Topic 6 (newest questions) Flashcards

1
Q

A Chief Information Security Officer (CISO) asks the security architect to design a method for contractors to access the company’s internal wiki, corporate directory, and email services securely without allowing access to systems beyond the scope of their project. Which of the following methods would BEST fit the needs of the CISO?

VPN
PaaS
IaaS
VDI

A

VPN

2
Q

A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker would. Which of the following would BEST enable the analyst to complete the objective?

Perform a non-credentialed scan.
Conduct an intrusive scan.
Attempt escalation of privilege.
Execute a credentialed scan.

A

Perform a non-credentialed scan

3
Q

A contracting company recently completed its period of performance on a government contract and would like to destroy all information associated with contract performance. Which of the following is the best NEXT step for the company to take?

Consult data disposition policies in the contract.
Use a pulper or pulverizer for data destruction.
Retain the data for a period no more than one year.
Burn hard copies containing PII or PHI.

A

Consult data disposition policies in the contract.

4
Q

A threat actor motivated by political goals that is active for a short period of time but has virtually unlimited resources is BEST categorized as a:

hacktivist.
nation-state.
script kiddie.
APT.

A

nation-state

5
Q

Which of the following types of security testing is the MOST cost-effective approach used to analyze existing code and identify areas that require patching?

Black box
Gray box
White box
Red team
Blue team

A

White box

6
Q

A security analyst is assessing a small company’s internal servers against recommended security practices. Which of the following should the analyst do to conduct the assessment? (Select TWO).

Compare configurations against platform benchmarks.
Confirm adherence to the company’s industry-specific regulations.
Review the company’s current security baseline.
Verify alignment with policy related to regulatory compliance.
Run an exploitation framework to confirm vulnerabilities.

A

Review the company’s current security baseline.

and

Run an exploitation framework to confirm vulnerabilities

7
Q

A security analyst is emailing PII in a spreadsheet file to an audit validator for after-actions related to a security assessment. The analyst must make sure the PII data is protected with the following minimum requirements:

* Ensure confidentiality at rest.
* Ensure the integrity of the original email message.

Which of the following controls would ensure these data security requirements are carried out?

Encrypt and sign the email using S/MIME.
Encrypt the email and send it using TLS.
Hash the email using SHA-1.
Sign the email using MD5.

A

Encrypt and sign the email using S/MIME

8
Q

A member of the human resources department received the following email message after sending an email containing benefit and tax information to a candidate:

“Your message has been quarantined for the following policy violation: external_potential_PII. Please contact the IT security administrator for further details.”

Which of the following BEST describes why this message was received?

The DLP system flagged the message
The mail gateway prevented the message from being sent to personal email addresses.
The company firewall blocked the recipient’s IP address.
The file integrity check failed for the attached files.

A

The DLP system flagged the message

9
Q

Which of the following is the MOST likely motivation for a script kiddie threat actor?

Financial gain
Notoriety
Political expression
Corporate espionage

A

Notoriety

10
Q

A Chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the public-facing servers in the domain. Which of the following is a secure solution that is the MOST cost effective?

Create and install a self-signed certificate on each of the servers in the domain.
Purchase a load balancer and install a single certificate on the load balancer.
Purchase a wildcard certificate and implement it on every server.
Purchase individual certificates and apply them to the individual servers.

A

Purchase a load balancer and install a single certificate on the load balancer.

11
Q

Which of the following would provide a safe environment for an application to access only the resources needed to function while not having access to run at the system level?

Sandbox
Honey pot
GPO
DMZ

A

Sandbox

12
Q

Which of the following is a technical preventive control?

Two-factor authentication
DVR-supported cameras
Acceptable-use MOTD
Syslog server

A

Two-factor authentication

13
Q

A security administrator is reviewing the following firewall configuration after receiving reports that users are unable to connect to remote websites:

10 PERMIT FROM:ANY TO:ANY PORT:80
20 PERMIT FROM:ANY TO:ANY PORT:443
30 DENY FROM:ANY TO:ANY PORT:ANY

Which of the following is the MOST secure solution the security administrator can implement to fix this issue?

A. Add the following rule to the firewall: 5 PERMIT FROM:ANY TO:ANY PORT:53
B. Replace rule number 10 with the following rule: 10 PERMIT FROM:ANY TO:ANY PORT:22
C. Insert the following rule in the firewall: 25 PERMIT FROM:ANY TO:ANY PORTS:ANY
D. Remove the following rule from the firewall: 30 DENY FROM:ANY TO:ANY PORT:ANY

A

B. Replace rule number 10 with the following rule: 10 PERMIT FROM: ANY TO:ANY PORT:22

14
Q

A security analyst is hardening a large-scale wireless network. The primary requirements are the following:

  • Must use authentication through EAP-TLS certificates
  • Must use an AAA server
  • Must use the most secure encryption protocol

Given these requirements, which of the following should the analyst implement and recommend? (Select TWO).

802.1X
802.3
LDAP
TKIP
CCMP
WPA2-PSK

A

802.1X

and

WPA2-PSK

15
Q

A systems engineer is configuring a wireless network. The network must not require installation of third-party software. Mutual authentication of the client and the server must be used. The company has an internal PKI. Which of the following configurations should the engineer choose?

EAP-TLS
EAP-TTLS
EAP-FAST
EAP-MD5
PEAP

A

EAP-TLS

16
Q

Which of the following is the MOST significant difference between intrusive and non-intrusive vulnerability scanning?

One uses credentials, but the other does not.
One has a higher potential for disrupting system operations.
One allows systems to activate firewall countermeasures.
One returns service banners, including running versions.

A

One has a higher potential for disrupting system operations

17
Q

A systems administrator wants to configure an enterprise wireless solution that supports authentication over HTTPS and wireless encryption using AES. Which of the following should the administrator configure to support these requirements? (Select TWO).

802.1X
RADIUS federation
WPS
Captive portal
WPA2
WDS

A

802.1X

and

WPA2

18
Q

A company needs to fix some audit findings related to its physical security. A key finding was that multiple people could physically enter a location at the same time. Which of the following is the BEST control to address this audit finding?

Faraday cage
Mantrap
Biometrics
Proximity cards

A

Mantrap

19
Q

During a forensics investigation, which of the following must be addressed FIRST according to the order of volatility?

Hard drive
RAM
Network-attached storage
USB flash drive

A

RAM

20
Q

During a security audit of a company’s network, unsecure protocols were found to be in use. A network administrator wants to ensure browser-based access to company switches is using the most secure protocol. Which of the following protocols should be implemented?

SSH2
TLS1.2
SSL1.3
SNMPv3

A

TLS 1.2

21
Q

A security administrator has received multiple calls from the help desk about customers who are unable to access the organization’s web server. Upon reviewing the log files, the security administrator determines multiple open requests have been made from multiple IP addresses, which is consuming system resources. Which of the following attack types does this BEST describe?

DDoS
DoS
Zero day
Logic bomb

A

DDoS

22
Q

The security administrator has installed a new firewall which implements an implicit DENY policy by default.
Click on the firewall and configure it to allow ONLY the following communication.

See PDF 374

A

PDF 374

23
Q

A company utilizes 802.11 for all client connectivity within a facility. Users in one part of the building are reporting they are unable to access company resources when connected to the company SSID. Which of the following should the security administrator use to assess connectivity?

Sniffer
Honeypot
Routing tables
Wireless scanner

A

Routing tables

24
Q

A user loses a COPE device. Which of the following should the user do NEXT to protect the data on the device?

Call the company help desk to remotely wipe the device.
Report the loss to authorities.
Check with corporate physical security for the device.
Identify files that are potentially missing on the device.

A

Call the company help desk to remotely wipe the device

25
Q

Which of the following represents a multifactor authentication system?

An iris scanner coupled with a palm print reader and fingerprint scanner with liveness detection.
A secret passcode that prompts the user to enter a secret key if entered correctly.
A digital certificate on a physical token that is unlocked with a secret passcode.
A one-time password token combined with a proximity badge.

A

A one-time password token combined with a proximity badge

26
Q

A security team has downloaded a public database of the largest collection of password dumps on the Internet. This collection contains the cleartext credentials of every major breach for the last four years. The security team pulls and compares users' credentials to the database and discovers that more than 30% of the users were still using passwords discovered in this list. Which of the following would be the BEST combination to reduce the risks discovered?

Password length, password encryption, password complexity
Password complexity, least privilege, password reuse
Password reuse, password complexity, password expiration
Group policy, password history, password encryption

A

Password length, password encryption, password complexity

27
Q

A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The CIO wants to keep control over key visibility and management. Which of the following would be the BEST solution for the CIO to implement?

HSM
CA
SSH
SSL

A

HSM (hardware security module)

28
Q

A technician has been asked to document which services are running on each of a collection of 200 servers. Which of the following tools BEST meets this need while minimizing the work required?

Nmap
Nslookup
Netcat
Netstat

A

Netcat

29
Q

Which of the following BEST describes a security exploit for which a vendor patch is not readily available?

Integer overflow
Zero-day
End of life
Race condition

A

Zero-day

30
Q

A systems administrator is increasing the security settings on a virtual host to ensure users on one VM cannot access information from another VM. Which of the following is the administrator protecting against?

VM sprawl
VM escape
VM migration
VM sandboxing

A

VM escape

31
Q

Which of the following BEST distinguishes Agile development from other methodologies in terms of vulnerability management?

Cross-functional teams
Rapid deployments
Daily standups
Peer review
Creating user stories

A

Daily standups

32
Q

An organization wishes to allow its users to select devices for business use but does not want to overwhelm the service desk with requests for too many different device types and models. Which of the following deployment models should the organization use to BEST meet these requirements?

VDI environment
CYOD model
DAC model
BYOD model

A

CYOD model

33
Q

A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker would. Which of the following would BEST enable the analyst to complete the objective?

Perform a non-credentialed scan.
Conduct an intrusive scan.
Attempt escalation of privilege.
Execute a credentialed scan.

A

Perform a non-credentialed scan

34
Q

An organization’s IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization’s web servers. Given the organization’s stated priorities, which of the following would be the NEXT step?

Remove the affected servers from the network.
Review firewall and IDS logs to identify possible source IPs.
Identify and apply any missing operating system and software patches.
Delete the malicious software and determine if the servers must be reimaged.

A

Remove the affected servers from the network

35
Q

Which of the following is the proper use of a Faraday cage?

To block electronic signals sent to erase a cell phone
To capture packets sent to a honeypot during an attack
To protect hard disks from access during a forensics investigation
To restrict access to a building allowing only one person to enter at a time

A

To block electronic signals sent to erase a cell phone

36
Q

A security technician is configuring a new firewall appliance for a production environment. The firewall must support secure web services for client workstations on the 10.10.10.0/24 network. The same client workstations are configured to contact a server at 192.168.1.15/24 for domain name resolution. Which of the following rules should the technician add to the firewall to allow this connectivity for the client workstations? (Select TWO).

Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 22
Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 80
Permit 10.10.10.0/24 192.168.1.15/24 -p udp --dport 21
Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 443
Permit 10.10.10.0/24 192.168.1.15/24 -p tcp --dport 53
Permit 10.10.10.0/24 192.168.1.15/24 -p udp --dport 53

A

Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 443

and

Permit 10.10.10.0/24 192.168.1.15/24 -p tcp --dport 53

37
Q

A computer forensics analyst collected a flash drive that contained a single file with 500 pages of text. Which of the following algorithms should the analyst use to validate the integrity of the file?

3DES
AES
MD5
RSA

A

MD5

38
Q

A technician, who is managing a secure B2B connection, noticed the connection broke last night. All networking equipment and media are functioning as expected, which leads the technician to question certain PKI components. Which of the following should the technician use to validate this assumption? (Choose two.)

PEM
CER
SCEP
CRL
OCSP
PFX

A

CRL

and

OCSP

39
Q

The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead to:

arbitrary code execution.
resource exhaustion.
exposure of authentication credentials.
dereferencing of memory pointers.

A

Arbitrary code execution

40
Q

Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?

Watering-hole attack
Credential harvesting
Hybrid warfare
Pharming

A

Watering hole attack

41
Q

A contracting company recently completed its period of performance on a government contract and would like to destroy all information associated with contract performance. Which of the following is the best NEXT step for the company to take?

Consult data disposition policies in the contract.
Use a pulper or pulverizer for data destruction.
Retain the data for a period no more than one year.
Burn hard copies containing PII or PHI.

A

Consult data disposition policies in the contract

42
Q

A company has a team of penetration testers. This team has located a file on the company file server that they believe contains cleartext usernames followed by a hash. Which of the following tools should the penetration testers use to learn more about the content of this file?

Exploitation framework
Vulnerability scanner
Netcat
Password cracker

A

Password cracker

43
Q

An incident response analyst in a corporate security operations center receives a phone call from an SOC analyst. The SOC analyst explains the help desk recently reimaged a workstation that was suspected of being infected with an unknown type of malware; however, even after reimaging, the host continued to generate SIEM alerts. Which of the following types of malware is MOST likely responsible for producing the SIEM alerts?

Ransomware
Logic bomb
Rootkit
Adware

A

Rootkit

44
Q

A public relations team will be taking a group of guests on a tour through the facility of a large e-commerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against:

loss of proprietary information
damage to the company's reputation
social engineering
credential exposure

A

Social engineering

45
Q

A security analyst runs a monthly file integrity check on the main web server. When analyzing the logs, the analyst observed the following entry:

No OS patches were applied to this server during this period. Considering the log output, which of the following is the BEST conclusion?

The cmd.exe was executed on the scanned server between the two dates. An incident ticket should be created.
The iexplore.exe was executed on the scanned server between the two dates. An incident ticket should be created.
The cmd.exe was updated on the scanned server. An incident ticket should be created.
The iexplore.exe was updated on the scanned server. An incident ticket should be created.

A

The cmd.exe was updated on the scanned server. An incident ticket should be created.

46
Q

An employee opens a web browser and types a URL into the address bar. Instead of reaching the requested site, the browser opens a completely different site. Which of the following types of attacks have MOST likely occurred? (Choose two.)

DNS hijacking
Cross-site scripting
Domain hijacking
Man-in-the-browser
Session hijacking

A

DNS hijacking

and

Session hijacking

47
Q

An attacker has obtained the user ID and password of a datacenter’s backup operator and has gained access to a production system. Which of the following would be the attacker's NEXT action?

Perform a passive reconnaissance of the network.
Initiate a confidential data exfiltration process.
Look for known vulnerabilities to escalate privileges.
Create an alternate user ID to maintain persistent access.

A

Initiate a confidential data exfiltration process

48
Q

Which of the following documents would provide specific guidance regarding ports and protocols that should be disabled on an operating system?

Regulatory requirements
Secure configuration guide
Application installation guides
User manuals

A

Secure configuration guide

49
Q

A technician is investigating a report of unusual behavior and slow performance on a company-owned laptop. The technician runs a command and reviews the following information:

Based on the above information, which of the following types of malware should the technician report?

Spyware
Rootkit
RAT
Logic bomb

A

Spyware

50
Q

After a ransomware attack, a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction?

The public ledger
The NetFlow data
A checksum
The event log

A

The event log

51
Q

During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts. With which of the following is the auditor MOST likely concerned?

ARO/ALE
MTTR/MTBF
RTO/RPO
Risk assessment

A

RTO/RPO

52
Q

Which of the following provides PFS?

AES
RC4
DHE
HMAC

A

DHE (Ephemeral Diffie-Hellman)

53
Q

Joe, a contractor, is hired by a firm to perform a penetration test against the firm's infrastructure. While conducting the scan, he receives only the network diagram and the network list to scan against the network. Which of the following scan types is Joe performing?

Authenticated
White box
Automated
Gray box

A

Gray box

54
Q

A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media?

Monitoring large data transfer transactions in the firewall logs
Developing mandatory training to educate employees about the removable media policy
Implementing a group policy to block user access to system files
Blocking removable-media devices and write capabilities using a host-based security tool

A

Developing mandatory training to educate employees about removable media policy

55
Q

Given the information below:

MD5HASH document.doc 049eab40fd36caadlfab10b3cdf4a883
MD5HASH image.jpg 049eab40fd36caadlfab10b3cdf4a883

Which of the following concepts are described above? (Choose two.)

Salting
Collision
Steganography
Hashing
Key stretching

A

Collision

and

Hashing

56
Q

Which of the following are the BEST selection criteria to use when assessing hard drive suitability for time-sensitive applications that deal with large amounts of critical information? (Select TWO).

MTBF
MTTR
SLA
RTO
MTTF
RPO

A

MTBF (mean time between failures)

and

MTTR

57
Q

An organization has hired a new remote workforce. Many new employees are reporting that they are unable to access the shared network resources while traveling. They need to be able to travel to and from different locations on a weekly basis. Shared offices are retained at the headquarters location. The remote workforce will have identical file and system access requirements, and must also be able to log in to the headquarters location remotely. Which of the following BEST represent how the remote employees should have been set up initially? (Select TWO).

User-based access control
Shared accounts
Group-based access control
Mapped drives
Individual accounts
Location-based policies

A

Group-based access control

and

Individual accounts

58
Q

A systems administrator is installing and configuring an application service that requires access to read and write to log and configuration files on a local hard disk partition. The service must run as an account with authorization to interact with the file system. Which of the following would reduce the attack surface added by the service and account? (Select TWO).

Use a unique managed service account
Utilize a generic password for authenticating
Enable and review account audit logs
Enforce least possible privileges for the account
Add the account to the local administrator’s group
Use a guest account placed in a non-privileged users’ group

A

Use a unique managed service account

and

Enforce least possible privileges for the account

59
Q

A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better:

validate the vulnerability exists in the organization's network through penetration testing.
research the appropriate mitigation techniques in a vulnerability database.
find the software patches that are required to mitigate a vulnerability.
prioritize remediation of vulnerabilities based on the possible impact.

A

Prioritize remediation of vulnerabilities based on the possible impact.

60
Q

A security engineer is analyzing the following line of JavaScript code that was found in a comment field on a web forum, which was recently involved in a security breach:

Given the line of code above, which of the following BEST represents the attack performed during the breach?

CSRF
DDoS
DoS
XSS

A

XSS

61
Q

A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms?

SIEM
DLP
CASB
SWG

A

CASB

62
Q

A company employee recently retired, and there was a schedule delay because no one was capable of filling the employee’s position. Which of the following practices would BEST help to prevent this situation in the future?

Mandatory vacation
Separation of duties
Job rotation
Exit interviews

A

Job rotation

63
Q

See PDF 395

A

395

64
Q

A system in the network is used to store proprietary secrets and needs the highest level of security possible. Which of the following should a security administrator implement to ensure the system cannot be reached from the Internet?

VLAN
Air gap
NAT
Firewall

A

Air gap

65
Q

After successfully breaking into several networks and infecting multiple machines with malware, hackers contact the network owners, demanding payment to remove the infection and decrypt files. The hackers threaten to publicly release information about the breach if they are not paid. Which of the following BEST describes these attackers?

Gray hat hackers
Organized crime
Insiders
Hacktivists

A

Organized crime

66
Q

A system uses an application server and database server. Employing the principle of least privilege, only database administrators are given administrative privileges on the database server, and only application team members are given administrative privileges on the application server. Audit and log file reviews are performed by the business unit (a separate group from the database and application teams). The organization wants to optimize operational efficiency when application or database changes are needed, but it also wants to enforce least privilege, prevent modification of log files, and facilitate the audit and log review performed by the business unit. Which of the following approaches would BEST meet the organization's goals?

Restrict privileges on the log file directory to "read only" and use a service account to send a copy of these files to the business unit.
Switch administrative privileges for the database and application servers. Give the application team administrative privileges on the database servers and the database team administrative privileges on the application servers.
Remove administrative privileges from both the database and application servers, and give the business unit "read only" privileges on the directories where the log files are kept.
Give the business unit administrative privileges on both the database and application servers so they can independently monitor server activity.

A

Restrict privileges on the log file directory to "read only" and use a service account to send a copy of these files to the business unit.

67
Q

The president of a company that specializes in military contracts receives a request for an interview. During the interview, the reporter seems more interested in discussing the president's family life and personal history than the details of a recent company success. Which of the following security concerns is this MOST likely an example of?

Insider threat
Social engineering
Passive reconnaissance
Phishing

A

Social engineering

68
Q

After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic?

A DMZ
A VPN
A VLAN
An ACL

A

A VLAN

69
Q

A state-sponsored threat actor has launched several successful attacks against a corporate network. Although the target has a robust patch management program in place, the attacks continue in depth and scope, and the security department has no idea how the attacks are able to gain access. Given that patch management and vulnerability scanners are being used, which of the following would be used to analyze the attack methodology?

Rogue system detection
Honeypots
Next-generation firewall
Penetration test

A

Honeypots

70
Q

An organization’s policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevent users from using any of their previous 12 passwords. The organization does not use single sign-on, nor does it centralize storage of passwords. The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation. Which of the following BEST describes what is happening?

Some users are meeting password complexity requirements but not password length requirements.
The password history enforcement is insufficient, and old passwords are still valid across many different systems.
Some users are reusing passwords, and some of the compromised passwords are valid on multiple systems.
The compromised password file has been brute-force hacked, and the complexity requirements are not adequate to mitigate this risk.

A

The compromised password file has been brute-force hacked, and the complexity requirements are not adequate to mitigate this risk.

71
Q

A security analyst is running a credential-based vulnerability scanner on a Windows host. The vulnerability scanner is using the protocol NetBIOS over TCP/IP to connect to various systems. However, the scan does not return any results. To address the issue, the analyst should ensure that which of the following default ports is open on systems?

135
137
3389
5060

A

137

72
Q

Which of the following describes the BEST approach for deploying application patches?

Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production systems.
Test the patches in a staging environment, develop against them in the development environment, and then apply them to the production systems.
Test the patches in a test environment, apply them to the production systems, and then apply them to a staging environment.
Apply the patches to the production systems, apply them in a staging environment, and then test all of them in a testing environment.

A

Apply the patches to the production systems, apply them in a staging environment, and then test all of them in a testing environment.

73
Q

A systems administrator is auditing the company's Active Directory environment. It is quickly noted that the username "company\bsmith" is interactively logged into several desktops across the organization. Which of the following has the systems administrator MOST likely come across?

Service account
Shared credentials
False positive
Local account

A

Shared credentials

74
During a forensic investigation, which of the following must be addressed FIRST according to the order of volatility? Hard drive RAM Network attached storage USB flash drive
RAM
75
A company uses an enterprise desktop imaging solution to manage deployment of its desktop computers. Desktop computer users are only permitted to use software that is part of the baseline image. Which of the following technical solutions was MOST likely deployed by the company to ensure only known-good software can be installed on corporate desktops? Network access control Configuration manager Application whitelisting File integrity checks
Configuration manager
76
Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack? -An attacker is sniffing traffic to port 53, and the server is managed using unencrypted usernames and passwords. -An organization is experiencing excessive traffic on port 53 and suspects an attacker is trying to DoS the domain name server. -Malware is trying to resolve an unregistered domain name to determine if it is running in an isolated sandbox. -DNS routing tables have been compromised, and an attacker is rerouting traffic to malicious websites.
DNS routing tables have been compromised, and an attacker is rerouting traffic to malicious websites
77
After a systems administrator installed and configured Kerberos services, several users experienced authentication issues. Which of the following should be installed to resolve these issues? RADIUS server NTLM service LDAP service NTP server
LDAP service
78
An organization wants to set up a wireless network in the most secure way. Budget is not a major consideration, and the organization is willing to accept some complexity when clients are connecting. It is also willing to deny wireless connectivity for clients who cannot be connected in the most secure manner. Which of the following would be the MOST secure setup that conforms to the organization’s requirements? Enable WPA2-PSK for older clients and WPA2-Enterprise for all other clients. Enable WPA2-PSK, disable all other modes, and implement MAC filtering along with port security. Use WPA2-Enterprise with RADIUS and disable pre-shared keys. Use WPA2-PSK with a 24-character complex password and change the password monthly.
Use WPA2-PSK with a 24-character complex password and change the password monthly.
79
A company just implemented a new telework policy that allows employees to use personal devices for official email and file sharing while working from home. Some of the requirements are: * Employees must provide an alternate work location (i.e., a home address). * Employees must install software on the device that will prevent the loss of proprietary data but will not restrict any other software from being installed. Which of the following BEST describes the MDM options the company is using? Geofencing, content management, remote wipe, containerization, and storage segmentation Content management, remote wipe, geolocation, context-aware authentication, and containerization Application management, remote wipe, geofencing, context-aware authentication, and containerization Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption
Application management, remote wipe, geofencing, context-aware authentication, and containerization
80
A company has just experienced a malware attack affecting a large number of desktop users. The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as 'Troj.Generic'. Once the security team found a solution to remove the malware, they were able to remove the malware files successfully, and the HIDS stopped alerting. The next morning, however, the HIDS once again started alerting on the same desktops, and the security team discovered the files were back. Which of the following BEST describes the type of malware infecting this company's network? Trojan Spyware Rootkit Botnet
Trojan
81
A researcher has been analyzing large data sets for the last ten months. The researcher works with colleagues from other institutions and typically connects via SSH to retrieve additional data. Historically, this setup has worked without issue, but the researcher recently started getting the following message: Which of the following network attacks is the researcher MOST likely experiencing? MAC cloning Evil twin Man-in-the-middle ARP poisoning
Man-in-the-middle
82
After being alerted to potential anomalous activity related to trivial DNS lookups, a security analyst looks at the following output of implemented firewall rules: The analyst notices that the expected policy has no hit count for the day. Which of the following MOST likely occurred? Data execution prevention is enabled The VLAN is not trunked properly There is a policy violation for DNS lookups The firewall policy is misconfigured
The firewall policy is misconfigured
83
The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company's Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social-engineering techniques is the attacker using? Phishing Whaling Typo squatting Pharming
Whaling
84
Which of the following is a security consideration for IoT devices? IoT devices have built-in accounts that users rarely access. IoT devices have less processing capabilities. IoT devices are physically segmented from each other. IoT devices have purpose-built applications.
IoT devices have built-in accounts that users rarely access.
85
A forensics analyst is investigating a hard drive for evidence of suspected illegal activity. Which of the following should the analyst do FIRST? Create a hash of the hard drive. Export the Internet history. Save a copy of the case number and date as a text file in the root directory. Back up the pictures directory for further inspection.
Save a copy of the case number and date as a text file in the root directory
86
An organization’s research department uses workstations in an air-gapped network. A competitor released products based on files that originated in the research department. Which of the following should management do to improve the security and confidentiality of the research files? Implement multifactor authentication on the workstations. Configure removable media controls on the workstations. Install a web application firewall in the research department. Install HIDS on each of the research workstations.
Configure removable media controls on the workstation
87
A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following: * The legitimate website's IP address is 10.1.1.20 and eRecruit.local resolves to this IP. * The forged website's IP address appears to be 10.2.12.99, based on NetFlow records. * All three of the organization's DNS servers show the website correctly resolves to the legitimate IP. * DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise. Which of the following MOST likely occurred? A reverse proxy was used to redirect network traffic. An SSL strip MITM attack was performed. An attacker temporarily poisoned a name server. An ARP poisoning attack was successfully executed.
An SSL strip MITM attack was performed
88
When considering IoT systems, which of the following represents the GREATEST ongoing risk after a vulnerability has been discovered? Difficult-to-update firmware Tight integration to existing systems IP address exhaustion Not using industry standards
Tight integration to existing systems
89
Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server? The document is a honeyfile and is meant to attract the attention of a cyberintruder. The document is a backup file if the system needs to be recovered The document is a standard file that the OS needs to verify the login credentials. The document is a keylogger that stores all keystrokes should the account be compromised.
The document is a honeyfile and is meant to attract the attention of a cyber intruder.
90
A security analyst has received an alert about PII being sent via email. The analyst’s Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate? S/MIME DLP IMAP HIDS
HIDS (host-based intrusion detection system)
91
A company is examining possible locations for a hot site. Which of the following considerations is of MOST concern if the replication technology being used is highly sensitive to network latency? Connection to multiple power substations Location proximity to the production site Ability to create separate caged space Positioning of the site across international borders
Location proximity to the production site
92
Which of the following command line tools would be BEST to identify the services running in a server? Traceroute Nslookup Ipconfig Netstat
Netstat
93
A technician is recommending preventive physical security controls for a server room. Which of the following would the technician MOST likely recommend? (Select TWO). Geofencing Video surveillance Protected cabinets Mantrap Key exchange Authorized personnel signage
Protected cabinets and mantrap
94
A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output: Which of the following BEST describes the attack the company is experiencing? MAC flooding URL redirection ARP poisoning DNS hijacking
ARP poisoning
95
A company moved into a new building next to a sugar mill. Cracks have been discovered in the walls of the server room, which is located on the same side as the sugar mill loading docks. The cracks are believed to have been caused by heavy trucks. Moisture has begun to seep into the server room, causing extreme humidification problems and equipment failure. Which of the following BEST describes the type of threat the organization faces? Foundational Man-made Environmental Natural
Foundational
96
Which of the following access management concepts is MOST closely associated with the use of a password or PIN? Authorization Authentication Accounting Identification
Authentication
97
A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator finds the following output:
Time: 12/25 0300
From Zone: Untrust
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
When examining the PCAP associated with the event, the security administrator finds the following information:
alert ("Click here for important information regarding your account! http://externalip.com/account.php ");
Which of the following actions should the security administrator take? -Upload the PCAP to the IDS in order to generate a blocking signature to block the traffic. -Manually copy the data from the PCAP file and generate a blocking signature in the HIDS to block the traffic for future events. -Implement a host-based firewall rule to block future events of this type from occurring. -Submit a change request to modify the XSS vulnerability signature to TCP reset on future attempts.
Manually copy the data from the PCAP file and generate a blocking signature in the HIDS to block the traffic for future events
98
A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected. Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Select TWO). DoS SSL stripping Memory leak Race condition Shimming Refactoring
DOS and SSL stripping
99
A security administrator needs to create a RAID configuration that is focused on high read speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the following RAID configurations should the administrator use? RAID 0 RAID 1 RAID 5 RAID 10
RAID 10
100
An administrator is disposing of media that contains sensitive information. Which of the following will provide the MOST effective method to dispose of the media while ensuring the data will be unrecoverable? Wipe the hard drive. Shred the hard drive. Sanitize all of the data. Degauss the hard drive.
Shred the hard drive
101
An organization has decided to host its web application and database in the cloud. Which of the following BEST describes the security concerns for this decision? Access to the organization’s servers could be exposed to other cloud-provider clients. The cloud vendor is a new attack vector within the supply chain. Outsourcing the code development adds risk to the cloud provider. Vendor support will cease when the hosting platforms reach EOL.
The cloud vendor is a new attack vector within the supply chain
102
Which of the following serves to warn users against downloading and installing pirated software on company devices? AUP NDA ISA BPA
AUP
104
A security consultant was asked to revise the security baselines that are utilized by a large organization. Although the company provides different platforms for its staff, including desktops, laptops, and mobile devices, the applications do not vary by platform. Which of the following should the consultant recommend? (Select Two). Apply patch management on a daily basis. Allow full functionality for all applications that are accessed remotely Apply default configurations of all operating systems Apply application whitelisting. Disable default accounts and/or passwords.
Apply patch management on a daily basis and Disable default accounts and/or passwords
105
A security engineer is analyzing the following line of JavaScript code that was found in a comment field on a web forum, which was recently involved in a security breach: Given the line of code above, which of the following BEST represents the attack performed during the breach? CSRF DDoS DoS XSS
XSS
106
Which of the following is unique to a stream cipher? It encrypts 128 bytes at a time. It uses AES encryption. It performs bit-level encryption. It is used in HTTPS.
It performs bit-level encryption
107
Fuzzing is used to reveal which of the following vulnerabilities in web applications? Weak cipher suites Improper input handling DLL injection Certificate signing flaws
Improper input handling
108
A first responder needs to collect digital evidence from a compromised headless virtual host. Which of the following should the first responder collect FIRST? Virtual memory BIOS configuration Snapshot RAM
Snapshot
109
Which of the following would MOST likely support the integrity of a voting machine? Asymmetric encryption Blockchain Transport Layer Security Perfect forward secrecy
Perfect forward secrecy
110
A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email, and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery? Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis. Restrict administrative privileges and patch all systems and applications. Rebuild all workstations and install new antivirus software. Implement application whitelisting and perform user application hardening.
Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis.
111
Which of the following are considered to be "something you do"? (Select TWO). Iris scan Handwriting Common Access Card Gait PIN Fingerprint
Handwriting and Gait
112
See PDF 417
ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub user@server
scp ~/.ssh/id_rsa user@server:.ssh/authorized_keys
chmod 777 ~/.ssh/authorized_keys
ssh root@server
113
A company recently installed fingerprint scanners at all entrances to increase the facility’s security. The scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid users were denied entry. Which of the following measurements do these users fall under? FRR FAR CER SLA
FRR (false rejection rate)
114
Which of the following is an example of resource exhaustion? A penetration tester requests every available IP address from a DHCP server. A SQL injection attack returns confidential data back to the browser. Server CPU utilization peaks at 100% during the reboot process System requirements for a new software package recommend having 12GB of RAM, but only 8GB are available.
A penetration tester requests every available IP address from a DHCP server.
115
A security administrator found the following piece of code referenced on a domain controller's task scheduler:
$var = GetDomainAdmins
If $var != ‘fabio’
SetDomainAdmins = NULL
With which of the following types of malware is the code associated? RAT Backdoor Logic bomb Crypto-malware
Logic bomb
116
A company network is currently under attack. Although security controls are in place to stop the attack, the security administrator needs more information about the types of attacks being used. Which of the following network types would BEST help the administrator gather this information? DMZ Guest network Ad hoc Honeynet
Honeynet
117
A network administrator was concerned during an audit that users were able to use the same passwords the day after a password change policy took effect. The following settings are in place: * Users must change their passwords every 30 days. * Users cannot reuse the last 10 passwords. Which of the following settings would prevent users from being able to immediately reuse the same passwords? Minimum password age of five days Password history of ten passwords Password length greater than ten characters Complex passwords must be used
Password history of ten passwords
118
An administrator is beginning an authorized penetration test of a corporate network. Which of the following tools would BEST assist in identifying potential attacks? Netstat Honey pot Company directory Nmap
Nmap
119
After patching computers with the latest application security patches/updates, users are unable to open certain applications. Which of the following will correct the issue? Modifying the security policy for patch management tools Modifying the security policy for HIDS/HIPS Modifying the security policy for DLP Modifying the security policy for media control
Modifying the security policy for DLP
120
A company has had a BYOD policy in place for many years and now wants to roll out an MDM solution. The company has decided that end users who wish to utilize their personal devices for corporate use must opt in to the MDM solution. End users are voicing concerns about the company having access to their personal devices via the MDM solution. Which of the following should the company implement to ease these concerns? Sideloading Full device encryption Application management Containerization
Application management
121
While monitoring the SIEM, a security analyst observes traffic from an external IP to an IP address of the business network on port 443. Which of the following protocols would MOST likely cause this traffic? HTTP SSH SSL DNS
SSL
122
A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions? Nmap Wireshark Autopsy DNSEnum
Nmap
123
An email recipient is unable to open a message encrypted through PKI that was sent from another organization. Which of the following does the recipient need to decrypt the message? The sender’s private key The recipient’s private key The recipient’s public key The CA’s root certificate The sender’s public key An updated CRL
The sender's public key
124
Which of the following algorithms would be used to provide non-repudiation of a file transmission? AES RSA MD5 SHA
MD5
125
A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective? A reverse proxy A decryption certificate A split-tunnel VPN Load-balanced servers
A decryption certificate
126
A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent the exfiltration of data? (Select TWO). VPN Drive encryption Network firewall File-level encryption USB blocker MFA
Drive encryption and Network firewall
127
Which of the following BEST explains how the use of configuration templates reduces organization risk? It ensures consistency of configuration for initial system implementation. It enables system rollback to a last known-good state if patches break functionality. It facilitates fault tolerance since applications can be migrated across templates. It improves vulnerability scanning efficiency across multiple systems.
It facilitates fault tolerance since applications can be migrated across templates
128
A small enterprise decides to implement a warm site to be available for business continuity in case of a disaster. Which of the following BEST meets its requirements? A fully operational site that has all the equipment in place and full data backup tapes on site A site used for its data backup storage that houses a full-time network administrator An operational site requiring some equipment to be relocated as well as data transfer to the site A site staffed with personnel requiring both equipment and data to be relocated there in case of disaster
An operational site requiring some equipment to be relocated as well as data transfer to the site.
129
Ann, a user, reported to the service desk that many files on her computer will not open or the contents are not readable. The service desk technician asked Ann if she encountered any strange messages on boot-up or login, and Ann indicated she did not. Which of the following has MOST likely occurred on Ann's computer? The hard drive is failing, and the files are being corrupted. The computer has been infected with crypto-malware. A replay attack has occurred. A keylogger has been installed.
The computer has been infected with crypto-malware
130
A network administrator has been asked to install an IDS to improve the security posture of an organization. Which of the following control types is an IDS? Corrective Physical Detective Administrative
Detective
131
The help desk received a call from a user who was trying to access a set of files from the day before but received the following error message: File format not recognized. Which of the following types of malware MOST likely caused this to occur? Ransomware Polymorphic virus Rootkit Spyware
Ransomware
132
An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues. Which of the following should a security engineer employ to fulfill the requirements for the manager? Install a web application firewall. Install HIPS on the team’s workstations. Implement containerization on the workstations. Configure whitelisting for the team.
Implement containerization on the workstations
133
While reviewing system logs, a security analyst notices that a large number of end users are changing their passwords four times on the day the passwords are set to expire. The analyst suspects they are cycling their passwords to circumvent current password controls. Which of the following would provide a technical control to prevent this activity from occurring? Set password aging requirements. Increase the password history from three to five. Create an AUP that prohibits password reuse. Implement password complexity requirements.
Set password aging requirements
134
Which of the following is the BEST use of a WAF? To protect sites on web servers that are publicly accessible To allow access to web services of internal users of the organization To maintain connection status of all HTTP requests To deny access to all websites with certain contents
To protect sites on web servers that are publicly accessible
135
While testing a new vulnerability scanner, a technician becomes concerned about reports that list security concerns that are not present on the systems being tested. Which of the following BEST describes this flaw? False positives Crossover error rate Uncredentialed scan Passive security controls
False positives
136
An employee workstation with an IP address of 204.211.38.211/24 reports it is unable to submit print jobs to a network printer at 204.211.38.52/24 after a firewall upgrade. The active firewall rules are as follows: Assuming port numbers have not been changed from their defaults, which of the following should be modified to allow printing to the network printer? A) The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP. B) The deny statement for 204.211.38.52/24 should be changed to a permit statement. C) The permit statement for 204.211.38.52/24 should be changed to UDP port 443 instead of 631. D) The permit statement for 204.211.38.211/24 should be changed to TCP port 631 only instead of ALL.
The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP.
137
Which of the following is the MOST significant difference between intrusive and non-intrusive vulnerability scanning? One uses credentials, but the other does not. One has a higher potential for disrupting system operations. One allows systems to activate firewall countermeasures. One returns service banners, including running versions.
One has a higher potential for disrupting system operations
138
A penetration tester is checking to see if an internal system is vulnerable to an attack using a remote listener. Which of the following commands should the penetration tester use to verify if this vulnerability exists? (Choose two.) tcpdump nc nmap nslookup tail tracert
nc and nmap
139
A government agency with sensitive information wants to virtualize its infrastructure. Which of the following cloud deployment models BEST fits the agency's needs? Public Community Private Hybrid
Community
140
A systems engineer is setting up a RADIUS server to support a wireless network that uses certificate authentication. Which of the following protocols must be supported by both the RADIUS server and the WAPs? CCMP TKIP WPS EAP
EAP
141
The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread unhindered throughout the network and infect a large number of computers and servers. Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future? Install a NIDS device at the boundary. Segment the network with firewalls. Update all antivirus signatures daily. Implement application blacklisting.
Update all antivirus signatures daily
142
A network administrator is implementing multifactor authentication for employees who travel and use company devices remotely by using the company VPN. Which of the following would provide the required level of authentication? 802.1X and OTP Fingerprint scanner and voice recognition RBAC and PIN Username/Password and TOTP
802.1X and OTP
143
A security professional wants to test a piece of malware that was isolated on a user’s computer to document its effect on a system. Which of the following is the FIRST step the security professional should take? Create a sandbox on the machine. Open the file and run it. Create a secure baseline of the system state. Harden the machine.
Create a secure baseline of the system state
144
Which of the following encryption algorithms require one encryption key? (Choose two.) MD5 3DES BCRYPT RC4 DSA
3DES and RC4
145
Which of the following BEST describes the concept of perfect forward secrecy? Using quantum random number generation to make decryption effectively impossible Preventing cryptographic reuse so a compromise of one operation does not affect other operations Implementing elliptic curve cryptographic algorithms with true random numbers The use of NDAs and policy controls to prevent disclosure of company secrets
Preventing cryptographic reuse so a compromise of one operation does not affect other operations
146
A security operations team recently detected a breach of credentials. The team mitigated the risk and followed proper processes to reduce risk. Which of the following processes would BEST help prevent this issue from happening again? Risk assessment Chain of custody Lessons learned Penetration test
Lessons learned
147
A manufacturing company updates a policy that instructs employees not to enter a secure area in groups and requires each employee to swipe their badge to enter the area. When employees continue to ignore the policy, a mantrap is installed. Which of the following BEST describe the controls that were implemented to address this issue? (Select TWO). Detective Administrative Deterrent Physical Corrective
Deterrent and Corrective
148
A cryptographer has developed a new proprietary hash function for a company and solicited employees to test the function before recommending its implementation. An employee takes the plaintext version of a document and hashes it, then changes the original plaintext document slightly and hashes it, and continues repeating this process until two identical hash values are produced from two different documents. Which of the following BEST describes this cryptographic attack? Brute force Known plaintext Replay Collision
Collision
149
Which of the following is the proper use of a Faraday cage? To block electronic signals sent to erase a cell phone To capture packets sent to a honeypot during an attack To protect hard disks from access during a forensics investigation To restrict access to a building allowing only one person to enter at a time
To block electronic signals sent to erase a cell phone
150
Which of the following should a technician use to protect a cellular phone that is needed for an investigation, to ensure the data will not be removed remotely? Air gap Secure cabinet Faraday cage Safe
Faraday cage
151
A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the output:

```
CPU 0 percent busy, from 300 secs ago
1 sec ave: 99 percent busy
5 sec ave: 97 percent busy
1 min ave: 83 percent busy
```

Which of the following is the router experiencing? DDoS attack Memory leak Buffer overflow Resource exhaustion
Resource exhaustion
152
An organization plans to transition the intrusion detection and prevention techniques on a critical subnet to an anomaly-based system. Which of the following does the organization need to determine for this to be successful? The baseline The endpoint configurations The adversary behavior profiles The IPS signatures
The IPS signatures
153
The Chief Information Officer (CIO) has determined the company’s new PKI will not use OCSP. The purpose of OCSP still needs to be addressed. Which of the following should be implemented? Build an online intermediate CA. Implement a key escrow. Implement stapling. Install a CRL.
Implement a key escrow
154
The president of a company that specializes in military contracts receives a request for an interview. During the interview, the reporter seems more interested in discussing the president's family life and personal history than the details of a recent company success. Which of the following security concerns is this MOST likely an example of? Insider threat Social engineering Passive reconnaissance Phishing
Social engineering
155
An attacker is able to capture the payload for the following packet:

```
IP 192.168.1.22:2020 10.10.10.5:443
IP 192.166.1.10:1030 10.10.10.1:21
IP 192.168.1.57:5217 10.10.10.1:3389
```

During an investigation, an analyst discovers that the attacker was able to capture the information above and use it to log on to other servers across the company. Which of the following is the MOST likely reason? The attacker has exploited a vulnerability that is commonly associated with TLS1.3. The application server is also running a web server that has been compromised. The attacker is picking off unencrypted credentials and using those to log in to the secure server. User accounts have been improperly configured to allow single sign-on across multiple servers.
The attacker has exploited a vulnerability that is commonly associated with TLS1.3
156
A systems administrator needs to configure an SSL remote access VPN according to the following organizational guidelines: * The VPN must support encryption of header and payload. * The VPN must route all traffic through the company's gateway. Which of the following should be configured on the VPN concentrator? Full tunnel Transport mode Tunnel mode IPSec
Full tunnel
157
Using a one-time code that has been texted to a smartphone is an example of: something you have. something you know. something you do. something you are.
Something you have
158
Which of the following methods is used by internal security teams to assess the security of internally developed applications? Active reconnaissance Pivoting White-box testing Persistence
White-box testing
159
A Chief Information Security Officer (CISO) is concerned about the organization's ability to continue business operations in the event of a prolonged DDoS attack on its local datacenter that consumes server. Which of the following will the CISO MOST likely recommend to mitigate this risk? Upgrade the bandwidth available into the datacenter. Migrate to a geographically dispersed cloud datacenter. Implement a hot-site failover location. Switch to a complete SaaS offering to customers. Implement a challenge response test on all end-user queries.
Implement a hot-site failover location
160
A manager makes an unannounced visit to the marketing department and performs a walk-through of the office. The manager observes unclaimed documents on printers. A closer look at these documents reveals employee names, addresses, ages, birth dates, marital/dependent statuses, and favorite ice cream flavors. The manager brings this to the attention of the marketing department head. The manager believes this information to be PII, but the marketing head does not agree. Having reached a stalemate, which of the following is the most appropriate action to take NEXT? Elevate to the Chief Executive Officer (CEO) for redress; change from the top down usually succeeds. Find the privacy officer in the organization and let the officer act as the arbiter. Notify employees whose names are on these files that their personal information is being compromised. To maintain a working relationship with marketing, quietly record the incident in the risk register.
Find the privacy officer in the organization and let the officer act as the arbiter.
161
A coffee company has hired an IT consultant to set up a WiFi network that will provide Internet access to customers who visit the company's chain of cafés. The coffee company has provided no requirements other than that customers should be granted access after registering via a web form and accepting the terms of service. Which of the following is the MINIMUM acceptable configuration to meet this single requirement? Captive portal WPA with PSK Open WiFi WPS
Captive portal
162
A buffer overflow can result in: loss of data caused by unauthorized command execution privilege escalation caused by TPM override. reduced key strength due to salt manipulation repeated use of one-time keys.
Privilege escalation caused by TPM override
163
An incident response analyst at a large corporation is reviewing proxy log data. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take? Call the CEO directly to ensure awareness of the event Run a malware scan on the CEO's workstation Reimage the CEO's workstation Disconnect the CEO's workstation from the network.
Disconnect the CEO's workstation from the network
164
A systems administrator has installed a new UTM that is capable of inspecting SSL/TLS traffic for malicious payloads. All inbound network traffic coming from the Internet and terminating on the company’s secure web servers must be inspected. Which of the following configurations would BEST support this requirement? The web servers’ CA full certificate chain must be installed on the UTM. The UTM certificate pair must be installed on the web servers. The web servers’ private certificate must be installed on the UTM. The UTM and web servers must use the same certificate authority.
The web servers' CA full certificate chain must be installed on the UTM
165
A security engineer at a manufacturing company is implementing a third-party cloud application. Rather than creating users manually in the application, the engineer decides to use the SAML protocol. Which of the following is being used for this implementation?
- The manufacturing company is the service provider, and the cloud company is the identity provider.
- The manufacturing company is the authorization provider, and the cloud company is the service provider.
- The manufacturing company is the identity provider, and the cloud company is the OAuth provider.
- The manufacturing company is the identity provider, and the cloud company is the service provider.
- The manufacturing company is the service provider, and the cloud company is the authorization provider.
The manufacturing company is the service provider, and the cloud company is the identity provider.
166
A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service Unavailable error. The analyst runs a netstat -an command to discover if the web server is up and listening. The analyst receives the following output:

```
TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT
```

Which of the following types of attack is the analyst seeing? Buffer overflow Domain hijacking Denial of service ARP poisoning
Denial of Service
168
A preventive control differs from a compensating control in that a preventive control is: put in place to mitigate a weakness in a user control. deployed to supplement an existing control that is EOL. relied on to address gaps in the existing control structure. designed to specifically mitigate a risk.
relied on to address gaps in the existing control structure.
169
A healthcare company is revamping its IT strategy in light of recent regulations. The company is concerned about compliance and wants to use a pay-per-use model. Which of the following is the BEST solution? On-premises hosting Community cloud Hosted infrastructure Public SaaS
Public SaaS
170
Moving laterally within a network once an initial exploit is used to gain persistent access for the purpose of establishing further control of a system is known as: pivoting. persistence. active reconnaissance. a backdoor.
Active reconnaissance
171
When a malicious user is able to retrieve sensitive information from RAM, the programmer has failed to implement: session keys. encryption of data at rest encryption of data in use. ephemeral keys.
Encryption of data in use
172
During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes? Physically move the PC to a separate Internet point of presence. Create and apply microsegmentation rules. Emulate the malware in a heavily monitored DMZ segment. Apply network blacklisting rules for the adversary domain.
Create and apply microsegmentation rules
173
An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the following is the BEST way for the organization to integrate with the cloud application? Upload a separate list of users and passwords with a batch import. Distribute hardware tokens to the users for authentication to the cloud. Implement SAML with the organization’s server acting as the identity provider. Configure a RADIUS federation between the organization and the cloud provider.
Configure a RADIUS federation between the organization and the cloud provider
174
A technician is required to configure updates on a guest operating system while maintaining the ability to quickly revert the changes that were made while testing the updates. Which of the following should the technician implement? Snapshots Revert to known state Rollback to known configuration Shadow copy
Snapshots
175
An attacker has gathered information about a company employee by obtaining publicly available information from the Internet and social networks. Which of the following types of activity is the attacker performing? Pivoting Exfiltration of data Social engineering Passive reconnaissance
Passive reconnaissance
176
An organization has hired a security analyst to perform a penetration test. The analyst captures 1GB worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap? Nmap cURL Netcat Wireshark
Wireshark
177
Select the appropriate attack and remediation from each drop-down list to label the corresponding attack with its remediation. See PDF 445
PDF 445
178
Which of the following is a benefit of credentialed vulnerability scans? Credentials provide access to scan documents to identify possible data theft. The vulnerability scanner is able to inventory software on the target. A scan will reveal data loss in real time. Black-box testing can be performed.
The vulnerability scanner is able to inventory software on the target.
179
Users are attempting to access a company's website but are transparently redirected to another website. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the future? DNSSEC HTTPS IPSec TLS/SSL
DNSSEC
180
Which of the following describes the ability of code to target a hypervisor from inside a guest OS? Fog computing VM escape Software-defined networking Image forgery Container breakout
VM escape
181
A security administrator is implementing a new WAF solution and has placed some of the web servers behind the WAF, with the WAF set to audit mode. When reviewing the audit logs of external requests and posts to the web servers, the administrator finds the following entry: Based on this data, which of the following actions should the administrator take? Alert the web server administrators to a misconfiguration Create a blocking policy based on the parameter values Change the parameter name 'Account_Name' identified in the log. Create an alert to generate emails for abnormally high activity.
Create an alert to generate emails for abnormally high activity
182
Which of the following serves to warn users against downloading and installing pirated software on company devices? AUP NDA ISA BPA
AUP (acceptance user policy)
183
An accountant is attempting to log in to the internal accounting system and receives a message that the website's certificate is fraudulent. The accountant finds instructions for manually installing the new trusted root onto the local machine. Which of the following would be the company's BEST option for this situation in the future? Utilize a central CRL. Implement certificate management. Ensure access to KMS. Use a stronger cipher suite.
Implement certificate management
184
A junior systems administrator noticed that one of two hard drives in a server room had a red error notification. The administrator removed the hard drive to replace it but was unaware that the server was configured in an array. Which of the following configurations would ensure no data is lost? RAID 0 RAID 1 RAID 2 RAID 3
RAID 1
185
Which of the following types of attack is being used when an attacker responds by sending the MAC address of the attacking machine to resolve the MAC to IP address of a valid server? Session hijacking IP spoofing Evil twin ARP poisoning
ARP Poisoning
186
A company recently implemented a new security system. In the course of configuration, the security administrator adds the following entry:

```
#Whitelist USB\VID_13FE&PID_4127&REV_0100
```

Which of the following security technologies is MOST likely being configured? Application whitelisting HIDS Data execution prevention Removable media control
Removable media control
187
A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Select TWO). PAP MSCHAP PEAP NTLM SAML
MSCHAP and PEAP
188
Which of the following is the MOST likely motivation for a script kiddie threat actor? Financial gain Notoriety Political expression Corporate espionage
Notoriety
189
In which of the following risk management strategies would cybersecurity insurance be used? Transference Avoidance Acceptance Mitigation
Avoidance
190
A systems developer needs to provide machine-to-machine interface between an application and a database server in the production environment. This interface will exchange data once per day. Which of the following access control account practices would BEST be used in this situation? Establish a privileged interface group and apply read-write permission to the members of that group. Submit a request for account privilege escalation when the data needs to be transferred. Install the application and database on the same server and add the interface to the local administrator group. Use a service account and prohibit users from accessing this account for development work.
Use a service account and prohibit users from accessing this account for development work
191
Which of the following is unique to a stream cipher? It encrypts 128 bytes at a time. It uses AES encryption It performs bit-level encryption It is used in HTTPS
It performs bit-level encryption
192
A systems engineer wants to leverage a cloud-based architecture with low latency between network-connected devices that also reduces the bandwidth that is required by performing analytics directly on the endpoints. Which of the following would BEST meet the requirements? (Select TWO). Private cloud SaaS Hybrid cloud IaaS DRaaS Fog computing
Hybrid cloud and Fog computing
193
A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the purchase. When the PCs arrived, a technician determined some NICs had been tampered with. Which of the following MOST accurately describes the security risk presented in this situation? Hardware root of trust UEFI Supply chain TPM Crypto-malware ARP poisoning
Supply chain
194
A security administrator in a bank is required to enforce an access control policy so no single individual is allowed to both initiate and approve financial transactions. Which of the following BEST represents the impact the administrator is deterring? Principle of least privilege External intruder Conflict of Interest Fraud
Principle of least privilege
195
An organization is concerned about video emissions from users’ desktops. Which of the following is the BEST solution to implement? Screen filters Shielded cables Spectrum analyzers Infrared detection
Screen filters
196
A user receives a security alert pop-up from the host-based IDS, and a few minutes later notices a document on the desktop has disappeared and in its place is an odd filename with no icon image. When clicking on this icon, the user receives a system notification that it cannot find the correct program to use to open this file. Which of the following types of malware has MOST likely targeted this workstation? Rootkit Spyware Ransomware Remote-access Trojan
Ransomware
197
An organization is drafting an IRP and needs to determine which employees have the authority to take systems offline during an emergency situation. Which of the following is being outlined? Reporting and escalation procedures Permission auditing Roles and responsibilities Communication methodologies
Roles and responsibilities
199
An incident responder is preparing to acquire images and files from a workstation that has been compromised. The workstation is still powered on and running. Which of the following should be acquired LAST? Application files on hard disk Processor cache Processes in running memory Swap space
Processes in running memory
200
A company network is currently under attack. Although security controls are in place to stop the attack, the security administrator needs more information about the types of attacks being used. Which of the following network types would BEST help the administrator gather this information? DMZ Guest network Ad hoc Honeynet
ad-hoc
201
A security administrator is investigating a report that a user is receiving suspicious emails. The user's machine has an old functioning modem installed. Which of the following security concerns need to be identified and mitigated? (Choose two.) Vishing Whaling Spear phishing Pharming War dialing Hoaxing
War dialing and hoaxing
202
In highly secure environments where the risk of malicious actors attempting to steal data is high, which of the following is the BEST reason to deploy Faraday cages? To provide emanation control to prevent credential harvesting To minimize signal attenuation over distances to maximize signal strength To minimize external RF interference with embedded processors To protect the integrity of audit logs from malicious alteration
To minimize external RF interference with embedded processors.
203
After entering a username and password, an administrator must draw a gesture on a touch screen. Which of the following demonstrates what the administrator is providing? Multifactor authentication Something you can do Biometrics Two-factor authentication
Something you can do
204
A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic. Which of the following should be used for the IDS implementation? Network tap Honeypot Aggregation Port mirror
network tap
205
While reviewing the wireless router, the systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below: Which of the following should be the administrator’s NEXT step to detect if there is a rogue system without impacting availability? Conduct a ping sweep. Physically check each system. Deny Internet access to the “UNKNOWN” hostname. Apply MAC filtering.
Conduct a ping sweep
206
Which of the following implements two-factor authentication on a VPN? Username, password, and source IP Public and private keys HOTP token and logon credentials Source and destination IP addresses
username, password, and source IP
207
A company is experiencing an increasing number of systems that are locking up on Windows startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat.

```
@echo off
:asdhbawdhbasdhbawdhb
start notepad.exe
start notepad.exe
start calculator.exe
start calculator.exe
goto asdhbawdhbasdhbawdhb
```

Given the file contents and the system's issues, which of the following types of malware is present? Rootkit Logic bomb Worm Virus
Logic bomb
208
After discovering a security incident and removing the affected files, an administrator disabled an unneeded service that led to the breach. Which of the following steps in the incident response process has the administrator just completed? Containment Eradication Recovery Identification
Eradication
209
Which of the following BEST explains the difference between a credentialed scan and a non-credentialed scan? A credentialed scan sees devices in the network, including those behind NAT, while a non-credentialed scan sees outward-facing applications. A credentialed scan will not show up in system logs because the scan is running with the necessary authorization, while non-credentialed scan activity will appear in the logs. A credentialed scan generates significantly more false positives, while a non-credentialed scan generates fewer false positives. A credentialed scan sees the system the way an authorized user sees the system, while a noncredentialed scan sees the system as a guest.
A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest.
210
Which of the following vulnerabilities can lead to unexpected system behavior, including the bypassing of security controls, due to differences between the time of commitment and the time of execution? Buffer overflow DLL injection Pointer dereference Race condition
Buffer overflow
211
A systems administrator has implemented multiple websites using host headers on the same server. The server hosts two websites that require encryption and other websites where encryption is optional. Which of the following should the administrator implement to encrypt web traffic for the required websites? Extended domain validation TLS host certificate OCSP stapling Wildcard certificate
Wildcard certificate
212
An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year? ALE ARO RPO SLE
SLE
213
An application developer has neglected to include input validation checks in the design of the company's new web application. An employee discovers that repeatedly submitting large amounts of data, including custom code to an application will allow the execution of the custom code at the administrator level. Which of the following BEST identifies this application attack? Cross-site scripting Clickjacking Buffer overflow Replay
Buffer overflow
214
Which of the following is a risk that is specifically associated with hosting applications in the public cloud? Unsecured root accounts Zero-day Shared tenancy Insider threat
Insider threat
215
Which of the following is a passive method to test whether transport encryption is implemented? Black box penetration test Port scan Code analysis Banner grabbing
Port scan
216
A systems administrator is receiving multiple alerts from the company NIPS. A review of the NIPS logs shows the following:

```
reset both: 70.32.200.2:3194 –> 10.4.100.4:80 buffer overflow attempt
reset both: 70.32.200.2:3230 –> 10.4.100.4:80 directory traversal attack
reset client: 70.32.200.2:4019 –> 10.4.100.4:80 Blind SQL injection attack
```

Which of the following should the systems administrator report back to management? The company web server was attacked by an external source, and the NIPS blocked the attack. The company web and SQL servers suffered a DoS caused by a misconfiguration of the NIPS. An external attacker was able to compromise the SQL server using a vulnerable web application. The NIPS should move from an inline mode to an out-of-band mode to reduce network latency.
The company web server was attacked by an external source, and the NIPS blocked the attack.
217
During a risk assessment, results show that a fire in one of the company's datacenters could cost up to $20 million in equipment damages and lost revenue. As a result, the company insures the datacenter for up to $20 million in damages for the cost of $30,000 a year. Which of the following risk response techniques has the company chosen? Transference Avoidance Mitigation Acceptance
Transference
218
A coding error has been discovered on a customer-facing website. The error causes each request to return confidential PHI data for the incorrect organization. The IT department is unable to identify the specific customers who are affected. As a result, all customers must be notified of the potential breach. Which of the following would allow the team to determine the scope of future incidents? Intrusion detection system Database access monitoring Application fuzzing Monthly vulnerability scans
Application fuzzing
219
A Chief Security Officer's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives? Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares. Purchase cyber insurance from a reputable provider to reduce expenses during an incident. Invest in end-user awareness training to change the long-term culture and behavior of staff and executives, reducing the organization's susceptibility to phishing attacks. Implement application whitelisting and centralized event-log management and perform regular testing and validation of full backups.
Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares.
220
Which of the following attacks is used to capture the WPA2 handshake? Replay IV Evil twin Disassociation
Replay
221
A hospital has received reports from multiple patients that their PHI was stolen after completing forms on the hospital's website. Upon investigation, the hospital finds a packet analyzer was used to steal data. Which of the following protocols would prevent this attack from reoccurring? SFTP HTTPS FTPS SRTP
SFTP
223
The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process? Updating the playbooks with better decision points Dividing the network into trusted and untrusted zones Providing additional end-user training on acceptable use Implementing manual quarantining of infected hosts
Providing additional end-user training on acceptable use
224
A mobile application developer wants to secure an application that transmits sensitive information Which of the following should the developer implement to prevent SSL MITM attacks? Stapling Chaining Signing Pinning
Pinning
225
A Chief Information Security Officer (CISO) is performing a BIA for the organization in case of a natural disaster. Which of the following should be at the top of the CISO's list? Identify redundant and high-availability systems. Identify mission-critical applications and systems. Identify the single point of failure in the system. Identify the impact on safety of the property.
Identify mission-critical applications and systems
226
A technician is designing a solution that will be required to process sensitive information, including classified government data. The system needs to be common criteria certified. Which of the following should the technician select? Security baseline Hybrid cloud solution Open-source software applications Trusted operating system
Trusted operating system
227
During a security audit of a company's network, unsecure protocols were found to be in use. A network administrator wants to ensure browser-based access to company switches is using the most secure protocol. Which of the following protocols should be implemented? SSH2 TLS1.2 SSL1.3 SNMPv3
SSH2
228
A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use? dd chmod dnsenum logger
dd
229
A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the following types of controls should be used to reduce the risk created by this scenario? Physical Detective Preventive Compensating
Compensating
230
A security administrator is investigating a possible account compromise. The administrator logs onto a desktop computer, executes the command notepad.exe c:\Temp\qkakforlkgfkja.log, and reviews the following:
Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r https://www.portal.com\rjohnuser\rilovemycat2
Given the above output, which of the following is the MOST likely cause of this compromise?
Virus
Worm
Rootkit
Keylogger
Keylogger
231
The application team within a company is asking the security team to investigate why its application is slow after an upgrade. The source of the team's application is 10.13.136.9, and the destination IP is 10.17.36.5. The security analyst pulls the logs from the endpoint security software but sees nothing is being blocked. The analyst then looks at the UTM firewall logs and sees the following:
Which of the following should the security analyst request NEXT based on the UTM firewall analysis?
Request the application team to allow TCP port 87 to listen on 10.17.36.5.
Request the network team to open port 1433 from 10.13.136.9 to 10.17.36.5.
Request the network team to turn off IPS for 10.13.136.8 going to 10.17.36.5.
Request the application team to reconfigure the application and allow RPC communication.
Request the network team to open port 1433 from 10.13.136.9 to 10.17.36.5.
232
A security administrator needs to conduct a full inventory of all encryption protocols and cipher suites. Which of the following tools will the security administrator use to conduct this inventory MOST efficiently?
tcpdump
Protocol analyzer
Netstat
Nmap
Nmap
233
Which of the following is MOST likely caused by improper input handling?
Loss of database tables
Untrusted certificate warning
Power off reboot loop
Breach of firewall ACLs
Loss of database tables
234
A systems administrator needs to install the same X.509 certificate on multiple servers. Which of the following should the administrator use?
Key escrow
A self-signed certificate
Certificate chaining
An extended validation certificate
An extended validation certificate
235
Which of the following is an example of federated access management?
Windows passing user credentials on a peer-to-peer network
Applying a new user account with a complex password
Implementing a AAA framework for network access
Using a popular website login to provide access to another website
Using a popular website login to provide access to another website
236
Which of the following is the MAIN disadvantage of using SSO?
The architecture can introduce a single point of failure.
Users need to authenticate for each resource they access.
It requires an organization to configure federation.
The authentication is transparent to the user.
The architecture can introduce a single point of failure.
237
An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit of this certification?
It allows for the sharing of digital forensics data across organizations.
It provides insurance in case of a data breach.
It provides complimentary training and certification resources to IT security staff.
It certifies the organization can work with foreign entities that require a security clearance.
It assures customers that the organization meets security standards.
It assures customers that the organization meets security standards.
238
If two employees are encrypting traffic between them using a single encryption key, which of the following algorithms are they using?
RSA
3DES
DSA
SHA-2
SHA-2
239
A highly complex password policy has made it nearly impossible to crack account passwords. Which of the following might a hacker still be able to perform?
Pass-the-hash attack
ARP poisoning attack
Birthday attack
Brute-force attack
Pass-the-hash attack
240
A company that processes sensitive information has implemented a BYOD policy and an MDM solution to secure sensitive data that is processed by corporate and personally owned mobile devices. Which of the following should the company implement to prevent sensitive data from being stored on mobile devices?
VDI
Storage segmentation
Containerization
USB OTG
Geofencing
Storage segmentation
241
To further secure a company's email system, an administrator is adding public keys to DNS records in the company's domain. Which of the following is being used?
PFS
SPF
DMARC
DNSSEC
DNSSEC