SEC+ test questions


32.) Users are attempting to access a company's website but are transparently redirected to another website. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the future? A. DNSSEC B. HTTPS C. IPSec D. TLS/SSL

A. DNSSEC

75.) A company recently updated its website to increase sales. The new website uses PHP forms for leads and provides a directory with sales staff and their phone numbers. A systems administrator is concerned about the new website and provides the following log to support the concern:

username JohnD does not exist, password prompt not supplied
username DJohn does not exist, password prompt not supplied
username JohnDoe exists, invalid password supplied
username JohnDoe exists, invalid password supplied
username JohnDoe exists, invalid password supplied
username JohnDoe exists, account locked

Which of the following is the systems administrator MOST likely to suggest to the Chief Information Security Officer based on the above? A. Changing the account standard naming convention B. Implementing account lockouts C. Discontinuing the use of privileged accounts D. Increasing the minimum password length from eight to ten characters

A. Changing the account standard naming convention

66.) A network administrator provided the following output from a vulnerability scan:

Plugin ID  Severity  Count  Description                               Risk Score
10         Critical  1      CentOS 7 : rpm (CTSA-2014:1980)           3.4
11         Low       178    Microsoft Windows Update                  1.3
12         Medium    120    openSUSE Security Update: python3 / rpm   1.8
13         High      15     Microsoft Windows Update Reboot Required  3.6
14         Low       1389   RHEL 4 : RPM (RHSA-2016:0678)             2.1

The network administrator has been instructed to prioritize remediation efforts based on overall risk to the enterprise. Which of the following plugin IDs should be remediated FIRST? A. 10 B. 11 C. 12 D. 13 E. 14

A. 10

1.) A security administrator is implementing a new WAF solution and has placed some of the web servers behind the WAF, with the WAF set to audit mode. When reviewing the audit logs of external requests and posts to the web servers, the administrator finds the following entry:

Context Details for signature 20000018334
Context: Parameter
Actual Parameter Name: Account_Name
Parameter Value: SELECT * FROM Users WHERE Username='1' OR '1'='1'

Based on this data, which of the following actions should the administrator take? A. Alert the web server administrators to a misconfiguration. B. Create a blocking policy based on the parameter values. C. Change the parameter name 'Account_Name' identified in the log. D. Create an alert to generate emails for abnormally high activity.

B. Create a blocking policy based on the parameter values. (The value is a SQL injection payload arriving from outside; the WAF is in audit mode, so it only logged it. Renaming the parameter or alerting on request volume does not stop the attack.)

1.) A coffee company has hired an IT consultant to set up a WIFI network that will provide internet access to customers who visit the company's chain of cafes. The coffee company has provided no requirements other than customers should be granted access after registering via a web form and accepting the terms of service. Which of the following is the MINIMUM acceptable configuration to meet this single requirement? A. Captive portal B. WPA with PSK C. Open WiFi D. WPS

A. Captive Portal

91.) Which of the following controls is implemented in lieu of the primary security controls? A. Compensating. B. Corrective. C. Detective. D. Deterrent.

A. Compensating.

After running an online password cracking tool, an attacker recovers the following password: gh ;j SKSTO¡;618& Based on the above information, which of the following technical controls have been implemented (Select TWO). A. Complexity B. Encryption C. Hashing D. Length E. Salting F. Stretching

A. Complexity D. Length

49.) A contracting company recently completed its period of performance on a government contract and would like to destroy all information associated with contract performance. Which of the following is the best NEXT step for the company to take? A. Consult data disposition policies in the contract. B. Use a pulper or pulverizer for data destruction. C. Retain the data for a period no more than one year. D. Burn hard copies containing PII or PHI.

A. Consult data disposition policies in the contract.

55.) Which of the following attacks can be mitigated by proper data retention policies? A. Dumpster diving B. Man-in-the-browser C. Spear phishing D. Watering hole

A. Dumpster Diving

88.) A security analyst is investigating a report from an employee in the human resources (HR) department who is having sporadic issues with internet access. When the security analyst pulls the UTM logs for the IP addresses in the HR group, the following activity is shown:

Host        Destination    Port  Category         User Group  Action
10.1.13.45  165.35.23.129  8080  News-Journalism  General     Block
10.1.13.45  89.23.45.11    443   Banking          General     Allow
10.1.13.46  76.4.3.19      8080  Business         HR Users    Allow
10.1.13.45  145.29.173     8080  Business         General     Block
10.1.13.45  10.1.1.29      443   Internal         General     Allow
10.1.13.46  19.34.1.189    443   Banking          HR Users    Allow
10.1.13.45  45.1.39.118    8080  Job Search       General     Block
10.1.13.46  45.1.39.118    8080  Job Search       HR Users    Allow

Which of the following actions should the security analyst take? A. Ensure the HR employee is in the appropriate user group. B. Allow port 8080 on the UTM for all outgoing traffic. C. Disable the proxy settings on the HR employee's device D. Edit the last line of the ACL on the UTM to: allow any any.

A. Ensure the HR employee is in the appropriate user group.

1.) A threat actor motivated by political goals that is active for a short period of time but has virtually unlimited resources is BEST categorized as a: A. Hacktivist B. Nation-state C. Script kiddie D. APT

A. Hacktivist

65.) A systems administrator has been assigned to create accounts for summer interns. The interns are only authorized to be in the facility and operate computers under close supervision. They must also leave the facility at designated times each day. However, the interns can access intern file folders without supervision. Which of the following represents the BEST way to configure the accounts? (Select TWO). A. Implement time-of-day restrictions. B. Modify archived data. C. Access executive shared portals. D. Create privileged accounts. E. Enforce least privilege.

A. Implement time-of-day restrictions E. Enforce least privilege

47.) A transitive trust: A. Is automatically established between a parent and a child. B. Is used to update DNS records. C. Allows access to untrusted domains. D. Can be used in place of a hardware token for logins.

A. Is automatically established between a parent and a child.

42.) After patching computers with the latest application security patches/updates, users are unable to open certain applications. Which of the following will correct the issue? A. Modifying the security policy for patch management tools. B. Modifying the security policy for HIDS/HIPS C. Modifying the security policy for DLP D. Modifying the security policy for media control

B. Modifying the security policy for HIDS/HIPS (the host intrusion prevention policy is blocking the newly changed application binaries until it is updated to allow them).

58.) An organization wants to implement a solution that allows for automated logical controls for network defense. An engineer plans to select an appropriate network security component, which automates response actions based on security threats to the network. Which of the following would be MOST appropriate based on the engineer's requirements? A. NIPS B. HIDS C. Web proxy D. Elastic load balancer E. NAC

A. NIPS

61.) In a lessons-learned report, it is suspected that a well-organized, well-funded, and extremely sophisticated group of attackers may have been responsible for a breach at a nuclear facility. Which of the following describes the type of actors that may have been implicated? A. Nation-state B. Hacktivist C. Insider D. Competitor

A. Nation-state

45.) A highly complex password policy has made it nearly impossible to crack accounts passwords. Which of the following might a hacker still be able to perform? A. Pass-the-hash-attack B. ARP poisoning attack C. Birthday attack D. Brute-force attack

A. Pass-the-hash-attack

A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker would. Which of the following would BEST enable the analyst to complete the objective? A. Perform a non-credentialed scan. B. Conduct an intrusive scan. C. Attempt escalation of privilege. D. Execute a credentialed scan.

A. Perform a non-credentialed scan

96.) An organization's IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization's web servers. Given the organization's stated priorities, which of the following would be the NEXT step? A. Remove the affected servers from the network. B. Review firewall and IDS logs to identify possible source IPs. C. Identify and apply any missing operating system and software patches. D. Delete the malicious software and determine if the servers must be reimaged.

A. Remove the affected servers from the network.

An organization regularly scans its infrastructure for missing security patches but is concerned about hackers gaining access to the scanner's account. Which of the following would be BEST to minimize this risk? A. Require a complex, eight-character password that is updated every 90 days. B. Perform only non-intrusive scans of workstations. C. Use non-credentialed scans against high-risk servers. D. Log and alert on unusual scanner account logon times

D. Log and alert on unusual scanner account logon times (the scanner must keep its credentials to check patch levels, so the risk to reduce is misuse of that account, which monitoring detects; an eight-character password does not address it).

1.) An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable? A. SED B. HSM C. DLP D. TPM

A. SED

48.) A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user's machine with protocols to connect to the Unix web server, which is behind a firewall. Which of the following protocols does the technician MOST likely need to configure? A. SSH B. SFTP C. HTTPS D. SNMP

A. SSH

51.) An organization has the following password policies:

• Passwords must be at least 16 characters long.
• A password cannot be the same as any previous 20 passwords.
• Three failed login attempts will lock the account for five minutes.
• Passwords must have one uppercase letter, one lowercase letter, and one non-alphanumeric symbol.

A database server was recently breached, and the incident response team suspects the passwords were compromised. Users with permission on that database server were forced to change their passwords for that server. Unauthorized and suspicious logins are now being detected on a completely separate server. Which of the following is MOST likely the issue and the best solution? A. Some users are reusing passwords for different systems; the organization should scan for password reuse across systems. B. The organization has improperly configured single sign-on; the organization should implement a RADIUS server to control account logins. C. User passwords are not sufficiently long or complex; the organization should increase the complexity and length requirements for passwords. D. The trust relationship between the two servers has been compromised; the organization should place each server on a separate VLAN.

A. Some users are reusing passwords for different systems; the organization should scan for password reuse across systems.
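The two password items above (the cracked password that shows length and complexity, and the policy in question 51) are easy to turn into code. The block below is an added example, not code from the quiz page: it enforces the four policy rules, keeps the 20-deep history as salted PBKDF2 digests rather than plaintext (an assumption about the password store), tracks the three-failure/five-minute lockout with an injected clock, and shows how a "scan for reuse across systems" works at password-change time, when the plaintext is briefly available to compare against the user's stored digests elsewhere.

```python
"""Password policy enforcement, lockout tracking and cross-system reuse detection.
Added example for the Security+ items above; not code from the quiz page."""
from __future__ import annotations

import hashlib
import hmac
import string
from dataclasses import dataclass, field

# Constants taken from the policy in question 51.
MIN_LENGTH = 16
HISTORY_DEPTH = 20
MAX_FAILURES = 3
LOCKOUT_SECONDS = 5 * 60
# Assumption: stored passwords are salted and stretched with PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched digest as a password store would keep it (never plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def policy_violations(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the rules a candidate password breaks; an empty list means accepted.
    history holds (salt, digest) pairs for the user's previous passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isupper() for c in password):
        problems.append("uppercase")
    if not any(c.islower() for c in password):
        problems.append("lowercase")
    if not any(c in string.punctuation for c in password):
        problems.append("symbol")
    # Only the last HISTORY_DEPTH entries count; compare digests in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("reuse")
            break
    return problems


def reused_elsewhere(password: str, other_systems: dict[str, tuple[bytes, bytes]]) -> list[str]:
    """At password-change time, check the new plaintext against the user's stored
    (salt, digest) on other systems; returns the systems where it already exists."""
    return [name for name, (salt, digest) in other_systems.items()
            if hmac.compare_digest(hash_password(password, salt), digest)]


@dataclass
class LoginTracker:
    """Three failures lock the account for five minutes; `now` is passed in as a
    timestamp so the behaviour can be exercised deterministically."""
    failures: dict[str, int] = field(default_factory=dict)
    locked_until: dict[str, float] = field(default_factory=dict)

    def attempt(self, user: str, success: bool, now: float) -> str:
        if self.locked_until.get(user, 0.0) > now:
            return "locked"
        if success:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return "locked"
        return "failed"
```

The reuse scan is only possible at the moment of change because the stored values are one-way digests; that is also why answer A is the workable fix while raising complexity (answer C) does nothing about a password that is already known to the attacker.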

79.) Using a one-time code that has been texted to a smartphone is an example of: A. Something you have. B. Something you are. C. Something you know. D. Something you do.

A. Something you have

99.) Which of the following is the MAIN disadvantage of using SSO? A. The architecture can introduce a single point of failure. B. Users need to authenticate for each resource they access. C. It requires an organization to configure federation. D. The authentication is transparent to the user.

A. The architecture can introduce a single point of failure.

1.) Which of the following is the proper use of a Faraday cage? A. To block electronic signals sent to erase a cell phone. B. To capture packets sent to a honeypot during an attack. C. To protect hard disks from access during a forensics investigation. D. To restrict access to a building allowing only one person to enter at a time.

A. To block electronic signals sent to erase a cell phone.

1.) An organization has hired a new remote workforce. Many new employees are reporting that they are unable to access the shared network resources while traveling. They need to be able to travel to and from different locations on a weekly basis. Shared offices are retained at the headquarters location. The remote workforce will have identical file and system access requirements and must also be able to log in to the headquarters location remotely. Which of the following BEST represent how the remote employees should have been set up initially? (Select TWO). A. User-based access control B. Shared accounts. C. Group-based access control D. Mapped drives E. Individual accounts F. Location-based policies

C. Group-based access control F. Location-based policies (everyone in the remote workforce has identical access needs, so one group carries the permissions, and policies keyed to location handle the weekly travel instead of per-user rules).

94.) Which of the following BEST explains why a development environment should have the same database server secure baseline that exists in production even if there is no PII in the database? A. Without the same configuration in both development and production, there are no assurances that changes made in development will have the same effect in production. B. Attackers can extract sensitive, personal information from lower development environment databases just as easily as they can from production databases. C. Databases are unique in their need to have secure configurations applied in all environments because they are attacked more often. D. Laws stipulate that databases with the ability to store personal information must be secured regardless of the environment or if they actually have PII.

A. Without the same configuration in both development and production, there are no assurances that changes made in development will have the same effect in production.

59.) Which of the following is an algorithm family that was developed for use cases in which power consumption and lower computing power are constraints? A. Elliptic curve B. RSA C. Diffie-Hellman D. SHA

A. Elliptic curve

An employee workstation with an IP address of 204.211.38.211/24 reports it is unable to submit print jobs to a network printer at 204.211.38.52/24 after a firewall upgrade. The active firewall rules are as follows:

IP Address         Protocol  Port Number  Action
204.211.38.1/24    ALL       ALL          Permit
204.211.38.211/24  ALL       ALL          Permit
204.211.38.52/24   UDP       631          Permit
204.211.38.52/24   TCP       25           Deny

Assuming port numbers have not been changed from their defaults, which of the following should be modified to allow printing to the network printer? A. The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP. B. The deny statement for 204.211.38.52/24 should be changed to a permit statement. C. The permit statement for 204.211.38.52/24 should be changed to UDP port 443 instead of 631. D. The permit statement for 204.211.38.211/24 should be changed to TCP port 631 only instead of ALL

A. The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP (IPP runs over TCP 631).

1.)An accountant is attempting to log in to the internal accounting system and receives a message that the website's certificate is fraudulent. The accountant finds instructions for manually installing the new trusted root onto the local machine. Which of the following would be the company's BEST option for this situation in the future? A. Utilize a central CRL. B. Implement C. Ensure access to KMS. D. Use a stronger cipher suite.

A. Utilize a central CRL

7.) If two employees are encrypting traffic between them using a single encryption key, which of the following algorithms are they using? A. RSA B. 3DES C. DSA D. SHA-2

B. 3DES

71.) A member of the human resources department is searching for candidate resumes and encounters the following error message when attempting to access popular job search websites:

Site Cannot Be Displayed: Unauthorized Access
Policy Violation: Job Search
User Group: Retail_Employee_Access
Client Address: 10.13.78.145
DNS Server: 10.1.1.9
Proxy IP Address: 10.1.1.29
Contact your systems administrator for assistance.

Which of the following would resolve this issue without compromising the company's security policies? A. Renew the DNS settings and IP address on the employee's computer. B. Add the employee to a less restrictive group on the content filter C. Remove the proxy settings from the employee's web browser. D. Create an exception for the job search sites in the host-based firewall on the employee's computer.

B. Add the employee to a less restrictive group on the content filter

A system in the network is used to store proprietary secrets and needs the highest level of security possible. Which of the following should a security administrator implement to ensure the system cannot be reached from the internet? A. VLAN B. Air gap C. NAT D. Firewall

B. Air Gap

1.) Which of the following access management concepts is MOST closely associated with the use of a password or PIN? A. Authorization B. Authentication C. Accounting D. Identification

B. Authentication

An organization wishes to allow its users to select devices for business use but does not want to overwhelm the service desk with requests for too many different device types and models. Which of the following deployment models should the organization use to BEST meet these requirements? A. VDI environment B. CYOD model C. DAC model D. BYOD model

B. CYOD model

41.) During an incident response, a security analyst observes the following log entry on the web server:

GET http://www.companysite.com/poduct_info.php?show=../../../../etc/passwd HTTP/1.1
Host: www.companysite.com

Which of the following BEST describes the type of attack the analyst is experiencing? A. SQL injection B. Cross-site scripting C. Pass-the-hash D. Directory traversal

D. Directory traversal (the ../ sequences in the show parameter step out of the web root to read /etc/passwd).
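What the web server should have done with that show parameter, as an added example (not code from the quiz page): pull the parameter from the request line, decode it repeatedly so %2e%2e and double-encoded variants are seen for what they are, flag any ".." component, and canonicalise the requested path under an assumed document root (the /var/www/html path is hypothetical) so anything that escapes it is refused.

```python
"""Detecting a directory-traversal request and resolving paths safely under a web root.
Added example for the log entry above; not code from the quiz page."""
from __future__ import annotations

import posixpath
from urllib.parse import parse_qs, unquote, urlparse

# The request line from the question, reproduced as test input.
LOG_LINE = "GET http://www.companysite.com/poduct_info.php?show=../../../../etc/passwd HTTP/1.1"
# Assumed document root for the server (hypothetical path).
WEB_ROOT = "/var/www/html"


def query_param(request_line: str, name: str) -> str:
    """Pull one query parameter out of an HTTP request line (first value only)."""
    _method, target, _version = request_line.split()
    return parse_qs(urlparse(target).query).get(name, [""])[0]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%2e%2e, %252e ...) so the filter sees the real path."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """Flag any path component of '..' after decoding; backslashes count as separators."""
    segments = decode_fully(value).replace("\\", "/").split("/")
    return ".." in segments


def resolve_under_root(root: str, user_path: str) -> str | None:
    """Canonicalise root + user_path and refuse anything that escapes root.
    Returns the safe absolute path, or None when the request must be rejected."""
    cleaned = decode_fully(user_path).replace("\\", "/").lstrip("/")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```

The canonicalisation in resolve_under_root is the control that matters; is_traversal is the detection a WAF or log review would apply, and the two disagree only on inputs that a filter would miss but the path check still catches (for example an encoding beyond three rounds).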

84.) A company hired a firm to test the security posture of its database servers and determine if any vulnerabilities can be exploited. The company provided limited information pertaining to the infrastructure and database server. Which of the following forms of testing does this BEST describe? A. Black box B. Gray box C. White box D. Vulnerability scanning

B. Gray Box

1.) Which of the following are considered to be "something you do"? (Select TWO). A. Iris scan B. Handwriting C. Common Access Card D. Gait E. PIN F. Fingerprint

B. Handwriting D. Gait

57.) A security specialist is notified about a certificate warning that users receive when using a new internal website. After being given the URL from one of the users and seeing the warning, the security specialist inspects the certificate and realizes it has been issued to the IP address, which is how the developers reach the site. Which of the following would BEST resolve the issue? A. OCSP B. OID C. PEM D. SAN

D. SAN (a Subject Alternative Name extension lets one certificate cover both the hostname users type and the IP address the developers use).

Which of the following is the MOST significant difference between intrusive and non-intrusive vulnerability scanning? A. One uses credentials, but the other does not. B. One has a higher potential for disrupting system operations. C. One allows systems to activate firewall countermeasures. D. One returns service banners, including running versions

B. One has a higher potential for disrupting system operations

62.) A company wants to configure its wireless network to require username and password authentication. Which of the following should the systems administrator implement? A. WPS B. PEAP C. TKIP D. PKI

B. PEAP

31.) A junior systems administrator noticed that one of two hard drives in a server room had a red error notification. The administrator removed the hard drive to replace it but was unaware that the server was configured in an array. Which of the following configurations would ensure no data is lost? A. RAID 0 B. RAID 1 C. RAID 2 D. RAID 3

B. RAID 1

40.) A security administrator is reviewing the following firewall configuration after receiving reports that users are unable to connect to remote websites:

10 PERMIT FROM:ANY TO:ANY PORT:80
20 PERMIT FROM:ANY TO:ANY PORT:443
30 DENY FROM:ANY TO:ANY PORT:ANY

Which of the following is the MOST secure solution the security administrator can implement to fix this issue? A. Add the following rule to the firewall: 5 PERMIT FROM:ANY TO:ANY PORT:53 B. Replace rule number 10 with the following rule: 10 PERMIT FROM:ANY TO:ANY PORT:22 C. Insert the following rule in the firewall: 25 PERMIT FROM:ANY TO:ANY PORTS:ANY D. Remove the following rule from the firewall: 30 DENY FROM:ANY TO:ANY PORT:ANY

A. Add the following rule to the firewall: 5 PERMIT FROM:ANY TO:ANY PORT:53 (HTTP and HTTPS are already permitted; name resolution on port 53 is caught by the final deny, so browsers never reach the web ports. Options C and D open all traffic, and option B removes HTTP without fixing DNS.)
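Both firewall items on this page (the printer that stopped working and the web browsing that fails) come down to first-match evaluation of an ordered rule list with an implicit deny at the end. The block below is an added example, not configuration from the quiz page: it evaluates a packet against such a list, reproduces the three rules from question 40 to show that DNS is denied by rule 30 until rule 5 is added, and models the printer rules as per-host /32 entries (an assumption; the page writes them with /24 masks) to show that IPP on TCP 631 is denied while only UDP 631 is permitted. The resolver and web server addresses are constructed documentation-range values.

```python
"""First-match evaluation of an ordered firewall rule set.
Added example for the two firewall items above; not configuration from the quiz page."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int          # rules are evaluated in ascending sequence order
    dst: str          # destination CIDR, or "ANY"
    proto: str        # "TCP", "UDP" or "ALL"
    port: int | None  # None means any port
    action: str       # "PERMIT" or "DENY"

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        if self.dst != "ANY":
            net = ipaddress.ip_network(self.dst, strict=False)
            if ipaddress.ip_address(dst_ip) not in net:
                return False
        if self.proto != "ALL" and self.proto != proto:
            return False
        return self.port is None or self.port == port


def evaluate(rules: list[Rule], dst_ip: str, proto: str, port: int) -> tuple[str, int | None]:
    """Return (action, sequence of the matching rule); implicit deny when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(dst_ip, proto, port):
            return rule.action, rule.seq
    return "DENY", None


# Question 40's rule set as written: 80 and 443 permitted, everything else denied.
WEB_RULES = [
    Rule(10, "ANY", "ALL", 80, "PERMIT"),
    Rule(20, "ANY", "ALL", 443, "PERMIT"),
    Rule(30, "ANY", "ALL", None, "DENY"),
]
# The proposed fix: a rule ahead of the others permitting DNS.
DNS_RULE = Rule(5, "ANY", "ALL", 53, "PERMIT")


def browsing_works(rules: list[Rule], resolver_ip: str = "192.0.2.53",
                   web_ip: str = "203.0.113.10") -> bool:
    """A browser first resolves the name (UDP 53), then fetches over TCP 443."""
    dns_action, _ = evaluate(rules, resolver_ip, "UDP", 53)
    web_action, _ = evaluate(rules, web_ip, "TCP", 443)
    return dns_action == "PERMIT" and web_action == "PERMIT"


# Printer item: per-host rules for the printer (assumed /32 entries; IPP is TCP 631).
PRINTER_IP = "204.211.38.52"
PRINTER_RULES_BROKEN = [
    Rule(1, PRINTER_IP + "/32", "UDP", 631, "PERMIT"),
    Rule(2, PRINTER_IP + "/32", "TCP", 25, "DENY"),
]
PRINTER_RULES_FIXED = [
    Rule(1, PRINTER_IP + "/32", "TCP", 631, "PERMIT"),
    Rule(2, PRINTER_IP + "/32", "TCP", 25, "DENY"),
]


def printing_works(rules: list[Rule]) -> bool:
    action, _ = evaluate(rules, PRINTER_IP, "TCP", 631)
    return action == "PERMIT"
```

The sequence number is what makes option A work: rule 5 is consulted before the deny at 30, so it only has to be specific to port 53 rather than opening anything else.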

68.) An email systems administrator is configuring the mail server to prevent spear phishing attacks delivered via email messages. Which of the following refers to what the administrator is doing? A. Risk avoidance B. Risk mitigation C. Risk transference D. Risk acceptance

B. Risk mitigation

50.) Database server logs show that an attack has occurred with an apostrophe in the username of a section of a web form. Which of the following BEST describes the attack? A. XSS B. SQL injection C. CSRF D. Clickjacking

B. SQL injection
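The WAF entry earlier on this page and the "apostrophe in the username" symptom above are the same bug seen from two sides. The block below is an added example, not code from the quiz page: it builds a constructed two-row Users table in an in-memory SQLite database, shows the string-built query returning every user for the payload 1' OR '1'='1 and throwing a syntax error on a plain O'Brien, shows the parameterised query treating both as ordinary data, and includes the kind of value-based heuristic a WAF blocking policy would apply (a simplified pattern, not any vendor's signature).

```python
"""The SQL injection behind the WAF log entry and the stray-apostrophe error, shown
against an in-memory SQLite table, with the parameterised fix and a WAF-style
parameter-value check. Added example; not code from the quiz page."""
from __future__ import annotations

import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample Users table (two accounts, placeholder hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, PasswordHash TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """String-built query: the parameter becomes part of the SQL grammar."""
    query = f"SELECT Username FROM Users WHERE Username='{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Parameterised query: the value is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT Username FROM Users WHERE Username=?", (username,))
    return [row[0] for row in rows]


def query_error(conn: sqlite3.Connection, username: str) -> str | None:
    """Run the vulnerable lookup and return the database error text, if any.
    A lone apostrophe in a real name is enough to break the statement."""
    try:
        lookup_vulnerable(conn, username)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


# Simplified heuristic of the kind a WAF applies to parameter values: a quote
# followed by a boolean tautology, a statement terminator, or a comment marker.
SQLI_PATTERN = re.compile(r"'\s*(or|and)\s*'?[^']*'?\s*=|'\s*;|--|/\*", re.IGNORECASE)


def looks_like_sqli(value: str) -> bool:
    return bool(SQLI_PATTERN.search(value))
```

The heuristic is there to show why the WAF answer is "block on parameter values": the parameter name Account_Name is legitimate and changing it achieves nothing, while the value carries the attack. The durable fix is still lookup_safe on the application side.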

14.) A systems administrator is auditing the company's Active Directory environment. It is quickly noted that the username "company\bsmith" is interactively logged into several desktops across the organization. Which of the following has the systems administrator MOST likely come across? A. Service account B. Shared credentials C. False positive D. Local account

B. Shared credentials

97.) An organization discovers that unauthorized applications have been installed on company-provided mobile phones. The organization issues these devices, but some users have managed to bypass the security controls. Which of the following is the MOST likely issue, and how can the organization BEST prevent this from happening? A. The mobile phones are being infected with malware that covertly installs the applications. Implement full disk encryption and integrity-checking software. B. Some advanced users are jailbreaking the OS and bypassing the controls. Implement an MDM solution to control access to company resources. C. The mobile phones have been compromised by an APT and can no longer be trusted. Scan the devices for the unauthorized software, recall any compromised devices, and issue completely new ones. D. Some advanced users are upgrading the devices' OS and installing the applications. The organization should create an AUP that prohibits this activity.

B. Some advanced users are jailbreaking the OS and bypassing the controls. Implement an MDM solution to control access to company resources.

1.) During a security audit of a company's network, unsecure protocols were found to be in use. A network administrator wants to ensure browser-based access to company switches is using the most secure protocol. Which of the following protocols should be implemented? A. SSH2 B. TLS1.2 C. SSL1.3 D. SNMPv3

B. TLS 1.2

10.) A systems administrator has implemented multiple websites using host headers on the same server. The server hosts two websites that require encryption and other websites where encryption is optional. Which of the following should the administrator implement to encrypt web traffic for the required websites? A. Extended domain validation B. TLS host certificate C. OCSP stapling D. Wildcard certificate

B. TLS host certificate

76.) A network technician discovered the usernames and passwords used for network device configuration have been compromised by a user with a packet sniffer. Which of the following would secure the credentials from sniffing? A. Implement complex passwords. B. Use SSH for remote access. C. Configure SNMPv2 for device management. D. Use TFTP to copy device configuration

B. Use SSH for remote access.

73.) An engineer is configuring a wireless network using PEAP for the authentication protocol. Which of the following is required? A. 802.11n support on the WAP B. X.509 certificate on the server C. CCMP support on the network switch D. TLS 1.0 support on the client

B. X.509 certificate on the server

90.) A technician is auditing network security by connecting a laptop to open hardwired jacks within the facility to verify they cannot connect. Which of the following is being tested? A. Layer 3 routing B. Port security C. Secure IMAP D. S/MIME

B. Port security

81.) Which of the following terms BEST describes an exploitable vulnerability that exists but has not been publicly disclosed yet? A. Design weakness B. Zero-day C. Logic bomb D. Trojan

B. Zero-day

15.) A hospital has received reports from multiple patients that their PHI was stolen after completing forms on the hospital's website. Upon investigation, the hospital finds a packet analyzer was used to steal data. Which of the following protocols would prevent this attack from reoccurring? A. SFTP B. HTTPS C. FTPS D. SRTP

B. HTTPS

53.) A company occupies the third floor of a leased building that has other tenants. The path from the demarcation point to the company's controlled space runs through unsecured areas managed by other companies. Which of the following could be used to protect the company's cabling as it passes through uncontrolled spaces? A. Plenum-rated cables B. Cable locks C. Conduits D. Bayonet Neill-Concelman

C. Conduits

1.) A company that processes sensitive information has implemented a BYOD policy and an MDM solution to secure sensitive data that is processed by corporate and personally owned mobile devices. Which of the following should the company implement to prevent sensitive data from being stored on mobile devices? A. VDI B. Storage segmentation C. Containerization D. USB OTG E. Geofencing

C. Containerization

38.) When a malicious user is able to retrieve sensitive information from RAM, the programmer has failed to implement: A. Session keys B. Encryption of data at rest C. Encryption of data in use D. Ephemeral keys

C. Encryption of data in use

98.) A salesperson often uses a USB drive to save and move files from a corporate laptop. The corporate laptop was recently updated, and now the files on the USB are read-only. Which of the following was recently added to the laptop? A. Antivirus software B. File integrity check C. HIPS D. DLP

D. DLP (a data loss prevention agent can enforce a read-only policy on removable media; HIPS blocks malicious behaviour, not file copies to a USB drive).

Which of the following implements two-factor authentication on a VPN? A. Username, password, and source IP B. Public and private keys C. HOTP token and logon credentials D. Source and destination IP addresses.

C. HOTP token and logon credentials

70.) Buffer overflow can be avoided using proper: A. Memory leak prevention. B. Memory reuse. C. Input validation. D. Implementation of ASLR.

C. Input validation.

74.) A company notices that at 10 a.m. every Thursday, three users' computers become inoperable. The security analyst team discovers a file called where.pdf.exe that runs on system startup. The contents of where.pdf.exe are shown below:

@echo off
If [c:\file.txt] deltree c:\

Based on the above information, which of the following types of malware was discovered? A. Rootkit B. Backdoor C. Logic bomb D. RAT

C. Logic bomb

52.) A company wants to provide centralized authentication for its wireless system. The wireless authentication system must integrate with the directory back end. Which of the following is an AAA solution that will provide the required wireless authentication? A. TACACS+ B. MSCHAPv2 C. RADIUS D. LDAP

C. RADIUS

39.) During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts. With which of the following is the auditor MOST likely concerned? A. ARO/ALE B. MTTR/MTBF C. RTO/RPO D. Risk assessment

C. RTO/RPO

37.) A company has just experienced a malware attack affecting a large number of desktop users. The antivirus solution was able to block the malware, but the HIDS alerted to C2 calls as 'Troj.Generic'. Once the security team found a solution to remove the malware, they were able to remove the malware files successfully, and the HIDS stopped alerting. The next morning, however, the HIDS once again started alerting on the same desktops, and the security team discovered the files were back. Which of the following BEST describes the type of malware infecting this company's network? A. Trojan B. Spyware C. Rootkit D. Botnet

C. Rootkit

Which of the following is an example of resource exhaustion? A. A penetration tester requests every available IP address from a DHCP server. B. A SQL injection attack returns confidential data back to the browser. C. Server CPU utilization peaks at 100% during the reboot process. D. System requirements for a new software package recommend having 12GB of RAM, but only 8GB are available

A. A penetration tester requests every available IP address from a DHCP server (DHCP starvation exhausts the address pool so legitimate clients cannot get a lease; the other options describe normal load or a capacity shortfall, not an attack).

Ann, a new employee, received an email from an unknown source indicating she needed to click on the provided link to update her company's profile. Once Ann clicked the link, a command prompt appeared with the following output:

C:\Users\Ann\Documents\File1.pgp
C:\Users\Ann\Documents\AdvertisingReport.pgp
C:\Users\Ann\Documents\FinancialReport.pgp

Which of the following types of malware was executed? A. Ransomware B. Adware C. Spyware D. Virus

A. Ransomware (her documents have been encrypted in place and renamed with a .pgp extension).

80.) A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the purchase. When the PCs arrived, a technician determined some NICs had been tampered. Which of the following MOST accurately describes the security risk presented in this situation? A. Hardware root of trust B. UEFI C. Supply chain D. TPM E. Crypto-malware F. ARP poisoning

C. Supply chain

1.) A security analyst runs a monthly file integrity check on the main web server. When analyzing the logs, the analyst observed the following entry:

File cmd.exe
Previous hash C4ca6a34c5e3a0f98dc03d4f8adf56a3
Current hash A24f5a34c5e3a0f98dc03d4f8ac5c0e2
File Iexplore.exe
Previous hash B9c8e3f24b38c94a7c5f3d9d8d4e7ab3
Current hash B9c8e3f24b38c94a7c5f3d9d8d4e7ab3

No OS patches were applied to this server during this period. Considering the log output, which of the following is the BEST conclusion? A. The cmd.exe was executed on the scanned server between the two dates. An incident ticket should be created. B. The iexplore.exe was executed on the scanned server between the two dates. An incident ticket should be created. C. The cmd.exe was updated on the scanned server. An incident ticket should be created. D. The iexplore.exe was updated on the scanned server. An incident ticket should be created.

C. The cmd.exe was updated on the scanned server. An incident ticket should be created.
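A hash comparison says nothing about execution and everything about content, which is the whole point of answer C. The block below is an added example, not code from the quiz page: it parses the log block from the question into per-file (previous, current) pairs, lists the files whose content changed, turns that into a triage decision that depends on whether a patch window explains the change, and then shows the other half of file-integrity monitoring, taking a SHA-256 snapshot of constructed file contents and diffing it against a baseline so changed, missing and newly added files are all reported.

```python
"""File-integrity monitoring: parse the FIM log above, pick out changed files, and
compute/compare SHA-256 snapshots. Added example; not code from the quiz page."""
from __future__ import annotations

import hashlib

# The log block from the question, reproduced as test input.
FIM_LOG = """File cmd.exe
Previous hash C4ca6a34c5e3a0f98dc03d4f8adf56a3
Current hash A24f5a34c5e3a0f98dc03d4f8ac5c0e2
File Iexplore.exe
Previous hash B9c8e3f24b38c94a7c5f3d9d8d4e7ab3
Current hash B9c8e3f24b38c94a7c5f3d9d8d4e7ab3
"""


def parse_fim_log(text: str) -> dict[str, tuple[str, str]]:
    """Return {filename: (previous_hash, current_hash)} with hashes lower-cased."""
    records: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "File":
            current = parts[1]
        elif parts[:2] == ["Previous", "hash"] and current:
            records.setdefault(current, ["", ""])[0] = parts[2].lower()
        elif parts[:2] == ["Current", "hash"] and current:
            records.setdefault(current, ["", ""])[1] = parts[2].lower()
    return {name: (prev, cur) for name, (prev, cur) in records.items()}


def changed_files(records: dict[str, tuple[str, str]]) -> list[str]:
    """Files whose content hash differs between the two runs."""
    return sorted(name for name, (prev, cur) in records.items() if prev != cur)


def triage(records: dict[str, tuple[str, str]], patches_applied: bool) -> list[str]:
    """A changed system binary with no patch window to explain it is an incident."""
    findings = []
    for name in changed_files(records):
        if patches_applied:
            findings.append(f"{name}: changed; confirm against the patch manifest")
        else:
            findings.append(f"{name}: changed with no patch applied; open an incident ticket")
    return findings


def snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Hash file contents (SHA-256 rather than MD5, whose collisions are practical)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report what changed between two snapshots, including files that appeared or vanished."""
    return {
        "changed": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "new": sorted(n for n in current if n not in baseline),
    }
```

Execution of cmd.exe (options A and B) would be visible in process or audit logs, not in its hash; the hash only moves when the bytes on disk do.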

95.) Ann, a security analyst from a large organization, has been instructed to use another, more effective scanning tool. After installing the tool on her desktop, she started a full vulnerability scan. After running the scan for eight hours, Ann finds that there were no vulnerabilities identified. Which of the following is the MOST likely cause of not receiving any vulnerabilities on the network? A. The organization has a zero tolerance policy against not applying cybersecurity best practices. B. The organization had a proactive approach to patch management principles and practices. C. The security analyst credentials did not allow full administrative rights for the scanning tool. D. The security analyst just recently applied operating system level patches.

C. The security analyst credentials did not allow full administrative rights for the scanning tool.

43.) Which of the following methods is used by internal security teams to assess the security of internally developed applications? A. Active reconnaissance B. Pivoting C. White-box testing D. Persistence

C. White-box testing

78.) Which of the following penetration testing concepts is an attacker MOST interested in when placing the path of a malicious file in the Windows/CurrentVersion/Run registry key? A. Persistence B. Pivoting C. Active reconnaissance D. Escalation of privilege

C. Active reconnaissance

86.) A security engineer wants to add SSL to the public web server. Which of the following would be the FIRST step to implement the SSL certificate? A. Download the web certificate. B. Install the intermediate certificate. C. Generate a CSR. D. Encrypt the private key.

C. Generate a CSR

89.) A Chief Executive Officer is staying at a hotel during a business trip. The hotel's wireless network does not show a lock symbol. Which of the following precautions should the CEO take? (Select TWO) A. Change the connection type to WPA2. B. Change TKIP to CCMP. C. Use a VPN. D. Tether to a mobile phone. E. Create a tunnel connection with EAP_TTLS.

C. Use a VPN. D. Tether to a mobile phone.

87.) A security administrator wants to determine if a company's web servers have the latest operating system and application patches installed. Which of the following types of vulnerability scans should be conducted? A. Non-credentialed B. Passive C. Port D. Credentialed E. Red team F. Active

D. Credentialed

4.) Which of the following BEST explains the difference between a credentialed scan and a non-credentialed scan? A. A credentialed scan sees devices in the network, including those behind NAT, while a non-credentialed scan sees outward-facing applications. B. A credentialed scan will not show up in system logs because the scan is running with the necessary authorization, while non-credentialed scan activity will appear in the logs. C. A credentialed scan generates significantly more false positives, while a non-credentialed scan generates fewer false positives. D. A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest.

D. A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest.

44.) Which of the following types of attacks is being used when an attacker responds by sending the MAC address of the attacking machine to a request to resolve the IP address of a valid server to a MAC address? A. Session hijacking B. IP spoofing C. Evil twin D. ARP poisoning

D. ARP poisoning

8.) A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The terminal is beyond end-of-life support and cannot be upgraded, so it is placed on a protected network segment. Which of the following would be MOST effective to implement to further mitigate the reported vulnerability? A. DNS sinkholing B. DLP rules on the terminal C. An IP blacklist D. Application whitelisting

D. Application whitelisting

A systems administrator wants to configure an enterprise wireless solution that supports authentication over HTTPS and wireless encryption using AES. Which of the following should the administrator configure to support these requirements? (Select TWO). A. 802.1X B. RADIUS federation C. WPS D. Captive portal E. WPA2 F. WDS

D. Captive Portal E. WPA2

69.) A security administrator wants to better prepare the incident response team for possible security events. The IRP has been updated and distributed to incident response team members. Which of the following is the BEST option to fulfill the administrator's objective? A. Identify the members' roles and responsibilities. B. Select a backup-failover location. C. Determine the order of restoration. D. Conduct a tabletop test.

D. Conduct a tabletop test.

83.) An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the internet for product lookups and to research customer issues. Which of the following should a security engineer employ to fulfill the requirements for the manager? A. Install a web application firewall. B. Install HIPS on the team's workstations. C. Implement containerization on the workstations. D. Configure whitelisting for the team

D. Configure whitelisting for the team

56.) A company is deploying a wireless network. It is a requirement that client devices must use X.509 certificates to mutually authenticate before connecting to the wireless network. Which of the following protocols would be required to accomplish this? A. EAP-TTLS B. EAP-MD5 C. LEAP D. EAP-TLS E. EAP-TOTP

D. EAP-TLS

46.) An engineer needs to deploy a security measure to identify and prevent data tampering within the enterprise. Which of the following will accomplish this goal? A. Antivirus B. IPS C. FTP D. FIM

D. FIM

1.) A company has a team of penetration testers. This team has located a file on the company file server that they believe contains cleartext usernames followed by a hash. Which of the following tools should the penetration testers use to learn more about the content of this file? A. Exploitation framework B. Vulnerability scanner C. Netcat D. Password cracker

D. Password cracker

93.) A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic. Which of the following should be used for the IDS implementation? A. Network tap B. Honeypot C. Aggregation D. Port mirror

D. Port mirror

64.) A technician wants to configure a wireless network for username- and password-based authentication. The current configuration implements WPA-PSK. Which of the following components are required to support the new wireless authentication system? (Select TWO). A. PKI certificate B. CCMP C. WPS D. RADIUS E. WPA2

D. RADIUS E. WPA2

9.) Which of the following are the BEST selection criteria to use when assessing hard drive suitability for time-sensitive applications that deal with large amounts of critical information? (Select TWO). A. MTBF B. MTTR C. SLA D. RTO E. MTTF F. RPO

D. RTO E. MTTF

1.) Which of the following vulnerabilities can lead to unexpected system behavior, including the bypassing of security controls, due to differences between the time of commitment and the time of execution? A. Buffer overflow B. DLL injection C. Pointer dereference D. Race condition

D. Race condition

77.) An application developer is working on a new calendar and scheduling application. The developer wants to test new functionality that is time/date dependent and sets the local system time to one year in the future. The application also has a feature that uses SHA-256 hashing and AES encryption for data exchange. The application attempts to connect to a separate remote server using SSL, but the connection fails. Which of the following is the MOST likely cause and next step? A. The date is past the certificate expiration; reset the system to the current time and see if the connection still fails. B. The remote server cannot support SHA-256; try another hashing algorithm like SHA-1 and see if the application can connect. C. AES is date/time dependent; either reset the system time to the correct time or try a different encryption approach. D. SSL is not the correct protocol to use in this situation; change to TLS and try the client-server connection again.

D. SSL is not the correct protocol to use in this situation; change to TLS and try the client-server connection again.

67.) Which of the following is the purpose of an industry-standard framework? A. To promulgate compliance requirements for sales of common IT systems B. To provide legal relief to participating organizations in the event of a security breach C. To promulgate security settings on a vendor-by-vendor basis D. To provide guidance across common system implementations

D. To provide guidance across common system implementations

72.) An attacker is able to capture the payload for the following packets:
IP 192.168.1.22:2020 10.10.10.5:443
IP 192.168.1.10:1030 10.10.10.1:21
IP 192.168.1.57:5217 10.10.10.1:3389
During an investigation, an analyst discovers that the attacker was able to capture the information above and use it to log on to other servers across the company. Which of the following is the MOST likely reason? A. The attacker has exploited a vulnerability that is commonly associated with TLS1.3. B. The application server is also running a web server that has been compromised. C. The attacker is picking off unencrypted credentials and using those to log in to the secure server. D. User accounts have been improperly configured to allow single sign-on to multiple servers.

D. User accounts have been improperly configured to allow single sign-on to multiple servers.

33.) A Chief Information Security Officer (CISO) asks the security architect to design a method for contractors to access the company's internal wiki, corporate directory, and email services securely without allowing access to systems beyond the scope of their project. Which of the following methods would BEST fit the needs of the CISO? A. VPN B. PaaS C. IaaS D. VDI

D. VDI

1.) A company utilizes 802.11 for all client connectivity within a facility. Users in one part of the facility are reporting they are unable to access company resources when connected to the company SSID. Which of the following should the security administrator use to assess connectivity? A. Sniffer B. Honeypot C. Routing tables D. Wireless scanner

D. Wireless scanner

A security engineer at a manufacturing company is implementing a third-party cloud application. Rather than creating users manually in the application, the engineer decides to use the SAML protocol. Which of the following is being used for this implementation? A. The manufacturing company is the service provider, and the cloud company is the identity provider. B. The manufacturing company is the authorization provider, and the cloud company is the service provider. C. The manufacturing company is the identity provider, and the cloud company is the OAuth provider. D. The manufacturing company is the identity provider, and the cloud company is the service provider. E. The manufacturing company is the service provider, and the cloud company is the authorization provider.

E. The manufacturing company is the service provider, and the cloud company is the authorization provider.

54.) A security engineer is concerned about susceptibility to HTTP downgrade attacks because the current customer portal redirects users from port 80 to the secure site on port 443. Which of the following would be MOST appropriate to mitigate the attack? A. DNSSEC B. HSTS C. Certificate pinning D. OCSP

B. HSTS

63.) A security administrator is choosing an algorithm to generate password hashes. Which of the following would offer the BEST protection against offline brute force attacks? A. MD5 B. 3DES C. AES D. SHA-1

D. SHA-1

100.) A company recently experienced data exfiltration via the corporate network. In response to the breach, a security analyst recommends deploying an out-of-band IDS solution. The analyst says the solution can be implemented without purchasing any additional network hardware. Which of the following solutions will be used to deploy the IDS? A. Network tap B. Network proxy C. Honeypot D. Port mirroring

C. Honeypot

85.) A cryptographer has developed a new proprietary hash function for a company and solicited employees to test the function before recommending its implementation. An employee takes the plaintext version of a document and hashes it, then changes the original plaintext document slightly and hashes it, and continues repeating this process until two identical hash values are produced from two different documents. Which of the following BEST describes this cryptographic attack? A. Brute force B. Known plaintext C. Replay D. Collision

D. Collision

82.) An attachment that was emailed to finance employees contained an embedded message. The security administrator investigates and finds the intent was to conceal the embedded information from public view. Which of the following BEST describes this type of message? A. Obfuscation B. Steganography C. Diffusion D. BCRYPT

B. Steganography

Which of the following is a technical preventive control? A. Two-factor authentication B. DVR-supported cameras C. Acceptable-use MOTD D. Syslog server

A. Two-factor authentication

