Title of test:
CompTIASec+ TEST G

Description:
TEST G SY0-601

Author:
AVATAR

Creation Date:
01/04/2023

Category:
Personal

Number of questions: 90
Content:
Which of the following would detect intrusions at the perimeter of an airport? Signage Fencing Motion sensors Lighting Bollards.
Which of the following in a forensic investigation should be prioritized based on the order of volatility? (Select TWO). Page files Event logs RAM Cache Stored files HDD.
An amusement park is implementing a biometric system that validates customers' fingerprints to ensure they are not sharing tickets. The park's owner values customers above all and would prefer customers' convenience over security. For this reason, which of the following features should the security team prioritize FIRST? Low FAR Low efficacy Low FRR Low CER.
Which of the following components can be used to consolidate and forward inbound Internet traffic to multiple cloud environments through a single firewall? Transit gateway Cloud hot site Edge computing DNS sinkhole.
Which of the following types of attacks is being attempted and how can it be mitigated? XSS; implement a SIEM CSRF; implement an IPS Directory traversal: implement a WAF SQL injection: implement an IDS.
Which of the following are common VoIP-associated vulnerabilities? (Select TWO). SPIM Vishing Hopping Phishing Credential harvesting Tailgating.
The Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the following incident response processes is the CISO requesting? Lessons learned Preparation Detection Containment Root cause analysis.
A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique? Vishing Whaling Phishing Smishing.
A company is planning to install a guest wireless network so visitors will be able to access the Internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would BEST protect the company's internal wireless network against visitors accessing company resources? Configure the guest wireless network to be on a separate VLAN from the company's internal wireless network. Change the password for the guest wireless network every month. Decrease the power levels of the access points for the guest wireless network. Enable WPA2 using 802.1X for logging on to the guest wireless network.
A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows: * Must be able to differentiate between users connected to WiFi. * The encryption keys need to change routinely without interrupting the users or forcing reauthentication. * Must be able to integrate with RADIUS. * Must not have any open SSIDs. Which of the following options BEST accommodates these requirements? WPA2-Enterprise WPA3-PSK 802.11n WPS.
Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following: 1. All users share workstations throughout the day. 2. Endpoint protection was disabled on several workstations throughout the network. 3. Travel times on logins from the affected users are impossible. 4. Sensitive data is being uploaded to external sites. 5. All user account passwords were forced to be reset and the issue continued. Which of the following attacks is being used to compromise the user accounts? Brute-force Keylogger Dictionary Rainbow.
Which of the following should be monitored by threat intelligence researchers who search for leaked credentials? Common Weakness Enumeration OSINT Dark web Vulnerability databases.
A security proposal was set up to track requests for remote access by creating a baseline of the users' common sign-in properties. When a baseline deviation is detected, an MFA challenge will be triggered. Which of the following should be configured in order to deploy the proposal? Context-aware authentication Simultaneous authentication of equals Extensive authentication protocol Agentless network access control.
A cybersecurity administrator needs to implement a Layer 7 security control on a network and block potential attacks. Which of the following can block an attack at Layer 7? (Select TWO). HIDS NIPS HSM WAF NAC NIDS Stateless firewall.
A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing. Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented? Enforce MFA when an account request reaches a risk threshold. Implement geofencing to only allow access from headquarters. Enforce time-based login requests that align with business hours. Shift the access control scheme to a discretionary access control.
A cloud service provider has created an environment where customers can connect existing local networks to the cloud for additional computing resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used? Public Community Hybrid Private.
After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices? SSH SNMPv3 SFTP Telnet FTP.
A customer has reported that an organization's website displayed an image of a smiley face rather than the expected web page for a short time two days earlier. A security analyst reviews log entries and sees the following around the time of the incident: Invalid trust chain Domain hijacking DNS poisoning URL redirection.
Which of the following will increase cryptographic security? High data entropy Algorithms that require less computing power Longer key longevity Hashing.
An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the IP address associated with the shopping site. Later, the user received an email regarding the credit card statement with unusual purchases. Which of the following attacks took place? On-path attack Protocol poisoning Domain hijacking Bluejacking.
While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor? Utilizing SIEM correlation engines Deploying Netflow at the network border Disabling session tokens for all sites Deploying a WAF for the web server.
A recent security breach exploited software vulnerabilities in the firewall and within the network management solution. Which of the following will MOST likely be used to identify when the breach occurred through each device? SIEM correlation dashboards Firewall syslog event logs Network management solution login audit logs Bandwidth monitors and interface sensors.
Which of the following employee roles is responsible for protecting an organization's collected personal information? CTO DPO CEO DBA.
A systems administrator reports degraded performance on a virtual server. The administrator increases the virtual memory allocation, which improves conditions, but performance degrades again after a few days. The administrator runs an analysis tool and sees the following output: DLL injection API attack Buffer overflow Memory leak.
A security manager needs to assess the security posture of one of the organization's vendors. The contract with the vendor does not allow for auditing of the vendor's security controls. Which of the following should the manager request to complete the assessment? A service-level agreement A business partnership agreement A SOC 2 Type 2 report A memorandum of understanding.
After multiple on-premises security solutions were migrated to the cloud, the incident response time increased. The analysts are spending a long time tracing information on different cloud consoles and correlating data in different formats. Which of the following can be used to optimize the incident response time? CASB VPC SWG CMS.
A company needs to validate its updated incident response plan using a real-world scenario that will test decision points and relevant incident response actions without interrupting daily operations. Which of the following would BEST meet the company's requirements? Red-team exercise Capture-the-flag exercise Tabletop exercise Phishing exercise.
An organization is moving away from the use of client-side and server-side certificates for EAP. The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements? PEAP EAP-FAST EAP-TLS EAP-TTLS.
A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content. Which of the following is the BEST way for the company to mitigate this attack? Create a honeynet to trap attackers who access the VPN with credentials obtained by phishing. Generate a list of domains similar to the company's own and implement a DNS sinkhole for each. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS. Use an automated tool to flood the phishing websites with fake usernames and passwords.
A systems administrator is troubleshooting a server's connection to an internal web server. The administrator needs to determine the correct ports to use. Which of the following tools BEST shows which ports on the web server are in a listening state? Ipconfig ssh Ping Netstat.
Per company security policy, IT staff members are required to have separate credentials to perform administrative functions using just-in-time permissions. Which of the following solutions is the company implementing? Privileged access management SSO RADIUS Attribute-based access control.
The Chief Technology Officer of a local college would like visitors to utilize the school's WiFi but must be able to associate potential malicious activity to a specific person. Which of the following would BEST allow this objective to be met? Requiring all new, on-site visitors to configure their devices to use WPS Implementing a new SSID for every event hosted by the college that has visitors Creating a unique PSK for every visitor when they arrive at the reception area Deploying a captive portal to capture visitors' MAC addresses and names.
A malware attack has corrupted 30TB of company data across all file servers. A systems administrator identifies the malware and contains the issue, but the data is unrecoverable. The administrator is not concerned about the data loss because the company has a system in place that will allow users to access the data that was backed up last night. Which of the following resiliency techniques did the administrator MOST likely use to prevent impacts to business operations after an attack? Tape backups Replication RAID Cloud storage.
A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output was found on the naming server of the organization: Domain reputation Domain hijacking Disassociation DNS poisoning.
Which of the following is the MOST relevant security check to be performed before embedding third-party libraries in developed code? Check to see if the third party has resources to create dedicated development and staging environments. Verify the number of companies that downloaded the third-party code and the number of contributions on the code repository. Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the libraries' developers. Read multiple penetration-testing reports for environments running software that reused the library.
During a recent penetration test, the tester discovers large amounts of data were exfiltrated over the course of 12 months via the Internet. The penetration tester stops the test to inform the client of the findings. Which of the following should be the client's NEXT step to mitigate the issue? Conduct a full vulnerability scan to identify possible vulnerabilities. Perform containment on the critical servers and resources. Review the firewall and identify the source of the active connection. Disconnect the entire infrastructure from the Internet.
Which of the following describes the continuous delivery software development methodology? Waterfall Spiral V-shaped Agile.
Developers are about to release a financial application, but the number of fields on the forms that could be abused by an attacker is troubling. Which of the following techniques should be used to address this vulnerability? Implement input validation Encrypt data before submission Perform a manual review Conduct a peer review session.
A security administrator has discovered that workstations on the LAN are becoming infected with malware. The cause of the infections appears to be users receiving phishing emails that are bypassing the current email-filtering technology. As a result, users are being tricked into clicking on malicious URLs, as no internal controls currently exist in the environment to evaluate their safety. Which of the following would be BEST to implement to address the issue? Forward proxy HIDS Awareness training A jump server IPS.
A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do NEXT? Review how the malware was introduced to the network. Attempt to quarantine all infected hosts to limit further spread. Create help desk tickets to get infected systems reimaged. Update all endpoint antivirus solutions with the latest updates.
A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users' interaction. The SIEM has multiple login entries with the following text: Malicious script Privilege escalation Domain hijacking DNS poisoning.
A security forensics analyst is examining a virtual server. The analyst wants to preserve the present state of the virtual server, including memory contents. Which of the following backup types should be used? Snapshot Differential Cloud Full Incremental.
A user's login credentials were recently compromised. During the investigation, the security analyst determined the user input credentials into a pop-up window when prompted to confirm the username and password. However, the trusted website does not use a pop-up for entering user credentials. Which of the following attacks occurred? Cross-site scripting SQL injection DNS poisoning Certificate forgery.
A security analyst was called to investigate a file received directly from a hardware manufacturer. The analyst is trying to determine whether the file was modified in transit before installation on the user's computer. Which of the following can be used to safely assess the file? Check the hash of the installation file Match the file names Verify the URL download location Verify the code-signing certificate.
Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement? Implement proper network access restrictions Initiate a bug bounty program Classify the system as shadow IT Increase the frequency of vulnerability scans.
Which of the following control types is focused primarily on reducing risk before an incident occurs? Preventive Deterrent Corrective Detective.
Which of the following policies establishes rules to measure third-party work tasks and ensure deliverables are provided within a specific time line? SLA MOU AUP NDA.
Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective companies. A combined effort from both organizations' SOC teams would speed up the effort. Which of the following can be written to document this agreement? MOU ISA SLA NDA.
All security analysts' workstations at a company have network access to a critical server VLAN. The information security manager wants to further enhance the controls by requiring that all access to the secure VLAN be authorized only from a given single location. Which of the following will the information security manager MOST likely implement? A forward proxy server A jump server A reverse proxy server A stateful firewall server.
An organization is planning to open other datacenters to sustain operations in the event of a natural disaster. Which of the following considerations would BEST support the organization's resiliency? Geographic dispersal Generator power Fire suppression Facility automation.
During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted, and the adversary is able to maintain a presence in the network. In which of the following stages of the Cyber Kill Chain is the adversary currently operating? Reconnaissance Command and control Actions on objective Exploitation.
After returning from a conference, a user's laptop has been operating slower than normal and overheating, and the fans have been running constantly. During the diagnosis process, an unknown piece of hardware is found connected to the laptop's motherboard. Which of the following attack vectors was exploited to install the hardware? Removable media Spear phishing Supply chain Direct access.
Which of the following would MOST likely be identified by a credentialed scan but would be missed by an uncredentialed scan? Vulnerabilities with a CVSS score greater than 6.9 Critical infrastructure vulnerabilities on non-IP protocols CVEs related to non-Microsoft systems such as printers and switches Missing patches for third-party software on Windows workstations and servers.
A database administrator wants to grant access to an application that will be reading and writing data to a database. The database is shared by other applications also used by the finance department. Which of the following account types is MOST appropriate for this purpose? Service Shared Generic Admin.
An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message reveals that a payment card number was found in the file, and the file upload was blocked. Which of the following controls is most likely causing this issue and should be checked FIRST? DLP Firewall rule Content filter MDM Application whitelist.
Multiple business accounts were compromised a few days after a public website had its credentials database leaked on the Internet. No business emails were identified in the breach, but the security team thinks that the list of passwords exposed was later used to compromise business accounts. Which of the following would mitigate the issue? Complexity requirements Password history Acceptable use policy Shared accounts.
The Chief Information Security Officer wants to prevent exfiltration of sensitive information from employee cell phones when using public USB power charging stations. Which of the following would be the BEST solution to implement? DLP USB data blocker USB OTG Disabling USB ports.
After gaining access to a dual-homed (i.e., wired and wireless) multifunction device by exploiting a vulnerability in the device's firmware, a penetration tester then gains shell access on another networked asset. This technique is an example of: privilege escalation footprinting persistence pivoting.
An application developer accidentally uploaded a company's code-signing certificate private key to a public web server. The company is concerned about malicious use of its certificate. Which of the following should the company do FIRST? Delete the private key from the repository. Verify the public key is not exposed as well. Update the DLP solution to check for private keys. Revoke the code-signing certificate.
A company is looking to migrate some servers to the cloud to minimize its technology footprint. The company has 100 databases that are on premises. Which of the following solutions will require the LEAST management and support from the company? SaaS IaaS PaaS SDN.
A security monitoring company offers a service that alerts its customers if their credit cards have been stolen. Which of the following is the MOST likely source of this information? STIX The dark web TAXII Social media PCI.
A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage. Which of the following is the BEST remediation for this data leak? User training CASB MDM DLP.
A security analyst has been asked by the Chief Information Security Officer to: 1. develop a secure method of providing centralized management of infrastructure 2. reduce the need to constantly replace aging end user machines 3. provide a consistent user desktop experience Which of the following BEST meets these requirements? BYOD Mobile device management VDI Containerization.
An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following: Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users. Internal users in question were changing their passwords frequently during that time period. A jump box that several domain administrator users use to connect to remote devices was recently compromised. The authentication method used in the environment is NTLM. Which of the following types of attacks is MOST likely being used to gain unauthorized access? Pass-the-hash Brute-force Directory traversal Replay.
A routine audit of medical billing claims revealed that several claims were submitted without the subscriber's knowledge. A review of the audit logs for the medical billing company's system indicated a company employee downloaded customer records and adjusted the direct deposit information to a personal bank account. Which of the following does this action describe? Insider threat Social engineering Third-party risk Data breach.
A company wants to improve end users' experiences when they log in to a trusted partner website. The company does not want the users to be issued separate credentials for the partner website. Which of the following should be implemented to allow users to authenticate using their own credentials to log in to the trusted partner's website? Directory service AAA server Federation Multifactor authentication.
Which of the following statements BEST describes zero-day exploits? When a zero-day exploit is discovered, the system cannot be protected by any means. Zero-day exploits have their own scoring category in CVSS. A zero-day exploit is initially undetectable and no patch for it exists. Discovering zero-day exploits is always performed via bug bounty programs.
Which of the following would BEST provide a systems administrator with the ability to more efficiently identify systems and manage permissions and policies based on location, role, and service level? Standard naming conventions Domain services Baseline configurations Diagrams.
An organization has activated an incident response plan due to a malware outbreak on its network. The organization has brought in a forensics team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be BEST to prevent reinfection from the initial infection vector? Prevent connections over TFTP from the internal network. Create a firewall rule that blocks port 22 from the internet to the server. Disable file sharing over port 445 to the server. Block port 3389 inbound from untrusted networks.
Which of the following is a known security risk associated with data archives that contain financial information? Data can become a liability if archived longer than required by regulatory guidance. Data must be archived off-site to avoid breaches and meet business requirements. Companies are prohibited from providing archived data to e-discovery requests. Unencrypted archives should be preserved as long as possible and encrypted.
An organization would like to give remote workers the ability to use applications hosted inside the corporate network. Users will be allowed to use their personal computers or they will be provided organization assets. Either way, no data or applications will be installed locally on any user systems. Which of the following mobile solutions would accomplish these goals? VDI MDM COPE UTM.
Server administrators want to configure a cloud solution so that computing memory and processor usage is maximized most efficiently across a number of virtual servers. They also need to avoid potential denial-of-service situations caused by availability. Which of the following should administrators configure to maximize system availability while efficiently utilizing available computing power? Dynamic resource allocation High availability Segmentation Container security.
During a security incident investigation, an analyst consults the company's SIEM and sees an event concerning high traffic to a known, malicious command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue. Which of the following can provide the information? WAF logs DNS logs System logs Application logs.
A forensic analyst needs to prove that data has not been tampered with since it was collected. Which of the following methods will the analyst MOST likely use? Look for tampering on the evidence collection bag. Encrypt the collected data using asymmetric encryption. Ensure proper procedures for chain of custody are being followed. Calculate the checksum using a hashing algorithm.
An organization has developed an application that needs a patch to fix a critical vulnerability. In which of the following environments should the patch be deployed LAST? Test Staging Development Production.
A company labeled some documents with the public sensitivity classification. This means the documents can be accessed by: employees of other companies and the press; all members of the department that created the documents; only the company's employees and those listed in the document; only the individuals listed in the documents.
A company is implementing BYOD and wants to ensure all users have access to the same cloud-based services. Which of the following would BEST allow the company to meet this requirement? IaaS PaaS MaaS SaaS.
An organization wants to participate in threat intelligence information sharing with peer groups. Which of the following would MOST likely meet the organization's requirement? Perform OSINT investigations Subscribe to threat intelligence feeds Submit RFCs Implement a TAXII server.
A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which of the following technologies meets the requirement? SSO IDS MFA TPM.
A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the following commands could an analyst run to find requested servers? nslookup 10.10.10.0 nmap -p 80 10.10.10.0/24 pathping 10.10.10.0 -p 80 nc -l -p 80.
A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials? MFA Lockout Time-based logins Password history.
During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted and the adversary is able to maintain a presence in the network. In which of the following stages of the Cyber Kill Chain is the adversary currently operating? Reconnaissance Command and control Actions on objective Exploitation.
Which of the following risk management strategies would an organization use to maintain a legacy system with known risks for operational purposes? Acceptance Transference Avoidance Mitigation.
Which of the following terms describes a broad range of information that is sensitive to a specific organization? Public Top secret Proprietary Open-source.
An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an IoC? Reimage the impacted workstations. Activate runbooks for incident response. Conduct forensics on the compromised system. Conduct passive reconnaissance to gather information.
Which of the following is an example of transference of risk? Purchasing insurance Patching vulnerable servers Retiring outdated applications Application owner risk sign-off.
Which of the following is a benefit of including a risk management framework into an organization's security approach? It defines expected service levels from participating supply chain partners to ensure system outages are remediated in a timely manner. It identifies specific vendor products that have been tested and approved for use in a secure environment. It provides legal assurances and remedies in the event a data breach occurs. It incorporates control, development, policy, and management activities into IT operations.
A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional brownouts that last up to an hour exists, particularly at one of the locations near an industrial smelter. Which of the following is the BEST solution to reduce the risk of data loss? Dual supply Generator UPS PDU Daily backups.
A DBA reports that several production server hard drives were wiped over the weekend. The DBA also reports that several Linux servers were unavailable due to system files being deleted unexpectedly. A security analyst verified that software was configured to delete data deliberately from those servers. No backdoors to any servers were found. Which of the following attacks was MOST likely used to cause the data loss? Logic bomb Ransomware Fileless virus Remote access Trojans Rootkit.
A Chief Information Security Officer has defined resiliency requirements for a new data center architecture. The requirements are as follows: * Critical fileshares will remain accessible during and after a natural disaster. * Five percent of hard disks can fail at any given time without impacting the data. * Systems will be forced to shut down gracefully when battery levels are below 20%. Which of the following are required to BEST meet these objectives? (Choose three.) Fiber switching IaC NAS RAID UPS Redundant power supplies Geographic dispersal Snapshots Load balancing.