Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in a third-party software application?
A. Sandboxing
B. Encryption
C. Code signing
D. Fuzzing

A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the Internet regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this?
A. Configure the OS default TTL to 1
B. Use NAT on the R&D network
C. Implement a router ACL
D. Enable protected ports on the switch

To help prevent one job role from having sufficient access to create, modify, and approve payroll data, which of the following practices should be employed?
A. Least privilege
B. Job rotation
C. Background checks
D. Separation of duties

When attackers use a compromised host as a platform for launching attacks deeper into a network, it is said that they are:
A. escalating privilege
B. becoming persistent
C. fingerprinting
D. pivoting

The help desk received a call after hours from an employee who was attempting to log into the payroll server remotely. When the help desk returned the call the next morning, the employee was able to log into the server remotely without incident. However, the incident occurred again the next
Which of the following BEST describes the cause of the issue?
A. The password expired on the account and needed to be reset
B. The employee does not have the rights needed to access the database remotely
C. Time-of-day restrictions prevented the account from logging in
D. The employee's account was locked out and needed to be unlocked

An analyst receives an alert from the SIEM showing an IP address that does not belong to the assigned network can be seen sending packets to the wrong gateway. Which of the following network devices is misconfigured, and which of the following should be done to remediate the issue?
A. Firewall; implement an ACL on the interface
B. Router; place the correct subnet on the interface
C. Switch; modify the access port to a trunk port
D. Proxy; add the correct transparent interface

A home invasion occurred recently in which an intruder compromised a home network and accessed a WiFi-enabled baby monitor while the baby's parents were sleeping. Which of the following BEST describes how the intruder accessed the monitor?
A. Outdated antivirus
B. WiFi signal strength
C. Social engineering
D. Default configuration

A security engineer must install the same X.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use?
A. Wildcard certificate
B. Extended validation certificate
C. Certificate chaining
D. Certificate utilizing the SAN file

Which of the following refers to the term used to restore a system to its operational state?
A. MTBF
B. MTTR
C. RTO
D. RPO

A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists with a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information?
A. Penetration test
B. Vulnerability scan
C. Active reconnaissance
D. Patching assessment report

An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO)
A. TACACS+
B. CHAP
C. LDAP
D. RADIUS
E. MSCHAPv2

An active/passive configuration has an impact on:
A. confidentiality
B. integrity
C. availability
D. non-repudiation

Which of the following would provide additional security by adding another factor to a smart card?
A. Token
B. Proximity badge
C. Physical key
D. PIN

A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure?
A. L2TP with MAC filtering
B. EAP-TTLS
C. WPA2-CCMP with PSK
D. RADIUS federation

Which of the following uses precomputed hashes to guess passwords?
A. Iptables
B. NAT tables
C. Rainbow tables
D. ARP tables

A systems administrator wants to provide a balance between the security of a wireless network and usability. The administrator is concerned with wireless encryption compatibility of older devices used by some employees. Which of the following would provide strong security and backward compatibility when accessing the wireless network?
A. Open wireless network and SSL VPN
B. WPA using a preshared key
C. WPA2 using a RADIUS back-end for 802.1x authentication
D. WEP with a 40-bit key

A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO)
A. Install an additional firewall
B. Implement a redundant email server
C. Block access to personal email on corporate systems
D. Update the X.509 certificates on the corporate email server
E. Update corporate policy to prohibit access to social media websites
F. Review access violations on the file server

A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact?
A. Launch an investigation to identify the attacking host
B. Initiate the incident response plan
C. Review lessons learned captured in the process
D. Remove malware and restore the system to normal operation

Joe, a salesman, was assigned to a new project that requires him to travel to a client site. While waiting for a flight, Joe decides to connect to the airport wireless network without connecting to a VPN, and then sends confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon investigation, the company learns Joe's emails were intercepted. Which of the following MOST likely caused the data breach?
A. Policy violation
B. Social engineering
C. Insider threat
D. Zero-day attack

A company is performing an analysis of the corporate enterprise network with the intent of identifying what will cause losses in revenue, referrals, and/or reputation when out of commission. Which of the following is an element of a BIA that is being addressed?
A. Mission-essential function
B. Single point of failure
C. Backup and restoration plans
D. Identification of critical systems

A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use?
A. Shredding
B. Wiping
C. Low-level formatting
D. Repartitioning
E. Overwriting

A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the FIRST step the forensic expert needs to take to preserve the chain of custody?
A. Make a forensic copy
B. Create a hash of the hard drive
C. Recover the hard drive data
D. Update the evidence log

An incident response manager has started to gather all the facts related to a SIEM alert showing multiple systems may have been compromised. The manager has gathered these facts:
The breach is currently indicated on six user PCs
One service account is potentially compromised
Executive management has been notified
In which of the following phases of the IRP is the manager currently working?
A. Recovery
B. Eradication
C. Containment
D. Identification

A stock trading company had the budget for enhancing its secondary datacenter approved. Since the main site is in a hurricane-affected area and the disaster recovery site is 100 mi (161 km) away, the company wants to ensure its business is always operational with the least amount of man hours needed. Which of the following types of disaster recovery sites should the company implement?
A. Hot site
B. Warm site
C. Cold site
D. Cloud-based site

Users from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKIs to work together without connection errors?
A. Trust model
B. Stapling
C. Intermediate CA
D. Key escrow

A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk?
A. Enable CHAP
B. Disable NTLM
C. Enable Kerberos
D. Disable PAP

A security analyst is reviewing an assessment report that includes software versions, running services, supported encryption algorithms, and permission settings. Which of the following produced the report?
A. Vulnerability scanner
B. Protocol analyzer
C. Network mapper
D. Web inspector

A Chief Information Officer (CIO) asks the company's security specialist if the company should spend any funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware infection for a server is 5 and the annual cost for the malware protection
Which of the following SLE values warrants a recommendation against purchasing the malware protection?
A. $500
B. $1000
C. $2000
D. $2500

A recent internal audit is forcing a company to review each internal business unit's VMs because the cluster they are installed on is in danger of running out of computing resources. Which of the following vulnerabilities exists?
A. Buffer overflow
B. End-of-life systems
C. System sprawl
D. Weak configuration

A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed?
A. Aggressive scan
B. Passive scan
C. Non-credentialed scan
D. Compliance scan

Two users must encrypt and transmit large amounts of data between them. Which of the following should they use to encrypt and transmit the data?
A. Symmetric algorithm
B. Hash function
C. Digital signature
D. Obfuscation

A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy?
A. Physical
B. Corrective
C. Technical
D. Administrative

A software developer is concerned about DLL hijacking in an application being written. Which of the following is the MOST viable mitigation measure for this type of attack?
A. The DLL of each application should be set individually
B. All calls to different DLLs should be hard-coded in the application
C. Access to DLLs from the Windows registry should be disabled
D. The affected DLLs should be renamed to avoid future hijacking

An application was recently compromised after some malformed data came in via a web form. Which of the following would MOST likely have prevented this?
A. Input validation
B. Proxy server
C. Stress testing
D. Encoding

While working on an incident, Joe, a technician, finished restoring the OS and applications on a workstation from the original media. Joe is about to begin copying the user's files back onto the
Which of the following incident response steps is Joe working on now?
A. Recovery
B. Eradication
C. Containment
D. Identification

A systems administrator found a suspicious file in the root of the file system. The file contains URLs, usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file?
A. Keylogger
B. Rootkit
C. Bot
D. RAT

A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take?
A. Identify the source of the active connection
B. Perform eradication of the active connection and recover
C. Perform the containment procedure by disconnecting the server
D. Format the server and restore its initial configuration

A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using?
A. Banner grabbing
B. Port scanning
C. Packet sniffing
D. Virus scanning

A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure?
A. Accounting
B. Authorization
C. Authentication
D. Identification

A security administrator installed a new network scanner that identifies new host systems on the
Which of the following did the security administrator install?
A. Vulnerability scanner
B. Network-based IDS
C. Rogue system detection
D. Configuration compliance scanner

A Chief Information Officer (CIO) has decided it is not cost effective to implement safeguards against a known vulnerability. Which of the following risk responses does this BEST describe?
A. Transference
B. Avoidance
C. Mitigation
D. Acceptance

A technician is investigating a potentially compromised device with the following symptoms:
Frequent browser crashes
New search toolbar
Increased memory consumption
Which of the following types of malware has infected the system?
A. Man-in-the-browser
B. Spoofer
C. Spyware
D. Adware

A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over untrusted media. Which of the following BEST describes the action performed by this type of application?
A. Hashing
B. Key exchange
C. Encryption
D. Obfuscation

An audit report has identified a weakness that could allow unauthorized personnel access to the facility at its main entrance and from there gain access to the network. Which of the following would BEST resolve the vulnerability?
A. Faraday cage
B. Air gap
C. Mantrap
D. Bollards

When attempting to secure a mobile workstation, which of the following authentication technologies rely on the user's physical characteristics? (Select TWO)
A. MAC address table
B. Retina scan
C. Fingerprint scan
D. Two-factor authentication
E. CAPTCHA
F. Password string

Systems administrators and key support staff come together to simulate a hypothetical interruption of service. The team updates the disaster recovery processes and documentation after meeting. Which of the following describes the team's efforts?
A. Business impact analysis
B. Continuity of operations
C. Tabletop exercise
D. Order of restoration

A company has two wireless networks utilizing captive portals. Some employees report getting a trust error in their browsers when connecting to one of the networks. Both captive portals are using the same server certificate for authentication, but the analyst notices the following differences between the two certificate details:
Geotrust Global CA
Certificate 2
A. Use a wildcard certificate.
B. Use certificate chaining.
C. Use a trust model.
D. Use an extended validation certificate.

Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions' infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources?
A. Attestation
B. Federation
C. Single sign-on
D. Kerberos

A technician is configuring a load balancer for the application team to accelerate the network performance of their applications. The applications are hosted on multiple servers and must be
Given this scenario, which of the following would be the BEST method of configuring the load balancer?
A. Round-robin
B. Weighted
C. Least connection
D. Locality-based

An organization's employees currently use three different sets of credentials to access multiple internal resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal?
A. Transitive trust
B. Single sign-on
C. Federation
D. Secure token

An external attacker can modify the ARP cache of an internal computer. Which of the following types of attacks is described?
A. Replay
B. Spoofing
C. DNS poisoning
D. Client-side attack

A systems administrator has isolated an infected system from the network and terminated the malicious process from executing. Which of the following should the administrator do NEXT according to the incident response process?
A. Restore lost data from a backup.
B. Wipe the system.
C. Document the lessons learned.
D. Determine the scope of impact.

A new security administrator ran a vulnerability scanner for the first time and caused a system
Which of the following types of scans MOST likely caused the outage?
A. Non-intrusive credentialed scan
B. Non-intrusive non-credentialed scan
C. Intrusive credentialed scan
D. Intrusive non-credentialed scan

A security analyst is hardening a WiFi infrastructure. The primary requirements are the following:
The infrastructure must allow staff to authenticate using the most secure method.
The infrastructure must allow guests to use an "open" WiFi network that logs valid email addresses before granting access to the Internet.
Given these requirements, which of the following statements BEST represents what the analyst should recommend and configure?
A. Configure a captive portal for guests and WPS for staff.
B. Configure a captive portal for staff and WPA for guests.
C. Configure a captive portal for staff and WEP for guests.
D. Configure a captive portal for guests and WPA2 Enterprise for staff.

A security administrator is trying to eradicate a worm, which is spreading throughout the organization, using an old remote vulnerability in the SMB protocol. The worm uses Nmap to identify target hosts within the company. The administrator wants to implement a solution that will eradicate the current worm and any future attacks that may be using zero-day vulnerabilities. Which of the following would BEST meet the requirements when implemented?
A. Host-based firewall
B. Enterprise patch management system
C. Network-based intrusion prevention system
D. Application blacklisting
E. File integrity checking

Which of the following is a deployment concept that can be used to ensure only the required OS access is exposed to software applications?
A. Staging environment
B. Sandboxing
C. Secure baseline
D. Trusted OS

A procedure differs from a policy in that it:
A. is a high-level statement regarding the company's position on a topic.
B. sets a minimum expected baseline of behavior.
C. provides step-by-step instructions for performing a task.
D. describes adverse actions when violations occur.

Ann, a user, reports she is unable to access an application from her desktop. A security analyst verifies Ann's access and checks the SIEM for any errors. The security analyst reviews the log file from Ann's system and notices the following output:
Which of the following is MOST likely preventing Ann from accessing the application from the
A. Web application firewall
B. DLP
C. Host-based firewall
D. UTM
E. Network-based firewall

Which of the following types of penetration test will allow the tester to have access only to password hashes prior to the penetration test?
A. Black box
B. Gray box
C. Credentialed
D. White box

Which of the following threats has sufficient knowledge to cause the MOST danger to an organization?
A. Competitors
B. Insiders
C. Hacktivists
D. Script kiddies

While troubleshooting a client application connecting to the network, the security administrator notices the following error: Certificate is not valid. Which of the following is the BEST way to check if the digital certificate is valid?
A. PKI
B. CRL
C. CSR
D. IPSec

A business sector is highly competitive, and safeguarding trade secrets and critical information is paramount. On a seasonal basis, an organization employs temporary hires and contractor personnel to accomplish its mission objectives. The temporary and contract personnel require access to network resources only when on the clock. Which of the following account management practices are the BEST ways to manage these accounts?
A. Employ time-of-day restrictions.
B. Employ password complexity.
C. Employ a random key generator strategy.
D. Employ an account expiration strategy.
E. Employ a password lockout policy.

Which of the following locations contains the MOST volatile data?
A. SSD
B. Paging file
C. RAM
D. Cache memory

Ann, a customer, is reporting that several important files are missing from her workstation. She recently received communication from an unknown party who is requesting funds to restore the files. Which of the following attacks has occurred?
A. Ransomware
B. Keylogger
C. Buffer overflow
D. Rootkit

Every morning, a systems administrator monitors failed login attempts on the company's log management server. The administrator notices the DBAdmin account has five failed username and/or password alerts during a ten-minute window. The systems administrator determines the user account is a dummy account used to attract attackers. Which of the following techniques should the systems administrator implement?
A. Role-based access control
B. Honeypot
C. Rule-based access control
D. Password cracker

Joe, a user, has been trying to send Ann, a different user, an encrypted document via email. Ann has not received the attachment but is able to receive the header information. Which of the following is MOST likely preventing Ann from receiving the encrypted file?
A. Unencrypted credentials
B. Authentication issues
C. Weak cipher suite
D. Permission issues

A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control?
A. Discretionary access control
B. Mandatory access control
C. Role-based access control
D. Rule-based access control

An analyst is using a vulnerability scanner to look for common security misconfigurations on
Which of the following might be identified by the scanner? (Select TWO)
A. The firewall is disabled on workstations.
B. SSH is enabled on servers.
C. Browser homepages have not been customized.
D. Default administrator credentials exist on networking hardware.
E. The OS is only set to check for updates once a day.

A security analyst is reviewing patches on servers. One of the servers is reporting the following error message in the WSUS management console:
The computer has not reported status in 30 days.
Given this scenario, which of the following statements BEST represents the issue with the output above?
A. The computer in question has not pulled the latest ACL policies for the firewall.
B. The computer in question has not pulled the latest GPO policies from the management server.
C. The computer in question has not pulled the latest antivirus definitions from the antivirus program.
D. The computer in question has not pulled the latest application software updates.

A security administrator is reviewing the following PowerShell script referenced in the Task Scheduler on a database server:
Which of the following did the security administrator discover?
A. Ransomware
B. Backdoor
C. Logic bomb
D. Trojan

A bank is experiencing a DoS attack against an application designed to handle 500 IP-based
In addition, the perimeter router can only handle 1 Gbps of traffic. Which of the following should be implemented to prevent DoS attacks in the future?
A. Deploy multiple web servers and implement a load balancer
B. Increase the capacity of the perimeter router to 10 Gbps
C. Install a firewall at the network to prevent all attacks
D. Use redundancy across all network devices and services

A malicious system continuously sends an extremely large number of SYN packets to a server. Which of the following BEST describes the resulting effect?
A. The server will be unable to serve clients due to lack of bandwidth
B. The server's firewall will be unable to effectively filter traffic due to the amount of data transmitted
C. The server will crash when trying to reassemble all the fragmented packets
D. The server will exhaust its memory maintaining half-open connections

A systems administrator is deploying a new mission-essential server into a virtual environment. Which of the following is BEST mitigated by the environment's rapid elasticity characteristic?
A. Data confidentiality breaches
B. VM escape attacks
C. Lack of redundancy
D. Denial of service

Which of the following is the proper order for logging a user into a system from the first step to the last step?
A. Identification, authentication, authorization
B. Identification, authorization, authentication
C. Authentication, identification, authorization
D. Authorization, identification, authentication

A company stores highly sensitive data files used by the accounting system on a server file share. The accounting system uses a service account named accounting-svc to access the file share. The data is protected with full disk encryption, and the permissions are set as follows:
File system permissions: Users = Read Only
Share permission: accounting-svc = Read Only
Given the listed protections are in place and unchanged, to which of the following risks is the data still subject?
A. Exploitation of local console access and removal of data
B. Theft of physical hard drives and a breach of confidentiality
C. Remote exfiltration of data using domain credentials
D. Disclosure of sensitive data to third parties due to excessive share permissions

A bank uses a wireless network to transmit credit card purchases to a billing system. Which of the following would be MOST appropriate to protect credit card information from being accessed by unauthorized individuals outside of the premises?
A. Air gap
B. Infrared detection
C. Faraday cage
D. Protected distribution

A help desk technician receives a phone call from an individual claiming to be an employee of the organization and requesting assistance to access a locked account. The help desk technician asks the individual to provide proof of identity before access can be granted. Which of the following types of attack is the caller performing?
A. Phishing
B. Shoulder surfing
C. Impersonation
D. Dumpster diving

Confidential emails from an organization were posted to a website without the organization's knowledge. Upon investigation, it was determined that the emails were obtained from an internal actor who sniffed the emails in plain text. Which of the following protocols, if properly implemented, would have MOST likely prevented the emails from being sniffed? (Select TWO)
A. Secure IMAP
B. DNSSEC
C. S/MIME
D. SMTPS
E. HTTPS

A company wants to implement an access management solution that allows employees to use the same usernames and passwords for multiple applications without having to keep multiple
Which of the following solutions would BEST meet these requirements?
A. Multifactor authentication
B. SSO
C. Biometrics
D. PKI
E. Federation

An external auditor visits the human resources department and performs a physical security assessment. The auditor observed documents on printers that are unclaimed. A closer look at these documents reveals employee names, addresses, ages, and types of medical and dental coverage options each employee has selected.

Which of the following represents the MOST secure method of time synchronization?
A. The server should connect to external Stratum 0 NTP servers for synchronization
B. The server should connect to internal Stratum 0 NTP servers for synchronization
C. The server should connect to external Stratum 1 NTP servers for synchronization
D. The server should connect to external Stratum 1 NTP servers for synchronization

When sending messages using symmetric encryption, which of the following must happen FIRST?
A. Exchange encryption key
B. Establish digital signatures
C. Agree on an encryption method
D. Install digital certificates

Which of the following scenarios BEST describes an implementation of non-repudiation?
A. A user logs into a domain workstation and accesses network file shares for another department
B. A user remotely logs into the mail server with another user's credentials
C. A user sends a digitally signed email to the entire finance department about an upcoming meeting
D. A user accesses the workstation registry to make unauthorized changes to enable functionality within an application

An office manager found a folder that included documents with various types of data relating to corporate clients. The office manager noticed the data included dates of birth, addresses, and phone numbers for the clients. The office manager then reported this finding to the security compliance officer. Which of the following portions of the policy would the security officer need to consult to determine if a breach has occurred?
A. Public
B. Private
C. PHI
D. PII

Which of the following is an asymmetric function that generates a new and separate key every time it runs?
A. RSA
B. DSA
C. DHE
D. HMAC
E. PBKDF2

Which of the following would be considered multifactor authentication?
A. Hardware token and smart card
B. Voice recognition and retina scan
C. Strong password and fingerprint
D. PIN and security questions

A user receives an email from an ISP indicating malicious traffic coming from the user's home network has been detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as being taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening?
A. The camera system is infected with a bot.
B. The camera system is infected with a RAT.
C. The camera system is infected with a Trojan.
D. The camera system is infected with a backdoor.

A security auditor is testing perimeter security in a building that is protected by badge readers. Which of the following types of attacks would MOST likely gain access?
A. Phishing
B. Man-in-the-middle
C. Tailgating
D. Watering hole
E. Shoulder surfing

An organization wants to upgrade its enterprise-wide desktop computer solution. The organization currently has 500 PCs active on the network. The Chief Information Security Officer (CISO) suggests that the organization employ desktop imaging technology for such a large-scale upgrade. Which of the following is a security benefit of implementing an imaging solution?
A. It allows for faster deployment
B. It provides a consistent baseline
C. It reduces the number of vulnerabilities
D. It decreases the boot time

An organization has implemented IPSec VPN access for remote users. Which of the following IPSec modes would be the MOST secure for this organization to implement?
A. Tunnel mode
B. Transport mode
C. AH-only mode
D. ESP-only mode

Several workstations on a network are found to be on OS versions that are vulnerable to a specific
Which of the following is considered to be a corrective action to combat this vulnerability?
A. Install an antivirus definition patch
B. Educate the workstation users
C. Leverage server isolation
D. Install a vendor-supplied patch
E. Install an intrusion detection system

A security administrator suspects that a DDoS attack is affecting the DNS server. The administrator accesses a workstation with the hostname of workstation01 on the network and obtains the following output from the ipconfig command:
The administrator successfully pings the DNS server from the workstation. Which of the following commands should be issued from the workstation to verify the DDoS attack is no longer occurring?
A. dig www.google.com
B. dig 192.168.1.254
C. dig workstation01.com
D. dig 192.168.1.26

A security administrator has configured a RADIUS and a TACACS+ server on the company's network. Network devices will be required to connect to the TACACS+ server for authentication and send accounting information to the RADIUS server. Given the following information:
RADIUS IP: 192.168.20.45
TACACS+ IP: 10.23.65.7
Which of the following should be configured on the network clients? (Select TWO)
A. Accounting port: TCP 389
B. Accounting port: UDP 1812
C. Accounting port: UDP 1813
D. Authentication port: TCP 49
E. Authentication port: TCP 88
F. Authentication port: UDP 636

A number of employees report that parts of an ERP application are not working. The systems administrator reviews the following information from one of the employee workstations:
Execute permission denied: financemodule.dll
Execute permission denied: generalledger.dll
Which of the following should the administrator implement to BEST resolve this issue while minimizing risk and attack exposure?
A. Update the application blacklist
B. Verify the DLLs' file integrity
C. Whitelist the affected libraries
D. Place the affected employees in the local administrators group

A Chief Information Security Officer (CISO) has tasked a security analyst with assessing the security posture of an organization and which internal factors would contribute to a security compromise. The analyst performs a walk-through of the organization and discovers there are multiple instances of unlabeled optical media on office desks. Employees in the vicinity either do not claim ownership or disavow any knowledge concerning who owns the media. Which of the following is the MOST immediate action to be taken?
A. Confiscate the media and dispose of it in a secure manner as per company policy.
B. Confiscate the media, insert it into a computer, find out what is on the disc, and then label it and return it to where it was found.
C. Confiscate the media and wait for the owner to claim it. If it is not claimed within one month, shred it.
D. Confiscate the media, insert it into a computer, make a copy of the disc, and then return the original to where it was found.