Title of test:
CAS-004 new questions

Description:
additional questions to the original 348

Author:
Marauder375

Creation Date:
07/03/2024

Category:
Others

Number of questions: 47
Content:
An architectural firm is working with its security team to ensure that any draft images that are leaked to the public can be traced back to a specific external party. Which of the following would BEST accomplish this goal? A. Properly configure a secure file transfer system to ensure file integrity. B. Have the external parties sign non-disclosure agreements before sending any images. C. Only share images with external parties that have worked with the firm previously. D. Utilize watermarks in the images that are specific to each external party.
A security analyst is reviewing SIEM events and is uncertain how to handle a particular event. The file is reviewed with the security vendor who is aware that this type of file routinely triggers this alert. Based on this information, the security analyst acknowledges this alert. Which of the following event classifications is MOST likely the reason for this action? A. True negative B. False negative C. False positive D. Non-automated response.
A security administrator wants to detect a potential forged sender claim in the envelope of an email. Which of the following should the security administrator implement? (Choose two.) A. MX record B. DMARC C. SPF D. DNSSEC E. S/MIME F. TLS.
A company is acquiring a competitor, and the security team is performing due diligence activities on the competitor prior to the acquisition. The team found a recent compliance audit of the competitor's environment that shows a mature security infrastructure, but it lacks a cohesive policy and process framework. Based on the audit findings, the security team determines the competitor's existing security capabilities are sufficient, but they will need to incorporate additional security policies. Which of the following risk management strategies is the security team recommending? A. Mitigate and avoid B. Transfer and accept C. Avoid and transfer D. Accept and mitigate.
A security engineer performed an assessment on a recently deployed web application. The engineer was able to exfiltrate a company report by visiting the following URL: www.intranet.abc.com/get-files.jsp?file=report.pdf Which of the following mitigation techniques would be BEST for the security engineer to recommend? A. Input validation B. Firewall C. WAF D. DLP.
A help desk technician is troubleshooting an issue with an employee's laptop that will not boot into its operating system. The employee reported the laptop had been stolen but then found it one day later. The employee has asked the technician for help recovering important data. The technician has identified the following: • The laptop operating system was not configured with BitLocker. • The hard drive has no hardware failures. • Data is present and readable on the hard drive, although it appears to be illegible. Which of the following is the MOST likely reason the technician is unable to retrieve legible data from the hard drive? A. The employee's password was changed, and the new password needs to be used. B. The PKI certificate was revoked, and a new one must be installed. C. The hard drive experienced crypto-shredding. D. The technician is using the incorrect cipher to read the data.
A security team is concerned with attacks that are taking advantage of return-oriented programming against the company's public-facing applications. Which of the following should the company implement on the public-facing servers? A. WAF B. ASLR C. NX D. HSM.
A cyberanalyst has been tasked with recovering PDF files from a provided image file. Which of the following is the BEST file-carving tool for PDF recovery? A. objdump B. Strings C. dd D. Foremost.
A security officer is requiring all personnel working on a special project to obtain a security clearance requisite with the level of all information being accessed. Data on this network must be protected at the same level of each clearance holder. The need to know must be verified by the data owner. Which of the following should the security officer do to meet these requirements? A. Create a rule to authorize personnel only from certain IPs to access the files. B. Assign labels to the files and require formal access authorization. C. Assign attributes to each file and allow authorized users to share the files. D. Assign roles to users and authorize access to files based on the roles.
A company is deploying multiple VPNs to support supplier connections into its extranet applications. The network security standard requires: • All remote devices to have up-to-date antivirus • A HIDS • An up-to-date and patched OS Which of the following technologies should the company deploy to meet its security objectives? (Choose two.) A. NAC B. WAF C. NIDS D. Reverse proxy E. NGFW F. Bastion host.
A consultant needs access to a customer's cloud environment. The customer wants to enforce the following engagement requirements: • All customer data must remain under the control of the customer at all times. • Third-party access to the customer environment must be controlled by the customer. • Authentication credentials and access control must be under the customer's control. Which of the following should the consultant do to ensure all customer requirements are satisfied when accessing the cloud environment? A. Use the customer's SSO with read-only credentials and share data using the customer's provisioned secure network storage. B. Use the customer-provided VDI solution to perform work on the customer's environment. C. Provide code snippets to the customer and have the customer run code and securely deliver its output. D. Request API credentials from the customer and only use API calls to access the customer's environment.
A small software company deployed a new web application after a network security scan found no vulnerabilities. A customer using this application reported malicious activity believed to be associated with the application. During an investigation, the company discovered that the customer closed the browser tab and connected to another application, using the same credentials on both platforms. Which of the following detection methods should the software company implement before deploying the next version? A. Multifactor authentication B. Static application code scanning C. Stronger password policy D. A SIEM.
A systems administrator confirms that the company's remote server is providing the following list of preferred ciphers: • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) • TLS_RSA_WITH_RC4_128_SHA (0x5) • TLS_RSA_WITH_RC4_128_MD5 (0x4) Nevertheless, when the systems administrator's browser connects to the server, it negotiates TLS_RSA_WITH_RC4_128_MD5 (0x4), while all other employees' browsers negotiate TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030). Which of the following describes a potential attack to the systems administrator's browser? A. A cipher mismatch B. Key rotation C. A downgrade attack D. A compromised key E. Rekeying.
The principal security analyst for a global manufacturer is investigating a security incident related to abnormal behavior in the ICS network. A controller was restarted as part of the troubleshooting process, and the following issue was identified when the controller was restarted: SECURE BOOT FAILED: FIRMWARE MISMATCH EXPECTED 0xFDC479 ACTUAL 0x79F31B During the investigation, this modified firmware version was identified on several other controllers at the site. The official vendor firmware versions do not have this checksum. Which of the following stages of the MITRE ATT&CK framework for ICS includes this technique? A. Evasion B. Persistence C. Collection D. Lateral movement.
The Chief Information Security Officer is concerned about the possibility of employees downloading malicious files from the internet and opening them on corporate workstations. Which of the following solutions would be BEST to reduce this risk? A. Integrate the web proxy with threat intelligence feeds. B. Scan all downloads using an antivirus engine on the web proxy. C. Block known malware sites on the web proxy. D. Execute the files in the sandbox on the web proxy.
An internal security assessor identified large gaps in a company’s IT asset inventory system during a monthly asset review. The assessor is aware of an external audit that is underway. In an effort to avoid external findings, the assessor chooses not to report the gaps in the inventory system. Which of the following legal considerations is the assessor directly violating? A. Due care B. Due diligence C. Due process D. Due notice.
An organization offers SaaS services through a public email and storage provider. To facilitate password resets, a simple online system is set up. During a routine check of the storage each month, a significant increase in use of storage can be seen. Which of the following techniques would remediate the attack? A. Including input sanitization to the logon page B. Configuring an account lockout policy C. Implementing a new password reset system D. Adding MFA to all accounts.
A security engineer has recently become aware of a Java application that processes critical information in real time on the company's network. The Java application was scanned with SAST prior to deployment, and all vulnerabilities have been mitigated. However, some known issues within the Java runtime environment cannot be resolved. Which of the following should the security engineer recommend to the developer in order to mitigate the issue with the LEAST amount of downtime? A. Perform software composition analysis on libraries from third parties. B. Run the application in a sandbox and perform penetration tests. C. Rewrite and compile the application in C++ and then reinstall it. D. Embed the current application into a virtual machine that runs on dedicated hardware.
After installing an unapproved application on a personal device, a Chief Executive Officer reported an incident to a security analyst. This device is not controlled by the MDM solution, as stated in the BYOD policy. However, the device contained critical confidential information. The cyber incident response team performed the analysis on the device and found the following log: Wed 12 Dec 2020 10:00:03 Unknown sources is now enabled on this device. Which of the following is the MOST likely reason for the successful attack? A. Lack of MDM controls B. Auto-join hotspots enabled C. Sideloading D. Lack of application segmentation.
An organization has an operational requirement with a specific equipment vendor. The organization is located in the United States, but the vendor is located in another region. Which of the following risks would be MOST concerning to the organization in the event of equipment failure? A. Support may not be available during all business hours. B. The organization requires authorized vendor specialists. C. Each region has different regulatory frameworks to follow. D. Shipping delays could cost the organization money.
A new requirement for legislators has forced a government security team to develop a validation process to verify the integrity of a downloaded file and the sender of the file. Which of the following is the BEST way for the security team to comply with this requirement? A. Digital signature B. Message hash C. Message digest D. Message authentication code.
An MSSP has taken on a large client that has government compliance requirements. Due to the sensitive nature of communications to its aerospace partners, the MSSP must ensure that all communications to and from the client web portal are secured by industry-standard asymmetric encryption methods. Which of the following should the MSSP configure to BEST meet this objective? A. ChaCha20 B. RSA C. AES256 D. RIPEMD.
Signed applications reduce risks by: A. encrypting the application’s data on the device B. requiring the developer to use code-level hardening techniques. C. providing assurance that the application is using unmodified source code. D. costing the developer money to publish, which reduces the likelihood of malicious intent.
A security engineer is assessing a legacy server and needs to determine if FTP is running and on which port. The service cannot be turned off, as it would impact a critical application's ability to function. Which of the following commands would provide the information necessary to create a firewall rule to prevent that service from being exploited? A. service --status-all | grep ftpd B. chkconfig --list C. netstat -tulpn D. systemctl list-unit-files --type service ftpd E. service ftpd status.
A security assessor identified an internet-facing web service API provider that was deemed vulnerable. Execution of testssl provided the following insight: Which of the following configuration changes would BEST mitigate chosen ciphertext attacks? A. Enable 3DES ciphers IDEA. B. Enable export ciphers. C. Enable PFS ciphers. D. Enable AEAD.
A company underwent an audit in which the following issues were enumerated: • Insufficient security controls for internet-facing services, such as VPN and extranet • Weak password policies governing external access for third-party vendors Which of the following strategies would help mitigate the risks of unauthorized access? A. 2FA B. RADIUS C. Federation D. OTP.
A company recently implemented a CI/CD pipeline and is now concerned with the current state of its software development processes. The company wants to augment its CI/CD pipeline with a solution to: • Prevent code configuration drifts. • Ensure coding standards are followed. Which of the following should the company implement to address these concerns? (Choose two.) A. Code signing B. Fuzzers C. Dynamic code analysis D. Manual approval processes E. Linters F. Regression testing.
A SaaS startup is maturing its DevSecOps program and wants to identify weaknesses earlier in the development process in order to reduce the average time to identify serverless application vulnerabilities and the costs associated with remediation. The startup began its early security testing efforts with DAST to cover public-facing application components and recently implemented a bug bounty program. Which of the following will BEST accomplish the company’s objectives? A. RASP B. SAST C. WAF D. CMS.
A security manager has written an incident response playbook for insider attacks and is ready to begin testing it. Which of the following should the manager conduct to test the playbook? A. Automated vulnerability scanning B. Centralized logging, data analytics, and visualization C. Threat hunting D. Threat emulation.
A company wants to improve the security of its web applications that are running on in-house servers. A risk assessment has been performed, and the following capabilities are desired: • Terminate SSL connections at a central location • Manage both authentication and authorization for incoming and outgoing web service calls • Advertise the web service API • Implement DLP and anti-malware features Which of the following technologies will be the BEST option? A. WAF B. XML gateway C. ESB gateway D. API gateway.
A bank hired a security architect to improve its security measures against the latest threats. The solution must meet the following requirements: • Recognize and block fake websites. • Decrypt and scan encrypted traffic on standard and non-standard ports. • Use multiple engines for detection and prevention. • Have central reporting. Which of the following is the BEST solution the security architect can propose? A. CASB B. Web filtering C. NGFW D. EDR.
An organization is running its e-commerce site in the cloud. The capacity is sufficient to meet the organization's needs throughout most of the year, except during the holidays, when the organization plans to introduce a new line of products and expects an increase in traffic. The organization is not sure how well its products will be received. To address this issue, the organization needs to ensure that: • System capacity is optimized. • Cost is reduced. Which of the following should be implemented to address these requirements? (Choose two.) A. Containerization B. Load balancer C. Microsegmentation D. Autoscaling E. CDN.
A mobile administrator is reviewing the following mobile device DHCP logs to ensure the proper mobile settings are applied to managed devices: Which of the following mobile configuration settings is the mobile administrator verifying? A. Service set identifier authentication B. Wireless network auto joining C. 802.1X with mutual authentication D. Association MAC address randomization.
A company recently deployed a SIEM and began importing logs from a firewall, a file server, a domain controller, a web server, and a laptop. A security analyst receives a series of SIEM alerts and prepares to respond. The following is the alert information: Which of the following should the security analyst do FIRST? A. Disable Administrator on abc-usa-fs1; the local account is compromised. B. Shut down the abc-usa-fs1 server; a plaintext credential is being used C. Disable the jdoe account; it is likely compromised. D. Shut down abc-usa-fw01; the remote access VPN vulnerability is exploited.
A web service provider has just taken on a very large contract that comes with requirements that are currently not being implemented. In order to meet contractual requirements, the company must achieve the following thresholds: • 99.99% uptime • Load time in 3 seconds • Response time = <1.0 seconds Starting with the computing environment, which of the following should a security engineer recommend to BEST meet the requirements? (Choose three.) A. Installing a firewall at corporate headquarters B. Deploying a content delivery network C. Implementing server clusters D. Employing bare-metal loading of applications E. Lowering storage input/output F. Implementing RAID on the backup servers G. Utilizing redundant power for all developer workstations H. Ensuring technological diversity on critical servers.
A security architect is designing a solution for a new customer who requires significant security capabilities in its environment. The customer has provided the architect with the following set of requirements: • Capable of early detection of advanced persistent threats. • Must be transparent to users and cause no performance degradation. • Allow integration with production and development networks seamlessly. • Enable the security team to hunt and investigate live exploitation techniques. Which of the following technologies BEST meets the customer's requirements for security capabilities? A. Threat Intelligence B. Deception software C. Centralized logging D. Sandbox detonation.
A global financial firm wants to onboard a new vendor that sells a very specific SaaS application. The application is only hosted in the vendor's home country, and the firm cannot afford any significant downtime. Which of the following is the GREATEST risk to the firm, assuming the decision is made to work with the new vendor? A. The application's performance will be different in regional offices. B. There are regulatory concerns with using SaaS applications. C. The SaaS application will only be available to users in one country D. There is no geographical redundancy in case of network outages.
A company is experiencing a large number of attempted network-based attacks against its online store. To determine the best course of action, a security analyst reviews the following logs. Which of the following should the company do NEXT to mitigate the risk of a compromise from these attacks? A. Restrict HTTP methods. B. Perform parameterized queries. C. Implement input sanitization. D. Validate content types.
An organization must implement controls that are aligned with its financial requirements; specifically, the organization is looking to implement the following: • Financial transactions that require one reviewer • Audits of funds disbursements • Cross-training of employees Which of the following controls will address the organization's requirements? A. Change management B. Job rotation C. Least privilege D. Separation of duties.
A company recently migrated all its workloads to the cloud and implemented a transit VPC with a managed firewall. The cloud infrastructure implements a 10.0.0.0/16 network, and the firewall implements the following ACLs: The Chief Information Security Officer wants to monitor relevant traffic for signs of data exfiltration. Which of the following should the organization place in its monitoring tool to BEST detect data exfiltration while reducing log size and the time to search logs? A. FROM UDP 10.0.0.0/16 ANY TO 0.0.0.0/0 ANY B. FROM TCP 10.0.0.0/16 80,443 TO 0.0.0.0/0 ANY C. FROM TCP 0.0.0.0/0 ANY TO 10.0.0.0/16 80,443,22 D. FROM IP 10.0.0.0/16 ANY TO 0.0.0.0/0 ANY E. FROM IP 0.0.0.0/0 ANY TO TCP 0.0.0.0/0 ANY F. FROM UDP 0.0.0.0/0 ANY TO 0.0.0.0/0 ANY.
A security analyst is reviewing the data portion acquired from the following command: tcpdump -lnvi icmp and src net 192.168.1.0/24 and dst net 0.0.0.0/0 -w output.pcap The data portion of the packet capture shows the following: The analyst suspects that a data exfiltration attack is occurring using a pattern in which the last five digits are encoding sensitive information. Which of the following technologies and associated rules should the analyst implement to stop this specific attack? (Choose two.) A. Intrusion prevention system B. Data loss prevention C. sed -e 's/a-z.*0-9.*//g' D. reject icmp any any <> any any (msg:"alert"; regex [a-z]{26}[0-9]{5}) E. Second-generation firewall F. drop icmp from 192.168.1.0/24 to 0.0.0.0/0.
The Chief Information Security Officer (CISO) has outlined a five-year plan for the company that includes the following: • Implement an application security program. • Reduce the click rate on phishing simulations from 73% to 8%. • Deploy EDR to all workstations and servers. • Ensure all systems are sending logs to the SIEM. • Reduce the percentage of systems with vulnerabilities from 89% to 5%. Which of the following would BEST aid the CISO in determining whether these goals are obtainable? A. An asset inventory B. A third-party audit C. A risk assessment D. An organizational CMMI.
The Chief Security Officer (CSO) requested the security team implement technical controls that meet the following requirements: • Monitors traffic to and from both local NAS and cloud-based file repositories • Prevents on-site staff who are accessing sensitive customer PII documents on file repositories from accidentally or deliberately sharing sensitive documents on personal SaaS solutions • Uses document attributes to reduce false positives • Is agentless and not installed on staff desktops or laptops Which of the following when installed and configured would BEST meet the CSO’s requirements? (Choose two.) A. DLP B. NGFW C. UTM D. UEBA E. CASB F. HIPS.
A small bank is evaluating different methods to address and resolve the following requirements: • Must be able to store credit card data using the smallest amount of data possible. • Must be compliant with PCI DSS. • Must maintain confidentiality if one piece of the layer is compromised. Which of the following is the BEST solution for the bank? A. Scrubbing B. Tokenization C. Masking D. Homomorphic encryption.
When implementing serverless computing, an organization must still account for: A. the underlying computing network infrastructure. B. hardware compatibility. C. the security of its data. D. patching the service.
A systems administrator at a web-hosting provider has been tasked with renewing the public certificates of all customer sites. Which of the following would BEST support multiple domain names while minimizing the amount of certificates needed? A. OCSP B. CRL C. SAN D. CA.
An IT department is currently working to implement an enterprise DLP solution. Due diligence and best practices must be followed in regard to mitigating risk. Which of the following ensures that authorized modifications are well planned and executed? A. Risk management B. Network management C. Configuration management D. Change management.