|During a monthly vulnerability scan, a server was flagged for being vulnerable to an Apache Struts
exploit. Upon further investigation, the developer responsible for the server informs the security
team that Apache Struts is not installed on the server. Which of the following BEST describes how
the security team should react to this incident? The finding is a false positive and can be disregarded The Struts module needs to be hardened on the server The Apache software on the server needs to be patched and updated The server has been compromised by malware and needs to be quarantined.
A systems administrator wants to protect data stored on mobile devices that are used to scan and
record assets in a warehouse. The control must automatically destroy the secure container of
mobile devices if they leave the warehouse. Which of the following should the administrator
implement? (Select two.) Geofencing Remote wipe Near-field communication Push notification services Containerization.
A security analyst is performing a quantitative risk analysis. The risk analysis should show the
potential monetary loss each time a threat or event occurs. Given this requirement, which of the
following concepts would assist the analyst in determining this value? (Select two.) ALE AV ARO EF ROI.
A workstation puts out a network request to locate another system. Joe, a hacker on the network,
responds before the real system does, and he tricks the workstation into communicating with him.
Which of the following BEST describes what occurred? The hacker used a race condition. The hacker used a pass-the-hash attack. The hacker-exploited improper key management. The hacker exploited weak switch configuration.
Audit logs from a small company’s vulnerability scanning software show the following findings:
-Server001- Internal human resources payroll server
-Server101-Internet-facing web server
-Server201- SQL server for Server101
-Server301-Jumpbox used by systems administrators accessible from the internal network
Validated vulnerabilities found:
-Server001- Vulnerable to buffer overflow exploit that may allow attackers to install software
-Server101- Vulnerable to buffer overflow exploit that may allow attackers to install software
-Server201-OS updates not fully current
-Server301- Accessible from internal network without the use of jumpbox
-Server301-Vulnerable to highly publicized exploit that can elevate user privileges
Assuming external attackers who are gaining unauthorized information are of the highest concern,
which of the following servers should be addressed FIRST? Server001 Server101 Server201 Server301.
A security administrator suspects a MITM attack aimed at impersonating the default gateway is
underway. Which of the following tools should the administrator use to detect this attack? (Select
two.) Ping Ipconfig Tracert Netstat Dig Nslookup.
After a routine audit, a company discovers that engineering documents have been leaving the
network on a particular port. The company must allow outbound traffic on this port, as it has a
legitimate business use. Blocking the port would cause an outage. Which of the following
technology controls should the company implement? NAC Web proxy DLP ACL.
An organization’s primary datacenter is experiencing a two-day outage due to an HVAC
malfunction. The node located in the datacenter has lost power and is no longer operational,
impacting the ability of all users to connect to the alternate datacenter. Which of the following BIA
concepts BEST represents the risk described in this scenario? SPoF RTO MTBF MTTR.
A security analyst notices anomalous activity coming from several workstations in the
organizations. Upon identifying and containing the issue, which of the following should the security
analyst do NEXT? Document and lock the workstations in a secure area to establish "chain of custody" Notify the IT department that the workstations are to be reimaged and the data restored for reuse Notify the IT department that the workstations may be reconnected to the network for the users to
continue working Document findings and processes in the after-action and lessons learned report.
A group of non-profit agencies wants to implement a cloud service to share resources with each
other and minimize costs. Which of the following cloud deployment models BEST describes this
type of effort? Public Hybrid Community Private.
A copy of a highly confidential salary report was recently found on a printer in the IT department.
The human resources department does not have this specific printer mapped to its devices, and it
is suspected that an employee in the IT department browsed to the share where the report was
located and printed it without authorization. Which of the following technical controls would be the
BEST choice to immediately prevent this from happening again? Implement a DLP solution and classify the report as confidential, restricting access only to human
resources staff Restrict access to the share where the report resides to only human resources employees and
enable auditing Have all members of the IT department review and sign the AUP and disciplinary policies Place the human resources computers on a restricted VLAN and configure the ACL to prevent
access from the IT department.
A help desk is troubleshooting user reports that the corporate website is presenting untrusted
certificate errors to employees and customers when they visit the website. Which of the following
is the MOST likely cause of this error, provided the certificate has not expired? The certificate was self-signed, and the CA was not imported by employees or customers The root CA has revoked the certificate of the intermediate CA The valid period for the certificate has passed, and a new certificate has not been issued The key escrow server has blocked the certificate from being validated.
A security analyst is investigating a suspected security breach and discovers the following in the
logs of the potentially compromised server:
Which of the following would be the BEST method for preventing this type of suspected attack in
the future? Implement password expirations Implement restrictions on shared credentials Implement account lockout settings Implement time-of-day restrictions on this server.
A new mobile application is being developed in-house. Security reviews did not pick up any major
flaws, however, vulnerability scanning results show fundamental issues at the very end of the
Which of the following security activities should also have been performed to discover
vulnerabilities earlier in the lifecycle? Architecture review Risk assessment Protocol analysis Code review.
A security administrator is creating a subnet on one of the corporate firewall interfaces to use as a
DMZ which is expected to accommodate at most 14 physical hosts.
Which of the following subnets would BEST meet the requirements? 192.168.0.16 255.25.255.248 192.168.0.16/28 192.168.1.50 255.255.25.240 192.168.2.32/27.
The security administrator receives an email on a non-company account from a coworker stating
that some reports are not exporting correctly. Attached to the email was an example report file with
several customers' names and credit card numbers with the PIN.
Which of the following are the BEST technical controls that will help mitigate this risk of disclosing
sensitive data? Configure the mail server to require TLS connections for every email to ensure all transport data is
encrypted Create a user training program to identify the correct use of email and perform regular audits to
ensure compliance Implement a DLP solution on the email gateway to scan email and remove sensitive data or files Classify all data according to its sensitivity and inform the users of data that is prohibited to share.
A security administrator has been assigned to review the security posture of the standard
corporate system image for virtual machines. The security administrator conducts a thorough
review of the system logs, installation procedures, and network configuration of the VM image.
Upon reviewing the access logs and user accounts, the security administrator determines that
several accounts will not be used in production.
Which of the following would correct the deficiencies? Mandatory access controls Disable remote login Host hardening Disabling services.
An attacker discovers a new vulnerability in an enterprise application. The attacker takes
advantage of the vulnerability by developing new malware. After installing the malware, the
attacker is provided with access to the infected machine.
Which of the following is being described? Zero-day exploit Remote code execution Session hijacking Command injection.
A security administrator returning from a short vacation receives an account lock-out message
when attempting to log into the computer. After getting the account unlocked the security
administrator immediately notices a large amount of email alerts pertaining to several different
user accounts being locked out during the past three days. The security administrator uses system
logs to determine that the lock-outs were due to a brute force attack on all accounts that have been
previously logged into that machine.
Which of the following can be implemented to reduce the likelihood of this attack going
undetected? Password complexity rules Continuous monitoring User access reviews Account lockout policies.
During a routine audit, it is discovered that someone has been using a stale administrator account
to log into a seldom-used server. The person has been using the server to view inappropriate
websites that are prohibited to end-users.
Which of the following could best prevent this from occurring again? Credential management Group policy management Acceptable use policy Account expiration policy.
A portable data storage device has been determined to have malicious firmware.
Which of the following is the BEST course of action to ensure data confidentiality? Format the device Re-image the device Perform virus scan in the device Physically destroy the device.
A security administrator must implement a system to ensure that invalid certificates are not used
by a custom developed application. The system must be able to check the validity of certificates
even when internet access is unavailable.
Which of the following MUST be implemented to support this requirement? CSR OCSP CRL SSH.
A technician has installed new vulnerability scanner software on a server that is joined to the
company domain. The vulnerability scanner is able to provide visibility over the patch posture of all
the company's clients.
Which of the following is being used? Gray box vulnerability testing Passive scan Credentialed scan Bypassing security controls.
The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to
upgrade the entire corporate IT infrastructure. The architecture consists of a centralized cloud
environment hosting the majority of data, small server clusters at each corporate location to
handle the majority of customer transaction processing, ATMs, and a new mobile banking
application accessible from smartphones, tablets, and the Internet via HTTP. The corporation does
business having varying data retention and privacy laws.
Which of the following technical modifications to the architecture and corresponding security
controls should be implemented to provide the MOST complete protection of data? Revoke existing root certificates, re-issue new customer certificates, and ensure all transactions are
digitally signed to minimize fraud, implement encryption for data-in-transit between data centers Ensure all data is encryption according to the most stringent regulatory guidance applicable,
implement encryption for data-in-transit between data centers, increase data availability by
replicating all data, transaction data, logs between each corporate location Store customer data based on national borders, ensure end-to-end encryption between ATMs, end
users, and servers, test redundancy, and COOP plans to ensure data is not inadvertently shifted
from one legal jurisdiction to another with more stringent regulations Install redundant servers to handle corporate customer processing, encrypt all customer data to
ease the transfer from one country to another, implement end-to-end encryption between mobile
applications and the cloud.
While reviewing the monthly internet usage it is noted that there is a large spike in traffic classified
as "unknown" and does not appear to be within the bounds of the organization's Acceptable Use
Which of the following tool or technology would work BEST for obtaining more information on this
traffic? Firewall logs IDS logs Increased spam filtering Protocol analyzer.
A network administrator wants to ensure that users do not connect any unauthorized devices to
the company network. Each desk needs to connect a VoIP phone and computer.
Which of the following is the BEST way to accomplish this? Enforce authentication for network devices Configure the phones on one VLAN, and computers on another Enable and configure port channels Make users sign an Acceptable use Agreement.
A user of the wireless network is unable to gain access to the network. The symptoms are:
1.) Unable to connect to both internal and Internet resources
2.) The wireless icon shows connectivity but has no network access
The wireless network is WPA2 Enterprise and users must be a member of the wireless security
group to authenticate.
Which of the following is the MOST likely cause of the connectivity issues? The wireless signal is not strong enough A remote DDoS attack against the RADIUS server is taking place The user's laptop only supports WPA and WEP The DHCP scope is full The dynamic encryption key did not update while the user was offline.
A chief Financial Officer (CFO) has asked the Chief Information Officer (CISO) to provide
responses to a recent audit report detailing deficiencies in the organization's security controls. The
CFO would like to know ways in which the organization can improve its authorization controls.
Given the request by the CFO, which of the following controls should the CISO focus on in the
report? (Select Three) Password complexity policies Hardware tokens Biometric systems Role-based permissions One time passwords Separation of duties Multifactor authentication Single sign-on Least privilege.
A mobile device user is concerned about geographic positioning information being included in
messages sent between users on a popular social network platform. The user turns off the
functionality in the application but wants to ensure the application cannot re-enable the setting
without the knowledge of the user.
Which of the following mobile device capabilities should the user disable to achieve the stated
goal? Device access control Location-based services Application control GEO-Tagging.
A member of a digital forensics team, Joe arrives at a crime scene and is preparing to collect
system data. Before powering the system off, Joe knows that he must collect the most volatile
Which of the following is the correct order in which Joe should collect the data? CPU cache, paging/swap files, RAM, remote logging data RAM, CPU cache. Remote logging data, paging/swap files Paging/swap files, CPU cache, RAM, remote logging data CPU cache, RAM, paging/swap files, remote logging data.
An organization has hired a penetration tester to test the security of its ten web servers. The penetration tester is able to gain root/administrative access in several servers by exploiting vulnerabilities associated with the implementation of SMTP, POP, DNS, FTP, Telnet, and IMAP. Which of the following recommendations should the penetration tester provide to the organization to better protect their web servers in the future? Use a honeypot Disable unnecessary services Implement transport layer security Increase application event logging.
A security engineer is faced with competing requirements from the networking group and database
administrators. The database administrators would like ten application servers on the same subnet
Which of the following should the security administrator do to rectify this issue? Recommend performing a security assessment on each application, and only segment the
applications with the most vulnerability Recommend classifying each application into like security groups and segmenting the groups from
one another Recommend segmenting each application, as it is the most secure approach Recommend that only applications with minimal security features should be segmented to protect
A network administrator is attempting to troubleshoot an issue regarding certificates on a secure
website. During the troubleshooting process, the network administrator notices that the web
gateway proxy on the local network has signed all of the certificates on the local machine.
Which of the following describes the type of attack the proxy has been legitimately programmed to
perform? Transitive access Spoofing Man-in-the-middle Replay.
Which of the following uses the SSH protocol? Stelnet SCP SNMP FTPS SSL SFTP.
An organization relies heavily on an application that has a high frequency of security updates. At
present, the security team only updates the application on the first Monday of each month, even
though the security updates are released as often as twice a week.
Which of the following would be the BEST method of updating this application? Configure testing and automate patch management for the application. Configure security control testing for the application Manually apply updates for the application when they are released. Configure a sandbox for testing patches before the scheduled monthly update.
A software development company needs to share information between two remote servers, using
encryption to protect it. A programmer suggests developing a new encryption protocol, arguing
that using an unknown protocol with secure, existing cryptographic algorithm libraries will provide
strong encryption without being susceptible to attacks on other known protocols.
Which of the following summarizes the BEST response to the programmer's proposal? The newly developed protocol will only be as secure as the underlying cryptographic algorithms
used. New protocols often introduce unexpected vulnerabilities, even when developed with otherwise
secure and tested algorithm libraries. A programmer should have specialized training in protocol development before attempting to
design a new encryption protocol. The obscurity value of unproven protocols against attacks often outweighs the potential for
introducing new vulnerabilities.
A supervisor in your organization was demoted on Friday afternoon. The supervisor had the ability
to modify the contents of a confidential database, as well as other managerial permissions. On
Monday morning, the database administrator reported that log files indicated that several records
were missing from the database.
Which of the following risk mitigation strategies should have been implemented when the supervisor was demoted? Incident management Routine auditing IT governance Monthly user rights reviews.
Recently several employees were victims of a phishing email that appeared to originate from the
company president. The email claimed the employees would be disciplined if they did not click on
a malicious link in the message.
Which of the following principles of social engineering made this attack successful? Authority Spamming Social proof Scarcity.
An employee uses RDP to connect back to the office network.
If RDP is misconfigured, which of the following security exposures would this lead to? A virus on the administrator's desktop would be able to sniff the administrator's username and
password. Result in an attacker being able to phish the employee's username and password. A social engineering attack could occur, resulting in the employee's password being extracted. A man in the middle attack could occur, resulting in the employee's username and password being
An auditor has identified an access control system that can incorrectly accept an access attempt
from an unauthorized user. Which of the following authentication systems has the auditor
reviewed? Password-based Biometric-based Location-based Certificate-based.
The Chief Technology Officer (CTO) of a company, Ann, is putting together a hardware budget for
the next 10 years. She is asking for the average lifespan of each hardware device so that she is
able to calculate when she will have to replace each device.
Which of the following categories BEST describes what she is looking for? ALE MTTR MTBF MTTF.
A software developer wants to ensure that the application is verifying that a key is valid before
establishing SSL connections with random remote hosts on the Internet.
Which of the following should be used in the code? (Select TWO.) Escrowed keys SSL symmetric encryption key Software code private key Remote server public key OCSP.
Which of the following vulnerability types would the type of hacker known as a script kiddie be
MOST dangerous against? Passwords written on the bottom of a keyboard Unpatched exploitable Internet-facing services Unencrypted backup tapes Misplaced hardware token.
To reduce disk consumption, an organization’s legal department has recently approved a new
policy setting the data retention period for sent email at six months. Which of the following is the
BEST way to ensure this goal is met? Create a daily encrypted backup of the relevant emails Configure the email server to delete the relevant emails. Migrate the relevant emails into an “Archived” folder. Implement automatic disk compression on email servers.