CompTIA Security+ Part 1


NO.101 A software developer used open-source libraries to streamline development. Which of the following is the greatest risk when using this approach? A. Unsecure root accounts B. Lack of vendor support C. Password complexity D. Default settings

Answer: A

NO.111 A security analyst is reviewing computer logs because a host was compromised by malware. After the computer was infected, it displayed an error screen and shut down. Which of the following should the analyst review first to determine more information? A. Dump file B. System log C. Web application log D. Security tool

Answer: A

NO.119 After a hardware incident, an unplanned emergency maintenance activity was conducted to rectify the issue. Multiple alerts were generated on the SIEM during this period of time. Which of the following BEST explains what happened? A. The unexpected traffic correlated against multiple rules, generating multiple alerts. B. Multiple alerts were generated due to an attack occurring at the same time. C. An error in the correlation rules triggered multiple alerts. D. The SIEM was unable to correlate the rules, triggering the alerts

Answer: A

NO.58 A company needs to centralize its logs to create a baseline and have visibility on its security events. Which of the following technologies will accomplish this objective? A. Security information and event management B. A web application firewall C. A vulnerability scanner D. A next-generation firewall

Answer: A

NO.59 Which of the following processes would most likely help an organization that has conducted an incident response exercise to improve performance and identify challenges? A. Lessons learned B. Identification C. Simulation D. Containment

Answer: A

NO.61 A data center has experienced an increase in under-voltage events following electrical grid maintenance outside the facility. These events are leading to occasional losses of system availability. Which of the following would be the most cost-effective solution for the data center to implement? A. Uninterruptible power supplies with battery backup B. Managed power distribution units to track these events C. A generator to ensure consistent, normalized power delivery D. Dual power supplies to distribute the load more evenly

Answer: A

NO.62 Which of the following describes business units that purchase and implement scripting software without approval from an organization's technology support staff? A. Shadow IT B. Hacktivist C. Insider threat D. Script kiddie

Answer: A

NO.66 Which of the following would be the best resource for a software developer who is looking to improve secure coding practices for web applications? A. OWASP B. Vulnerability scan results C. NIST CSF D. Third-party libraries

Answer: A

NO.75 A security analyst must enforce policies to harden an MDM infrastructure. The requirements are as follows: * Ensure mobile devices can be tracked and wiped. * Confirm mobile devices are encrypted. Which of the following should the analyst enable on all the devices to meet these requirements? A. Geofencing B. Biometric authentication C. Geolocation D. Geotagging

Answer: A

NO.78 An organization recently released a software assurance policy that requires developers to run code scans each night on the repository. After the first night, the security team alerted the developers that more than 2,000 findings were reported and need to be addressed. Which of the following is the MOST likely cause for the high number of findings? A. The vulnerability scanner was not properly configured and generated a high number of false positives B. Third-party libraries have been loaded into the repository and should be removed from the codebase. C. The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue. D. The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated

Answer: A

NO.79 Which of the following models offers third-party-hosted, on-demand computing resources that can be shared with multiple organizations over the internet? A. Public cloud B. Hybrid cloud C. Community cloud D. Private cloud

Answer: A

NO.80 An annual information security assessment has revealed that several OS-level configurations are not in compliance due to outdated hardening standards the company is using. Which of the following would be best to use to update and reconfigure the OS-level security configurations? A. CIS benchmarks B. GDPR guidance C. Regional regulations D. ISO 27001 standards

Answer: A

NO.82 Which of the following terms should be included in a contract to help a company monitor the ongoing security maturity of a new vendor? A. A right-to-audit clause allowing for annual security audits B. Requirements for event logs to be kept for a minimum of 30 days C. Integration of threat intelligence in the company's AV D. A data-breach clause requiring disclosure of significant data loss

Answer: A

NO.88 A business is looking for a cloud service provider that offers à la carte services, including cloud backups, VM elasticity, and secure networking. Which of the following cloud service provider types should the business engage? A. IaaS B. PaaS C. XaaS D. SaaS

Answer: A

NO.91 An enterprise needs to keep cryptographic keys in a safe manner. Which of the following network appliances can achieve this goal? A. HSM B. CASB C. TPM D. DLP

Answer: A

NO.97 A company is developing a business continuity strategy and needs to determine how many staff members would be required to sustain the business in the case of a disruption. Which of the following best describes this step? A. Capacity planning B. Redundancy C. Geographic dispersion D. Tabletop exercise

Answer: A

NO.109 As part of annual audit requirements, the security team performed a review of exceptions to the company policy that allows specific users the ability to use USB storage devices on their laptops. The review yielded the following results: * The exception process and policy have been correctly followed by the majority of users. * A small number of users did not create tickets for the requests but were granted access. * All access had been approved by supervisors. * Valid requests for the access sporadically occurred across multiple departments. * Access, in most cases, had not been removed when it was no longer needed. Which of the following should the company do to ensure that appropriate access is not disrupted but unneeded access is removed in a reasonable time frame? A. Create an automated, monthly attestation process that removes access if an employee's supervisor denies the approval B. Remove access for all emp

Answer: A

NO.13 A security analyst notices an unusual amount of traffic hitting the edge of the network. Upon examining the logs, the analyst identifies a source IP address and blocks that address from communicating with the network. Even though the analyst is blocking this address, the attack is still ongoing and coming from a large number of different source IP addresses. Which of the following describes this type of attack? A. DDoS B. Privilege escalation C. DNS poisoning D. Buffer overflow

Answer: A Explanation: A distributed denial-of-service (DDoS) attack is an attempt to make a computer or network resource unavailable to its intended users. This is accomplished by overwhelming the target with a flood of traffic from multiple sources.

NO.43 Which of the following environments can be stood up in a short period of time, utilizes either dummy data or actual data, and is used to demonstrate and model system capabilities and functionality for a fixed, agreed-upon duration of time? A. PoC B. Production C. Test D. Development

Answer: A Explanation: A proof of concept (PoC) environment can be stood up quickly and is used to demonstrate and model system capabilities and functionality for a fixed, agreed-upon duration of time.

NO.12 A company has hired an assessment team to test the security of the corporate network and employee vigilance. Only the Chief Executive Officer and Chief Operating Officer are aware of this exercise, and very little information has been provided to the assessors. Which of the following is taking place? A. A red-team test B. A white-team test C. A purple-team test D. A blue-team test

Answer: A Explanation: A red-team test is a type of security assessment that simulates a real-world attack on an organization's network, systems, applications, and people. The goal of a red-team test is to evaluate the organization's security posture, identify vulnerabilities and gaps, and test the effectiveness of its detection and response capabilities. A red-team test is usually performed by a group of highly skilled security professionals who act as adversaries and use various tools and techniques to breach the organization's defenses. A red-team test is often conducted without the knowledge or consent of most of the organization's staff, except for a few senior executives who authorize and oversee the exercise.

NO.132 A security analyst is investigating multiple hosts that are communicating to external IP addresses during the hours of 2:00 a.m. - 4:00 a.m. The malware has evaded detection by traditional antivirus software. Which of the following types of malware is MOST likely infecting the hosts? A. A RAT B. Ransomware C. Polymorphic D. A worm

Answer: A Explanation: Based on the given information, the most likely type of malware infecting the hosts is a RAT (Remote Access Trojan).

NO.17 Which of the following incident response phases should the proper collection of the detected IoCs and establishment of a chain of custody be performed before? A. Containment B. Identification C. Preparation D. Recovery

Answer: A Explanation: Containment is the phase where the incident response team tries to isolate and stop the spread of the incident. Before containing the incident, the team should collect and preserve any evidence that may be useful for analysis and investigation.

NO.16 A company installed several crosscut shredders as part of increased information security practices targeting data leakage risks. Which of the following will this practice reduce? A. Dumpster diving B. Shoulder surfing C. Information elicitation D. Credential harvesting

Answer: A Explanation: Crosscut shredders are used to destroy paper documents and reduce the risk of data leakage through dumpster diving. Dumpster diving is a method of retrieving sensitive information from paper waste by searching through discarded documents.

NO.45 Which of the following should customers who are involved with UI developer agreements be concerned with when considering the use of these products on highly sensitive projects? A. Weak configurations B. Integration activities C. Unsecure user accounts D. Outsourced code development

Answer: A Explanation: Customers who are involved with UI developer agreements should be concerned with weak configurations when considering the use of these products on highly sensitive projects. Weak configurations can lead to security vulnerabilities, which can be exploited by malicious actors. It is important to ensure that all configurations are secure and up-to-date in order to protect sensitive data.

NO.135 A Chief Information Officer is concerned about employees using company-issued laptops to steal data when accessing network shares. Which of the following should the company implement? A. DLP B. CASB C. HIDS D. EDR E. UEFI

Answer: A Explanation: Data Loss Prevention (DLP) can help prevent employees from stealing data by monitoring and controlling access to sensitive data. DLP can also detect and block attempts to transfer sensitive data outside of the organization, such as via email, file transfer, or cloud storage.

NO.5 The Chief Executive Officer announced a new partnership with a strategic vendor and asked the Chief Information Security Officer to federate user digital identities using SAML-based protocols. Which of the following will this enable? A. SSO B. MFA C. PKI D. DLP

Answer: A Explanation: Federating user digital identities using SAML-based protocols enables Single Sign-On (SSO), which allows users to log in once and access multiple applications without having to enter their credentials for each one. Reference: CompTIA Security+ Certification Exam Objectives 1.3: Explain authentication and access controls. CompTIA Security+ Study Guide, Sixth Edition, pages 41-42

NO.26 A company acquired several other small companies. The company that acquired the others is transitioning network services to the cloud. The company wants to make sure that performance and security remain intact. Which of the following BEST meets both requirements? A. High availability B. Application security C. Segmentation D. Integration and auditing

Answer: A Explanation: High availability refers to the ability of a system or service to remain operational and available to users with minimal downtime. By ensuring high availability, the company can maintain good performance and ensure that users have access to the network services they need. High availability can also improve security, as it helps to prevent disruptions that could potentially be caused by security incidents or other issues.

NO.53 As part of the building process for a web application, the compliance team requires that all PKI certificates are rotated annually and can only contain wildcards at the secondary subdomain level. Which of the following certificate properties will meet these requirements? A. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022 B. HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022 C. HTTPS://*.app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022 D. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00

Answer: A Explanation: PKI certificates are digital certificates that use public key infrastructure (PKI) to verify the identity and authenticity of a sender and a receiver of data. PKI certificates can be used to secure web applications with HTTPS, which is a protocol that encrypts and protects the data transmitted over the internet.

NO.18 A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using? A. The Diamond Model of Intrusion Analysis B. The Cyber Kill Chain C. The MITRE CVE database D. The incident response process

Answer: A Explanation: The Diamond Model is a framework for analyzing cyber threats that focuses on four key elements: adversary, capability, infrastructure, and victim. By analyzing these elements, security researchers can gain a better understanding of the threat landscape and develop more effective security strategies.

NO.29 A security incident has been resolved. Which of the following BEST describes the importance of the final phase of the incident response plan? A. It examines and documents how well the team responded, discovers what caused the incident, and determines how the incident can be avoided in the future B. It returns the affected systems back into production once systems have been fully patched, data restored, and vulnerabilities addressed C. It identifies the incident and the scope of the breach, how it affects the production environment, and the ingress point D. It contains the affected systems and disconnects them from the network, preventing further spread of the attack or breach

Answer: A Explanation: The final phase of an incident response plan is the post-incident activity, which involves examining and documenting how well the team responded, discovering what caused the incident, and determining how the incident can be avoided in the future.

NO.102 A company uses a drone for precise perimeter and boundary monitoring. Which of the following should be MOST concerning to the company? A. Privacy B. Cloud storage of telemetry data C. GPS spoofing D. Weather events

Answer: A Explanation: The use of a drone for perimeter and boundary monitoring can raise privacy concerns, as it may capture video and images of individuals on or near the monitored premises. The company should take measures to ensure that privacy rights are not violated.

NO.103 An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages, and SFTP, and to specifically block FTP. Which of the following would BEST accomplish this goal? A. [Permission Source Destination Port]Allow: Any Any 80 -Allow: Any Any 443 -Allow: Any Any 67 - Allow: Any Any 68 -Allow: Any Any 22 -Deny: Any Any 21 -Deny: Any Any B. [Permission Source Destination Port]Allow: Any Any 80 -Allow: Any Any 443 -Allow: Any Any 67 - Allow: Any Any 68 -Deny: Any Any 22 -Allow: Any Any 21 -Deny: Any Any C. [Permission Source Destination Port]Allow: Any Any 80 -Allow: Any Any 443 -Allow: Any Any 22 - Deny: Any Any 67 -Deny: Any Any 68 -Deny: Any Any 21 -Allow: Any Any D. [Permission Source Destination Port]Allow: Any Any 80 -Allow: Any Any 443 -Deny: Any Any 67 - Allow: Any Any 68 -Allow: Any Any 22 -Allow: Any Any 21 -Allow: Any Any

Answer: A Explanation: This firewall rule set allows a subnet to only access DHCP, web pages, and SFTP, and specifically blocks FTP by allowing or denying traffic based on the source, destination, and port. The rule set is as follows: Allow any source and any destination on port 80 (HTTP); Allow any source and any destination on port 443 (HTTPS); Allow any source and any destination on port 67 (DHCP server); Allow any source and any destination on port 68 (DHCP client); Allow any source and any destination on port 22 (SFTP); Deny any source and any destination on port 21 (FTP); Deny any source and any destination on any other port.

NO.136 During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations. Which of the following data sources would be BEST to use to assess the accounts impacted by this attack? A. User behavior analytics B. Dump files C. Bandwidth monitors D. Protocol analyzer output

Answer: A Explanation: User behavior analytics (UBA) would be the best data source to assess the accounts impacted by the attack, as it can identify abnormal activity, such as repeated brute-force attacks and logins from unfamiliar geographic locations, and provide insights into the behavior of the impacted accounts.

NO.6 Which of the following function as preventive, detective, and deterrent controls to reduce the risk of physical theft? (Select TWO). A. Mantraps B. Security guards C. Video surveillance D. Fences E. Bollards F. Antivirus

Answer: A,B Explanation: A - A mantrap can trap personnel with bad intentions (preventive); it also serves as a detective control, since you will know if someone is trapped there (detective); and it can deter such personnel from approaching as well (deterrent). B - Security guards can do the same: they prevent malicious personnel from entering (preventive + deterrent) and notice those personnel as well (detective).

NO.52 A user enters a password to log in to a workstation and is then prompted to enter an authentication code. Which of the following MFA factors or attributes are being utilized in the authentication process? (Select two). A. Something you know B. Something you have C. Somewhere you are D. Someone you know E. Something you are F. Something you can do

Answer: A,B Explanation: MFA (Multi-Factor Authentication) is a method of verifying a user's identity by requiring two or more factors or attributes that belong to different categories. The categories are something you know (such as a password or a PIN), something you have (such as a token or a smart card), something you are (such as a fingerprint or an iris scan), something you do (such as a gesture or a voice command), and somewhere you are (such as a location or an IP address). In this case, the user enters a password (something you know) and then receives an authentication code (something you have) to log in to a workstation.

NO.3 Which of the following are common VoIP-associated vulnerabilities? (Select two). A. SPIM B. Vishing C. VLAN hopping D. Phishing E. DHCP snooping F. Tailgating

Answer: A,B Explanation: SPIM (Spam over Internet Messaging) is a type of VoIP-associated vulnerability that involves sending unsolicited or fraudulent messages over an internet messaging service, such as Skype or WhatsApp. It can trick users into clicking on malicious links, downloading malware, providing personal or financial information, etc., by impersonating a legitimate entity or creating a sense of urgency or curiosity. Vishing (Voice Phishing) is a type of VoIP-associated vulnerability that involves making unsolicited or fraudulent phone calls over an internet telephony service, such as Google Voice or Vonage. It can trick users into disclosing personal or financial information, following malicious instructions, transferring money, etc., by using voice spoofing, caller ID spoofing, or interactive voice response systems.

NO.122 A manager for the development team is concerned about reports showing a common set of vulnerabilities. The set of vulnerabilities is present on almost all of the applications developed by the team. Which of the following approaches would be most effective for the manager to use to address this issue? A. Tune the accuracy of fuzz testing. B. Invest in secure coding training and application security guidelines. C. Increase the frequency of dynamic code scans to detect issues faster. D. Implement code signing to make code immutable.

Answer: B

NO.60 A company would like to protect credit card information that is stored in a database from being exposed and reused. However, the current POS system does not support encryption. Which of the following would be BEST suited to secure this information? A. Masking B. Tokenization C. DLP D. SSL/TLS

Answer: B

NO.63 Which of the following environments typically hosts the current version configurations and code, compares user-story responses and workflow, and uses a modified version of actual data for testing? A. Development B. Staging C. Production D. Test

Answer: B

NO.67 Which of the following best describes a tool used by an organization to identify, log, and track any potential risks and corresponding risk information? A. Quantitative risk assessment B. Risk register C. Risk control assessment D. Risk matrix

Answer: B

NO.68 A security analyst is investigating a report from a penetration test. During the penetration test, consultants were able to download sensitive data from a back-end server. The back-end server was exposing an API that should have only been available from the company's mobile application. After reviewing the back-end server logs, the security analyst finds the following entries: Which of the following is the most likely cause of the security control bypass? A. IP address allow list B. User-agent spoofing C. WAF bypass D. Referrer manipulation

Answer: B

NO.69 Which of the following would produce the closest experience of responding to an actual incident response scenario? A. Lessons learned B. Simulation C. Walk-through D. Tabletop

Answer: B

NO.72 Which of the following uses six initial steps that provide basic control over system security by including hardware and software inventory, vulnerability management, and continuous monitoring to minimize risk in all network environments? A. ISO 27701 B. The Center for Internet Security C. SSAE SOC 2 D. NIST Risk Management Framework

Answer: B

NO.76 A company is implementing a new SIEM to log and send alerts whenever malicious activity is blocked by its antivirus and web content filters. Which of the following is the primary use case for this scenario? A. Implementation of preventive controls B. Implementation of detective controls C. Implementation of deterrent controls D. Implementation of corrective controls

Answer: B

NO.81 Sales team members have been receiving threatening voicemail messages and have reported these incidents to the IT security team. Which of the following would be MOST appropriate for the IT security team to analyze? A. Access control B. Syslog C. Session Initiation Protocol traffic logs D. Application logs

Answer: B

NO.85 A security analyst is investigating a report from a penetration test. During the penetration test, consultants were able to download sensitive data from a back-end server. The back-end server was exposing an API that should have only been available from the company's mobile application. After reviewing the back-end server logs, the security analyst finds the following entries: Which of the following is the most likely cause of the security control bypass? A. IP address allow list B. User-agent spoofing C. WAF bypass D. Referrer manipulation

Answer: B

NO.92 Security engineers are working on digital certificate management with the top priority of making administration easier. Which of the following certificates is the best option? A. User B. Wildcard C. Self-signed D. Root

Answer: B

NO.98 Which of the following is the best method for ensuring non-repudiation? A. SSO B. Digital certificate C. Token D. SSH key

Answer: B

NO.7 Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed. Which of the following explains this process? A. Accountability B. Legal hold C. Chain of custody D. Data breach notification

Answer: B Explanation: A legal hold is a process that requires an organization to preserve electronically stored information and paper documents that are relevant to a pending or anticipated litigation or investigation. It suspends the normal retention and destruction policies and procedures for such information and documents until the legal hold is lifted or released.

NO.137 Which of the following identifies the point in time when an organization will recover data in the event of an outage? A. SLA B. RPO C. MTBF D. ARO

Answer: B Explanation: Recovery Point Objective (RPO) is the maximum duration of time that an organization can tolerate data loss in the event of an outage. It identifies the point in time when data recovery must begin, and any data loss beyond that point is considered unacceptable.

NO.124 A security team is engaging a third-party vendor to do a penetration test of a new proprietary application prior to its release. Which of the following documents would the third-party vendor most likely be required to review and sign? A. SLA B. NDA C. MOU D. AUP

Answer: B Explanation: NDA stands for Non-Disclosure Agreement, which is a legal contract that binds the parties to keep confidential information secret and not to disclose it to unauthorized parties.

NO.46 A junior human resources administrator was gathering data about employees to submit to a new company awards program. The employee data included job title, business phone number, location, first initial with last name, and race. Which of the following best describes this type of information? A. Sensitive B. Non-PII C. Private D. Confidential

Answer: B Explanation: Non-PII stands for non-personally identifiable information, which is any data that does not directly identify a specific individual. Non-PII can include information such as job title, business phone number, location, first initial with last name, and race. Non-PII can be used for various purposes, such as statistical analysis, marketing, or research. However, non-PII may still pose some privacy risks if it is combined or linked with other data that can reveal an individual's identity.

NO.50 A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the users' PCs. Which of the following is the most likely cause of this issue? A. TFTP was disabled on the local hosts B. SSH was turned off instead of modifying the configuration file C. Remote login was disabled in the networkd.config instead of using the sshd.conf D. Network services are no longer running on the NAS

Answer: B Explanation: SSH stands for Secure Shell Protocol, which is a cryptographic network protocol that allows secure remote login and command execution on a network device. SSH can encrypt both the authentication information and the data being exchanged between the client and the server. SSH can be used to access and manage a NAS device remotely.

NO.20 A security administrator is working on a solution to protect passwords stored in a database against rainbow table attacks. Which of the following should the administrator consider? A. Hashing B. Salting C. Lightweight cryptography D. Steganography

Answer: B Explanation: Salting is a technique that adds random data to a password before hashing it. This makes the hash output more unique and unpredictable, and prevents attackers from using precomputed tables (such as rainbow tables) to crack the password hash. Salting also reduces the risk of collisions, which occur when different passwords produce the same hash.

NO.4 An organization wants to integrate its incident response processes into a workflow with automated decision points and actions based on predefined playbooks. Which of the following should the organization implement? A. SIEM B. SOAR C. EDR D. CASB

Answer: B Explanation: Security Orchestration, Automation, and Response (SOAR) should be implemented to integrate incident response processes into a workflow with automated decision points and actions based on predefined playbooks. Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 9

NO.34 Which of the following is the MOST secure but LEAST expensive data destruction method for data that is stored on hard drives? A. Pulverizing B. Shredding C. Incinerating D. Degaussing

Answer: B Explanation: Shredding may be the most secure and cost-effective way to destroy electronic data in any media that contain hard drives or solid-state drives and have reached their end-of-life. Shredding reduces electronic devices to pieces no larger than 2 millimeters. Therefore, shredding is the most secure but least expensive data destruction method for data that is stored on hard drives.

NO.33 A government organization is developing an advanced AI defense system. Developers are using information collected from third-party providers. Analysts are noticing inconsistencies in the expected output of the system's learning and attribute the outcome to a recent attack on one of the suppliers. Which of the following is the most likely reason for the inaccuracy of the system? A. Improper algorithm security B. Tainted training data C. Virus D. Cryptomalware

Answer: B Explanation: Tainted training data is a type of data poisoning attack that involves modifying or injecting malicious data into the training dataset of a machine learning or artificial intelligence system. It can cause the system to learn incorrect or biased patterns and produce inaccurate or malicious outcomes. It is the most likely reason for the inaccuracy of a system that is using information collected from third-party providers that have been compromised by an attacker.

NO.25 A help desk technician receives an email from the Chief Information Officer (CIO) asking for documents. The technician knows the CIO is on vacation for a few weeks. Which of the following should the technician do to validate the authenticity of the email? A. Check the metadata in the email header of the received path in reverse order to follow the email's path. B. Hover the mouse over the CIO's email address to verify the email address. C. Look at the metadata in the email header and verify the "From" line matches the CIO's email address. D. Forward the email to the CIO and ask if the CIO sent the email requesting the documents.

Answer: B Explanation: The "From" line in the email header can be easily spoofed or manipulated by an attacker to make it look like the email is coming from the CIO's email address. However, this does not mean that the email address is actually valid or that the email is actually sent by the CIO. A better way to check the email address is to hover over it and see if it matches the CIO's email address exactly.

NO.114 A security researcher has alerted an organization that its sensitive user data was found for sale on a website. Which of the following should the organization use to inform the affected parties? A. An incident response plan B. A communications plan C. A business continuity plan D. A disaster recovery plan

Answer: B Explanation: The organization should use a communications plan to inform the affected parties. A communications plan is a document that outlines how an organization will communicate with internal and external stakeholders during a crisis or incident.

NO.9 A network-connected magnetic resonance imaging (MRI) scanner at a hospital is controlled and operated by an outdated and unsupported specialized Windows OS. Which of the following is most likely preventing the IT manager at the hospital from upgrading the specialized OS? A. The time needed for the MRI vendor to upgrade the system would negatively impact patients. B. The MRI vendor does not support newer versions of the OS. C. Changing the OS breaches a support SLA with the MRI vendor. D. The IT team does not have the budget required to upgrade the MRI scanner.

Answer: B Explanation: This option is the most likely reason preventing the IT manager at the hospital from upgrading the specialized OS. The MRI scanner is a complex and sensitive device that requires a specific OS to control and operate it. The MRI vendor may not have developed or tested newer versions of the OS for compatibility and functionality with the scanner. Upgrading the OS without the vendor's support may cause the scanner to malfunction or stop working altogether.

NO.86 The spread of misinformation surrounding the outbreak of a novel virus on election day led to eligible voters choosing not to take the risk of going to the polls. This is an example of: A. prepending. B. an influence campaign. C. a watering-hole attack. D. intimidation. E. information elicitation.

Answer: B Explanation: This scenario describes an influence campaign, where false information is spread to influence or manipulate people's beliefs or actions. In this case, the misinformation led eligible voters to avoid polling places, which influenced the outcome of the election.

NO.73 The new Chief Information Security Officer at a company has asked the security team to implement stronger user account policies. The new policies require: * Users to choose a password unique to their last ten passwords * Users to not log in from certain high-risk countries Which of the following should the security team implement? (Select two). A. Password complexity B. Password history C. Geolocation D. Geospatial E. Geotagging F. Password reuse

Answer: B,C

NO.14 An information security officer at a credit card transaction company is conducting a framework-mapping exercise with the internal controls. The company recently established a new office in Europe. To which of the following frameworks should the security officer map the existing controls? (Select two). A. ISO B. PCI DSS C. SOC D. GDPR E. CSA F. NIST

Answer: B,D Explanation: PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards and requirements for organizations that store, process, or transmit payment card data.

NO.55 A security analyst needs to recommend a solution that will allow current Active Directory accounts and groups to be used for access controls on both network and remote-access devices. Which of the following should the analyst recommend? (Select two). A. TACACS+ B. RADIUS C. OAuth D. OpenID E. Kerberos F. CHAP

Answer: B,E

NO.138 A small, local company experienced a ransomware attack. The company has one web-facing server and a few workstations. Everything is behind an ISP firewall. A single web-facing server is set up on the router to forward all ports so that the server is viewable from the internet. The company uses an older version of third-party software to manage the website. The assets were never patched. Which of the following should be done to prevent an attack like this from happening again? (Select three). A. Install DLP software to prevent data loss. B. Use the latest version of software. C. Install a SIEM device. D. Implement MDM. E. Implement a screened subnet for the web server. F. Install an endpoint security solution. G. Update the website certificate and revoke the existing ones. H. Deploy additional network sensors.

Answer: B,E,F

NO.100 Which of the following allows access to remote computing resources, an operating system, and centralized configuration and data? A. Containers B. Edge computing C. Thin client D. Infrastructure as a service

Answer: C

NO.110 Which of the following vulnerabilities is exploited when an attacker overwrites a register with a malicious address that changes the execution path? A. VM escape B. SQL injection C. Buffer overflow D. Race condition

Answer: C

NO.112 After a WiFi scan of a local office was conducted, an unknown wireless signal was identified. Upon investigation, an unknown Raspberry Pi device was found connected to an Ethernet port using a single connection. Which of the following BEST describes the purpose of this device? A. IoT sensor B. Evil twin C. Rogue access point D. On-path attack

Answer: C

NO.115 Which of the following measures the average time that equipment will operate before it breaks? A. SLE B. MTBF C. RTO D. ARO

Answer: C

NO.116 A network penetration tester has successfully gained access to a target machine. Which of the following should the penetration tester do next? A. Clear the log files of all evidence. B. Move laterally to another machine. C. Establish persistence for future use. D. Exploit a zero-day vulnerability.

Answer: C

NO.118 A security assessment found that several embedded systems are running unsecure protocols. These systems were purchased two years ago, and the company that developed them is no longer in business. Which of the following constraints BEST describes the reason the findings cannot be remediated? A. Lack of computing power B. Inability to authenticate C. Unavailable patch D. Implied trust

Answer: C

NO.120 Which of the following would satisfy three-factor authentication requirements? A. Password, PIN, and physical token B. PIN, fingerprint scan, and iris scan C. Password, fingerprint scan, and physical token D. PIN, physical token, and ID card

Answer: C

NO.123 An enterprise has hired an outside security firm to facilitate penetration testing on its network and applications. The firm has agreed to pay for each vulnerability that is discovered. Which of the following BEST represents the type of testing that is being used? A. White-box B. Red-team C. Bug bounty D. Gray-box E. Black-box

Answer: C

NO.64 During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes? A. Physically move the PC to a separate Internet point of presence. B. Create and apply microsegmentation rules. C. Emulate the malware in a heavily monitored DMZ segment. D. Apply network blacklisting rules for the adversary domain.

Answer: C

NO.90 Security analysts notice a server login from a user who has been on vacation for two weeks. The analysts confirm that the user did not log in to the system while on vacation. After reviewing the packet capture, the analysts notice the following: Which of the following occurred? A. A buffer overflow was exploited to gain unauthorized access. B. The user's account was compromised, and an attacker changed the login credentials. C. An attacker used a pass-the-hash attack to gain access. D. An insider threat with username logged in to the account.

Answer: C

NO.99 A security team will be outsourcing several key functions to a third party and will require that: * Several of the functions will carry an audit burden. * Attestations will be performed several times a year. * Reports will be generated on a monthly basis. Which of the following BEST describes the document that is used to define these requirements and stipulate how and when they are performed by the third party? A. MOU B. AUP C. SLA D. MSA

Answer: C

NO.129 Which of the following roles would MOST likely have direct access to the senior management team? A. Data custodian B. Data owner C. Data protection officer D. Data controller

Answer: C Explanation: A data protection officer (DPO) is a role that oversees the data protection strategy and compliance of an organization. A DPO is responsible for ensuring that the organization follows data protection laws and regulations, such as the General Data Protection Regulation (GDPR), and protects the privacy rights of data subjects. A DPO also acts as a liaison between the organization and data protection authorities, as well as data subjects and other stakeholders.

NO.104 An engineer recently deployed a group of 100 web servers in a cloud environment. Per the security policy, all web-server ports except 443 should be disabled. Which of the following can be used to accomplish this task? A. Application allow list B. Load balancer C. Host-based firewall D. VPN

Answer: C Explanation: A host-based firewall is a software application that runs on each individual host and controls the incoming and outgoing network traffic based on a set of rules. A host-based firewall can be used to block or allow specific ports, protocols, IP addresses, or applications. An engineer can use a host-based firewall to accomplish the task of disabling all web-server ports except 443 on a group of 100 web servers in a cloud environment. The engineer can configure the firewall rules on each web server to allow only HTTPS traffic on port 443 and deny any other traffic. Alternatively, the engineer can use a centralized management tool to deploy and enforce the firewall rules across all web servers.

NO.130 A network engineer and a security engineer are discussing ways to monitor network operations. Which of the following is the BEST method? A. Disable Telnet and force SSH. B. Establish a continuous ping. C. Utilize an agentless monitor. D. Enable SNMPv3 with passwords.

Answer: C Explanation: An agentless monitor is the best method to monitor network operations because it does not require any software or agents to be installed on the devices being monitored, making it less intrusive and less likely to disrupt network operations. This method can monitor various aspects of network operations, such as traffic, performance, and security.

NO.125 A security analyst is investigating network issues between a workstation and a company server. The workstation and server occasionally experience service disruptions, and employees are forced to reconnect to the server. In addition, some reports indicate sensitive information is being leaked from the server to the public. The workstation IP address is 192.168.1.103, and the server IP address is 192.168.1.101. The analyst runs arp -a on a separate workstation and obtains the following results: Which of the following is most likely occurring? A. Evil twin attack B. Domain hijacking attack C. On-path attack D. MAC flooding attack

Answer: C Explanation: An on-path attack is a type of attack where an attacker places themselves between two devices (such as a workstation and a server) and intercepts or modifies the communications between them.

NO.2 A security analyst reviews a company's authentication logs and notices multiple authentication failures. The authentication failures are from different usernames that share the same source IP address. Which of the password attacks is MOST likely happening? A. Dictionary B. Rainbow table C. Spraying D. Brute-force

Answer: C Explanation: Password spraying is an attack where an attacker tries a small number of commonly used passwords against a large number of usernames. The goal of password spraying is to avoid detection by avoiding too many failed login attempts for any one user account. The fact that different usernames are being attacked from the same IP address is a strong indication that a password spraying attack is underway.

NO.24 A junior security analyst is reviewing web server logs and identifies the following pattern in the log file: Which of the following types of attacks is being attempted, and how can it be mitigated? A. XSS, implement a SIEM B. CSRF, implement an IPS C. Directory traversal, implement a WAF D. SQL injection, implement an IDS

Answer: C Explanation: The attack being attempted is directory traversal, which is a web application attack that allows an attacker to access files and directories outside of the web root directory. A WAF can help mitigate this attack by detecting and blocking attempts to access files outside of the web root directory.

NO.42 A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA? A. One-time passwords B. Email tokens C. Push notifications D. Hardware authentication

Answer: C Explanation: Push notifications are a type of technology that allows an application or a service to send messages or alerts to a user's device without requiring the user to open the application or the service. They can be used for multi-factor authentication (MFA) by sending a prompt or a code to the user's device that the user has to approve or enter to verify their identity. They can be non-disruptive and user friendly because they do not require the user to remember or type anything, and they can be delivered instantly and securely.

NO.47 A security manager needs to assess the security posture of one of the organization's vendors. The contract with the vendor does not allow for auditing of the vendor's security controls. Which of the following should the manager request to complete the assessment? A. A service-level agreement B. A business partnership agreement C. A SOC 2 Type 2 report D. A memorandum of understanding

Answer: C Explanation: SOC 2 (Service Organization Control 2) is a type of audit report that evaluates the controls of service providers to verify their compliance with industry standards for security, availability, processing integrity, confidentiality, and privacy. A Type 2 report is based on an audit that tests the effectiveness of the controls over a period of time, unlike a Type 1 report which only evaluates the design of the controls at a specific point in time.

NO.48 A customer has reported that an organization's website displayed an image of a smiley face rather than the expected web page for a short time two days earlier. A security analyst reviews log entries and sees the following around the time of the incident: Which of the following is MOST likely occurring? A. Invalid trust chain B. Domain hijacking C. DNS poisoning D. URL redirection

Answer: C Explanation: The log entry shows the IP address for "www.example.com" being changed to a different IP address, which is likely the result of DNS poisoning. DNS poisoning occurs when an attacker is able to change the IP address associated with a domain name in a DNS server's cache, causing clients to connect to the attacker's server instead of the legitimate server.

NO.30 A desktop support technician recently installed a new document-scanning software program on a computer. However, when the end user tried to launch the program, it did not respond. Which of the following is MOST likely the cause? A. A new firewall rule is needed to access the application. B. The system was quarantined for missing software updates. C. The software was not added to the application whitelist. D. The system was isolated from the network due to infected software.

Answer: C Explanation: The most likely cause of the document-scanning software program not responding when launched by the end user is that the software was not added to the application whitelist. An application whitelist is a list of approved software applications that are allowed to run on a system. If the software is not on the whitelist, it may be blocked from running by the system's security policies.

NO.54 A security analyst is concerned about traffic initiated to the dark web from the corporate LAN. Which of the following networks should the analyst monitor? A. SFTP B. AIS C. Tor D. IoC

Answer: C Explanation: Tor (The Onion Router) is a network and software that enables anonymous communication over the internet. It routes the traffic through multiple relays and encrypts it at each layer, making it difficult to trace or monitor. It can access the dark web, which is a part of the internet that is hidden from conventional search engines and requires special software or configurations to access.

NO.128 A company is required to continue using legacy software to support a critical service. Which of the following BEST explains a risk of this practice? A. Default system configuration B. Unsecure protocols C. Lack of vendor support D. Weak encryption

Answer: C Explanation: Using legacy software to support a critical service poses a risk due to lack of vendor support. Legacy software is often outdated and unsupported, which means that security patches and upgrades are no longer available.

NO.39 Which of the following cloud models provides clients with servers, storage, and networks but nothing else? A. SaaS B. PaaS C. IaaS D. DaaS

Answer: C Explanation: IaaS (Infrastructure as a Service) is a cloud model that provides clients with servers, storage, and networks but nothing else. It allows clients to have more control and flexibility over the configuration and management of their infrastructure resources, but it also requires them to install and maintain their own operating systems, applications, etc.

NO.113 Which of the following can best protect against an employee inadvertently installing malware on a company system? A. Host-based firewall B. System isolation C. Least privilege D. Application allow list

Answer: C Explanation: Least privilege is a security principle that states that users should only be granted the permissions they need to do their job. This helps to protect against malware infections by preventing users from installing unauthorized software.

NO.22 A developer is building a new portal to deliver single-pane-of-glass management capabilities to customers with multiple firewalls. To improve the user experience, the developer wants to implement an authentication and authorization standard that uses security tokens that contain assertions to pass user information between nodes. Which of the following roles should the developer configure to meet these requirements? (Select TWO). A. Identity processor B. Service requestor C. Identity provider D. Service provider E. Tokenized resource F. Notarized referral

Answer: C,D Explanation: An identity provider (IdP) is responsible for authenticating users and generating security tokens containing user information. A service provider (SP) is responsible for accepting security tokens and granting access to resources based on the user's identity.

NO.107 Which of the following in a forensic investigation should be priorities based on the order of volatility? (Select TWO). A. Page files B. Event logs C. RAM D. Cache E. Stored files

Answer: C,D Explanation: In a forensic investigation, volatile data should be collected first, based on the order of volatility. RAM and cache are examples of volatile data.

NO.105 An employee's company account was used in a data breach. Interviews with the employee revealed: * The employee was able to avoid changing passwords by using a previous password again. * The account was accessed from a hostile, foreign nation, but the employee has never traveled to any other countries. Which of the following can be implemented to prevent these issues from recurring? (Select TWO) A. Geographic dispersal B. Password complexity C. Password history D. Geotagging E. Password lockout F. Geofencing

Answer: C,F Explanation: Two possible solutions that can be implemented to prevent these issues from recurring are password history and geofencing. Password history is a feature that prevents users from reusing their previous passwords. This can enhance password security by forcing users to create new and unique passwords periodically. Password history can be configured by setting a policy that specifies how many previous passwords are remembered and how often users must change their passwords. Geofencing is a feature that restricts access to a system or network based on the geographic location of the user or device. This can enhance security by preventing unauthorized access from hostile or foreign regions. Geofencing can be implemented by using GPS, IP address, or other methods to determine the location of the user or device and compare it with a predefined set of boundaries.

NO.117 A client sent several inquiries to a project manager about the delinquent delivery status of some critical reports. The project manager claimed the reports were previously sent via email, but then quickly generated and backdated the reports before submitting them as plain text within the body of a new email message thread. Which of the following actions MOST likely supports an investigation for fraudulent submission? A. Establish chain of custody. B. Inspect the file metadata. C. Reference the data retention policy. D. Review the email event logs.

Answer: D

NO.121 A web architect would like to move a company's website presence to the cloud. One of the management team's key concerns is resiliency in case a cloud provider's data center or network connection goes down. Which of the following should the web architect consider to address this concern? A. Containers B. Virtual private cloud C. Segmentation D. Availability zones

Answer: D

NO.126 A security engineer is reviewing the logs from a SAML application that is configured to use MFA. During this review, the engineer notices a high volume of successful logins that did not require MFA from users who were traveling internationally. The application, which can be accessed without a VPN, has a policy that allows time-based tokens to be generated. Users who changed locations should be required to reauthenticate but have been. Which of the following statements BEST explains the issue? A. OpenID is mandatory to make the MFA requirements work. B. An incorrect browser has been detected by the SAML application. C. The access device has a trusted certificate installed that is overwriting the session token. D. The user's IP address is changing between logins, but the application is not invalidating the token.

Answer: D

NO.131 A security analyst reviews web server logs and notices the following line: 104.35.45.53 - - [22/May/2020:07:00:58 +0100] "GET . UNION ALL SELECT user_login, user_pass, user_email from wp_users-- HTTP/1.1" 200 1072 http://www.example.com/wordpress/wp-admin/ Which of the following vulnerabilities is the attacker trying to exploit? A. SSRF B. CSRF C. XSS D. SQLi

Answer: D

NO.134 The management team has requested that the security team implement 802.1X into the existing wireless network setup. The following requirements must be met: * Minimal interruption to the end user * Mutual certificate validation Which of the following authentication protocols would meet these requirements? A. EAP-FAST B. PSK C. EAP-TTLS D. EAP-TLS

Answer: D

NO.56 A security administrator is seeking a solution to prevent unauthorized access to the internal network. Which of the following security solutions should the administrator choose? A. MAC filtering B. Anti-malware C. Translation gateway D. VPN

Answer: D

NO.65 Which of the following involves the inclusion of code in the main codebase as soon as it is written? A. Continuous monitoring B. Continuous deployment C. Continuous Validation D. Continuous integration

Answer: D

NO.70 one of the attendees starts to notice delays in the connection, and the HTTPS site requests are reverting to HTTP. Which of the following BEST describes what is happening? A. Birthday collision on the certificate key B. DNS hacking to reroute traffic C. Brute force to the access point D. An SSL/TLS downgrade

Answer: D

NO.71 To reduce and limit software and infrastructure costs, the Chief Information Officer has requested to move email services to the cloud. The cloud provider and the organization must have security controls to protect sensitive data. Which of the following cloud services would best accommodate the request? A. IaaS B. PaaS C. DaaS D. SaaS

Answer: D

NO.74 A security administrator is setting up a SIEM to help monitor for notable events across the enterprise. Which of the following control types does this BEST represent? A. Preventive B. Compensating C. Corrective D. Detective

Answer: D

NO.77 A company is launching a website in a different country in order to capture user information that a marketing business can use. The company itself will not be using the information. Which of the following roles is the company assuming? A. Data owner B. Data processor C. Data steward D. Data collector

Answer: D

NO.83 After multiple on-premises security solutions were migrated to the cloud, the incident response time increased. The analysts are spending a long time trying to trace information on different cloud consoles and correlating data in different formats. Which of the following can be used to optimize the incident response time? A. CASB B. VPC C. SWG D. CMS

Answer: D

NO.87 A security architect is working on an email solution that will send sensitive data. However, funds are not currently available in the budget for building additional infrastructure. Which of the following should the architect choose? A. POP B. IPSec C. IMAP D. PGP

Answer: D

NO.89 Developers are writing code and merging it into shared repositories several times a day, where it is tested automatically. Which of the following concepts does this BEST represent? A. Functional testing B. Stored procedures C. Elasticity D. Continuous integration

Answer: D

NO.94 Which of the following would most likely include language prohibiting end users from accessing personal email from a company device? A. SLA B. BPA C. NDA D. AUP

Answer: D

NO.95 Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build? A. Production B. Test C. Staging D. Development

Answer: D

NO.96 A company is moving to a new location. The systems administrator has provided the following server room requirements to the facilities staff: * Consistent power levels in case of brownouts or voltage spikes * A minimum of 30 minutes of runtime following a power outage * Ability to trigger graceful shutdowns of critical systems Which of the following would BEST meet the requirements? A. Maintaining a standby, gas-powered generator B. Using large surge suppressors on computer equipment C. Configuring managed PDUs to monitor power levels D. Deploying an appropriately sized, network-connected UPS device

Answer: D

NO.31 A company has numerous employees who store PHI data locally on devices. The Chief Information Officer wants to implement a solution to reduce external exposure of PHI but not affect the business. The first step the IT team should perform is to deploy a DLP solution: A. for only data in transit. B. for only data at rest. C. in blocking mode. D. in monitoring mode.

Answer: D Explanation: A DLP solution in monitoring mode is a good first step to deploy for data loss prevention. It allows the IT team to observe and analyze the data flows and activities without blocking or interfering with them. It helps to identify the sources and destinations of sensitive data, the types and volumes of data involved, and the potential risks and violations. It also helps to fine-tune the DLP policies and rules before switching to blocking mode, which can disrupt business operations if not configured properly.

NO.40 A security administrator needs to inspect in-transit files on the enterprise network to search for PII, credit card data, and classification words. Which of the following would be the best to use? A. IDS solution B. EDR solution C. HIPS software solution D. Network DLP solution

Answer: D Explanation: A network DLP (Data Loss Prevention) solution is a tool that monitors and controls the data that is transmitted over a network. It can inspect in-transit files on the enterprise network to search for PII (Personally Identifiable Information), credit card data, and classification words by using predefined rules and policies, and then block, encrypt, quarantine, or alert on any sensitive data that is detected or leaked.

NO.28 A security administrator wants to implement a program that tests a user's ability to recognize attacks over the organization's email system. Which of the following would be BEST suited for this task? A. Social media analysis B. Annual information security training C. Gamification D. Phishing campaign

Answer: D Explanation: A phishing campaign is a simulated attack that tests a user's ability to recognize attacks over the organization's email system. Phishing campaigns can be used to train users on how to identify and report suspicious emails.

NO.41 A backup operator wants to perform a backup to enhance the RTO and RPO in a highly time- and storage-efficient way that has no impact on production systems. Which of the following backup types should the operator use? A. Tape B. Full C. Image D. Snapshot

Answer: D Explanation: A snapshot backup is a type of backup that captures the state of a system at a point in time. It is highly time- and storage-efficient because it only records the changes made to the system since the last backup. It also has no impact on production systems because it does not require them to be offline or paused during the backup process.

NO.38 The help desk has received calls from users in multiple locations who are unable to access core network services. The network team has identified and turned off the network switches using remote commands. Which of the following actions should the network team take NEXT? A. Disconnect all external network connections from the firewall. B. Send response teams to the network switch locations to perform updates. C. Turn on all the network switches by using the centralized management software. D. Initiate the organization's incident response plan.

Answer: D Explanation: An incident response plan is a set of procedures and guidelines that defines how an organization should respond to a security incident. An incident response plan typically includes the following phases: preparation, identification, containment, eradication, recovery, and lessons learned. If the help desk has received calls from users in multiple locations who are unable to access core network services, it could indicate that a network outage or a denial-of-service attack has occurred.

NO.44 During an assessment, a systems administrator found several hosts running FTP and decided to immediately block FTP communications at the firewall. Which of the following describes the greatest risk associated with using FTP? A. Private data can be leaked B. FTP is prohibited by internal policy. C. Users can upload personal files D. Credentials are sent in cleartext

Answer: D Explanation: The greatest risk associated with using FTP is that credentials are sent in cleartext. FTP is an old protocol that does not encrypt the data or the credentials that are transmitted over the network. This means that anyone who can capture the network traffic can see the usernames and passwords of the FTP users, as well as the files they are transferring.

NO.51 A user is trying to upload a tax document, which the corporate finance department requested, but a security program is prohibiting the upload. A security analyst determines the file contains PII. Which of the following steps can the analyst take to correct this issue? A. Create a URL filter with an exception for the destination website. B. Add a firewall rule to the outbound proxy to allow file uploads C. Issue a new device certificate to the user's workstation. D. Modify the exception list on the DLP to allow the upload

Answer: D Explanation: Data Loss Prevention (DLP) policies are used to identify and protect sensitive data, and often include a list of exceptions that allow certain types of data to be uploaded or shared. By modifying the exception list on the DLP, the security analyst can allow the tax document to be uploaded without compromising the security of the system.

NO.133 Which of the following technologies is used to actively monitor for specific file types being transmitted on the network? A. File integrity monitoring B. Honeynets C. Tcpreplay D. Data loss prevention

Answer: D Explanation: Data loss prevention (DLP) is a technology used to actively monitor for specific file types being transmitted on the network.

NO.32 Which of the following incident response steps occurs before containment? A. Eradication B. Recovery C. Lessons learned D. Identification

Answer: D Explanation: Identification is the first step in the incident response process, which involves recognizing that an incident has occurred. Containment is the second step, followed by eradication, recovery, and lessons learned.

NO.127 A systems engineer thinks a business system has been compromised and is being used to exfiltrate data to a competitor. The engineer contacts the CSIRT. The CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else. Which of the following is the most likely reason for this request? A. The CSIRT thinks an insider threat is attacking the network B. Outages of business-critical systems cost too much money C. The CSIRT does not consider the systems engineer to be trustworthy D. Memory contents including fileless malware are lost when the power is turned off

Answer: D Explanation: Memory contents, including fileless malware, are lost when the power is turned off. This is because memory is volatile storage that requires constant power to retain data.

NO.1 Which of the following provides a catalog of security and privacy controls related to the United States federal information systems? A. GDPR B. PCI DSS C. ISO 27000 D. NIST 800-53

Answer: D Explanation: NIST 800-53 provides a catalog of security and privacy controls related to the United States federal information systems. Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 3: Architecture and Design, pp. 123-125

NO.19 The security team received a report of copyright infringement from the IP space of the corporate network. The report provided a precise time stamp for the incident as well as the name of the copyrighted files. The analyst has been tasked with determining the infringing source machine and instructed to implement measures to prevent such incidents from occurring again. Which of the following is MOST capable of accomplishing both tasks? A. HIDS B. Allow list C. TPM D. NGFW

Answer: D Explanation: Next-Generation Firewalls (NGFWs) are designed to provide advanced threat protection by combining traditional firewall capabilities with intrusion prevention, application control, and other security features. NGFWs can detect and block unauthorized access attempts, malware infections, and other suspicious activity. They can also be used to monitor file access and detect unauthorized copying or distribution of copyrighted material.

NO.36 A security architect is designing a remote access solution for a business partner. The business partner needs to access one Linux server at the company. The business partner wants to avoid managing a password for authentication and additional software installation. Which of the following should the architect recommend? A. Soft token B. Smart card C. CSR D. SSH key

Answer: D Explanation: An SSH key is a pair of cryptographic keys that can be used for authentication and encryption when connecting to a remote Linux server via the SSH protocol. SSH key authentication does not require a password and is more secure than password-based authentication. SSH key authentication also does not require additional software installation on the client or the server, as SSH is a built-in feature of most Linux distributions. A business partner can generate an SSH key pair on their own computer and send the public key to the company, who can then add it to the authorized_keys file on the Linux server. This way, the business partner can access the Linux server without entering a password or installing any software.

NO.27 When planning to build a virtual environment, an administrator needs to achieve the following: * Establish policies to limit who can create new VMs * Allocate resources according to actual utilization * Require justification for requests outside of the standard requirements * Create standardized categories based on size and resource requirements Which of the following is the administrator MOST likely trying to do? A. Implement IaaS replication B. Protect against VM escape C. Deploy a PaaS D. Avoid VM sprawl

Answer: D Explanation: The administrator is most likely trying to avoid VM sprawl, which occurs when too many VMs are created and managed poorly, leading to resource waste and increased security risks. The listed actions can help establish policies, resource allocation, and categorization to prevent unnecessary VM creation and ensure proper management.

NO.8 A store receives reports that shoppers' credit card information is being stolen. Upon further analysis, those same shoppers also withdrew money from an ATM in that store. The attackers are using the targeted shoppers' credit card information to make online purchases. Which of the following attacks is the MOST probable cause? A. Identity theft B. RFID cloning C. Shoulder surfing D. Card skimming

Answer: D Explanation: The attackers are using card skimming to steal shoppers' credit card information, which they use to make online purchases. Reference: CompTIA Security+ Study Guide Exam SY0-601, Chapter 5

NO.49 A retail company that is launching a new website to showcase the company's product line and other information for online shoppers registered the following URLs: * www.companysite.com * shop.companysite.com * about-us.companysite.com * contact-us.companysite.com * secure-logon.companysite.com Which of the following should the company use to secure its website if the company is concerned with convenience and cost? A. A self-signed certificate B. A root certificate C. A code-signing certificate D. A wildcard certificate E. An extended validation certificate

Answer: D Explanation: The company can use a wildcard certificate to secure its website if it is concerned with convenience and cost. A wildcard certificate can secure multiple subdomains, which makes it cost-effective and convenient for securing the various registered domains.

NO.23 A network analyst is setting up a wireless access point for a home office in a remote, rural location. The requirement is that users need to connect to the access point securely but do not want to have to remember passwords. Which of the following should the network analyst enable to meet the requirement? A. MAC address filtering B. 802.1X C. Captive portal D. WPS

Answer: D Explanation: The network analyst should enable Wi-Fi Protected Setup (WPS) to allow users to connect to the wireless access point securely without having to remember passwords. WPS allows users to connect to a wireless network by pressing a button or entering a PIN instead of entering a password.

NO.11 A security researcher is using an adversary's infrastructure and TTPs and creating a named group to track those targeted. Which of the following is the researcher MOST likely using? A. The Cyber Kill Chain B. The incident response process C. The Diamond Model of Intrusion Analysis D. MITRE ATT&CK

Answer: D Explanation: The researcher is most likely using the MITRE ATT&CK framework. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. It helps security teams better understand and track adversaries by creating a named group, which aligns with the scenario described in the question.

NO.106 An organization's Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities? A. Data protection officer B. Data owner C. Backup administrator D. Data custodian E. Internal auditor

Answer: D Explanation: The responsibilities of ensuring backups are properly maintained and implementing technical controls to protect data are the responsibilities of the data custodian role. Reference: CompTIA Security+ Study Guide by Emmett Dulaney, Chapter 7: Securing Hosts and Data, Data Custodian

NO.108 A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output: CPU 0 percent busy, from 300 sec ago 1 sec ave: 99 percent busy 5 sec ave: 97 percent busy 1 min ave: 83 percent busy Which of the following is the router experiencing? A. DDoS attack B. Memory leak C. Buffer overflow D. Resource exhaustion

Answer: D Explanation: The router is experiencing a resource exhaustion issue. The output from the command indicates that the CPU is consistently busy, with a 1-second average of 99 percent busy and a 1-minute average of 83 percent busy. This indicates that the router is struggling to keep up with the demands placed on it, potentially due to a high volume of traffic or other factors. As a result, web pages are experiencing long load times. This is an example of resource exhaustion, where the router's resources are being overwhelmed and are unable to meet the demands placed on them. A DDoS attack, memory leak, or buffer overflow would not typically cause the symptoms described in the scenario.

NO.93 Which of the following would a security analyst use to determine if other companies in the same sector have seen similar malicious activity against their systems? A. Vulnerability scanner B. Open-source intelligence C. Packet capture D. Threat feeds

Answer: D Explanation: Threat feeds, also known as threat intelligence feeds, are a source of information about current and emerging threats, vulnerabilities, and malicious activities targeting organizations. Security analysts use threat feeds to gather information about attacks and threats targeting their industry or sector.

NO.21 A desktop computer was recently stolen from a desk located in the lobby of an office building. Which of the following would be the best way to secure a replacement computer and deter future theft? A. Installing proximity card readers on all entryway doors B. Deploying motion sensor cameras in the lobby C. Encrypting the hard drive on the new desktop D. Using cable locks on the hardware

Answer: D Explanation: Using cable locks on the hardware can be an effective way to secure a desktop computer and deter future theft. Cable locks are physical security devices that attach to the computer case and to a nearby stationary object, such as a desk or wall. This makes it more difficult for a thief to remove the computer without damaging it or attracting attention.

NO.37 An organization has hired a security analyst to perform a penetration test. The analyst captures 1Gb worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap? A. Nmap B. CURL C. Neat D. Wireshark

Answer: D Explanation: Wireshark is a tool that can analyze pcap files, which are files that capture network traffic. Wireshark can display the packets, protocols, and other details of the network traffic in a graphical user interface. Nmap is a tool that can scan networks and hosts for open ports and services. CURL is a tool that can transfer data from or to a server using various protocols. Neat is a tool that can test network performance and quality.
