ABC Review Test 1
113)A company is executing a strategy to encrypt and sign all proprietary data in transit. The company recently deployed PKI services to support this strategy. Which of the following protocols supports the strategy and employs certificates generated by the PKI? (Choose three.) A. S/MIME B. TLS C. SFTP D. SAML E. SIP F. IPSec G. Kerberos
A. S/MIME B. TLS C. SFTP
35)A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user's machine with protocols to connect to the Unix web server, which is behind a firewall. Which of the following protocols does the technician MOST likely need to configure? A. SSH B. SFTP C. HTTPS D. SNMP
A. SSH
62) An audit has revealed that database administrators are also responsible for auditing database changes and backup logs. Which of the following access control methodologies would BEST mitigate this concern? A. Time of day restrictions B. Principle of least privilege C. Role-based access control D. Separation of duties
D. Separation of duties
46) Which of the following can be used to control specific commands that can be executed on a network infrastructure device? A. LDAP B. Kerberos C. SAML D. TACACS+
D. TACACS+
164)Which of the following works by implanting software on systems but delays execution until a specific set of conditions is met? A. Logic bomb B. Trojan C. Scareware D. Ransomware
A. Logic bomb
168) Which of the following control types would a backup of server data provide in case of a system issue? A. Corrective B. Deterrent C. Preventive D. Detective
A. Corrective
143)A company wants to ensure users are only logging into the system from their laptops when they are on site. Which of the following would assist with this? A. Geofencing B. Smart cards C. Biometrics D. Tokens
A. Geofencing
130) Using an ROT13 cipher to protocol confidential information for unauthorized access is known as: A. Steganography B. Obfuscation C. Non repudiation D. Diffusion
A. Steganography
22)A company determines that it is prohibitively expensive to become compliant with new credit card regulations. Instead, the company decides to purchase insurance to cover the cost of any potential loss. Which of the following is the company doing? A. Transferring the risk B. Accepting the risk C. Avoiding the risk D. Migrating the risk
A. Transferring the risk
19) A security administrator has been asked to implement a VPN that will support remote access over IPSEC. Which of the following is an encryption algorithm that would meet this requirement? A. MD5 B. AES C. UDP D. PKI
B. AES
119) A development team has adopted a new approach to projects in which feedback is iterative and multiple iterations of deployments are provided within an application's full life cycle. Which of the following software development methodologies is the development team using? A. Waterfall B. Agile C. Rapid D. Extreme
B. Agile
93) A company has just completed a vulnerability scan of its servers. A legacy application that monitors the HVAC system in the datacenter presents several challenges, as the application vendor is no longer in business. Which of the following secure network architecture concepts would BEST protect the other company servers if the legacy server were to be exploited? A. Virtualization B. Air gap C. VLAN D. Extranet
B. Air gap
29) A security administrator is tasked with implementing centralized management of all network devices. Network administrators will be required to logon to network devices using their LDAP credentials. All command executed by network administrators on network devices must fall within a preset list of authorized commands and must be logged to a central facility. Which of the following configuration commands should be implemented to enforce this requirement? A. LDAP server 10.55.199.3 B. CN=company, CN=com, OU=netadmin, DC=192.32.10.233 C. SYSLOG SERVER 172.16.23.50 D. TACAS server 192.168.1.100
B. CN=company, CN=com, OU=netadmin, DC=192.32.10.233
220) While troubleshooting a client application connecting to the network, the security administrator notices the following error: Certificate is not valid. Which of the following is the BEST way to check if the digital certificate is valid? A. PKI B. CRL C. CSR D. IPSec
B. CRL
208) Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources? A. Attestation B. Federation C. Single sign-on D. Kerberos
B. Federation
98)Which of the following would meet the requirements for multifactor authentication? A. Username, PIN, and employee ID number B. Fingerprint and password C. Smart card and hardware token D. Voice recognition and retina scan
B. Fingerprint and password
69) A company hired a firm to test the security posture of its database servers and determine if any vulnerabilities can be exploited. The company provided limited imformation pertaining to the infrastructure and database server. Which of the following forms of testing does this BEST describe? A. Black box B. Gray box C. White box D. Vulnerability scanning
B. Gray box
7) The firewall administrator is adding a new certificate for the company's remote access solution. The solution requires that the uploaded file contain the entire certificate chain for the certificate to load properly. The administrator loads the company certificate and the root CA certificate into the file. The file upload is rejected. Which of the following is required to complete the certificate chain? A. Certificate revocation list B. Intermediate authority C. Recovery agent D. Root of trust
B. Intermediate authority
38) When generating a request for a new x.509 certificate for securing a website, which of the following is the MOST appropriate hashing algorithm? A. RC4 B. MD5 C. HMAC D. SHA
B. MD5
10) A penetration tester is crawling a target website that is available to the public. Which of the following represents the actions the penetration tester is performing? A. URL hijacking B. Reconnaissance C. White box testing D. Escalation of privilege
B. Reconnaissance
139) A systems administrator is implementing a remote access method for the system that will utilize GUI. Which of the following protocols would be BEST suited for this? A. TLS B. SSH C. SFTP D. SRTP
B. SSH
22) A consumer purchases an exploit from the dark web. The exploit targets the online shopping cart of a popular website, allowing the shopper to modify the price of an item as checkout. Which of the following BEST describes this type of user? A. Insider B. Script kiddie C. Competitor D. Hacktivist E. APT
B. Script kiddie
52) Which of the following techniques can be bypass a user or computer's web browser privacy settings? (Select Two) A. SQL injection B. Session hijacking C. Cross-site scripting D. Locally shared objects E. LDAP injection
B. Session hijacking C. Cross-site scripting
210) An organization's employees currently use three different sets of credentials to access multiple internal resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal? A. Transitive trust B. Single sign-on C. Federation D. Secure token
B. Single sign-on
187)A security administrator is choosing an algorithm to generate password hashes. Which of the following would offer the BEST protection against offline brute force attacks? A. MD5 B. 3DES C. AES D. SHA-1
C. AES
151) An organization's Chief Executive Officer (CEO) directs a newly hired computer technician to install an OS on the CEO's personal laptop. The technician performs the installation, and a software audit later in the month indicates a violation of the EULA occurred as a result. Which of the following would address this violation going forward? A. Security configuration baseline B. Separation of duties C. AUP D. NDA
C. AUP
92) A penetration tester harvests potential usernames from a social networking site. The penetration tester then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to shares on a network server. Which of the following methods is the penetration tester MOST likely using? A. Escalation of privilege B. SQL injection C. Active reconnaissance D. Proxy server
C. Active reconnaissance
242) When sending messages using symmetric encryption, which of the following must happen FIRST? A. Exchange encryption key B. Establish digital signatures C. Agree on an encryption method D. Install digital certificates
C. Agree on an encryption method
16) Which of the following is the BEST way for home users to mitigate vulnerabilities associated with IoT devices on their home networks? A. Power off the devices when they are not in use, B. Prevent IoT devices from contacting the Internet directly. C. Apply firmware and software updates upon availability. D. Deploy a bastion host on the home network.
C. Apply firmware and software updates upon availability.
50)A company has a data classification system with definitions for "Private" and "Public". The company's security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary". Which of the following is the MOST likely reason the company added this data type? A. Reduced cost B. More searchable data C. Better data classification D. Expanded authority of the privacy officer
C. Better data classification
177) A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO) A. Install an additional firewall B. Implement a redundant email server C. Block access to personal email on corporate systems D. Update the X.509 certificates on the corporate email server E. Update corporate policy to prohibit access to social media websites F. Review access violation on the file server
C. Block access to personal email on corporate systems E. Update corporate policy to prohibit access to social media websites
177)A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO) A. Install an additional firewall B. Implement a redundant email server C. Block access to personal email on corporate systems D. Update the X.509 certificates on the corporate email server E. Update corporate policy to prohibit access to social media websites F. Review access violation on the file server
C. Block access to personal email on corporate systems E. Update corporate policy to prohibit access to social media websites
99) A security engineer implements multiple technical measures to secure an enterprise network. The engineer also works with the Chief Information Officer (CIO) to implement policies to govern user behavior. Which of the following strategies is the security engineer executing? A. Baselining B. Mandatory access control C. Control diversity D. System hardening
C. Control diversity
96) A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions, and registry values known to be associated with system vulnerabilities. Which of the following BEST describes the type of scan being performed? A. Non-intrusive B. Authenticated C. Credentialed D. Active
C. Credentialed
148)An organization has hired a new remote workforce. Many new employees are reporting that they are unable to access the shared network resources while traveling. They need to be able to travel to and from different locations on a weekly basis. Shared offices are retained at the headquarters location. The remote workforce will have identical file and system access requirements, and must also be able to log in to the headquarters location remotely. Which of the following BEST represent how the remote employees should have been set up initially? (Choose two.) A. User-based access control B. Shared accounts C. Group-based access control D. Mapped drives E. Individual accounts F. Location-based policies
C. Group-based access control E. Individual accounts
186)An organization wants to ensure network access is granted only after a user or device has been authenticated. Which of the following should be used to achieve this objective for both wired and wireless networks? A. CCMP B. PKCS#12 C. IEEE 802.1X D. OCSP
C. IEEE 802.1X
127) Which of the following types of attacks precedes the installation of a rootkit on a server? A. Pharming B. DDoS C. Privilege escalation D. DoS
C. Privilege escalation
173)A company is planning to utilize its legacy desktop systems by converting them into dummy terminals and moving all heavy applications and storage to a centralized server that hosts all of the company's required desktop applications. Which of the following describes the BEST deployment method to meet these requirements? A. IaaS B. VM sprawl C. VDI D. PaaS
C. VDI
94) Which of the following methods is used by internal security teams to assess the security of internally developed applications? A. Active reconnaissance B. Pivoting C. White box testing D. Persistence
C. White box testing
132) A security analyst is attempting to break into a client's secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform: A. a risk analysis. B. a vulnerability assessment. C. a gray-box penetration test. D. an external security audit. E. a red team exercise.
C. a gray-box penetration test.
187)A Security Officer on a military base needs to encrypt several smart phones that will be going into the field. Which of the following encryption solutions should be deployed in this situation? A. Elliptic curve B. One-time pad C. 3DES D. AES-256
D. AES-256
113) A security analyst is performing a quantitative risk analysis. The risk analysis should show the potential monetary loss each time a threat or event occurs. Given this requirement, which of the following concepts would assist the analyst in determining this value? (Select two.) A. ALE (Annualized Loss Expectancy) B. AV (Asset Value) C. ARO (Annualize Rate of Occurrence) D. EF (Exposure Factor) E. ROI (Return on Investment)
B. AV (Asset Value) D. EF (Exposure Factor)
82) When considering a third-party cloud service provider, which of the following criteria would be the BEST to include in the security assessment process? (Select two.) A. Use of performance analytics B. Adherence to regulatory compliance C. Data retention policies D. Size of the corporation E. Breadth of applications support
B. Adherence to regulatory compliance C. Data retention policies
171) While reviewing the monthly internet usage it is noted that there is a large spike in traffic classified as "unknown" and does not appear to be within the bounds of the organizations Acceptable Use Policy. Which of the following tool or technology would work BEST for obtaining more information on this traffic? A. Firewall logs B. IDS logs C. Increased spam filtering D. Protocol analyzer
B. IDS logs
218) A company wants to ensure that the validity of publicly trusted certificates used by its web server can be determined even during an extended internet outage. Which of the following should be implemented? A. Recovery agent B. OCSP C. CRL D. Key escrow
B. OCSP
208) An administrator discovers the following log entry on a server: Nov 12 2013 00:23:45 httpd[2342]: GET/app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow Which of the following attacks is being attempted? A. Command injection B. Password attack C. Buffer overflow D. Cross-site scripting
B. Password attack
18)Which of the following types of keys is found in a key escrow? A. Public B. Private C. Shared D. Session
B. Private
184) Which of the following use the SSH protocol? (choose 2) A. Stelnet B. SCP C. SNMP D. FTPS E. SSL F. SFTP
B. SCP F. SFTP
85) A wireless network uses a RADIUS server that is connected to an authenticator, which in turn connects to a supplicant. Which of the following represents the authentication architecture in use? A. Open systems authentication B. Captive portal C. RADIUS federation D. 802.1x
D. 802.1x
161) Company policy requires the use if passphrases instead if passwords. Which of the following technical controls MUST be in place in order to promote the use of passphrases? A. Reuse B. Length C. History D. Complexity
D. Complexity
140) A security analyst notices anomalous activity coming from several workstations in the organizations. Upon identifying and containing the issue, which of the following should the security analyst do NEXT? A. Document and lock the workstations in a secure area to establish chain of custody B. Notify the IT department that the workstations are to be reimaged and the data restored for reuse C. Notify the IT department that the workstations may be reconnected to the network for the users to continue working D. Document findings and processes in the after-action and lessons learned report
D. Document findings and processes in the after-action and lessons learned report
100) A penetration tester finds that a company's login credentials for the email client were being sent in clear text. Which of the following should be done to provide encrypted logins to the email server? A. Enable IPSec and configure SMTP. B. Enable SSH and LDAP credentials. C. Enable MIME services and POP3. D. Enable an SSL certificate for IMAP services.
D. Enable an SSL certificate for IMAP services.
129) A security analyst receives an alert from a WAF with the following payload: var data= "<test test test>" ++ <../../../../../../etc/passwd>" Which of the following types of attacks is this? A. Cross-site request forgery B. Buffer overflow C. SQL injection D. JavaScript data insertion E. Firewall evasion script
D. JavaScript data insertion
19) Despite having implemented password policies,users continue to set the same weak passwords and reuse old passwords. Which of the following technical controls would help prevent these policy violations?(Select two.) A. Password expiration B. Password length C. Password complexity D. Password history E. Password lockout
C. Password complexity D. Password history
188) A Chief Information Officer (CIO) asks the company's security specialist if the company should spend any funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware infection for a server is 5 and the annual cost for the malware protection is $2500. Which of the following SLE (Single Loss Expectancy) values warrants a recommendation against purchasing the malware protection? A. $500 B. $1000 C. $2000 D. $2500
A. $500
189)A technician must configure a firewall to block external DNS traffic from entering a network. Which of the following ports should they block on the firewall? A. 53 B. 110 C. 143 D. 443
A. 53
147) Which of the following differentiates a collision attack from a rainbow table attack? A. A rainbow table attack performs a hash lookup B. A rainbow table attack uses the hash as a password C. In a collision attack, the hash and the input data are equivalent D. In a collision attack, the same input results in different hashes
A. A rainbow table attack performs a hash lookup
30)Malicious traffic from an internal network has been detected on an unauthorized port on an application server. Which of the following network-based security controls should the engineer consider implementing? A. ACLs (Access Control Lists) B. HIPS (Host Intrusion Prevention System) C. NAT (Network Address Translation) D. MAC filtering
A. ACLs (Access Control Lists)
12) Joe notices there are several user accounts on the local network generating spam with embedded malicious code. Which of the following technical control should Joe put in place to BEST reduce these incidents? A. Account lockout B. Group Based Privileges C. Least privilege D. Password complexity
A. Account lockout
93) Which of the following could occur when both strong and weak ciphers are configured on a VPN concentrator? (Select TWO) A. An attacker could potentially perform a downgrade attack. B. The connection is vulnerable to resource exhaustion. C. The integrity of the data could be at risk. D. The VPN concentrator could revert to L2TP. E. The IPSec payload reverted to 16-bit sequence numbers.
A. An attacker could potentially perform a downgrade attack. E. The IPSec payload reverted to 16-bit sequence numbers.
198) A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? A. Banner grabbing B. Port scanning C. Packet sniffing D. Virus scanning
A. Banner grabbing
127)During a routine vulnerability assessment, the following command was successful: echo "vrfy 'perl -e 'print "hi" x 500 ' ' " | nc www.company.com 25 Which of the following vulnerabilities is being exploited? A. Buffer overflow directed at a specific host MTA B. SQL injection directed at a web server C. Cross-site scripting directed at www.company.com D. Race condition in a UNIX shell script
A. Buffer overflow directed at a specific host MTA
146) Given the following requirements: Help to ensure non-repudiation Capture motion in various formats Which of the following physical controls BEST matches the above descriptions? A. Camera B. Mantrap C. Security guard D. Motion sensor
A. Camera
46)An attacker compromises a public CA and issues unauthorized X.509 certificates for Company.com. In the future, Company.com wants to mitigate the impact of similar incidents. Which of the following would assist Company.com with its goal? A. Certificate pinning B. Certificate stapling C. Certificate chaining D. Certificate with extended validation
A. Certificate pinning
156) A user typically works remotely over the holidays using a web-based VPN to access corporate resources. The user reports getting untrusted host errors and being unable to connect. Which of the following is MOST likely the case? A. The certificate has expired B. The browser does not support SSL C. The user's account is locked out D. The VPN software has reached the seat license maximum
A. The certificate has expired
227) An analyst is using a vulnerability scanner to look for common security misconfigurations on devices. Which of the following might be identified by the scanner? (Select TWO). A. The firewall is disabled on workstations. B. SSH is enabled on servers. C. Browser homepages have not been customized. D. Default administrator credentials exist on networking hardware. E. The OS is only set to check for updates once a day.
A. The firewall is disabled on workstations. B. SSH is enabled on servers.
193) A software developer is concerned about DLL hijacking in an application being written. Which of the following is the MOST viable mitigation measure of this type of attack? A. The DLL of each application should be set individually B. All calls to different DLLs should be hard-coded in the application C. Access to DLLs from the Windows registry should be disabled D. The affected DLLs should be renamed to avoid future hijacking
B. All calls to different DLLs should be hard-coded in the application
94) Which of the following is the BEST choice for a security control that represents a preventive and corrective logical control at the same time? A. Security awareness training B. Antivirus C. Firewalls D. Intrusion detection system
B. Antivirus
65) Two users need to send each other emails over unsecured channels. The system should support the principle of non-repudiation. Which of the following should be used to sign the user's certificates? A. RA (Registration Authority) B. CA (Certificate Authority) C. CRL (Certificate Revocation List) D. CSR (Certificate Signing Request)
B. CA
107)An organization recently moved its custom web applications to the cloud, and it is obtaining managed services of the back-end environment as part of its subscription. Which of the following types of services is this company now using? A. SaaS (Software as a Service) B. CASB (Cloud Access Security Broker) C. IaaS (Infrastructure as a Service) D. PaaS (Platform as a Service)
B. CASB (Cloud Access Security Broker)
133)An organization is comparing and contrasting migration from its standard desktop configuration to the newest version of the platform. Before this can happen, the Chief Information Security Officer (CISO) voices the need to evaluate the functionality of the newer desktop platform to ensure interoperability with existing software in use by the organization. In which of the following principles of architecture and design is the CISO engaging? A. Dynamic analysis B. Change management C. Baselining D. Waterfalling
B. Change management
103)Which of the following needs to be performed during a forensics investigation to ensure the data contained in a drive image has not been compromised? A. Follow the proper chain of custody procedures. B. Compare the image hash to the original hash. C. Ensure a legal hold has been placed on the image. D. Verify the time offset on the image file.
B. Compare the image hash to the original hash
103) Which of the following needs to be performed during a forensics investigation to ensure the data contained in a drive image has not been compromised? A. Follow the proper chain of custody procedures. B. Compare the image hash to the original hash. C. Ensure a legal hold has been placed on the image. D. Verify the time offset on the image file.
B. Compare the image hash to the original hash.
112) A security administrator is creating a risk assessment with regard to how to harden internal communications in transit between servers. Which of the following should the administrator recommend in the report? A. Configure IPSec in transport mode. B. Configure server-based PKI certificates. C. Configure the GRE tunnel. D. Configure a site-to-site tunnel
B. Configure server-based PKI certificates.
173)An administrator has concerns regarding the traveling sales team who works primarily from smart phones. Given the sensitive nature of their work, which of the following would BEST prevent access to the data in case of loss or theft? A. Enable screensaver locks when the phones are not in use to prevent unauthorized access B. Configure the smart phones so that the stored data can be destroyed from a centralized location C. Configure the smart phones so that all data is saved to removable media and kept separate from the device D. Enable GPS tracking on all smart phones so that they can be quickly located and recovered
B. Configure the smart phones so that the stored data can be destroyed from a centralized location
158)A security administrator returning from a short vacation receives an account lock-out message when attempting to log into the computer. After getting the account unlocked the security administrator immediately notices a large amount of emails alerts pertaining to several different user accounts being locked out during the past three days. The security administrator uses system logs to determine that the lock-outs were due to a brute force attack on all accounts that has been previously logged into that machine. Which of the following can be implemented to reduce the likelihood of this attack going undetected? A. Password complexity rules B. Continuous monitoring C. User access reviews D. Account lockout policies
B. Continuous monitoring
186) A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A. Enable CHAP (Challenge Hand-Shake Protocol) B. Disable NTLM (NT Lan Manager) C. Enable Kerebos D. Disable PAP (Password Authentication Protocol)
B. Disable NTLM (NT Lan Manager)
244)A security administrator wants to implement a company-wide policy to empower data owners to manage and enforce access control rules on various resources. Which of the following should be implemented? A. Mandatory access control B. Discretionary access control C. Role based access control D. Rule-based access control
B. Discretionary access control
154) A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program. Which of the following issue could occur if left unresolved? (Select TWO) A. MITM attack B. DoS attack C. DLL injection D. Buffer overflow E. Resource exhaustion
B. DoS attack E. Resource exhaustion
151) Upon entering an incorrect password, the logon screen displays a message informing the user that the password does not match the username provided and is not the required length of 12 characters. Which of the following secure coding techniques should a security analyst address with the application developers to follow security best practices? A. Input validation B. Error handling C. Obfuscation D. Data exposure
B. Error handling
98) Which of the following would meet the requirements for multifactor authentication? A. Username, PIN, and employee ID number B. Fingerprint and password C. Smart card and hardware token D. Voice recognition and retina scan
B. Fingerprint and password
162) During a routine audit, it is discovered that someone has been using a stale administrator account to log into a seldom used server. The person has been using the server to view inappropriate websites that are prohibited to end users. Which of the following could best prevent this from occurring again? A. Credential management B. Group policy management C. Acceptable use policy D. Account expiration policy
B. Group policy management
162)During a routine audit, it is discovered that someone has been using a stale administrator account to log into a seldom used server. The person has been using the server to view inappropriate websites that are prohibited to end users. Which of the following could best prevent this from occurring again? A. Credential management B. Group policy management C. Acceptable use policy D. Account expiration policy
B. Group policy management
224)Every morning, a systems administrator monitors failed login attempts on the company's log management server. The administrator notices the DBAdmin account has five failed username and/or password alerts during a ten-minute window. The systems administrator determines the user account is a dummy account used to attract attackers. Which of the following techniques should the systems administrator implement? A. Role-based access control B. Honeypot C. Rule-based access control D. Password cracker
B. Honeypot
225)Joe, a technician, is working remotely with his company provided laptop at the coffee shop near his home. Joe is concerned that another patron of the coffee shop may be trying to access his laptop. Which of the following is an appropriate control to use to prevent the other patron from accessing Joe's laptop directly? A. full-disk encryption B. Host-based firewall C. Current antivirus definitions D. Latest OS updates
B. Host-based firewall
171) While reviewing the monthly internet usage it is noted that there is a large spike in traffic classified as "unknown" and does not appear to be within the bounds of the organizations Acceptable Use Policy. Which of the following tool or technology would work BEST for obtaining more information on this traffic? A. Firewall logs B. IDS logs C. Increased spam filtering D. Protocol analyzer
B. IDS logs
136) A security administrator learns that PII, which was gathered by the organization, has been found in an open forum. As a result, several C-level executives found their identities were compromised, and they were victims of a recent whaling attack. Which of the following would prevent these problems in the future? (Select TWO). A. Implement a reverse proxy. B. Implement an email DLP. C. Implement a spam filter. D. Implement a host-based firewall. E. Implement a HIDS.
B. Implement an email DLP. C. Implement a spam filter.
27)Joe, an employee, wants to show his colleagues how much he knows about smartphones. Joe demonstrates a free movie application that he installed from a third party on his corporate smartphone. Joe's colleagues were unable to find the application in the app stores. Which of the following allowed Joe to install the application? (Select two.) A. Near-field communication. B. Rooting/jailbreaking C. Ad-hoc connections D. Tethering E. Sideloading
B. Rooting/jailbreaking E. Sideloading
107) A security administrator is analyzing a user report in which the computer exhibits odd network related outages. The administrator, however, does not see any suspicious process running. A prior technician's notes indicate the machine has been remediated twice, but the system still exhibits odd behavior. Files were deleted from the system recently. Which of the following is the MOST likely cause of this behavior? A. Crypto-malware B. Rootkit C. Logic bomb D. Session hijacking
B. Rootkit
107) A security administrator is analyzing a user report in which the computer exhibits odd networkrelated outages. The administrator, however, does not see any suspicious process running. A prior technician's notes indicate the machine has been remediated twice, but the system still exhibits odd behavior. Files were deleted from the system recently. Which of the following is the MOST likely cause of this behavior? A. Crypto-malware B. Rootkit C. Logic bomb D. Session hijacking
B. Rootkit
107) A security administrator is analyzing a user report in which the computer exhibits odd networkrelated outages. The administrator, however, does not see any suspicious process running. A prior technician's notes indicate the machine has been remediated twice, but the system still exhibits odd behavior. Files were deleted from the system recently. Which of the following is the MOST likely cause of this behavior? A. Crypto-malware B. Rootkit C. Logic bomb D. Session hijacking
B. Rootkit
166) An analyst receives an alert from the SIEM(Security information and event management) showing an IP address that does not belong to the assigned network can be seen sending packets to the wrong gateway. Which of the following network devices is misconfigured and which of the following should be done to remediate the issue? A. Firewall; implement an ACL on the interface B. Router; place the correct subnet on the interface C. Switch; modify the access port to trunk port D. Proxy; add the correct transparent interface
B. Router; place the correct subnet on the interface
9) In an effort to reduce data storage requirements, some company devices to hash every file and eliminate duplicates. The data processing routines are time sensitive so the hashing algorithm is fastand supported on a wide range of systems. Which of the following algorithms is BEST suited for this purpose? A. MD5 B. SHA C. RIPEMD D. AES
B. SHA
41)A security consultant discovers that an organization is using the PCL protocol to print documents, utilizing the default driver and print settings. Which of the following is the MOST likely risk in this situation? A. An attacker can access and change the printer configuration. B. SNMP data leaving the printer will not be properly encrypted. C. An MITM attack can reveal sensitive information. D. An attacker can easily inject malicious code into the printer firmware. E. Attackers can use the PCL protocol to bypass the firewall of client computers.
B. SNMP data leaving the printer will not be properly encrypted
89) A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size of the report is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select three.) A. S/MIME B. SSH C. SNMPv3 D. FTPS E. SRTP F. HTTPS G. LDAPS
B. SSH D. FTPS F. HTTPS
215) A security administrator is developing training for corporate users on basic security principles for personal email accounts. Which of the following should be mentioned as the MOST secure way for password recovery? A. Utilizing a single Qfor password recovery B. Sending a PIN to a smartphone through text message C. Utilizing CAPTCHA to avoid brute force attacks D. Use a different e-mail address to recover password
B. Sending a PIN to a smartphone through text message
102) Joe, a security administrator, needs to extend the organization's remote access functionality to be used by staff while travelling. Joe needs to maintain separate access control functionalities for internal, external, and VOIP services. Which of the following represents the BEST access technology for Joe to use? A. RADIUS B. TACACS+ C. Diameter D. Kerberos
B. TACACS+
30) A systems administrator has implemented multiple websites using host headers on the same server. The server hosts two websites that require encryption and other websites where encryption is optional. Which of the following should the administrator implement to encrypt web traffic for the required websites? A. Extended domain validation B. TLS host certificate C. OCSP stapling D. Wildcard certificate
B. TLS host certificate
48)Six months into development, the core team assigned to implement a new internal piece of software must convene to discuss a new requirement with the stake holders. A stakeholder identified a missing feature critical to the organization, which must be implemented. The team needs to validate the feasibility of the newly introduced requirement and ensure it does not introduce new vulnerabilities to the software and other applications that will integrate with it. Which of the following BEST describes what the company? A. The system integration phase of the SDLC B. The system analysis phase of SSDSLC C. The system design phase of the SDLC D. The system development phase of the SDLC
B. The system analysis phase of SSDSLC
247) A technician needs to implement a system which will properly authenticate users by their username and password only when the users are logging in from a computer in the office building. Any attempt to authenticate from a location other than the office building should be rejected. Which of the following MUST the technician implement? A. Dual factor authentication B. Transitive authentication C. Single factor authentication D. Biometric authentication
B. Transitive authentication
135)A security analyst is performing a manual audit of captured data from a packet analyzer. The analyst looks forbase64 encoded strings and applies the filter http.authbasic. Which of the following describes what the analysts looking for? A. Unauthorized software B. Unencrypted credentials C. SSL certificate issues D. Authentication tokens
B. Unencrypted credentials
207) A company has two wireless networks utilizing captive portals. Some employees report getting a trust error in their browsers when connecting to one of the networks. Both captive portals are using the same server certificate for authentication, but the analyst notices the following differences between the two certificate details: Certificate 1 Certificate Path: Geotrust Global CA company.com Certificate 2 Certificate Path: company.com Which of the following would resolve the problem? A. Use a wildcard certificate. B. Use certificate chaining. C. Use a trust model. D. Use an extended validation certificate.
B. Use certificate chaining.
47) Company XYZ has decided to make use of a cloud-based service that requires mutual, certificatebased authentication with its users. The company uses SSL-inspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication. Which of the following model prevents the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication? A. Use of OATH between the user and the service and attestation from the company domain B. Use of active directory federation between the company and the cloud-based service C. Use of smartcards that store x.509 keys, signed by a global CA D. Use of a third-party, SAML-based authentication service for attestation
B. Use of active directory federation between the company and the cloud-based service
242) ) During a recent audit, it was discovered that several user accounts belonging to former employees were still active and had valid VPN permissions. Which of the following would help reduce the amount of risk the organization incurs in this situation in the future? A. Time-of-day restrictions B. User access reviews C. Group-based privileges D. Change management policies
B. User access reviews
57)Which of the following is an important step to take BEFORE moving any installation packages from a test environment to production? A. Roll back changes in the test environment B. Verify the hashes of files C. Archive and compress the files D. Update the secure baseline
B. Verify the hashes of files
211)Which of the following technologies would be MOST appropriate to utilize when testing a new software patch before a company-wide deployment? A. Cloud computing B. Virtualization C. Redundancy D. Application control
B. Virtualization
210) Which of the following would verify that a threat does exist and security controls can easily be bypassed without actively testing an application? A. Protocol analyzer B. Vulnerability scan C. Penetration test D. Port scanner
B. Vulnerability scan
11) Which of the following is the main difference an XSS vulnerability and a CSRF vulnerability? (Pick 2) A. XSS needs the attacker to be authenticated to the trusted server. B. XSS does not need the victim to be authenticated to the trusted server. C. CSRF needs the victim to be authenticated to the trusted server. D. CSRF does not need the victim to be authenticated to the trusted server. E. CSRF does not need the attacker to be authenticated to the trusted server.
B. XSS does not need the victim to be authenticated to the trusted server. C. CSRF needs the victim to be authenticated to the trusted server.
70) A security analyst captures forensic evidence from a potentially compromised system for further investigation. The evidence is documented and securely stored to FIRST: A. maintain the chain of custody. B. preserve the data. C. obtain a legal hold. D. recover data at a later time.
B. preserve the data.
33) Which of the following encryption methods does PKI typically use to securely project keys? A. Elliptic curve B. Digital signatures C. Asymmetric D. Obfuscation
C. Asymmetric
165) A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the following attacks? A. SQL injection B. Header manipulation C. Cross-site scripting D. Flash cookie exploitation
C. Cross-site scripting
165)A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the following attacks? A. SQL injection B. Header manipulation C. Cross-site scripting D. Flash cookie exploitation
C. Cross-site scripting
138)After a routine audit, a company discovers that engineering documents have been leaving the network on a particular port. The company must allow outbound traffic on this port, as it has a legitimate business use. Blocking the port would cause an outage. Which of the following technology controls should the company implement? A. NAC (Network Access Control) B. Web proxy C. DLP (Data Loss Prevention) D. ACL (Access Control List)
C. DLP (Data Loss Prevention)
85) A company has won an important government contract. Several employees have been transferred from their existing projects to support a new contract. Some of the employees who have transferred will be working long hours and still need access to their project information to transition work to their replacements. Which of the following should be implemented to validate that the appropriate offboarding process has been followed? A. Separation of duties B. Time-of-day restrictions C. Permission auditing D. Mandatory access control
C. Permission auditing
85)A company has won an important government contract. Several employees have been transferred from their existing projects to support a new contract. Some of the employees who have transferred will be working long hours and still need access to their project information to transition work to their replacements. Which of the following should be implemented to validate that the appropriate offboarding process has been followed? A. Separation of duties B. Time-of-day restrictions C. Permission auditing D. Mandatory access control
C. Permission auditing
156) An organization requires employees to insert their identification cards into a reader so chips embedded in the cards can be read to verify their identities prior to accessing computing resources. Which of the following BEST describes this authentication control? A. TPM B. Token C. Proximity card D. CAC
C. Proximity card
53)A company wants to provide centralized authentication for its wireless system. The wireless authentication system must integrate with the directory back end. Which of the following is a AAA solution that will provide the required wireless authentication? A. TACACS+ B. MSCHAPv2 C. RADIUS D. LDAP
C. RADIUS
26)Which of the following describes the maximum amount of time a mission essential function can operate without the systems it depends on before significantly impacting the organization? A. MTBF (Mean Time Before Failure) B. MTTR (Mean Time to Repair) C. RTO (Recovery Time Objective) D. RPO (Recovery Point Objective)
C. RTO (Recovery Time Objective)
140) During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts With which of the following is the auditor MOST likely concerned? A. ARO(Annualized Rate of Occurrence)/ALE(Annualized Loss Expectancy) B. MTTR(Mean Time To Respond/Remediate) /MTBF(Mean Time To Between Failures) C. RTO(Recovery Time Objective)/RPO(Recovery Point Objective) D. Risk assessment
C. RTO/RPO
140) During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts With which of the following is the auditor MOST likely concerned? A. ARO/ALE B. MTTR/MTBF C. RTO/RPO D. Risk assessment
C. RTO/RPO
63) Which of the following cryptographic attacks would salting of passwords render ineffective? A. Brute force B. Dictionary C. Rainbow tables D. Birthday
C. Rainbow tables
110)A company utilizes 802.11 for all client connectivity within a facility. Users in one part of the building are reporting they are unable to access company resources when connected to the company SSID. Which of the following should the security administrator use to assess connectivity? A. Sniffer B. Honeypot C. Routing tables D. Wireless scanner
C. Routing tables
233)The SSID broadcast for a wireless router has been disabled but a network administrator notices that unauthorized users are accessing the wireless network. The administer has determined that attackers are still able to detect the presence of the wireless network despite the fact the SSID has been disabled. Which of the following would further obscure the presence of the wireless network? A. Upgrade the encryption to WPA or WPA2 B. Create a non-zero length SSID for the wireless router C. Reroute wireless users to a honeypot D. Disable responses to a broadcast probe request
D. Disable responses to a broadcast probe request
175)A security analyst has been asked to perform a review of an organization's software development lifecycle. The analyst reports that the lifecycle does not contain a phase in which team members evaluate and provide critical feedback of another developer's code. Which of the following assessment techniques is BEST described in the analyst's report? A. Architecture evaluation B. Baseline reporting C. Whitebox testing D. Peer review
D. Peer review
65) A security analyst has set up a network tap to monitor network traffic for vulnerabilities. Which of the following techniques would BEST describe the approach the analyst has taken? A. Compliance scanning B. Credentialed scanning C. Passive vulnerability scanning D. Port scanning
D. Port scanning
60) A penetration testing team deploys a specifically crafted payload to a web server, which results in opening a new session as the web server daemon. This session has full read/write access to the file system and the admin console. Which of the following BEST describes the attack? A. Domain hijacking B. Injection C. Buffer overflow D. Privilege escalation
D. Privilege escalation
14) An information system owner has supplied a new requirement to the development team that calls for increased non-repudiation within the application. After undergoing several audits, the owner determined that current levels of non-repudiation were insufficient. Which of the following capabilities would be MOST appropriate to consider implementing is response to the new requirement? A. Transitive trust B. Symmetric encryption C. Two-factor authentication D. Digital signatures E. One-time passwords
D. Digital signatures
139)A systems administrator wants to generate a self-signed certificate for an internal website. Which of the following steps should the systems administrator complete prior to installing the certificate on the server? A. Provide the private key to a public CA. B. Provide the public key to the internal CA. C. Provide the public key to a public CA. D. Provide the private key to the internal CA. E. Provide the public/private key pair to the internal CA F. Provide the public/private key pair to a public CA.
D. Provide the private key to the internal CA.
174) A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure? A. L2TP with MAC filtering B. EAP-TTLS C. WPA2-CCMP with PSK D. RADIUS federation
D. RADIUS federation
178)A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact? A. Launch an investigation to identify the attacking host B. Initiate the incident response plan C. Review lessons learned captured in the process D. Remove malware and restore the system to normal operation
D. Remove malware and restore the system to normal operation
132) A security analyst wants to harden the company's VoIP PBX. The analyst is worried that credentials may be intercepted and compromised when IP phones authenticate with the BPX. Which of the following would best prevent this from occurring? A. Implement SRTP between the phones and the PBX. B. Place the phones and PBX in their own VLAN. C. Restrict the phone connections to the PBX. D. Require SIPS on connections to the PBX.
D. Require SIPS on connections to the PBX.
120)A Chief Executive Officer (CEO) suspects someone in the lab testing environment is stealing confidential information after working hours when no one else is around. Which of the following actions can help to prevent this specific threat? A. Implement time-of-day restrictions. B. Audit file access times. C. Secretly install a hidden surveillance camera. D. Require swipe-card access to enter the lab.
D. Require swipe-card access to enter the lab.
184) After the integrity of a patch has been verified, but before being deployed to production, it is important to: A. perform static analysis B. reverse engineer it for embedded malware. C. run dynamic analysis on the executable. D. test it in a staging environment
D. test it in a staging environment
155)A security analyst is performing a BI A. The analyst notes that In a disaster, failover systems must be up and running within 30 minutes. The failover systems must use backup data that Is no older than one hour Which of the following should the analyst include In the business continuity plan? A. A maximum MTTR of 30 minutes B. A maximum MTBF of 30 minutes C. A maximum RTO of 60 minutes D. A maximum RPO of 60 minutes E. An SLA guarantee of 60 minutes
E. An SLA guarantee of 60 minutes
85) Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are complaining of an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly. Which of the following actions should be taken FIRST? (Select TWO) A. Disable the compromised accounts B. Update WAF rules to block social networks C. Remove the compromised accounts with all AD groups D. Change the compromised accounts' passwords E. Disable the open relay on the email server F. Enable sender policy framework
E. Disable the open relay on the email server F. Enable sender policy framework
152) A company has a security policy that specifies all endpoint computing devices should be assigned a unique identifier that can be tracked via an inventory management system. Recent changes to airline security regulations have cause many executives in the company to travel with mini tablet devices instead of laptops. These tablet devices are difficult to tag and track. An RDP application is used from the tablet to connect into the company network. Which of the following should be implemented in order to meet the security policy requirements? A. Virtual desktop infrastructure (IDI) B. WS-security and geo-fencing C. A hardware security module (HSM) D. RFID tagging system E. MDM software (Mobile Device Management) F. Security Requirements Traceability Matrix (SRTM)
E. MDM software (Mobile Device Management)
59) An organization wishes to provide better security for its name resolution services. Which of the following technologies BEST supports the deployment of DNSSEC at the organization? A. LDAP (Lightweight Direct Access Protocol) B. TPM (Trusted Platform Module) C. TLS (Transport Layer Security) D. SSL (Secure Sockets Layer) E. PKI (Public Key Infrastructure)
E. PKI (Public Key Infrastructure)
165)A company has migrated to two-factor authentication for accessing the corporate network, VPN, and SSO. Several legacy applications cannot support multifactor authentication and must continue to use usernames and passwords. Which of the following should be implemented to ensure the legacy applications are as secure as possible while ensuring functionality? (Choose two.) A. Priveleged accounts B. Password reuse restrictions C. Password complexity requirements D. Password recovery E. Account disablement
C. Password complexity requirements E. Account disablement
221)A security program manager wants to actively test the security posture of a system. The system is not yet in production and has no uptime requirement or active user base. Which of the following methods will produce a report which shows vulnerabilities that were actually exploited?A. Peer review B. Component testing C. Penetration testing D. Vulnerability testing
C. Penetration testing
123) An organization has several production-critical SCADA supervisory systems that cannot follow the normal 30-day patching policy. Which of the following BEST maximizes the protection of these systems from malicious software? A. Configure a firewall with deep packet inspection that restricts traffic to the systems. B. Configure a separate zone for the systems and restrict access to known ports. C. Configure the systems to ensure only necessary applications are able to run. D. Configure the host firewall to ensure only the necessary applications have listening ports
A. Configure a firewall with deep packet inspection that restricts traffic to the systems.
188) An organization relies heavily on an application that has a high frequency of security updates. At present, the security team only updates the application on the first Monday of each month, even though the security updates are released as often as twice a week. Which of the following would be the BEST method of updating this application? A. Configure testing and automate patch management for the application. B. Configure security control testing for the application. C. Manually apply updates for the application when they are released. D. Configure a sandbox for testing patches before the scheduled monthly update.
A. Configure testing and automate patch management for the application.
188)An organization relies heavily on an application that has a high frequency of security updates. At present, the security team only updates the application on the first Monday of each month, even though the security updates are released as often as twice a week. Which of the following would be the BEST method of updating this application? A. Configure testing and automate patch management for the application. B. Configure security control testing for the application. C. Manually apply updates for the application when they are released. D. Configure a sandbox for testing patches before the scheduled monthly update.
A. Configure testing and automate patch management for the application.
91) A vulnerability scanner that uses its running service's access level to better assess vulnerabilities across multiple assets within an organization is performing a: A. Credentialed scan. B. Non-intrusive scan. C. Privilege escalation test. D. Passive scan.
A. Credentialed scan.
97) A user is unable to open a file that has a grayed-out icon with a lock. The user receives a pop-up message indicating that payment must be sent in Bitcoin to unlock the file. Later in the day, other users in the organization lose the ability to open files on the server. Which of the following has MOST likely occurred? (Choose three.) A. Crypto-malware B. Adware C. Botnet attack D. Virus E. Ransomware F. Backdoor G. DDoS attack
A. Crypto-malware D. Virus E. Ransomware
158) A security technician has been assigned data destruction duties. The hard drives that are being disposed of contain highly sensitive information. Which of the following data destruction techniques is MOST appropriate? A. Degaussing B. Purging C. Wiping D. Shredding
A. Degaussing
32) A security administrator is developing controls for creating audit trails and tracking if a PHI data breach is to occur. The administrator has been given the following requirements: All access must be correlated to a user account. All user accounts must be assigned to a single individual. User access to the PHI data must be recorded. Anomalies in PHI data access must be reported. Logs and records cannot be deleted or modified. Which of the following should the administrator implement to meet the above requirements? (Select three.) A. Eliminate shared accounts. B. Create a standard naming convention for accounts. C. Implement usage auditing and review. D. Enable account lockout thresholds. E. Copy logs in real time to a secured WORM drive. F. Implement time-of-day restrictions. G. Perform regular permission audits and reviews.
A. Eliminate shared accounts. C. Implement usage auditing and review. G. Perform regular permission audits and reviews.
233) A company stores highly sensitive data files used by the accounting system on a server file share. The accounting system uses a service account named accounting-svc to access the file share. The data is protected will a full disk encryption, and the permissions are set as follows: File system permissions: Users = Read Only Share permission: accounting-svc = Read Only Given the listed protections are in place and unchanged, to which of the following risks is the data still subject? A. Exploitation of local console access and removal of data B. Theft of physical hard drives and a breach of confidentiality C. Remote exfiltration of data using domain credentials D. Disclosure of sensitive data to third parties due to excessive share permissions
A. Exploitation of local console access and removal of data
145)A company is developing a new system that will unlock a computer automatically when an authorized user sits in front of it, and then lock the computer when the user leaves. The user does not have to perform any action for this process to occur. Which of the following technologies provides this capability? A. Facial recognition B. Fingerprint scanner C. Motion detector D. Smart cards
A. Facial recognition
170) Which of the following can occur when a scanning tool cannot authenticate to a server and has to rely on limited information obtained from service banners? A. False positive B. Passive reconnaissance C. Access violation D. Privilege escalation
A. False positive
232)An administrator is testing the collision resistance of different hashing algorithms. Which of the following is the strongest collision resistance test? A. Find two identical messages with different hashes B. Find two identical messages with the same hash C. Find a common has between two specific messages D. Find a common hash between a specific message and a random message
A. Find two identical messages with different hashes
61) A global gaming console manufacturer is launching a new gaming platform to its customers. Which of the following controls reduces the risk created by malicious gaming customers attempting to circumvent control by way of modifying consoles? (Select Two) A. Firmware version control B. Manual software upgrades C. Vulnerability scanning D. Automatic updates E. Network segmentation F. Application firewalls
A. Firmware version control D. Automatic updates
95) A security analyst is testing both Windows and Linux systems for unauthorized DNS zone transfers within a LAN on comptia.org from example.org. Which of the following commands should the security analyst use? (Select two.) A. Option A B. Option B C. Option C D. Option D E. Option E F. Option F
A. Option A C. Option C
8) A security analyst is hardening a server with the directory services role installed. The analyst must ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients. Which of the following should the analyst implement to meet these requirements?(Select two.) A. Generate an X.509-compliant certificate that is signed by a trusted CA. B. Install and configure an SSH tunnel on the LDAP server. C. Insure port 389 is open between the clients and the servers using the communication. D. Ensure port 636 is open between the clients and the servers using the communication. E.Remote the LDAP directory service role from the server.
A. Generate an X.509-compliant certificate that is signed by a trusted CA. D. Ensure port 636 is open between the clients and the servers using the communication.
112) A systems administrator wants to protect data stored on mobile devices that are used to scan and record assets in a warehouse. The control must automatically destroy the secure container of mobile devices if they leave the warehouse. Which of the following should the administrator implement? (Select two.) A. Geofencing B. Remote wipe C. Near-field communication D. Push notification services E. Containerization
A. Geofencing E. Containerization
169)A technician has installed new vulnerability scanner software on a server that is joined to the company domain. The vulnerability scanner is able to provide visibility over the patch posture of all company's clients. Which of the following is being used? A. Gray box vulnerability testing B. Passive scan C. Credentialed scan D. Bypassing security controls
A. Gray box vulnerability testing
197) A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being ex-filtrated through an active connection. Which of the following is the NEXT step the team should take? A. Identify the source of the active connection B. Perform eradication of active connection and recover C. Performance containment procedure by disconnecting the server D. Format the server and restore its initial configuration
A. Identify the source of the active connection
71) A systems administrator has been assigned to create accounts for summer interns. The interns are only authorized to be in the facility and operate computers under close supervision. They must also leave the facility at designated times each day. However, the interns can access intern file folders without supervision. Which of the following represents the BEST way to configure the accounts? (Select TWO.) A. Implement time-of-day restrictions. B. Modify archived data. C. Access executive shared portals. D. Create privileged accounts. E. Enforce least privilege.
A. Implement time-of-day restrictions. D. Create privileged accounts.
148) A security analyst is securing smartphones and laptops for a highly mobile workforce. Priorities include: Remote wipe capabilities Geolocation services Patch management and reporting Mandatory screen locks Ability to require passcodes and pins Ability to require encryption Which of the following would BEST meet these requirements? A. Implementing MDM software B. Deploying relevant group policies to the devices C. Installing full device encryption D. Removing administrative rights to the devices
A. Implementing MDM software
157)When it comes to cloud computing, if one of the requirements for a project is to have the most control over the systems in the cloud, which of the following is a service model that would be BEST suited for this goal? A. Infrastructure B. Platform C. Software D. Virtualization
A. Infrastructure
88)A security analyst is hardening a web server, which should allow a secure certificate-based session using the organization's PKI infrastructure. The web server should also utilize the latest security techniques and standards. Given this set of requirements, which of the following techniques should the analyst implement to BEST meet these requirements? (Select two.) A. Install an X- 509-compliant certificate. B. Implement a CRL using an authorized CA. C. Enable and configure TLS on the server. D. Install a certificate signed by a public CA. E. Configure the web server to use a host header.
A. Install an X- 509-compliant certificate. C. Enable and configure TLS on the server.
40)A user has attempted to access data at a higher classification level than the user's account is currently authorized to access. Which of the following access control models has been applied to this user's account? A. MAC (Message Authentication Code) B. DAC (Discretionary Access Control) C. RBAC (Role-based Access Control) D. ABAC (Attribute-based Access Control)
A. MAC (Message Authentication Code)
114) An incident involving a workstation that is potentially infected with a virus has occurred. The workstation may have sent confidential data to an unknown internet server. Which of the following should a security analyst do FIRST? A. Make a copy of everything in memory on the workstation. B. Turn off the workstation. C. Consult information security policy. D. Run a virus scan.
A. Make a copy of everything in memory on the workstation.
175) An administrator is implementing a secure web server and wants to ensure that if the web server application is compromised, the application does not have access to other parts of the server or network. Which of the following should the administrator implement? (Choose two.) A. Mandatory access control B. Discretionary access control C. Rule-based access control D. Role-based access control E. Attribute-based access control
A. Mandatory access control C. Rule-based access control
9)An organization wants to implement a solution that allows for automated logical controls for network defense. An engineer plans to select an appropriate network security component, which automates response actions based on security threats to the network. Which of the following would be MOST appropriate based on the engineer's requirements? A. NIPS B. HIDS C. Web proxy D. Elastic load balancer E. NAC
A. NIPS
111) A user needs to send sensitive information to a colleague using PKI(Public Key Infrastructure). Which of the following concepts apply when a sender encrypts the message hash with the sender's private key? (Select TWO) A. Non-repudiation B. Email content encryption C. Steganography D. Transport security E. Message integrity
A. Non-repudiation E. Message integrity
91) An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which of the following technologies is the provider referring? A. Open ID Connect B. SAML C. XACML D. LDAP
A. Open ID Connect
21)A company is currently using the following configuration: IAS server with certificate-based EAP-PEAP and MSCHAP Unencrypted authentication via PAP A security administrator needs to configure a new wireless setup with the following configurations: PAP authentication method PEAP and EAP provide two-factor authentication Which of the following forms of authentication are being used? (Select two.) A. PAP (Password Authentication Protocol) B. PEAP (Protected Extensible Authentication Protocol) C. MSCHAP (Microsoft Version of Challenge Handshake Authentication Protocol) D. PEAP- MSCHAP E. EAP (Extensible Authentication Protocol) F. EAP-PEAP
A. PAP (Password Authentication Protocol) C. MSCHAP (Microsoft Version of Challenge
72) An analyst wants to implement a more secure wireless authentication for office access points. Which of the following technologies allows for encrypted authentication of wireless clients over TLS? A. PEAP (Protected Extensible Authentication Protocol) B. EAP (Extensible Authentication Protocol) C. WPA2 D. RADIUS
A. PEAP (Protected Extensible Authentication Protocol)
170) A Chief Information Officer (CIO) recently saw on the news that a significant security flaws exists with a specific version of a technology the company uses to support many critical application. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information? A. Penetration test B. Vulnerability scan C. Active reconnaissance D. Patching assessment report
A. Penetration test
101) Ann, a security administrator, wants to ensure credentials are encrypted in transit when implementing a RADIUS server for SSO. Which of the following are needed given these requirements? (Select TWO) A. Public key B. Shared key C. Elliptic curve D. MD5 E. Private key F. DES
A. Public key E. Private key
212) A system administrator needs to implement 802.1x whereby when a user logs into the network, the authentication server communicates to the network switch and assigns the user to the proper VLAN. Which of the following protocols should be used? A. RADIUS B. Kerberos C. LDAP D. MSCHAP
A. RADIUS
17) An organization has determined it can tolerate a maximum of three hours of downtime. Which of the following has been specified? A. RTO (Recovery Time Objective) B. RPO (Recovery Point Objective) C. MTBF (mean Time Between Failures) D. MTTR (Mean Time To Resolve)
A. RTO (Recovery Time Objective)
17)An organization has determined it can tolerate a maximum of three hours of downtime. Which of the following has been specified? A. RTO (Recovery Time Objective) B. RPO (Recovery Point Objective) C. MTBF (mean Time Between Failures) D. MTTR (Mean Time To Resolve)
A. RTO (Recovery Time Objective)
229) A penetration testing is preparing for a client engagement in which the tester must provide data that proves and validates the scanning tools' results. Which of the following is the best method for collecting this information? A. Set up the scanning system's firewall to permit and log all outbound connections B. Use a protocol analyzer to log all pertinent network traffic C. Configure network flow data logging on all scanning system D. Enable debug level logging on the scanning system and all scanning tools used.
A. Set up the scanning system's firewall to permit and log all outbound connections
229)A penetration testing is preparing for a client engagement in which the tester must provide data that proves and validates the scanning tools' results. Which of the following is the best method for collecting this information? A. Set up the scanning system's firewall to permit and log all outbound connections B. Use a protocol analyzer to log all pertinent network traffic C. Configure network flow data logging on all scanning system D. Enable debug level logging on the scanning system and all scanning tools used.
A. Set up the scanning system's firewall to permit and log all outbound connections
69) Which of the following technologies employ the use of SAML (Security Assertion Markup Language)? (Select two.) A. Single sign-on B. Federation C. LDAP D. Secure token E. RADIUS
A. Single sign-on B. Federation
115)Joe, an employee, asks a coworker how long ago Ann started working at the help desk. The coworker expresses surprise since nobody named Ann works at the help desk. Joe mentions that Ann called several people in the customer service department to help reset their passwords over the phone due to unspecified "server issues". Which of the following has occurred? A. Social engineering B. Whaling C. Watering hole attack D. Password cracking
A. Social engineering
126)A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct FIRST? A. Survey threat feeds from services inside the same industry. B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic C. Conduct an internal audit against industry best practices to perform a qualitative analysis. D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.
A. Survey threat feeds from services inside the same industry.
191) Two users must encrypt and transmit large amounts of data between them. Which of the following should they use to encrypt and transmit the data? A. Symmetric algorithm B. Hash function C. Digital signature D. Obfuscation
A. Symmetric algorithm
171) An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO) A. TACACS+ B. CHAP C. LDAP D. RADIUS E. MSCHAPv2
A. TACACS+ D. RADIUS
45)A server administrator needs to administer a server remotely using RDP, but the specified port is closed on the outbound firewall on the network. The access the server using RDP on a port other than the typical registered port for the RDP protocol? A. TLS B. MPLS C. SCP D. SSH
A. TLS
97) A security analyst is updating a BIA document. The security analyst notices the support vendor's time to replace a server hard drive went from eight hours to two hours. Given these new metrics, which of the following can be concluded? (Select TWO) A. The MTTR is faster. B. The MTTR is slower. C. The RTO has increased. D. The RTO has decreased. E. The MTTF has increased. F. The MTTF has decreased.
A. The MTTR is faster. D. The RTO has decreased.
94) A new firewall has been places into service at an organization. However, a configuration has not been entered on the firewall. Employees on the network segment covered by the new firewall report they are unable to access the network. Which of the following steps should be completed to BEST resolve the issue? A. The firewall should be configured to prevent user traffic form matching the implicit deny rule. B. The firewall should be configured with access lists to allow inbound and outbound traffic. C. The firewall should be configured with port security to allow traffic. D. The firewall should be configured to include an explicit deny rule.
A. The firewall should be configured to prevent user traffic form matching the implicit deny rule.
83) Which of the following occurs when the security of a web application relies on JavaScript for input validation? A. The integrity of the data is at risk. B. The security of the application relies on antivirus. C. A host-based firewall is required. D. The application is vulnerable to race conditions.
A. The integrity of the data is at risk.
74)A company has three divisions, each with its own networks and services. The company decides to make its secure web portal accessible to all employees utilizing their existing usernames and passwords. The security administrator has elected to use SAML to support authentication. In this scenario, which of the following will occur when users try to authenticate to the portal? (Select two.) A. The portal will function as a service provider and request an authentication assertion. B. The portal will function as an identity provider and issue an authentication assertion. C. The portal will request an authentication ticket from each network that is transitively trusted. D. The back-end networks will function as an identity provider and issue an authentication assertion. E. The back-end networks will request authentication tickets from the portal, which will act as the third-party service provider authentication store. F. The back-end networks will verify the assertion token issued by the portal functioning as the identity provider.
A. The portal will function as a service provider and request an authentication assertion. B. The portal will function as an identity provider and issue an authentication assertion.
126)A security administrator is configuring a new network segment, which contains devices that will be accessed by external users, such as web and FTP server. Which of the following represents the MOST secure way to configure the new network segment? A. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic. B. The segment should be placed in the existing internal VLAN to allow internal traffic only. C. The segment should be placed on an intranet, and the firewall rules should be configured to allow external traffic. D. The segment should be placed on an extranet, and the firewall rules should be configured to allow both internal and external traffic.
A. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic.
96)Which of the following are the MAIN reasons why a systems administrator would install security patches in a staging environment before the patches are applied to the production server? (Select two.) A. To prevent server availability issues B. To verify the appropriate patch is being installed C. To generate a new baseline hash after patching D. To allow users to test functionality E. To ensure users are trained on new functionality
A. To prevent server availability issues D. To allow users to test functionality
185) User from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKIs to work together without connection errors? A. Trust model B. Stapling C. Intermediate CA D. Key escrow
A. Trust model
39)Which of the following is a technical preventive control? A. Two-factor authentication B. DVR-supported cameras C. Acceptable-use MOTD D. Syslog server
A. Two-factor authentication
162)A company has critical systems that are hosted on an end-of-life OS. To maintain operations and mitigate potential vulnerabilities, which of the following BEST accomplishes this objective? A. Use application whitelisting. B. Employ patch management. C. Disable the default administrator account. D. Implement full-disk encryption.
A. Use application whitelisting.
42) A Chief Information Security Officer (CISO) asks the security architect to design a method for contractors to access the company's internal network securely without allowing access to systems beyond the scope of their project. Which of the following methods would BEST fit the needs of the CISO? A. VPN B. PaaS C. IaaS D. VDI
A. VPN
25) Users report the following message appears when browsing to the company's secure site: This website cannot be trusted. Which of the following actions should a security analyst take to resolve these messages? (Select two.) A. Verify the certificate has not expired on the server. B. Ensure the certificate has a .pfx extension on the server. C. Update the root certificate into the client computer certificate store. D. Install the updated private key on the web server. E. Have users clear their browsing history and relaunch the session.
A. Verify the certificate has not expired on the server. C. Update the root certificate into the client computer certificate store.
60) A company hires a consulting firm to crawl its Active Directory network with a non-domain account looking for unpatched systems. Actively taking control of systems is out of scope, as is the creation of new administrator accounts. For which of the following is the company hiring the consulting firm? A. Vulnerability scanning B. Penetration testing C. Application fuzzing D. User permission auditing
A. Vulnerability scanning
48) A network administrator at a small office wants to simplify the configuration of mobile clients connecting to an encrypted wireless network. Which of the following should be implemented in the administrator does not want to provide the wireless password or he certificate to the employees? A. WPS (WiFi Protected Setup) B. 802.1x C. WPA2-PSK (WiFi Protected Access 2 with Pre Shared Key) D. TKIP (Temporal Key Integrity Protocol)
A. WPS (WiFi Protected Setup)
29) Which of the following is a major difference between XSS attacks and remote code exploits? A. XSS attacks use machine language, while remote exploits use interpreted language B. XSS attacks target servers, while remote code exploits target clients C. Remote code exploits aim to escalate attackers' privileges, while XSS attacks aim to gain access only D. Remote code exploits allow writing code at the client side and executing it, while XSS attacks require no code to work
A. XSS attacks use machine language, while remote exploits use interpreted language
228)The data backup window has expanded into the morning hours and has begun to affect production users. The main bottleneck in the process is the time it takes to replicate the backups to separate severs at the offsite data center. Which of the following uses of deduplication could be implemented to reduce the backup window? A. Implement deduplication at the network level between the two locations B. Implement deduplication on the storage array to reduce the amount of drive space needed C. Implement deduplication on the server storage to reduce the data backed up D. Implement deduplication on both the local and remote servers
B. Implement deduplication on the storage array to reduce the amount of drive space needed
134) A security administrator suspects a MITM attack aimed at impersonating the default gateway is underway. Which of the following tools should the administrator use to detect this attack? (Select two.) A. Ping B. Ipconfig C. Tracert D. Netstat E. Dig F. Nslookup
B. Ipconfig C. Tracert
98) A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Choose two.) A. PAP B. MSCHAP C. PEAP D. NTLM E. SAML
B. MSCHAP C. PEAP
169) Which of the following refers to the term used to restore a system to its operational state? A. MTBF (Mean Time Between Failures) B. MTTR (Mean Time To Repair) C. RTO (Recovery Time Objective) D. RPO (Recovery Point Objective)
B. MTTR (Mean Time To Repair)
245)Which of the following BEST describes an attack where communications between two parties are intercepted and forwarded to each party with neither party being aware of the interception and potential modification to the communications? A. Spear phishing B. Main-in-the-middle C. URL hijacking D. Transitive access
B. Main-in-the-middle
226) A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control? A. Discretionary access control B. Mandatory access control C. Role-based access control D. Rule-based access control
B. Mandatory access control
218)A company wants to ensure that the validity of publicly trusted certificates used by its web server can be determined even during an extended internet outage. Which of the following should be implemented? A. Recovery agent B. Ocsp C. Crl D. Key escrow
B. Ocsp
81) A wireless network has the following design requirements: Authentication must not be dependent on enterprise directory service It must allow background reconnection for mobile users It must not depend on user certificates Which of the following should be used in the design to meet the requirements? (Choose two.) A. PEAP B. PSK C. Open systems authentication D. EAP-TLS E. Captive portals
B. PSK E. Captive portals
135) A security manager is creating an account management policy for a global organization with sales personnel who must access corporate network resources while traveling all over the world. Which of the following practices is the security manager MOST likely to enforce with the policy? (Select TWO) A. Time-of-day restrictions B. Password complexity C. Location-based authentication D. Group-based access control E. Standard naming convention
B. Password complexity D. Group-based access control
41) A network technician is trying to determine the source of an ongoing network based attack. Which of the following should the technician use to view IPv4 packet data on a particular internal network segment? A. Proxy B. Protocol analyzer C. Switch D. Firewall
B. Protocol analyzer
67) A company has purchased a new SaaS application and is in the process of configuring it to meet the company's needs. The director of security has requested that the SaaS application be integrated into the company's IAM(Identity and Access Management) processes. Which of the following configurations should the security administrator set up in order to complete this request? A. LDAP (Lightweight Directory Access Protocol) B. RADIUS (Remote Authentication Dial-In User Service) C. SAML (Security Assertion Markup Language) D. NTLM (New Technology LAN Manager)
B. RADIUS (Remote Authentication Dial-In User Service)
11) Which of the following characteristics differentiate a rainbow table attack from a brute force attack? (Select two.) A. Rainbow table attacks greatly reduce compute cycles at attack time. B. Rainbow tables must include precomputed hashes. C. Rainbow table attacks do not require access to hashed passwords. D. Rainbow table attacks must be performed on the network. E. Rainbow table attacks bypass maximum failed login restrictions.
B. Rainbow tables must include precomputed hashes. E. Rainbow table attacks bypass maximum failed login restrictions.
144) A copy of a highly confidential salary report was recently found on a printer in the IT department. The human resources department does not have this specific printer mapped to its devices, and it is suspected that an employee in the IT department browsed to the share where the report was located and printed it without authorization. Which of the following technical controls would be the BEST choice to immediately prevent this from happening again? A. Implement a DLP solution and classify the report as confidential, restricting access only to human resources staff B. Restrict access to the share where the report resides to only human resources employees and enable auditing C. Have all members of the IT department review and sign the AUP and disciplinary policies D. Place the human resources computers on a restricted VLAN and configure the ACL to prevent access from the IT department
B. Restrict access to the share where the report resides to only human resources employees and enable auditing
144)A copy of a highly confidential salary report was recently found on a printer in the IT department. The human resources department does not have this specific printer mapped to its devices, and it is suspected that an employee in the IT department browsed to the share where the report was located and printed it without authorization. Which of the following technical controls would be the BEST choice to immediately prevent this from happening again? A. Implement a DLP solution and classify the report as confidential, restricting access only to human resources staff B. Restrict access to the share where the report resides to only human resources employees and enable auditing C. Have all members of the IT department review and sign the AUP and disciplinary policies D. Place the human resources computers on a restricted VLAN and configure the ACL to prevent access from the IT department
B. Restrict access to the share where the report resides to only human resources employees and enable auditing
122) An organization uses SSO authentication for employee access to network resources. When an employee resigns, as per the organization's security policy, the employee's access to all network resources is terminated immediately. Two weeks later, the former employee sends an email to the help desk for a password reset to access payroll information from the human resources server. Which of the following represents the BEST course of action? A. Approve the former employee's request, as a password reset would give the former employee access to only the human resources server. B. Deny the former employee's request, since the password reset request came from an external email address. C. Deny the former employee's request, as a password reset would give the employee access to all network resources. D. Approve the former employee's request, as there would not be a security issue with the former employee gaining access to network resources.
C. Deny the former employee's request, as a password reset would give the employee access to all network resources.
87) Adhering to a layered security approach, a controlled access facility employs security guards who verify the authorization of all personnel entering the facility. Which of the following terms BEST describes the security control being employed? A. Administrative B. Corrective C. Deterrent D. Compensating
C. Deterrent
75) Which of the following would allow for the QUICKEST restoration of a server into a warm recovery site in a case in which server data mirroring is not enabled? A. Full backup B. Incremental backup C. Differential backup D. Snapshot
C. Differential backup
203)A system administrator is configuring a site-to-site VPN tunnel. Which of the following should be configured on the VPN concentrator during the IKE phase? A. RIPEMD B. ECDHE C. Diffie-Hellman D. HTTPS
C. Diffie-Hellman
160)A security administrator has been tasked with improving the overall security posture related to desktop machines on the network. An auditor has recently that several machines with confidential customer information displayed in the screens are left unattended during the course of the day. Which of the following could the security administrator implement to reduce the risk associated with the finding? A. Implement a clean desk policy B. Security training to prevent shoulder surfing C. Enable group policy based screensaver timeouts D. Install privacy screens on monitors
C. Enable group policy based screensaver timeouts
159) A security administrator has written a script that will automatically upload binary and text-based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which of the following should the administrator use? (Select TWO) A. TOPT B. SCP C. FTP over a non-standard pot D. SRTP E. Certificate-based authentication F. SNMPv3
C. FTP over a non-standard pot E. Certificate-based authentication
23)Joe, a backup administrator, wants to implement a solution that will reduce the restoration time of physical servers. Which of the following is the BEST method for Joe to use? A. Differential B. Incremental C. Full D. Snapshots
C. Full
155)A security administrator has been assigned to review the security posture of the standard corporate system image for virtual machines. The security administrator conducts a thorough review of the system logs, installation procedures, and network configuration of the VM image. Upon reviewing the access logs and user accounts, the security administrator determines that several accounts will not be used in production. Which of the following would correct the deficiencies? A. Mandatory access controls B. Disable remote login C. Host hardening D. Disabling services
C. Host hardening
153) The security administrator receives an email on a non-company account from a coworker stating that some reports are not exporting correctly. Attached to the email was an example report file with several customers' names and credit card numbers with the PIN. Which of the following is the BEST technical controls that will help mitigate this risk of disclosing sensitive data? A. Configure the mail server to require TLS connections for every email to ensure all transport data is encrypted B. Create a user training program to identify the correct use of email and perform regular audits to ensure compliance C. Implement a DLP solution on the email gateway to scan email and remove sensitive data or files D. Classify all data according to its sensitivity and inform the users of data that is prohibited to share
C. Implement a DLP solution on the email gateway to scan email and remove sensitive data or files
138) A security administrator is developing a methodology for tracking staff access to patient data. Which of the following would be the BEST method of creating audit trails for usage reports? A. Deploy file integrity checking B. Restrict access to the database by following the principle of least privilege C. Implementing a database activity monitoring system D. Created automated alerts on the IDS system for the database server
C. Implementing a database activity monitoring system
84)An organization's file server has been virtualized to reduce costs. Which of the following types of backups would be MOST appropriate for the particular file server? A. Snapshot B. Full C. Incremental D. Differential
C. Incremental
123)A systems administrator has created network file shares for each department with associated security groups for each role within the organization. Which of the following security concepts is the systems administrator implementing? A. Separation of duties B. Permission auditing C. Least privilege D. Standard naming conversation
C. Least privilege
183)A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website. During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine. Which of the following describes the type of attack the proxy has been legitimately programmed to perform? A. Transitive access B. Spoofing C. Man-in-the-middle D. Replay
C. Man-in-the-middle
36)A department head at a university resigned on the first day of the spring semester. It was subsequently determined that the department head deleted numerous files and directories from the server-based home directory while the campus was closed. Which of the following policies or procedures could have prevented this from occurring? A. Time-of-day restrictions B. Permission auditing and review C. Offboarding D. Account expiration
C. Offboarding
116) Hacktivists are most commonly motivated by: A. curiosity B. notoriety C. financial gain D. political cause
D. political cause
249) A Chief Security Officer (CSO) has been unsuccessful in attempts to access the website for a potential partner (www.example.net). Which of the following rules is preventing the CSO from accessing the site? Blocked sites: *.nonews.com, *.rumorhasit.net, *.mars? A. Rule 1: deny from inside to outside source any destination any service smtp B. Rule 2: deny from inside to outside source any destination any service ping C. Rule 3: deny from inside to outside source any destination {blocked sites} service http-https D. Rule 4: deny from any to any source any destination any service any
C. Rule 3: deny from inside to outside source any destination {blocked sites} service http-https
131)An administrator is implementing a secure web server and wants to ensure that if the web server application s compromised, the application does not have access to other parts of the server or network. Which of the following should the administrator implement? (Select TWO.) A. Mandatory access control B. Discretionary access control C. Rule-based access control D. Role-based access control E. Attribute-based access control
C. Rule-based access control D. Role-based access control
236) Confidential emails from an organization were posted to a website without the organization's knowledge. Upon investigation, it was determined that the emails were obtained from an internal actor who sniffed the emails in plain text. Which of the following protocols, if properly implemented, would have MOST likely prevented the emails from being sniffed? (Select TWO) A. Secure IMAP B. DNSSEC C. S/MIME D. SMTPS E. HTTPS
C. S/MIME D. SMTPS
117) A systems administrator is configuring a new network switch for TACACS+ management and authentication. Which of the following must be configured to provide authentication between the switch and the TACACS+ server? A. 802.1X B. SSH C. Shared secret D. SNMPv3 E. CHAP
C. Shared secret
105) Users in a corporation currently authenticate with a username and password. A security administrator wishes to implement two-factor authentication to improve security. Which of the following authentication methods should be deployed to achieve this goal? A. PIN B. Security Question: C. Smart card D. Passphrase E. CAPTCHA
C. Smart card
201) A software developer wants to ensure that the application is verifying that a key is valid before establishing SSL connections with random remote hosts on the Internet. Which of the following should be used in the code? (Select TWO.) A. Escrowed keys B. SSL symmetric encryption key C. Software code private key D. Remote server public key E. OCSP (online certificate status protocol)
C. Software code private key E. OCSP
170)The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to upgrade the entire corporate IT infrastructure. The architecture consists of a centralized cloud environment hosting the majority of data, small server clusters at each corporate location to handle the majority of customer transaction processing, ATMs, and a new mobile banking application accessible from smartphones, tablets, and the Internet via HTTP. The corporation does business having varying data retention and privacy laws. Which of the following technical modifications to the architecture and corresponding security controls should be implemented to provide the MOST complete protection of data? A. Revoke exiting root certificates, re-issue new customer certificates, and ensure all transactions are digitally signed to minimize fraud, implement encryption for data in-transit between data centers B. Ensure all data is encryption according to the most stringent regulatory guidance applicable, implement encryption for data in-transit between data centers, increase data availability by replicating all data, transaction data, logs between each corporate location C. Store customer data based on national borders, ensure end-to end encryption between ATMs, end users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations D. Install redundant servers to handle corporate customer processing, encrypt all customer data to ease the transfer from one country to another, implement end-to-end encryption between mobile applications and the cloud.
C. Store customer data based on national borders, ensure end-to end encryption between ATMs, end users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations
246) Which of the following would be considered multifactor authentication? A. Hardware token and smart card B. Voice recognition and retina scan C. Strong password and fingerprint D. PIN and security Question:s
C. Strong password and fingerprint
148) A help desk is troubleshooting user reports that the corporate website is presenting untrusted certificate errors to employees and customers when they visit the website. Which of the following is the MOST likely cause of this error, provided the certificate has not expired? A. The certificate was self signed, and the CA was not imported by employees or customers B. The root CA has revoked the certificate of the intermediate CA C. The valid period for the certificate has passed, and a new certificate has not been issued D. The key escrow server has blocked the certificate from being validated
C. The valid period for the certificate has passed, and a new certificate has not been issued
13) A security analyst wishes to increase the security of an FTP server. Currently, all traffic to the FTP server is unencrypted. Users connecting to the FTP server use a variety of modern FTP client software. The security analyst wants to keep the same port and protocol, while also still allowing unencrypted connections. Which of the following world Best accomplish these goals? A. Require the SFTP protocol to connect to the fileserver. B. Use implicit TLS on the FTP server. C. Use explicit FTPS for connections. D. Use SSH tunneling to encrypt the FTP traffic.
C. Use explicit FTPS for connections.
104) As part of the SDLC, a third party is hired to perform a penetration test. The third party will have access to the source code, integration tests, and network diagrams. Which of the following BEST describes the assessment being performed? A. Black box B. Regression C. White box D. Fuzzing
C. White box
66) Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser? A. Buffer overflow B. MITM (Man-in-the-Middle) C. XSS (Cross-site Scripting) D. SQLi (SQLInjection)
C. XSS (Cross-site Scripting)
172)An active/passive configuration has an impact on: A. confidentiality B. integrity C. availability D. non-repudiation
C. availability
248) After correctly configuring a new wireless enabled thermostat to control the temperature of the company's meeting room, Joe, a network administrator determines that the thermostat is not connecting to the internetbased control system. Joe verifies that the thermostat received the expected network parameters and it is associated with the AP. Additionally, the other wireless mobile devices connected to the same wireless network are functioning properly. The network administrator verified that the thermostat works when tested at his residence. Which of the following is the MOST likely reason the thermostat is not connecting to the internet? A. The company implements a captive portal B. The thermostat is using the incorrect encryption algorithm C. the WPA2 shared likely is incorrect D. The company's DHCP server scope is full
C. the WPA2 shared likely is incorrect
197)An employee uses RDP to connect back to the office network. If RDP is misconfigured, which of the following security exposures would this lead to? A. A virus on the administrator's desktop would be able to sniff the administrator's username and password. B. Result in an attacker being able to phish the employee's username and password. C. A social engineering attack could occur, resulting in the employee's password being extracted. D. A man in the middle attack could occur, resulting the employee's username and password being captured.
D. A man in the middle attack could occur, resulting the employee's username and password being captured.
235)During an application design, the development team specifics a LDAP module for single sign-on communication with the company's access control database. This is an example of which of the following? A. Application control B. Data in-transit C. Identification D. Authentication
D. Authentication
54) Ann. An employee in the payroll department, has contacted the help desk citing multiple issues with her device, including: Slow performance Word documents, PDFs, and images no longer opening A pop-up Ann states the issues began after she opened an invoice that a vendor emailed to her. Upon opening the invoice, she had to click several security warnings to view it in her word processor. With which of the following is the device MOST likely infected? A. Spyware B. Crypto-malware C. Rootkit D. Backdoor
D. Backdoor
56) An analyst is part of a team that is investigating a potential breach of sensitive data at a large financial services organization. The organization suspects a breach occurred when proprietary data was disclosed to the public. The team finds servers were accessed using shared credentials that have been in place for some time. In addition, the team discovers undocumented firewall rules, which provided unauthorized external access to a server. Suspecting the activities of a malicious insider threat, which of the following was MOST likely to have been utilized to exfiltrate the proprietary data? A. Keylogger B. Botnet C. Crypto-malware D. Backdoor E. Ransomware F. DLP
D. Backdoor
122)The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats? A. Cloud-based antivirus solution, running as local admin, with push technology for definition updates B. Implementation of an off-site datacenter hosting all company data, as well as deployment of VDI for all client computing needs C. Host-based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs D. Behavior-based IPS with a communication link to a cloud-based vulnerability and threat feed
D. Behavior-based IPS with a communication link to a cloud-based vulnerability and threat feed
161)Company policy requires the use if passphrases instead if passwords. Which of the following technical controls MUST be in place in order to promote the use of passphrases?A. Reuse B. Length C. History D. Complexity
D. Complexity
134)A salesperson often uses a USB drive to save and move files from a corporate laptop. The corporate laptop was recently updated, and now the files on the USB are read-only. Which of the following was recently added to the laptop? A. Antivirus software B. File integrity check C. HIPS D. DLP
D. DLP
166)Two companies are enabling TLS on their respective email gateways to secure communications over the Internet. Which of the following cryptography concepts is being implemented? A. Perfect forward secrecy B. Ephemeral keys C. Domain validation D. Data in transit
D. Data in transit
128)A company is implementing a tool to mask all PII when moving data from a production server to a testing server. Which of the following security techniques is the company applying? A. Data wiping B. Steganograpgy C. Data obfuscation D. Data sanitization
D. Data sanitization
137) A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a requirement for this configuration? A. Setting up a TACACS+ server B. Configuring federation between authentication servers C. Enabling TOTP D. Deploying certificates to endpoint devices
D. Deploying certificates to endpoint devices
221) A business sector is highly competitive, and safeguarding trade secrets and critical information is paramount. On a seasonal basis, an organization employs temporary hires and contractor personnel to accomplish its mission objectives. The temporary and contract personnel require access to network resources only when on the clock. Which of the following account management practices are the BEST ways to manage these accounts? A. Employ time-of-day restrictions. B. Employ password complexity. C. Employ a random key generator strategy. D. Employ an account expiration strategy. E. Employ a password lockout policy
D. Employ an account expiration strategy.
123) Joe, a user, wants to send Ann, another user, a confidential document electronically. Which of the following should Joe do to ensure the document is protected from eavesdropping? A. Encrypt it with Joe's private key B. Encrypt it with Joe's public key C. Encrypt it with Ann's private key D. Encrypt it with Ann's public key
D. Encrypt it with Ann's public key
117)An in-house penetration tester is using a packet capture device to listen in on network communications. This is an example of: A. Passive reconnaissance B. Persistence C. Escalation of privileges D. Exploiting the switch
D. Exploiting the switch
227)An organization is moving its human resources system to a cloud services provider. The company plans to continue using internal usernames and passwords with the service provider, but the security manager does not want the service provider to have a company of the passwords. Which of the following options meets all of these requirements? A. Two-factor authentication B. Account and password synchronization C. Smartcards with PINS D. Federated authentication
D. Federated authentication
227)An organization is moving its human resources system to a cloud services provider. The company plans to continue using internal usernames and passwords with the service provider, but the security manager does not want the service provider to have a company of the passwords. Which of the following options meets all of these requirements?A. Two-factor authentication B. Account and password synchronization C. Smartcards with PINS D. Federated authentication
D. Federated authentication
176) A mobile device user is concerned about geographic positioning information being included in messages sent between users on a popular social network platform. The user turns off the functionality in the application, but wants to ensure the application cannot re-enable the setting without the knowledge of the user. Which of the following mobile device capabilities should the user disable to achieve the stated goal? A. Device access control B. Location based services C. Application control D. GEO-Tagging
D. GEO-Tagging
40) A security administrator is performing a risk assessment on a legacy WAP with a WEP-enabled wireless infrastructure. Which of the following should be implemented to harden the infrastructure without upgrading the WAP? A. Implement WPA and TKIP B. Implement WPS and an eight-digit pin C. Implement WEP and RC4 D. Implement WPA2 Enterprise
D. Implement WPA2 Enterprise
40) A security administrator is performing a risk assessment on a legacy WAP with a WEP-enabled wireless infrastructure. Which of the following should be implemented to harden the infrastructure without upgrading the WAP? A. Implement WPA and TKIP B. Implement WPS and an eight-digit pin C. Implement WEP and RC4 D. Implement WPA2 Enterprise
D. Implement WPA2 Enterprise
213) A new security administrator ran a vulnerability scanner for the first time and caused a system outage. Which of the following types of scans MOST likely caused the outage? A. Non-intrusive credentialed scan B. Non-intrusive non-credentialed scan C. Intrusive credentialed scan D. Intrusive non-credentialed scan
D. Intrusive non-credentialed scan
87) Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced slowness and input lag and found text files that appear to contain pieces of her emails or online conversations with coworkers. The technician runs a standard virus scan but detects nothing. Which of the following types of malware has infected the machine? A. Ransomware B. Rootkit C. Backdoor D. Keylogger
D. Keylogger
137)Which of the following BEST explains why a development environment should have the same database server secure baseline that exist in production even if there is no PII in the database? A. Without the same configuration in both development and production, there are no assurance that changes made in development will have the same effect in production. B. Attackers can extract sensitive, personal information from lower development environment databases just as easily as they can from production databases. C. Databases are unique in their need to have secure configurations applied in all environment because they are attacked more often. D. Laws stipulate that databases with the ability to store personal information must be secured regardless of the environment or if they actually have PIL.
D. Laws stipulate that databases with the ability to store personal information must be secured regardless of the environment or if they actually have PIL.
92)Which of the following cryptography algorithms will produce a fixed-length, irreversible output? A. AES (Advanced Encryption Standard) B. 3DES (Triple Data Encryption Standard) C. RSA D. MD5 (Message Digest 5)
D. MD5 (Message Digest 5)
200) The Chief Technology Officer (CTO) of a company, Ann, is putting together a hardware budget for the next 10 years. She is asking for the average lifespan of each hardware device so that she is able to calculate when she will have to replace each device. Which of the following categories BEST describes what she is looking for? A. ALE B. MTTR C. MTBF D. MTTF
D. MTTF
200)The Chief Technology Officer (CTO) of a company, Ann, is putting together a hardware budget for the next 10 years. She is asking for the average lifespan of each hardware device so that she is able to calculate when she will have to replace each device. Which of the following categories BEST describes what she is looking for? A. ALE B. MTTR C. MTBF D. MTTF
D. MTTF
55)The help desk is receiving numerous password change alerts from users in the accounting department. These alerts occur multiple times on the same day for each of the affected users' accounts. Which of the following controls should be implemented to curtail this activity? A. Password Reuse B. Password complexity C. Password History D. Password Minimum age
D. Password Minimum age
175) A chief Financial Officer (CFO) has asked the Chief Information Officer (CISO) to provide responses to a recent audit report detailing deficiencies in the organization security controls. The CFO would like to know ways in which the organization can improve its authorization controls. Given the request by the CFO, which of the following controls should the CISO focus on in the report? (Select Three) A. Password complexity policies B. Hardware tokens C. Biometric systems D. Role-based permissions E. One time passwords F. Separation of duties G. Multifactor authentication H. Single sign-on I. Lease privilege
D. Role-based permissions F. Separation of duties I. Lease privilege
40) Which of the following allows an application to securely authenticate a user by receiving credentials from a web domain? A. TACACS+ (terminal access controller access-control system) B. RADIUS (remote authentication dial-in user service) C. Kerberos D. SAML (security assertion markup language)
D. SAML
72)If two employees are encrypting traffic between them using a single encryption key, which of the following agorithms are they using? A. RSA B. 3DES C. DSA D. SHA-2
D. SHA-2
141) An employee receives an email, which appears to be from the Chief Executive Officer (CEO), asking for a report of security credentials for all users. Which of the following types of attack is MOST likely occurring? A. Policy violation B. Social engineering C. Whaling D. Spear phishing
D. Spear phishing
130)A workstation puts out a network request to locate another system. Joe, a hacker on the network, responds before the real system does, and he tricks the workstation into communicating with him. Which of the following BEST describes what occurred? A. The hacker used a race condition. B. The hacker used a pass-the-hash attack. C. The hacker-exploited improper key management. D. The hacker exploited weak switch configuration.
D. The hacker exploited weak switch configuration
230) Which of the following best describes the initial processing phase used in mobile device forensics? A. The phone should be powered down and the battery removed to preserve the state of data on any internal or removable storage utilized by the mobile device B. The removable data storage cards should be processed first to prevent data alteration when examining the mobile device C. The mobile device should be examined first, then removable storage and lastly the phone without removable storage should be examined again D. The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately
D. The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately
71)Which of the following network vulnerability scan indicators BEST validates a successful, active scan? A. The scan job is scheduled to run during off-peak hours. B. The scan output lists SQL injection attack vectors. C. The scan data identifies the use of privileged-user credentials. D. The scan results identify the hostname and IP address.
D. The scan results identify the hostname and IP address.
76) In determining when it may be necessary to perform a credentialed scan against a system instead of a noncredentialed scan, which of the following requirements is MOST likely to influence this decision? A. The scanner must be able to enumerate the host OS of devices scanned. B. The scanner must be able to footprint the network. C. The scanner must be able to check for open ports with listening services. D. The scanner must be able to audit file system permissions
D. The scanner must be able to audit file system permissions
18)A call center company wants to implement a domain policy primarily for its shift workers. The call center has large groups with different user roles. Management wants to monitor group performance. Which of the following is the BEST solution for the company to implement? A. Reduced failed logon attempts B. Mandatory password changes C. Increased account lockout time D. Time-of-day restrictions
D. Time-of-day restrictions
220) The chief security officer (CS0) has issued a new policy that requires that all internal websites be configured for HTTPS traffic only. The network administrator has been tasked to update all internal sites without incurring additional costs. Which of the following is the best solution for the network administrator to secure each internal website? A. Use certificates signed by the company CA B. Use a signing certificate as a wild card certificate C. Use certificates signed by a public ca D. Use a self-signed certificate on each internal server
D. Use a self-signed certificate on each internal server
229) A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions. in addition, the perimeter router can only handle 1Gbps of traffic. Which of the following should be implemented to prevent a DoS attacks in the future? A. Deploy multiple web servers and implement a load balancer B. Increase the capacity of the perimeter router to 10 Gbps C. Install a firewall at the network to prevent all attacks D. Use redundancy across all network devices and services
D. Use redundancy across all network devices and services
182) A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resource. There cannot be a possibility of any requirement being damaged in the test. Which of the following has the administrator been tasked to perform? A. Risk transference B. Penetration test C. Threat assessment D. Vulnerability assessment
D. Vulnerability assessment
182)A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resource. There cannot be a possibility of any requirement being damaged in the test. Which of the following has the administrator been tasked to perform? A. Risk transference B. Penetration test C. Threat assessment D. Vulnerability assessment
D. Vulnerability assessment
61) An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router? A. WPA+CCMP B. WPA2+CCMP (Counter Mode CBC-MAC Protocol) C. WPA+TKIP D. WPA2+TKIP
D. WPA2+TKIP