S+ 1050-1100

A. Network tap

QUESTION 1033 A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic. Which of the following should be used for the IDS implementation? A. Network tap B. Honeypot C. Aggregation D.Port mirror

A. nslookup server2 192.168.1.10

QUESTION 1034 A systems administrator wants to determine if two DNS servers are configured to have the same record for IP address 192.168.1.10. The systems administrator has verified the record on Server1 and now needs to verify the record on Server2. Which of the following commands should the systems administrator run? A. nslookup server2 192.168.1.10 B. nc -1 -p 53 192.168.1.10 -e server2 C. tcpdump -1nv host 192.168.1.10 or host server2 D.dig -x 192.168.1.10 @server2

A. A nation-state

QUESTION 1035 A sensitive manufacturing facility has recently noticed an abnormal number of assembly-line robot failures. Upon intensive investigation, the facility discovers many of the SCADA controllers have been infected by a new strain of malware that uses a zero-day flaw in the operating system. Which of the following types of malicious actors is MOST likely behind this attack? A. A nation-state B. A political hacktivist C. An insider threat D.A competitor

D. Use a service account and prohibit users from accessing this account for development work.

QUESTION 1036 A systems developer needs to provide machine-to-machine interface between an application and a database server in the production environment. This interface will exchange data once per day. Which of the following access control account practices would BEST be used in this situation? A. Establish a privileged interface group and apply read-write permission to the members of that group. B. Submit a request for account privilege escalation when the data needs to be transferred. C. Install the application and database on the same server and add the interface to the local administrator group. D.Use a service account and prohibit users from accessing this account for development work.

A. something you have.

QUESTION 1037 Using a one-time code that has been texted to a smartphone is an example of: A. something you have. B. something you are. C. something you know. D.something you do.

C. Implement containerization on the workstations.

QUESTION 1038 An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues. Which of the following should a security engineer employ to fulfill the requirements for the manager? A. Install a web application firewall. B. Install HIPS on the team's workstations. C. Implement containerization on the workstations. D.Configure whitelisting for the team.

A. The web servers' CA full certificate chain must be installed on the UTM.

QUESTION 1039 A systems administrator has installed a new UTM that is capable of inspecting SSL/TLS traffic for malicious payloads. All inbound network traffic coming from the Internet and terminating on the company's secure web servers must be inspected. Which of the following configurations would BEST support this requirement? ' A. The web servers' CA full certificate chain must be installed on the UTM. B. The UTM's certificate pair must be installed on the web servers. C. The web servers' private certificate must be installed on the UTM. D.The UTM and web servers must use the same certificate authority.

C. Snapshot

QUESTION 1040 A first responder needs to collect digital evidence from a compromised headless virtual host. Which of the following should the first responder collect FIRST? A. Virtual memory B. BIOS configuration C. Snapshot D.RAM

C. Use WPA2-Enterprise with RADIUS and disable pre-shared keys.

QUESTION 1041 An organization wants to set up a wireless network in the most secure way. Budget is not a major consideration, and the organization is willing to accept some complexity when clients are connecting. It is also willing to deny wireless connectivity for clients who cannot be connected in the most secure manner. Which of the following would be the MOST secure setup that conforms to the organization's requirements? A. Enable WPA2-PSK for older clients and WPA2-Enterprise for all other clients. B. Enable WPA2-PSK, disable all other modes, and implement MAC filtering along with port security. C. Use WPA2-Enterprise with RADIUS and disable pre-shared keys. D.Use WPA2-PSK with a 24-character complex password and change the password monthly.

A. lot devices have built-in accounts that users rarely access.

QUESTION 1042 which of the following is a security consideration for lot devices? A. lot devices have built-in accounts that users rarely access. B. lot devices have less processing capabilities. C. lot devices are physically segmented from each other. D.lot devices have purpose-built applications.

A. Loss of database tables

QUESTION 1043 Which of the following is MOST likely caused by improper input handling? A. Loss of database tables B. Untrusted certificate warning C. Power off reboot loop D.Breach of firewall ACLs

B. Honeypots

QUESTION 1044 A state-sponsored threat actor has launched several successful attacks against a corporate network. Although the target has a robust patch management program in place, the attacks continue in depth and scope, and the security department has no idea how the attacks are able to gain access. Given that patch management and vulnerability scanners are being used, which of the following would be used to analyze the attack methodology? A. Rogue system detection B. Honeypots C. Next-generation firewall D.Penetration test

D. Configure a RADIUS federation between the organization and the cloud provider.

QUESTION 1045 An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the following is the BEST way for the organization to integrate with the cloud application? A. Upload a separate list of users and passwords with a batch import. B. Distribute hardware tokens to the users for authentication to the cloud. C. Implement SAML with the organization's server acting as the identity provider. D.Configure a RADIUS federation between the organization and the cloud provider.

B. Location proximity to the production site

QUESTION 1046 A company is examining possible locations for a hot site. Which of the following considerations is of MOST concern if the replication technology being used is highly sensitive to network latency? A. Connection to multiple power substations B. Location proximity to the production site C. Ability to create separate caged space D.Positioning of the site across international borders

B. Review firewall and IDS logs to identify possible source IPs.

QUESTION 1047 An organization's IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization's web servers. Given the organization's stated priorities, Which of the following would be the NEXT step? A. Remove the affected servers from the network. B. Review firewall and IDS logs to identify possible source IPs. C. Identify and apply any missing operating system and software patches. D.Delete the malicious software and determine if the servers must be reimaged.

C. Supply chain

QUESTION 1049 A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the purchase. When the PCs arrived, a technician determined some NICs had been tampered with. Which of the following MOST accurately describes the security risk presented in this situation? A. Hardware root of trust B. UEFI C. Supply chain D. TPM E. Crypto-malware F.ARP poisoning

A. Spyware

QUESTION 1050 A technician is investigating a report of unusual behavior and slow performance on a company- owned laptop. The technician runs a command and reviews the following information: Based on the above information, which of the following types of malware should the technician report? A. Spyware B. Rootkit C. RATD. D.Logic bomb

A. Perform a non-credentialed scan.

QUESTION 1051 A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker would. Which of the following would BEST enable the analyst to complete the objective? A. Perform a non-credentialed scan. B. Conduct an intrusive scan. C. Attempt escalation of privilege. D.Execute a credentialed scan.

A. Without the same configuration in both development and production, there are no assurances that changed made in development will have the same effect as production.

QUESTION 1052 Which of the following BEST explains why a development environment should have the same database server secure baseline that exists in production even if there is not PII in the database? A. Without the same configuration in both development and production, there are no assurances that changed made in development will have the same effect as production. B. Attackers can extract sensitive, personal information from lower development environment database just as easily as they can from production databases. C. Databases are unique in their need to have secure configurations applied in all . environments because they are attacked more often D.Laws stipulate that database with the ability to store personal information must be secure regardless of the environment or if they actual have PII.

B. Secure configuration guide

QUESTION 1053 Which of the following documents would provide specific guidance regarding ports and protocols that should be disabled on an operating system? A. Regulatory requirements B. Secure configuration guide C. Application installation guides D.User manuals

C. Implement TACACS on the organization's network.

QUESTION 1054 An organization utilizes network devices that only support a remote administration protocol that sends credentials in cleartext over the network. Which of the following should the organization do to improve the security of the remote administration sessions? A. Upgrade the devices to models that support SSH. B. Enforce PPTP with CHAP for network devices. C. Implement TACACS on the organization's network. D.Replace SNMPv1 with SNMPv2c on network devices.

C. To minimize external RF interference with embedded processors

QUESTION 1055 In highly secure environments where the risk of malicious actors attempting to steal data is high, which of the following is the BEST reason to deploy Faraday cages? A. To provide emanation control to prevent credential harvesting B. To minimize signal attenuation over distances to maximize signal strength C. To minimize external RF interference with embedded processors D.To protect the integrity of audit logs from malicious alteration

D. Remove the DOMAIN_ADMINS group from the ALLOW_ACCESS group.

QUESTION 1056 A technician has installed a new AAA server, which will be used by the network team to control access to a company's routers and switches. The technician completes the configuration by adding the network team members to the NETWORK_TEAM group, and then adding the NETWORK_TEAM group to the appropriate ALLOW_ACCESS access list. Only members of the network team should have access to the company's routers and switches. NETWORK_TEAM Joe Anne Joanna ALLOW_ACCESS DOMAIN_USERS AUTHENTICATED_USERS NETWORK TEAM Members of the network team successfully test their ability to log on to various network devices that are configured to use the AAA server. Weeks later, an auditor asks to review the following access log sample: 5/26/2017 10:20 PERMIT: JOE 5/27/2017 13:45 PERMIT: ANNE 5/27/2017 09:12 PERMIT: JOE 5/28/2017 16:37 PERMIT: JOHN 5/29/2017 08:53 PERMIT: JOE Which of the following should the auditor recommend based on the above information? A. Configure the ALLOW_ACCESS group logic to use AND rather than OR. B. Move the NETWORK_TEAM group to the top of the ALLOW_ACCESS access list. C. Disable groups nesting for the ALLOW_ACCESS group in the AAA server. D.Remove the DOMAIN_ADMINS group from the ALLOW_ACCESS group.

A. Set password aging requirements.

QUESTION 1057 While reviewing system logs, a security analyst notices that a large number of end users are changing their passwords four times on the day the passwords are set to expire. The analyst suspects they are cycling their passwords to circumvent current password controls. Which of the following would provide a technical control to prevent this activity from occurring? A. Set password aging requirements. B. Increase the password history from three to five. C. Create an AUP that prohibits password reuse. D.Implement password complexity requirements.

A. 802.1X and OTP

QUESTION 1058 A network administrator is implementing multifactor authentication for employees who travel and use company devices remotely by using the company VPN. Which of the following would provide the required level of authentication? A. 802.1X and OTP B. Fingerprint scanner and voice recognition C. RBAC and PIN D.Username/Password and TOTP

C. Daily standups

QUESTION 1059 Which of the following BEST distinguishes Agile development from other methodologies in terms of vulnerability management? A. Cross-functional teams B. Rapid deployments C. Daily standups D. Peer review E.Creating user stories

A. Non-persistent configuration

QUESTION 1060 Which of the following strategies helps reduce risk if a rollback is needed when upgrading a critical system platform? A. Non-persistent configuration B. Continuous monitoring C. Firmware updates D.Platform diversity schemes

A. SaaS solutions offer users a complete computing solution that encompasses the software and underlying infrastructure, while the other cloud approaches offer a partial computing solution.

QUESTION 1061 Which of the following BEST explains the difference between SaaS. PaaS, and laaS? A. SaaS solutions offer users a complete computing solution that encompasses the software and underlying infrastructure, while the other cloud approaches offer a partial computing solution. B. laaS solutions provide users with the interfaces for accessing software applications hosted on a remote platform, while the other cloud approaches require users to develop their own applications. C. PaaS solutions provide users with ready-made application products that do not require any additional development, while the other cloud approaches require software development before they are useful. D. SaaS provides a common set of services but not the application products; while PaaS provides the application products but not the common services, and laaS provides Internet connectivity for the customer.

A. nmap

QUESTION 1062 A systems administrator suspects that a MITM attack is underway on the local LAN. Which of the following commands should the administrator use to confirm this hypothesis and determine which workstation is launching the attack? A. nmap B. tracert C. arp D.netstat

D. A credentialed scan sees the system the way an authorized user sees the system, while a non- credentialed scan sees the system as a guest.

QUESTION 1063 Which of the following BEST explains the difference between a credentialed scan and a non- credentialed scan? A. A credentialed scan sees devices in the network, including those behind NAT, while a non- credentialed scan sees outward-facing applications. B. A credentialed scan will not show up in system logs because the scan is running with the necessary authorization, while non-credentialed scan activity will appear in the logs. C. A credentialed scan generates significantly more false positives, while a non-credentialed scan generates fewer false positives. D.A credentialed scan sees the system the way an authorized user sees the system, while a non- credentialed scan sees the system as a guest.

D. SSL VPN

QUESTION 1064 A network administrator is selecting a remote access solution. The company employees often access the network from client sites that only allow for web traffic. Which of the following remote access solutions BEST meets this need? A. PPTP B. GRE tunnel C. L2TP D.SSL VPN

A. x.mary.smith 7 B.sv. unicycleinventory_dev

QUESTION 1065 An organization has established the following account management practices with respect to naming conventions: ⦁ User accounts must have firstname.lastname ⦁ Privileged user accounts must be named kfirstname.lastname ⦁ Service accounts must be named sv.applicationname_environment There is an application called "Unicycle Inventory" running in the development (dev), staging (stg), and production (prod) environments. Mary Smith, the systems administrator, is checking account permissions on the application servers in the development environment. Which of the following accounts should she expect to see? (Select TWO). A. x.mary.smith 7 B. sv. unicycleinventory_dev C. sv. unicycleinventory_stg 7 D. sv. unicycleinventoryprod E.mary.smith

B. RTOS

QUESTION 1066 In the event of a breach. intrusion into which of the following systems is MOST likely to cause damage to critical infrastructure? A. SCADA B. RTOS C. UAV D.HVAC

B. Enable WPA2.

QUESTION 1067 A security administrator successfully used a tool to guess a six-digit code and retrieve the WPA master password from a SOHO access point. Which of the following should the administrator configure to prevent this type of attack? A. Disable WPS. B. Enable WPA2. C. Configure CCMP. D.Implement TKIP.

D. HMAC

QUESTION 1068 Which of the following can be used to obfuscate malicious code without the need to use a key to reverse the encryption process? A. ROT13 B. MD4 C. ECDHE D.HMAC

D. Network vulnerability database

QUESTION 1069 The director of security at an organization has begun reviewing vulnerability scanner results and notices a wide range of vulnerabilities scattered across the company. Most systems appear to have OS patches applied on a consistent basis_ but there is a large variety of best practices that do not appear to be in place. Which of the following would be BEST to ensure all systems are adhering to common security standards? A. Configuration compliance B. Patch management C. Exploitation framework D.Network vulnerability database

B. SNMPv3

QUESTION 1070 A security administrator is configuring parameters on a device. The administrator fills out the following information: username uauser auth SHA1 Y3SoR0i3&1xM priv AES128 *@IOtx43qK Which of the following protocols is being configured? A. DNSSEC B. SNMPv3 C. LDAPS D. Secure IMAP E.Secure POP

D. Port 636 E.Search filter: (cn=JoeAdmin)(ou=admins)(dc=company)(dc=com)

QUESTION 1071 A company recently purchased a new application and wants to enable LDAP-based authentication for all employees using the application. Which of the following should be set to connect the application to the company LDAP server in a secure manner? (Select TWO). A. LDAP Path: ou=users,dc=company,dc=com B. LDAP Path: dc=com,dc=company,ou=users C. Port 88 D. Port 636 E. Search filter: (cn=JoeAdmin)(ou=admins)(dc=company)(dc=com) F.Search filter: (cn=dc01)(ou=computers)(dc=com)(dc=company)

A. Preventive

QUESTION 1072 Which of the following control types are alerts sent from a SIEM fulfilling based on vulnerability signatures? A. Preventive B. Corrective C. Compensating D.Detective

A. The security engineer suspects the photos contain viruses.

QUESTION 1073 During routine maintenance. a security engineer discovers many photos on a company-issued laptop. Several of the photos appear to be the same. except the file sizes are noticeably different and the image resolution is lower. The security engineer confiscates the user's laptop. Which of the following threats is the security engineer MOST likely concerned about? A. The security engineer suspects the photos contain viruses. B. The photos are taking up too much space on the user's hard drive. C. The security engineer suspects the photos contain rootkits. D.The security engineer suspects steganography is being used.

B. White box

QUESTION 1074 A security technician is evaluating a new application-vulnerability-scanning service in the cloud. This service can only be configured to scan external URLs. and this is the only information the technician has. Which of the following tests can the security technician perform? A. Black box B. White box C. Gray box D. Source code E.Regression

B. Organized crime

QUESTION 1075 After successfully breaking into several networks and infecting multiple machines with malware, hackers contact the network owners, demanding payment to remove the infection and decrypt files. The hackers threaten to publicly release information about the breach if they are not paid. Which of the following BEST describes these attackers? A. Gray hat hackers B. Organized crime C. Insiders D.Hacktivists

B. Preventing cryptographic reuse so a compromise of one operation does not affect other operations

QUESTION 1076 Which of the following BEST describes the concept of perfect forward secrecy? A. Using quantum random number generation to make decryption effectively impossible B. Preventing cryptographic reuse so a compromise of one operation does not affect other operations C. Implementing elliptic curve cryptographic algorithms with true random numbers D.The use of NDAs and policy controls to prevent disclosure of company secrets

B. Air gap

QUESTION 1077 A security technician is reviewing packet captures. The technician is aware that there is unencrypted traffic on the network. so sensitive information may be present. Which of the following physical security controls should the technician use? A. Key management B. Air gap C. Faraday cage D.Screen filter

B. RAM

QUESTION 1078 During a forensic investigation, which of the following must be addressed FIRST according to the order of volatility? A. Hard drive B. RAM C. Network attached storage D.USB flash drive

A. Screen locks C. Containerization

QUESTION 1079 All account executives are being provided with COPE devices for their use. Which of the following mobile device security practices should be enabled for these devices to protect company data? (Select TWO). A. Screen locks B. Remote wipe C. Containerization D. Full device encryption E.Push notification services

D. Nmap

QUESTION 1080 An administrator is beginning an authorized penetration test of a corporate network. Which of the following tools would BEST assist in identifying potential attacks? A. Netstat B. Honeypot C. Company directory D.Nmap

B. Username

QUESTION 1081 Which of the following is used during the identification phase when a user is trying to access a resource? A. Password B. Username C. Permission D.Ticket

C. Enabling port security

QUESTION 1082 A security administrator's review of network logs indicates unauthorized network access, the source of which appears to be wired data jacks in the lobby area. Which of the following represents the BEST course of action to prohibit this access? A. Enabling BDPU guard B. Enabling loop prevention C. Enabling port security D.Enabling anti-spoofing

A. To block electronic signals sent to erase a cell phone

QUESTION 1083 Which of the following is the proper use of a Faraday cage? A. To block electronic signals sent to erase a cell phone B. To capture packets sent to a honeypot during an attack C. To protect hard disks from access during a forensics investigation D.To restrict access to a building allowing only one person to enter at a time