Sec + 501 Practice 1
A user needs to transmit confidential information to a third party. Which of the following should be used to encrypt the message? A. AES B. SHA-2 C. SSL D. RSA
A. AES
A security consultant is gathering information about the frequency of a security threat's impact to an organization. Which of the following should the consultant use to label the number of times an attack can be expected to impact the organization in a 365-day period? A. ARO B. MTBF C. ALE D. MTTR E. SLA
A. ARO
Which of the following differentiates ARP poisoning from a MAC spoofing attack? A. ARP poisoning uses unsolicited ARP replies. B. ARP poisoning overflows a switch's CAM table. C. MAC spoofing uses DHCPOFFER/DHCPACK packets. D. MAC spoofing can be performed across multiple routers.
A. ARP poisoning uses unsolicited ARP replies.
A security analyst has been dealing with a large number of malware infections on workstations with legacy operating systems. The infections are not being detected by the current AV suite. Further analysis shows that the signatures are up-to-date and the AV engines are functioning correctly. The company is unable to afford next-generation AV that prevents these types of attacks. Which of the following methods should the security analyst employ to prevent future outbreaks/ A. Application whitelisting B. Patch management C. Host-based intrusion detection D. File integrity monitoring
A. Application whitelisting
user suspects someone has been accessing a home network without permission by spoofing the MAC address of an authorized system. While attempting to determine if an unauthorized user is logging into the home network, the user reviews the wireless router, which shows the following table for systems that are currently on the home network: Hostname IP Address MAC MAC Filter DadPC 192.168.1.15 00:1D:1A:44:17:B5 On MomPC 192.168.1.15 21:13:D6:C5:42:A2 Off JuniorPC 192.168.2.16 42:A7:D1:25:11:52 On Unknown 192.168.1.18 10:B3:22:1A:FF:21 Off Which of the following should be the NEXT step to determine if there is an unauthorized user on the network? A. Apply MAC filtering and see if the router drops any of the systems B. Physically check each of the authorized systems to determine if they are logged onto the network C. Deny the "unknown" host because the hostname is not known and MAC filtering is not applied to this host D. Conduct a ping sweep of each of the authorized systems and see if an echo response is received
A. Apply MAC filtering and see if the router drops any of the systems
Which of the following are used to substantially increase the computation time required to crack a password? (Select TWO). A. BCRYPT B. Substitution cipher C. ECDHE D. PBKDF2 E. Diffie-Hellman
A. BCRYPT D. PBKDF2
A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours. Which of the following types of malware is MOST likely causing this issue? A. Botnet B. Ransomware C. Polymorphic malware D. Armored virus
A. Botnet
A network technician must update the company's wireless configuration settings to comply with new requirements, which means the use of AES encryption. Which of the following settings would BEST ensure the requirements are met? A. Configure CCMP. B. Require TKIP. C. Implement WPA. D. Implement 802.1x
A. Configure CCMP.
A security analyst reviews the following log entry: 2017-01-13 1622CST 10.11.24.18 93242 148 TCP_HIT 200.200.0.223 _ OBSERVED POST HTTP/1.1.0. "Mozilla 1." www.dropbox.com Financial_Report_2016_CONFID.pdf, 13MB, MS-RTC LM8; .NET CLR 3.0.4509.1392, Jane.Doe Which of the following security issues can the analyst identify? A. Data exfiltration B. Access violation C. Social engineering D. Unencrypted credentials
A. Data exfiltration
A company has been experiencing many successful email phishing attacks, which have been resulting in the compromise of multiple employees' accounts when employees reply with their credentials. The security administrator has been notifying each user and resetting the account passwords when accounts become compromised. Regardless of this process, the same accounts continue to be compromised even when the users do not respond to the phishing attacks. Which of the following are MOST likely to prevent similar account compromises? (Select TWO). A. Enforce password reuse limitations. B. Enable password complexity. C. Reset the account security questions. D. Configure account lockout. E. Implement time-of-day restrictions.
A. Enforce password reuse limitations. C. Reset the account security questions.
Which of the following BEST implements control diversity to reduce the risks associated with the authentication of employees into company resources? A. Enforcing the use of something you know and something you have for authentication B. Requiring employees to sign the company's password and acceptable use policies C. Implementing LDAP authentication for some systems and RADIUS authentication for others D. Publishing a password policy and enforcing password requirements via a GPO
A. Enforcing the use of something you know and something you have for authentication
Which of the following allows an auditor to test proprietary-software compiled code for security flaws? A. Fuzzing B. Static review C. Code signing D. Regression testing
A. Fuzzing
A network technician is trying to set up a secure method for managing users and groups across the enterprise. Which of the following protocols is MOST likely to be used? A. LDAPS B. SFTP C. NTLM D. SNMPv3
A. LDAPS
Which of the following would be MOST effective in reducing tailgating incidents? A. Mantrap B. Faraday cage C. Motion detection D. Bollards
A. Mantrap
A company is performing an analysis of the corporate enterprise network with the intent of identifying what will cause losses in revenue, referrals, and/or reputation when out of commission. Which of the following is an element of a BIA that is being addressed? A. Mission-essential function B. Single point of failure C. backup and restoration plans D. Identification of critical systems
A. Mission-essential function
Ann, a security administrator, wants to ensure credentials are encrypted in transit when implementing a RADIUS server for SSO. Which of the following are needed given these requirements? (Select TWO) A. Public key B. Shared key C. Elliptic curve D. MD5 E. Private key F. DES
A. Public key E. Private key
An organization would like to grant access to its wireless network to users who are visiting from another trusted organization by authenticating the visiting users at their home organization. Which of the following is the organization's BEST option? A. RADIUS Federation B. Captive portal C. OCSP D. Certificate chaining
A. RADIUS Federation
Some of the legacy systems in an organization are running old versions of the Windows OS and others are running Linux OSs, while new systems are running the latest release of the Windows OS. The systems are not running any legacy custom applications. The organization's Chief Information Officer (CIO) wishes to unify all systems to reduce cost and enhance the security posture of the organization, without losing data or causing data leakage. Which of the following would be the BEST course of action to take? A. Reconfigure all existing machines to have the latest release of Windows OS. B. Restore all machines to default configurations. C. Upgrade part of the legacy systems' infrastructure and perform OS updates. D. Treat all legacy machines as end-of-life systems and replace them.
A. Reconfigure all existing machines to have the latest release of Windows OS.
Which of the following is a compensating control that will BEST reduce the risk of weak passwords? A. Requiring the use of one-time tokens B. Increasing password history retention count C. Disable user accounts after exceeding maximum attempts D. Setting expiration of user passwords to a shorter time
A. Requiring the use of one-time tokens
The human resources department is outsourcing much of its operations to a third party. As part of the process, the local human resources data needs to be transmitted to the third party over the Internet. Which of the following is the BEST way to transmit the data? A. SFTP B. DNSSEC C. SNMPv3 D. LDAPS
A. SFTP
A company has developed a business critical system for its core automation process with a software vendor. Which of the following can provide access to the source code if the licensor declares bankruptcy? A. Software escrow B. Software code review C. Software change control D. Software configuration management
A. Software escrow
A user receives an email from ISP indicating malicious traffic coming from the user's home network is detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as being taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening? A. The camera system is infected with a bot. B. The camera system is infected with a RAT. C. The camera system is infected with a Trojan. D. The camera system is infected with a backdoor.
A. The camera system is infected with a bot.
After an employee reported slow network speeds and application responsiveness, the help desk asked the company's security administrator to review the following firewall logs from the employee's computer: 2017-05-30 12:12:31 ALLOW TCP 192.168.1.236 192.168.1.1 30295 21 2017-05-30 12:12:32 ALLOW TCP 192.168.1.236 192.168.1.1 30296 22 2017-05-30 12:12:33 ALLOW TCP 192.168.1.236 192.168.1.1 30296 25 2017-05-30 12:12:33 ALLOW TCP 192.168.1.236 192.168.1.1 30297 80 2017-05-30 12:12:33 DROP TCP 84.176.55.103 192.168.1.236 10434 445 Which of the following can the security administrator infer and report to the help desk based on the above logs? A. The employee's computer is being actively scanned. B. The employee's computer is infected with a worm. C. The employee's computer firewall should be enabled. D. The computer's router is actively listening to unneeded services.
A. The employee's computer is being actively scanned.
An organization has implemented an IPSec VPN access for remote users. Which of the following IPSec modes would be the MOST secure for this organization to implement? A. Tunnel mode B. Transport mode C. AH-only mode D. ESP-only mode
A. Tunnel mode
A security consultant wants to see what information can be obtained by banner grabbing the company's web servers. There are more than 100 web servers, and the consultant would like to perform and aggregate the information quickly. Which of the following is the MOST time-efficient way to accomplish this task? A. Use nc to establish a connection to each web server. B. Run tcpdump on each web server in the organization. C. Use dig to return results for each web server address. D. Run netstat on each webserver in the organization E. Use ssh to connect to port 80 on each web server.
A. Use nc to establish a connection to each web server.
network administrator is reviewing the following IDS logs: ALERT: 192.168.1.20:1027 -> 192.168.1.21:445 malicious payload detected ALERT: 192.168.1.20:1034 -> 192.168.1.21:445 malicious payload detected ALERT: 192.168.1.20:2041 -> 192.168.1.21:445 malicious payload detected ALERT: 192.168.1.20:1165 -> 192.168.1.21:445 malicious payload detected Based on the above information, which of the following types of malware is triggering the IDS? A. Worm B. Logic bomb C. Rootkit D. Backdoor
A. Worm
After a significant amount of hiring, an organization would like to simplify the connection process to its wireless network for employees while ensuring maximum security. The Chief Information Officer (CIO) wants to get rid of any shared network passwords and require employees to use their company credentials when connecting. Which of the following should be implemented to BEST meet this requirement? A. PSK B. 802.1X C. CCMP D. TKIP
B. 802.1X
Which of the following access management concepts is MOST closely associated with the use of a password or PIN? A. Authorization B. Authentication C. Accounting D. Identification
B. Authentication
While troubleshooting a client application connecting to the network, the security administrator notices the following error: Certificate is not valid. Which of the following is the BEST way to check if the digital certificate is valid? A. PKI B. CRL C. CSR D. IPSec
B. CRL
Which of the following security controls provides an alternative solution to a control that would be considered unpractical or excessively expensive? A. Deterrent B. Compensating C. Technical D. Administrative
B. Compensating
A CSIRT has completed restoration procedures related to a breach of sensitive data is creating documentation used to improve future response activities and coordination among team members. Which of the following information would be MOST beneficial to include in lessons learned documentation? (Select TWO). A. A summary of approved policy changes based on the outcome of the incident B. Details of any communication challenges that hampered initial response times C. Details of man-hours and related costs associated with the breach, including lost revenue D. Details regarding system restoration activities completed during the response activity E. Suggestions for potential areas of focus during quarterly training activiites F. Suggestions of tools that would provide improved monitoring and auditing of system access
B. Details of any communication challenges that hampered initial response times D. Details regarding system restoration activities completed during the response activity
After attempting to harden a web server, a security analyst needs to determine if an application remains vulnerable to SQL injection attacks. Which of the following would BEST assist the analyst in making this determination? A. tracert B. Fuzzer C. nslookup D. Nmap E. netcat
B. Fuzzer
A security engineer is working with the CSIRT to investigate a recent breach of client data to the improper use of cloud-based tools. The engineer finds that an employee was able to access cloud-based storage platform from the office and upload data for the purposes of doing work from home after hours. Such activity is prohibited by policy, but no preventive control is in place to block such activities. Which of the following controls would have prevented this breach? A. Network-based IPS B. Host-based DLP C. Host-based IDS D. NAC using TACACS+
B. Host-based DLP
A security analyst identified an SQL injection attack. Which of the following is the FIRST step in remediating the vulnerability? A. Implement stored procedures. B. Implement input validations. C. Implement proper error handling. D. Implement a WAF.
B. Implement input validations.
Which of the following are the primary differences between an incremental and differential backup? (Select TWO). A. Incremental backups take more time to complete. B. Incremental backups take less time to complete. C. Differential backups only back up files since the last full backup. D. Differential backups use less disk space on the storage drive. E. Incremental backups are less secure than differential backups. F. Differential backups are faster than incremental backups.
B. Incremental backups take less time to complete. C. Differential backups only back up files since the last full backup.
A company is looking for an authentication protocol that uses tickets and time stamps to ensure the validity of requests and prevent against replay attacks. Which of the following would be BEST suited to meet this requirement? A. TACACS+ B. Kerberos C. RADIUS D. MSCHAP
B. Kerberos
A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed? A. Aggressive scan B. Passive scan C. Non-credentialed scan D. Compliance scan
B. Passive scan
A third-party penetration testing company was able to successfully use an ARP cache poison technique to gain root access on a server. The tester successfully moved to another server that was not in the original network. Which of the following is the MOST likely method used to gain access to the other host? A. Backdoor B. Pivoting C. Persistence D. Logic bomb
B. Pivoting
A security engineer is making changes to a corporate network to facilitate the expansion of corporate connectivity to guest users. The security engineer is concerned with unauthorized users accessing sensitive systems that also require network connectivity. Given the engineer's requirements, which of the following is the BEST method of securing the sensitive systems? A. Place the sensitive systems in an isolated VLAN. B. Place an air gap around the sensitive systems. C. Virtualize the guest wireless infrastructure. D. Place the guest WAPs on a honeypot.
B. Place an air gap around the sensitive systems.
A technician is evaluating malware that was found on the enterprise network. After reviewing samples of the malware binaries, the technician finds each has a different hash associated with it. Which of the following types of malware is MOST likely present in the environment? A. Trojan B. Polymorphic worm C. Rootkit D. Logic bomb E. Armored virus
B. Polymorphic worm
Which of the following types of embedded systems is required in manufacturing environments with life safety requirements? A. MFD B. RTOS C. SoC D. RTU
B. RTOS
As part of a corporate merger, two companies are combining resources. As a result, they must transfer files through the internet in a secure manner. Which of the following protocols would BEST meet this objective? (Select Two) A. LDAPS B. SFTP C. HTTPS D. DNSSEC E. SRTP
B. SFTP C. HTTPS
A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select THREE) A. S/MIME B. SSH C. SNMPv3 D. FTPS E. SRTP F. HTTPS G. LDAPS
B. SSH D. FTPS F. HTTPS
A consumer purchases an exploit from the dark web. The exploit targets the online shopping cart of popular website, allowing the shopper to modify the price of an item at checkout. Which of the following BEST describes this type of user? A. Insider B. Script kiddie C. Competitor D. Hacktivist E. APT
B. Script kiddie
A security analyst is securing a PACS. One of the requirements is network isolation with no access to the Internet or networked computers. Given this scenario, which of the following should the analyst implement to BEST address this requirement? A. Set up a firewall rule blocking ports 80 and 443. B. Set up an air-gapped environment. C. Set up a router and configure an ACL. D. Set up a segmented VLAN.
B. Set up an air-gapped environment.
An organization wants to ensure servers and applications can be deployed rapidly, in a consistent manner, and allow for flexible configuration changes. Which of the following should the organization use to make this process repeatable across multiple locations? A. Redundancy B. Templates C. Snapshots D. Elasticity E. Configuration validation
B. Templates
A network administrator is downloading the latest software for the organization's core switch. The downloads page allows users to view the checksum values for the available files. The network administrator is shows the following when viewing the checksum values for the TB_16.swi.file: Checksum values for the downloaded file: MD5 d50b2b04cfb168eec8 SHA1 6a49065705a43de83dfa9e94 SHA256 7123fb644fbabdda6a73f6e6bc833e2cf12 After downloading the file, the network administrator runs a command to show the following output: Algorithm Hash Patch SHA256 5fdbbfb644fbabdda000006e6bc833e2c968 C:\Users\bsmith\YB_16.swi SHA256 64ccbfbaf4fb96dda6a7373e9bcf62e3c244 C:\Users\bsmith\AA_15.swi SHA1 12fec6aabc9ce87fee654abc C:\Users\bsmith\KB_09.swi MD5 5fdbbfb644fbadda6 C:\Users\bsmith\KA_01.swi Which of the following can be determined from the above output? A. The download file was only hashed with SHA-256. B. The download file has been corrupted or tampered with. C. The download file should not be used because it was not hashed with MD5. D. The download file should not be used because its hash differs from the hash of AA_15.swi
B. The download file has been corrupted or tampered with.
A technician receives a device with the following anomalies: Frequent pop-up ads Show response-time switching between active programs Unresponsive peripherals The technician reviews the following log file entries: File Name Source MD5 Target MD5 Status antivirus.exe F794F21CD33E4F57890DDEA5CF267ED2 F794F21CD33E4F57890DDEA5CF267ED2 Automatic iexplore.exe 7FAAF21CD33E4F57890DDEA5CF29CCEA AA87F21CD33E4F57890DDEAEE2197333 Automatic service.exe 77FF390CD33E4F57890DDEA5CF28881F 77FF390CD33E4F57890DDEA5CF28881F Manual USB.exe E289F21CD33E4F57890DDEA5CF28EDC0 E289F21CD33E4F57890DDEA5CF28EDC0 Stopped Based on the above output, which of the following should be reviewed? A. The web application firewall B. The file integrity check C. The data execution prevention D. The removable media control
B. The file integrity check
Vendor diversity is considered an architectural best practice because: A. it prevents vulnerabilities from spreading from device to device in a crisis. B. it mitigates the risk of a programming flaw affecting the entire architecture. C. it allows for more user training to be conducted on different equipment. D. it transfers the risk associated with vulnerable devices to multiple vendors.
B. it mitigates the risk of a programming flaw affecting the entire architecture.
An organization wants to upgrade its enterprise-wide desktop computer solution. The organization currently has 500 PCs active on the network. the Chief Information Security Officer (CISO) suggests that the organization employ desktop imaging technology for such a large scale upgrade. Which of the following is a security benefit of implementing an imaging solution? A. it allows for faster deployment B. it provides a consistent baseline C. It reduces the number of vulnerabilities D. It decreases the boot time
B. it provides a consistent baseline
A vice president at a manufacturing organization is concerned about desktops being connected to the network. Employees need to log onto the desktops' local account to verify that a product is being created within specifications; otherwise, the desktops should be as isolated as possible. Which of the following is the BEST way to accomplish this? A. Put the desktops in the DMZ. B. Create a separate VLAN for the desktops. C. Air gap the desktops. D. Join the desktops to an ad-hoc network.
C. Air gap the desktops.
Which of the following encryption methods does PKI typically use to securely protect keys? A. Elliptic curve B. Digital signatures C. Asymmetric D. Obfuscation
C. Asymmetric
Which of the following access management concepts is associated with file permissions? A. Authentication B. Accounting C. Authorization D. Identification
C. Authorization
An employee has been writing a secure shell around software used to secure executable files. The employee has conducted the appropriate self-test and is ready to move the software into the next environment. Within which of the following environments is the employee currently working? A. Staging B. Test C. Development D. Production
C. Development
An auditor confirms the risk associated with a Windows-specific vulnerability, which was discovered by the company's security tool, does not apply due ot the server running a LInux OS. Which of the following does this BEST describe? A. Inherent risk B. Attack vector C. False positive D. Remediation
C. False positive
The Chief Information Security Officer (CISO) of an organization has tasked the security analysis team with researching and developing a multifactor authentication alternative to the existing single-factor version. The team decides that multifactor, for this organization, will mean three separate and distinct authentication methods. Which of the following options BEST meets this requirement? A. Retina scan, blood sample, token B. Token, certificate, voice recognition C. Fingerprint, token, challenge question D. PIV, token, challenge question
C. Fingerprint, token, challenge question
Joe, a senior systems administrator, must leave for a family emergency. While Joe is absent, another systems administrator discovers Joe stole confidential company information. Which of the following organizational procedures would have detected this breach sooner? A. Background check B. Separation of duties C. Job rotation D. Rules of behavior E. Non-disclosure agreement
C. Job rotation
A network administrator receives a support ticket from the security operations team to implement secure access to the domain. The support ticket contains the following information: Source: 192.168.1.137 Destination: 10.113.10.8 Protocol: TCP Ports: 636 Time-of-day restriction: None Proxy bypass required: Yes'' Which of the following is being requested to be implemented? A. DNSSEC B. S/MIME C. LDAPS D. RDP
C. LDAPS
The Chief Information Security Officer (CISO) of a university is concerned about potential transmission of usernames and passwords in cleartext when authenticating to a directory server. Which of the following would BEST mitigate the CISO's concerns? A. SFTP B. SNMPv3 C. LDAPS D. SMB
C. LDAPS
A security specialist must confirm file backups match the original copy. Which of the following should the security specialist use to accomplish the objective? A. AES B. 3ES C. MD5 D. RSA
C. MD5
A department head at a university resigned on the first day of spring semester. It was subsequently determined that the department head deleted numerous files and directories from the server-based home directory while the campus was closed. Which of the following policies or procedures could have prevented this form occurring? A. Time-of-day restrictions B. Permissions auditing and review C. Offboarding D. Account expiration
C. Offboarding
A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Select TWO). A. PAP B. MSCHAP C. PEAP D. NTLM E. SAML
C. PEAP E. SAML
A company was recently audited by a third party. The audit revealed the company's network devices were transferring files in the clear. Which of the following protocols should the company use to transfer files? A. HTTPS B. LDAPS C. SCP D. SNMPv3
C. SCP
The POODLE attack is an MITM exploit that affects: A. TLS1.0 with CBC mode cipher B. SSLv2.0 with CBC mode cipher C. SSLv3.0 with CBC mode cipher D. SSLv3.0 with ECB mode cipher
C. SSLv3.0 with CBC mode cipher
When using a cryptographic function to store a password, which of the following should be used to avoid similar output from similar passwords? A. Hashing B. Field padding C. Salting D. Key rotating
C. Salting
An energy company is in the final phase of testing its new billing service. The testing team wants to use production data in the test system for stress testing. Which of the following is the BEST way to use production data without sending false notification to the customers? A. Back up and archive the production data to an external source. B. Disable notifications in the production system. C. Scrub the confidential information. D. Encrypt the data prior to the stress test.
C. Scrub the confidential information.
A security analyst is conducting a web application vulnerability scan against the company website. Which of the following is considered an intrusive scan? A. Ping sweep B. Time-delay port scanning C. Service identification D. Cipher suite order
C. Service identification
Which of the following BEST describes the process of altering the bits of a media file to embed a hidden message? A. Encryption B. Diffusion C. Steganography D. Hashing
C. Steganography
A security auditor is testing perimeter security in a building that is protected by badge readers. Which of the following types of attacks would MOST likely gain access? A. Phishing B. Man-in-the-middle C. Tailgating D. Watering hole E. Shoulder surfing
C. Tailgating
A DFIR analyst is collecting log data from multiple global locations. Which of the following must the DFIR analyst do to properly utilize the logs for forensic analysis? A. Log encryption B. Filling out chain of custody C. Time normalization D. Timesheet update
C. Time normalization
Which of the following s the BEST reason to run an untested application is a sandbox? A. To allow the application to take full advantage of the host system's resources and storage B. To utilize the host systems antivirus and firewall applications instead of running it own protection C. To prevent the application from acquiring escalated privileges and accessing its host system D. To increase application processing speed so the host system can perform real-time logging
C. To prevent the application from acquiring escalated privileges and accessing its host system
Management wishes to add another authentication factor in addition to fingerprints and passwords in order to have three-factor authentication. Which of the following would BEST satisfy this request? A. Retinal scan B. Passphrase C. Token fob D. Security question
C. Token fob
An organization is providing employees on the shop floor with computers that will log their time based on when they sign on and off the network. Which of the following account types should the employee receive? A. Shared account B. Privileged account C. User account D. Service account
C. User account
A company wishes to deploy a wireless network. Management insists that each individual user should have to authenticate with a unique username and password before being able to associate with the wireless access points. Which of the following wireless features would be the MOST appropriate to achieve this objective? A. WPA2 PSK B. WEP C. WPA Enterprise D. 802.11r E. Captive portal
C. WPA Enterprise
A Chief Executive Officer (CEO) of an organization receives an email stating the CEO's account may have been compromised. The email further directs the CEO to click on a link to update the account credentials. Which of the following types of attacks has MOST likely occurred? A. Pharming B. Hoax C. Whaling D. Spear phishing
C. Whaling
The network team has detected a large amount of traffic between workstations on the network. The traffic was initially very light, but it is increasing exponentially as the day progresses. Which of the following types of malware might be suspected? A. Backdoor B. Rootkit C. Worm D. Spyware
C. Worm
An active/passive configuration has an impact on: A. confidentiality B. integrity C. availability D. non-repudiation
C. availability
A procedure differs from a policy in that it: A. is a high-level statement regarding the company's position on a topic. B. sets a minimum expected baseline of behavior. C. provides step-by-step instructions for performing a task. D. describes adverse actions when violations occur.
C. provides step-by-step instructions for performing a task.
Finance department employees are reporting slow network connectivity and SSL/TLS certificate errors when they access secure websites. A security administrator suspects a computer in the finance VLAN may have been compromised and is impersonating the router's IP address using an MITM attack. Which of the following commands should the security administrator use to verify this finding? A. arp B. route C. tracert D. nmap E. nslookup
C. tracert
A security administrator wants to prevent standard users from running software they downloaded or copied to the computer. The security administrator find the following permissions on the computer: Folder Location Administrator Permissions Standard User Permissions C:\ RW RW C:\OperatingSystem\ RW R C:\Programs\ RW R C:\TEMP\ RW RW C:\ShippingDATA RW RW C:\Users\User1 R RW C:\Users\Admin RW . The administrator needs to create a policy that specifies from which folders a low-privilege user can run applications. Which of the following application whitelist configurations would BEST accomplish this task? A. Allow: * Block: C:\TEMP, C:\Shipping DATA, C:\Users\User1 B. Allow: C:\, C:\OperatingSystem, C:\Programs, C:\Users\User1 Block: C:\TEMP, C:\ShippingDATA, C:\Users\User1 C. Allow: C:\ Block: C:\TEMP, C:\ShippingDATA, C:\Users\User1 D. Allow: C:\OperatingSystem\, C: Programs Block: *
D. Allow: C:\OperatingSystem\, C: Programs Block: *
Which of the following BEST describes the impact of an unremediated session timeout vulnerability? A. The credentials of a legitimate user could be intercepted and reused to log in when the legitimate user is offline. B. An attacker has more time to attempt brute-force password cracking. C. More than one user may be allowed to concurrently connect to the system, and an attacker can use one of those concurrent connections. D. An attacker could use an existing session that has been initiated by a legitimate user.
D. An attacker could use an existing session that has been initiated by a legitimate user.
An administrator is configuring a wireless network. Security policy states that deprecated cryptography should not be used when there is an alternative choice. Which of the following should the administrator use for the wireless network's cryptographic protocol? A. MD5 B. RC4 C. TKIP D. CCMP E. Diffie-Hellman
D. CCMP
A security administrator wants to determine if a company's web servers have the latest operating system and application patches installed. Which of the following types of vulnerability scan should be conducted? A. Non-credentialed B. Passive C. Port D. Credentialed E. Red team F. Active
D. Credentialed
A security analyst wants to limit the use of USB and external drives to protect against malware, as well as protect files leaving a user's computer. Which of the following is the BEST method to use? A. Firewall B. Router C. Antivirus software D. Data loss prevention
D. Data loss prevention
A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a requirement for this configuration? A. Setting up a TACACS+ server B. Configuring federation between authentication servers C. Enabling TOTP D. Deploying certificates to endpoint devices
D. Deploying certificates to endpoint devices
An incident response analyst at a large corporation is reviewing proxy log data. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take? A. Call the CEO directly to ensure awareness of the event. B. Run a malware scan on the CEO's workstation. C. Reimage the CEO's workstation. D. Disconnect the CEO's workstation from the network.
D. Disconnect the CEO's workstation from the network.
A group of developers is collaborating to write software for a company. The developers need to work in subgroups and restrict access to their modules. Which of the following access control methods is considered user-centric? A. Role-based B. Mandatory C. Rule-based D. Discretionary
D. Discretionary
Several workstations on a network are found to be on OS versions that are vulnerable to a specific attack. Which of the following is considered to be a corrective action to combat this vulnerability? A. Install an antivirus definition patch B. Educate the workstation users C. Leverage server isolation D. Install a vendor-supplied patch E. Install an intrusion detection system
D. Install a vendor-supplied patch
Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources? A. Attestation B. Federation C. Single sign-on D. Kerberos
D. Kerberos
Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced slowness and input lag and found text files that appear to contain pieces of her emails or online conversations with coworkers. The technician runs a standard virus scan but detects nothing. Which of the following types of malware has infected the machine? A. Ransomware B. Rootkit C. Backdoor D. Keylogger
D. Keylogger
A penetration tester uses an exploited network printer as a base of operations to expand access to various workstations. Which of the following BEST describes the tester's actions? A. Pivoting B. Passive reconnaissance C. Active reconnaissance D. Persistence
D. Persistence
An organization has an account management policy that defines parameters around each type of account. The policy specifies different security attributes, such as longevity, usage auditing, password complexity, and identity proofing. The goal of the account management policy is to ensure the highest level of security while providing the greatest availability without compromising data integrity for users. Which of the following account types should the policy specify for service technicians from corporate partners? A. Guest account B. User account C. Shared account D. Privileged user account E. Default account F. Service account
D. Privileged user account
A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure? A. L2TP with MAC filtering B. EAP-TTLS C. WPA2-CCMP with PSK D. RADIUS federation
D. RADIUS federation
Which of the following staging environments is MOST likely to be a one-to-one mapping with the production environment and used for testing and validation prior to "go live"? A. Quality assurance B. Development C. Production D. Test
D. Test
A security engineer at a manufacturing company is implementing a third-party cloud application. Rather than create users manually in the application, the engineer decides to use the SAML protocol. Which of the following is being used for this implementation? A. The manufacturing company is the service provider, and the cloud company is the identity provider. B. The manufacturing company is the authorization provider, and the cloud company is the service provider. C. The manufacturing company is the identity provider, and the cloud company is the OAuth provider. D. The manufacturing company is the identity provider, and the cloud company is the service provider. E. The manufacturing company is the service provider, and the cloud company is the authorization provider.
D. The manufacturing company is the identity provider, and the cloud company is the service provider.
To get the most accurate results on the security posture of a system, which of the following actions should the security analyst do prior to scanning? A. Log all users out of the system. B. Patch the scanner. C. Reboot the target host. D. Update the plugins.
D. Update the plugins.
When developing an application, executing a preconfigured set of instructions is known as: A. a code library. B. code signing. C. a stored procedure. D. infrastructure as code.
D. infrastructure as code.
A security administrator is performing a test to determine if a server is vulnerable to compromise through unnecessary ports. Which of the following tools would assist the security administrator in gathering the required information? A. tcpdump B. netcat C. nslookup D. nmap E. dig
D. nmap
Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are complaining of an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly. Which of the following actions should be taken FIRST? (Select TWO) A. Disable the compromised accounts B. Update WAF rules to block social networks C. Remove the compromised accounts with all AD groups D. Change the compromised accounts' passwords E. Disable the open relay on the email server F. Enable sender policy framework
E. Disable the open relay on the email server F. Enable sender policy framework