256-339
296. A large company with a very complex IT environment is considering a move from an on-premises, internally managed proxy to a cloud solution managed by an external vendor. The current proxy provides caching, content filtering, malware analysis, and URL categorization for devices connected behind the proxy. Staff members connect directly to the Internet outside of the corporate network. The cloud-based version would provide content filtering, TLS decryption, malware analysis, and URL categorization. After migrating to the cloud solution, all internal proxy servers would be decommissioned. Which of the following would MOST likely change the company's risk profile? (A) 1. There would be a loss of internal intellectual knowledge regarding proxy configurations and application data flow. 2. There would be a greater likelihood of Internet access outages due to lower resilience of cloud gateways. 3. There would be data sovereignty concerns due to changes required in routing and proxy PAC files. (B) 1. The external vendor would have access to inbound and outbound gateway traffic. 2. The service would provide some level of protection for staff working from home. 3. Outages would be likely to occur for systems or applications with hard-coded proxy information. (C) 1. The loss of local caching would dramatically increase ISP charges and impact existing bandwidth. 2. There would be a greater likelihood of Internet access outages due to lower resilience of cloud gateways. 3. There would be a loss of internal intellectual knowledge regarding proxy configurations and application data. (D) 1. Outages would be likely to occur for systems or applications with hard-coded proxy information. 2. The service would provide some level of protection for staff members working from home. 3. Malware detection times would decrease due to third-party management of the service.
(B) 1. The external vendor would have access to inbound and outbound gateway traffic. 2. The service would provide some level of protection for staff working from home. 3. Outages would be likely to occur for systems or applications with hard-coded proxy information.
293. A security administrator is troubleshooting RADIUS authentication issues from a newly implemented controller-based wireless deployment. The RADIUS server contains the following information in its logs: "A RADIUS message was received from the invalid RADIUS client IP address 10.35.55.10" Based on this information, the administrator reconfigures the RADIUS server, which results in the following log data: "An Access-Request was received from RADIUS client 10.35.55.10 with a Message-Authenticator attribute that is not valid" To correct this error message, the administrator makes an additional change to the RADIUS server. Which of the following did the administrator reconfigure on the RADIUS server? (Select TWO) A. Added the controller address as an authorized client B. Registered the RADIUS server to the wireless controller C. Corrected a mismatched shared secret D. Renewed the expired client certificate E. Reassigned the RADIUS policy to the controller F. Modified the client authentication method
A. Added the controller address as an authorized client & C. Corrected a mismatched shared secret
298. A government organization operates and maintains several ICS environments. The categorization of one of the ICS environments led to a moderate baseline. The organization has compiled a set of applicable security controls based on this categorization. Given that this is a unique environment, which of the following should the organization do NEXT to determine if other security controls should be considered? A. Check for any relevant or required overlays. B. Review enhancements within the current control set. C. Modify to a high-baseline set of controls. D. Perform continuous monitoring.
A. Check for any relevant or required overlays.
282. A PaaS provider deployed a new product using a DevOps methodology. Because DevOps is used to support both development and production assets, inherent separation of duties is limited. To ensure compliance with security frameworks that require a specific set of controls relating to separation of duties, the organization must design and implement an appropriate compensating control. Which of the following would be MOST suitable in this scenario? A. Configuration of increased levels of logging, monitoring, and alerting on production access. B. Configuration of MFA and context-based login restrictions for all DevOps personnel. C. Development of standard code libraries and usage of the WS-Security module on all web servers. D. Implementation of peer review, static code analysis, and web application penetration testing against the staging environment.
A. Configuration of increased levels of logging, monitoring, and alerting on production access.
289. A security engineer is working to secure an organization's VMs. While reviewing the workflow for creating VMs on demand, the engineer raises a concern about the integrity of the secure boot process of the VM guest. Which of the following would BEST address this concern? A. Configure file integrity monitoring of the guest OS B. Enable the VTPM on a Type 2 Hypervisor C. Only deploy servers that are based on a hardened image D. Protect the memory allocation of a Type 1 hypervisor
A. Configure file integrity monitoring of the guest OS
332. Which of the following attacks can be mitigated by proper data retention policies? A. Dumpster diving B. Man-in-the-browser C. Spear phishing D. Watering hole
A. Dumpster diving
286. A company's user community is being adversely affected by various types of emails whose authenticity cannot be trusted. The Chief Information Security Officer (CISO) must address the problem. Which of the following solutions would BEST support trustworthy communication solutions? A. Enabling spam filtering and DMARC B. Using MFA when logging into email clients and the domain C. Enforcing HTTPS everywhere so web traffic, including email, is secure D. Enabling SPF and DKIM on company servers E. Enforcing data classification labels before an email is sent to an outside party.
A. Enabling spam filtering and DMARC
317. A company wants to secure a newly developed application that is used to access sensitive information and data from corporate resources. The application was developed by a third-party organization, and it is now being used heavily despite lacking the following controls: certificate pinning, tokenization, and biometric authentication. The company has already implemented the following controls: full device encryption, screen lock, device password, and remote wipe. The company wants to defend against interception-of-data attacks. Which of the following compensating controls should the company implement next? A. Enforce the use of a VPN while using the newly developed application B. Implement a geofencing solution that disables the application according to the company's requirements C. Implement an out-of-band second factor to authenticate authorized users D. Install the application in a secure container requiring additional authentication controls
A. Enforce the use of a VPN while using the newly developed application
261. During an audit, it was determined from a sample that four out of 20 former employees were still accessing their email accounts. An information security analyst is reviewing the access to determine if the audit was valid. Which of the following is the necessary documentation to audit? A. Examining the termination notification process from human resources and employee account access logs. B. Checking social media platforms for disclosure of company sensitive and proprietary information. C. Sending a test email to the former employees to document an undeliverable email and review the ERP access. D. Review the email global account list and the collaboration platform for recent activity.
A. Examining the termination notification process from human resources and employee account access logs.
276. Providers at a healthcare system with many geographically dispersed clinics have been fined five times this year after an auditor received notice of the following SMS messages:
Date | Subject | Message
1 5/12/2017 | Change of room | Patient John Doe is now in room 201
2 5/12/2017 | Prescription change | Ann Smith — add 5mg
3 5/13/2017 | Appointment cancelled | John Doe cancelled
4 5/14/2017 | Follow-up visit | Ann Smith scheduled a follow-up
5 5/20/2017 | Emergency room | Ann Doe — patient #37125 critical
6 5/25/2017 | Prescription overdose | John Smith — patient #25637 in room 37
Which of the following represents the BEST solution for preventing future fines? A. Implement a secure text-messaging application for mobile devices and workstations. B. Write a policy requiring this information to be given over the phone only. C. Provide a courier service to deliver sealed documents containing public health informatics. D. Implement FTP services between clinics to transmit text documents with the information. E. Implement a system that will tokenize patient numbers.
A. Implement a secure text-messaging application for mobile devices and workstations.
263. A company enlists a trusted agent to implement a way to authenticate email senders positively. Which of the following is the BEST method for the company to prove the authenticity of the message? A. Issue PIN-enabled hardware tokens. B. Create a CA with all users. C. Configure the server to encrypt all messages in transit. D. Include a hash in the body of the message.
A. Issue PIN-enabled hardware tokens.
271. Confidential information related to Application A, Application B, and Project X appears to have been leaked to a competitor. After consulting with the legal team, the IR team is advised to take immediate action to preserve evidence for possible litigation and criminal charges. While reviewing the rights and group ownership of the data involved in the breach, the IR team inspects the following distribution group access lists:
Group Name: Product-updates-applicaiton-a
Members: administrator, app-support, dev-ops, jdoe, jsmith, mpeters
Group Name: pending-bug-fixes-application-a
Members: administrator, app-support, dev-ops, jsmith, jdoe, mpeters, rwilliams
Group Name: inflight-updates-application-b
Members: app-support, dev-ops, jdoe, nbrown, jsmith
Group Name: POC-project-x
Which of the following actions should the IR team take FIRST? A. Remove all members from the distribution groups immediately. B. Place a mailbox for jsmith on legal hold C. Implement a proxy server on the network to inspect all outbound SMTP traffic for the DevOps group D. Install DLP software on all developer laptops to prevent data from leaving the network.
A. Remove all members from the distribution groups immediately.
316. An internal penetration tester finds a legacy application that takes measurement input made in a text box and outputs a specific string of text related to industry requirements. There is no documentation about how this application works, and the source code has been lost. Which of the following would BEST allow the penetration tester to determine the input and output relationship? A. Running an automated fuzzer B. Constructing a known cipher text attack C. Attempting SQL injection commands D. Performing a full packet capture E. Using the application in a malware sandbox
A. Running an automated fuzzer
295. A company is a victim of a phishing and spear-phishing campaign. Users are clicking on website links that look like common bank sites and entering their credentials accidentally. A security engineer decides to use a layered defense to prevent the phishing or lessen its impact. Which of the following should the security engineer implement? (Select TWO) A. Spam filter B. Host intrusion prevention C. Client certificates D. Content filter E. Log monitoring F. Data loss prevention
A. Spam filter & D. Content filter
283. A software development firm wants to validate the use of standard libraries as part of the software unit testing prior to committing changes to the code repository. Which of the following activities would be BEST to perform after a commit but before the creation of a build? A. Static heuristic B. Heuristic analysis C. Dynamic analysis D. Web application vulnerability scanning E. Penetration testing
A. Static heuristic
303. A small firm's newly created website has several design flaws. The developer created the website to be fully compatible with ActiveX scripts in order to use various digital certificate authorities. However, vulnerability testing indicates sandboxes were enabled, which restricts the code's access to resources within the user's computer. Which of the following is the MOST likely cause of the error? A. The developer inadvertently used Java applets. B. The developer established a corporate account with a non-reputable certificate authority. C. The developer used fuzzy logic to determine how the web browser would respond once ports 80 and 443 were both open. D. The developer did not consider that mobile code would be transmitted across the network.
A. The developer inadvertently used Java applets.
285. A company is moving all of its web applications to an SSO configuration using SAML. Some employees report that when signing in to an application, they get an error message on the login screen after entering their username and password, and are denied access. When they access another system that has been converted to the new SSO authentication model, they are able to authenticate successfully without being prompted for login. Which of the following is the MOST likely issue? A. The employees are using an old link that does not use the new SAML authentication. B. The XACML for the problematic application is not in the proper format or may be using an older schema. C. The web services methods and properties are missing the required WSDL to complete the request after displaying the login page. D. A threat actor is implementing an MITM attack to harvest credentials.
A. The employees are using an old link that does not use the new SAML authentication.
321. A software company is releasing a new mobile application to a broad set of external customers. Because the software company is rapidly releasing new features, it has built in an over-the-air software update process that can automatically update the application at launch time. Which of the following security controls should be recommended by the company's security architect to protect the integrity of the update process? (Choose two.) A. Validate cryptographic signatures applied to software updates B. Perform certificate pinning of the associated code signing key C. Require HTTPS connections for downloads of software updates D. Ensure there are multiple download mirrors for availability E. Enforce a click-through process with user opt-in for new features
A. Validate cryptographic signatures applied to software updates & B. Perform certificate pinning of the associated code signing key
323. An internal application has been developed to increase the efficiency of an operational process at a global manufacturer. New code was implemented to fix a security bug, but it has caused operations to halt. The executive team decided fixing the security bug is less important than continuing operations. Which of the following would BEST support immediate rollback of the failed fix? (SELECT TWO) A. Version control B. Agile development C. Waterfall development D. Change management E. Continuous integration F. Regression testing
A. Version Control & D. Change management
264. A company policy prohibits users from installing software and services on personal devices that may expose their computers to the Internet by allowing an external IP address to establish a connection to the personal device. The company uses a local web server farm and email gateway to enforce this policy, private IP addressing is used by the company, and a next-generation firewall was deployed at the company's perimeter. The firewall implements an implicit deny and is configured as follows:
10 PAT 10.0.0.0/24 TO 100.101..1.1
20 PERMIT TCP FROM ANY ANY TO 10.0.0.10 25
30 PERMIT TCP FROM ANY ANY TO 10.0.0.11 [80, 443]
40 DENY TCP FROM 10.0.0.0/8 ANY TO 0.0.0.0 [25, 135-139, 445]
50 PERMIT IP FROM 10.0.0.0/8 ANY TO 0.0.0.0/0 ANY
Despite the above configuration, some personal devices appear to be exposed to the Internet. The security administrator confirmed the finding by inspecting network traffic and the following firewall logs:
102.5.80.33:2001 -> 10.0.0.10:25 ALLOW, 12.3Kb Transfer
102.5.80.33:1055 -> 10.0.0.10:25 ALLOW, 475Kb Transfer
10.0.0.45:4031 -> 120.2.30.90:445 DENY
75.45.83.44:7655 -> 10.0.0.11:80 ALLOW, 4.32Mb Transfer
10.54.233.5:3544 -> 105.9.200.3:3544 ALLOW, 35Mb Transfer
10.0.0.20:4051 -> 120.2.30.90:25 DENY
34.89.12.196:4303 -> 10.0.0.10:25 ALLOW, 1933Kb Transfer
10.75.33.1.20:4053 -> 94.43.1.44:80 ALLOW, 4.4Mb Transfer
10.0.0.10:40433 -> 54.9.23.44:25 ALLOW 954Kb Transfer
93.12.10.100:4051 -> 10.0.0.11:3389 DENY
Which of the following should the security administrator implement to remediate this while still allowing employee access to Internet resources? A. 5 DENY ICMP FROM 10.0.0.0/8 TO 0.0.0.0/0 B. 35 DENY UDP FROM 10.0.0.0/8 ANY TO 0.0.0.0 3544 C. 35 DENY TCP 0.0.0.0/0 TO 10.0.0.0/8 [25.80.433] D. 60 DENY IP FROM 0.0.0.0/0 TO 10.0.0.0/8
B. 35 DENY UDP FROM 10.0.0.0/8 ANY TO 0.0.0.0 3544
322. A healthcare company wants to increase the value of the data it collects on its patients by making the data available to third-party researchers for a fee. Which of the following BEST mitigates the risk to the company? A. Log all access to the data and correlate it with the researcher. B. Anonymize identifiable information using keyed strings C. Ensure all data is encrypted in transit to the researcher D. Ensure all researchers sign and abide by a non-disclosure agreement E. Sanitize date and time stamp information in the records
B. Anonymize identifiable information using keyed strings
334. A smart switch has the ability to monitor electrical levels and shut off power to the building in the event of a power surge or other fault situation. The switch was installed on a wired network in a hospital and is monitored by the facilities department via a cloud application. The security administrator isolated the switch on a separate VLAN and set up a patching routine. Which of the following steps should also be taken to harden the smart switch? A. Set up an air gap for the switch. B. Change the default password for the switch. C. Place the switch in a Faraday cage. D. Install a cable lock on the switch.
B. Change the default password for the switch.
324. An international e-commerce company has identified attack traffic originating from a whitelisted third party's IP address used to mask the third party's internal network. The security team needs to block the attack traffic without impacting the vendor's services. Which of the following is the BEST approach to identify the threat? A. Ask the third-party vendor to block the attack traffic B. Configure the third party's proxy to begin sending X-Forwarded-For headers C. Configure the e-commerce company's IPS to inspect HTTP traffic D. Perform a vulnerability scan against the network perimeter and remediate any issues identified
B. Configure the third party's proxy to begin sending X-Forwarded-For headers
259. A creative services firm has a limited security budget and staff. Due to its business model, the company sends and receives a high volume of files every day through the preferred method defined by its customers. These include email, secure file transfer, and various cloud service providers. Which of the following would BEST reduce the risk of malware infection while meeting the company's resource requirements and maintaining its current workflow? A. Configure a network-based intrusion prevention system. B. Contract a cloud-based sandbox security service. C. Enable customers to send and receive files via SFTP. D. Implement appropriate DLP systems with strict policies.
B. Contract a cloud-based sandbox security service.
291. An organization is currently working with a client to migrate data between a legacy ERP system and a cloud-based ERP tool using a global PaaS provider. As part of the engagement, the organization is performing data deduplication and sanitization of client data to ensure compliance with regulatory requirements. Which of the following is the MOST likely reason for the need to sanitize the client data? A. Data aggregation B. Data sovereignty C. Data isolation D. Data volume E. Data analytics
B. Data sovereignty
337. A government contracting company issues smartphones to employees to enable access to corporate resources. Several employees will need to travel to a foreign country for business purposes and will require access to their phones. However, the company recently received intelligence that its intellectual property is highly desired by the same country's government. Which of the following MDM configurations would BEST reduce the risk of compromise while on foreign soil? A. Disable firmware OTA updates. B. Disable location services. C. Disable push notification services. D. Disable wipe.
B. Disable location services.
265. A security engineer reviews the table below:
Switchport | MAC address | IP address | Lease start | Lease length
Gi1/0 | EB:04:18:20:18:54 | 192.168.1.5 | 4/16 14:00 | 24 hours
Gi1/0 | EB:04:18:20:18:55 | 192.168.1.6 | 4/16 14:00 | 24 hours
Gi1/0 | EB:04:18:20:18:56 | 192.168.1.8 | 4/16 14:00 | 24 hours
Gi1/0 | EB:04:18:20:18:57 | 192.168.1.9 | 4/16 14:00 | 24 hours
Gi1/0 | EB:04:18:20:18:58 | 192.168.1.13 | 4/16 14:00 | 24 hours
Gi1/0 | EB:04:18:20:18:59 | 192.168.1.14 | 4/16 14:00 | 24 hours
Gi1/1 | 01:49:D9:B2:22:F6 | 192.168.1.11 | 4/16 17:30 | 24 hours
Gi1/2 | C3:59:29:B9:A2:F3 | 192.168.1.4 | 4/16 12:30 | 24 hours
Gi1/2 | 98:82:11:Fl:E9:AA | 192.168.1.7 | 4/16 9:20 | 24 hours
Gi1/2 | 28:48:29:CA:B2:31 | 192.168.1.2 | 4/16 11:15 | 24 hours
Gi1/3 | E3:FA:B0:82:18:BD | 192.168.1.12 | 4/16 18:29 | 24 hours
Gi1/4 | DB:29:D7:A3:32:03 | 192.168.1.3 | 4/16 22:30 | 24 hours
The engineer realizes there is an active attack occurring on the network. Which of the following would BEST reduce the risk of this attack reoccurring in the future? A. Upgrading device firmware B. Enabling port security C. Increasing DHCP pool size D. Disabling dynamic trunking E. Reducing DHCP lease length
B. Enabling port security
309. A network engineer is upgrading the network perimeter and installing a new firewall, IDS, and external edge router. The IDS is reporting elevated UDP traffic, and the internal routers are reporting high utilization. Which of the following is the BEST solution? A. Reconfigure the firewall to block external UDP traffic. B. Establish a security baseline on the IDS. C. Block echo reply traffic at the firewall. D. Modify the edge router to not forward broadcast traffic.
B. Establish a security baseline on the IDS.
330. A large industrial system's smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the company's security manager notices the generator's IP is sending packets to an internal file server's IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities? A. Segmentation B. Firewall whitelisting C. Containment D. Isolation
B. Firewall whitelisting
336. A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies? A. PCI DSS B. GDPR C. NIST D. ISO 31000
B. GDPR
260. A ransomware attack at a warehouse has encrypted a large amount of data including human resources, accounting, and shares. A security specialist shuts down three infected hosts and the file server at the warehouse immediately in response to the incident. Which of the following steps of the incident response process should have been performed FIRST? A. Investigation B. Identification C. Containment D. Recovery
B. Identification
277. A security analyst is classifying data based on input from data owners and other stakeholders. The analyst has identified three data types: 1. Financially sensitive data 2. Project data 3. Sensitive project data. The analyst proposes that the data be protected in two major groups, with further access control separating the financially sensitive data from the sensitive project data. The normal project data will be stored in a separate, less secure location. Some stakeholders are concerned about the recommended approach and insist that commingling data from different sensitive projects would leave them vulnerable to industrial espionage. Which of the following is the BEST course of action for the analyst to recommend? A. Conduct a quantitative evaluation of the risks associated with commingling the data and reject or accept the concerns raised by the stakeholders. B. Meet with the affected stakeholders and determine which security controls would be sufficient to address the newly raised risks. C. Use qualitative methods to determine aggregate risk scores for each project and use the derived scores to more finely segregate the data. D. Increase the number of available data storage devices to provide enough capacity for physical separation of non-sensitive project data.
B. Meet with the affected stakeholders and determine which security controls would be sufficient to address the newly raised risks.
325. A company wants to configure its wireless network to require username and password authentication. Which of the following should the systems administrator implement? A. WPS B. PEAP C. TKIP D. PKI
B. PEAP
315. Following the most recent patch deployment, a security engineer receives reports that the ERP application is no longer accessible. The security engineer reviews the situation and determines that a critical security patch that was applied to the ERP server is the cause. The patch is subsequently backed out. Which of the following security controls would be BEST to implement to mitigate the threat caused by the missing patch? A. Anti-malware B. Patch testing C. HIPS D. Vulnerability scanner
B. Patch testing
278. A corporate forensic investigator has been asked to acquire five forensic images of an employee database application. There are three images to capture in the United States, one in the United Kingdom, and one in Germany. Upon completing the work, the forensic investigator saves the images to a local workstation. Which of the following types of concerns should the forensic investigator have about this work assignment? A. Environmental B. Privacy C. Ethical D. Criminal
B. Privacy
299. An organization is in the process of evaluating service providers for an upcoming migration to cloud-based services for the organization's ERP system. As part of the requirements defined by the project team, regulatory requirements specify segmentation and isolation of the organization's data. Which of the following should the vendor management team identify as a requirement during the procurement process? A. Public cloud services with single-tenancy IaaS architectures. B. Private cloud services with single-tenancy PaaS services C. Private cloud services with multi-tenancy in place for private SaaS environments D. Public cloud services with private SaaS environments supported by private IaaS backbones
B. Private cloud services with single-tenancy PaaS services
273. The CISO of a large company wants to improve the security program's understanding of business processes and increase the security culture within the company. Which of the following BEST achieves this objective? A. Require all IT procurement to be reviewed and approved by the security team B. Promote security awareness training and simulated testing for all employees C. Change the reporting structure of some security resources into the product line team D. Attend executive board meetings and relay business and strategic direction to security staff.
B. Promote security awareness training and simulated testing for all employees
292. During a sprint, developers are responsible for ensuring the expected outcome of a change is thoroughly evaluated for any security impacts. Any impacts must be reported to the team lead. Before changes are made to the source code, which of the following MUST be performed to provide the required information to the team lead? A. Risk assessment B. Regression testing C. User story development D. Data abstraction E. Business impact assessment
B. Regression testing
287. A cybersecurity consulting company supports a diverse customer base. Which of the following types of constraints is MOST important for the consultancy to consider when advising a regional healthcare provider versus a global conglomerate? A. Return on investment B. Regulatory standards C. Pre-existing service agreements D. Insider threats
B. Regulatory standards
333. An organization is struggling to differentiate threats from normal traffic and access to systems. A security engineer has been asked to recommend a system that will aggregate data and provide metrics that will assist in identifying malicious actors or other anomalous activity throughout the environment. Which of the following solutions should the engineer recommend? A. Web application firewall B. SIEM C. IPS D. UTM E. File integrity monitor
B. SIEM
269. The CFO of an organization wants the IT department to add the CFO's account to the domain administrator's group. The IT department thinks this is risky and wants support from the security manager before proceeding. Which of the following BEST supports the argument against providing the CFO with the domain administrator access? A. Discretionary access control B. Separation of duties C. Data classification D. Mandatory access control
B. Separation of duties
280. The CFO of an organization wants the IT department to add the CFO's account to the domain administrator group. The IT department thinks this is risky and wants support from the security manager before proceeding. Which of the following BEST supports the argument against providing the CFO with domain administrator access? A. Discretionary access control B. Separation of duties C. Data classification D. Mandatory access control
B. Separation of duties
268. During a recent incident, sensitive data was disclosed and subsequently destroyed through a properly secured cloud-based storage platform. An incident response technician is working with management to develop an after-action report that conveys critical metrics regarding the incident. Which of the following would be MOST important to senior leadership to determine the impact of the breach? A. The likely per-record cost of the breach to the organization. B. The legal or regulatory exposure that exists due to the breach. C. The amount of downtime required to restore the data. D. The number of records compromised.
B. The legal or regulatory exposure that exists due to the breach.
331. Which of the following may indicate a configuration item has reached end-of-life? A. The device will no longer turn on and indicates an error. B. The vendor has not published security patches recently. C. The object has been removed from Active Directory. D. Logs show a performance degradation of the component.
B. The vendor has not published security patches recently.
284. The IR team at a financial institution is performing a root cause analysis on a breach that appeared to originate from within the internal network. While doing the investigation, video footage was found showing an unknown individual sitting down at a desk and using an employee's desktop while the employee was at lunch. Which of the following technical controls can be used to prevent this scenario from occurring again? A. Require 2 factor authentication for network access B. User group policy to enforce inactivity timeouts C. Implement password-protected, full-disk encryption on employee workstations D. Install HIDS/HIPS on employee workstations and NIPS/NIDS on the network
B. Use group policy to enforce inactivity timeouts
262. A technician uses an old SSL server due to budget constraints and discovers performance degrades dramatically after enabling PFS. The technician cannot determine why performance degraded so dramatically. A newer version of the SSL server does not suffer the same performance degradation. Performance rather than security is the main priority for the technician. The system specifications and configuration of each system are listed below (old server / new server): Decryption chips 8 / 10; System RAM 16GB / 8GB; Disk size 1TB / 6TB; Algorithm RSA / ECC; Connections 500 / 450. Which of the following is most likely the cause of the degradation in performance and should be changed? A. Using ECC B. Using RSA C. Disk size D. Memory size E. Decryption chips F. Connection request
B. Using RSA
306. A security engineer is assessing a new IoT product. The product interfaces with the OBD-II port of a vehicle and uses a Bluetooth connection to relay data to an onboard data logger located in the vehicle. The data logger can only transfer data over a custom USB cable. The engineer suspects a relay attack is possible against the cryptographic implementation used to secure messages between segments of the system. Which of the following tools should the engineer use to confirm the analysis? A. Binary decompiler B. Wireless protocol analyzer C. Log analysis and reduction tools D. Network-based fuzzer
B. Wireless protocol analyzer
301. Company.org has requested a black-box security assessment be performed on key cyber terrain. One area of concern is the company's SMTP services. The security assessor wants to run reconnaissance before taking any additional action and wishes to determine which SMTP server is Internet-facing. Which of the following commands should the assessor use to determine this information? A. dnsrecon -d company.org -t SOA B. dig company.org mx C. nc -v company.org D. whois company.org
B. dig company.org mx
279. A security administrator is investigating an incident involving suspicious word processing documents on an employee's computer, which was found powered off in the employee's office. Which of the following tools is BEST suited for extracting full or partial word processing documents from unallocated disk space? A. memdump B. foremost C. dd D. nc
B. foremost
266. A new security policy states all wireless and wired authentication must include the use of certificates when connecting to internal resources within the enterprise LAN by all employees. Which of the following should be configured to comply with the new security policy? (Select TWO) A. SSO B. New pre-shared key C. 802.1x D. OAuth E. Push-based authentication F. PKI
C. 802.1x & F. PKI
328. A security manager needed to protect a high-security data center, so the manager installed a mantrap that can detect an employee's heartbeat, weight, and badge. Which of the following did the security manager implement? A. A physical control B. A corrective control C. A compensating control D. A managerial control
C. A compensating control
338. A company uses an enterprise desktop imaging solution to manage deployment of its desktop computers. Desktop computer users are only permitted to use software that is part of the baseline image. Which of the following technical solutions was MOST likely deployed by the company to ensure only known-good software can be installed on corporate desktops? A. Network access control B. Configuration Manager C. Application whitelisting D. File integrity checks
C. Application whitelisting
300. A security analyst is reviewing the following packet capture of communication between a host and a company's router: 1. 192.168.1.10 -> 10.5.10.1 icmp echo request 33 bytes sent ABCDEFGHIJKLMNOPQRSTUVWXYZ 2 2. 10.5.10.1 -> 192.168.1.10 icmp echo reply 34 bytes sent ABCDEFGHIJKLMNOPQRSTUVWXYZAWDXF8 Which of the following actions should the security analyst take to remove this vulnerability? A. Update the router code B. Implement a router ACL C. Disconnect the host from the network D. Install the latest antivirus definitions E. Deploy a network-based IPS
C. Disconnect the host from the network
314. A security engineer is analyzing an application during a security assessment to ensure it is configured to protect against common threats. Given the output below: Response Headers: Cache-Control: no-cache; Content-Type: text/event-stream; Date: Mon, 17 Sep 2018 15:58:37 GMT; Expires: -1; Pragma: no-cache; Transfer-Encoding: chunked; X-Content-Type-Options: nosniff; X-Frame-Options: SAMEORIGIN. Request Headers: Host: secure.comptia.org; Connection: keep-alive; Accept: text/event-stream; Cache-Control: no-cache; Accept-Encoding: gzip, deflate, br; Accept-Language: en-US, en;q=0.9. Which of the following tools did the security engineer MOST likely use to generate this output? A. Application fingerprinter B. Fuzzer C. HTTP interceptor D. Vulnerability scanner
C. HTTP interceptor
335. A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overhead and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement? A. Asymmetric B. Symmetric C. Homomorphic D. Ephemeral
C. Homomorphic
257. A company is in the process of re-architecting its sensitive system infrastructure to take advantage of on-demand computing through a public cloud provider. The system to be migrated is sensitive with respect to latency, availability, and integrity. The infrastructure team agreed to the following: Application and middleware servers will migrate to the cloud. Database servers will remain on-site. Data backups will be stored in the cloud. Which of the following solutions would ensure system and security requirements are met? A. Implement a direct connection from the company to the cloud provider. B. Use a cloud orchestration tool and implement appropriate change control processes. C. Implement a standby database on the cloud using a CASB for data-at-rest security. D. Use multizone geographic distribution with satellite relays.
C. Implement a standby database on the cloud using a CASB for data-at-rest security.
318. An attacker has been compromising banking institution targets across a regional area. The Chief Information Security Officer (CISO) at a local bank wants to detect and prevent an attack before the bank becomes a victim. Which of the following actions should the CISO take? A. Utilize cloud-based threat analytics to identify anomalous behavior in the company's B2B and vendor traffic B. Purchase a CASB solution to identify and control access to cloud-based applications and services and integrate them with on-premises legacy security monitoring C. Instruct a security engineer to configure the IDS to consume threat intelligence feeds from an information-sharing association in the banking sector D. Attend and present at the regional banking association lobbying group meetings each month and facilitate a discussion on the topic
C. Instruct a security engineer to configure the IDS to consume threat intelligence feeds from an information-sharing association in the banking sector
320. A security researcher is gathering information about a recent spike in the number of targeted attacks against multi-national banks. The spike is on top of already sustained attacks against the banks. Some of the previous attacks have resulted in the loss of sensitive data, but as of yet the attackers have not successfully stolen any funds. Based on the information available to the researcher, which of the following is the MOST likely threat profile? A. Nation-state-sponsored attackers conducting espionage for strategic gain B. Insiders seeking to gain access to funds for illicit purposes C. Opportunists seeking notoriety and fame for personal gain D. Hacktivists rolling out a marketing campaign to change landing pages
C. Opportunists seeking notoriety and fame for personal gain
275. A mid-sized company serving an international market had its long-distance calling abilities suspended by its telecom provider after incurring charges for long-distance calls that increased 4000% within a time span of two weeks. While investigating the spike in usage, the IR team discovers the charges are related to a pool of five numbers commonly used for public webinars and international client conference calls. The IR team also discovers the lines are being used after hours by multiple parties in countries where the company does not have clients. As part of the lessons learned, the IR team must harden the current conference bridge configuration. Which of the following configuration settings will reduce the risk of future incidents? A. Play hold music in call lobbies to prevent conversations B. Limit the number of attendees allowed for each call C. Prevent conference calls from starting until the host provides a PIN D. Restrict calls to domestic phone numbers only E. Automatically disconnect all calls after the call has been active for more than 60 minutes
C. Prevent conference calls from starting until the host provides a PIN
281. Ann, a retiring employee, cleaned out her desk. The next day, Ann's manager notices company equipment that was supposed to remain at her desk is now missing. Which of the following would reduce the risk of this occurring in the future? A. Regular auditing of the clean desk policy B. Employee awareness and training policies C. Proper employee separation procedures D. Implementation of an acceptable use policy
C. Proper employee separation procedures
256. An engineer wants to assess the OS security configurations on a company's servers. The engineer has downloaded some files to orchestrate configuration checks. When the engineer opens a file in a text editor, the following excerpt appears: Which of the following capabilities would a configuration compliance check need to support to interpret this file? A. Nessus B. Swagger file C. SCAP D. Netcat E. WSDL
C. SCAP
267. A security administrator performed the role of security incident commander at a ransomware incident that affected the SAN and NAS and encrypted 900GB of data, affecting legal, human resources, and accounting files. The data was recovered to a last known good state, but three days of data were lost. The administrator has finished the lessons learned and is creating the after-action report. The administrator wants to gain visibility earlier in the identification stage to contain the incident before encryption occurs. Which of the following events should be monitored? (Select TWO) A. Patient zero communication as a member of a botnet B. User of a host machine checking for write permissions on mapped drives C. Sandboxing all files that come from outside the network D. Disabling or deleting of the volume shadow admin account E. Trojan being dropped onto a machine to initiate the ransomware process F. Real-time communication of any displays of ransom payment messages
C. Sandboxing all files that come from outside the network & E. Trojan being dropped onto a machine to initiate the ransomware process
294. A security analyst notices that an unusually large amount of traffic is going to an unknown external destination. The source IP address is a file server that contains financial data. All traffic between the source and destination is on port 5800. The analyst is unable to determine what data is being transmitted. No alerts came from the security appliances regarding this traffic. Which of the following would allow the security analyst to determine what data is being transmitted and ensure it is legitimate? A. Host-based Intrusion Detection System B. Web Application Firewall C. Transport Layer Security Inspection D. File Integrity Monitoring E. NetFlow Analysis
C. Transport Layer Security Inspection
326. A security administrator is adding a NAC requirement for all VPN users to ensure the devices connecting are compliant with company policy. Which of the following items provides the HIGHEST assurance to meet this requirement? A. Implement a permanent agent. B. Install antivirus software. C. Use an agentless implementation. D. Implement PKI.
C. Use an agentless implementation.
272. A Chief Information Security Officer (CISO) is creating a security committee involving multiple business units of a corporation. Which of the following is the BEST justification to ensure collaboration across business units? A. A risk to one business unit is a risk avoided by all business units, and liberal BYOD policies create new unexpected avenues for attackers to exploit enterprises B. A single point of coordination is required to ensure cyber-security issues are addressed in protected, compartmentalized groups C. Without business unit collaboration, risks introduced by one unit that affect another unit may go without compensating controls D. The CISO is uniquely positioned to control the flow of vulnerability information between business units
C. Without business unit collaboration, risks introduced by one unit that affect another unit may go without compensating controls
327. An organization is concerned that its hosted web servers are not running the most updated version of software. Which of the following would work BEST to help identify potential vulnerabilities? A. hping -S comptia.org -p 80 B. nc -l -v comptia.org -p 80 C. nmap comptia.org -p 80 -sV D. nslookup -port=80 comptia.org
C. nmap comptia.org -p 80 -sV
308. A security engineer is making certain URLs from an internal application available on the Internet. The development team requires the following: The URLs are accessible only from internal IP addresses. Certain countries are restricted. TLS is implemented. System users transparently access internal application services in a round-robin to maximize performance. Which of the following should the security engineer deploy? A. DNS to direct traffic and a WAF with only the specific external URL configured B. A load balancer with GeoIP restrictions and least-load-sensing traffic distribution C. An application-aware firewall with geofencing and certificate services using DNS for traffic direction D. A load balancer with IP ACL restrictions and a commercially available PKI certificate
D. A load balancer with IP ACL restrictions and a commercially available PKI certificate
311. An online bank has contracted with a consultant to perform a security assessment of the bank's web portal. The consultant notices the login page is linked from the main page with HTTPS, but when the URL is changed to HTTP, the browser is automatically redirected back to the HTTPS site. Which of the following is a concern for the consultant, and how can it be mitigated? A. XSS could be used to inject code into the login page during the redirect to the HTTPS site. The consultant should implement a WAF to prevent this. B. The consultant is concerned the site is using an older version of the SSL 3.0 protocol that is vulnerable to a variety of attacks. Upgrading the site to TLS 1.0 would mitigate this issue. C. HTTP is vulnerable to network sniffing, which could disclose usernames and passwords to an attacker. The consultant should recommend disabling HTTP on the web server. D. A successful MITM attack could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.
D. A successful MITM attack could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.
313. A security administrator wants to implement a system that will issue digital security tokens, which require the following: The token-generating system must be distributed and decentralized. The validity of each token must be verifiable. Transaction and token integrity are more important than the confidentiality of the token. Which of the following should the administrator implement? A. PKI with OCSP B. GPG C. Web of trust D. Blockchain E. Cryptographic service provider
D. Blockchain
302. Ann, a terminated employee, left personal photos on a company-issued laptop and no longer has access to them. Ann emails her previous manager and asks to get her personal photos back. Which of the following BEST describes how the manager should respond? A. Determine if the data still exists by inspecting to ascertain if the laptop has already been wiped and if the storage team has recent backups. B. Inform Ann that the laptop was for company data only and she should not have stored personal photos on a company asset. C. Report the email because it may have been a spoofed request coming from an attacker who is trying to exfiltrate data from the company laptop. D. Consult with the legal and/or human resources department and check company policies around employment and termination procedures.
D. Consult with the legal and/or human resources department and check company policies around employment and termination procedures.
274. An organization is facing budget constraints. The Chief Technology Officer (CTO) wants to add a new marketing platform, but the organization does not have the resources to obtain separate servers to run the new platform. The CTO recommends running the new marketing platform on a virtualized video-conferencing server because video conferencing is rarely used. The Chief Information Security Officer (CISO) denies this request. Which of the following BEST explains the reason why the CISO has not approved the request? A. Privilege escalation attacks B. Performance and availability C. Weak DAR encryption D. Disparate security requirements
D. Disparate security requirements
304. After a recent compromise of a CA, a security administrator is concerned about attacks that are aimed at impersonating the company's server. Which of the following should the administrator implement to reduce the risk of impersonation by a malicious actor? A. OCSP B. Stapling C. SHTTP D. HPKP E. QUIC
D. HPKP
297. Users have reported that an internally developed web application is acting erratically, and the response output is inconsistent. The issue began after a web application dependency patch was applied to improve security. Which of the following would be the MOST appropriate tool to help identify the issue? A. Fuzzer B. SCAP scanner C. Vulnerability D. HTTP interceptor
D. HTTP interceptor
319. A security administrator is opening connectivity on a firewall between organization A and organization B. Organization B just acquired organization A. Which of the following risk mitigation strategies should the administrator implement to reduce the risk involved with this change? A. DLP on internal network nodes B. A network traffic analyzer for incoming traffic C. A proxy server to examine outgoing web traffic D. IPS/IDS monitoring on all new connections
D. IPS/IDS monitoring on all new connections
329. Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company's final software releases? (Choose Two.) A. Unsecure protocols B. Use of penetration-testing utilities C. Weak passwords D. Included third-party libraries E. Vendors/supply chain F. Outdated anti-malware software
D. Included third-party libraries & E. Vendors/supply chain
290. After an employee was terminated, the company discovered the employee still had access to emails and attached content that should have been destroyed during off-boarding. The employee's laptop and cell phone were confiscated and accounts were disabled promptly. Forensic investigation suggests the company's DLP was effective, and the content in question was not sent outside of work or transferred to removable media. Personally owned devices are not permitted to access company systems or information. Which of the following would be the MOST efficient control to prevent this from occurring in the future? A. Install an application whitelist on mobile devices B. Disallow side loading of applications on mobile devices C. Restrict access to company systems to expected times of day and geographic locations D. Prevent backup of mobile devices to personally owned computers
D. Prevent backup of mobile devices to personally owned computers
270. An employee decides to log into an authorization system. The system does not prompt the employee for authentication prior to granting access to the console, and it cannot authenticate the network resources. Which of the following attack types can this lead to if it is not mitigated? A. Memory leak B. Race condition C. Smurf D. Resource exhaustion
D. Resource exhaustion
307. A security engineer has been hired to design a device that will enable the exfiltration of data from within a well-defended network perimeter during an authorized test. The device must bypass all firewalls and NIDS in place, as well as allow for the upload of commands from a centralized command and control server. The total cost of the device must be kept to a minimum in case the device is discovered during an assessment. Which of the following tools should the engineer load onto the device being designed? A. Custom firmware with rotating key generation B. Automatic MITM proxy C. TCP beacon broadcast software D. Reverse shell endpoint listener
D. Reverse shell endpoint listener
310. The SOC has noticed an unusual volume of traffic coming from an open WiFi guest network that appears correlated with a broader network slowdown. The network team is unavailable to capture traffic, but logs from network services are available. No users have authenticated recently through the guest network captive portal. DDoS mitigation systems are not alerting. DNS resolver logs show some very long domain names. Which of the following is the BEST step for a security analyst to take next? A. Block all outbound traffic from the guest network at the border firewall B. Verify the passphrase on the guest network has not been changed C. Search antivirus logs for evidence of a compromised company device D. Review access point logs to identify potential zombie services
D. Review access point logs to identify potential zombie services
312. Social workers at an outreach center are responsible for maintaining the security and privacy of the residents who are in their care. The social workers often have the residents participate in activities online, such as web conferencing and social media for games and entertainment. Employees often share their mobile devices if residents do not have one with those functions. The outreach center recently moved to a BYOD policy to reduce costs while increasing employee acceptance of mobile devices. The compliance department issued several guidelines: *Resident privacy must be maintained. *All corporate applications should be loaded under a single application icon. *All resident case updates must be done using the corporate application. Which of the following controls should IT implement to BEST meet the compliance needs? (Select TWO) A. Administrative control policy to inform residents to refrain from posting on social media B. Technical control for remote wipe capability to erase all data C. Administrative control policy restricting the use of devices to the center only D. Technical control to remove the geotagging feature from devices E. Administrative control to require a PIN or passphrase to unlock the device F. Technical control for an application blacklist to restrict social media
D. Technical control to remove the geotagging feature from devices & F. Technical control for an application blacklist to restrict social media
305. An engineer needs to provide access to company resources for several offshore contractors. The contractors require: Access to a number of applications, including internal websites. Access to database data and the ability to manipulate it. The ability to log into Linux and Windows servers remotely. Which of the following remote access technologies are the BEST choices to provide all of this access securely? (Choose two.) A. VTC B. VRRP C. VLAN D. VDI E. VPN F. Telnet
D. VDI & E. VPN
288. A production manager is concerned about unintentional sharing of the company's intellectual property through employees' use of social media. Which of the following would BEST mitigate this risk? A. Virtual desktop environment B. Network segmentation C. Web application firewall D. Web content filter
D. Web content filter
339. A company recently experienced a security incident in which its domain controllers were the target of a DoS attack. In which of the following steps should technicians connect domain controllers to the network and begin authenticating users again? A. Preparation B. Identification C. Containment D. Eradication E. Recovery F. Lessons Learned
E. Recovery
258. As part of an organization's ongoing vulnerability assessment program, the Chief Information Security Officer (CISO) wants to evaluate the organization's systems, personnel, and facilities for various threats. As part of the assessment, the CISO plans to engage an independent cybersecurity assessment firm to perform social engineering and physical penetration testing against the organization's corporate offices and remote locations. Which of the following techniques would MOST likely be employed as part of this assessment? (Select THREE) A. Privilege escalation B. SQL injection C. TOC/TOU exploitation D. Rogue AP substitution E. Tailgating F. Vulnerability scanning G. Vishing H. Badge skimming
E. Tailgating & G. Vishing & H. Badge skimming
