651-675

Question 1

A security engineer is reviewing log files after a third party discovered usernames and passwords for the organization’s accounts. The engineer sees there was a change in the IP address for a vendor website one week earlier. This change lasted eight hours. Which of the following attacks was MOST likely used?

A. Man-in-the-middle
B. Spear-phishing
C. Evil twin
D. DNS poisoning

Answer 1

D. DNS poisoning

Question 2

A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following:

• The legitimate website’s IP address is 10.1.1.20 and eRecruit.local resolves to this IP.
• The forged website’s IP address appears to be 10.2.12.99, based on NetFlow records.
• All three of the organization’s DNS servers show the website correctly resolves to the legitimate IP.
• DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise.

Which of the following MOST likely occurred?

A. A reverse proxy was used to redirect network traffic.
B. An SSL strip MITM attack was performed.
C. An attacker temporarily poisoned a name server.
D. An ARP poisoning attack was successfully executed.

Answer 2

C. An attacker temporarily poisoned a name server.

Question 3

A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the following types of controls should be used to reduce the risk created by this scenario?

A. Physical
B. Detective
C. Preventive
D. Compensating

Answer 3

D. Compensating

Question 4

Which of the following is a team of people dedicated to testing the effectiveness of organizational security programs by emulating the techniques of potential attackers?

A. Red team
B. White team
C. Blue team
D. Purple team

Answer 4

A. Red team

Question 5

A security assessment determines DES and 3DES are still being used on recently deployed production servers. Which of the following did the assessment identify?

A. Unsecure protocols
B. Default settings
C. Open permissions
D. Weak encryption

Answer 5

D. Weak encryption

Question 6

The cost of removable media and the security risks of transporting data have become too great for a laboratory. The laboratory has decided to interconnect with partner laboratories to make data transfers easier and more secure. The Chief Security Officer (CSO) has several concerns about proprietary data being exposed once the interconnections are established. Which of the following security features should the network administrator implement to prevent unwanted data exposure to users in partner laboratories?

A. VLAN zoning with a file-transfer server in an external-facing zone
B. DLP running on hosts to prevent file transfers between networks
C. NAC that permits only data-transfer agents to move data between networks
D. VPN with full tunneling and NAS authenticating through the Active Directory

Answer 6

A. VLAN zoning with a file-transfer server in an external-facing zone

Question 7

A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better:

A. validate the vulnerability exists in the organization’s network through penetration testing.
B. research the appropriate mitigation techniques in a vulnerability database.
C. find the software patches that are required to mitigate a vulnerability.
D. prioritize remediation of vulnerabilities based on the possible impact.

Answer 7

D. prioritize remediation of vulnerabilities based on the possible impact.

Question 8

A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able to detect the following message: “Special privileges assigned to new logon.” Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected?

A. Pass-the-hash
B. Buffer overflow
C. Cross-site scripting
D. Session replay

Answer 8

A. Pass-the-hash

Question 9

Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?

A. Watering-hole attack
B. Credential harvesting
C. Hybrid warfare
D. Pharming

Answer 9

A. Watering-hole attack

Question 10

As company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring?

A. A BPDU guard
B. WPA-EAP
C. IP filtering
D. A WIDS

Answer 10

B. WPA-EAP

Question 11

In the middle of a cyberattack, a security engineer removes the infected devices from the network and locks down all compromised accounts. In which of the following incident response phases is the security engineer currently operating?

A. Identification
B. Preparation
C. Lessons learned
D. Eradication
E. Recovery
F. Containment

Answer 11

F. Containment

Question 12

A network administrator would like to configure a site-to-site VPN utilizing IPSec. The administrator wants the tunnel to be established with data integrity, encryption, authentication, and anti-replay functions. Which of the following should the administrator use when configuring the VPN?

A. AH
B. EDR
C. ESP
D. DNSSEC

Answer 12

C. ESP

Question 13

A security incident may have occurred on the desktop PC of an organization’s Chief Executive Officer (CEO). A duplicate copy of the CEO’s hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?

A. Install a new hard drive in the CEO’s PC, and then remove the old hard drive and place it in a tamper-evident bag.
B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
C. Remove the CEO’s hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while the CEO watches.
D. Refrain from completing a forensic analysis of the CEO’s hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence.

Answer 13

B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.

Question 14

A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the fastest check with the least delay to determine if the certificate has been revoked. Which of the following would BEST meet these requirements?

A. RA
B. OCSP
C. CRL
D. CSR

Answer 14

C. CRL

Question 15

A security administrator needs to create a RAID configuration that is focused on high read speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the following RAID configurations should the administrator use?

A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10

Answer 15

D. RAID 10

Question 16

Which of the following algorithms has the SMALLEST key size?

A. DES
B. Twofish
C. RSA
D. AES

Answer 16

A. DES

Question 17

During an incident response, a security analyst observes the following log entry on the web server:

GET http://www.companysite.com/product_info.php?
show=../../../../etc/passwrd HTTP/1.1
Host: www.companysite.com

Which of the following BEST describes the type of attack the analyst is experiencing?

A. SQL injection
B. Cross-site scripting
C. Pass-the-hash
D. Directory traversal

Answer 17

D. Directory traversal

Question 18

A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The terminal is beyond end-of-life support and cannot be upgraded, so it is placed on a protected network segment. Which of the following would be MOST effective to implement to further mitigate the reported vulnerability?

A. DNS sinkholing
B. DLP rules on the terminal
C. An IP blacklist
D. Application whitelisting

Answer 18

D. Application whitelisting

Question 19

A document that appears to be malicious has been discovered in an email that was sent to a company’s Chief Financial Officer (CFO). Which of the following would be BEST to allow a security analyst to gather information and confirm it is a malicious document without executing any code it may contain?

A. Open the document on an air-gapped network.
B. View the document’s metadata for origin clues.
C. Search for matching file hashes on malware websites.
D. Detonate the document in an analysis sandbox.

Answer 19

C. Search for matching file hashes on malware websites.

Question 20

A security analyst has received an alert about PII being sent via email. The analyst’s Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate?

A. S/MIME
B. DLP
C. IMAP
D. HIDS

Answer 20

B. DLP

Question 21

A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media?

A. Monitoring large data transfer transactions in the firewall logs
B. Developing mandatory training to educate employees about the removable media policy
C. Implementing a group policy to block user access to system files
D. Blocking removable-media devices and write capabilities using a host-based security tool

Answer 21

D. Blocking removable-media devices and write capabilities using a host-based security tool

Question 22

After a ransomware attack, a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction?

A. The public ledger
B. The NetFlow data
C. A checksum
D. The event log

Answer 22

A. The public ledger

Question 23

A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure?

A. A captive portal
B. PSK
C. 802.1X
D. WPS

Answer 23

C. 802.1X

Question 24

A security analyst is reviewing the following attack log output:

user comptia\john.smith attempted to login with the password123
user comptia\john.doe attempted to login with the password123
user comptia\user.1 attempted to login with the password123
user comptia\user.2 attempted to login with the password123
user comptia\user.3 attempted to login with the password123

user comptia\john.smith attempted to login with the password234
user comptia\john.doe attempted to login with the password234
user comptia\user.1 attempted to login with the password234
user comptia\user.2 attempted to login with the password234
user comptia\user.3 attempted to login with the password234

Which of the following types of attacks does this MOST likely represent?

A. Rainbow table
B. Brute-force
C. Password-spraying
D. Dictionary

Answer 24

C. Password-spraying

Question 25

An organization has hired a security analyst to perform a penetration test. The analyst captures 1Gb worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap?

A. Nmap
B. cURL
C. Netcat
D. Wireshark

Answer 25

D. Wireshark