company hired a firm to test the security posture of its database servers and determine if any vulnerabilities can be exploited. The company provided limited information pertaining to the infrastructure and database server. Which of the following forms of testing does this BEST describe? A. Black box B. Gray box C. White box D. Vulnerability scanning

B

QUESTION 620 When considering IoT systems, which of the following represents the GREATEST ongoing risk after a vulnerability has been discovered? A. Difficult-to-update firmware B. Tight integration to existing systems C. IP address exhaustion D. Not using industry standards

B

QUESTION 630 A security analyst is specifying requirements for a wireless network. The analyst must explain the security features provided by various architecture choices. Which of the following is provided by PEAP, EAP-TLS, and EAP-TTLS? A. Key rotation B. Mutual authentication C. Secure hashing D. Certificate pinning

B

QUESTION 632 A staff member contacts the help desk because the staff member's device is currently experiencing the following symptoms: • Long delays when launching applications • Timeout errors when loading some websites • Errors when attempting to open local Word documents and photo files • Pop-up messages in the task bar stating that antivirus is out-of-date • VPN connection that keeps timing out, causing the device to lose connectivity • Which of the following BEST describes the root cause of these symptoms? A. The user has disabled the antivirus software on the device, and the hostchecker for the VPN is preventing access. B. The device is infected with crypto-malware, and the files on the device are being encrypted. C. The proxy server for accessing websites has a rootkit installed, and this is causing connectivity issues. D. A patch has been incorrectly applied to the device and is causing issues with the wireless adapter on the device.

B

QUESTION 645 A company has just completed a vulnerability scan of its servers. A legacy application that monitors the HVAC system in the datacenter presents several challenges, as the application vendor is no longer in business. Which of the following secure network architecture concepts would BEST protect the other company servers if the legacy server were to be exploited? A. Virtualization B. Air gap C. VLAN D. Extranet

B

QUESTION 673 A security analyst monitors the syslog server and notices the following: A. Memory leak B. Buffer overflow C. Null pointer deference D. Integer overflow

B

QUESTION 677 Datacenter employees have been battling alarms in a datacenter that has been experiencing hotter than normal temperatures. The server racks are designed so all 48 rack units are in use, and servers are installed in any manner in which the technician can get them installed. Which of the following practices would BEST alleviate the heat issues and keep costs low? A. Utilize exhaust fans. B. Use hot and cold aisles. C. Airgap the racks. D. Use a secondary AC unit.

B

QUESTION 689 Which of the following is a random value appended to a credential that makes the credential less susceptible to compromise when hashed? A. Nonce B. Salt C. OTP D. Block cipher E. IV

B

QUESTION 702 The Chief Executive Officer (CEO) received an email from the Chief Financial Officer (CFO), asking the CEO to send financial details. The CEO thought it was strange that the CFO would ask for the financial details via email. The email address was correct in the "From" section of the email. The CEO clicked the form and sent the financial information as requested. Which of the following caused the incident? A. Domain hijacking B. SPF not enabled C. MX records rerouted D. Malicious insider

B

QUESTION 715 A network technician is designing a network for a small company. The network technician needs to implement an email server and web server that will be accessed by both internal employees and external customers. Which of the following would BEST secure the internal network and allow access to the needed servers? A. Implementing a site-to-site VPN for server access. B. Implementing a DMZ segment for the server. C. Implementing NAT addressing for the servers. D. Implementing a sandbox to contain the servers.

B

QUESTION 716 When used together, which of the following qualify as two-factor authentication? A. Password and PIN B. Smart card and PIN C. Proximity card and smart card D. Fingerprint scanner and iris scanner

B

To get the most accurate results on the security posture of a system, which of the following actions should the security analyst do prior to scanning? A. Log all users out of the system B. Patch the scanner C. Reboot the target host D. Update the web plugins

B

Upon learning about a user who has reused the same password for the past several years, a security specialist reviews the logs. The following is an extraction of the report after the most recent password change requirement: Which of the following security controls is the user's behaviour targeting? A. Password expiration B. Password history C. Password complexity D. Password reuse

B

Which of the following needs to be performed during a forensics investigation to ensure the data contained in a drive image has not been compromised? A. Follow the proper chain of custody procedures. B. Compare the image hash to the original hash. C. Ensure a legal hold has been placed on the image. D. Verify the time offset on the image file.

B

QUESTION 623 If two employees are encrypting traffic between them using a single encryption key, which of the following agorithms are they using? A. RSA B. 3DES C. DSA D. SHA-2

B QUESTION 624

QUESTION 634 Which of the following is used to encrypt web application data? A. MD5 B. AES C. SHA D. DHA

B QUESTION 635

Which of the following terms BEST describes an exploitable vulnerability that exists but has not been publicly disclosed yet? A. Design weakness B. Zero-day C. Logic bomb D. Trojan

B QUESTION 699

QUESTION 506 Which of the following types of penetration test will allow the tester to have access only to password hashes prior to the penetration test? A. Black box B. Gray box C. Credentialed D. White box

B Explanation

QUESTION 477 A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed? A. Aggressive scan B. Passive scan C. Non-credentialed scan D. Compliance scan

B Explanation Passive scanning is a method of vulnerability detection that relies on information gleaned from network data that is captured from a target computer without direct interaction. Packet sniffing applications can be used for passive scanning to reveal information such as operating system, known protocols running on non-standard ports and active network applications with known bugs. Passive scanning may be conducted by a network administrator scanning for security vulnerabilities or by an intruder as a preliminary to an active attack. For an intruder, passive scanning's main advantage is that it does not leave a trail that could alert users or administrators to their activities. For an administrator, the main advantage is that it doesn't risk causing undesired behavior on the target computer, such as freezes. Because of these advantages, passive scanning need not be limited to a narrow time frame to minimize risk or disruption, which means that it is likely to return more information. Passive scanning does have limitations. It is not as complete in detail as active vulnerability scanning and cannot detect any applications that are not currently sending out traffic; nor can it distinguish false information put out for obfuscation.

QUESTION 640 Which of the following access management concepts is MOST closely associated with the use of a password or PIN?? A. Authorization B. Authentication C. Accounting D. Identification

B QUESTION 641

Joe, a backup administrator, wants to implement a solution that will reduce the restoration time of physical servers. Which of the following is the BEST method for Joe to use? A. Differential B. Incremental C. Full D. Snapshots

C

A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program. Which of the following issue could occur if left unresolved? (Select TWO) A. MITM attack B. DoS attack C. DLL injection D. Buffer overflow E. Resource exhaustion

BE

A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Choose two.) A. PAP B. MSCHAP C. PEAP D. NTLM E. SAML

BC

As part of a corporate merger, two companies are combining resources. As a result, they must transfer files through the Internet in a secure manner. Which of the following protocols would BEST meet this objective? (Choose two.) A. LDAPS B. SFTP C. HTTPS D. DNSSEC E. SRTP

BC

QUESTION 492 When attempting to secure a mobile workstation, which of the following authentication technologies rely on the user's physical characteristics? (Select TWO) A. MAC address table B. Retina scan C. Fingerprint scan D. Two-factor authentication E. CAPTCHA F. Password string

BC

QUESTION 529 Which of the following metrics are used to calculate the SLE? (Select TWO) A. ROI B. ARO C. ALE D. MTBF E. MTTF F. TCO

BC

QUESTION 550 Which of the following is the main difference an XSS vulnerability and a CSRF vulnerability? A. XSS needs the attacker to be authenticated to the trusted server. B. XSS does not need the victim to be authenticated to the trusted server. C. CSRF needs the victim to be authenticated to the trusted server. D. CSRF does not need the victim to be authenticated to the trusted server. E. CSRF does not need the attacker to be authenticated to the trusted server.

BC

QUESTION 447 A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant items. Which of the following BEST describe why this has occurred? (Select TWO) A. Privileged-user certificated were used to scan the host B. Non-applicable plugins were selected in the scan policy C. The incorrect audit file was used D. The output of the report contains false positives E. The target host has been compromised

BD

Which of the following are considered to be "something you do"? (Choose two.) A. Iris scan B. Handwriting C. CAC card D. Gait E. PIN F. Fingerprint

BD

A cybersecurity analyst is looking into the payload of a random packet capture file that was selected for analysis. The analyst notices that an internal host had a socket established with another internal host over a non-standard port. Upon investigation, the origin host that initiated the socket shows this output: Given the above output, which of the following commands would have established the questionable socket? A. traceroute 8.8.8.8 B. ping -1 30 8.8.8.8 -a 600 C. nc -1 192.168.5.1 -p 9856 D. pskill pid 9487

C

A recent internal audit is forcing a company to review each internal business unit's VMs because the cluster they are installed on is in danger of running out of computer resources. Which of the following vulnerabilities exist? A. Buffer overflow B. End-of-life systems C. System sprawl D. Weak configuration

C

A security administrator needs to configure remote access to a file share so it can only be accessed between the hours of 9:00 a.m. and 5:00 p.m. Files in the share can only be accessed by members of the same department as the data owner. Users should only be able to create files with approved extensions, which may differ by department. Which of the following access controls would be the MOST appropriate for this situation? A. RBAC B. MAC C. ABAC D. DAC

C

A security engineer wants to add SSL to the public web server. Which of the following would be the FIRST step to implement the SSL certificate? A. Download the web certificate B. Install the intermediate certificate C. Generate a CSR D. Encrypt the private key

C

A systems administrator is configuring a new network switch for TACACS+ management and authentication. Which of the following must be configured to provide authentication between the switch and the TACACS+ server? A. 802.1X B. SSH C. Shared secret D. SNMPv3 E. CHAP

C

An application developer has neglected to include input validation checks in the design of the company's new web application. An employee discovers that repeatedly submitting large amounts of data, including custom code, to an application will allow the execution of the custom code at the administrator level. Which of the following BEST identifies this application attack? A. Cross-site scripting B. Clickjacking C. Buffer overflow D. Replay

C

An attacker exploited a vulnerability on a mail server using the code below. Which of the following BEST explains what the attacker is doing? A. The attacker is replacing a cookie. B. The attacker is stealing a document. C. The attacker is replacing a document. D. The attacker is deleting a cookie.

C

An organization wants to implement a method to correct risks at the system/application layer. Which of the following is the BEST method to accomplish this goal? A. IDS/IPS B. IP tunneling C. Web application firewall D. Patch management

C

Confidential corporate data was recently stolen by an attacker who exploited data transport protections. Which of the following vulnerabilities is the MOST likely cause of this data breach? A. Resource exhaustion on VPN concentrators B. Weak SSL cipher strength C. Improper input handling on FTP site D. Race condition on packet inspection firewall

C

During a lessons learned meeting regarding a previous incident, the security team receives a follow-up action item with the following requirements: -Allow authentication from within the United States anytime -Allow authentication if the user is accessing email or a shared file system -Do not allow authentication if the AV program is two days out of date -Do not allow authentication if the location of the device is in two specific countries Given the requirements, which of the following mobile deployment authentication types is being utilized? A. Geofencing authentication B. Two-factor authentication C. Context-aware authentication D. Biometric authentication

C

QUESTION 441 Which of the following is used to validate the integrity of data? A. CBC B. Blowfish C. MD5 D. RSA

C

QUESTION 452 The help desk received a call after hours from an employee who was attempting to log into the payroll server remotely. When the help desk returned the call the next morning, the employee was able to log into the server remotely without incident. However, the incident occurred again the next evening. Which of the following BEST describes the cause of the issue? A. The password expired on the account and needed to be reset B. The employee does not have the rights needed to access the database remotely C. Time-of-day restrictions prevented the account from logging in D. The employee's account was locked out and needed to be unlocked

C

QUESTION 459 An active/passive configuration has an impact on: A. confidentiality B. integrity C. availability D. non-repudiation

C

QUESTION 462 Which of the following uses precomputed hashes to guess passwords? A. Iptables B. NAT tables C. Rainbow tables D. ARP tables

C

QUESTION 487 A security administrator installed a new network scanner that identifies new host systems on the network. Which of the following did the security administrator install? A. Vulnerability scanner B. Network-based IDS C. Rogue system detection D. Configuration compliance scanner

C

QUESTION 491 An audit reported has identifies a weakness that could allow unauthorized personnel access to the facility at its main entrance and from there gain access to the network. Which of the following would BEST resolve the vulnerability? A. Faraday cage B. Air gap C. Mantrap D. Bollards

C

QUESTION 493 Systems administrator and key support staff come together to simulate a hypothetical interruption of service. The team updates the disaster recovery processes and documentation after meeting. Which of the following describes the team's efforts? A. Business impact analysis B. Continuity of operation C. Tabletop exercise D. Order of restoration

C

QUESTION 502 A security administrator is trying to eradicate a worm, which is spreading throughout the organization, using an old remote vulnerability in the SMB protocol. The worm uses Nmap to identify target hosts within the company. The administrator wants to implement a solution that will eradicate the current worm and any future attacks that may be using zero-day vulnerabilities. Which of the following would BEST meet the requirements when implemented? A. Host-based firewall B. Enterprise patch management system C. Network-based intrusion prevention system D. Application blacklisting E. File integrity checking

C

QUESTION 517 A security administrator is reviewing the following PowerShell script referenced in the Task Scheduler on a database server: Which of the following did the security administrator discover? A. Ransomeware B. Backdoor C. Logic bomb D. Trojan

C

QUESTION 523 A bank uses a wireless network to transmit credit card purchases to a billing system. Which of the following would be MOST appropriate to protect credit card information from being accessed by unauthorized individuals outside of the premises? A. Air gap B. Infrared detection C. Faraday cage D. Protected distributions

C

QUESTION 524 A help desk technician receives a phone call from an individual claiming to be an employee of the organization and requesting assistance to access a locked account. The help desk technician asks the individual to provide proof of identity before access can be granted. Which of the following types of attack is the caller performing? A. Phishing B. Shoulder surfing C. Impersonation D. Dumpster diving

C

QUESTION 528 Which of the following authentication concepts is a gait analysis MOST closely associated? A. Somewhere you are B. Something you are C. Something you do D. Something you know

C

QUESTION 531 When sending messages using symmetric encryption, which of the following must happen FIRST? A. Exchange encryption key B. Establish digital signatures C. Agree on an encryption method D. Install digital certificates

C

QUESTION 532 Which of the following scenarios BEST describes an implementation of non-repudiation? A. A user logs into a domain workstation and access network file shares for another department B. A user remotely logs into the mail server with another user's credentials C. A user sends a digitally signed email to the entire finance department about an upcoming meeting D. A user access the workstation registry to make unauthorized changes to enable functionality within an application

C

QUESTION 534 Which of the following is an asymmetric function that generates a new and separate key every time it runs? A. RSA B. DSA C. DHE D. HMAC E. PBKDF2

C

QUESTION 541 A security administrator suspects that a DDoS attack is affecting the DNS server. The administrator accesses a workstation with the hostname of workstation01 on the network and obtains the following output from the ipconfig command: The administrator successfully pings the DNS server from the workstation. Which of the following commands should be issued from the workstation to verify the DDoS attack is no longer occuring? A. dig www.google.com B. dig 192.168.1.254 C. dig workstation01.com D. dig 192.168.1.26

C

QUESTION 543 A number of employees report that parts of an ERP application are not working. The systems administrator reviews the following information from one of the employee workstations: Execute permission denied: financemodule.dll Execute permission denied: generalledger.dll Which of the following should the administrator implement to BEST resolve this issue while minimizing risk and attack exposure? A. Update the application blacklist B. Verify the DLL's file integrity C. Whitelist the affected libraries D. Place the affected employees in the local administrator's group

C

QUESTION 567 Which of the following development models entails several iterative and incremental software development methodologies such as Scrum? A. Spiral B. Waterfall C. Agile D. Rapid

C

QUESTION 569 Which of the following describes the maximum amount of time a mission essential function can operate without the systems it depends on before significantly impacting the organization? A. MTBF B. MTTR C. RTO D. RPO

C

QUESTION 596 An organization electronically processes sensitive data within a controlled facility. The Chief Information Security Officer (CISO) wants to limit emissions from emanating from the facility. Which of the following mitigates this risk? A. Upgrading facility cabling to a higher standard of protected cabling to reduce the likelihood of emission spillage B. Hardening the facility through the use of secure cabinetry to block emissions C. Hardening the facility with a Faraday cage to contain emissions produced from data processing D. Employing security guards to ensure unauthorized personnel remain outside of the facility

C

QUESTION 598 A company is deploying a file-sharing protocol access a network and needs to select a protocol for authenticating clients. Management requests that the service be configured in the most secure way possible. The protocol must also be capable of mutual authentication, and support SSO and smart card logons. Which of the following would BEST accomplish this task? A. Store credentials in LDAP B. Use NTLM authentication C. Implement Kerberos D. Use MSCHAP authentication

C

QUESTION 599 A company wants to provide centralized authentication for its wireless system. The wireless authentication system must integrate with the directory back end. Which of the following is a AAA solution that will provide the required wireless authentication? A. TACACS+ B. MSCHAPv2 C. RADIUS D. LDAP

C

QUESTION 603 An organization is providing employees on the shop floor with computers that will log their time based on when they sign on and off the network. Which of the following account types should the employees receive? A. Shared account B. Privileged account C. User account D. Service account

C

QUESTION 614 A company needs to implement a system that only lets a visitor use the company's network infrastructure if the visitor acceps the AUP. Which of the following should the company use? A. WiFi-protected setup B. Password authentication protocol C. Captive portal D. RADIUS

C

QUESTION 665 A company utilizes 802.11 for all client connectivity within a facility. Users in one part of the building are reporting they are unable to access company resources when connected to the company SSID. Which of the following should the security administrator use to assess connectivity? A. Sniffer B. Honeypot C. Routing tables D. Wireless scanner

C

QUESTION 686 During a penetration test, the tester performs a preliminary scan for any responsive hosts. Which of the following BEST explains why the tester is doing this? A. To determine if the network routes are improperly forwarding request packets B. To identify the total number of hosts and determine if the network can be victimized by a DoS attack C. To identify servers for subsequent scans and further investigation D. To identify the unresponsive hosts and determine if those could be used as zombies in a follow-up scan.

C

QUESTION 692 A network technician is setting up a new branch for a company. The users at the new branch will need to access resources securely as if they were at the main location. Which of the following networking concepts would BEST accomplish this? A. Virtual network segmentation B. Physical network segmentation C. Site-to-site VPN D. Out-of-band access E. Logical VLANs

C

QUESTION 693 A water utility company has seen a dramatic increase in the number of water pumps burning out. A malicious actor was attacking the company and is responsible for the increase. Which of the following systems has the attacker compromised? A. DMZ B. RTOS C. SCADA D. IoT

C

QUESTION 694 An organization's Chief Executive Officer (CEO) directs a newly hired computer technician to install an OS on the CEO's personal laptop. The technician performs the installation, and a software audit later in the month indicates a violation of the EULA occurred as a result. Which of the following would address this violation going forward? A. Security configuration baseline B. Separation of duties C. AUP D. NDA

C

QUESTION 695 Which of the following attackers generally possesses minimal technical knowledge to perform advanced attacks and uses widely available tools as well as publicly available information? A. Hacktivist B. White hat hacker C. Script kiddle D. Penetration tester

C

QUESTION 707 When backing up a database server to LTO tape drives, the following backup schedule is used. Backups take one hour to complete: Sunday (7 PM): Full backup Monday (7 PM): Incremental Tuesday (7 PM): Incremental Wednesday (7 PM): Differential Thursday (7 PM): Incremental Friday (7 PM): Incremental Saturday (7 PM): Incremental On Friday at 9:00 p.m., there is a RAID failure on the database server. The data must be restored from backup. Which of the following is the number of backup tapes that will be needed to complete this operation? A. 1 B. 2 C. 3 D. 4 E. 6

C

Which of the following can the technician conclude after reviewing the above logs? A. The server is under a DDoS attack from multiple geographic locations. B. The server is compromised, and is attacking multiple hosts on the Internet. C. The server is under an IP spoofing resource exhaustion attack. D. The server is unable to complete the TCP three-way handshake and send the last ACK.

C

Which of the following is the FIRST step in remediating the vulnerability? A. Implement stored procedures. B. Implement proper error handling. C. Implement input validations. D. Implement a WAF.

C

Which of the following methods is used by internal security teams to assess the security of internally developed applications? A. Active reconnaissance B. Pivoting C. White box testing D. Persistence

C

Which of the following types of security testing is the MOST cost-effective approach used to analyze existing code and identity areas that require patching? A. Black box B. Gray box C. White box D. Red team

C

Which of the following would be considered multifactor authentication? A. Hardware token and smart card B. Voice recognition and retina scan C. Strong password and fingerprint D. PIN and security questions

C

QUESTION 451 When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said that they are: A. escalating privilege B. becoming persistent C. fingerprinting D. pivoting

D

QUESTION 504 A procedure differs from a policy in that it: A. is a high-level statement regarding the company's position on a topic. B. sets a minimum expected baseline of behavior. C. provides step-by-step instructions for performing a task. D. describes adverse actions when violations occur.

C Explanation

QUESTION 505 Ann, a user, reports she is unable to access an application from her desktop. A security analyst verifies Ann's access and checks the SIEM for any errors. The security analyst reviews the log file from Ann's system and notices the following output: Which of the following is MOST likely preventing Ann from accessing the application from the desktop? A. Web application firewall B. DLP C. Host-based firewall D. UTM E. Network-based firewall

C Explanation

QUESTION 438 Which of the following is the BEST reason to run an untested application is a sandbox? A. To allow the application to take full advantage of the host system's resources and storage B. To utilize the host systems antivirus and firewall applications instead of running it own protection C. To prevent the application from acquiring escalated privileges and accessing its host system D. To increase application processing speed so the host system can perform real-time logging

C QUESTION 439

QUESTION 555 Which of the following is the BEST way for home users to mitigate vulnerabilities associated with IoT devices on their home networks? A. Power off the devices when they are not in use, B. Prevent IoT devices from contacting the Internet directly. C. Apply firmware and software updates upon availability. D. Deploy a bastion host on the home network.

C QUESTION 556

QUESTION 577 Management wishes to add another authentication factor in addition to fingerprints and passwords in order to have three-factor authentication. Which of the following would BEST satisfy this request? A. Retinal scan B. Passphrase C. Token fob D. Security question

C QUESTION 578

Which of the following uses tokens between the identity provider and the service provider to authenticate and authorize users to resources? A. RADIUS B. SSH C. OAuth D. MSCHAP

C QUESTION 636

A company has won an important government contract. Several employees have been transferred from their existing projects to support a new contract. Some of the employees who have transferred will be working long hours and still need access to their project information to transition work to their replacements. Which of the following should be implemented to validate that the appropriate offboarding process has been followed? A. Separation of duties B. Time-of-day restrictions C. Permission auditing D. Mandatory access control

C QUESTION 637

QUESTION 651 A security engineer implements multiple technical measures to secure an enterprise network. The engineer also works with the Chief Information Officer (CIO) to implement policies to govern user behavior. Which of the following strategies is the security engineer executing? A. Baselining B. Mandatory access control C. Control diversity D. System hardening

C QUESTION 652 A security analyst identified an SQL injection attack.

QUESTION 657 An analyst generates the following color-coded table shown in the exhibit to help explain the risk of potential incidents in the company. The vertical axis indicates the likelihood or an incident, while the horizontal axis indicates the impact. Which of the following is this table an example of? A. Internal threat assessment B. Privacy impact assessment C. Qualitative risk assessment D. Supply chain assessment

C QUESTION 658

QUESTION 680 A systems administrator has created network file shares for each department with associated security groups for each role within the organization. Which of the following security concepts is the systems administrator implementing? A. Separation of duties B. Permission auditing C. Least privilege D. Standard naming conversation

C QUESTION 681

Confidential emails from an organization were posted to a website without the organization's knowledge. Upon investigation, it was determined that the emails were obtained from an internal actor who sniffed the emails in plain text. Which of the following protocols, if properly implemented, would have MOST likely prevented the emails from being sniffed? (Select TWO) A. Secure IMAP B. DNSSEC C. S/MIME D. SMTPS E. HTTPS

CD

QUESTION 542 A security administrator has configured a RADIUS and a TACACS+ server on the company's network. Network devices will be required to connect to the TACACS+ server for authentication and send accounting information to the RADIUS server. Given the following information: RADIUS IP: 192.168.20.45 TACACS+ IP: 10.23.65.7 Which of the following should be configured on the network clients? (Select two.) A. Accounting port: TCP 389 B. Accounting port: UDP 1812 C. Accounting port: UDP 1813 D. Authentication port: TCP 49 E. Authentication port: TCP 88 F. Authentication port: UDP 636

CD

QUESTION 606 An employee in the finance department receives an email, which appears to come from the Chief Financial Officer (CFO), instructing the employee to immediately wire a large sum of money to a vendor. Which of the following BEST describes the principles of social engineering used? (Choose two.) A. Familiarity B. Scarcity C. Urgency D. Authority E. Consensus

CD

QUESTION 446 A security administrator has written a script that will automatically upload binary and text-based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which of the following should the administrator use? (Select TWO) A. TOPT B. SCP C. FTP over a non-standard pot D. SRTP E. Certificate-based authentication F. SNMPv3

CE

QUESTION 464 A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO) A. Install an additional firewall B. Implement a redundant email server C. Block access to personal email on corporate systems D. Update the X.509 certificates on the corporate email server E. Update corporate policy to prohibit access to social media websites F. Review access violation on the file server

CE

QUESTION 576 Which of the following are considered among the BEST indicators that a received message is a hoax? (Choose two.) A. Minimal use of uppercase letters in the message B. Warnings of monetary loss to the receiver C. No valid digital signature from a known security organization D. Claims of possible damage to computer hardware E. Embedded URLs

CE

QUESTION 581 A security analyst is assessing a small company's internal servers against recommended security practices. Which of the following should the analyst do to conduct the assessment? (Choose two.) A. Compare configurations against platform benchmarks B. Confirm adherence to the company's industry-specific regulations C. Review the company's current security baseline D. Verify alignment with policy related to regulatory compliance E. Run an exploitation framework to confirm vulnerabilities

CE

A call center company wants to implement a domain policy primarily for its shift workers. The call center has large groups with different user roles. Management wants to monitor group performance. Which of the following is the BEST solution for the company to implement? A. Reduced failed logon attempts B. Mandatory password changes C. Increased account lockout time D. Time-of-day restrictions

D

A security technician has been receiving alerts from several servers that indicate load balancers have had a significant increase in traffic. The technician initiates a system scan. The scan results illustrate that the disk space on several servers has reached capacity. The scan also indicates that incoming internet traffic to the servers has increased. Which of the following is the MOST likely cause of the decreased disk space? A. Misconfigured devices B. Logs and events anomalies C. Authentication issues D. Unauthorized software

D

A small organization has implemented a rogue system detection solution. Which of the following BEST explains the organization's intent? A. To identify weak ciphers being used on the network B. To identify assets on the network that are subject to resource exhaustion C. To identify end-of-life systems still in use on the network D. To identify assets that are not authorized for use on the network

D

A stock trading company had the budget for enhancing its secondary datacenter approved. Since the main site is a hurricane affected area and the disaster recovery site is 100 mi (161 km) away, the company wants to ensure its business is always operational with the least amount of man hours needed. Which of the following types of disaster recovery sites should the company implement? A. Hot site B. Warm site C. Cold site D. Cloud-based site

D

A technician has installed a new AAA server, which will be used by the network team to control access to a company's routers and switches. The technician completes the configuration by adding the network team members to the NETWORK_TEAM group, and then adding the NETWORK_TEAM group to the appropriate ALLOW_ACCESS access list. Only members of the network team should have access to the company's routers and switches. Members of the network team successfully test their ability to log on to various network devices configured to use the AAA server. Weeks later, an auditor asks to review the following access log sample: Which of the following should the auditor recommend based on the above information? A. Configure the ALLOW_ACCESS group logic to use AND rather than OR. B. Move the NETWORK_TEAM group to the top of the ALLOW_ACCESS access list. C. Disable groups nesting for the ALLOW_ACCESS group in the AAA server. D. Remove the DOMAIN_USERS group from ALLOW_ACCESS group.

D

QUESTION 454 A home invasion occurred recently in which an intruder compromised a home network and accessed a WiFI-enabled baby monitor while the baby's parents were sleeping. Which of the following BEST describes how the intruder accessed the monitor? A. Outdated antivirus B. WiFi signal strength C. Social engineering D. Default configuration

D

QUESTION 460 Which of the following would provide additional security by adding another factor to a smart card? A. Token B. Proximity badge C. Physical key D. PIN

D

An analyst is part of a team that is investigating a potential breach of sensitive data at a large financial services organization. The organization suspects a breach occurred when proprietary data was disclosed to the public. The team finds servers were accessed using shared credentials that have been in place for some time. In addition, the team discovers undocumented firewall rules, which provided unauthorized external access to a server. Suspecting the activities of a malicious insider threat, which of the following was MOST likely to have been utilized to exfiltrate the proprietary data? A. Keylogger B. Botnet C. Crypto-malware D. Backdoor E. Ransomware F. DLP

D

QUESTION 450 To help prevent one job role from having sufficient access to create, modify, and approve payroll data, which of the following practices should be employed? A. Least privilege B. Job rotation C. Background checks D. Separation of duties

D

QUESTION 465 A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact? A. Launch an investigation to identify the attacking host B. Initiate the incident response plan C. Review lessons learned captured in the process D. Remove malware and restore the system to normal operation

D

QUESTION 469 A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the FIRST step the forensic expert needs to take the chain of custody? A. Make a forensic copy B. Create a hash of the hard rive C. Recover the hard drive data D. Update the evidence log

D

QUESTION 470 An incident response manager has started to gather all the facts related to a SIEM alert showing multiple systems may have been compromised. The manager has gathered these facts: -The breach is currently indicated on six user PCs -One service account is potentially compromised -Executive management has been notified In which of the following phases of the IRP is the manager currently working? A. Recovery B. Eradication C. Containment D. Identification

D

QUESTION 479 A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy? A. Physical B. Corrective C. Technical D. Administrative

D

QUESTION 488 A Chief Information Officer (CIO) has decided it is not cost effective to implement safeguards against a known vulnerability. Which of the following risk responses does this BEST describe? A. Transference B. Avoidance C. Mitigation D. Acceptance

D

QUESTION 489 A technician is investigating a potentially compromised device with the following symptoms: -Browser slowness -Frequent browser crashes -Hourglass stuck -New search toolbar -Increased memory consumption Which of the following types of malware has infected the system? A. Man-in-the-browser B. Spoofer C. Spyware D. Adware

D

QUESTION 490 A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over untrusted media. Which of the following BEST describes the action performed by this type of application? A. Hashing B. Key exchange C. Encryption D. Obfusication

D

QUESTION 496 A technician is configuring a load balancer for the application team to accelerate the network performance of their applications. The applications are hosted on multiple servers and must be redundant. Given this scenario, which of the following would be the BEST method of configuring the load balancer? A. Round-robin B. Weighted C. Least connection D. Locality-based

D

QUESTION 500 A new security administrator ran a vulnerability scanner for the first time and caused a system outage. Which of the following types of scans MOST likely caused the outage? A. Non-intrusive credentialed scan B. Non-intrusive non-credentialed scan C. Intrusive credentialed scan D. Intrusive non-credentialed scan

D

QUESTION 501 A security analyst is hardening a WiFi infrastructure. The primary requirements are the following: -The infrastructure must allow staff to authenticate using the most secure method. -The infrastructure must allow guests to use an "open" WiFi network that logs valid email addresses before granting access to the Internet. Given these requirements, which of the following statements BEST represents what the analyst should recommend and configure? A. Configure a captive portal for guests and WPS for staff. B. Configure a captive portal for staff and WPA for guests. C. Configure a captive portal for staff and WEP for guests. D. Configure a captive portal for guest and WPA2 Enterprise for staff

D

QUESTION 510 Which of the following locations contain the MOST volatile data? A. SSD B. Paging file C. RAM D. Cache memory

D

QUESTION 516 A security analyst is reviewing patches on servers. One of the servers is reporting the following error message in the WSUS management console: The computer has not reported status in 30 days. Given this scenario, which of the following statements BEST represents the issue with the output above? A. The computer in question has not pulled the latest ACL policies for the firewall. B. The computer in question has not pulled the latest GPO policies from the management server. C. The computer in question has not pulled the latest antivirus definitions from the antivirus program. D. The computer in question has not pulled the latest application software updates.

D

QUESTION 518 A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions. in addition, the perimeter router can only handle 1Gbps of traffic. Which of the following should be implemented to prevent a DoS attacks in the future? A. Deploy multiple web servers and implement a load balancer B. Increase the capacity of the perimeter router to 10 Gbps C. Install a firewall at the network to prevent all attacks D. Use redundancy across all network devices and services

D

QUESTION 519 A malicious system continuously sends an extremely large number of SYN packets to a server. Which of the following BEST describes the resulting effect? A. The server will be unable to server clients due to lack of bandwidth B. The server's firewall will be unable to effectively filter traffic due to the amount of data transmitted C. The server will crash when trying to reassemble all the fragmented packets D. The server will exhaust its memory maintaining half-open connections

D

QUESTION 520 A systems administrator is deploying a new mission essential server into a virtual environment. Which of the following is BEST mitigated by the environment's rapid elasticity characteristic? A. Data confidentiality breaches B. VM escape attacks C. Lack of redundancy D. Denial of service

D

QUESTION 527 An external auditor visits the human resources department and performs a physical security assessment. The auditor observed documents on printers that are unclaimed. A closer look at these documents reveals employee names, addresses, ages, and types of medical and dental coverage options each employee has selected. Which of the following is the MOST appropriate actions to take? A. Flip the documents face down so no one knows these documents are PII sensitive B. Shred the documents and let the owner print the new set C. Retrieve the documents, label them with a PII cover sheet, and return them to the printer D. Report to the human resources manager that their personnel are violating a privacy policy

D

QUESTION 533 An office manager found a folder that included documents with various types of data relating to corporate clients. The office manager notified the data included dates of birth, addresses, and phone numbers for the clients. The office manager then reported this finding to the security compliance officer. Which of the following portions of the policy would the security officer need to consult to determine if a breach has occurred? A. Public B. Private C. PHI D. PII

D

QUESTION 545 An instructor is teaching a hands-on wireless security class and needs to configure a test access point to show students an attack on a weak protocol. Which of the following configurations should the instructor implement? A. WPA2 B. WPA C. EAP D. WEP

D

QUESTION 547 A company recently experienced data exfiltration via the corporate network. In response to the breach, a security analyst recommends deploying an out-of-band IDS solution. The analyst says the solution can be implemented without purchasing any additional network hardware. Which of the following solutions will be used to deploy the IDS? A. Network tap B. Network proxy C. Honeypot D. Port mirroring

D

QUESTION 551 A group of developers is collaborating to write software for a company. The developers need to work in subgroups and control who has access to their modules. Which of the following access control methods is considered user-centric? A. Time-based B. Mandatory C. Rule-based D. Discretionary

D

QUESTION 557 A security administrator is implementing a new WAF solution and has placed some of the web servers behind the WAF, with the WAF set to audit mode. When reviewing the audit logs of external requests and posts to the web servers, the administrator finds the following Based on this data, which of the following actions should the administrator take? A. Alert the web server administrators to a misconfiguration. B. Create a blocking policy based on the parameter values. C. Change the parameter name 'Account_Name' identified in the log. D. Create an alert to generate emails for abnormally high activity.

D

QUESTION 579 A network administrator is creating a new network for an office. For security purposes, each department should have its resources isolated from every other department but be able to communicate back to central servers. Which of the following architecture concepts would BEST accomplish this? A. Air gapped network B. Load balanced network C. Network address translation D. Network segmentation

D

QUESTION 582 Joe recently assumed the role of data custodian for this organization. While cleaning out an unused storage safe, he discovers several hard drives that are labeled "unclassified" and awaiting destruction. The hard drives are obsolete and cannot be installed in any of his current computing equipment. Which of the following is the BEST method for disposing of the hard drives? A. Burning B. Wiping C. Purging D. Pulverizing

D

QUESTION 586 A security administrator is performing a risk assessment on a legacy WAP with a WEP-enabled wireless infrastructure. Which of the following should be implemented to harden the infrastructure without upgrading the WAP? A. Implement WPA and TKIP B. Implement WPS and an eight-digit pin C. Implement WEP and RC4 D. Implement WPA2 Enterprise

D

QUESTION 587 A systems administrator is installing a new server in a large datacenter. Which of the following BEST describes the importance of properly positioning servers in the rack to maintain availability? A. To allow for visibility of the servers' status indicators B. To adhere to cable management standards C. To maximize the fire suppression system's efficiency D. To provide consistent air flow

D

QUESTION 591 Which of the following penetration testing concepts is an attacker MOST interested in when placing the path of a malicious file in the Windows/CurrentVersion/Run registry key? A. Persistence B. Pivoting C. Active reconnaissance D. Escalation of privilege

D

QUESTION 592 An organization has an account management policy that defines parameters around each type of account. The policy specifies different security attributes, such as longevity, usage auditing, password complexity, and identity proofing. The goal of the account management policy is to ensure the highest level of security while providing the greatest availability without compromising data integrity for users. Which of the following account types should the policy specify for service technicians from corporate partners? A. Guest account B. User account C. Shared account D. Privileged user account E. Default account F. Service account

D

QUESTION 600 An incident response analyst at a large corporation is reviewing proxy data log. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take? A. Call the CEO directly to ensure awareness of the event B. Run a malware scan on the CEO's workstation C. Reimage the CEO's workstation D. Disconnect the CEO's workstation from the network

D

QUESTION 601 A law office has been leasing dark fiber from a local telecommunications company to connect a remote office to company headquarters. The telecommunications company has decided to discontinue its dark fiber product and is offering an MPLS connection, which the law office feels is too expensive. Which of the following is the BEST solution for the law office? A. Remote access VPN B. VLAN C. VPN concentrator D. Site-to-site VPN

D

QUESTION 612 A security administrator wants to determine if a company's web servers have the latest operating system and application patches installed. Which of the following types of vulnerability scans should be conducted? A. Non-credentialed B. Passive C. Port D. Credentialed E. Red team F. Active

D

QUESTION 631 A company is planning to build an internal website that allows for access to outside contracts and partners. A majority of the content will only be to internal employees with the option to share. Which of the following concepts is MOST appropriate? A. VPN B. Proxy C. DMZ D. Extranet

D

QUESTION 639 A security analyst believes an employee's workstation has been compromised. The analyst reviews the system logs, but does not find any attempted logins. The analyst then runs the diff command, comparing the C:\Windows\System32 directory and the installed cache directory. The analyst finds a series of files that look suspicious. One of the files contains the following commands: Which of the following types of malware was used? A. Worm B. Spyware C. Logic bomb D. Backdoor

D

QUESTION 643 A security administrator has completed a monthly review of DNS server query logs. The administrator notices continuous name resolution attempts from a large number of internal hosts to a single Internet addressable domain name. The security administrator then correlated those logs with the establishment of persistent TCP connections out to this domain. The connections seem to be carrying on the order of kilobytes of data per week. Which of the following is the MOST likely explanation for this company? A. An attacker is infiltrating large amounts of proprietary company data. B. Employees are playing multiplayer computer games. C. A worm is attempting to spread to other hosts via SMB exploits. D. Internal hosts have become members of a botnet.

D

QUESTION 647 A company wants to implement a wireless network with the following requirements: • All wireless users will have a unique credential. • User certificates will not be required for authentication. • The company's AAA infrastructure must be utilized. • Local hosts should not store authentication tokens. Which of the following should be used in the design to meet the requirements? A. EAP-TLS B. WPS C. PSK D. PEAP

D

QUESTION 648 A technician has discovered a crypto-virus infection on a workstation that has access to sensitive remote resources. Which of the following is the immediate NEXT step the technician should take? A. Determine the source of the virus that has infected the workstation. B. Sanitize the workstation's internal drive. C. Reimage the workstation for normal operation. D. Disable the network connections on the workstation.

D

QUESTION 671 Hacktivists are most commonly motivated by: A. curiosity B. notoriety C. financial gain D. political cause

D

QUESTION 674 A security, who is analyzing the security of the company's web server, receives the following output: Which of the following is the issue? A. Code signing B. Stored procedures C. Access violations D. Unencrypted credentials

D

QUESTION 678 When accessing a popular website, a user receives a warming that the certificate for the website is not valid. Upon investigation, it was noted that the certificate is not revoked and the website is working fine for other users. Which of the following is the MOST likely cause for this? A. The certificate is corrupted on the server. B. The certificate was deleted from the local cache. C. The user needs to restart the machine. D. The system date on the user's device is out of sync.

D

QUESTION 683 Which of the following outcomes is a result of proper error-handling procedures in secure code? A. Execution continues with no notice or logging of the error condition. B. Minor fault conditions result in the system stopping to preserve state. C. The program runs through to completion with no detectable impact or output. D. All fault conditions are logged and do not result in a program crash.

D

QUESTION 701 Two companies are enabling TLS on their respective email gateways to secure communications over the Internet. Which of the following cryptography concepts is being implemented? A. Perfect forward secrecy B. Ephemeral keys C. Domain validation D. Data in transit

D

QUESTION 710 Joe, a user, reports to the help desk that he can no longer access any documents on his PC. He states that he saw a window appear on the screen earlier, but he closed it without reading it. Upon investigation, the technician sees high disk activity on Joe's PC. Which of the following types of malware is MOST likely indicated by these findings? A. Keylogger B. Trojan C. Rootkit D. Crypto-malware

D

QUESTION 714 Which of the following identity access methods creates a cookie on the first login to a central authority to allow logins to subsequent applications without re-entering credentials? A. Multifactor authentication B. Transitive trust C. Federated access D. Single sign-on

D

Several workstations on a network are found to be on OS versions that are vulnerable to a specific attack. Which of the following is considered to be a corrective action to combat this vulnerability? A. Install an antivirus definition patch B. Educate the workstation users C. Leverage server isolation D. Install a vendor-supplied patch E. Install an intrusion detection system

D

Students at a residence hall are reporting Internet connectivity issues. The university's network administrator configured the residence hall's network to provide public IP addresses to all connected devices, but many student devices are receiving private IP addresses due to rogue devices. The network administrator verifies the residence hall's network is correctly configured and contacts the security administrator for help. Which of the following configurations should the security administrator suggest for implementation? A. Router ACLs B. BPDU guard C. Flood guard D. DHCP snooping

D

Which of the following BEST explains why sandboxing is a best practice for testing software from an untrusted vendor prior to an enterprise deployment? A. It allows the software to run in an unconstrained environment with full network access. B. It eliminates the possibility of privilege escalation attacks against the local VM host. C. It facilitates the analysis of possible malware by allowing it to run until resources are exhausted. D. It restricts the access of the software to a contained logical space and limits possible damage.

D

QUESTION 455 A security engineer must install the same x.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use? A. Wildcard certificate B. Extended validation certificate C. Certificate chaining D. Certificate utilizing the SAN file

D Explanation: SAN = Subject Alternate Names

An organization hosts a public-facing website that contains a login page for users who are registered and authorized to access a secure, non-public section of the site. That non-public site hosts information that requires multifactor authentication for access. Which of the following access management approaches would be the BEST practice for the organization? A. Username/password with TOTP B. Username/password with pattern matching C. Username/password with a PIN D. Username/password with a CAPTCHA

D QUESTION 625

QUESTION 653 Joe, a contractor, is hired by a firm to perform a penetration test against the firm's infrastructure. When conducting the scan, he receives only the network diagram and the network list to scan against the network. Which of the following scan types is Joe performing? A. Authenticated B. White box C. Automated D. Gray box

D QUESTION 654

QUESTION 662 Joe, a member of the sales team, recently logged into the company servers after midnight local time to download the daily lead form before his coworkers did. Management has asked the security team to provide a method for detecting this type of behavior without impeding the access for sales employee as they travel overseas. Which of the following would be the BEST method to achieve this objective? A. Configure time-of-day restrictions for the sales staff. B. Install DLP software on the devices used by sales employees. C. Implement a filter on the mail gateway that prevents the lead from being emailed. D. Create an automated alert on the SIEM for anomalous sales team activity.

D QUESTION 663

QUESTION 461 A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure? A. L2TP with MAC filtering B. EAP-TTLS C. WPA2-CCMP with PSK D. RADIUS federation

D Explanation: RADIUS generally includes 802.1X that pre-authenticates devices.

QUESTION 704 A recent penetration test revealed several issues with a public-facing website used by customers. The testers were able to: -Enter long lines of code and special characters -Crash the system -Gain unauthorized access to the internal application server -Map the internal network The development team has stated they will need to rewrite a significant portion of the code used, and it will take more than a year to deliver the finished product. Which of the following would be the BEST solution to introduce in the interim? A. Content fileting B. WAF C. TLS D. IPS/IDS E. UTM

E


Conjuntos de estudio relacionados

AP Micro Economics Exam Multiple Choice 2014, 2015, 2016, 2017

View Set

Business Ethics Final Exam - Padgett

View Set

Chapter 6 The Integumentary System Review

View Set

Nutritional Bases of Health - Health CSET #2

View Set

Chapter 21: Family-Centered Care of the Child During Illness and Hospitalization

View Set