A network engineer needs to build a solution that will allow guests at the company's headquarters to access the Internet via WiFi. This solution should not allow access to the internal corporate network, but it should require guests to sign off on the acceptable use policy before accessing the Internet. Which of the following should the engineer employ to meet these requirements?
A. Implement open PSK on the APs
B. Deploy a WAF
C. Configure WIPS on the APs
D. Install a captive portal

Which of the following types of controls is a CCTV camera that is not being monitored?
A. Detective
B. Deterrent
C. Physical
D. Preventive

An engineer wants to access sensitive data from a corporate-owned mobile device. Personal data is not allowed on the device. Which of the following MDM configurations must be considered when the engineer travels for business?
A. Screen locks
B. Application management
C. Geofencing
D. Containerization

A security analyst reviews the datacenter access logs for a fingerprint scanner and notices an abundance of errors that correlate with users' reports of issues accessing the facility. Which of the following is MOST likely the cause of the access issues?
A. False rejection
B. Cross-over error rate
C. Efficacy rate
D. Attestation

A cybersecurity administrator has a reduced team and needs to operate an on-premises network and security infrastructure efficiently. To help with the situation, the administrator decides to hire a service provider. Which of the following should the administrator use?
A. SDP
B. AAA
C. IaaS
D. MSSP
E. Microservices

Under GDPR, which of the following is MOST responsible for the protection of privacy and website user rights?
A. The data protection officer
B. The data processor
C. The data owner
D. The data controller

An organization just experienced a major cyberattack. The attack was well coordinated, sophisticated, and highly skilled. Which of the following targeted the organization?
A. Shadow IT
B. An insider threat
C. A hacktivist
D. An advanced persistent threat

Given the following logs:
Which of the following BEST describes the type of attack that is occurring?
A. Rainbow table
B. Dictionary
C. Password spraying
D. Pass-the-hash

In which of the following situations would it be BEST to use a detective control type for mitigation?
A. A company implemented a network load balancer to ensure 99.999% availability of its web application.
B. A company designed a backup solution to increase the chances of restoring services in case of a natural disaster.
C. A company purchased an application-level firewall to isolate traffic between the accounting department and the information technology department.
D. A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor, not block, any traffic.
E. A company purchased liability insurance for flood protection on all capital assets.

A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use?
A. dd
B. chmod
C. dnsenum
D. logger

Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?
A. Watering-hole attack
B. Credential harvesting
C. Hybrid warfare
D. Pharming

Which of the following would be the BEST method for creating a detailed diagram of wireless access points and hot-spots?
A. Footprinting
B. White-box testing
C. A drone/UAV
D. Pivoting

Which of the following is the purpose of a risk register?
A. To define the level of risk using probability and likelihood
B. To register the risk with the required regulatory agencies
C. To identify the risk, the risk owner, and the risk measures
D. To formally log the type of risk mitigation strategy the organization is using

A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected.
Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Choose two.)
A. DoS
B. SSL stripping
C. Memory leak
D. Race condition
E. Shimming
F. Refactoring

A security analyst is reviewing a new website that will soon be made publicly available. The analyst sees the following in the URL:
http://dev-site.comptia.org/home/show.php?sessionID=77276554&loc=us
The analyst then sends an internal user a link to the new website for testing purposes, and when the user clicks the link, the analyst is able to browse the website with the following URL:
http://dev-site.comptia.org/home/show.php?sessionID=98988475&loc=us
Which of the following application attacks is being tested?
A. Pass-the-hash
B. Session replay
C. Object dereference
D. Cross-site request forgery

Which of the following refers to applications and systems that are used within an organization without consent or approval?
A. Shadow IT
B. OSINT
C. Dark web
D. Insider threats

A security analyst is performing a packet capture on a series of SOAP HTTP requests for a security assessment. The analyst redirects the output to a file. After the capture is complete, the analyst needs to review the first transactions quickly and then search the entire series of requests for a particular string. Which of the following would be BEST to use to accomplish the task? (Select TWO.)
A. head
B. tcpdump
C. grep
D. tail
E. curl
F. openssl
G. dd

Which of the following would BEST identify and remediate a data-loss event in an enterprise using third-party, web-based services and file-sharing platforms?
A. SIEM
B. CASB
C. UTM
D. DLP

A company's Chief Information Security Officer (CISO) recently warned the security manager that the company's Chief Executive Officer (CEO) is planning to publish a controversial opinion article in a national newspaper, which may result in new cyberattacks. Which of the following would be BEST for the security manager to use in a threat model?
A. Hacktivists
B. White-hat hackers
C. Script kiddies
D. Insider threats

A security analyst is reviewing the following attack log output:
Which of the following types of attacks does this MOST likely represent?
A. Rainbow table
B. Brute-force
C. Password-spraying
D. Dictionary

A security analyst is preparing a threat for an upcoming internal penetration test. The analyst needs to identify a method for determining the tactics, techniques, and procedures of a threat against the organization's network. Which of the following will the analyst MOST likely use to accomplish the objective?
A. A tabletop exercise
B. NIST CSF
C. MITRE ATT&CK
D. OWASP

A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring?
A. CASB
B. SWG
C. Containerization
D. Automated failover

A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent data loss? (Select TWO.)
A. VPN
B. Drive encryption
C. Network firewall
D. File-level encryption
E. USB blocker
F. MFA

A network engineer notices the VPN concentrator overloads and crashes on days when there are a lot of remote workers. Senior management has placed greater importance on the availability of VPN resources for the remote workers than the security of the end users' traffic. Which of the following would be BEST to solve this issue?
A. IPSec
B. Always On
C. Split tunneling
D. L2TP

The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve the security of patient data in the environment, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns?
A. SSO would simplify username and password management, making it easier for hackers to guess accounts.
B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords.
C. SSO would reduce the password complexity for frontline staff.
D. SSO would reduce the resilience and availability of systems if the provider goes offline.

An organization has decided to host its web application and database in the cloud. Which of the following BEST describes the security concerns for this decision?
A. Access to the organization's servers could be exposed to other cloud-provider clients.
B. The cloud vendor is a new attack vector within the supply chain.
C. Outsourcing the code development adds risk to the cloud provider.
D. Vendor support will cease when the hosting platforms reach EOL.

A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies?
A. PCI DSS
B. GDPR
C. NIST
D. ISO 31000

Which of the following are the MOST likely vectors for the unauthorized inclusion of vulnerable code in a software company's final software releases? (Select TWO.)
A. Unsecure protocols
B. Use of penetration-testing utilities
C. Weak passwords
D. Included third-party libraries
E. Vendors/supply chain
F. Outdated anti-malware software

A security analyst sees the following log output while reviewing web logs:
Which of the following mitigation strategies would be BEST to prevent this attack from being successful?
A. Secure cookies
B. Input validation
C. Code signing
D. Stored procedures

A security analyst has received an alert about PII being sent via email. The analyst's Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate?
A. S/MIME
B. DLP
C. IMAP
D. HIDS

A company's bank has reported that multiple corporate credit cards have been stolen over the past several weeks. The bank has provided the names of the affected cardholders to the company's forensics team to assist in the cyber-incident investigation.
An incident responder learns the following information:
The timeline of stolen card numbers corresponds closely with affected users making Internet-based purchases from diverse websites via enterprise desktop PCs. All purchase connections were encrypted, and the company uses an SSL inspection proxy for the inspection of encrypted traffic of the hardwired network. Purchases made with corporate cards over the corporate guest WiFi network, where no SSL inspection occurs, were unaffected.
Which of the following is the MOST likely root cause?
A. HTTPS sessions are being downgraded to insecure cipher suites.
B. The SSL inspection proxy is feeding events to a compromised SIEM.
C. The payment providers are insecurely processing credit card charges.
D. The adversary has not yet established a presence on the guest WiFi network.

A security analyst is performing a forensic investigation into compromised account credentials. Using the Event Viewer, the analyst is able to detect the following message: "Special privileges assigned to new login." Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected?
A. Pass-the-hash
B. Buffer overflow
C. Cross-site scripting
D. Session replay

An analyst needs to set up a method for securely transferring files between systems. One of the requirements is to authenticate the IP header and the payload. Which of the following services would BEST meet the criteria?
A. TLS
B. PFS
C. ESP
D. AH

A cybersecurity administrator is using iptables as an enterprise firewall. The administrator created some rules, but the network now seems to be unresponsive. All connections are being dropped by the firewall. Which of the following would be the BEST option to remove the rules?
A. # iptables -t mangle -X
B. # iptables -F
C. # iptables -Z
D. # iptables -P INPUT -j DROP

An organization that is located in a flood zone is MOST likely to document the concerns associated with the restoration of IT operations in a:
A. business continuity plan.
B. communications plan.
C. disaster recovery plan.
D. continuity of operations plan.

A network administrator has been asked to design a solution to improve a company's security posture. The administrator is given the following requirements:
1. The solution must be inline in the network
2. The solution must be able to block known malicious traffic
3. The solution must be able to stop network-based attacks
Which of the following should the network administrator implement to BEST meet these requirements?
A. HIDS
B. NIDS
C. HIPS
D. NIPS

A forensics examiner is attempting to dump passwords cached in the physical memory of a live system but keeps receiving an error message. Which of the following BEST describes the cause of the error?
A. The examiner does not have administrative privileges to the system.
B. The system must be taken offline before a snapshot can be created.
C. Checksum mismatches are invalidating the disk image.
D. The swap file needs to be unlocked before it can be accessed.

An organization blocks user access to command-line interpreters, but hackers still managed to invoke the interpreters using native administrative tools. Which of the following should the security team do to prevent this from happening in the future?
A. Implement HIPS to block inbound and outbound SMB ports 139 and 445.
B. Trigger a SIEM alert whenever the native OS tools are executed by the user.
C. Disable the built-in OS utilities as long as they are not needed for functionality.
D. Configure the AV to quarantine the native OS tools whenever they are executed.

A cybersecurity administrator needs to add disk redundancy for a critical server. The solution must tolerate a two-drive failure for better fault tolerance. Which of the following RAID levels should the administrator select?
A. 0
B. 1
C. 5
D. 6

A security analyst needs to produce a document that details how a security incident occurred, the steps that were taken for recovery, and how future incidents can be avoided. During which of the following stages of the response process will this activity take place?
A. Recovery
B. Identification
C. Lessons learned
D. Preparation

An organization's RPO for a critical system is two hours. The system is used Monday through Friday, from 9:00 a.m. to 5:00 p.m. Currently, the organization performs a full backup every Saturday that takes four hours to complete. Which of the following additional backup implementations would be the BEST way for the analyst to meet the business requirements?
A. Incremental backups Monday through Friday at 6:00 p.m. and differential backups hourly
B. Full backups Monday through Friday at 6:00 p.m. and incremental backups hourly
C. Incremental backups Monday through Friday at 6:00 p.m. and full backups hourly
D. Full backups Monday through Friday at 6:00 p.m. and differential backups hourly

A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent the exfiltration of data? (Select TWO.)
A. VPN
B. Drive encryption
C. Network firewall
D. File-level encryption
E. USB blocker
F. MFA

A network engineer needs to create a plan for upgrading the wireless infrastructure in a large office. Priority must be given to areas that are currently experiencing latency and connection issues. Which of the following would be the BEST resource for determining the order of priority?
A. Nmap
B. Heat maps
C. Network diagrams
D. Wireshark

A user reports constant lag and performance issues with the wireless network when working at a local coffee shop. A security analyst walks the user through an installation of Wireshark and gets a five-minute pcap to analyze. The analyst observes the following output:
Which of the following attacks does the analyst MOST likely see in this packet capture?
A. Session replay
B. Evil twin
C. Bluejacking
D. ARP poisoning

Which of the following would be the BEST resource for a software developer who is looking to improve secure coding practices for web applications?
A. OWASP
B. Vulnerability scan results
C. NIST CSF
D. Third-party libraries

A security engineer is reviewing log files after a third party discovered usernames and passwords for the organization's accounts. The engineer sees there was a change in the IP address for a vendor website one earlier. This change lasted eight hours. Which of the following attacks was MOST likely used?
A. Man-in-the-middle
B. Spear-phishing
C. Evil twin
D. DNS poisoning

A security analyst has been asked to investigate a situation after the SOC started to receive alerts from the SIEM. The analyst first looks at the domain controller and finds the following events:
A. Credential harvesting
B. Keylogger
C. Brute-force
D. Spraying

An attacker is exploiting a vulnerability that does not have a patch available. Which of the following is the attacker exploiting?
A. Zero-day
B. Default permissions
C. Weak encryption
D. Unsecure root accounts

A security analyst is using a recently released security advisory to review historical logs, looking for the specific activity that was outlined in the advisory. Which of the following is the analyst doing?
A. A packet capture
B. A user behavior analysis
C. Threat hunting
D. Credentialed vulnerability scanning

A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP connections. The analyst is unsure what is required to perform the task and solicits help from a senior colleague. Which of the following is the FIRST step the senior colleague will most likely tell the analyst to perform to accomplish this task?
A. Create an OCSP
B. Generate a CSR
C. Create a CRL
D. Generate a .pfx file

A forensics investigator is examining a number of unauthorized payments that were reported on the company's website. Some unusual log entries show users received an email for an unwanted mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be:
Which of the following will the forensics investigator MOST likely determine has occurred?
A. SQL injection
B. CSRF
C. XSS
D. XSRF

A security engineer needs to enhance MFA access to sensitive areas in a building. A key card and fingerprint scan are already in use. Which of the following would add another factor of authentication?
A. Hard token
B. Retina scan
C. SMS text
D. Keypad PIN

A security analyst is reviewing logs on a server and observes the following output:
A. A rainbow table attack
B. A password-spraying attack
C. A dictionary attack
D. A keylogger attack

An employee has been charged with fraud and is suspected of using corporate assets. As authorities collect evidence, and to preserve the admissibility of the evidence, which of the following forensic techniques should be used?
A. Order of volatility
B. Data recovery
C. Chain of custody
D. Non-repudiation

A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal?
A. Salting the magnetic strip information
B. Encrypting the credit card information in transit
C. Hashing the credit card numbers upon entry
D. Tokenizing the credit cards in the database

An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has only been given the documentation available to the customers of the applications. Which of the following BEST represents the type of testing that will occur?
A. Bug bounty
B. Black-box
C. Gray-box
D. White-box
E. Red-team

Users at an organization have been installing programs from the Internet on their workstations without first obtaining proper authorization. The organization maintains a portal from which users can install standardized programs. However, some users have administrative access on their workstations to enable legacy programs to function properly. Which of the following should the security administrator consider implementing to address this issue?
A. Application code signing
B. Application whitelisting
C. Data loss prevention
D. Web application firewalls

To secure an application after a large data breach, an e-commerce site will be resetting all users' credentials. Which of the following will BEST ensure the site's users are not compromised after the reset?
A. A password reuse policy
B. Account lockout after three failed attempts
C. Encrypted credentials in transit
D. A geofencing policy based on login history

A large enterprise has moved all its data to the cloud behind strong authentication and encryption. A sales director recently had a laptop stolen, and later, enterprise data was found to have been compromised from a database. Which of the following was the MOST likely cause?
A. Shadow IT
B. Credential stuffing
C. SQL injection
D. Man-in-the-browser
E. Bluejacking

An incident response technician collected a mobile device during an investigation. Which of the following should the technician do to maintain chain of custody?
A. Document the collection and require a sign-off when possession changes.
B. Lock the device in a safe or other secure location to prevent theft or alteration.
C. Place the device in a Faraday cage to prevent corruption of the data.
D. Record the collection in a blockchain-protected public ledger.

The website http://companywebsite.com requires users to provide personal information, including security question responses, for registration. Which of the following would MOST likely cause a data breach?
A. Lack of input validation
B. Open permissions
C. Unsecure protocol
D. Missing patches

A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media?
A. Monitoring large data transfer transactions in the firewall logs
B. Developing mandatory training to educate employees about the removable media policy
C. Implementing a group policy to block user access to system files
D. Blocking removable-media devices and write capabilities using a host-based security tool

A company has limited storage available and an online presence that cannot be down for more than four hours. Which of the following backup methodologies should the company implement to allow for the FASTEST database restore time in the event of a failure, while being mindful of the limited available storage space?
A. Implement full tape backups every Sunday at 8:00 p.m. and perform nightly tape rotations.
B. Implement differential backups every Sunday at 8:00 p.m. and nightly incremental backups at 8:00 p.m.
C. Implement nightly full backups every Sunday at 8:00 p.m.
D. Implement full backups every Sunday at 8:00 p.m. and nightly differential backups at 8:00 p.m.

A company was recently breached. Part of the company's new cybersecurity strategy is to centralize the logs from all security devices. Which of the following components forwards the logs to a central source?
A. Log enrichment
B. Log aggregation
C. Log parser
D. Log collector

Which of the following scenarios BEST describes a risk reduction technique?
A. A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches.
B. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation.
C. A security control objective cannot be met through a technical change, so the company changes its method of operation.
D. A security control objective cannot be met through a technical change, so the Chief Information Officer (CIO) decides to sign off on the risk.

A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure?
A. A captive portal
B. PSK
C. 802.1X
D. WPS

A remote user recently took a two-week vacation abroad and brought along a corporate-owned laptop. Upon returning to work, the user has been unable to connect the laptop to the VPN. Which of the following is the MOST likely reason for the user's inability to connect the laptop to the VPN? (Select TWO.)
A. Due to foreign travel, the user's laptop was isolated from the network.
B. The user's laptop was quarantined because it missed the latest patch update.
C. The VPN client was blacklisted.
D. The user's account was put on a legal hold.
E. The laptop is still configured to connect to an international mobile network operator.
F. The user is unable to authenticate because they are outside of the organization's mobile geofencing configuration.

When selecting a technical solution for identity management, an architect chooses to go from an in-house to a third-party SaaS provider. Which of the following risk management strategies is this an example of?
A. Acceptance
B. Mitigation
C. Avoidance
D. Transference

A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers. Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:
A. perform attribution to specific APTs and nation-state actors.
B. anonymize any PII that is observed within the IoC data.
C. add metadata to track the utilization of threat intelligence reports.
D. assist companies with impact assessments based on the observed data.

A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization's executives determine the next course of action?
A. An incident response plan
B. A communications plan
C. A disaster recovery plan
D. A business continuity plan

Some laptops recently went missing from a locked storage area that is protected by keyless RFID-enabled locks. There is no obvious damage to the physical space. The security manager identifies who unlocked the door; however, human resources confirms the employee was on vacation at the time of the incident. Which of the following describes what MOST likely occurred?
A. The employee's physical access card was cloned.
B. The employee is colluding with human resources.
C. The employee's biometrics were harvested.
D. A criminal used lock picking tools to open the door.

A user contacts the help desk to report the following:
Two days ago, a pop-up browser window prompted the user for a name and password after connecting to the corporate wireless SSID. This had never happened before, but the user entered the information as requested. The user was able to access the Internet but had trouble accessing the department share until the next day.
The user is now getting notifications from the bank about unauthorized transactions.
Which of the following attack vectors was MOST likely used in this scenario?
A. Rogue access point
B. Evil twin
C. DNS poisoning
D. ARP poisoning

A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output:
A. DDoS attack
B. Memory leak
C. Buffer overflow
D. Resource exhaustion

A network administrator has been asked to install an IDS to improve the security posture of an organization. Which of the following control types is an IDS?
A. Corrective
B. Physical
C. Detective
D. Administrative

A company provides mobile devices to its users to permit access to email and enterprise applications. The company recently started allowing users to select from several different vendors and device models. When configuring the MDM, which of the following is a key security implication of this heterogeneous device approach?
A. The most common set of MDM configurations will become the effective set of enterprise mobile security controls.
B. All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the chosen architecture may unnecessarily expose private keys to adversaries.
C. Certain devices are inherently less secure than others, so compensatory controls will be needed to address the delta between device vendors.
D. MDMs typically will not support heterogeneous deployment environments, so multiple MDMs will need to be installed and configured.

In the middle of a cybersecurity incident, a security engineer removes the infected devices from the network and locks down all compromised accounts. In which of the following incident response phases is the security engineer currently operating?
A. Identification
B. Preparation
C. Eradication
D. Recovery
E. Containment

A development team employs a practice of bringing all the code changes from multiple team members into the same development project through automation. A tool is utilized to validate the code and track source code through version control. Which of the following BEST describes this process?
A. Continuous delivery
B. Continuous integration
C. Continuous validation
D. Continuous monitoring

An organization is developing an authentication service for use at the entry and exit ports of country borders. The service will use data feeds obtained from passport systems, passenger manifests, and high-definition video feeds from CCTV systems that are located at the ports. The service will incorporate machine-learning techniques to eliminate biometric enrollment processes while still allowing authorities to identify passengers with increasing accuracy over time. The more frequently passengers travel, the more accurately the service will identify them. Which of the following biometrics will MOST likely be used, without the need for enrollment? (Choose two.)
A. Voice
B. Gait
C. Vein
D. Facial
E. Retina
F. Fingerprint

A software developer needs to perform code-execution testing, black-box testing, and non-functional testing on a new product before its general release. Which of the following BEST describes the tasks the developer is conducting?
A. Verification
B. Validation
C. Normalization
D. Staging

A local coffee shop runs a small WiFi hotspot for its customers that utilizes WPA2-PSK. The coffee shop would like to stay current with security trends and wants to implement WPA3 to make its WiFi even more secure. Which of the following technologies will the coffee shop MOST likely use in place of PSK?
A. WEP
B. MSCHAP
C. WPS
D. SAE

The process of passively gathering information prior to launching a cyberattack is called:
A. tailgating
B. reconnaissance
C. pharming
D. prepending

An organization has various applications that contain sensitive data hosted in the cloud. The company's leaders are concerned about lateral movement across applications of different trust levels. Which of the following solutions should the organization implement to address the concern?
A. ISFW
B. UTM
C. SWG
D. CASB

A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility issues. The OSs are still supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer (CISO) has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating backups of the systems for recovery.
Which of the following resiliency techniques will provide these capabilities?
A. Redundancy
B. RAID 1+5
C. Virtual machines
D. Full backups

A security administrator has noticed unusual activity occurring between different global instances and workloads and needs to identify the source of the unusual traffic.
Which of the following log sources would be BEST to show the source of the unusual traffic?
A. HIDS
B. UEBA
C. CASB
D. VPC

A network manager is concerned that business may be negatively impacted if the firewall in its datacenter goes offline. The manager would like to implement a high availability pair to:
A. decrease the mean time between failures.
B. remove the single point of failure.
C. cut down the mean time to repair.
D. reduce the recovery time objective.

A company deployed a WiFi access point in a public area and wants to harden the configuration to make it more secure. After performing an assessment, an analyst identifies that the access point is configured to use WPA3, AES, WPS, and RADIUS.
Which of the following should the analyst disable to enhance the access point security?
A. WPA3
B. AES
C. RADIUS
D. WPS

The following are the logs of a successful attack.
A. Password history
B. Account expiration
C. Password complexity
D. Account lockout

An organization's corporate offices were destroyed due to a natural disaster, so the organization is now setting up offices in a temporary work space.
Which of the following will the organization MOST likely consult?
A. The business continuity plan
B. The disaster recovery plan
C. The communications plan
D. The incident response plan

The spread of misinformation surrounding the outbreak of a novel virus on election day led to eligible voters choosing not to take the risk of going to the polls. This is an example of:
A. prepending
B. an influence campaign
C. a watering-hole attack
D. intimidation
E. information elicitation