Security + Part 1 questions (CORRECTED ANSWERS)


A security engineer needs to implement the following requirements:
✑ All Layer 2 switches should leverage Active Directory for authentication.
✑ All Layer 2 switches should use local fallback authentication if Active Directory is offline.
✑ All Layer 2 switches are not the same and are manufactured by several vendors.
Which of the following actions should the engineer take to meet these requirements? (Choose two.) A. Implement RADIUS. B. Configure AAA on the switch with local login as secondary. C. Configure port security on the switch with the secondary login method. D. Implement TACACS+. E. Enable the local firewall on the Active Directory server. F. Implement a DHCP server.

A. Implement RADIUS. C. Configure port security on the switch with the secondary login method.

Which of the following BEST describes the method a security analyst would use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted using a verified checksum? A. Hashing B. Salting C. Integrity D. Digital signature

A. Hashing

A security administrator checks the table of a network switch, which shows the following output: Which of the following is happening to this switch? A. MAC flooding B. DNS poisoning C. MAC cloning D. ARP poisoning

A. MAC flooding

A company recently set up an e-commerce portal to sell its product online. The company wants to start accepting credit cards for payment, which requires compliance with a security standard. Which of the following standards must the company comply with before accepting credit cards on its e-commerce platform? A. PCI DSS B. ISO 22301 C. ISO 27001 D. NIST CSF

A. PCI DSS

A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery? A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis. B. Restrict administrative privileges and patch all systems and applications. C. Rebuild all workstations and install new antivirus software. D. Implement application whitelisting and perform user application hardening.

A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis.

A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the Internet all day. Which of the following would MOST likely show where the malware originated? A. The DNS logs B. The web server logs C. The SIP traffic logs D. The SNMP logs

A. The DNS logs

A security analyst needs to determine how an attacker was able to use User3 to gain a foothold within a company's network. The company's lockout policy requires that an account be locked out for a minimum of 15 minutes after three unsuccessful attempts. While reviewing the log files, the analyst discovers the following: Which of the following attacks MOST likely occurred? A. Dictionary B. Credential-stuffing C. Password-spraying D. Brute-force

B. Credential-stuffing

A security analyst has received an alert about PII being sent via email. The analyst's Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate? A. S/MIME B. DLP C. IMAP D. HIDS

B. DLP

A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent the exfiltration of data? (Choose two.) A. VPN B. Drive encryption C. Network firewall D. File-level encryption E. USB blocker F. MFA

B. Drive encryption E. USB blocker

A Chief Security Officer (CSO) is concerned about the amount of PII that is stored locally on each salesperson's laptop. The sales department has a higher-than-average rate of lost equipment. Which of the following recommendations would BEST address the CSO's concern? A. Deploy an MDM solution. B. Implement managed FDE. C. Replace all hard drives with SEDs. D. Install DLP agents on each laptop.

B. Implement managed FDE.

A security analyst discovers that a company's username and password database was posted on an Internet forum. The usernames and passwords are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future? A. Create DLP controls that prevent documents from leaving the network. B. Implement salting and hashing. C. Configure the web content filter to block access to the forum. D. Increase password complexity requirements.

B. Implement salting and hashing.

A client sent several inquiries to a project manager about the delinquent delivery status of some critical reports. The project manager claimed the reports were previously sent via email, but then quickly generated and backdated the reports before submitting them as plain text within the body of a new email message thread. Which of the following actions MOST likely supports an investigation for fraudulent submission? A. Establish chain of custody B. Inspect the file metadata C. Reference the data retention policy D. Review the email event log

B. Inspect the file metadata

A security analyst needs to complete an assessment. The analyst is logged into a server and must use native tools to map services running on it to the server's listening ports. Which of the following tools can BEST accomplish this task? A. Netcat B. Netstat C. Nmap D. Nessus

B. Netstat

Which of the following would be BEST for a technician to review to determine the total risk an organization can bear when assessing a "cloud-first" adoption strategy? A. Risk matrix B. Risk tolerance C. Risk register D. Risk appetite

B. Risk tolerance

A security analyst is reviewing a new website that will soon be made publicly available. The analyst sees the following in the URL: http://dev-site.comptia.org/home/show.php?sessionID=77276554&loc=us The analyst then sends an internal user a link to the new website for testing purposes, and when the user clicks the link, the analyst is able to browse the website with the following URL: http://dev-site.comptia.org/home/show.php?sessionID=98988475&loc=us Which of the following application attacks is being tested? A. Pass-the-hash B. Session replay C. Object dereference D. Cross-site request forgery

B. Session replay

Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build? A. Production B. Test C. Staging D. Development

B. Test

Users have been issued smart cards that provide physical access to a building. The cards also contain tokens that can be used to access information systems. Users can log in to any thin client located throughout the building and see the same desktop each time. Which of the following technologies are being utilized to provide these capabilities? (Choose two.) A. COPE B. VDI C. GPS D. TOTP E. RFID F. BYOD

B. VDI E. RFID

An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has been given all the developer's documentation about the internal architecture. Which of the following BEST represents the type of testing that will occur? A. Bug bounty B. White-box C. Black-box D. Gray-box

B. White-box

A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which is only used for the early detection of attacks. The security analyst then reviews the following application log: Which of the following can the security analyst conclude? A. A replay attack is being conducted against the application. B. An injection attack is being conducted against a user authentication system. C. A service account password may have been changed, resulting in continuous failed logins within the application. D. A credentialed vulnerability scanner attack is testing several CVEs against the application.

C. A service account password may have been changed, resulting in continuous failed logins within the application.

A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the fastest check with the least delay to determine if the certificate has been revoked. Which of the following would BEST meet these requirements? A. RA B. OCSP C. CRL D. CSR

C. CRL

An external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the DMZ and moved to the sensitive information, generating multiple logs as the attacker traversed through the network. Which of the following will BEST assist with this investigation? A. Perform a vulnerability scan to identify the weak spots B. Use a packet analyzer to investigate the NetFlow traffic C. Check the SIEM to review the correlated logs D. Require access to the routers to view current sessions

C. Check the SIEM to review the correlated logs

A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring? A. CASB B. SWG C. Containerization D. Automated failover

C. Containerization

Which of the following technical controls is BEST suited for the detection and prevention of buffer overflows on hosts? A. DLP B. HIDS C. EDR D. NIPS

C. EDR

A network administrator would like to configure a site-to-site VPN utilizing IPsec. The administrator wants the tunnel to be established with data integrity, encryption, authentication, and anti-replay functions. Which of the following should the administrator use when configuring the VPN? A. AH B. EDR C. ESP D. DNSSEC

C. ESP

An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate datacenter that houses confidential information. There is a firewall at the Internet border, followed by a DLP appliance, the VPN server, and the datacenter itself. Which of the following is the WEAKEST design element? A. The DLP appliance should be integrated into a NGFW B. Split-tunnel connections can negatively impact the DLP appliance's performance C. Encrypted VPN traffic will not be inspected when entering or leaving the network D. Adding two hops in the VPN tunnel may slow down remote connections

C. Encrypted VPN traffic will not be inspected when entering or leaving the network

A RAT that was used to compromise an organization's banking credentials was found on a user's computer. The RAT evaded antivirus detection. It was installed by a user who has local administrator rights to the system as part of a remote management tool set. Which of the following recommendations would BEST prevent this from reoccurring? A. Create a new acceptable use policy. B. Segment the network into trusted and untrusted zones. C. Enforce application whitelisting. D. Implement DLP at the network boundary.

C. Enforce application whitelisting.

Customers reported their antivirus software flagged one of the company's primary software products as suspicious. The company's Chief Information Security Officer has tasked the developer with determining a method to create a trust model between the software and the customer's antivirus software. Which of the following would be the BEST solution? A. Code signing B. Domain validation C. Extended validation D. Self-signing

C. Extended validation

Which of the following would MOST likely support the integrity of a voting machine? A. Asymmetric encryption B. Blockchain C. Transport Layer Security D. Perfect forward secrecy

B. Blockchain

Which of the following should be put in place when negotiating with a new vendor about the timeliness of the response to a significant outage or incident? A. MOU B. MTTR C. SLA D. NDA

C. SLA

A database administrator needs to ensure all passwords are stored in a secure manner, so the administrator adds randomly generated data to each password before storing. Which of the following techniques BEST explains this action? A. Predictability B. Key stretching C. Salting D. Hashing

C. Salting

An organization needs to implement more stringent controls over administrator/root credentials and service accounts. Requirements for the project include:
✑ Check-in/checkout of credentials
✑ The ability to use but not know the password
✑ Automated password changes
✑ Logging of access to credentials
Which of the following solutions would meet the requirements? A. OAuth 2.0 B. Secure Enclave C. A privileged access management system D. An OpenID Connect authentication system

D. An OpenID Connect authentication system

When planning to build a virtual environment, an administrator needs to achieve the following:
✑ Establish policies to limit who can create new VMs.
✑ Allocate resources according to actual utilization.
✑ Require justification for requests outside of the standard requirements.
✑ Create standardized categories based on size and resource requirements.
Which of the following is the administrator MOST likely trying to do? A. Implement IaaS replication B. Protect against VM escape C. Deploy a PaaS D. Avoid VM sprawl

D. Avoid VM sprawl

A financial organization has adopted a new secure, encrypted document-sharing application to help with its customer loan process. Some important PII needs to be shared across this new platform, but it is getting blocked by the DLP systems. Which of the following actions will BEST allow the PII to be shared with the secure application without compromising the organization's security posture? A. Configure the DLP policies to allow all PII B. Configure the firewall to allow all ports that are used by this application C. Configure the antivirus software to allow the application D. Configure the DLP policies to whitelist this application with the specific PII E. Configure the application to encrypt the PII

D. Configure the DLP policies to whitelist this application with the specific PII

An engineer wants to access sensitive data from a corporate-owned mobile device. Personal data is not allowed on the device. Which of the following MDM configurations must be considered when the engineer travels for business? A. Screen locks B. Application management C. Geofencing D. Containerization

D. Containerization

A security analyst needs to perform periodic vulnerability scans on production systems. Which of the following scan types would produce the BEST vulnerability scan report? A. Port B. Intrusive C. Host discovery D. Credentialed

D. Credentialed

A security engineer is reviewing log files after a third party discovered usernames and passwords for the organization's accounts. The engineer sees there was a change in the IP address for a vendor website one week earlier. This change lasted eight hours. Which of the following attacks was MOST likely used? A. Man-in-the-middle B. Spear phishing C. Evil twin D. DNS poisoning

D. DNS poisoning

An organization regularly scans its infrastructure for missing security patches but is concerned about hackers gaining access to the scanner's account. Which of the following would be BEST to minimize this risk while ensuring the scans are useful? A. Require a complex, eight-character password that is updated every 90 days. B. Perform only non-intrusive scans of workstations. C. Use non-credentialed scans against high-risk servers. D. Log and alert on unusual scanner account logon times.

D. Log and alert on unusual scanner account logon times.

A cybersecurity administrator has a reduced team and needs to operate an on-premises network and security infrastructure efficiently. To help with the situation, the administrator decides to hire a service provider. Which of the following should the administrator use? A. SDP B. AAA C. IaaS D. MSSP E. Microservices

D. MSSP

The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve security in the environment and protect patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns? A. SSO would simplify username and password management, making it easier for hackers to guess accounts. B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords. C. SSO would reduce the password complexity for frontline staff. D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.

D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.

Which of the following BEST describes the MFA attribute that requires a callback on a predefined landline? A. Something you exhibit B. Something you can do C. Something you know D. Something you are

D. Something you are

A privileged user at a company stole several proprietary documents from a server. The user also went into the log files and deleted all records of the incident. The systems administrator has just informed investigators that other log files are available for review. Which of the following did the administrator MOST likely configure that will assist the investigators? A. Memory dumps B. The syslog server C. The application log D. The log retention policy

D. The log retention policy

The manager who is responsible for a data set has asked a security engineer to apply encryption to the data on a hard disk. The security engineer is an example of a: A. data controller. B. data owner. C. data custodian. D. data processor.

D. data processor.

A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better: A. validate the vulnerability exists in the organization's network through penetration testing. B. research the appropriate mitigation techniques in a vulnerability database. C. find the software patches that are required to mitigate a vulnerability. D. prioritize remediation of vulnerabilities based on the possible impact.

D. prioritize remediation of vulnerabilities based on the possible impact.

Several employees return to work the day after attending an industry trade show. That same day, the security manager notices several malware alerts coming from each of the employees' workstations. The security manager investigates but finds no signs of an attack on the perimeter firewall or the NIDS. Which of the following is MOST likely causing the malware alerts? A. A worm that has propagated itself across the intranet, which was initiated by presentation media B. A malicious PowerShell script that was attached to an email and transmitted to multiple employees C. A Trojan that has passed through and executed malicious code on the hosts D. A USB flash drive that is trying to run malicious code but is being blocked by the host firewall

A. A worm that has propagated itself across the intranet, which was initiated by presentation media

A manufacturer creates designs for very high security products that are required to be protected and controlled by government regulations. These designs are not accessible by corporate networks or the Internet. Which of the following is the BEST solution to protect these designs? A. An air gap B. A Faraday cage C. A shielded cable D. A demilitarized zone

A. An air gap

Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations. Which of the following documents did Ann receive? A. An annual privacy notice B. A non-disclosure agreement C. A privileged-user agreement D. A memorandum of understanding

A. An annual privacy notice

Which of the following describes the BEST approach for deploying application patches? A. Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production systems. B. Test the patches in a staging environment, develop against them in the development environment, and then apply them to the production systems. C. Test the patches in a test environment, apply them to the production systems, and then apply them to a staging environment. D. Apply the patches to the production systems, apply them in a staging environment, and then test all of them in a testing environment.

A. Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production systems.

A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help accomplish this goal? A. Classify the data B. Mask the data C. Assign the application owner D. Perform a risk analysis

A. Classify the data

During a routine scan of a wireless segment at a retail company, a security administrator discovers several devices are connected to the network that do not match the company's naming convention and are not in the asset inventory. WiFi access is protected with 256-bit encryption via WPA2. Physical access to the company's facility requires two-factor authentication using a badge and a passcode. Which of the following should the administrator implement to find and remediate the issue? (Choose two.) A. Check the SIEM for failed logins to the LDAP directory. B. Enable MAC filtering on the switches that support the wireless network. C. Run a vulnerability scan on all the devices in the wireless network. D. Deploy multifactor authentication for access to the wireless network. E. Scan the wireless network for rogue access points. F. Deploy a honeypot on the network.

B. Enable MAC filtering on the switches that support the wireless network. E. Scan the wireless network for rogue access points.

A security administrator is analyzing the corporate wireless network. The network only has two access points running on channels 1 and 11. While using airodump-ng, the administrator notices other access points are running with the same corporate ESSID on all available channels and with the same BSSID as one of the legitimate access points. Which of the following attacks is happening on the corporate network? A. Man in the middle B. Evil twin C. Jamming D. Rogue access point E. Disassociation

B. Evil twin

A user contacts the help desk to report the following: Two days ago, a pop-up browser window prompted the user for a name and password after connecting to the corporate wireless SSID. This had never happened before, but the user entered the information as requested. The user was able to access the Internet but had trouble accessing the department share until the next day. The user is now getting notifications from the bank about unauthorized transactions. Which of the following attack vectors was MOST likely used in this scenario? A. Rogue access point B. Evil twin C. DNS poisoning D. ARP poisoning

B. Evil twin

A large industrial system's smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the company's security manager notices the generator's IP is sending packets to an internal file server's IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities? A. Segmentation B. Firewall whitelisting C. Containment D. Isolation

B. Firewall whitelisting

A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP connections. The analyst is unsure what is required to perform the task and solicits help from a senior colleague. Which of the following is the FIRST step the senior colleague will most likely tell the analyst to perform to accomplish this task? A. Create an OCSP B. Generate a CSR. C. Create a CRL. D. Generate a .pfx file.

B. Generate a CSR.

A network administrator is concerned about users being exposed to malicious content when accessing company cloud applications. The administrator wants to be able to block access to sites based on the AUP. The users must also be protected because many of them work from home or at remote locations, providing on-site customer support. Which of the following should the administrator employ to meet these criteria? A. Implement NAC. B. Implement an SWG. C. Implement a URL filter. D. Implement an MDM.

B. Implement an SWG.
