PFS 1-50 Flashcards

1
Q

A security analyst is reviewing the following output from a system:

TCP 192.168.10.10:80 192.168.1.2:60101 TIME_WAIT
TCP 192.168.10.10:80 192.168.1.2:60102 TIME_WAIT
TCP 192.168.10.10:80 192.168.1.2:60103 TIME_WAIT
TCP 192.168.10.10:80 192.168.1.2:60104 TIME_WAIT
TCP 192.168.10.10:80 192.168.1.2:60105 TIME_WAIT
TCP 192.168.10.10:80 192.168.1.2:60106 TIME_WAIT
TCP 192.166.10.10:80 192.168.1.2:60107 TIME_WAIT
TCP 192.168.10.10:80 192.168.1.2:60108 TIME_WAIT
TCP 192.168.10.10:80 192.168.1.2:60109 TIME_WAIT
TCP 192.168.10.10:80 192.168.1.2:60110 TIME_WAIT

Which of the following is MOST likely being observed?

A.) ARP poisoning
B.) Man in the middle
C.) Denial of service
D.) DNS poisoning

A

C. Denial of Service

2
Q

A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Choose two.)

A The order of volatility
B A CRC32 checksum
C The provenance of the artifacts
D The vendor’s name
E The date and time
F A warning banner

A

C The provenance of the artifacts
E The date and time

3
Q

Which of the following provides a calculated value for known vulnerabilities so organizations can prioritize mitigation steps?

A CVSS
B SIEM
C SOAR
D CVE

A

A. CVSS

4
Q

A penetration tester is fuzzing an application to identify where the EIP of the stack is located in memory. Which of the following attacks is the penetration tester planning to execute?

A Race condition
B Pass the hash
C Buffer overflow
D XSS

A

C. Buffer Overflow

5
Q

A security engineer is reviewing log files after a third party discovered usernames and passwords for the organization’s accounts. The engineer sees there was a change in the IP address for a vendor website one week earlier. This change lasted eight hours. Which of the following attacks was MOST likely used?

A Man-in-the-middle
B Spear-phishing
C Evil twin
D DNS poisoning

A

D. DNS Poisoning

6
Q

A company recently decided to allow its employees to use their personally owned devices for tasks like checking email and messaging via mobile applications. The company would like to use MDM, but employees are concerned about the loss of personal data. Which of the following should the IT department implement to BEST protect the company against company data loss while still addressing the employees’ concerns?

A Enable the remote wiping option in the MDM software in case the phone is stolen.
B Configure the MDM software to enforce the use of PINs to access the phone
C Configure MDM for FDE without enabling the lock screen.
D Perform a factory reset on the phone before installing the company’s applications.

A

B. Configure the MDM software to enforce the use of PINs to access the phone

7
Q

A SOC operator is analyzing a log file that contains the following entries:

[06-Apr-2021-18:00:06] GET /index.php/../../etc/passwd

[06-Apr-2021-18:01:07] GET /index.php/../../etc/shadow

[06-Apr-2021-18:01:26] GET /index.php/../../../../../../../etc/passwd

[06-Apr-2021-18:02:16] GET /index.php?var1=;cat /etc/passwd;&var2=7865tgydk

[06-Apr-2021-18:02:56] GET /index.php?var1=;cat /etc/shadow;&var2=7865tgydk

Which of the following explains these log entries?

A SQL injection and improper input-handling attempts
B Cross-site scripting and resource exhaustion attempts
C Command injection and directory traversal attempts
D Error handling and privilege escalation attempts

A

C. Command injection and directory traversal attempts

8
Q

An analyst visits an Internet forum looking for information about a tool. The analyst finds a thread that appears to contain relevant information. One of the posts says the following:

Hello everyone,
I am having the same problem with my server. Can you help me?
<script type="text/javascript" src="http://website.com/user.js">
onload=sqlexec();
</script>
Thank you,
Joe

Which of the following BEST describes the attack that was attempted against the forum readers?

A SQLi attack
B DLL attack
C XSS attack
D API attack

A

C. XSS attack

9
Q

A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization’s executives determine their next course of action?

A An incident response plan
B A communication plan
C A disaster recovery plan
D A business continuity plan

A

D. A business continuity plan

10
Q

A security analyst is concerned about traffic initiated to the dark web from the corporate LAN. Which of the following networks should the analyst monitor?

A SETP
B AIS
C Tor
D IOC

A

C. Tor

11
Q

If a current private key is compromised, which of the following would ensure it cannot be used to decrypt all historical data?

A Perfect forward secrecy
B Elliptic-curve cryptography
C Key stretching
D Homomorphic encryption

A

A. Perfect forward secrecy

12
Q

After gaining access to a dual-homed (i.e., wired and wireless) multifunction device by exploiting a vulnerability in the device’s firmware, a penetration tester then gains shell access on another networked asset. This technique is an example of:

A privilege escalation.
B footprinting.
C persistence.
D pivoting

A

D. Pivoting

13
Q

A software development manager wants to ensure the authenticity of the code created by the company. Which of the following options is the most appropriate?

A Testing input validation on the user input fields
B Performing code signing on company-developed software
C Performing static code analysis on the software
D Ensuring secure cookies are used

A

B. Performing code signing on company-developed software

14
Q

Cloud security engineers are planning to allow and deny access to specific features in order to increase data security. Which of the following cloud features is the most appropriate to ensure access is granted properly?

A API integrations
B Auditing
C Resource policies
D Virtual networks

A

A. API integrations

15
Q

An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has been given the documentation only available to the customers of the applications. Which of the following BEST represents the type of testing that will occur?

A Bug bounty
B Black-box
C Gray-box
D White-box

A

C. Gray-box

16
Q

An organization wants to implement a biometric system with the highest likelihood that an unauthorized user will be denied access. Which of the following should the organization use to compare biometric solutions?

A FRR
B Difficulty of use
C Cost
D FAR
E CER

A

D. FAR

17
Q

A security administrator is trying to determine whether a server is vulnerable to a range of attacks. After using a tool, the administrator obtains the following output:

HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache

root:s9fyf983#:0:1:System Operator:/:/bin/bash
daemon:*:1:1::/tmp:
user1:fi@su3FF:183:100:user:/home/users/user1:/bin/bash

Which of the following attacks was successfully implemented based on the output?

A Memory leak
B Race conditions
C SQL injection
D Directory traversal

A

D. Directory traversal

18
Q

A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal?

A Salting the magnetic strip information
B Encrypting the credit card information in transit
C Hashing the credit card numbers upon entry
D Tokenizing the credit cards in the database

A

D. Tokenizing the credit cards in the database

19
Q

After a recent ransomware attack on a company’s system, an administrator reviewed the log files. Which of the following control types did the administrator use?

A Compensating
B Detective
C Preventive
D Corrective

A

B. Detective

20
Q

Which of the following roles would most likely have direct access to the senior management team?

A Data custodian
B Data owner
C Data protection officer
D Data controller

A

D. Data controller

21
Q

An untrusted SSL certificate was discovered during the most recent vulnerability scan. A security analyst determines the certificate is signed properly and is a valid wildcard. This same certificate is installed on the other company servers without issue. Which of the following is the MOST likely reason for this finding?

A The required intermediate certificate is not loaded as part of the certificate chain.
B The certificate is on the CRL and is no longer valid.
C The corporate CA has expired on every server, causing the certificate to fail verification.
D The scanner is incorrectly configured to not trust this certificate when detected on the server.

A

D. The scanner is incorrectly configured to not trust this certificate when detected on the server.

22
Q

A user reports falling for a phishing email to an analyst. Which of the following system logs would the analyst check FIRST?

A DNS
B Message gateway
C Network
D Authentication

A

D. Authentication

23
Q

Which of the following must be considered when designing a high-availability network? (Choose two.)

A Ease of recovery
B Ability to patch
C Physical isolation
D Responsiveness
E Attack surface
F Extensible authentication

A

A. Ease of recovery
D. Responsiveness

24
Q

An organization suffered an outage, and a critical system took 90 minutes to come back online. Though there was no data loss during the outage, the expectation was that the critical system would be available again within 60 minutes. Which of the following is the 60-minute expectation an example of?

A MTBF
B RPO
C MTTR
D RTO

A

D. RTO

25
Q

A systems engineer thinks a business system has been compromised and is being used to exfiltrate data to a competitor. The engineer contacts the CSIRT. The CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else. Which of the following is the most likely reason for this request?

A The CSIRT thinks an insider threat is attacking the network.
B Outages of business-critical systems cost too much money.
C The CSIRT does not consider the systems engineer to be trustworthy.
D Memory contents, including fileless malware, are lost when the power is turned off.

A

D. Memory contents, including fileless malware, are lost when the power is turned off.

26
Q

Which of the following actions would be recommended to improve an incident response process? (Select one.)

A Train the team to identify the difference between events and incidents.
B Modify access so the IT team has full access to the compromised assets.
C Contact the authorities if a cybercrime is suspected.
D Restrict communication surrounding the response to the IT team.

A

A. Train the team to identify the difference between events and incidents.

27
Q

Which of the following is an example of transference of risk?

A Purchasing insurance
B Patching vulnerable servers
C Retiring outdated applications
D Application owner risk sign-off

A

A. Purchasing insurance

28
Q

Which of the following would be indicative of a hidden audio file found inside of a piece of source code?

A Steganography
B Homomorphic encryption
C Cipher suite
D Blockchain

A

A. Steganography

29
Q

An employee fell for a phishing scam, which allowed an attacker to gain access to a company PC. The attacker scraped the PC’s memory to find other credentials. Without cracking these credentials, the attacker used them to move laterally through the corporate network. Which of the following describes this type of attack?

A Privilege escalation
B Buffer overflow
C SQL injection
D Pass-the-hash

A

D. Pass-the-hash

30
Q

Which of the following is the best method for ensuring non-repudiation?

A SSO
B Digital certificate
C Token
D SSH key

A

B. Digital certificate

31
Q

Which of the following would provide guidelines on how to label new network devices as part of the initial configuration?

A IP schema
B Application baseline configuration
C Standard naming convention policy
D Wireless LAN and network perimeter diagram

A

C. Standard naming convention policy

32
Q

A security analyst is tasked with defining the “something you are” factor of the company’s MFA settings. Which of the following is BEST to use to complete the configuration?

A Gait analysis
B Vein
C Soft token
D HMAC-based, one-time password

A

D. HMAC-based, one-time password

33
Q

A company recently implemented a patch management policy; however, vulnerability scanners have still been flagging several hosts, even after the completion of the patch process. Which of the following is the MOST likely cause of the issue?

A The vendor firmware lacks support.
B Zero-day vulnerabilities are being discovered.
C Third-party applications are not being patched.
D Code development is being outsourced.

A

C. Third-party applications are not being patched.

34
Q

A bank insists all of its vendors must prevent data loss on stolen laptops. Which of the following strategies is the bank requiring?

A Encryption at rest
B Masking
C Data classification
D Permission restrictions

A

A. Encryption at rest

35
Q

A security assessment found that several embedded systems are running unsecure protocols. These systems were purchased two years ago, and the company that developed them is no longer in business. Which of the following constraints best describes the reason the findings cannot be remediated?

A Inability to authenticate
B Implied trust
C Lack of computing power
D Unavailable patch

A

D. Unavailable patch

36
Q

Which of the following documents specifies what to do in the event of catastrophic loss of a physical or virtual system?

A Data retention plan
B Incident response plan
C Disaster recovery plan
D Communication plan

A

C. Disaster recovery plan

37
Q

The Chief Technology Officer of a local college would like visitors to utilize the school’s Wi-Fi but must be able to associate potential malicious activity to a specific person. Which of the following would best allow this objective to be met?

A Requiring all new, on-site visitors to configure their devices to use WPS
B Implementing a new SSID for every event hosted by the college that has visitors
C Creating a unique PSK for every visitor when they arrive at the reception area
D Deploying a captive portal to capture visitors’ MAC addresses and names

A

D. Deploying a captive portal to capture visitors’ MAC addresses and names

38
Q

Which of the following organizations sets frameworks and controls for optimal security configuration on systems?

A ISO
B GDPR
C PCI DSS
D NIST

A

D. NIST

39
Q

A security analyst has received an alert about PII being sent via email. The analyst’s Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate?

A S/MIME
B DLP
C IMAP
D HIDS

A

B. DLP

40
Q

An organization discovered files with proprietary financial data have been deleted. The files have been recovered from backup, but every time the Chief Financial Officer logs in to the file server, the same files are deleted again. No other users are experiencing this issue. Which of the following types of malware is MOST likely causing this behavior?

A Logic bomb
B Cryptomalware
C Spyware
D Remote access Trojan

A

A. Logic bomb

41
Q

The compliance team requires an annual recertification of privileged and non-privileged user access. However, multiple users who left the company six months ago still have access. Which of the following would have prevented this compliance violation?

A Account audits
B AUP
C Password reuse
D SSO

A

A. Account audits

42
Q

Historically, a company has had issues with users plugging personally owned removable media devices into corporate computers. As a result, the threat of malware incidents is almost constant. Which of the following would best help prevent the malware from being installed on the computers?

A AUP
B NGFW
C DLP
D EDR

A

D. EDR

43
Q

A marketing coordinator is trying to access a social media application on a company laptop but is getting blocked. The coordinator opens a help desk ticket to report the issue. Which of the following documents should a security analyst review to determine whether accessing social media applications on a company device is permitted?

A Incident response policy
B Business continuity policy
C Change management policy
D Acceptable use policy

A

D. Acceptable use policy

44
Q

A security administrator needs a method to secure data in an environment that includes some form of checks so that the administrator can track any changes. Which of the following should the administrator set up to achieve this goal?

A SPF
B GPO
C NAC
D FIM

A

D. FIM

45
Q

Practical

A
46
Q

Stakeholders at an organization must be kept aware of any incidents and receive updates on status changes as they occur. Which of the following plans would fulfill this requirement?

A Communication plan
B Disaster recovery plan
C Business continuity plan
D Risk plan

A

A. Communication plan

47
Q

A security administrator performs weekly vulnerability scans on all cloud assets and provides a detailed report. Which of the following describes the administrator’s activities?

A Continuous deployment
B Continuous integration
C Data owners
D Data processor

A

D. Data processor

48
Q

A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows:

• Must be able to differentiate between users connected to WiFi
• The encryption keys need to change routinely without interrupting the users or forcing reauthentication
• Must be able to integrate with RADIUS
• Must not have open SSIDs

Which of the following options BEST accommodates these requirements?

A WPA2-Enterprise
B WPA3-PSK
C 802.11n
D WPS

A

A. WPA2-Enterprise

49
Q

A security analyst discovers that one of the web APIs is being abused by an unknown third party. Logs indicate that the third party is attempting to manipulate the parameters being passed to the API endpoint. Which of the following solutions would best help to protect against the attack?

A DLP
B SIEM
C NIDS
D WAF

A

D. WAF

50
Q

Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?

A SSAE SOC 2
B PCI DSS
C GDPR
D ISO 31000

A

C. GDPR