Title of test:
CompTIASec+ TEST E

Description:
TEST E SY0-601

Author:
AVATAR

Creation Date:
25/03/2023

Category:
Personal

Number of questions: 90
Content:
A network administrator at a large organization is reviewing methods to improve the security of the wired LAN. Any security improvement must be centrally managed and allow corporate-owned devices to have access to the intranet but limit others to Internet access only. Which of the following should the administrator recommend? 802.1X utilizing the current PKI infrastructure; SSO to authenticate corporate users; MAC address filtering with ACLs on the router; PAM for user account management.
A company is concerned about its security after a red-team exercise. The report shows the team was able to reach the critical servers due to SMB being exposed to the Internet and running NTLMv1. Which of the following BEST explains the findings? Default settings on the servers; Unsecured administrator accounts; Open ports and services; Weak data encryption.
An engineer is setting up a VDI environment for a factory location, and the business wants to deploy a low-cost solution to enable users on the shop floor to log in to the VDI environment directly. Which of the following should the engineer select to meet these requirements? Laptops; Containers; Thin clients; Workstations.
A nationwide company is experiencing unauthorized logins at all hours of the day. The logins appear to originate from countries in which the company has no employees. Which of the following controls should the company consider using as part of its IAM strategy? (Select TWO). A complex password policy; Geolocation; An impossible travel policy; Self-service password reset; Geofencing; Time-based logins.
A security engineer obtained the following output from a threat intelligence source that recently performed an attack on the company's server: Directory traversal; SQL injection; API; Request forgery.
An attacker is attempting to harvest user credentials on a client's website. A security analyst notices multiple attempts of random usernames and passwords. When the analyst types in a random username and password, the logon screen displays the following message: Which of the following should the analyst recommend be enabled? Input validation; Obfuscation; Error handling; Username lockout.
A security administrator is analyzing the corporate wireless network. The network only has two access points running on channels 1 and 11. While using airodump-ng, the administrator notices other access points are running with the same corporate ESSID on all available channels and with the same BSSID as one of the legitimate access points. Which of the following attacks is happening on the corporate network? Man in the middle; Evil twin; Jamming; Rogue access point; Disassociation.
An organization is having difficulty correlating events from its individual AV, EDR, DLP, SWG, WAF, MDM, HIPS, and CASB systems. Which of the following is the BEST way to improve the situation? Remove expensive systems that generate few alerts; Modify the systems to alert only on critical issues; Utilize a SIEM to centralize logs and dashboards; Implement a new syslog/NetFlow appliance.
Which of the following would a European company interested in implementing a technical, hands-on set of security standards MOST likely choose? GDPR; CIS controls; ISO 27001; ISO 37000.
A security analyst has been reading about a newly discovered cyber attack from a known threat actor. Which of the following would BEST support the analyst's review of the tactics, techniques, and protocols the threat actor was observed using in previous campaigns? Security research publications; The MITRE ATT&CK framework; The Diamond Model of Intrusion Analysis; The Cyber Kill Chain.
A SOC is implementing an insider threat detection program. The primary concern is that users may be accessing confidential data without authorization. Which of the following should be deployed to detect a potential insider threat? A honeyfile; A DMZ; ULF; File integrity monitoring.
Which of the following terms should be included in a contract to help a company monitor the ongoing security maturity of a new vendor? A right-to-audit clause allowing for annual security audits; Requirements for event logs to be kept for a minimum of 30 days; Integration of threat intelligence in the company's AV; A data-breach clause requiring disclosure of significant data loss.
A security administrator is setting up a SIEM to help monitor for notable events across the enterprise. Which of the following control types does this BEST represent? Preventive; Compensating; Corrective; Detective.
Which of the following is a risk that is specifically associated with hosting applications in the public cloud? Unsecured root accounts; Zero day; Shared tenancy; Insider threat.
When implementing automation with IoT devices, which of the following should be considered FIRST to keep the network secure? Z-Wave compatibility; Network range; Zigbee configuration; Communication protocols.
Which of the following is the MOST secure but LEAST expensive data destruction method for data that is stored on hard drives? Pulverizing; Shredding; Incinerating; Degaussing.
A new vulnerability in the SMB protocol on Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned that servers in the company's DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Select TWO). 135; 139; 143; 161; 443; 445.
Which of the following BEST describes a social-engineering attack that relies on an executive at a small business visiting a fake banking website where credit card and account details are harvested? Whaling; Spam; Invoice scam; Pharming.
A company wants to modify its current backup strategy to minimize the number of backups that would need to be restored in case of data loss. Which of the following would be the BEST backup strategy to implement? Incremental backups followed by differential backups; Full backups followed by incremental backups; Delta backups followed by differential backups; Incremental backups followed by delta backups; Full backups followed by differential backups.
A company is required to continue using legacy software to support a critical service. Which of the following BEST explains a risk of this practice? Default system configuration; Unsecure protocols; Lack of vendor support; Weak encryption.
Which of the following types of attacks is specific to the individual it targets? Whaling; Pharming; Smishing; Credential harvesting.
A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file download from a social media site and subsequently installed it without the user's knowledge. Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker MOST likely use to gain access? A bot; A fileless virus; A logic bomb; A RAT.
Joe, an employee, is transferring departments and is providing copies of his files to a network share folder for his previous team to access. Joe is granting read-write-execute permissions to his manager but giving read-only access to the rest of the team. Which of the following access controls is Joe using? FACL; DAC; ABAC; MAC.
Which of the following cryptographic concepts would a security engineer utilize while implementing non-repudiation? (Select TWO). Block cipher; Hashing; Private key; Perfect forward secrecy; Salting; Symmetric keys.
A security researcher has alerted an organization that its sensitive user data was found for sale on a website. Which of the following should the organization use to inform the affected parties? An incident response plan; A communications plan; A business continuity plan; A disaster recovery plan.
A security analyst is investigating multiple hosts that are communicating to external IP addresses during the hours of 2:00 a.m. to 4:00 a.m. The malware has evaded detection by traditional antivirus software. Which of the following types of malware is MOST likely infecting the hosts? A RAT; Ransomware; Polymorphic; A worm.
A financial analyst has been accused of violating the company's AUP, and there is forensic evidence to substantiate the allegation. Which of the following would dispute the analyst's claim of innocence? Legal hold; Order of volatility; Non-repudiation; Chain of custody.
A major clothing company recently lost a large amount of proprietary information. The security officer must find a solution to ensure this never happens again. Which of the following is the BEST technical implementation to prevent this from happening again? Configure DLP solutions; Disable peer-to-peer sharing; Enable role-based access controls; Mandate job rotation; Implement content filters.
Which of the following would satisfy three-factor authentication? Password, retina scanner, and NFC card; Password, fingerprint scanner, and retina scanner; Password, hard token, and NFC card; Fingerprint scanner, hard token, and retina scanner.
A company recently experienced an attack during which its main website was directed to the attacker's web server, allowing the attacker to harvest credentials from unsuspecting customers. Which of the following should the company implement to prevent this type of attack from occurring in the future? IPSec; SSL/TLS; DNSSEC; S/MIME.
A retail company that is launching a new website to showcase the company's product line and other information for online shoppers registered the following URLs: A self-signed certificate; A root certificate; A code-signing certificate; A wildcard certificate; An extended validation certificate.
A security analyst is hardening a network infrastructure. The analyst is given the following requirements: 1. Preserve the use of public IP addresses assigned to equipment on the core router. 2. Enable in-transport encryption protection to the web server with the strongest ciphers. Which of the following should the analyst implement to meet these requirements? (Select TWO). Configure VLANs on the core router; Configure NAT on the core router; Configure BGP on the core router; Configure AES encryption on the web server; Enable 3DES encryption on the web server; Enable TLSv2 encryption on the web server.
After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic? A DMZ; A VPN; A VLAN; An ACL.
While investigating a data leakage incident, a security analyst reviews access control to cloud-hosted data. The following information was presented in a security posture report: Spyware; Logic bomb; Potentially unwanted programs; Supply chain.
Which of the following describes a maintenance metric that measures the average time required to troubleshoot and restore failed equipment? RTO; MTBF; MTTR; RPO.
A network analyst is setting up a wireless access point for a home office in a remote, rural location. The requirement is that users need to connect to the access point securely but do not want to have to remember passwords. Which of the following should the network analyst enable to meet the requirement? MAC address filtering; 802.1X; Captive portal; WPS.
Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations. Which of the following documents did Ann receive? An annual privacy notice; A non-disclosure agreement; A privileged-user agreement; A memorandum of understanding.
A developer is building a new portal to deliver single-pane-of-glass management capabilities to customers with multiple firewalls. To improve the user experience, the developer wants to implement an authentication and authorization standard that uses security tokens that contain assertions to pass user information between nodes. Which of the following roles should the developer configure to meet these requirements? (Select TWO). Identity processor; Service requestor; Identity provider; Service provider; Tokenized resource; Notarized referral.
An organization is concerned about hackers potentially entering a facility and plugging in a remotely accessible Kali Linux box. Which of the following should be the first lines of defense against such an attack? (Select TWO). MAC filtering; Zero Trust segmentation; Network access control; Access control vestibules; Guards; Bollards.
An organization is building backup server rooms in geographically diverse locations. The Chief Information Security Officer implemented a requirement on the project that states the new hardware cannot be susceptible to the same vulnerabilities as the existing server room. Which of the following should the systems engineer consider? Purchasing hardware from different vendors; Migrating workloads to public cloud infrastructure; Implementing a robust patch management solution; Designing new detective security controls.
Which of the following corporate policies is used to help prevent employee fraud and to detect system log modifications or other malicious activity based on tenure? Background checks; Mandatory vacation; Social media analysis; Separation of duties.
After a hardware incident, an unplanned emergency maintenance activity was conducted to rectify the issue. Multiple alerts were generated on the SIEM during this period of time. Which of the following BEST explains what happened? The unexpected traffic correlated against multiple rules, generating multiple alerts; Multiple alerts were generated due to an attack occurring at the same time; An error in the correlation rules triggered multiple alerts; The SIEM was unable to correlate the rules, triggering the alerts.
A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use? openssl; hping; netcat; tcpdump.
A user downloaded an extension for a browser, and the user's device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data. The following was observed running: PowerShell; Python; Bash; Macros.
A security assessment found that several embedded systems are running unsecure protocols. These systems were purchased two years ago, and the company that developed them is no longer in business. Which of the following constraints BEST describes the reason the findings cannot be remediated? Inability to authenticate; Implied trust; Lack of computing power; Unavailable patch.
Developers are writing code and merging it into shared repositories several times a day, where it is tested automatically. Which of the following concepts does this BEST represent? Functional testing; Stored procedures; Elasticity; Continuous integration.
An organization would like to remediate the risk associated with its cloud service provider not meeting its advertised 99.999% availability metrics. Which of the following should the organization consult for the exact requirements for the cloud provider? SLA; BPA; NDA; MOU.
A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output: Internet address MAC flooding; URL redirection; ARP poisoning; DNS hijacking.
A Chief Security Officer (CSO) has asked a technician to devise a solution that can detect unauthorized execution privileges from the OS in both executable and data files, and can work in conjunction with proxies or UTM. Which of the following would BEST meet the CSO's requirements? Fuzzing; Sandboxing; Static code analysis; Code review.
The security team received a report of copyright infringement from the IP space of the corporate network. The report provided a precise time stamp for the incident as well as the name of the copyrighted file. The analyst has been tasked with determining the infringing source machine and instructed to implement measures to prevent such incidents from occurring again. Which of the following is MOST capable of accomplishing both tasks? HIDS; Allow list; TPM; NGFW.
While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to network switches. Which of the following is the security analyst MOST likely observing? SNMP traps; A Telnet session; An SSH connection; SFTP traffic.
A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using? The Diamond Model of Intrusion Analysis; The Cyber Kill Chain; The MITRE CVE database; The incident response process.
A security analyst was deploying a new website and found a connection attempting to authenticate on the site's portal. While investigating the incident, the analyst identified the following input in the username field: DLL injection to hijack administrator services; SQLi on the field to bypass authentication; Execution of a stored XSS on the website; Code to execute a race condition on the server.
A security engineer needs to create a network segment that can be used for servers that require connections from untrusted networks. Which of the following should the engineer implement? An air gap; A hot site; A VLAN; A screened subnet.
A cyberthreat intelligence analyst is gathering data about a specific adversary using OSINT techniques. Which of the following should the analyst use? Internal log files; Government press releases; Confidential reports; Proprietary databases.
When planning to build a virtual environment, an administrator needs to achieve the following: 1. Establish policies to limit who can create new VMs. 2. Allocate resources according to actual utilization. 3. Require justification for requests outside of the standard requirements. 4. Create standardized categories based on size and resource requirements. Which of the following is the administrator MOST likely trying to do? Implement IaaS replication; Protect against VM escape; Deploy a PaaS; Avoid VM sprawl.
Which of the following uses six initial steps that provide basic control over system security by including hardware and software inventory, vulnerability management, and continuous monitoring to minimize risk in all network environments? ISO 27701; The Center for Internet Security; SSAE SOC 2; NIST Risk Management Framework.
Which of the following function as preventive, detective, and deterrent controls to reduce the risk of physical theft? (Select TWO). Mantraps; Security guards; Video surveillance; Fences; Bollards; Antivirus.
Which of the following environments would MOST likely be used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance characteristics? Test; Staging; Development; Production.
A systems administrator is looking for a solution that will help prevent OAuth applications from being leveraged by hackers to trick users into authorizing the use of their corporate credentials. Which of the following BEST describes this solution? CASB; UEM; WAF; VPC.
Which of the following is a difference between a DRP and a BCP? A BCP keeps operations running during a disaster while a DRP does not; A BCP prepares for any operational interruption while a DRP prepares for natural disasters; A BCP is a technical response to disasters while a DRP is operational; A BCP is formally written and approved while a DRP is not.
Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build? Production; Test; Staging; Development.
Remote workers in an organization use company-provided laptops with locally installed applications and locally stored data. Users can store data on a remote server using an encrypted connection. The organization discovered data stored on a laptop had been made available to the public. Which of the following security solutions would mitigate the risk of future data disclosures? FDE; TPM; HIDS; VPN.
The SIEM at an organization has detected suspicious traffic coming from a workstation in its internal network. An analyst in the SOC investigates the workstation and discovers malware that is associated with a botnet is installed on the device. A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator. To which of the following groups should the analyst report this real-world event? The NOC team; The vulnerability management team; The CIRT; The red team.
Which of the following holds staff accountable while escorting unauthorized personnel? Locks; Badges; Cameras; Visitor logs.
A security analyst must enforce policies to harden an MDM infrastructure. The requirements are as follows: 1. Ensure mobile devices can be tracked and wiped. 2. Confirm mobile devices are encrypted. Which of the following should the analyst enable on all the devices to meet these requirements? Geofencing; Biometric authentication; Geolocation; Geotagging.
Which of the following is an example of risk avoidance? Installing security updates directly in production to expedite vulnerability fixes; Buying insurance to prepare for financial loss associated with exploits; Not installing new software to prevent compatibility errors; Not taking preventive measures to stop the theft of equipment.
An analyst is generating a security report for the management team. Security guidelines recommend disabling all listening unencrypted services. Given this output from Nmap: 21/tcp; 22/tcp; 23/tcp; 443/tcp.
A grocery store is expressing security and reliability concerns regarding the on-site backup strategy currently being performed by locally attached disks. The main concerns are the physical security of the backup media and the durability of the data stored on these devices. Which of the following is a cost-effective approach to address these concerns? Enhance resiliency by adding a hardware RAID; Move data to a tape library and store the tapes off site; Install a local network-attached storage; Migrate to a cloud backup solution.
During an investigation, a security manager receives notification from local authorities that company proprietary data was found on a former employee's home computer. The former employee's corporate workstation has since been repurposed, and the data on the hard drive has been overwritten. Which of the following would BEST provide the security manager with enough details to determine when the data was removed from the company network? Properly configured hosts with security logging; Properly configured endpoint security tool with alerting; Properly configured SIEM with retention policies; Properly configured USB blocker with encryption.
A Chief Information Officer receives an email stating a database will be encrypted within 24 hours unless a payment of $20,000 is credited to the account mentioned in the email. This BEST describes a scenario related to: whaling; smishing; spear phishing; vishing.
An attack relies on an end user visiting a website the end user would typically visit; however, the site is compromised and uses vulnerabilities in the end user's browser to deploy malicious software. Which of the following types of attack does this describe? Smishing; Whaling; Watering hole; Phishing.
A company is implementing a new SIEM to log and send alerts whenever malicious activity is blocked by its antivirus and web content filters. Which of the following is the primary use case for this scenario? Implementation of preventive controls; Implementation of detective controls; Implementation of deterrent controls; Implementation of corrective controls.
A developer is concerned about people downloading fake malware-infected replicas of a popular game. Which of the following should the developer do to help verify legitimate versions of the game for users? Digitally sign the relevant game files; Embed a watermark using steganography; Implement TLS on the license activation server; Fuzz the application for unknown vulnerabilities.
If a current private key is compromised, which of the following would ensure it cannot be used to decrypt all historical data? Perfect forward secrecy; Elliptic-curve cryptography; Key stretching; Homomorphic encryption.
The Chief Information Security Officer wants to pilot a new adaptive, user-based authentication method. The concept includes granting logical access based on physical location and proximity. Which of the following is the BEST solution for the pilot? Geofencing; Self-sovereign identification; PKI certificates; SSO.
Which two features are available only in next-generation firewalls? (Choose two.) Deep packet inspection; Packet filtering; Application awareness; Stateful inspection; Virtual private network.
A security analyst is investigating a malware incident at a company. The malware is accessing a command-and-control website at www.comptia.com. All outbound Internet traffic is logged to a syslog server and stored in /logfiles/messages. Which of the following commands would be BEST for the analyst to use on the syslog server to search for recent traffic to the command-and-control website? Option A; Option B; Option C; Option D.
During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes? Physically move the PC to a separate Internet point of presence; Create and apply microsegmentation rules; Emulate the malware in a heavily monitored DMZ segment; Apply network blacklisting rules for the adversary domain.
A company has three technicians who share the same credentials for troubleshooting systems. Every time credentials are changed, the new ones are sent by email to all three technicians. The security administrator has become aware of this situation and wants to implement a solution to mitigate the risk. Which of the following is the BEST solution for the company to implement? SSO authentication; SSH keys; OAuth authentication; Password vaults.
A company has determined that if its computer-based manufacturing machinery is not functioning for 12 consecutive hours, it will lose more money than it costs to maintain the equipment. Which of the following must be less than 12 hours to maintain a positive total cost of ownership? MTBF; RPO; RTO; MTTR.
An enterprise has hired an outside security firm to facilitate penetration testing on its network and applications. The firm has agreed to pay for each vulnerability that is discovered. Which of the following BEST represents the type of testing that is being used? White-box; Red-team; Bug bounty; Gray-box; Black-box.
Which of the following BEST describes the method a security analyst would use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted, using a verified checksum? Hashing; Salting; Integrity; Digital signature.
An organization that has a large number of mobile devices is exploring enhanced security controls to manage unauthorized access if a device is lost or stolen. Specifically, if mobile devices are more than 3 mi (4.8 km) from the building, the management team would like to have the security team alerted and server resources restricted on those devices. Which of the following controls should the organization implement? Geofencing; Lockout; Near-field communication; GPS tagging.
Which of the following should a technician consider when selecting an encryption method for data that needs to remain confidential for a specific length of time? The key length of the encryption algorithm; The encryption algorithm's longevity; A method of introducing entropy into key calculations; The computational overhead of calculating the encryption key.
During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will BEST assist the analyst? A vulnerability scanner; A NGFW; The Windows Event Viewer; A SIEM.
Which of the following threat actors is MOST likely to be motivated by ideology? Business competitor; Hacktivist; Criminal syndicate; Script kiddie; Disgruntled employee.
A systems administrator is considering different backup solutions for the IT infrastructure. The company is looking for a solution that offers the fastest recovery time while also saving the most amount of storage used to maintain the backups. Which of the following recovery solutions would be the BEST option to meet these requirements? Snapshot; Differential; Full; Tape.
A company was compromised, and a security analyst discovered the attacker was able to get access to a service account. The following logs were discovered during the investigation: Race condition testing; Proper error handling; Forward web server logs to a SIEM; Input sanitization.
An organization recently discovered that a purchasing officer approved an invoice for an amount that was different than the original purchase order. After further investigation, a security analyst determines that the digital signature for the fraudulent invoice is exactly the same as the digital signature for the correct invoice that had been approved. Which of the following attacks MOST likely explains the behavior? Birthday; Rainbow table; Impersonation; Whaling.