Security+ Updated Exam Questions 401-500

A systems administrator has isolated an infected system from the network and terminated the malicious process from executing. Which of the following should the administrator do NEXT according to the incident response process? A. Restore lost data from a backup B. Wipe the system C. Document the lessons learned D. Determine the scope of impact

A. Restore lost data from a backup

Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in a third-party software application? A. Sandboxing B. Encryption C. Code signing D. Fuzzing

A. Sandboxing

Ann, a customer, is reporting that several important files are missing from her workstation. She recently received communication from an unknown party who is requesting funds to restore the files. Which of the following attacks has occurred? A. Ransomware B. Keylogger C. Buffer overflow D. Rootkit

A. Ransomware

While working on an incident, Joe, a technician, finished restoring the OS and applications on a workstation from the original media. Joe is about to begin copying the user's files back onto the hard drive. Which of the following incident response steps is Joe working on now? A. Recovery B. Eradication C. Containment D. Identification

A. Recovery

A recent internal audit is forcing a company to review each internal business unit's VMs because the cluster they are installed on is in danger of running out of computer resources. Which of the following vulnerabilities exist? A. Buffer overflow B. End-of-life systems C. System sprawl D. Weak configuration

C. System sprawl

Systems administrator and key support staff come together to simulate a hypothetical interruption of service. The team updates the disaster recovery processes and documentation after meeting. Which of the following describes the teams efforts? A. Business impact analysis B. Continuity of operation C. Tabletop exercise D. Order of restoration

C. Tabletop exercise

To help prevent one job role from having sufficient access to create, modify, and approve payroll data, which of the following practices should be employed? A. Least privilege B. Job rotation C. Background checks D. Separation of duties

D. Separation of duties

A security analyst is reviewing patches on servers. One of the servers is reporting the following error message in the WSUS management console: The computer has not reported status in 30 days. Given this scenario, which of the following statements BEST represents the issue with the output above? A. The computer in question has not pulled the latest ACL policies for the firewall. B. The computer in question has not pulled the latest GPO policies from the management server. C. The computer in question has not pulled the latest antivirus definitions from the antivirus program. D. The computer in question has not pulled the latest application software updates.

D. The computer in question has not pulled the latest application software updates.

When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said that they are: A. escalating privilege B. becoming persistent C. fingerprinting D. pivoting

D. pivoting

A Chief Information Officer (CIO) asks the company's security specialist if the company should spend any funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware infection for a server is 5 and the annual cost for the malware protection is $2500. Which of the following SLE values warrants a recommendation against purchasing the malware protection? A. $500 B. $1000 C. $2000 D. $2500

A. $500 SLE Single loss expectancy is the cost of any single loss. If a threat would cause the complete destruction of an asset, such as a stolen laptop, the SLE is simply the asset value. If a threat would merely damage an asset, such as a flood doing costly damage to a facility but leaving it repairable, the SLE is the asset value multiplied by an exposure factor representing an estimated damage percentage ARO Annual rate of occurrence is how many times you expect a given type of loss to occur a year. It doesn't need to be an integer: if your company has ten laptops stolen in the average year, the ARO is 10. If your warehouse by the river floods about every 20 years, the ARO is 0.05. ALE Annual loss expectancy is the cost per year you can expect from the threat, or the SLE × ARO. In the previous examples, 10 stolen $2500 laptops a year comes out to an ALE of $25,000, while $1,000,000 in flood damage every 20 years produces an ALE of $50,000.

A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure? A. Accounting B. Authorization C. Authentication D. Identification

A. Accounting

A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? A. Banner grabbing B. Port scanning C. Packet sniffing D. Virus scanning

A. Banner grabbing Banner Grabbing - Using routine communications with a host to gain information about its running services and open ports.

A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the internet regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this? A. Configure the OS default TTL to 1 B. Use NAT on the R&D network C. Implement a router ACL D. Enable protected ports on the switch

A. Configure the OS default TTL to 1

A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take? A. Identify the source of the active connection B. Perform eradication of active connection and recover. C. Performance containment procedure by disconnecting the server. D. Format the server and restore its initial configuration.

A. Identify the source of the active connection

A security analyst is securing smartphones and laptops for a highly mobile workforce. Priorities include: Remote wipe capabilities Geolocation services Patch management and reporting Ability to require passcodes and pins Ability to require encryption Which of the following would BEST meet these requirements? A. Implementing MDM software B. Deploying relevant group policies to the devices. C. Installing full device encryption. D. Removing administrative rights to the devices.

A. Implementing MDM software

When it comes to cloud computing, if one of the requirements for a project is to have the most control over the systems in the cloud, which of the following is a service model that would be BEST suited for this goal? A. Infrastructure B. Platform C. Software D. Virtualization

A. Infrastructure

An application was recently compromised after some malformed data came in via web form. Which of the following would MOST likely have prevented this? A. Input validation B. Proxy server C. Stress testing D. Encoding

A. Input validation Insecure web applications will attempt to process whatever input data they receive, whether it's what they expect or not. Carefully malformed data can be used to perform injection attacks or buffer overflows, enabling and attacker to compromise a whole application just by filling a field out improperly. Secure applications validate all input they receive before processing it, and reject anything unexpected.

A systems administrator found a suspicious file in the root of the file system. The file contains URLs, usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file? A. Keylogger B. Rootkit C. Bot D. RAT

A. Keylogger

A company is performing an analysis of the corporate enterprise network with the intent of identifying what will cause losses in revenue, referrals, and/or reputation when out of commission. Which of the following is an element of a BIA that is being addressed? A. Mission-essential function B. Single point of failure C. Backup and restoration plans D. Identification of critical systems

A. Mission-essential functions Explanation: Business Impact Analysis The BIA is composed of the following three steps: Determine mission/business processes and recovery criticality. Mission/business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime.

A systems administrator wants to provide balance between the security of a wireless network and usability. The administrator is concerned with wireless encryption compatibility of older devices used by some employees. Which of the following would provide strong security and backward compatibility when accessing the wireless network? A. Open wireless network and SSL VPN B. WPA using a preshared key C. WPA2 using a RADIUS back-end for 802.1x authentication. D. WEP with a 40-bit key.

A. Open wireless network and SSL VPN

A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists with a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information? A. Penetration test B. Vulnerability scan C. Active reconnaissance D. Patching assessment report

A. Penetration test

Joe, a salesman, was assigned to anew project that requires him to travel to a client site. While waiting for a flight, Joe, decides to connect to the airport wireless network without connecting to a VPN, and then sends confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon investigation, the company learns Joe's emails were intercepted. Which of the following MOST likely caused the data breach? A. Policy violation B. Social engineering C. Insider threat D. Zero-day attack

A. Policy violation

An organization plans to implement multifactor authentication techniques within the enterprise network architecture. Each authentication factor is expected to be a unique control. Which of the following BEST describes the proper employment of multifactor authentication? A. Proximity card, fingerprint scanner, PIN B. Fingerprint scanner, voice recognition, proximity card. C. Smart card, user PKI certificate, privileged user certificate. D. Voice recognition, smart card, proximity card.

A. Proximity card, fingerprint scanner, PIN

A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use? A. Shredding B. Wiping C. Low-level formatting D. Repartitioning E. Overwriting

A. Shredding

Two users must encrypt and transmit large amounts of data between them. Which of the following should they use to encrypt and transmit the data? A. Symmetric algorithm B. Hash function C. Digital signature D. Obfuscation

A. Symmetric algorithm

An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO) A. TACACS+ B. CHAP C. LDAP D. RADIUS E. MSCHAPv2

A. TACACS+ D. RADIUS

A user typically works remotely over the holidays using a web-based VPN to access corporate resources. The user reports getting untrusted host errors and being unable to connect. Which of the following is MOST likely the case? A. The certificate has expired. B. The browser does not support SSL C. The user's account is locked out. D. The VPN software has reached the seat license maximum.

A. The certificate has expired.

A security analyst is reviewing an assessment report that includes software versions, running services, supported encryption algorithms, and permission settings. Which of the following produced the report? A. Vulnerability scanner B. Protocol analyzer C. Network mapper D. Web inspector

A. Vulnerability scanner

An analyst is using a vulnerability scanner to look for common security misconfigurations on devices. Which of the following might be identified by the scanner? (Select TWO). A. The firewall is disabled on workstations. B. SSH is enabled on servers. C. Browser homepages have not been customized D. Default administrator credentials exist on networking hardware. E. The OS is only set to check for updates once a day.

A. The firewall is disabled on workstations. B. SSH is enabled on servers.

User from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKI's to work together without connection errors? A. Trust model B. Stapling C. Intermediate CA D. Key escrow

A. Trust model

Upon entering an incorrect password, the logon screen displays a message informing the user that the password does not match the username provided and is not the required length of 12 characters. Which of the following secure coding techniques should a security analyst address with the application developers to follow security best practices? A. Input Validation B. Error handling C. Obfuscation D. Data exposure

B. Error handling

A software developer is concerned about DLL hijacking in an application being written. Which of the following is the MOST viable mitigation measure of this type of attack? A. The DLL of each application should be set individually. B. All calls to different DLLs should be hard-coded in the application. C. Access to DLLs from the Windows registry should be disabled. D. The affected DLLs should be renamed to avoid future hijacking.

B. All calls to different DLLs should be hard-coded in the application.

Joe, a user, has been trying to send Ann, a different user, an encrypted document via email. Ann has not received the attachment but is able to receive the header information. Which of the following is MOST likely preventing Ann from receiving the encrypted file? A. Unencrypted credentials B. Authentication issues C. Weak cipher suite D. Permission issues

B. Authentication issues

While troubleshooting a client application connecting to the network, the security administrator notices the following error: Certificate is not valid. Which of the following is the BEST way to check if the digital certificate is valid? A. PKI B. CRL C. CSR D. IPSec

B. CRL

A security analyst is mitigating a pass-the-hash on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A. Enable CHAP B. Disable NTLM C. Enable Kerberos D. Disable PAP

B. Disable NTLM

A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program. Which of the following issue could occur if left unresolved? (Select TWO) A. MITM attack B. DoS attack C. DLL injection D. Buffer overflow E. Resource exhaustion

B. DoS attack E. Resource exhaustion

Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources? A. Attestation B. Federation C. Single sign-on D. Kerberos

B. Federation

Which of the following types of penetration test will allow the tester to have access only to password hashes prior to the penetration test? A. Black box B. Gray box C. Credentialed D. White box

B. Gray box

Every morning, a systems administrator monitors failed login attempts on the company's log management server. The administrator notices the DBAdmin account has five failed username and/or password alerts during a ten-minute window. The systems administrator determines the user account is a dummy account used to attract attackers. Which of the following techniques should the systems administrator implement? A. Role-based access control B. Honeypot C. Rule-based access control D. Password cracker

B. Honeypot

Which of the following threats has sufficient knowledge to cause the MOST danger to an organization? A. Competitors B. Insiders C. Hacktivists D. Script kiddies

B. Insiders

Which of the following refers to the term used to restore a system to its operational state? A. MTBF B. MTTR C. RTO D. RPO

B. MTTR Mean Time To Recovery

A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control? A. Discretionary access control B. Mandatory access control C. Role-based access control D. Rule-based access control

B. Mandatory access control

A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed? A. Aggressive scan B. Passive scan C. Non-credentialed scan D. Compliance scan

B. Passive scan Explanation: Passive scanning is a method of vulnerability detection that relies on information gleaned from network data that is captured from a target computer without direct interaction. Packet sniffing applications can be used for passive scanning to reveal information such as operating system, known protocols running on non-standard ports and active network applications with known bugs.

When attempting to secure a mobile workstation, which of the following authentication technologies rely on the user's physical characteristics? (Select TWO) A. MAC address table B. Retina scan C. Fingerprint scan D. Two-factor authentication E. CAPTCHA F. Password string

B. Retina scan C. Fingerprint scan

An analyst receives an alert from the SIEM showing an IP address that does not belong to the assigned network can be seen sending packets to the wrong gateway. Which of the following network devices is misconfigured and which of the following should be done to remediate the issue? A. Firewall; implement an ACL on the interface B. Router; place the correct subnet on the interface. C. Switch; modify the access port to trunk port D. Proxy; add the correct transparent interface.

B. Router; place the correct subnet on the interface.

Which of the following is a deployment concept that can be used to ensure only the required OS access is exposed to software applications? A. Staging environment B. Sandboxing C. Secure baseline D. Trusted OS

B. Sandboxing

An organization's employees use three different sets of credentials to access multiple internal resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal? A. Transitive trust B. Single Sign-on C. Federation D. Secure Token

B. Single Sign-on

An external attacker can modify the ARP cache of an internal computer. Which of the following types of attacks is described? A. Replay B. Spoofing C. DNS poisoning D. Client-side attack

B. Spoofing

A security analyst is acquiring data from a potential network incident. Which of the following evidence is the analyst MOST likely to obtain to determine the incident? A. Volatile memory capture B. Traffic and logs C. Screenshots D. System image capture

B. Traffic and logs

A company has two wireless networks utilizing captive portals. Some employees report getting a trust error in their browsers when connecting to one of the networks. Both captive portals are using the same server certificate for authentication, but the analyst notices the following differences between the two certificate details: Certificate 1 Certificate Path: Geotrust Global CA *company.com Certificate 2 Certificate Path: *company.com Which of the following would resolve the problem? A. Use a wildcard certificate B. Use certificate chaining C. Use a trust model D. Use an extended validation certificate

B. Use certificate chaining

An active/passive configuration has an impact on: A. Confidentiality B. Integrity C. Availability D. Non-repudiation

C. Availability

A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the systems administrator using? A. Local account B. Guest account C. Service account D. User account

C. Service account

A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO) A. Install an additional firewall B. Implement a redundant email server C. Block access to personal email on corporate systems. D. Update the X.509 certificates on the corporate email server. E. Update corporate policy to prohibit access to social media websites. F. Review access violation on the file server.

C. Block access to personal email on corporate systems. E. Update corporate policy to prohibit access to social media websites.

A security administrator has written a script that will automatically upload binary and text-based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which of the following should the administrator use? (Select TWO) A. TOPT B. SCP C. FTP over a non-standard port D. SRTP E. Certificate-based authentication F. SNMPv3

C. FTP over a non-standard port E. Certificate-based authentication

A security administrator is reviewing the following PowerShell script referenced in the Task Scheduler on a database server: $members = GetADGroupMember-Identity "Domain Admins" -Recursive | Select - ExpandProperty name if($members -notcontains "JohnDoe"){ Remove-Item -path C:\Database -recurse -force } Which of the following did the security administrator discover? A. Ransomeware B. Backdoor C. Logic bomb D. Trojan

C. Logic bomb

Which of the following is used to validate the integrity of data? A. CBC B. Blowfish C. MD5 D. RSA

C. MD5

An audit report has identified a weakness that could allow unauthorized personnel access to the facility at its entrance and from there gain access to the network. Which of the following would BEST resolve the vulnerability? A. Faraday B. Air gap C. Mantrap D. Bollards

C. Mantrap

A security administrator is trying to eradicate a worm, which is spreading throughout the organization, using an old remote vulnerability in the SMB protocol. The worm uses NMAP to identify target hosts within the company. The administrator wants to implement a solution that will eradicate the current worm and any future attacks that may be using zero-day vulnerabilities. Which of the following would BEST meet the requirements when implemented? A. Host-based firewall B. Enterprise patch management system C. Network-based intrusion prevention system D. Application blacklisting E. File integrity checking

C. Network-based intrusion prevention system

A procedure differs from a policy in that it: A. Is a high-level statement regarding the company's position on a topic. B. Sets a minimum expected baseline of behavior. C. Provides step-by-step instructions for performing a task. D. Describes adverse actions when violations occur.

C. Provides step-by-step instructions for performing a task.

Which of the following uses precomputed hashes to guess passwords? A. IP tables B. NAT tables C. Rainbow tables D. ARP tables

C. Rainbow tables

A security administrator installed a new network scanner that identifies new host systems on the network. Which of the following did the security administrator install? A. Vulnerability scanner B. Network-based IDS C. Rogue system detection D. Configuration compliance scanner

C. Rogue system detection

The help desk received a call after hours from an employee who was attempting to log into the payroll server remotely. When the help desk returned the call the next morning, the employee was able to log into the server remotely without incident. However, the incident occurred again the next evening. Which of the following BEST describes the cause of the issue? A. The password expired on the account and needed to be reset. B. The employee does not have the rights needed to access the database remotely. C. Time-of-day restrictions prevented the account from logging in. D. The employee's account was locked out and needed to be unlocked.

C. Time-of-day restrictions prevented the account from logging in.

Which of the following is the BEST reason to run an untested application in a sandbox> A. To allow the application to take full advantage of the host system's resources and storage. B. To utilize the host systems antivirus and firewall applications instead of running its own protection. C. To prevent the application from acquiring escalated privileges and accessing its host system. D. To increase application processing speed so the host system can perform real-time logging.

C. To prevent the application from acquiring escalated privileges and accessing its host system.

A security engineer must install the same x.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use? A. Wildcard B. Extended validation certificate C. Certificate chaining D. Certificate utilizing the SAN file

D. Certificate utilizing the SAN file Explanation: SAN = Subject Alternative Names

A Chief Information Officer (CIO) has decided it is not cost effective to implement safeguards against a known vulnerability. Which of the following risk responses does this BEST describe? A. Transference B. Avoidance C. Mitigation D. Acceptance

D. Acceptance

A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy? A. Physical B. Corrective C. Technical D. Administrative

D. Administrative

A technician is investigating a potentially compromised device with the following symptoms: Browser slowness Frequent browser crashes Hourglass stuck New search toolbar Increased memory consumption Which of the following types of malware has infected the system? A. Man-in-the-browser B. Spoofer C. Spyware D. Adware

D. Adware

Which of the following locations contain the MOST volatile data? A. SSD B. Paging file C. RAM D. Cache memory

D. Cache memory

A stock trading company had the budget for enhancing its secondary datacenter approved. Since the main site is a hurricane-affected area and the disaster recovery site is 100 mi (161 km) away, the company wants to ensure its business is always operational with the least amount of man hours needed. Which of the following types of disaster recovery sites should the company implement? A. Hot site B. Warm site C. Cold site D. Cloud-based site

D. Cloud-based site

A security analyst is hardening a WiFi intrastructure. The primary requirements are the following: The infrastructure must allow staff to authenticate using the most secure method. The infrastructure must allow guests to use an "open" WiFi network that logs valid email addresses before granting access to the internet? Given these requirements, which of the following statements BEST represents what the analyst should recommend and configure? A. Configure a captive portal for guests and WPS for staff. B. Configure a captive portal for staff and WPA for guests. C. Configure a captive portal for staff and WEP for guests. D. Configure a captive portal for guests and WPA2 Enterprise for staff.

D. Configure a captive portal for guests and WPA2 Enterprise for staff.

A home invasion occurred recently in which an intruder compromised a home network and accessed a Wifi-enabled baby monitor while the baby's parents were sleeping. Which of the following BEST describes how the intruder accessed the monitor? A. Outdated antivirus B. WiFi signal strength C. Social engineering D. Default configuration

D. Default configuration

An incident response manager has started to gather all the facts related to a SIEM alet showing multiple systems may have been compromised. The manager has gathered these facts: The breach is currently indicated on six user PC's. One service account is potentially compromised. Executive management has been notified. In which of the following phases of the IRP is the manager currently working? A. Recovery B. Eradication C. Containment D. Identification

D. Identification

A new security administrator ran a vulnerability scanner for the first time and caused a system outage. Which of the following types of scans MOST likely caused the outage? A. Non-intrusive credentialed scan B. Non-intrusive non-credentialed scan C. Intrusive credentialed scan D. Intrusive non-credentialed scan

D. Intrusive non-credentialed scan

A technician is configuring a load balancer for the application team to accelerate the network performance of their applications. The applications are hosted on multiple servers and must be redundant. Given this scenario, which of the following would be the BEST method of configuring the load balancer? A. Round-robin B. Weighted C. Least connection D. Locality-based

D. Locality-based

A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over untrusted media. Which of the following BEST describes the action performed by this type of application? A. Hashing B. Key exchange C. Encryption D. Obfuscation

D. Obfuscation Cryptographic obfuscation: Protects the code of a program itself from those who would try to reverse engineer it, without changing its functions. Unlike storage or memory encryption, obfuscation affects the source code of the program itself. Obfuscation of some sort or another is often used by malware trying to hide itself from scanners, but the concept also has value in solving many other problems in software security. Cryptographically secure obfuscation that will work for all programs has been mathematically proven to be impossible, but there are ongoing advancements in obfuscation that's strong enough to give meaningful protection in at least some cases.

Which of the following would provide additional security by adding another factor to a smart card? A. Token B. Proximity badge C. Physical key D. PIN

D. PIN

A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure? A. L2TP with MAC filtering B. EAP-TTLS C. WPA2-CCMP with PSK D. RADIUS federation

D. RADIUS federation Explanation: RADIUS generally includes 802.1x that pre-authenticates devices. RADIUS stands for Remote Authentication Dial-In User Service and was develop to authenticate, authorize and account (AAA) Dail-In users. Today it's often used as a centralized authentication server for the management interface for all kinds of networking devices.

A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact? A. Launch an investigation to identify the attacking host. B. Initiate the incident response plan. C. Review lessons learned captured in the process. D. Remove malware and restore the system to normal operation.

D. Remove malware and restore the system to normal operation.

A security technician has been receiving alerts from several servers that indicate load balancers have had a significant increase in traffic. The technician initiates a system scan. The scan results illustrate that the disk space on several servers has reached capacity. The scan also indicates that incoming internet traffic to the servers has increased. Which of the following is the MOST likely cause of the decreased disk space? A. Misconfigured devices B. Logs and events anomalies C. Authentication issues D. Unauthorized software

D. Unauthorized software

A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the FIRST step the forensic expert needs to take the chain of custody? A. Make a forensic copy B. Create a hash of the hard drive C. Recover the hard drive data D. Update the evidence log

D. Update the evidence log

A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions. In addition, the perimeter router can only handle 1Gbps of traffic. Which of the following should be implemented to prevent a DoS attack in the future? A. Deploy multiple web servers and implement a load balancer. B. Increase the capacity of the perimeter router to 10 Gbps. C. Install a firewall at the network to prevent all attacks. D. Use redundancy across all network devices and services.

D. Use redundancy across all network devices and services.

A business sector is highly competitive, and safeguarding trade secrets and critical information is paramount. On a seasonal basis, an organization employs temporary hires and contractor personnel to accomplish its mission objectives. The temporary and contract personnel require access to network resources only when on the clock. Which of the following account management practices are the BEST ways to manage these accounts? A. Employ time-of-day restrictions. B. Employ password complexity. C. Employ a random key generator strategy. D. Employ an account expiration strategy. E. Employ a password lockout policy.

E. Employ a password lockout policy.