Security + Exam,Part 2
An engineer needs to deploy a security measure to identify and prevent data tampering within the enterprise. Which of the following will accomplish this goal? A. Antivirus B. IPS C. FTP D. FIM
D. FIM
Question 226 ( Topic 1 ) A security operations analyst is using the companyגTM€s SIEM solution to correlate alerts. Which of the following stages of the incident response process is this an example of? A. Eradiction B. Recovery C. Identification D. Preparation
C. Identification
A developer is concerned about people downloading fake malware-infected replicas of a popular game. Which of the following should the developer do to help verify legitimate versions of the game for users? A. Digitally sign the relevant game files B. Embed a watermark using steganography C. Implement TLS on the license activation server D. Fuzz the application for unknown vulnerabilitie
A. Digitally sign the relevant game files
Question 260 ( Topic 1 ) A security engineer obtained the following output from a threat intelligence source that recently performed an attack on the companyגTM€s server: Which of the following BEST describes this kind of attack? A. Directory traversal B. SQL injection C. API D. Request forgery
A. Directory traversal
Question 263 ( Topic 1 ) After a phishing scam for a userגTM€s credentials, the red team was able to craft a payload to deploy on a server. The attack allowed the installation of malicious software that initiates a new remote session. Which of the following types of attacks has occurred? A. Privilege escalation B. Session replay C. Application programming interface D. Directory traversal
A. Privilege escalation
A company has discovered unauthorized devices are using its WiFi network, and it wants to harden the access point to improve security. Which of the following configurations should an analyst enable to improve security? (Choose two.) A. RADIUS B. EAP-PEAP C. WPS D. WPA-TKIP E. SSL F. WPA2-PSK
A. RADIUS F. WPA2-PSK
A company was compromised, and a security analyst discovered the attacker was able to get access to a service account. The following logs were discovered during the investigation: Which of the following MOST likely would have prevented the attacker from learning the service account name? A. Race condition testing B. Proper error handling C. Forward web server logs to a SIEM D. Input sanitization
B. Proper error handling
Question 296 ( Topic 1 ) Which of the following would be BEST for a technician to review to determine the total risk an organization can bear when assessing a ג€cloud-firstג €adoption strategy? A. Risk matrix B. Risk tolerance C. Risk register D. Risk appetite
B. Risk tolerance
Which of the following function as preventive, detective, and deterrent controls to reduce the risk of physical theft? (Choose two.) A. Mantraps B. Security guards C. Video surveillance D. Fences E. Bollards F. Antivirus
B. Security guards C. Video surveillance
Question 237 ( Topic 1 ) A major political party experienced a server breach. The hacker then publicly posted stolen internal communications concerning campaign strategies to give the opposition party an advantage. Which of the following BEST describes these threat actors? A. Semi-authorized hackers B. State actors C. Script kiddies D. Advanced persistent threats
B. State actors
Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build? A. Production B. Test C. Staging D. Development
B. Test
Question 249 ( Topic 1 ) A security analyst has been reading about a newly discovered cyberattack from a known threat actor. Which of the following would BEST support the analystגTM€s review of the tactics, techniques, and protocols the threat actor was observed using in previous campaigns? A. Security research publications B. The MITRE ATT&CK framework C. The Diamond Model of Intrusion Analysis D. The Cyber Kill Chain
B. The MITRE ATT&CK framework
A company recently experienced an attack during which its main website was directed to the attackerג€™s web server, allowing the attacker to harvest credentials from unsuspecting customers. Which of the following should the company implement to prevent this type of attack from occurring in the future? A. IPSec B. SSL/TLS C. DNSSEC D. S/MIME
C. DNSSEC
Question 279 ( Topic 1 ) A security analyst notices several attacks are being blocked by the NIPS but does not see anything on the boundary firewall logs. The attack seems to have been thwarted. Which of the following resiliency techniques was applied to the network to prevent this attack? A. NIC teaming B. Port mirroring C. Defense in depth D. High availability E. Geographic dispersal
C. Defense in depth
A security analyst is reviewing the following output from a system: Which of the following is MOST likely being observed? A. ARP poisoning B. Man in the middle C. Denial of service D. DNS poisoning
C. Denial of service
Question 261 ( Topic 1 ) After installing a Windows server a cybersecurity administrator needs to harden it following security best practices Which of the following will achieve the administratorגTM€s goal? After installing a Windows server, a cybersecurity administrator needs to harden it, following security best practices. Which of the following will achieve the administratorגTM€s goal? (Choose two.) A. Disabling guest accounts B. Disabling service accounts C. Enabling network sharing D. Disabling NetBIOS over TCP/IP E. Storing LAN manager hash values F. Enabling NTLM
A. Disabling guest accounts D. Disabling NetBIOS over TCP/IP E. Storing LAN manager hash values F. Enabling NTLM
Question 259 ( Topic 1 ) Several large orders of merchandise were recently purchased on an e-commerce companyגTM€s website. The totals for each of the transactions were negative values, resulting in credits on the customersג TM€accounts. Which of the following should be implemented to prevent similar situations in the future? A. Ensure input validation is in place to prevent the use of invalid characters and values. B. Calculate all possible values to be added together and ensure the use of the proper integer in the code. C. Configure the web application firewall to look for and block session replay attacks. D. Make sure transactions that are submitted within very short time periods are prevented from being processed
A. Ensure input validation is in place to prevent the use of invalid characters and values.
Which of the following terms should be included in a contract to help a company monitor the ongoing security maturity of a new vendor? A. A right-to-audit clause allowing for annual security audits B. Requirements for event logs to be kept for a minimum of 30 days C. Integration of threat intelligence in the companyג€™s AV D. A data-breach clause requiring disclosure of significant data loss
A. A right-to-audit clause allowing for annual security audits
Question 209 ( Topic 1 ) A security analyst receives the configuration of a current VPN profile and notices the authentication is only applied to the IP datagram portion of the packet. Which of the following should the analyst implement to authenticate the entire packet? A. AH B. ESP C. SRTP D. LDAP
A. AH
Question 267 ( Topic 1 ) Which of the following should a data owner require all personnel to sign to legally protect intellectual property? A. An NDA B. An AUP C. An ISA D. An MOU
A. An NDA
Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations. Which of the following documents did Ann receive? A. An annual privacy notice B. A non-disclosure agreement C. A privileged-user agreement D. A memorandum of understanding
A. An annual privacy notice
Which of the following represents a biometric FRR? A. Authorized users being denied access B. Users failing to enter the correct PIN C. The denied and authorized numbers being equal D. The number of unauthorized users being granted access
A. Authorized users being denied access
A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data that is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help to accomplish this goal? A. Classify the data B. Mask the data C. Assign the application owner D. Perform a risk analysis
A. Classify the data
A major clothing company recently lost a large amount of proprietary information. The security officer must find a solution to ensure this never happens again.Which of the following is the BEST technical implementation to prevent this from happening again? A. Configure DLP solutions B. Disable peer-to-peer sharing C. Enable role-based D. Mandate job rotation E. Implement content filters
A. Configure DLP solutions
Question 213 ( Topic 1 ) Which of the following provides the BEST protection for sensitive information and data stored in cloud-based services but still allows for full functionality and searchability of data within the cloud-based services? A. Data encryption B. Data masking C. Anonymization D. Tokenization
A. Data encryption
Question 201 ( Topic 1 ) Which of the following types of controls is a CCTV camera that is not being monitored? A. Detective B. Deterrent C. Physical D. Preventiv
A. Detective
A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site. Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel. Which of the following attacks is being conducted? A. Evil twin B. Jamming C. DNS poisoning D. Bluesnarfing E. DDoS
A. Evil twin
A Chief Security Officer (CSO) has asked a technician to devise a solution that can detect unauthorized execution privileges form the OS in both executable and data files and can work in conjunction with proxies or UTM. Which of the following would BEST meet the CSOג€™s requirements? A. Fuzzing B. Sandboxing C. Static code analysis D. Code review
A. Fuzzing
Question 242 ( Topic 1 ) An organization that has a large number of mobile devices is exploring enhanced security controls to manage unauthorized access if a device is lost or stolen. Specifically, if mobile devices are more than 3mi (4.8km) from the building, the management team would like to have the security team alerted and server resources restricted on those devices. Which of the following controls should the organization implement? A. Geofencing B. Lockout C. Near-field communication D. GPS tagging
A. Geofencing
Question 269 ( Topic 1 ) An enterprise needs to keep cryptographic keys in a safe manner. Which of the following network appliances can achieve this goal? A. HSM B. CASB C. TPM D. DLP
A. HSM
Question 238 ( Topic 1 ) Which of the following BEST describes the method a security analyst would use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted using a verified checksum? A. Hashing B. Salting C. Integrity D. Digital signature
A. Hashing
Question 228 ( Topic 1 ) A security analyst is reviewing the following command-line output: Which of the following is the analyst observing? A. ICMP spoofing B. URL redirection C. MAC address cloning D. DNS poisoning
A. ICMP spoofing
Question 233 ( Topic 1 ) An organization blocks user access to command-line interpreters, but hackers still managed to invoke the interpreters using native administrative tools. Which of the following should the security team do to prevent this from happening in the future? A. Implement HIPS to block inbound and outbound SMB ports 139 and 445. B. Trigger a SIEM alert whenever the native OS tools are executed by the user. C. Disable the built-in OS utilities as long as they are not needed for functionality. D. Configure the AV to quarantine the native OS tools whenever they are executed.
A. Implement HIPS to block inbound and outbound SMB ports 139 and 445.
Question 274 ( Topic 1 ) An organizationגTM€s RPO for a critical system is two hours. The system is used Monday through Friday, from 9:00 a.m. to 5:00 p.m. Currently, the organization performs a full backup every Saturday that takes four hours to complete. Which of the following additional backup implementations would be the MOST efficient way for the analyst to meet the business requirements? A. Incremental backups Monday through Friday at 6:00 p.m. and differential backups hourly B. Full backups Monday through Friday at 6:00 p.m. and incremental backups hourly C. Incremental backups Monday through Friday at 6:00 p.m. and full backups hourly D. Full backups Monday through Friday at 6:00 p.m. and differential backups hourly
A. Incremental backups Monday through Friday at 6:00 p.m. and differential backups hourly
To mitigate the impact of a single VM being compromised by another VM on the same hypervisor, an administrator would like to utilize a technical control to further segregate the traffic. Which of the following solutions would BEST accomplish this objective? A. Install a hypervisor firewall to filter east-west traffic B. Add more VLANs to the hypervisor network switches C. Move exposed or vulnerable VMs to the DMZ D. Implement a Zero Trust policy and physically segregate the hypervisor servers
A. Install a hypervisor firewall to filter east-west traffic
An organization recently recovered form a data breach. During the root cause analysis, the organization determined the source of the breach to be a personal cell phone that had been reported lost. Which of the following solutions should the organization implement to reduce the likelihood of future data breaches? A. MDM B. MAM C. VDI D. DLP
A. MDM
Question 219 ( Topic 1 ) A company has determined that if its computer-based manufacturing machinery is not functioning for 12 consecutive hours, it will lose more money than it costs to maintain the equipment. Which of the following must be less than 12 hours maintain a positive total cost of ownership? A. MTBF B. RPO C. RTO D. MTTR
A. MTBF
Question 239 ( Topic 1 ) Which of the following would satisfy three-factor authentication? A. Password, retina scanner, and NFC card B. Password, fingerprint scanner, and retina scanner C. Password, hard token, and NFC card D. Fingerprint scanner, hard token, and retina scanner
A. Password, retina scanner, and NFC card
Question 293 ( Topic 1 ) A multinational organization that offers web-based services has datacenters that are located only in the United States; however, a large number of its customers are in Australia, Europe, and China. Payments for services are managed by a third party in the United Kingdom that specializes in payment gateways. The management team is concerned the organization is not compliant with privacy laws that cover some of its customers. Which of the following frameworks should the management team follow? A. Payment Card Industry Data Security Standard B. Cloud Security Alliance Best Practices C. ISO/IEC 27032 Cybersecurity Guidelines D. General Data Protection Regulation
A. Payment Card Industry Data Security Standard
Question 264 ( Topic 1 ) If a current private key is compromised, which of the following would ensure it cannot be used to decrypt all historical data? A. Perfect forward secrecy B. Elliptic-curve cryptography C. Key stretching D. Homomorphic encryption
A. Perfect forward secrecy
Question 234 ( Topic 1 ) A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility issues. The OSs are still supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer (CISO) has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating backups of the systems for recovery. Which of the following resiliency techniques will provide these capabilities? A. Redundancy B. RAID 1+5 C. Virtual machines D. Full backups
A. Redundancy
Question 297 ( Topic 1 ) A bank detects fraudulent activity on userגTM€s account. The user confirms transactions completed yesterday on the bankגTM€s website at https:/www.company.com. A security analyst then examines the userגTM€s Internet usage logs and observes the following output: Which of the following has MOST likely occurred? A. Replay attack B. SQL injection C. SSL stripping D. Race conditions
A. Replay attack
Question 254 ( Topic 1 ) A security analyst is reviewing a penetration-testing report from a third-party contractor. The penetration testers used the organizationגTM€s new API to bypass a driver to perform privilege escalation on the organizationגTM€s web servers. Upon looking at the API, the security analyst realizes the particular API call was to a legacy system running an outdated OS. Which of the following is the MOST likely attack type? A. Request forgery B. Session replay C. DLL injection D. Shimming
A. Request forgery
Question 284 ( Topic 1 ) An organization would like to remediate the risk associated with its cloud service provider not meeting its advertised 99.999% availability metrics. Which of the following should the organization consult for the exact requirements for the cloud provider? A. SLA B. BPA C. NDA D. MOU
A. SLA
uestion 216 ( Topic 1 ) A company has three technicians who share the same credentials for troubleshooting system. Every time credentials are changed, the new ones are sent by email to all three technicians. The security administrator has become aware of this situation and wants to implement a solution to mitigate the risk. Which of the following is the BEST solution for company to implement? A. SSO authentication B. SSH keys C. OAuth authentication D. Password vaults
A. SSO authentication
Which of the following often operates in a client-server architecture to act as a service repository, providing enterprise consumers access to structured threat intelligence data? A. STIX B. CIRT C. OSINT D. TAXII
A. STIX
Question 217 ( Topic 1 ) A security analyst sees the following log output while reviewing web logs: Which of the following mitigation strategies would be BEST to prevent this attack from being successful? A. Secure cookies B. Input validation C. Code signing D. Stored procedures
A. Secure cookies
Several employees have noticed other bystanders can clearly observe a terminal where passcodes are being entered. Which of the following can be eliminated with the use of a privacy screen? A. Shoulder surfing B. Spear phishing C. Impersonation attack D. Card cloning
A. Shoulder surfing
Question 286 ( Topic 1 ) A user must introduce a password and a USB key to authenticate against a secure computer, and authentication is limited to the state in which the company resides. Which of the following authentication concepts are in use? A. Something you know, something you have, and somewhere you are B. Something you know, something you can do, and somewhere you are C. Something you are, something you know, and something you can exhibit D. Something you have, somewhere you are, and someone you know
A. Something you know, something you have, and somewhere you are
Question 224 ( Topic 1 ) Which of the following environments minimizes end-user disruption and MOST likely to be used to assess the impacts of any database migrations or major system changes by using the final version of the code? A. Staging B. Test C. Production D. Development
A. Staging
Question 276 ( Topic 1 ) An analyst needs to set up a method for securely transferring files between systems. One of the requirements is to authenticate the IP header and the payload. Which of the following services would BEST meet the criteria? A. TLS B. PFS C. ESP D. AH
A. TLS
Question 290 ( Topic 1 ) Which of the following environments would MOST likely be used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance characteristics? A. Test B. Staging C. Development D. Production
A. Test
A security researcher is tracking an adversary by nothing its attacks and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using? A. The Diamond Model of Intrusion Analysis B. The Cyber Kill Chain C. The MITRE CVE database D. The incident response process
A. The Diamond Model of Intrusion Analysis
Question 220 ( Topic 1 ) [1] file metadata. Which of the following would be part of the images if all the metadata is still intact? A. The GPS location B. When the file was deleted C. The total number of print jobs D. The number of copies made
A. The GPS location
The SIEM at an organization has detected suspicious traffic coming from a workstation in its internal network. An analyst in the SOC investigates the workstation and discovers malware that is associated with a botnet is installed on the device. A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator. To which of the following groups should the analyst report this real-world event? A. The NOC team B. The vulnerability management team C. The CIRT D. The red team
A. The NOC team
Question 298 ( Topic 1 ) An organization plans to transition the intrusion detection and prevention techniques on a critical subnet to an anomaly-based system. Which of the following does the organization need to determine for this to be successful? A. The baseline B. The endpoint configurations C. The adversary behavior profiles D. The IPS signatures
A. The baseline
Question 204 ( Topic 1 ) A forensics examiner is attempting to dump password cached in the physical memory of a live system but keeps receiving an error message. Which of the following BEST describes the cause of the error? A. The examiner does not have administrative privileges to the system. B. The system must be taken offline before a snapshot can be created. C. Checksum mismatches are invalidating the disk image. D. The swap file needs to be unlocked before it can be accessed.
A. The examiner does not have administrative privileges to the system.
Question 257 ( Topic 1 ) Which of the following should a technician consider when selecting an encryption method for data that needs to remain confidential for a specific length of time? A. The key length of the encryption algorithm B. The encryption algorithmגTM€s longevity C. A method of introducing entropy into key calculations D. The computational overhead of calculating the encryption key
A. The key length of the encryption algorithm
A bad actor tries to persuade someone to provide financial information over the phone in order to gain access to funds. Which of the following types of attacks does this scenario describe? A. Vishing B. Phishing C. Spear phishing D. Whaling
A. Vishing
Question 236 ( Topic 1 ) Which of the following BEST describes a social engineering attack that relies on an executive at a small business visiting a fake banking website where credit card and account details are harvested? A. Whaling B. Spam C. Invoice scam D. Pharming
A. Whaling
Question 256 ( Topic 1 ) The concept of connecting a user account across the systems of multiple enterprises is BEST known as: A. federation. B. a remote access policy. C. multifactor authentication. D. single sign-on.
A. federation.
Question 268 ( Topic 1 ) A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned that servers in the company's DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Choose two.) A. 135 B. 139 C. 143 D. 161 E. 443 F. 445
B. 139 F. 445
While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to network switches.Which of the following is the security analyst MOST likely observing? A. SNMP traps B. A Telnet session C. An SSH connection D. SFTP traffic
B. A Telnet session
A company has been experiencing very brief power outages from its utility company over the last few months. These outages only last for one second each time.The utility company is aware of the issue and is working to replace a faulty transformer. Which of the following BEST describes what the company should purchase to ensure its critical servers and network devices stay online? A. Dual power supplies B. A UPS C. A generator D. A PDU
B. A UPS
Question 243 ( Topic 1 ) A security engineer is installing a WAF to protect the companyגTM€s website from malicious web requests over SSL. Which of the following is needed to meet the objective? A. A reverse proxy B. A decryption certificate C. A split-tunnel VPN D. Load-balanced servers
B. A decryption certificate
Question 245 ( Topic 1 ) A security researcher is attempting to gather data on the widespread use of a zero-day exploit. Which of the following will the researcher MOST likely use to capture this data? A. A DNS sinkhole B. A honeypot C. A vulnerability scan D. CVSS
B. A honeypot
Which of the following is MOST likely to contain ranked and ordered information on the likelihood and potential impact of catastrophic events that may affect business processes and systems, while also highlighting the residual risks that need to be managed after mitigating controls have been implemented? A. An RTO report B. A risk register C. A business impact analysis D. An asset value register E. A disaster recovery plan
B. A risk register
A new plug-and-play storage device was installed on a PC in the corporate environment. Which of the following safeguards will BEST help to protect the PC from malicious files on the storage device? A. Change the default settings on the PC B. Define the PC firewall rules to limit access C. Encrypt the disk on the storage device D. Plug the storage device in to the UPS
C. Encrypt the disk on the storage device
Which of the following scenarios BEST describes a risk reduction technique? A. A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches. B. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation. C. A security control objective cannot be met through a technical change, so the company performs regular audits to determine if violations have occurred. D. A security control objective cannot be met through a technical change, so the Chief Information Officer decides to sign off on the risk.
B. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation.
Question 246 ( Topic 1 ) A systems administrator needs to install the same X.509 certificate on multiple servers. Which of the following should the administrator use? A. Key escrow B. A self-signed certificate C. Certificate chaining D. An extended validation certificate
B. A self-signed certificate
Question 214 ( Topic 1 ) An attacker is trying to gain access by installing malware on a website that is known to be visited by the target victims. Which of the following is the attacker MOST likely attempting? A. A spear-phishing attack B. A watering-hole attack C. Typo squatting D. A phishing attack
B. A watering-hole attack
Question 208 ( Topic 1 ) Which of the following would BEST identify and remediate a data-loss event in an enterprise using third-party, web-based services and file-sharing platforms? A. SIEM B. CASB C. UTM D. EDR
B. CASB
Question 294 ( Topic 1 ) Which of the following is the correct order of volatility from MOST to LEAST volatile? A. Memory, temporary filesystems, routing tables, disk, network storage B. Cache, memory, temporary filesystems, disk, archival media C. Memory, disk, temporary filesystems, cache, archival media D. Cache, disk, temporary filesystems, network storage, archival media
B. Cache, memory, temporary filesystems, disk, archival media
Question 273 ( Topic 1 ) Ann, a forensic analyst, needs to prove that the data she originally acquired has remained unchanged while in her custody. Which of the following should Ann use? A. Chain of custody B. Checksums C. Non-repudiation D. Legal hold
B. Checksums
Question 270 ( Topic 1 ) A Chief Executive Officer (CEO) is dissatisfied with the level of service from the companyגTM€s new service provider. The service provider is preventing the CEO from sending email from a work account to a personal account. Which of the following types of service providers is being used? A. Telecommunications service provider B. Cloud service provider C. Master managed service provider D. Managed security service provider
B. Cloud service provider
A security analyst is hardening a network infrastructure. The analyst is given the following requirements: ✑ Preserve the use of public IP addresses assigned to equipment on the core router.Enable ג€in transportג€ encryption protection to the web server with the strongest ciphers. Which of the following should the analyst implement to meet these requirements? (Choose two.) A. Configure VLANs on the core router B. Configure NAT on the core router C. Configure BGP on the core router D. Enable AES encryption on the web server E. Enable 3DES encryption on the web server F. Enable TLSv2 encryption on the web server
B. Configure NAT on the core router F. Enable TLSv2 encryption on the web server
Question 210 ( Topic 1 ) During an incident, a companyגTM€s CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes? A. Physically move the PC to a separate Internet point of presence. B. Create and apply microsegmentation rules. C. Emulate the malware in a heavily monitored DMZ segment. D. Apply network blacklisting rules for the adversary domain.
B. Create and apply microsegmentation rules.
Question 203 ( Topic 1 ) A security analyst reviews the datacenter access logs for a fingerprint scanner and notices an abundance of errors that correlate with usersג TM€reports of issues accessing the facility. Which of the following MOST likely indicates the cause of the access issues? A. False rejection B. Cross-over error rate C. Efficacy rate D. Attestation
B. Cross-over error rate
Question 288 ( Topic 1 ) A systems administrator is considering different backup solutions for the IT infrastructure. The company is looking for a solution that offers the fastest recovery time while also saving the most amount of storage used to maintain the backups. Which of the following recovery solutions would be the BEST option to meet these requirements? A. Snapshot B. Differential C. Full D. Tape
B. Differential
Question 235 ( Topic 1 ) A security administrator is analyzing the corporate wireless network. The network only has two access points running on channels 1 and 11. While using airodump-ng. the administrator notices other access points are running with the same corporate ESSID on all available channels and with the same BSSID of one of the legitimate access points. Which of the following attacks is happening on the corporate network? A. Man in the middle B. Evil twin C. Jamming D. Rogue access point E. Disassociation
B. Evil twin
Question 253 ( Topic 1 ) A user is concerned that a web application will not be able to handle unexpected or random inputs without crashing. Which of the following BEST describes the type of testing the user should perform? A. Code signing B. Fuzzing C. Manual code review D. Dynamic code analysis
B. Fuzzing
Question 275 ( Topic 1 ) Which of the following threat actors is MOST likely to be motivated by ideology? A. Business competitor B. Hacktivist C. Criminal syndicate D. Script kiddie E. Disgruntled employee
B. Hacktivist
Question 252 ( Topic 1 ) Which of the following cryptographic concepts would a security engineer utilize while implementing non-repudiation? (Choose two.) A. Block cipher B. Hashing C. Private key D. Perfect forward secrecy E. Salting F. Symmetric keys
B. Hashing C. Private key
Question 262 ( Topic 1 ) A web server administrator has redundant servers and needs to ensure failover to the secondary server when the primary server goes down. Which of the following should the administrator implement to avoid disruption? A. NIC teaming B. High availability C. Dual power supply D. IaaS
B. High availability
Question 277 ( Topic 1 ) A network administrator is concerned about users being exposed to malicious content when accessing company cloud applications. The administrator wants to be able to block access to sites based on the AUP. The users must also be protected because many of them work from home or at remote locations, providing on-site customer support. Which of the following should the administrator employ to meet these criteria? A. Implement NAC. B. Implement an SWG. C. Implement a URL filter. D. Implement an MDM.
B. Implement an SWG.
Question 285 ( Topic 1 ) A company is implementing a new SIEM to log and send alerts whenever malicious activity is blocked by its antivirus and web content filters. Which of the following is the primary use case for this scenario? A. Implementation of preventive controls B. Implementation of detective controls C. Implementation of deterrent controls D. Implementation of corrective controls
B. Implementation of detective controls
A client sent several inquiries to a project manager about the delinquent delivery status of some critical reports. The project manager claimed the reports were previously sent via email, but then quickly generated and backdated the reports before submitting them as plain text within the body of a new email message thread. Which of the following actions MOST likely supports an investigation for fraudulent submission? A. Establish chain of custody B. Inspect the file metadata C. Reference the data retention policy D. Review the email event log
B. Inspect the file metadata
Question 265 ( Topic 1 ) Following a prolonged datacenter outage that affected web-based sales, a company has decided to move its operations to a private cloud solution. The security team has received the following requirements: ✑ There must be visibility into how teams are using cloud-based services. ✑ The company must be able to identify when data related to payment cards is being sent to the cloud. ✑ Data must be available regardless of the end userגTM€s geographic location. Administrators need a single pane-of-glass view into traffic and trends. Which of the following should the security analyst recommend? A. Create firewall rules to restrict traffic to other cloud service providers. B. Install a DLP solution to monitor data in transit. C. Implement a CASB solution. D. Configure a web-based content filter
B. Install a DLP solution to monitor data in transit.
Question 287 ( Topic 1 ) A global company is experiencing unauthorized logins due to credential theft and account lockouts caused by brute-force attacks. The company is considering implementing a third-party identity provider to help mitigate these attacks. Which of the following would be the BEST control for the company to require from prospective vendors? A. IP restrictions B. Multifactor authentication C. A banned password list D. A complex password policy
B. Multifactor authentication
Question 223 ( Topic 1 ) A security analyst needs to complete an assessment. The analyst is logged into a server and must use native tools to map services running on it to the serverגTM€s listening ports. Which of the following tools can BEST accomplish this task? A. Netcat B. Netstat C. Nmap D. Nessus
B. Netstat
An information security officer at a credit card transaction company is conducting a framework-mapping exercise with the internal controls. The company recently established a new office in Europe. To which of the following frameworks should the security officer map the existing controls? (Choose two.) A. ISO B. PCI DSS C. SOC D. GDPR E. CSA F. NIST
B. PCI DSS D. GDPR
Question 241 ( Topic 1 ) While reviewing the wireless router, a systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below: Which of the following should be the administratorגTM€s NEXT step to detect if there is a rogue system without impacting availability? A. Conduct a ping sweep. B. Physically check each system. C. Deny Internet access to the ג€UNKNOWNג €hostname. D. Apply MAC filtering
B. Physically check each system.
Question 207 ( Topic 1 ) Which of the following would cause a Chief Information Security Officer (CISO) the MOST concern regarding newly installed Internet-accessible 4K surveillance cameras? A. An inability to monitor 100% of every facility could expose the company to unnecessary risk. B. The cameras could be compromised if not patched in a timely manner. C. Physical security at the facility may not protect the cameras from theft. D. Exported videos may take up excessive space on the file servers.
B. The cameras could be compromised if not patched in a timely manner.
A security analyst needs to find real-time data on the latest malware and IoCs. Which of the following BEST describes the solution the analyst should pursue? A. Advisories and bulletins B. Threat feeds C. Security news articles D. Peer-reviewed content
B. Threat feeds
Which of the following is a reason why an organization would define an AUP? A. To define the lowest level of privileges needed for access and use of the organizationג€™s resources B. To define the set of rules and behaviors for users of the organizationג€™s IT systems C. To define the intended partnership between two organizations D. To define the availability and reliability characteristics between an IT provider and consumer
B. To define the set of rules and behaviors for users of the organizationג€™s IT systems
Question 225 ( Topic 1 ) An attacker is attempting to exploit users by creating a fake website with the URL www.validwebsite.com. The attackerגTM€s intent is to imitate the look and feel of a legitimate website to obtain personal information from unsuspecting users. Which of the following social-engineering attacks does this describe? A. Information elicitation B. Typo squatting C. Impersonation D. Watering-hole attack
B. Typo squatting
Question 281 ( Topic 1 ) A company is required to continue using legacy software to support a critical service. Which of the following BEST explains a risk of this practice? A. Default system configuration B. Unsecure protocols C. Lack of vendor support D. Weak encryption
B. Unsecure protocols
The spread of misinformation surrounding the outbreak of a novel virus on election day led to eligible voters choosing not to take the risk of going the polls. This is an example of: A. prepending. B. an influence campaign. C. a watering-hole attack. D. intimidation. E. information elicitation.
B. an influence campaign.
Question 230 ( Topic 1 ) A symmetric encryption algorithm is BEST suited for: A. key-exchange scalability. B. protecting large amounts of data. C. providing hashing capabilities. D. implementing non-repudiation
B. protecting large amounts of data.
A network manager is concerned that business may be negatively impacted if the firewall in its datacenter goes offline. The manager would like to implement a high availability pair to: A. decrease the mean time between failures. B. remove the single point of failure. C. cut down the mean time to repair. D. reduce the recovery time objective
B. remove the single point of failure.
Customers reported their antivirus software flagged one of the companyג€™s primary software products as suspicious. The companyג€™s Chief Information SecurityOfficer has tasked the developer with determining a method to create a trust model between the software and the customerג€™s antivirus software. Which of the following would be the BEST solution? A. Code signing B. Domain validation C. Extended validation D. Self-signing
C. Extended validation
A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement? A. Asymmetric B. Symmetric C. Homomorphic D. Ephemeral
C. Homomorphic
Question 272 ( Topic 1 ) Which of the following distributes data among nodes, making it more difficult to manipulate the data while also minimizing downtime? A. MSSP B. Public cloud C. Hybrid cloud D. Fog computing
C. Hybrid cloud
Question 295 ( Topic 1 ) After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic? A. A DMZ B. A VPN C. A VLAN D. An ACL
C. A VLAN
Question 229 ( Topic 1 ) A security analyst is reviewing logs on a server and observes the following output: Which of the following is the security analyst observing? A. A rainbow table attack B. A password-spraying attack C. A dictionary attack D. A keylogger attack
C. A dictionary attack
Question 211 ( Topic 1 ) An organizationגTM€s Chief Security Officer (CSO) wants to validate the businessגTM€s involvement in the incident response plan to ensure its validity and thoroughness. Which of the following will the CSO MOST likely use? A. An external security assessment B. A bug bounty program C. A tabletop exercise D. A red-team engagement
C. A tabletop exercise
A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in.The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output: Which of the following BEST describes the attack the company is experiencing? A. MAC flooding B. URL redirection C. ARP poisoning D. DNS hijacking
C. ARP poisoning
Question 255 ( Topic 1 ) Entering a secure area requires passing through two doors, both of which require someone who is already inside to initiate access. Which of the following types of physical security controls does this describe? A. Cameras B. Faraday cage C. Access control vestibule D. Sensors E. Guards
C. Access control vestibule
Question 283 ( Topic 1 ) A company just implemented a new telework policy that allows employees to use personal devices for official email and file sharing while working from home. Some of the requirements are: ✑ Employees must provide an alternate work location (i.e., a home address). ✑ Employees must install software on the device that will prevent the loss of proprietary data but will not restrict any other software from being installed. Which of the following BEST describes the MDM options the company is using? A. Geofencing, content management, remote wipe, containerization, and storage segmentation B. Content management, remote wipe, geolocation, context-aware authentication, and containerization C. Application management, remote wipe, geofencing, context-aware authentication, and containerization D. Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption
C. Application management, remote wipe, geofencing, context-aware authentication, and containerization
Question 221 ( Topic 1 ) A company has decided to move its operations to the cloud. It wants to utilize technology that will prevent users from downloading company applications for personal use, restrict data that is uploaded, and have visibility into which applications are being used across the company. Which of the following solutions will BEST meet these requirements? A. An NGFW B. A CASB C. Application whitelisting D. An NG-SWG
C. Application whitelisting
Question 289 ( Topic 1 ) The lessons-learned analysis from a recent incident reveals that an administrative office worker received a call from someone claiming to be from technical support. The caller convinced the office worker to visit a website, and then download and install a program masquerading as an antivirus package. The program was actually a backdoor that an attacker could later use to remote control the workerגTM€s PC. Which of the following would be BEST to help prevent this type of attack in the future? A. Data loss prevention B. Segmentation C. Application whitelisting D. Quarantine
C. Application whitelisting
Question 232 ( Topic 1 ) An enterprise has hired an outside security firm to facilitate penetration testing on its network and applications. The firm has agreed to pay for each vulnerability that is discovered. Which of the following BEST represents the type of testing that is being used? A. White-box B. Red-team C. Bug bounty D. Gray-box E. Black-box
C. Bug bounty
An external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the DMZ and moved to the sensitive information, generating multiple logs as the attacker traversed through the network? Which of the following will BEST assist with this investigation? A. Perform a vulnerability scan to identify the weak spots B. Use a packet analyzer to investigate the NetFlow traffic C. Check the SIEM to review the correlated logs D. Require access to the routers to view current sessions
C. Check the SIEM to review the correlated logs
Question 250 ( Topic 1 ) An incident, which is affecting dozens of systems, involves malware that reaches out to an Internet service for rules and updates. The IP addresses for the Internet host appear to be different in each case. The organization would like to determine a common IoC to support response and recovery actions. Which of the following sources of information would BEST support this solution? A. Web log files B. Browser cache C. DNS query logs D. Antivirus
C. DNS query logs
Question 299 ( Topic 1 ) A developer is building a new portal to deliver single-pane-of-glass management capabilities to customers with multiple firewalls. To improve the user experience, the developer wants to implement an authentication and authorization standard that uses security tokens that contain assertions to pass user information between nodes. Which of the following roles should the developer configure to meet these requirements? (Choose two.) A. Identity processor B. Service requestor C. Identity provider D. Service provider E. Tokenized resource F. Notarized referral
C. Identity provider E. Tokenized resource
Question 215 ( Topic 1 ) A network engineer needs to create a plan for upgrading the wireless infrastructure in a large office. Priority must be given to areas that are currently experiencing latency and connection issues. Which of the following would be the BEST resource for determining the order of priority? A. Nmap B. Heat maps C. Network diagrams D. Wireshark
C. Network diagrams
A financial analyst has been accused of violating the companyג€™s AUP and there is forensic evidence to substantiate the allegation. Which of the following would dispute the analystג€™s claim of innocence? A. Legal hold B. Order of volatility C. Non-repudiation D. Chain of custody
C. Non-repudiation
Question 218 ( Topic 1 ) When used at design stage, which of the following improves the efficiency, accuracy, and speed of a database? A. Tokenization B. Data masking C. Normalization D. Obfuscation
C. Normalization
A company is concerned about its security after a red-team exercise. The report shows the team was able to reach the critical servers due to the SMB being exposed to the Internet and running NTLMv1. Which of the following BEST explains the findings? A. Default settings on the servers B. Unsecured administrator accounts C. Open ports and services D. Weak data encryption
C. Open ports and services
Question 222 ( Topic 1 ) A large enterprise has moved all its data to the cloud behind strong authentication and encryption. A sales director recently had a laptop stolen, and later enterprise data was found to have been compromised from a local database. Which of the following was the MOST likely cause? A. Shadow IT B. Credential stuffing C. SQL injection D. Man in the browser E. Bluejacking
C. SQL injection
Question 227 ( Topic 1 ) To reduce and overhead, an organization wants to move from an on-premises email solution to a cloud-based email solution. At this time, no other services will be moving. Which of the following cloud models would BEST meet the needs of the organization? A. MaaS B. IaaS C. SaaS D. PaaS
C. SaaS
Question 248 ( Topic 1 ) Which of the following is a risk that is specifically associated with hosting applications in the public cloud? A. Unsecured root accounts B. Zero-day C. Shared tenancy D. Insider threat
C. Shared tenancy
An organization has expanded its operations by opening a remote office. The new office is fully furnished with office resources to support up to 50 employees working on any given day. Which of the following VPN solutions would BEST support the new office? A. Always-on B. Remote access C. Site-to-site D. Full tunnel
C. Site-to-site
Question 240 ( Topic 1 ) The human resources department of a large online retailer has received multiple customer complaints about the rudeness of the automated chatbots it uses to interface and assist online shoppers. The system, which continuously learns and adapts, was working fine when it was installed a few months ago. Which of the following BEST describes the method being used to exploit the system? A. Baseline modification B. A fileless virus C. Tainted training data D. Cryptographic manipulation
C. Tainted training data
A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Choose two.) A. The order of volatility B. A CRC32 checksum C. The provenance of the artifacts D. The vendorג€™s name E. The date and time F. A warning banner
C. The provenance of the artifacts E. The date and time
A desktop support technician recently installed a new document-scanning software program on a computer. However, when the end user tried to launch the program, it did not respond. Which of the following is MOST likely the cause? A. A new firewall rule is needed to access the application B. The system was quarantined for missing software updates C. The software was not added to the application whitelist D. The system was isolated from the network due to infected software
C. The software was not added to the application whitelist
An engineer is setting up a VDI environment for a factory location, and the business wants to deploy a low-cost solution to enable users on the shop floor to log in the VDI environment directly. Which of the following should the engineer select to meet these requirements? A. Laptops B. Containers C. Thin clients D. Workstations
C. Thin clients
Question 205 ( Topic 1 ) Which of the following is the BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an organization? A. To provide data to quantify risk based on the organizationגTM€s systems B. To keep all software and hardware fully patched for known vulnerabilities C. To only allow approved, organization-owned devices onto the business network D. To standardize by selecting one laptop model for all users in the organization
C. To only allow approved, organization-owned devices onto the business network
A security analyst is concerned about traffic initiated to the dark web form the corporate LAN. Which of the following networks should the analyst monitor? A. SFTP B. AIS C. Tor D. IoC
C. Tor
Question 206 ( Topic 1 ) A cybersecurity department purchased a new PAM solution. The team is planning to randomize the service account credentials of the Windows servers first. Which of the following would be the BEST method to increase the security on the Linux servers? A. Randomize the shared credentials. B. Use only guest accounts to connect. C. Use SSH keys and remove generic passwords. D. Remove all user accounts
C. Use SSH keys and remove generic passwords.
An attack relies on an end user visiting a website the end user would typically visit; however, the site is compromised and uses vulnerabilities in the end userג€™s browser to deploy malicious software. Which of the following types of attacks does this describe? A. Smishing B. Whaling C. Watering hole D. Phishing
C. Watering hole
A security analyst is investigating a vulnerability in which a default file permission was set incorrectly. The company uses non-credentialed scanning for vulnerability management. Which of the following tools can the analyst use to verify the permissions? A. ssh B. chmod C. ls D. setuid E. nessus F. nc
C. ls
Question 251 ( Topic 1 ) DRAG DROP - Leveraging the information supplied below, complete the CSR for the server to set up TLS (HTTPS). ✑ Hostname: ws01 ✑ Domain: comptia.org ✑ IPv4: 10.1.9.50 ✑ IPv4: 10.2.10.50 ✑ Root: home.aspx ✑ DNS CNAME: homesite INSTRUCTIONS - Drag the various data points to the correct locations within the CSR. Extension criteria belong in the left-hand column and values belong in the corresponding row in the right- hand column. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. Select and Place:
Common Name - ws01.comptia.org ExtendedKeyUsage - OCSP URL:http://ocsp.pki comptia.org Policy Identification - URL = http://homesite.comptia.og/name.aspx SubAltName - DNS Name=homesite.comptia.org
A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file downloaded from a social media site and subsequently installed it without the userג€™s knowledge. Since the compromise, the attacker was able to take command and control the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker MOST likely use to gain access? A. A bot B. A fileless virus C. A logic bomb D. A RAT
D. A RAT
Question 271 ( Topic 1 ) During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will BEST assist the analyst? A. A vulnerability scanner B. A NGFW C. The Windows Event Viewer D. A SIEM
D. A SIEM
A security engineer needs to create a network segment that can be used for servers that require connections form untrusted networks. Which of the following should the engineer implement? A. An air gap B. A hot site C. A VLAN D. A screened subnet
D. A screened subnet
A retail company that is launching a new website to showcase the companyג€™s product line and other information for online shoppers registered the following URLs: ✑ www.companysite.com✑ shop.companysite.com ✑ about-us.companysite.com✑ contact-us.companysite.com✑ secure-logon.companysite.comWhich of the following should the company use to secure its website if the company is concerned with convenience and cost? A. A self-signed certificate B. A root certificate C. A code-signing certificate D. A wildcard certificate E. An extended validation certificate
D. A wildcard certificate
A security analyst needs to implement security features across smartphones, laptops, and tablets. Which of the following be the MOST effective across heterogeneous platforms? A. Enforcing encryption B. Deploying GPOs C. Removing administrative permissions D. Applying MDM software
D. Applying MDM software
When planning to build a virtual environment, an administrator needs to achieve the following: ✑ Establish policies to limit who can create new VMs. ✑ Allocate resources according to actual utilization. ✑ Require justification for requests outside of the standard requirements. ✑ Create standardized categories based on size and resource requirements.Which of the following is the administrator MOST likely trying to do? A. Implement IaaS replication B. Protect against VM escape C. Deploy a PaaS D. Avoid VM sprawl
D. Avoid VM sprawl
Question 202 ( Topic 1 ) A company is setting up a web server on the Internet that will utilize both encrypted and unencrypted web-browsing protocols. A security engineer runs a port scan against the server from the Internet and sees the following output: Which of the following steps would be best for the security engineer to take NEXT? A. Allow DNS access from the Internet. B. Block SMTP access from the Internet. C. Block HTTPS access from the Internet. D. Block SSH access from the Internet
D. Block SSH access from the Internet
Question 244 ( Topic 1 ) When implementing automation with IoT devices, which of the following should be considered FIRST to keep the network secure? A. Z-Wave compatibility B. Network range C. Zigbee configuration D. Communication protocols
D. Communication protocols
Question 231 ( Topic 1 ) An engineer wants to access sensitive data from a corporate-owned mobile device. Personal data is not allowed on the device. Which of the following MDM configurations must be considered when the engineer travels for business? A. Screen locks B. Application management C. Geofencing D. Containerization
D. Containerization
Question 258 ( Topic 1 ) Which of the following types of attacks is specific to the individual it targets? A. Whaling B. Pharming C. Smishing D. Credential harvesting
D. Credential harvesting
Question 300 ( Topic 1 ) A Chief Security Officer (CSO) is concerned about the volume and integrity of sensitive information that is exchanged between the organization and a third party through email. The CSO is particularly concerned about an unauthorized party who is intercepting information that is in transit between the two organizations. Which of the following would address the CSOגTM€s concerns? A. SPF B. DMARC C. SSL D. DKIM E. TLS
D. DKIM
Question 266 ( Topic 1 ) Which of the following is the MOST secure but LEAST expensive data destruction method for data that is stored on hard drives? A. Pulverizing B. Shredding C. Incinerating D. Degaussing
D. Degaussing
A security administrator is setting up a SIEM to help monitor for notable events across the enterprise. Which of the following control types does this BEST represent? A. Preventive B. Compensating C. Corrective D. Detective
D. Detective
A security administrator is trying to determine whether a server is vulnerable to a range of attacks. After using a tool, the administrator obtains the following output: Which of the following attacks was successfully implemented based on the output? A. Memory leak B. Race conditions C. SQL injection D. Directory traversal
D. Directory traversal
Question 291 ( Topic 1 ) An organization regularly scans its infrastructure for missing security patches but is concerned about hackers gaining access to the scannerגTM€s account. Which of the following would be BEST to minimize this risk while ensuring the scans are useful? A. Require a complex, eight-character password that is updated every 90 days. B. Perform only non-intrusive scans of workstations. C. Use non-credentialed scans against high-risk servers. D. Log and alert on unusual scanner account logon times.
D. Log and alert on unusual scanner account logon times.
Question 278 ( Topic 1 ) A security administrator needs to inspect in-transit files on the enterprise network to search for PII, credit card data, and classification words. Which of the following would be the BEST to use? A. IDS solution B. EDR solution C. HIPS software solution D. Network DLP solution
D. Network DLP solution
Question 212 ( Topic 1 ) Which of the following scenarios would make DNS sinkhole effective in thwarting an attack? A. An attacker is sniffing traffic to port 53, and the server is managed using unencrypted usernames and passwords. B. An organization is experiencing excessive traffic on port 53 and suspects an attacker is trying to DoS the domain name server. C. Malware is trying to resolve an unregistered domain name to determine if it is running in an isolated sandbox. D. Routing tables have been compromised, and an attacker is rerouting traffic to malicious websites
D. Routing tables have been compromised, and an attacker is rerouting traffic to malicious websites
Which of the following disaster recovery tests is the LEAST time consuming for the disaster recovery team? A. Tabletop B. Parallel C. Full interruption D. Simulation
D. Simulation
Question 247 ( Topic 1 ) After a hardware incident, an unplanned emergency maintenance activity was conducted to rectify the issue. Multiple alerts were generated on the SIEM during this period of time. Which of the following BEST explains what happened? A. The unexpected traffic correlated against multiple rules, generating multiple alerts. B. Multiple alerts were generated due to an attack occurring at the same time C. An error in the correlation rules triggered multiple alerts. D. The SIEM was unable to correlate the rules, triggering the alerts
D. The SIEM was unable to correlate the rules, triggering the alerts
A recent security assessment revealed that an actor exploited a vulnerable workstation within an organization and has persisted on the network for several months. The organization realizes the need to reassess its security strategy for mitigating risks within the perimeter. Which of the following solutions would BEST support the organizationג€™s strategy? A. FIM B. DLP C. EDR D. UTM
D. UTM
A forensics investigator is examining a number of unauthorized payments that were reported on the companyג€™s website. Some unusual log entries show users received an email for an unwanted mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be:<a href=ג€https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250ג€>Click here to unsubscribe</a>Which of the following will the forensics investigator MOST likely determine has occurred? A. SQL injection B. Broken authentication C. XSS D. XSRF
D. XSRF
Question 292 ( Topic 1 ) A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use? A. openssl B. hping C. netcat D. tcpdump
D. tcpdump
A company wants to modify its current backup strategy to minimize the number of backups that would need to be restored in case of data loss. Which of the following would be the BEST backup strategy to implement? A. Incremental backups followed by differential backups B. Full backups followed by incremental backups C. Delta backups followed by differential backups D. Incremental backups followed by delta backups E. Full backups followed by differential backups
E. Full backups followed by differential backups
Question 280 ( Topic 1 ) An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit of this certification? A. It allows for the sharing of digital forensics data across organizations. B. It provides insurance in case of a data breach. C. It provides complimentary training and certification resources to IT security staff. D. It certifies the organization can work with foreign entities that require a security clearance. E. It assures customers that the organization meets security standards.
E. It assures customers that the organization meets security standards.
During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID bit from the file? A. ls B. chflags C. chmod D. lsof E. setuid
E. setuid
