COMPTIA SEC+

The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead to: A. arbitrary code execution. B. resource exhaustion. C. exposure of authentication credentials. D. dereferencing of memory pointers.

(A)

The help desk received a call from a user who was trying to access a set of files from the day before but received the following error message: File format not recognized. Which of the following types of malware MOST likely caused this to occur? A. Ransomware B. Polymorphic virus C. Rootkit D. Spyware

(A)

To reduce disk consumption, an organization's legal department has recently approved a new policy setting the data retention period for sent email at six months. Which of the following is the BEST way to ensure this goal is met? A. Create a daily encrypted backup of the relevant emails. B. Configure the email server to delete the relevant emails. C. Migrate the relevant emails into an "Archived" folder. D. Implement automatic disk compression on email servers.

(A)

Two users must encrypt and transmit large amounts of data between them. Which of the following should they use to encrypt and transmit the data? A. Symmetric algorithm B. Hash function C. Digital signature D. Obfuscation

(A)

User from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKIs to work together without connection errors? A. Trust model B. Stapling C. Intermediate CA D. Key escrow

(A)

Users are attempting to access a company's website but are transparently redirected to another websites. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the futue? A. DNSSEC B. HTTPS C. IPSec D. TLS/SSL

(A)

Using an ROT13 cipher to protocol confidential information for unauthorized access is known as: A. Steganography B. Obfuscation C. Non repudiation D. diffusion

(A)

When identifying a company's most valuable assets as part of a BIA, which of the following should be the FIRST priority? A. Life B. Intellectual property C. Sensitive data D. Public reputation

(A)

When it comes to cloud computing, if one of the requirements for a project is to have the most control over the systems in the cloud, which of the following is a service model that would be BEST suited for this goal? A. Infrastructure B. Platform C. Software D. Virtualization

(A)

Which of the following BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host? A. Remote exploit B. Amplification C. Sniffing D. Man-in-the-middle

(A)

Which of the following BEST explains how the use of configuration templates reduces organization risk? A. It ensures consistency of configuration for initial system implementation. B. It enables system rollback to a last known-good state patches break functionality. C. It facilitates fault tolerance since applications can be migrated across templates. D. It improves vulnerability scanning efficiency across multiple systems.

(A)

During a forensic investigation, which of the following must be addressed FIRST according to the order of volatility? A. Hard drive B. RAM C. Network attached storage D. USB flash drive

(B)

During a forensics investigation, which of the following must be addressed FIRST according to the order of volatility? A. Hard drive B. RAM C. Network-attached storage D. USB flash drive

(B)

During a recent audit, it was discovered that several user accounts belonging to former employees were still active and had valid VPN permissions. Which of the following would help reduce the amount of risk the organization incurs in this situation in the future? A. Time-of-day restrictions B. User access reviews C. Group-based privileges D. Change management policies

(B)

During a security audit of a company's network, unsecure protocols were found to be in use. A network administrator wants to ensure browser-based access to company switches is using the most secure protocol. Which of the following protocols should be implemented? A. SSH2 B. TLS1.2 C. SSL1.3 D. SNMPv3

(B)

Ipconfig

Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Uses 3-way handshake, uses an encrypted challenge to be able to send these credentials across the network. Once the client and server initially connect, the server will send a challenge message to the client. The client then combines the password with that challenge message and sends a hash back to the server

Secure Copy Protocol (SCP)

a means of securely transferring computer files between a local host and a remote host or between two remote hosts. It is based on the Secure Shell (SSH) protocol

Data Execution Prevention (DEP)

a security feature that can help prevent damage to your computer from viruses and other security threats

Simple Network Management Protocol (SNMP)

a way for different devices on a network to share information with one another. Helps identify devices, monitor network performance, keep track of changes to the network, or determine status of network devices in real time

Mandatory Access Control (MAC)

admins create a set of levels and each user is linked with a specific access level. Admin can access all resources that are not greater than his access level

Federation

allows SSO without passwords bc of the trust between the two systems

Network Address Translation (NAT)

allows a router to modify packets to allow for multiple devices to share a single IP address

Key Escrow

an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.

Hypertext Transfer Protocol Secure - HTTPS

an encrypted form of information transfer on the Internet that combines HTTP and TLS

Cross-Site Scripting (XSS)

attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application. Injection attack, javascript

Single Sign-on (SSO)

authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials

Mean Time Between Failures (MTBF)

average time between system breakdowns

EAP (Extensible Authentication Protocol)

by itself is only an authentication framework.

tracert

command-line utility that you can use to trace the path that an Internet Protocol (IP) packet takes to its destination

Remote Access Server (RAS)

contact point between the remote user and the network ex. VPN

Access Control List (ACL)

contains rules that grant or deny access to certain digital environments

Remote Access Trojan (RAT)

creates a virtual back door on your computer. That back door provides hackers with remote access to your system whenever they want to take advantage of it.

Secure Shell (SSH)

cryptographic network protocol for operating network services securely over an unsecured network

Sideloading apps

process of installing apps on your computer that hasn't gone through the certification process

Internet Authentication Service (IAS)

proprietary network server belonging to Microsoft, side server, not directly in the path of any connection. Provides centralized authentication, authorization, and accounting.

Security Assertion Markup Language (SAML)

protocol for authenticating web servers, allows identity providers (IdP) to pass authorization credentials to service providers (SP), can use one set of credentials to logon to many diff websites

Extensible Authentication Protocol (EAP)

protocol for wireless networks that expands on authentication methods used by the Point-to-Point protocol (PPP), a protocol often used when connecting to a computer to the Internet

SNMPv3

provides security with authentication and privacy, and its administration offers logical contexts, view-based access control, and remote configuration. This technology is available for networks, systems, applications, manager-to-manager communications, and proxy management of legacy systems.

Fuzz-based Testing

quality assurance technique used to discover coding errors and security loopholes

Salt

random data that is used as an additional input to a one-way function that hashes data, password or phrase, used to safeguard passwords in storage

Recovery Time Objective (RTO)

refers to how much time an application can be down without causing significant damage to the business

File Transfer Protocol Secure (FTPS)

secure file transfer protocol that allows you to connect securely with your trading partners, customers, and users.

Intrusion Detection System (IDS) logs

simplify the job of detecting attacks well before the actual attack by tracing the trails that the attacker leaves while gathering intelligence about a network

X.509 Certificate

standard format for public key certificates. Uses public key, digital signature, and info about both identity associated with the certificate and its issuing certificate authority (CA). Combined into chains for validation

End-of-Life (EOL)

term used with respect to a product supplied to customers, indicating that the product is in the end of its useful life (from the vendor's point of view), and a vendor stops marketing, selling, or rework sustaining it. (The vendor may simply intend to limit or end support for the product.)

Recovery Point Objective (RPO)

the amount of data that can be lost before significant damage to the business occurs

Mean Time To Recovery (MTTR)

the average amount of time it takes to recover from a product or system failure

A Chief Information Officer (CIO) asks the company's security specialist if the company should spend any funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware infection for a server is 5 and the annual cost for the malware protection is $2500. Which of the following SLE values warrants a recommendation against purchasing the malware protection? A. $500 B. $1000 C. $2000 D. $2500

(A)

A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The CIO wants to keep control over key visibility and management. Which of the following would be the BEST solution for the CIO to implement?" A. HSM B. CA C. SSH D. SSL

(A)

A Chief Information Officer (CIO) recently saw on the news that a significant security flaws exists with a specific version of a technology the company uses to support many critical application. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information? A. Penetration test B. Vulnerability scan C. Active reconnaissance D. Patching assessment report

(A)

A Chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the public-facing servers in the domain. Which of the following is a secure solution that is the MOST cost effective? A. Create and install a self-signed certificate on each of the servers in the domain. B. Purchase a load balancer and install a single certificate on the load balancer. C. Purchase a wildcard certificate and implement it on every server. D. Purchase individual certificates and apply them to the individual servers.

(A)

A Chief Information Security Officer (CISO) has instructed the information assurance staff to act upon a fast-spreading virus. Which of the following steps in the incident response process should be taken NEXT? A. Identification B. Eradication C. Escalation D. Containment

(A)

A Chief Information Security Officer (CISO) has tasked a security analyst with assessing the security posture of an organization and which internal factors would contribute to a security compromise. The analyst performs a walk-through of the organization and discovers there are multiple instances of unlabeled optical media on office desks. Employees in the vicinity either do not claim ownership or disavow any knowledge concerning who owns the media. Which of the following is the MOST immediate action to be taken? A. Confiscate the media and dispose of it in a secure manner as per company policy. B. Confiscate the media, insert it into a computer, find out what is on the disc, and then label it and return it to where it was found. C. Confiscate the media and wait for the owner to claim it. If it is not claimed within one month, shred it. D. Confiscate the media, insert it into a computer, make a copy of the disc, and then return the original to where it was found.

(A)

A coffee company has hired an IT consultant to set up a WiFi network that will provide Internet access to customers who visit the company's chain of cafés. The coffee company has provided no requirements other than that customers should be granted access after registering via a web form and accepting the terms of service. Which of the following is the MINIMUM acceptable configuration to meet this single requirement? A. Captive portal B. WPA with PSK C. Open WiFi D. WPS

(A)

A company exchanges information with a business partner. An annual audit of the business partner is conducted against the SLA in order to verify: A. Performance and service delivery metrics B. Backups are being performed and tested C. Data ownership is being maintained and audited D. Risk awareness is being adhered to and enforced

(A)

A company has critical systems that are hosted on an end-of-life OS. To maintain operations and mitigate potential vulnerabilities, which of the following BEST accomplishes this objective? A. Use application whitelisting. B. Employ patch management. C. Disable the default administrator account. D. Implement full-disk encryption.

(A)

A company is deploying a new VoIP phone system. They require 99.999% uptime for their phone service and are concerned about their existing data network interfering with the VoIP phone system. The core switches in the existing data network are almost fully saturated. Which of the following options will pro-vide the best performance and availability for both the VoIP traffic, as well as the traffic on the existing data network? A. Put the VoIP network into a different VLAN than the existing data network. B. Upgrade the edge switches from 10/100/1000 to improve network speed C. Physically separate the VoIP phones from the data network D. Implement flood guards on the data network

(A)

A company is performing an analysis of the corporate enterprise network with the intent of identifying any one system, person, function, or service that, when neutralized, will cause or cascade disproportionate damage to the company's revenue, referrals, and reputation. Which of the following an element of the BIA that this action is addressing? A. Identification of critical systems B. Single point of failure C. Value assessment D. Risk register

(A)

A company is performing an analysis of which corporate units are most likely to cause revenue loss in the event the unit is unable to operate. Which of the following is an element of the BIA that this action is addressing? A. Critical system inventory B. Single point of failure C. Continuity of operations D. Mission-essential functions

(A)

A company offers SaaS, maintaining all customers' credentials and authenticating locally. Many large customers have requested the company offer some form of federation with their existing authentication infrastructures. Which of the following would allow customers to manage authentication and authorizations from within their existing organizations? A. Implement SAML so the company's services may accept assertions from the customers' authentication servers. B. Provide customers with a constrained interface to manage only their users' accounts in the company's active directory server. C. Provide a system for customers to replicate their users' passwords from their authentication service to the company's. D. Use SOAP calls to support authentication between the company's product and the customers' authentication servers.

(A)

A company recently installed fingerprint scanners at all entrances to increase the facility's security. The scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid users were denied entry. Which of the following measurements do these users fall under? A. FRR B. FAR C. CER D. SLA

(A)

A company researched the root cause of a recent vulnerability in its software. It was determined that the vulnerability was the result of two updates made in the last release. Each update alone would not have resulted in the vulnerability. In order to prevent similar situations in the future, the company should improve which of the following? A. Change management procedures B. Job rotation policies C. Incident response management D. Least privilege access controls

(A)

A company stores highly sensitive data files used by the accounting system on a server file share. The accounting system uses a service account named accounting-svc to access the file share. The data is protected will a full disk encryption, and the permissions are set as follows: File system permissions: Users = Read Only Share permission: accounting-svc = Read Only Given the listed protections are in place and unchanged, to which of the following risks is the data still subject? A. Exploitation of local console access and removal of data B. Theft of physical hard drives and a breach of confidentiality C. Remote exfiltration of data using domain credentials D. Disclosure of sensitive data to third parties due to excessive share permissions

(A)

A company that processes sensitive information has implemented a BYOD policy and an MDM solution to secure sensitive data that is processed by corporate and personally owned mobile devices. Which of the following should the company implement to prevent sensitive data from being stored on mobile devices? A. VDI B. Storage segmentation C. Containerization D. USB OTG E. Geofencing

(A)

A company wants to configure its wireless network to require username and password authentication. Which of the following should the systems administrator implement? A. WPS B. PEAP C. TKIP D. PKI

(A)

A company wants to host a publicly available server that performs the following functions: Evaluates MX record lookup Can perform authenticated requests for A and AAA records Uses RRSIG Which of the following should the company use to fulfill the above requirements? A. DNSSEC B. SFTP C. nslookup D. dig E. LDAPS

(A)

A company wishes to move all of its services and applications to a cloud provider but wants to maintain full control of the deployment, access, and provisions of its services to its users. Which of the following BEST represents the required cloud deployment model? A. SaaS B. IaaS C. MaaS D. Hybrid E. Private

(A)

A company's IT staff is given the task of securely disposing of 100 server HDDs. The security team informs the IT staff that the data must not be accessible by a third party after disposal. Which of the following is the MOST time-efficient method to achieve this goal? A. Use a degausser to sanitize the drives. B. Remove the platters from the HDDs and shred them. C. Perform a quick format of the HDD drives. D. Use software to zero fill all of the hard drives.

(A)

A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take? A. Identify the source of the active connection B. Perform eradication of active connection and recover C. Performance containment procedure by disconnecting the server D. Format the server and restore its initial configuration

(A)

A consultant is configuring a vulnerability scanner for a large, global organization in multiple countries. The consultant will be using a service account to scan systems with administrative privileges on a weekly basis, but there is a concern that hackers could gain access to the account and pivot throughout the global network. Which of the following would be BEST to help mitigate this concern? A. Create different accounts for each region, each configured with push MFA notifications. B. Create one global administrator account and enforce Kerberos authentication. C. Create different accounts for each region, limit their logon times, and alert on risky logins. D. Create a guest account for each region, remember the last ten passwords, and block password reuse.

(A)

A contracting company recently completed its period of performance on a government contract and would like to destroy all information associated with contract performance. Which of the following is the best NEXT step for the company to take? A. Consult data disposition policies in the contract. B. Use a pulper or pulverizer for data destruction. C. Retain the data for a period no more than one year. D. Burn hard copies containing PII or PHI

(A)

A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user's machine with protocols to connect to the Unix web server, which is behind a firewall. Which of the following protocols does the technician MOST likely need to configure? A. SSH B. SFTP C. HTTPS D. SNMP

(A)

A forensics analyst is investigating a hard drive for evidence of suspected illegal activity. Which of the following should the analyst do FIRST? A. Create a hash of the hard drive. B. Export the Internet history. C. Save a copy of the case number and date as a text file in the root directory. D. Back up the pictures directory for further inspection.

(A)

A highly complex password policy has made it nearly impossible to crack account passwords. Which of the following might a hacker still be able to perform? A. Pass-the-hash attack B. ARP poisoning attack C. Birthday attack D. Brute force attack

(A)

A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file download from a social media site and subsequently installed it without the user's knowledge. Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker MOST likely use to gain access? A. A bot B. A fileless virus C. A logic bomb D. A RAT

(A)

A malicious attacker has intercepted HTTP traffic and inserted an ASCII line that sets the referrer URL. Which of the following is the attacker most likely utilizing? A. Header manipulation B. Cookie hijacking C. Cross-site scripting D. Xml injection

(A)

A network administrator at a large organization is reviewing methods to improve the security of the wired LAN. Any security improvement must be centrally managed and allow corporate-owned devices to have access to the intranet but limit others to Internet access only. Which of the following should the administrator recommend? A. 802.1X utilizing the current PKI infrastructure B. SSO to authenticate corporate users C. MAC address filtering with ACLs on the router D. PAM for users account management

(A)

A network administrator is implementing multifactor authentication for employees who travel and use company devices remotely by using the company VPN. Which of the following would provide the required level of authentication? A. 802.1X and OTP B. Fingerprint scanner and voice recognition C. RBAC and PIN D. Username/Password and TOTP

(A)

A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the Internet regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this? A. Configure the OS default TTL to 1 B. Use NAT on the R&D network C. Implement a router ACL D. Enable protected ports on the switch

(A)

A network administrator was concerned during an audit that users were able to use the same passwords the day after a password change policy took effect. The following settings are in place: - Users must change their passwords every 30 days. - Users cannot reuse the last 10 passwords. Which of the following settings would prevent users from being able to immediately reuse the same passwords? A. Minimum password age of five days B. Password history of ten passwords C. Password length greater than ten characters D. Complex passwords must be used

(A)

A new security policy in an organization requires that all file transfers within the organization be completed using applications that provide secure transfer. Currently, the organization uses FTP and HTTP to transfer files. Which of the following should the organization implement in order to be compliant with the new policy? A. Replace FTP with SFTP and replace HTTP with TLS B. Replace FTP with FTPS and replaces HTTP with TFTP C. Replace FTP with SFTP and replace HTTP with Telnet D. Replace FTP with FTPS and replaces HTTP with IPSec

(A)

A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? A. Banner grabbing B. Port scanning C. Packet sniffing D. Virus scanning

(A)

A security administrator is adding a NAC requirement for all VPN users to ensure the connecting devices are compliant with company policy. Which of the following items provides the HIGHEST assurance to meet this requirement? A. Implement a permanent agent. B. Install antivirus software. C. Use an agentless implementation. D. Implement PKI.

(A)

A security administrator is investigating many recent incidents of credential theft for users accessing the company's website, despite the hosting web server requiring HTTPS for access. The server's logs show the website leverages the HTTP POST method for carrying user authentication details. Which of the following is the MOST likely reason for compromise? A. The HTTP POST method is not protected by HTTPS. B. The web server is running a vulnerable SSL configuration. C. The HTTP response is susceptible to sniffing. D. The company doesn't support DNSSEC.

(A)

A security administrator is reviewing the following firewall configuration after receiving reports that users are unable to connect to remote websites: 10 PERMIT FROM ANY TO:ANY PORT: 80 20 PERMIT FROM:ANY TO:ANY PORT: 443 30 DENY FROM: ANY TO:ANY PORT:ANY Which of the following is the MOST secure solution the security administrator can implement to fix this issue? A. Add the following rule to the firewall: 5 PERMIT FROM:ANY TO:ANY PORT:53 B. Replace rule number 10 with the following rule: 10 PERMIT FROM:ANY TO:ANY PORT:22 C. Insert the following rule in the firewall: 25 PERMIT FROM:ANY TO:ANY PORTS:ANY D. Remove the following rule from the firewall: 30 DENY FROM:ANY TO:ANY PORT:ANY

(A)

A security administrator needs an external vendor to correct an urgent issue with an organization's physical access control system (PACS). The PACS does not currently have internet access because it is running a legacy operation system. Which of the following methods should the security administrator select the best balances security and efficiency? A. Temporarily permit outbound internet access for the pacs so desktop sharing can be set up B. Have the external vendor come onsite and provide access to the PACS directly C. Set up VPN concentrator for the vendor and restrict access to the PACS using desktop sharing D. Set up a web conference on the administrator's pc; then remotely connect to the pacs

(A)

A security administrator needs to implement a system that detects possible intrusions based upon a vendor provided list. Which of the following BEST describes this type of IDS? A. Signature based B. Heuristic C. Anomaly-based D. Behavior-based

(A)

A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use? A. dd B. chmod C. dnaenum D. logger

(A)

A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions? A. Nmap B. Wireshark C. Autopsy D. DNSEnum

(A)

A security administrator wants to implement a logon script that will prevent MITM attacks on the local LAN. Which of the following commands should the security administrator implement within the script to accomplish this task? A. arp - s 192.168.1.1 00-3a-d1-fa-b1-06 B. dig - [email protected] mypc.comptia.com C. nmap - A - T4 192.168.1.1 D. tcpdump - lnv host 192.168.1.1 or either 00:3a:d1:fa:b1:06

(A)

A security analyst is emailing PII in a spreadsheet file to an audit validator for after-actions related to a security assessment. The analyst must make sure the PII data is protected with the following minimum requirements: - Ensure confidentiality at rest. - Ensure the integrity of the original email message. Which of the following controls would ensure these data security requirements are carried out? A. Encrypt and sign the email using S/MIME. B. Encrypt the email and send it using TLS. C. Hash the email using SHA-1. D. Sign the email using MD5.

(A)

A security analyst is implementing PKI-based functionality to a web application that has the following requirements: - File contains certificate information - Certificate chains - Root authority certificates - Private key All of these components will be part of one file and cryptographically protected with a password. Given this scenario, which of the following certificate types should the analyst implement to BEST meet these requirements? A. .pfx certificate B. .cer certificate C. .der certificate D. .crt certificate

(A)

A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic. Which of the following should be used for the IDS implementation? A. Network tap B. Honeypot C. Aggregation D. Port mirror

(A)

A security analyst is reviewing an assessment report that includes software versions, running services, supported encryption algorithms, and permission settings. Which of the following produced the report? A. Vulnerability scanner B. Protocol analyzer C. Network mapper D. Web inspector

(A)

A security analyst is securing smartphones and laptops for a highly mobile workforce. Priorities include: - Remote wipe capabilities - Geolocation services - Patch management and reporting - Mandatory screen locks - Ability to require passcodes and pins - Ability to require encryption Which of the following would BEST meet these requirements? A. Implementing MDM software B. Deploying relevant group policies to the devices C. Installing full device encryption D. Removing administrative rights to the devices

(A)

A security analyst wants to harden the company's VoIP PBX. The analyst is worried that credentials may be intercepted and compromised when IP phones authenticate with the BPX. Which of the following would best prevent this from occurring? A. Implement SRTP between the phones and the PBX. B. Place the phones and PBX in their own VLAN. C. Restrict the phone connections to the PBX. D. Require SIPS on connections to the PBX.

(A)

A security consultant is setting up a new electronic messaging platform and wants to ensure the platform supports message integrity validation. Which of the following protocols should the consultant recommend? A. S/MIME B. DNSSEC C. RADIUS D. 802.11x

(A)

A security engineer at a manufacturing company is implementing a third-party cloud application. Rather than creating users manually in the application, the engineer decides to use the SAML protocol. Which of the following is being used for this implementation? A. The manufacturing company is the service provider, and the cloud company is the identity provider. B. The manufacturing company is the authorization provider, and the cloud company is the service provider. C. The manufacturing company is the identity provider, and the cloud company is the OAuth provider. D. The manufacturing company is the identity provider, and the cloud company is the service provider. E. The manufacturing company is the service provider, and the cloud company is the authorization provider.

(A)

A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using? A. The Diamond Model of Intrusion Analysis B. The Cyber Kill Chain C. The MITRE CVE database D. The incident response process

(A)

A security specialist is notified about a certificate warning that users receive when using a new internal website. After being given the URL from one of the users and seeing the warning, the security specialist inspects the certificate and realizes it has been issued to the IP address, which is how the developers reach the site. Which of the following would BEST resolve the issue? A. OSCP B. OID C. PEM D. SAN

(A)

A security technician has been given the task of preserving emails that are potentially involved in a dispute between a company and a contractor. Which of the following BEST describes this forensic concept? A. Legal hold B. Chain of custody C. Order of volatility D. Data acquisition

(A)

A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure? A. Accounting B. Authorization C. Authentication D. Identification

(A)

A server administrator needs to administer a server remotely using RDP, but the specified port is closed on the outbound firewall on the network. The access the server using RDP on a port other than the typical registered port for the RDP protocol? A. TLS B. MPLS C. SCP D. SSH

(A)

A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery? A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis. B. Restrict administrative privileges and patch all systems and applications. C. Rebuild all workstations and install new antivirus software. D. Implement application whitelisting and perform user application hardening.

(A)

A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct FIRST? A. Survey threat feeds from services inside the same industry. B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic C. Conduct an internal audit against industry best practices to perform a qualitative analysis. D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.

(A)

A system uses an application server and database server. Employing the principle of least privilege, only database administrators are given administrative privileges on the database server, and only application team members are given administrative privileges on the application server. Audit and log file reviews are performed by the business unit (a separate group from the database and application teams). The organization wants to optimize operational efficiency when application or database changes are needed, but it also wants to enforce least privilege, prevent modification of log files, and facilitate the audit and log review performed by the business unit. Which of the following approaches would BEST meet the organization's goals? A. Restrict privileges on the log file directory to "read only" and use a service account to send a copy of these files to the business unit. B. Switch administrative privileges for the database and application servers. Give the application team administrative privileges on the database servers and the database team administrative privileges on the application servers. C. Remove administrative privileges from both the database and application servers, and give the business unit "read only" privileges on the directories where the log files are kept. D. Give the business unit administrative privileges on both the database and application servers so they can independently monitor server activity.

(A)

A systems administrator has installed a new UTM that is capable of inspecting SSL/TLS traffic for malicious payloads. All inbound network traffic coming from the Internet and terminating on the company's secure web servers must be inspected. Which of the following configurations would BEST support this requirement? A. The web servers' CA full certificate chain must be installed on the UTM. B. The UTM certificate pair must be installed on the web servers. C. The web servers' private certificate must be installed on the UTM. D. The UTM and web servers must use the same certificate authority.

(A)

A systems administrator has isolated an infected system from the network and terminated the malicious process from executing. Which of the following should the administrator do NEXT according to the incident response process? A. Restore lost data from a backup. B. Wipe the system. C. Document the lessons learned. D. Determine the scope of impact.

(A)

A systems administrator is implementing a remote access method for the system that will utilize GUI. Which of the following protocols would be BEST suited for this? A. TLS B. SSH C. SFTP D. SRTP

(A)

A systems administrator is receiving multiple alerts from the company NIPS. A review of the NIPS logs shows the following: reset both: 70.32.200.2:3194 -> 10.4.100.4:80 buffer overflow attempt reset both: 70.32.200.2:3230 -> 10.4.100.4:80 directory traversal attack reset client: 70.32.200.2:4019 -> 10.4.100.4:80 Blind SQL injection attack Which of the following should the systems administrator report back to management? A. The company web server was attacked by an external source, and the NIPS blocked the attack. B. The company web and SQL servers suffered a DoS caused by a misconfiguration of the NIPS. C. An external attacker was able to compromise the SQL server using a vulnerable web application. D. The NIPS should move from an inline mode to an out-of-band mode to reduce network latency.

(A)

A systems administrator needs to integrate multiple IoT and small embedded devices into the company's wireless network securely. Which of the following should the administrator implement to ensure low-power and legacy devices can connect to the wireless network? A. WPS B. WPA C. EAP-FAST D. 802.1X

(A)

A systems administrator wants to replace the process of using a CRL to verify certificate validity. Which of the following would BEST suit the administrator's needs? A. OCSP B. CSR C. Key escrow D. CA

(A)

The concept of connecting a user account across the systems of multiple enterprises is BEST known as: A. federation. B. a remote access policy. C. multifactor authentication. D. single sign-on.

(A)

A systems engineer is configuring a wireless network. The network must not require installation of third-party software. Mutual authentication of the client and the server must be used. The company has an internal PKI. Which of the following configurations should the engineer choose? A. EAP-TLS B. EAP-TTLS C. EAP-FAST D. EAP-MD5 E. PEAP

(A)

A technician has been asked to document which services are running on each of a collection of 200 servers. Which of the following tools BEST meets this need while minimizing the work required? A. Nmap B. Nslookup C. Netcat D. Netstat

(A)

A technician is configuring a wireless guest network. After applying the most recent changes the technician finds the new devices can no longer find the wireless network by name but existing devices are still able to use the wireless network. Which of the following security measures did the technician MOST likely implement to cause this Scenario? A. Deactivation of SSID broadcast B. Reduction of WAP signal output power C. Activation of 802.1X with RADIUS D. Implementation of MAC filtering E. Beacon interval was decreased

(A)

A technician is required to configure updates on a guest operating system while maintaining the ability to quickly revert the changes that were made while testing the updates. Which of the following should the technician implement? A. Snapshots B. Revert to known state C. Rollback to known configuration D. Shadow copy

(A)

A technician must configure a firewall to block external DNS traffic from entering a network. Which of the following ports should they block on the firewall? A. 53 B. 110 C. 143 D. 443

(A)

A technician needs to document which application versions are listening on open ports. Which of the following is MOST likely to return the information the technician needs? A. Banner grabbing B. Steganography tools C. Protocol analyzer D. Wireless scanner

(A)

A user loses a COPE device. Which of the following should the user do NEXT to protect the data on the device? A. Call the company help desk to remotely wipe the device. B. Report the loss to authorities. C. Check with corporate physical security for the device. D. Identify files that are potentially missing on the device.

(A)

A user needs to transmit confidential information to a third party. Which of the following should be used to encrypt the message? A. AES B. SHA-2 C. SSL D. RSA

(A)

A user receives an email from ISP indicating malicious traffic coming from the user's home network is detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as being taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening? A. The camera system is infected with a bot. B. The camera system is infected with a RAT. C. The camera system is infected with a Trojan. D. The camera system is infected with a backdoor.

(A)

A user typically works remotely over the holidays using a web-based VPN to access corporate resources. The user reports getting untrusted host errors and being unable to connect. Which of the following is MOST likely the case? A. The certificate has expired B. The browser does not support SSL C. The user's account is locked out D. The VPN software has reached the seat license maximum

(A)

A vulnerability scanner that uses its running service's access level to better assess vulnerabilities across multiple assets within an organization is performing a: A. Credentialed scan. B. Non-intrusive scan. C. Privilege escalation test. D. Passive scan.

(A)

A web developer improves client access to the company's REST API. Authentication needs to be tokenized but not expose the client's password. Which of the following methods would BEST meet the developer's requirements? A. SAML B. LDAP C. OAuth D. Shibboleth

(A)

Adhering to a layered security approach, a controlled access facility employs security guards who verify the authorization of all personnel entering the facility. Which of the following terms BEST describes the security control being employed? A. Administrative B. Corrective C. Deterrent D. Compensating

(A)

After a security incident, management is meeting with involved employees to document the incident and its aftermath. Which of the following BEST describes this phase of the incident response process? A. Lessons learned B. Recovery C. Identification D. Preparation

(A)

After correctly configuring a new wireless enabled thermostat to control the temperature of the company's meeting room, Joe, a network administrator determines that the thermostat is not connecting to the internet-based control system. Joe verifies that the thermostat received the expected network parameters and it is associated with the AP. Additionally, the other wireless mobile devices connected to the same wireless network are functioning properly. The network administrator verified that the thermostat works when tested at his residence. Which of the following is the MOST likely reason the thermostat is not connecting to the internet? A. The company implements a captive portal B. The thermostat is using the incorrect encryption algorithm C. the WPA2 shared likely is incorrect D. The company's DHCP server scope is full

(A)

After patching computers with the latest application security patches/updates, users are unable to open certain applications. Which of the following will correct the issue? A. Modifying the security policy for patch management tools B. Modifying the security policy for HIDS/HIPS C. Modifying the security policy for DLP D. Modifying the security policy for media control

(A)

An administrator discovers the following log entry on a server: Nov 12 2013 00:23:45 httpd[2342]: GET /app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow Which of the following attacks is being attempted? A. Command injection B. Password attack C. Buffer overflow D. Cross-site scripting

(A)

The chief security officer (CS0) has issued a new policy that requires that all internal websites be configured for HTTPS traffic only. The network administrator has been tasked to update all internal sites without incurring additional costs. Which of the following is the best solution for the network administrator to secure each internal website? A. Use certificates signed by the company CA B. Use a signing certificate as a wild card certificate C. Use certificates signed by a public ca D. Use a self-signed certificate on each internal server

(A)

An administrator has configured a new Linux server with the FTP service. Upon verifying that the service was configured correctly, the administrator has several users test the FTP service. Users report that they are able to connect to the FTP service and download their personal files, however, they cannot transfer new files to the server. Which of the following will most likely fix the uploading issue for the users? A. Create an ACL to allow the FTP service write access to user directories B. Set the Boolean selinux value to allow FTP home directory uploads C. Reconfigure the ftp daemon to operate without utilizing the PSAV mode D. Configure the FTP daemon to utilize PAM authentication pass through user permissions

(A)

An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection. Which of the following AES modes of operation would meet this integrity-only requirement? A. HMAC B. PCBC C. CBC D. GCM E. CFB

(A)

An administrator is testing the collision resistance of different hashing algorithms. Which of the following is the strongest collision resistance test? A. Find two identical messages with different hashes B. Find two identical messages with the same hash C. Find a common has between two specific messages D. Find a common hash between a specific message and a random message

(A)

An attachment that was emailed to finance employees contained an embedded message. The security administrator investigates and finds the intent was to conceal the embedded information from public view. Which of the following BEST describes this type of message? A. Obfuscation B. Stenography C. Diffusion D. BCRYPT

(A)

An attacker compromises a public CA and issues unauthorized X.509 certificates for Company.com. In the future, Company.com wants to mitigate the impact of similar incidents. Which of the following would assist Company.com with its goal? A. Certificate pinning B. Certificate stapling C. Certificate chaining D. Certificate with extended validation

(A)

An auditor is reviewing the following output from a password-cracking tool: Which of the following methods did the auditor MOST likely use? user1: Password1 user2: Recovery! user3: Alaskan10 user4: 4Private user5: PerForMance2 A. Hybrid B. Dictionary C. Brute force D. Rainbow table

(A)

An in-house penetration tester is using a packet capture device to listen in on network communications. This is an example of: A. Passive reconnaissance B. Persistence C. Escalation of privileges D. Exploiting the switch

(A)

An incident responder is preparing to acquire images and files from a workstation that has been compromised. The workstation is still powered on and running. Which of the following should be acquired LAST? A. Application files on hard disk B. Processor cache C. Processes in running memory D. Swap space

(A)

An incident responder receives a call from a user who reports a computer is exhibiting symptoms consistent with a malware infection. Which of the following steps should the responder perform NEXT? A. Capture and document necessary information to assist in the response. B. Request the user capture and provide a screenshot or recording of the symptoms. C. Use a remote desktop client to collect and analyze the malware in real time. D. Ask the user to back up files for later recovery.

(A)

An information security specialist is reviewing the following output from a Linux server. user@server:~$ crontab -1 5 * * * * /usr/local/bin/backup.sh #!/bin/bash if ! grep - - quiet joeuser/etc/passwd then rm -rf / fi Based on the above information, which of the following types of malware was installed on the server? A. Logic bomb B. Trojan C. Backdoor D. Ransomware E. Rootkit

(A)

An organization has air gapped a critical system. Which of the following BEST describes the type of attacks that are prevented by this security measure? A. Attacks from another local network segment B. Attacks exploiting USB drives and removable media C. Attacks that spy on leaked emanations or signals D. Attacks that involve physical intrusion or theft

(A)

An organization has implemented an IPSec VPN access for remote users. Which of the following IPSec modes would be the MOST secure for this organization to implement? A. Tunnel mode B. Transport mode C. AH-only mode D. ESP-only mode

(A)

An organization is working with a cloud services provider to transition critical business applications to a hybrid cloud environment. The organization retains sensitive customer data and wants to ensure the provider has sufficient administrative and logical controls in place to protect its data. In which of the following documents would this concern MOST likely be addressed? A. Service level agreement B. Interconnection security agreement C. Non-disclosure agreement D. Business process analysis

(A)

An organization plans to implement multifactor authentication techniques within the enterprise network architecture. Each authentication factor is expected to be a unique control. Which of the following BEST describes the proper employment of multifactor authentication? A. Proximity card, fingerprint scanner, PIN B. Fingerprint scanner, voice recognition, proximity card C. Smart card, user PKI certificate, privileged user certificate D. Voice recognition, smart card, proximity card

(A)

An organization uses application whitelisting to help prevent zero-day attacks. Malware was recently identified on one client, which was able to run despite the organization's application whitelisting approach. The forensics team has identified the malicious file, conducted a post-incident analysis, and compared this with the original system baseline. The team sees the following output: filename hash (SHA-1) original: winSCP.exe 2d da b1 4a 98 fc f1 98 06 b1 e5 26 b2 df e5 f5 3e cb 83 el latest: winSCP.exe a3 4a c2 4b 85 fa f2 dd 0b ba f4 16 b2 df f2 4b 3f ac 4a e1 Which of the following identifies the flaw in the team's application whitelisting approach? A. Their approach uses executable names and not hashes for the whitelist. B. SHA-1 has known collision vulnerabilities and should not be used. C. The original baseline never captured the latest file signature D. Zero-day attacks require the latest file signatures

(A)

An organization wants to implement a solution that allows for automated logical controls for network defense. An engineer plans to select an appropriate network security component, which automates response actions based on security threats to the network. Which of the following would be MOST appropriate based on the engineer's requirements? A. NIPS B. HIDS C. Web proxy D. Elastic load balancer E. NAC

(A)

An organization wants to separate permissions for individuals who perform system changes from individuals who perform auditing of those system changes. Which of the following access control approaches is BEST suited for this? BD663BA4DCC6C24D0ADDFDC59A530F15 A. Assign administrators and auditors to different groups and restrict permissions on system log files to read-only for the auditor group. B. Assign administrators and auditors to the same group, but ensure they have different permissions based on the function they perform. C. Create two groups and ensure each group has representation from both the auditors and the administrators so they can verify any changes that were made. D. Assign file and folder permissions on an individual user basis and avoid group assignment altogether.

(A)

An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which of the following technologies is the provider referring? A. Open ID Connect B. SAML C. XACML D. LDAP

(A)

Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario? A. Watering-hole attack B. Credential harvesting C. Hybrid warfare D. Pharming

(A)

Corporations choose to exceed regulatory framework standards because of which of the following incentives? A. It improves the legal defensibility of the company. B. It gives a social defense that the company is not violating customer privacy laws. C. It proves to investors that the company takes APT cyber actors seriously D. It results in overall industrial security standards being raised voluntarily.

(A)

During a monthly vulnerability scan, a server was flagged for being vulnerable to an Apache Struts exploit. Upon further investigation, the developer responsible for the server informs the security team that Apache Struts is not installed on the server. Which of the following BEST describes how the security team should reach to this incident? A. The finding is a false positive and can be disregarded B. The Struts module needs to be hardened on the server C. The Apache software on the server needs to be patched and updated D. The server has been compromised by malware and needs to be quarantined.

(A)

During a recent audit, several undocumented and unpatched devices were discovered on the internal network. Which of the following can be done to prevent similar occurrences? A. Run weekly vulnerability scans and remediate any missing patches on all company devices B. Implement rogue system detection and configure automated alerts for new devices C. Install DLP controls and prevent the use of USB drives on devices D. Configure the WAPs to use NAC and refuse connections that do not pass the health check

(A)

During a risk assessment, results show that a fire in one of the company's datacenters could cost up to $20 million in equipment damages and lost revenue. As a result, the company insures the datacenter for up to $20 million damages for the cost of $30,000 a year. Which of the following risk response techniques has the company chosen? A. Transference B. Avoidance C. Mitigation D. Acceptance

(A)

During a routine vulnerability assessment, the following command was successful: echo "vrfy 'perl -e 'print "hi" x 500 ' ' " | nc www.company.com 25 Which of the following vulnerabilities is being exploited? A. Buffer overflow directed at a specific host MTA B. SQL injection directed at a web server C. Cross-site scripting directed at www.company.com D. Race condition in a UNIX shell script

(A)

Following the successful response to a data-leakage incident, the incident team lead facilitates an exercise that focuses on continuous improvement of the organization's incident response capabilities. Which of the following activities has the incident team lead executed? A. Lessons learned review B. Root cause analysis C. Incident audit D. Corrective action exercise

(A)

Given the following requirements: - Help to ensure non-repudiation - Capture motion in various formats Which of the following physical controls BEST matches the above descriptions? A. Camera B. Mantrap C. Security guard D. Motion sensor

(A)

In a lessons-learned report, it is suspected that a well-organized, well-funded, and extremely sophisticated group of attackers may have been responsible for a breach at a nuclear facility. Which of the following describes the type of actors that may have been implicated? A. Nation-state B. Hacktivist C. Insider D. Competitor

(A)

In terms of encrypting data, which of the following is BEST described as a way to safeguard password data by adding random data to it in storage? A. Using salt B. Using hash algorithms C. Implementing elliptical curve D. Implementing PKI

(A)

In which of the following risk management strategies would cybersecurity insurance be used? A. Transference B. Avoidance C. Acceptance D. Mitigation

(A)

Joe a computer forensic technician responds to an active compromise of a database server. Joe first collects information in memory, then collects network traffic and finally conducts an image of the hard drive. Which of the following procedures did Joe follow? A. Order of volatility B. Chain of custody C. Recovery procedure D. Incident isolation

(A)

Joe notices there are several user accounts on the local network generating spam with embedded malicious code. Which of the following technical control should Joe put in place to BEST reduce these incidents? A. Account lockout B. Group Based Privileges C. Least privilege D. Password complexity

(A)

Joe, a salesman, was assigned to a new project that requires him to travel to a client site. While waiting for a flight, Joe, decides to connect to the airport wireless network without connecting to a VPN, and the sends confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon investigation, the company learns Joe's emails were intercepted. Which of the following MOST likely caused the data breach? A. Policy violation B. Social engineering C. Insider threat D. Zero-day attack

(A)

Malicious traffic from an internal network has been detected on an unauthorized port on an application server. Which of the following network-based security controls should the engineer consider implementing? A. ACLs B. HIPS C. NAT D. MAC filtering

(A)

Question 88

(A)

Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server? A. The document is a honeyfile and is meant to attract the attention of a cyberintruder. B. The document is a backup file if the system needs to be recovered. C. The document is a standard file that the OS needs to verify the login credentials. D. The document is a keylogger that stores all keystrokes should the account be compromised.

(A)

Which of the following allows an auditor to test proprietary-software compiled code for security flaws? A. Fuzzing B. Static review C. Code signing D. Regression testing

(A)

Which of the following are MOST susceptible to birthday attacks? A. Hashed passwords B. Digital certificates C. Encryption passwords D. One time passwords

(A)

Which of the following attacks can be mitigated by proper data retention policies? A. Dumpster diving B. Man-in-the-browser C. Spear phishing D. Watering hole

(A)

Which of the following attacks can be used to exploit a vulnerability that was created by untrained users? A. A spear-phishing email with a file attachment. B. A DoS using IoT devices C. An evil twin wireless access point D. A domain hijacking of a bank website

(A)

Which of the following attacks can be used to exploit a vulnerability that was created by untrained users? A. A spear-phishing email with a file attachment. B. A DoS using IoT devices C. An evil twin wireless access point D. A domain hijacking of a bank website BD663BA4DCC6C24D0ADDFDC59A530F15

(A)

Which of the following can be provided to an AAA system for the identification phase? A. Username B. Permissions C. One-time token D. Private certificate

(A)

Which of the following can occur when a scanning tool cannot authenticate to a server and has to rely on limited information obtained from service banners? A. False positive B. Passive reconnaissance C. Access violation D. Privilege escalation

(A)

Which of the following components of printers and MFDs are MOST likely to be used as vectors of compromise if they are improperly configured? A. Embedded web server B. Spooler C. Network interface D. LCD control panel

(A)

Which of the following control types would a backup of server data provide in case of a system issue? A. Corrective B. Deterrent C. Preventive D. Detective

(A)

Which of the following differentiates ARP poisoning from a MAC spoofing attack? A. ARP poisoning uses unsolicited ARP replies. B. ARP poisoning overflows a switch's CAM table. C. MAC spoofing uses DHCPOFFER/DHCPACK packets. D. MAC spoofing can be performed across multiple routers.

(A)

Which of the following differentiates a collision attack from a rainbow table attack? A. A rainbow table attack performs a hash lookup B. A rainbow table attack uses the hash as a password C. In a collision attack, the hash and the input data are equivalent D. In a collision attack, the same input results in different hashes

(A)

Which of the following enables sniffing attacks against a switched network? A. ARP poisoning B. IGMP snooping C. IP spoofing D. SYN flooding

(A)

Which of the following encryption algorithms is used primarily to secure data at rest? A. AES B. SSL C. TLS D. RSA

(A)

Which of the following explains why a vulnerability scan might return a false positive? A. The scan is performed at a time of day when the vulnerability does not exist. B. The test is performed against the wrong host. C. The signature matches the product but not the version information. D. The hosts are evaluated based on an OS-specific profile.

(A)

Which of the following implements two-factor authentication on a VPN? A. Username, password, and source IP B. Public and private keys C. HOTP token and logon credentials D. Source and destination IP addresses

(A)

Which of the following is MOST likely caused by improper input handling? A. Loss of database tables B. Untrusted certificate warning C. Power off reboot loop D. Breach of firewall ACLs

(A)

Which of the following is a compensating control that will BEST reduce the risk of weak passwords? A. Requiring the use of one-time tokens B. Increasing password history retention count C. Disabling user accounts after exceeding maximum attempts D. Setting expiration of user passwords to a shorter time

(A)

Which of the following is a major difference between XSS attacks and remote code exploits? A. XSS attacks use machine language, while remote exploits use interpreted language B. XSS attacks target servers, while remote code exploits target clients C. Remote code exploits aim to escalate attackers' privileges, while XSS attacks aim to gain access only D. Remote code exploits allow writing code at the client side and executing it, while XSS attacks require no code to work

(A)

Which of the following is a security consideration for IoT devices? A. IoT devices have built-in accounts that users rarely access. B. IoT devices have less processing capabilities. C. IoT devices are physically segmented from each other. D. IoT devices have purpose-built applications.

(A)

Which of the following is a technical preventive control? A. Two-factor authentication B. DVR-supported cameras C. Acceptable-use MOTD D. Syslog server

(A)

Which of the following is an example of resource exhaustion? A. A penetration tester requests every available IP address from a DHCP server. B. An SQL injection attack returns confidential data back to the browser. C. Server CPU utilization peaks at 100% during the reboot process. D. System requirements for a new software package recommend having 12GB of RAM, but only BGB are available.

(A)

Which of the following is being used when a malicious actor searches various social media websites to find information about a company's system administrators and help desk staff? A. Passive reconnaissance B. Initial exploitation C. Vulnerability scanning D. Social engineering

(A)

Which of the following is commonly used for federated identity management across multiple organizations? A. SAML B. Active Directory C. Kerberos D. LDAP

(A)

Which of the following is the BEST reason for salting a password hash before it is stored in a database? A. To prevent duplicate values from being stored B. To make the password retrieval process very slow C. To protect passwords from being saved in readable format D. To prevent users from using simple passwords for their access credentials

(A)

Which of the following is the BEST use of a WAF? A. To protect sites on web servers that are publicly accessible B. To allow access to web services of internal users of the organization C. To maintain connection status of all HTTP requests D. To deny access to all websites with certain contents

(A)

Which of the following is the GREATEST risk to a company by allowing employees to physically bring their personal smartphones to work? A. Taking pictures of proprietary information and equipment in restricted areas. B. Installing soft token software to connect to the company's wireless network. C. Company cannot automate patch management on personally-owned devices. D. Increases the attack surface by having more target devices on the company's campus

(A)

Which of the following is the MAIN disadvantage of using SSO? A. The architecture can introduce a single point of failure. B. Users need to authenticate for each resource they access. C. It requires an organization to configure federation. D. The authentication is transparent to the user.

(A)

Which of the following is the primary reason for implementing layered security measures in a cybersecurity architecture? A. It increases the number of controls required to subvert a system B. It decreases the time a CERT has to respond to a security incident. C. It alleviates problems associated with EOL equipment replacement. D. It allows for bandwidth upgrades to be made without user disruption.

(A)

Which of the following is the proper use of a Faraday cage? A. To block electronic signals sent to erase a cell phone B. To capture packets sent to a honeypot during an attack C. To protect hard disks from access during a forensics investigation D. To restrict access to a building allowing only one person to enter at a time

(A)

Which of the following is the proper way to quantify the total monetary damage resulting from an exploited vulnerability? A. Calculate the ALE B. Calculate the ARO C. Calculate the MTBF D. Calculate the TCO

(A)

Which of the following methods minimizes the system interaction when gathering information to conduct a vulnerability assessment of a router? A. Download the configuration B. Run a credentialed scan. C. Conduct the assessmenet during downtime D. Change the routing to bypass the router

(A)

Which of the following must be intact for evidence to be admissible in court? A. Chain of custody B. Order of volatility C. Legal hold D. Preservation

(A)

Which of the following precautions MINIMIZES the risk from network attacks directed at multifunction printers, as well as the impact on functionality at the same time? A. Isolating the systems using VLANs B. Installing a software-based IPS on all devices C. Enabling full disk encryption D. Implementing a unique user PIN access functions

(A)

Which of the following serves to warn users against downloading and installing pirated software on company devices? A. AUP B. NDA C. ISA D. BPA

(A)

Which of the following should a security analyst perform FIRST to determine the vulnerabilities of alegacy system? A. Passive scan B. Aggressive scan C. Credentialed scan D. Intrusive scan

(A)

Which of the following strategies helps reduce risk if a rollback is needed when upgrading a critical system platform? A. Non-persistent configuration B. Continuous monitoring C. Firmware updates D. Fault tolerance

(A)

Which of the following vulnerabilities can lead to unexpected system behavior, including the bypassing of security controls, due to differences between the time of commitment and the time of execution? A. Buffer overflow B. DLL injection C. Pointer dereference D. Race condition

(A)

Which of the following works by implanting software on systems but delays execution until a specific set of conditions is met? A. Logic bomb B. Trojan C. Scareware D. Ransomware

(A)

Which of the following would provide a safe environment for an application to access only the resources needed to function while not having access to run at the system level? A. Sandbox B. Honeypot C. GPO D. DMZ

(A)

While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring? A. A RAT was installed and is transferring additional exploit tools. B. The workstations are beaconing to a command-and-control server. C. A logic bomb was executed and is responsible for the data transfers. D. A fireless virus is spreading in the local network environment.

(A)

While performing surveillance activities, an attacker determines that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security? A. MAC spoofing B. Pharming C. Xmas attack D. ARP poisoning

(A)

While reviewing system logs, a security analyst notices that a large number of end users are changing their passwords four times on the day the passwords are set to expire. The analyst suspects they are cycling their passwords to circumvent current password controls. Which of the following would provide a technical control to prevent this activity from occurring? A. Set password aging requirements. B. Increase the password history from three to five. C. Create an AUP that prohibits password reuse. D. Implement password complexity requirements.

(A)

While testing a new vulnerability scanner, a technician becomes concerned about reports that list security concerns that are not present on the systems being tested. Which of the following BEST describes this flaw? A. False positives B. Crossover error rate C. Uncredentialed scan D. Passive security controls

(A)

communicates to the network switch and assigns the user to the proper VLAN. Which of the following protocols should be used? A. RADIUS B. Kerberos C. LDAP D. MSCHAP

(A)

QUESTION 98 A security analyst is hardening a web server, which should allow a secure certificate-based session using the organization's PKI infrastructure. The web server should also utilize the latest security techniques and standards. Given this set of requirements, which of the following techniques should the analyst implement to BEST meet these requirements? (Select two.) A. Install an X- 509-compliant certificate. B. Implement a CRL using an authorized CA. C. Enable and configure TLS on the server. D. Install a certificate signed by a public CA. E. Configure the web server to use a host header.

(A)(C)

An administrator is implementing a secure web server and wants to ensure that if the web server application is compromised, the application does not have access to other parts of the server or network. Which of the following should the administrator implement? (Choose two.) A. Mandatory access control B. Discretionary access control C. Rule-based access control D. Role-based access control E. Attribute-based access control

(A,C)

A systems engineer wants to leverage a cloud-based architecture with low latency between network-connected devices that also reduces the bandwidth that is required by performing analytics directly on the endpoints. Which of the following would BEST meet the requirements? (Choose two.) A. Private cloud B. SaaS C. Hybrid cloud D. IaaS E. DRaaS F. Fog computing

(AB)

A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, internet and VoIP services are restored, only to go offline again at random intervals. typically, within four minutes of services being restored. Outages continue throughout the day. impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected. Later that day. the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Select TWO). A. DOS B. SSL Stripping C. Memory leak D. Race condition E. Shimming F. Refactoring

(AB)

During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes? A. Physically move the PC to a separate Internet point of presence. B. Create and apply microsegmentation rules. C. Emulate the malware in a heavily monitored DMZ segment. D. Apply network blacklisting rules for the adversary domain.

(AB)

The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to work from home anytime during business hours, including during a pandemic or crisis. However, the CEO is concerned that some staff members may take advantage of the flexibility and work from high-risk countries while on holiday or outsource work to a third-party organization in another country. The Chief Information Officer (CIO) believes the company can implement some basic controls to mitigate the majority of the risk. Which of the following would be BEST to mitigate the CEO's concerns? (Choose two.) A. Geolocation B. Time-of-day restrictions C. Certificates D. Tokens E. Geotagging F. Role-based access controls

(AB)

Which of the following are methods to implement HA in a web application server environment? (Select two.) A. Load balancers B. Application layer firewalls C. Reverse proxies D. VPN concentrators E. Routers

(AB)

Which of the following are the BEST selection criteria to use when assessing hard drive suitability for time-sensitive applications that deal with large amounts of critical information? (Select TWO). A. MTBF B. MTTR C. SLA D. RTO E. MTTF F. RPO

(AB)

Which of the following technologies employ the use of SAML? (Select two.) A. Single sign-on B. Federation C. LDAP D. Secure token E. RADIUS

(AB)

A company is executing a strategy to encrypt and sign all proprietary data in transit. The company recently deployed PKI services to support this strategy. Which of the following protocols supports the strategy and employs certificates generated by the PKI? (Choose three.) A. S/MIME B. TLS C. SFTP D. SAML E. SIP F. IPSec G. Kerberos

(ABC)

A security analyst is performing a quantitative risk analysis. The risk analysis should show the potential monetary loss each time a threat or event occurs. Given this requirement, which of the following concepts would assist the analyst in determining this value? (Select two.) A. ALE B. AV C. ARO D. EF E. ROI

(AC)

Which of the following AES modes of operation provide authentication? (Select two.) A. CCM B. CBC C. GCM D. DSA E. CFB

(AC)

Which of the following concepts ensure ACL rules on a directory are functioning as expected? (Choose two.) A. Accounting B. Authentication C. Auditing D. Authorization E. Non-repudiation

(AC)

A global gaming console manufacturer is launching a new gaming platform to its customers. Which of the following controls reduces the risk created by malicious gaming customers attempting to circumvent control by way of modifying consoles? A. Firmware version control B. Manual software upgrades C. Vulnerability scanning D. Automatic updates E. Network segmentation F. Application firewalls

(AD)

A security analyst is updating a BIA document. The security analyst notices the support vendor's time to replace a server hard drive went from eight hours to two hours. Given these new metrics, which of the following can be concluded? (Select TWO) A. The MTTR is faster. B. The MTTR is slower. C. The RTO has increased. D. The RTO has decreased. E. The MTTF has increased. F. The MTTF has decreased.

(AD)

A systems administrator has been assigned to create accounts for summer interns. The interns are only authorized to be in the facility and operate computers under close supervision. They must also leave the facility at designated times each day. However, the interns can access intern file folders without supervision. Which of the following represents the BEST way to configure the accounts? (Select TWO.) A. Implement time-of-day restrictions. B. Modify archived data. C. Access executive shared portals. D. Create privileged accounts. E. Enforce least privilege.

(AD)

A systems administrator is installing and configuring an application service that requires access to read and write to log and configuration files on a local hard disk partition. The service must run as an account with authorization to interact with the file system. Which of the following would reduce the attack surface added by the service and account? (Choose two.) A. Use a unique managed service account. B. Utilize a generic password for authenticating. C. Enable and review account audit logs. D. Enforce least possible privileges for the account. E. Add the account to the local administrators group. F. Use a guest account placed in a non-privileged users group.

(AD)

An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO) A. TACACS+ B. CHAP C. LDAP D. RADIUS E. MSCHAPv2

(AD)

QUESTION 306 While reviewing the security controls in place for a web-based application, a security controls assessor notices that there are no password strength requirements in place. Because of this vulnerability, passwords might be easily discovered using a brute force attack. Which of the following password requirements will MOST effectively improve the security posture of the application against these attacks? (Select two) A. Minimum complexity B. Maximum age limit C. Maximum length D. Minimum length E. Minimum age limit F. Minimum re-use limit

(AD)

To determine the ALE of a particular risk, which of the following must be calculated? (Select two.) A. ARO B. ROI C. RPO D. SLE E. RTO

(AD)

Which of the following are the MAIN reasons why a systems administrator would install security patches in a staging environment before the patches are applied to the production server? (Select two.) A. To prevent server availability issues B. To verify the appropriate patch is being installed C. To generate a new baseline hash after patching D. To allow users to test functionality E. To ensure users are trained on new functionality

(AD)

Which of the following are used to substantially increase the computation time required to crack a password? (Choose two.) A. BCRYPT B. Substitution cipher C. ECDHE D. PBKDF2 E. Diffie-Hellman

(AD)

Which of the following impacts are associated with vulnerabilities in embedded systems? (Choose two.) A. Repeated exploitation due to unpatchable firmware B. Denial of service due to an integrated legacy operating system. C. Loss of inventory accountability due to device deployment D. Key reuse and collision issues due to decentralized management. E. Exhaustion of network resources resulting from poor NIC management.

(AD)

A security auditor is performing a vulnerability scan to find out if mobile applications used in the organization are secure. The auditor discovers that one application has been accessed remotely with no legitimate account credentials. After investigating, it seems the application has allowed some users to bypass authentication of that application. Which of the following types of malware allow such a compromise to take place? (Choose two.) A. RAT B. Ransomware C. Worm D. Trojan E. Backdoor

(AE)

A systems administrator wants to configure an enterprise wireless solution that supports authentication over HTTPS and wireless encryption using AES. Which of the following should the administrator configure to support these requirements? (Select TWO). A. 802.1X B. RADIUS federation C. WPS D. Captive portal E. WPA2 F. WDS

(AE)

A systems administrator wants to protect data stored on mobile devices that are used to scan and record assets in a warehouse. The control must automatically destroy the secure container of mobile devices if they leave the warehouse. Which of the following should the administrator implement? (Select two.) A. Geofencing B. Remote wipe C. Near-field communication D. Push notification services E. Containerization

(AE)

A user needs to send sensitive information to a colleague using PKI. Which of the following concepts apply when a sender encrypts the message hash with the sender's private key? (Select TWO) A. Non-repudiation B. Email content encryption C. Steganography D. Transport security E. Message integrity

(AE)

An employee opens a web browser and types a URL into the address bar. Instead of reaching the requested site, the browser opens a completely different site. Which of the following types of attacks have MOST likely occurred? (Choose two.) A. DNS hijacking B. Cross-site scripting C. Domain hijacking D. Man-in-the-browser E. Session hijacking

(AE)

Ann, a security administrator, wants to ensure credentials are encrypted in transit when implementing a RADIUS server for SSO. Which of the following are needed given these requirements? (Select TWO) A. Public key B. Shared key C. Elliptic curve D. MD5 E. Private key F. DES

(AE)

Which of the following could occur when both strong and weak ciphers are configured on a VPN concentrator? (Select TWO) A. An attacker could potentially perform a downgrade attack. B. The connection is vulnerable to resource exhaustion. C. The integrity of the data could be at risk. D. The VPN concentrator could revert to L2TP. E. The IPSec payload reverted to 16-bit sequence numbers

(AE)

A CSIRT has completed restoration procedures related to a breach of sensitive data is creating documentation used to improve the organization's security posture. The team has been specifically tasked to address logical controls in their suggestions. Which of the following would be MOST beneficial to include in lessons learned documentation? (Choose two.) A. A list of policies, which should be revised to provide better clarity to employees regarding acceptable use B. Recommendations relating to improved log correlation and alerting tools C. Data from the organization's IDS/IPS tools, which show the timeline of the breach and the activities executed by the attacker D. A list of potential improvements to the organization's NAC capabilities, which would improve AAA within the environment E. A summary of the activities performed during each phase of the incident response activity F. A list of topics that should be added to the organization's security awareness training program based on weaknesses exploited during the attack

(AF)

A security administrator wishes to implement a secure a method of file transfer when communicating with outside organizations. Which of the following protocols would BEST facilitate secure file transfers? (Select TWO) A. SCP B. TFTP C. SNMP D. FTP E. SMTP F. FTPS

(AF)

A security analyst is hardening a large-scale wireless network. The primary requirements are the following: - Must use authentication through EAP-TLS certificates - Must use an AAA server - Must use the most secure encryption protocol Given these requirements, which of the following should the analyst implement and recommend? (Select TWO.) A. 802.1X B. 802.3 C. LDAP D. TKIP E. CCMP F. WPA2-PSK

(AF)

**A security administrator is creating a subnet on one of the corporate firewall interfaces to use as a DMZ which is expected to accommodate at most 14 physical hosts. Which of the following subnets would BEST meet the requirements? A. 192.168.0.16 255.25.255.248 B. 192.168.0.16/28 C. 192.168.1.50 255.255.25.240 D. 192.168.2.32/27

(B)

A Chief Information Security Officer (CISO) is performing a BIA for the organization in case of a natural disaster. Which of the following should be at the top of the CISO's list? A. Identify redundant and high-availability systems. B. Identity mission-critical applications and systems. C. Identify the single point of failure in the system. D. Identity the impact on safety of the property.

(B)

A buffer overflow can result in: A. loss of data caused by unauthorized command execution. B. privilege escalation caused by TPN override. C. reduced key strength due to salt manipulation. D. repeated use of one-time keys.

(B)

A coding error has been discovered on a customer-facing website. The error causes each request to return confidential PHI data for the incorrect organization. The IT department is unable to identify the specific customers who are affected. As a result, all customers must be notified of the potential breach. Which of the following would allow the team to determine the scope of future incidents? A. Intrusion detection system B. Database access monitoring C. Application fuzzing D. Monthly vulnerability scans

(B)

A company has drafted an Insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media? A. Monitoring large data transfer transactions in the firewall logs B. Developing mandatory training to educate employees about the removable media policy C. Implementing a group policy to block user access to system files D. Blocking removable-media devices and write capabilities using a host-based security tool

(B)

A company has purchased a new SaaS application and is in the process of configuring it to meet the company's needs. The director of security has requested that the SaaS application be integrated into the company's IAM processes. Which of the following configurations should the security administrator set up in order to complete this request? A. LDAP B. RADIUS C. SAML D. NTLM

(B)

A company has two wireless networks utilizing captive portals. Some employees report getting a trust error in their browsers when connecting to one of the networks. Both captive portals are using the same server certificate for authentication, but the analyst notices the following differences between the two certificate details: Certificate 1 Certificate Path: Geotrust Global CA *company.com Certificate 2 Certificate Path: *company.com Which of the following would resolve the problem? A. Use a wildcard certificate. B. Use certificate chaining. C. Use a trust model. D. Use an extended validation certificate.

(B)

A company is examining possible locations for a hot site. Which of the following considerations is of MOST concern if the replication technology being used is highly sensitive to network latency? A. Connection to multiple power substations B. Location proximity to the production site C. Ability to create separate caged space D. Positioning of the site across international borders

(B)

A company is experiencing an increasing number of systems that are locking up on Windows startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat. @echo off :asdhbawdhbasdhbawdhb start notepad.exe start notepad.exe start calculator.exe start calculator.exe goto asdhbawdhbasdhbawdhb Given the file contents and the system's issues, which of the following types of malware is present? A. Rootkit B. Logic bomb C. Worm D. Virus

(B)

A company is investigating a data compromise where data exfiltration occurred. Prior to the investigation, the supervisor terminates an employee as a result of the suspected data loss. During the investigation, the supervisor is absent for the interview, and little evidence can be provided form the role-based authentication system in use by the company. The situation can be identified for future mitigation as which of the following? A. Job rotation B. Log failure C. Lack of training D. Insider threat

(B)

A company needs to fix some audit findings related to its physical security. A key finding was that multiple people could physically enter a location at the same time. Which of the following is the BEST control to address this audit finding? A. Faraday cage B. Mantrap C. Biometrics D. Proximity cards

(B)

A company wants to ensure that the validity of publicly trusted certificates used by its web server can be determined even during an extended internet outage. Which of the following should be implemented? A. Recovery agent B. Ocsp C. Crl D. Key escrow

(B)

A consultant has been tasked to assess a client's network. The client reports frequent network outages. Upon viewing the spanning tree configuration, the consultant notices that an old and law performing edge switch on the network has been elected to be the root bridge. Which of the following explains this scenario? A. The switch also serves as the DHCP server B. The switch has the lowest MAC address C. The switch has spanning tree loop protection enabled D. The switch has the fastest uplink port

(B)

A consumer purchases an exploit from the dark web. The exploit targets the online shopping cart of a popular website, allowing the shopper to modify the price of an item as checkout. Which of the following BEST describes this type of user? A. Insider B. Script kiddie C. Competitor D. Hacktivist E. APT

(B)

A security administrator is developing training for corporate users on basic security principles for personal email accounts. Which of the following should be mentioned as the MOST secure way for password recovery? A. Utilizing a single Qfor password recovery B. Sending a PIN to a smartphone through text message C. Utilizing CAPTCHA to avoid brute force attacks D. Use a different e-mail address to recover password

(B)

A copy of a highly confidential salary report was recently found on a printer in the IT department. The human resources department does not have this specific printer mapped to its devices, and it is suspected that an employee in the IT department browsed to the share where the report was located and printed it without authorization. Which of the following technical controls would be the BEST choice to immediately prevent this from happening again? A. Implement a DLP solution and classify the report as confidential, restricting access only to human resources staff B. Restrict access to the share where the report resides to only human resources employees and enable auditing C. Have all members of the IT department review and sign the AUP and disciplinary policies D. Place the human resources computers on a restricted VLAN and configure the ACL to prevent access from the IT Department

(B)

A database backup schedule consists of weekly full backups performed on Saturday at 12:00 a.m. and daily differential backups also performed at 12:00 a.m. If the database is restored on Tuesday afternoon, which of the following is the number of individual backups that would need to be applied to complete the database recovery? A. 1 B. 2 C. 3 D. 4

(B)

A forensic investigator has run into difficulty recovering usable files from a SAN drive. Which of the following SAN features might have caused the problem? A. Storage multipaths B. Deduplication C. iSCSI initiator encryption D. Data snapshots

(B)

A forensics investigator is examining a number of unauthorized payments that were reported on the company's website. Some unusual log entries show users received an email for an unwanted mailing attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be: <a href="https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250">Clickhere to unsubscribe</a> Which of the following will the forensics investigator MOST likely determine has occurred? A. SQL injection B. CSRF C. XSS D. XSRF

(B)

A government contracting company issues smartphones to employees to enable access to corporate resources. Several employees will need to travel to a foreign country for business purposes and will require access to their phones. However, the company recently received intelligence that its intellectual property is highly desired by the same country's government. Which of the following MDM configurations would BEST reduce the disk of compromise while on foreign soil? A. Disable firmware OTA updates. B. Disable location services. C. Disable push notification services. D. Disable wipe.

(B)

A help desk is troubleshooting user reports that the corporate website is presenting untrusted certificate errors to employees and customers when they visit the website. Which of the following is the MOST likely cause of this error, provided the certificate has not expired? A. The certificate was self signed, and the CA was not imported by employees or customers B. The root CA has revoked the certificate of the intermediate CA C. The valid period for the certificate has passed, and a new certificate has not been issued D. The key escrow server has blocked the certificate from being validated

(B)

A hospital has received reports from multiple patients that their PHI was stolen after completing forms on the hospital's website. Upon investigation, the hospital finds a packet analyzer was used to steal data. Which of the following protocols would prevent this attack from reoccurring? A. SFTP B. HTTPS C. FTPS D. SRTP

(B)

A junior systems administrator noticed that one of two hard drives in a server room had a red error notification. The administrator removed the hard drive to replace it but was unaware that the server was configured in an array. Which of the following configurations would ensure no data is lost? A. RAID 0 B. RAID 1 C. RAID 2 D. RAID 3

(B)

A network technician is designing a network for a small company. The network technician needs to implement an email server and web server that will be accessed by both internal employees and external customers. Which of the following would BEST secure the internal network and allow access to the needed servers? A. Implementing a site-to-site VPN for server access. B. Implementing a DMZ segment for the server. C. Implementing NAT addressing for the servers. D. Implementing a sandbox to contain the servers.

(B)

A network technician needs to monitor and view the websites that are visited by an employee. The employee is connected to a network switch. Which of the following would allow the technician to monitor the employee's web traffic? A. Implement promiscuous mode on the NIC of the employee's computer. B. Install and configured a transparent proxy server. C. Run a vulnerability scanner to capture DNS packets on the router. D. Configure a VPN to forward packets to the technician's computer.

(B)

A penetration testing is preparing for a client engagement in which the tester must provide data that proves and validates the scanning tools' results. Which of the following is the best method for collecting this information? A. Set up the scanning system's firewall to permit and log all outbound connections B. Use a protocol analyzer to log all pertinent network traffic C. Configure network flow data logging on all scanning system D. Enable debug level logging on the scanning system and all scanning tools used.

(B)

A security administrator has been asked to implement a VPN that will support remote access over IPSEC. Which of the following is an encryption algorithm that would meet this requirement? A. MD5 B. AES C. UDP D. PKI

(B)

A security administrator is analyzing a user report in which the computer exhibits odd network-related outages. The administrator, however, does not see any suspicious process running. A prior technician's notes indicate the machine has been remediated twice, but the system still exhibits odd behavior. Files were deleted from the system recently. Which of the following is the MOST likely cause of this behavior? A. Crypto-malware B. Rootkit C. Logic bomb D. Session hijacking

(B)

A security administrator is creating a risk assessment with regard to how to harden internal communications in transit between servers. Which of the following should the administrator recommend in the report? A. Configure IPSec in transport mode. B. Configure server-based PKI certificates. C. Configure the GRE tunnel. D. Configure a site-to-site tunnel.

(B)

A security administrator is evaluating three different services: radius, diameter, and Kerberos. Which of the following is a feature that is UNIQUE to Kerberos? A. It provides authentication services B. It uses tickets to identify authenticated users C. It provides single sign-on capability D. It uses XML for cross-platform interoperability

(B)

A security administrator is implementing a secure method that allows developers to place files or objects onto a Linux server. Developers are required to log in using a username, password, and asymmetric key. Which of the following protocols should be implemented? A. SSL/TLS B. SFTP C. SRTP D. IPSec

(B)

A security administrator is tasked with implementing centralized management of all network devices. Network administrators will be required to logon to network devices using their LDAP credentials. All command executed by network administrators on network devices must fall within a preset list of authorized commands and must be logged to a central facility. Which of the following configuration commands should be implemented to enforce this requirement? A. LDAP server 10.55.199.3 B. CN=company, CN=com, OU=netadmin, DC=192.32.10.233 C. SYSLOG SERVER 172.16.23.50 D. TACAS server 192.168.1.100

(B)

A security administrator is trying to encrypt communication. For which of the following reasons should administrator take advantage of the Subject Alternative Name (SAM) attribute of a certificate? A. It can protect multiple domains B. It provides extended site validation C. It does not require a trusted certificate authority D. It protects unlimited subdomains

(B)

A security administrator receives an alert from a third-party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four different browsers in use on more than a thousand computers in the domain worldwide. Which of the following solutions would be BEST for the security administrator to implement to most efficiently assist with this issue? A. SSL B. CRL C. PKI D. ACL

(B)

A security administrator returning from a short vacation receives an account lock-out message when attempting to log into the computer. After getting the account unlocked the security administrator immediately notices a large amount of emails alerts pertaining to several different user accounts being locked out during the past three days. The security administrator uses system logs to determine that the lock-outs were due to a brute force attack on all accounts that has been previously logged into that machine. Which of the following can be implemented to reduce the likelihood of this attack going undetected? A. Password complexity rules B. Continuous monitoring C. User access reviews D. Account lockout policies

(B)

A security administrator wants to implement a company-wide policy to empower data owners to manage and enforce access control rules on various resources. Which of the following should be implemented? A. Mandatory access control B. Discretionary access control C. Role based access control D. Rule-based access control

(B)

A security analyst captures forensic evidence from a potentially compromised system for further investigation. The evidence is documented and securely stored to FIRST: A. maintain the chain of custody. B. preserve the data. C. obtain a legal hold. D. recover data at a later time.

(B)

A security analyst discovers that a company's username and password database was posted on an Internet forum. The username and passwords are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future? A. Create DLP controls that prevent documents from leaving the network B. Implement salting and hashing. C. Configure the web content filter to block access to the forum. D. Increase password complexity requirements.

(B)

A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed? A. Aggressive scan B. Passive scan C. Non-credentialed scan D. Compliance scan

(B)

A security analyst is inspecting the results of a recent internal vulnerability scan that was performed against intranet services. The scan reports include the following critical-rated vulnerability: Title: Remote Command Execution vulnerability in web server Rating: Critical (CVSS 10.0) Threat actor: any remote user of the web server Confidence: certain Recommendation: apply vendor patches Which of the following actions should the security analyst perform FIRST? A. Escalate the issue to senior management. B. Apply organizational context to the risk rating. C. Organize for urgent out-of-cycle patching. D. Exploit the server to check whether it is a false positive.

(B)

A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A. Enable CHAP B. Disable NTLM C. Enable Kerebos D. Disable PAP

(B)

A security analyst is performing a manual audit of captured data from a packet analyzer. The analyst looks for Base64 encoded strings and applies the filter http.authbasic. Which of the following BEST describes what the analyst is looking for? A. Unauthorized software B. Unencrypted credentials C. SSL certificate issues D. Authentication tokens

(B)

A security analyst is performing a manual audit of captured data from a packet analyzer. The analyst looks forbase64 encoded strings and applies the filter http.authbasic. Which of the following describes what the analysts looking for? A. Unauthorized software B. Unencrypted credentials C. SSL certificate issues D. Authentication tokens

(B)

A security analyst is running a credential-based vulnerability scanner on a Windows host. The vulnerability scanner is using the protocol NetBIOS over TCP/IP to connect to various systems, However, the scan does not return any results. To address the issue, the analyst should ensure that which of the following default ports is open on systems? A. 135 B. 137 C. 3389 D. 5060

(B)

A security analyst is specifying requirements for a wireless network. The analyst must explain the security features provided by various architecture choices. Which of the following is provided by PEAP, EAP-TLS, and EAP-TTLS? A. Key rotation B. Mutual authentication C. Secure hashing D. Certificate pinning

(B)

A security analyst monitors the syslog server and notices the following pinging 10.25.27.31 with 65500 bytes of data Reply from 10.25.27.31 bytes=65500 times<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 times<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 times<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 times<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 times<1ms TTL=128 Reply from 10.25.27.31 bytes=65500 times<1ms TTL=128 Which of the following attacks is occurring? A. Memory leak B. Buffer overflow C. Null pointer deference D. Integer overflow

(B)

A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP connections. The analyst is unsure what is required to perform the task and solicits help from a senior colleague. Which of the following is the FIRST step the senior colleague will most likely tell the analyst to perform to accomplish this task? A. Create an OCSP B. Generate a CSR C. Create a CRL D. Generate a .pfx file.

(B)

A security consultant discovers that an organization is using the PCL protocol to print documents, utilizing the default driver and print settings. Which of the following is the MOST likely risk in this situation? A. An attacker can access and change the printer configuration. B. SNMP data leaving the printer will not be properly encrypted. C. An MITM attack can reveal sensitive information. D. An attacker can easily inject malicious code into the printer firmware. E. Attackers can use the PCL protocol to bypass the firewall of client computers.

(B)

A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the fastest check with the least delay to determine if the certificate has been revoked. Which of the following would BEST meet these requirements? A. RA B. OCSP C. CRI D. CSR

(B)

A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective? A. A reverse proxy B. A decryption certificate C. A split-tunnel VPN D. Load-balanced servers

(B)

A security guard has informed the Chief Information Security Officer that a person with a tablet has been walking around the building. The guard also noticed strange white markings in different areas of the parking lot. The person is attempting which of the following types of attacks? A. Jamming B. War chalking C. Packet sniffing D. Near field communication

(B)

A small- to medium-sized company wants to block the use of USB devices on its network. Which of the following is the MOST cost-effective way for the security analyst to prevent this? A. Implement a DLP system B. Apply a GPO C. Conduct user awareness training D. Enforce the AUP.

(B)

A software developer is concerned about DLL hijacking in an application being written. Which of the following is the MOST viable mitigation measure of this type of attack? A. The DLL of each application should be set individually B. All calls to different DLLs should be hard-coded in the application C. Access to DLLs from the Windows registry should be disabled D. The affected DLLs should be renamed to avoid future hijacking

(B)

A software development manager is taking over an existing software development project. The team currently suffers from poor communication due to a long delay between requirements documentation and feature delivery. This gap is resulting in an above average number of security-related bugs making it into production. Which of the following development methodologies is the team MOST likely using now? A. Agile B. Waterfall C. Scrum D. Spiral

(B)

A staff member contacts the help desk because the staff member's device is currently experiencing the following symptoms: • Long delays when launching applications • Timeout errors when loading some websites • Errors when attempting to open local Word documents and photo files • Pop-up messages in the task bar stating that antivirus is out-of-date • VPN connection that keeps timing out, causing the device to lose connectivity • Which of the following BEST describes the root cause of these symptoms? A. The user has disabled the antivirus software on the device, and the hostchecker for the VPN is preventing access. B. The device is infected with crypto-malware, and the files on the device are being encrypted. C. The proxy server for accessing websites has a rootkit installed, and this is causing connectivity issues. D. A patch has been incorrectly applied to the device and is causing issues with the wireless adapter on the device.

(B)

A state-sponsored threat actor has launched several successful attacks against a corporate network. Although the target has a robust patch management program in place, the attacks continue in depth and scope, and the security department has no idea how the attacks are able to gain access. Given that patch management and vulnerability scanners are being used, which of the following would be used to analyze the attack methodology? A. Rogue system detection B. Honeypots C. Next-generation firewall D. Penetration test

(B)

A system administrator wants to provide balance between the security of a wireless network and usability. The administrator is concerned with wireless encryption compatibility of older devices used by some employees. Which of the following would provide strong security and backward compatibility when accessing the wireless network? A. Open wireless network and SSL VPN B. WPA using a preshared key C. WPA2 using a RADIUS back-end for 802.1x authentication D. WEP with a 40-bit key

(B)

A system in the network is used to store proprietary secrets and needs the highest level of security possible. Which of the following should a security administrator implement to ensure the system cannot be reached from the Internet? A. VLAN B. Air gap C. NAT D. Firewall

(B)

A systems administrator has implemented multiple websites using host headers on the same server. The server hosts two websites that require encryption and other websites where encryption is optional. Which of the following should the administrator implement to encrypt web traffic for the required websites? A. Extended domain validation B. TLS host certificate C. OCSP stapling D. Wildcard certificate

(B)

A systems administrator is auditing the company's Active Directory environment. It is quickly noted that the username "company\bsmith" is interactively logged into several desktops across the organization. Which of the following has the systems administrator MOST likely come across? A. Service account B. Shared credentials C. False positive D. Local account

(B)

A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control? A. Discretionary access control B. Mandatory access control C. Role-based access control D. Rule-based access control

(B)

A systems administrator is increasing the security settings on a virtual host to ensure users on one VM cannot access information from another VM. Which of the following is the administrator protecting against? A. VM sprawl B. VM escape C. VM migration D. VM sandboxing

(B)

A systems administrator wants to implement a secure wireless network requiring wireless clients to pre-register with the company and install a PKI client certificate prior to being able to connect to the wireless network. Which of the following should the systems administrator configure? A. EAP-TTLS B. EAP-TLS C. EAP-FAST D. EAP with PEAP E. EAP with MSCHAPv2

(B)

A technician needs to implement a system which will properly authenticate users by their username and password only when the users are logging in from a computer in the office building. Any attempt to authenticate from a location other than the office building should be rejected. Which of the following MUST the technician implement? A. Dual factor authentication B. Transitive authentication C. Single factor authentication D. Biometric authentication

(B)

A technician receives a device with the following anomalies: Frequent pop-up ads Show response-time switching between active programs Unresponsive peripherals The technician reviews the following log file entries: File Name Source MD5 Target MD5 Status antivirus.exe F794F21CD33E4F57890DDEA5CF267ED2 F794F21CD33E4F57890DDEA5CF267ED2 Automatic iexplore.exe 7FAAF21CD33E4F57890DDEA5CF29CCEA AA87F21CD33E4F57890DDEAEE2197333 Automatic service.exe 77FF390CD33E4F57890DDEA5CF28881F 77FF390CD33E4F57890DDEA5CF28881F Manual USB.exe E289F21CD33E4F57890DDEA5CF28EDC0 E289F21CD33E4F57890DDEA5CF28EDC0 Stopped Based on the above output, which of the following should be reviewed? A. The web application firewall B. The file integrity check C. The data execution prevention D. The removable media control

(B)

A third-party penetration testing company was able to successfully use an ARP cache poison technique to gain root access on a server. The tester successfully moved to another server that was not in the original network. Which of the following is the MOST likely method used to gain access to the other host? A. Backdoor B. Pivoting C. Persistance D. Logic bomp

(B)

A university is opening a facility in a location where there is an elevated risk of theft. The university wants to protect the desktops in its classrooms and labs. Which of the following should the university use to BEST protect these assets deployed in the facility? A. Visitor logs B. Cable locks C. Guards D. Disk encryption E. Motion detection

(B)

A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon Investigation, a security analyst identifies the following: * The legitimate website's IP address is 10.1.1.20 and eRecruit.local resolves to this IP. * The forged website's IP address appears to be 10.2.12.99. based on NetFlow records. * All three of the organization's DNS servers show the website correctly resolves to the legitimate IP. * DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise. Which of the following MOST likely occurred? A. A reverse proxy was used to redirect network traffic. B. An SSL strip MITM attack was performed. C. An attacker temporarily poisoned a name server. D. An ARP poisoning attack was successfully executed.

(B)

After an identified security breach, an analyst is tasked to initiate the IR process. Which of the following is the NEXT step the analyst should take? A. Recovery B. Identification C. Preparation D. Documentation E. Escalation

(B)

After discovering a security incident and removing the affected files, an administrator disabled an unneeded service that led to the breach. Which of the following steps in the incident response process has the administrator just completed? A. Containment B. Eradication C. Recovery D. Identification

(B)

After successfully breaking into several networks and infecting multiple machines with malware, hackers contact the network owners, demanding payment to remove the infection and decrypt files. The hackers threaten to publicly release information about the breach if they are not paid. Which of the following BEST describes these attackers? A. Gray hat hackers B. Organized crime C. Insiders D. Hacktivists

(B)

An accountant is attempting to log in to the internal accounting system and receives a message that the website's certificate is fraudulent. The accountant finds instructions for manually installing the new trusted root onto the local machine. Which of the following would be the company's BEST option for this situation in the future? A. Utilize a central CRL B. Implement certificate management C. Ensure access to KMS D. Use a stronger cipher suite

(B)

An accountant is attempting to log in to the internal accounting system and receives a message that the website's certificate is fraudulent. The accountant finds instructions for manually installing the new trusted root onto the local machine. Which of the following would be the company's BEST option for this situation in the future? A. Utilize a central CRL. B. Implement certificate management. C. Ensure access to KMS. D. Use a stronger cipher suite.

(B)

An administrator is disposing of media that contains sensitive information. Which of the following will provide the MOST effective method to dispose of the media while ensuring the data will be unrecoverable? A. Wipe the hard drive. B. Shred the hard drive. C. Sanitize all of the data. D. Degauss the hard drive.

(B)

An analyst has determined that a server was not patched and an external actor exfiltrated data on port 139. Which of the following sources should the analyst review to BEST ascertain how the incident could have been prevented? A. The vulnerability scan output B. The security logs C. The baseline report D. The correlation of events

(B)

An attacker has obtained the user ID and password of a datacenter's backup operator and has gained access to a production system. Which of the following would be the attacker's NEXT action? A. Perform a passive reconnaissance of the network. B. Initiate a confidential data exfiltration process. C. Look for known vulnerabilities to escalate privileges. D. Create an alternate user ID to maintain persistent access.

(B)

An auditor has identified an access control system that can incorrectly accept an access attempt from an unauthorized user. Which of the following authentication systems has the auditor reviewed? A. Password-based B. Biometric-based C. Location-based D. Certificate-based

(B)

An external attacker can modify the ARP cache of an internal computer. Which of the following types of attacks is described? A. Replay B. Spoofing C. DNS poisoning D. Client-side attack

(B)

Which of the following is used to encrypt web application data? A. MD5 B. AES C. SHA D. DHA

(B)

An organization has decided to host its web application and database in the cloud. Which of the following BEST describes the security concerns for this decision? A. Access to the organization's servers could be exposed to other cloud-provider clients. B. The cloud vendor is a new attack vector within the supply chain. C. Outsourcing the code development adds risk to the cloud provider. D. Vendor support will cease when the hosting platforms reach EOL.

(B)

An organization is struggling to differentiate threats from normal traffic and access to systems. A security engineer has been asked to recommend a system that will aggregate data and provide metrics that will assist in identifying malicious actors or other anomalous activity throughout the environment. Which of the following solutions should the engineer recommend? A. Web application firewall B. SIEM C. IPS D. UTM E. File integrity monitor

(B)

An organization needs to implement a large PKI. Network engineers are concerned that repeated transmission of the OCSP will impact network performance. Which of the following should the security analyst recommend is lieu of an OCSP? A. CSR B. CRL C. CA D. OID

(B)

An organization recently moved its custom web applications to the cloud, and it is obtaining managed services of the back-end environment as part of its subscription. Which of the following types of services is this company now using? A. SaaS B. CASB C. IaaS D. PaaS

(B)

An organization requires users to provide their fingerprints to access an application. To improve security, the application developers intend to implement multifactor authentication. Which of the following should be implemented? A. Use a camera for facial recognition B. Have users sign their name naturally C. Require a palm geometry scan D. Implement iris recognition

(B)

An organization wants to upgrade its enterprise-wide desktop computer solution. The organization currently has 500 PCs active on the network. the Chief Information Security Officer (CISO) suggests that the organization employ desktop imaging technology for such a large scale upgrade. Which of the following is a security benefit of implementing an imaging solution? A. it allows for faster deployment B. it provides a consistent baseline C. It reduces the number of vulnerabilities D. It decreases the boot time

(B)

An organization wishes to allow its users to select devices for business use but does not want to overwhelm the service desk with requests for too many different device types and models. Which of the following deployment models should the organization use to BEST meet these requirements? A. VDI environment B. CYOD model C. DAC mode D. BYOD model

(B)

An organization's IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization's web servers. Given the organization's stated priorities, which of the following would be the NEXT step? A. Remove the affected servers from the network. B. Review firewall and IDS logs to identify possible source IPs. C. Identify and apply any missing operating system and software patches. D. Delete the malicious software and determine if the servers must be reimaged.

(B)

An organization's research department uses workstations in an air-gapped network. A competitor released products based on files that originated in the research department. Which of the following should management do to improve the security and confidentiality of the research files? A. Implement multifactor authentication on the workstations. B. Configure removable media controls on the workstations. C. Install a web application firewall in the research department. D. Install HIDS on each of the research workstations.

(B)

Ann, a user, reported to the service desk that many files on her computer will not open or the contents are not readable. The service desk technician asked Ann if she encountered any strange messages on boot-up or login, and Ann indicated she did not. Which of the following has MOST likely occurred on Ann's computer? A. The hard drive is falling, and the files are being corrupted. B. The computer has been infected with crypto-malware. C. A replay attack has occurred. D. A keylogger has been installed.

(B)

Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources? A. Attestation B. Federation C. Single sign-on D. Kerberos

(B)

Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate- based authentication with its users. The company uses SSL-inspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication. Which of the following model prevents the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication? A. Use of OATH between the user and the service and attestation from the company domain B. Use of active directory federation between the company and the cloud-based service C. Use of smartcards that store x.509 keys, signed by a global CA D. Use of a third-party, SAML-based authentication service for attestation

(B)

Company policy requires the use if passphrases instead if passwords. Which of the following technical controls MUST be in place in order to promote the use of passphrases? A. Reuse B. Length C. History D. Complexity

(B)

Datacenter employees have been battling alarms in a datacenter that has been experiencing hotter than normal temperatures. The server racks are designed so all 48 rack units are in use, and servers are installed in any manner in which the technician can get them installed. Which of the following practices would BEST alleviate the heat issues and keep costs low? A. Utilize exhaust fans. B. Use hot and cold aisles. C. Airgap the racks. D. Use a secondary AC unit.

(B)

Due to regulatory requirements, server in a global organization must use time synchronization. Which of the following represents the MOST secure method of time synchronization? A. The server should connect to external Stratum 0 NTP servers for synchronization B. The server should connect to internal Stratum 0 NTP servers for synchronization C. The server should connect to external Stratum 1 NTP servers for synchronization D. The server should connect to external Stratum 1 NTP servers for synchronization

(B)

During a third-party audit, it is determined that a member of the firewall team can request, approve, and implement a new ruleset on the firewall. Which of the following will the audit team most l likely recommend during the audit out brief? A. Discretionary access control for the firewall team B. Separation of duties policy for the firewall team C. Least privilege for the firewall team D. Mandatory access control for the firewall team

(B)

Fuzzing is used to reveal which of the following vulnerabilities in web applications? A. Weak cipher suites B. Improper input handling C. DLL injection D. Certificate signing flaws

(B)

Given the log output: Max 15 00:15:23.431 CRT: #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: msmith] [Source: 10.0.12.45] [localport: 23] at 00:15:23:431 CET Sun Mar 15 2015 Which of the following should the network administrator do to protect data security? A. Configure port security for logons B. Disable telnet and enable SSH C. Configure an AAA server D. Disable password and enable RSA authentication

(B)

Given the output: Which of the following account management practices should the security engineer use to mitigate the identified risk? A. Implement least privilege B. Eliminate shared accounts. C. Eliminate password reuse. D. Implement two-factor authentication

(B)

If two employees are encrypting traffic between them using a single encryption key, which of the following agorithms are they using? A. RSA B. 3DES C. DSA D. SHA-2

(B)

In an effort to reduce data storage requirements, some company devices to hash every file and eliminate duplicates. The data processing routines are time sensitive so the hashing algorithm is fast and supported on a wide range of systems. Which of the following algorithms is BEST suited for this purpose? A. MD5 B. SHA C. RIPEMD D. AES

(B)

Joe a website administrator believes he owns the intellectual property for a company invention and has been replacing image files on the company's public facing website in the DMZ. Joe is using steganography to hide stolen data. Which of the following controls can be implemented to mitigate this type of inside threat? A. Digital signatures B. File integrity monitoring C. Access controls D. Change management E. Stateful inspection firewall

(B)

Joe, a security administrator, needs to extend the organization's remote access functionality to be used by staff while travelling. Joe needs to maintain separate access control functionalities for internal, external, and VOIP services. Which of the following represents the BEST access technology for Joe to use? A. RADIUS B. TACACS+ C. Diameter D. Kerberos

(B)

Joe, a technician, is working remotely with his company provided laptop at the coffee shop near his home. Joe is concerned that another patron of the coffee shop may be trying to access his laptop. Which of the following is an appropriate control to use to prevent the other patron from accessing Joe's laptop directly? A. full-disk encryption B. Host-based firewall C. Current antivirus definitions D. Latest OS updates

(B)

Joe, a user at a company, clicked an email link that led to a website that infected his workstation. Joe was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and it has continued to evade detection. Which of the following should a security administrator implement to protect the environment from this malware? A. Install a definition-based antivirus. B. Implement an IDS/IPS. C. Implement a heuristic behavior-detection solution. D. Implement CASB to protect the network shares.

(B)

Joe, a user, has been trying to send Ann, a different user, an encrypted document via email. Ann has not received the attachment but is able to receive the header information. Which of the following is MOST likely preventing Ann from receiving the encrypted file? A. Unencrypted credentials B. Authentication issues C. Weak cipher suite D. Permission issues

(B)

Management wants to ensure any sensitive data on company-provided cell phones is isolated in a single location that can be remotely wiped if the phone is lost. Which of the following technologies BEST meets this need? A. Geofencing B. Containerization C. Device encryption D. Sandboxing

(B)

Moving laterally within a network once an initial exploit is used to gain persistent access for the purpose of establishing further control of a system is known as: A. pivoting. B. persistence. C. active reconnaissance. D. a backdoor.

(B)

QUESTION 135 A company hires a third-party firm to conduct an assessment of vulnerabilities exposed to the Internet. The firm informs the company that an exploit exists for an FTP server that had a version installed from eight years ago. The company has decided to keep the system online anyway, as no upgrade exists form the vendor. Which of the following BEST describes the reason why the vulnerability exists? A. Default configuration B. End-of-life system C. Weak cipher suite D. Zero-day threats

(B)

Six months into development, the core team assigned to implement a new internal piece of software must convene to discuss a new requirement with the stake holders. A stakeholder identified a missing feature critical to the organization, which must be implemented. The team needs to validate the feasibility of the newly introduced requirement and ensure it does not introduce new vulnerabilities to the software and other applications that will integrate with it. Which of the following BEST describes what the company? A. The system integration phase of the SDLC B. The system analysis phase of SDLC C. The system design phase of the SDLC D. The system development phase of the SDLC

(B)

Technicians working with servers hosted at the company's datacenter are increasingly complaining of electric shocks when touching metal items which have been linked to hard drive failures. Which of the following should be implemented to correct this issue? A. Decrease the room temperature B. Increase humidity in the room C. Utilize better hot/cold aisle configurations D. Implement EMI shielding

(B)

The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread unhindered throughout the network and infect a large number of computers and server. Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future? A. Install a NIDS device at the boundary. B. Segment the network with firewalls. C. Update all antivirus signatures daily. D. Implement application blacklisting.

(B)

The Chief Executive Officer (CEO) received an email from the Chief Financial Officer (CFO), asking the CEO to send financial details. The CEO thought it was strange that the CFO would ask for the financial details via email. The email address was correct in the "From" section of the email. The CEO clicked the form and sent the financial information as requested. Which of the following caused the incident? A. Domain hijacking B. SPF not enabled C. MX records rerouted D. Malicious insider

(B)

The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company's Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social-engineering techniques is the attacker using? A. Phishing B. Whaling C. Typo squatting D. Pharming

(B)

The Chief Information Officer (CIO) has determined the company's new PKI will not use OCSP. The purpose of OCSP still needs to be addressed. Which of the following should be implemented? A. Build an online intermediate CA. B. Implement a key escrow. C. Implement stapling. D. Install a CRL.

(B)

The availability of a system has been labeled as the highest priority. Which of the following should be focused on the MOST to ensure the objective? A. Authentication B. HVAC C. Full-disk encryption D. File integrity checking

(B)

The data backup window has expanded into the morning hours and has begun to affect production users. The main bottleneck in the process is the time it takes to replicate the backups to separate severs at the offsite data center. Which of the following uses of deduplication could be implemented to reduce the backup window? A. Implement deduplication at the network level between the two locations B. Implement deduplication on the storage array to reduce the amount of drive space needed C. Implement deduplication on the server storage to reduce the data backed up D. Implement deduplication on both the local and remote servers

(B)

The firewall administrator is adding a new certificate for the company's remote access solution. The solution requires that the uploaded file contain the entire certificate chain for the certificate to load properly. The administrator loads the company certificate and the root CA certificate into the file. The file upload is rejected. Which of the following is required to complete the certificate chain? A. Certificate revocation list B. Intermediate authority C. Recovery agent D. Root of trust

(B)

To get the most accurate results on the security posture of a system, which of the following actions should the security analyst do prior to scanning? A. Log all users out of the system B. Patch the scanner C. Reboot the target host D. Update the web plugins

(B)

Upon entering an incorrect password, the logon screen displays a message informing the user that the password does not match the username provided and is not the required length of 12 characters. Which of the following secure coding techniques should a security analyst address with the application developers to follow security best practices? A. Input validation B. Error handling C. Obfuscation D. Data exposure

(B)

Using an ROT13 cipher to protect confidential information for unauthorized access is known as: A. steganography. B. obfuscation. C. non-repudiation. D. diffusion.

(B)

When considering IoT systems, which of the following represents the GREATEST ongoing risk after a vulnerability has been discovered? A. Difficult-to-update firmware B. Tight integration to existing systems C. IP address exhaustion D. Not using industry standards

(B)

When systems, hardware, or software are not supported by the original vendor, it is a vulnerability known as: A. system sprawl B. end-of-life systems C. resource exhaustion D. a default configuration

(B)

Which of the following BEST describes a security exploit for which a vendor patch is not readily available? A. Integer overflow B. Zero-day C. End of life D. Race condition

(B)

Which of the following BEST describes the concept of perfect forward secrecy? A. Using quantum random number generation to make decryption effectively impossible B. Preventing cryptographic reuse so a compromise of one operation does not affect other operations C. Implementing elliptic curve cryptographic algorithms with true random numbers D. The use of NDAs and policy controls to prevent disclosure of company secrets

(B)

Which of the following describes the ability of code to target a hypervisor from inside a guest OS? A. Fog computing B. VM escape C. Software-defined networking D. Image forgery E. Container breakout

(B)

Which of the following incident response steps involves actions to protect critical systems while maintaining business operations? A. Investigation B. Containment C. Recovery D. Lessons learned

(B)

Which of the following is a benefit of credentialed vulnerability scans? A. Credentials provide access to scan documents to identify possible data theft. B. The vulnerability scanner is able to inventory software on the target. C. A scan will reveal data loss in real time. D. Black-box testing can be performed.

(B)

Which of the following is a deployment concept that can be used to ensure only the required OS access is exposed to software applications? A. Staging environment B. Sandboxing C. Secure baseline D. Trusted OS

(B)

Which of the following is a random value appended to a credential that makes the credential less susceptible to compromise when hashed? A. Nonce B. Salt C. OTP D. Block cipher E. IV

(B)

Which of the following is the BEST choice for a security control that represents a preventive and corrective logical control at the same time? A. Security awareness training B. Antivirus C. Firewalls D. Intrusion detection system

(B)

Which of the following is the MOST likely motivation for a script kiddie threat actor? A. Financial gain B. Notoriety C. Political expression D. Corporate espionage

(B)

Which of the following is the MOST significant difference between intrusive and non-intrusive vulnerability scanning? A. One uses credentials, but the other does not. B. One has a higher potential for disrupting system operations. C. One allows systems to activate firewall countermeasures. D. One returns service banners, including running versions.

(B)

Which of the following may indicate a configuration item has reached end-of-life? A. The device will no longer turn on and indicated an error. B. The vendor has not published security patches recently. C. The object has been removed from the Active Directory. D. Logs show a performance degradation of the component.

(B)

Which of the following needs to be performed during a forensics investigation to ensure the data contained in a drive image has not been compromised? A. Follow the proper chain of custody procedures. B. Compare the image hash to the original hash. C. Ensure a legal hold has been placed on the image. D. Verify the time offset on the image file.

(B)

Which of the following network vulnerability scan indicators BEST validates a successful, active scan? A. The scan job is scheduled to run during off-peak hours. B. The scan output lists SQL injection attack vectors. C. The scan data identifies the use of privileged-user credentials. D. The scan results identify the hostname and IP address.

(B)

Which of the following refers to the term used to restore a system to its operational state? A. MTBF B. MTTR C. RTO D. RPO

(B)

Which of the following strategies should a systems architect use to minimize availability risks due to insufficient storage capacity? A. High availability B. Scalability C. Distributive allocation D. Load balancing

(B)

Which of the following technologies would be MOST appropriate to utilize when testing a new software patch before a company-wide deployment? A. Cloud computing B. Virtualization C. Redundancy D. Application control

(B)

Which of the following vulnerability types would the type of hacker known as a script kiddie be MOST dangerous against? A. Passwords written on the bottom of a keyboard B. Unpatched exploitable Internet-facing services C. Unencrypted backup tapes D. Misplaced hardware token

(B)

Which of the following would verify that a threat does exist and security controls can easily be bypassed without actively testing an application? A. Protocol analyzer B. Vulnerability scan C. Penetration test D. Port scanner

(B)

While reviewing the monthly internet usage it is noted that there is a large spike in traffic classified as "unknown" and does not appear to be within the bounds of the organizations Acceptable Use Policy. Which of the following tool or technology would work BEST for obtaining more information on this traffic? A. Firewall logs B. IDS logs C. Increased spam filtering D. Protocol analyzer

(B)

While troubleshooting a client application connecting to the network, the security administrator notices the following error: Certificate is not valid. Which of the following is the BEST way to check if the digital certificate is valid? A. PKI B. CRL C. CSR D. IPSec

(B)

When considering a third-party cloud service provider, which of the following criteria would be the BEST to include in the security assessment process? (Select two.) A. Use of performance analytics B. Adherence to regulatory compliance C. Data retention policies D. Size of the corporation E. Breadth of applications support

(B,C)

A penetration tester is checking to see if an internal system is vulnerable to an attack using a remote listener. Which of the following commands should the penetration tester use to verify if this vulnerability exists? (Choose two.) A. tcpdump B. nc C. nmap D. nslookup E. tail F. tracert

(BC)

A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Choose two.) A. PAP B. MSCHAP C. PEAP D. NTLM E. SAML

(BC)

A security administrator learns that PII, which was gathered by the organization, has been found in an open forum. As a result, several C-level executives found their identities were compromised, and they were victims of a recent whaling attack. Which of the following would prevent these problems in the future? (Select TWO). A. Implement a reverse proxy. B. Implement an email DLP. C. Implement a spam filter. D. Implement a host-based firewall. E. Implement a HIDS.

(BC)

A security administrator needs to address the following audit recommendations for a public-facing SFTP server: - Users should be restricted to upload and download files to their own home directories only. - Users should not be allowed to use interactive shell login. Which of the following configuration parameters should be implemented? (Select TWO). A. PermitTunnel B. ChrootDirectory C. PermitTTY D. AllowTcpForwarding E. IgnoreRhosts

(BC)

A security administrator suspects a MITM attack aimed at impersonating the default gateway is underway. Which of the following tools should the administrator use to detect this attack? (Select two.) A. Ping B. Ipconfig C. Tracert D. Netstat E. Dig F. Nslookup

(BC)

A security administrator suspects that data on a server has been exhilarated as a result of un- authorized remote access. Which of the following would assist the administrator in con-firming the suspicions? (Select TWO) A. Networking access control B. DLP alerts C. Log analysis D. File integrity monitoring E. Host firewall rules

(BC)

A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent the exfiltration of data? (Select TWO). A. VPN B. Drive encryption C. Network firewall D. File-level encryption E. USB blocker F. MFA

(BC)

As part of a corporate merger, two companies are combining resources. As a result, they must transfer files through the Internet in a secure manner. Which of the following protocols would BEST meet this objective? (Choose two.) A. LDAPS B. SFTP C. HTTPS D. DNSSEC E. SRTP

(BC)

Which of the following are used to increase the computing time it takes to brute force a password using an offline attack? (Select TWO) A. XOR B. PBKDF2 C. bcrypt D. HMAC E. RIPEMD

(BC)

A computer forensics analyst collected a flash drive that contained a single file with 500 pages of text. Which of the following algorithms should the analyst use to validate the integrity of the file? A. 3DES B. AES C. MD5 D. RSA

(C)

Which of the following is the main difference an XSS vulnerability and a CSRF vulnerability? A. XSS needs the attacker to be authenticated to the trusted server. B. XSS does not need the victim to be authenticated to the trusted server. C. CSRF needs the victim to be authenticated to the trusted server. D. CSRF does not need the victim to be authenticated to the trusted server. E. CSRF does not need the attacker to be authenticated to the trusted server.

(BC)

Which of the following techniques can be bypass a user or computer's web browser privacy settings? (Select Two) A. SQL injection B. Session hijacking C. Cross-site scripting D. Locally shared objects E. LDAP injection

(BC)

A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant items. Which of the following BEST describe why this has occurred? (Select TWO) A. Privileged-user certificated were used to scan the host B. Non-applicable plugins were selected in the scan policy C. The incorrect audit file was used D. The output of the report contains false positives E. The target host has been compromised

(BD)

A security analyst is investigating a security breach. Upon inspection of the audit an access logs, the analyst notices the host was accessed and the /etc/passwd file was modified with a new entry for username "gotcha" and user ID of 0. Which of the following are the MOST likely attack vector and tool the analyst should use to determine if the attack is still ongoing? (Select TWO) A. Logic bomb B. Backdoor C. Keylogger D. Netstat E. Tracert F. Ping

(BD)

A security manager is creating an account management policy for a global organization with sales personnel who must access corporate network resources while traveling all over the world. Which of the following practices is the security manager MOST likely to enforce with the policy? (Select TWO) A. Time-of-day restrictions B. Password complexity C. Location-based authentication D. Group-based access control E. Standard naming convention

(BD)

Due to regulatory requirements, a security analyst must implement full drive encryption on a Windows file server. Which of the following should the analyst implement on the system to BEST meet this requirement? (Choose two.) A. Enable and configure EFS on the file system. B. Ensure the hardware supports TPM, and enable it in the BIOS. C. Ensure the hardware supports VT-X, and enable it in the BIOS. D. Enable and configure BitLocker on the drives. E. Enable and configure DFS across the file system

(BD)

Given the information below: MD5HASH document.doc 049eab40fd36caadlfab10b3cdf4a883 MD5HASH image.jpg 049eab40fd36caadlfab10b3cdf4a883 Which of the following concepts are described above? (Choose two.) A. Salting B. Collision C. Steganography D. Hashing E. Key stretching

(BD)

Which of the following encryption algorithms require one encryption key? (Choose two.) A. MD5 B. 3DES C. BCRYPT D. RC4 E. DSA

(BD)

Which of the following would enhance the security of accessing data stored in the cloud? (Select TWO) A. Block level encryption B. SAML authentication C. Transport encryption D. Multifactor authentication E. Predefined challenge questions F. Hashing

(BD)

A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size of the report is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select three.) A. S/MIME B. SSH C. SNMPv3 D. FTPS E. SRTP F. HTTPS G. LDAPS

(BDF)

A wireless network has the following design requirements: Authentication must not be dependent on enterprise directory service It must allow background reconnection for mobile users It must not depend on user certificates Which of the following should be used in the design to meet the requirements? (Choose two.) A. PEAP B. PSK C. Open systems authentication D. EAP-TLS E. Captive portals

(BE)

An organization is developing its mobile device management policies and procedures and is concerned about vulnerabilities that are associated with sensitive data being saved to a mobile device, as well as weak authentication when using a PIN. As part of some discussions on the topic, several solutions are proposed. Which of the following controls, when required together, will address the protection of data-at-rest as well as strong authentication? (Choose two.) A. Containerization B. FDE C. Remote wipe capability D. MDM E. MFA F. OTA updates

(BE)

When performing data acquisition on a workstation, which of the following should be captured based on memory volatility? (Select two.) A. USB-attached hard disk B. Swap/pagefile C. Mounted network storage D. ROM E. RAM

(BE)

Which of the following use the SSH protocol? A. Stelnet B. SCP C. SNMP D. FTPS E. SSL F. SFTP

(BF)

A Chief Information Security Officer (CISO) is concerned about the organization's ability to continue business operations in the event of a prolonged DDoS attack on its local datacenter that consumes server resources. Which of the following will the CISO MOST likely recommend to mitigate this risk? A. Upgrade the bandwidth available into the datacenter. B. Migrate to a geographically dispersed cloud datacenter. C. Implement a hot-site failover location. D. Switch to a complete SaaS offering to customers. E. Implement a challenge response test on all end-user queries.

(C)

A Chief Security Officer (CSO) has been unsuccessful in attempts to access the website for a potential partner (www.example.net). Which of the following rules is preventing the CSO from accessing the site? Blocked sites: *.nonews.com, *.rumorhasit.net, *.mars? A. Rule 1: deny from inside to outside source any destination any service smtp B. Rule 2: deny from inside to outside source any destination any service ping C. Rule 3: deny from inside to outside source any destination {blocked sites} service http-https D. Rule 4: deny from any to any source any destination any service any

(C)

A cybersecurity analyst needs to implement secure authentication to third-party websites without users' passwords. Which of the following would be the BEST way to achieve this objective? A. OAuth B. SSO C. SAML D. PAP

(C)

A bank requires tellers to get manager approval when a customer wants to open a new account. A recent audit shows that there have been four cases in the previous year where tellers opened accounts without management approval. The bank president thought separation of duties would prevent this from happening. In order to implement a true separation of duties approach the bank could: A. Require the use of two different passwords held by two different individuals to open an account B. Administer account creation on a role based access control approach C. Require all new accounts to be handled by someone else other than a teller since they have different duties D. Administer account creation on a rule based access control approach

(C)

A bank uses a wireless network to transmit credit card purchases to a billing system. Which of the following would be MOST appropriate to protect credit card information from being accessed by unauthorized individuals outside of the premises? A. Air gap B. Infrared detection C. Faraday cage D. Protected distributions

(C)

A company employee recently retired, and there was a schedule delay because no one was capable of filling the employee's position. Which of the following practices would BEST help to prevent this situation in the future? A. Mandatory vacation B. Separation of duties C. Job rotation D. Exit interviews

(C)

A company has just experienced a malware attack affecting a large number of desktop users. The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as 'Troj.Generic'. Once the security team found a solution to remove the malware, they were able to remove the malware files successfully, and the HIDS stopped alerting. The next morning, however, the HIDS once again started alerting on the same desktops, and the security team discovered the files were back. Which of the following BEST describes the type of malware infecting this company's network? A. Trojan B. Spyware C. Rootkit D. Botnet

(C)

A company has won an important government contract. Several employees have been transferred from their existing projects to support a new contract. Some of the employees who have transferred will be working long hours and still need access to their project information to transition work to their replacements. Which of the following should be implemented to validate that the appropriate offboarding process has been followed? A. Separation of duties B. Time-of-day restrictions C. Permission auditing D. Mandatory access control

(C)

A company is deploying a file-sharing protocol access a network and needs to select a protocol for authenticating clients. Management requests that the service be configured in the most secure way possible. The protocol must also be capable of mutual authentication, and support SSO and smart card logons. Which of the following would BEST accomplish this task? A. Store credentials in LDAP B. Use NTLM authentication C. Implement Kerberos D. Use MSCHAP authentication

(C)

A company is evaluating cloud providers to reduce the cost of its internal IT operations. The company's aging systems are unable to keep up with customer demand. Which of the following cloud models will the company MOST likely select? A. PaaS B. SaaS C. IaaS D. BaaS

(C)

A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA? A. Onetime passwords B. Email tokens C. Push notifications D. Hardware authentication

(C)

A company is implementing a tool to mask all PII when moving data from a production server to a testing server. Which of the following security techniques is the company applying? A. Data wiping B. Steganography C. Data obfuscation D. Data sanitization

(C)

A company is planning to encrypt the files in several sensitive directories of a file server with a symmetric key. Which of the following could be used? A. RSA B. TwoFish C. Diffie-Helman D. NTLMv2 E. RIPEMD

(C)

A company is planning to utilize its legacy desktop systems by converting them into dummy terminals and moving all heavy applications and storage to a centralized server that hosts all of the company's required desktop applications. Which of the following describes the BEST deployment method to meet these requirements? A. IaaS B. VM sprawl C. VDI D. PaaS

(C)

A company just implemented a new telework policy that allows employees to use personal devices for official email and file sharing while working from home. Some of the requirements are: * Employees must provide an alternate work location (i.e., a home address). * Employees must install software on the device that will prevent the loss of proprietary data but will not restrict any other software from being installed. Which of the following BEST describes the MDM options the company is using? A. Geofencing, content management, remote wipe, containerization, and storage segmentation B. Content management, remote wipe, geolocation, context-aware authentication, and containerization C. Application management, remote wipe, geofencing, context-aware authentication, and containerization D. Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption

(C)

A company uses an enterprise desktop imaging solution to manage deployment of its desktop computers. Desktop computer users are only permitted to use software that is part of the baseline image. Which of the following technical solutions was MOST likely deployed by the company to ensure only known-good software can be installed on corporate desktops? A. Network access control B. Configuration manager C. Application whitelisting D. File integrity checks

(C)

A company wants to provide centralized authentication for its wireless system. The wireless authentication system must integrate with the directory back end. Which of the following is a AAA solution that will provide the required wireless authentication? A. TACACS+ B. MSCHAPv2 C. RADIUS D. LDAP

(C)

A company was recently audited by a third party. The audit revealed the company's network devices were transferring files in the clear. Which of the following protocols should the company use to transfer files? A. HTTPS B. LDAPS C. SCP D. SNMPv3

(C)

A company's loss control department identifies theft as a recurring loss type over the past year. Based on the department's report, the Chief Information Officer (CIO) wants to detect theft of datacenter equipment. Which of the following controls should be implemented? A. Biometrics B. Cameras C. Motion detectors D. Mantraps

(C)

A department head at a university resigned on the first day of the spring semester. It was subsequently determined that the department head deleted numerous files and directories from the server-based home directory while the campus was closed. Which of the following policies or procedures could have prevented this from occurring? A. Time-of-day restrictions B. Permission auditing and review C. Offboarding D. Account expiration

(C)

A developer has incorporated routines into the source code for controlling the length of the input passed to the program. Which of the following types of vulnerabilities is the developer protecting the code against? A. DLL injection B. Memory leak C. Buffer overflow D. Pointer dereference

(C)

A first responder needs to collect digital evidence from a compromised headless virtual host. Which of the following should the first responder collect FIRST? A. Virtual memory B. BIOS configuration C. Snapshot D. RAM

(C)

A government agency with sensitive information wants to virtualize its infrastructure. Which of the following cloud deployment models BEST fits the agency's needs? A. Public B. Community C. Private D. Hybrid

(C)

A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the purchase. When the PCs arrived, a technician determined some NICs had been tampered with. Which of the following MOST accurately describes the security risk presented in this situation? A. Hardware root of trust B. UEFI C. Supply chain D. TPM E. Crypto-malware F. ARP poisoning

(C)

A group of non-profit agencies wants to implement a cloud service to share resources with each other and minimize costs. Which of the following cloud deployment models BEST describes this type of effort? A. Public B. Hybrid C. Community D. Private

(C)

A malicious actor recently penetrated a company's network and moved laterally to the datacenter. Upon investigation, a forensics firm wants to know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm? A. Security B. Application C. Dump D. Syslog

(C)

A member of the admins group reports being unable to modify the "changes" file on a server. The permissions on the file are as follows: Permissions User Group File -rwxrw-r--+ Admins Admins changes Based on the output above, which of the following BEST explains why the user is unable to modify the "changes" file? A. The SELinux mode on the server is set to "enforcing." B. The SELinux mode on the server is set to "permissive." C. An FACL has been added to the permissions for the file. D. The admins group does not have adequate permissions to access the file.

(C)

A network administrator has been asked to install an IDS to improve the security posture of an organization. Which of the following control types Is an IDS? A. Corrective B. Physical C. Detective D. Administrative

(C)

A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website. During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine. Which of the following describes the type of attack the proxy has been legitimately programmed to perform? A. Transitive access B. Spoofing C. Man-in-the-middle D. Replay

(C)

A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure? A. A captive portal B. PSK C. 802.1X D. WPS

(C)

A network administrator is trying to provide the most resilient hard drive configuration in a server. With five hard drives which of the following is the MOST fault-tolerant configuration? A. RAID 1 B. RAID 5 C. RAID 6 D. RAID 10

(C)

A network administrator wants to implement a method of securing internal routing. Which of the following should the administrator implement? A. DMZ B. NAT C. VPN D. PAT

(C)

A network technician is setting up a new branch for a company. The users at the new branch will need to access resources securely as if they were at the main location. Which of the following networking concepts would BEST accomplish this? A. Virtual network segmentation B. Physical network segmentation C. Site-to-site VPN D. Out-of-band access E. Logical VLANs

(C)

A number of employees report that parts of an ERP application are not working. The systems administrator reviews the following information from one of the employee workstations: Execute permission denied: financemodule.dll Execute permission denied: generalledger.dll Which of the following should the administrator implement to BEST resolve this issue while minimizing risk and attack exposure? A. Update the application blacklist B. Verify the DLL's file integrity C. Whitelist the affected libraries D. Place the affected employees in the local administrator's group

(C)

A portable data storage device has been determined to have malicious firmware. Which of the following is the BEST course of action to ensure data confidentiality? A. Format the device B. Re-image the device C. Perform virus scan in the device D. Physically destroy the device

(C)

A preventive control differs from a compensating control in that a preventive control is: A. put in place to mitigate a weakness in a user control. B. deployed to supplement an existing control that is EOL. C. relied on to address gaps in the existing control structure. D. designed to specifically mitigate a risk.

(C)

A public relations team will be taking a group of guests on a tour through the facility of a large ecommerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against. A. loss of proprietary information B. damage to the company's reputation C. social engineering D. credential exposure

(C)

A recent internal audit is forcing a company to review each internal business unit's VMs because the cluster they are installed on is in danger of running out of computer resources. Which of the following vulnerabilities exist? A. Buffer overflow B. End-of-life systems C. System sprawl D. Weak configuration

(C)

A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent this issue from reoccurring? A. CASB B. SWG C. Containerization D. Automated failover

(C)

A security administrator determined that users within the company are installing unapproved software. Company policy dictates that only certain applications may be installed or ran on the user's computers without exception. Which of the following should the administrator do to prevent all unapproved software from running on the user's computer? A. Deploy antivirus software and configure it to detect and remove pirated software B. Configure the firewall to prevent the downloading of executable files C. Create an application whitelist and use OS controls to enforce it D. Prevent users from running as administrator so they cannot install software.

(C)

A security administrator found the following piece of code referenced on a domain controller's task scheduler: $var = GetDomainAdmins If $var != 'fabio' SetDomainAdmins = NULL With which of the following types of malware is the code associated? A. RAT B. Backdoor C. Logic bomb D. Crypto-malware

(C)

A security administrator has been assigned to review the security posture of the standard corporate system image for virtual machines. The security administrator conducts a thorough review of the system logs, installation procedures, and network configuration of the VM image. Upon reviewing the access logs and user accounts, the security administrator determines that several accounts will not be used in production. Which of the following would correct the deficiencies? A. Mandatory access controls B. Disable remote login C. Host hardening D. Disabling services

(C)

A security administrator installed a new network scanner that identifies new host systems on the network. Which of the following did the security administrator install? A. Vulnerability scanner B. Network-based IDS C. Rogue system detection D. Configuration compliance scanner

(C)

A security administrator is choosing an algorithm to generate password hashes. Which of the following would offer the BEST protection against offline brute force attacks? A. MD5 B. 3DES C. AES D. SHA-1

(C)

A security administrator is developing a methodology for tracking staff access to patient data. Which of the following would be the BEST method of creating audit trails for usage reports? A. Deploy file integrity checking B. Restrict access to the database by following the principle of least privilege C. Implementing a database activity monitoring system D. Created automated alerts on the IDS system for the database server

(C)

A security administrator is trying to eradicate a worm, which is spreading throughout the organization, using an old remote vulnerability in the SMB protocol. The worm uses Nmap to identify target hosts within the company. The administrator wants to implement a solution that will eradicate the current worm and any future attacks that may be using zero-day vulnerabilities. Which of the following would BEST meet the requirements when implemented? A. Host-based firewall B. Enterprise patch management system C. Network-based intrusion prevention system D. Application blacklisting E. File integrity checking

(C)

A security administrator needs to configure remote access to a file share so it can only be accessed between the hours of 9:00 a.m. and 5:00 p.m. Files in the share can only be accessed by members of the same department as the data owner. Users should only be able to create files with approved extensions, which may differ by department. Which of the following access controls would be the MOST appropriate for this situation? A. RBAC B. MAC C. ABAC D. DAC

(C)

A security administrator wants to determine if a company's web servers have the latest operating system and application patches installed. Which of the following types of vulnerability scans should be conducted? A. Non-credentialed B. Passive C. Port D. Credentialed E. Red team F. Active

(C)

A security analyst accesses corporate web pages and inputs random data in the forms. The response received includes the type of database used and SQL commands that the database accepts. Which of the following should the security analyst use to prevent this vulnerability? A. Application fuzzing B. Error handling C. Input validation D. Pointer dereference

(C)

A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output: Which of the following BEST describes the attack the company is experiencing? A. MAC flooding B. URL redirection C. ARP poisoning D. DNS hijacking

(C)

A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output: Which of the following BEST describes the attack the company is experiencing? A. MAC flooding B. URL redirection C. ARP poisoning D. DNS hijacking

(C)

A security analyst is working on a project that requires the implementation of a stream cipher. Which of the following should the analyst use? A. Hash function B. Elliptic curve C. Symmetric algorithm D. Public key cryptography

(C)

A security engineer wants to add SSL to the public web server. Which of the following would be the FIRST step to implement the SSL certificate? A. Download the web certificate B. Install the intermediate certificate C. Generate a CSR D. Encrypt the private key

(C)

A security professional wants to test a piece of malware that was isolated on a user's computer to document its effect on a system. Which of the following is the FIRST step the security professional should take? A. Create a sandbox on the machine. B. Open the file and run it. C. Create a secure baseline of the system state. D. Harden the machine.

(C)

A Security analyst has received an alert about PII being sent via email. The analyst's Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate? A. S/MIME B. DLP C. IMAP D. HIDS

(D)

A security team has downloaded a public database of the largest collection of password dumps on the Internet. This collection contains the cleartext credentials of every major breach for the last four years. The security team pulls and compares users' credentials to the database and discovers that more than 30% of the users were still using passwords discovered in this list. Which of the following would be the BEST combination to reduce the risks discovered? A. Password length, password encryption, password complexity B. Password complexity, least privilege, password reuse C. Password reuse, password complexity, password expiration D. Group policy, password history, password encryption

(C)

A small enterprise decides to implement a warm site to be available for business continuity in case of a disaster. Which of the following BEST meets its requirements? A. A fully operational site that has all the equipment in place and full data backup tapes on site B. A site used for its data backup storage that houses a full-time network administrator C. An operational site requiring some equipment to be relocated as well as data transfer to the site D. A site staffed with personnel requiring both equipment and data to be relocated there in case of disaster

(C)

A small retail business has a local store and a newly established and growing online storefront. A recent storm caused a power outage to the business and the local ISP, resulting in several hours of lost sales and delayed order processing. The business owner now needs to ensure two things: - Protection from power outages - Always-available connectivity in case of an outage The owner has decided to implement battery backups for the computer equipment. Which of the following would BEST fulfill the owner's second need? A. Lease a telecommunications line to provide POTS for dial-up access. B. Connect the business router to its own dedicated UPS. C. Purchase services from a cloud provider for high availability. D. Replace the business's wired network with a wireless network.

(C)

A startup company is using multiple SaaS and laaS platforms to stand up a corporate infrastructure and build out a customer-facing web application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms? A. SIEM B. DLP C. CASB D. SWG

(C)

A system administrator is configuring a site-to-site VPN tunnel. Which of the following should be configured on the VPN concentrator during the IKE phase? A. RIPEMD B. ECDHE C. Diffie-Hellman D. HTTPS

(C)

A system administrator wants to implement an internal communication system that will allow employees to send encrypted messages to each other. The system must also support non- repudiation. Which of the following implements all these requirements? A. Bcrypt B. Blowfish C. PGP D. SHA

(C)

A systems administrator is configuring a new network switch for TACACS+ management and authentication. Which of the following must be configured to provide authentication between the switch and the TACACS+ server? A. 802.1X B. SSH C. Shared secret D. SNMPv3 E. CHAP

(C)

A systems administrator needs to configure an SSL remote access VPN according to the following organizational guidelines: * The VPN must support encryption of header and payload. * The VPN must route all traffic through the company's gateway. Which of the following should be configured on the VPN concentrator? A. Full tunnel B. Transport mode C. Tunnel mode D. IPSec

(C)

A systems administrator needs to configure an SSL remote access VPN according to the following organizational guidelines: - The VPN must support encryption of header and payload. - The VPN must route all traffic through the company's gateway. Which of the following should be configured on the VPN concentrator? A. Full tunnel B. Transport mode C. Tunnel mode D. IPSec

(C)

A systems administrator wants to generate a self-signed certificate for an internal website. Which of the following steps should the systems administrator complete prior to installing the certificate on the server? A. Provide the private key to a public CA. B. Provide the public key to the internal CA. C. Provide the public key to a public CA. D. Provide the private key to the internal CA. E. Provide the public/private key pair to the internal CA F. Provide the public/private key pair to a public CA.

(C)

A technician has installed new vulnerability scanner software on a server that is joined to the company domain. The vulnerability scanner is able to provide visibility over the patch posture of all company's clients. Which of the following is being used? A. Gray box vulnerability testing B. Passive scan C. Credentialed scan D. Bypassing security controls

(C)

A user of the wireless network is unable to gain access to the network. The symptoms are: 1.) Unable to connect to both internal and Internet resources 2.) The wireless icon shows connectivity but has no network access The wireless network is WPA2 Enterprise and users must be a member of the wireless security group to authenticate. Which of the following is the MOST likely cause of the connectivity issues? A. The wireless signal is not strong enough B. A remote DDoS attack against the RADIUS server is taking place C. The user's laptop only supports WPA and WEP D. The DHCP scope is full E. The dynamic encryption key did not update while the user was offline

(C)

A user receives a security alert pop-up from the host-based IDS, and a few minutes later notices a document on the desktop has disappeared and in its place is an odd filename with no icon image. When clicking on this icon, the user receives a system notification that it cannot find the correct program to use to open this file. Which of the following types of malware has MOST likely targeted this workstation? A. Rootkit B. Spyware C. Ransomware D. Remote-access Trojan

(C)

A user suspects someone has been accessing a home network without permission by spoofing the MAC address of an authorized system. While attempting to determine if an authorized user is logged into the home network, the user reviews the wireless router, which shows the following table for systems that are currently on the home network. Which of the following should be the NEXT step to determine if there is an unauthorized user on the network? A. Apply MAC filtering and see if the router drops any of the systems. B. Physically check each of the authorized systems to determine if they are logged onto the network. C. Deny the "unknown" host because the hostname is not known and MAC filtering is not applied to this host. D. Conduct a ping sweep of each of the authorized systems and see if an echo response is received.

(C)

Password Authentication Protocol (PAP)

A password-based authentication protocol used by Point to Point Protocol (PPP) to validate users. Older, not used by itself because communicates in the open

A vice president at a manufacturing organization is concerned about desktops being connected to the network. Employees need to log onto the desktops' local account to verify that a product is being created within specifications; otherwise, the desktops should be as isolated as possible. Which of the following is the BEST way to accomplish this? A. Put the desktops in the DMZ. B. Create a separate VLAN for the desktops. C. Air gap the desktops. D. Join the desktops to an ad-hoc network.

(C)

A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions, and registry values known to be associated with system vulnerabilities. Which of the following BEST describes the type of scan being performed? A. Non-intrusive B. Authenticated C. Credentialed D. Active

(C)

A water utility company has seen a dramatic increase in the number of water pumps burning out. A malicious actor was attacking the company and is responsible for the increase. Which of the following systems has the attacker compromised? A. DMZ B. RTOS C. SCADA D. IoT

(C)

A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the following attacks? A. SQL injection B. Header manipulation C. Cross-site scripting D. Flash cookie exploitation

(C)

After a routine audit, a company discovers that engineering documents have been leaving the network on a particular port. The company must allow outbound traffic on this port, as it has a legitimate business use. Blocking the port would cause an outage. Which of the following technology controls should the company implement? A. NAC B. Web proxy C. DLP D. ACL

(C)

After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic? A. A DMZ B. A VPN C. A VLAN D. An ACL

(C)

An active/passive configuration has an impact on: A. confidentiality B. integrity C. availability D. non-repudiation

(C)

An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router? A. WPA+CCMP B. WPA2+CCMP C. WPA+TKIP D. WPA2+TKIP

(C)

An application developer is designing an application involving secure transports from one service to another that will pass over port 80 for a request. Which of the following secure protocols is the developer MOST likely to use? A. FTPS B. SFTP C. SSL D. LDAPS E. SSH

(C)

An attack that is using interference as its main attack to impede network traffic is which of the following? A. Introducing too much data to a targets memory allocation B. Utilizing a previously unknown security flaw against the target C. Using a similar wireless configuration of a nearby network D. Inundating a target system with SYN request

(C)

An attacker captures the encrypted communication between two parties for a week, but is unable to decrypt the messages. The attacker then compromises the session key during one exchange and successfully compromises a single message. The attacker plans to use this key to decrypt previously captured and future communications, but is unable to. This is because the encryption scheme in use adheres to: A. Asymmetric encryption B. Out-of-band key exchange C. Perfect forward secrecy D. Secure key escrow

(C)

An attacker is able to capture the payload for the following packet: IP 192.168.1.22:2020 10.10.10.5:443 IP 192.168.1.10:1030 10.10.10.1:21 IP 192.168.1.57:5217 10.10.10.1:3389 During an investigation, an analyst discovers that the attacker was able to capture the information above and use it to log on to other servers across the company. Which of the following is the MOST likely reason? A. The attacker has exploited a vulnerability that is commonly associated with TLS1.3. B. The application server is also running a web server that has been compromised. C. The attacker is picking off unencrypted credentials and using those to log in to the secure server. D. User accounts have been improperly configured to allow single sign-on across multiple servers.

(C)

An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state? A. The system was configured with weak default security settings. B. The device uses weak encryption ciphers. C. The vendor has not supplied a patch for the appliance. D. The appliance requires administrative credentials for the assessment.

(C)

An incident response analyst in a corporate security operations center receives a phone call from an SOC analyst. The SOC analyst explains the help desk recently reimaged a workstation that was suspected of being infected with an unknown type of malware; however, even after reimaging, the host continued to generate SIEM alerts. Which of the following types of malware is MOST likely responsible for producing the SIEM alerts? A. Ransomware B. Logic bomb C. Rootkit D. Adware

(C)

An organization has a policy in place that states the person who approves firewall controls/changes cannot be the one implementing the changes. Which of the following is this an example of? A. Change management B. Job rotation C. Separation of duties D. Least privilege

(C)

An organization has several production-critical SCADA supervisory systems that cannot follow the normal 30- day patching policy. Which of the following BEST maximizes the protection of these systems from malicious software? A. Configure a firewall with deep packet inspection that restricts traffic to the systems. B. Configure a separate zone for the systems and restrict access to known ports. C. Configure the systems to ensure only necessary applications are able to run. D. Configure the host firewall to ensure only the necessary applications have listening ports

(C)

QUESTION 189 A security administrator must implement a system to ensure that invalid certificates are not used by a custom developed application. The system must be able to check the validity of certificates even when internet access is unavailable. Which of the following MUST be implemented to support this requirement? A. CSR B. OCSP C. CRL D. SSH

(C)

An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues. Which of the following should a security engineer employ to fulfill the requirements for the manager? A. Install a web application firewall. B. Install HIPS on the team's workstations. C. Implement containerization on the workstations. D. Configure whitelisting for the team.

(C)

An organization is drafting an IRP and needs to determine which employees have the authority to take systems offline during an emergency situation. Which of the following is being outlined? A. . Reporting and escalation procedures B. Permission auditing C. Roles and responsibilities D. Communication methodologies

(C)

An organization is looking to build its second head office another city, which has a history flooding with an average of two flooding every 100 years. The estimated building cost is $1 million, an the estimated damage due to flooding is half of the building's cost. Given this information, which of the following is the SLE? A. $50,000 B. $250,000 C. $500,000 D. $1,000,000

(C)

An organization requires employees to insert their identification cards into a reader so chips embedded in the cards can be read to verify their identities prior to accessing computing resources. Which of the following BEST describes this authentication control? A. TPM B. Token C. Proximity card D. CAC

(C)

An organization wants to ensure network access is granted only after a user or device has been authenticated. Which of the following should be used to achieve this objective for both wired and wireless networks? A. CCMP B. PKCS#12 C. IEEE 802.1X D. OCSP

(C)

An organization wants to implement a method to correct risks at the system/application layer. Which of the following is the BEST method to accomplish this goal? A. IDS/IPS B. IP tunneling C. Web application firewall D. Patch management

(C)

An organization wants to set up a wireless network in the most secure way. Budget is not a major consideration, and the organization is willing to accept some complexity when clients are connecting. It is also willing to deny wireless connectivity for clients who cannot be connected in the most secure manner. Which of the following would be the MOST secure setup that conforms to the organization's requirements? A. Enable WPA2-PSK for older clients and WPA2-Enterprise for all other clients. B. Enable WPA2-PSK, disable all other modes, and implement MAC filtering along with port security. C. Use WPA2-Enterprise with RADIUS and disable pre-shared keys. D. Use WPA2-PSK with a 24-character complex password and change the password monthly.

(C)

An organization's Chief Executive Officer (CEO) directs a newly hired computer technician to install an OS on the CEO's personal laptop. The technician performs the installation, and a software audit later in the month indicates a violation of the EULA occurred as a result. Which of the following would address this violation going forward? A. Security configuration baseline B. Separation of duties C. AUP D. NDA

(C)

Ann a security analyst is monitoring the IDS console and noticed multiple connections from an internal host to a suspicious call back domain. Which of the following tools would aid her to decipher the network traffic? A. Vulnerability Scanner B. NMAP C. NETSTAT D. Packet Analyzer

(C)

Before an infection was detected, several of the infected devices attempted to access a URL that was similar to the company name but with two letters transposed. Which of the following BEST describes the attack vector used to infect the devices? A. Cross-site scripting B. DNS poisoning C. Typo squatting D. URL hijacking

(C)

Confidential corporate data was recently stolen by an attacker who exploited data transport protections. Which of the following vulnerabilities is the MOST likely cause of this data breach? A. Resource exhaustion on VPN concentrators B. Weak SSL cipher strength C. Improper input handling on FTP site D. Race condition on packet inspection firewall

(C)

During a lessons learned meeting regarding a previous incident, the security team receives a follow-up action item with the following requirements: - Allow authentication from within the United States anytime - Allow authentication if the user is accessing email or a shared file system - Do not allow authentication if the AV program is two days out of date - Do not allow authentication if the location of the device is in two specific countries Given the requirements, which of the following mobile deployment authentication types is being utilized? A. Geofencing authentication B. Two-factor authentication C. Context-aware authentication D. Biometric authentication

(C)

During a penetration test, the tester performs a preliminary scan for any responsive hosts. Which of the following BEST explains why the tester is doing this? A. To determine if the network routes are improperly forwarding request packets B. To identify the total number of hosts and determine if the network can be victimized by a DoS attack C. To identify servers for subsequent scans and further investigation D. To identify the unresponsive hosts and determine if those could be used as zombies in a follow-up scan

(C)

During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts. With which of the following is the auditor MOST likely concerned? A. ARO/ALE B. MTTR/MTBF C. RTO/RPO D. Risk assessment

(C)

In highly secure environments where the risk of malicious actors attempting to steal data is high, which of the following is the BEST reason to deploy Faraday cages? A. To provide emanation control to prevent credential harvesting B. To minimize signal attenuation over distances to maximize signal strength C. To minimize external RF interference with embedded processors D. To protect the integrity of audit logs from malicious alteration

(C)

Joe, a backup administrator, wants to implement a solution that will reduce the restoration time of physical servers. Which of the following is the BEST method for Joe to use? A. Differential B. Incremental C. Full D. Snapshots

(C)

Malware that changes its binary pattern on specific dates at specific times to avoid detection is known as a (n): A. armored virus B. logic bomb C. polymorphic virus D. Trojan

(C)

QUESTION 341 An administrator thinks the UNIX systems may be compromised, but a review of system log files provides no useful information. After discussing the situation with the security team, the administrator suspects that the attacker may be altering the log files and removing evidence of intrusion activity. Which of the following actions will help detect attacker attempts to further alter log files? A. Enable verbose system logging B. Change the permissions on the user's home directory C. Implement remote syslog D. Set the bash_history log file to "read only"

(C)

QUESTION 680 A systems administrator has created network file shares for each department with associated security groups for each role within the organization. Which of the following security concepts is the systems administrator implementing? A. Separation of duties B. Permission auditing C. Least privilege D. Standard naming conversation

(C)

The POODLE attack is an MITM exploit that affects: A. TLS1.0 with CBC mode cipher B. SSLv2.0 with CBC mode cipher C. SSLv3.0 with CBC mode cipher D. SSLv3.0 with ECB mode cipher

(C)

The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process? A. Updating the playbooks with better decision points B. Dividing the network into trusted and untrusted zones C. Providing additional end-user training on acceptable use D. Implementing manual quarantining of infected hosts

(C)

The chief Security Officer (CSO) has reported a rise in data loss but no break ins have occurred. By doing which of the following is the CSO most likely to reduce the number of incidents? A. Implement protected distribution B. Empty additional firewalls C. Conduct security awareness training D. Install perimeter barricades

(C)

The process of applying a salt and cryptographic hash to a password then repeating the process many times is known as which of the following? A. Collision resistance B. Rainbow table C. Key stretching D. Brute force attack

(C)

Two users need to securely share encrypted files via email. Company policy prohibits users from sharing credentials or exchanging encryption keys. Which of the following can be implemented to enable users to share encrypted data while abiding by company policies? A. Key escrow B. Digital signatures C. PKI D. Hashing

(C)

Users in a corporation currently authenticate with a username and password. A security administrator wishes to implement two factor authentication to improve security. Which of the following authentication methods should be deployed to achieve this goal? A. PIN B. Security question C. Smart card D. Passphrase E. CAPTCHA

(C)

When a malicious user is able to retrieve sensitive information from RAM, the programmer has failed to implement: A. session keys. B. encryption of data at rest C. encryption of data in use. D. ephemeral keys.

(C)

When backing up a database server to LTO tape drives, the following backup schedule is used. Backups take one hour to complete: Sunday (7 PM): Full backup Monday (7 PM): Incremental Tuesday (7 PM): Incremental Wednesday (7 PM): Differential Thursday (7 PM): Incremental Friday (7 PM): Incremental Saturday (7 PM): Incremental On Friday at 9:00 p.m., there is a RAID failure on the database server. The data must be restored from backup. Which of the following is the number of backup tapes that will be needed to complete this operation? A. 1 B. 2 C. 3 D. 4 E. 6

(C)

When designing a web based client server application with single application server and database cluster backend, input validation should be performed: A. On the client B. Using database stored procedures C. On the application server D. Using HTTPS

(C)

When sending messages using symmetric encryption, which of the following must happen FIRST? A. Exchange encryption key B. Establish digital signatures C. Agree on an encryption method D. Install digital certificates

(C)

When trying to log onto a company's new ticketing system, some employees receive the following message: Access denied: too many concurrent sessions. The ticketing system was recently installed on a small VM with only the recommended hardware specifications. Which of the following is the MOST likely cause for this error message? A. Network resources have been exceeded. B. The software is out of licenses. C. The VM does not have enough processing power. D. The firewall is misconfigured.

(C)

Which of the following BEST distinguishes Agile development from other methodologies in terms of vulnerability management? A. Cross-functional teams B. Rapid deployments C. Daily standups D. Peer review E. Creating user stories

(C)

Which of the following algorithms would be used to provide non-repudiation of a file transmission? A. AES B. RSA C. MD5 D. SHA

(C)

Which of the following delineates why it is important to perform egress filtering and monitoring on Internet connected security zones of interfaces on a firewall? A. Egress traffic is more important than ingress traffic for malware prevention B. To rebalance the amount of outbound traffic and inbound traffic C. Outbound traffic could be communicating to known botnet sources D. To prevent DDoS attacks originating from external network

(C)

Which of the following encryption methods does PKI typically use to securely protect keys? A. Elliptic curve B. Digital signatures C. Asymmetric D. Obfuscation

(C)

Which of the following is an asymmetric function that generates a new and separate key every time it runs? A. RSA B. DSA C. DHE D. HMAC E. PBKDF2

(C)

Which of the following is the BEST reason to run an untested application is a sandbox? A. To allow the application to take full advantage of the host system's resources and storage B. To utilize the host systems antivirus and firewall applications instead of running it own protection C. To prevent the application from acquiring escalated privileges and accessing its host system D. To increase application processing speed so the host system can perform real-time logging

(C)

Transport Layer Security (TLS)

A protocol based on SSL 3.0 that provides authentication and encryption, used by most servers for secure exchanges over the Internet.

Which of the following is the BEST way for home users to mitigate vulnerabilities associated with IoT devices on their home networks? A. Power off the devices when they are not in use, B. Prevent IoT devices from contacting the Internet directly. C. Apply firmware and software updates upon availability. D. Deploy a bastion host on the home network.

(C)

Which of the following is the LEAST secure hashing algorithm? A. SHA1 B. RIPEMD C. MD5 D. DES

(C)

Which of the following is the appropriate network structure used to protect servers and services that must be provided to external clients without completely eliminating access for internal users? A. NAC B. VLAN C. DMZ D. Subnet

(C)

Which of the following is unique to a stream cipher? A. It encrypt 128 bytes at a time. B. It uses AES encryption. C. It performs bit-level encryption. D. It is used in HTTPS.

(C)

Which of the following is unique to a stream cipher? A. It encrypts 128 bytes at a time. B. It uses AES encryption C. It performs bit-level encryption D. It is used in HTTPS

(C)

Which of the following policies would help an organization identify and mitigate potential single points of failure in the company's IT/security operations? A. Least privilege B. Awareness training C. Separation of duties D. Mandatory vacation

(C)

Which of the following provides PFS? A. AES B. RC4 C. DHE D. HMAC

(C)

Which of the following should a technician use to protect a cellular phone that is needed for an investigation, to ensure the data will not be removed remotely? A. Air gap B. Secure cabinet C. Faraday cage D. Safe

(C)

Which of the following should be used to implement voice encryption? A. SSLv3 B. VDSL C. SRTP D. VoIP

(C)

Which of the following types of cloud infrastructures would allow several organizations with similar structures and interests to realize the benefits of shared storage and resources? A. Private B. Hybrid C. Public D. Community

(C)

Which of the following uses tokens between the identity provider and the service provider to authenticate and authorize users to resources? A. RADIUS B. SSH C. OAuth D. MSCHAP

(C)

Which of the following would allow for the QUICKEST restoration of a server into a warm recovery site in a case in which server data mirroring is not enabled? A. Full backup B. Incremental backup C. Differential backup D. Snapshot

(C)

While monitoring the SIEM, a security analyst observes traffic from an external IP to an IP address of the business network on port 443. Which of the following protocols would MOST likely cause this traffic? A. HTTP B. SSH C. SSL D. DNS

(C)

While performing a penetration test, the technicians want their efforts to go unnoticed for as long as possible while they gather useful data about the network they are assessing. Which of the following would be the BEST choice for the technicians? A. Vulnerability scanner B. Offline password cracker C. Packet sniffer D. Banner grabbing

(C)

organization's security policy, the employee's access to all network resources is terminated immediately. Two weeks later, the former employee sends an email to the help desk for a password reset to access payroll information from the human resources server. Which of the following represents the BEST course of action? A. Approve the former employee's request, as a password reset would give the former employee access to only the human resources server. B. Deny the former employee's request, since the password reset request came from an external email address. C. Deny the former employee's request, as a password reset would give the employee access to all network resources. D. Approve the former employee's request, as there would not be a security issue with the former employee gaining access to network resources.

(C)

A company has three divisions, each with its own networks and services. The company decides to make its secure web portal accessible to all employees utilizing their existing usernames and passwords. The security administrator has elected to use SAML to support authentication. In this scenario, which of the following will occur when users try to authenticate to the portal? (Select two.) A. The portal will function as a service provider and request an authentication assertion. B. The portal will function as an identity provider and issue an authentication assertion. C. The portal will request an authentication ticket from each network that is transitively trusted. D. The back-end networks will function as an identity provider and issue an authentication assertion. E. The back-end networks will request authentication tickets from the portal, which will act as the third-party service provider authentication store. F. The back-end networks will verify the assertion token issued by the portal functioning as the identity provider.

(C,D)

A security administrator has configured a RADIUS and a TACACS+ server on the company's network. Network devices will be required to connect to the TACACS+ server for authentication and send accounting information to the RADIUS server. Given the following information: RADIUS IP: 192.168.20.45 TACACS+ IP: 10.23.65.7 Which of the following should be configured on the network clients? (Select two.) A. Accounting port: TCP 389 B. Accounting port: UDP 1812 C. Accounting port: UDP 1813 D. Authentication port: TCP 49 E. Authentication port: TCP 88 F. Authentication port: UDP 636

(CD)

A technician is recommending preventive physical security controls for a server room. Which of the following would the technician MOST likely recommend? (Choose two.) A. Geofencing B. Video surveillance C. Protected cabinets D. Mantrap E. Key exchange F. Authorized personnel signage

(CD)

Confidential emails from an organization were posted to a website without the organization's knowledge. Upon investigation, it was determined that the emails were obtained from an internal actor who sniffed the emails in plain text. Which of the following protocols, if properly implemented, would have MOST likely prevented the emails from being sniffed? (Select TWO) A. Secure IMAP B. DNSSEC C. S/MIME D. SMTPS E. HTTPS

(CD)

The network information for a workstation is as follows: IP Address/Subnet Mask Default Gateway DNS Server 172.16.17.200/24 172.16.17.254 172.16.17.254 When the workstation's user attempts to access www.example.com, the URL that actually opens is www.notexample.com. The user successfully connects to several other legitimate URLs. Which of the following have MOST likely occurred? (Choose two.) A. ARP poisoning B. Buffer overflow C. DNS poisoning D. Domain hijacking E. IP spoofing

(CD)

A company has migrated to two-factor authentication for accessing the corporate network, VPN, and SSO. Several legacy applications cannot support multifactor authentication and must continue to use usernames and passwords. Which of the following should be implemented to ensure the legacy applications are as secure as possible while ensuring functionality? (Choose two.) A. Privileged accounts B. Password reuse restrictions C. Password complexity requirements D. Password recovery E. Account disablement

(CE)

A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO) A. Install an additional firewall B. Implement a redundant email server C. Block access to personal email on corporate systems D. Update the X.509 certificates on the corporate email server E. Update corporate policy to prohibit access to social media websites F. Review access violation on the file server

(CE)

A manufacturing company updates a policy that instructs employees not to enter a secure area in groups and requires each employee to swipe their badge to enter the area When employees continue to ignore the policy, a mantrap is installed. Which of the following BEST describe the controls that were implemented to address this issue? (Select TWO). A. Detective B. Administrative C. Deterrent D. Physical E. Corrective

(CE)

A security administrator has written a script that will automatically upload binary and text-based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which of the following should the administrator use? (Select TWO) A. TOPT B. SCP C. FTP over a non-standard pot D. SRTP E. Certificate-based authentication F. SNMPv3

(CE)

A security analyst is assessing a small company's internal servers against recommended security practices. Which of the following should the analyst do to conduct the assessment? (Choose two.) A. Compare configurations against platform benchmarks B. Confirm adherence to the company's industry-specific regulations C. Review the company's current security baseline D. Verify alignment with policy related to regulatory compliance E. Run an exploitation framework to confirm vulnerabilities

(CE)

A software developer wants to ensure that the application is verifying that a key is valid before establishing SSL connections with random remote hosts on the Internet. Which of the following should be used in the code? (Select TWO.) A. Escrowed keys B. SSL symmetric encryption key C. Software code private key D. Remote server public key E. OCSP

(CE)

An organization has hired a new remote workforce. Many new employees are reporting that they are unable to access the shared network resources while traveling. They need to be able to travel to and from different locations on a weekly basis. Shared offices are retained at the headquarters location. The remote workforce will have identical file and system access requirements, and must also be able to log in to the headquarters location remotely. Which of the following BEST represent how the remote employees should have been set up initially? (Choose two.) A. User-based access control B. Shared accounts C. Group-based access control D. Mapped drives E. Individual accounts F. Location-based policies

(CE)

Which of the following are considered among the BEST indicators that a received message is a hoax? (Choose two.) A. Minimal use of uppercase letters in the message B. Warnings of monetary loss to the receiver C. No valid digital signature from a known security organization D. Claims of possible damage to computer hardware E. Embedded URLs

(CE)

After a merger between two companies a security analyst has been asked to ensure that the organization's systems are secured against infiltration by any former employees that were terminated during the transition. Which of the following actions are MOST appropriate to harden applications against infiltration by former employees? (Select TWO) A. Monitor VPN client access B. Reduce failed login out settings C. Develop and implement updated access control policies D. Review and address invalid login attempts E. Increase password complexity requirements F. Assess and eliminate inactive accounts

(CF)

A Chief Executive Officer (CEO) suspects someone in the lab testing environment is stealing confidential information after working hours when no one else is around. Which of the following actions can help to prevent this specific threat? A. Implement time-of-day restrictions. B. Audit file access times. C. Secretly install a hidden surveillance camera. D. Require swipe-card access to enter the lab.

(D)

A Chief Security Office's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives? A. Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares. B. Purchase cyber insurance from a reputable provider to reduce expenses during an incident. C. Invest in end-user awareness training to change the long-term culture and behavior of staff and executives, reducing the organization's susceptibility to phishing attacks. D. Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.

(D)

A Security Officer on a military base needs to encrypt several smart phones that will be going into the field. Which of the following encryption solutions should be deployed in this situation? A. Elliptic curve B. One-time pad C. 3DES D. AES-256

(D)

A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions. in addition, the perimeter router can only handle 1Gbps of traffic. Which of the following should be implemented to prevent a DoS attacks in the future? A. Deploy multiple web servers and implement a load balancer B. Increase the capacity of the perimeter router to 10 Gbps C. Install a firewall at the network to prevent all attacks D. Use redundancy across all network devices and services

(D)

A call center company wants to implement a domain policy primarily for its shift workers. The call center has large groups with different user roles. Management wants to monitor group performance. Which of the following is the BEST solution for the company to implement? A. Reduced failed logon attempts B. Mandatory password changes C. Increased account lockout time D. Time-of-day restrictions

(D)

A company has a team of penetration testers. This team has located a file on the company file server that they believe contains cleartext usernames followed by a hash. Which of the following tools should the penetration testers use to learn more about the content of this file? A. Exploitation framework B. Vulnerability scanner C. Netcat D. Password cracker

(D)

A company has had a BYOD policy in place for many years and now wants to roll out an MDM solution. The company has decided that end users who wish to utilize their personal devices for corporate use must opt in to the MDM solution. End users are voicing concerns about the company having access to their personal devices via the MDM solution. Which of the following should the company implement to ease these concerns? A. Sideloading B. Full device encryption C. Application management D. Containerization

(D)

A company is allowing a BYOD policy for its staff. Which of the following is a best practice that can decrease the risk of users jailbreaking mobile devices? A. Install a corporately monitored mobile antivirus on the devices. B. Prevent the installation of applications from a third-party application store. C. Build a custom ROM that can prevent jailbreaking. D. Require applications to be digitally signed.

(D)

A company is having issues with intellectual property being sent to a competitor from its system. The information being sent is not random but has an identifiable pattern. Which of the following should be implemented in the system to stop the content from being sent? A. Encryption B. Hashing C. IPS D. DLP

(D)

A company is implementing a tool to mask all PII when moving data from a production server to a testing server. Which of the following security techniques is the company applying? A. Data wiping B. Steganograpgy C. Data obfuscation D. Data sanitization

(D)

A company network is currently under attack. Although security controls are in place to stop the attack, the security administrator needs more information about the types of attacks being used. Which of the following network types would BEST help the administrator gather this information? A. DMZ B. Guest network C. Ad hoc D. Honeynet

(D)

A company recently experienced data exfiltration via the corporate network. In response to the breach, a security analyst recommends deploying an out-of-band IDS solution. The analyst says the solution can be implemented without purchasing any additional network hardware. Which of the following solutions will be used to deploy the IDS? A. Network tap B. Network proxy C. Honeypot D. Port mirroring

(D)

A company recently implemented a new security system. In the course of configuration, the security administrator adds the following entry: #Whitelist USB\VID_13FE&PID_4127&REV_0100 Which of the following security technologies is MOST likely being configured? A. Application whitelisting B. HIDS C. Data execution prevention D. Removable media control

(D)

A company wants to implement a wireless network with the following requirements: • All wireless users will have a unique credential. • User certificates will not be required for authentication. • The company's AAA infrastructure must be utilized. • Local hosts should not store authentication tokens. Which of the following should be used in the design to meet the requirements? A. EAP-TLS B. WPS C. PSK D. PEAP

(D)

A cryptographer has developed a new proprietary hash function for a company and solicited employees to test the function before recommending its implementation. An employee takes the plaintext version of a document and hashes it, then changes the original plaintext document slightly and hashes it, and continues repeating this process until two identical hash values are produced from two different documents. Which of the following BEST describes this cryptographic attack? A. Brute force B. Known plaintext C. Replay D. Collision

(D)

A datacenter engineer wants to ensure an organization's servers have high speed and high redundancy and can sustain the loss of two physical disks in an array. Which of the following RAID configurations should the engineer implement to deliver this functionality? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10 E. RAID 50

(D)

A director of IR is reviewing a report regarding several recent breaches. The director compiles the following statistic's - Initial IR engagement time frame - Length of time before an executive management notice went out - Average IR phase completion The director wants to use the data to shorten the response time. Which of the following would accomplish this? A. CSIRT B. Containment phase C. Escalation notifications D. Tabletop exercise

(D)

A dumpster diver recovers several hard drives from a company and is able to obtain confidential data from one of the hard drives. The company then discovers its information is posted online. Which of the following methods would have MOST likely prevented the data from being exposed? A. Removing the hard drive from its enclosure B. Using software to repeatedly rewrite over the disk space C. Using Blowfish encryption on the hard drives D. Using magnetic fields to erase the data

(D)

A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the FIRST step the forensic expert needs to take the chain of custody? A. Make a forensic copy B. Create a hash of the hard rive C. Recover the hard drive data D. Update the evidence log

(D)

A healthcare company is revamping its IT strategy in light of recent regulations. The company is concerned about compliance and wants to use a pay-per-use model. Which of the following is the BEST solution? A. On-premises hosting B. Community cloud C. Hosted infrastructure D. Public SaaS

(D)

A home invasion occurred recently in which an intruder compromised a home network and accessed a WiFI- enabled baby monitor while the baby's parents were sleeping. Which of the following BEST describes how the intruder accessed the monitor? A. Outdated antivirus B. WiFi signal strength C. Social engineering D. Default configuration

(D)

A law office has been leasing dark fiber from a local telecommunications company to connect a remote office to company headquarters. The telecommunications company has decided to discontinue its dark fiber product and is offering an MPLS connection, which the law office feels is too expensive. Which of the following is the BEST solution for the law office? A. Remote access VPN B. VLAN C. VPN concentrator D. Site-to-site VPN

(D)

A local coffee shop runs a small WiFi hotspot for its customers that utilizes WPA2-PSK. The coffee shop would like to stay current with security trends and wants to implement WPA3 to make its WiFi even more secure. Which of the following technologies should the coffee shop use in place of PSK? A. WEP B. EAP C. WPS D. SAE

(D)

A malicious system continuously sends an extremely large number of SYN packets to a server. Which of the following BEST describes the resulting effect? A. The server will be unable to server clients due to lack of bandwidth B. The server's firewall will be unable to effectively filter traffic due to the amount of data transmitted C. The server will crash when trying to reassemble all the fragmented packets D. The server will exhaust its memory maintaining half-open connections

(D)

A mobile application developer wants to secure an application that transmits sensitive information. Which of the following should the developer implement to prevent SSL MITM attacks? A. Stapling B. Chaining C. Signing D. Pinning

(D)

A mobile device user is concerned about geographic positioning information being included in messages sent between users on a popular social network platform. The user turns off the functionality in the application, but wants to ensure the application cannot re-enable the setting without the knowledge of the user. Which of the following mobile device capabilities should the user disable to achieve the stated goal? A. Device access control B. Location based services C. Application control D. GEO-Tagging

(D)

A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output: CPU 0 P percent busy, from 300 sec ago 1 sec ave: 99 percent busy 5 sec ave: 97 percent busy 1 sec ave: 83 percent busy Which of the following is the router experiencing? A. DDoS attack B. Memory leak C. Buffer overflow D. Resource exhaustion

(D)

A network administrator is creating a new network for an office. For security purposes, each department should have its resources isolated from every other department but be able to communicate back to central servers. Which of the following architecture concepts would BEST accomplish this? A. Air gapped network B. Load balanced network C. Network address translation D. Network segmentation

(D)

A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy? A. Physical B. Corrective C. Technical D. Administrative

(D)

A new mobile application is being developed in-house. Security reviews did not pick up any major flaws, however vulnerability scanning results show fundamental issues at the very end of the project cycle. Which of the following security activities should also have been performed to discover vulnerabilities earlier in the lifecycle? A. Architecture review B. Risk assessment C. Protocol analysis D. Code review

(D)

A new security administrator ran a vulnerability scanner for the first time and caused a system outage. Which of the following types of scans MOST likely caused the outage? A. Non-intrusive credentialed scan B. Non-intrusive non-credentialed scan C. Intrusive credentialed scan D. Intrusive non-credentialed scan

(D)

A penetration tester finds that a company's login credentials for the email client were being sent in clear text. Which of the following should be done to provide encrypted logins to the email server? A. Enable IPSec and configure SMTP. B. Enable SSH and LDAP credentials. C. Enable MIME services and POP3. D. Enable an SSL certificate for IMAP services.

(D)

A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over untrusted media. Which of the following BEST describes the action performed by this type of application? A. Hashing B. Key exchange C. Encryption D. Obfusication

(D)

A penetration tester is conducting an assessment on Comptia.org and runs the following command from a coffee shop while connected to the public Internet: c:\nslookup -querytype=MX comptia.org Server: Unknown Address: 198.51.100.45 comptia.org MX preference=10, mail exchanger = 92.68.102.33 comptia.org MX preference=20, mail exchanger = exchg1.comptia.org exchg1.comptia.org internet address = 192.168.102.67 Which of the following should the penetration tester conclude about the command output? A. The public/private views on the Comptia.org DNS servers are misconfigured. B. Comptia.org is running an older mail server, which may be vulnerable to exploits. C. The DNS SPF records have not been updated for Comptia.org. D. 192.168.102.67 is a backup mail server that may be more vulnerable to attack.

(D)

A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the following types of controls should be used to reduce the risk created by this scenario? A. Physical B. Detective C. Preventive D. Compensating

(D)

A salesperson often uses a USB drive to save and move files from a corporate laptop. The coprorate laptop was recently updated, and now the files on the USB are read-only. Which of the following was recently added to the laptop? A. Antivirus software B. File integrity check C. HIPS D. DLP

(D)

A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a requirement for this configuration? A. Setting up a TACACS+ server B. Configuring federation between authentication servers C. Enabling TOTP D. Deploying certificates to endpoint devices

(D)

A security administrator has completed a monthly review of DNS server query logs. The administrator notices continuous name resolution attempts from a large number of internal hosts to a single Internet addressable domain name. The security administrator then correlated those logs with the establishment of persistent TCP connections out to this domain. The connections seem to be carrying on the order of kilobytes of data per week. Which of the following is the MOST likely explanation for this company? A. An attacker is infiltrating large amounts of proprietary company data. B. Employees are playing multiplayer computer games. C. A worm is attempting to spread to other hosts via SMB exploits. D. Internal hosts have become members of a botnet.

(D)

A security administrator in a bank is required to enforce an access control policy so no single individual is allowed to both initiate and approve financial transactions. Which of the following BEST represents the impact the administrator is deterring? A. Principle of least privilege B. External intruder C. Conflict of interest D. Fraud

(D)

A security administrator is configuring a new network segment, which contains devices that will be accessed by external users, such as web and FTP server. Which of the following represents the MOST secure way to configure the new network segment? A. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic. B. The segment should be placed in the existing internal VLAN to allow internal traffic only. C. The segment should be placed on an intranet, and the firewall rules should be configured to allow external traffic. D. The segment should be placed on an extranet, and the firewall rules should be configured to allow both internal and external traffic.

(D)

A security administrator is implementing a new WAF solution and has placed some of the web servers behind the WAF, with the WAF set to audit mode. When reviewing the audit logs of external requests and posts to the web servers, the administrator finds the following entry: Question 557 Based on this data, which of the following actions should the administrator take? A. Alert the web server administrators to a misconfiguration. B. Create a blocking policy based on the parameter values. C. Change the parameter name 'Account_Name' identified in the log. D. Create an alert to generate emails for abnormally high activity.

(D)

A security administrator is investigating a possible account compromise. The administrator logs onto a desktop computer, executes the command notepad.exe c:\Temp\qkakforlkgfkja.log, and reviews the following: Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r https://www.portal.com\rjohnuser\rilovemycat2 Given the above output, which of the following is the MOST likely cause of this compromise? A. Virus B. Worm C. Rootkit D. Keylogger

(D)

A security administrator is performing a risk assessment on a legacy WAP with a WEP-enabled wireless infrastructure. Which of the following should be implemented to harden the infrastructure without upgrading the WAP? A. Implement WPA and TKIP B. Implement WPS and an eight-digit pin C. Implement WEP and RC4 D. Implement WPA2 Enterprise

(D)

A security administrator needs to conduct a full inventory of all encryption protocols and cipher suites. Which of the following tools will the security administrator use to conduct this inventory MOST efficiently? A. tcpdump B. Protocol analyzer C. Netstat D. Nmap

(D)

A security administrator needs to create a RAID configuration that is focused on high read speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the following RAID configurations should the administrator use? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10

(D)

A security analyst has set up a network tap to monitor network traffic for vulnerabilities. Which of the following techniques would BEST describe the approach the analyst has taken? A. Compliance scanning B. Credentialed scanning C. Passive vulnerability scanning D. Port scanning

(D)

A security analyst is hardening a WiFi infrastructure. The primary requirements are the following: - The infrastructure must allow staff to authenticate using the most secure method. - The infrastructure must allow guests to use an "open" WiFi network that logs valid email addresses before granting access to the Internet. Given these requirements, which of the following statements BEST represents what the analyst should recommend and configure? A. Configure a captive portal for guests and WPS for staff. B. Configure a captive portal for staff and WPA for guests. C. Configure a captive portal for staff and WEP for guests. D. Configure a captive portal for guest and WPA2 Enterprise for staff

(D)

A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact? A. Launch an investigation to identify the attacking host B. Initiate the incident response plan C. Review lessons learned captured in the process D. Remove malware and restore the system to normal operation

(D)

A security analyst is performing a BIA. The analyst notes that in a disaster, failover systems must be up and running within 30 minutes. The failover systems must use backup data that is no older than one hour. Which of the following should the analyst include in the business continuity plan? A. A maximum MTTR of 30 minutes B. A maximum MTBF of 30 minutes C. A maximum RTO of 60 minutes D. A maximum RPO of 60 minutes E. An SLA guarantee of 60 minutes

(D)

A security analyst is reviewing patches on servers. One of the servers is reporting the following error message in the WSUS management console: The computer has not reported status in 30 days. Given this scenario, which of the following statements BEST represents the issue with the output above? A. The computer in question has not pulled the latest ACL policies for the firewall. B. The computer in question has not pulled the latest GPO policies from the management server. C. The computer in question has not pulled the latest antivirus definitions from the antivirus program. D. The computer in question has not pulled the latest application software updates.

(D)

A security analyst needs to be proactive in understanding the types of attacks that could potentially target the company's executives. Which of the following intelligence sources should the security analyst review? A. Vulnerability feeds B. Trusted automated exchange of indicator information C. Structured threat information expression D. Industry information-sharing and collaboration groups

(D)

A security engineer must install the same x.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use? A. Wildcard certificate B. Extended validation certificate C. Certificate chaining D. Certificate utilizing the SAN file

(D)

A security engineer wants to implement a site-to-site VPN that will require SSL certificates for mutual authentication. Which of the following should the engineer implement if the design requires client MAC address to be visible across the tunnel? A. Tunnel mode IPSec B. Transport mode VPN IPSec C. L2TP D. SSL VPN

(D)

A security technician has been assigned data destruction duties. The hard drives that are being disposed of contain highly sensitive information. Which of the following data destruction techniques is MOST appropriate? A. Degaussing B. Purging C. Wiping D. Shredding

(D)

A security technician has been receiving alerts from several servers that indicate load balancers have had a significant increase in traffic. The technician initiates a system scan. The scan results illustrate that the disk space on several servers has reached capacity. The scan also indicates that incoming internet traffic to the servers has increased. Which of the following is the MOST likely cause of the decreased disk space? A. Misconfigured devices B. Logs and events anomalies C. Authentication issues D. Unauthorized software

(D)

A stock trading company had the budget for enhancing its secondary datacenter approved. Since the main site is a hurricane affected area and the disaster recovery site is 100 mi (161 km) away, the company wants to ensure its business is always operational with the least amount of man hours needed. Which of the following types of disaster recovery sites should the company implement? A. Hot site B. Warm site C. Cold site D. Cloud-based site

(D)

A systems administrator is deploying a new mission essential server into a virtual environment. Which of the following is BEST mitigated by the environment's rapid elasticity characteristic? A. Data confidentiality breaches B. VM escape attacks C. Lack of redundancy D. Denial of service

(D)

A systems administrator is installing a new server in a large datacenter. Which of the following BEST describes the importance of properly positioning servers in the rack to maintain availability? A. To allow for visibility of the servers' status indicators B. To adhere to cable management standards C. To maximize the fire suppression system's efficiency D. To provide consistent air flow

(D)

A systems administrator needs to install the same X.509 certificate on multiple servers. Which of the following should the administrator use? A. Key escrow B. A self-signed certificate C. Certificate chaining D. An extended validation certificate

(D)

A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure? A. L2TP with MAC filtering B. EAP-TTLS C. WPA2-CCMP with PSK D. RADIUS federation

(D)

A systems developer needs to provide machine-to-machine interface between an application and a database server in the production environment. This interface will exchange data once per day. Which of the following access control account practices would BEST be used in this situation? A. Establish a privileged interface group and apply read-write permission to the members of that group. B. Submit a request for account privilege escalation when the data needs to be transferred. C. Install the application and database on the same server and add the interface to the local administrator group. D. Use a service account and prohibit users from accessing this account for development work.

(D)

A systems engineer is setting up a RADIUS server to support a wireless network that uses certificate authentication. Which of the following protocols must be supported by both the RADIUS server and the WAPs? A. CCMP B. TKIP C. WPS D. EAP

(D)

A technician has been asked to document which services are running on each of a collection of 200 servers. Which of the following tools BEST meets this need while minimizing the work required? A. Nmap B. Nslookup C. Netcat D. Netstat

(D)

A technician is configuring a load balancer for the application team to accelerate the network performance of their applications. The applications are hosted on multiple servers and must be redundant. Given this scenario, which of the following would be the BEST method of configuring the load balancer? A. Round-robin B. Weighted C. Least connection D. Locality-based

(D)

A technician is designing a solution that will be required to process sensitive information, including classified government data. The system needs to be common criteria certified. Which of the following should the technician select? A. Security baseline B. Hybrid cloud solution C. Open-source software applications D. Trusted operating system

(D)

A technician is investigating a potentially compromised device with the following symptoms: - Browser slowness - Frequent browser crashes - Hourglass stuck - New search toolbar - Increased memory consumption Which of the following types of malware has infected the system? A. Man-in-the-browser B. Spoofer C. Spyware D. Adware

(D)

A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better: A. validate the vulnerability exists in the organization's network through penetration testing. B. research the appropriate mitigation techniques in a vulnerability database. C. find the software patches that are required to mitigate a vulnerability. D. prioritize remediation of vulnerabilities based on the possible impact.

(D)

A web server, which is configured to use TLS with AES-GCM-256, SHA-384, and ECDSA, recently suffered an information loss breach. Which of the following is MOST likely the cause? A. Insufficient key bit length B. Weak cipher suite C. Unauthenticated encryption method D. Poor implementation

(D)

A wireless network uses a RADIUS server that is connected to an authenticator, which in turn connects to a supplicant. Which of the following represents the authentication architecture in use? A. Open systems authentication B. Captive portal C. RADIUS federation D. 802.1x

(D)

After a merger, it was determined that several individuals could perform the tasks of a network administrator in the merged organization. Which of the following should have been performed to ensure that employees have proper access? A. Time-of-day restrictions B. Change management C. Periodic auditing of user credentials D. User rights and permission review

(D)

After a ransomware attack. a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction? A. The public ledger B. The NetFlow data C. A checksum D. The event log

(D)

After a systems administrator installed and configured Kerberos services, several users experienced authentication issues. Which of the following should be installed to resolve these issues? A. RADIUS server B. NTLM service C. LDAP service D. NTP server

(D)

After the integrity of a patch has been verified, but before being deployed to production, it is important to: A. perform static analysis B. reverse engineer it for embedded malware. C. run dynamic analysis on the executable. D. test it in a staging environment

(D)

An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year? A. ALE B. ARO C. RPO D. SLE

(D)

An administrator is beginning an authorized penetration test of a corporate network. Which of the following tools would BEST assist in identifying potential attacks? A. Netstat B. Honey pot C. Company directory D. Nmap

(D)

An analyst is part of a team that is investigating a potential breach of sensitive data at a large financial services organization. The organization suspects a breach occurred when proprietary data was disclosed to the public. The team finds servers were accessed using shared credentials that have been in place for some time. In addition, the team discovers undocumented firewall rules, which provided unauthorized external access to a server. Suspecting the activities of a malicious insider threat, which of the following was MOST likely to have been utilized to exfiltrate the proprietary data? A. Keylogger B. Botnet C. Crypto-malware D. Backdoor E. Ransomware F. DLP

(D)

An audit has revealed that database administrators are also responsible for auditing database changes and backup logs. Which of the following access control methodologies would BEST mitigate this concern? A. Time of day restrictions B. Principle of least privilege C. Role-based access control D. Separation of duties

(D)

An employee uses RDP to connect back to the office network. If RDP is misconfigured, which of the following security exposures would this lead to? A. A virus on the administrator's desktop would be able to sniff the administrator's username and password. B. Result in an attacker being able to phish the employee's username and password. C. A social engineering attack could occur, resulting in the employee's password being extracted. D. A man in the middle attack could occur, resulting the employee's username and password being captured.

(D)

An incident response analyst at a large corporation is reviewing proxy data log. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take? A. Call the CEO directly to ensure awareness of the event B. Run a malware scan on the CEO's workstation C. Reimage the CEO's workstation D. Disconnect the CEO's workstation from the network

(D)

An incident response analyst at a large corporation is reviewing proxy log data. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take? A. Call the CEO directly to ensure awareness of the event B. Run a malware scan on the CEO's workstation C. Reimage the CEO's workstation D. Disconnect the CEO's workstation from the network.

(D)

An information system owner has supplied a new requirement to the development team that calls for increased non-repudiation within the application. After undergoing several audits, the owner determined that current levels of non-repudiation were insufficient. Which of the following capabilities would be MOST appropriate to consider implementing is response to the new requirement? A. Transitive trust B. Symmetric encryption C. Two-factor authentication D. Digital signatures E. One-time passwords

(D)

An instructor is teaching a hands-on wireless security class and needs to configure a test access point to show students an attack on a weak protocol. Which of the following configurations should the instructor implement? A. WPA2 B. WPA C. EAP D. WEP

(D)

An intruder sniffs network traffic and captures a packet of internal network transactions that add funds to a game card. The intruder pushes the same packet multiple times across the network, which increments the funds on the game card. Which of the following should a security administrator implement to BEST protect against this type of attack? A. An IPS B. A WAF C. SSH D. An IPSec VPN

(D)

An organization has an account management policy that defines parameters around each type of account. The policy specifies different security attributes, such as longevity, usage auditing, password complexity, and identity proofing. The goal of the account management policy is to ensure the highest level of security while providing the greatest availability without compromising data integrity for users. Which of the following account types should the policy specify for service technicians from corporate partners? A. Guest account B. User account C. Shared account D. Privileged user account E. Default account F. Service account

(D)

An organization has hired a security analyst to perform a penetration test. The analyst captures 1GB worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to future review the pcap? A. Nmap B. cURL C. Netcat D. Wireshark

(D)

When implementing automation with IoT devices, which of the following should be considered FIRST to keep the network secure? A. Z-Wave compatibility B. Network range C. Zigbee configuration D. Communication protocols

(D)

An organization has implemented a two-step verification process to protect user access to data that is stored in the cloud. Each employee now uses an email address or mobile number to receive a code to access the data. Which of the following authentication methods did the organization implement? A. Token key B. Static code C. Push notification D. HOTP

(D)

An organization hosts a public-facing website that contains a login page for users who are registered and authorized to access a secure, non-public section of the site. That non-public site hosts information that requires multifactor authentication for access. Which of the following access management approaches would be the BEST practice for the organization? A. Username/password with TOTP B. Username/password with pattern matching C. Username/password with a PIN D. Username/password with a CAPTCHA

(D)

An organization identifies a number of hosts making outbound connections to a known malicious IP over port TCP 80. The organization wants to identify the data being transmitted and prevent future connections to this IP. Which of the following should the organization do to achieve this outcome? A. Use a protocol analyzer to reconstruct the data and implement a web-proxy. B. Deploy a web-proxy and then blacklist the IP on the firewall. C. Deploy a web-proxy and implement IPS at the network edge. D. Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.

(D)

An organization is moving its human resources system to a cloud services provider. The company plans to continue using internal usernames and passwords with the service provider, but the security manager does not want the service provider to have a company of the passwords. Which of the following options meets all of these requirements? A. Two-factor authentication B. Account and password synchronization C. Smartcards with PINS D. Federated authentication

(D)

An organization is trying to decide which type of access control is most appropriate for the network. The current access control approach is too complex and requires significant overhead. Management would like to simplify the access control and provide user with the ability to determine what permissions should be applied to files, document, and directories. The access control method that BEST satisfies these objectives is: A. Rule-based access control B. Role-based access control C. Mandatory access control D. Discretionary access control

(D)

An organization just experienced a major cyberattack incident. The attack was well coordinated, sophisticated, and highly skilled. Which of the following targeted the organization? A. Shadow IT B. An insider threat C. A hacktivist D. An advanced persistent threat

(D)

An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the following is the BEST way for the organization to integrate with the cloud application? A. Upload a separate list of users and passwords with a batch import. B. Distribute hardware tokens to the users for authentication to the cloud. C. Implement SAML with the organization's server acting as the identity provider. D. Configure a RADIUS federation between the organization and the cloud provider.

(D)

An organization wants to conduct secure transactions of large data files. Before encrypting and exchanging the data files, the organization wants to ensure a secure exchange of keys. Which of the following algorithms is appropriate for securing the key exchange? A. DES B. Blowfish C. DSA D. Diffie-Hellman E. 3DES

(D)

An organization wants to deliver streaming audio and video from its home office to remote locations all over the world. It wants the stream to be delivered securely and protected from intercept and replay attacks. Which of the following protocols is BEST suited for this purpose? A. SSH B. SIP C. S/MIME D. SRTP

(D)

An organization's policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevents users from using any of their previous 12 passwords. The quantization does not use single sign-on, nor does it centralize storage of passwords. The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation. Which of the following BEST describes what is happening? A. Some users are meeting password complexity requirements but not password length requirements. B. The password history enforcement is insufficient, and old passwords are still valid across many different systems. C. Some users are reusing passwords, and some of the compromised passwords are valid on multiple systems. D. The compromised password file has been brute-force hacked, and the complexity requirements are not adequate to mitigate this risk.

(D)

Ann, a new employee, received an email from an unknown source indicating she needed to click on the provided link to update her company's profile. Once Ann clicked the link, a command prompt appeared with the following output: C:\Users\AnnaDocuments\File1.pgp C:\Users\AnnaDocuments\AdvertisingReport.pgp C:\Users\AnnaDocuments\FinancialReport.pgp Which of the following types of malware was executed? ComptiaExamTest.com A. Ransomware B. Adware C. Spyware D. Virus

(D)

Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced slowness and input lag and found text files that appear to contain pieces of her emails or online conversations with coworkers. The technician runs a standard virus scan but detects nothing. Which of the following types of malware has infected the machine? A. Ransomware B. Rootkit C. Backdoor D. Keylogger

(D)

During a data breach cleanup, it is discovered that not all of the sites involved have the necessary data wiping tools. The necessary tools are quickly distributed to the required technicians, but when should this problem BEST be revisited? A. Reporting B. Preparation C. Mitigation D. Lessons Learned

(D)

During an application design, the development team specifics a LDAP module for single sign-on communication with the company's access control database. This is an example of which of the following? A. Application control B. Data in-transit C. Identification D. Authentication

(D)

In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence this decision? A. The scanner must be able to enumerate the host OS of devices scanned. B. The scanner must be able to footprint the network. C. The scanner must be able to check for open ports with listening services. D. The scanner must be able to audit file system permissions

(D)

Joe is exchanging encrypted email with another party. Joe encrypts the initial email with a key. When Joe receives a response, he is unable to decrypt the response with the same key he used initially. Which of the following would explain the situation? A. An ephemeral key was used for one of the messages B. A stream cipher was used for the initial email; a block cipher was used for the reply C. Out-of-band key exchange has taken place D. Asymmetric encryption is being used

(D)

Joe recently assumed the role of data custodian for this organization. While cleaning out an unused storage safe, he discovers several hard drives that are labeled "unclassified" and awaiting destruction. The hard drives are obsolete and cannot be installed in any of his current computing equipment. Which of the following is the BEST method for disposing of the hard drives? A. Burning B. Wiping C. Purging D. Pulverizing

(D)

Joe, a user, wants to send Ann, another user, a confidential document electronically. Which of the following should Joe do to ensure the document is protected from eavesdropping? A. Encrypt it with Joe's private key B. Encrypt it with Joe's public key C. Encrypt it with Ann's private key D. Encrypt it with Ann's public key

(D)

Many employees are receiving email messages similar to the one shown below: From IT department To employee Subject email quota exceeded Pease click on the following link http:www.website.info/email.php?quota=1Gb and provide your username and password to increase your email quota. Upon reviewing other similar emails, the security administrator realized that all the phishing URLs have the following common elements; they all use HTTP, they all come from .info domains, and they all contain the same URI. Which of the following should the security administrator configure on the corporate content filter to prevent users from accessing the phishing URL, while at the same time minimizing false positives? A. BLOCK http://www.*.info/" B. DROP http://"website.info/email.php?* C. Redirect http://www,*. Info/email.php?quota=*TOhttp://company.com/corporate_polict.html D. DENY http://*.info/email.php?quota=1Gb

(D)

Students at a residence hall are reporting Internet connectivity issues. The university's network administrator configured the residence hall's network to provide public IP addresses to all connected devices, but many student devices are receiving private IP addresses due to rogue devices. The network administrator verifies the residence hall's network is correctly configured and contacts the security administrator for help. Which of the following configurations should the security administrator suggest for implementation? A. Router ACLs B. BPDU guard C. Flood guard D. DHCP snooping

(D)

The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve security in the environment and protect patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns? A. SSO would simplify username and password management, making it easier for hackers to guess accounts. B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords. C. SSO would reduce the password complexity for frontline staff. D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.

(D)

The IT department's on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production? A. Limit the use of third-party libraries. B. Prevent data exposure queries. C. Obfuscate the source code. D. Submit the application to QA before releasing it.

(D)

The SSID broadcast for a wireless router has been disabled but a network administrator notices that unauthorized users are accessing the wireless network. The administer has determined that attackers are still able to detect the presence of the wireless network despite the fact the SSID has been disabled. Which of the following would further obscure the presence of the wireless network? A. Upgrade the encryption to WPA or WPA2 B. Create a non-zero length SSID for the wireless router C. Reroute wireless users to a honeypot D. Disable responses to a broadcast probe request

(D)

The administrator installs database software to encrypt each field as it is written to disk. Which of the following describes the encrypted data? A. In-transit B. In-use C. Embedded D. At-rest

(D)

The help desk is receiving numerous password change alerts from users in the accounting department. These alerts occur multiple times on the same day for each of the affected users' accounts. Which of the following controls should be implemented to curtail this activity? A. Password Reuse B. Password complexity C. Password History D. Password Minimum age

(D)

To further secure a company's email system, an administrator is adding public keys to DNS records in the company's domain. Which of the following is being used? A. PFS B. SPF C. DMARC D. DNSSEC

(D)

Two companies are enabling TLS on their respective email gateways to secure communications over the Internet. Which of the following cryptography concepts is being implemented? A. Perfect forward secrecy B. Ephemeral keys C. Domain validation D. Data in transit

(D)

When accessing a popular website, a user receives a warming that the certificate for the website is not valid. Upon investigation, it was noted that the certificate is not revoked and the website is working fine for other users. Which of the following is the MOST likely cause for this? A. The certificate is corrupted on the server. B. The certificate was deleted from the local cache. C. The user needs to restart the machine. D. The system date on the user's device is out of sync.

(D)

When generating a request for a new x.509 certificate for securing a website, which of the following is the MOST appropriate hashing algorithm? A. RC4 B. MD5 C. HMAC D. SHA

(D)

Which of the following BEST describes the purpose of authorization? A. Authorization provides logging to a resource and comes after authentication. B. Authorization provides authentication to a resource and comes after identification. C. Authorization provides identification to a resource and comes after authentication. D. Authorization provides permissions to a resource and comes after authentication.

(D)

Which of the following BEST explains the difference between a credentialed scan and a non-credentialed scan? A. A credentialed scan sees devices in the network, including those behind NAT, while a non-credentialed scan sees outward-facing applications. B. A credentialed scan will not show up in system logs because the scan is running with the necessary authorization, while non-credentialed scan activity will appear in the logs. C. A credentialed scan generates significantly more false positives, while a non-credentialed scan generates fewer false positives. D. A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest.

(D)

Which of the following BEST explains why a development environment should have the same database server secure baseline that exist in production even if there is no PII in the database? A. Without the same configuration in both development and production, there are no assurance that changes made in development will have the same effect in production. B. Attackers can extract sensitive, personal information from lower development environment databases just as easily as they can from production databases. C. Databases are unique in their need to have secure configurations applied in all environment because they are attacked more often. D. Laws stipulate that databases with the ability to store personal information must be secured regardless of the environment or if they actually have PIL.

(D)

Which of the following allows an application to securely authenticate a user by receiving credentials from a web domain? A. TACACS+ B. RADIUS C. Kerberos D. SAML

(D)

Which of the following attacks is used to capture the WPA2 handshake? A. Replay B. IV C. Evil twin D. Disassociation

(D)

Which of the following best describes the initial processing phase used in mobile device forensics? A. The phone should be powered down and the battery removed to preserve the state of data on any internal or removable storage utilized by the mobile device B. The removable data storage cards should be processed first to prevent data alteration when examining the mobile device C. The mobile device should be examined first, then removable storage and lastly the phone without removable storage should be examined again D. The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately.

(D)

Which of the following can be used to control specific commands that can be executed on a network infrastructure device? A. LDAP B. Kerberos C. SAML D. TACACS+

(D)

Which of the following command line tools would be BEST to identify the services running in a server? A. Traceroute B. Nslookup C. Ipconfig D. Netstat

(D)

Which of the following control types are alerts sent from a SIEM fulfilling based on vulnerability signatures? A. Preventive B. Corrective C. Compensating D. Detective

(D)

Which of the following cryptography algorithms will produce a fixed-length, irreversible output? A. AES B. 3DES C. RSA D. MD5

(D)

Which of the following describes the BEST approach for deploying application patches? A. Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production systems. B. Test the patches in a staging environment, develop against them in the development environment, and then apply them to the production systems C. Test the patches in a test environment, apply them to the production systems, and then apply them to a staging environment. D. Apply the patches to the production systems, apply them in a staging environment, and then test all of them in a testing environment.

(D)

Which of the following identity access methods creates a cookie on the first login to a central authority to allow logins to subsequent applications without re-entering credentials? A. Multifactor authentication B. Transitive trust C. Federated access D. Single sign-on

(D)

Which of the following implements a stream cipher? A. File-level encryption B. IKEv2 exchange C. SFTP data transfer D. S/MIME encryption

(D)

Which of the following is a document that contains detailed information about actions that include how something will be done, when the actions will be performed, and penalties for failure? A. MOU B. ISA C. BPA D. SLA

(D)

Which of the following is a passive method to test whether transport encryption is implemented? A. Black box penetration test B. Port scan C. Code analysis D. Banner grabbing

(D)

Which of the following is a risk that is specifically associated with hosting applications in the public cloud? A. Unsecured root accounts B. Zero-day C. Shared tenancy D. Insider threat

(D)

Which of the following is an example of federated access management? A. Windows passing user credentials on a peer-to-peer network B. Applying a new user account with a complex password C. Implementing a AAA framework for network access D. Using a popular website login to provide access to another website

(D)

Which of the following is commonly done as part of a vulnerability scan? A. Exploiting misconfigured applications B. Cracking employee passwords C. Sending phishing emails to employees D. Identifying unpatched workstations

(D)

Which of the following is the BEST explanation of why control diversity is important in a defense-in-depth architecture? A. Social engineering is used to bypass technical controls, so having diversity in controls minimizes the risk of demographic exploitation B. Hackers often impact the effectiveness of more than one control, so having multiple copies of individual controls provides redundancy C. Technical exploits to defeat controls are released almost every day; control diversity provides overlapping protection. D. Defense-in-depth relies on control diversity to provide multiple levels of network hierarchy that allow user domain Segmentation

(D)

Which of the following locations contain the MOST volatile data? A. SSD B. Paging file C. RAM D. Cache memory

(D)

Which of the following outcomes is a result of proper error-handling procedures in secure code? A. Execution continues with no notice or logging of the error condition. B. Minor fault conditions result in the system stopping to preserve state. C. The program runs through to completion with no detectable impact or output. D. All fault conditions are logged and do not result in a program crash.

(D)

Which of the following represents a multifactor authentication system? A. An iris scanner coupled with a palm print reader and fingerprint scanner with liveness detection. B. A secret passcode that prompts the user to enter a secret key if entered correctly. C. A digital certificate on a physical token that is unlocked with a secret passcode. D. A one-time password token combined with a proximity badge.

(D)

Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack? A. An attacker is sniffing traffic to port 53, and the server is managed using unencrypted usernames and passwords. B. An organization is experiencing excessive traffic on port 53 and suspects an attacker is trying to DoS the domain name server. C. Malware is trying to resolve an unregistered domain name to determine if it is running in an isolated sandbox. D. DNS routing tables have been compromised, and an attacker is rerouting traffic to malicious websites.

(D)

Which of the following should identify critical systems and components? A. MOU B. BPA C. ITCP D. BCP

(D)

Which of the following types of attack is being used when an attacker responds by sending the MAC address of the attacking machine to resolve the MAC to IP address of a valid server? A. Session hijacking B. IP spoofing C. Evil twin D. ARP poisoning

(D)

Which of the following would MOST likely appear in an uncredentialled vulnerability scan? A. Self-signed certificates B. Missing patches C. Auditing parameters D. Inactive local accounts

(D)

Which of the following would MOST likely support the integrity of a voting machine? A. Asymmetric encryption B. Blockchain C. Transport Layer Security D. Perfect forward secrecy

(D)

content will only be to internal employees with the option to share. Which of the following concepts is MOST appropriate? A. VPN B. Proxy C. DMZ D. Extranet

(D)

workstation puts out a network request to locate another system. Joe, a hacker on the network, responds before the real system does, and he tricks the workstation into communicating with him. Which of the following BEST describes what occurred? A. The hacker used a race condition. B. The hacker used a pass-the-hash attack. C. The hacker-exploited improper key management. D. The hacker exploited weak switch configuration.

(D)

A security consultant was asked to revise the security baselines that are utilized by a large organization. Although the company provides different platforms for its staff, including desktops, laptops, and mobile devices, the applications do not vary by platform. Which of the following should the consultant recommend? (Select Two). A. Apply patch management on a daily basis. B. Allow full functionality for all applications that are accessed remotely C. Apply default configurations of all operating systems D. Apply application whitelisting. E. Disable default accounts and/or passwords.

(DE)

A security technician is configuring a new firewall appliance for a production environment. The firewall must support secure web services for client workstations on the 10.10.10.0/24 network. The same client workstations are configured to contact a server at 192.168.1.15/24 for domain name resolution. Which of the following rules should the technician add to the firewall to allow this connectivity for the client workstations? (Select TWO). A. Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 22 B. Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 80 C. Permit 10.10.10.0/24192.168.1.15/24 -p udp --dport 21 D. Permit 10.10.10.0/24 0.0.0.0-p tcp --dport 443 E. Permit 10.10.10.0/24 192.168.1.15/24 -p tcp --dport 53 F. Permit 10.10.10.0/24 192.168.1.15/24 -p udp --dport 53

(DE)

A technician, who is managing a secure B2B connection, noticed the connection broke last night. All networking equipment and media are functioning as expected, which leads the technician to question certain PKI components. Which of the following should the technician use to validate this assumption? (Choose two.) A. PEM B. CER C. SCEP D. CRL E. OCSP F. PFX

(DE)

The security administrator has noticed cars parking just outside of the building fence line. Which of the following security measures can the administrator use to help protect the company's WiFi network against war driving? (Select TWO) A. Create a honeynet B. Reduce beacon rate C. Add false SSIDs D. Change antenna placement E. Adjust power level controls F. Implement a warning banner

(DE)

A company has a security policy that specifies all endpoint computing devices should be assigned a unique identifier that can be tracked via an inventory management system. Recent changes to airline security regulations have cause many executives in the company to travel with mini tablet devices instead of laptops. These tablet devices are difficult to tag and track. An RDP application is used from the tablet to connect into the company network. Which of the following should be implemented in order to meet the security policy requirements? A. Virtual desktop infrastructure (IDI) B. WS-security and geo-fencing C. A hardware security module (HSM) D. RFID tagging system E. MDM software F. Security Requirements Traceability Matrix (SRTM)

(E)

A company recently experienced a security incident in which its domain controllers were the target of a DoS attack. In which of the following steps should technicians connect domain controllers to the network and begin authenticating users again? A. Preparation B. Identification C. Containment D. Eradication E. Recovery F. Lessons learned

(E)

A recent penetration test revealed several issues with a public-facing website used by customers. The testers were able to: - Enter long lines of code and special characters - Crash the system - Gain unauthorized access to the internal application server - Map the internal network The development team has stated they will need to rewrite a significant portion of the code used, and it will take more than a year to deliver the finished product. Which of the following would be the BEST solution to introduce in the interim? A. Content fileting B. WAF C. TLS D. IPS/IDS E. UTM

(E)

A security administrator receives notice that a third-party certificate authority has been compromised, and new certificates will need to be issued. Which of the following should the administrator submit to receive a new certificate? A. CRL B. OSCP C. PFX D. CSR E. CA

(E)

A website administrator has received an alert from an application designed to check the integrity of the company's website. The alert indicated that the hash value for a particular MPEG file has changed. Upon further investigation, the media appears to be the same as it was before the alert. Which of the following methods has MOST likely been used? A. Cryptography B. Time of check/time of use C. Man in the middle D. Covert timing E. Steganography

(E)

An email recipient is unable to open a message encrypted through PKI that was sent from another organization. Which of the following does the recipient need to decrypt the message? A. The sender's private key B. The recipient's private key C. The recipient's public key D. The CA's root certificate E. The sender's public key F. An updated CRL

(E)

An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit of this certification? A. It allows for the sharing of digital forensics data across organizations. B. It provides insurance in case of a data breach. C. It provides complimentary training and certification resources to IT security staff. D. It certifies the organization can work with foreign entities that require a security clearance. E. It assures customers that the organization meets security standards.

(E)

A security administrator is investigating a report that a user is receiving suspicious emails. The user's machine has an old functioning modem installed. Which of the following security concerns need to be identified and mitigated? (Choose two.) A. Vishing B. Whaling C. Spear phishing D. Pharming E. War dialing F. Hoaxing

(EF)

Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are complaining of an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly. Which of the following actions should be taken FIRST? (Select TWO) A. Disable the compromised accounts B. Update WAF rules to block social networks C. Remove the compromised accounts with all AD groups D. Change the compromised accounts' passwords E. Disable the open relay on the email server F. Enable sender policy framework

(EF)

Advanced Encryption Standard (AES)

A block-cipher adapted form of encryption that was created by Vincent Rinjndael and standardized by the US government. It is now used worldwide. Before we used AES, the Data Encryption Standard (DES) was widely used.

Certificate Revocation List (CRL)

A list of revoked public key certificates created and digitally signed by a Certification Authority, time-stamped and signed data structure that a certificate authority (CA) or CRL issuer periodically issues to communicate the revocation status of affected digital certificates

Domain Name System Security Extensions (DNSSEC)

A suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. TCP/UDP port 53

Wifi-Protected Setup (WPS)

A way to set up a secure wireless network by using a button personal identification number, or USB key to automatically configure devices to connect a network

Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in a third-party software application?

A. Sandboxing B. Encryption C. Code signing D. Fuzzing

Lightweight Directory Access Protocol Secure (LDAPS)

As cryptographic protocols, SSL and TLS use certificates to establish a secure connection between client and server before any data (in this case, LDAP) is exchanged.

AAA system

Authentication, Authorization, Accounting

Choose Your Own Device (CYOD)

Companies provide employees with an approved set of devices from which to choose from and covers cost of mobile plan. Support and procurement more streamlined. Disadvantages - user dissatisfaction, struggle to manage repairs

Bring Your Own Device (BYOD)

Lower hardware and service costs, higher user convenience and satisfaction. Security can be more difficult to enforce

MAC filtering

MAC filtering is a security method based on access control. In this each address is assigned a 48-bit address which is used to determine whether we can access a network or not. It helps in listing a set of allowed devices which you need on your Wi-Fi and the list of denied devices which you don't want on your Wi-Fi

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Secure email encryption

Annualized Loss Expectancy (ALE)

The expected monetary loss that can be expected for an asset due to a risk over a one-year period. ALE is AROxSLE (Annualized Rate of Occurrence x Single Loss Expectancy)

Annualized Rate of Occurrence (ARO)

The probability that a risk will occur in a particular year.

Zero-Day exploit

Unknown exploit, attack happens once the flaw/vulnerability was found

nbtstat (NetBIOS over TCP/IP Statistics)

Windows-only command that can help solve problems with NetBIOS name resolution. You can use any of the switches to specify what nbtstat output you want to display

Discretionary Access Control (DAC)

each resource has a list of users who can access it, provides identity of the user and not by permission level

Certificate pinning

forces your client app to validate the server's certificate against a known copy

PEAP (Protected Extensible Authentication Protocol)

fully encapsulates EAP and is designed to work within a TLS (Transport Layer Security) tunnel that may be encrypted but is authenticated. The primary motivation behind the creation of PEAP was to help correct the deficiencies discovered within EAP since that protocol assumes that the communications channel is protected. As a result, when EAP messages are able to be discovered in the "clear" they do not provide the protection that was assumed when the protocol was originally authored. PEAP, EAP-TTLS, and EAP-TLS "protect" inner EAP authentication within SSL/TLS sessions.

Business Impact Analysis (BIA)

help prioritize business processes and tells you where to start with your response. 1. Impacts, 2. Timeframes, 3. Dependencies

Host Intrusion Prevention System (HIPs)

installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host

Online Certificate Status Protocol (OCSP)

internet protocol used for obtaining the revocation status of an X.509 digital certificate

incremental backup (partial backup)

involves backing up only files that have changed or have been created since the last backup was performed

Cross-Site Request Forgery (CSRF)

is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Mean Time To Failure (MTTF)

maintenance metric that measures the average amount of time a non-repairable asset operates before it fails

MD5

used to validate the integrity of data

Protected Extensible Authentication Protocol (PEAP)

version of EAP, authentication protocol used in wireless networks and point-to-point connections. Designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control