Part 11
A Chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the public-facing servers in the domain. Which of the following is a secure solution that is the MOST cost-effective? A. Create and install a self-signed certificate on each of the servers in the domain. B. Purchase a load balancer and install a single certificate on the load balancer. C. Purchase a wildcard certificate and implement it on every server. D. Purchase individual certificates and apply them to the individual servers.
A
A company is performing an analysis of the corporate enterprise network with the intent of identifying any one system, person, function, or service that, when neutralized, will cause or cascade disproportionate damage to the company's revenue, referrals, and reputation. Which of the following is an element of the BIA that this action is addressing? A. Identification of critical systems B. Single point of failure C. Value assessment D. Risk register
A
A security analyst has recently deployed an MDM solution that requires biometric authentication for company-issued smartphones. As the solution was implemented, the help desk has seen a dramatic increase in calls by employees frustrated that company-issued phones take several attempts to unlock using the fingerprint scanner. Which of the following should be reviewed to mitigate this problem? A. Crossover error rate B. False acceptance rate C. False rejection rate D. True rejection rate
A
A security analyst is asked to check the configuration of the company's DNS service on the server. Which of the following command line tools should the analyst use to perform the initial assessment? A. nslookup/dig B. tracert C. ipconfig/ifconfig D. tcpdump
A
A security analyst is investigating a report from an employee in the human resources (HR) department who is having sporadic issues with Internet access. When the security analyst pulls the UTM logs for the IP addresses in the HR group, the following activity is shown:
Host        Destination    Port  Category         User Group  Action
10.1.13.45  165.35.23.129  8080  News/Journalism  General     Block
10.1.13.45  89.23.45.11    443   Banking          General     Allow
10.1.13.46  76.4.3.19      8080  Business         HR Users    Allow
10.1.13.45  145.29.173     8080  Business         General     Block
10.1.13.45  10.1.1.29      443   Internal         General     Allow
10.1.13.46  19.34.1.189    443   Banking          HR Users    Allow
10.1.13.45  45.1.39.118    8080  Job Search       General     Block
10.1.13.46  45.1.39.118    8080  Job Search       HR Users    Allow
Which of the following actions should the security analyst take? A. Ensure the HR employee is in the appropriate user group. B. Allow port 8080 on the UTM for all outgoing traffic. C. Disable the proxy settings on the HR employee's device. D. Edit the last line of the ACL on the UTM to: allow any any.
A
A technician is installing a new SIEM and is configuring the system to count the number of times an event occurs at a specific logical location before the system takes action. Which of the following BEST describes the feature being configured by the technician? A. Correlation B. Aggregation C. Event deduplication D. Flood guard
A
A technician is required to configure updates on a guest operating system while maintaining the ability to quickly revert the changes that were made while testing the updates. Which of the following should the technician implement? A. Snapshots B. Revert to known state C. Rollback to known configuration D. Shadow copy
A
A user from the financial aid office is having trouble interacting with the finaid directory on the university's ERP system. The systems administrator who took the call ran a command and received the following output: drwx---r-- 4 admin common 12K Feb 1 15:23 finaid Subsequently, the systems administrator has also confirmed the user is a member of the finaid group on the ERP system. Which of the following is the MOST likely reason for the issue? A. The permissions on the finaid directory should be drwxrwxrwx. B. The problem is local to the user, and the user should reboot the machine. C. The files on the finaid directory have become corrupted. D. The finaid directory is not formatted correctly.
A
An organization has created a review process to determine how to best handle data with different sensitivity levels. The process includes the following requirements: -Soft copy PII must be encrypted. -Hard copy PII must be placed in a locked container. -Soft copy PHI must be encrypted and audited monthly. -Hard copy PHI must be placed in a locked container and inventoried monthly. -Locked containers must be approved and designated for document storage. -Any violations must be reported to the Chief Security Officer (CSO). While searching for coffee in the kitchen, an employee unlocks a cabinet and discovers a list of customer names and phone numbers. Which of the following actions should the employee take? A. Put the document back in the cabinet, lock the cabinet, and report the incident to the CSO. B. Take custody of the document, secure it at a desk, and report the incident to the CSO. C. Take custody of the document and immediately report the incident to the CSO. D. Put the document back in the cabinet, inventory the contents, lock the cabinet, and report the incident to the CSO.
A
During the penetration testing of an organization, the tester was provided with the names of a few key servers, along with their IP addresses. Which of the following is the organization conducting? A. Gray box testing B. White box testing C. Black box testing D. Isolated container testing E. Vulnerability testing
A
Given the following:
md5.exe file1.txt AD1FAB103773DC6A1E6021B7E503A210
md5.exe file2.txt AD1FAB103773DC6A1E6021B7E503A210
Which of the following concepts of cryptography is shown? A. Collision B. Salting C. Steganography D. Stream cipher
A
Joe, a new employee, discovered a thumb drive with the company's logo on it while walking in the parking lot. Joe was curious as to the contents of the drive and placed it into his work computer. Shortly after accessing the contents, he noticed the machine was running slower, started to reboot, and displayed new icons on the screen. Which of the following types of attacks occurred? A. Social engineering B. Brute force attack C. MITM D. DoS
A
Staff members of an organization received an email message from the Chief Executive Officer (CEO) asking them for an urgent meeting in the main conference room. When the staff assembled, they learned the message received was not actually from the CEO. Which of the following BEST represents what happened? A. Spear phishing attack B. Whaling attack C. Phishing attack D. Vishing attack
A
When building a hosted datacenter, which of the following is the MOST important consideration for physical security within the datacenter? A. Security guards B. Cameras C. Secure enclosures D. Biometrics
A
A technician wants to add wireless guest capabilities to an enterprise wireless network that is currently implementing 802.1X EAP-TLS. The guest network must: -Support client isolation. -Issue a unique encryption key to each client. -Allow guests to register using their personal email addresses. Which of the following should the technician implement? (Select TWO) A. RADIUS Federation B. Captive portal C. EAP-PEAP D. WPA2-PSK E. A separate guest SSID F. P12 certificate format
A, B
The director of information security at a company has recently directed the security engineering team to implement new security technologies aimed at reducing the impact of insider threats. Which of the following tools has the team MOST likely deployed? (Select TWO). A. DLP B. UTM C. SFTP D. SSH E. SSL
A, B
A Chief Information Officer (CIO) wants to reduce the number of calls the help desk is receiving for password resets when users log on to internal portals. Which of the following is the BEST solution? A. Increase password length B. Implement a self-service portal C. Decrease lockout threshold D. Deploy mandatory access control
B
A NIPS administrator needs to install a new signature to observe the behavior of a worm that may be spreading over SMB. Which of the following signatures should be installed on the NIPS? A. PERMIT from ANY:ANY to ANY:445 regex '.-SM-' B. DROP from ANY:445 to ANY:445 regex '.-SM*' C. DENY from ANY:ANY to ANY:445 regex '.SM' D. RESET from ANY:ANY to ANY:445 regex '.-3M-'
B
A coding error has been discovered on a customer-facing website. The error causes each request to return confidential PHI data for the incorrect organization. The IT department is unable to identify the specific customers who are affected. As a result, all customers must be notified of the potential breach. Which of the following would allow the team to determine the scope of future incidents? A. Intrusion detection system B. Database access monitoring C. Application fuzzing D. Monthly vulnerability scans
B
A company uses WPA2-PSK, and it appears there are multiple unauthorized devices connected to the wireless network. A technician suspects this is because the wireless password has been shared with unauthorized individuals. Which of the following should the technician implement to BEST reduce the risk of this happening in the future? A. Wireless guest isolation B. 802.1X C. WPS D. MAC address blacklist
B
A computer forensics team is performing an integrity check on key system files. The team is comparing the signatures of original baseline files with the latest signatures. The original baseline was taken on March 2, 2016, and was established to be clean of malware and uncorrupted. The latest file signatures were generated yesterday. One file is known to be corrupted, but when the team compares the signatures of the original and latest files, the team sees the following: Original: 2d da b1 4a fc f1 98 06 b1 e5 26 b2 df e5 5b 3e cb 83 e1 Latest: 2d da b1 4a 98 fc f1 98 b1 e5 26 b2 df e5 5b 3e cb 83 e1 Which of the following is MOST likely the situation? A. The forensics team must have reverted the system to the original date, which resulted in an identical hash calculation. B. The original baseline was compromised, so the corrupted file was always on the system. C. The signature comparison is using two different algorithms that happen to have generated the same values. D. The algorithm used to calculate the hash has a collision weakness, and an attacker has exploited it.
B
A critical enterprise component whose loss or destruction would significantly impede business operations or have an outsized impact on corporate revenue is known as: A. a single point of failure. B. critical system infrastructure. C. proprietary information. D. a mission-essential function.
B
A security administrator plans to conduct a vulnerability scan on the network to determine if system applications are up to date. The administrator wants to limit disruptions to operations but not consume too many resources. Which of the following types of vulnerability scans should be conducted? A. Credentialed B. Non-Intrusive C. SYN D. Port
B
A security engineer wants to further secure a sensitive VLAN on the network by introducing MFA. Which of the following is the BEST example of this? A. PSK and PIN B. RSA token and password C. Fingerprint scanner and voice recognition D. Secret question and CAPTCHA
B
A systems administrator is auditing the company's Active Directory environment. It is quickly noted that the username "company\bsmith" is interactively logged into several desktops across the organization. Which of the following has the systems administrator MOST likely come across? A. Service account B. Shared credentials C. False positive D. Local account
B
A user wants to send a confidential message to a customer to ensure unauthorized users cannot access the information. Which of the following can be used to ensure the security of the document while in transit and at rest? A. BCRYPT B. PGP C. FTPS D. S/MIME
B
After a breach, a company has decided to implement a solution to better understand the technique used by the attackers. Which of the following is the BEST solution to be deployed? A. Network analyzer B. Protocol analyzer C. Honeypot network D. Configuration compliance scanner
B
An organization is updating its access control standards for SSL VPN login to include multifactor authentication. The security administrator assigned to this project has been given the following guidelines to use when selecting a solution: -High security -Lowest false acceptance rate -Quick provisioning time for remote users and offshore consultants Which of the following solutions will BEST fit this organization's requirements? A. AES-256 key fobs B. Software tokens C. Fingerprint scanners D. Iris scanners
B
Ann, a user, reported to the service desk that many files on her computer will not open or the contents are not readable. The service desk technician asked Ann if she encountered any strange messages on boot-up or login, and Ann indicated she did not. Which of the following has MOST likely occurred on Ann's computer? A. The hard drive is failing, and the files are being corrupted. B. The computer has been infected with crypto-malware. C. A replay attack has occurred. D. A keylogger has been installed.
B
During a security audit of a company's network, unsecure protocols were found to be in use. A network administrator wants to ensure browser-based access to company switches is using the most secure protocol. Which of the following protocols should be implemented? A. SSH2 B. TLS1.2 C. SSL1.3 D. SNMPv3
B
In the event of a security incident, which of the following should be captured FIRST? A. An external hard drive B. System memory C. An internal hard drive D. Network interface data
B
Which of the following BEST distinguishes Agile development from other methodologies in terms of vulnerability management? A. Cross-functional teams B. Rapid deployments C. Daily standups D. Peer review E. Creating user stories
B
Which of the following is the MOST likely motivation for a script kiddie threat actor? A. Financial gain B. Notoriety C. Political expression D. Corporate espionage
B
A company recently experienced a network security breach and wants to apply two-factor authentication to secure its network. Which of the following should the company use? (Select TWO) A. User ID and password B. Cognitive password and OTP C. Fingerprint scanner and voice recognition D. Smart card and PIN E. Proximity card and CAC
B, D
A company is deploying MFDs in its office to improve employee productivity when dealing with paperwork. Which of the following concerns is MOST likely to be raised as a possible security issue in relation to these devices? A. Sensitive scanned materials being saved on the local hard drive B. Faulty printer drivers causing PC performance degradation C. Improperly configured NIC settings interfering with network security D. Excessive disk space consumption due to storing large documents
C
A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the purchase. When the PCs arrived, a technician determined some NICs had been tampered with. Which of the following MOST accurately describes the security risk presented in this situation? A. Hardware root of trust B. UEFI C. Supply chain D. TPM E. Crypto-malware F. ARP poisoning
C
A security administrator is implementing a SIEM and needs to ensure events can be compared against each other based on when the events occurred and were collected. Which of the following does the administrator need to implement to ensure this can be accomplished? A. TOTP B. TKIP C. NTP D. HOTP
C
A security analyst receives the following output:
Time        Action                                    Host   FileName           User
12/15/2017  Policy: Endpoint USB Transfer - Blocked   Host1  Q3-Financials.PDF  User1
Which of the following MOST likely occurred to produce this output? A. The host-based firewall prevented an attack from a Trojan horse B. USB-OTG prevented a file from being uploaded to a mobile device C. The host DLP prevented a file from being moved off a computer D. The firewall prevented an incoming malware-infected file
C
A security engineer needs to obtain a recurring log of changes to system files. The engineer is most concerned with detecting unauthorized changes to system data. Which of the following tools can be used to fulfill the requirements that were established by the engineer? A. TPM B. Trusted operating system C. File integrity monitor D. UEFI E. FDE
C
A technician suspects that a desktop was compromised with a rootkit. After removing the hard drive from the desktop and running an offline file integrity check, the technician reviews the following output:
FileName     ExpectedHash                       InstalledHash                      AvailableVersion  InstalledVersion
notepad.exe  48D403AD1FAB103BC04732ACB4B3A922   48D403AD1FAB103BC04732ACB4B3A922   49.33.21          48.100.2
kernel.dll   AB502DE1A78AD1FAB1010AB3AFD45021   1AC406DE49564AD1FAB1019DDA264120   1.01.200          1.01.200
lsass.exe    0987352AB3823AADD1FAB108JAB94D3EE  0987352AB3823AADD1FAB108JAB94D3EE  0.900.20          0.900.12
httpd.exe    AD1FAB10492839FAB109283AA18549AA   AD1FAB10492839FAB109283AA18549AA   10.200.1          10.200.0
Based on the above output, which of the following is the malicious file? A. notepad.exe B. lsass.exe C. kernel.dll D. httpd.exe
C
An attacker uses a network sniffer to capture the packets of a transaction that adds $20 to a gift card. The attacker then uses a function of the sniffer to push those packets back onto the network again, adding another $20 to the gift card. This can be done many times. Which of the following describes this type of attack? A. Integer overflow attack B. Smurf attack C. Replay attack D. Buffer overflow attack E. Cross-site scripting attack
C
An authorized user is conducting a penetration scan of a system for an organization. The tester has a set of network diagrams, source code, version numbers of applications, and other information about the system, including hostnames and network addresses. Which of the following BEST describes this type of penetration test? A. Gray-box testing B. Black-box testing C. White-box testing D. Blue team exercise E. Red team exercise
C
An organization handling highly confidential information needs to update its systems. Which of the following is the BEST method to prevent data compromise? A. Wiping B. Degaussing C. Shredding D. Purging
C
An organization wants to set up a wireless network in the most secure way. Budget is not a major consideration, and the organization is willing to accept some complexity when clients are connecting. It is also willing to deny wireless connectivity for clients who cannot be connected in the most secure manner. Which of the following would be the MOST secure setup that conforms to the organization's requirements? A. Enable WPA2-PSK for older clients and WPA2-Enterprise for all other clients. B. Enable WPA2-PSK, disable all other modes, and implement MAC filtering along with port security. C. Use WPA2-Enterprise with RADIUS and disable pre-shared keys. D. Use WPA2-PSK with a 24-character complex password and change the password monthly.
C
An organization was recently compromised by an attacker who used a server certificate with the company's domain issued by an irrefutable CA. Which of the following should be used to mitigate this risk in the future? A. OCSP B. DNSSEC C. Certificate pinning D. Key escrow
C
Which of the following cloud models is used to share resources and information with business partners and like businesses without allowing everyone else access? A. Public B. Hybrid C. Community D. Private
C
Which of the following security controls BEST mitigates social engineering attacks? A. Separation of duties B. Least privilege C. User awareness training D. Mandatory vacation
C
Which of the following types of vulnerability scans typically returns more detailed and thorough insights into actual system vulnerabilities? A. Non-credentialed B. Intrusive C. Credentialed D. Non-Intrusive
C
A security administrator is creating a risk assessment on BYOD. One of the requirements of the risk assessment is to address the following: -Centrally managing mobile devices -Data loss prevention Which of the following recommendations should the administrator include in the assessment? (Select TWO). A. Implement encryption. B. Implement hashing. C. Implement an MDM with mobile device hardening. D. Implement a VPN with secure connection in webmail. E. Implement and allow cloud storage features on the network.
C, E
During a penetration test, Joe, an analyst, contacts the target's service desk. Impersonating a user, he attempts to obtain assistance with resetting an email password. Joe claims this needs to be done as soon as possible, as he is the vice president of sales and does not want to contact the Chief Operations Officer (COO) for approval, since the COO is on vacation. When challenged, Joe reaffirms that he needs this done immediately, and threatens to contact the service desk supervisor over the issue. Which of the following social engineering principles is Joe employing in this scenario? (Select TWO). A. Intimidation B. Consensus C. Familiarity D. Scarcity E. Authority
C, E
A Chief Security Officer's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives? A. Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares. B. Purchase cyber insurance from a reputable provider to reduce expenses during an incident. C. Invest in end-user awareness training to change the long-term culture and behavior of staff and executives, reducing the organization's susceptibility to phishing attacks. D. Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.
D
A company is looking for an all-in-one solution to provide identification, authentication, authorization, and accounting services. Which of the following technologies should the company use? A. Diameter B. SAML C. Kerberos D. CHAP
D
A credentialed vulnerability scan is often preferred over a non-credentialed scan because credentialed scans: A. generate more false positives. B. rely solely on passive measures. C. are always non-intrusive. D. provide more accurate data.
D
A developer is building a new web portal for internal use. The web portal will only be accessed by internal users and will store operational documents. Which of the following certificate types should the developer install if the company is MOST interested in minimizing costs? A. Wildcard B. Code signing C. Root D. Self-signed
D
A dumpster diver was able to retrieve hard drives from a competitor's trash bin. After installing the hard drives and running common data recovery software, sensitive information was recovered. In which of the following ways did the competitor apply media sanitization? A. Pulverizing B. Degaussing C. Encrypting D. Formatting
D
A security administrator begins assessing a network with software that checks for available exploits against a known database using both credentials and external scripts. A report will be compiled and used to confirm patching levels. This is an example of: A. penetration testing B. fuzzing C. static code analysis D. vulnerability scanning
D
A security administrator is investigating a possible account compromise. The administrator logs onto a desktop computer, executes the command notepad.exe c:\Temp\qkakforlkgfkja.log, and reviews the following: Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r https://www.portal.com\rjohnuser\rilovemycat2 Given the above output, which of the following is the MOST likely cause of this compromise? A. Virus B. Worm C. Rootkit D. Keylogger
D
A security analyst wants to limit the use of USB and external drives to protect against malware, as well as protect files leaving a user's computer. Which of the following is the BEST method to use? A. Firewall B. Router C. Antivirus software D. Data loss prevention
D
After being alerted to potential anomalous activity related to trivial DNS lookups, a security analyst looks at the following output of implemented firewall rules:
Rule#  Source          Destination  Port(s)           Protocol  Action  HitCount
13     192.168.1.99    10.5.10.254  (80,443,53)       TCP       ALLOW   0
27     192.168.1.99    10.5.10.254  (5799,5798,5800)  UDP       ALLOW   916
999    192.168.1.0/24  ANY          ANY               TCP/UDP   DENY    10988
The analyst notices that the expected policy has no hit count for the day. Which of the following MOST likely occurred? A. Data execution prevention is enabled. B. The VLAN is not trunked properly. C. There is a policy violation for DNS lookups. D. The firewall policy is misconfigured.
D
After deploying an antivirus solution on some network-isolated industrial computers, the service desk team received a trouble ticket about the following message being displayed on the computer's screen: "Your AV protection has blocked an unknown application while performing a suspicious activities. The application was put in quarantine." Which of the following would be the SAFEST next step to address the issue? A. Immediately delete the detected file from the quarantine to secure the environment and clear the alert from the antivirus console. B. Perform a manual antivirus signature update directly from the antivirus vendor's cloud. C. Centrally activate a full scan for the entire set of industrial computers, looking for new threats. D. Check the antivirus vendor's documentation about the security modules, incompatibilities, and software whitelisting.
D
An internal intranet site is required to authenticate users and restrict access to content to only those who are authorized to view it. The site administrator previously encountered issues with credential spoofing when using the default NTLM setting and wants to move to a system that will be more resilient to replay attacks. Which of the following should the administrator implement? A. NTLMv2 B. TACACS+ C. Kerberos D. Shibboleth
D
An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues. Which of the following should a security engineer employ to fulfill the requirements for the manager? A. Install a web application firewall. B. Install HIPS on the team's workstations. C. Implement containerization on the workstations. D. Configure whitelisting for the team.
D
During a routine check, a security analyst discovered the script responsible for the backup of the corporate file server had been changed to the following:
date = get_currentdate()
if date = $userA.Birthdate then
    exec ' rm -rf/ '
end if
Which of the following BEST describes the type of malware the analyst discovered? A. Key logger B. Rootkit C. RAT D. Logic bomb
D
Some call center representatives' workstations were recently updated by a contractor, who was able to collect customer information from the call center workstations. Which of the following types of malware was installed on the call center users' systems? A. Adware B. Logic bomb C. Trojan D. Spyware
D
The Chief Information Security Officer (CISO) at a large company tasks a security administrator to provide additional validation for website customers. Which of the following should the security administrator implement? A. HTTP B. DNSSEC C. 802.1X D. Captive portal
D
Which of the following could an attacker use to overwrite instruction pointers in order to execute malicious code? A. Memory leak B. SQL injection C. Resource exhaustion D. Buffer overflow
D
Which of the following impacts MOST likely results from poor exception handling? A. Widespread loss of confidential data B. Network-wide resource exhaustion C. Privilege escalation D. Local disruption of services
D
Which of the following is a passive method to test whether transport encryption is implemented? A. Black box penetration test B. Port scan C. Code analysis D. Banner grabbing
D