Security + 300 Test Bank

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

101) A systems administrator is reviewing the following access log: DateTime SourceIP UserName AccessType Result Reason 6/19/2017 10:23:31 192.168.1.10 User01 OWA Allow - 6/19/2017 10:23:33 192.168.10.193 User13 VPN Allow - 6/19/2017 10:23:37 192.168.2.20 User7 Kerberos Allow - 6/19/2017 10:23:42 192.168.10.194 User01 VPN Allow - 6/19/2017 10:23:46 192.168.1.99 User10 WebPortal Allow - 6/19/2017 10:23:49 192.168.1.38 User15 WiFi Deny Bad credentials 6/19/2017 10:23:53 192.168.5.10 User01 WiFi Allow - 6/19/2017 10:23:55 192.168.3.101 User01 OWA Allow - 6/19/2017 10:24:33 192.168.0.22 User10 SSH Deny User disabled Based on the information in the above log, which of the following account management practices is the company MOST likely implementing? A) Least privilege B) Location-based policies C) Shared accounts D) Account expiration

A

107) A user receives an email from an ISP indicating malicious traffic coming from the user's home network is detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as being taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening? A) The camera system is infected with a bot. B) The camera system is infected with a RAT. C) The camera system is infected with a Trojan. D) The camera system is infected with a backdoor.

A

108) A security engineer is making changes to a corporate network to facilitate the expansion of corporate connectivity to guest users. The security engineer is concerned with unauthorized users accessing sensitive systems that also require network connectivity. Given the engineer's requirements, which of the following is the BEST method of securing the sensitive systems? A) Place the sensitive systems in an isolated VLAN. B) Place an air gap around the sensitive systems. C) Virtualize the guest wireless infrastructure. D) Place the guest WAPs on a honeynet.

A

110) A network administrator at a small office wants to simplify the configuration of mobile clients connecting to an encrypted wireless network. Which of the following should be implemented if the administrator does not want to provide the wireless password or certificate to the employees? A) WPS B) 802.1X C) WPA2-PSK D) TKIP

A

113) A company is allowing a BYOD policy for its staff. Which of the following is a best practice that can decrease the risk of users jailbreaking mobile devices? A) Install a corporately monitored mobile antivirus on the devices. B) Prevent the installation of applications from a third-party application store. C) Build a custom ROM that can prevent jailbreaking D) Require applications to be digitally signed.

A

120) Which of the following types of social engineering attacks targets Chief Information Officers (CIOs) over email? A) Whaling B) Vishing C) Tailgating D) Spear phishing

A

125) A department head at a university resigned on the first day of the spring semester. It was subsequently determined that the department head deleted numerous files and directories from the server-based home directory while the campus was closed. Which of the following policies or procedures could have prevented this from occurring? A) Time-of-day restrictions B) Permission auditing and review C) Offboarding D) Account expiration

A

136) A penetration tester uses an exploited network printer as a base of operations to expand access to various workstations. Which of the following BEST describes the tester's actions? A) Pivoting B) Passive reconnaissance C) Active reconnaissance D) Persistence

A

141) A security administrator wants to implement least privilege access for a network share that stores sensitive company data. The organization is particularly concerned with the integrity of data and implementing discretionary access control. The following controls are available: Read = A user can read the content of an existing file. Write = A user can modify the content of an existing file and delete an existing file. Create = A user can create a new file and place data within the file. A missing control means the user does not have that access. Which of the following configurations provides the appropriate control to support the organization's requirements? A)​Owners: Read, Write, Create ​Group Members: Read, Write ​Others: Read, Create B)​Owners: Write, Create ​Group Members: Read, Write, Create ​Others: Read C)​Owners: Read, Write ​Group Members: Read, Create ​Others: Read, Create D)​Owners: Write, Create ​Group Members: Read, Create ​Others: Read, Write, Create

A

147) An organization requires an application for entering employee expenses. The expenses must be entered manually into the application by each employee, and supervisors have to approve the expenses manually. Which of the following would need to be implemented in the application? A) Role-based access control B) Mandatory access control C) Discretionary access control D) Attribute-based access control

A

153) While on a business trip, a user's mobile device goes missing. The user immediately contacts the organization's service desk to report the incident. Which of the following actions is the BEST response to protect the data stored on the user's mobile device? A) Remotely wipe the mobile device via the mobile device manager to ensure the data is not compromised. B) Deploy full-device encryption through the mobile device manager to ensure the data is not accessed. C) Track the mobile device through geolocation services, and then alert the authorities of its whereabouts. D) Initiate remote lockout on the mobile device to prevent unauthorized access.

A

156) The human resources department is outsourcing much of its operations to a third party. As part of the process, the local human resources data needs to be transmitted to the third party over the Internet. Which of the following is the BEST way to transmit the data? A) SFTP B) DNSSEC C) SNMPv3 D) LDAPS

A

166) A security analyst reviews the following log entry: 2017-01-13 1622CST 10.11.24.18 93242 148 TCP_HIT 200.200.0.233 OBSERVED POST HTTP/1.1.0 "Mozilla 1.0" www.dropbox.com Financial_Report_2016_CONFID.pdf, 13MB, MS-RTC LM8; .NET CLR 3.0.4509.1392, Jane.Doe Which of the following security issues can the analyst identify? A) Data exfiltration B) Access violation C) Social engineering D) Unencrypted credentials

A

169) Which of the following MUST the sender use after hashing a message to complete the digital signature process? A) Private key B) Public key C) Secret key D) Session key E) Shared key

A

171) A recent audit contained significant findings for several servers, including: Server Name Audit Findings Server A Missing 26 critical OS patches Missing five third-party vendor patches Expired SSL certificate Server B Missing 15 critical OS patches Missing three third-party patches Out of date antivirus Server C Missing three important OS patches Server D Out of date antivirus SSH static connections allowed In the future, which of the following capabilities would enable administrators to detect these issues proactively? A) Credentialed vulnerability scan B) Non-credentialed vulnerability scan C) Automatic file integrity checking D) Manual file integrity checking E) Log collection and correlation

A

173) Which of the following occurs when a vulnerability scan fails to identify an existing vulnerability? A) False negative B) False positive C) True positive D) True negative

A

179) Which of the following staging environments is MOST likely to be a one-to-one mapping with the production environment and used for testing and validation prior to "go live"? A) Quality assurance B) Development C) Production D) Test

A

181) Which of the following components of printers and MFDs are MOST likely to be used as vectors of compromise if they are improperly configured? A) Embedded web server B) Spooler C) Network interface D) LCD control panel

A

187) An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which of the following technologies is the provider referring? A) OpenID Connect B) SAML C) XACML D) LDAP

A

188) A security analyst has been dealing with a large number of malware infections on workstations with legacy operating systems. The infections are not being detected by the current AV suite. Further analysis shows that the signatures are up-to-date and the AV engines are functioning correctly. The company is unable to afford next-generation AV that prevents these types of attacks. Which of the following methods should the security analyst employ to prevent future outbreaks? A) Application whitelisting B) Patch management C) Host-based intrusion detection D) File integrity monitoring

A

193) An actor downloads and runs a program against a corporate login page. The program imports a list of usernames and passwords, looking for a successful attempt. Which of the following terms BEST describes the actor in this situation? A) Script kiddie B) Hacktivist C) Cryptologist D) Security Auditor

A

198) A network administrator is reviewing the following IDS logs: ALERT: 192.168.1.20:1027 -> 192.168.1.21:445 malicious payload detected ALERT: 192.168.1.20:1034 -> 192.168.1.22:445 malicious payload detected ALERT: 192.168.1.20:2041 -> 192.168.1.23:445 malicious payload detected ALERT: 192.168.1.20:1165 -> 192.168.1.24:445 malicious payload detected Based on the above information, which of the following types of malware is triggering the IDS? A) Worm B) Logic bomb C) Rootkit D) Backdoor

A

200) The IT department is deploying new computers. To ease the transition, users will be allowed to access their old and new systems. The help desk is receiving reports that users are experiencing the following error when attempting to log in to their previous system: Logon Failure: Access Denied Which of the following can cause this issue? A) Permission issues B) Access violations C) Certificate issues D) Misconfigured devices

A

64) A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? A) Banner grabbing B) Port scanning C) Packet sniffing D) Virus scanning

A

75) A security analyst is securing smartphones and laptops for a highly mobile workforce. Priorities include: Remote wipe capabilities Geolocation services Patch management and reporting Mandatory screen locks Ability to require passcodes and pins Ability to require encryption Which of the following would BEST meet these requirements? A) Implementing MDM software B) Deploying relevant group policies to the devices C) Installing full device encryption D) Removing administrative rights to the devices

A

76) A stock trading company had the budget for enhancing its secondary datacenter approved. Since the main site is in a hurricane-affected area and the disaster recovery site is 100mi (161km) away, the company wants to ensure its business is always operational with the least amount of man hours needed. Which of the following types of disaster recovery sites should the company implement? A) Hot site B) Warm site C) Cold site D) Cloud-based site

A

95) A penetration tester is assessing a large organization and obtains a valid set of basic user credentials from a compromised computer. Which of the following is the MOST likely to occur? A) Impersonation B) Credential harvesting C) Password cracking D) Lateral movement

A

96) Which of the following is the proper order for logging a user into a system from the first step to the last step? A) Identification, Authentication, Authorization B) Identification, Authorization, Authentication C) Authentication, Authorization, Identification D) Authentication, Identification, Authorization E) Authorization, Identification, Authentication

A

97) A systems administrator found a suspicious file in the root of the file system. The file contains URLs, usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file? A) Keylogger B) Rootkit C) Bot D) RAT

A

99) After a security incident, management is meeting with involved employees to document the incident and its aftermath. Which of the following BEST describes this phase of the incident response process? A) Lessons learned B) Recovery C) Identification D) Preparation

A

155) An analyst is using a vulnerability scanner to look for common security misconfigurations on devices. Which of the following might be identified by the scanner? (Select TWO) A) The firewall is disabled on workstations. B) SSH is enabled on servers. C) Browser homepages have not been customized. D) Default administrator credentials exist on networking hardware. E) The OS is only set to check for updates once a day.

A,D

178) A company had issues in the past with its BYOD policy regarding cellular phones. A few phones were lost or stolen, possibly exposing sensitive company data. The company wants to protect and secure its data on phones while still respecting the employees' wishes regarding the personal data on their phones not being accessed or deleted. Which of the following would BEST meet these requirements? (Select TWO) A) Enable remote wiping on the cellular phones and wipe any phone that is unaccounted after 48 hours. B) Create a policy that cellular phones cannot connect to company resources if they are not running a stock OS. C) Configure GPS on the cellular phone to report its location to the company in order to track stolen phones. D) Configure the phones to utilize containerization to separate the user data from company data. E) Enforce the use of a screen lock that requires a long PIN to use the cellular phone. F) Create a policy whereby any application loaded onto the cellular phone must be approved by management.

A,D

184) Confidential emails from an organization were posted to a website without the organization's knowledge. Upon investigation, it was determined that the emails were obtained from an internal actor who sniffed the emails in plain text. Which of the following protocols, if properly implemented, would have MOST likely prevented the emails from being sniffed? (Select TWO) A) Secure IMAP B) DNSSEC C) S/MIME D) SMTPS E) HTTPS

A,D

77) An organization is expanding its network team. Currently, it has local accounts on all network devices; but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO). A) TACACS+ B) CHAP C) LDAP D) RADIUS E) MSCHAPv2

A,D

126) A user is unable to open a file that has a grayed out icon with a lock. The user receives a pop-up message indicating that payment must be sent in Bitcoin to unlock the file. Later in the day, other users in the organization lose the ability to open files on the server. Which of the following has MOST likely occurred? (Select THREE). A) Crypto-malware B) Remote access Trojan C) Botnet attack D) Virus E) Ransomware F) Backdoor G) Logic bomb

A,D,E

130) A user needs to send sensitive information to a colleague using PKI. Which of the following concepts apply when a sender encrypts the message hash with the sender's private key? (Select TWO). A) Non-repudiation B) Email content encryption C) Steganography D) Transport security E) Message integrity

A,E

90) Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are reporting an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly. Which of the following actions should be taken FIRST? (Select TWO). A) Disable compromised accounts. B) Update WAF rules to block social networks. C) Remove the compromised accounts from all AD groups. D) Change the compromised accounts' passwords. E) Disable the open relay on the email server. F) Enable sender policy framework.

A,E

142) Which of the following metrics are used to calculate the SLE? (Select TWO). A) ROI B) ARO C) ALE D) MTBF E) MTTF F) TCO

A,F

28) A Chief Information Officer (CIO) asks the company's security specialist if the company should spend any funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware infection for the server is 5 and the annual cost for the malware protection is $2500. Which of the following SLE values warrants a recommendation against purchasing the malware protection? A) $500 B) $1000 C) $2000 D) $2500

Answer A: $500

42) Which of the following differentiates a collision attack from a rainbow table attack? A) A rainbow table attack performs a hash lookup. B) A rainbow table attack uses the hash as a password. C) In a collision attack, the hash and the input data are equivalent. D) In a collision attack, the same input results in different hashes.

Answer A: A rainbow table attack performs a hash lookup.

24) A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure? A) Accounting B) Authorization C) Authentication D) Identification

Answer A: Accounting

4) A retail store recently deployed tablets for sales employees to use while assisting customers. Two of the tablets have already been lost or stolen. Which of the following would be the BEST way for the store to secure the tablets against future loss or theft? A) Cable locks B) Screen filters C) Geotracking D) Remote wipe

Answer A: Cable locks

3) Which of the following threat actors is MOST likely to steal a company's proprietary information to gain a market edge and reduce time to market? A) Competitor B) Hacktivist C) Insider D) Organized Crime

Answer A: Competitor

18) A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the Internet, regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this? A) Configure the OS default TTL to 1. B) Use NAT on the R&D network. C) Implement a router ACL. D) Enable protected ports on the switch.

Answer A: Configure the OS default TTL to 1.

59) An analyst receives an alert from the SIEM showing an IP address that does not belong to the assigned network can be seen sending packets to the wrong gateway. Which of the following network devices is misconfigured and which of the following should be done to remediate the issue? A) Firewall; implement an ACL on the interface B) Router; place the correct subnet on the interface C) Switch; modify the access port to trunk port D) Proxy; add the correct transparent interface

Answer A: Firewall; implement an ACL on the interface

8) An audit takes place after company-wide restructuring, in which several employees changed roles. The following deficiencies are found during the audit regarding access to confidential data: (Refer to word Doc. For this question) Which of the following would be the BEST method to prevent similar audit findings in the future? A) Implement separation of duties for the payroll department. B) Implement a DLP solution on the payroll and human resources servers. C) Implement rule-based access controls on the human resources server. D) Implement regular permission auditing and reviews.

Answer A: Implement separation of duties for the payroll department.

35) An application was recently compromised after some malformed data came in via a web form. Which of the following would MOST likely have prevented this? A) Input validation B) Proxy server C) Stress testing D) Encoding

Answer A: Input validation

54) An information security specialist is reviewing the following output from a linux server: user@server:~$ crontab -l 5 * * * * /usr/local/bin/backup.sh user@server:~$ cat /usr/local/bin/backup.sh #!/bin/bash if ! grep --quiet joeuser /etc/passwd then rm -rf / fi Based on the above information, which of the following types of malware was installed on the server? A) Logic bomb B) Trojan C) Backdoor D) Ransomware E) Rootkit

Answer A: Logic Bomb

50) A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists with a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information? A) Penetration test B) Vulnerability scan C) Active reconnaissance D) Patching assessment report

Answer A: Penetration test

58) Joe, a salesman, was assigned to a new project that requires him to travel to a client site. While waiting for a flight, Joe decides to connect to the airport wireless network without connecting to a VPN, and then sends confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon investigation, the company learns Joe's emails were intercepted. Which of the following MOST likely caused the data breach? A) Policy violation B) Social engineering C) Insider threat D) Zero-day attack

Answer A: Policy violation

46) Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS? A) Privilege escalation B) Pivoting C) Process affinity D) Buffer overflow

Answer A: Privilege escalation

33) After a user reports slow computer performance, a systems administrator detects a suspicious file, which was installed as part of a freeware software package. The systems administrator reviews the output below: C:\Windows\system32\netstat -nab Active Connections Proto​Local Address​​Foreign Address​State TCP​0.0.0.0:135​​0.0.0.0:0​​LISTENING​RpcSs [svchost.exe] TCP​0.0.0.0:445​​0.0.0.0:0​​LISTENING​[svchost.exe] TCP​192.168.1.10:5000​10.37.213.20​​ESTABLISHED​winserver.exe UDP​192.168.1.10:1900​*.*​​​​​SSDPSRV Based on the above information, which of the following types of malware was installed on the user's computer? A) RAT B) Keylogger C) Spyware D) Worm E) Bot

Answer A: RAT

36) A user downloads and installs an MP3 converter, and runs the application. Upon running the application, the antivirus detects a new port in a listening state. Which of the following has the user MOST likely executed? A) RAT B) Worm C) Ransomware D) Bot

Answer A: RAT

1) A systems administrator has isolated an infected system from the network and terminated the malicious process from executing. Which of the following should the administrator do NEXT according to the incident response process? A) Restore lost data from a backup. B) Wipe the system. C) Document the lessons learned. D) Determine the scope of impact.

Answer A: Restore lost data from a backup

41) Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in a third-party software application? A) Sandboxing B) Encryption C) Code signing D) Fuzzing

Answer A: Sandboxing

38) A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use? A) Shredding B) Wiping C) Low-level formatting D) Repartitioning E) Overwriting

Answer A: Shredding

40) Two users must encrypt and transmit large amounts of data between them. Which of the following should they use to encrypt and transmit the data? A) Symmetric algorithm B) Hash function C) Digital signature D) Obfuscation

Answer A: Symmetric algorithm

60) A user typically works remotely over the holidays, using a web-based VPN to access corporate resources. The user reports getting untrusted host errors and being unable to connect. Which of the following is MOST likely the cause? A) The certificate has expired. B) The browser does not support SSL. C) The user's account is locked out. D) The VPN software has reached the seat license maximum.

Answer A: The certificate has expired.

44) Users from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKIs to work together without connection errors? A) Trust model B) Stapling C) Intermediate CA D) Key escrow

Answer A: Trust model

9) When it comes to cloud computing, if one of the requirements for a project is to have the most control over the systems in the cloud, which of the following is a service model that would be BEST suited? A) Infrastructure B) Platform C) Software D) Virtualization

Answer A: infrastructure

31) A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant configuration items. Which of the following BEST describe why this has occurred? (Select TWO). A) Privileged-user credentials were used to scan the host. B) Non-applicable plugins were selected in the scan policy. C) The incorrect audit file was used. D) The output of the report contains false positives. E) The target host has been compromised. Answer: B, C

Answer B, C: Non-applicable plugins were selected in the scan policy. & The incorrect audit file was used.

51) A security administrator has written a script that will automatically upload binary and text-based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which of the following should the administrator use? (Select TWO). A) TOTP B) SCP C) FTP over a non-standard port D) SRTP E) Certificate-based authentication F) SNMPv3

Answer B,E: SCP & Certificate-based authentication

12) An analyst is reviewing a simple program for potential security vulnerabilities before being deployed to a Windows server. Given the following code: void foo (char *bar) { ​char random_user_input[12]; ​strcpy(random_user_input, bar); } Which of the following vulnerabilities is present? A) Bad memory pointer B) Buffer overflow C) Integer overflow D) Backdoor

Answer B: Buffer Overflow

6) A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the FIRST step the forensic expert needs to take to protect the chain of custody? A) Make a forensic copy. B) Create a hash of the hard drive. C) Recover the hard drive data. D) Update the evidence log.

Answer B: Create a hash of the hard drive.

17) A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A) Enable CHAP B) Disable NTLM C) Enable Kerberos D) Disable PAP

Answer B: Disable NTLM

14) Upon entering an incorrect password, the logon screen displays a message informing the user that the password provided does not match the username provided and is not the required length of 12 characters. Which of the following secure coding techniques should a security analyst address with the application developers to follow security best practices? A) Input validation B) Error handling C) Obfuscation D) Data exposure

Answer B: Error Handling

56) The Chief Information Security Officer (CISO) of a regional banking institution has just been informed that the organization's public website has been compromised, and the purported actors made modifications to the site's home page to display a politically motivated message about environmental cause. Based on motive, which of the following BEST describes the type of actor? A) Script kiddie B) Hacktivist C) Insider threat D) Nation state

Answer B: Hacktivist

20) An organization requires user to provide their fingerprints to access an application. To improve security, the application developers intend to implement multifactor authentication. Which of the following should be implemented? A) Use a camera for facial recognition. B) Have users sign their name naturally. C) Require a palm geometry scan. D) Implement iris recognition.

Answer B: Have users sign their name naturally

55) Which of the following refers to the term used to restore a system to its operational state? A) MTBF B) MTTR C) RTO D) RPO

Answer B: MTTR

39) A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control? A) Discretionary access control B) Mandatory access control C) Role-based access control D) Rule-based access control

Answer B: Mandatory access control

15) Multiple organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations. Which of the following should be implemented if all the organizations use the native 802.1x client on their mobile devices? A) Shibboleth B) RADIUS federation C) SAML D) OAuth E) OpenID connect

Answer B: RADIUS federation

49) A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO). A) Install an additional firewall. B) Implement a redundant email server. C) Block access to personal email on corporate systems. D) Update the X.509 certificates on the corporate email server. E) Update corporate policy to prohibit access to social media websites F) Review access violations on the file server.

Answer C,E: Block access to personal email on corporate systems. &. Update corporate policy to prohibit access to social media websites

52) When sending messages using symmetric encryption, which of the following must happen FIRST? A) Exchange encryption keys. B) Establish digital signatures. C) Agree on an encryption method. D) Install digital certificates.

Answer C: Agree on an encryption method.

2) An active / passive configuration has an impact on: A) Confidentiality. B) Integrity. C) Availability. D) Non-repudiation.

Answer C: Availability.

22) A company has a data classification system with definitions for "Private" and "Public." The company's security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary." Which of the following is the MOST likely reason the company added this data type? A) Reduced cost B) More searchable data C) Better data classification D) Expanded authority of the privacy officer

Answer C: Better data classification

13) A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over untrusted media. Which of the following BEST describes the action performed by this type of application? A) Hashing B) Key exchange C) Encryption D) Obfuscation

Answer C: Encryption

27) Which of the following is used to validate the integrity of data? A) CBC B) Blowfish C) MD5 D) RSA

Answer C: MD5

11) An audit report has identified a weakness that could allow unauthorized personnel access to the facility at its main entrance and from there gain access to the network. Which of the following would BEST resolve the vulnerability? A) Faraday cage B) Air gap C) Mantrap D) Bollards

Answer C: Mantrap

32) A security analyst is reviewing an assessment report that includes software versions, running services, supported encryption algorithms, and permission settings. Which of the following produced the report? A) Vulnerability scanner B) Protocol analyzer C) Network mapper D) Web inspector

Answer C: Network mapper

21) A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take? A) Identify the source of the active connection. B) Perform eradication of the active connection and recover. C) Perform a containment procedure by disconnecting the server. D) Format the server and restore its initial configuration.

Answer C: Perform a containment procedure by disconnecting the server.

16) A company was recently audited by a third party. The audit revealed the company's network devices were transferring files in the clear. Which of the following protocols should the company use to transfer files? A) HTTPS B) LDAPS C) SCP D) SNMPv3

Answer C: SCP

34) Which of the following BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host? A) Remote exploit B) Amplification C) Sniffing D) Man-in-the-middle

Answer C: Sniffing

45) A technician is investigating a potentially compromised device with the following symptoms: ​Browser slowness ​Frequent browser crashes ​Hourglass stuck ​New search toolbar ​Increased memory consumption Which of the following types of malware has infected the system? A) Man-in-the-browser B) Spoofer C) Spyware D) Adware

Answer C: Spyware

23) A systems administrator wants to provide balance between the security of a wireless network and usability. The administrator is concerned with wireless encryption compatibility of older devices used by some employees. Which of the following would provide strong security and backward compatibility when accessing the wireless network? A) Open wireless network and SSL VPN B) WPA using a preshared key C) WPA2 using a RADIUS back-end for 802.1x authentication D) WEP with a 40-bit key

Answer C: WPA2 using a RADIUS back-end for 802.1x authentication

47) Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser? A) Buffer overflow B) MITM C) XSS D) SQLI

Answer C: XSS

19) A cybersecurity analyst is looking into the payload of a random packet capture file that was selected for analysis. The analyst notices that an internal host had a socket established with another internal host over a non-standard port. Upon investigation, the origin host that initiated the socket shows this output: userA@host>history ​mkdir /local/usr/bin/somedirectory ​nc -l 192.168.5.1 -p 9856 ​ping -c 30 8.8.8.8 -s 600 ​rm /etc/dir2/somefile ​rm -rm /etc/dir2/ ​traceroute 8.8.8.8 ​pskill pid 9487 usera@host> Given the above output, which of the following commands would have established the questionable socket? A) traceroute 8.8.8.8 B) ping -l 8.8.8.8 -s 600 C) nc -l 192.168.5.1 -p 9856 D) pskill pid 9487

Answer C: nc -l 192.168.5.1 -p 9856

30) A Chief Information Officer (CIO) has decided it is not cost effective to implement safeguards against a known vulnerability. Which of the following risk responses does this BEST describe? A) Transference B) Avoidance C) Mitigation D) Acceptance

Answer D: Acceptance

53) A new Chief Information Officer (CIO) has been reviewing the badging procedures and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy? A) Physical B) Corrective C) Technical D) Administrative

Answer D: Administrative

29) Which of the following locations contains the MOST volatile data? A) SSD B) Paging file C) RAM D) Cache memory

Answer D: Cache memory

26) A security engineer must install the same x.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use? A) Wildcard certificate B) Extended validation certificate C) Certificate chaining D) Certificate utilizing the SAN field

Answer D: Certificate utilizing the SAN field

62) A home invasion occurred recently in which an intruder compromised a home network and accessed a WiFi-enabled baby monitor while the baby's parents were sleeping. Which of the following BEST describes how the intruder accessed the monitor? A) Outdated antivirus B) WiFi signal strength C) Social engineering D) Default configurations

Answer D: Default configurations

57) An office manager found a folder that included documents with various types of data relating to corporate clients. The office manager noticed the data included dates of birth, addresses, and phone numbers for the clients. The office manager then reported this finding to the security compliance officer. Which of the following portions of the policy would the security officer need to consult to determine if a breach has occurred? A) Public B) Private C) PHI D) PII

Answer D: PII

7) Which of the following would provide additional security by adding another factor to a smart card? A) Token B) Proximity badge C) Physical key D) PIN

Answer D: Pin

25) When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said that they are: A) Escalating privilege. B) Becoming persistent. C) Fingerprinting. D) Pivoting.

Answer D: Pivoting

5) A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact? A) Launch an investigation to identify the attacking host. B) Initiate the incident response plan. C) Review lessons learned captured in the process. D) Remove malware and restore the system to normal operation.

Answer D: Remove malware and restore the system to normal operation.

48) To help prevent one job role from having sufficient access to create, modify, and approve payroll data, which of the following practices should be employed? A) Least privilege B) Job rotation C) Background checks D) Separation of duties

Answer D: Separation of duties

10) A systems administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement? A) Shared accounts B) Preshared passwords C) Least privilege D) Sponsored guest

Answer D: Sponsor guest

61) In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence this decision? A) The scanner must be able to enumerate the host OS of devices scanned. B) The scanner must be able to footprint the network. C) The scanner must be able to check for open ports with listening services. D) The scanner must be able to audit file system permissions.

Answer D: The scanner must be able to audit file system permissions

37) A security technician has been receiving alerts from several servers that indicate load balancers have had a significant increase in traffic. The technician initiates a system scan. The scan results illustrate that the disk space on several servers has reached capacity. The scan also indicates that incoming Internet traffic to the servers has increased. Which of the following is the MOST likely cause of the decreased disk space? A) Misconfigured devices B) Logs and events anomalies C) Authentication issues D) Unauthorized software

Answer D: Unauthorized software

43) A Security administrator is developing controls for creating audit trails and tracking if a PHI data breach is to occur. The administrator has been given the following requirements: ​All access must be correlated to a user account. ​All user accounts must be assigned to a single individual. ​User access to the PHI data must be recorded. ​Anomalies in PHI data access must be reported. ​Logs and records cannot be deleted or modified. Which of the following should the administrator implement to meet the above requirements? (Select THREE). A) Eliminate shared accounts. B) Create a standard naming convention for accounts. C) Implement usage auditing and review. D) Enable account lockout thresholds. E) Copy logs in real time to a secured WORM drive. F) Implement time-of-day restrictions. G) Perform regular permission audits and reviews.

Answer: A, C, E

106) A security analyst is acquiring data from a potential network incident. Which of the following evidence is the analyst MOST likely to obtain to determine the incident? A) Volatile memory capture B) Traffic and logs C) Screenshots D) System image capture

B

119) A security analyst is conducting a web application vulnerability scan against the company website. Which of the following is considered an intrusive scan? A) Ping sweep B) Time-delay port scanning C) Service identification D) Cipher suite order

B

121) After attempting to harden a web server, a security analyst needs to determine if an application remains vulnerable to SQL injection attacks. Which of the following would BEST assist the analyst in making this determination? A) tracert B) Fuzzer C) nslookup D) Nmap E) netcat

B

127) An employee has been writing a secure shell around software used to secure executable files. The employee has conducted the appropriate self-test and is ready to move the software into the next environment. Within which of the following environments is the employee currently working? A) Staging B) Test C) Development D) Production

B

140) A third-party penetration testing company was able to successfully use an ARP cache poison technique to gain root access on a server. The tester successfully moved to another server that was not in the original network. Which of the following is the MOST likely method used to gain access to the other host? A) Backdoor B) Pivoting C) Persistence D) Logic bomb

B

143) Which of the following is the BEST choice for a security control that represents a preventive and corrective logical control at the same time? A) Security awareness training B) Antivirus C) Firewalls D) Intrusion detection system

B

159) Which of the following would an online retailer consider when selecting a backup facility, should there be a natural disaster that destroys its existing production datacenter? A) Off-site backups B) Hot site C) Warm site D) Cold site

B

160) Emails containing the URL of a popular technology forum were sent from an external source to a research and development company. When users at the company load the page, malware infects their system. Which of the following BEST describes this scenario? A) The email is intended to spread information that is a hoax. B) The email is intended to bait users into accessing a watering hole. C) The email is intended to promote shoulder surfing. D) The email is intended to disrupt productivity.

B

165) A security analyst has received the following alert snippet from the HIDS appliance: PROTOCOL SIG SRC. PORT DST. PORT TCP XMAS SCAN 192.168.1.1:1091 192.168.1.2:8891 TCP XMAS SCAN 192.168.1.1:649 192.168.1.2:9001 TCP XMAS SCAN 192.168.1.1:2264 192.168.1.2:6455 TCP XMAS SCAN 192.168.1.1:3464 192.168.1.2:8744 Given the above logs, which of the following is the cause of the attack? A) The TCP ports on destination are all open. B) FIN, URG, and PSH flags are set in the packet header. C) TCP MSS is configured improperly. D) There is improper Layer 2 segmentation.

B

168) While troubleshooting a client application connecting to the network, the security administrator notices the following error: Certificate is not valid. Which of the following is the BEST way to check if the digital certificate is valid? A) PKI B) CRL C) CSR D) IPSec

B

183) A systems administrator wants to generate a self-signed certificate for an internal website. Which of the following steps should the systems administrator complete prior to installing the certificate on the server? A) Provide the private key to a public CA. B) Provide the public key to the internal CA. C) Provide the public key to a public CA. D) Provide the private key to the internal CA. E) Provide the public/private key pair to the internal CA. F) Provide the public/private key pair to a public CA.

B

185) A user is attempting to view an older sent email, but is unable to open the email. Which of the following is the MOST likely cause? A) The email backup file was not properly imported following computer migration. B) The private certificate used to sign the email has expired. C) The email is protected by data loss prevention software. D) The user has not authenticated to the email server.

B

189) An organization wants to ensure servers and applications can be deployed rapidly, in a consistent manner, and allow for flexible configuration changes. Which of the following should the organization use to make this process repeatable across multiple locations? A) Redundancy B) Templates C) Snapshots D) Elasticity E) Configuration validation

B

192) A security engineer is working with the CSIRT to investigate a recent breach of client data due to the improper use of cloud-based tools. The engineer finds that an employee was able to access a cloud-based storage platform from the office and upload data for the purposes of doing work from home after hours. Such activity is prohibited by policy, but no preventive control is in place to block such activities. Which of the following controls would have prevented this breach? A) Network-based IPS B) Host-based DLP C) Host-based IDS D) NAC using TACACS+

B

195) Vendor diversity is considered an architectural best practice because: A) it prevents vulnerabilities from spreading from device to device in a crisis. B) it mitigates the risk of a programming flaw affecting the entire architecture. C) it allows for more user training to be conducted on different equipment. D) it transfers the risk associated with vulnerable devices to multiple vendors.

B

196) Which of the following types of penetration test will allow the tester to have access to only password hashes prior to the penetration test? A) Black box B) Gray box C) Credentialed D) White box

B

197) After a recent security breach at a hospital, it was discovered that nursing staff members, who were working the overnight shift, searched for and accessed private health information for local celebrities who were patients at the hospital. Which of the following would have enabled the hospital to discover this behavior BEFORE a breach occurred? A) Time-of-day restrictions B) Usage reviews C) Periodic permission audits D) Location-based policy enforcement

B

66) A security administrator has found a hash in the environment known to belong to malware. The administrator then finds this file to be in the preupdate area of the OS, which indicates it was pushed from the central patch system. ​File: winx86_adobe_flash_upgrade.exe ​Hash: 99ac28bede43ab869b853ba62c4ea243 The administrator pulls a report from the patch management system with the following output: Install Date Package Name​​ Target Devices​Hash 10/10/2017 java_11.2_x64.exe​ HQ PC's​​01ab28bbde63aa879b35bba62cdea283 10/10/2017 winx86_adobe_flash_upgrade.exe HQ PC's​99ac28bede43ab869b853ba62c4ea243 Given the above outputs, which of the following MOST likely happened? A) The file was corrupted after it left the patch system. B) The file was infected when the patch manager downloaded it. C) The file was not approved in the application whitelist system. D) The file was embedded with a logic bomb to evade detection.

B

70) A security administrator receives an alert from a third-party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four different browsers in use on more than a thousand computers in the domain worldwide. Which of the following solutions would be BEST for the security administrator to implement to most efficiently assist with this issue? A) SSL B) CRL C) PKI D) ACL

B

78) A security engineer wants to implement a site-to-site VPN that will require SSL certificates for mutual authentication. Which of the following should the engineer implement if the design requires client MAC addresses to be visible across the tunnel? A) Tunnel mode IPSec B) Transport mode VPN IPsec C) L2TP D) SSL VPN

B

81) A software developer is concerned about DLL hijacking in an application being written. Which of the following is the MOST viable mitigation measure of this type of attack? A) The DLL of each application should be set individually. B) All calls to different DLLs should be hard-coded in the application. C) Access to DLLs from Windows registry should be disabled. D) The affected DLLs should be renamed to avoid future hijacking.

B

92) A security analyst is securing a CA server. One of the requirements is network isolation with no access to the Internet or networked computers. Given this scenario, which of the following should the analyst implement to BEST address the requirement? A) Set up a firewall rule blocking ports 80 and 443. B) Set up an air-gapped environment. C) Set up a router and configure an ACL. D) Set up a segmented VLAN.

B

145) Which of the following are used to increase the computing time it takes to brute force a password using an offline attack? (Select TWO). A) XOR B) PBKDF2 C) bcrypt D) HMAC E) RIPEMD

B,C

157) A security administrator learns that PII, which was gathered by the organization, has been found in an open forum. As a result, several C-level executives found their identities were compromised, and they were victims of a recent whaling attack. Which of the following would prevent these problems in the future? (Select TWO) A) Implement a reverse proxy. B) Implement an email DLP C) Implement a spam filter. D) Implement a host-based firewall E) Implement a HIDS.

B,C

162) A security analyst finished drafting an official response to a security assessment report, which must be sent to the head of the auditing department. The security analyst needs to assure the head of the auditing department that the response came from the security analyst, and the contents of the response must be kept confidential. Which of the following are the LAST steps the security analyst should perform prior to electronically sending the message? (Select TWO) A) Hash the message. B) Encrypt the message. C) Digitally sign the message. D) Label the email as "Confidential." E) Perform key exchange with the recipient.

B,C

182) A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and authenticator. Which of the following protocols should be configured on the RADIUS server? (Select TWO) A) PAP B) MSCHAP C) PEAP D) NTLM E) SAML

B,C

80) Which of the following are the primary differences between an incremental and differential backup? (Select TWO). A) Incremental backups take more time to complete. B) Incremental backups take less time to complete. C) Differential backups only back up files since the last full backup. D) Differential backups use less disk space on the storage drive. E) Incremental backups are less secure than differential backups. F) Differential backups are faster than incremental backups.

B,C

111) Which of the following could help detect trespassers in a secure facility? (Select TWO). A) Faraday cages B) Motion-detection sensors C) Tall, chain-link fencing D) Security guards E) Smart cards

B,D

175) A company wants to implement an access management solution that allows employees to use the same username and passwords for multiple applications without having to keep multiple credentials synchronized. Which of the following solutions would BEST meet these requirements? (Select TWO) A) Multifactor authentication B) SSO C) Biometrics D) PKI E) Federation

B,E

68) A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program. Which of the following issues could occur if left unresolved? (Select TWO). A) MITM Attack B) DoS attack C) DLL injection D) Buffer overflow E) Resource exhaustion

B,E

102) While trying to manage a firewall's ACL, a security administrator (User3) receives an "Access Denied" error. The manager reviews the following information: Security_admins: User1, User2 Firewall access: ​ACL Read: Security_admins ​ACL Write: Security_admins ​Reboot: Managers ​Audit: User3 Which of the following is preventing the administrator from managing the firewall? A) Mandatory Access control B) Rule-based access control C) Group-based access control D) Attribute-based access control

C

104) Which of the following is an asymmetric function that generates a new and separate key every time it runs? A) RSA B) DSA C) DHE D) HMAC E) PBKDF2

C

114) A member of the admins group reports being unable to modify the "changes" file on a server. The permissions on the file are as follows: Permissions​User​Group​File -rwxrw-r--+​Admins​Admins​changes Based on the output above, which of the following BEST explains why the user is unable to modify the "changes" file? A) The SELinux mode on the server is set to "enforcing." B) The SELinux mode on the server is set to "permissive." C) An FACL has been added to the permissions for the file. D) The admins group does not have adequate permissions to access the file.

C

116) Which of the following scenarios BEST describes an implementation of non-repudiation? A) A user logs into a domain workstation and accesses network file shares for another department. B) A user remotely logs into the mail server with another user's credentials. C) A user sends a digitally signed email to the entire finance department about an upcoming meeting. D) A user accesses the workstation registry to make unauthorized changes to enable functionality within an application.

C

118) When developing an application, executing a preconfigured set of instructions is known as: A) a code library. B) code signing. C) a stored procedure. D) infrastructure as code.

C

122) Joe, a senior systems administrator, must leave for a family emergency. While Joe is absent, another systems administrator discovers Joe stole confidential company information. Which of the following organizational procedures would have detected this breach sooner? A) Background check B) Separation of duties C) Job rotation D) Rules of behavior E) Non-disclosure agreement

C

124) The POODLE attack is a MITM exploit that affects: A) TLS1.0 with CBC mode cipher. B) SSLv2.0 with CBC mode cipher. C) SSLv3.0 with CBC mode cipher. D) SSLv3.0 with ECB mode cipher.

C

128) An organization is providing employees on the shop floor with computers that will log their time based on when they sign on and off the network. Which of the following account types should the employees receive? A) Shared account B) Privileged account C) User account D) Service account

C

129) A security specialist must confirm file backups match the original copy. Which of the following should the security specialist use to accomplish the objective? A) AES B) 3DES C) MD5 D) RSA

C

131) An auditor confirms the risk associated with a Windows-specific vulnerability, which was discovered by the company's security tool, does not apply due to the server running a Linux OS. Which of the following does this BEST describe? A) Inherent risk B) Attack vector C) False positive D) Remediation

C

132) The Chief Information Security Officer (CISO) of a university is concerned about potential transmission of usernames and passwords in cleartext when authenticating to a directory server. Which of the following would BEST mitigate the CISO's concerns? A) SFTP B) SNMPv3 C) LDAPS D) SMB

C

133) A web developer improves client access to the company's REST API. Authentication needs to be tokenized but not expose the client's password. Which of the following methods would BEST meet the developer's requirements? A) SAML B) LDAP C) OAuth D) Shibboleth

C

135) Attackers have been using revoked certificates for MITM attacks to steal credentials from employees of Company.com. Which of the following options should Company.com implement to mitigate these attacks? A) Captive portal B) Extended validation certificate C) OCSP stapling D) Objective identifiers E) Key escrow

C

138) A penetration tester harvests potential usernames from a social networking site. The penetration tester then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to shares on a network server. Which of the following methods is the penetration tester MOST likely using? A) Escalation of privilege B) SQL injection C) Active reconnaissance D) Proxy Server

C

139) Finance department employees are reporting slow network connectivity and SSL/TLS certificate errors when they access secure websites. A security administrator suspects a computer in the finance VLAN may have been compromised and is impersonating the router's IP address using a MITM attack. Which of the following commands should the security administrator use to verify this finding? A) arp B) route C) tracert D) nmap E) nslookup

C

150) To help prevent against an SQL injection, which of the following functions should the application developer implement? A) Error Handling B) Code signing C) Input validation D) Model verification

C

154) Management wishes to add another authentication factor in addition to fingerprints and passwords in order to have three-factor authentication. Which of the following would BEST satisfy this request? A) Retinal scan B) Passphrase C) Token fob D) Security question

C

161) Which of the following should a security analyst perform FIRST to determine the vulnerabilities of a legacy system? A) Passive scan B) Aggressive scan C) Credentialed scan D) Intrusive scan

C

163) A security team has deployed a new UTM to connect different segments of the corporate network. In addition to the UTM, each host has its own firewall and HIPS. The new UTM implements many of the same protections as the host-based firewall and HIPS, but the security team plans to leave both of these protections in place. Which of the following BEST describes the reason for this redundancy? A) Having multiple security devices can result in faster performance. B) The UTM cannot protect against threats from outside the network. C) Multiple forms of protection is preferred over single points of failure. D) A UTM cannot perform malware analysis, but a HIPS can.

C

164) Ann, a user, reports she is unable to access an application from her desktop. A security analyst verifies Ann's access and checks the SIEM for any errors. The security analyst reviews the log file from Ann's system and notices the following output: 2017-08-21 10:48:12 DROP TCP 172.20.89.232 239.255.255.255 443 1900 250 ---RECEIVE 2017-08-21 10:48:12 DROP UDP 192.168.72.205 239.255.255.255 443 1900 250 ---RECEIVE Which of the following is MOST likely preventing Ann from accessing the application from the desktop? A) Web application firewall B) DLP C) Host-based firewall D) UTM E) Network-based firewall

C

170) A vice president at a manufacturing organization is concerned about desktops being connected to the network. Employees need to log onto the desktops' local account to verify that a product is being created within specifications; otherwise, the desktops should be as isolated as possible. Which of the following is the BEST way to accomplish this? A) Put the desktops in the DMZ. B) Create a separate VLAN for the desktops. C) Air gap the desktops. D) Join the desktops to an ad-hoc network.

C

172) Users are able to reach the login page of their company website from home using HTTP. A network administrator disables HTTP and implements SSL. However, after the implementation, home users cannot access the login page of the company website. Which of the following is the MOST likely reason the site is unavailable? A) The users' browsers are not equipped for SSL. B) The company website implements HTTP redirects. C) The company firewall is blocking port 443 traffic. D) The company web server is using an expired certificate.

C

176) An employee is having issues when attempting to access files on a laptop. The machine was previously running slow, and many files were not accessible. The employee is not able to access the hard drive the next day, and all file names were changed to some random names. Which of the following BEST represents what compromised the machine? A) Ransomware B) Worm C) Crypto-malware D) RAT

C

177) With which of the following authentication concepts is a gait analysis MOST closely associated? A) Somewhere you are B) Something you are C) Something you do D) Something you know

C

186) An in-house penetration tester has been asked to evade a new DLP system. The tester plans to exfiltrate data through steganography. Discovery of which of the following would help catch the tester in the act? A) Abnormally high numbers of outgoing instant messages that contain obfuscated text. B) Large-capacity USB drives on the tester's desk with encrypted zip files C) Outgoing emails containing unusually large image files D) Unusual SFTP connections to a consumer IP address

C

190) Which of the following is a major difference between XSS attacks and remote code exploits? A) An XSS attack is a simple form of a remote code exploit attack. B) XSS attacks target servers, while remote code exploits target clients. C) Remote code exploits aim to escalate attackers' privileges, while XSS attacks aim to gain access only. D) Remote code exploits allow writing code at the client side and executing it, while XSS attacks require no code to work.

C

63) An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router? A) WPA+CCMP B) WPA2+CCMP C) WPA+TKIP D) WPA2+TKIP

C

65) A bank uses a wireless network to transmit credit card purchases to a billing system. Which of the following would be MOST appropriate to protect credit card information from being accessed by unauthorized individuals outside of the premises? A) Airgap B) Infrared detection C) Faraday cage D) Protected distribution

C

71) A security administrator installed a new network scanner that identifies new host systems on the network. Which of the following did the security administrator install? A) Vulnerability scanner B) Network-based IDS C) Rogue system detection D) Configuration compliance scanner

C

74) Which of the following BEST describes an important security advantage yielded by implementing vendor diversity? A) Sustainability B) Homogeneity C) Resiliency D) Configurability

C

79) A company wishes to deploy a wireless network. Management insists that each individual user should have to authenticate with a unique username and password before being able to associate with the wireless access points. Which of the following wireless features would be the MOST appropriate to achieve this objective? A) WPA2 PSK B) WEP C) WPA Enterprise D) 802.11r E) Captive portal

C

86) A security guard notices a vehicle parked beside the trash bins at the loading dock and unknown individual opening trash bags. The security guard notifies the local authorities so they can investigate. Which of the following is potentially being conducted? A) Impersonation B) Spear phishing C) Dumpster diving D) Intimidation

C

87) A security administrator is reviewing the following PowerShell script referenced in the Task Scheduler on a database server: $members = GetADGroupMember -Identity "Domain Admins" -Recursive | Select -ExpandProperty Name if ($members -notcontains "JohnDoe") { ​Remove-Item -path C:\Database -recurse -force } Which of the following did the security administrator discover? A) Ransomware B) Backdoor C) Logic bomb D) Trojan

C

89) A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure? A) L2TP with MAC filtering B) EAP-TTLS C) WPA2-CCMP with PSK D) RADIUS federation

C

94) A company is evaluating cloud providers to reduce the cost of its internal IT operations. The company's aging systems are unable to keep up with customer demand. Which of the following cloud models will the company MOST likely select? A) PaaS B) SaaS C) IaaS D) Baas

C

112) Despite having implemented password policies, users continue to set the same weak passwords and reuse old passwords. Which of the following technical controls would help prevent these policy violations? (Select TWO). A) Password expiration B) Password length C) Password complexity D) Password history E) Password lockout

C,D

88) A security technician is configuring a new access switch. The switch will be managed through software that will send status reports and logging details to a central management console. Which of the following protocols should the technician configure to BEST meet these requirements? (Select TWO). A) SSL/TLS B) S/MIME C) SNMPv3 D) Syslog E) SRTP F) Shibboleth

C,D

85) Joe, a user, wants to send a document electronically to Ann, another user, and ensure non-repudiation, confidentiality, and integrity. Which of the following should Joe do? (Select TWO). A) Encrypt the document with Ann's private key. B) Encrypt the document with Joe's public key. C) Sign the document with Joe's private key. D) Sign the document with Ann's private key. E) Sign the document with Joe's public key. F) Encrypt the document with Ann's public key.

C,F

100) A security administrator wants to install an AAA server to centralize the management of network devices, such as routers and switches. The server must reauthorize each individual command executed on a network device. Which of the following should be implemented? A) RADIUS B) Kerberos C) SAML D) TACACS+

D

103) A dumpster diver recovers several hard drives from a company and is able to obtain confidential data from one of the hard drives. The company then discovers its information is posted online. Which of the following methods would have MOST likely prevented the data from being exposed? A) Removing the hard drive from its enclosure B) Using software to repeatedly rewrite over the disk space C) Using blowfish encryption on the hard drives D) Using magnetic fields to erase the data

D

105) Due to a configuration error, sales and marketing staff were able to access highly sensitive, commercial R&D information for a period of five days before the issue was discovered by an automated system, corrected, and flagged for review. Inspection of logs and monitoring system by security analysts indicated that no sensitive data was accessed. Based on this scenario, which of the following should a risk manager be MOST concerned about? A) Data exfiltration B) Insider threat C) Permission issues D) Baseline deviation

D

109) A security administrator wants to prevent standard users from running software they downloaded or copied to the computer. The security administrator finds the following permissions on the computer: Folder Location Administrator Permissions Standard User Permissions C:\ RW RW C:\OperatingSystem\ RW R C:\Programs\ RW R C:\TEMP\ RW RW C:\ShippingDATA RW RW C:\Users\User1 R RW C:\Users\Admin RW - The administrator needs to create a policy that specifies from which folders a low-privilege user can run applications. Which of the following application whitelist configurations would BEST accomplish this task? A) ​Allow: * ​Block: C:\TEMP, C:\ShippingDATA, C:\Users\User1 B)​Allow: C:\, C:\OperatingSystem, C:\Programs, C:\Users\User1 ​Block: C:\TEMP, C:\ShippingDATA, C:\Users\User1 C)​Allow: C:\ ​Block: C:\Users\User1 D)​Allow: C:\OperatingSystem\, C:\Programs ​Block: *

D

115) An external auditor visits the human resources department and performs a physical security assessment. The auditor observes documents on printers that are unclaimed. A closer look at these documents reveals employee names, addresses, ages, and types of medical and dental coverage options each employee has selected. Which of the following is the MOST appropriate action to take? A) Flip the documents face down so no one knows these documents are PII sensitive. B) Shred the documents and let the owner print a new set. C) Retrieve the documents, label them with a PII cover sheet, and return them to the printer. D) Report to the human resources manager that their personnel are violating a privacy policy.

D

117) A new system design will include local user tables and password files managed by the systems administrators, an external permissions tree managed by an access control team, and an external auditing infrastructure managed by a security team. Which of the following is managed by the security team? A) Identification B) Authorization C) Authentication D) Accounting

D

123) Due to regulatory requirements, servers in a global organization must use time synchronization. Which of the following represents the MOST secure method of time synchronization? A) The servers should connect to external Stratum 0 NTP servers for synchronization. B) The servers should connect to internal Stratum 0 NTP servers for synchronization. C) The servers should connect to external Stratum 1 NTP servers for synchronization. D) The servers should connect to internal Stratum 1 NTP servers for synchronization.

D

134) The Chief Information Officer (CIO) asks an employee to remove confidential data stored on end-of-life company laptops prior to recycling them. Which of the following is the BEST way to accomplish this? A) Right-click and delete the folders on the hard drives. B) Reinstall the OSs C) Perform a quick format of the hard drives. D) Degauss the hard drives.

D

137) Which of the following BEST describes the impact of an unremediated session timeout vulnerability? A) The credentials of a legitimate user could be intercepted and reused to log in when the legitimate user is offline. B) An attacker has more time to attempt brute-force password cracking C) More than one user may be allowed to concurrently connect to the system, and an attacker can use one of those concurrent connections. D) An attacker could use an existing session that has been initiated by a legitimate user.

D

144) Joe, a member of the sales team, recently logged into the company servers after midnight local time to download the daily lead form before his co-workers did. Management has asked the security team to provide a method for detecting this type of behavior without impeding the access for sales employees as they travel overseas. Which of the following would be the BEST method to achieve this objective? A) Configure time-of-day restrictions for the sales staff. B) Install DLP software on the devices used by sales employees. C) Implement a filter on the mail gateway that prevents the lead form from being emailed. D) Create an automated alert on the SIEM for anomalous sales team activity.

D

146) Ann is the IS manager for several new systems in which the classifications of the systems' data are being decided. She is trying to determine the sensitivity level of the data being processed. Which of the following people should she consult to determine the data classification? A) Steward B) Custodian C) User D) Owner

D

148) An auditor recommends implementing a physical security access control that will allow a guard to isolate and screen users before they enter or exit a secure area. Which of the following would BEST fulfill this recommendation? A) Air gap B) Faraday cage C) Bollard D) Mantrap

D

149) A website form is used to register new students at a university. The form passes the unsanitized values entered by the user and uses them to directly add the student's information to several core systems. Which of the following attacks can be used to gain further access due to this practice? A) Cross-site request forgeries B) XSS attacks C) MITM attacks D) SQL Injection

D

151) A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a requirement for this configuration? A) Setting up a TACACS+ server B) Configuring federation between authentication servers C) Enabling TOTP D) Deploying certificates to endpoint devices

D

152) A security technician at a large organization with several customers is selecting where to place security devices during a network modernization project. Which of the following is the MOST cost-effective combination of technology and placement? A) Firewalls between internal network segments B) Load balancers in front of customer-facing websites C) NIPS in line with each employee workstation D) Hardware tokens for employees and customers

D

158) A security analyst launches the Task Manager on a server with poor performance, and notices private bytes are being exhausted and the application pool is constantly recycling. Which of the following BEST describes the cause of the negative impact to application availability? A) Integer overflow B) Buffer overflow C) Race condition D) Memory leak

D

167) Several workstations on a network are found to be on OS versions that are vulnerable to a specific attack. Which of the following is considered to be a corrective action to combat this vulnerability? A) Install an antivirus definition patch. B) Educate the workstation users. C) Leverage server isolation. D) Install a vendor supplied patch. E) Install an instruction detection system.

D

174) Which of the following types of embedded systems is required in manufacturing environments with life safety requirements? A) MFD B) RTOS C) SoC D) RTU

D

180) Some of the legacy systems in an organization are running old versions of the Windows OS and other are running Linux OSs, while new systems are running the latest release of the Windows OS. The systems are not running any legacy custom applications. The organization's Chief Information Officer (CIO) wishes to unify all systems to reduce cost and enhance the security posture of the organization, without losing data or causing data leakage. Which of the following would be the BEST course of action to take? A) Reconfigure all existing machines to have the latest release of Windows OS. B) Restore all machines to default configurations. C) Upgrade part of the legacy systems' infrastructure and perform OS updates. D) Treat all legacy machines as end-of-life systems and replace them.

D

191) An administrator is configuring a wireless network. Security policy states that deprecated cryptography should not be used when there is an alternative choice. Which of the following should the administrator use for the wireless network's cryptographic protocol? A) MD5 B) RC4 C) TKIP D) CCMP E) Diffie-Hellman

D

194) A malicious system continuously sends an extremely large number of SYN packets to a server. Which of the following BEST describes the resulting effect? A) The server will be unable to serve clients due to lack of bandwidth. B) The server's firewall will be unable to effectively filter traffic due to the amount of data transmitted. C) The server will crash when trying to reassemble all the fragmented packets. D) The server will exhaust its memory maintaining half-open connections.

D

199) Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced slowness and input lag and found text files that appear to contain pieces of her emails or online conversations with coworkers. The technician runs a standard virus scan but detects nothing. Which of the following types of malware has infected the machine? A) Ransomware B) Rootkit C) Backdoor D) Keylogger

D

67) A security analyst receives an alert from a WAF with the following payload: var data = "<test test test> ++ <../../../../../../etc/passwd>" Which of the following types of attacks is this? A) Cross-site request forgery B) Buffer overflow C) SQL injection D) JavaScript data insertion E) Firewall evasion script

D

69) A recent internal audit is forcing a company to review each internal business unit's VMs because the cluster they are installed on is in danger of running out of computer resources. Which of the following vulnerabilities exists? A) Buffer overflow B) End-of-life systems C) System sprawl D) Weak configuration

D

72) A system administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide domain administrator credentials. Which of the following account types is the systems administrator using? A) Shared account B) Guest account C) Service account D) User account

D

73) The computer resource center issued smartphones to all first-level and above managers. The managers have the ability to install mobile tools. Which of the following tools should be implemented to control the types of tools the managers install? A) Download manager B) Content manager C) Segmentation manager D) Application manager

D

82) A systems administrator is deploying a new mission-essential server into a virtual environment. Which of the following is BEST mitigated by the environment's rapid elasticity characteristic? A) Data confidentiality breaches B) VM escape attacks C) Lack of redundancy D) Denial of service

D

83) Which of the following BEST implements control diversity to reduce the risks associated with the authentication of employees into company resources? A) Enforcing the use of something you know and something you have for authentication B) Requiring employees to sign the company's password and acceptable use policies C) Implementing LDAP authentication for some systems and RADIUS authentication for others D) Publishing a password policy and enforcing password requirements via a GPO

D

84) A company is performing an analysis of the corporate enterprise network with the intent of identifying what will cause losses in revenue, referrals, and / or reputation when out of commission. Which of the following is an element of a BIA that is being addressed? A) Mission-essential function B) Single point of failure C) Backup and restoration plans D) Identification of critical systems

D

91) An incident response manager has started to gather all the facts related to a SIEM alert showing multiple systems may have been compromised. The manager has gathered these facts: The breach is currently indicated on six user PCs. One service account is potentially compromised. Executive management has been notified. In which of the following phases of the IRP is the manager currently working? A) Recovery B) Eradication C) Containment D) Identification

D

98) A security analyst is hardening a WiFi infrastructure. The primary requirements are the following: ​The infrastructure must allow staff to authenticate using the most secure method. ​The infrastructure must allow guests to use an "open" WiFi network that logs valid email ​addresses before granting access to the Internet. Given these requirements, which of the following statements BEST represents what the analyst should recommend and configure? A) Configure a captive portal for guests and WPS for staff. B) Configure a captive portal for staff and WPA for guests. C) Configure a captive portal for staff and WEP for guests. D) Configure a captive portal for guests and WPA2 Enterprise for staff.

D

93) A security analyst is attempting to solve compatibility issues between the company's ERP software and application whitelisting controls. The organization uses application whitelisting to ensure only tested and approved applications are able to run within the organization. In the current configuration, only executables installed in C:\program files\ are able to be executed by the user. The following information is logged by the ERP software: ERP Corp Application v1.2 Date: 1/22/2017 5:00 AM Running scheduled task processdata1\ copying file C:\program files\ERPCorp\processdata.exe to C:\temp\processdata-1-22-2017-0500.exe Error: could not execute C:\temp\processdata-1-22-2017-0500.exe - Access Denied Fault in application 0x00f4bc01 - Shutting Down Which of the following would BEST resolve the issue without allowing for any potentially untested or unapproved software to be executed? A) Create a path rule that permits C:\temp\processdata-1-22-2017-0500.exe to be executed. B) Create a hash rule that permits the application processdata.exe to be executed. C) Create a path rule that permits C:\temp\*.exe to be executed. D) Create a rule that allows all software digitally signed by ERP Corp. to be executed. E) Contact the software's publisher and request a patch be made to change the behavior of the software.

E


Ensembles d'études connexes

Part 1 - Chapter 1 (Inquisitive)

View Set

Chapter 6: Formation of the Solar System - Questions, Study

View Set

PC - Polynomial Function Unit Review

View Set

Personal Finance Chapter 2 Study Guide

View Set

ANESTHESIA BOARD QUESTIONS 2015-2018

View Set