An organization's RPO for a critical system is two hours. The system is used Monday through Friday, from 9:00 a.m. to 5:00 p.m. Currently, the organization performs a full backup every Saturday that takes four hours to complete. Which of the following additional backup implementations would be the MOST efficient way for the analyst to meet the business requirements?
A. Incremental backups Monday through Friday at 6:00 p.m. and differential backups hourly
B. Full backups Monday through Friday at 6:00 p.m. and incremental backups hourly
C. Incremental backups Monday through Friday at 6:00 p.m. and full backups hourly
D. Full backups Monday through Friday at 6:00 p.m. and differential backups hourly
A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using?
A. The Diamond Model of Intrusion Analysis
B. The Cyber Kill Chain
C. The MITRE CVE database
D. The incident response process
Which of the following BEST explains the difference between a data owner and a data custodian?
A. The data owner is responsible for adhering to the rules for using the data, while the data custodian is responsible for determining the corporate governance regarding the data
B. The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protection to the data
C. The data owner is responsible for controlling the data, while the data custodian is responsible for maintaining the chain of custody when handling the data
D. The data owner grants the technical permissions for data access, while the data custodian maintains the database access controls to the data
Customers reported their antivirus software flagged one of the company's primary software products as suspicious. The company's Chief Information Security Officer has tasked the developer with determining a method to create a trust model between the software and the customer's antivirus software. Which of the following would be the BEST solution?
A. Code signing
B. Domain validation
C. Extended validation
D. Self-signing
An organization has decided to host its web application and database in the cloud. Which of the following BEST describes the security concerns for this decision?
A. Access to the organization's servers could be exposed to other cloud-provider clients.
B. The cloud vendor is a new attack vector within the supply chain.
C. Outsourcing the code development adds risk to the cloud provider.
D. Vendor support will cease when the hosting platforms reach EOL.
A cybersecurity department purchased a new PAM solution. The team is planning to randomize the service account credentials of the Windows servers first. Which of the following would be the BEST method to increase the security on the Linux servers?
A. Randomize the shared credentials.
B. Use only guest accounts to connect.
C. Use SSH keys and remove generic passwords.
D. Remove all user accounts.
A privileged user at a company stole several proprietary documents from a server. The user also went into the log files and deleted all records of the incident. The systems administrator has just informed investigators that other log files are available for review. Which of the following did the administrator MOST likely configure that will assist the investigators?
A. Memory dumps
B. The syslog server
C. The application log
D. The log retention policy
An organization is developing an authentication service for use at the entry and exit ports of country borders. The service will use data feeds obtained from passport systems, passenger manifests, and high-definition video feeds from CCTV systems that are located at the ports. The service will incorporate machine-learning techniques to eliminate biometric enrollment processes while still allowing authorities to identify passengers with increasing accuracy over time. The more frequently passengers travel, the more accurately the service will identify them. Which of the following biometrics will MOST likely be used, without the need for enrollment? (Choose two.)
A. Voice
B. Gait
C. Vein
D. Facial
E. Retina
F. Fingerprint
A cybersecurity administrator needs to add disk redundancy for a critical server. The solution must tolerate a two-drive failure for better fault tolerance. Which of the following RAID levels should the administrator select?
A. 0
B. 1
C. 5
D. 6
A security analyst discovers several .jpg photos from a cellular phone during a forensic investigation involving a compromised system. The analyst runs a forensic tool to gather file metadata. Which of the following would be part of the images if all the metadata is still intact?
A. The GPS location
B. When the file was deleted
C. The total number of print jobs
D. The number of copies made
A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the fastest check with the least delay to determine if the certificate has been revoked. Which of the following would BEST meet these requirements?
A. RA
B. OCSP
C. CRL
D. CSR
A public relations team will be taking a group of guests on a tour through the facility of a large e-commerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against:
A. loss of proprietary information.
B. damage to the company's reputation.
C. social engineering.
D. credential exposure.
A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective?
A. A reverse proxy
B. A decryption certificate
C. A split-tunnel VPN
D. Load-balanced servers
An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable?
A. SED
B. HSM
C. DLP
D. TPM
An organization blocks user access to command-line interpreters, but hackers still managed to invoke the interpreters using native administrative tools. Which of the following should the security team do to prevent this from happening in the future?
A. Implement HIPS to block inbound and outbound SMB ports 139 and 445.
B. Trigger a SIEM alert whenever the native OS tools are executed by the user.
C. Disable the built-in OS utilities as long as they are not needed for functionality.
D. Configure the AV to quarantine the native OS tools whenever they are executed.
A company has determined that if its computer-based manufacturing is not functioning for 12 consecutive hours, it will lose more money than it costs to maintain the equipment. Which of the following must be less than 12 hours to maintain a positive total cost of ownership?
A. MTBF
B. RPO
C. RTO
D. MTTR
Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack?
A. An attacker is sniffing traffic to port 53, and the server is managed using unencrypted usernames and passwords.
B. An organization is experiencing excessive traffic on port 53 and suspects an attacker is trying to DoS the domain name server.
C. Malware is trying to resolve an unregistered domain name to determine if it is running in an isolated sandbox.
D. Routing tables have been compromised, and an attacker is rerouting traffic to malicious websites.
A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement?
A. Asymmetric
B. Symmetric
C. Homomorphic
D. Ephemeral
A systems administrator needs to implement an access control scheme that will allow an object's access policy to be determined by its owner. Which of the following access control schemes BEST fits the requirements?
A. Role-based access control
B. Discretionary access control
C. Mandatory access control
D. Attribute-based access control
A company has three technicians who share the same credentials for troubleshooting systems. Every time the credentials are changed, the new ones are sent by email to all three technicians. The security administrator has become aware of this situation and wants to implement a solution to mitigate the risk. Which of the following is the BEST solution for the company to implement?
A. SSO authentication
B. SSH keys
C. OAuth authentication
D. Password vaults
A security analyst needs to complete an assessment. The analyst is logged into a server and must use native tools to map services running on it to the server's listening ports. Which of the following tools can BEST accomplish this task?
A. Netcat
B. Netstat
C. Nmap
D. Nessus
An organization needs to implement more stringent controls over administrator/root credentials and service accounts.
Requirements for the project include:
1. Check-in/checkout of credentials
2. The ability to use but not know the password
3. Automated password changes
4. Logging of access to credentials
Which of the following solutions would meet the requirements?
A. OAuth 2.0
B. Secure Enclave
C. A privileged access management system
D. An OpenID Connect authentication system
A major political party experienced a server breach. The hacker then publicly posted stolen internal communications concerning campaign strategies to give the opposition party an advantage. Which of the following BEST describes these threat actors?
A. Semi-authorized hackers
B. State actors
C. Script kiddies
D. Advanced persistent threats
A security engineer needs to implement the following requirements:
All Layer 2 switches should leverage Active Directory for authentication.
All Layer 2 switches should use local fallback authentication if Active Directory is offline.
All Layer 2 switches are not the same and are manufactured by several vendors.
Which of the following actions should the engineer take to meet these requirements? (Choose two.)
A. Implement RADIUS.
B. Configure AAA on the switch with local login as secondary.
C. Configure port security on the switch with the secondary login method.
D. Implement TACACS+.
E. Enable the local firewall on the Active Directory server.
F. Implement a DHCP server.
The SIEM at an organization has detected suspicious traffic coming from a workstation in its internal network. An analyst in the SOC investigates the workstation and discovers malware that is associated with a botnet is installed on the device. A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator. To which of the following groups should the analyst report this real-world event?
A. The NOC team
B. The vulnerability management team
C. The CIRT
D. The red team
A security incident may have occurred on the desktop PC of an organization's Chief Executive Officer (CEO). A duplicate copy of the CEO's hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?
A. Install a new hard drive in the CEO's PC, and then remove the old hard drive and place it in a tamper-evident bag.
B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
C. Remove the CEO's hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while the CEO watches.
D. Refrain from completing a forensic analysis of the CEO's hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence.
Joe, a user at a company, clicked an email link that led to a website that infected his workstation. Joe was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and it continues to evade detection. Which of the following should the administrator implement to protect the environment from this malware?
A. Install a definition-based antivirus.
B. Implement an IDS/IPS.
C. Implement a heuristic behavior-detection solution.
D. Implement CASB to protect the network shares.
While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring?
A. A RAT was installed and is transferring additional exploit tools.
B. The workstations are beaconing to a command-and-control server.
C. A logic bomb was executed and is responsible for the data transfers.
D. A fileless virus is spreading in the local network environment.
A security analyst is reviewing output of a web server log and notices a particular account is attempting to transfer large amounts of money:
GET http://yourbank.com/transfer.do?accnum=12345&amount=500000 HTTP/1.1
GET http://yourbank.com/transfer.do?accnum=12345&amount=200000 HTTP/1.1
GET http://yourbank.com/transfer.do?accnum=12345&amount=1200000 HTTP/1.1
Which of the following types of attack is MOST likely being conducted?
A. SQLi
B. CSRF
C. Session replay
D. API
To mitigate the impact of a single VM being compromised by another VM on the same hypervisor, an administrator would like to utilize a technical control to further segregate the traffic. Which of the following solutions would BEST accomplish this objective?
A. Install a hypervisor firewall to filter east-west traffic.
B. Add more VLANs to the hypervisor network switches.
C. Move exposed or vulnerable VMs to the DMZ.
D. Implement a Zero Trust policy and physically segregate the hypervisor servers.
Under GDPR, which of the following is MOST responsible for the protection of privacy and website user rights?
A. The data protection officer
B. The data processor
C. The data owner
D. The data controller
A Chief Security Officer (CSO) is concerned about the volume and integrity of sensitive information that is exchanged between the organization and a third party through email. The CSO is particularly concerned about an unauthorized party who is intercepting information that is in transit between the two organizations. Which of the following would address the CSO's concerns?
A. SPF
B. DMARC
C. SSL
D. DKIM
E. TLS
During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?
A. Physically move the PC to a separate Internet point of presence.
B. Create and apply microsegmentation rules.
C. Emulate the malware in a heavily monitored DMZ segment.
D. Apply network blacklisting rules for the adversary domain.
The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve security in the environment and protect patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns?
A. SSO would simplify username and password management, making it easier for hackers to guess accounts.
B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords.
C. SSO would reduce the password complexity for frontline staff.
D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.
A systems administrator needs to install the same X.509 certificate on multiple servers. Which of the following should the administrator use?
A. Key escrow
B. A self-signed certificate
C. Certificate chaining
D. An extended validation certificate
A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use?
A. dd
B. chmod
C. dnsenum
D. logger
A remote user recently took a two-week vacation abroad and brought along a corporate-owned laptop. Upon returning to work, the user has been unable to connect the laptop to the VPN. Which of the following is the MOST likely reason for the user's inability to connect the laptop to the VPN? (Choose two.)
A. Due to foreign travel, the user's laptop was isolated from the network.
B. The user's laptop was quarantined because it missed the latest patch update.
C. The VPN client was blacklisted.
D. The user's account was put on a legal hold.
E. The laptop is still configured to connect to an international mobile network operator.
F. The user is unable to authenticate because the user is outside of the organization's mobile geofencing configuration.
A university is opening a facility in a location where there is an elevated risk of theft. The university wants to protect the desktops in its classrooms and labs. Which of the following should the university use to BEST protect these assets deployed in the facility?
A. Visitor logs
B. Cable locks
C. Guards
D. Disk encryption
E. Motion detection
A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able to detect the following message: "Special privileges assigned to new logon." Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected?
A. Pass-the-hash
B. Buffer overflow
C. Cross-site scripting
D. Session replay
Several employees return to work the day after attending an industry trade show. That same day, the security manager notices several malware alerts coming from each of the employees' workstations. The security manager investigates but finds no signs of an attack on the perimeter firewall or the NIDS. Which of the following is MOST likely causing the malware alerts?
A. A worm that has propagated itself across the intranet, which was initiated by presentation media
B. A malicious PowerShell script that was attached to an email and transmitted to multiple employees
C. A Trojan that has passed through and executed malicious code on the hosts
D. A USB flash drive that is trying to run malicious code but is being blocked by the host firewall
Which of the following are requirements that must be configured for PCI DSS compliance? (Choose two.)
A. Testing security systems and processes regularly
B. Installing and maintaining a web proxy to protect cardholder data
C. Assigning a unique ID to each person with computer access
D. Encrypting transmission of cardholder data across private networks
E. Benchmarking security awareness training for contractors
F. Using vendor-supplied default passwords for system passwords
A security engineer needs to create a network segment that can be used for servers that require connections from untrusted networks. Which of the following should the engineer implement?
A. An air gap
B. A hot site
C. A VLAN
D. A screened subnet
After installing a Windows server, a cybersecurity administrator needs to harden it, following security best practices. Which of the following will achieve the administrator's goal? (Choose two.)
A. Disabling guest accounts
B. Disabling service accounts
C. Enabling network sharing
D. Disabling NetBIOS over TCP/IP
E. Storing LAN manager hash values
F. Enabling NTLM
A company recently set up an e-commerce portal to sell its product online. The company wants to start accepting credit cards for payment, which requires compliance with a security standard. Which of the following standards must the company comply with before accepting credit cards on its e-commerce platform?
A. PCI DSS
B. ISO 22301
C. ISO 27001
D. NIST CSF
A company just implemented a new telework policy that allows employees to use personal devices for official email and file sharing while working from home.
Some of the requirements are:
✑ Employees must provide an alternate work location (i.e., a home address).
✑ Employees must install software on the device that will prevent the loss of proprietary data but will not restrict any other software from being installed.
Which of the following BEST describes the MDM options the company is using?
A. Geofencing, content management, remote wipe, containerization, and storage segmentation
B. Content management, remote wipe, geolocation, context-aware authentication, and containerization
C. Application management, remote wipe, geofencing, context-aware authentication, and containerization
D. Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption
Which of the following is the correct order of volatility from MOST to LEAST volatile?
A. Memory, temporary filesystems, routing tables, disk, network storage
B. Cache, memory, temporary filesystems, disk, archival media
C. Memory, disk, temporary filesystems, cache, archival media
D. Cache, disk, temporary filesystems, network storage, archival media
The manager who is responsible for a data set has asked a security engineer to apply encryption to the data on a hard disk. The security engineer is an example of a:
A. Data controller
B. Data owner
C. Data custodian
D. Data processor
A Chief Executive Officer (CEO) is dissatisfied with the level of service from the company's new service provider. The service provider is preventing the CEO from sending email from a work account to a personal account. Which of the following types of service providers is being used?
A. Telecommunications service provider
B. Cloud service provider
C. Master managed service provider
D. Managed security service provider
The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process?
A. Updating the playbooks with better decision points
B. Dividing the network into trusted and untrusted zones
C. Providing additional end-user training on acceptable use
D. Implementing manual quarantining of infected hosts
An organization plans to transition the intrusion detection and prevention techniques on a critical subnet to an anomaly-based system. Which of the following does the organization need to determine for this to be successful?
A. The baseline
B. The endpoint configurations
C. The adversary behavior profiles
D. The IPS signatures
A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are
Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Choose two.)
A. DoS
B. SSL stripping
C. Memory leak
D. Race condition
E. Shimming
F. Refactoring
Which of the following provides the BEST protection for sensitive information and data stored in cloud-based services but still allows for full functionality and searchability of data within the cloud-based services?
A. Data encryption
B. Data masking
C. Anonymization
D. Tokenization
A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring?
A. CASB
B. SWG
C. Containerization
D. Automated failover
Which of the following would be the BEST method for creating a detailed diagram of wireless access points and hotspots?
B. White-box testing
C. A drone/UAV
A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of a power surge or other fault situation. The switch was installed on a wired network in a hospital and is monitored by the facilities department via a cloud application. The security administrator isolated the switch on a separate VLAN and set up a patching routine. Which of the following steps should also be taken to harden the smart switch?
A. Set up an air gap for the switch.
B. Change the default password for the switch.
C. Place the switch in a Faraday cage.
D. Install a cable lock on the switch.
An analyst is trying to identify insecure services that are running on the internal network. After performing a port scan, the analyst identifies that a server has some insecure services enabled on default ports. Which of the following BEST describes the services that are currently running and the secure alternatives for replacing them? (Choose three.)
A. SFTP, FTPS
B. SNMPv2, SNMPv3
C. HTTP, HTTPS
D. TFTP, FTP
E. SNMPv1, SNMPv2
F. Telnet, SSH
G. TLS, SSL
H. POP, IMAP
I. Login, rlogin
An external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the DMZ and moved to the sensitive information, generating multiple logs as the attacker traversed through the network. Which of the following will BEST assist with this investigation?
A. Perform a vulnerability scan to identify the weak spots.
B. Use a packet analyzer to investigate the NetFlow traffic.
C. Check the SIEM to review the correlated logs.
D. Require access to the routers to view current sessions.
Which of the following environments minimizes end-user disruption and is MOST likely to be used to assess the impacts of any database migrations or major system changes by using the final version of the code?
A. Staging
B. Test
C. Production
D. Development