Final Sweep 8-5-21

A company monitors the performance of all web servers using WMI. A network administrator informs the security engineer that web servers hosting the company's client-facing portal are running slowly today. After some investigation, the security engineer notices a large number of attempts at enumerating host information via SNMP from multiple IP addresses. Which of the following would be the BEST technique for the security engineer to employ in an attempt to prevent reconnaissance activity? A. Install a HIPS on the web servers B. Disable inbound traffic from offending sources C. Disable SNMP on the web servers D. Install anti-DDoS protection in the DMZ

Correct Answer: A

A company's Chief Operating Officer (COO) is concerned about the potential for competitors to infer proprietary information gathered from employees' social media accounts. Which of the following methods should the company use to gauge its own social media threat level without targeting individual employees? A. Utilize insider threat consultants to provide expertise. B. Require that employees divulge social media accounts. C. Leverage Big Data analytical algorithms. D. Perform social engineering tests to evaluate employee awareness.

Correct Answer: A

A government contracting company issues smartphones to employees to enable access to corporate resources. Several employees will need to travel to a foreign country for business purposes and will require access to their phones. However, the company recently received intelligence that its intellectual property is highly desired by the same country's government. Which of the following MDM configurations would BEST reduce the risk of compromise while on foreign soil? A. Disable firmware OTA updates. B. Disable location services. C. Disable push notification services. D. Disable wipe

Correct Answer: A

A manufacturing company recently recovered from an attack on its ICS devices. It has since reduced the attack surface by isolating the affected components. The company now wants to implement detection capabilities. It is considering a system that is based on machine learning. Which of the following features would BEST describe the driver to adopt such nascent technology over mainstream commercial IDSs? A. Trains on normal behavior and identifies deviations therefrom B. Identifies and triggers upon known bad signatures and behaviors C. Classifies traffic based on logical protocols and messaging formats D. Automatically reconfigures ICS devices based on observed behavior

Correct Answer: A

A security architect has designated that a server segment of an enterprise network will require each server to have secure and measured boot capabilities. The architect now wishes to ensure service consumers and peers can verify the integrity of hosted services. Which of the following capabilities must the architect consider for enabling the verification? A. Centralized attestation server B. Enterprise HSM C. vTPM D. SIEM

Correct Answer: A

A small firm's newly created website has several design flaws. The developer created the website to be fully compatible with ActiveX scripts in order to use various digital certificates and trusting certificate authorities. However, vulnerability testing indicates sandboxes were enabled, which restricts the code's access to resources within the user's computer. Which of the following is the MOST likely cause of the error? A. The developer inadvertently used Java applets B. The developer established a corporate account with a non-reputable certification authority C. The developer used fuzzy logic to determine how the web browser would respond once ports 80 and 443 were both open D. The developer did not consider that mobile code would be transmitted across the network

Correct Answer: A

An administrator is working with management to develop policies related to the use of the cloud-based resources that contain corporate data. Management plans to require some control over organizational data stored on personal devices, such as tablets. Which of the following controls would BEST support management's policy? A. MDM B. Sandboxing C. Mobile tokenization D. FDE E. MFA

Correct Answer: A

An analyst is investigating anomalous behavior on a corporate-owned, corporate-managed mobile device with application whitelisting enabled, based on a name string. The employee to whom the device is assigned reports the approved email client is displaying warning messages that can launch browser windows and is adding unrecognized email addresses to the "compose" window. Which of the following would provide the analyst the BEST chance of understanding and characterizing the malicious behavior? A. Reverse engineer the application binary. B. Perform static code analysis on the source code. C. Analyze the device firmware via the JTAG interface. D. Change to a whitelist that uses cryptographic hashing. E. Penetration test the mobile application.

Correct Answer: A

An application has been through a peer review and regression testing and is prepared for release. A security engineer is asked to analyze an application binary to look for potential vulnerabilities prior to wide release. After thoroughly analyzing the application, the engineer informs the developer it should include additional input sanitization in the application to prevent overflows. Which of the following tools did the security engineer MOST likely use to determine this recommendation? A. Fuzzer B. HTTP interceptor C. Vulnerability scanner D. SCAP scanner

Correct Answer: A

An organization is evaluating options related to moving organizational assets to a cloud-based environment using an IaaS provider. One engineer has suggested connecting a second cloud environment within the organization's existing facilities to capitalize on available datacenter space and resources. Other project team members are concerned about such a commitment of organizational assets, and ask the Chief Security Officer (CSO) for input. The CSO explains that the project team should work with the engineer to evaluate the risks associated with using the datacenter to implement: A. a hybrid cloud. B. an on-premises private cloud. C. a hosted hybrid cloud. D. a private cloud.

Correct Answer: A

Confidential information related to Application A, Application B, and Project X appears to have been leaked to a competitor. After consulting with the legal team, the IR team is advised to take immediate action to preserve evidence for possible litigation and criminal charges. While reviewing the rights and group ownership of the data involved in the breach, the IR team inspects the following distribution group access lists:
Group Name: product-updates-application-a
Members: administrator, app-support, dev-ops, jdoe, jsmith, mpeters
Group Name: pending-bug-fixes-application-a
Members: administrator, app-support, dev-ops, jsmith, jdoe, mpeters, rwilliams
Group Name: inflight-updates-application-b
Members: app-support, dev-ops, jdoe, nbrown, jsmith
Group Name: PoC-project-x
Members: dev-support, product-mgt, jsmith, nbrown, rwilliams
Which of the following actions should the IR team take FIRST? A. Remove all members from the distribution groups immediately B. Place the mailbox for jsmith on legal hold C. Implement a proxy server on the network to inspect all outbound SMTP traffic for the DevOps group D. Install DLP software on all developer laptops to prevent data from leaving the network

Correct Answer: A Maybe:B

A vendor develops a mobile application for global customers. The mobile application supports advanced encryption of data between the source (the mobile device) and the destination (the organization's ERP system). As part of the vendor's compliance program, which of the following would be important to take into account? A. Mobile tokenization B. Export controls C. Device containerization D. Privacy policies

Correct Answer: A. Online: B, maybe? I would answer B. Advanced encryption and global do not mix well, because some countries (e.g. the USA) have mandated that encryption algorithms are weapons and should not be exported to certain countries (e.g. Iran). The question refers to a "compliance program" and should take this issue into consideration.

A Chief Information Security Officer (CISO) is reviewing and revising system configuration and hardening guides that were developed internally and have been used for several years to secure the organization's systems. The CISO knows improvements can be made to the guides. Which of the following would be the BEST source of reference during the revision process? A. CVE database B. Internal security assessment reports C. Industry-accepted standards D. External vulnerability scan reports E. Vendor-specific implementation guides

Correct Answer: A Online: B or C or E?

A newly hired security analyst has joined an established SOC team. Not long after going through corporate orientation, a new attack method on web-based applications was publicly revealed. The security analyst immediately brings this new information to the team lead, but the team lead is not concerned about it. Which of the following is the MOST likely reason for the team lead's position? A. The organization has accepted the risks associated with web-based threats. B. The attack type does not meet the organization's threat model. C. Web-based applications are on isolated network segments. D. Corporate policy states that NIPS signatures must be updated every hour.

Correct Answer: A Online: B which I agree with.

A security analyst is attempting to break into a client's secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform: A. a gray-box penetration test B. a risk analysis C. a vulnerability assessment D. an external security audit E. a red team exercise

Correct Answer: A. Online: C. The next step should be C, Vulnerability Assessment. Enumeration is in the Reconnaissance Phase: gathering any information relevant to the assessment goals and enumerating the attack surface. Vulnerability Assessment is the next phase: identifying vulnerabilities and quantifying the risk associated. I think the line about the block of public IP addresses is meant to steer you in the wrong direction.

A security engineer discovers a PC may have been breached and accessed by an outside agent. The engineer wants to find out how this breach occurred before remediating the damage. Which of the following should the security engineer do FIRST to begin this investigation? A. Create an image of the hard drive B. Capture the incoming and outgoing network traffic C. Dump the contents of the RAM D. Parse the PC logs for information on the attacker

Correct Answer: A Online: C or B not sure. A. Create an image of the hard drive -> Not what we normally do first. B. Capture the incoming and outgoing network traffic -> If the system is on this is first. C. Dump the contents of the RAM -> If the system is on this is second. Unfortunately a very poor question, but I think I'd answer B on the exam.

The Chief Information Officer (CIO) has been asked to develop a security dashboard with the relevant metrics. The board of directors will use the dashboard to monitor and track the overall security posture of the organization. The CIO produces a basic report containing both KPI and KRI data in two separate sections for the board to review. Which of the following BEST meets the needs of the board?
A. KRI: Compliance with regulations; Backlog of unresolved security investigations; Severity of threats and vulnerabilities reported by sensors; Time to patch critical issues on a monthly basis. KPI: Time to resolve open security items; % of suppliers with approved security control frameworks; EDR coverage across the fleet; Threat landscape rating
B. KRI: EDR coverage across the fleet; Backlog of unresolved security investigations; Time to patch critical issues on a monthly basis; Threat landscape rating. KPI: Time to resolve open security items; Compliance with regulations; % of suppliers with approved security control frameworks; Severity of threats and vulnerabilities reported by sensors
C. KRI: EDR coverage across the fleet; % of suppliers with approved security control framework; Backlog of unresolved security investigations; Threat landscape rating. KPI: Time to resolve open security items; Compliance with regulations; Time to patch critical issues on a monthly basis; Severity of threats and vulnerabilities reported by sensors
D. KPI: Compliance with regulations; % of suppliers with approved security control frameworks; Severity of threats and vulnerabilities reported by sensors; Threat landscape rating. KRI: Time to resolve open security items; Backlog of unresolved security investigations; EDR coverage across the fleet; Time to patch critical issues on a monthly basis

Correct Answer: A. Online: D.
KRI: Key Risk Indicators. What is your current posture and how bad can things go, i.e. MTBF and MTTR, patches missing, etc.
KPI: Key Performance Indicators. Incident response time, number of missing devices, passwords cracked, etc. Specifically, "most effective ... when they are presented GRAPHICALLY". How well are things going now.
With the above in mind, we are looking for KPI given the question. Take note of the formatting issue: all answers contain both KPI and KRI. Also, option D is incorrectly entered. It should read:
KRI: Compliance with regulations; % of suppliers with approved security control frameworks; Severity of threats and vulnerabilities reported by sensors; Threat landscape rating
KPI: Time to resolve open security items; Backlog of unresolved security investigations; EDR coverage across the fleet; Time to patch critical issues on a monthly basis
In all, we are given 8 distinct metrics as follows, and one needs to determine which they fall under, KRI or KPI:
Compliance with regulations - KRI
Backlog of unresolved security investigations - KPI
Severity of threats and vulnerabilities reported by sensors - KRI
Time to patch critical issues on a monthly basis - KPI
Time to resolve open security items - KPI
% of suppliers with approved security control frameworks - KRI
EDR coverage across the fleet - KPI
Threat landscape rating - KRI
With that in mind, D is indeed the correct answer. A doesn't work because a backlog of unresolved security investigations is a quantifiable metric used towards evaluating the success of processes towards performance goals. Additionally, time to patch is very much a KPI. B is incorrect: once again, time to patch will be a KPI and % of suppliers... is a KRI. C is incorrect: compliance with regulation is a KRI. Thus D is perfect for this.
Additional note, KRI measures the amount of risk an activity brings to an organization, hence, it doesn't measure past performance it measures the risk factors of what can lead to KPIs in the future.

A government entity is developing requirements for an RFP to acquire a biometric authentication system. When developing these requirements, which of the following considerations is MOST critical to the verification and validation of the SRTM? A. Local and national laws and regulations B. Secure software development requirements C. Environmental constraint requirements D. Testability of requirements

Correct Answer: A. Online: D. Maybe: D. Testability of requirements? Certainly any such system would have to be testable, and therefore testable.

A manufacturing company's security engineer is concerned a remote actor may be able to access the ICS that is used to monitor the factory lines. The security engineer recently proposed some techniques to reduce the attack surface of the ICS to the Chief Information Security Officer (CISO). Which of the following would BEST track the reductions to show the CISO the engineer's plan is successful during each phase? A. Conducting tabletop exercises to evaluate system risk B. Contracting a third-party auditor after the project is finished C. Performing pre- and post-implementation penetration tests D. Running frequent vulnerability scans during the project

Correct Answer: A Online: D?

A company has decided to lower costs by conducting an internal assessment on specific devices and various internal and external subnets. The assessment will be done during regular office hours, but it must not affect any production servers. Which of the following would MOST likely be used to complete the assessment? (Choose two.) A. Agent-based vulnerability scan B. Black-box penetration testing C. Configuration review D. Social engineering E. Malware sandboxing F. Tabletop exercise

Correct Answer: AC

A company is migrating systems from an on-premises facility to a third-party managed datacenter. For continuity of operations and business agility, remote access to all hardware platforms must be available at all times. Access controls need to be very robust and provide an audit trail. Which of the following security controls will meet the company's objectives? (Choose two.) A. Integrated platform management interfaces are configured to allow access only via SSH B. Access to hardware platforms is restricted to the systems administrator's IP address C. Access is captured in event logs that include source address, time stamp, and outcome D. The IP addresses of server management interfaces are located within the company's extranet E. Access is limited to interactive logins on the VDI F. Application logs are hashed cryptographically and sent to the SIEM

Correct Answer: AC

A new database application was added to a company's hosted VM environment. Firewall ACLs were modified to allow database users to access the server remotely. The company's cloud security broker then identified abnormal activity from a database user on-site. Upon further investigation, the security team noticed the user ran code on a VM that provided access to the hypervisor directly and access to other sensitive data. Which of the following should the security team do to help mitigate future attacks within the VM environment? (Choose two.) A. Install the appropriate patches. B. Install perimeter NGFW. C. Configure VM isolation. D. Deprovision database VM. E. Change the user's access privileges. F. Update virus definitions on all endpoints.

Correct Answer: AC

A threat advisory alert was just emailed to the IT security staff. The alert references specific types of host operating systems that can allow an unauthorized person to access files on a system remotely. A fix was recently published, but it requires a recent endpoint protection engine to be installed prior to running the fix. Which of the following MOST likely need to be configured to ensure the systems are mitigated accordingly? (Select two.) A. Antivirus B. HIPS C. Application whitelisting D. Patch management E. Group policy implementation F. Firmware updates

Correct Answer: AD

An internal application has been developed to increase the efficiency of an operational process of a global manufacturer. New code was implemented to fix a security bug, but it has caused operations to halt. The executive team has decided fixing the security bug is less important than continuing operations. Which of the following would BEST support immediate rollback of the failed fix? (Choose two.) A. Version control B. Agile development C. Waterfall development D. Change management E. Continuous integration

Correct Answer: AD

While conducting a BIA for a proposed acquisition, the IT integration team found that both companies outsource CRM services to competing and incompatible third-party cloud services. The decision has been made to bring the CRM service in-house, and the IT team has chosen a future solution. With which of the following should the Chief Information Security Officer (CISO) be MOST concerned? (Choose two.) A. Data remnants B. Sovereignty C. Compatible services D. Storage encryption E. Data migration F. Chain of custody

Correct Answer: AD

Within the past six months, a company has experienced a series of attacks directed at various collaboration tools. Additionally, sensitive information was compromised during a recent security breach of a remote access session from an unsecure site. As a result, the company is requiring all collaboration tools to comply with the following:
✑ Secure messaging between internal users using digital signatures
✑ Secure sites for video-conferencing sessions
✑ Presence information for all office employees
✑ Restriction of certain types of messages to be allowed into the network.
Which of the following applications must be configured to meet the new requirements? (Choose two.) A. Remote desktop B. VoIP C. Remote assistance D. Email E. Instant messaging F. Social media websites

Correct Answer: AD Online: DE which I agree with since they are applications.

A developer has executed code for a website that allows users to search for employees' phone numbers by last name. The query string sent by the browser is as follows: http://www.companywebsite.com/search.php?q=SMITH The developer has implemented a well-known JavaScript sanitization library and stored procedures, but a penetration test shows the website is vulnerable to XSS. Which of the following should the developer implement NEXT to prevent XSS? (Choose two.) A. Sanitization library B. Secure cookies C. TLS encryption D. Input serialization E. Output encoding F. PUT form submission

Correct Answer: AE Online: BE
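Added example for the XSS card above (not code from the original page). It shows why the card's existing controls miss reflected XSS: stored procedures address SQL injection, not HTML injection, and a deny-list sanitizer only removes the patterns it knows. The templates stand in for the page's search.php (an assumption; the real page is not shown), the payloads are constructed, and the audit compares a sanitize-only rendering with one that encodes each output sink for its context.

```python
"""Reflected XSS on /search.php?q=...: deny-list sanitization versus
contextual output encoding. Added example; templates and payloads are
constructed stand-ins, not the original page's code."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker inputs (not from the original page).
PAYLOADS = {
    "plain_script":  '<script>alert(1)</script>',
    "nested_script": '<scr<script>ipt>alert(1)</script>',  # survives one stripping pass
    "new_tag":       '"><img src=x onerror=alert(1)>',     # no <script> at all
    "attr_breakout": '" onmouseover="alert(1)',            # stays inside <input>
}


def naive_sanitize(q: str) -> str:
    """Deny-list 'sanitizer': removes <script> tags and nothing else.
    Deliberately weak, to mirror a filter that only knows one pattern."""
    return re.sub(r"(?i)</?script[^>]*>", "", q)


def render_sanitized_only(q: str) -> str:
    """Reflects the filtered value by string concatenation (vulnerable)."""
    s = naive_sanitize(q)
    return (f'<input name="q" value="{s}">'
            f'<p>Results for {s}</p>'
            f'<a href="/search.php?q={s}">permalink</a>')


def render_encoded(q: str) -> str:
    """Same template, but each sink gets the encoder for its context:
    HTML attribute/body -> html.escape, URL query component -> percent-encoding."""
    e = html.escape(q, quote=True)
    u = quote(q, safe="")
    return (f'<input name="q" value="{e}">'
            f'<p>Results for {e}</p>'
            f'<a href="/search.php?q={u}">permalink</a>')


# What the template legitimately emits: (tag, attribute names).
EXPECTED = {
    ("input", frozenset({"name", "value"})),
    ("p", frozenset()),
    ("a", frozenset({"href"})),
}


class _TagAuditor(HTMLParser):
    """Records every start tag together with its attribute names."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, frozenset(name for name, _ in attrs)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def looks_injected(page: str) -> bool:
    """True if the rendered page contains a tag or attribute the template did
    not write itself, i.e. attacker input changed the HTML structure."""
    auditor = _TagAuditor()
    auditor.feed(page)
    auditor.close()
    return any(item not in EXPECTED for item in auditor.seen)


def audit(payload: str) -> dict:
    """Compare the two renderings for one input."""
    return {
        "sanitized_only": looks_injected(render_sanitized_only(payload)),
        "encoded": looks_injected(render_encoded(payload)),
    }


if __name__ == "__main__":
    for name, p in PAYLOADS.items():
        print(f"{name:14s} {audit(p)}")
```

The sanitize-only path stops just the plain `<script>` payload; the nested tag, the new `<img>` element and the attribute breakout all reach the page intact. Encoding at the point of output keeps every payload inert because the browser never sees an unescaped `<` or `"` that came from the query string, and a JavaScript library running in the browser cannot do this job for a server-rendered response.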

An advanced threat emulation engineer is conducting testing against a client's network. The engineer conducts the testing in as realistic a manner as possible. Consequently, the engineer has been gradually ramping up the volume of attacks over a long period of time. Which of the following combinations of techniques would the engineer MOST likely use in this testing? (Choose three.) A. Black box testing B. Gray box testing C. Code review D. Social engineering E. Vulnerability assessment F. Pivoting G. Self-assessment H. White teaming I. External auditing

Correct Answer: AEF

An organization has recently deployed an EDR solution across its laptops, desktops, and server infrastructure. The organization's server infrastructure is deployed in an IaaS environment. A database within the non-production environment has been misconfigured with a routable IP and is communicating with a command and control server. Which of the following procedures should the security responder apply to the situation? (Choose two.) A. Contain the server. B. Initiate a legal hold. C. Perform a risk assessment. D. Determine the data handling standard. E. Disclose the breach to customers. F. Perform an IOC sweep to determine the impact.

Correct Answer: AF

A systems administrator recently joined an organization and has been asked to perform a security assessment of controls on the organization's file servers, which contain client data from a number of sensitive systems. The administrator needs to compare documented access requirements to the access implemented within the file system. Which of the following is MOST likely to be reviewed during the assessment? (Choose two.) A. Access control list B. Security requirements traceability matrix C. Data owner matrix D. Roles matrix E. Data design document F. Data access policies

Correct Answer: AF Maybe BF (Double check SRTM)

A company recently implemented a variety of security services to detect various types of traffic that pose a threat to the company. The following services were enabled within the network:
Scan of specific subnets for vulnerabilities
Categorizing and logging of website traffic
Enabling specific ACLs based on application traffic
Sending suspicious files to a third-party site for validation
A report was sent to the security team that identified multiple incidents of users sharing large amounts of data from an on-premises server to a public site. A small percentage of that data also contained malware and spyware. Which of the following services MOST likely identified the behavior and sent the report? A. Content filter B. User behavioral analytics C. Application sandbox D. Web application firewall E. Endpoint protection F. Cloud security broker

Correct Answer: B

A medical device company is implementing a new COTS antivirus solution in its manufacturing plant. All validated machines and instruments must be retested for interoperability with the new software. Which of the following would BEST ensure the software and instruments are working as designed? A. System design documentation B. User acceptance testing C. Peer review D. Static code analysis testing E. Change control documentation

Correct Answer: B

A network engineer is upgrading the network perimeter and installing a new firewall, IDS, and external edge router. The IDS is reporting elevated UDP traffic, and the internal routers are reporting high utilization. Which of the following is the BEST solution? A. Reconfigure the firewall to block external UDP traffic. B. Establish a security baseline on the IDS. C. Block echo reply traffic at the firewall. D. Modify the edge router to not forward broadcast traffic.

Correct Answer: B

A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of power surge or other fault situation. The switch was installed on a wired network in a hospital and is monitored by the facilities department via a cloud application. The security administrator isolated the switch on a separate VLAN and set up a patching routine. Which of the following steps should also be taken to harden the smart switch? A. Set up an air gap for the switch. B. Change the default password for the switch. C. Place the switch in a Faraday cage. D. Install a cable lock on the switch.

Correct Answer: B

An organization is currently working with a client to migrate data between a legacy ERP system and a cloud-based ERP tool using a global PaaS provider. As part of the engagement, the organization is performing data deduplication and sanitization of client data to ensure compliance with regulatory requirements. Which of the following is the MOST likely reason for the need to sanitize the client data? A. Data aggregation B. Data sovereignty C. Data isolation D. Data volume E. Data analytics

Correct Answer: B

During a sprint, developers are responsible for ensuring the expected outcome of a change is thoroughly evaluated for any security impacts. Any impacts must be reported to the team lead. Before changes are made to the source code, which of the following MUST be performed to provide the required information to the team lead? A. Risk assessment B. Regression testing C. User story development D. Data abstraction E. Business impact assessment

Correct Answer: B

The Chief Executive Officer (CEO) of a small company decides to use cloud computing to host critical corporate data for protection from natural disasters. The recommended solution is to adopt the public cloud for its cost savings. If the CEO insists on adopting the public cloud model, which of the following would be the BEST advice? A. Ensure the cloud provider supports a secure virtual desktop infrastructure B. Ensure the colocation facility implements a robust DRP to help with business continuity planning C. Ensure the on-premises datacenter employs fault tolerance and load balancing capabilities D. Ensure the ISP is using a standard help-desk ticketing system to respond to any system outages

Correct Answer: B

A security engineer is designing a system in which offshore, outsourced staff can push code from the development environment to the production environment securely. The security engineer is concerned with data loss, while the business does not want to slow down its development process. Which of the following solutions BEST balances security requirements with business need? A. Set up a VDI environment that prevents copying and pasting to the local workstations of outsourced staff members B. Install a client-side VPN on the staff laptops and limit access to the development network C. Create an IPSec VPN tunnel from the development network to the office of the outsourced staff D. Use online collaboration tools to initiate workstation-sharing sessions with local staff who have access to the development network

Correct Answer: B Online could be C or A

Joe, a penetration tester, is assessing the security of an application binary provided to him by his client. Which of the following methods would be the MOST effective in reaching this objective? A. Employ a fuzzing utility B. Use a static code analyzer C. Run the binary in an application sandbox D. Manually review the binary in a text editor

Correct Answer: B. Online: A. The question says that you only have the binary, so B (static code analyzer) would not be possible. If you run the binary in a sandbox you won't analyze its security, but check the app's behavior. D is obviously wrong. So, A would be the most feasible answer: to fuzz the app binary.

In the past, the risk committee at Company A has shown an aversion to even minimal amounts of risk acceptance. A security engineer is preparing recommendations regarding the risk of a proposal introducing legacy ICS equipment. The project will introduce a minor vulnerability into the enterprise. This vulnerability does not significantly expose the enterprise to risk and would be expensive to mitigate against. Which of the following strategies should the engineer recommend be approved FIRST? A. Avoid B. Mitigate C. Transfer D. Accept

Correct Answer: B Online: A From the question: "A security engineer is preparing recommendations regarding the risk of a PROPOSED introducing legacy ICS equipment." -- the decision hasn't been made, this is the planning phase. The engineer should avoid the risk by finding non-legacy ICS equipment that introduces no risk into the environment.

An organization is integrating an ICS and wants to ensure the system is cyber resilient. Unfortunately, many of the specialized components are legacy systems that cannot be patched. The existing enterprise consists of mission-critical systems that require 99.9% uptime. To assist in the appropriate design of the system given the constraints, which of the following MUST be assumed? A. Vulnerable components B. Operational impact due to attack C. Time criticality of systems D. Presence of open-source software

Correct Answer: B Online: A The question states: "specialized components are legacy systems that cannot be patched." That would seem to indicate components could be vulnerable.

Which of the following may indicate a configuration item has reached end-of-life? A. The device will no longer turn on and indicates an error. B. The vendor has not published security patches recently. C. The object has been removed from the Active Directory. D. Logs show a performance degradation of the component.

Correct Answer: B. Online: A or C. A. The device will no longer turn on and indicates an error. Especially if it is an inexpensive and/or older device, I would say that indicates end-of-life. Probably not worth fixing. B. The vendor has not published security patches recently. "Recently?" Like in the past two weeks? I don't think that indicates end-of-life. C. The object has been removed from the Active Directory. May not mean anything. D. Logs show a performance degradation of the component. If the degradation is not especially serious, I don't think that indicates end-of-life.

An organization is in the process of evaluating service providers for an upcoming migration to cloud-based services for the organizationג€™s ERP system. As part of the requirements defined by the project team, regulatory requirements specify segmentation and isolation of the organizationג€™s data. Which of the following should the vendor management team identify as a requirement during the procurement process? A. Public cloud services with single-tenancy IaaS architectures B. Private cloud services with single-tenancy PaaS services C. Private cloud services with multitenancy in place for private SaaS environments D. Public cloud services with private SaaS environments supported by private IaaS backbones

Correct Answer: B Online: D Maybe

An organization based in the United States is planning to expand its operations into the European market later in the year. Legal counsel is exploring the additional requirements that must be established as a result of the expansion. The BEST course of action would be to: A. revise the employee provisioning and deprovisioning procedures B. complete a quantitative risk assessment C. draft a memorandum of understanding D. complete a security questionnaire focused on data privacy

Correct Answer: B Online: D because it's more relevant to what is being asked.

A forensics analyst suspects that a breach has occurred. Security logs show the company's OS patch system may be compromised, and it is serving patches that contain a zero-day exploit and backdoor. The analyst extracts an executable file from a packet capture of communication between a client computer and the patch server. Which of the following should the analyst use to confirm this suspicion? A. File size B. Digital signature C. Checksums D. Anti-malware software E. Sandboxing

Correct Answer: B Online: Maybe C or E.

As part of the development process for a new system, the organization plans to perform requirements analysis and risk assessment. The new system will replace a legacy system, which the organization has used to perform data analytics. Which of the following is MOST likely to be part of the activities conducted by management during this phase of the project? A. Static code analysis and peer review of all application code B. Validation of expectations relating to system performance and security C. Load testing the system to ensure response times are acceptable to stakeholders D. Design reviews and user acceptance testing to ensure the system has been deployed properly E. Regression testing to evaluate interoperability with the legacy system during the deployment

Correct Answer: B We're in the requirements phase still, I would say B. Validation, as the rest of these answers deal with the testing of the new system after development.

A company contracts a security consultant to perform a remote white-box penetration test. The company wants the consultant to focus on Internet-facing services without negatively impacting production services. Which of the following is the consultant MOST likely to use to identify the company's attack surface? (Choose two.) A. Web crawler B. WHOIS registry C. DNS records D. Company's firewall ACL E. Internal routing tables F. Directory service queries

Correct Answer: BC

A penetration test is being scoped for a set of web services with API endpoints. The APIs will be hosted on existing web application servers. Some of the new APIs will be available to unauthenticated users, but some will only be available to authenticated users. Which of the following tools or activities would the penetration tester MOST likely use or do during the engagement? (Choose two.) A. Static code analyzer B. Intercepting proxy C. Port scanner D. Reverse engineering E. Reconnaissance gathering F. User acceptance testing

Correct Answer: BC Online: BE maybe?

A security technician is incorporating the following requirements in an RFP for a new SIEM: ✑ New security notifications must be dynamically implemented by the SIEM engine ✑ The SIEM must be able to identify traffic baseline anomalies ✑ Anonymous attack data from all customers must augment attack detection and risk scoring Based on the above requirements, which of the following should the SIEM support? (Choose two.) A. Autoscaling search capability B. Machine learning C. Multisensor deployment D. Big Data analytics E. Cloud-based management F. Centralized log aggregation

Correct Answer: BD

The audit team was only provided the physical and logical addresses of the network without any type of access credentials. Which of the following methods should the audit team use to gain initial access during the security assessment? (Choose two.) A. Tabletop exercise B. Social engineering C. Runtime debugging D. Reconnaissance E. Code review F. Remote access tool

Correct Answer: BD

A Chief Information Security Officer (CISO) has created a survey that will be distributed to managers of mission-critical functions across the organization. The survey requires the managers to determine how long their respective units can operate in the event of an extended IT outage before the organization suffers monetary losses from the outage. To which of the following is the survey question related? (Choose two.) A. Risk avoidance B. Business impact C. Risk assessment D. Recovery point objective E. Recovery time objective F. Mean time between failures

Correct Answer: BE

An engineer maintains a corporate-owned mobility infrastructure, and the organization requires that all web browsing using corporate-owned resources be monitored. Which of the following would allow the organization to meet its requirement? (Choose two.) A. Exempt mobile devices from the requirement, as this will lead to privacy violations B. Configure the devices to use an always-on IPSec VPN C. Configure all management traffic to be tunneled into the enterprise via TLS D. Implement a VDI solution and deploy supporting client apps to devices E. Restrict application permissions to establish only HTTPS connections outside of the enterprise boundary

Correct Answer: BE Online: BD maybe? A is incorrect because the issue is the same as non-mobile devices - they are both corporate devices. If you have a rule for one, you can have a rule for the other. B could be correct; it steers all traffic through the corporate network, giving you the opportunity to control and monitor. C is incorrect; it doesn't address the question. D: VDI ensures that no data is kept on the mobile device (laptop, etc.) and all is kept on the company network, allowing it to be monitored. E: This does not address the "monitoring" requirements.

A new cluster of virtual servers has been set up in a lab environment and must be audited before being allowed on the production network. The security manager needs to ensure unnecessary services are disabled and all system accounts are using strong credentials. Which of the following tools should be used? (Choose two.) A. Fuzzer B. SCAP scanner C. Packet analyzer D. Password cracker E. Network enumerator F. SIEM

Correct Answer: BF Online: BE I tend to agree

A company has completed the implementation of technical and management controls as required by its adopted security policies and standards. The implementation took two years and consumed all the budget approved for security projects. The board has denied any further requests for additional budget. Which of the following should the company do to address the residual risk? A. Transfer the risk B. Baseline the risk C. Accept the risk D. Remove the risk

Correct Answer: C

A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement? A. Asymmetric B. Symmetric C. Homomorphic D. Ephemeral

Correct Answer: C

A security assessor is working with an organization to review the policies and procedures associated with managing the organization's virtual infrastructure. During a review of the virtual environment, the assessor determines the organization is using servers to provide more than one primary function, which violates a regulatory requirement. The assessor reviews hardening guides and determines policy allows for this configuration. It would be MOST appropriate for the assessor to advise the organization to: A. segment dual-purpose systems on a hardened network segment with no external access B. assess the risks associated with accepting non-compliance with regulatory requirements C. update system implementation procedures to comply with regulations D. review regulatory requirements and implement new policies on any newly provisioned servers

Correct Answer: C

A security consultant is performing a penetration test on www.comptia.org and wants to discover the DNS administrator's email address to use in a later social engineering attack. The information listed with the DNS registrar is private. Which of the following commands will also disclose the email address? A. dig -h comptia.org B. whois -f comptia.org C. nslookup -type=SOA comptia.org D. dnsrecon -i comptia.org -t hostmaster

Correct Answer: C

A system owner has requested support from data owners to evaluate options for the disposal of equipment containing sensitive data. Regulatory requirements state the data must be rendered unrecoverable via logical means or physically destroyed. Which of the following factors is the regulation intended to address? A. Sovereignty B. E-waste C. Remanence D. Deduplication

Correct Answer: C

A systems analyst is concerned that the current authentication system may not provide the appropriate level of security. The company has integrated WAYF within its federation system and implemented a mandatory two-step authentication system. Some accounts are still becoming compromised via phishing attacks that redirect users to a fake portal, which is automatically collecting and replaying the stolen credentials. Which of the following is a technical solution that would BEST reduce the risk of similar compromises? A. Security awareness training B. Push-based authentication C. Software-based TOTP D. OAuth tokens E. Shibboleth

Correct Answer: C

A team is at the beginning stages of designing a new enterprise-wide application. The new application will have a large database and require a capital investment in hardware. The Chief Information Officer (CIO) has directed the team to save money and reduce the reliance on the datacenter, and the vendor must specialize in hosting large databases in the cloud. Which of the following cloud-hosting options would BEST meet these needs? A. Multi-tenancy SaaS B. Hybrid IaaS C. Single-tenancy PaaS D. Community IaaS

Correct Answer: C

During a security event investigation, a junior analyst fails to create an image of a server's hard drive before removing the drive and sending it to the forensics analyst. Later, the evidence from the analysis is not usable in the prosecution of the attackers due to the uncertainty of tampering. Which of the following should the junior analyst have followed? A. Continuity of operations B. Chain of custody C. Order of volatility D. Data recovery

Correct Answer: C Could be B?

The Chief Information Security Officer (CISO) has asked the security team to determine whether the organization is susceptible to a zero-day exploit utilized in the banking industry and whether attribution is possible. The CISO has asked what process would be utilized to gather the information, and then wants to apply signatureless controls to stop these kinds of attacks in the future. Which of the following are the MOST appropriate ordered steps to take to meet the CISO's request? A. 1. Perform the ongoing research of the best practices 2. Determine current vulnerabilities and threats 3. Apply Big Data techniques 4. Use antivirus control B. 1. Apply artificial intelligence algorithms for detection 2. Inform the CERT team 3. Research threat intelligence and potential adversaries 4. Utilize threat intelligence to apply Big Data techniques C. 1. Obtain the latest IOCs from the open source repositories 2. Perform a sweep across the network to identify positive matches 3. Sandbox any suspicious files 4. Notify the CERT team to apply a future proof threat model D. 1. Analyze the current threat intelligence 2. Utilize information sharing to obtain the latest industry IOCs 3. Perform a sweep across the network to identify positive matches 4. Apply machine learning algorithms

Correct Answer: C Online: CISO wants: 1- Zero-day exploit vulnerability information (exploits not already known about by AV vendors) 2- attribution information (who done it) 3- how will latest threat information be gathered (how done it) 4- mitigate with signatureless controls (AI/ML). This is a tough one. Not perfectly clear. Looking at the Pearsonvue Cert guide from P643 helps; remember, the question specifies "ordered" steps, so if it's out of order, or there's a step that doesn't do anything to achieve the goal, then it's not the MOST appropriate. Answer B) A) No - Missing 4 - Antivirus is not signatureless. B) Yes - 1- Addressed by 1. 2- Addressed by 2. 3- Addressed by 3. 4- Addressed by 4; allows you to amalgamate all the research you've done and come up with new potential threats. C) No - This does not address the "attribution" requirement. D) Possible - But not in order. 1- Addressed by 1. 2- Addressed by 1. 3- By 2. 4- Addressed by 4. ML for mitigation (signatureless).

A development team releases updates to an application regularly. The application is compiled with several standard, open-source security products that require a minimum version for compatibility. During the security review portion of the development cycle, which of the following should be done to minimize possible application vulnerabilities? A. The developers should require an exact version of the open-source security products, preventing the introduction of new vulnerabilities. B. The application development team should move to an Agile development approach to identify security concerns faster. C. The change logs for the third-party libraries should be reviewed for security patches, which may need to be included in the release. D. The application should eliminate the use of open-source libraries and products to prevent known vulnerabilities from being included.

Correct Answer: C Online: A maybe

A company wants to secure a newly developed application that is used to access sensitive information and data from corporate resources. The application was developed by a third-party organization, and it is now being used heavily, despite lacking the following controls: ✑ Certificate pinning ✑ Tokenization ✑ Biometric authentication The company has already implemented the following controls: ✑ Full device encryption ✑ Screen lock ✑ Device password ✑ Remote wipe The company wants to defend against interception of data attacks. Which of the following compensating controls should the company implement NEXT? A. Enforce the use of a VPN when using the newly developed application B. Implement a geofencing solution that disables the application according to company requirements C. Implement an out-of-band second factor to authenticate authorized users D. Install the application in a secure container requiring additional authentication controls

Correct Answer: C Online: A maybe D? leaning towards A

A security consultant is conducting a penetration test against a customer enterprise that comprises local hosts and cloud-based servers. The hosting service employs a multitenancy model with elastic provisioning to meet customer demand. The customer runs multiple virtualized servers on each provisioned cloud host. The security consultant is able to obtain multiple sets of administrator credentials without penetrating the customer network. Which of the following is the MOST likely risk the tester exploited? A. Data-at-rest encryption misconfiguration and repeated key usage B. Offline attacks against the cloud security broker service C. The ability to scrape data remnants in a multitenancy environment D. VM escape attacks against the customer network hypervisors

Correct Answer: C Online: B

A forensic analyst suspects that a buffer overflow exists in a kernel module. The analyst executes the following command: dd if=/dev/ram of=/tmp/mem/dmp The analyst then reviews the associated output: ^34^#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/bin/bash^21^03#45 However, the analyst is unable to find any evidence of the running shell. Which of the following is the MOST likely reason the analyst cannot find a process ID for the shell? A. The NX bit is enabled B. The system uses ASLR C. The shell is obfuscated D. The code uses dynamic libraries

Correct Answer: C Online: B idk tbh.

A systems administrator recently conducted a vulnerability scan of the intranet. Subsequently, the organization was successfully attacked by an adversary. Which of the following is the MOST likely explanation for why the organization's network was compromised? A. There was a false positive since the network was fully patched B. The systems administrator did not perform a full system scan C. The systems administrator performed a credentialed scan D. The vulnerability database was not updated

Correct Answer: C Online: B maybe?

A web developer has implemented HTML5 optimizations into a legacy web application. One of the modifications the web developer made was the following client-side optimization: localStorage.setItem("session-cookie", document.cookie); Which of the following should the security engineer recommend? A. Session Storage should be used so authorized cookies expire after the session ends B. Cookies should be marked as "secure" and "HttpOnly" C. Cookies should be scoped to a relevant domain/path D. Client-side cookies should be replaced by server-side mechanisms

Correct Answer: C Online: B which I agree with.

A security engineer is embedded with a development team to ensure security is built into products being developed. The security engineer wants to ensure developers are not blocked by a large number of security requirements applied at specific schedule points. Which of the following solutions BEST meets the engineer's goal? A. Schedule weekly reviews of all unit test results with the entire development team and follow up between meetings with surprise code inspections. B. Develop and implement a set of automated security tests to be installed on each development team leader's workstation. C. Enforce code quality and reuse standards into the requirements definition phase of the waterfall development process. D. Deploy an integrated software tool that builds and tests each portion of code committed by developers and provides feedback.

Correct Answer: C Online: D maybe?

After an employee was terminated, the company discovered the employee still had access to emails and attached content that should have been destroyed during the off-boarding. The employee's laptop and cell phone were confiscated and accounts were disabled promptly. Forensic investigation suggests the company's DLP was effective, and the content in question was not sent outside of work or transferred to removable media. Personally owned devices are not permitted to access company systems or information. Which of the following would be the MOST efficient control to prevent this from occurring in the future? A. Install application whitelist on mobile devices. B. Disallow side loading of applications on mobile devices. C. Restrict access to company systems to expected times of day and geographic locations. D. Prevent backup of mobile devices to personally owned computers. E. Perform unannounced insider threat testing on high-risk employees.

Correct Answer: C Online: D which I agree with

After the departure of a developer under unpleasant circumstances, the company is concerned about the security of the software to which the developer has access. Which of the following is the BEST way to ensure security of the code following the incident? A. Hire an external red team to conduct black box testing B. Conduct a peer review and cross reference the SRTM C. Perform white-box testing on all impacted finished products D. Perform regression testing and search for suspicious code

Correct Answer: C From the Official CASP Book: White Box Testing: ..."The tester fully understands the function and design of the systems and networks before they carry out the test. The goal of this type of test is to simulate an inside attacker with high-level knowledge and understanding of the environment they are attacking." White box testing would simulate the inside attack perspective that the company is concerned about from the software developer. This also takes into account the assumption that he only has access to finished products that are available publicly per answer C "impacted finished products"

A systems administrator receives an advisory email that a recently discovered exploit is being used in another country and the financial institutions have ceased operations while they find a way to respond to the attack. Which of the following BEST describes where the administrator should look to find information on the attack to determine if a response must be prepared for the systems? (Choose two.) A. Bug bounty websites B. Hacker forums C. Antivirus vendor websites D. Trade industry association websites E. CVE database F. Company's legal department

Correct Answer: C&E. from the CASP+ All-In-One: Here are some suggestions to consider when doing your security research. • Visit vendor websites for the latest information on vulnerabilities, updates, FAQs, other software downloads, and best security practices. • Use official information security sources such as RFCs, ISO, NIST, ISACA, EC-Council, (ISC)², and SANS. • Subscribe to security mailing lists such as Bugtraq and CERT Advisories and Security Weekly. • Visit vulnerability websites such as the CVE database, SecurityTracker, and SecurityFocus.

A company has adopted and established a continuous-monitoring capability, which has proven to be effective in vulnerability management, diagnostics, and mitigation. The company wants to increase the likelihood that it is able to discover and therefore respond to emerging threats earlier in the life cycle. Which of the following methodologies would BEST help the company to meet this objective? (Choose two.) A. Install and configure an IPS. B. Enforce routine GPO reviews. C. Form and deploy a hunt team. D. Institute heuristic anomaly detection. E. Use a protocol analyzer with appropriate connectors.

Correct Answer: CD I would definitely choose. However, I was in doubt between A (IPS) and C (hunt team). From CASP official material: "Hunt teaming is yet another technique that facilitates incident response. Instead of passively monitoring entities and systems, a team of security personnel will actively "hunt" for indicators of compromise in a particular environment. This is based on the assumption that you may already be compromised, even if you don't notice any overt signs of an incident. A hunt team will typically examine hosts and network activity for evidence of command and control (C&C) channels used in a botnet; unusual registry keys that could indicate persistent malware; rogue hardware that is attached to the network; suspicious or unusual network port and protocol usage; unauthorized accounts; and more." Company's objective: discover and respond to emerging threats earlier in the life cycle. I would rather choose C (hunt team).

A medical facility wants to purchase mobile devices for doctors and nurses. To ensure accountability, each individual will be assigned a separate mobile device. Additionally, to protect patients' health information, management has identified the following requirements: ✑ Data must be encrypted at rest. ✑ The device must be disabled if it leaves the facility. ✑ The device must be disabled when tampered with. Which of the following technologies would BEST support these requirements? (Choose two.) A. eFuse B. NFC C. GPS D. Biometric E. USB 4.1 F. MicroSD

Correct Answer: CD Online: AC which I kinda agree

A Chief Information Security Officer (CISO) recently changed jobs into a new industry. The CISO's first task is to write a new, relevant risk assessment for the organization. Which of the following would BEST help the CISO find relevant risks to the organization? (Choose two.) A. Perform a penetration test. B. Conduct a regulatory audit. C. Hire a third-party consultant. D. Define the threat model. E. Review the existing BIA. F. Perform an attack path analysis.

Correct Answer: CE

An SQL database is no longer accessible online due to a recent security breach. An investigation reveals that unauthorized access to the database was possible due to an SQL injection vulnerability. To prevent this type of breach in the future, which of the following security controls should be put in place before bringing the database back online? (Choose two.) A. Secure storage policies B. Browser security updates C. Input validation D. Web application firewall E. Secure coding standards F. Database activity monitoring

Correct Answer: CF Online: CD As a WAF is a preventive control while DAM is for monitoring.

A Chief Information Security Officer (CISO) of a large financial institution undergoing an IT transformation program wants to embed security across the business rapidly and across as many layers of the business as possible to achieve quick wins and reduce risk to the organization. Which of the following business areas should the CISO target FIRST to best meet the objective? A. Programmers and developers should be targeted to ensure secure coding practices, including automated code reviews with remediation processes, are implemented immediately. B. Human resources should be targeted to ensure all new employees undertake security awareness and compliance training to reduce the impact of phishing and ransomware attacks. C. The project management office should be targeted to ensure security is managed and included at all levels of the project management cycle for new and in-flight projects. D. Risk assurance teams should be targeted to help identify key business unit security risks that can be aggregated across the organization to produce a risk posture dashboard for executive management.

Correct Answer: D

A project manager is working with system owners to develop maintenance windows for system patching and upgrades in a cloud-based PaaS environment. Management has indicated one maintenance window will be authorized per month, but clients have stated they require quarterly maintenance windows to meet their obligations. Which of the following documents should the project manager review? A. MOU B. SOW C. SRTM D. SLA

Correct Answer: D

A recent CRM upgrade at a branch office was completed after the desired deadline. Several technical issues were found during the upgrade and need to be discussed in depth before the next branch office is upgraded. Which of the following should be used to identify weak processes and other vulnerabilities? A. Gap analysis B. Benchmarks and baseline results C. Risk assessment D. Lessons learned report

Correct Answer: D

A security analyst has been asked to create a list of external IT security concerns, which are applicable to the organization. The intent is to show the different types of external actors, their attack vectors, and the types of vulnerabilities that would cause business impact. The Chief Information Security Officer (CISO) will then present this list to the board to request funding for controls in areas that have insufficient coverage. Which of the following exercise types should the analyst perform? A. Summarize the most recently disclosed vulnerabilities. B. Research industry best practices and the latest RFCs. C. Undertake an external vulnerability scan and penetration test. D. Conduct a threat modeling exercise.

Correct Answer: D

A vulnerability was recently announced that allows a malicious user to gain root privileges on other virtual machines running within the same hardware cluster. Customers of which of the following cloud-based solutions should be MOST concerned about this vulnerability? A. Single-tenant private cloud B. Multitenant SaaS cloud C. Single-tenant hybrid cloud D. Multitenant IaaS cloud E. Multitenant PaaS cloud F. Single-tenant public cloud

Correct Answer: D

After several industry competitors suffered data loss as a result of cyberattacks, the Chief Operating Officer (COO) of a company reached out to the information security manager to review the organization's security stance. As a result of the discussion, the COO wants the organization to meet the following criteria: ✑ Blocking of suspicious websites ✑ Prevention of attacks based on threat intelligence ✑ Reduction in spam ✑ Identity-based reporting to meet regulatory compliance ✑ Prevention of viruses based on signature ✑ Protect applications from web-based threats Which of the following would be the BEST recommendation the information security manager could make? A. Reconfigure existing IPS resources B. Implement a WAF C. Deploy a SIEM solution D. Deploy a UTM solution E. Implement an EDR platform

Correct Answer: D

An online bank has contracted with a consultant to perform a security assessment of the bank's web portal. The consultant notices the login page is linked from the main page with HTTPS, but when the URL is changed to HTTP, the browser is automatically redirected back to the HTTPS site. Which of the following is a concern for the consultant, and how can it be mitigated? A. XSS could be used to inject code into the login page during the redirect to the HTTPS site. The consultant should implement a WAF to prevent this. B. The consultant is concerned the site is using an older version of the SSL 3.0 protocol that is vulnerable to a variety of attacks. Upgrading the site to TLS 1.0 would mitigate this issue. C. The HTTP traffic is vulnerable to network sniffing, which could disclose usernames and passwords to an attacker. The consultant should recommend disabling HTTP on the web server. D. A successful MITM attack could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.

Correct Answer: D

An organization enables BYOD but wants to allow users to access the corporate email, calendar, and contacts from their devices. The data associated with the user's accounts is sensitive, and therefore, the organization wants to comply with the following requirements: ✑ Active full-device encryption ✑ Enabled remote-device wipe ✑ Blocking unsigned applications ✑ Containerization of email, calendar, and contacts Which of the following technical controls would BEST protect the data from attack or loss and meet the above requirements? A. Require frequent password changes and disable NFC. B. Enforce device encryption and activate MAM. C. Install a mobile antivirus application. D. Configure and monitor devices with an MDM.

Correct Answer: D

As part of incident response, a technician is taking an image of a compromised system and copying the image to a remote image server (192.168.45.82). The system drive is very large but does not contain the sensitive data. The technician has limited time to complete this task. Which of the following is the BEST command for the technician to run? A. tar cvf - / | ssh 192.168.45.82 "cat - > /images/image.tar" B. dd if=/dev/mem | scp - 192.168.45.82:/images/image.dd C. memdump /dev/sda1 | nc 192.168.45.82 3000 D. dd if=/dev/sda | nc 192.168.45.82 3000

Correct Answer: D

Following a complete outage of the electronic medical record system for more than 18 hours, the hospital's Chief Executive Officer (CEO) has requested that the Chief Information Security Officer (CISO) perform an investigation into the possibility of a disgruntled employee causing the outage maliciously. To begin the investigation, the CISO pulls all event logs and device configurations from the time of the outage. The CISO immediately notices the configuration of a top-of-rack switch from one day prior to the outage does not match the configuration that was in place at the time of the outage. However, none of the event logs show who changed the switch configuration, and seven people have the ability to change it. Because of this, the investigation is inconclusive. Which of the following processes should be implemented to ensure this information is available for future investigations? A. Asset inventory management B. Incident response plan C. Test and evaluation D. Configuration and change management

Correct Answer: D

Following a recent network intrusion, a company wants to determine the current security awareness of all of its employees. Which of the following is the BEST way to test awareness? A. Conduct a series of security training events with comprehensive tests at the end B. Hire an external company to provide an independent audit of the network security posture C. Review the social media of all employees to see how much proprietary information is shared D. Send an email from a corporate account, requesting users to log onto a website with their enterprise account

Correct Answer: D

Which of the following is the GREATEST security concern with respect to BYOD? A. The filtering of sensitive data out of data flows at geographic boundaries. B. Removing potential bottlenecks in data transmission paths. C. The transfer of corporate data onto mobile corporate devices. D. The migration of data into and out of the network in an uncontrolled manner.

Correct Answer: D

A breach was caused by an insider threat in which customer PII was compromised. Following the breach, a lead security analyst is asked to determine which vulnerabilities the attacker used to access company resources. Which of the following should the analyst use to remediate the vulnerabilities? A. Protocol analyzer B. Root cause analysis C. Behavioral analytics D. Data leak prevention

Correct Answer: D. Online argues maybe B, which I don't agree with.

The Chief Executive Officer (CEO) of a company has considered implementing a cost-saving measure that might result in new risk to the company. When deciding whether to implement this measure, which of the following would be the BEST course of action to manage the organization's risk? A. Present the detailed risk resulting from the change to the company's board of directors B. Pilot new mitigations that cost less than the total amount saved by the change C. Modify policies and standards to discourage future changes that increase risk D. Capture the risk in a prioritized register that is shared routinely with the CEO

Correct Answer: D. Online: A maybe? Maybe: A. Present the detailed risk resulting from the change to the company's board of directors? The CEO should run such ideas by the board. I am not sure what is meant by "capture the risk in a prioritized register." And why would the CEO want to put something somewhere it will be shared with the CEO? He/she is the CEO.

After multiple service interruptions caused by an older datacenter design, a company decided to migrate away from its datacenter. The company has successfully completed the migration of all datacenter servers and services to a cloud provider. The migration project includes the following phases: ✑ Selection of a cloud provider ✑ Architectural design ✑ Microservice segmentation ✑ Virtual private cloud ✑ Geographic service redundancy ✑ Service migration The Chief Information Security Officer (CISO) is still concerned with the availability requirements of critical company applications. Which of the following should the company implement NEXT? A. Multicloud solution B. Single-tenancy private cloud C. Hybrid cloud solution D. Cloud access security broker

Correct Answer: D. Online: A or C, as they address availability.

A security architect is designing a system to satisfy user demand for reduced transaction time, increased security and message integrity, and improved cryptographic security. The resultant system will be used in an environment with a broad user base where many asynchronous transactions occur every minute and must be publicly verifiable. Which of the following solutions BEST meets all of the architect's objectives? A. An internal key infrastructure that allows users to digitally sign transaction logs B. An agreement with an entropy-as-a-service provider to increase the amount of randomness in generated keys. C. A publicly verified hashing algorithm that allows revalidation of message integrity at a future date. D. An open distributed transaction ledger that requires proof of work to append entries.

Correct Answer: D. Online: A, which I lean towards.

An external red team member conducts a penetration test, attempting to gain physical access to a large organization's server room in a branch office. During reconnaissance, the red team member sees a clearly marked door to the server room, located next to the lobby, with a tumbler lock. Which of the following is BEST for the red team member to bring on site to open the locked door as quickly as possible without causing significant damage? A. Screwdriver set B. Bump key C. RFID duplicator D. Rake picking

Correct Answer: D. Online: B.

Two competing companies experienced similar attacks on their networks from various threat actors. To improve response times, the companies wish to share some threat intelligence about the sources and methods of attack. Which of the following business documents would be BEST to document this engagement? A. Business partnership agreement B. Memorandum of understanding C. Service-level agreement D. Interconnection security agreement

Correct Answer: D. Online: B. The two companies are not becoming partners; they are just sharing information about the attacks that happened against them. So no, not a BPA. Not an ISA, since neither company is sharing equipment. An MOU is used here because the two companies are discussing what actions they are taking together. B is the correct answer.

A security engineer is working with a software development team. The engineer is tasked with ensuring all security requirements are adhered to by the developers. Which of the following BEST describes the contents of the supporting document the engineer is creating? A. A series of ad-hoc tests that each verify security control functionality of the entire system at once. B. A series of discrete tasks that, when viewed in total, can be used to verify and document each individual constraint from the SRTM. C. A set of formal methods that apply to one or more of the programming languages used on the development project. D. A methodology to verify each security control in each unit of developed code prior to committing the code.

Correct Answer: D. Online: B maybe?

While an employee is on vacation, suspicion arises that the employee has been involved in malicious activity on the network. The security engineer is concerned the investigation may need to continue after the employee returns to work. Given this concern, which of the following should the security engineer recommend to maintain the integrity of the investigation? A. Create archival copies of all documents and communications related to the employee B. Create a forensic image of network infrastructure devices C. Create an image file of the employee's network drives and store it with hashes D. Install a keylogger to capture the employee's communications and contacts

Correct Answer: D. Online: C. Maybe: C. Create an image file of the employee's network drives and store it with hashes? The question asks us "to maintain the integrity of the investigation." To do that, we must preserve the chain of custody. We must make sure that the evidence we are using has not been tampered with. Once the employee gets back, he/she will probably start changing his/her network drives. Once that happens, the integrity of the investigation is shot, unless we have a protected copy.

A security administrator receives reports that several workstations are unable to access resources within one network segment. A packet capture shows the segment is flooded with ICMPv6 traffic from the source fe80::21ae:4571:42ab:1fdd and for the destination ff02::1. Which of the following should the security administrator integrate into the network to help prevent this from occurring? A. Raise the dead peer detection interval to prevent the additional network chatter B. Deploy honeypots on the network segment to identify the sending machine C. Ensure routers will use route advertisement guards D. Deploy ARP spoofing prevention on routers and switches

Correct Answer: D. Online: C. Maybe: C. Ensure routers will use route advertisement guards? "RA guard works by validating RA messages on the basis of whether they meet certain criteria, configured on the switch using policies. RA guard inspects RA messages and compares the information contained in the message attributes to the configured policy. Depending on the policy, RA guard either drops or forwards the RA messages that match the conditions." Don't know if it's been spoofed.
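The traffic in the question (ICMPv6 from a link-local source to ff02::1, the all-nodes multicast group) is the shape of a Router Advertisement flood, and the policy an RA guard enforces can also be run offline over a capture to confirm it. The following is an added example, not part of the study set: it checks each RA against an assumed list of authorized router link-local addresses and a burst threshold. The capture lines are constructed in the text format of `tcpdump -tttt -n` (an assumption about how a real capture prints), and AUTHORIZED_ROUTERS is an assumption about the segment.

```python
"""Flag an ICMPv6 Router Advertisement flood in a packet capture.

Added example, not from the original study set. It applies offline the
same policy an RA guard enforces on a switch port: a Router Advertisement
is legitimate only from an authorized router's link-local address, and no
source may send RAs faster than a burst threshold. The capture lines are
constructed in the text format of `tcpdump -tttt -n` (an assumption about
how a real capture would be printed); AUTHORIZED_ROUTERS is an assumption
about the segment.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

RA_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) IP6 (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"ICMP6, router advertisement, length \d+$"
)
ALL_NODES = ipaddress.ip_address("ff02::1")
AUTHORIZED_ROUTERS = {ipaddress.ip_address("fe80::1")}  # assumed legitimate router

# Constructed capture: one legitimate RA, one unrelated NS, an 8-packet
# burst from the address in the question, then an RA from a global address.
SAMPLE_CAPTURE = [
    "2021-08-05 10:00:00.000000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56",
    "2021-08-05 10:00:00.500000 IP6 fe80::5 > ff02::1: ICMP6, neighbor solicitation, who has fe80::1, length 32",
] + [
    "2021-08-05 10:00:01.%06d IP6 fe80::21ae:4571:42ab:1fdd > ff02::1: ICMP6, router advertisement, length 56"
    % (i * 50000)
    for i in range(8)
] + [
    "2021-08-05 10:00:02.000000 IP6 2001:db8::bad > ff02::1: ICMP6, router advertisement, length 56",
]


def parse_ras(lines):
    """Yield (timestamp, src, dst) for RA lines sent to all-nodes; skip anything else."""
    for line in lines:
        m = RA_LINE.match(line.strip())
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst != ALL_NODES:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        yield ts, ipaddress.ip_address(m["src"]), dst


def detect_ra_flood(lines, max_per_window=5, window_seconds=1.0):
    """Return (source, reason) findings. Each source is reported at most once
    for where it comes from and at most once for its rate."""
    findings = []
    origin_flagged, rate_flagged = set(), set()
    recent = defaultdict(list)  # src -> RA timestamps inside the sliding window
    for ts, src, _ in parse_ras(lines):
        if src not in AUTHORIZED_ROUTERS and src not in origin_flagged:
            # RFC 4861 requires the RA source to be link-local; anything else is
            # malformed, and an unknown link-local source is a rogue router.
            reason = "unauthorized router" if src.is_link_local else "non-link-local RA source"
            findings.append((str(src), reason))
            origin_flagged.add(src)
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.pop(0)
        if len(window) > max_per_window and src not in rate_flagged:
            findings.append((str(src), "%d RAs within %.1fs" % (len(window), window_seconds)))
            rate_flagged.add(src)
    return findings


if __name__ == "__main__":
    for src, reason in detect_ra_flood(SAMPLE_CAPTURE):
        print("%-28s %s" % (src, reason))
```

The origin check is the one that matters for the spoofing question in the note above: RA guard on the access switch drops RAs arriving on ports that are not the router's, regardless of what source address the sender chose, so a spoofed fe80:: address does not help the attacker once the policy is in place.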

A laptop is recovered a few days after it was stolen. Which of the following should be verified during incident response activities to determine the possible impact of the incident? A. Full disk encryption status B. TPM PCR values C. File system integrity D. Presence of UEFI vulnerabilities

Correct Answer: D. Online: C or A; I lean towards A.

Due to a recent acquisition, the security team must find a way to secure several legacy applications. During a review of the applications, the following issues are documented: ✑ The applications are considered mission-critical. ✑ The applications are written in code languages not currently supported by the development staff. ✑ Security updates and patches will not be made available for the applications. ✑ Username and passwords do not meet corporate standards. ✑ The data contained within the applications includes both PII and PHI. ✑ The applications communicate using TLS 1.0. ✑ Only internal users access the applications. Which of the following should be utilized to reduce the risk associated with these applications and their current architecture? A. Update the company policies to reflect the current state of the applications so they are not out of compliance. B. Create a group policy to enforce password complexity and username requirements. C. Use network segmentation to isolate the applications and control access. D. Move the applications to virtual servers that meet the password and account standards.

Correct Answer: D. Online: C, which I agree with.

A security researcher is gathering information about a recent spike in the number of targeted attacks against multinational banks. The spike is on top of already sustained attacks against the banks. Some of the previous attacks have resulted in the loss of sensitive data, but as of yet the attackers have not successfully stolen any funds. Based on the information available to the researcher, which of the following is the MOST likely threat profile? A. Nation-state-sponsored attackers conducting espionage for strategic gain. B. Insiders seeking to gain access to funds for illicit purposes. C. Opportunists seeking notoriety and fame for personal gain. D. Hacktivists seeking to make a political statement because of socio-economic factors.

Correct Answer: D. Online: could be A as well.

An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS. Which of the following technical approaches would be the MOST feasible way to accomplish this capture? A. Run the memdump utility with the -k flag. B. Use a loadable kernel module capture utility, such as LiME. C. Run dd on /dev/mem. D. Employ a stand-alone utility, such as FTK Imager.

Correct Answer: D. Possibly B?

A security analyst for a bank received an anonymous tip on the external banking website showing the following: ✑ Protocols supported: TLS 1.0, SSL 3, SSL 2 ✑ Cipher suites supported: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ECDH p256r1), TLS_DHE_RSA_WITH_AES_256_CBC_SHA (DH 1024-bit), TLS_RSA_WITH_RC4_128_SHA ✑ TLS_FALLBACK_SCSV not supported ✑ POODLE ✑ Weak PFS ✑ OCSP stapling supported Which of the following should the analyst use to reproduce these findings comprehensively? A. Query the OCSP responder and review revocation information for the user certificates. B. Review CA-supported ciphers and inspect the connection through an HTTP proxy. C. Perform a POODLE (SSLv3) attack using an exploitation framework and inspect the output. D. Inspect the server certificate and simulate SSL/TLS handshakes for enumeration.

Correct Answer: D. What happens during a TLS handshake? During the course of a TLS handshake, the client and server together will do the following: specify which version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use; decide which cipher suites they will use; authenticate the identity of the server via the server's public key and the certificate authority's digital signature; and generate session keys in order to use symmetric encryption after the handshake is complete.
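Reproducing the tip is two steps: enumerate what the server will negotiate (one simulated handshake per protocol version and per cipher suite, which is what a scanner or a loop of `openssl s_client` calls does), then apply the rules that turn that table into the findings listed. The following is an added example, not part of the study set, that does the second step and generates the `openssl s_client` probes for the first. SCAN is constructed to match the tip in the question; HARDENED is a constructed comparison configuration; the weak-PFS threshold (ephemeral DH below 2048 bits) is an assumption.

```python
"""Derive TLS/SSL findings from a handshake-enumeration result.

Added example, not from the original study set. Reproducing the tip
means two steps: enumerate what the server negotiates (one handshake per
protocol and per cipher suite, as a scanner or a loop of openssl s_client
calls does), then apply the rules that turn that table into findings.
This code does the second step and prints the probe commands for the
first; SCAN is constructed to match the tip in the question. The weak-PFS
threshold (ephemeral DH below 2048 bits) is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CipherSuite:
    name: str
    kx: str        # key exchange: "ECDHE", "DHE" or "RSA" (static, no PFS)
    kx_bits: int   # curve or DH modulus size; 0 for static RSA


@dataclass(frozen=True)
class ScanResult:
    protocols: tuple
    suites: tuple
    fallback_scsv: bool
    ocsp_stapling: bool


MIN_DH_BITS = 2048  # assumption: the threshold below which DHE counts as weak

# Constructed to match the anonymous tip in the question.
SCAN = ScanResult(
    protocols=("TLS 1.0", "SSL 3", "SSL 2"),
    suites=(
        CipherSuite("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE", 256),
        CipherSuite("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE", 1024),
        CipherSuite("TLS_RSA_WITH_RC4_128_SHA", "RSA", 0),
    ),
    fallback_scsv=False,
    ocsp_stapling=True,
)

# Constructed hardened configuration for comparison.
HARDENED = ScanResult(
    protocols=("TLS 1.2", "TLS 1.3"),
    suites=(CipherSuite("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE", 256),),
    fallback_scsv=True,
    ocsp_stapling=True,
)


def findings(scan: ScanResult) -> list:
    """Apply the standard rules; the order is fixed so results are comparable."""
    out = []
    protos = set(scan.protocols)
    names = [s.name for s in scan.suites]
    if "SSL 2" in protos:
        out.append("SSLv2 enabled")
    if "SSL 3" in protos and any("_CBC_" in n for n in names):
        out.append("POODLE (SSLv3 with CBC cipher suites)")
    if any("RC4" in n for n in names):
        out.append("RC4 cipher suite offered")
    if len(protos) > 1 and not scan.fallback_scsv:
        out.append("TLS_FALLBACK_SCSV not supported (protocol downgrade possible)")
    if any(s.kx == "RSA" or (s.kx == "DHE" and s.kx_bits < MIN_DH_BITS) for s in scan.suites):
        out.append("Weak PFS (static RSA or DHE below %d bits offered)" % MIN_DH_BITS)
    if not scan.ocsp_stapling:
        out.append("OCSP stapling not supported")
    return out


# openssl s_client protocol options; modern OpenSSL builds do not offer SSLv2,
# and -ssl3 only works in builds compiled with SSLv3 support.
PROTO_FLAGS = {"SSL 3": "-ssl3", "TLS 1.0": "-tls1", "TLS 1.1": "-tls1_1", "TLS 1.2": "-tls1_2"}


def probe_commands(host: str, port: int = 443) -> list:
    """Commands to run by hand to confirm each protocol, the downgrade guard
    and stapling; each one is a single simulated handshake."""
    cmds = ["openssl s_client -connect %s:%d %s </dev/null" % (host, port, flag)
            for flag in PROTO_FLAGS.values()]
    cmds.append("openssl s_client -connect %s:%d -tls1 -fallback_scsv </dev/null" % (host, port))
    cmds.append("openssl s_client -connect %s:%d -status </dev/null" % (host, port))
    return cmds


if __name__ == "__main__":
    for f in findings(SCAN):
        print("FINDING:", f)
    print("hardened config findings:", findings(HARDENED))
    print("\n".join(probe_commands("bank.example")))
```

The `-fallback_scsv` probe is the one that checks the downgrade finding directly: a server that honours TLS_FALLBACK_SCSV must refuse a TLS 1.0 handshake that carries the SCSV with an inappropriate_fallback alert, and the tip says this one does not.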

A company's security policy states any remote connections must be validated using two forms of network-based authentication. It also states local administrative accounts should not be used for any remote access. PKI currently is not configured within the network. RSA tokens have been provided to all employees, as well as a mobile application that can be used for 2FA authentication. A new NGFW has been installed within the network to provide security for external connections, and the company has decided to use it for VPN connections as well. Which of the following should be configured? (Choose two.) A. Certificate-based authentication B. TACACS+ C. 802.1X D. RADIUS E. LDAP F. Local user database

Correct Answer: DE

First responders, who are part of a core incident response team, have been working to contain an outbreak of ransomware that also led to data loss. In a rush to isolate the three hosts that were calling out to the NAS to encrypt whole directories, the hosts were shut down immediately without investigation and then isolated. Which of the following were missed? (Choose two.) A. CPU, process state tables, and main memory dumps B. Essential information needed to perform data restoration to a known clean state C. Temporary file system and swap space D. Indicators of compromise to determine ransomware encryption E. Chain of custody information needed for investigation

Correct Answer: DE

A company has decided to replace all the T-1 uplinks at each regional office and move away from using the existing MPLS network. All regional sites will use high-speed connections and VPNs to connect back to the main campus. Which of the following devices would MOST likely be added at each location? A. SIEM B. IDS/IPS C. Proxy server D. Firewall E. Router

Correct Answer: E

A security manager is determining the best DLP solution for an enterprise. A list of requirements was created to use during the source selection. The security manager wants to confirm a solution exists for the requirements that have been defined. Which of the following should the security manager use? A. NDA B. RFP C. RFQ D. MSA E. RFI

Correct Answer: E. Online: B, since it looks like the security manager knows what he's looking for.

A deployment manager is working with a software development group to assess the security of a new version of the organization's internally developed ERP tool. The organization prefers to not perform assessment activities following deployment, instead focusing on assessing security throughout the life cycle. Which of the following methods would BEST assess the security of the product? A. Static code analysis in the IDE environment B. Penetration testing of the UAT environment C. Vulnerability scanning of the production environment D. Penetration testing of the production environment E. Peer review prior to unit testing

Correct Answer: E. The question specifically mentions "The firm prefers not to perform assessment activities following deployment." This means that activities in the production environment are not allowed; therefore C and D are incorrect. The other requirement is "focusing on assessing security throughout the life cycle" (this refers to the SDLC). This leaves us with A, B and E. B is incorrect because UAT is not conducted throughout the SDLC. A is incorrect, as this is done on static code in the development environment, so security is not assessed throughout the SDLC. Both of these are good things to do, but are not the BEST answer as requested. E is the correct answer: "unit testing" is testing of each function as it is committed, which ensures that testing is done throughout the SDLC rather than just at specified points.

After embracing a BYOD policy, a company is faced with new security challenges from unmanaged mobile devices and laptops. The company's IT department has seen a large number of the following incidents: ✑ Duplicate IP addresses ✑ Rogue network devices ✑ Infected systems probing the company's network Which of the following should be implemented to remediate the above issues? (Choose two.) A. Port security B. Route protection C. NAC D. HIPS E. NIDS

Suggested Answer: BC. Online (which I think is the real answer): CE. Key words: "unmanaged", meaning you can't install anything on them; "mobile devices AND laptops", implying the existence of both wired and wireless connections, meaning port security (protecting wired network connections) is not going to cut it. So C and E should be correct (NAC should prevent infected devices connecting to the network, while NIDS should detect rogue network devices).

During a security assessment, an organization is advised of inadequate control over network segmentation. The assessor explains that the organization's reliance on VLANs to segment traffic is insufficient to provide segmentation based on regulatory standards. Which of the following should the organization consider implementing along with VLANs to provide a greater level of segmentation? A. Air gaps B. Access control lists C. Spanning tree protocol D. Network virtualization E. Elastic load balancing

Suggested Answer: D. Online argues: B.
