Title of test:
CompTIASec+ TEST I

Description:
TEST I SY0-601

Author:
AVATAR

Creation Date:
08/04/2023

Category:
Personal

Number of questions: 62
Content:
An organization is planning to roll out a new mobile device policy and issue each employee a new laptop. These laptops would access the users' corporate operating system remotely and allow them to use the laptops for purposes outside of their job roles. Which of the following deployment models is being utilized?
  A. MDM and application management
  B. BYOD and containers
  C. COPE and VDI
  D. CYOD and VMs

A Chief Security Officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the following would BEST meet the requirements?
  A. Reverse proxy
  B. Automated patch management
  C. Snapshots
  D. NIC teaming

An analyst receives multiple alerts for beaconing activity for a host on the network. After analyzing the activity, the analyst observes the following:
  - A user enters comptia.org into a web browser.
  - The website that appears is not the comptia.org site.
  - The website is a malicious site from the attacker.
  - Users in a different office are not having this issue.
Which of the following types of attacks was observed?
  A. On-path attack
  B. DNS poisoning
  C. Locator (URL) redirection
  D. Domain hijacking

Which of the following can work as an authentication method and as an alerting mechanism for unauthorized access attempts?
  A. Smart card
  B. Push notifications
  C. Attestation service
  D. HMAC-based, one-time password

Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?
  A. DLP
  B. NIDS
  C. TPM
  D. FDE

An IT security manager requests a report on company information that is publicly available. The manager's concern is that malicious actors will be able to access the data without engaging in active reconnaissance. Which of the following is the MOST efficient approach to perform the analysis?
  A. Provide a domain parameter to theHarvester tool
  B. Check public DNS entries using dnsenum
  C. Perform a vulnerability scan targeting a public company's IP
  D. Execute nmap using the options: scan all ports and sneaky mode

A SOC operator is receiving continuous alerts from multiple Linux systems indicating that unsuccessful SSH attempts to a functional user ID have been attempted on each one of them in a short period of time. Which of the following BEST explains this behavior?
  A. Rainbow table attack
  B. Password spraying attack
  C. Logic bomb
  D. Malware bot

Users are presented with a banner upon each login to a workstation. The banner mentions that users are not entitled to any reasonable expectation of privacy and access is for authorized personnel only. In order to proceed past that banner, users must click the OK button. Which of the following is this an example of?
  A. AUP
  B. NDA
  C. SLA
  D. MOU

An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages, and SFTP, and to specifically block FTP. Which of the following would BEST accomplish this goal?
  A. Option A
  B. Option B
  C. Option C
  D. Option D

Which of the following explains why RTO is included in a BIA?
  A. It identifies the amount of allowable downtime for an application or system
  B. It prioritizes risks so the organization can allocate resources appropriately
  C. It monetizes the loss of an asset and determines a break-even point for risk mitigation
  D. It informs the backup approach so that the organization can recover data to a known time

A security analyst is tasked with classifying data to be stored on company servers. Which of the following should be classified as proprietary?
  A. Customers' dates of birth
  B. Customers' email addresses
  C. Marketing strategies
  D. Employee salaries

Which of the following uses SAML for authentication?
  A. TOTP
  B. Federation
  C. Kerberos
  D. HOTP

Which of the following supplies non-repudiation during a forensics investigation?
  A. Dumping volatile memory contents first
  B. Duplicating a drive with dd
  C. Using a SHA-2 signature of a drive image
  D. Logging everyone in contact with evidence
  E. Encrypting sensitive data

An analyst is reviewing logs associated with an attack. The logs indicate an attacker downloaded a malicious file that was quarantined by the AV solution. The attacker utilized a local non-administrative account to restore the malicious file to a new location. The file was then used by another process to execute a payload. Which of the following attacks did the analyst observe?
  A. Privilege escalation
  B. Request forgeries
  C. Injection
  D. Replay attack

Which of the following BEST describes when an organization utilizes a ready-to-use application from a cloud provider?
  A. IaaS
  B. SaaS
  C. PaaS
  D. XaaS

Which of the following is a security best practice that ensures the integrity of aggregated log files within a SIEM?
  A. Set up hashing on the source log file servers that complies with local regulatory requirements
  B. Back up the aggregated log files at least two times a day or as stated by local regulatory requirements
  C. Write protect the aggregated log files and move them to an isolated server with limited access
  D. Back up the source log files and archive them for at least six years or in accordance with local regulatory requirements

A company discovered that terabytes of data have been exfiltrated over the past year after an employee clicked on an email link. The threat continued to evolve and remain undetected until a security analyst noticed an abnormal amount of external connections when the employee was not working. Which of the following is the MOST likely threat actor?
  A. Shadow IT
  B. Script kiddies
  C. APT
  D. Insider threat

A technician was dispatched to complete repairs on a server in a data center. While locating the server, the technician entered a restricted area without authorization. Which of the following security controls would BEST prevent this in the future?
  A. Use appropriate signage to mark all areas
  B. Utilize cameras monitored by guards
  C. Implement access control vestibules
  D. Enforce escorts to monitor all visitors

Which of the following should an organization consider implementing in the event executives need to speak to the media after a publicized data breach?
  A. Incident response plan
  B. Business continuity plan
  C. Communication plan
  D. Disaster recovery plan

A recent phishing campaign resulted in several compromised user accounts. The security incident response team has been tasked with reducing the manual labor of filtering through all the phishing emails as they arrive and blocking the sender's email address, along with other time-consuming mitigation actions. Which of the following can be configured to streamline those tasks?
  A. SOAR playbook
  B. MDM policy
  C. Firewall rules
  D. URL filter
  E. SIEM data collection

An untrusted SSL certificate was discovered during the most recent vulnerability scan. A security analyst determines the certificate is signed properly and is a valid wildcard. This same certificate is installed on other company servers without issue. Which of the following is the MOST likely reason for this finding?
  A. The required intermediate certificate is not loaded as part of the certificate chain
  B. The certificate is on the CRL and is no longer valid
  C. The corporate CA has expired on every server, causing the certificate to fail verification
  D. The scanner is incorrectly configured to not trust this certificate when detected on the server

The new Chief Information Security Officer at a company has asked the security team to implement stronger user account policies. The new policies require:
  - Users to choose a password unique to their last ten passwords
  - Users to not log in from certain high-risk countries
Which of the following should the security team implement? (Select TWO).
  A. Password complexity
  B. Password history
  C. Geolocation
  D. Geofencing
  E. Geotagging
  F. Password reuse

The president of a regional bank likes to frequently provide SOC tours to potential investors. Which of the following policies BEST reduces the risk of malicious activity occurring after a tour?
  A. Password complexity
  B. Acceptable use
  C. Access control
  D. Clean desk

Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a stronger preventative access control. Which of the following would BEST complete the engineer's assignment?
  A. Replacing the traditional key with an RFID key
  B. Installing and monitoring a camera facing the door
  C. Setting motion-sensing lights to illuminate the door on activity
  D. Surrounding the property with fencing and gates

A user wanted to catch up on some work over the weekend but had issues logging in to the corporate network using a VPN. On Monday, the user opened a ticket for this issue but was able to log in successfully. Which of the following BEST describes the policy that is being implemented?
  A. Time-based logins
  B. Geofencing
  C. Network location
  D. Password history

Which of the following secure coding techniques makes compromised code more difficult for hackers to use?
  A. Obfuscation
  B. Normalization
  C. Execution
  D. Reuse

A company is under investigation for possible fraud. As part of the investigation, the authorities need to review all emails and ensure data is not deleted. Which of the following should the company implement to assist in the investigation?
  A. Legal hold
  B. Chain of custody
  C. Data loss prevention
  D. Content filter

A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The researchers collaborate with other machines using port 445 and on the Internet using port 443. The unauthorized software is starting to be seen on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed to resolve the problem as quickly as possible while causing minimal disruption to the researchers. Which of the following contains the BEST course of action in this scenario?
  A. Update the host firewalls to block outbound SMB
  B. Place the machines with the unapproved software in containment
  C. Place the unauthorized application in a blocklist
  D. Implement a content filter to block the unauthorized software communication

A penetration tester is fuzzing an application to identify where the EIP of the stack is located in memory. Which of the following attacks is the penetration tester planning to execute?
  A. Race-condition
  B. Pass-the-hash
  C. Buffer overflow
  D. XSS

Which of the following is the BEST action to foster a consistent and auditable incident response process?
  A. Incent new hires to constantly update the document with external knowledge
  B. Publish the document in a central repository that is easily accessible to the organization
  C. Restrict eligibility to comment on the process to subject matter experts of each IT silo
  D. Rotate CIRT members to foster a shared responsibility model in the organization

Which of the following control types fixes a previously identified issue and mitigates a risk?
  A. Detective
  B. Corrective
  C. Preventative
  D. Finalized

During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following BEST describes this type of vulnerability?
  A. Legacy operating system
  B. Weak configuration
  C. Zero day
  D. Supply chain

A user forwarded a suspicious email to the security team. Upon investigation, a malicious URL was discovered. Which of the following should be done FIRST to prevent other users from accessing the malicious URL?
  A. Configure the web content filter for the web address
  B. Report the website to threat intelligence partners
  C. Set the SIEM to alert for any activity to the web address
  D. Send out a corporate communication to warn all users of the malicious email

During a recent security incident at a multinational corporation, a security analyst found the following logs for an account called user:
  A. Impossible travel time
  B. Geofencing
  C. Time-based logins
  D. Geolocation

A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?
  A. HIPS
  B. FIM
  C. TPM
  D. DLP

A cyber-security administrator is using an enterprise firewall. The administrator created some rules, but now the firewall seems to be unresponsive, and all connections are being dropped by the firewall. Which of the following would be the BEST option to remove the rules?
  A. # iptables -t mangle -X
  B. # iptables -F
  C. # iptables -Z
  D. # iptables -P INPUT -j DROP

Which of the following is the FIRST environment in which proper, secure coding should be practiced?
  A. Stage
  B. Development
  C. Production
  D. Test

Security analysts notice a server login from a user who has been on vacation for two weeks. The analysts confirm that the user did not log in to the system while on vacation. After reviewing packet capture logs, the analysts notice the following:
  A. A buffer overflow was exploited to gain unauthorized access
  B. The user's account was compromised, and an attacker changed the login credentials
  C. An attacker used a pass-the-hash attack to gain access
  D. An insider threat with username smithJA logged in to the account

In a phishing attack, the perpetrator is pretending to be someone in a position of power in an effort to influence the target to click or follow the desired response. Which of the following principles is being used?
  A. Authority
  B. Intimidation
  C. Consensus
  D. Scarcity

Which of the following is a targeted attack aimed at compromising users within a specific industry or group?
  A. Watering hole
  B. Typo squatting
  C. Hoax
  D. Impersonation

A company wants to build a new website to sell products online. The website will host a storefront application that will allow visitors to add products to a shopping cart and pay for the products using a credit card. Which of the following protocols would be the MOST secure to implement?
  A. SSL
  B. FTP
  C. SNMP
  D. TLS

A security analyst is reviewing web-application logs and finds the following log:
  A. Directory traversal
  B. XSS
  C. XSS
  D. On-path attack

Which of the following controls is used to make an organization initially aware of a data compromise?
  A. Protective
  B. Preventative
  C. Corrective
  D. Detective

An organization just implemented a new security system. Local laws state that citizens must be notified prior to encountering the detection mechanism to deter malicious activities. Which of the following is being implemented?
  A. Proximity cards with guards
  B. Fence with electricity
  C. Drones with alarms
  D. Motion sensors with signage

A vulnerability has been discovered and a known patch to address the vulnerability does not exist. Which of the following controls works BEST until a proper fix is released?
  A. Detective
  B. Compensating
  C. Deterrent
  D. Corrective

Which of the following documents provides guidance regarding the recommended deployment of network security systems from the manufacturer?
  A. Cloud control matrix
  B. Reference architecture
  C. NIST RMF
  D. CIS Top 20

Which of the following concepts BEST describes tracking and documenting changes to software and managing access to files and systems?
  A. Version control
  B. Continuous monitoring
  C. Stored procedures
  D. Automation

After a recent external audit, the compliance team provided a list of several non-compliant, in-scope hosts that were not encrypting cardholder data at rest. Which of the following compliance frameworks would address the compliance team's GREATEST concern?
  A. PCI DSS
  B. GDPR
  C. ISO 27001
  D. NIST CSF

A company is moving its retail website to a public cloud provider. The company wants to tokenize credit card data but not allow the cloud provider to see the stored credit card information. Which of the following would BEST meet these objectives?
  A. WAF
  B. CASB
  C. VPN
  D. TLS

Which of the following can be used by a monitoring tool to compare values and detect password leaks without providing the actual credentials?
  A. Hashing
  B. Tokenization
  C. Masking
  D. Encryption

A security analyst is evaluating the risks of authorizing multiple security solutions to collect data from the company's cloud environment. Which of the following is an immediate consequence of these integrations?
  A. Non-compliance with data sovereignty rules
  B. Loss of the vendor's interoperability support
  C. Mandatory deployment of a SIEM solution
  D. Increase in the attack surface

Which of the following is the MOST effective way to detect security flaws present in third-party libraries embedded in software before it is released into production?
  A. Employ different techniques for server- and client-side validations
  B. Use a different version control system for third-party libraries
  C. Implement a vulnerability scan to assess dependencies earlier in the SDLC
  D. Increase the number of penetration tests before software release

Which of the following is used to ensure that evidence is admissible in legal proceedings when it is collected and provided to the authorities?
  A. Chain of custody
  B. Legal hold
  C. Event log
  D. Artifacts

A user reports falling for a phishing email to an analyst. Which of the following system logs would the analyst check FIRST?
  A. DNS
  B. Message gateway
  C. Network
  D. Authentication

Which of the following is a reason to publish files' hashes?
  A. To validate the integrity of the files
  B. To verify if the software was digitally signed
  C. To use the hash as a software activation key
  D. To use the hash as a decryption passphrase

A company wants to simplify the certificate management process. The company has a single domain with several dozen subdomains, all of which are publicly accessible on the internet. Which of the following BEST describes the type of certificate the company should implement?
  A. Subject alternative name
  B. Wildcard
  C. Self-signed
  D. Domain validation

An attacker has determined the best way to impact operations is to infiltrate third-party software vendors. Which of the following vectors is being exploited?
  A. Social media
  B. Cloud
  C. Supply chain
  D. Social engineering

A security analyst has been tasked with finding the maximum amount of data loss that can occur before ongoing business operations would be impacted. Which of the following terms BEST defines this metric?
  A. MTTR
  B. RTO
  C. RPO
  D. MTBF

A Chief Security Officer is looking for a solution that can reduce the occurrence of customers receiving errors from back-end infrastructure when systems go offline unexpectedly. The security architect would like the solution to help maintain session persistence. Which of the following would BEST meet the requirements?
  A. Reverse proxy
  B. NIC teaming
  C. Load balancer
  D. Forward proxy

Which of the following in the incident response process is the BEST approach to improve the speed of the identification phase?
  A. Activate verbose logging in all critical assets
  B. Tune monitoring in order to reduce false positive rates
  C. Redirect all events to multiple syslog servers
  D. Increase the number of sensors present in the environment

A security engineer is concerned about using an agent on devices that relies completely on defined known-bad signatures. The security engineer wants to implement a tool with multiple components including the ability to track, analyze, and monitor devices without reliance on definitions alone. Which of the following solutions BEST fits this use case?
  A. EDR
  B. DLP
  C. NGFW
  D. HIPS

A web server has been compromised due to a ransomware attack. Further investigation reveals the ransomware has been in the server for the past 72 hours. The systems administrator needs to get the services back up as soon as possible. Which of the following should the administrator use to restore services to a secure state?
  A. The last incremental backup that was conducted 72 hours ago
  B. The last known-good configuration
  C. The last full backup that was conducted seven days ago
  D. The baseline OS configuration