Title of test:
CompTIASec+ TEST F

Description:
TEST F SY0-601

Author:
AVATAR

Creation Date:
01/04/2023

Category:
Personal

Number of questions: 90
Content:
During an asset inventory, several assets, supplies, and miscellaneous items were noted as missing. The security manager has been asked to find an automated solution to detect any future theft of equipment. Which of the following would be BEST to implement? Badges Fencing Access control vestibule Lighting Cameras.
A company wants to deploy systems alongside production systems in order to entice threat actors and to learn more about attackers. Which of the following BEST describe these systems? DNS sinkholes Honeypots Virtual machines Neural network.
A user's PC was recently infected by malware. The user has a legacy printer without vendor support, and the user's OS is fully patched. The user downloaded a driver package from the internet. No threats were found on the downloaded file, but during file installation, a malicious runtime threat was detected. Which of the following is the MOST likely cause of the infection? The driver has malware installed and was refactored upon download to avoid detection. The user's computer has a rootkit installed that has avoided detection until the new driver overwrote key files. The user's antivirus software definitions were out of date and were damaged by the installation of the driver. The user's computer has been infected with a logic bomb set to run when the new driver was installed.
A SOC is currently being outsourced. Which of the following is being used? Microservices SaaS MSSP PaaS.
A security analyst is investigating a phishing email that contains a malicious document directed to the company's Chief Executive Officer (CEO). Which of the following should the analyst perform to understand the threat and retrieve possible IoCs? Run a vulnerability scan against the CEO's computer to find possible vulnerabilities Install a sandbox to run the malicious payload in a safe environment Perform a traceroute to identify the communication path Use netstat to check whether communication has been made with a remote host.
A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the users' PCs. Which of the following is the MOST likely cause of this issue? TFTP was disabled on the local hosts SSH was turned off instead of modifying the configuration file Remote login was disabled in the networkd.config instead of using the sshd.conf Network services are no longer running on the NAS.
A company is considering transitioning to the cloud. The company employs individuals from various locations around the world. The company does not want to increase its on-premises infrastructure blueprint and only wants to pay for additional compute power required. Which of the following solutions would BEST meet the needs of the company? Private cloud Hybrid environment Managed security service provider Hot backup site.
A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data that is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help to accomplish this goal? Classify the data Mask the data Assign the application owner Perform a risk analysis.
A network analyst is investigating compromised corporate information. The analyst has a theory that network traffic was intercepted before being transmitted to the internet. The following output was captured on an internal host: Denial of service ARP poisoning Command injection MAC flooding.
A company's cybersecurity department is looking for a new solution to maintain high availability. Which of the following can be utilized to build a solution? (Select Two) A stateful inspection IP hashes A round robin A VLAN A DMZ.
A company installed several crosscut shredders as part of increased information security practices targeting data leakage risks. Which of the following will this practice reduce? Dumpster diving Shoulder surfing Information elicitation Credential harvesting.
A company would like to provide flexibility for employees on device preference. However, the company is concerned about supporting too many different types of hardware. Which of the following deployment models will provide the needed flexibility with the GREATEST amount of control and security over company data and infrastructure? BYOD VDI COPE CYOD.
Users reported several suspicious activities within the last two weeks that resulted in several unauthorized transactions. Upon investigation, the security analyst found the following: Multiple reports of breached credentials within that time period Traffic being redirected in certain parts of the network Fraudulent emails being sent by various internal users without their consent Which of the following types of attacks was MOST likely used? Replay attack Race condition Cross site scripting Request forgeries.
Several employees have noticed other bystanders can clearly observe a terminal where passcodes are being entered. Which of the following can be eliminated with the use of a privacy screen? Shoulder surfing Spear phishing Impersonation attack Card cloning.
A user's account is constantly being locked out. Upon further review, a security analyst found the following in the SIEM: An attacker is utilizing a password-spraying attack against the account. An attacker is utilizing a dictionary attack against the account. An attacker is utilizing a brute-force attack against the account. An attacker is utilizing a rainbow table attack against the account.
A bad actor tries to persuade someone to provide financial information over the phone in order to gain access to funds. Which of the following types of attacks does this scenario describe? Vishing Phishing Spear phishing Whaling.
Which of the following environments typically hosts the current version configurations and code, compares user-story responses and workflow, and uses a modified version of actual data for testing? Development Staging Production Test.
Which of the following controls would BEST identify and report malicious insider activities? An intrusion detection system A proxy Audit trails Strong authentication.
A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site. Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel. Which of the following attacks is being conducted? Evil twin Jamming DNS poisoning Bluesnarfing DDoS.
A new plug-and-play storage device was installed on a PC in the corporate environment. Which of the following safeguards will BEST help to protect the PC from malicious files on the storage device? Change the default settings on the PC. Define the PC firewall rules to limit access Encrypt the disk on the storage device Plug the storage device in to the UPS.
Customers reported their antivirus software flagged one of the company's primary software products as suspicious. The company's Chief Information Security Officer has tasked the developer with determining a method to create a trust model between the software and the customer's antivirus software. Which of the following would be the BEST solution? Code signing Domain validation Extended validation Self-signing.
A security analyst is concerned about traffic initiated to the dark web from the corporate LAN. Which of the following networks should the analyst monitor? SFTP AIS Tor IoC.
A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement? Asymmetric Symmetric Homomorphic Ephemeral.
Due to unexpected circumstances, an IT company must vacate its main office, forcing all operations to alternate, off-site locations. Which of the following will the company MOST likely reference for guidance during this change? The business continuity plan The retention policy The disaster recovery plan The incident response plan.
A company was compromised, and a security analyst discovered the attacker was able to get access to a service account. The following logs were discovered during the investigation: Race condition testing Proper error handling Forward web server logs to a SIEM Input sanitization.
A security analyst needs to implement security features across smartphones, laptops, and tablets. Which of the following would be the MOST effective across heterogeneous platforms? Enforcing encryption Deploying GPOs Removing administrative permissions Applying MDM software.
A security analyst is responding to an alert from the SIEM. The alert states that malware was discovered on a host and was not automatically deleted. Which of the following would be BEST for the analyst to perform? Add a deny-all rule to that host in the network ACL Implement a network-wide scan for other instances of the malware. Quarantine the host from other parts of the network Revoke the client's network access certificates.
An external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the DMZ and moved to the sensitive information, generating multiple logs as the attacker traversed through the network. Which of the following will BEST assist with this investigation? Perform a vulnerability scan to identify the weak spots Use a packet analyzer to investigate the NetFlow traffic Check the SIEM to review the correlated logs Require access to the routers to view current sessions.
As part of a company's ongoing SOC maturation process, the company wants to implement a method to share cyberthreat intelligence data with outside security partners. Which of the following will the company MOST likely implement? TLP TTP STIX TAXII.
Which of the following authentication methods sends out a unique password to be used within a specific number of seconds? TOTP Biometrics Kerberos LDAP.
Which of the following would be used to find the MOST common web-application vulnerabilities? OWASP MITRE ATT&CK Cyber Kill Chain SDLC.
A network engineer at a company with a web server is building a new web environment with the following requirements: Only one web server at a time can service requests. If the primary web server fails, a failover needs to occur to ensure the secondary web server becomes the primary. Which of the following load-balancing options BEST fits the requirements? Cookie-based Active-passive Persistence Round robin.
The board of directors at a company contracted with an insurance firm to limit the organization's liability. Which of the following risk management practices does this BEST describe? Transference Avoidance Mitigation Acknowledgement.
During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations. Which of the following data sources would be BEST to use to assess the accounts impacted by this attack? User behavior analytics Dump files Bandwidth monitors Protocol analyzer output.
A system that requires an operational availability of 99.99% and has an annual maintenance window available for patching and fixes will require the HIGHEST: MTBF MTTR RPO RTO.
A website developer who is concerned about theft of the company's user database wants to protect weak passwords from offline brute-force attacks. Which of the following would be the BEST solution? Lock accounts after five failed logons Precompute passwords with rainbow tables Use a key-stretching technique Hash passwords with the MD5 algorithm.
Hackers recently attacked a company's network and obtained several unfavorable pictures from the Chief Executive Officer's workstation. The hackers are threatening to send the images to the press if a ransom is not paid. Which of the following is impacted the MOST? Identity theft Data loss Data exfiltration Reputation.
Which of the following would be MOST effective to contain a rapidly spreading attack that is affecting a large number of organizations? Machine learning DNS sinkhole Blocklist Honeypot.
Which of the following is a detective and deterrent control against physical intrusions? An alarm A fence A sign Mantrap.
A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis. Which of the following tools will the other team member MOST likely use to open this file? Autopsy Memdump FTK imager Wireshark.
An information security policy states that separation of duties is required for all highly sensitive database changes that involve customers' financial data. Which of the following will this BEST prevent? Least privilege An insider threat A data breach A change control violation.
A security analyst is concerned about critical vulnerabilities that have been detected on some applications running inside containers. Which of the following is the BEST remediation strategy? Include the containers in the regular patching schedule for servers Patch each running container individually and test the application Update the host in which the containers are running Update the base container image and redeploy the environment.
Which of the following would produce the closest experience to responding to an actual incident response scenario? Lessons learned Simulation Walk-through Tabletop.
A dynamic application vulnerability scan identified that code injection could be performed using a web form. Which of the following would be the BEST remediation to prevent this vulnerability? Implement input validation Deploy MFA Utilize a WAF Configure HIPS.
A penetration tester successfully gained access to a company's network. The investigating analyst determines malicious traffic connected through the WAP despite filtering rules being in place. Logging in to the connected switch, the analyst sees the following in the ARP table: Which of the following did the penetration tester MOST likely use? ARP poisoning MAC cloning Man in the middle Evil twin.
A user reports trouble using a corporate laptop. The laptop freezes and responds slowly when writing documents, and the mouse pointer occasionally disappears. The task list shows the following results: RAT PUP Spyware Keylogger.
A software company is analyzing a process that detects software vulnerabilities at the earliest stage possible. The goal is to scan the source looking for unsecure practices and weaknesses before the application is deployed in a runtime environment. Which of the following would BEST assist the company with this objective? Use fuzzing testing Use a web vulnerability scanner Use static code analysis Use a penetration-testing OS.
A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would BEST prevent email contents from being released should another breach occur? Enable full disk encryption on the mail servers Use digital certificates when accessing email via the web Configure web traffic to only use TLS-enabled channels Implement S/MIME to encrypt the emails at rest.
A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert? True positive True negative False positive False negative.
As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous incident is happening again. Which of the following would allow the security analyst to alert the SOC if an event is reoccurring? Creating a playbook within the SOAR Implementing rules in the NGFW Updating the DLP hash database Publishing a new CRL with revoked certificates.
Which of the following BEST helps to demonstrate integrity during a forensic investigation? Encryption Hashing Snapshots Event logs.
A company reduced the area utilized in its datacenter by creating virtual networking through automation and by creating provisioning routes and rules through scripting. Which of the following does this example describe? IaC MSSP Containers SaaS.
Security analysts are conducting an investigation of an attack that occurred inside the organization's network. An attacker was able to collect network traffic between workstations throughout the network. The analysts review the following logs: SQL injection DNS spoofing MAC flooding ARP poisoning.
The chief compliance officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST likely protecting against? Preventing any current employees' siblings from working at the bank to prevent nepotism Hiring an employee who has been convicted of theft to adhere to industry compliance Filtering applicants who have added false information to resumes so they appear better qualified Ensuring no new hires have worked at other banks that may be trying to steal customer information.
Which of the following control types would be BEST to use to identify violations and incidents? Detective Compensating Deterrent Corrective Recovery Preventive.
Which of the following provides a catalog of security and privacy controls related to the United States federal information systems? GDPR PCI DSS ISO 27000 NIST 800-53.
A penetration tester was able to compromise an internal server and is now trying to pivot the current session in a network lateral movement. Which of the following tools, if available on the server, will provide the MOST useful information for the next assessment step? Autopsy Cuckoo Memdump Nmap.
A news article states that a popular web browser deployed on all corporate PCs is vulnerable to a zero-day attack. Which of the following would MOST concern the Chief Information Security Officer about the information in the news article? Insider threats have compromised this network Web browsing is not functional for the entire network Antivirus signatures are required to be updated immediately No patches are available for the web browser.
A systems analyst determines the source of a high number of connections to a web server that were initiated by ten different IP addresses that belong to a network block in a specific country. Which of the following techniques will the systems analyst MOST likely implement to address this issue? Content filter SIEM Firewall rules DLP.
A penetration tester gains access to the network by exploiting a vulnerability on a public- facing web server. Which of the following techniques will the tester most likely perform NEXT? Gather more information about the target through passive reconnaissance Establish rules of engagement before proceeding Create a user account to maintain persistence Move laterally throughout the network to search for sensitive information.
An organization is concerned about intellectual property theft by employees who leave the organization. Which of the following will the organization MOST likely implement? CBT NDA MOU AUP.
An organization wants seamless authentication to its applications. Which of the following should the organization employ to meet this requirement? SOAP SAML SSO Kerberos.
A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources. Which of the following risks would this training help to prevent? Hoaxes SPIMs Identity fraud Credential harvesting.
After a WiFi scan of a local office was conducted, an unknown wireless signal was identified. Upon investigation, an unknown Raspberry Pi device was found connected to an Ethernet port using a single connection. Which of the following BEST describes the purpose of this device? Evil twin Rogue access point On-path attack On-path attack.
A recent security audit revealed that a popular website with IP address 172.16.1.5 also has an FTP service that employees were using to store sensitive corporate data. The organization's outbound firewall processes rules top-down. Which of the following would permit HTTP and HTTPS, while denying all other services for this host? access-rule permit tcp destination 172.16.1.5 port 80 access-rule permit tcp destination 172.16.1.5 port 443 access-rule deny ip destination 172.16.1.5 access-rule permit tcp destination 172.16.1.5 port 22 access-rule permit tcp destination 172.16.1.5 port 443 access-rule deny tcp destination 172.16.1.5 port 80 access-rule permit tcp destination 172.16.1.5 port 21 access-rule permit tcp destination 172.16.1.5 port 80 access-rule deny ip destination 172.16.1.5 access-rule permit tcp destination 172.16.1.5 port 80 access-rule permit tcp destination 172.16.1.5 port 443 access-rule deny tcp destination 172.16.1.5 port 21.
A company currently uses passwords for logging in to company-owned devices and wants to add a second authentication factor. Per corporate policy, users are not allowed to have smartphones at their desks. Which of the following would meet these requirements? Smart card PIN code Knowledge-based question Secret key.
A backdoor was detected on the containerized application environment. The investigation detected that a zero-day vulnerability was introduced when the latest container image version was downloaded from a public registry. Which of the following is the BEST solution to prevent this type of incident from occurring again? Deploy an IPS solution capable of detecting signatures of attacks targeting containers Define a vulnerability scan to assess container images before being introduced on the environment Create a dedicated VPC for the containerized environment Enforce the use of a controlled trusted source of container images.
A security manager runs Nessus scans of the network after every maintenance window. Which of the following is the security manager MOST likely trying to accomplish? Verifying that system patching has effectively removed known vulnerabilities Identifying assets on the network that may not exist on the network asset inventory Validating the hosts do not have vulnerable ports exposed to the internet Checking the status of the automated malware analysis that is being performed.
An analyst just discovered an ongoing attack on a host that is on the network. The analyst observes the below taking place: 1. The computer performance is slow 2. Ads are appearing from various pop-up windows 3. Operating system files are modified 4. The computer is receiving AV alerts for execution of malicious processes Which of the following steps should the analyst consider FIRST? Check to make sure the DLP solution is in the active state Patch the host to prevent exploitation Put the machine in containment Update the AV solution on the host to stop the attack.
Name: Wikipedia.org Address: 208.80.154.224 Which of the following attacks MOST likely occurred on the user's internal network? DNS poisoning URL redirection ARP poisoning /etc/hosts poisoning.
An organization maintains several environments in which patches are developed and tested before being deployed to an operational status. Which of the following is the environment in which patches will be deployed just prior to being put into an operational status? Development Test Production Staging.
A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web application using a third-party library. The development staff state there are still customers using the application even though it is end of life and it would be a substantial burden to update the application for compatibility with more secure libraries. Which of the following would be the MOST prudent course of action? Accept the risk if there is a clear road map for timely decommission Deny the risk due to the end-of-life status of the application. Use containerization to segment the application from other applications to eliminate the risk Outsource the application to a third-party developer group.
The website http://companywebsite.com requires users to provide personal information, including security responses, for registration. Which of the following would MOST likely cause a data breach? LACK OF INPUT VALIDATION OPEN PERMISSIONS UNSECURE PROTOCOL MISSING PATCHES.
Administrators have allowed employees to access their company email from personal computers. However, the administrators are concerned that these computers are another attack surface and can result in user accounts being breached by foreign actors. Which of the following actions would provide the MOST secure solution? Enable an option in the administration center so accounts can be locked if they are accessed from different geographical areas Implement a 16-character minimum length and 30-day expiration password policy Set up a global mail rule to disallow the forwarding of any company email to email addresses outside the organization Enforce a policy that allows employees to be able to access their email only while they are connected to the internet via VPN.
A cybersecurity administrator needs to allow mobile BYOD devices to access network resources. As the devices are not enrolled to the domain and do not have policies applied to them, which of the following are best practices for authentication and infrastructure security? (Select TWO). Create a new network for the mobile devices and block the communication to the internal network and servers Use a captive portal for user authentication. Authenticate users using OAuth for more resiliency Implement SSO and allow communication to the internal network Use the existing network and allow communication to the internal network and servers Use a new and updated RADIUS server to maintain the best solution.
A security analyst wants to fingerprint a web server. Which of the following tools will the security analyst MOST likely use to accomplish this task? nmap -p1-65535 192.168.0.10 dig 192.168.0.10 curl --head http://192.168.0.10 ping 192.168.0.10.
A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution. In order to restrict PHI documents, which of the following should be performed FIRST? Governance Classification Change management Retention.
Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed. Which of the following explains this process? Accountability Legal hold Chain of custody Data breach notification.
A security analyst is investigating multiple hosts that are communicating to external IP addresses during the hours of 2:00 a.m. - 4:00 a.m. The malware has evaded detection by traditional antivirus software. Which of the following types of malware is MOST likely infecting the hosts? A RAT Ransomware Logic bomb A worm.
DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuation in a cost-effective way. Which of the following options BEST fulfils the architect's requirements? An orchestration solution that can adjust scalability of cloud assets Use of multipath by adding more connections to cloud storage Cloud assets replicated on geographically distributed regions An on-site backup that is deployed and only used when the load increases.
An organization wants to integrate its incident response processes into a workflow with automated decision points and actions based on predefined playbooks. Which of the following should the organization implement? SIEM SOAR EDR CASB.
Which biometric error would allow an unauthorized user to access a system? False acceptance False entrance False rejection False denial.
The Chief Information Security Officer (CISO) has decided to reorganize security staff to concentrate on incident response and to outsource outbound Internet URL categorization and filtering to an outside company. Additionally, the CISO would like this solution to provide the same protections even when a company laptop or mobile device is away from a home office. Which of the following should the CISO choose? CASB Next-generation SWG NGFW Web-application firewall.
Which of the following must be in place before implementing a BCP? SLA AUP NDA BIA.
Several universities are participating in a collaborative research project and need to share compute and storage resources. Which of the following cloud deployment strategies would BEST meet this need? Community Private Public Hybrid.
An organization's Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities? Data protection officer Data owner Backup administrator Data custodian Internal auditor.
A security engineer needs to build a solution to satisfy regulatory requirements that state certain critical servers must be accessed using MFA. However, the critical servers are older and are unable to support the addition of MFA. Which of the following will the engineer MOST likely use to achieve this objective? A forward proxy A stateful firewall A jump server A port tap.
A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system? The Diamond Model of Intrusion Analysis CIS Critical Security Controls NIST Risk Management Framework ISO 27002.