86-170

101. A legacy web application, which is being used by a hospital, cannot be upgraded for 12 months. A newvulnerability is found in the legacy application, and the networking team is tasked with mitigation. Middlewarefor mitigation will cost $100,000 per year. Which of the following must be calculated to determine ROI?(Choose two.) A. ALE B. RTO C. MTBF D. ARO E. RPO

A. ALE & D. ARO

154. A firewall specialist has been newly assigned to participate in red team exercises and needs to ensure the skills represent real-world threats.Which of the following would be the BEST choice to help the new team member learn bleeding-edge techniques? A. Attend hacking conventions. B. Research methods while using Tor. C. Interview current red team members. D. Attend web-based training.

A. Attend hacking conventions.

165. First responders, who are part of a core incident response team, have been working to contain an outbreak of ransomware that also led to data loss in a rush to isolate the three hosts that were calling out to the NAS to encrypt whole directories, the hosts were shut down immediately without investigation and then isolated.Which of the following were missed? (Choose two.) A. CPU, process state tables, and main memory dumps B. Essential information needed to perform data restoration to a known clean state C. Temporary file system and swap space D. Indicators of compromise to determine ransomware encryption E. Chain of custody information needed for investigation

A. CPU, process state tables, and main memory dumps & D. Indicators of compromise to determine ransomware encryption

143. An organization designs and develops safety-critical embedded firmware (inclusive of embedded OS and services) for the automotive industry. The organization has taken great care to exercise secure software development practices for the firmware of paramount importance is the ability to defeat attacks aimed at replacing or corrupting running firmware once the vehicle leaves productions and is in the field Integrating which of the following host and OS controls would BEST protect against this threat? A. Configure the host to require measured boot with attestation using platform configuration registers extended through the OS and into application space. B. Implement out- of- band monitoring to analyze the state of running memory and persistent storage and, and a failure mode, signal a check engine light condition for the operator. C. Perform reverse engineering of the hardware to assess for any implanted logic or other supply chain Integrity violations. D. Ensure the firmware includes anti-malware services that will Monitor and respond to any introduction of malicious logic. E. Require software Engineers to adhere to a coding standard, leverage static and dynamic analysis within the development environment, and perform exhausted State space analysis before deployment.

A. Configure the host to require measured boot with attestation using platform configuration registers extended through the OS and into application space.

99. Legal counsel has notified the information security manager of a legal matter that will require the preservation of electronic records for 2000 sales force employees. Source records will be email, PC, network shares, and applications.After all restrictions have been lifted, which of the following should the information manager review? A. Data retention policy B. Legal hold C. Chain of custody D. Scope statement

A. Data retention policy

110. A security analyst is reviewing the following pseudo-output snippet after running the command less /temp/file.tmp. JFIF40 42.8562N74 0.3582WDLLA;SSKFAKFSFAJFSUTHWNVUNVNUVNUVWVN RWEIMVMIOWEMVWVMMVVMVMOWMVOMMIOMVMMM ELRWIOURITU8U4DFVUR9W8UVOFW9JVKVWOVN The information above was obtained from a public-facing website and used to identify military assets. Which of the following should be reduced the risk of a similar compromised? A. Deploy a solution to sanitize geotagging information B. Install software to wipe data remnants on servers C. Enforce proper input validation on mission-critical software D. Implement a digital watermarking solution

A. Deploy a solution to sanitize geotagging information

170. A company has created a policy to allow employees to use their personally owned devices. The Chief Information Officer (CISO) is getting reports of company data appearing on unapproved forums and an increase in theft of personal electronic devices.Which of the following security controls would BEST reduce the risk of exposure? A. Disk encryption on the local drive B. Group policy to enforce failed login lockout C. Multifactor authentication D. Implementation of email digital signatures

A. Disk encryption on the local drive

124. A security engineer is helping the web developers asses a new corporate web application. The application will be internet facing, so the engineer makes the following recommendation: In an .htaccess file or the site config, add: HeadereditSet_Cookie ^(.*) $HTTPOnly:Secure or Add to teh location block: proxy_cookie_path /"/ HttpOnly; SameSite=strict; Which of the following is the security engineer trying to accomplish via cookies? (Select TWO). A. Ensure session IDs are generated dynamically with each cookie request. B. Prevent cookies from being transmitted to other domain names. C. Create a temporary space on the user's drive root for ephemeral cookie storage D. Enforce the use of plain text HTTP transmission with secure local cookie storage. E. Add a sequence ID to the cookie session ID while in transit to prevent CSRF. F. Allow cookie creation or updates only over TLS connections.

A. Ensure session IDs are generated dynamically with each cookie request. and D. Enforce the use of plain text HTTP transmission with secure local cookie storage.

138. A company consults a security engineer when the web service on a server will not run. The log file states: Error, file cannot he opened. User www-data attempts to read file httpd.conf. The permissions on the file are listed as: # ls -z httpd.conf -rw-r--r--. www-data www-data unconfined_u:object_r:http_conf_t:s0 httpd.conf Which of the following is MOST likely the cause of the error and should be changed? A. File permissions B. Group owner C. User context D. Owner account E. Object type

A. File permissions

155. A penetration tester noticed special characters in a database table. The penetration tester configured the browser to use an HTTP interceptor to verify that the front-end user registration web form accepts invalid input in the user's age field. The developer was notified and asked to fix the issue.Which of the following is the MOST secure solution for the developer to implement? A. IF $AGE == [1234567890] {1,3} THEN CONTINUE B. IF $AGE == [1-0] {0,2} THEN CONTINUE C. IF $AGE != "a-bA-Z!@#$%^&*()_+<>?"{}[]"THEN CONTINUE D. IF $AGE == "!@#%^&*()_+<>?":{}[]" THEN ERROR

A. IF $AGE == [1234567890] {1,3} THEN CONTINUE

117. A new database application was added to a company's hosted VM environment. Firewall ACLs were modified to allow database users to access the server remotely. The company's cloud security broker then identified abnormal from a database user on-site. Upon further investigation, the security team noticed the user ran code on a VM that provided access to the hypervisor directly and access to other sensitive data. Which of the following should the security do to help mitigate future attacks within the VM environment? (Choose two.) A. Install the appropriate patches. B. Install perimeter NGFW. C. Configure VM isolation. D. Deprovision database VM. E. Change the user's access privileges. F. Update virus definitions on all endpoints.

A. Install the appropriate patches. & E. Change the user's access privileges.

114. Ann, a security administrator, is conducting an assessment on a new firewall, which was placed at the perimeter of a network containing PII. Ann runs the following commands on a server (10.0.1.19) behind the firewall: Service iptables stop service sshd stop From her own workstation (192.168.2.45) outside the firewall, Ann then runs a port scan against the server and records the following packet capture of the port scan: 0.872299 192.168.2.45 -> 10.0.1.19 TCP 62 49188 > 22 [SIN] Seq=0 Len=0 MSS=1460 0.872899 10.0.1.19 -> 192.168.2.45 TCP 62 22 > 49188 [SYN] Seq=0 Len=0 MSS=1460 0.891308 192.168.2.45 ->10.0.1.19 TCP 62 49189 > 23 [SYN] Seq=0 Len=0 MSS=1460 0.891809 10.0.1.19 -> 192.168.2.45 TCP 62 23 > 49189 [SYN] Seq=0 Len=0 MSS=1460 0.901234 192.168.2.45 -> 10.0.1.19 TCP 62 49190 > 24 (SYN) Seq=0 Len=0 MSS=1460 0.901454 10.0.1.19 -> 192.168.2.45 TCP 62 24 > 49190 (SYN) Seq=0 Len=0 MSS=1460 0.925657 192.168.2.45 -> 10.0.1.19 TCP 62 49191 > 25 [SYN] Seq=0 Len=0 MSS=1460 0.929872 10.0.1.19 -> 192.168.2.45 TCP 62 25 > 49191 [SYN] Seq=0 Len=0 MSS=1460 Connectivity to the server from outside the firewall worked as expected prior to executing these commands.Which of the following can be said about the new firewall? A. It is correctly dropping all packets destined for the server. B. It is not blocking or filtering any traffic to the server. C. Iptables needs to be restarted. D. The IDS functionality of the firewall is currently disabled.

A. It is correctly dropping all packets destined for the server.

136. Following the successful response to a data-leakage incident, the incident team lead facilitates an exercise that focuses on continuous improvement of the organizations incident response capabilities. Which of the following activities has the incident team lead executed? A. Lessons learned review B. Root cause analysis C. Incident audit D. Corrective action exercise

A. Lessons learned review

152. A company wants to confirm sufficient executable space protection is in place for scenarios in which malware may be attempting buffer overflow attacks. Which of the following should the security engineer check? A. NX/XN B. ASLR C. strcpy D. ECC

A. NX/XN

125. A new employee is plugged into the network on a BYOD machine but cannot access the network. Which of the following must be configured so the employee can connect to the network? A. Port security B. Firewall C. Remote Access D. VPN

A. Port security

160. An analyst is investigating behavior on a corporate-owned, corporate-managed mobile device with application whitelisting enabled, based on a name string. The employee to whom the device is assigned reports the approved email client is displaying warning messages that can launch browser windows and is adding unrecognized email addresses to the "compose" window.Which of the following would provide the analyst the BEST chance of understanding and characterizing the malicious behavior? A. Reverse engineer the application binary. B. Perform static code analysis on the source code. C. Analyze the device firmware via the JTAG interface. D. Change to a whitelist that uses cryptographic hashing. E. Penetration test the mobile application.

A. Reverse engineer the application binary.

133. An enterprise solution requires a central monitoring platform to address the growing networks of various departments and agencies that connect to the network. The current vendor products are not adequate due to the growing number of heterogeneous devices. Which of the following is the primary concern? A. Scalability B. Usability C. Accountability D. Performance

A. Scalability

91. A security engineer is designing a system in which offshore, outsourced staff can push code from the development environment to the production environment securely. The security engineer is concerned with data loss, while the business does not want to slow down its development process. Which of the following solutions BEST balances security requirements with business need? A. Set up a VDI environment that prevents copying and pasting to the local workstations of outsourced staff members B. Install a client side VPN on the staff laptops and limit access to the development network C. Create an IPSec VPN tunnel from the development network to the office of the outsourced staff D. Use online collaboration tools to initiate workstation-sharing sessions with local staff who have access to the development network

A. Set up a VDI environment that prevents copying and pasting to the local workstations of outsourced staff members

115. A system administrator has deployed the latest patches for a window-based machines. However, the users on the network are experiencing exploits from various threat actors, which the patches should have answered. Which of the following is the MOST likely scenario? A. The machines were infected with malware B. The users did not reboot the computer after the patches were deployed C. The systems administrator used invalid credentials to deploy the patches D. The patches were deployed on non-Windows machines

A. The machines were infected with malware

148. A security analyst is inspecting pseudocode of the following multithreaded application: 1. perform daily ETL of data 1.1 validate that yesterday's data model file exists 1.2 validate that today's data model file does not exist 1.2 extract yesterday's data model 1.3 transform the format 1.4 load the transformed data into today's data model file 1.5 exit Which of the following security concerns is evident in the above pseudocode? A. Time of check/time of use B. Resource exhaustion C. Improper storage of sensitive data D. Privilege escalation

A. Time of check/time of use

145. An organization's mobile device inventory recently provided notification that zero-day vulnerability was identified in the code used to control the base band of the devices. The device manufacturer is expected to send a patch but the rollout will take several months. Additionally several mobile users recently returned from overseas trip and reported their phones now contain unknown applications, slowing device performance. Users have been unable to uninstall these applications, which persist after wiping the device. Which of the following most likely occurred and provides mitigation until the patches are released? A. Unauthentic firmware was installed disable OTA updates and carrier roaming via MDM. B. Users opened spear fishing email; disable third-party application stores and validate all signed code prior to execution. C. An attacker downloaded monitoring applications; perform a factory reset of affected devices D. Users received improperly encoded emergency broadcast message, leading to an integrity loss condition; disable emergency broadcast messages

A. Unauthentic firmware was installed disable OTA updates and carrier roaming via MDM.

168. A security analyst works for a defense contractor that produces classified research on drones. The contractor faces nearly constant attacks from sophisticated nation-state actors and other APIs. Which of the following would help protect the confidentiality of the research data? A. Use diverse components in layers throughout the architecture. B. Implement non-heterogeneous components at the network perimeter. C. Purge all data remnants from client devices' volatile memory at regularly scheduled intervals. D. Use only in-house developed applications that adhere to strict SDLC security requirements.

A. Use diverse components in layers throughout the architecture.

130. After analyzing code, two developers at a company bring these samples to the security operations manager: Example Language: Java # Java Web App ResourceBundle properties file ... webapp.ldap.username=secretUsername webapp.ldap.password-secretPassword ... The following example shows a portion of a configuration file for an ASP.Net application. Example Language: ASP.NET ... <connectionStrings> <add name="ud DEV" connectionstring="connectDB=uDB; uid=db2 admin; pwd-password; dbalias=uDB;" providerName="System.Data.odbc" </connectionStrings> ... Which of the following would best solve these coding problems? A. Use privileged access management system. B. Prompt the administrator for the password. C. Use salted hashes with PBKDF2. D. Increase the complexity and the length of the password.

A. Use privileged access management system.

126. An organization is integrating an ICS and wants to ensure the system is cyber-resilient. Unfortunately, many of the specialized components are legacy systems that cannot be patched. The existing enterprise consists of mission-critical systems that require 99.9% uptime. To assist in the appropriate design of the system given the constraints, which of the following MUST be assumed? A. Vulnerable components B. Operational impact due to attack C. Time critically systems D. Presence of open-source software

A. Vulnerable components

135. Following a recent security incident on a web server, the security analyst takes HTTP traffic captures for further investigation. The analyst suspects certain .jpg files have important data hidden within them. Which of the following tools will help get all the pictures from within the HTTP traffic captured to a specified folder? A. tshark B. memdump C. nbstat D. dd

A. tshark

140. As part of the asset management life cycle, a company engages a certified equipment disposal vendor to appropriately recycle and destroy company assets that are no longer in use. As part of the company's vendor due diligence, which of the following would be MOST important to obtain from the vendor? A. A copy of the vendor's information security policies. B. A copy of the current audit reports and certifications held by the vendor. C. A signed NDA that covers all the data contained on the corporate systems. D. A copy of the procedures used to demonstrate compliance with certification requirements.

B. A copy of the current audit reports and certifications held by the vendor.

98. While investigating suspicious activity on a server a security administrator runs the following report: File system integrity check report Total numbers of files: 3321 Added files: 12 Removed files: 0 Changed Files: 1 Change files: changed:/etc/passwd --------------------------------------------------------- Detailed information about changes: File: /etc/passwd Perm: -rw-r--r-- , -rw-r---rw- Hash: md5:ab0e9acb928dfac35de2ac2bef918cae, md5:def9a24cdbeaf4cb15acfed93eedb In addition, the administrator notices changes to the /etc/shadow file that were not listed in the report. Which of the following BEST describe this scenario? (Select TWO) A. An attacker compromised the server and may have used a collision hash in the MD5 algorithm to hand the changes to the /etc/shadow file. B. An attacker compromised the server and may have also compromised the file integrity database to hide changes in the /etc/shadow file. C. An attacker compromised the server and may have installed a rootkit to always generate valid MD5 hashes to hide the changes to the /etc/shadow file. D. An attacker compromised the server and may have used MD5 collision hashes to generate valid passwords, allowing further access to administrator accounts on the server. E. An attacker compromised the server and may have used SELinux mandatory access controls to hide the changes to the /etc/shadow file.

B. An attacker compromised the server and may have also compromised the file integrity database to hide changes in the /etc/shadow file. & D. An attacker compromised the server and may have used MD5 collision hashes to generate valid passwords, allowing further access to administrator accounts on the server.

103. A Chief Information Security Officer (CISO) requests the following external hosted services be scanned for malware, unsecured PII, and healthcare data: Corporate intranet site Online storage application Email and collaboration suite Security policy also is updated to allow the security team to scan and detect any bulk downloads of corporate data from the company's intranet and online storage site. Which of the following is needed to comply with the corporate security policy and the CISO's request? A. Port scanner B. CASB C. DLP agent D. Application sandbox E. SCAP scanner

B. CASB

151. Users have been reporting unusual automated phone calls, including names and phone numbers, that appear to come from devices internal to the company.Which of the following should the systems administrator do to BEST address this problem? A. Add an ACL to the firewall to block VoIP. B. Change the settings on the phone system to use SIP-TLS. C. Have the phones download new configurations over TFTP. D. Enable QoS configuration on the phone VLAN.

B. Change the settings on the phone system to use SIP-TLS.

112. A school contracts with a vendor to devise a solution that will enable the school library to lend out tablet computers to students while on site. The tablets must adhere to string security and privacy practices. The school's key requirements are to: Maintain privacy of students in case of lossHave a theft detection control in place Be compliant with defined disability requirements Have a four-hour minimum battery life Which of the following should be configured to BEST meet the requirements? (Choose two.) A. Secure Boot B. Geofencing C. Antivirus software D. TPM E. FDE F. Tokenization

B. Geofencing & E. FDE

109. Staff members are reporting an unusual number of device thefts associated with time out of the office. Thefts increased soon after the company deployed a new social networking app. Which of the following should the Chief Information Security Officer (CISO) recommend implementing? A. Automatic location check-ins B. Geolocated presence privacy C. Integrity controls D. NAC checks to quarantine devices

B. Geolocated presence privacy

164. To meet a SLA, which of the following document should be drafted, defining the company's internal interdependent unit responsibilities and delivery timelines? A. BPA B. OLA C. MSA D. MOU

B. OLA

122. A security engineer implemented a key generation algorithm with PRNG whereby a master key used to generate multiple session keys. The approach worked well for the first two years, until the master key was inadvertently leaked. an analysis was performed, and it was determined that due to the key leakage, an attacker with access to encrypted sessions would be able to decrypt them. Which of the following would be required in the algorithm to better protect the encrypted sessions? A. Stronger PRNG B. Perfect forward secrecy C. Message authentication codes D. Watermarking

B. Perfect forward secrecy

96. A security engineer is performing an assessment again for a company. The security engineer examines the following output from the review: Password complexity -> Disabled Require authentication from a domain controller before sign-in -> Enabled Allow guest user access -> Enabled Allow anonymous enumeration of groups -> Disabled Which of the following tools is the engineer utilizing to perform this assessment? A. Vulnerability scanner B. SCAP scanner C. Port scanner D. Interception proxy

B. SCAP scanner

162. The audit team was only provided the physical and logical addresses of the network without any type of access credentials. Which of the following methods should the audit team use to gain initial access during the security assessment? (Select TWO) A. Tabletop exercise B. Social engineering C. Runtime debugging D. Reconnaissance E. Code review F. Remote access tool

B. Social engineering & D. Reconnaissance

134. A security engineer is looking at a DNS server following a known incident. The engineer sees the following command as the most recent entry in the servers show history: Dd if=dev/sda of=/dev/sda Which of the following most likely occurred? A. A tape back up of the server was performed. B. The drive was clone for forensic analysis. C. The hard drive was formatted after the incident. D. The DNS log files were rolled daily as expected.

B. The drive was clone for forensic analysis.

107. A security engineer successfully exploits an application during a penetration test. As proof of the exploit, the security engineer takes screenshots of how data was compromised in the application. Given the information below from the screenshot. 2019-11-21 13:11:45 POST https://company.com/store <-- 200 text/plain 2.02kB 0.9s .......Request...... **Response** ..... Detail....... :Status: 200 Content-Types:text/plain Content-Length: 2022 Date: Sun, 21 Nov 2019 18:11:45 GMT ................RAW...................... Method: POST Protocol: HTTP/2.0 RemoteAddr: v10.10.45.00:443 RequestURI: "/store" ...................... "product": [ { "item": "745" "name": "Deluxe Pencil Case" "price": "0.10" "discount": "0.10" } , } Which of the following tools was MOST likely used to exploit the application? A. The engineer captured the data with a protocol analyzer, and then utilized Python to edit the data B. The engineer queried the server and edited the data using an HTTP proxy interceptor C. The engineer used a cross-site script sent via curl to edit the data D. The engineer captured the HTTP headers, and then replaced the JSON data with a banner-grabbing tool

B. The engineer queried the server and edited the data using an HTTP proxy interceptor

129. A company has deployed MFA. Some employees, however, report they are not getting a notification on their mobile device. Other employees, report they downloaded a common authenticator application, but when they tap the code in the application, it just copies the code to memory instead of confirming the authentication attempt. Which of the following are the MOST likely is for these scenarios? (Select TWO) A. The company is using a claims-based authentication system for MFA B. These are symptoms of known compatibility issues with OAuth 1.0. C. OpenID Connect requires at least one factor to be biometric. D. The company does not allow an SMS authentication method. E. The WAYF method requires a third factor before the authentication process can complete. F. A vendor-specific authentication application is needed for push notifications.

B. These are symptoms of known compatibility issues with OAuth 1.0. & F. A vendor-specific authentication application is needed for push notifications.

137. An attacker wants to gain information about a company's database structure by probing the database listener. The attacker tries to manipulate the companies database to see if it has any vulnerabilities that can be exploited to help carry out and attack. To prevent this type of attack which of the following should the company do to security database? A. Master database banner. B. Tighten database authentication and limit table access. C. Harden web and Internet resources. D. Implement challenge based authentication.

B. Tighten database authentication and limit table access

141. The IR team at a financial institution is performing a root cause analysis on a breach that appeared to originate from within the internal network. While doing the investigation, video footage was found showing an unknown individual sitting down at a desk and using an employee's desktop while the employee was at lunch. Which of the following technical controls can be used to prevent this scenario form occurring again? A. Require two-factor authentication for network access. B. Use Group Policy to enforce inactivity timeouts. C. Implement password-protected, full-disk encryption on employee workstations D. Install HIDS/HIPS on employee workstations and NIP/NIDS on the network.

B. Use Group Policy to enforce inactivity timeouts.

102. An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS. Which of the following technical approaches would be the MOST feasible way to accomplish this capture? A. Run the memdump utility with the -k flag. B. Use a loadable kernel module capture utility, such as LiME. C. Run dd on/dev/mem. D. Employ a stand-alone utility, such as FTK Imager.

B. Use a loadable kernel module capture utility, such as LiME.

161. An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS.Which of the following technical approaches would be the MOST feasible way to accomplish this capture? A. Run the memdump utility with the -k flag. B. Use a loadable kernel module capture utility, such as LiME. C. Run dd on/dev/mem. D. Employ a stand-alone utility, such as FTK Imager.

B. Use a loadable kernel module capture utility, such as LiME.

111. A company recently implemented a variety of security services to detect various types of traffic that pose a threat to the company. The following services were enabled within the network: • Scan of specific subsets for vulnerabilities • Categorizing and logging of website traffic • Enabling specific ACLs based on application traffic • Sending suspicious files to a third-party site for validation A report was sent to the security team that identified multiple incidents of users sharing large amounts of data from an on-premise server to a public site. A small percentage of that data also contained malware and spyware Which of the following services MOST likely identified the behavior and sent the report? A. Content Filter B. User Behavioral Analytics C. Application Sandbox D. Web Application firewall E. Endpoint Protection F. Cloud security broker

B. User Behavioral Analytics

95. As part of the development process for a new system, the organization plans to perform requirements analysis and risk assessment. The new system will replace a legacy system, which the organization has used to perform data analytics. Which of the following is MOST likely to be part of the activities conducted by management during this phase of the project? A. Static code analysis and peer review of all application code B. Validation of expectations relating to system performance and security C. Load testing the system to ensure response times is acceptable to stakeholders D. Design reviews and user acceptance testing to ensure the system has been deployed properly E. Regression testing to evaluate interoperability with the legacy system during the deployment

B. Validation of expectations relating to system performance and security

113. A company's security policy states any remote connections must be validated using two forms of networkbasedauthentication. It also states local administrative accounts should not be used for any remote access.PKI currently is not configured within the network. RSA tokens have been provided to all employees, as well asa mobile application that can be used for 2FA authentication. A new NGFW has been installed within thenetwork to provide security for external connections, and the company has decided to use it for VPNconnections as well. Which of the following should be configured? (Choose two.) A. Certificate-based authentication B. TACACS+ C. 802.1X D. RADIUS E. LDAP F. Local user database

C. 802.1X & D. RADIUS

139. An information security officer reviews a report and notices a steady increase in outbound network traffic over the past ten months There is no clear explanation for the increase The security officer interviews several business units and discovers an unsanctioned cloud storage provider was used to share marketing materials with potential customers Which of the following services would be BEST for the security officer to recommend to the company? A. NIDS B. HIPS C. CASB D. SFTP

C. CASB

89. During the decommissioning phase of a hardware project, a security administrator is tasked with ensuring no sensitive data is released inadvertently. All paper records are scheduled to be shredded in a crosscut shredded, and the waste will be burned. The system drives and removable media have been removed prior to e-cycling the hardware.Which of the following would ensure no data is recovered from the system droves once they are disposed of? A. Overwriting all HDD blocks with an alternating series of data. B. Physically disabling the HDDs by removing the dive head. C. Demagnetizing the hard drive using a degausser. D. Deleting the UEFI boot loaders from each HDD.

C. Demagnetizing the hard drive using a degausser.

144. A penetration tester is given an assignment to gain physical access to a secure facility with perimeter cameras. The secure facility does not accept visitors, and entry is available only through a door protected by an RFID key and a guard stationed inside the door. Which of the following would be BEST for the penetration tester to attempt? A. Gain entry into the building by posing as a contractor who is performing routine building maintenance. B. Tailgate into the facility with an employee who has a valid RFID badge to enter. C. Duplicate an employee's RFID badge and use an IR camera to see when the guard leaves the post. D. Look for an open window that can be used to gain unauthorized entry into the facility.

C. Duplicate an employee's RFID badge and use an IR camera to see when the guard leaves the post.

104. An external red team is brought into an organization to perform a penetration test of a new network-based application. The organization deploying the network application wants the red team to act like remote, external attackers, and instructs the team to use a black-box approach. Which of the following is the BEST methodology for the red team to follow? A. Run a protocol analyzer to determine what traffic is flowing in and out of the server, and look for ways to alter the data stream that will result in information leakage or a system failure. B. Send out spear-phishing emails against users who are known to have access to the network-based application, so the red team can go on-site with valid credentials and use the software. C. Examine the application using a port scanner, then run a vulnerability scanner against open ports looking for known, exploitable weaknesses the application and related services may have. D. Ask for more details regarding the engagement using social engineering tactics in an attempt to get the organization to disclose more information about the network application to make attacks easier.

C. Examine the application using a port scanner, then run a vulnerability scanner against open ports looking for known, exploitable weaknesses the application and related services may have.

153. A power company has become increasingly concerned about APT action against the portion of the grid it manages. After investing significantly in the hardening of assets, the company wants to focus on the overall resilience of its architecture to cyber attack. The company is investing in design techniques that reduce the likelihood an APT can reuse exploits on multiple assets during an attack. Which of the following techniques would BEST accomplish this objective? (Select TWO). A. Machine learning algorithms applied to training data collected over months of activity B. Non-persistent OS configurations with monthly refresh cycles C. Functionally redundant components with heterogeneous software loads D. NIDS with advanced behavioral analytics E. Attack prevention systems with automated threat indicator sharing F. Netflow, packet capture, and host-based event logging fed to a SIEM for human-in-the-loop review

C. Functionally redundant components with heterogeneous software loads & F. Netflow, packet capture, and host-based event logging fed to a SIEM for human-in-the-loop review

166. A company relies on an ICS to perform equipment monitoring functions that are federally mandated for operation of the facility. Fines for non-compliance could be costly. The ICS has known vulnerabilities and can no longer be patched or updated. Cyber-liability insurance cannot be obtained because insurance companies will not insure this equipment.Which of the following would be the BEST option to manage this risk to the company's production environment? A. Avoid the risk by removing the ICS from production B. Transfer the risk associated with the ICS vulnerabilities C. Mitigate the risk by restricting access to the ICS D. Accept the risk and upgrade the ICS when possible

C. Mitigate the risk by restricting access to the ICS

149. A Chief Information Security Officer (CISO) is reviewing technical documentation from various regional offices and notices some key differences between these groups. The CISO has not discovered any governance documentation. The CISO creates the following chart to visualize the differences among the networking used.Which of the following would be the CISO's MOST immediate concern? A. There are open standards in use on the network. B. Network engineers have ignored defacto standards. C. Network engineers are not following SOPs. D. The network has competing standards in use.

C. Network engineers are not following SOPs.

90. Joe, a penetration tester, is assessing the security of an application binary provided to him by his client. Which of the following methods would be the MOST effective in reaching this objective? A. Employ a fuzzing utility B. Use a static code analyzer C. Run the binary in an application sandbox D. Manually review the binary in a text editor

C. Run the binary in an application sandbox

88. A technician is validating compliance with organizational policies. The user and machine accounts in the AD are not set to expire, which is non-compliant. Which of the following network tools would provide this type of information? A. SIEM server B. IDS appliance C. SCAP scanner D. HTTP interceptor

C. SCAP scanner

128. A hospital is using a functional magnetic resonance imaging (fMRI) scanner, which is controlled by a legacy desktop connected to the network. The manufacturer of the fMRI will not support pathing of the legacy system. The legacy desktop needs to be network accessible on TCP port 445. A security administrator is concerned the legacy system will be vulnerable to exploits. Which of the following would be the BEST strategy to reduce the risk of an outage while still providing for security? A. Install HIDS and disable unused services. B. Enable application whitelisting and disable SMB. C. Segment the network and configure a controlled interface. D. Apply only critical security patches for known vulnerabilities.

C. Segment the network and configure a controlled interface.

157. A penetration tester is trying to gain access to a remote system. The tester is able to see the secure login page and knows one user account and email address, but has not yet discovered a password. Which of the following would be the BEST way to access the password for the known account? A. Man-in-the-middle B. Reverse engineering C. Social engineering D. Hash cracking

C. Social engineering

146. A development team releases updates to an application regularly. The application is complied with several standard, open source security products that require a minimum version for compatibility. During the security review portion of the assessment what should be done to minimize possible application vulnerabilities? A. The developers should require an exact version of the open-source security products, preventing the introduction of new vulnerabilities. B. The application development team should move to an Agile development approach to identify security concerns faster. C. The change logs for the third-party libraries should be reviewed for security patches, which may need to be included in the release. D. The application should eliminate the use of open-source libraries and products to prevent known vulnerabilities from being included.

C. The change logs for the third-party libraries should be reviewed for security patches, which may need to be included in the release.

132. A regional transportation and logistics company recently hired its first Chief Information Security Officer (CISO). The CISO's first project after onboarding involved performing a vulnerability assessment against the company's public facing network. The completed scan found a legacy collaboration platform application with a critically rated vulnerability. While discussing this issue with the line of business, the CISO learns the vulnerable application cannot be updated without the company incurring significant losses due to downtime or new software purchases.Which of the following BEST addresses these concerns? A. The company should plan future maintenance windows such legacy application can be updated as needed. B. The CISO must accept the risk of the legacy application, as the cost of replacing the application greatly exceeds the risk to the company. C. The company should implement a WAF in front of the vulnerable application to filter out any traffic attempting to exploit the vulnerability. D. The company should build a parallel system and perform a cutover from the old application to the new application, with less downtime than an upgrade.

C. The company should implement a WAF in front of the vulnerable application to filter out any traffic attempting to exploit the vulnerability.

167. Due to a recent acquisition, the security team must find a way to secure several legacy applications. During a review of the applications the following issues were documented. · The applications are considered mission Critical · The application are written in code languages not currently supported by the development staff. · Security updates and patches will not be made available for the applications · Usernames and passwords do not meet corporate standards · The data contained within the applications includes both PII and PHI · The applications communicate using TLS 1.0 · Only internal users access the application Which of the following should be utilized to reduce the risk associated with these applications and their current architecture? A. Update the company policies to reflect the current state of the application so they are not out of compliance B. create a group policy to enforce password complexity and username requirements C. Use Network segmentation to Isolate the application and control access. D. Move the applications to virtual servers that meet the password and account standard.

C. Use Network segmentation to Isolate the application and control access.

106. A Chief Information Security Officer (CISO) is developing a new BIA for the organization. The CISO wants to gather requirements to determine the appropriateRTO and RPO for the organization's ERP. Which of the following should the CISO interview as MOST qualified to provide RTO/RPO metrics? A. Data Custodian B. Data Owner C. Security Analyst D. Business Unit director E. Chief Executive Officer (CEO)

D. Business Unit Director

156. A security analyst has been asked to create a list of external IT security concerns, which are applicable to the organization. The intent is to show the different types of external actors, their attack vectors, and the types of vulnerabilities that would cause business impact. The Chief Information Security Officer (CISO) will then present this list to the board to request funding for controls in areas that have insufficient coverage.Which of the following exercise types should the analyst perform? A. Summarize the most recently disclosed vulnerabilities. B. Research industry best practices and latest RFCs. C. Undertake an external vulnerability scan and penetration test. D. Conduct a threat modeling exercise.

D. Conduct a threat modeling exercise.

118. A customer reports a security flaw to a SaaS provider, claiming a response to a web request included data from another customer. A security engineer investigates the report and analyzes the code base. The engineer discovers that, under very specific and uncommon circumstances, there is a missing authorization check. Which of the following should the security engineer recommend to MOST effectively detect these types of flaws in the future? A. Unit testing with security test cases and measurement of code coverage B. Manual code review of all codes bases that deal that deal with customer data C. More iterations of penetration testing prior to product launches D. Continuous vulnerability scanning against systems that perform authorization.

D. Continuous vulnerability scanning against systems that perform authorization.

94. After several industry competitors suffered data loss as a result of cyberattacks, the Chief Operating Officer (COO) of a company reached out to the information security manager to review the organization's security stance. As a result of the discussion, the COO wants the organization to meet the following criteria: Blocking of suspicious websites Prevention of attacks based on threat intelligence Reduction in spam Identity-based reporting to meet regulatory compliance Prevention of viruses based on signature Protect applications from web-based threats Which of the following would be the BEST recommendation the information security manager could make? A. Reconfigure existing IPS resources B. Implement a WAF C. Deploy a SIEM solution D. Deploy a UTM solution E. Implement an EDR platform

D. Deploy a UTM solution

87. A security incident responder discovers an attacker has gained access to a network and has overwritten key system files with backdoor software. The server was reimaged and patched offline. Which of the following tools should be implemented to detect similar attacks? A. Vulnerability scanner B. TPM C. Host-based firewall D. File integrity monitor E. NIPS

D. File integrity monitor

158. A company has decided to replace all the T-1 uplinks at each regional office and move away from using the existing MPLS network. All regional sites will use high-speed connections and VPNs to connect back to the main campus. Which of the following devices would MOST likely be added at each location? A. SIEM B. IDS/IPS C. Proxy server D. Firewall E. Router

D. Firewall

86. An administrator has noticed mobile devices from an adjacent company on the corporate wireless network. Malicious activity is being reported from those devices. To add another layer of security in an enterprise environment, an administrator wants to add contextual authentication to allow users to access enterprise resources only while present in corporate buildings. Which of the following technologies would accomplish this? A. Port security B. Rogue device detection C. Bluetooth D. GPS

D. GPS

127. An application development company implements object reuse to reduce life-cycle costs for the company and its clients. Despite the overall cost savings, which of the following BEST describes a security risk to customers inherent within this model? A. Configurations of applications will affect multiple products. B. Reverse engineering of applications will lead to intellectual property loss. C. Software patch deployment will occur less often. D. Homogeneous vulnerabilities will occur across multiple products.

D. Homogeneous vulnerabilities will occur across multiple products.

123. A security analyst for a bank received an anonymous tip on the external banking website showing the following: Protocols supported TLS 1.0 SSL 3 SSL 2 Cipher suites supported TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ECDH p256r1 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - DH 1024bit TLS_RSA_WITH_RC4_128_SHA TLS_FALLBACK_SCSV not supported POODLE Weak PFS OCSP stapling supported Which of the following should the analyst use to reproduce these findings comprehensively? A. Query the OCSP responder and review revocation information for the user certificates B. Review CA-supported ciphers and inspect the connection through an HTTP proxy C. Perform a POODLE (SSLv3) attack using an exploitation framework and inspect the output. D. Inspect the server certificate and simulate SSL/TLS handshakes for enumeration.

D. Inspect the server certificate and simulate SSL/TLS handshakes for enumeration.

92. With which of the following departments should an engineer for a consulting firm coordinate when determining the control and reporting requirements for storage of sensitive, proprietary customer information? A. Human resources B. Financial C. Sales D. Legal counsel

D. Legal counsel

131. A company is concerned about disgruntled employees transferring its intellectual property data through covert channels. Which of the following tools would allow employees to write data into ICMP echo response packets? A. Thor B. Jack the Ripper C. Burp Suite D. Loki

D. Loki

142. A SaaS provider decides to offer data storage as a service. For simplicity, the company wants to make the service available over industry standards APIs, routable over public Internet. Which of the following controls offers the MOST protection to the company and its customers' information? A. Detailed application logging B. Use of non-standard ports C. Web application firewall D. Multifactor authentication

D. Multifactor authentication

97. After investigating virus outbreaks that have cost the company $1,000 per incident, the company's Chief Information Security Officer (CISO) has been researching new antivirus software solutions to use and be fully supported for the next two years. The CISO has narrowed down the potential solutions to four candidates that meet all the company's performance and capability requirements: ************|Solution Cost| Yr. 1 | Yr. 2 | Est Yearly Incidents | Product A | $10,000 | $3,000 | $1,000 | 1 | Product B | $14,250 | $1,000 | $1,000 | 0 | Product C | $ 9,500 | $2,000 | $2,000 | 1 | Product D | $ 7,000 | $1,000 | $2,000 | 2 | Product E | $ 7,000 | $4,000 | $4,000 | 0 | Using the table above, which of the following would be the BEST business-driven choice among five possible solutions? A. Product A B. Product B C. Product C D. Product D E. Product E

D. Product D

116. A security analyst who is concerned about sensitive data exfiltration reviews the following: A security analyst who is concerned about sensitive data exfiltration reviews the following: 10:01:32 . 384853 (tos 0x0, ttl 64, id 40587, offfset 0, flags [DF], proto ICMP (1), length 1500) 192.168.1.20 -> 100.61.100.2: ICMP echo reply, id 1592, seq 8, length 1500 Which of the following tools would allow the analyst to confirm if data exfiltration is occurring? A. Port scanner B. SCAP tool C. File integrity monitor D. Protocol analyzer

D. Protocol analyzer

163. An External red team member conducts a penetration test, attempting to gain physical access to a large organization 's server room in a branch office. During reconnaissance, the red team member sees a clearly marked door to the server room, located next to the lobby, with tumbler lock. Which of the following is BEST for the red team member to bring on site to open the lock door as quickly as possible without casing significant damage? A. Screwdriver set B. Bump key C. RFID duplicator D. Rake picking

D. Rake picking

159. Which of the following is an external pressure that causes companies to hire security assessors and penetration testers? A. Lack of adequate in-house testing skills. B. Requirements for geographically based assessments C. Cost reduction measures D. Regulatory insistence on independent reviews.

D. Regulatory insistence on independent reviews.

93. Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in secure environment? A. NDA B. MOU C. BIA D. SLA

D. SLA

100. A CASB provides the application proxy and web application firewall to a large retailer. All access to the retailer cloud application must originate from the CASB- designated IP addresses. The CASB has known geolocations with known IP addresses. Suddenly, all customers are not able to access the retailer cloud applications. Which of the following is MOST likely the reason for the issue? A. Additional CASB IP addresses were added to the authorized pool B. All of the CASB's European datacenters are down C. There was federation and SSO misconfiguration D. The CASB's SSL/TLS certificate expired

D. The CASB's SSL/TLS certificate expired

169. A university's help desk is receiving reports that Internet access on campus is not functioning. The network administrator looks at the management tools and sees the 1Gbps Internet is completely saturated with ingress traffic. The administrator sees the following output on the Internet router: 13:45.12857 156.34.99.54.2343 > 192.168.23.78.443 S 37483928:37483928 (0) win 16384 13.45.12890 145.24.78.34.2343 > 192.168.23.78.443 S 58457854:58457854 (0) win 36638 13:45.12890 89.25.68.12.2343 > 192.168.23.78.443 S 32987488:32987488 (0) win 25411 13:45.12923 178.78.189.1.2343 > 192.168.23.78.443 S 36214896:36214869 (0) win 12225 13:45.12934 147.22.98.156.2343 > 192.168.23.78.443 S 21558745:21558745 (0) win 32663 13:45.12956 121.45.56.79.2343 > 192.168.23.78.443 S 86441289:86441289 (0) win 33225 13:45.12989 126.88.125.117.2343 > 192.168.23.78.443 S 48741688:48741688 (0) win 18412 The administrator calls the university's ISP for assistance, but it takes more than four hours to speak to a network engineer who can resolve the problem. Based on the information above, which of the following should the ISP engineer do to resolve the issue? A. The ISP engineer should null route traffic to the web server immediately to restore Internet connectivity. The university should implement a remotely triggered black hole with the ISP to resolve this more quickly in the future. B. A university web server is under increased load during enrollment. The ISP engineer should immediately increase bandwidth to 2Gbps to restore Internet connectivity. In the future, the university should pay for more bandwidth to handle spikes in web server traffic. C. The ISP engineer should immediately begin blocking IP addresses that are attacking the web server to restore Internet connectivity. In the future, the university should install a WAF to prevent this attack from happening again. D. The ISP engineer should begin refusing network connections to the web server immediately to restore Internet connectivity on campus. The university should purchase an IPS device to stop DDoS attacks in the future.

D. The ISP engineer should begin refusing network connections to the web server immediately to restore Internet connectivity on campus. The university should purchase an IPS device to stop DDoS attacks in the future.

121. Which of the following is the GREATEST security concern with respect to BYOD? A. The filtering of sensitive data out of data flows at geographic boundaries. B. Removing potential bottlenecks in data transmission paths. C. The transfer of corporate data onto mobile corporate devices. D. The migration of data into and out of the network in an uncontrolled manner.

D. The migration of data into and out of the network in an uncontrolled manner.

120. Company leadership believes employees are experiencing an increased number of cyber attacks; however, the metrics do not show this. Currently, the company uses "Number of successful phishing attacks" as a KRI, but it does not show an increase.Which of the following additional information should be the Chief Information Security Officer (CISO) include in the report? A. The ratio of phishing emails to non-phishing emails B. The number of phishing attacks per employee C. The number of unsuccessful phishing attacks D. The percent of successful phishing attacks

D. The percent of successful phishing attacks

150. A Chief Information Security Officer (CISO) is reviewing the controls in place to support the organization's vulnerability management program. The CISO finds patching and vulnerability scanning policies and procedures are in place. However, the CISO is concerned the organization is siloed and is not maintaining awareness of new risks to the organization. The CISO determines systems administrators need to participate in industry security events. Which of the following is the CISO looking to improve? A. Vendor diversification B. System hardening standards C. Bounty programs D. Threat awareness E. Vulnerability signatures

D. Threat awareness

108. A Chief Information Security Officer (CISO) is working with a consultant to perform a gap assessment prior toan upcoming audit. It is determined during the assessment that the organization lacks controls to effectivelyassess regulatory compliance by third-party service providers. Which of the following should be revised toaddress this gap? A. Privacy policy B. Work breakdown structure C. Interconnection security agreement D. Vendor management plan E. Audit report

D. Vendor management plan

147. A network administrator deploys multiple network sensors. However, an attacker then compromises the console and launches a DoS attack against an unpatched mail server. Which of the following security considerations should be addressed to prevent future attacks. A. Lack of email filtering B. Network utilization monitoring C. Data aggregation D. Weak authentication

D. Weak authentication

105. An organization wants to arm its cybersecurity defensive suite automatically with intelligence on zero-day threats shortly after they emerge. Acquiring tools and services that support which of the following data standards would BEST enable the organization to meet this objective? A. XCCDF B. OVAL C. STIX D. CWE E. CVE

E. CVE

119. While conducting online research about a company to prepare for an upcoming penetration test, a security analyst discovers detailed financial information on an investor website the company did not make public. The analyst shares this information with the Chief Financial Officer (CFO), who confirms the information is accurate, as it was recently discussed at a board of directors meeting. Many of the details are verbatim discussion comments captured by the board secretary for purposes of transcription on a mobile device. Which of the following would MOST likely prevent a similar breach in the future? A. Remote wipe B. FDE C. Geolocation D. eFuse E. VPN

E. VPN