Part 10

The Chief Information Security Officer (CISO) of a regional banking institution has just been informed that the organization's public website has been compromised, and the purported actors made modifications to the site's home page to display a politically motivated message about an environmental cause. Based on motive, which of the following BEST describes the type of actor? --NOT CERTAIN A. Script kiddie B. Hacktivist C. Insider threat D. Nation state

B

The president of a company that specializes in military contracts receives a request for an interview. During the interview, the reporter seems more interested in discussing the president's family life and personal history than the details of a recent company success. Which of the following security concerns is this MOST likely an example of? A. Insider threat B. Social engineering C. Passive reconnaissance D. Phishing

B

Vendor diversity is considered an architectural best practice because: --NOT CERTAIN A. it prevents vulnerabilities from spreading from device to device in a crisis. B. it mitigates the risk of a programming flaw affecting the entire architecture. C. it allows for more user training to be conducted on different equipment. D. it transfers the risk associated with vulnerable devices to multiple vendors.

B

Which of the following physical security controls is MOST effective when trying to prevent tailgating? A. CCTV B. Mantrap C. Biometrics D. RFID badge E. Motion detection

B

Which of the following security controls provides an alternative solution to a control that would be considered unpractical or excessively expensive? --NOT CERTAIN A. Deterrent B. Compensating C. Technical D. Administrative

B

Which of the following encryption algorithms require one encryption key? (Choose two.) A. MD5 B. 3DES C. BCRYPT D. RC4 E. DSA

B, D

A company employee recently retired, and there was a schedule delay because no one was capable of filling the employee's position. Which of the following practices would BEST help to prevent this situation in the future? A. Mandatory vacation B. Separation of duties C. Job rotation D. Exit interviews

C

A developer wants to use an open source, third-party plug-in. The developer downloads the plug-in from the provider's website and from a mirror, and runs the files through an integrity checking hash. The output of each file is shown below: *-fileA:BA411C782AD521740123456789ABCDEF -fileB:BA411C782AD521740123456789ABCDEF* Which of the following statements BEST summarizes what conclusion the developer can draw from the above results? --NOT CERTAIN A. The files have both been compromised because the mix of numbers and letters indicates an error B. The integrity checksum is MD5 and cannot be assumed reliable C. Given the output, the developer can assume there is no integrity compromise D. The MD5 and SHA-1 checksums match, so the files have not been compromised

C

A network administrator receives a support ticket from the security operations team to implement secure access to the domain. The support ticket contains the following info: *-Source: 192.168.1.137 -Destination: 10.113.10.8 -Protocol TCP Ports: 636 -Time-of-day restriction: None -Proxy bypass required: Yes* Which of the following is being requested to be implemented? A. DNSSEC B. S/MIME C. LDAPS D. RDP

C

The human resources department is outsourcing much of its operations to a third party. As part of the process, the local human resources data needs to be transmitted to the third party over the Internet. Which of the following is the BEST way to transmit the data? --NOT CERTAIN A. SFTP B. DNSSEC C. SNMPv3 D. LDAPS

A

Using a ROT13 cipher to protect confidential information from unauthorized access is known as what? A. Steganography B. Obfuscation C. Non-repudiation D. Diffusion

B (ROT13 is a fixed substitution with no key; it hides the meaning of text from a casual reader but provides no cryptographic protection, which makes it obfuscation rather than steganography)

Which of the following BEST explains how the use of configuration templates reduces organization risk? A. It ensures consistency of configuration for initial system implementation. B. It enables system rollback to a last known-good state patches break functionality. C. It facilitates fault tolerance since applications can be migrated across templates. D. It improves vulnerability scanning efficiency across multiple systems.

A

Which of the following would be MOST effective in reducing tailgating incidents? A. Mantrap B. Faraday cage C. Motion detection D. Bollards

A

While on a business trip, a user's mobile device goes missing. The user immediately contacts the organization's service desk to report the incident. Which of the following actions is the BEST response to protect the data stored on the user's mobile device? A. Remotely wipe the mobile device via the mobile device manager to ensure the data is not compromised. B. Deploy full-device encryption through the mobile device manager to ensure the data is not accessed. C. Track the mobile device through geolocation services, and then alert the authorities of its whereabouts. D. Initiate remote lockout on the mobile device to prevent unauthorized access.

A

You are helping implement your company's business continuity plan. For one system, the plan requires an RTO of five hours and an RPO of one day. Which of the following would meet this requirement? --NOT CERTAIN A. Ensure the system can be restored within five hours and ensure it does not lose more than one day of data. B. Ensure the system can be restored within one day and ensure it does not lose more than five hours of data. C. Ensure the system can be restored between five hours and one day after an outage. D. Ensure critical systems can be restored within five hours and noncritical systems can be restored within one day.

A

A company has been experiencing many successful email phishing attacks, which have been resulting in the compromise of multiple employees' accounts when employees reply with their credentials. The security administrator has been notifying each user and resetting the account passwords when accounts have become compromised. Regardless of this process, the same accounts continue to be compromised even when the users do not respond to the phishing attacks. Which of the following are MOST likely to prevent similar account compromises? (select TWO) --NOT CERTAIN A. Enforce password reuse limitations B. Enable password complexity C. Reset the account security questions D. Configure account lockout E. Implement time-of-day restrictions

A, B

Which of the following staging environments is MOST likely to be a one-to-one mapping with the production environment and used for testing and validation prior to "go live"? A. Quality assurance B. Development C. Production D. Test

D

Which of the following types of embedded systems is required in manufacturing environments with life safety requirements? A. MFD B. RTOS C. SoC D. ICS

B (a real-time operating system guarantees deterministic response times, which is what life-safety control loops require; ICS is the broader category of industrial control system rather than a type of embedded system)

A recent audit contained significant findings for several servers, including: <SCREEN SHOWING MULTIPLE MACHINES MISSING OS PATCHES> In the future, which of the following capabilities would enable administrators to detect these issues proactively? A. Credentialed vulnerability scan B. Non-credentialed vulnerability scan C. Automatic file integrity checking D. Manual file integrity checking E. Log collection and correlation

A

A retail store recently deployed tablets for sales employees to use while assisting customers. Two of the tablets have already been lost or stolen. Which of the following would be the BEST way for the store to secure the tablets against future loss or theft? A. Cable locks B. Screen filters C. Geocaching D. Remote wipe

A

A network technician must update the company's wireless configuration settings to comply with new requirements, which mandates the use of AES encryption. Which of the following settings would BEST ensure the requirements are met? --NOT CERTAIN A. Configure CCMP B. Require TKIP C. Implement WPA D. Implement 802.1x

A

A company has found that people are browsing directories they should not be accessing. Which of the following techniques should the security administrator implement to prevent this from happening in the future? A. Least privilege B. Full-disk encryption C. Separation of duties D. Job rotation

A

A company is implementing an internal PKI. The design will include a CA and a subordinate CA. Which of the following CA design choices should be considered prior to implementation? A. Wildcard vs. standard certificate B. Subject field vs. subject alternative name field C. Private vs. public D. Online vs. offline E. Stapling vs. pinning

D (in a two-tier hierarchy the root CA is normally kept offline and only the subordinate CA issues end-entity certificates; wildcard, SAN, stapling and pinning are certificate or client choices, not CA design choices)

A company recently installed fingerprint scanners at all entrances to increase the facility's security. The scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid users were denied entry. Which of the following measurements do these users fall under? A. FRR B. FAR C. CER D. SLA

A

A company recently updated its website to increase sales. The new website uses PHP forms for leads and provides a directory with sales staff and their phone numbers. A systems administrator is concerned with the new website and provides the following log to support the concern: *-username JohnD does not exist, password prompt not supplied -username DJohn does not exist, password prompt not supplied -username JohnDoe exists, invalid password supplied -username JohnDoe exists, invalid password supplied -username JohnDoe exists, invalid password supplied -username JohnDoe exists, account locked* Which of the following is the systems administrator MOST likely to suggest to the Chief Information Security Officer (CISO) based on the above? A. Changing the account standard naming convention B. Implementing account lockouts C. Discontinuing the use of privileged accounts D. Increasing the minimum password length from eight to ten characters

A
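The log above shows the underlying flaw: the login page answers differently for a name that does not exist and for a name that does, so an attacker can confirm which guesses from the staff directory are real accounts before spending any lockout attempts on them. Changing the naming convention makes guessing harder, but the error messages themselves are the leak. The following is an added example, not code from the page or from any real product, with a constructed user store containing only JohnDoe; the candidate names, the PBKDF2 parameters and the dummy record are assumptions for illustration.

```python
import hashlib
import hmac
import os


def _hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed user store {username: (salt, pbkdf2 digest)}. Only JohnDoe exists,
# mirroring the log in the question (JohnD and DJohn are attacker guesses).
_SALT = os.urandom(16)
USERS = {"JohnDoe": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# A dummy record hashed at the same cost, so the "no such user" path does the same
# amount of work as the real path (closes the timing channel, not just the message).
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash_password("unused", _DUMMY_SALT))


def login_vulnerable(username, password):
    """Distinct responses for 'no such user' and 'wrong password', as in the log."""
    if username not in USERS:
        return "username does not exist, password prompt not supplied"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), digest):
        return "username exists, invalid password supplied"
    return "login ok"


def login_hardened(username, password):
    """Same response, and the same amount of work, whether or not the account exists."""
    salt, digest = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash_password(password, salt), digest)
    if matched and username in USERS:
        return "login ok"
    return "invalid username or password"


def enumerate_users(login, candidates, probe_password="x"):
    """What an attacker learns by probing with a junk password: every candidate whose
    response differs from the response for a name known not to exist."""
    baseline = login("zz-no-such-user-zz", probe_password)
    return [name for name in candidates if login(name, probe_password) != baseline]


if __name__ == "__main__":
    guesses = ["JohnD", "DJohn", "JohnDoe"]
    print("vulnerable leaks:", enumerate_users(login_vulnerable, guesses))
    print("hardened leaks:  ", enumerate_users(login_hardened, guesses))
```

Against the vulnerable handler the probe confirms JohnDoe without ever triggering the lockout; against the hardened handler the attacker learns nothing from either the message or the response time. Account lockout and the naming convention still help, but only once the responses stop distinguishing the two failure cases.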

A network administrator is reviewing the following IDS logs: *-ALERT: 192.168.1.20:1027 -> 192.168.1.21:445 malicious payload detected -ALERT: 192.168.1.20:1034 -> 192.168.1.21:445 malicious payload detected -ALERT: 192.168.1.20:2041 -> 192.168.1.21:445 malicious payload detected -ALERT: 192.168.1.20:1165 -> 192.168.1.21:445 malicious payload detected* Based on the above information, which of the following types of malware is triggering the IDS? A. Worm B. Logic bomb C. Rootkit D. Backdoor

A

A network technician is trying to set up a secure method for managing users and groups across the enterprise. Which of the following protocols is MOST likely to be used? A. LDAPS B. SFTP C. NTLM D. SNMPV3

A

A security administrator is investigating many recent incidents of credential theft for users accessing the company's website, despite the hosting web server requiring HTTPS for access. The server's logs show the website leverages the HTTP POST method for carrying user authentication details. Which of the following is the MOST likely reason for compromise? A. The HTTP POST method is not protected by HTTPS. B. The web server is running a vulnerable SSL configuration. C. The HTTP response is susceptible to sniffing. D. The company doesn't support DNSSEC.

B (HTTPS protects the whole request, method, headers and POST body alike, so a POST is no less protected than a GET; if credentials are being stolen despite HTTPS, the likely weak point is the TLS/SSL configuration itself, such as deprecated protocol versions or cipher suites)

A security administrator is reviewing the following firewall configuration after receiving reports that users are unable to connect to remote websites: *-10 PERMIT FROM:ANY TO:ANY PORT:80 -20 PERMIT FROM:ANY TO:ANY PORT:443 30 DENY FROM:ANY TO:ANY PORT:ANY* Which of the following is the MOST secure solution the security administrator can implement to fix this issue? A. Add the following rule to the firewall: 5 PERMIT FROM:ANY TO:ANY PORT:53 B. Replace rule number 10 with the following rule: 10 PERMIT FROM:ANY TO:ANY PORT:22 C. Insert the following rule in the firewall: 25 PERMIT FROM:ANY TO:ANY PORTS:ANY D. Remove the following rule from the firewall: 30 DENY FROM:ANY TO:ANY PORT:ANY

A
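The rule set in the question is evaluated top to bottom, first match wins. A browser has to resolve the site name before it can open port 80 or 443, and nothing above rule 30 matches port 53, so every lookup is dropped and "websites don't load" is really "DNS is blocked". The following is an added example, not from the page, that parses the rules and probes each option; it treats the rule set as port-only, like the question does, and assumes the device ends in an implicit deny (real rules would also need to name UDP as well as TCP for DNS).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str   # "PERMIT" or "DENY"
    port: object  # int, or the string "ANY"


def parse_rules(text):
    """Parse lines like '10 PERMIT FROM:ANY TO:ANY PORT:80' into Rules ordered by number."""
    rules = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        number, action, *fields = line.split()
        port_field = next(f for f in fields if f.startswith("PORT"))
        port_value = port_field.split(":", 1)[1]
        port = "ANY" if port_value == "ANY" else int(port_value)
        rules.append(Rule(int(number), action.upper(), port))
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules, dst_port):
    """First matching rule wins; anything unmatched falls to the implicit deny."""
    for rule in rules:
        if rule.port == "ANY" or rule.port == dst_port:
            return rule.action
    return "DENY"


# What a browser needs to reach a remote website, plus a service that workstations
# should NOT be able to reach anywhere on the internet (used to spot over-permissive fixes).
PROBES = {"dns": 53, "http": 80, "https": 443, "smb": 445}

ORIGINAL = """
10 PERMIT FROM:ANY TO:ANY PORT:80
20 PERMIT FROM:ANY TO:ANY PORT:443
30 DENY FROM:ANY TO:ANY PORT:ANY
"""
# Option A from the question: permit DNS ahead of the existing rules.
OPTION_A = "5 PERMIT FROM:ANY TO:ANY PORT:53\n" + ORIGINAL
# Option C from the question: a permit-any inserted before the final deny.
OPTION_C = ORIGINAL.replace("30 DENY", "25 PERMIT FROM:ANY TO:ANY PORT:ANY\n30 DENY")


def probe(ruleset_text):
    """Decision per probe for a given rule set."""
    rules = parse_rules(ruleset_text)
    return {name: evaluate(rules, port) for name, port in PROBES.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("option A", OPTION_A), ("option C", OPTION_C)):
        print(f"{label:9}", probe(text))
```

Only option A fixes browsing while keeping SMB (and everything else) denied; option C also fixes browsing but does so by permitting every port, which is why it is not the MOST secure choice.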

A security administrator wants to audit the login page of a newly developed web application to determine if default accounts have been disabled. Which of the following is BEST suited to perform this audit? --NOT CERTAIN A. Password cracker B. Rainbow table C. Protocol analyzer D. Banner grabbing

A

A security analyst has been dealing with a large number of malware infections on workstations with legacy operating systems. The infections are not being detected by the current AV suite. Further analysis shows that the signatures are up-to-date and the AV engines are functioning correctly. The company is unable to afford next-generation AV that prevents these types of attacks. Which of the following methods should the security analyst employ to prevent future outbreaks? --NOT CERTAIN A. Application whitelisting B. Patch management C. Host-based intrusion detection D. File integrity monitoring

A

A security analyst is checking log files and finds the following entries: *-C:\>nc -vv 192.160.118.130 80 -192.160.118.130: inverse host lookup failed: h_errno 11004: NO_DATA (UNKNOWN) [192.160.118.130] 80 (http) open -HEAD / HTTP/1.0 -HTTP/1.1 408 Request Time-out -Date: Thu, 29 Nov 2017 07:15:37 GMT -Server: Apache/2.2.14 (Ubuntu) -Vary: Accept-Encoding -Connection: close -Content-Type: text/html; charset=iso-8859-1 -sent 16, rcvd 189: NOTSOCK -C:\>* Which of the following is MOST likely happening? A. A hacker attempted to pivot using the web server interface. B. A potential hacker could be banner grabbing to determine what architecture is being used. C. The DNS is misconfigured for the server's IP address. D. A server is experiencing a DoS, and the request is timing out.

B (the session opens port 80 with netcat, sends a single HEAD request and reads the response headers back; the Server header reveals Apache/2.2.14 on Ubuntu, which is exactly what banner grabbing is for; the failed reverse lookup and the 408 are side effects, not the point of the activity)

A security analyst reviews the following log entry: *-2017-01-13 1622CST 10.11.24.18 93242 148 TCP HIT 200.200.0.223 -OBSERVED POST HTTP/1.1.0 "Mozilla 1.0" www.dropbox.com -Financial Report 2016 CONFID.pdf, 13MB, MS-RTC LMB; .NET -CLR 3.0.4509.1392, Jane.Doe* Which of the following security issues can the analyst identify? --NOT CERTAIN A. Data exfiltration B. Access violation C. Social engineering D. Unencrypted credentials

A

A security consultant is gathering information about the frequency of a security threat's impact to an organization. Which of the following should the consultant use to label the number of times an attack can be expected to impact the organization over a 365-day period? A. ARO B. MTBF C. ALE D. MTTR E. SLA

A

A security consultant wants to see what information can be obtained by banner grabbing the company's web servers. There are more than 100 web servers, and the consultant would like to perform the task and aggregate the information quickly. Which of the following is the MOST time-efficient way to accomplish this task? --NOT CERTAIN A. Use nc to establish a connection to each web server B. Run tcpdump on each web server in the organization C. Use dig to return results for each web server address D. Run netstat on each web server in the organization E. Use ssh to connect to port 80 on each web server

A

A security team has completed the installation of a new server. The OS and applications have been patched and tested, and the server is ready to be deployed. Which of the following actions should be taken before deploying the new server? A. Disable the default accounts. B. Run a penetration test on the network. C. Create a DMZ in which to place the server. D. Validate the integrity of the patches.

A

A security technician has been assigned data destruction duties. The hard drives that are being disposed of contain highly sensitive information. Which of the following data destruction techniques is MOST appropriate? A. Degaussing B. Purging C. Wiping D. Shredding

D (physical shredding destroys the platters or flash chips outright and works regardless of media type; degaussing only affects magnetic media and leaves the drive intact, and wiping or purging still returns a usable device that could be mishandled later)

An organization has air gapped a critical system. Which of the following BEST describes the type of attacks that are prevented by this security measure? A. Attacks from another local network segment B. Attacks exploiting USB drives and removable media C. Attacks that spy on leaked emanations or signals D. Attacks that involve physical intrusion or theft

A

An organization's IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization's web servers. Given the organization's stated priorities, which of the following would be the NEXT step? A. Remove the affected servers from the network. B. Review firewall and IDS logs to identify possible source IPs. C. Identify and apply any missing operating system and software patches. D. Delete the malicious software and determine if the servers must be reimaged.

A

During certain vulnerability scanning scenarios, it is possible for the target system to react in unexpected ways. This type of scenario is MOST commonly known as: --FLAGGED A. intrusive testing. B. a buffer overflow. C. a race condition. D. active reconnaissance.

A

The Chief Executive Officer (CEO) has asked a junior technician to create a folder in which the CEO can place sensitive files. The technician finds the information within these files is the topic of conversation around the company. When this information gets back to the CEO, the technician is called in to explain. Which of the following MOST likely occurred? A. Access violations B. Permission issues C. Data exfiltration D. Certificate issues

B (the folder was created with permissions that let other staff read the CEO's files; the technician is the one called in because restricting access was the technician's job, so the root cause is misconfigured permissions rather than users breaking an access rule)

A company has just adopted the BYOD deployment methodology. The company is unsure of how to address the new trend and has requested assistance from a consultant. Given this scenario, which of the following should the consultant recommend? (select TWO) --NOT CERTAIN A. Use password-enabled lock screens B. Implement an MDM solution C. Configure time-of-day restrictions D. Disable personal email E. Implement application whitelisting F. Deny access to the corporate portal

A, B

An administrator is implementing a secure server and wants to ensure that if the server application is compromised, the application does not have access to other parts of the server or network. Which of the following should the administrator implement? (Choose two.) A. Mandatory access control B. Discretionary access control C. Rule-based access control D. Role-based access control E. Attribute-based access control

A, D

The output of running the "netstat -an" command on a network device is as follows: *Proto Local Addr Foreign Addr State -TCP 0.0.0.0:22 0.0.0.0:0 Listening -TCP 0.0.0.0:25 0.0.0.0:0 Listening -TCP 0.0.0.0:631 0.0.0.0:0 Listening -TCP 0.0.0.0:161 0.0.0.0:0 Listening* The device is to be used only as a networked printer. Given the above output, which of the following services should be disabled for the HIGHEST level of security? (select TWO). A. SSH B. SNMP C. Syslog D. SMTP E. FTP F. Telnet

A, D

A Chief Information Security Officer (CISO) is performing a BIA for the organization in case of a natural disaster. Which of the following should be at the top of the CISO's list? A. Identify redundant and high-availability systems. B. Identify mission-critical applications and systems. C. Identify the single point of failure in the system. D. Identify the impact on safety of the property.

B

A member of the human resources department is searching for candidate resumes and encounters the following error message when attempting to access popular job search websites: *-Site cannot be Displayed: Unauthorized Access -Policy Violation: Job Search -User Group: Retail_Employee_Access -Client Address: 10.13.78.145 -DNS Server: 10.1.1.9 -Proxy IP Address: 10.1.1.29 -Contact your systems administrator for assistance* Which of the following would resolve this issue without compromising the company's security policies? A. Renew the DNS settings and IP address on the employee's computer B. Add the employee to a less restrictive group on the content filter C. Remove the proxy settings from the employee's web browser D. Create an exception for the job search sites in the host-based firewall on the employee's computer

B

Emails containing the URL of a popular technology forum were sent from an external source to a research and development company. When users at the company load the page, malware infects their system. Which of the following BEST describes this scenario? --NOT CERTAIN A. The email is intended to spread information that is a hoax. B. The email is intended to bait users into accessing a watering hole. C. The email is intended to promote shoulder surfing. D. The email is intended to disrupt productivity.

B

A network administrator is downloading the latest software for the organization's core switch. The downloads page allows users to view the checksum values for the available files. The network administrator is shown the following when viewing the checksum values for the TB_16.swi file: Checksum values for the downloaded file: MD5 d50b2b04cfb168eec8 SHA1 6a49065705a43de83dfa9e94 SHA256 7123fb644fbabdda6a73f6e6bc833e2cf12 After downloading the file, the network administrator runs a command to show the following output: Algorithm Hash Path -SHA256 5fdbbfb644fbabdda000006e6bc833e2c968 C:\Users\bsmith\TB_16.swi -SHA256 64ccbfbaf4fb96dda6a7373e9bcf62e3c244 C:\Users\bsmith\AA_15.swi -SHA1 12fec6aabc9ce87fee654abc C:\Users\bsmith\KB_09.swi -MD5 5fdbbfb644fbadda6 C:\Users\bsmith\KA_01.swi Which of the following can be determined from the above output? --NOT CERTAIN A. The download file was only hashed with SHA-256. B. The download file has been corrupted or tampered with. C. The download file should not be used because it was not hashed with MD5. D. The download file should not be used because its hash differs from the hash of AA_15.swi

B
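Both the plug-in question (two matching MD5 digests from two mirrors) and the switch-firmware question above come down to the same procedure: compute the digest of what you actually downloaded and compare it with what the publisher lists. Two details matter in practice. A digest's length tells you which algorithm it is (32 hex characters is MD5, 40 is SHA-1, 64 is SHA-256), so the truncated values shown in the screenshot cannot be verified at all and must not be reported as "ok". And a match on MD5 alone is weak evidence, because MD5 collisions are practical. The following is an added example, not code from the page or from any vendor, using constructed firmware blobs and constructed digests.

```python
import hashlib
import os
import tempfile

# A hex digest's length identifies the algorithm that produced it.
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_file(path, algorithm, chunk_size=65536):
    """Stream the file through hashlib so a large image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_verifiable(published_digest):
    """False for anything that is not a complete MD5/SHA-1/SHA-256 hex string, e.g. a
    digest that was truncated when copied from a web page."""
    return len(published_digest.strip()) in DIGEST_ALGORITHMS


def verify_download(path, published_digests):
    """Compare the file against every published digest; returns {algorithm: matched}."""
    results = {}
    for value in published_digests:
        value = value.strip().lower()
        if not is_verifiable(value):
            raise ValueError(f"unrecognised digest length {len(value)}: {value!r}")
        algorithm = DIGEST_ALGORITHMS[len(value)]
        results[algorithm] = hash_file(path, algorithm) == value
    return results


def verdict(results):
    """Collapse per-algorithm results into the conclusion a practitioner should draw."""
    if not results:
        return "unverified"
    if not all(results.values()):
        return "MISMATCH: corrupted or tampered"
    if set(results) == {"md5"}:
        # Equal MD5 digests are not proof of integrity on their own.
        return "match (MD5 only: weak evidence)"
    return "match"


def demo():
    """Constructed firmware blobs: one intact, one with a single byte appended."""
    good = b"switch firmware image\n" * 2000
    tampered = good + b"\x00"
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "TB_16.swi")
        bad_path = os.path.join(d, "TB_16_tampered.swi")
        with open(good_path, "wb") as f:
            f.write(good)
        with open(bad_path, "wb") as f:
            f.write(tampered)
        published = [hashlib.sha256(good).hexdigest(), hashlib.md5(good).hexdigest()]
        return (
            verdict(verify_download(good_path, published)),
            verdict(verify_download(bad_path, published)),
            verdict(verify_download(good_path, [hashlib.md5(good).hexdigest()])),
        )


if __name__ == "__main__":
    print(demo())
```

Feeding the screenshot's own values in shows the second point: `is_verifiable("d50b2b04cfb168eec8")` is false because an 18-character string is not any standard digest, so the only honest conclusion is that the published MD5 cannot be checked, while the SHA-256 values that are visible clearly differ, which is what makes option B the answer.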

A network technician is designing a network for a small company. The network technician needs to implement an email server and web server that will be accessed by both internal employees and external customers. Which of the following would BEST secure the internal network and allow access to the needed servers? A. Implementing a site-to-site VPN for server access. B. Implementing a DMZ segment for the server. C. Implementing NAT addressing for the servers. D. Implementing a sandbox to contain the servers.

B

A security engineer is working with the CSIRT to investigate a recent breach of client data due to the improper use of cloud-based tools. The engineer finds that an employee was able to access a cloud-based storage platform from the office and upload data for the purposes of doing work from home after hours. Such activity is prohibited by policy, but no preventative control is in place to block such activities. Which of the following controls would have prevented this breach? A. Network-based IPS B. Host-based DLP C. Host-based IDS D. NAC using TACACS+

B

A systems administrator is implementing a remote access method for the system that will utilize GUI. Which of the following protocols would be BEST suited for this? A. TLS B. SSH C. SFTP D. SRTP

B

A technician receives a device with the following anomalies: Frequent pop-up ads Slow response-time switching between active programs Unresponsive peripherals The technician reviews the following log file entries: *File Name Source MD5 Target MD5 Status -antivirus.exe F794F21CD33E4F57890DDEA5CF267ED2 F794F21CD33E4F57890DDEA5CF267ED2 Automatic -iexplore.exe 7FAAF21CD33E4F57890DDEA5CF29CCEA AA87F21CD33E4F57890DDEAEE2197333 Automatic -service.exe 77FF390CD33E4F57890DDEA5CF28881F 77FF390CD33E4F57890DDEA5CF28881F Manual -USB.exe E289F21CD33E4F57890DDEA5CF28EDC0 E289F21CD33E4F57890DDEA5CF28EDC0 Stopped* Based on the above output, which of the following should be reviewed? A. The web application firewall B. The file integrity check C. The data execution prevention D. The removable media control

B

A website form is used to register new students at a university. The form passes the unsanitized values entered by the user and uses them to directly add the student's information to several core systems. Which of the following attacks can be used to gain further access due to this practice? A. Cross-site request forgeries B. XSS attacks C. MITM attacks D. SQL injection

D (unsanitised form values passed straight into back-end systems let an attacker embed SQL in a field and alter the queries those systems run, reaching data and functions well beyond the registration form; XSS would affect other users' browsers rather than grant access to the core systems)

After a recent attack causing a data breach, an executive is analyzing the financial losses. She determined that the attack is likely to cost at least $1 million. She wants to ensure that this information is documented for future planning purposes. In which of the following is she MOST likely to document it? --NOT CERTAIN A. DRP B. BIA C. HVAC D. RTO

B

After a recent security breach at a hospital, it was discovered that nursing staff members, who were working the overnight shift, searched for and accessed private health information for local celebrities who were patients at the hospital. Which of the following would have enabled the hospital to discover this behavior BEFORE a breach occurred? --NOT CERTAIN A. Time-of-day restrictions B. Usage reviews C. Periodic permission audits D. Location-based policy enforcement

B

After discovering a security incident and removing the affected files, an administrator disabled an unneeded service that led to the breach. Which of the following steps in the incident response process has the administrator just completed? A. Containment B. Eradication C. Recovery D. Identification

B

An administrator is setting up automated remote file transfers to another organization. The other organization has the following requirements for the connection protocol: *-Encryption in transit is required. -Mutual authentication must be used. -Certificate authentication must be used (no passwords).* Which of the following should the administrator choose? A. SNMPv3 B. SFTP C. TLS D. LDAPS E. SRTP

C (TLS supports mutual authentication with X.509 certificates on both sides of the connection; SFTP runs over SSH, which authenticates with SSH keys or passwords rather than certificates, and SNMPv3, LDAPS and SRTP are not file-transfer protocols)

An organization wants to ensure servers and applications can be deployed rapidly, in a consistent manner, and allow for flexible configuration changes. Which of the following should the organization use to make this process repeatable across multiple locations? --NOT CERTAIN A. Redundancy B. Templates C. Snapshots D. Elasticity E. Configuration validation

B

An organization wants to move its operations to the cloud. The organization's systems administrators will still maintain control of the servers, firewalls, and load balancers in the cloud environment. Which of the following models is the organization considering? --NOT CERTAIN A. SaaS B. IaaS C. PaaS D. MaaS

B

Compared to a non-credentialed scan, which of the following is a unique result of a credentialed scan? A. Uncommon open ports on the host B. Outdated software versions on the host C. Self-signed certificate on the host D. Fully qualified domain name

B

A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service Unavailable error. The analyst runs a netstat -an command to discover if the web server is up and listening. The analyst receives the following output: TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT Which of the following types of attack is the analyst seeing? A. Buffer overflow B. Domain hijacking C. Denial of service D. ARP poisoning

C

A security team has deployed a new UTM to connect different segments of the corporate network. In addition to the UTM, each host has its own firewall and HIPS. The new UTM implements many of the same protections as the host-based firewall and HIPS, but the security team plans to leave both of these protections in place. Which of the following BEST describes the reason for this redundancy? --NOT CERTAIN A. Having multiple security devices can result in faster performance B. The UTM cannot protect against threats from outside the network C. Multiple forms of protection are preferred over single points of failure D. A UTM cannot perform malware analysis, but a HIPS can

C

A technician is investigating a report of unusual behavior and slow performance on a company-owned laptop. The technician runs a command and reviews the following information: *Proto LocalAddress ForeignAddress State -TCP 0.0.0.0:445 --- Listening RpcSc -TCP 0.0.0.0:80 --- Listening httpd.exe -TCP 0.0.0.0:443 192.168.1.20:1301 Established httpd.exe -TCP 0.0.0.0:90328 172.55.80.22:9090 Established notepad.exe* Based on the above information, which of the following types of malware should the technician report? --FLAGGED A. Spyware B. Rootkit C. RAT D. Logic bomb

C
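The two netstat questions above (the 503 error with a pile of TIME_WAIT sockets from one client, and the laptop where notepad.exe holds an established session to an outside host) are both answered by reading the same output for two different patterns. The following is an added example, not from the page, that parses netstat-style records and applies both checks. The sample is constructed from the questions' listings and normalised to one record per line; the baseline of processes that are allowed to talk to the network, and the flood threshold, are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed netstat-style output: proto local remote state [owning process].
SAMPLE = """
TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING RpcSs
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING httpd.exe
TCP 10.0.0.7:443 192.168.1.20:1301 ESTABLISHED httpd.exe
TCP 10.0.0.7:49328 172.55.80.22:9090 ESTABLISHED notepad.exe
"""

# Assumed baseline: processes that legitimately hold network connections on this host.
EXPECTED_NETWORK_PROCESSES = {"httpd.exe", "RpcSs", "svchost.exe", "chrome.exe"}


def parse_netstat(text):
    """One dict per record; the process column is optional (netstat -b / -p style)."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        proto, local, remote, state = parts[:4]
        process = parts[4] if len(parts) > 4 else None
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        records.append({"proto": proto, "lhost": lhost, "lport": int(lport),
                        "rhost": rhost, "rport": int(rport),
                        "state": state.upper(), "process": process})
    return records


def find_floods(records, threshold=5):
    """One remote host churning many short-lived connections at one local service."""
    short_lived = {"TIME_WAIT", "SYN_RECEIVED", "SYN_RECV"}
    counts = Counter((r["rhost"], r["lport"]) for r in records if r["state"] in short_lived)
    return [f"possible DoS: {host} -> local port {port} ({n} connections)"
            for (host, port), n in counts.items() if n >= threshold]


def find_suspicious_outbound(records, expected=EXPECTED_NETWORK_PROCESSES):
    """Established sessions to non-private addresses owned by processes that have no
    business on the network: the classic remote-access-trojan tell."""
    hits = []
    for r in records:
        if r["state"] != "ESTABLISHED" or r["process"] in expected:
            continue
        if not ipaddress.ip_address(r["rhost"]).is_private:
            hits.append(f"possible RAT: {r['process']} -> {r['rhost']}:{r['rport']}")
    return hits


def analyse(text):
    records = parse_netstat(text)
    return find_floods(records) + find_suspicious_outbound(records)


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

The flood check only counts half-open or closing states, so a busy but healthy server with many ESTABLISHED sessions does not trip it; the outbound check deliberately ignores the web server's own session to 192.168.1.20, which is both an expected process and a private peer, and flags notepad.exe because neither condition holds.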

An analyst is reviewing the following web-server log after receiving an alert from the DLP system about multiple PII records being transmitted in cleartext: *SourceIP TimeStamp URI HTTP CODE SIZE -10.45.10.200 3/15/2018 10:43:30 GET/../../../../config.php 400 - 5443 -10.43.40.112 3/15/2018 10:43:32 GET/calendar.php? a=select%20^ 200 - 1010 -192.6.43.122 3/15/2018 10:43:36 GET/events/event.png 200 - 5405 -172.44.33.10 3/15/2018 10:43:41 POST/user.php? id=123233304 400 - 3100* Which of the following IP addresses is MOST likely involved in the data leakage attempt? A. 10.43.40.112 B. 10.45.10.200 C. 172.44.33.10 D. 192.4.43.122

C

An attacker has obtained the user ID and password of a datacenter's backup operator and has gained access to a production system. Which of the following would be the attacker's NEXT action? A. Perform a passive reconnaissance of the network. B. Initiate a confidential data exfiltration process. C. Look for known vulnerabilities to escalate privileges. D. Create an alternate user ID to maintain persistent access

C

An employee has been writing a secure shell around software used to secure executable files. The employee has conducted the appropriate self-test and is ready to move the software into the next environment. Within which of the following environments is the employee currently working? --NOT CERTAIN A. Staging B. Test C. Development D. Production

C

An energy company is in the final phase of testing its new billing service. The testing team wants to use production data in the test system for stress testing. Which of the following is the BEST way to use production data without sending false notification to the customers? --NOT CERTAIN A. Back up and archive the production data to an external source. B. Disable notifications in the production system. C. Scrub the confidential information. D. Encrypt the data prior to the stress test.

C

An organization wants to ensure network access is granted only after a user or device has been authenticated. Which of the following should be used to achieve this objective for both wired and wireless networks? A. CCMP B. PKCS#12 C. IEEE 802.1X D. OCSP

C

An organization's policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevent users from using any of their previous 12 passwords. The organization does not use single sign-on, nor does it centralize storage of passwords. The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation. Which of the following BEST describes what is happening? A. Some users are meeting password complexity requirements but not password length requirements. B. The password history enforcement is insufficient, and old passwords are still valid across many different systems. C. Some users are reusing passwords, and some of the compromised passwords are valid on multiple systems. D. The compromised password file has been brute-force hacked, and the complexity requirements are not adequate to mitigate this risk.

C

During a routine review of firewall log reports, a security technician notices multiple successful logins for the admin user during unusual hours. The technician contacts the network administrator, who confirms the logins were not related to the administrator's activities. Which of the following is the MOST likely reason for these logins? --NOT CERTAIN A. Firewall maintenance service windows were scheduled B. Default credentials were still in place C. The entries in the log were caused by the file integrity monitoring system D. A blue team was conducting a penetration test on the firewall

C

During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts. With which of the following is the auditor MOST likely concerned? --NOT CERTAIN A. ARO/ALE B. MTTR/MTBF C. RTO/RPO D. Risk assessment

C

The network team has detected a large amount of traffic between workstations on the network. The traffic was initially very light, but it is increasing exponentially as the day progresses. Which of the following types of malware might be suspected? --NOT CERTAIN A. Backdoor B. Rootkit C. Worm D. Spyware

C

To help prevent against an SQL injection, which of the following functions should the application developer implement? A. Error handling B. Code signing C. Input validation D. Model verification

C

When backing up a database server to LTO tape drives, the following backup schedule is used. Backups take one hour to complete:
- Sunday (7 PM): Full backup
- Monday (7 PM): Incremental
- Tuesday (7 PM): Incremental
- Wednesday (7 PM): Differential
- Thursday (7 PM): Incremental
- Friday (7 PM): Incremental
- Saturday (7 PM): Incremental
On Friday at 9:00 p.m., there is a RAID failure on the database server. The data must be restored from backup. Which of the following is the number of backup tapes that will be needed to complete this operation? A. 1 B. 2 C. 3 D. 4 E. 6

C

Which of the following BEST explains why an application team might take a VM snapshot before applying patches in the production environment? --NOT CERTAIN A. To reduce operational risk so application users can continue using the system while the patch is being applied in the production environment B. To reduce security risk by having a baseline against which the patched system can be compared if the system becomes compromised C. To reduce operational risk so the team can quickly restore the application to a previous working condition if the patch fails D. To reduce security risk so vulnerability scans can be performed on a pre- and post- patched system and the results can be compromised

C

Which of the following is a resiliency strategy that allows a system to automatically adapt to workload changes? A. Fault tolerance B. Redundancy C. Elasticity D. High availability

C

Which of the following controls does a mantrap BEST represent? A. Deterrent B. Detective C. Physical D. Corrective

C

While monitoring the SIEM, a security analyst observes traffic from an external IP to an IP address of the business network on port 443. Which of the following protocols would MOST likely cause this traffic? A. HTTP B. SSH C. SSL D. DNS

C

A company is implementing a tool to mask all PII when moving data from a production server to a testing server. Which of the following security techniques is the company applying? A. Data wiping B. Steganography C. Data obfuscation D. Data sanitization

D

A company recently implemented a new security system. In the course of configuration, the security administrator adds the following entry: *#Whitelist USB\VID_13FE&PID_4127&REV_0100* Which of the following security technologies is MOST likely being configured? A. Application whitelisting B. HIDS C. Data execution prevention D. Removable media control

D

A restaurant wants to deploy tablets to all waitstaff but does not want to use passwords or manage users to connect the tablets to the network. Which of the following types of authentication would be BEST suited for this scenario? A. Proximity cards B. IEEE 802.1x C. Hardware token D. Fingerprint reader

D

A security administrator is developing a methodology for tracking staff access to patient data. Which of the following would be the BEST method of creating audit trails for usage reports? --NOT CERTAIN A. Deploy file integrity checking B. Restrict access to the database by following the principle of least privilege C. Implement a database activity monitoring system D. Create automated alerts on the IDS system for the database server

D

A security administrator is implementing a new WAF solution and has placed some of the web servers behind the WAF, with the WAF set to audit mode. When reviewing the audit logs of external requests and posts to the web servers, the administrator finds the following entry:
Context Details for Signature 20000018334
Context: Parameter
Actual Parameter Name: Account_Name
Parameter Value: SELECT FROM User WHERE Username='1' OR '1'='1' OR '1'='1'
Based on this data, which of the following actions should the administrator take? A. Alert the web server administrators to a misconfiguration. B. Create a blocking policy based on the parameter values. C. Change the parameter name 'Account_Name' identified in the log. D. Create an alert to generate emails for abnormally high activity.

D

A security administrator needs to conduct a full inventory of all encryption protocols and cipher suites. Which of the following tools will the security administrator use to conduct this inventory MOST efficiently? A. tcpdump B. Protocol analyzer C. Netstat D. Nmap

D

Which of the following BEST explains why a development environment should have the same database server secure baseline that exists in production even if there is no PII in the database? --NOT CERTAIN A. Without the same configuration in both development and production, there is no assurance that changes made in development will have the same effect in production. B. Attackers can extract sensitive, personal information from lower development environment databases just as easily as they can from production databases. C. Databases are unique in their need to have secure configurations applied in all environments because they are attacked more often. D. Laws stipulate that databases with the ability to store personal information must be secured regardless of the environment or whether they actually have PII.

D

A security administrator wants to prevent standard users from running software they downloaded or copied to the computer. The security administrator finds the following permissions on the computer:
Folder Location | Administrator Permission | Standard User Permissions
C:\ | RW | RW
C:\OperatingSystem\ | RW | R
C:\Programs\ | RW | R
C:\TEMP\ | RW | RW
C:\ShippingDATA | RW | RW
C:\USERS\User1 | R | RW
C:\Users\Admin | RW | -
The administrator needs to create a policy that specifies from which folders a low-privilege user can run applications. Which of the following application whitelist configurations would BEST accomplish this task? --NOT CERTAIN A. Allow ^ Block C:\TEMP, C:\ShippingDATA, C:\Users\User1 B. Allow C:\, C:\OperatingSystem, C:\Programs, C:\Users\Users1 Block C:\TEMP, C:\ShippingDATA, C:\Users\User1 C. Allow C:\ Block C:\User\User1 D. Allow C:\OperatingSystem\, C:\Programs Block ^

D

A security analyst is performing a BIA. The analyst notes that in a disaster, failover systems must be up and running within 30 minutes. The failover systems must use backup data that is no older than one hour. Which of the following should the analyst include in the business continuity plan? A. A maximum MTTR of 30 minutes B. A maximum MTBF of 30 minutes C. A maximum RTO of 60 minutes D. A maximum RPO of 60 minutes E. An SLA guarantee of 60 minutes

D

A security engineer is analyzing the following line of JavaScript code that was found in a comment field on a web forum, which was recently involved in a security breach: <script src=http://gotcha.com/hackme.js></script> Given the line of code above, which of the following BEST represents the attack performed during the breach? A. CSRF B. DDoS C. DoS D. XSS

D

A security engineer is configuring a wireless network. The security requirements for the network are:
- Mutual authentication of wireless clients and the authentication server
- Client authentication must be username and password
- Cannot use a certificate on the authentication server
--NOT CERTAIN A. EAP B. EAP-TLS C. EAP-TTLS D. EAP-FAST

D

After the integrity of a patch has been verified, but before being deployed to production, it is important to: --NOT CERTAIN A. perform static analysis. B. reverse engineer it for embedded malware. C. run dynamic analysis on the executable. D. test it in a staging environment.

D

An auditor has identified unauthorized p2p file-sharing programs and possible copyrighted material on employees' computers. Which of the following should the auditor recommend be done to prevent employees from installing unauthorized software? --NOT CERTAIN A. Remove administrative permissions B. Implement a hash-based software blacklist C. Install a file integrity monitoring system D. Configure a software whitelist

D

An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the following is the BEST way for the organization to integrate with the cloud application? A. Upload a separate list of users and passwords with a batch import. B. Distribute hardware tokens to the users for authentication to the cloud. C. Implement SAML with the organization's server acting as the identity provider. D. Configure a RADIUS federation between the organization and the cloud provider.

D

Network administrators have identified what appears to be malicious traffic coming from an internal computer, but only when no one is logged on to the computer. You suspect the system is infected with malware. It periodically runs an application that attempts to connect to web sites over port 80 with Telnet. After comparing the computer with a list of applications from the master image, you verify this application is very likely the problem. What allowed you to make this determination? --NOT CERTAIN A. Least functionality B. Sandbox C. Blacklist D. Integrity measurements

D

Sara, a company's security officer, often receives reports of unauthorized personnel having access codes to the cipher locks of secure areas in the building. Sara should immediately implement which of the following? --NOT CERTAIN A. Acceptable Use Policy B. Physical security controls C. Technical controls D. Security awareness training

D

The Chief Information Officer (CIO) has determined the company's new PKI will not use OCSP. The purpose of OCSP still needs to be addressed. Which of the following should be implemented? A. Build an online intermediate CA. B. Implement a key escrow. C. Implement stapling. D. Install a CRL.

D

The payroll department has contacted the security team regarding an anomaly with amounts paid via the weekly payroll file. The security analyst is provided the following log from the server:
Time | Source IP | File Path | Action
1/1/16 9:24:10 | 10.10.24.156 | C:\ACH\payrolll.xls | File created
1/1/16 3:15:23 | 172.14.89.12 | C:\ACH\payrolll.xls | File transferred
1/7/16 9:24:10 | 10.10.24.156 | C:\ACH\payrolll.xls | File created
1/7/16 3:15:23 | 172.14.89.12 | C:\ACH\payrolll.xls | File transferred
1/14/16 9:24:10 | 10.10.24.156 | C:\ACH\payrolll.xls | File created
1/14/16 9:51:34 | 10.10.24.156 | C:\ACH\payrolll.xls | File modified
1/14/16 3:10:29 | 172.14.89.12 | C:\ACH\payrolll.xls | Transfer failed
1/14/16 4:10:52 | 172.14.89.12 | C:\ACH\payrolll.xls | File transferred
1/21/16 9:24:10 | 10.10.24.156 | C:\ACH\payrolll.xls | File created
1/21/16 3:45:01 | 172.14.89.12 | C:\ACH\payrolll.xls | File transferred
1/28/16 9:24:10 | 10.10.24.156 | C:\ACH\payrolll.xls | File created
1/28/16 9:45:23 | 10.10.24.156 | C:\ACH\payrolll.xls | File modified
1/28/16 10:23:52 | 17.23.45.29 | C:\ACH\payrolll.xls | File modified
1/28/16 3:22:15 | 172.14.89.12 | C:\ACH\payrolll.xls | File transferred
Which of the following is the MOST likely reason for the anomaly? --NOT CERTAIN A. The file was corrupted in transit. B. The file was transferred to the wrong destination. C. The connection was refused by the destination. D. The file was compromised before being sent.

D

Which of the following BEST describes the purpose of authorization? A. Authorization provides logging to a resource and comes after authentication. B. Authorization provides authentication to a resource and comes after identification. C. Authorization provides identification to a resource and comes after authentication. D. Authorization provides permissions to a resource and comes after authentication

D

Which of the following computer recovery sites is the least expensive and most difficult to test at the same time? --NOT CERTAIN A. Non-mobile hot site B. Mobile hot site C. Warm site D. Cold site

D

Which of the following is an example of federated access management? A. Windows passing user credentials on a peer-to-peer network B. Applying a new user account with a complex password C. Implementing an AAA framework for network access D. Using a popular website login to provide access to another website

D
