Security+ 2020
If two employees are encrypting traffic between them using a single encryption key, which of the following algorithms are they using?
3DES
Which of the following security controls provides an alternative solution to a control that would be considered unpractical or excessively expensive?
Compensating
Which of the following is used to encrypt web application data?
AES
Which of the following BEST describes the purpose of authorization?
Authorization provides permissions to a resource and comes after authentication
A user loses a COPE device. Which of the following should the user do NEXT to protect the data on the device?
Call the company help desk to remotely wipe the device
A Chief Information Security Officer (CISO) has instructed the information assurance staff to act upon a fast-spreading virus. Which of the following steps in the incident response process should be taken NEXT?
Containment
When backing up a database server to LTO tape drives, the following backup schedule is used. Backups take one hour to complete: Sunday (7PM): Full backup; Monday (7PM): Incremental; Tuesday (7PM): Incremental; Wednesday (7PM): Differential; Thursday (7PM): Incremental; Friday (7PM): Incremental; Saturday (7PM): Incremental. On Friday at 9:00 p.m. there is a RAID failure on the database server. The data must be restored from backup. Which of the following is the number of backup tapes that will be needed to complete this operation?
4
After a significant amount of hiring, an organization would like to simplify the connection process to its wireless network for employees while ensuring maximum security. The Chief Information Officer (CIO) wants to get rid of any shared network passwords and require employees to use their company credentials when connecting. Which of the following should be implemented to BEST meet this requirement?
802.1X
Which of the following occurs when a vulnerability scan fails to identify an existing vulnerability?
False negative
A security analyst is performing a BIA. The analyst notes that in a disaster, failover systems must be up and running within 30 minutes. The failover systems must use backup data that is no older than one hour. Which of the following should the analyst include in the business continuity plan?
A maximum RPO of 60 minutes
Which of the following serves to warn users against downloading and installing pirated software on company devices?
AUP
A manufacturing company updates a policy that instructs employees not to enter a secure area in groups and requires each employee to swipe their badge to enter the area. When employees continue to ignore the policy, a mantrap is installed. Which of the following BEST describe the controls that were implemented to address this issue? (Select TWO)
Administrative, Physical
Which of the following development models entails several iterative and incremental software development methodologies such as Scrum?
Agile
An incident responder is preparing to acquire images and files from a workstation that has been compromised. The workstation is still powered on and running. Which of the following should be acquired LAST?
Application files on hard disk
Which of the following access management concepts is associated with file permissions?
Authorization
The Chief Information Security Officer (CISO) of an organization has tasked the security analysis team with researching and developing a multifactor authentication alternative to the existing single-factor version. The team decides that multifactor, for this organization, will mean three separate and distinct authentication methods. Which of the following options BEST meets this requirement?
Fingerprint, token, challenge question
The Chief Information Security Officer (CISO) at a large company tasks a security administrator to provide additional validation for website customers. Which of the following should the security administrator implement?
Captive portal
An organization was recently compromised by an attacker who used a server certificate with the company's domain issued by a disreputable CA. Which of the following should be used to mitigate this risk in the future?
Certificate pinning
A security engineer must install the same X.509 certificate on servers in three different domains. The client application that connects to the server performs a check to ensure the certificate matches the hostname. Which of the following should the security engineer use?
Certificate utilizing the SAN field
Which of the following control types would a backup of server data provide in case of a system issue?
Corrective
A security administrator wants to determine if a company's web servers have the latest operating system and application patches installed. Which of the following types of vulnerability scan should be conducted?
Credentialed
A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions, and registry values that are known to be associated with system vulnerabilities. Which of the following BEST describes the type of scan being performed?
Credentialed
An employee opens a web browser and types a URL into the address bar. Instead of reaching the requested site, the browser opens a completely different site. Which of the following types of attacks have MOST likely occurred? (Select TWO)
DNS hijacking, Man-in-the-browser
Users are attempting to access a company's website but are transparently redirected to another website. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the future?
DNSSEC
A first responder needs to collect digital evidence from a compromised headless virtual host. Which of the following should the first responder collect FIRST?
RAM
A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use?
Shredding
Performing a penetration test without any advance knowledge of what will be found is an example of a:
black box test
A Chief Security Officer's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives?
Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.
An accountant is attempting to log in to the internal accounting system and receives a message that the website's certificate is fraudulent. The accountant finds instructions for manually installing the new trusted root onto the local machine. Which of the following would be the company's BEST option for this situation in the future?
Implement certificate management
As part of a new BYOD rollout, a security analyst has been asked to find a way to securely store company data on personal devices. Which of the following would BEST help to accomplish this?
Implement containerization of company data.
During an assessment of a manufacturing plant, a security analyst finds several end-of-life programmable logic controllers (PLCs), which have firmware that was last updated three years ago and known vulnerabilities. Which of the following BEST mitigates the risks associated with the PLCs?
Implement network segmentation to isolate the devices.
During a recent audit, several undocumented and unpatched devices were discovered on the internal network. Which of the following can be done to prevent similar occurrences?
Implement rogue system detection and configure automated alerts for new devices
A network administrator at a large organization is reviewing methods to improve the security of the wired LAN. Any security improvement must be centrally managed and allow corporate-owned devices to have access to the intranet but limit others to Internet access only. Which of the following should the administrator recommend?
802.1X utilizing the current PKI infrastructure
A systems administrator just issued the ssh-keygen -t rsa command on a Linux terminal. Which of the following BEST describes what the rsa portion of the command represents?
A key generation algorithm
A security analyst wants to ensure the integrity of a file downloaded from the Internet. The name of the file is code.zip. The analyst uses the vendor website to determine the 160-bit fingerprint of the input, and then reviews the following output: 8532f8c0bcb335cf231ec09e02da8f77e921e4c0 code.zip Which of the following can be determined from this output?
A message digest of 160 bits should be a SHA-1 hash
Which of the following is the best example of reputation impact identified during a risk assessment?
A misconfigured firewall exposing intellectual property to the Internet
A member of the human resources department is searching for candidate resumes and encounters the following error message when attempting to access popular job search websites: Site Cannot Be Displayed: Unauthorized Access Policy Violation: Job Search User Group: Retail_Employee_Access Client Address: 10.13.78.145 DNS Server: 10.1.1.9 Proxy IP Address: 10.1.1.29 Contact your systems administrator for assistance. Which of the following would resolve this issue without compromising the company's security policies?
Add the employee to a less restrictive group on the content filter
Which of the following has the potential to create a DoS attack on a system?
A wireless access point with WPA2 connected to the network
A user needs to transmit confidential information to a third party. Which of the following should be used to encrypt the message?
AES
Which of the following encryption algorithms is used primarily to secure data at rest?
AES
An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year?
ARO
A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output: Which of the following BEST describes the attack the company is experiencing?
ARP poisoning
Which of the following types of attack is being used when an attacker responds by sending the MAC address of the attacking machine to resolve the MAC to IP address of a valid server?
ARP poisoning
The network information for a workstation is as follows: IP address/subnet mask: 172.16.17.200/24; Default gateway: 172.16.17.254; DNS server: 172.16.17.254. When the workstation's user attempts to access www.example.com, the URL that actually opens is www.notexample.com. The user successfully connects to several other legitimate URLs. Which of the following have MOST likely occurred? (Select TWO).
ARP poisoning, DNS poisoning
An organization's Chief Executive Officer (CEO) directs a newly hired computer technician to install an OS on the CEO's personal laptop. The technician performs the installation, and a software audit later in the month indicates a violation of the EULA occurred as a result. Which of the following would address this violation going forward?
AUP
Which of the following categories would the use of proximity cards, smart cards, and RSA tokens be considered when they are used together?
Access control
Which of the following BEST represents the difference between white-box and black-box penetration testing methodologies?
Access to source code
A network administrator is brute forcing accounts through a web interface. Which of the following would provide the BEST defense from an account password being discovered?
Account lockout
Which of the following concepts ensure ACL rules on a directory are functioning as expected? (Select TWO).
Accounting, Authorization
After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic?
An ACL
A security administrator has replaced the firewall and notices a number of dropped connections. After looking at the data, the security administrator sees the following information that was flagged as a possible issue: "SELECT " FROM" and '1' ='1' Which of the following can the security administrator determine from this?
An SQL injection attack is being attempted
An organization just experienced a major cyberattack incident. The attack was well coordinated, sophisticated, and highly skilled. Which of the following targeted the organization?
An advanced persistent threat
A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following: - The legitimate website's IP address is 10.1.1.20 and eRecruit.local resolves to this IP. - The forged website's IP address appears to be 10.2.12.99 based on NetFlow records. - All three of the organization's DNS servers show the website correctly resolves to the legitimate IP. - DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspect compromise. Which of the following MOST likely occurred?
An attacker temporarily poisoned a name server
A security administrator has been conducting an account permissions review that has identified several users who belong to functional groups and groups responsible for auditing the functional groups' actions. Several recent outages have not been able to be traced to any user. Which of the following should the security administrator recommend to preserve future audit log integrity?
Applying least privilege to user group membership
An organization wants to separate permissions for individuals who perform system changes from individuals who perform auditing of those system changes. Which of the following access control approaches is BEST suited for this?
Assign administrators and auditors to different groups and restrict permissions on system log files to read-only for the auditor group
A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms?
CASB
When an initialization vector is added to each encryption cycle, it is using the:
CBC cipher mode
A security administrator wants to implement a biometric system that can produce fewer false positives and negatives. When evaluating different biometric systems, which of the following is the MOST important factor to consider?
CER
A new PKI is being built at a company, but the network administrator has concerns about spikes of traffic occurring twice a day due to clients checking the status of the certificates. Which of the following should be implemented to reduce the spikes in traffic?
CRL
A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the fastest check with the least delay to determine if the certificate has been revoked. Which of the following would BEST meet these requirements?
CRL
A forensics investigator is examining a number of unauthorized payments that were reported on the company's website. Some unusual log entries show users received an email for an unwanted mailing attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be: [a href='https://www.company.com/payto.do? routing=00001111&acct=22223334&amount=250'] Click here to unsubscribe[/a] Which of the following will the forensics investigator MOST likely determine has occurred?
CSRF
Which of the following is the main difference between an XSS vulnerability and a CSRF vulnerability?
CSRF needs the victim to be authenticated to the trusted server
A security analyst is reviewing information regarding recent vulnerabilities. Which of the following will the analyst MOST likely consult to validate which platforms have been affected?
CVE
An organization wishes to allow its users to select devices for business use but does not want to overwhelm the service desk with requests for too many different device types and models. Which of the following deployment models should the organization use to BEST meet these requirements?
CYOD model
A university is opening a facility in a location where there is an elevated risk of theft. The university wants to protect the desktops in its classrooms and labs. Which of the following should the university use to BEST protect these assets deployed in the facility?
Cable locks
Given the following requirements: -Help to ensure non-repudiation -Capture motion in various formats Which of the following physical controls BEST matches the above descriptions?
Camera
A coffee company has hired an IT consultant to set up a WiFi network that will provide Internet access to customers who visit the company's chain of cafes. The coffee company had provided no requirements other than that customers should be granted access after registering via a web form and accepting the terms of service. Which of the following is the minimum acceptable configuration to meet this single requirement?
Captive portal
A company is implementing an authentication system for its wireless network. The system will be for public use and must be able to track how long a person is connected to the WiFi system for billing purposes. Which of the following would be BEST to implement in this situation?
Captive portal
A company needs to implement a system that only lets a visitor use the company's network infrastructure if the visitor accepts the AUP. Which of the following should the company use?
Captive portal
A technician wants to add wireless guest capabilities to an enterprise wireless network that is currently implementing 802.1X EAP-TLS. The guest network must: Support client isolation. Issue a unique encryption key to each client. Allow guests to register using their personal email addresses. Which of the following should the technician implement? (Select TWO).
Captive portal, A separate guest SSID
Which of the following provides the ability to attest to the integrity of a system from the initiation of an incident to the time the incident is litigated?
Chain of custody
A forensic analyst needs to collect physical evidence that may be used in legal proceedings. Which of the following should be used to ensure the evidence remains admissible in court?
Chain of custody
A company has users and printers in multiple geographic locations, and the printers are located in common areas of the office. To preserve the confidentiality of PII, a security administrator needs to implement the appropriate controls. Which of the following would BEST meet the confidentiality requirements of the data?
Enforcing location-based policy restrictions
A company moved into a new building next to a sugar mill. Cracks have been discovered in the walls of the server room, which is located on the same side as the sugar mill loading docks. The cracks are believed to have been caused by heavy trucks. Moisture has begun to seep into the server room, causing extreme humidification problems and equipment failure. Which of the following BEST describes the type of threat the organization faces?
Environmental
After discovering a security incident and removing the affected files, an administrator disabled an unneeded service that led to the breach. Which of the following steps in the incident response process has the administrator just completed?
Eradication
Two companies need to exchange a large number of confidential files. Both companies run high availability UTM devices. They do not want to use email systems to exchange the data. Since the data needs to be exchanged in both directions, which of the following solutions should a security analyst recommend?
Establishing a site-to-site VPN between the two companies
Joe, a contractor, is hired by a firm to perform a penetration test against the firm's infrastructure. When conducting the scan, he receives only the network diagram and the network list to scan against the network. Which of the following scan types is Joe performing?
Gray box
During the penetration testing of an organization, the tester was provided with the names of a few key servers, along with their IP addresses. Which of the following is the organization conducting?
Gray box testing
A security engineer needs to implement the following requirements: - All Layer 2 switches should leverage Active Directory for authentication. - All Layer 2 switches should use local fallback authentication if Active Directory is offline. - All Layer 2 switches are not the same and are manufactured by several vendors. Which of the following actions should the engineer take to meet these requirements? (Select TWO).
Implement RADIUS, Configure AAA on the switch with local login as secondary
A network administrator needs to prevent users from accessing the accounting department records. All users are connected to the same layer 2 device and access the internet through the same router. Which of the following should be implemented to segment the accounting department from the rest of the users?
Implement VLANs and an ACL
A security administrator is performing a risk assessment on a legacy WAP with a WEP-enabled wireless infrastructure. Which of the following should be implemented to harden the infrastructure without upgrading the WAP?
Implement WPA and TKIP
A security administrator is developing a methodology for tracking staff access to patient data. Which of the following would be the BEST method for creating audit trails for usage reports?
Implement a database activity monitoring system
A security administrator is adding a NAC requirement for all VPN users to ensure the devices connecting are compliant with company policy. Which of the following items provides the HIGHEST assurance to meet this requirement?
Implement a permanent agent
A financial institution would like to store its customer data in the cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirements?
Homomorphic
A company network is currently under attack. Although security controls are in place to stop the attack, the security administrator needs more information about the types of attacks being used. Which of the following network types would BEST help the administrator gather this information?
Honeynet
After a breach, a company has decided to implement a solution to better understand the technique used by the attackers. Which of the following is the BEST solution to be deployed?
Honeypot network
A state-sponsored threat actor has launched several successful attacks against a corporate network. Although the target has a robust patch management program in place, the attacks continue in depth and scope, and the security department has no idea how the attacks are able to gain access. Given that patch management and a vulnerability scanner are being used, which of the following would be used to analyze the attack methodology?
Honeypots
A security analyst is reviewing the following log: Which of the following should the analyst report to the security manager?
Host 192.168.214.10 is performing a scan of well-known ports
An organization wants to host an externally accessible web server that will not contain sensitive user information. Any sensitive information will be hosted on file servers. Which of the following is the BEST architecture configuration for this organization?
Host the web server in a DMZ and the file servers behind a firewall
In order to prevent the possibility of a thermal shutdown, which of the following physical controls should be implemented in the datacenter?
Hot and cold aisles
Joe, a user at a company, clicked an email link that led to a website that infected his workstation. Joe was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and it has continued to evade detection. Which of the following should a security administrator implement to protect the environment from this malware?
Implement an IDS/IPS
A network administrator is concerned about users being exposed to malicious content when accessing company cloud applications. The administrator wants to be able to block access to sites based on an AUP. The users must also be protected because many of them work from home or at remote locations, providing on-site technical support. Which of the following should the administrator employ to meet these criteria?
Implement an SWG
The Chief Executive Officer (CEO) of a fast-growing company no longer knows all the employees and is concerned about the company's intellectual property being stolen by an employee. Employees are allowed to work remotely with flexible hours, creating unpredictable schedules. Roles are poorly defined due to frequent shifting needs across the company. Which of the following new initiatives by the information security team would BEST secure the company and mitigate the CEO's concerns?
Implement DLP to monitor data transfer between employee accounts and external parties and services
A network administrator needs to restrict the users of the company's WAPs to the sales department. The network administrator changes and hides the SSID and then discovers several employees had connected their personal devices to the wireless network. Which of the following would limit access to the wireless network to only organization-owned devices in the sales department?
Implement MAC filtering
A security administrator is hardening a VPN connection. Recently, company pre-shared keys were hijacked during an MITM attack and reused to breach the VPN connection. Which of the following should the security administrator do to BEST address this issue?
Implement PFS
An incident response analyst at a company is reviewing a SIEM alert that indicates an employee received a message containing a potentially malicious attachment. The analyst confirms the attachment is malicious. After removing the malware, the same incident reoccurs. Which of the following responses should have been done to address the situation correctly?
Lessons learned
An analyst is currently looking at the following output (columns: Software Name, Status, Licensed, Used): Software 1: Approved, 100 licensed, 91 used; Software 2: Approved, 50 licensed, 52 used; Software 3: Approved, 100 licensed, 87 used; Software 4: Approved, 50 licensed, 46 used; Software 5: Denied, 0 licensed, 0 used. Which of the following security issues has been discovered based on the output?
License compliance violation
A network technician identified a web server that has high network utilization and crashes during peak business hours. After making a duplicate of the server, which of the following should be installed to reduce the business impact caused by these outages?
Load balancer
Which of the following impacts MOST likely results from poor exception handling?
Local disruption of services
A network administrator wants to gather information on the security of the network servers in the DMZ. The administrator runs the following command: Telnet www.example.com 80 Which of the following actions is the administrator performing?
Logging into the web server
A company has just completed a vulnerability scan of its servers. A legacy application that monitors the HVAC system in the datacenter presents several challenges, as the application vendor is no longer in business. Which of the following secure network architecture concepts would BEST protect the rest of the company if the legacy server were to be exploited?
Logic bomb
A company notices that at 10 a.m. every Thursday, three users' computers become inoperable. The security analyst team discovers a file called where.pdf.exe that runs on system startup. The contents of where.pdf.exe are shown below: @echo off if [c:\file.txt] deltree C:\ Based on the above information, which of the following types of malware was discovered?
Logic bomb
A security administrator found the following piece of code referenced on a domain controller's task scheduler: $var = GetDomainAdmins If $var != 'fabio' SetDomainAdmins = NULL With which of the following types of malware is the code associated?
Logic bomb
Which of the following is MOST likely caused by improper input handling?
Loss of database tables
A security engineer is looking to purchase a fingerprint scanner to improve the security of a datacenter. Which of the following scanner characteristics is the MOST critical to successful implementation?
Low crossover error rate
A computer forensics analyst collected a flash drive that contained a single file with 500 pages of text. Which of the following algorithms should the analyst use to validate the integrity of the file?
MD5
A security analyst is hardening access to a company portal and must ensure that when username and password combinations are used, an OTP is utilized to complete authentication and provide access to resources. Which of the following should the analyst configure on the company portal to BEST meet this requirement?
MFA
A user receives a security alert pop-up from the host-based IDS, and a few minutes later notices a document on the desktop has disappeared and in its place is an odd filename with no icon image. When clicking on this icon, he receives a system notification that it cannot find the correct program to use to open this file. Which of the following types of malware has MOST likely targeted this workstation?
Ransomware
An organization had implemented a two-step verification process to protect user access to data that is stored in the cloud. Each employee now uses an email address or mobile number to receive a code to access the data. Which of the following authentication methods did the organization implement?
Push notification
A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA?
Push notifications
An analyst generates the following color-coded table shown in the exhibit to help explain the risk of potential incidents in the company. The vertical axis indicates the likelihood of an incident, while the horizontal axis indicates the impact (columns: Low, Medium, High). High likelihood: Yellow, Red, Pink; Medium likelihood: Green, Yellow, Red; Low likelihood: Green, Green, Yellow. Which of the following is this table an example of?
Qualitative risk assessment
A company wants to provide centralized authentication for its wireless system. The wireless authentication system must integrate with the directory back end. Which of the following is an AAA solution that will provide the required wireless authentication?
RADIUS
Two large organizations have signed a cooperative agreement that will require their employees to log on each others' networks on a regular basis. Each company implements NAC. Which of the following should be implemented if each company wants to continue using its own separate credentials while using the other company's network?
RADIUS Federation
A technician is implementing 802.1X with dynamic VLAN assignment based on a user's Active Directory group membership. Which of the following configurations supports the VLAN definitions?
RADIUS attributes
University A offers an AAA-based SSO service that allows students to access all wireless and VPN services with the standard university credentials. University A wants to partner with University B to allow its students who are taking classes at University B to sign into either university's wireless network and VPN services with their home university credentials. Which of the following should be implemented to achieve the desired results?
RADIUS federation
A junior systems administrator noticed that one of two hard drives in a server room had a red error notification. The administrator removed the hard drive to replace it but was unaware that the server was configured in an array. Which of the following configurations would ensure no data is lost?
RAID 1
A security administrator needs to create a RAID configuration that is focused on high read speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the following RAID configurations should the administrator use?
RAID 5
A datacenter engineer wants to ensure an organization's servers have high speed and high redundancy and can sustain the loss of two physical disks in an array. Which of the following RAID configurations should the engineer implement to deliver this functionality?
RAID 50
A network administrator is trying to provide the most resilient hard drive configuration in a server. With five hard drives, which of the following is the MOST fault-tolerant configuration?
RAID 6
During a forensic investigation, which of the following must be addressed FIRST according to the order of volatility?
RAM
Ann, a new employee, received an email from an unknown source indicating she needed to click on the provided link to update her company's profile. Once Ann clicked the link, a command prompt appeared with the following output: C:\Users\Ann\Documents\File1.pgp C:\Users\Ann\Documents\AdvertisingReport.pgp C:\Users\Ann\Documents\FinancialReport.pgp Which of the following types of malware was executed?
Ransomware
The help desk received a call from a user who was trying to access a set of files from the day before, but received the following error message: File format not recognized. Which of the following types of malware MOST likely caused this to occur?
Ransomware
A company recently experienced a security incident in which its domain controllers were the target of a DoS attack. In which of the following steps should technicians connect domain controllers to the network and begin authenticating users again?
Recovery
A newly hired Chief Security Officer (CSO) is reviewing the company's IRP and notices the procedures for zero-day malware attacks are being poorly executed, resulting in the CSIRT failing to address and coordinate malware removal from the system. Which of the following phases would BEST address these shortcomings?
Recovery
A security administrator is implementing a secure method that allows developers to place files or objects onto a Linux server. Developers are required to log in using a username, password, and asymmetric key. Which of the following protocols should be implemented?
SFTP
As part of a corporate merger, two companies are combining resources. As a result, they must transfer files through the Internet in a secure manner. Which of the following protocols would BEST meet this objective? (Select TWO).
SFTP, HTTPS
A security administrator is choosing an algorithm to generate password hashes. Which of the following would offer the BEST protection against offline brute force attacks?
SHA-1
An organization is struggling to differentiate threats from normal traffic and access to systems. A security engineer has been asked to recommend a system that will aggregate data and provide metrics that will assist in identifying malicious actions or other anomalous activity throughout the environment. Which of the following solutions should the engineer recommend?
SIEM
A company recently installed fingerprint scanners at all entrances to increase the facility's security. The scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid users were denied entry. Which of the following measurements do these users fall under?
SLA
Which of the following should be put in place when negotiating with a new vendor about the timeliness of the responses to a significant outage or incident?
SLA
A security administrator is configuring parameters on a device. The administrator fills out the following information: username uauser auth SHA1 Y3$oR0i3&1xM priv AES128 *@IOtx43qK Which of the following protocols is being configured?
SNMPv3
A security technician is configuring a new access switch. The switch will be managed through software that will send status reports and logging details to a central management console. Which of the following protocols should the technician configure to BEST meet these requirements? (Select TWO).
SNMPv3, Syslog
The Chief Executive Officer (CEO) received an email from the Chief Financial Officer (CFO), asking the CEO to send financial details. The CEO thought it was strange that the CFO would ask for the financial details via email. The email address was correct in the "From" section of the email. The CEO clicked the form and sent the financial information as requested. Which of the following caused the incident?
SPF not enabled
A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user's machine with protocols to connect to the Unix web server, which is behind a firewall. Which of the following protocols does the technician MOST likely need to configure?
SSH
A security analyst has been asked to implement secure protocols to prevent cleartext credentials from being transmitted over the internal network. Which of the following protocols is the security analyst MOST likely to implement? (Select TWO).
SSH, SFTP
While monitoring the SIEM, a security analyst observes traffic from an external IP to an IP address of the business network on port 443. Which of the following protocols would MOST likely cause this traffic?
SSL
A security administrator at a large company is installing a Shibboleth component to enable its employees to use the company's credentials when working at other peer organizations that support the same federation model. Which of the following are required components that the administrator must install at the local company? (Select TWO)
SSL/TLS certificate, IdP
A Chief Security Officer (CSO) was notified that a customer was able to access confidential internal company files on a commonly used file-sharing service. The file-sharing service is the same one used by the company staff as one of the approved third-party applications. After further investigation, the security team determines that the sharing of confidential files was accidental and not malicious. However, the CSO wants to implement changes to minimize this type of incident from reoccurring but does not want to impact existing business processes. Which of the following would BEST meet the CSO's objectives?
SWG
To reduce costs and overhead, an organization wants to move from an on-premises email solution to a cloud-based email solution. At this time, no other services will be moving. Which of the following cloud models would BEST meet the needs of the organization?
SaaS
Which of the following is a random value appended to a credential that makes the credential less susceptible to compromise when hashed?
Salt
Which of the following would provide a safe environment for an application to access only the resources needed to function while not having access to run at the system level?
Sandbox
A security analyst needs a solution that can execute potential malware in a restricted and isolated environment for analysis. In which of the following technologies is the analyst interested?
Sandboxing
Which of the following is a deployment concept that can be used to ensure only the required OS access is exposed to software applications?
Sandboxing
A critical web application experiences slow response times during the end of a company's fiscal year. This web application typically sees a 35% increase in utilization during this time. The chief information officer wants an automated solution in place to deal with the annual spike. Which of the following does the CIO MOST likely want to implement?
Scalability
A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery?
Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis.
An organization is concerned about video emissions from users' desktops. Which of the following is the BEST solution to implement?
Screen filters
A document that appears to be malicious has been discovered in an email that was sent to a company's Chief Financial Officer (CFO). Which of the following would be BEST to allow a security analyst to gather information and confirm it is a malicious document without executing any code it may contain?
Search for matching file hashes on malware websites
Which of the following documents would provide specific guidance regarding ports and protocols that should be disabled on an operating system?
Secure configuration guide
When building a hosted data center, which of the following is the most important consideration for physical security within the data center?
Secure enclosures
Which of the following best represents detective controls? (Select two)
Security guard, Camera
A security administrator is researching ways to improve the security of a manufacturing company's systems within the next three to six months. Which of the following would provide the security administrator with the MOST diverse perspective?
Security regulations from other industry verticals
The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread unhindered throughout the network and infect a large number of computers and servers. Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future?
Segment the network with firewalls
A security analyst is investigating a security breach involving the loss of sensitive data. A user passed the information through social media as vacation photos. Which of the following was used to encode the data?
Steganography
Which of the following BEST describes the process of altering the bits of a media file to embed a hidden message?
Steganography
A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator finds the following output: Time: 12/25 0300 From Zone: Untrusted To Zone: DMZ Attacker: externalip.com Victim: 172.16.0.20 To Port: 80 Action: Alert Severity: Critical Upon examining the PCAP associated with the event, the security administrator finds the following information: Which of the following actions should the security administrator take?
Submit a change request to modify the XSS vulnerability signature to TCP reset on future attempts
The IT department's on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production?
Submit the application to QA before releasing it
A penetration tester was able to connect to a company's internal network and perform scans and staged attacks for the duration of the testing period without being noticed. The SIEM didn't alert the security team to the presence of the penetration tester's devices on the network. Which of the following would provide the security team with notification in a timely manner?
Implement rogue system detection and sensors
A security analyst discovers that a company's username and password database was posted on an Internet forum. The usernames and passwords are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future?
Implement salting and hashing.
The Chief Information Officer (CIO) has determined the company's new PKI will not use OCSP. The purpose of OCSP still needs to be addressed. Which of the following should be implemented?
Implement stapling
Buffer overflow can be avoided using proper:
Implementation of ASLR
A network administrator needs to restrict the users of the company's WAPs to the sales department. The network administrator changes and hides the SSID and then discovers several employees had connected their personal devices to the wireless network. Which of the following would limit access to the wireless network to only organization-owned devices in the sales department?
Implementing MAC filtering
Which of the following is an example of federated access management?
Implementing an AAA framework for network access
A network technician is designing a network for a small company. The network technician needs to implement an email server and web server that will be accessed by both internal employees and external customers. Which of the following would BEST secure the internal network and allow access to the needed servers?
Implementing a DMZ segment for the server
Which of the following is being described when a security professional develops and publishes a password policy specifically tailored to a company, and enforces the policy through technical means?
Implementing security control diversity.
Fuzzing is used to reveal which of the following vulnerabilities in web applications?
Improper input handling
A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using?
The Diamond Model of Intrusion Analysis
A security administrator is investigating many recent incidents of credential theft for users accessing the company's website, despite the hosting web server requiring HTTPS for access. The server's logs show the website leverages the HTTP POST method for carrying user authentication details. Which of the following is the MOST likely reason for compromise?
The HTTP POST method is not protected by HTTPS.
Which of the following could occur when both strong and weak ciphers are configured on a VPN concentrator? (Select TWO)
The IPSec payload reverted to 16-bit sequence numbers, An attacker could potentially perform a downgrade attack.
A security engineer at a manufacturing company is implementing a third-party cloud application. Rather than create users manually in the application, the engineer decides to use the SAML protocol. Which of the following is being used for this implementation?
The manufacturing company is the identity provider, and the cloud company is the service provider
Which of the following are disadvantages of full backups? (Select THREE)
They require the most storage, They demand the most bandwidth, They are time consuming to complete
The security administrator of a small firm wants to stay current on the latest security vulnerabilities and attack vectors being used by crime syndicates and nation-states. The information must be actionable and reliable. Which of the following would BEST meet the needs of the security administrator?
Threat data subscription
A security analyst is using a recently released security advisory to review historical logs, looking for the specific activity that was outlined in the advisory. Which of the following is the analyst doing?
Threat hunting
Which of the following is the proper use of a Faraday cage?
To block electronic signals sent to erase a cell phone
Which of the following is a reason why an organization would define an AUP?
To define the set of rules and behaviors for users of the organization's IT systems
During a penetration test, the tester performs a preliminary scan for any responsive hosts. Which of the following BEST explains why the tester is doing this?
To identify servers for subsequent scans and further investigation
Which of the following is the BEST use of a WAF?
To protect sites on web servers that are publicly accessible
In highly secure environments where the risk of malicious actors attempting to steal data is high, which of the following is the BEST reason to deploy Faraday cages?
To provide emanation control to prevent credential harvesting
Which of the following BEST explains why an application team might take a VM snapshot before applying patches in the production environment?
To reduce operational risk so the team can quickly restore the application to a previous working condition if the patch fails
A security administrator is concerned about the increasing number of users who click on malicious links contained within phishing emails. Although the company has implemented a process to block these links at the network perimeter, many accounts are still becoming compromised. Which of the following should be implemented to further reduce the number of account compromises caused by remote users who click these links?
URL rewriting
A security analyst wants to obfuscate some code and decides to use ROT13. Which of the following is an example of the text "HELLO WORLD" in ROT13?
URYYB JBEYQ
Penetration testing is distinct from vulnerability scanning primarily because penetration testing:
Involves multiple active exploitation techniques
A security analyst is performing a manual audit of captured data from a packet analyzer. The analyst looks for base64 encoded strings and applies the filter http authbasic. Which of the following BEST describes what the analyst is looking for?
Unencrypted credentials
Proprietary information was sent by an employee to a distribution list that included external email addresses. Which of the following BEST describes the incident that occurred and the threat actor in this scenario?
Unintentional disclosure by an insider
A company recently purchased a new application and wants to enable LDAP-based authentication for all employees using the application. Which of the following should be set to connect the application to the company LDAP server in a secure manner? (Select TWO).
LDAP Path: ou=users, dc=company,dc=com Port 636
A company recently contracted a penetration testing firm to conduct an assessment. During the assessment, the penetration testers were able to capture unencrypted communication between directory servers. The penetration testers recommended encrypting this communication to fix the vulnerability. Which of the following protocols should the company implement to close this finding?
LDAPS
A network administrator receives a support ticket from the security operations team to implement secure access to the domain. The support ticket contains the following information: Source: 192.168.1.137 Destination: 10.113.10.8 Protocol: TCP Ports: 636 Time-of-day restriction: None Proxy bypass required: Yes Which of the following is being requested to be implemented?
LDAPS
The Chief Information Security Officer (CISO) of a university is concerned about potential transmission of usernames and passwords in cleartext when authenticating to a directory server. Which of the following would BEST mitigate the CISO's concerns?
LDAPS
A technician is investigating a report of unusual behavior and slow performance on a company-owned laptop. The technician runs a command and reviews the following information:
Proto  Local Address    Foreign Address      State        Process
TCP    0.0.0.0:445                           Listening    RpcS
TCP    0.0.0.0:80                            Listening    httpd.exe
TCP    0.0.0.0:443      192.168.1.20:1301    Established  httpd.exe
TCP    0.0.0.0:90328    172.55.80.22:9090    Established  notepadexe
Based on the above information, which of the following types of malware should the technician report?
RAT
Which of the following algorithms would be used to provide nonrepudiation of a file transmission?
RSA
A security engineer wants to further secure a sensitive VLAN on the network by introducing MFA. Which of the following is the BEST example of this?
RSA token and password
A company has determined that if its computer-based manufacturing is not functioning for 12 consecutive hours, it will lose more money than it costs to maintain the equipment. Which of the following must be less than 12 hours to maintain a positive total cost of ownership?
RTO
During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts. With which of the following is the auditor MOST likely concerned?
RTO/RPO
Which of the following vulnerabilities can lead to unexpected system behavior, including the bypassing of security controls, due to differences between the time of commitment and the time of execution?
Race condition
A company help desk has received several reports that employees have experienced identity theft and compromised accounts. This occurred several times after receiving an email asking them to update their personal work information. Which of the following is a vulnerability that has been exploited?
Untrained users
The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 40 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process?
Updating the playbooks for better decision points
An organization utilizes network devices that only support a remote administration protocol that sends credentials in cleartext over the network. Which of the following should the organization do to improve the security of the remote administration sessions?
Upgrade the devices to models that support SSH
As a security measure, an organization has disabled all external media from accessing the network. Since some users may have data that needs to be transferred to the network, which of the following would best assist a security administrator in transferring the data while keeping the internal network secure?
Upload the data in a separate VLAN
A Chief Executive Officer (CEO) is staying at a hotel during a business trip. The hotel's wireless network does not show a lock symbol. Which of the following precautions should the CEO take? (Select TWO)
Use a VPN, Tether to a mobile phone
A systems developer needs to provide a machine-to-machine interface between an application and a database server in the production environment. This interface will exchange data once per day. Which of the following access control account practices would BEST be used in this situation?
Use a service account and prohibit users from accessing this account for development work.
A systems administrator is installing and configuring an application service that requires access to read and write to log and configuration files on a local hard disk partition. The service must run as an account with authorization to interact with the file system. Which of the following would reduce the attack surface added by the service and account? (Select TWO)
Use a unique managed service account, Enforce least possible privileges for the accounts
A company has critical systems that are hosted on an end-of-life OS. To maintain operations and mitigate potential vulnerabilities, which of the following BEST accomplishes this objective?
Use application whitelisting
Datacenter employees have been battling alarms in a datacenter that has been experiencing hotter than normal temperatures. The server racks are designed so all 48 rack units are in use, and servers are installed in any manner in which the technician can get them installed. Which of the following practices would BEST alleviate the heat issues and keep costs low?
Use hot and cold aisles.
An organization is providing employees on the shop floor with computers that will log their time based on when they sign on and off the network. Which of the following account types should the employee receive?
User account
A network administrator is implementing multifactor authentication for employees who travel and use company devices remotely by using the company VPN. Which of the following would provide the required level of authentication?
Username/Password and TOTP
A security operations engineer at a bank must ensure all automated teller machines execute only the boot loader and the OS specified by the bank to ensure the security of the machines. Which of the following would BEST meet the engineer's goal?
Using the TPM to verify digitally signed files of the boot loader
A company is planning to utilize its legacy desktop systems by converting them into dummy terminals and moving all heavy applications and storage to a centralized server that hosts all of the company's required desktop applications. Which of the following describes the BEST deployment method to meet these requirements?
VDI
A company that processes sensitive information has implemented a BYOD policy and an MDM solution to secure sensitive data that is processed by corporate and personally owned devices. Which of the following should the company implement to prevent system data from being stored on mobile devices?
VDI
A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers. Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:
anonymize any PII that is observed within the IoC data
The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead to:
arbitrary code execution.
A public relations team will be taking a group of guests on a tour through the facility of a large ecommerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against:
loss of proprietary information
A security analyst is investigating a vulnerability in which a default file permission was set incorrectly. The company uses noncredentialed scanning for vulnerability management. Which of the following tools can the analyst use to verify the permissions?
ls
A threat actor motivated by political goals that is active for a short period of time but has virtually unlimited resources is BEST categorized as a:
nation-state
An organization is considering utilizing a third-party web-hosting service for a human resources application. The organization's Chief Information Officer (CIO) is concerned the web-hosting service may not have a sufficient level of security. The sales representative for the web-hosting service suggests that the CIO use banner grabbing to test the security levels of an existing website hosted by the company (www.example.com). Which of the following commands should the CIO use? (Select TWO).
nc, telnet
A systems administrator wants to determine if two DNS servers are configured to have the same record for IP address 192.168.1.10. The systems administrator has verified the record on Server1 and now needs to verify the record on Server2. Which of the following commands should the systems administrator run?
nslookup server2 192.168.1.10
A security analyst is asked to check the configuration of the company's DNS service on the server. Which of the following command line tools should the analyst use to perform the initial assessment?
nslookup/dig
Using a ROT13 cipher to protect confidential information from unauthorized access is known as:
obfuscation
Exercising various programming responses for the purpose of gaining insight into a system's security posture without exploiting the system is BEST described as:
passive-security control testing
A security analyst is implementing PKI-based functionality to a web application that has the following requirements:
File contains certificate information
Certificate chains
Root authority certificates
Private key
All of these components will be part of one file and cryptographically protected with a password. Given this scenario, which of the following certificate types should the analyst implement to BEST meet these requirements?
pfx certificate
Moving laterally within a network once an initial exploit is used to gain persistent access for the purpose of establishing further control of a system is known as:
pivoting
A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better:
prioritize remediation of vulnerabilities based on the possible impact.
A technician is recommending preventive physical security controls for a server room. Which of the following would the technician MOST likely recommend? (Select TWO).
protected cabinets, Mantrap
A symmetric encryption algorithm is BEST suited for:
protecting large amounts of data
An administrator is configuring a wireless network. Security policy states that deprecated cryptography should not be used when there is an alternative choice. Which of the following should the administrator use for the wireless network's cryptographic protocol?
CCMP
Two companies are enabling TLS on their respective email gateways to secure communications over the Internet. Which of the following cryptography concepts is being implemented?
Data in transit
A coding error has been discovered on a customer-facing website. The error causes each request to return confidential PHI data for the incorrect organization. The IT department is unable to identify the specific customers who are affected. As a result, all customers must be notified of the potential breach. Which of the following would allow the team to determine the scope of future incidents?
Database access monitoring
A CSIRT has completed restoration procedures related to a breach of sensitive data and is creating documentation used to improve future response activities and coordination among team members. Which of the following information would be MOST beneficial to include in lessons learned documentation? (Select TWO).
Details of any communication challenges that hampered initial response times, Details regarding system restoration activities completed during the response activity
When considering IoT systems, which of the following represents the GREATEST ongoing risk after a vulnerability has been discovered?
Difficult-to-update firmware
A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk?
Disable NTLM
Exploitation of a system using widely known credentials and network addresses that results in DoS is an example of:
Default configurations
A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service Unavailable error. The analyst runs a netstat -an command to discover if the web server is up and listening. The analyst receives the following output: TCP 10.1.5.2:80 192.168.2.112.60973 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112.60974 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112.60975 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112.60976 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112.60977 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112.60978 TIME_WAIT Which of the following types of attack is the analyst seeing?
Denial of service
Which of the following is the MOST likely security impact of continuing to operate end-of-life systems?
Denial of service due to Patch availability
A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions. In addition, the perimeter router can only handle 1Gbps of traffic. Which of the following should be implemented to prevent DoS attacks in the future?
Deploy multiple web servers and implement a load balancer.
One has a higher potential for disrupting system operations
Consult data disposition policies in the contract
A network administrator has been asked to improve the security posture of an organization. Which of the following control types is an IDS?
Detective
Which of the following systems, if compromised, may cause great danger to the integrity of water supplies and their chemical levels?
SCADA
A security analyst is investigating a security breach involving the loss of sensitive data. A user passed the information through social media as vacation photos. Which of the following methods was used to encode the data?
Steganography
A security administrator is setting up a SIEM to help monitor for notable events across the enterprise. Which of the following control types does this BEST represent?
Detective
Which of the following control types are alerts sent from a SIEM fulfilling based on vulnerability signatures?
Detective
Which of the following describes the BEST approach for deploying application patches?
Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production
An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be MOST acceptable?
SED
An organization requires employees to insert their identification cards into a reader so chips embedded in the cards can be read to verify their identities. Which of the following BEST describes this authentication control?
CAC
Which of the following is a passive method to test whether transport encryption is enabled?
Code analysis
A company is looking for an all-in-one solution to provide identification, authentication, authorization, and accounting services. Which of the following technologies should the company use?
Diameter
Which of the following algorithms can be used to exchange a secret key securely and remotely?
Diffie Hellman
Which of the following attacks can be mitigated by proper data retention policies?
Dumpster diving
A systems engineer is setting up a RADIUS server to support a wireless network that uses certificate authentication. Which of the following protocols must be supported by both the RADIUS server and the WAPs?
EAP
An organization is looking to build its second head office in another city, which has a history of flooding with an average of two floods every 100 years. The estimated building cost is $1 million, and the estimated damage due to flooding is half of the building's cost. Given this information, which of the following is the SLE?
$500,000
During certain vulnerability scanning scenarios, it is possible for the target system to react in unexpected ways. This type of scenario is MOST commonly known as:
Intrusive testing
A security analyst is hardening a large-scale wireless network. The primary requirements are the following: Must use authentication through EAP-TLS certificates; Must use an AAA server; Must use the most secure protocol. Given these requirements, which of the following should the analyst implement and recommend? (Select TWO)
802.1X, CCMP
A network administrator was provided the following output from a vulnerability scan:
Plugin ID  Severity  Count  Description                                Risk Score
10         Critical  1      CentOS 7 rpm (CTSA-2014:1980)              3.4
11         Low       178    Microsoft Windows Update                   1.3
12         Medium    120    openSUSE Security Update: python3 / rpm    1.8
13         High      15     Microsoft Windows Update Reboot Required   3.6
14         Low       1389   RHEL 4 : RPM (rhsa-2016:0678)              2.1
The network administrator has been instructed to prioritize remediation efforts based on overall risk to the enterprise. Which of the following plugin IDs should be remediated FIRST?
13
A security analyst is running a credential-based vulnerability scanner on a Windows host. The vulnerability scanner is using the protocol NetBIOS over TCP/IP to connect to various systems. However, the scan does not return any results. To address the issue, the analyst should ensure that which of the following default ports is open on systems?
137
Which of the following encryption algorithms require one encryption key? (Select TWO).
3DES, RC4
A company is implementing an authentication system for its wireless network. The system will be for public use and must be able to track how long a person is connected to the WiFi system for billing purposes. Which of the following would be BEST to implement in this situation?
802.1X
A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure?
802.1X
A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization's executives determine their next course of action?
A business continuity plan
Which of the following BEST explains the difference between a credentialed scan and a non-credentialed scan?
A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest
Which of the following attacks can be used to exploit a vulnerability that was created by untrained users?
A spear phishing email with a file attachment
A company provides mobile devices to its users to permit access to email and enterprise applications. The company recently started allowing users to select from several different vendors and device models. When configuring the MDM, which of the following is a key security implication of this heterogeneous device approach?
All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the chosen architecture may unnecessarily expose private keys to adversaries.
A highly complex password policy has made it nearly impossible to crack account passwords. Which of the following might a hacker still be able to perform?
Brute force attack
An organization's research department uses workstations in an air-gapped network. A competitor released products based on files that originated in the research department. Which of the following should management do to improve the security and confidentiality of the research files?
Configure removable media controls on the workstations
A security engineer implements multiple technical measures to secure an enterprise network. The engineer also works with the Chief Information Officer (CIO) to implement policies to govern user behavior. Which of the following strategies is the security engineer executing?
Control diversity
An organization prefers to apply account permission to groups and not individual users, but allows for exceptions that are justified. Some systems require a machine to machine data exchange and an associated account to perform this data exchange. One particular system has data in a folder that must be modified by another system. No user requires access to this folder, only the other system needs access to this folder. Which of the following is the BEST account management practice?
Create a service account and apply the necessary permissions directly to the service account itself.
An incident response analyst at a large corporation is reviewing proxy log data. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take?
Disconnect the CEO's workstation from the network
A technician wants to implement PKI-based authentication on an enterprise wireless network. Which of the following should the technician configure to enforce the use of client-side certificates?
EAP-TLS
A security administrator is creating a risk assessment on BYOD. One of the requirements of the risk assessment is to address the following: Centrally managing mobile devices; Data loss prevention. Which of the following recommendations should the administrator include in the assessment? (Select TWO).
Implement encryption, Implement an MDM with mobile device hardening.
A company has limited storage space available and an online presence that cannot be down for more than four hours. Which of the following backup methodologies would the company implement to allow for the FASTEST database restore time in the event of a failure, while being mindful of the limited available storage space?
Implement full backups every Sunday at 8:00 p.m. and nightly differential backups at 8:00 p.m.
Which of the following is the primary reason for implementing layered security measures in a cybersecurity architecture?
It increases the number of controls required to subvert a system
During a routine check, a security analyst discovered the script responsible for the backup of the corporate file server had been changed to the following: date = get_currentdate() if date = $userA.Birthdate then exec 'rm -rf/' end if Which of the following BEST describes the type of malware the analyst discovered?
Logic bomb
A security administrator plans to conduct a vulnerability scan on the network to determine if system applications are up to date. The administrator wants to limit disruptions to operations but not consume too many resources. Which of the following types of vulnerability scans should be conducted?
Non-intrusive
Which of the following is the main difference between symmetric and asymmetric cryptographic algorithms?
Only one key is used in symmetric algorithms
Which of the following is being used when a malicious actor searches various social media websites to find information about a company's systems administrators and help desk staff?
Passive reconnaissance
An organization has created a review process to determine how to best handle data with different sensitivity levels. The process includes the following requirements: Soft copy PII must be encrypted. Hard copy PII must be placed in a locked container. Soft copy PHI must be encrypted and audited monthly. Hard copy PHI must be placed in a locked container and inventoried monthly. Locked containers must be approved and designated for document storage. Any violations must be reported to the Chief Security Officer. While searching for coffee in the kitchen, an employee unlocks a cabinet and discovers a list of customer names and phone numbers. Which of the following actions should the employee take?
Put the document back in the cabinet, lock the cabinet, and report the incident to the CSO
A system uses an application server and database server. Employing the principle of least privilege, only database administrators are given administrative privileges on the database server, and only application team members are given administrative privileges on the application server. Audit and log file reviews are performed by the business unit (a separate group from the database and application teams). The organization wants to optimize operational efficiency when application or database changes are needed, but it also wants to enforce least privilege, prevent modification of log files, and facilitate the audit and log review performed by the business unit. Which of the following approaches would BEST meet the organization's goals?
Remove administrative privileges from both the database and application servers and give the business unit "read only" privileges on the directories where the log files are kept
An organization's IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization's web servers. Given the organization's stated priorities, which of the following would be the NEXT step?
Remove the affected servers from the network
An organization's policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevent users from using any of their previous 12 passwords. The organization does not use single sign-on, nor does it centralize storage of passwords. The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation. Which of the following BEST describes what is happening?
Some users are reusing passwords, and some of the compromised passwords are valid on multiple systems.
A user enters a password to log in to a workstation and is prompted for an authentication code. Which of the following MFA factors or attributes are being utilized in the authentication process? (Select TWO).
Something you know, Something you have
A security analyst received an after-hours alert indicating that a large number of accounts with the suffix 'admin' were locked out. The accounts were all locked out after five unsuccessful login attempts, and no other accounts on the network triggered the same alert. Which of the following is the BEST explanation for these alerts?
The standard naming convention makes administrator accounts easy to identify, and they were targeted for an attack.
The website of a bank that an organization does business with is being reported as untrusted by the organization's web browser. A security analyst has been assigned to investigate. The analyst discovers the bank recently merged with another local bank and combined names. Additionally, the user's bookmark automatically redirects to the website of the newly named bank. Which of the following is the MOST likely cause of the issue?
The website's certificate still has the old bank's name
Which of the following is the purpose of an industry-standard framework?
To provide guidance across common system implementations
A company's IT staff is given the task of securely disposing of 100 server HDDs. The security team informs the IT staff that the data must not be accessible by a third party after disposal. Which of the following is the MOST time-efficient method to achieve this goal?
Use a degausser to sanitize the drives
A company wishes to deploy a wireless network. Management insists that each individual user should have to authenticate with a unique username and password before being able to associate with the wireless access points. Which of the following wireless features would be the MOST appropriate to achieve this objective?
WPA Enterprise
A credentialed vulnerability scan is often preferred over a noncredentialed scan because credentialed scans:
provide more accurate data
A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file download from a social media site and subsequently installed it without the user's knowledge. Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker MOST likely use to gain access?
A RAT
Given the following output: NMAP -p 80 --script hostmap-bfk.nse company.com starting NMAP 6.46 NMAP scan report for company.com (172.255.240.169) Port State Service 80/TCP open http Host script results hostmap-bfk host: 172.255.240.169 web1.company.com swebdb1.company.com web3.company.com swebdb2.company.com NMAP done: scanned in 2.10 seconds Which of the following best describes the scanned environment?
A host was identified as a web server that is hosting multiple domains
In which of the following situations would it be BEST to use a detective control type for mitigation?
A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor, not block the traffic
A security analyst is reviewing logs on a server and observes the following output: 01/01/2020 03:33:23 admin attempted login with password sneak 01/01/2020 03:33:32 admin attempted login with password sneaked 01/01/2020 03:33:41 admin attempted login with password sneaker 01/01/2020 03:33:50 admin attempted login with password sneer 01/01/2020 03:33:59 admin attempted login with password sneeze 01/01/2020 03:34:08 admin attempted login with password sneezy Which of the following is the security analyst observing?
A dictionary attack
Which of the following represents a multifactor authentication system?
A digital certificate on a physical token that is unlocked with a secret passcode
A security analyst performs a vulnerability scan on the local network. Several items are flagged on the report as being critical issues. The security analyst researches each of the vulnerabilities and discovers that one of the critical issues on the report was mitigated in a previous scan. Which of the following MOST likely happened?
A false positive occurred
Ann, a user, reports she is receiving emails that appear to be from organizations to which she belongs, but the emails contain links to websites that do not belong to those organizations. Which of the following security scenarios does this describe?
A hacker is using Ann's social media information to create a spear phishing attack
A pharmaceutical sales representative logs on to a laptop and connects to the public WiFi to check emails and update reports. Which of the following would be BEST to prevent other devices on the network from directly accessing the laptop? (Select TWO).
A host-based firewall, A VPN
A sensitive manufacturing facility has recently noticed an abnormal number of assembly-line robot failures. Upon intensive investigation, the facility discovers many of the SCADA controllers have been infected by a new strain of malware that uses a zero-day flaw in the operating system. Which of the following types of malicious actors is MOST likely behind this attack?
A nation-state
Which of the following is an example of resource exhaustion?
A penetration tester requests every available IP address from a DHCP server.
A company has forbidden the use of external media within its headquarters location. A security analyst is working on adding additional repositories to a server in the environment when the analyst notices some odd processes running on the system. The analyst runs a command and sees the following: $ history ifconfig -a netstat -n pskill 1788 pskill 914 mkdir /tmp/1 mount -u sda101 /tmp/1
A policy violation
A security analyst is checking log files and finds the following entries: C:\>nc -vv 192.168.118.130 80 192.168.118.130: inverse host lookup failed: h_errno 11004: NO_DATA (UNKNOWN) [192.168.118.130] 80 (http) open HEAD / HTTP/1.0 HTTP/1.1 408 Request Time-out Date: Thu, 29 Nov 2017 07:15:37 GMT Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=iso-8859-1 sent 16, rcvd 189: NOTSOCK C:\> Which of the following is MOST likely happening?
A potential hacker could be banner grabbing to determine what architecture is being used
After installing new freeware, a user's workstation with IP address 192.168.10.1 is flagged by the SIEM for review. The security administrator reviews the following logs: 192.168.10.1:3388 -> 183.56.84.211:443 - 5 kb sent - 12649 kb received. 192.168.10.1:1845 -> 88.45.133.203:443 - 21 kb sent - 19744 kb received. 192.168.10.1:2095 -> 183.56.84.211:443 - 54948 Mb sent - 10069 kb received. 192.168.10.1:9454 -> 145.86.104.92:443 - 74 kb sent - 3059 kb received. Based on the information above, which of the following types of malware has infected the workstation?
A remote access Trojan
A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective?
A reverse proxy
Which of the following BEST describes a defense-in-depth strategy?
A security administrator places a web server behind two firewalls from two different vendors with only ports 80 and 443 open
A systems administrator needs to install the same X.509 certificate on multiple servers. Which of the following should the administrator use?
A self-signed certificate
A security administrator is reviewing the following firewall configuration after receiving reports that users are unable to connect to remote websites: 10 PERMIT FROM:ANY TO:ANY PORT:80 20 PERMIT FROM:ANY TO:ANY PORT:443 30 DENY FROM:ANY TO:ANY PORT:ANY Which of the following is the MOST secure solution the security administrator can implement to fix this issue?
Add the following rule to the firewall: 5 PERMIT FROM : ANY TO : ANY PORT : 53
A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all employees must have their badges re-keyed at least annually. Which of the following controls BEST describes this policy?
Administrative
An analysis of the threat actor which has been active for several years reveals the threat actor has high levels of funding, motivation, and sophistication. Which of the following types of threat actors does this best describe?
Advanced persistent threat
Which of the following models is considered an iterative approach with frequent testing?
Agile
A system in the network is used to store proprietary secrets and needs the highest level of security possible. Which of the following should a security administrator implement to ensure the system cannot be reached from the Internet?
Air gap
Which of the following outcomes is a result of proper error-handling procedures in secure code?
All fault conditions are logged and do not result in a program crash.
Joe, an employee, knows he is going to be fired in three days. Which of the following is Joe?
An insider threat
An organization recently implemented an account-lockout policy on its portal. The portal was configured to display a banner instructing locked-out users to contact the help desk. Which of the following tools should the security administrator use to test whether the account lockout policy is working correctly?
An online password cracker
A small enterprise decides to implement a warm site to be available for business continuity in case of a disaster. Which of the following BEST meets its requirements?
An operational site requiring some equipment to be relocated as well as data transfer to the site.
A company just implemented a new telework policy that allows employees to use personal devices for official email and file sharing while working from home. Some of the requirements are: * Employees must provide an alternate work location (i.e., a home address). * Employees must install software on the device that will prevent the loss of proprietary data but will not restrict any other software from being installed. Which of the following BEST describes the MDM options the company is using?
Application management, remote wipe, geofencing, context-aware authentication, and containerization
A company uses an enterprise desktop imaging solution to manage deployment of its desktop computers. Desktop computer users are only permitted to use software that is part of the baseline image. Which of the following technical solutions was MOST likely deployed by the company to ensure only known-good software can be installed on corporate desktops?
Application whitelisting
While reviewing the wireless router, the systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below:
Hostname  IP address    MAC                MAC filter
PC1       192.168.1.20  00:1E:1B:43:21:B2  On
PC2       192.168.1.23  31:1C:3C:13:25:C4  Off
PC3       192.168.1.25  20:A2:22:45:11:D2  On
UNKNOWN   192.168.1.21  12:44:B2:FF:A1:22  Off
Which of the following should be the administrator's NEXT step to detect if there is a rogue system without impacting availability?
Apply MAC filtering
A small- to medium-sized company wants to block the use of USB devices on its network. Which of the following is the MOST cost-effective way for the security analyst to prevent this?
Apply a GPO
A security administrator is working with the Human Resources Department to classify data held by the company. The administrator has determined that the data contains a variety of data types, including health information, employee names and addresses, trade secrets, and confidential customer information. Which of the following should the security administrator do NEXT?
Apply a predefined set of labels from government sources to all data within the company
A security consultant was asked to revise the security baselines that are utilized by a large organization. Although the company provides different platforms for its staff, including desktops, laptops, and mobile devices, the applications do not vary by platform. Which of the following should the consultant recommend? (Select TWO).
Apply application whitelisting, Disable default accounts and/or passwords
Which of the following is the BEST way for home users to mitigate vulnerabilities associated with IoT devices on their home network?
Apply firmware and software updates upon availability
An organization is deploying IoT locks, sensors, and cameras, which operate over 802.11, to replace legacy building access control systems. These devices are capable of triggering physical access changes, including locking and unlocking doors and gates. Unfortunately, the devices have known vulnerabilities for which the vendor has yet to provide firmware updates. Which of the following would BEST mitigate this risk?
Associate the devices with an isolated wireless network configured for WPA2 and EAP-TLS
Which of the following access management concepts is MOST closely associated with the use of a password or PIN?
Authentication
Which of the following can be used to increase the time needed to brute force a hashed password?
BCRYPT
Which of the following are used to substantially increase the computation time required to crack a password? (Select TWO)
BCRYPT, PBKDF2
A security analyst is reviewing the following company requirements prior to selecting the appropriate technical control configuration parameter: RTO: 2 days RPO: 36 hours MTTR: 24 hours MTBF: 60 days Which of the following solutions will address the RPO requirements?
Backup solution that implements daily snapshots
A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using?
Banner grabbing
A technician needs to document which application versions are listening on open ports. Which of the following is MOST likely to return the information the technician needs?
Banner grabbing
An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has not received information about the internal architecture. Which of the following BEST represents the type of testing that will occur?
Black-Box
A security administrator wants to implement a system that will issue digital security tokens, which require the following: The token-generating system must be distributed and decentralized. The validity of each token must be verifiable. Transaction and token integrity are more important than the confidentiality of the token. Which of the following should the administrator implement?
Blockchain
Which of the following would MOST likely support the integrity of a voting machine?
Blockchain
A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media?
Blocking removable-media devices and write capabilities using a host-based security tool
A security administrator is enhancing the security controls in an organization with respect to the allowed devices policy. The administrator wrote a .reg file with the code below: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBSTOR "Start"=dword:00000004 Which of the following BEST represents what the administrator is doing?
Blocking the use of USB devices
A developer has incorporated routines into the source code for controlling the length of the input passed to the program. Which of the following types of vulnerabilities is the developer protecting the code against?
Buffer overflow
A security analyst monitors the syslog server and notices the following: Pinging 10.25.27.31 with 65500 bytes of data Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 time<1ms TTL=128 Which of the following attacks is occurring?
Buffer overflow
An application developer has neglected to include input validation checks in the design of the company's new web application. An employee discovers that repeatedly submitting large amounts of data, including custom code, to an application will allow the execution of the custom code at the administrator level. Which of the following BEST identifies this application attack?
Buffer overflow
An employee on the internet-facing part of a company's website submits a 20-character phrase in a small textbox on a web form. The website returns a message back to the browser stating: Error: Table 'advprofile' entry into column 'lname' has exceeded number of allowed characters. Error sending database information. Of which of the following is this an example?
Buffer overflow
Which of the following could an attacker use to overwrite instruction pointers in order to execute malicious code?
Buffer overflow
A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of a power surge or other fault situation. The switch was installed on a wired network in a hospital and is monitored by the facilities department via a cloud application. The security administrator isolated the switch on a separate VLAN and set up a patching routine. Which of the following steps should also be taken to harden the smart switch?
Change the default password for the switch
A company recently updated its website to increase sales. The new website uses PHP forms for leads and provides a directory with sales staff and their phone numbers. A systems administrator is concerned with the new website and provides the following log to support the concern: username JohnD does not exist, password prompt not supplied username DJohn does not exist, password prompt not supplied username JohnDoe exists, invalid password supplied username JohnDoe exists, invalid password supplied username JohnDoe exists, invalid password supplied username JohnDoe exists, account locked Which of the following is the systems administrator MOST likely to suggest to the Chief Information Security Officer (CISO) based on the above?
Changing the account standard naming convention
After deploying an antivirus solution on some network-isolated industrial computers, the service desk team received a trouble ticket about the following message being displayed on the computers' screens: Your AV protection has blocked an unknown application while performing suspicious activities. The application was put in quarantine. Which of the following would be the SAFEST next step to address the issue?
Check the antivirus vendor's documentation about the security modules, incompatibilities, and software whitelisting
A security administrator needs to address the following audit recommendations for a public-facing SFTP server: -Users should be restricted to upload and download files to their own home directories only. -Users should not be allowed to use interactive shell login. Which of the following configuration parameters should be implemented? (Select TWO)
ChrootDirectory , PermitTTY
Which of the following disaster recovery sites would require the MOST time to get operations back online?
Cold
A cryptographer has developed a new proprietary hash function for a company and solicited employees to test the function before recommending its implementation. An employee takes the plaintext version of a document and hashes it, then changes the original plaintext document slightly and hashes it, and continues repeating this process until two identical hash values are produced from two different documents. Which of the following BEST describes this cryptographic attack?
Collision
Given the following: > md5.exe file1.txt > AD1FAB1033773DC6A1E6021B7F503A210 > md5.exe file2.txt > AD1FAB1033773DC6A1E6021B7F503A210 Which of the following concepts of cryptography is shown?
Collision
Given the information below: MD5HASH document.doc 049eab40fd36casd1fab10b3cdf4a883 MD5HASH image.jpg 049eab40fd36caad1fab10b3cdf4a883 Which of the following concepts are described above? (Select TWO).
Collision , Hashing
When implementing automation with IoT devices, which of the following should be considered FIRST to keep the network secure?
Communication protocols
Which of the following cloud models is used to share resources and information with business partners and like businesses without allowing everyone else access?
Community
A healthcare company is revamping its IT strategy in light of recent regulations. The company is concerned about compliance and wants to use a pay-per-use model. Which of the following is the BEST solution?
Community cloud
Which of the following needs to be performed during a forensics investigation to ensure the data contained in a drive image has not been compromised?
Compare the image hash to the original hash
A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the following types of controls should be used to reduce the risk created by this scenario?
Compensating
Which of the following controls is implemented in lieu of the primary security controls?
Compensating
An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues. Which of the following should a security engineer employ to fulfill the requirements for the manager?
Configure whitelisting for the team.
An organization relies on third-party video conferencing to conduct daily business. Recent security changes now require all remote workers to utilize a VPN to corporate resources. Which of the following would BEST maintain high-quality video conferencing while minimizing latency when connected to the VPN?
Configuring QoS properly on the VPN concentrators
After running an online password cracking tool, an attacker recovers the following passwords: gh ;j SKSTOi;618& Based on the above information, which of the following technical controls have been implemented (Select TWO).
Complexity, Length
An administrator wants to implement two-factor authentication. Which of the following methods would provide two-factor authentication when used with a user's fingerprint?
Complicated password
A security administrator wants to better prepare the incident response team for possible security events. The IRP has been updated and distributed to incident response team members. Which of the following is the BEST option to fulfill the administrator's objective?
Conduct a tabletop test
A company occupies the third floor of a leased building that has other tenants. The path from the demarcation point to the company's controlled space runs through unsecured areas managed by other companies. Which of the following could be used to protect the company's cabling as it passes through uncontrolled spaces?
Conduits
A security administrator is creating a risk assessment with regard to how to harden internal communications in transit between servers. Which of the following should the administrator recommend in the report?
Configure IPSec in transport mode
An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the following is the BEST way for the organization to integrate with the cloud application?
Configure a RADIUS federation between the organization and the cloud provider.
A security engineer is working to secure an organization's VMs. While reviewing the workflow for creating VMs on demand, the engineer raises a concern about the integrity of the secure boot process of the VM guest. Which of the following would BEST address this concern?
Configure file integrity monitoring of the guest OS
An organization's research department uses workstations in an airgapped network. A computer released products based on files that originated in the research department. Which of the following should management do to improve the security and confidentiality of the research files?
Configure removable media controls on the workstations
A technician has installed a new AAA server, which will be used by the network team to control access to a company's routers and switches. The technician completes the configuration by adding the network team members to the NETWORK_TEAM group, and then adding the NETWORK_TEAM group to the appropriate ALLOW_ACCESS access list. Only members of the team should have access to the company's routers and switches. NETWORK_TEAM: Lee, Andrea, Pete. ALLOW_ACCESS: DOMAIN_USERS, AUTHENTICATED_USERS, NETWORK_TEAM. Members of the network team successfully test their ability to log in to various network devices configured to use the AAA server. Weeks later, an auditor asks to review the following access log sample: 5/26/2017 10:20 PERMITS: Lee; 5/27/2017 13:45 PERMITS: Andrea; 5/27/2017 09:12 PERMITS: Lee; 5/28/2017 16:37 PERMITS: John; 5/29/2017 08:53 PERMITS: Lee. Which of the following should the auditor recommend based on the above information?
Configure the ALLOW_ACCESS group logic to use AND rather than OR.
A financial organization has adopted a new secure, encrypted document-sharing application to help with its customer loan process. Some important PII needs to be shared across this new platform, but it is getting blocked by the DLP systems. Which of the following actions will BEST allow the PII to be shared with the secure application without compromising the organization's security posture?
Configure the DLP policies to whitelist this application with the specific PII
A new network administrator is establishing network circuit monitoring guidelines to catch potentially malicious traffic. The administrator begins monitoring the NetFlow statistics for the critical Internet circuit and notes the following data after two weeks: Circuit Name: Internet; Min: 20Mbps; Max: 100Mbps; Avg: 35Mbps. However, after checking the statistics from the weekend following the compiled statistics, the administrator notices a spike in traffic to 250Mbps, sustained for one hour. The administrator is able to track the source of the spike to a server in the DMZ. Which of the following is the next BEST course of action?
Consult the NetFlow logs on the NetFlow server to determine what data was being transferred
An engineer in a network operations center correctly determined that malware was running on a production server. Which of the following should the engineer do NEXT?
Contact incident response
When investigating a virus infection, a security analyst discovered the following on an employee laptop: multiple folders containing a large number of newly released movies and music files; proprietary company data; a large amount of PHI data; unapproved FTP software; documents that appear to belong to a competitor. Which of the following should the analyst do FIRST?
Contact the legal and compliance department for guidance
A company has had a BYOD policy in place for many years and now wants to roll out an MDM solution. End users are voicing concerns about the company having access to their personal devices via the MDM solution. Which of the following should the company implement to ease these concerns?
Containerization
A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent this issue from reoccurring?
Containerization
Management wants to ensure any sensitive data on company-provided cell phones is isolated in a single location that can be remotely wiped if the phone is lost. Which of the following technologies BEST meets this need?
Containerization
A security analyst, who is analyzing the security of the company's web server, receives the following output: POST http://www.acme.com/AuthenticationServlet HTTP/1.1 HOST: www.acme.com accept: text/xml, application/xml, application/xhtml+xml KeepAlive: 300 Connection: keep-alive Referer: http//acme.com/index.jsp Cookie: JSESSIONID+LvzZRJJXgwyWPWEQMhS49vtW1yJdvn78CG1Kp5jTvvChDy ! Content-type: application/x-www-form-urlencoded Content-length: 64 delegate_service=131&user=acme1&pass=test&submit=SUBMIT Which of the following is the issue?
During a lessons learned meeting regarding a previous incident, the security team receives a follow-up action item with the following requirements: Allow authentication from within the United States anytime. Allow authentication if the user is accessing email or a shared file system. Do not allow authentication if the AV program is two days out of date. Do not allow authentication if the location of the device is in two specific countries. Given the requirements, which of the following mobile deployment authentication types is being utilized?
Context-aware authentication
A fire that occurred after hours created significant damage to a company's server room. The Chief Information Officer (CIO) was notified of the fire the next morning and was instructed to relocate the computer center to the corporate hot site. Which of the following should the CIO activate?
Continuity of operations plan
A development team employs a practice of bringing all the code changes from multiple team members into the same development project through automation. A tool is utilized to validate the code and track source code through version control. Which of the following BEST describes this process?
Continuous validation
A security engineer implements multiple technical measures to secure an enterprise network. The engineer also works with the Chief Information Officer (CIO) to implement policies to govern user behavior. Which of the following strategies is the security engineer executing?
Control diversity
A systems engineer is configuring a wireless network. The network must not require installation of third-party software. Mutual authentication of the client and the server must be used. The company has an internal PKI. Which of the following configurations should the engineer choose?
EAP-FAST
A company is deploying a wireless network. It is a requirement that client devices must use X.509 certificates to mutually authenticate before connecting to the wireless network. Which of the following protocols would be required to accomplish this?
EAP-TLS
A systems administrator wants to implement a secure wireless network requiring wireless clients to pre-register with the company and install a PKI client certificate prior to being able to connect to the wireless network. Which of the following should the systems administrator configure?
EAP-TLS
An organization requires that workstations be issued client computer certificates from the organization's PKI. Which of the following configurations should be implemented?
EAP-TLS
An organization would like to set up a more robust network access system. The network administrator suggests the organization move to a certificate-based authentication setup in which a client-side certificate is used while connecting. Which of the following EAP types should be used to meet these criteria?
EAP-TLS
A network administrator would like to configure a site-to-site VPN utilizing IPSec. The administrator wants the tunnel to be established with data integrity, encryption, authentication, and anti-replay functions. Which of the following should the administrator use when configuring the VPN?
ESP
A security operations team recently detected a breach of credentials. The team mitigated the risk and followed proper processes to reduce risk. Which of the following processes would BEST help prevent this issue from happening again?
Lessons learned
Which of the following provides the BEST protection for sensitive information and data stored in cloud-based services but still allows for full functionality and searchability of data within the cloud-based services?
Data encryption
A security analyst wants to limit the use of USB and external drives to protect against malware, as well as protect files leaving a user's computer. Which of the following is the BEST method to use?
Data loss prevention
A company is implementing a tool to mask all PII when moving data from a production server to a testing server. Which of the following security techniques is the company applying?
Data obfuscation
After patching computers with the latest application security patches/updates, users are unable to open certain applications. Which of the following will correct the issue?
Modifying the security policy for patch management tools
New legal requirements have been announced regarding the storage of PII. An organization is concerned about the protections in place and wants to ensure only authorized individuals have access. Which of the following roles is responsible for defining which individuals should be permitted access to data sets?
Data owner
A security administrator is implementing a new WAF solution and has placed some of the web servers behind the WAF, with the WAF set to audit mode. When reviewing the audit logs of external requests and posts to the web servers, the administrator finds the following entry: Context Details for Signature 20000018334 Context: Parameter Actual Parameter Name: Account_Name Parameter Value: SELECT * FROM Users WHERE Username='1' OR '1'='1' AND Password='1' OR '1'='1' Based on this data, which of the following actions should the administrator take?
Create a blocking policy based on the parameter values.
A forensics analyst is investigating a hard drive for evidence of suspected illegal activity. Which of the following should the analyst do first?
Create a hash of the hard drive
A security professional wants to test a piece of malware that was isolated on a user's computer to document its effect on a system. Which of the following is the FIRST step the security professional should take?
Create a sandbox on the machine
Joe, a member of the sales team, recently logged into the company servers after midnight local time to download the daily lead form before his co-workers did. Management has asked the security team to provide a method for detecting this type of behavior without impeding the access for sales employees as they travel overseas. Which of the following would be the BEST method to achieve this objective?
Create an automated alert on the SIEM for anomalous sales team activity
During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?
Create and apply microsegmentation rules
Which of the following types of vulnerability scans typically returns more detailed and thorough insights into actual system vulnerabilities?
Credentialed
Joe, a user, reports to the help desk that he can no longer access any documents on his PC. He states that he saw a window appear on the screen earlier, but he closed it without reading it. Upon investigation, the technician sees high disk activity on Joe's PC. Which of the following types of malware is MOST likely indicated by these findings?
Crypto-malware
A security administrator has received multiple calls from the help desk about customers who are unable to access the organization's web server. Upon reviewing the log files, the security administrator determines multiple open requests have been made from multiple IP addresses, which is consuming system resources. Which of the following attack types does this BEST describe?
DDoS
An attacker has gained control of several systems on the Internet and is using them to attack a website causing it to stop responding to legitimate traffic. Which of the following BEST describes the attack?
DDoS
Students at a residence hall are reporting Internet connectivity issues. The university's network administrator configured the residence hall's network to provide public IP addresses to all connected devices, but many student devices are receiving private IP addresses due to rogue devices. The network administrator verifies the residence hall's network is correctly configured and contacts the security administrator for help. Which of the following configurations should the security administrator suggest for implementation?
DHCP snooping
Which of the following provides PFS?
DHE
A company is having issues with intellectual property being sent to a competitor from its system. The information being sent is not random but has an identifiable pattern. Which of the following should be implemented in the system to stop the content from being sent?
DLP
A salesperson often uses a USB drive to save and move files from a corporate laptop. The corporate laptop was recently updated, and now the files on the USB are read-only. Which of the following was recently added to the laptop?
DLP
A security analyst has received an alert about PII being sent via email. The analyst's Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate?
DLP
A user attempts to send an email to an external domain and quickly receives a bounce-back message. The user then contacts the help desk stating the message is important and needs to be delivered immediately. While digging through the email logs, a systems administrator finds the email and bounce-back details: Your email has been rejected because it appears to contain SSN information. Sending SSN information via email to external recipients violates company policy. Which of the following technologies successfully stopped the email from being sent?
DLP
Which of the following would BEST identify and remediate a dataloss event in an enterprise using third-party, web-based services and file-sharing platforms?
DLP
The director of information security at a company has recently directed the security engineering team to implement new security technologies aimed at reducing the impact of insider threats. Which of the following tools has the team MOST likely deployed? (Select TWO)
DLP, UTM
Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack?
DNS routing tables have been compromised, and an attacker is rerouting traffic to malicious websites
An organization's Chief Executive Officer (CEO) read an article that identified leading hacker trends and attacks, one of which is the alteration of URLs to IP addresses resulting in users being redirected to malicious websites. To reduce the chances of this happening in the organization, which of the following secure protocols should be implemented?
DNSSEC
To further secure a company's email system, an administrator is adding public keys to DNS records in the company's domain. Which of the following is being used?
DNSSEC
Phishing and spear-phishing attacks have been occurring more frequently against a company's staff. Which of the following would MOST likely help mitigate this issue?
DNSSEC and DMARC
A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or Wi-Fi network are not impacted, but all WAN and VoIP services are affected. Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Select TWO)
DOS, Memory leak
Which of the following BEST distinguishes Agile development from other methodologies in terms of vulnerability management?
Daily standups
A company is determining where to host a hot site, and one of the locations being considered is in another country. Which of the following should be considered when evaluating this option?
Data Sovereignty
During an incident response, a security analyst observes the following log entry on the web server: GET http://www.companysite.com/product_infor.phy?show=../../../../etc/password HTTP/1.1 Host: www.companysite.com Which of the following BEST describes the type of attack the analyst is experiencing?
Directory traversal
A government contracting company issues smartphones to employees to enable access to corporate resources. Several employees will need to travel to a foreign country for business purposes and will require access to their phones. However, the company recently received intelligence that its intellectual property is highly desired by the same country's government. Which of the following MDM configurations would BEST reduce the risk of compromise while on foreign soil?
Disable location services
A security team has completed the installation of a new server. The OS and applications have been patched and tested, and the server is ready to be deployed. Which of the following actions should be taken before deploying the new server?
Disable the default accounts
Which of the following attacks is used to capture the WPA2 handshake?
Disassociation
An organization is developing a plan in the event of a complete loss of critical systems and data. Which of the following plans is the organization MOST likely developing?
Disaster recovery
A group of developers is collaborating to write software for a company. The developers need to work in subgroups and control who has access to their modules. Which of the following access control methods is considered user-centric?
Discretionary
An organization is facing budget constraints. The Chief Technology Officer (CTO) wants to add a new marketing platform, but the organization does not have the resources to obtain separate servers to run the new platform. The CTO recommends running the new marketing platform on a virtualized video-conferencing server because video conferencing is rarely used. The Chief Information Security Officer (CISO) denies this request. Which of the following BEST explains the reason why the CISO has not approved the request?
Disparate security requirements
A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent the exfiltration of data? (Select TWO).
Drive encryption , MFA
A technician wants to configure a wireless router at a small office that manages a family-owned dry cleaning business. The router will support five laptops, personal smartphones, a wireless printer, and occasional guests. Which of the following wireless configurations is BEST implemented in this scenario?
Dual SSID with WPA2-PSK
A network administrator needs to build out a new datacenter, with a focus on resiliency and uptime. Which of the following would BEST meet this objective? (Select TWO)
Dual power supply, NIC teaming
A malicious actor recently penetrated a company's network and moved laterally to the datacenter. Upon investigation, a forensics firm wants to know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm?
Dump
A developer is creating a new web application on a public cloud platform and wants to ensure the application can respond to increases in load while minimizing costs during periods of low usage. Which of the following strategies is MOST relevant to the use case?
Elasticity
Which of the following is a resiliency strategy that allows a system to automatically adapt to workload changes?
Elasticity
Which of the following ready resources is a cold site MOST likely to have?
Electricity
Given the output: Date/time | Computer name | User ID | Website; 3-15-18 2:00 | Officedesktop | CompanyUser | www.comptia.org; 3-15-18 2:13 | Officedesktop | CompanyUser | www.companysite.com; 3-15-18 2:22 | Officedesktop | CompanyUser | www.localbank.org; 3-15-18 2:46 | Officedesktop | CompanyUser | www.myschool.edu. Which of the following account management practices should the security engineer use to mitigate the identified risk?
Eliminate shared accounts
Which of the following is an algorithm family that was developed for use cases in which power consumption and lower computing power are constraints?
Elliptic curve
A business sector is highly competitive, and safeguarding trade secrets and critical information is paramount. On a seasonal basis, an organization employs temporary hires and contractor personnel to accomplish its mission objectives. The temporary and contract personnel require access to network resources only when on the clock. Which of the following account management practices are the BEST ways to manage these accounts? (Select TWO)
Employ time-of-day restrictions., Employ an account expiration strategy
A security analyst is deploying a next-generation firewall. The analyst wants to protect against malicious payloads found on TLS-enabled websites. After enabling the firewall to scan encrypted HTTP traffic, the users receive an error message on the browser, stating the connection is not private. Which of the following would allow the analyst to inspect this traffic while preventing this error from appearing?
Enable TLS inspection in the firewall's configuration settings
A security administrator's review of network logs indicates unauthorized network access, the source of which appears to be wired data jacks in the lobby area. Which of the following represents the BEST course of action to prohibit this access?
Enabling port security
An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate datacenter that houses confidential information. There is a firewall at the Internet border followed by a DLP appliance, the VPN server and the datacenter itself. Which of the following is the WEAKEST design element?
Encrypted VPN traffic will not be inspected when
A forensic analyst is creating a report of findings for litigation purposes. The analyst must ensure data is preserved using all elements of the CIA triad. Given this scenario, which of the following should the analyst use to BEST meet these requirements?
Encryption for confidentiality, hashing for integrity, and full backups for availability
A RAT that was used to compromise an organization's banking credentials was found on a user's computer. The RAT evaded antivirus detection. It was installed by a user who has local administrator rights to the system as part of a remote management tool set. Which of the following recommendations would BEST prevent this from reoccurring?
Enforce application whitelisting
A systems administrator has been assigned to create accounts for summer interns. The interns are only authorized to be in the facility and operate computers under close supervision. They must also leave the facility at designated times each day. However, the interns can access intern file folders without supervision. Which of the following represents the BEST way to configure the accounts? (Select TWO)
Enforce least privilege, Implement time-of-day restrictions
A user contacts the help desk to report the following: Two days ago, a pop-up browser window prompted the user for a name and password after connecting to the corporate wireless SSID. This had never happened before, but the user entered the information as requested. The user was able to access the Internet but had trouble accessing the department share until the next day. The user is now getting notifications from the bank about unauthorized transactions. Which of the following attack vectors was MOST likely used in this scenario?
Evil twin
A security engineer needs to obtain a recurring log of changes to system files. The engineer is most concerned with detecting unauthorized changes to system data. Which of the following tools can be used to fulfill the requirements that were established by the engineer?
File integrity monitor
A company is planning to build an internal website that allows for access to outside contractors and partners. A majority of the content will only be available to internal employees with the option to share. Which of the following concepts is MOST appropriate?
Extranet
Which of the following can occur when a scanning tool cannot authenticate to a server and has to rely on limited information obtained from service banners?
False positive
While testing a new vulnerability scanner, a technician becomes concerned about reports that list security concerns that are not present on the systems being tested. Which of the following BEST describes this flaw?
False positives
An organization has decided to implement biometric controls for improved access management. However, a significant number of authorized users are being denied access to networked resources. Which of the following is the MAIN biometric factor that requires attention?
False rejection
Which of the following should a technician use to protect a cellular phone that is needed for an investigation, to ensure the data will not be removed remotely?
Faraday cage
Which of the following identity access methods creates a cookie on the first login to a central authority to allow logins to subsequent applications without re-entering credentials?
Federated access
A manager makes an unannounced visit to the marketing department and performs a walk-through of the office. The manager observes unclaimed documents on printers. A closer look at these documents reveals employee names, addresses, ages, birth dates, marital/dependent statuses, and favorite ice cream flavors. The manager brings this to the attention of the marketing department head. The manager believes this information to be PII, but the marketing head does not agree. Having reached a stalemate, which of the following is the MOST appropriate action to take NEXT?
Find the privacy officer in the organization and let the officer act as the arbiter
A systems engineer wants to leverage a cloud-based architecture with low latency between network-connected devices that also reduces the bandwidth that is required by performing analytics directly on the endpoints. Which of the following would BEST meet the requirements? (Choose two.)
Fog computing, Hybrid cloud
A dumpster diver was able to retrieve hard drives from a competitor's trash bin. After installing the hard drives and running common data recovery software, sensitive information was recovered. In which of the following ways did the competitor apply media sanitization?
Formatting
A security administrator in a bank is required to enforce an access control policy so no single individual is allowed to both initiate and approve financial transactions. Which of the following BEST represents the impact the administrator is deterring?
Fraud
Which of the following is MOST likely to outline the roles and responsibilities of data controllers and processors?
GDPR
A security engineer wants to add SSL to the public server. Which of the following would be the FIRST step to implement the SSL certificate?
Generate a CSR
A company wants to ensure users are only logging into the system from their laptops when they are on site. Which of the following would assist with this?
Geofencing
The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to work from home anytime during business hours, including during a pandemic or crisis. However, the CEO is concerned that some staff members may take advantage of the flexibility and work from high-risk countries while on holiday or outsource work to a third-party organization in another country. The Chief Information Officer (CIO) believes the company can implement some basic controls to mitigate the majority of the risk. Which of the following would be BEST to mitigate the CEO's concerns? (Choose two.)
Geolocation, Time-of-day restrictions
A company hired a firm to test the security posture of its database servers and determine if any vulnerabilities can be exploited. The company provided limited information pertaining to the infrastructure and database server. Which of the following forms of testing does this BEST describe?
Grey Box
An organization has hired a new remote workforce. Many new employees are reporting that they are unable to access the shared network resources while traveling. They need to be able to travel to and from different locations on a weekly basis. Shared offices are retained at the headquarters location. The remote workforce will have identical file and system access requirements, and must also be able to log in to the headquarters location remotely. Which of the following BEST represent how the remote employees should have been set up initially? (Select TWO)
Group-based access control, Individual accounts
When choosing a hashing algorithm for storing passwords in a web server database, which of the following is the best explanation for choosing HMAC-MD5 over simple MD5?
HMAC-MD5 is more resistant to brute forcing
Which of the following implements two-factor authentication on a VPN?
HOTP token and logon credentials
A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The CIO wants to keep control over key visibility and management. Which of the following would be the BEST solution for the CIO to implement?
HSM
A security engineer is concerned about susceptibility to HTTP downgrade attacks because the current customer portal redirects users from port 80 to the secure site on port 443. Which of the following would be MOST appropriate to mitigate the attack?
HSTS
Users have reported that an internally developed web application is acting erratically, and the response output is inconsistent. The issue began after a web application dependency patch was applied to improve security. Which of the following would be the MOST appropriate tool to help identify the issue?
HTTP interceptor
A hospital has received reports from multiple patients that their PHI was stolen after completing forms on the hospital's website. Upon investigation, the hospital finds a packet analyzer was used to steal data. Which of the following protocols would prevent this attack from reoccurring?
HTTPS
Which of the following are considered to be "something you do"? (Select TWO)
Handwriting, Gait
A company is executing a strategy to encrypt and sign all proprietary data in transit. The company recently deployed PKI services to support this strategy. Which of the following protocols supports the strategy and employs certificates generated by PKI? (Select THREE).
IPSec, S/MIME, TLS
A company wishes to move all of its services and applications to a cloud provider but wants to maintain full control of the deployment access provisions of its services. Which of the following BEST represents the required cloud deployment model?
IaaS
Which of the following cloud models provides clients with servers, storage, and networks but nothing else?
IaaS
A security analyst is reviewing the password policy for a service account that is used for a critical network service. The password policy for this account is as follows:
Enforce password history: Three passwords remembered
Maximum password age: 30 days
Minimum password age: Zero days
Complexity requirements: At least one special character, one uppercase
Minimum password length: Seven characters
Lockout duration: One day
Lockout threshold: Five failed attempts in 15 minutes
Which of the following adjustments would be the MOST appropriate for the service account?
Increase password length to 18 characters
A tester was able to leverage a pass-the-hash attack during a recent penetration test. The tester gained a foothold and moved laterally through the network. Which of the following would prevent this type of attack from reoccurring?
Increasing the password complexity requirements and setting account expiration dates
Which of the following are the primary differences between an incremental and differential backup? (Select TWO).
Incremental backups take less time to complete. Differential backups only back up files since the last full backup.
A security administrator has completed a monthly review of DNS server query logs. The administrator notices continuous name resolution attempts from a large number of internal hosts to a single Internet addressable domain name. The security administrator then correlated those logs with the establishment of persistent TCP connections out to this domain. The connections seem to be carrying on the order of kilobytes of data per week. Which of the following is the MOST likely explanation for this anomaly?
Internal hosts have become members of a botnet
A corporation is concerned that, if a mobile device is lost, any sensitive information on the device could be accessed by third parties. Which of the following would BEST prevent this from happening? (Select TWO).
Initiate remote wiping on lost mobile devices., Use FDE and require PINs on all mobile devices.
While testing a new application, a developer discovers that the inclusion of an apostrophe in a username causes the application to crash. Which of the following secure coding techniques would be most useful to avoid this problem?
Input validation
A network technician needs to monitor and view the websites that are visited by an employee. The employee is connected to a network switch. Which of the following would allow the technician to monitor the employee's web traffic?
Install and configure a transparent proxy server.
A small contracting company's IT infrastructure enables the processing of various levels of sensitive data for which not all employees have access. However, the employees share physical office space. Which of the following controls would help reduce the risk of accidental spillage of sensitive data?
Install screen filters
A systems administrator recently issued a public/private key pair that will be used for the company's DNSSEC implementation. Which of the following configurations should the systems administrator implement NEXT?
Install the private key using the RRSIG record
A security administrator has generated an SSH key pair to authenticate to a new server. Which of the following should the security administrator do NEXT to use the keys securely for authentication? (Select TWO)
Install the public key on the server., Encrypt the private key
A systems administrator wants to disable the use of usernames and passwords for SSH authentication and enforce key-based authentication. Which of the following should the administrator do NEXT to enforce this new configuration?
Instruct users on how to create a public/private key pair and install users' public keys on the server.
A security administrator has created a new group policy object that utilizes the trusted platform module to compute a hash of system files and compare the value to a known-good value. Which of the following security concepts is this an example of?
Integrity measurement
An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit?
It assures customers that the organization meets security standards.
Which of the following BEST explains how the use of configuration templates reduces an organization's risk?
It ensures consistency of configuration for initial system implementation
Corporations choose to exceed regulatory framework standards because of which of the following incentives?
It improves the legal defensibility of the company.
Which of the following is unique to a stream cipher?
It performs bit-level encryption.
Which of the following BEST describes why an air gap is a useful security control?
It physically isolates two or more networks, therefore helping prevent cross-contamination or accidental data spillage
Which of the following BEST explains why sandboxing is a best practice of testing software from an untrusted vendor prior to an enterprise deployment?
It restricts the access of the software to a contained logical space and limits possible damage.
A company employee recently retired, and there was a schedule delay because no one was capable of filling the employee's position. Which of the following practices would BEST help to prevent this situation in the future?
Job rotation
An internal Intranet site is required to authenticate users and restrict access to content to only those who are authorized to view it. The site administrator previously encountered issues with credential spoofing when using the default NTLM setting and wants to move to a system that will be more resilient to replay attacks. Which of the following should the administrator implement?
Kerberos
A security administrator is investigating a possible account compromise. The administrator logs onto a desktop computer, executes the command notepad.exe c:\Temp\qkakforlkgfkja.log, and reviews the following: Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r https://www.portal.com\rjohnuser\rilovemycat2 Given the above output, which of the following is the MOST likely cause of this compromise?
Keylogger
A security administrator is configuring a network switch to support group-based VLAN assignments via a remote NAC server. The NAC server will determine the user's VLAN based on a directory service group membership upon authentication and will push the VLAN to the switch. Which of the following features should be configured on the switch to support this requirement?
LDAP
A small retail business has a local store and a newly established and growing online storefront. A recent storm caused a power outage to the business and the local ISP, resulting in several hours of lost sales and delayed order processing. The business owner now needs to ensure two things: protection from power outages, and always-available connectivity in case of an outage. The owner has decided to implement battery backup for the computer equipment. Which of the following would BEST fulfill the owner's second need?
Lease a telecommunications line to provide POTS for dial-up access
A security analyst wants to prevent current employees who previously worked in different departments from accessing resources that are no longer necessary for their present job roles. Which of the following policies would meet this objective?
Least privilege
A systems administrator has created network file shares for each department with associated security groups for each role within the organization. Which of the following security concepts is the systems administrator implementing?
Least privilege
A security technician has been given the task of preserving emails that are potentially involved in a dispute between a company and a contractor. Which of the following BEST describes this forensic concept?
Legal hold
A company recently experienced a security breach. The security staff determined that the intrusion was due to an out-of-date proprietary software program running on a non-compliant server. The server was imaged and copied onto a hardened VM, with the previous connections re-established. Which of the following is the NEXT step in the incident response process?
Lessons learned
Which of the following agreement types is a non-contractual agreement between two or more parties and outlines each party's requirements and responsibilities?
MOU
A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Select TWO).
MSCHAP, PEAP
A cybersecurity administrator has a reduced team and needs to operate an on-premises network and security infrastructure efficiently. To help the situation, the administrator decides to hire a service provider. Which of the following should the administrator use?
MSSP
Which of the following are the BEST selection criteria to use when assessing hard drive suitability for time-sensitive applications that deal with large amounts of critical information? (Select TWO).
MTTF, MTTR
An organization wants to move its operations to the cloud. The organization's systems administrator will still maintain control of the servers, firewalls and load balancers in the cloud environment. Which of the following models is the organization considering?
MaaS
A network administrator has determined that a spam filter is not configured properly. Which of the following devices needs to be reconfigured?
Mail gateway
A researcher has been analyzing large data sets for the last ten months. The researcher works with colleagues from other institutions and typically connects via SSH to retrieve additional data. Historically, this setup has worked without issue, but the researcher recently started getting the following message: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMTHING NASTY! The fingerprint for the RSA key sent by the remote host SHA 256: cBqYja16Tov3jEIJHUSKtjjVziqnVd4Cz+1fhTM6+k4. Please contact your system administrator. RSA host key for 18.231.33.78 has changed and you have requested strict checking. Host key verification failed
Man-in-the-middle
An administrator is implementing a secure web server and wants to ensure that if the web server application is compromised, the application does not have access to other parts of the server or network. Which of the following should the administrator implement? (Select TWO)
Mandatory access control, Rule-based access control
Which of the following policies would help an organization identify and mitigate potential single points of failure in the company's IT/security operations?
Mandatory vacation
A company needs to fix some audit findings related to its physical security. A key finding was that multiple people could physically enter a location at the same time. Which of the following is the BEST control to address this audit finding?
Mantrap
An auditor recommends implementing a physical security access control that will allow a guard to isolate and screen users before they enter or exit a secure area. Which of the following would BEST fulfill this recommendation?
Mantrap
Which of the following would be MOST effective in reducing tailgating incidents?
Mantrap
A network administrator was concerned during an audit that users were able to use the same passwords the day after a password change policy took effect. The following settings are in place: Users must change their password every 30 days. Users cannot reuse the last 10 passwords. Which of the following settings would prevent users from being able to immediately reuse the same passwords?
Minimum password age of five days
A company is performing an analysis of which corporate units are most likely to cause revenue loss in the event the unit is unable to operate. Which of the following is an element of the BIA that this action is addressing?
Mission-essential functions
When selecting a technical solution for identity management, an architect chooses to go from an in-house solution to a third-party SaaS provider. Which of the following risk management strategies is this an example of?
Mitigation
A Chief Information Security Officer (CISO) is concerned about the organization's ability to continue business operations in the event of a prolonged DDoS attack on its local datacenter that consumes server resources. Which of the following will the CISO MOST likely recommend to mitigate this risk?
Migrate to a geographically dispersed cloud datacenter.
Which of the following settings would prevent users from being able to immediately reuse the same passwords?
Minimum password age of five days
A security analyst is specifying requirements for a wireless network. The analyst must explain the security features provided by various architecture choices. Which of the following is provided by PEAP, EAP-TLS, and EAP-TTLS?
Mutual authentication
Which of the following should a company require prior to performing a penetration test?
NDA
An organization wants to implement a solution that allows for automated logical controls for network defense. An engineer plans to select an appropriate network security component, which automates response actions based on security threats to the network. Which of the following would be MOST appropriate based on the engineer's requirements?
NIPS
A security administrator is implementing a SIEM and needs to ensure events can be compared against each other based on when the events occurred and were collected. Which of the following does the administrator need to implement to ensure this can be accomplished?
NTP
After a systems administrator installed and configured Kerberos services, several users experienced authentication issues. Which of the following should be installed to resolve these issues?
NTP server
In a lessons learned report, it is suspected that a well-organized, well-funded, and extremely sophisticated group of attackers may have been responsible for a breach at a nuclear facility. Which of the following describes the type of actors that may have been implicated?
Nation state
Which of the following command line tools would be BEST to identify the services running on a server?
Netstat
A security administrator needs to conduct a full inventory of all encryption protocols and cipher suites. Which of the following tools will the security administrator use to conduct this inventory MOST efficiently?
Nmap
A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions?
Nmap
A technician has been asked to document which services are running on each of a collection of 200 servers. Which of the following tools BEST meets this need while minimizing the work required?
Nmap
An administrator is beginning an authorized penetration test of a corporate network. Which of the following tools would BEST assist in identifying potential attacks?
Nmap
A penetration tester is testing passively for vulnerabilities on a company's network. Which of the following tools should the penetration tester use? (SELECT TWO)
Nmap, Nikto
A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant items. Which of the following BEST describe why this has occurred? (Select TWO)
Non-applicable plug-ins were selected in the scan policy, The output of the report contains false positives
Which of the following is a penetration tester performing when running an SMB NULL session scan of a host to determine valid usernames and share names?
Non-credentialed scan
A security technician must prevent unauthorized external access from stolen passwords. Which of the following authentication methods would allow users to use their current passwords while enhancing security?
One-time password
Which of the following is the main difference between symmetric and asymmetric cryptographic algorithms?
Only one key used in symmetric algorithms
Which of the following is the MOST likely motivation for a script kiddie threat action?
Notoriety
Which of the following uses tokens between the identity provider and the service provider to authenticate and authorize users to resources?
OAuth
A systems administrator wants to replace the process of using a CRL to verify certificate validity. Frequent downloads are becoming problematic. Which of the following would BEST suit the administrator's needs?
OCSP
An auditor is requiring an organization to perform real time validation of SSL certificates. Which of the following should the organization implement?
OCSP
A technician, who is managing a secure B2B connection, noticed the connection broke last night. All networking equipment and media are functioning as expected, which leads the technician to question certain PKI components. Which of the following should the technician use to validate this assumption? (Select TWO).
OCSP, CRL
Which of the following is a component of multifactor authentication?
OTP
An attachment that was emailed to finance employees contained an embedded message. The security administrator investigates and finds the intent was to conceal the embedded information from public view. Which of the following BEST describes this type of message?
Obfuscation
An administrator needs to protect 5 websites with SSL certificates. Three of the websites have different domain names and two of the websites share the domain name but have different subdomain prefixes. Which of the following SSL certificates should the administrator purchase to protect all the websites and be able to administer them easily at a later time?
One SAN certificate
Which of the following is the MOST significant difference between intrusive and non-intrusive vulnerability scanning?
One has a higher potential for disrupting system operations
An attacker had obtained the user ID and password of a datacenter's backup operator and has gained access to a production system. Which of the following would be the attacker's NEXT action?
Options
A company has migrated to two-factor authentication for accessing the corporate network, VPN, and SSO. Several legacy applications cannot support multifactor authentication and must continue to use usernames and passwords. Which of the following should be implemented to ensure the legacy applications are as secure as possible while ensuring functionality? (Select TWO)
Password reuse restrictions, Password complexity requirements
After successfully breaking into several networks and infecting multiple machines with malware, hackers contact the network owners, demanding payment to remove the infection and decrypt files. The hackers threaten to publicly release information about the breach if they are not paid. Which of the following BEST describes these attackers?
Organized crime
Ann is the IS manager for several new systems in which the classification of the systems' data is being decided. She is trying to determine the sensitivity level of the data being processed. Which of the following people should she consult to determine the data classification?
Owner
A network administrator is configuring a honeypot in a company's DMZ. To provide a method for hackers to access the system easily, the company needs to configure a plaintext authentication method that will send only the username and password to a service in the honeypot. Which of the following protocols should the company use?
PAP
A security engineer wants to introduce key stretching techniques to the account database to make password guessing attacks more difficult. Which of the following should be considered to achieve this? (Select TWO).
PBKDF2, bcrypt
A company wants to configure its wireless network to require username and password authentication. Which of the following should the systems administrator implement?
PEAP
A security administrator receives a request from a customer for certificates to access servers securely. The customer would like a single encrypted file that supports PKCS and contains the private key. Which of the following formats should the technician use?
PFX
Ann, a security analyst, wants to implement a secure exchange of email. Which of the following is the BEST option for Ann to implement?
PGP
A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able to detect the following message: "Special privileges assigned to new logon." Several of those messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected?
Pass-the-hash
An attacker has gathered information about a company employee by obtaining available information from the Internet and social networks. Which of the following types of activity is the attacker performing?
Passive reconnaissance
Which of the following is being used when a malicious actor searches various social media websites to find information about a company's systems administrators and help desk staff?
Passive reconnaissance
The Chief Information Officer (CIO) has heard concerns from the business and the help desk about frequent user account lockouts. Which of the following account management practices should be modified to ease the burden?
Password complexity
A company has a team of penetration testers. This team has located a file on the company file server that they believe contains cleartext usernames followed by a hash. Which of the following tools should the penetration testers use to learn more about the content of this file?
Password cracker
A security administrator wants to audit the login page of a newly developed web application to determine if default accounts have been disabled. Which of the following is BEST suited to perform this audit?
Password cracker
A security team has downloaded a public database of the largest collection of password dumps on the Internet. This collection contains the cleartext credentials of every major breach for the last four years. The security team pulls and compares users' credentials to the database and discovers that more than 30% of the users were still using passwords discovered in this list. Which of the following would be the BEST combination to reduce the risks discovered?
Password reuse, password complexity, password expiration
A security analyst needs to determine how an attacker was able to use User3 to gain a foothold within a company's network. The company's lockout policy requires that an account be locked out for a minimum of 15 minutes after three unsuccessful attempts. While reviewing the log files, the analyst discovers the following:
3/16/20 3:31:10 AM Audit Failure: CompanyNetwork\User1 Unknown username or bad password.
3/16/20 3:31:11 AM Audit Failure: CompanyNetwork\User1 Unknown username or bad password.
3/16/20 3:31:12 AM Audit Failure: CompanyNetwork\User1 Unknown username or bad password.
3/16/20 3:31:13 AM Audit Failure: CompanyNetwork\User1 Account locked out..
3/16/20 3:31:14 AM Audit Failure: CompanyNetwork\User2 Unknown username or bad password.
3/16/20 3:31:15 AM Audit Failure: CompanyNetwork\User2 Unknown username or bad password.
3/16/20 3:31:16 AM Audit Failure: CompanyNetwork\User2 Unknown username or bad password.
3/16/20 3:31:18 AM Audit Failure: CompanyNetwork\User2 Account locked out...
3/16/20 3:31:19 AM Audit Failure: CompanyNetwork\User3 Unknown username or bad password.
3/16/20 3:31:20 AM Audit Failure: CompanyNetwork\User3 Unknown username or bad password.
3/16/20 3:31:22 AM Audit Failure: CompanyNetwork\User3 Unknown username or bad password.
3/16/20 3:31:22 AM Audit Success: CompanyNetwork\User3 Successful login.
3/16/20 3:31:10 AM Audit Failure: CompanyNetwork\User4 Unknown username or bad password.
3/16/20 3:31:22 AM Audit Failure: CompanyNetwork\User4 Unknown username or bad password.
3/16/20 3:32:40 AM Audit Failure: CompanyNetwork\User4 Unknown username or bad password.
3/16/20 3:33:25 AM Audit Success: CompanyNetwork\User4 Successful login.
Which of the following attacks MOST likely occurred?
Password-spraying
An organization wants to implement a method to correct risks at the system/application layer. Which of the following is the BEST method to accomplish this goal?
Patch management
If a current private key is compromised, which of the following would ensure it cannot be used to decrypt all historical data?
Perfect forward secrecy
A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker would. Which of the following would BEST enable the analyst to complete the objective?
Perform a non-credentialed scan
A network administrator is ensuring current account policies and procedures are following best practices and will not be flagged in an upcoming audit. While running reports on current group memberships, the network administrator logs the following access:
User | Current job title | Accounting group | HR group | IT group | Research group
User1 | IT help desk rep | x x x
User2 | Senior Accountant | x x x x
User3 | Product development Mgr | x x x
User4 | HR representative | x x
Upon further review, the network administrator discovers all of these employees have been in their current positions for at least two years. Which of the following practices should the network administrator recommend for this scenario?
Permission and usage reviews that occur on a regularly scheduled basis
A company has won an important government contract. Several employees have been transferred from their existing projects to support the new contract. Some of the employees who have transferred will be working long hours and still need access to their project information to transition work to their replacements. Which of the following should be implemented to validate that the appropriate offboarding process has been followed?
Permission auditing
A security technician is configuring a new firewall appliance for a production environment. The firewall must support secure web services for client workstations on the 10.10.10.0/24 network. The same client workstations are configured to contact a server at 192.168.1.15/24 for domain name resolution. Which of the following rules should the technician add to the firewall to allow this connectivity for the client workstations? (Select TWO).
Permit 10.10.10.0/24 192.168.1.15/24 -p udp --dport 53 , Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 443
A penetration tester uses an exploited network printer as a base of operations to expand access to various workstations. Which of the following BEST describes the tester's actions?
Pivoting
Which of the following penetration testing concepts is an attacker MOST interested in when placing the path of a malicious file in the Windows\CurrentVersion\Run registry key?
Persistence
Which of the following controls does a mantrap BEST represent?
Physical
A mobile application developer wants to secure an application that transmits sensitive information. Which of the following should the developer implement to prevent SSL MITM attacks?
Pinning
A company has an AUP in place that employees must adhere to while using the corporate network. A captive portal links the AUP every time an employee accesses any external network resource, limiting how much company time can be spent on social media sites to less than one hour per day total. A security analyst has pulled logs and is analyzing the current output:
Date | Username | Website | Category | Time utilized
03/01/2018 | joe.smith | www.corporatesite.com | Business | 1H 36M
03/01/2018 | joe.smith | www.localbank.com | Business | 0H 13M
03/01/2018 | stacey.jones | www.corporatesite.com | Business | 0H 36M
03/01/2018 | stacey.jones | www.facebook.com | Social Media | 1H 27M
03/01/2018 | eric.lee | www.twitter.com | Social Media | 0H 37M
03/01/2018 | mike.henry | www.espn.com | Social Media | 1H 03M
03/01/2018 | peter.rabbit | www.corporatesite.com | Business | 3H 27M
03/01/2018 | georgia.difabio | university.com | Education | 4H 17M
Based on this output, which of the following is the MOST likely security issue that has been discovered by the security team?
Policy violation
During a company sponsored phishing exercise, more than 25% of the employees clicked on the link embedded in the message. Of the employees who clicked the link. 75% then entered their user credentials on the website provided. Which of the following would be the BEST way to improve the metrics for the next exercise?
Provide security awareness training focused on identifying and responding to phishing messages.
A systems administrator wants to enforce the use of HTTPS on a new website. Which of the following should the systems administrator do NEXT after generating the CSR?
Provide the public key to the CA
A web server, which is configured to use TLS with AES-GCM-256, SHA-384, and ECDSA, recently suffered an information loss breach. Which of the following is MOST likely the cause?
Poor implementation
After a security assessment was performed on the enterprise network, it was discovered that: 1. Configuration changes have been made by users without the consent of IT. 2. Network congestion has increased due to the use of social media. 3. Users are accessing file folders and network shares that are beyond the scope of their need to know. Which of the following BEST describe the vulnerabilities that exist in this environments? (Select TWO).
Poorly trained users , Improperly configured accounts
A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic. Which of the following should be used for the IDS implementation?
Port mirror
A company recently experienced data exfiltration via the corporate network. In response to the breach, a security analyst recommends deploying an out-of-band IDS solution, The analyst says the solution can be implemented without purchasing any additional network hardware. Which of the following solutions will be used to deploy the IDS?
Port mirroring
A technician is auditing network security by connecting a laptop to open hardwired jacks within the facility to verify they cannot connect. Which of the following is being tested?
Port security
A company is examining possible locations for a hot site. Which of the following considerations is of MOST concern if the replication technology being used is highly sensitive to network latency?
Positioning of the site across international borders
Which of the following BEST describes the concept of perfect forward secrecy?
Preventing cryptographic reuse so a compromise of one operation does not affect other operations
A government agency with sensitive information wants to virtualize its infrastructure. Which of the following cloud deployment models BEST fits the agency's needs?
Private
After discovering the /etc/shadow file had been rewritten, a security administrator noticed an application insecurely creating files in /tmp. Which of the following vulnerabilities has MOST likely been exploited?
Privilege escalation
Which of the following would MOST likely be a result of improperly configured user accounts?
Privilege escalation
Joe, an employee, recently assumed the role of data custodian for his organization. While cleaning out an unused storage safe, he discovers several hard drives that are labeled 'unclassified' and awaiting destruction. The hard drives are obsolete and cannot be installed in any of his current computing equipment. Which of the following is the BEST method for disposing of the hard drives?
Pulverizing
A Chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the public-facing servers in the domain. Which of the following is a secure solution that is the MOST cost effective?
Purchase a wildcard certificate and implement it on every server
An organization requires secure configuration baselines for all platforms and technologies that are used. If any system cannot conform to the secure baseline, the organization must process a risk acceptance and receive approval before the system is placed into production. It may have non-conforming systems in its lower environments (development and staging) without risk acceptance, but must receive risk approval before the system is placed in production. Weekly scan reports identify systems that do not conform to any secure baseline. The application team receives a report with the following results:
Host | Environment | Baseline deviation ID (criticality)
NYAccounting DEV | Development |
DYAccounting Stg | Staging |
NYAccounting Prod | Production | 2633 (low), 3124 (high)
There are currently no risk acceptances for baseline deviations. This is a mission-critical application, and the organization cannot operate if the application is not running. The application fully functions in the development and staging environments. Which of the following actions should the application team take?
Process a risk acceptance for 2633 and remediate 3124.
An employee resigns from a company without giving adequate notice. The following day, it is determined that the employee is still in possession of several company-owned mobile devices. Which of the following would have reduced the risk of this occurring? (Select TWO)
Proper offboarding procedures , Exit interviews
A technician is recommending preventative physical security controls for the server room. Which of the following would the technician MOST likely recommend? (Select TWO)
Protected cabinets, Mantrap
All account executives are being provided with COPE devices for their use. Which of the following mobile device security practices should be enabled for these devices to protect company data? (Select TWO).
Remote wipe , Full device encryption
A company recently implemented a new security system. In the course of configuration, the security administrator adds the following entry: #Whitelist USB\VID_13FE&PID_4127&REV_0100 Which of the following security technologies is MOST likely being configured?
Removable media control
Which of the following impacts are associated with vulnerabilities in embedded systems? (Select TWO).
Repeated exploitation due to unpatchable firmware, Key reuse and collision issues due to decentralized management
An employee is observed taking photos of sensitive documents, but the employee is reportedly on a special assignment. The company's policies are: No photography is allowed in the building without authorization. If photographs are taken, do not confront the offender. Report incidents to the compliance officer. Which of the following actions should be taken?
Report a policy violation
The application team within a company is asking the security team to investigate why its application is slow after an upgrade. The source address of the team's application is 10.13.136.9, and the destination IP is 10.17.36.5. The security analyst pulls the logs from the endpoint security software but sees nothing is being blocked. The analyst then looks at the UTM firewall logs and sees the following:
Session | Source | Destination | Protocol | Port | Action | IPS | DoS
12699 | 10.13.136.9 | 10.17.36.5 | TCP | 80 | ALLOW | YES | NO
12699 | 10.13.136.9 | 10.17.36.5 | TCP | 443 | ALLOW | YES | NO
12699 | 10.13.136.9 | 10.17.36.5 | TCP | 1433 | DENY | YES | NO
12719 | 10.13.136.8 | 10.17.36.5 | TCP | 87 | DENY | YES | NO
12719 | 10.13.136.9 | 10.17.36.5 | TCP | 88 | ALLOW | YES | NO
12719 | 10.13.136.9 | 10.17.36.5 | TCP | 636 | ALLOW | YES | NO
12899 | 10.13.136.6 | 10.17.36.9 | UDP | 9877 | DENY | NO | NO
Which of the following should the security analyst request NEXT based on the UTM firewall analysis?
Request the network team to open port 1433 from 10.13.136.9 to 10.17.36.5
A software development company needs to augment staff by hiring consultants for a high-stakes project. The project has the following requirements: · Consultants will have access to highly confidential, proprietary data. · Consultants will not be provided with company-owned assets. · Work needs to start immediately. · Consultants will be provided with internal email addresses for communications. Which of the following solutions is the BEST method for controlling data exfiltration during this project?
Require that all consultant activity be restricted to a secure VDI environment.
A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output:
CPU 0 percent busy, from 300 sec ago
1 sec ave: 99 percent busy
5 sec ave: 97 percent busy
1 min ave: 83 percent busy
Which of the following is the router experiencing?
Resource exhaustion
A user is unable to obtain an IP address from the corporate DHCP server. Which of the following is MOST likely the cause?
Resource exhaustion
A security analyst is determining the point of compromise after a company is hacked. The analyst checks the server logs and sees that a user account was logged in at night, and several large compressed files were exfiltrated. The analyst then discovers the user last logged in four years ago and was terminated. Which of the following should the security analyst recommend to prevent this type of attack in the future? (Select two)
Restrict the compromised user account , Perform an audit of all company user accounts
Which of the following incident response steps involves actions to protect critical systems while maintaining business operations?
Containment
When attempting to secure a mobile workstation, which of the following authentication technologies rely on the user's physical characteristics? (Select TWO)
Retina scan, Fingerprint scan
A consultant is planning an assessment of a customer-developed system. The system consists of a custom-engineered board with modified open-source drivers and a one-off management GUI. The system relies on two-factor authentication for interactive sessions, employs strong certificate-based data-in-transit encryption, and randomly switches ports for each session. Which of the following would yield the MOST useful information?
Reverse engineering principles
A security analyst is assessing a small company's internal servers against recommended security practices. Which of the following should the analyst do to conduct the assessment? (Select TWO)
Review the company's current security baseline
An email system administrator is configuring the mail server to prevent spear phishing attacks through email messages. Which of the following refers to what the administrator is doing?
Risk mitigation
A human resources manager needs to be able to view all employees' salary and annual increase information, but the payroll manager needs view and edit access to the employees' salary and benefits selections. Which of the following is the BEST access control method to implement?
Role-based control
An organization is drafting an IRP and needs to determine which employees have the authority to take systems offline during an emergency situation. Which of the following is being outlined?
Roles and responsibilities
A company has just experienced a malware attack affecting a large number of desktop users. The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as 'Troj.Generic'. Once the security team found a solution to remove the malware, they were able to remove the malware files successfully, and the HIDS stopped alerting. The next morning, however, the HIDS once again started alerting on the same desktops, and the security team discovered the files were back. Which of the following BEST describes the type of malware infecting this company's network?
Rootkit
An incident response analyst in a corporate security operations center receives a phone call from an SOC analyst. The SOC analyst explains the help desk recently reimaged a workstation that was suspected of being infected with an unknown type of malware, however, even after reimaging, the host continued to generate SIEM alerts. Which of the following types of malware is MOST likely responsible for producing the SIEM alerts?
Rootkit
During the incident handling process, an analyst runs the following command: PS c:\>get-filehash c:\windows\system32\cmd.exe SHA1 cmd.exe cda52a0faca4ac7df32cfb6c8fa09acf42ad5cb7 The original file hash for cmd.exe was: ab5d7c8faca4ac7df32cfb6c8fa09acf42ad5f12 Which of the following is MOST associated with this indicator of compromise
Rootkit
A security consultant is setting up a new electronic messaging platform and wants to ensure the platform supports message integrity validation. Which of the following protocols should the consultant recommend?
S/MIME
A user wants to send a confidential message to a customer to ensure unauthorized users cannot access the information. Which of the following can be used to ensure the security of the document while in transit and at rest?
S/MIME
A local coffee shop runs a small WiFi hotspot for its customers that utilizes WPA2-PSK. The coffee shop would like to stay current with security trends and wants to implement WPA3 to make its WiFi even more secure. Which of the following technologies should the coffee shop use in place of PSK?
SAE
A company has purchased a new SaaS application and is in the process of configuring it to meet the company's needs. The director of security has requested that the SaaS application be integrated into the company's IAM processes. Which of the following configurations should the security administrator set up in order to complete this request?
SAML
A security specialist is notified about a certificate warning that users receive when using a new internal website. After being given the URL from one of the users and seeing the warning, the security specialist inspects the certificate and realizes it has been issued to the IP address, which is how the developers reach the site. Which of the following would BEST resolve the issue?
SAN
A water utility company has seen a dramatic increase in the number of water pumps burning out. A malicious actor was attacking the company and is responsible for the increase. Which of the following systems has the attacker compromised?
SCADA
A developer is building a new web portal for internal use. The web portal will only be accessed by internal users and will store operational documents. Which of the following certificate types should the developer install if the company is MOST interested in minimizing costs?
Self-signed
A company is deploying MFDs in its office to improve employee productivity when dealing with paperwork. Which of the following concerns is MOST likely to be raised as a possible security issue in relation to these devices?
Sensitive scanned materials being saved on the local hard drive
An organization has a policy in place that states the person who approves firewall controls/changes cannot be the one implementing the changes. Which of the following is this an example of?
Separation of duties
Which of the following would have the greatest impact on the supporting database server if input handling is not properly implemented on a web application?
SQL injection
While reviewing system logs, a security analyst notices that a large number of end users are changing their passwords four times on the day the passwords are set to expire. The analyst suspects they are cycling their passwords to circumvent current password controls. Which of the following would provide a technical control to prevent this activity from occurring?
Set password aging requirements
The IT Department at a university is concerned about professors placing servers on the university network in an attempt to bypass security controls. Which of the following BEST represents this threat?
Shadow IT
A systems administrator is auditing the company's Active Directory environment. It is quickly noted that the username "company\bsmith" is interactively logged into several desktops across the organization. Which of the following has the systems administrator MOST likely come across?
Shared credentials
A systems administrator is configuring a new network switch for TACACS+ management and authentication. Which of the following must be configured to provide authentication between the switch and the TACACS+ server?
Shared secret
Which of the following is a risk that is specifically associated with hosting applications in the public cloud?
Shared tenancy
An administrator is disposing of media that contains sensitive information. Which of the following will provide the MOST effective method of disposing of the media while ensuring the data will be unrecoverable?
Shred the hard drive.
A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use?
Shredding
A security technician has been assigned data destruction duties. The hard drives that are being disposed of contain highly sensitive information. Which of the following data destruction techniques is MOST appropriate?
Shredding
An organization handling highly confidential information needs to update its systems. Which of the following is the BEST method to prevent data compromise?
Shredding
A company is performing an analysis of the corporate enterprise network with the intent of identifying what will cause losses in revenue, referrals, and/or reputation when out of commission. Which of the following is an element of a BIA that is being addressed?
Single point of failure
A security analyst was performing a BIA for a web commerce company and identified that one server in the entire network is responsible for the front-end site. Which of the following BEST describes the potential impact this poses to the organization? (Select TWO).
Single point of failure, Application overload
An organization is setting up a satellite office and wishes to extend the corporate network to the new site. Which of the following is the BEST solution to allow the users to access corporate resources while focusing on usability and security?
Site to site VPN
A law office has been leasing dark fiber from a local telecommunications company to connect a remote office to company headquarters. The telecommunications company has decided to discontinue its dark fiber product and is offering an MPLS connection, which the law office feels is too expensive. Which of the following is the BEST solution for the law office?
Site-to-site VPN
A network technician is setting up a new branch for a company. The users at the new branch will need to access resources securely as if they were at the main location. Which of the following networking concepts would BEST accomplish this?
Site-to-site VPN
When used together, which of the following qualify as two-factor authentication?
Smart card and PIN
A user receives an SMS on a mobile phone that asks for bank details. Which of the following social-engineering techniques was used in this case?
Smishing
A technician is required to configure updates on a guest operating system while maintaining the ability to quickly revert the changes that were made while testing the updates. Which of the following should the technician implement?
Snapshots
Joe, a new employee, discovered a thumb drive with the company's logo on it while walking in the parking lot. Joe was curious as to the contents of the drive and placed it into his work computer. Shortly after accessing the contents, he noticed the machine was running slower, started to reboot, and displayed new icons on the screen. Which of the following types of attacks occurred?
Social engineering
The president of a company that specializes in military contracts receives a request for an interview. During the interview, the reporter seems more interested in discussing the president's family life and personal history than the details of a recent company success. Of which of the following security concerns is this MOST likely an example?
Social engineering
A company has developed a business critical system for its core automation process with a software vendor. Which of the following can provide access to the source code if the licensor declares bankruptcy?
Software escrow
An organization is updating its access control standards for SSL VPN login to include multifactor authentication. The security administrator assigned to this project has been given the following guidelines to use when selecting a solution: High security Lowest false acceptance rate Quick provisioning time for remote users and offshore consultants Which of the following solutions will BEST fit the organizations requirements?
Software tokens
An organization discovers that unauthorized applications have been installed on company-provided mobile phones. The organization issues these devices, but some users have managed to bypass the security controls. Which of the following is the MOST likely issue, and how can the organization BEST prevent this from happening?
Some advanced users are upgrading the devices' OS and installing the applications. The organization should create an AUP that prohibits this activity
An organization has the following password policies: Passwords must be at least 16 characters long. A password cannot be the same as any of the previous 20 passwords. Three failed login attempts will lock the account for 5 minutes. Passwords must have one uppercase letter, one lowercase letter, and one non-alphanumeric symbol. A database server was recently breached, and the incident response team suspects the passwords were compromised. Users with permissions on that database server were forced to change their passwords for that server. Unauthorized and suspicious logins are now being detected on a completely separate server. Which of the following is MOST likely the issue and the BEST solution?
Some users are reusing passwords for different systems; the organization should scan for password reuse across systems
Which of the following involves the use of targeted and highly crafted custom attacks against a population of users who may have access to a particular service or program?
Spear phishing
Some call center representatives' workstations were recently updated by a contractor who was able to collect customer information from the call center workstation. Which of the following types of malware was installed on the call center users' systems?
Spyware
A security analyst is writing views for the SIEM. Some of the views are focused on activities of service accounts and shared accounts. Which of the following account management practices would BEST aid the analyst's efforts?
Standard naming convention
In the event of a security incident, which of the following should be captured first?
System memory
Apply a predefined set of labels from government sources to all data within the company
TACACS+
A systems administrator is implementing a remote access method for the system that will utilize GUI. Which of the following protocols would be BEST suited for this?
TLS
An organization's Chief Information Officer (CIO) recently received an email from human resources that contained sensitive information. The CIO noticed the email was sent via unsecure means. A policy has since been put into place stating all emails must be transmitted using secure technologies. Which of the following should be implemented to address the new policy?
TLS
During a security audit of a company's network, unsecure protocols were found to be in use. A network administrator wants to ensure browser-based access to company switches is using the most secure protocol. Which of the following protocols should be implemented?
TLS 1.2
A systems administrator has implemented multiple websites using host headers on the same server. The server host two websites that require encryption and other websites where encryption is optional. Which of the following should the administrator implement to encrypt web traffic for the required websites?
TLS host certificate
A video-game developer has received reports of players who are cheating. All game players each have five capabilities that are ranked on a scale of 1 to 10 points, with 10 total points available for balance. Players can move these points between capabilities at any time. The programming logic is as follows: A player asks to move points from one capability to another. The source capability must have enough points to allow the move. The destination capability must not exceed 10 after the move. The move from source capability to destination capability is then completed. The time stamps of the game logs show each step of the transfer process takes about 900 ms. However, the time stamps of the cheating players show capability transfers at the exact same time. The cheating players have 10 points in multiple capabilities. Which of the following is MOST likely being exploited to allow these capability transfers?
TOC/TOU
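The cheat works because the check ("source has enough, destination will not exceed 10") and the use (the actual debit and credit) are separate steps with a gap between them; two requests submitted at the same instant both pass the check against the old balances and both commit. The block below is an added example, not code from the original page or the game: it models the transfer logic in the question, forces the two requests to overlap with a barrier so the race is reproducible, and shows the fix of doing check and commit under one lock. The capability names and starting values are constructed for the demo.

```python
import threading

MAX_PER_CAPABILITY = 10


class Player:
    def __init__(self, capabilities: dict):
        self.caps = dict(capabilities)
        self.lock = threading.Lock()


def transfer_racy(player: Player, src: str, dst: str, pts: int, sync=lambda: None) -> bool:
    """Check, then (later) use: the vulnerable ordering from the question."""
    # time-of-check: validated against balances that may change before commit
    if player.caps[src] < pts or player.caps[dst] + pts > MAX_PER_CAPABILITY:
        return False
    sync()  # stands in for the ~900 ms between validation and commit
    # time-of-use: commit without re-validating
    player.caps[src] -= pts
    player.caps[dst] += pts
    return True


def transfer_safe(player: Player, src: str, dst: str, pts: int, sync=lambda: None) -> bool:
    """Check and commit as one atomic step under the player's lock."""
    sync()  # both requests still arrive at the same instant...
    with player.lock:  # ...but only one at a time gets to check-and-commit
        if player.caps[src] < pts or player.caps[dst] + pts > MAX_PER_CAPABILITY:
            return False
        player.caps[src] -= pts
        player.caps[dst] += pts
        return True


def run_concurrent(transfer, player: Player, requests: list) -> list:
    """Submit every request on its own thread; a Barrier lines them up so the
    racy version's check-then-use window is hit deterministically."""
    barrier = threading.Barrier(len(requests))
    results = [None] * len(requests)

    def worker(i, req):
        results[i] = transfer(player, *req, sync=barrier.wait)

    threads = [threading.Thread(target=worker, args=(i, r)) for i, r in enumerate(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def invariant_holds(player: Player) -> bool:
    return all(0 <= v <= MAX_PER_CAPABILITY for v in player.caps.values())


if __name__ == "__main__":
    # Constructed sample: 8 attack, 2 defense; two simultaneous "move 6 attack -> defense"
    for name, fn in (("racy", transfer_racy), ("safe", transfer_safe)):
        p = Player({"attack": 8, "defense": 2, "speed": 0})
        outcomes = run_concurrent(fn, p, [("attack", "defense", 6)] * 2)
        print(name, outcomes, p.caps, "invariant ok:", invariant_holds(p))
```

With the racy version both transfers report success even though only one was affordable, which is how a player ends up with 10 points in several capabilities; with the lock the second request is re-checked against the committed balance and rejected. In a real backend the lock is usually a database transaction or a compare-and-swap on the row version, but the rule is the same: re-validate inside the same critical section that commits.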
A new employee attempts to enter a secure door utilizing a company-issued proximity card. The employee is greeted by someone claiming to be late for a job interview and wanting to enter. Which of the following type of attack does this BEST describe?
Tailgating
An organization wants to ensure servers and applications can be deployed rapidly, in a consistent manner, and allow for flexible configuration changes. Which of the following should the organization use to make this process repeatable across multiple locations?
Templates
A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the Internet all day. Which of the following would MOST likely show where the malware originated?
The DNS logs
A computer forensics team is performing an integrity check on key system files. The team is comparing the signatures of the original baseline files with the latest signatures. The original baseline was taken on March 2, 2016 and was established to be clean of malware and uncorrupted. The latest file signatures were generated yesterday. One file is known to be corrupted, but when the team compares the signatures of the original and latest files, the team sees the following: Original: 2d da b1 4a 98 fc f1 98 06 b1 e5 26 b2 df e5 5b 3e cb 83 e1 Latest 2d da b1 4a 98 fc f1 98 06 b1 e5 26 b2 df e5 5b 3e cb 83 e1 Which of the following is MOST likely the situation?
The algorithm used to calculate the hash has a collision weakness and an attacker has exploited it.
A security analyst will be performing gray box testing on a company's web application to discover vulnerabilities and weaknesses. Which of the following BEST describes the access the analyst will be granted?
The analyst will be given a limited amount of information and access regarding the web application
Which of the following is the MAIN disadvantage of using SSO?
The architecture can introduce a single point of failure.
An attacker is able to capture the payload for the following packet: IP 192.168.1.22:2020 10.10.10.5:443 IP 192.168.1.10:1030 10.10.10.1:21 IP 192.168.1.57:5217 10.10.10.1:3389 During an investigation, an analyst discovers that the attacker was able to capture the information above and use it to log on to other servers across the company. Which of the following is the MOST likely reason?
The attacker is picking off unencrypted credentials and using those to log in to the secure server
Following a breach, a forensic analyst reviewed system logs and determined that an attacker used an unknown account with elevated privileges on a computer to access organization files. Which of the following MOST likely occurred to allow the attacker to access the files?
The attacker used an active default administrator account to create new accounts with rights to access the files.
An organization plans to transition the intrusion detection and prevention techniques on a critical subnet to an anomaly-based system. Which of the following does the organization need to determine for this to be successful?
The baseline
A security engineer deploys a certificate from a commercial CA to the RADIUS server for use with the EAP-TLS wireless network. Authentication is failing, so the engineer examines the certificate's properties: Issuer: ( A commercial CA) Valid from: (yesterday's date) Valid to : (One year from yesterday's date) Subject: CN=smithco.com Public key: RSA (2048 bits) Enhanced Key Usage: Client authentication (1.3.6.1.5.5.7.3.2) Key Usage: Digital signature, key encipherment (a0) Which of the following is the MOST likely cause of the failure?
The certificate is missing the proper OID
When accessing a popular website, a user receives a warning that the certificate for the website is not valid. Upon investigation, it was noted that the certificate is not revoked and the website is working fine for other users. Which of the following is the MOST likely cause for this?
The certificate was deleted from the local cache
An organization has decided to host its web application and database in the cloud. Which of the following BEST describes the security concerns for this decision?
The cloud vendor is a new attack vector within the supply chain.
A security analyst runs a monthly file integrity check on the main web server. When analyzing the logs, the analyst observed the following entry: File Previous hash Current hash cmd.exe c4ca6a34c5e3a0f98dc03d4f8adf56a3 a24f5a34c5e3a0f98dc03d4f8ac5c0e2 iexplore.exe b9c8e3f24b38c94a7c5f3d9d8d4e7ab3 b9c8e3f24b38c94a7c5f3d9d8d4e7ab3 No OS patches were applied to this server during this period. Considering the log output, which of the following is the BEST
The cmd.exe was updated on the scanned server. An incident ticket should be created.
A systems administrator is receiving multiple alerts from the company NIPS. A review of the NIPS logs shows the following: reset both: 70.32.200.2:3194 --> 10.4.100.4:80 buffer overflow attempt reset both: 70.32.200.2:3230 --> 10.4.100.4:80 directory traversal attack reset client: 70.32.200.2:4019 --> 10.4.100.4:80 Blind SQL injection attack Which of the following should the systems administrator report back to management?
The company web server was attacked by an external source, and the NIPS blocked the attack
Ann, a user, reported to the service desk that many files on her computer will not open or the contents are not readable. The service desk technician asked Ann if she encountered any strange messages on boot-up or login, and Ann indicated that she did not. Which of the following has MOST likely occurred on Ann's computer?
The computer has been infected with crypto-malware
Which of the following job roles would sponsor data quality and data entry initiatives that ensure business and regulatory requirements are met?
The data owner
Which of the following BEST explains the difference between a data owner and a data custodian?
The data owner is responsible for determining how the data will be used, while the data custodian is responsible for implementing the protections on the data
An application developer is working on a new calendar and scheduling application. The developer wants to test new functionality that is time/date dependent and sets the local system time to one year in the future. The application also has a feature that uses SHA-256 hashing and AES encryption for data exchange. The application attempts to connect to a separate remote server using SSL, but the connection fails. Which of the following is the MOST likely cause and next step?
The date is past the certificate expiration, reset the system to the current time and see if the connection still fails.
A staff member contacts the help desk because the staff member's device is currently experiencing the following symptoms: - Long delays when launching applications - Timeout errors when loading some websites - Errors when attempting to open local Word documents and photo files - Pop-up messages in the task bar stating that antivirus is out-of-date - VPN connection that keeps timing out, causing the device to lose connectivity Which of the following BEST describes the root cause of the symptoms?
The device is infected with crypto-malware, and the files on the device are being encrypted
Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server?
The document is a honeyfile and is meant to attract the attention of a cyberintruder
A network administrator is downloading the latest software for the organization's core switch. The downloads page allows users to view the checksum values for the available files. The network administrator sees the following when viewing the checksum values for the TB_16.swi file: Checksum values for the downloaded file: MD5 d50b2b04cfb168eec8 SHA1 6a49065705a43de83dfa9e94 SHA256 7123fb644fbabdda6a73f6e6bc833e2cf12 After downloading the file, the network administrator runs a command that shows the following output: Algorithm Hash Path SHA256 5fdbbfb644fbabdda000006e6bc833e2c968 C:\Users\bsmith\TB_16.swi SHA256 64ccbfbaf4fb96dda6a7373e9bcf62e3c244 C:\Users\bsmith\AA_15.swi SHA1 12fec6aabc9ce87fee654abc C:\Users\bsmith\KB_09.swi MD5 5fdbbfb644fbadda6 C:\Users\bsmith\KA_01.swi Which of the following can be determined from the above output?
The downloaded file has been corrupted or tampered with.
A company's IT department began receiving calls from users reporting that critical customer files were missing from the file server. As more calls came in, technicians realized the files and folders were being deleted. The administrator isolated the file server from the network and noticed files were still being deleted. As the IT department began investigating and remediating, a technician discovered the files were being deleted by a script put in place by an employee who was recently terminated. Which of the following is the MOST likely cause of the incident?
The employee placed a logic bomb on the file server to delete the files
An end user reports a computer has been acting slower than normal for a few weeks. During an investigation, an analyst determines the system is sending the user's email address and a ten-digit number to an IP address once a day. The only recent log entry regarding the user's computer is the following: Time: 06:32:29 UTC Event Description: The file meets the ML algorithm's medium-confidence threshold. Process Blocked: False Operating System: Windows 10 File Name: \Device\HarddiskVolume4\Users\jdoe\AppData\Local\Microsoft\Windows\NetCache\IE\pdftodocx.msi Connection Details: 35.242.219.202:80 Which of the following is the MOST likely cause of the issue?
The end user purchased and installed a PUP from a web browser
A user from the financial aid office is having trouble interacting with the finaid directory on the university's ERP system. The system administrator who took the call ran a command and received the following output: dr-xrwx---11 admin common 4.0K Feb 20 2017 . drw-rwx-w-31 admin common 4.0K Feb 20 2017 . . -rwxr--r -x 1 admin common 295 Jul 23 1997 .Makefile -rwxrwxrwx 1 admin common 69 Dec 4 2017 .makevar.mak -rwxr-x-wx 1 admin common 84K Feb 25 2017 Deploy.carsi.Out -rw--wxrwx 1 admin common 295 Feb 25 1992 Makefile drwx--x---4 admin admiss 4.0K Mar 4 14:31 admissions drwx---r--4 admin common 12K Feb 8 15:43 common drwxrw---x 4 admin develo 4.0K Jan19 16:16 development drwx---r--4 admin common 12K Feb 1 15:23 finaid drwxrwx---4 admin hr 4.0K Feb 27 11:59 hr drwxrwx---4 admin kpi 4.0K Mar 5 01:50 kpi drwx---rwx 4 admin common 4.0K Feb 20 2017 matric drwxrwxrw-2 admin common 4.0K Sep 23 2017 obsolete drwxrwx-w-4 admin studen 20K Jan 15 16:56 student Subsequently, the systems administrator has also confirmed the user is a member of the finaid group on the ERP system. Which of the following is the MOST likely reason for the issue?
The finaid directory is missing an important group assignment
The IT department receives a call one morning about users being unable to access files on the network shared drives. An IT technician investigates and determines the files became encrypted at 12:00 a.m. While the files are being recovered from backups, one of the IT supervisors realizes the day is the birthday of a technician that was fired two months prior. Which of the following describes what most likely occurred?
The fired technician placed a logic bomb
After being alerted to potential anomalous activity related to trivial DNS lookups, a security analyst looks at the following output of implemented firewall rules: Rule # Source Destination Port(s) Protocol Action Hit Count 13 192.168.1.99 10.5.10.254 80, 443, 53 TCP ALLOW 0 27 192.168.1.99 10.5.10.254 5799,5798,5800 TCP ALLOW 9169 99 192.168.1.99 ANY ANY TCP,UDP DENY 10988 What is the issue with the firewall rules?
The firewall policy is misconfigured.
A security analyst receives the following output: Time Action Host File Name User 12/15/2017 Policy: Endpoint USB Transfer - Blocked Host1 Q1- Financials.PDF User1 Which of the following most likely occurred to produce this output?
The host DLP prevented a file from being moved off a computer
A developer wants to use an open source, third-party plug-in. The developer downloads the plug-in from the provider's website and from a mirror site that runs the files through an integrity-checking hash. The output of each file is shown below: fileA: BA411c782AD521740123456789ABCDEF fileB: BA411c782AD521740123456789ABCDEF Which of the following statements BEST summarizes what conclusion the developer can draw from the above results?
The integrity checksum is MD5 and cannot be assumed reliable.
An employee workstation with an IP address of 204.211.38.211/24 reports it is unable to submit print jobs to a network printer at 204.211.38.52/24 after a firewall upgrade. The active firewall rules are as follows: IP Address Protocol Port Number Action 204.211.38.1/24 ALL ALL Permit 204.211.38.211/24 ALL ALL Permit 204.211.38.52/24 UDP 631 Permit 204.211.38.52/24 TCP 25 Deny Which of the following is likely to fix the issue?
The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP
Which of the following BEST explains 'likelihood of occurrence'?
The probability that a threat actor will target and attempt to exploit an organization's systems
After a ransomware attack, a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction?
The public ledger
An email recipient is unable to open a message encrypted through PKI that was sent from another organization. Which of the following does the recipient need to decrypt the message?
The recipient's private key
Ann, a security analyst from a large organization, has been instructed to use another, more effective scanning tool. After installing the tool on her desktop, she started a full vulnerability scan. After running the scan for eight hours, Ann finds that there were no vulnerabilities identified. Which of the following is the MOST likely cause of not receiving any vulnerabilities on the network?
The security analyst's credentials did not allow full administrative rights for the scanning tool
Which of the following explains why a vulnerability scan might return a false positive?
The signature matches the product but not the version information
An organization has the following written policies: Users must request approval for non-standard software installation. Administrators will perform all software installations. Software must be installed from a trusted repository. A recent security audit identified crypto-currency software installed on one user's machine. There are no indications of compromise on this machine. Which of the following is the MOST likely cause of this policy violation and the BEST remediation to prevent a reoccurrence?
The user installed the software on the machine; implement technical controls to enforce the written policies
A user has lost access to all organization resources on a mobile device but can still get to personal email, the internet, and other applications. The organization uses MDM on company devices. The user contacts the service desk for assistance, but there are no other issues reported or outages of company email or mobile applications. Which of the following has MOST likely occurred to cause this issue?
The user rooted the mobile device, which caused the MDM software to disable all company access.
Which of the following may indicate a configuration item has reached end-of-life?
The vendor has not published security patches recently
An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state?
The vendor has not supplied a patch for the appliance
Which of the following is a benefit of credentialed vulnerability scans?
The vulnerability scanner is able to inventory software on the target
A systems administrator has installed a new UTM that is capable of inspecting SSL/TLS traffic for malicious payloads. All inbound network traffic coming from the Internet and terminating on the company's secure web servers must be inspected. Which of the following configurations would BEST support this requirement?
The web servers' CA full certificate chain must be installed on the UTM
An organization uses application whitelisting to help prevent zero-day attacks. Malware was recently identified on one client, which was able to run despite the organization's application whitelisting approach. The forensics team has identified the malicious file, conducted a post-incident analysis, and compared this with the original system baseline. The team sees the following output: filename hash original winSCP.exe 2d da b1 4a 98 fc f1 98 06 b1 e5 26 b2 df e5 5b 3e cb 83 e1 latest winSCP.exe a3 4a c2 4b 85 fa f2 dd 0b ba f4 16 b2 df f2 4b 3f ac 4a e1 Which of the following identifies the flaw in the team's application whitelisting approach?
Their approach uses executable names and not hashes for the whitelist
During a risk assessment, results show that a fire in one of the company's datacenters could cost up to $20 million in equipment damages and lost revenue. As a result, the company insures the datacenter for up to $20 million in damages for the cost of $30,000 a year. Which of the following risk response techniques has the company chosen?
Transference
In which of the following risk management strategies would cybersecurity insurance be used?
Transference
Users from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKIs to work together without connection errors?
Trust model
A technician is designing a solution that will be required to process sensitive information, including classified government data. The system needs to be common criteria certified. Which of the following should the technician select?
Trusted operating system
A systems administrator needs to configure an SSL remote access VPN according to the following organizational guidelines: The VPN must support encryption of header and payload. The VPN must route all traffic through the company's gateway. Which of the following should be configured on the VPN concentrator?
Tunnel mode
After entering a username and password, an administrator must draw a gesture on a touch screen. Which of the following demonstrates what the administrator is providing?
Two-factor authentication
Which of the following is a technical preventive control?
Two-factor authentication
The phones at a business are being replaced with VoIP phones that get plugged in-line between the switch and PC. The voice and data networks still need to be kept separate. Which of the following would allow for this?
VLAN
A systems administrator is increasing the security settings on a virtual host to ensure users on one VM cannot access information from another VM. Which of the following is the administrator protecting against?
VM escape
Which of the following describes the ability of code to target a hypervisor from inside a guest OS?
VM escape
Which of the following should be implemented to stop an attacker from interacting with the hypervisor through another guest?
VM escape protection
A Chief Information Security Officer (CISO) asks the security architect to design a method for contractors to access the company's internal network securely without allowing access to systems beyond the scope of their project. Which of the following methods would BEST fit the needs of the CISO?
VPN
A software developer needs to perform code-execution testing, black-box testing, and non-functional testing on a new product before its general release. Which of the following BEST describes the tasks the developer is conducting?
Validation
An organization uses an antivirus scanner from Company A on its firewall, an email system antivirus scanner from Company B, and an endpoint antivirus scanner from company C. This is an example of:
Vendor diversity
A security administrator begins assessing a network with software that checks the available exploits against a known database, using both credentials and external scripts. A report will be compiled and used to confirm patching levels. This is an example of:
Vulnerability scanning.
A recent penetration test revealed several issues with a public-facing website used by customers. The testers were able to: Enter long lines of code and special characters. Crash the system. Gain unauthorized access to the internal application server. Map the internal network. The development team has stated they will need to rewrite a significant portion of the code used, and it will take more than a year to deliver the finished product. Which of the following would be the BEST solution to introduce in the interim?
WAF
An instructor is teaching a hands-on wireless security class and needs to configure a test access point to show students an attack on a weak protocol. Which of the following configurations should the instructor implement?
WEP
A company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring?
WPA-EAP
A systems administrator wants to configure an enterprise wireless solution that supports authentication over HTTPS and wireless encryption using AES. Which of the following should the administrator configure to support these requirements? (Select TWO)
WPA2, WDS
A systems administrator needs to integrate multiple IoT and small embedded devices into the company's wireless network securely. Which of the following should the administrator implement to ensure low-power and legacy devices can connect to the wireless network?
WPS
A security administrator is investigating a report that a user is receiving suspicious emails. The user's machine had an old functioning modem installed. Which of the following security concerns need to be identified and mitigated? (Select TWO).
War dialing, Spear phishing
Which of the following are considered among the BEST indicators that a received message is a hoax? (Select TWO).
Warnings of monetary loss to the receiver, Claims of possible damage to computer hardware
A developer wants to use a life-cycle model that utilizes a cascade model and has a definite beginning and end to each stage. Which of the following models BEST meets this need?
Waterfall
Which of the following is one of the fundamental differences between the Agile and waterfall development models?
Waterfall development takes place in well-defined linear cycles planned in advance of the entire project
A malicious actor compromises a legitimate website, configuring it to deliver malware to visitors of the website. Which of the following attacks does this describe?
Watering hole
Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?
Watering-hole attack
Confidential corporate data was recently stolen by an attacker who exploited data transport protections. Which of the following vulnerabilities is the MOST likely cause of this data breach?
Weak SSL cipher strength
A Chief Executive Officer (CEO) of an organization receives an email stating the CEO's account may have been compromised. The email further directs the CEO to click on a link to update the account credentials. Which of the following types of attacks has MOST likely occurred?
Whaling
The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company's Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social-engineering techniques is the attacker using?
Whaling
Which of the following types of security testing is the MOST cost-effective approach used to analyze existing code and identify areas that require patching?
White box
Which of the following methods is used by internal security teams to assess the security of internally developed applications?
White box testing
An authorized user is conducting a penetration scan of a system for an organization. The tester has a set of network diagrams, source code, version numbers of applications, and other information about the system, including hostnames and network addresses. Which of the following BEST describes this type of penetration test?
White-box testing
A service provider recently upgraded one of the storage clusters that houses non-confidential data for clients. The storage provider wants the hard drives back in working condition. Which of the following is the BEST method for sanitizing the data given the circumstances?
Wiping
A company utilizes 802.11 for all client connectivity within a facility. Users in one part of the building are reporting they are unable to access company resources when connected to the company SSID. Which of the following should the security administrator use to assess connectivity?
Wireless scanner
A penetration tester is testing passively for vulnerabilities on a company's network. Which of the following tools should the penetration tester use?
Wireshark
An organization has hired a security analyst to perform a penetration test. The analyst captures 1GB worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap?
Wireshark
Which of the following BEST explains why a development environment should have the same database server secure baseline that exists in production even if there is no PII in the database?
Without the same configuration in both development and production, there is no assurance that changes made in development will have the same effect in production
A security analyst has identified malware that is propagating automatically to multiple systems on the network. Which of the following types of malware is most likely impacting the network?
Worm
An engineer is configuring a wireless network using PEAP for the authentication protocol. Which of the following is required?
X.509 certificate on the server
A security engineer is analyzing the following line of JavaScript code that was found in a comment field on a web forum, which was recently involved in a security breach: Given the line of code above, which of the following BEST represents the attack performed during the breach?
XSS
Which of the following BEST describes a security exploit for which a vendor patch is not readily available?
Zero-day
Which of the following terms BEST describes an exploitable vulnerability that exists but has not been publicly disclosed yet?
Zero-day
A critical enterprise component whose loss or destruction would significantly impede business operations or have an outsized impact on corporate revenue is known as:
a mission-essential function
During an OpenVAS scan, it was noted that the RDP port was open. Upon further investigation, the port was verified as being open. This is an example of:
a true positive
A company has a backup site with equipment on site without any data. This is an example of:
a warm site.
The manager who is responsible for a data set has asked a security engineer to apply encryption to the data on a hard disk. The security engineer is an example of a:
data custodian
A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use?
dd
A preventive control differs from a compensating control in that a preventive control is:
designed to specifically mitigate a risk
A company policy regarding the shredding of proprietary documents is MOST likely designed to prevent:
dumpster diving
When a malicious user is able to retrieve sensitive information from RAM, the programmer has failed to implement:
encryption of data in use
The concept of connecting a user account across the systems of multiple enterprises is BEST known as:
federation
Ann, a user, reports she is receiving emails that appear to be from organizations to which she belongs, but the emails contain links to websites that do not belong to those organizations. Which of the following security scenarios does this describe?
A hacker is using Ann's social media information to create a spear phishing attack
A transitive trust:
is automatically established between a parent and a child
Which of the following BEST describes why an air gap is a useful security control?
it physically isolates two or more networks, therefore helping prevent cross contamination or accidental data spillage
A technician suspects that a desktop was compromised with a rootkit. After removing the hard drive from the desktop and running an offline file integrity check, the technician reviews the following output: Based on the above output, which of the following is the malicious file?
kernel.dll
A security administrator is reviewing the following information from a file that was found on a compromised host: cat suspiciousfile.text www.comptia.org\njohn\miloveyou\n$200\nWorking Late\nJohn\nI%20will%20be%20in%20the%20office%20till%206pm%20to% Which of the following types of malware is MOST likely installed on the compromised host?
keylogger
A pass-the-hash attack is commonly used to:
laterally move across the network
Which of the following is a security consideration for IoT devices?
IoT devices have built-in accounts that users rarely access
A company is experiencing an increasing number of systems that are locking up on Windows startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat. @echo off Lasdhbawdhbasdhbawdhb start notepad.exe start notepad.exe start calculator.exe start calculator.exe goto asdhbawdhbasdhbawdhb Given the file contents and the system's access, which of the following types of malware is present?
rootkit
A security analyst is trying to improve the security posture of an organization. The analyst has determined there is a significant risk of pass-the-hash attacks on the desktop computers within the company. Which of the following would help to reduce the risk of this type of attack?
Use salts on the password hashes to prevent offline cracking attempts
Using a one-time code that has been texted to a smartphone is an example of:
something you have
Requiring a user to enter a password as part of a multifactor authentication approach is an example of:
something you know
A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use?
tcpdump
A penetration tester is checking to see if an internal system is vulnerable to an attack using a remote listener. Which of the following commands should the penetration tester use to verify if this vulnerability exists? (Select TWO).
tcpdump, nc
After the integrity of a patch has been verified, but before being deployed to production, it is important to:
test it in a staging environment
When conducting a penetration test, a pivot is used to describe a scenario in which:
the penetration tester uses pass-the-hash to gain access to a server via SMB, and then uses this server to SSH to another server
A system administrator suspects that a MITM attack is underway on the local LAN. Which of the following commands should the administrator use to confirm the hypothesis and determine which workstation is launching the attack?
tracert
A network technician discovered the usernames and passwords used for network device configuration have been compromised by a user with a packet sniffer. Which of the following would secure the credentials from sniffing?
use SSH for remote access.
An organization wants to set up a wireless network in the most secure way. Budget is not a major consideration, and the organization is willing to accept some complexity when clients are connecting. It is also willing to deny wireless connectivity for clients who cannot be connected in the most secure manner. Which of the following would be the MOST secure setup that conforms to the organization's requirements?
use WPA2-Enterprise with RADIUS and disable pre-shared k
A security analyst is responsible for assessing the security posture of a new high-stakes application that is currently in the production environment but has not yet been made available to system users. Which of the following would provide the security analyst with the most comprehensive assessment of the application's ability to withstand unauthorized access attempts?
vulnerability scanning
A systems administrator has isolated an infected system from the network and terminated the malicious process from executing. Which of the following should the administrator do NEXT according to the incident response process?
wipe the system
An organization has established the following account management practices with respect to naming conventions: User accounts must be named firstname.lastname. Privileged user accounts must be named x.firstname.lastname. Service accounts must be named sv.applicationname_environment. There is an application called "Unicycle inventory" running in the development (dev), staging (stg), and production (prod) environments. Mary Smith, the systems administrator, is checking account permissions on the application servers in the development environment. Which of the following accounts should she expect to see? (Select TWO).
x.mary.smith, sv.unicycleinventory_dev