Security+ Review Questions
QUESTION 10 A security analyst needs to make a recommendation for restricting access to certain segments of the network using only data-link layer security. Which of the following controls will the analyst MOST likely recommend? A. MAC B. ACL C. BPDU D. ARP
Correct Answer:A
QUESTION 103 Which of the following should a data owner require all personnel to sign to legally protect intellectual property? A. An NDA B. An AUP C. An ISA D. An MOU
Correct Answer:A
QUESTION 107 A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use? A. dd B. chmod C. dnsenum D. logger
Correct Answer:A
QUESTION 109 A developer is concerned about people downloading fake malware-infected replicas of a popular game. Which of the following should the developer do to help verify legitimate versions of the game for users? A. Digitally sign the relevant game files B. Embed a watermark using steganography C. Implement TLS on the license activation server D. Fuzz the application for unknown vulnerabilities
Correct Answer:A
QUESTION 11 In which of the following common use cases would steganography be employed? A. Obfuscation B. Integrity C. Non-repudiation D. Blockchain
Correct Answer:A
QUESTION 111 A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able to detect the following message: "Special privileges assigned to new logon." Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected? A. Pass-the-hash B. Buffer overflow C. Cross-site scripting D. Session replay
Correct Answer:A
QUESTION 12 An enterprise needs to keep cryptographic keys in a safe manner. Which of the following network appliances can achieve this goal? A. HSM B. CASB C. TPM D. DLP
Correct Answer:A
QUESTION 13 A public relations team will be taking a group of guests on a tour through the facility of a large e-commerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against: A. loss of proprietary information. B. damage to the company's reputation. C. social engineering. D. credential exposure.
Correct Answer:A
QUESTION 2 A network engineer is troubleshooting wireless network connectivity issues that were reported by users. The issues are occurring only in the section of the building that is closest to the parking lot. Users are intermittently experiencing slow speeds when accessing websites and are unable to connect to network drives. The issues appear to increase when laptop users return to their desks after using their devices in other areas of the building. There have also been reports of users being required to enter their credentials on web pages in order to gain access to them. Which of the following is the MOST likely cause of this issue? A. An external access point is engaging in an evil-twin attack. B. The signal on the WAP needs to be increased in that section of the building. C. The certificates have expired on the devices and need to be reinstalled. D. The users in that section of the building are on a VLAN that is being blocked by the firewall.
Correct Answer:A
QUESTION 27 A user must introduce a password and a USB key to authenticate against a secure computer, and authentication is limited to the state in which the company resides. Which of the following authentication concepts are in use? A. Something you know, something you have, and somewhere you are B. Something you know, something you can do, and somewhere you are C. Something you are, something you know, and something you can exhibit D. Something you have, somewhere you are, and someone you know
Correct Answer:A
QUESTION 28 A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help to accomplish this goal? A. Classify the data B. Mask the data C. Assign the application owner D. Perform a risk analysis
Correct Answer:A
QUESTION 34 An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable? A. SED B. HSM C. DLP D. TPM
Correct Answer:A
QUESTION 36 A company's Chief Information Security Officer (CISO) recently warned the security manager that the company's Chief Executive Officer (CEO) is planning to publish a controversial opinion article in a national newspaper, which may result in new cyberattacks. Which of the following would be BEST for the security manager to use in a threat model? A. Hacktivists B. White-hat hackers C. Script kiddies D. Insider threats
Correct Answer:A
QUESTION 42 A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using? A. The Diamond Model of Intrusion Analysis B. The Cyber Kill Chain C. The MITRE CVE database D. The incident response process
Correct Answer:A
QUESTION 44 A major clothing company recently lost a large amount of proprietary information. The security officer must find a solution to ensure this never happens again. Which of the following is the BEST technical implementation to prevent this from happening again? A. Configure DLP solutions B. Disable peer-to-peer sharing C. Enable role-based D. Mandate job rotation E. Implement content filters
Correct Answer:A
QUESTION 54 A company is adopting a BYOD policy and is looking for a comprehensive solution to protect company information on user devices. Which of the following solutions would BEST support the policy? A. Mobile device management B. Full-device encryption C. Remote wipe D. Biometrics
Correct Answer:A
QUESTION 58 To mitigate the impact of a single VM being compromised by another VM on the same hypervisor, an administrator would like to utilize a technical control to further segregate the traffic. Which of the following solutions would BEST accomplish this objective? A. Install a hypervisor firewall to filter east-west traffic B. Add more VLANs to the hypervisor network switches C. Move exposed or vulnerable VMs to the DMZ D. Implement a Zero Trust policy and physically segregate the hypervisor servers
Correct Answer:A
QUESTION 6 A company recently set up an e-commerce portal to sell its product online. The company wants to start accepting credit cards for payment, which requires compliance with a security standard. Which of the following standards must the company comply with before accepting credit cards on its e-commerce platform? A. PCI DSS B. ISO 22301 C. ISO 27001 D. NIST CSF
Correct Answer:A
QUESTION 61 In which of the following risk management strategies would cybersecurity insurance be used? A. Transference B. Avoidance C. Acceptance D. Mitigation
Correct Answer:A
QUESTION 67 A company has determined that if its computer-based manufacturing machinery is not functioning for 12 consecutive hours, it will lose more money than it costs to maintain the equipment. Which of the following must be less than 12 hours to maintain a positive total cost of ownership? A. MTBF B. RPO C. RTO D. MTTR
Correct Answer:A
QUESTION 71 Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario? A. Watering-hole attack B. Credential harvesting C. Hybrid warfare D. Pharming
Correct Answer:A
QUESTION 8 Which of the following types of controls is a CCTV camera that is not being monitored? A. Detective B. Deterrent C. Physical D. Preventive
Correct Answer:A
QUESTION 85 An organization's help desk is flooded with phone calls from users stating they can no longer access certain websites. The help desk escalates the issue to the security team, as these websites were accessible the previous day. The security analysts run the following command: ipconfig /flushdns, but the issue persists. Finally, an analyst changes the DNS server for an impacted machine, and the issue goes away. Which of the following attacks MOST likely occurred on the original DNS server? A. DNS cache poisoning B. Domain hijacking C. Distributed denial-of-service D. DNS tunneling
Correct Answer:A
QUESTION 86 A recently discovered zero-day exploit utilizes an unknown vulnerability in the SMB network protocol to rapidly infect computers. Once infected, computers are encrypted and held for ransom. Which of the following would BEST prevent this attack from reoccurring? A. Configure the perimeter firewall to deny inbound external connections to SMB ports. B. Ensure endpoint detection and response systems are alerting on suspicious SMB connections. C. Deny unauthenticated users access to shared network folders. D. Verify computers are set to install monthly operating system updates automatically.
Correct Answer:A
QUESTION 90 A manufacturer creates designs for very high security products that are required to be protected and controlled by government regulations. These designs are not accessible by corporate networks or the Internet. Which of the following is the BEST solution to protect these designs? A. An air gap B. A Faraday cage C. A shielded cable D. A demilitarized zone
Correct Answer:A
QUESTION 91 Several employees have noticed other bystanders can clearly observe a terminal where passcodes are being entered. Which of the following can be eliminated with the use of a privacy screen? A. Shoulder surfing B. Spear phishing C. Impersonation attack D. Card cloning
Correct Answer:A
QUESTION 97 A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the Internet all day. Which of the following would MOST likely show where the malware originated? A. The DNS logs B. The web server logs C. The SIP traffic logs D. The SNMP logs
Correct Answer:A
QUESTION 94 A bank detects fraudulent activity on a user's account. The user confirms transactions completed yesterday on the bank's website at https://www.company.com. A security analyst then examines the user's Internet usage logs and observes the following output:
Date;username;url;destinationport;responsecode
2022-2-5;userjane;http://www.company.foo/;80;302
2022-2-5;userjane;http://www.company.foo/secure_login/;80;200
2022-2-5;userjane;http://www.company.foo/dashboard/;80;200
Which of the following has MOST likely occurred? A. Replay attack B. SQL injection C. SSL stripping D. Race conditions
Correct Answer:A Explanation: A web application might maintain a user's session based on the value of a parameter in the request, for example http://example.com/home/show.php?SESSIONID=MYSESSION, where MYSESSION is the session ID. Unprotected, this method is vulnerable to a specific type of session replay attack called a session fixation attack. For more, see the reference below. Reference: https://campus.barracuda.com/product/webapplicationfirewall/doc/49058327/session-replay-attack/
QUESTION 75 A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery? A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis. B. Restrict administrative privileges and patch all systems and applications. C. Rebuild all workstations and install new antivirus software. D. Implement application whitelisting and perform user application hardening.
Correct Answer:A - Immediately after recovering from a cyberattack, you should always be on high alert for another attack attempt or for dormant malware being triggered.
QUESTION 31 A network administrator needs to build out a new datacenter, with a focus on resiliency and uptime. Which of the following would BEST meet this objective? (Choose two.) A. Dual power supply B. Off-site backups C. Automatic OS upgrades D. NIC teaming E. Scheduled penetration testing F. Network-attached storage
Correct Answer:AB
QUESTION 79 A user enters a password to log in to a workstation and is then prompted to enter an authentication code. Which of the following MFA factors or attributes are being utilized in the authentication process? (Choose two.) A. Something you know B. Something you have C. Somewhere you are D. Someone you know E. Something you are F. Something you can do
Correct Answer:AB
QUESTION 33 A company has discovered unauthorized devices are using its WiFi network, and it wants to harden the access point to improve security. Which of the following configurations should an analyst enable to improve security? (Choose two.) A. RADIUS B. EAP-PEAP C. WPS D. WPA-TKIP E. SSL F. WPA2-PSK
Correct Answer:AF
QUESTION 1 A company just developed a new web application for a government agency. The application must be assessed and authorized prior to being deployed. Which of the following is required to assess the vulnerabilities resident in the application? A. Repository transaction logs B. Common Vulnerabilities and Exposures C. Static code analysis D. Non-credentialed scans
Correct Answer:B
QUESTION 104 Which of the following BEST explains the difference between a data owner and a data custodian? A. The data owner is responsible for adhering to the rules for using the data, while the data custodian is responsible for determining the corporate governance regarding the data B. The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protection to the data C. The data owner is responsible for controlling the data, while the data custodian is responsible for maintaining the chain of custody when handling the data D. The data owner grants the technical permissions for data access, while the data custodian maintains the database access controls to the data
Correct Answer:B
QUESTION 108 A security analyst has received an alert about PII being sent via email. The analyst's Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate? A. S/MIME B. DLP C. IMAP D. HIDS
Correct Answer:B
QUESTION 14 Which of the following would be BEST for a technician to review to determine the total risk an organization can bear when assessing a "cloud-first" adoption strategy? A. Risk matrix B. Risk tolerance C. Risk register D. Risk appetite
Correct Answer:B
QUESTION 15 A user reports constant lag and performance issues with the wireless network when working at a local coffee shop. A security analyst walks the user through an installation of Wireshark and gets a five-minute pcap to analyze. The analyst observes the following output: Which of the following attacks does the analyst MOST likely see in this packet capture? A. Session replay B. Evil twin C. Bluejacking D. ARP poisoning
Correct Answer:B
QUESTION 16 While reviewing the wireless router, a systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below:
HostName   IP Address     Mac                 Mac Filter
PC1        192.168.1.20   00:1E:1B:43:21:B2   On
PC2        192.162.1.23   31:1C:3C:13:25:C4   Off
PC2        192.168.1.25   20:A2:22:45:11:D2   On
Unknown    192.168.1.21   12:44:B2:FF:A1:22   Off
Which of the following should be the administrator's NEXT step to detect if there is a rogue system without impacting availability? A. Conduct a ping sweep. B. Physically check each system. C. Deny Internet access to the "UNKNOWN" hostname. D. Apply MAC filtering.
Correct Answer:B
QUESTION 32 A company's bank has reported that multiple corporate credit cards have been stolen over the past several weeks. The bank has provided the names of the affected cardholders to the company's forensics team to assist in the cyber-incident investigation. An incident responder learns the following information: The timeline of stolen card numbers corresponds closely with affected users making Internet-based purchases from diverse websites via enterprise desktop PCs. All purchase connections were encrypted, and the company uses an SSL inspection proxy for the inspection of encrypted traffic of the hardwired network. Purchases made with corporate cards over the corporate guest WiFi network, where no SSL inspection occurs, were unaffected. Which of the following is the MOST likely root cause? A. HTTPS sessions are being downgraded to insecure cipher suites B. The SSL inspection proxy is feeding events to a compromised SIEM C. The payment providers are insecurely processing credit card charges D. The adversary has not yet established a presence on the guest WiFi network
Correct Answer:B
QUESTION 4 Which of the following scenarios BEST describes a risk reduction technique? A. A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches. B. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation. C. A security control objective cannot be met through a technical change, so the company performs regular audits to determine if violations have occurred. D. A security control objective cannot be met through a technical change, so the Chief Information Officer decides to sign off on the risk.
Correct Answer:B
QUESTION 41 A company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring? A. A BPDU guard B. WPA-EAP C. IP filtering D. A WIDS
Correct Answer:B
QUESTION 5 A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective? A. A reverse proxy B. A decryption certificate C. A split-tunnel VPN D. Load-balanced servers
Correct Answer:B
QUESTION 50 A company has been experiencing very brief power outages from its utility company over the last few months. These outages only last for one second each time. The utility company is aware of the issue and is working to replace a faulty transformer. Which of the following BEST describes what the company should purchase to ensure its critical servers and network devices stay online? A. Dual power supplies B. A UPS C. A generator D. A PDU
Correct Answer:B
QUESTION 57 A network engineer needs to create a plan for upgrading the wireless infrastructure in a large office. Priority must be given to areas that are currently experiencing latency and connection issues. Which of the following would be the BEST resource for determining the order of priority? A. Nmap B. Heat maps C. Network diagrams D. Wireshark
Correct Answer:B
QUESTION 59 A global company is experiencing unauthorized logins due to credential theft and account lockouts caused by brute-force attacks. The company is considering implementing a third-party identity provider to help mitigate these attacks. Which of the following would be the BEST control for the company to require from prospective vendors? A. IP restrictions B. Multifactor authentication C. A banned password list D. A complex password policy
Correct Answer:B
QUESTION 62 While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to network switches. Which of the following is the security analyst MOST likely observing? A. SNMP traps B. A Telnet session C. An SSH connection D. SFTP traffic
Correct Answer:B
QUESTION 68 A major political party experienced a server breach. The hacker then publicly posted stolen internal communications concerning campaign strategies to give the opposition party an advantage. Which of the following BEST describes these threat actors? A. Semi-authorized hackers B. State actors C. Script kiddies D. Advanced persistent threats
Correct Answer:B
QUESTION 7 A security analyst reviews the datacenter access logs for a fingerprint scanner and notices an abundance of errors that correlate with users' reports of issues accessing the facility. Which of the following MOST likely indicates the cause of the access issues? A. False rejection B. Cross-over error rate C. Efficacy rate D. Attestation
Correct Answer:B
QUESTION 73 Which of the following allows for functional test data to be used in new systems for testing and training purposes to protect the real data? A. Data encryption B. Data masking C. Data deduplication D. Data minimization
Correct Answer:B
QUESTION 76 Which of the following BEST describes a security exploit for which a vendor patch is not readily available? A. Integer overflow B. Zero-day C. End of life D. Race condition
Correct Answer:B
QUESTION 84 Which of the following threat actors is MOST likely to be motivated by ideology? A. Business competitor B. Hacktivist C. Criminal syndicate D. Script kiddie E. Disgruntled employee
Correct Answer:B
QUESTION 88 Which of the following describes the ability of code to target a hypervisor from inside a guest OS? A. Fog computing B. VM escape C. Software-defined networking D. Image forgery E. Container breakout
Correct Answer:B
QUESTION 98 Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build? A. Production B. Test C. Staging D. Development
Correct Answer:B
QUESTION 65 An organization is developing an authentication service for use at the entry and exit ports of country borders. The service will use data feeds obtained from passport systems, passenger manifests, and high-definition video feeds from CCTV systems that are located at the ports. The service will incorporate machine-learning techniques to eliminate biometric enrollment processes while still allowing authorities to identify passengers with increasing accuracy over time. The more frequently passengers travel, the more accurately the service will identify them. Which of the following biometrics will MOST likely be used, without the need for enrollment? (Choose two.) A. Voice B. Gait C. Vein D. Facial E. Retina F. Fingerprint
Correct Answer:BD
QUESTION 100 A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent the exfiltration of data? (Choose two.) A. VPN B. Drive encryption C. Network firewall D. File-level encryption E. USB blocker F. MFA
Correct Answer:BE
QUESTION 60 A company is designing the layout of a new datacenter so it will have an optimal environmental temperature. Which of the following must be included? (Choose two.) A. An air gap B. Hot/cold aisles C. Removable doors D. A humidity monitor E. An IoT thermostat
Correct Answer:BE
QUESTION 46 A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned that servers in the company's DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Choose two.) A. 135 B. 139 C. 143 D. 161 E. 443 F. 445
Correct Answer:BF
QUESTION 106 An organization that is located in a flood zone is MOST likely to document the concerns associated with the restoration of IT operations in a: A. business continuity plan. B. communications plan. C. disaster recovery plan. D. continuity of operations plan.
Correct Answer:C
QUESTION 110 Which of the following is a risk that is specifically associated with hosting applications in the public cloud? A. Unsecured root accounts B. Zero-day C. Shared tenancy D. Insider threat
Correct Answer:C
QUESTION 19 An external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the DMZ and moved to the sensitive information, generating multiple logs as the attacker traversed through the network. Which of the following will BEST assist with this investigation? A. Perform a vulnerability scan to identify the weak spots B. Use a packet analyzer to investigate the NetFlow traffic C. Check the SIEM to review the correlated logs D. Require access to the routers to view current sessions
Correct Answer:C
QUESTION 20 A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output:
Internet Address   Physical Address    type
192.168.1.1        ff-ec-ab-00-aa-78   dynamic
192.168.1.5        ff-00-5e-48-00-fb   dynamic
192.168.1.8        00-0c-29-1a-e7-fa   dynamic
192.168.1.10       fc-00-5e-48-00-fb   dynamic
224.215.54.47      fc-41-5e-48-00-ff   static
Which of the following BEST describes the attack the company is experiencing? A. MAC flooding B. URL redirection C. ARP poisoning D. DNS hijacking
Correct Answer:C
QUESTION 24 A desktop support technician recently installed a new document-scanning software program on a computer. However, when the end user tried to launch the program, it did not respond. Which of the following is MOST likely the cause? A. A new firewall rule is needed to access the application B. The system was quarantined for missing software updates C. The software was not added to the application whitelist D. The system was isolated from the network due to infected software
Correct Answer:C
QUESTION 25 Under GDPR, which of the following is MOST responsible for the protection of privacy and website user rights? A. The data protection officer B. The data processor C. The data owner D. The data controller
Correct Answer:C
QUESTION 38 A financial analyst has been accused of violating the company's AUP and there is forensic evidence to substantiate the allegation. Which of the following would dispute the analyst's claim of innocence? A. Legal hold B. Order of volatility C. Non-repudiation D. Chain of custody
Correct Answer:C
QUESTION 39 Which of the following will MOST likely cause machine-learning and AI-enabled systems to operate with unintended consequences? A. Stored procedures B. Buffer overflows C. Data bias D. Code reuse
Correct Answer:C
QUESTION 40 An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state? A. The system was configured with weak default security settings. B. The device uses weak encryption ciphers. C. The vendor has not supplied a patch for the appliance. D. The appliance requires administrative credentials for the assessment.
Correct Answer:C
QUESTION 43 Which of the following distributes data among nodes, making it more difficult to manipulate the data while also minimizing downtime? A. MSSP B. Public cloud C. Hybrid cloud D. Fog computing
Correct Answer:C
QUESTION 47 When used at design stage, which of the following improves the efficiency, accuracy, and speed of a database? A. Tokenization B. Data masking C. Normalization D. Obfuscation
Correct Answer:C
QUESTION 48 Which of the following cloud models provides clients with servers, storage, and networks but nothing else? A. SaaS B. PaaS C. IaaS D. DaaS
Correct Answer:C
QUESTION 55 An organization has expanded its operations by opening a remote office. The new office is fully furnished with office resources to support up to 50 employees working on any given day. Which of the following VPN solutions would BEST support the new office? A. Always-on B. Remote access C. Site-to-site D. Full tunnel
Correct Answer:C
QUESTION 72 A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring? A. CASB B. SWG C. Containerization D. Automated failover
Correct Answer:C
QUESTION 78 An employee has been charged with fraud and is suspected of using corporate assets. As authorities collect evidence, and to preserve the admissibility of the evidence, which of the following forensic techniques should be used? A. Order of volatility B. Data recovery C. Chain of custody D. Non-repudiation
Correct Answer:C
QUESTION 80 After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic? A. A DMZ B. A VPN C. A VLAN D. An ACL
Correct Answer:C
QUESTION 81 After consulting with the Chief Risk Officer (CRO), a manager decides to acquire cybersecurity insurance for the company. Which of the following risk management strategies is the manager adopting? A. Risk acceptance B. Risk avoidance C. Risk transference D. Risk mitigation
Correct Answer:C
QUESTION 82 A malicious actor recently penetrated a company's network and moved laterally to the datacenter. Upon investigation, a forensics firm wants to know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm? A. Security B. Application C. Dump D. Syslog
Correct Answer:C
QUESTION 83 A security analyst notices several attacks are being blocked by the NIPS but does not see anything on the boundary firewall logs. The attack seems to have been thwarted. Which of the following resiliency techniques was applied to the network to prevent this attack? A. NIC teaming B. Port mirroring C. Defense in depth D. High availability E. Geographic dispersal
Correct Answer:C
QUESTION 89 A security analyst is concerned about traffic initiated to the dark web from the corporate LAN. Which of the following networks should the analyst monitor? A. SFTP B. AIS C. Tor D. IoC
Correct Answer:C
QUESTION 9 To secure an application after a large data breach, an e-commerce site will be resetting all users' credentials. Which of the following will BEST ensure the site's users are not compromised after the reset? A. A password reuse policy B. Account lockout after three failed attempts C. Encrypted credentials in transit D. A geofencing policy based on login history
Correct Answer:C
QUESTION 92 Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors? A. SSAE SOC 2 B. PCI DSS C. GDPR D. ISO 31000
Correct Answer:C
QUESTION 93 Customers reported their antivirus software flagged one of the company's primary software products as suspicious. The company's Chief Information Security Officer has tasked the developer with determining a method to create a trust model between the software and the customer's antivirus software. Which of the following would be the BEST solution? A. Code signing B. Domain validation C. Extended validation D. Self-signing
Correct Answer:A -Code signing lets the customer's antivirus verify the publisher and the integrity of the binary. Extended validation is a vetting level for the certificate, not the trust mechanism itself.
QUESTION 99 A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure? A. A captive portal B. PSK C. 802.1X D. WPS
Correct Answer:C
QUESTION 51 A cybersecurity manager has scheduled biannual meetings with the IT team and department leaders to discuss how they would respond to hypothetical cyberattacks. During these meetings, the manager presents a scenario and injects additional information throughout the session to replicate what might occur in a dynamic cybersecurity event involving the company, its facilities, its data, and its staff. Which of the following describes what the manager is doing? A. Developing an incident response plan B. Building a disaster recovery plan C. Conducting a tabletop exercise D. Running a simulation exercise
Correct Answer:C
QUESTION 77 A security engineer has enabled two-factor authentication on all workstations. Which of the following approaches are the MOST secure? (Choose two.) A. Password and security question B. Password and CAPTCHA C. Password and smart card D. Password and fingerprint E. Password and one-time token F. Password and voice
Correct Answer:CD
QUESTION 105 An organization suffered an outage, and a critical system took 90 minutes to come back online. Though there was no data loss during the outage, the expectation was that the critical system would be available again within 60 minutes. Which of the following is the 60-minute expectation an example of? A. MTBF B. RPO C. MTTR D. RTO
Correct Answer:D
QUESTION 112 Which of the following is not a consideration when selecting an encryption method for data that needs to remain confidential for a specific length of time? A. The key length of the encryption algorithm B. The encryption algorithm's longevity C. A method of introducing entropy into key calculations D. The computational overhead of calculating the encryption key
Correct Answer:D
QUESTION 113 The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve security in the environment and protect patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns? A. SSO would simplify username and password management, making it easier for hackers to guess accounts. B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords. C. SSO would reduce the password complexity for frontline staff. D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.
Correct Answer:D
QUESTION 17 A retail executive recently accepted a job with a major competitor. The following week, a security analyst reviews the security logs and identifies successful logon attempts to access the departed executive's accounts. Which of the following security practices would have addressed the issue? A. A non-disclosure agreement B. Least privilege C. An acceptable use policy D. Offboarding
Correct Answer:D
QUESTION 18 A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media? A. Monitoring large data transfer transactions in the firewall logs B. Developing mandatory training to educate employees about the removable media policy C. Implementing a group policy to block user access to system files D. Blocking removable-media devices and write capabilities using a host-based security tool
Correct Answer:D
QUESTION 29 The IT department's on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production? A. Limit the use of third-party libraries. B. Prevent data exposure queries. C. Obfuscate the source code. D. Submit the application to QA before releasing it.
Correct Answer:D
QUESTION 3 After entering a username and password, an administrator must draw a gesture on a touch screen. Which of the following demonstrates what the administrator is providing? A. Multifactor authentication B. Something you can do C. Biometrics D. Two-factor authentication
Correct Answer:D
QUESTION 30 A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use? A. openssl B. hping C. netcat D. tcpdump
Correct Answer:D
QUESTION 37 A security analyst needs to be proactive in understanding the types of attacks that could potentially target the company's executives. Which of the following intelligence sources should the security analyst review? A. Vulnerability feeds B. Trusted automated exchange of indicator information C. Structured threat information expression D. Industry information-sharing and collaboration groups
Correct Answer:D
QUESTION 45 A security analyst is reviewing the following command-line output:
Internet address    Physical address     Type
192.168.1.1         aa-bb-cc-00-11-22    dynamic
192.168.1.2         aa-bb-cc-00-11-22    dynamic
192.168.1.3         aa-bb-cc-00-11-22    dynamic
192.168.1.4         aa-bb-cc-00-11-22    dynamic
-omitted a few records-
192.168.1.252       aa-bb-cc-00-11-22    dynamic
192.168.1.253       aa-bb-cc-00-11-22    dynamic
192.168.1.254       aa-bb-cc-00-11-22    dynamic
192.168.1.255       ff-ff-ff-ff-ff-ff    dynamic
Which of the following is the analyst observing? A. ICMP spoofing B. URL redirection C. MAC address cloning D. DNS poisoning
Correct Answer:C -This is an ARP cache (arp -a), not DNS output: every unicast address on the subnet resolves to the same physical address, which means one interface is answering ARP for all of them. That is MAC address cloning (the mechanism behind ARP poisoning); DNS poisoning would show up in name resolution, not in the ARP table.
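The pattern in QUESTION 45 is easy to check mechanically: parse the ARP cache and flag any MAC address that is bound to several IP addresses. The following Python is an added example written for this page, not part of the original question set; the sample ARP output is constructed in the layout of Windows `arp -a` and the threshold of two addresses per MAC is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows `arp -a` output (not the page's own data).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-11-22     dynamic
  192.168.1.2           aa-bb-cc-00-11-22     dynamic
  192.168.1.3           aa-bb-cc-00-11-22     dynamic
  192.168.1.4           aa-bb-cc-00-11-22     dynamic
  192.168.1.10          00-0c-29-3e-4f-5a     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One ARP entry: IPv4 address, MAC (dash- or colon-separated), entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return a list of (ip, mac, type) tuples; MACs normalised to lower-case, dash-separated."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace(":", "-"), kind.lower()))
    return entries


def is_multicast_or_broadcast(mac):
    """Broadcast (ff-ff-...) and multicast MACs have the low bit of the first octet set."""
    first_octet = int(mac.split("-")[0], 16)
    return first_octet & 0x01 == 1


def find_cloned_macs(entries, threshold=2):
    """Group unicast ARP entries by MAC; return {mac: [ips]} for MACs claiming >= threshold IPs.

    `threshold` is an assumed tuning value: a host legitimately owns one IP per interface,
    so two or more is worth a look, and a whole subnet on one MAC is the pattern in the question.
    """
    by_mac = defaultdict(list)
    for ip, mac, _kind in entries:
        if is_multicast_or_broadcast(mac):
            continue  # broadcast/multicast mappings are expected to repeat
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for mac, ips in find_cloned_macs(parse_arp_table(SAMPLE_ARP_OUTPUT)).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

One caveat before escalating: a router doing proxy ARP, or a VRRP/HSRP virtual address, can legitimately appear behind more than one IP, so confirm against the known gateway MAC before treating a hit as an attack.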
QUESTION 49 Which of the following would MOST likely support the integrity of a voting machine? A. Asymmetric encryption B. Blockchain C. Transport Layer Security D. Perfect forward secrecy
Correct Answer:B -A blockchain is an append-only, hash-chained ledger, so recorded votes cannot be altered without detection. Perfect forward secrecy protects the confidentiality of past sessions if a long-term key is compromised; it says nothing about integrity.
QUESTION 66 A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the following types of controls should be used to reduce the risk created by this scenario? A. Physical B. Detective C. Preventive D. Compensating
Correct Answer:D
QUESTION 87 A critical file server is being upgraded, and the systems administrator must determine which RAID level the new server will need to achieve parity and handle two simultaneous disk failures. Which of the following RAID levels meet this requirement? A. RAID 0+1 B. RAID 2 C. RAID 5 D. RAID 6
Correct Answer:D
QUESTION 96 A security administrator currently spends a large amount of time on common security tasks, such as report generation, phishing investigations, and user provisioning and deprovisioning. This prevents the administrator from spending time on other security projects. The business does not have the budget to add more staff members. Which of the following should the administrator attempt? A. DAC B. ABAC C. SCAP D. SOAR
Correct Answer:D
QUESTION 70 A Chief Security Officer (CSO) is concerned about the volume and integrity of sensitive information that is exchanged between the organization and a third party through email. The CSO is particularly concerned about an unauthorized party who is intercepting information that is in transit between the two organizations. Which of the following would address the CSO's concerns? A. SPF B. DMARC C. SSL D. DKIM E. TLS
Correct Answer:D -DomainKeys Identified Mail (DKIM) is a standard email authentication method that adds a digital signature to outgoing messages, so the receiving party can detect tampering in transit. Note that DKIM signs but does not encrypt: an interceptor can still read the message. Confidentiality on the hop between the two mail servers would need TLS (E).
QUESTION 64 A security analyst is reviewing information regarding recent vulnerabilities. Which of the following will the analyst MOST likely consult to validate which platforms have been affected? A. OSINT B. SIEM C. CVSS D. CVE
Correct Answer:D -The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.
QUESTION 101 A company wants to modify its current backup strategy to minimize the number of backups that would need to be restored in case of data loss. Which of the following would be the BEST backup strategy to implement? A. Incremental backups followed by differential backups B. Full backups followed by incremental backups C. Delta backups followed by differential backups D. Incremental backups followed by delta backups E. Full backups followed by differential backups
Correct Answer:E
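The trade-off behind QUESTION 101 is worth seeing as a computation: a differential captures everything changed since the last full, so a restore is always two sets (full plus newest differential), whereas incrementals must be replayed one by one. The Python below is an added example written for this page, not part of the original question set; the weekly schedule, the 100-unit full size and the 5-unit daily change rate are assumed numbers chosen to make the storage cost of each strategy visible.

```python
def weekly_schedule(kind, days=7):
    """Day 0 is a full backup; days 1..days-1 use `kind` ('incremental' or 'differential')."""
    return [(0, "full")] + [(d, kind) for d in range(1, days)]


def restore_set(schedule, target_day):
    """Return the backup days that must be restored, in order, to recover data as of target_day.

    schedule: list of (day, kind) with kind in {'full', 'incremental', 'differential'}.
    Rules: start from the newest full on or before the target; a differential supersedes
    every earlier incremental/differential since that full; incrementals after the newest
    differential (or after the full) must all be replayed in order.
    """
    relevant = [(d, k) for d, k in sorted(schedule) if d <= target_day]
    full_positions = [i for i, (_, k) in enumerate(relevant) if k == "full"]
    if not full_positions:
        raise ValueError("no full backup on or before the target day; nothing to restore from")
    start = full_positions[-1]
    chain = [relevant[start][0]]
    tail = []
    for day, kind in relevant[start + 1:]:
        if kind == "differential":
            tail = [day]            # contains all changes since the full: drop earlier steps
        elif kind == "incremental":
            tail.append(day)        # contains only changes since the previous backup
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
    return chain + tail


def total_backup_volume(schedule, full_size=100, daily_change=5):
    """Storage written over the schedule, assuming a constant amount of new data per day.

    full_size and daily_change are assumed units for illustration.
    """
    volume = 0
    changed_since_full = 0
    for _day, kind in sorted(schedule):
        if kind == "full":
            volume += full_size
            changed_since_full = 0
        elif kind == "incremental":
            volume += daily_change              # only today's changes
            changed_since_full += daily_change
        elif kind == "differential":
            changed_since_full += daily_change
            volume += changed_since_full        # everything since the last full, again
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
    return volume


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sched = weekly_schedule(strategy)
        print(f"full + {strategy}: restore {len(restore_set(sched, 6))} sets, "
              f"write {total_backup_volume(sched)} units per week")
```

Minimising the number of sets to restore (the question's goal) is exactly what differentials buy, at the cost of writing more data each day; the mixed case (incrementals after a differential) is handled too, because a differential resets the chain while later incrementals still have to be replayed.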
QUESTION 21 During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID bit from the file? A. ls B. chflags C. chmod D. lsof E. setuid
Correct Answer:C -chmod changes the permission bits, including clearing the set-user-ID bit (for example chmod u-s,go-w file). setuid is the bit itself (and a system call), not a tool; ls and lsof only display information.
QUESTION 63 A company recently moved sensitive videos between on-premises, company-owned websites. The company then learned the videos had been uploaded and shared to the Internet. Which of the following would MOST likely allow the company to find the cause? A. Checksums B. Watermarks C. Order of volatility D. A log analysis E. A right-to-audit clause
Correct Answer:E -A right-to-audit clause is what allows the company to find the cause; log analysis is one of the methods it might then use to do so.
QUESTION 23 Which of the following will provide the BEST physical security countermeasures to stop intruders? (Choose two.) A. Alarms B. Signage C. Lighting D. Mantraps E. Fencing F. Sensors
Correct Answer:DE -Mantraps and fencing physically stop an intruder. Alarms and sensors only detect; signage and lighting only deter.
QUESTION 52 On which of the following is the live acquisition of data for forensic analysis MOST dependent? (Choose two.) A. Data accessibility B. Legal hold C. Cryptographic or hash algorithm D. Data retention legislation E. Value and volatility of data F. Right-to-audit clauses
Correct Answer:AE -Live acquisition depends on being able to reach the running system's data and on capturing the most volatile, most valuable data (memory, network state) first, following the order of volatility. Right-to-audit clauses concern third-party contracts, not the acquisition itself.
QUESTION 26 In the middle of a cyberattack, a security engineer removes the infected devices from the network and locks down all compromised accounts. In which of the following incident response phases is the security engineer currently operating? A. Identification B. Preparation C. Lessons learned D. Eradication E. Recovery F. Containment
Correct Answer:F
QUESTION 56 A security analyst needs to determine how an attacker was able to use User3 to gain a foothold within a company's network. The company's lockout policy requires that an account be locked out for a minimum of 15 minutes after three unsuccessful attempts. While reviewing the log files, the analyst discovers the following:
5/3/21 3:43:10 AM Audit Failure: CompanyNetwork\User1 Unknown username or bad password.
5/3/21 3:43:11 AM Audit Failure: CompanyNetwork\User1 Unknown username or bad password.
5/3/21 3:43:12 AM Audit Failure: CompanyNetwork\User1 Unknown username or bad password.
5/3/21 3:43:13 AM Audit Failure: CompanyNetwork\User1 account locked out.
5/3/21 3:43:14 AM Audit Failure: CompanyNetwork\User2 Unknown username or bad password.
5/3/21 3:43:15 AM Audit Failure: CompanyNetwork\User2 Unknown username or bad password.
5/3/21 3:43:16 AM Audit Failure: CompanyNetwork\User2 Unknown username or bad password.
5/3/21 3:43:17 AM Audit Failure: CompanyNetwork\User2 account locked out.
5/3/21 3:43:18 AM Audit Failure: CompanyNetwork\User3 Unknown username or bad password.
5/3/21 3:43:19 AM Audit Failure: CompanyNetwork\User3 Unknown username or bad password.
5/3/21 3:43:20 AM Audit Success: CompanyNetwork\User3 Successful logon.
5/3/21 3:43:21 AM Audit Failure: CompanyNetwork\User4 Unknown username or bad password.
5/3/21 3:43:22 AM Audit Success: CompanyNetwork\User4 Successful logon.
Which of the following attacks MOST likely occurred? A. Dictionary B. Credential-stuffing C. Password-spraying D. Brute-force
Correct Answer:C -The attacker works through many accounts with only a handful of guesses each, staying at or under the lockout threshold, rather than hammering one account. The successes for User3 and User4 immediately after failures are the compromised accounts to investigate.
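The distinguishing signal in QUESTION 56 (many accounts, few failures each, within seconds) can be turned into a detection rule. The Python below is an added example written for this page, not part of the original question set; the log lines are constructed in the same layout as the excerpt above, and the 60-second window, lockout threshold of 3 and minimum of 3 targeted accounts are assumed tuning values.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the QUESTION 56 excerpt (not the page's own lines).
SAMPLE_LOG = r"""
5/3/21 3:43:10 AM Audit Failure: CompanyNetwork\User1 Unknown username or bad password.
5/3/21 3:43:11 AM Audit Failure: CompanyNetwork\User1 Unknown username or bad password.
5/3/21 3:43:12 AM Audit Failure: CompanyNetwork\User1 Unknown username or bad password.
5/3/21 3:43:13 AM Audit Failure: CompanyNetwork\User1 account locked out.
5/3/21 3:43:14 AM Audit Failure: CompanyNetwork\User2 Unknown username or bad password.
5/3/21 3:43:15 AM Audit Failure: CompanyNetwork\User2 Unknown username or bad password.
5/3/21 3:43:16 AM Audit Failure: CompanyNetwork\User2 Unknown username or bad password.
5/3/21 3:43:17 AM Audit Failure: CompanyNetwork\User2 account locked out.
5/3/21 3:43:18 AM Audit Failure: CompanyNetwork\User3 Unknown username or bad password.
5/3/21 3:43:19 AM Audit Failure: CompanyNetwork\User3 Unknown username or bad password.
5/3/21 3:43:20 AM Audit Success: CompanyNetwork\User3 Successful logon.
5/3/21 3:43:21 AM Audit Failure: CompanyNetwork\User4 Unknown username or bad password.
5/3/21 3:43:22 AM Audit Success: CompanyNetwork\User4 Successful logon.
"""

# timestamp, outcome, DOMAIN\user, free-text message
LINE_RE = re.compile(
    r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) Audit (Success|Failure): (\S+)\\(\S+) (.+)$"
)


def parse_logon_events(text):
    """Turn the log text into dicts with a real datetime, outcome, user and message."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate unrelated lines
        ts, outcome, _domain, user, message = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%m/%d/%y %I:%M:%S %p"),
            "outcome": outcome,
            "user": user,
            "message": message,
        })
    return events


def classify_logon_pattern(events, window_seconds=60, lockout_threshold=3, min_accounts=3):
    """Classify a burst of failed logons as password-spraying, brute-force or inconclusive.

    Spraying: several distinct accounts, each with at most `lockout_threshold` bad-password
    failures, inside `window_seconds`. Brute-force: one account pushed past the threshold.
    The tuning values are assumptions; real rules should slide the window over a long log.
    """
    failures = [e for e in events
                if e["outcome"] == "Failure" and "bad password" in e["message"]]
    if not failures:
        return {"verdict": "none", "accounts_targeted": 0, "failures_per_account": {},
                "window_seconds": 0.0, "compromised": []}
    per_account = Counter(e["user"] for e in failures)
    span = (failures[-1]["time"] - failures[0]["time"]).total_seconds()
    # An account that failed and then logged on successfully is the one the attacker got into.
    compromised = sorted({e["user"] for e in events
                          if e["outcome"] == "Success" and e["user"] in per_account})
    if max(per_account.values()) > lockout_threshold:
        verdict = "brute-force"
    elif span <= window_seconds and len(per_account) >= min_accounts:
        verdict = "password-spraying"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "accounts_targeted": len(per_account),
            "failures_per_account": dict(per_account), "window_seconds": span,
            "compromised": compromised}


if __name__ == "__main__":
    result = classify_logon_pattern(parse_logon_events(SAMPLE_LOG))
    print(result["verdict"], "-> accounts to reset:", result["compromised"])
```

The lockout events are deliberately excluded from the failure count (they are consequences, not guesses); counting them would inflate the per-account tally and push a spray into the brute-force bucket.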
QUESTION 95 A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following: -The legitimate website's IP address is 10.1.1.20 and eRecruit.local resolves to this IP. -The forged website's IP address appears to be 10.2.12.99, based on NetFlow records. -All three of the organization's DNS servers show the website correctly resolves to the legitimate IP. -DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise. Which of the following MOST likely occurred? A. A reverse proxy was used to redirect network traffic. B. An SSL strip MITM attack was performed. C. An attacker temporarily poisoned a name server. D. An ARP poisoning attack was successfully executed.
Correct Answer:C -Only one of the three resolvers handed out the forged address, and only from its cache for a short period; that is a temporarily poisoned cache on that name server. ARP poisoning would not change a DNS answer, and a reverse proxy or SSL strip would not explain the bad record in the query logs.