SY0-601 Practice Test

The document discusses a practice test covering different security domains including attacks, architecture, implementation, operations, governance, risk, and compliance. It provides multiple choice questions about technical security topics and the correct answers. The questions cover topics like phishing, vulnerabilities, threat intelligence, and security incidents.

Uploaded by ha33yp0tt3r69

SY0-601 Practice Test – All Domains

1. Attacks, Threats, and Vulnerabilities
2. Architecture and Design
3. Implementation
4. Operations and Incident Response
5. Governance, Risk, and Compliance
2

A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique?

A. Vishing
B. Whaling
C. Phishing
D. Smishing

Answer: D
3

Which of the following should be monitored by threat intelligence researchers who search for leaked credentials?

A. Common Weakness Enumeration
B. OSINT
C. Dark web
D. Vulnerability databases

Answer: C
4

Sales employees regularly utilize the same fantasy football website as other sales associates working for other companies. Which of the following attacks is the highest concern in this scenario?

Watering-hole attack: involves attacking a third-party site in order to gain access to the real target.
Credential harvesting: collecting usernames and passwords.
Hybrid warfare: use of disinformation, hacking, and espionage.
Pharming: directing someone to the wrong IP address through DNS manipulation/spoofing.

A. Watering-hole attack
B. Credential harvesting
C. Hybrid warfare
D. Pharming

Answer: A
5

Emily has received a suspicious email that claims she won a multi-million dollar sweepstake. The email instructs her to reply with her full name, birthdate, and home address so her identity can be validated before she is given the prize. What best describes this type of social engineering attack?

A. Vishing – A type of phishing but specifically over the phone. Think voice-phishing.
B. Phishing – Great answer! Phishing is typically performed through email or social media.
C. Whaling – A type of spear phishing; the target must be upper management (boss, CEO, board of directors).
D. Spear phishing – A type of phishing that targets a specific group/person and customizes its attack to match.

Since this attack came through email, (A) is out. Since the attack wasn't specifically crafted for Emily, a group, or upper management, (C) and (D) are both out too.

Answer: B
6

An employee installed a new service on the domain controller without consent or approval from the IT department and change management. What specifically describes this type of threat?

A. OSINT
B. Insider threat
C. Shadow IT
D. Dark web

Answer: C
7

A Chief Executive Officer's (CEO) personal information was stolen in a social engineering attack. Which of the following sources would reveal if the CEO's personal information is for sale?

A. Automated information sharing
B. Open-source intelligence
C. The dark web
D. Vulnerability databases

Answer: C
8

After a security assessment is concluded, what benefit does the CVSS score provide to a company on the list of discovered vulnerabilities?

CVSS (Common Vulnerability Scoring System) is used to assign severity scores (zero to ten) to vulnerabilities, which allows responders to prioritize the responses and better manage resources. Scores are calculated by a formula that uses several metrics, including complexity and severity.

A. Validate the vulnerability exists in the organization's network through penetration testing.
B. Research the appropriate mitigation techniques in a vulnerability database.
C. Find the software patches that are required to mitigate a vulnerability.
D. Prioritize remediation of vulnerabilities based on the possible impact.

Answer: D
9

Which of the following would best describe the severity of a company's vulnerabilities?

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.

SIEM (Security Information and Event Management) is a service/software that gathers network and application logs in real time and analyzes them, giving security experts the ability to better monitor and analyze attacks/threats.

Sometimes running alongside the SIEM or built into it, SOAR (Security Orchestration, Automation, and Response) was designed to automate and improve response time when a SIEM detects a threat/anomaly on the network. Sometimes referred to as a Next Generation SIEM.

A. CVSS
B. SIEM
C. CVE
D. SOAR

Answer: A
10

After logging into a switch, an admin retrieves the following information:

Which of the following attacks is most likely occurring?

A. MAC flooding
B. DNS poisoning
C. MAC cloning
D. ARP poisoning

Answer: A
11

Which of the following should be disabled in order to improve


security?

A. WPA3
B. AES
C. RADIUS
D. WPS

Answer: D
12

Travis, a penetration tester, heard about a new vulnerability that affects many modern platforms. Which of the following would be BEST to consult in order to determine exactly which platforms have been affected?

Notably, we are asking about PLATFORMS here and not individual systems on a network. A platform is generally just the types of OSs that would be potentially compromised by this new vulnerability.

CVE (Common Vulnerabilities and Exposures) is a database of known vulnerabilities as well as their attributes, including affected platform.

A. OSINT
B. SIEM
C. CVSS
D. CVE

Answer: D
13

A web server was recently overwhelmed by a sudden flood of SYN packets from multiple sources. Of the options below, which best describes this attack?

To overwhelm a server with SYN packets we will need to utilize the combined bandwidth of a botnet. A botnet is a collection of compromised computers that act together in unison to perform a DDoS (Distributed Denial of Service). The individual computers are often called bots or zombies.

A. Worm
B. Botnet
C. Virus
D. RAT
E. Logic bomb

Answer: B
14

A user is having problems accessing network shares. An admin investigates and finds the following on the user's computer:

Internet Address    Physical Address     Type
192.168.1.1         9c-3f-cf-5c-e1-c3    dynamic
192.168.1.5         00-1f-88-49-32-73    dynamic
192.168.1.9         3c-9c-23-2c-e8-92    dynamic
192.168.1.11        9c-3f-cf-5c-e1-c3    dynamic
192.168.1.13        f8-0d-fc-bb-db-85    dynamic
192.168.1.255       ff-ff-ff-ff-ff-ff    static
255.255.255.255     ff-ff-ff-ff-ff-ff    static

Two different devices shouldn't have the same MAC address. Since these are dynamically learned ARP entries, it is reasonable to believe this was an ARP poisoning. Device .1 is probably the default gateway and then device .11 is the MitM.

What attack has been performed on this computer?

A. Directory traversal
B. Pass-the-hash
C. MAC flood
D. ARP poisoning
E. IP conflict
F. DHCP starvation attack

Answer: D
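The duplicate-MAC reasoning in the note above can be automated. The following is an added example, not part of the original practice test: it parses an `arp -a` style listing (the table from the question is embedded as a constructed sample), ignores static entries such as the broadcast address, and reports any physical address that answers for more than one dynamic IP, then checks whether the gateway's IP is among them. The gateway address is a parameter, since the table itself does not say which entry is the gateway.

```python
"""Flag ARP-cache entries where one MAC address answers for several IPs."""
import re
from collections import defaultdict

# Constructed sample: the ARP table from the question above.
SAMPLE_ARP_TABLE = """\
Internet Address      Physical Address      Type
192.168.1.1           9c-3f-cf-5c-e1-c3     dynamic
192.168.1.5           00-1f-88-49-32-73     dynamic
192.168.1.9           3c-9c-23-2c-e8-92     dynamic
192.168.1.11          9c-3f-cf-5c-e1-c3     dynamic
192.168.1.13          f8-0d-fc-bb-db-85     dynamic
192.168.1.255         ff-ff-ff-ff-ff-ff     static
255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# One data row: IPv4 address, MAC (dash or colon separated), entry type.
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+"
    r"(?P<type>dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples; the header and blank lines are skipped.

    MACs are normalised to lower-case, dash-separated form so that the same
    address written two ways still compares equal.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            mac = m["mac"].lower().replace(":", "-")
            entries.append((m["ip"], mac, m["type"].lower()))
    return entries


def find_duplicate_macs(entries):
    """Map each MAC seen on more than one dynamic entry to the IPs claiming it.

    Static entries are ignored on purpose: ff-ff-ff-ff-ff-ff legitimately
    appears for both the subnet broadcast and the limited broadcast address.
    """
    ips_by_mac = defaultdict(list)
    for ip, mac, kind in entries:
        if kind == "dynamic":
            ips_by_mac[mac].append(ip)
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}


def gateway_mac_shared(duplicates, gateway_ip):
    """True if the gateway's MAC is also claimed by another dynamic entry,
    the pattern the question attributes to an on-path ARP poisoner."""
    return any(gateway_ip in ips for ips in duplicates.values())


if __name__ == "__main__":
    dups = find_duplicate_macs(parse_arp_table(SAMPLE_ARP_TABLE))
    for mac, ips in dups.items():
        print(f"{mac} is claimed by {', '.join(ips)}")
    print("gateway MAC shared:", gateway_mac_shared(dups, "192.168.1.1"))
```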
15

A news article states that a popular web browser deployed on all corporate PCs is vulnerable to a zero-day attack. Which of the following MOST concerns the Chief Information Security Officer about the information in the news article?

A. Insider threats have compromised this network
B. Web browsing is not functional for the entire network
C. Antivirus signatures are required to be updated immediately
D. No patches are available for the web browser

Answer: D
16
What attack best describes the logs below?

12.10.2020 @ 3:14:12 user admin, login failed, password: password1
12.10.2020 @ 3:14:12 user steve, login failed, password: password1
12.10.2020 @ 3:14:12 user john, login failed, password: password1
12.10.2020 @ 3:14:12 user jane, login failed, password: password1
12.10.2020 @ 3:14:12 user jill, login failed, password: password1
12.10.2020 @ 3:14:13 user user, login failed, password: password1
12.10.2020 @ 3:14:13 user admin, login failed, password: password12
12.10.2020 @ 3:14:13 user steve, login failed, password: password12
12.10.2020 @ 3:14:14 user john, login failed, password: password12
12.10.2020 @ 3:14:14 user jane, login failed, password: password12
12.10.2020 @ 3:14:14 user jill, login failed, password: password12
12.10.2020 @ 3:14:14 user user, login failed, password: password12

Password spraying! Using common passwords against several user accounts.

A. Brute-force
B. Spraying
C. Dictionary
D. Rainbow table

Answer: B
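The distinction the answer relies on (few passwords across many accounts versus many passwords against one account) is what a detection rule would measure. The following is an added example, not part of the original practice test: it parses the log format shown above (the same lines, embedded as a constructed sample), counts distinct users per password and distinct passwords per user, and labels the batch. The thresholds are assumptions chosen for illustration; a real log should never record the submitted password, so in practice the grouping key would be the failure event alone.

```python
"""Classify a batch of failed logins as password spraying or brute force."""
import re
from collections import defaultdict

# Constructed sample: the log lines from the question above.
SAMPLE_LOG = """\
12.10.2020 @ 3:14:12 user admin, login failed, password: password1
12.10.2020 @ 3:14:12 user steve, login failed, password: password1
12.10.2020 @ 3:14:12 user john, login failed, password: password1
12.10.2020 @ 3:14:12 user jane, login failed, password: password1
12.10.2020 @ 3:14:12 user jill, login failed, password: password1
12.10.2020 @ 3:14:13 user user, login failed, password: password1
12.10.2020 @ 3:14:13 user admin, login failed, password: password12
12.10.2020 @ 3:14:13 user steve, login failed, password: password12
12.10.2020 @ 3:14:14 user john, login failed, password: password12
12.10.2020 @ 3:14:14 user jane, login failed, password: password12
12.10.2020 @ 3:14:14 user jill, login failed, password: password12
12.10.2020 @ 3:14:14 user user, login failed, password: password12
"""

# Matches the exact line layout used in the question.
LINE_RE = re.compile(
    r"^(?P<date>\S+) @ (?P<time>\S+) user (?P<user>[^,]+), "
    r"login failed, password: (?P<pw>\S+)$"
)


def parse_failures(text):
    """Return (user, password) pairs for every failed-login line that matches."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m["user"], m["pw"]))
    return pairs


def classify(pairs, min_users=5, min_passwords=5):
    """Label a batch of failures (thresholds are illustrative assumptions).

    brute-force: some single account sees at least min_passwords passwords
    spraying:    some single password is tried against at least min_users accounts
    unknown:     neither threshold is reached
    """
    users_by_pw = defaultdict(set)
    pws_by_user = defaultdict(set)
    for user, pw in pairs:
        users_by_pw[pw].add(user)
        pws_by_user[user].add(pw)
    max_users_per_pw = max((len(u) for u in users_by_pw.values()), default=0)
    max_pws_per_user = max((len(p) for p in pws_by_user.values()), default=0)
    if max_pws_per_user >= min_passwords:
        return "brute-force"
    if max_users_per_pw >= min_users:
        return "spraying"
    return "unknown"


if __name__ == "__main__":
    print(classify(parse_failures(SAMPLE_LOG)))
```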
17

A routine audit of medical billing claims revealed that several claims were submitted without the subscriber's knowledge. A review of the audit logs for the medical billing company's system indicated a company employee downloaded customer records and adjusted the direct deposit information to a personal bank account. Which of the following does this action describe?

A. Insider threat
B. Social engineering
C. Third-party risk
D. Data breach

Answer: A
19

A security manager runs Nessus scans of the network after every maintenance window. Which of the following is the security manager MOST likely trying to accomplish?

A. Verifying that system patching has effectively removed known vulnerabilities
B. Identifying assets on the network that may not exist on the network asset inventory
C. Validating the hosts do not have vulnerable ports exposed to the internet
D. Checking the status of the automated malware analysis that is being performed

Answer: A
20

Which of the following statements BEST describes zero-day exploits?

A. When a zero-day exploit is discovered, the system cannot be protected by any means
B. Zero-day exploits have their own scoring category in CVSS
C. A zero-day exploit is initially undetectable and no patch for it exists
D. Discovering zero-day exploits is always performed via bug bounty programs

Answer: C
21

A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert?

A. True positive
B. True negative
C. False positive
D. False negative

Answer: C
22

A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources. Which of the following risks would this training help to prevent?

A. Hoaxes
B. SPIMs
C. Identity fraud
D. Credential harvesting

Answer: A
23

An information security policy states that separation of duties is required for all highly sensitive database changes that involve customers' financial data. Which of the following will this be BEST to prevent?

A. Least privilege
B. An insider threat
C. A data breach
D. A change control violation

Answer: B
24

An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the IP address associated with the shopping site. Later, the user received an email regarding the credit card statement with unusual purchases. Which of the following attacks took place?

A. On-path attack
B. Protocol poisoning
C. Domain hijacking
D. Bluejacking

Answer: A
25

A security administrator is analyzing the corporate wireless network. The network only has two access points running on channels 1 and 11. While using airodump-ng, the administrator notices other access points are running with the same corporate ESSID on all available channels and with the same BSSID of one of the legitimate access points. Which of the following attacks is happening on the corporate network?

A. Man in the middle
B. Evil twin
C. Jamming
D. Rogue access point
E. Disassociation

Answer: B
26

An employee received a word processing file that was delivered as an email attachment. The subject line and email content enticed the employee to open the attachment. Which of the following attack vectors BEST matches this malware?

A. Embedded Python code
B. Macro-enabled file
C. Bash scripting
D. Credential-harvesting website

Answer: B
27

Which of the following would MOST likely be identified by a credentialed scan but would be missed by an uncredentialed scan?

A. Vulnerabilities with a CVSS score greater than 6.9.
B. Critical infrastructure vulnerabilities on non-IP protocols.
C. CVEs related to non-Microsoft systems such as printers and switches.
D. Missing patches for third-party software on Windows workstations and servers.

Answer: D
28

After gaining access to a dual-homed (i.e., wired and wireless) multifunction device by exploiting a vulnerability in the device's firmware, a penetration tester then gains shell access on another networked asset. This technique is an example of:

A. privilege escalation
B. footprinting
C. persistence
D. pivoting

Answer: D
29

A SOC operator is analyzing a log file that contains the following entries:

What best describes this attack?

A. SQL injection and improper input-handling attempts
B. Cross-site scripting and resource exhaustion attempts
C. Command injection and directory traversal attempts
D. Error handling and privilege escalation attempts

Answer: C
30

A security analyst is receiving numerous alerts reporting that the response time of an internet-facing application has been degraded. However, the internal network performance was not degraded. Which of the following MOST likely explains this behavior?

A. DNS poisoning
B. MAC flooding
C. DDoS attack
D. ARP poisoning

Answer: C
31

A penetration tester successfully gained access to a company's network. The investigating analyst determines malicious traffic connected through the WAP despite filtering rules being in place. Logging in to the connected switch, the analyst sees the following in the ARP table:

Which of the following did the penetration tester MOST likely use?

A. ARP poisoning
B. MAC cloning
C. Man in the middle
D. Evil twin

Answer: A
32

A company was compromised, and a security analyst discovered the attacker was able to get access to a service account. The following logs were discovered during the investigation:

Which of the following MOST likely would have prevented the attacker from learning the service account name?

A. Race condition testing
B. Proper error handling
C. Forward web server logs to a SIEM
D. Input sanitization

Answer: B
33

A user's login credentials were recently compromised. During the investigation, the security analyst determined the user input his credentials into a pop-up window when prompted to confirm the username and password. However, the trusted website does not use a pop-up for entering user credentials. Which of the following attacks occurred?

A. Cross-site scripting
B. SQL injection
C. DNS poisoning
D. Certificate forgery

Answer: C
34
A company reduced the area utilized in its data center by creating virtual networking through automation and by creating provisioning routes and rules through scripting. Which of the following does this example describe?

A. IaC
B. MSSP
C. Containers
D. SaaS

Answer: A
35

As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous incident is happening again. Which of the following would allow the security analyst to alert the SOC if an event is reoccurring?

A. Creating a playbook within the SOAR
B. Implementing rules in the NGFW
C. Updating the DLP hash database
D. Publishing a new CRL with revoked certificates

Answer: A
36

A systems administrator is considering different backup solutions for the IT infrastructure. The company is looking for a solution that offers the fastest recovery time while also saving the most amount of storage used to maintain the backups. Which of the following recovery solutions would be the BEST option to meet these requirements?

A. Snapshot
B. Differential
C. Full
D. Tape

Answer: B
37

An organization wants seamless authentication to its applications. Which of the following should the organization employ to meet this requirement?

A. SOAP
B. SAML
C. SSO
D. Kerberos

Answer: C
38

A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web application using a third-party library. The development staff states that there are still customers using the application even though it is end of life and it would be a substantial burden to update the application for compatibility with more secure libraries. Which of the following would be the MOST prudent course of action?

A. Deny the risk due to the end-of-life status of the application.
B. Use containerization to segment the application from other applications to eliminate the risk.
C. Outsource the application to a third-party developer group.
D. Accept the risk if there is a clear road map for timely decommission.

Answer: B
39

A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?

https://www.tripwire.com/state-of-security/controls/cis-control-4/

A. The Diamond Model of Intrusion Analysis
B. CIS Critical Security Controls
C. NIST Risk Management Framework
D. ISO 27002

Answer: B
40

During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations. Which of the following data sources would be BEST to use to assess the accounts impacted by this attack?

A. User behavior analytics
B. Dump files
C. Bandwidth monitors
D. Protocol analyzer output

Answer: A
41

During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will BEST assist the analyst?

A. A vulnerability scanner
B. A NGFW
C. The Windows Event Viewer
D. A SIEM

Answer: D
42

A network engineer at a company with a web server is building a new web environment with the following requirements:
• Only one web server at a time can service requests.
• If the primary web server fails, a failover needs to occur to ensure the secondary web server becomes the primary.
Which of the following load-balancing options BEST fits the requirements?

A. Cookie-based
B. Active-passive
C. Persistence
D. Round robin

Answer: B
43

During a recent penetration test, the tester discovers large amounts of data were exfiltrated over the course of 12 months via the Internet. The penetration tester stops the test to inform the client of the findings. Which of the following should be the client's NEXT step to mitigate the issue?

A. Conduct a full vulnerability scan to identify possible vulnerabilities
B. Perform containment on the critical servers and resources
C. Review the firewall and identify the source of the active connection
D. Disconnect the entire infrastructure from the Internet

Answer: A
44

A company is planning to install a guest wireless network so visitors will be able to access the internet. The stakeholders want the network to be easy to connect to, so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would BEST protect the company's internal wireless network against visitors accessing company resources?

A. Configure the guest wireless network to be on a separate VLAN from the company's internal wireless network.
B. Change the password for the guest wireless network every month.
C. Decrease the power levels of the access points for the guest wireless network.
D. Enable WPA2 using 802.1X for logging on to the guest wireless network.

Answer: A
45

Which of the following types of attacks is being attempted and how can it be mitigated?

A. XSS; implement a SIEM
B. CSRF; implement an IPS
C. Directory traversal; implement a WAF
D. SQL injection; implement an IDS

Answer: C
46

Which of the following control types is focused primarily on reducing risk before an incident occurs?

A. Preventive
B. Deterrent
C. Corrective
D. Detective

Answer: A
47

Per company security policy, IT staff members are required to have separate credentials to perform administrative functions using just-in-time permissions. Which of the following solutions is the company implementing?

A. Attribute-based access control
B. Privileged access management
C. SSO
D. RADIUS

Answer: B
48

Which of the following will increase cryptographic security?

A. High data entropy
B. Hashing
C. Algorithms that require less computing power
D. Longer key longevity

Answer: A
49

Which of the following components can be used to consolidate and forward inbound Internet traffic to multiple cloud environments through a single firewall?

A. Transit gateway
B. Cloud hot site
C. Edge computing
D. DNS sinkhole

Answer: A
50

A security analyst is investigating suspicious traffic on the web server located at IP address 10.10.1.1. A search of the WAF logs reveals the following output:

Which of the following is MOST likely occurring?

A. XSS attack
B. SQLi attack
C. Replay attack
D. XSRF attack

Answer: B
51

A recent security breach exploited software vulnerabilities in the firewall and within the network management solution. Which of the following will MOST likely be used to identify when the breach occurred through each device?

A. SIEM correlation dashboards
B. Firewall syslog event logs
C. Network management solution login audit logs
D. Bandwidth monitors and interface sensors

Answer: A
52

The Chief Technology Officer of a local college would like visitors to utilize the school's WiFi but must be able to associate potential malicious activity to a specific person. Which of the following would BEST allow this objective to be met?

A. Requiring all new, on-site visitors to configure their devices to use WPS
B. Implementing a new SSID for every event hosted by the college that has visitors
C. Creating a unique PSK for every visitor when they arrive at the reception area
D. Deploying a captive portal to capture visitors' MAC addresses and names

Answer: D
53

Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective companies. A combined effort from both organizations' SOC teams would speed up the effort. Which of the following can be written to document this agreement?

A. MOU
B. ISA
C. SLA
D. NDA

Answer: A
54

A malware attack has corrupted 30TB of company data across all file servers. A systems administrator identifies the malware and contains the issue, but the data is unrecoverable. The administrator is not concerned about the data loss because the company has a system in place that will allow users to access the data that was backed up last night. Which of the following resiliency techniques did the administrator MOST likely use to prevent impacts to business operations after an attack?

A. Tape backups
B. Replication
C. RAID
D. Cloud storage

Answer: A
55

A cybersecurity administrator needs to implement a Layer 7 security control on a network and block potential attacks. Which of the following can block an attack at Layer 7? (Select TWO.)

A. HIDS
B. NIPS
C. HSM
D. WAF
E. NAC
F. NIDS
G. Stateless firewall

Answer: B, D
56

An organization is moving away from the use of client-side and server-side certificates for EAP. The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements?

A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-TTLS

Answer: B
57

An amusement park is implementing a biometric system that validates customers' fingerprints to ensure they are not sharing tickets. The park's owner values customers above all and would prefer customers' convenience over security. For this reason, which of the following features should the security team prioritize FIRST?

A. Low FAR
B. Low efficacy
C. Low FRR
D. Low CER

Answer: C
58

A security proposal was set up to track requests for remote access by creating a baseline of the users' common sign-in properties. When a baseline deviation is detected, an MFA challenge will be triggered. Which of the following should be configured in order to deploy the proposal?

A. Context-aware authentication
B. Simultaneous authentication of equals
C. Extensive authentication protocol
D. Agentless network access control

Answer: A
59

A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage. Which of the following is the BEST remediation for this data leak?

A. User training
B. CASB
C. MDM
D. DLP

Answer: D
60

The Chief Information Security Officer wants to prevent exfiltration of sensitive information from employee cell phones when using public USB power charging stations. Which of the following would be the BEST solution to implement?

A. DLP
B. USB data blocker
C. USB OTG
D. Disabling USB ports

Answer: B
61

An organization is planning to open other data centers to sustain operations in the event of a natural disaster. Which of the following considerations would BEST support the organization's resiliency?

A. Geographic dispersal
B. Generator power
C. Fire suppression
D. Facility automation

Answer: A
62

A security analyst has been asked by the Chief Information Security Officer to:
• develop a secure method of providing centralized management of infrastructure
• reduce the need to constantly replace aging end user machines
• provide a consistent user desktop experience
Which of the following BEST meets these requirements?

A. BYOD
B. Mobile device management
C. VDI
D. Containerization

Answer: C
63

Historically, a company has had issues with users plugging personally owned removable media devices into corporate computers. As a result, the threat of malware incidents is almost constant. Which of the following would BEST help prevent the malware from being installed on the computers?

A. AUP
B. NGFW
C. DLP
D. EDR

Answer: D
64

During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted, and the adversary is able to maintain a presence in the network. In which of the following stages of the Cyber Kill Chain is the adversary currently operating?

A. Reconnaissance
B. Command and control
C. Actions on objective
D. Exploitation

Answer: C
65
A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows:
• Must be able to differentiate between users connected to WiFi
• The encryption keys need to change routinely without interrupting the users or forcing reauthentication
• Must be able to integrate with RADIUS
• Must not have any open SSIDs
Which of the following options BEST accommodates these requirements?

A. WPA2-Enterprise
B. WPA3-PSK
C. 802.11n
D. WPS

Answer: A
66

An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:
• Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
• Internal users in question were changing their passwords frequently during that time period.
• A jump box that several domain administrator users use to connect to remote devices was recently compromised.
• The authentication method used in the environment is NTLM.
Which of the following types of attacks is MOST likely being used to gain unauthorized access?

A. Pass-the-hash
B. Brute-force
C. Directory traversal
D. Replay

Answer: A
67

Which of the following describes the continuous delivery software development methodology?

A. Waterfall
B. Spiral
C. V-shaped
D. Agile

Answer: D
68

A company is looking to migrate some servers to the cloud to minimize its technology footprint. The company has 100 databases that are on premises. Which of the following solutions will require the LEAST management and support from the company?

A. SaaS
B. IaaS
C. PaaS
D. SDN

Answer: A
69

All security analysts' workstations at a company have network access to a critical server VLAN. The information security manager wants to further enhance the controls by requiring that all access to the secure VLAN be authorized only from a given single location. Which of the following will the information security manager MOST likely implement?

A. A forward proxy server
B. A jump server
C. A reverse proxy server
D. A stateful firewall server

Answer: B
70

A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing. Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented?

A. Enforce MFA when an account request reaches a risk threshold.
B. Implement geofencing to only allow access from headquarters.
C. Enforce time-based login requests that align with business hours.
D. Shift the access control scheme to discretionary access control.

Answer: A
71

Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement?

A. Implement proper network access restrictions
B. Initiate a bug bounty program
C. Classify the system as shadow IT
D. Increase the frequency of vulnerability scans

Answer: A
72

An organization wants to implement a biometric system with the highest likelihood that an unauthorized user will be denied access. Which of the following should the organization use to compare biometric solutions?

A. FRR
B. Difficulty of use
C. Cost
D. FAR
E. CER

Answer: D
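To make the FAR/FRR/CER trade-off concrete, here is an added worked example (not part of the original practice test) that sweeps a match-score threshold over constructed genuine and impostor scores, reports the false acceptance and false rejection rates at each setting, finds the crossover error rate, and picks the strictest threshold that meets a FAR target, which is what the question is really asking for. The score lists are made up for illustration.

```python
"""Compare biometric thresholds by FAR, FRR and the crossover (CER).

Added example, not part of the original practice test. The genuine and
impostor match scores below are constructed, not from a real sensor.
"""

# Constructed similarity scores (0-100): higher means a closer match.
GENUINE_SCORES = [72, 75, 78, 80, 82, 85, 88, 90, 92, 95]   # same person
IMPOSTOR_SCORES = [30, 35, 40, 45, 50, 55, 60, 65, 70, 74]  # different people


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate: share of impostors scoring at/above threshold."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate: share of genuine users scoring below threshold."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where |FAR - FRR| is smallest; the rate there is the CER."""
    best_t, best_gap = None, None
    for t in range(0, 101):
        gap = abs(far(t, impostor) - frr(t, genuine))
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t, far(best_t, impostor), frr(best_t, genuine)


def strictest_threshold(max_far=0.0, impostor=IMPOSTOR_SCORES, genuine=GENUINE_SCORES):
    """Lowest threshold whose FAR does not exceed max_far, plus the FRR paid for it.

    This is the question's selection rule: minimise the chance an unauthorised
    user is accepted, then look at how many legitimate users get rejected.
    """
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return 100, frr(100, genuine)


if __name__ == "__main__":
    t, f, r = crossover()
    print(f"CER at threshold {t}: FAR={f:.2f} FRR={r:.2f}")
    t, r = strictest_threshold(0.0)
    print(f"Zero-FAR threshold {t}: FRR={r:.2f}")
```

Raising the threshold drives FAR down and FRR up; CER is only a tie-break for comparing products, while the question's goal (deny unauthorised users) means choosing by FAR and accepting the resulting FRR.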
73

Which of the following environments minimizes end-user disruption and is MOST likely to be used to assess the impacts of any database migrations or major system changes by using the final version of the code in an operationally representative environment?

A. Staging
B. Test
C. Production
D. Development

Answer: A
74

A database administrator wants to grant access to an application that will be reading and writing data to a database. The database is shared by other applications also used by the finance department. Which of the following account types is MOST appropriate for this purpose?

A. Service
B. Shared
C. Generic
D. Admin

Answer: A
75

A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users' interaction. The SIEM has multiple login entries with the following text:

Which of the following is the MOST likely attack conducted on the environment?
A. Malicious script
B. Privilege escalation
C. Domain hijacking
D. DNS poisoning

Answer: A
76

A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content. Which of the following is the BEST way for the company to mitigate this attack?
A. Create a honeynet to trap attackers who access the VPN with credentials obtained by phishing.
B. Generate a list of domains similar to the company's own and implement a DNS sinkhole for each.
C. Use an automated tool to flood the phishing websites with fake usernames and passwords.
D. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS.

Answer: B
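The answer above describes two steps, generating lookalike domains and sinkholing them; the added example below (not from the original practice test) does both for an assumed company domain, `example.com`, producing omission, transposition, homoglyph and TLD-swap variants and emitting the `local-zone`/`local-data` lines that make an unbound resolver answer all of them with an assumed internal sinkhole address.

```python
"""Generate lookalike domains for a company domain and emit sinkhole entries.

Added example, not from the original practice test. The company domain
'example.com' and the sinkhole address are assumptions; the zone format
shown is unbound's local-zone/local-data syntax. A single-label TLD is
assumed (no 'co.uk'-style public suffix handling).
"""
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5", "m": "rn"}
SINKHOLE_IP = "10.255.255.1"  # assumption: internal sinkhole listener


def lookalikes(domain):
    """Omission, transposition, homoglyph and TLD-swap variants of `domain`."""
    label, _, tld = domain.rpartition(".")
    out = set()
    for i in range(len(label)):                       # omission: exmple.com
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                   # transposition: exmaple.com
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                    # homoglyph: examp1e.com
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    variants = {f"{v}.{tld}" for v in out if v and v != label}
    variants |= {f"{label}.{t}" for t in ("net", "org", "co")}  # TLD swap
    variants.discard(domain)
    return sorted(variants)


def unbound_sinkhole(domains, ip=SINKHOLE_IP):
    """unbound.conf lines answering every name under each domain with the sinkhole IP."""
    lines = []
    for d in domains:
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} A {ip}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(unbound_sinkhole(lookalikes("example.com")))
```

A sinkhole only protects clients that use the company's resolvers, so it stops employees following the links, not customers; the usual complements are defensively registering the highest-value variants and feeding the same list to brand-monitoring and mail-filtering tools.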
77

As part of a security compliance assessment, an auditor performs automated vulnerability scans. In addition, which of the following should the auditor do to complete the assessment?

A. User behavior analysis
B. Packet captures
C. Configuration reviews
D. Log analysis

Answer: C
78

After multiple on-premises security solutions were migrated to the cloud, the incident response time increased. The analysts are spending a long time tracing information on different cloud consoles and correlating data in different formats. Which of the following can be used to optimize the incident response time?
A. CASB
B. VPC
C. SWG
D. CMS

Answer: A
79

Which of the following is the MOST relevant security check to be performed before embedding third-party libraries in developed code?

A. Check to see if the third party has resources to create dedicated development and staging environments.
B. Verify the number of companies that downloaded the third-party code and the number of contributions on the code repository.
C. Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the libraries' developers.
D. Read multiple penetration-testing reports for environments running software that reused the library.
Answer: C
80

Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:
• All users share workstations throughout the day.
• Endpoint protection was disabled on several workstations throughout the network.
• Travel times on logins from the affected users are impossible.
• Sensitive data is being uploaded to external sites.
• All user account passwords were forced to be reset and the issue continued.
Which of the following attacks is being used to compromise the user accounts?
A. Brute-force
B. Keylogger
C. Dictionary
D. Rainbow

Answer: B
81

Which of the following is the MOST likely reason for securing an air-gapped laboratory HVAC system?

A. To avoid data leakage
B. To protect surveillance logs
C. To ensure availability
D. To restrict remote access

Answer: C
82

An application developer accidentally uploaded a company's code-signing certificate private key to a public web server. The company is concerned about malicious use of its certificate. Which of the following should the company do FIRST?
A. Delete the private key from the repository.
B. Verify the public key is not exposed as well.
C. Update the DLP solution to check for private keys.
D. Revoke the code-signing certificate.

Answer: D
83

The Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the following incident response processes is the CISO requesting?

A. Lessons learned
B. Preparation
C. Detection
D. Containment
E. Root cause analysis
Answer: A
84

While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor?
A. Utilizing SIEM correlation engines
B. Deploying NetFlow at the network border
C. Disabling session tokens for all sites
D. Deploying a WAF for the web server

Answer: A
85

An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message reveals that a payment card number was found in the file, and the file upload was blocked. Which of the following controls is most likely causing this issue and should be checked FIRST?
A. DLP
B. Firewall rule
C. Content filter
D. MDM
E. Application whitelist
Answer: A
86

After returning from a conference, a user's laptop has been operating slower than normal and overheating, and the fans have been running constantly. During the diagnosis process, an unknown piece of hardware is found connected to the laptop's motherboard. Which of the following attack vectors was exploited to install the hardware?

A. Removable media
B. Spear phishing
C. Supply chain
D. Direct access
Answer: D
87

Which of the following policies establishes rules to measure third-party work tasks and ensure deliverables are provided within a specific timeline?

A. SLA
B. MOU
C. AUP
D. NDA

Answer: A
88

A customer has reported that an organization's website displayed an image of a smiley face rather than the expected web page for a short time two days earlier. A security analyst reviews log entries and sees the following around the time of the incident:

Which of the following is MOST likely occurring?

A. Invalid trust chain
B. Domain hijacking
C. DNS poisoning
D. URL redirection

Answer: C
89

Which of the following in a forensic investigation should be prioritized based on the order of volatility? (Select TWO).

A. Page files
B. Event logs
C. RAM
D. Cache
E. Stored files
F. HDD

Answer: CD
90

A security forensics analyst is examining a virtual server. The analyst wants to preserve the present state of the virtual server, including memory contents. Which of the following backup types should be used?

A. Snapshot
B. Differential
C. Cloud
D. Full
E. Incremental

Answer: A
91

A security monitoring company offers a service that alerts its customers if their credit cards have been stolen. Which of the following is the MOST likely source of this information?

A. STIX
B. The dark web
C. TAXII
D. Social media
E. PCI

Answer: B
92

An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an IoC?

A. Reimage the impacted workstations.
B. Activate runbooks for incident response.
C. Conduct forensics on the compromised system.
D. Conduct passive reconnaissance to gather information.

Answer: B
93

A security analyst was called to investigate a file received directly from a hardware manufacturer. The analyst is trying to determine whether the file was modified in transit before installation on the user's computer. Which of the following can be used to safely assess the file?

A. Check the hash of the installation file
B. Match the file names
C. Verify the URL download location
D. Verify the code-signing certificate
Answer: A
94

After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices?
A. SSH
B. SNMPv3
C. SFTP
D. Telnet
E. FTP

Answer: A
95

A security administrator has discovered that workstations on the LAN are becoming infected with malware. The cause of the infections appears to be users receiving phishing emails that are bypassing the current email-filtering technology. As a result, users are being tricked into clicking on malicious URLs, as no internal controls currently exist in the environment to evaluate their safety. Which of the following would be BEST to implement to address the issue?
A. Forward proxy
B. HIDS
C. Awareness training
D. A jump server
E. IPS

Answer: A
(The scenario states that no internal control evaluates the safety of the URLs being clicked; a forward proxy with URL filtering is the control that does that. Awareness training reduces click rates but is not a control that evaluates URLs.)
96

Which of the following are common VoIP-associated vulnerabilities? (Select TWO).

A. SPIM
B. Vishing
C. Hopping
D. Phishing
E. Credential harvesting
F. Tailgating

Answer: AB
97

A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do NEXT?

A. Review how the malware was introduced to the network.
B. Attempt to quarantine all infected hosts to limit further spread.
C. Create help desk tickets to get infected systems reimaged.
D. Update all endpoint antivirus solutions with the latest updates.

Answer: B
98

A cloud service provider has created an environment where customers can connect existing local networks to the cloud for additional computing resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used?

A. Public
B. Community
C. Hybrid
D. Private
Answer: C
99

Developers are about to release a financial application, but the number of fields on the forms that could be abused by an attacker is troubling. Which of the following techniques should be used to address this vulnerability?

A. Implement input validation
B. Encrypt data before submission
C. Perform a manual review
D. Conduct a peer review session

Answer: A
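Input validation for a form like the one in the question means an allow-list per field, server side, before the value touches business logic. The added example below (not code from the original practice test) validates a hypothetical transfer form: the field names, limits, currency list and the two sample submissions are assumptions made for the demonstration.

```python
"""Allow-list input validation for a financial transfer form.

Added example, not code from the original practice test. Field names,
limits and the sample submissions are assumptions for illustration.
"""
import re
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^[0-9]{8,12}$")          # digits only, bounded length
MEMO_RE = re.compile(r"^[A-Za-z0-9 .,'-]{0,64}$")   # printable subset, bounded
CURRENCIES = {"USD", "EUR", "GBP"}
MAX_AMOUNT = Decimal("1000000.00")
REQUIRED = {"from_account", "to_account", "amount", "currency", "memo"}


def validate_transfer(form):
    """Return a list of error strings; an empty list means the input is acceptable.

    Every field is checked against what is permitted (allow-list), never against
    a list of known-bad strings, and values are converted to their real type
    before any range check. Unknown fields are rejected so a client cannot
    smuggle in parameters such as a privilege flag.
    """
    errors = []
    missing = REQUIRED - set(form)
    if missing:
        return [f"missing field: {f}" for f in sorted(missing)]
    unexpected = set(form) - REQUIRED
    if unexpected:
        errors.append(f"unexpected field: {', '.join(sorted(unexpected))}")

    for name in ("from_account", "to_account"):
        if not ACCOUNT_RE.fullmatch(str(form[name])):
            errors.append(f"{name}: must be 8-12 digits")
    if form["from_account"] == form["to_account"]:
        errors.append("to_account: must differ from from_account")

    try:
        amount = Decimal(str(form["amount"]))
        if amount <= 0 or amount > MAX_AMOUNT or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount: must be 0.01 to 1000000.00 with at most 2 decimals")
    except InvalidOperation:
        errors.append("amount: not a number")

    if form["currency"] not in CURRENCIES:
        errors.append("currency: not in allow-list")
    if not MEMO_RE.fullmatch(str(form["memo"])):
        errors.append("memo: disallowed characters or too long")
    return errors


# Constructed submissions: one clean, one hostile.
GOOD = {"from_account": "12345678", "to_account": "87654321",
        "amount": "250.00", "currency": "USD", "memo": "Invoice 42"}
BAD = {"from_account": "12345678", "to_account": "1' OR '1'='1",
       "amount": "-1e9", "currency": "USD", "memo": "<script>alert(1)</script>",
       "is_admin": "true"}

if __name__ == "__main__":
    print("good:", validate_transfer(GOOD))
    print("bad:", validate_transfer(BAD))
```

Validation is not a substitute for parameterised queries and output encoding; it narrows what reaches them. Amounts use `Decimal`, never `float`, so "0.1 + 0.2" style rounding cannot be exploited in a financial flow.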
100

A systems administrator reports degraded performance on a virtual server. The administrator increases the virtual memory allocation, which improves conditions, but performance degrades again after a few days. The administrator runs an analysis tool and sees the following output:

The administrator terminates timeAttend.exe, observes system performance over the next few days and notices that the system performance does not degrade.
Which of the following issues is MOST likely occurring?
A. DLL injection
B. API attack
C. Buffer overflow
D. Memory leak

Answer: D
101

The Chief Information Security Officer (CISO) has requested that a third-party vendor provide supporting documents that show proper controls are in place to protect customer data. Which of the following would be BEST for the third-party vendor to provide to the CISO?

A. GDPR compliance attestation
B. Cloud Security Alliance materials
C. SOC 2 Type 2 report
D. NIST RMF workbooks

Answer: C
102

Which of the following is a benefit of including a risk management framework in an organization's security approach?

A. It defines expected service levels from participating supply chain partners to ensure system outages are remediated in a timely manner.
B. It identifies specific vendor products that have been tested and approved for use in a secure environment.
C. It provides legal assurances and remedies in the event a data breach occurs.
D. It incorporates control, development, policy, and management activities into IT operations.

Answer: D
103

A technician enables full disk encryption on a laptop that will be taken on a business trip. Which of the following does this process BEST protect?

A. Data in transit
B. Data at rest
C. Data in processing
D. Data tokenization

Answer: B
104

Which of the following documents provides expectations at a technical level for quality, availability, and responsibilities?

A. EOL
B. SLA
C. MOU
D. EOSL

Answer: B
105

An engineer recently deployed a group of 100 web servers in a cloud environment. Per the security policy, all web-server ports except 443 should be disabled. Which of the following can be used to accomplish this task?

A. Application allow list
B. SWG
C. Host-based firewall
D. VPN

Answer: C
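A host-based firewall enforces the policy on each server, but with 100 hosts you also want to verify that nothing else is listening. The added example below (not from the original practice test) parses constructed `ss -tlnp` output from two assumed hosts, reports every listening TCP port that is not on the allow-list, and generates the nftables ruleset that implements "only 443" with a default-drop input chain. The hostnames, listener lines and table name are assumptions.

```python
"""Audit web servers for listening ports other than 443 and emit a
host-based firewall policy that allows only that port.

Added example, not from the original practice test. The `ss -tlnp`
output below is constructed; hostnames and the ruleset are assumptions.
"""
import re

ALLOWED_TCP = {443}

# Constructed output of `ss -tlnp` from two hosts (trimmed).
SS_OUTPUT = {
    "web-001": """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=812,fd=6))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=611,fd=3))
LISTEN 0      4096   [::]:443          [::]:*        users:(("nginx",pid=812,fd=7))
""",
    "web-002": """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=801,fd=6))
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=801,fd=8))
LISTEN 0      128    127.0.0.1:9100    0.0.0.0:*     users:(("node_exp",pid=950,fd=3))
""",
}

_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def listening_ports(ss_text):
    """Map port -> bind address for every LISTEN line in `ss -tlnp` output."""
    ports = {}
    for line in ss_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports


def violations(outputs=SS_OUTPUT, allowed=ALLOWED_TCP):
    """Return {host: [ports]} for listening ports that are not allow-listed.

    Loopback-only listeners are reported too: the policy says the port is
    'disabled', and a loopback service still matters once the host is
    compromised (lateral movement, local privilege escalation).
    """
    result = {}
    for host, text in outputs.items():
        extra = sorted(p for p in listening_ports(text) if p not in allowed)
        if extra:
            result[host] = extra
    return result


def nft_ruleset(allowed=ALLOWED_TCP):
    """nftables policy: default-drop inbound, accept only the allowed TCP ports."""
    ports = ", ".join(str(p) for p in sorted(allowed))
    return (
        "table inet web_policy {\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        "    ct state established,related accept\n"
        "    iif lo accept\n"
        f"    tcp dport {{ {ports} }} accept\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    print(violations())
    print(nft_ruleset())
```

The ruleset would be loaded with `nft -f` by the same configuration-management run that deploys the servers; note that it drops inbound SSH as well, so management access has to come through a bastion or the cloud provider's console, which is consistent with "all ports except 443".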
106

Which of the following control types would be BEST to use in an accounting department to reduce losses from fraudulent transactions?

A. Recovery
B. Deterrent
C. Corrective
D. Detective

Answer: D
107

The database administration team is requesting guidance for a secure solution that will ensure confidentiality of cardholder data at rest only in certain fields in the database schema. The requirement is to substitute a sensitive data field with a non-sensitive field that is rendered useless if a data breach occurs. Which of the following is the BEST solution to meet the requirement?
http://www.differencebetween.net/technology/difference-between-tokenization-and-masking/

A. Tokenization
B. Masking
C. Full disk encryption
D. Mirroring
Answer: A
108

A DBA reports that several production server hard drives were wiped over the weekend. The DBA also reports that several Linux servers were unavailable due to system files being deleted unexpectedly. A security analyst verified that software was configured to delete data deliberately from those servers. No backdoors to any servers were found. Which of the following attacks was MOST likely used to cause the data loss?
A. Logic bomb
B. Ransomware
C. Fileless virus
D. Remote access Trojans
E. Rootkit
Answer: A
109

During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which of the following BEST explains this reasoning?

A. The forensic investigator forgot to run a checksum on the disk image after creation.
B. The chain of custody form did not note time zone offsets between transportation regions.
C. The computer was turned off and a RAM image could not be taken at the same time.
D. The hard drive was not properly kept in an antistatic bag when it was moved.
Answer: A
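Questions 93 and 109 both come down to the same check: hash the artifact and compare against a digest recorded elsewhere, the vendor's published value for an installer or the acquisition record for a disk image. The added example below (not from the original practice test) does both with SHA-256, hashing in chunks so a large image never has to fit in memory and comparing in constant time. The installer bytes, the "published" digest and the image contents are constructed for illustration.

```python
"""Verify file integrity with a cryptographic hash: a vendor-supplied
installer against its published digest (Q93), and a forensic disk image
against the digest recorded at acquisition (Q109, chain of custody).

Added example, not from the original practice test. The file contents,
the 'published' digest and the acquisition record are all constructed.
"""
import hashlib
import hmac
import io


def sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash a file object in chunks so multi-GB images don't need to fit in RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_digest(fileobj, expected_hex):
    """True if the stream's SHA-256 equals expected_hex (case-insensitive, constant-time)."""
    actual = sha256_stream(fileobj)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# --- Q93: installer received from a hardware manufacturer ---------------------
INSTALLER_BYTES = b"MZ\x90\x00constructed-firmware-installer-v1.2"   # constructed
PUBLISHED_SHA256 = hashlib.sha256(INSTALLER_BYTES).hexdigest()    # stands in for the vendor's published value
TAMPERED_BYTES = INSTALLER_BYTES + b"\x00evil"                    # modified in transit


def installer_ok(data=INSTALLER_BYTES, published=PUBLISHED_SHA256):
    """Compare the received file against the digest obtained out of band."""
    return verify_digest(io.BytesIO(data), published)


# --- Q109: disk image hashed at acquisition, re-hashed before analysis --------
def acquire_image(raw_bytes):
    """Simulate imaging: return the image plus the digest written on the custody form."""
    image = bytes(raw_bytes)
    return image, sha256_stream(io.BytesIO(image))


def image_still_matches(image, recorded_digest):
    """Re-verify before analysis or presentation; any mismatch breaks admissibility."""
    return verify_digest(io.BytesIO(image), recorded_digest)


if __name__ == "__main__":
    print("installer intact:", installer_ok())
    print("tampered installer:", installer_ok(TAMPERED_BYTES))
    img, digest = acquire_image(b"\x00" * 4096 + b"constructed-disk-image")
    print("image matches custody record:", image_still_matches(img, digest))
```

The published digest must come from a channel independent of the download (the vendor's HTTPS page, a signed manifest), otherwise an attacker who altered the file can alter the hash next to it; for forensics, the digest goes on the chain-of-custody form at acquisition and is re-computed every time the image changes hands.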
110

A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which of the following technologies meets the requirement?

A. SSO
B. IDS
C. MFA
D. TPM

Answer: C
111

A company labeled some documents with the public sensitivity classification. This means the documents can be accessed by:
A. Employees of other companies and the press
B. All members of the department that created the documents
C. Only the company's employees and those listed in the document
D. Only the individuals listed in the documents

Answer: A
112

Which of the following actions would be recommended to improve an incident response process?

A. Train the team to identify the difference between events and incidents
B. Modify access so the IT team has full access to the compromised assets
C. Contact the authorities if a cybercrime is suspected
D. Restrict communication surrounding the response to the IT team

Answer: A
113

A company needs to validate its updated incident response plan using a real-world scenario that will test decision points and relevant incident response actions without interrupting daily operations. Which of the following would BEST meet the company's requirements?

A. Red-team exercise
B. Capture-the-flag exercise
C. Tabletop exercise
D. Phishing exercise

Answer: C
114

A security analyst is evaluating solutions to deploy an additional layer of protection for a web application. The goal is to allow only encrypted communications without relying on network devices. Which of the following can be implemented?
https://www.thesslstore.com/blog/http-security-headers/

A. HTTP security headers
B. DNSSEC implementation
C. SRTP
D. S/MIME
Answer: A
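The header that answers the question is `Strict-Transport-Security` (HSTS): once a browser has seen it over HTTPS it refuses plain HTTP to that origin for `max-age` seconds, with no network device involved. The added example below (not from the original practice test) parses an HSTS value, audits a response's headers against a recommended set and flags the weak settings an analyst would look for. The two sample responses and the one-year minimum are constructed assumptions.

```python
"""Audit an HTTP response for the headers that force encrypted communication
(HSTS) and harden the browser side, without any network device.

Added example, not from the original practice test. The sample responses
are constructed; the one-year minimum max-age follows common guidance.
"""
MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds

RECOMMENDED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}


def parse_hsts(value):
    """Return (max_age, include_subdomains) from an HSTS header value."""
    max_age, subs = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            max_age = int(val)
        elif name.lower() == "includesubdomains":
            subs = True
    return max_age, subs


def audit_headers(headers):
    """Return a list of findings for a response's headers (names are case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers will still accept plain HTTP")
    else:
        max_age, subs = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short: {max_age}")
        if not subs:
            findings.append("HSTS lacks includeSubDomains")
    for name in RECOMMENDED:
        if name != "Strict-Transport-Security" and name.lower() not in lower:
            findings.append(f"{name} missing")
    return findings


# Constructed responses.
WEAK = {"Server": "nginx", "Strict-Transport-Security": "max-age=300"}
STRONG = dict(RECOMMENDED, Server="nginx")

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit_headers(hdrs) or "no findings")
```

HSTS is trust-on-first-use: the very first visit can still be intercepted unless the domain is on the browser preload list, and the header must be sent on every HTTPS response, including redirects, or the policy silently expires.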
115

A tax organization is working on a solution to validate the online submission of documents. The solution should be carried on a portable USB device that should be inserted on any computer that is transmitting a transaction securely. Which of the following is the BEST certificate for these requirements?

A. User certificate
B. Self-signed certificate
C. Computer certificate
D. Root certificate

Answer: C
116

A business operations manager is concerned that a PC that is critical to business operations will have a costly hardware failure soon. The manager is looking for options to continue business operations without incurring large costs. Which of the following would mitigate the manager's concerns?

A. Implement a full system upgrade
B. Perform a physical-to-virtual migration
C. Install uninterruptible power supplies
D. Purchase cybersecurity insurance

Answer: B
117

An organization would like to give remote workers the ability to use applications hosted inside the corporate network. Users will be allowed to use their personal computers, or they will be provided organization assets. Either way, no data or applications will be installed locally on any user systems. Which of the following mobile solutions would accomplish these goals?

A. VDI
B. MDM
C. COPE
D. UTM
Answer: A
118

A security analyst needs to be able to search and correlate logs from multiple sources in a single tool. Which of the following would BEST allow a security analyst to have this ability?
A. SOAR
B. SIEM
C. Log collectors
D. Network-attached storage

Answer: B
119

The Chief Information Security Officer directed a risk reduction in shadow IT and created a policy requiring all unsanctioned high-risk SaaS applications to be blocked from user access. Which of the following is the BEST security solution to reduce this risk?
A. CASB
B. VPN concentrator
C. MFA
D. VPC endpoint

Answer: A
120

A security incident has been resolved. Which of the following BEST describes the importance of the final phase of the incident response plan?
A. It examines and documents how well the team responded, discovers what caused the incident, and determines how the incident can be avoided in the future.
B. It returns the affected systems back into production once systems have been fully patched, data restored, and vulnerabilities addressed.
C. It identifies the incident and the scope of the breach, how it affects the production environment, and the ingress point.
D. It contains the affected systems and disconnects them from the network, preventing further spread of the attack or breach.

Answer: A
121

A help desk technician receives a phone call from someone claiming to be a part of the organization's cybersecurity incident response team. The caller asks the technician to verify the network's internal firewall IP address. Which of the following is the technician's BEST course of action?

A. Direct the caller to stop by the help desk in person and hang up, declining any further requests from the caller.
B. Ask for the caller's name, verify the person's identity in the email directory, and provide the requested information over the phone.
C. Write down the phone number of the caller and, if possible, the name of the person requesting the information; hang up and notify the organization's cybersecurity officer.
D. Request the caller send an email for identity verification and provide the requested information via email to the caller.

Answer: C
(This is a vishing attempt to harvest internal network details. Sending the information by email after an unverified "identity" email still hands it to the caller; the correct response is to disclose nothing, record what is known about the caller and report it.)
122

Which of the following would BEST provide detective and corrective controls for thermal regulation?

A. A smoke detector
B. A fire alarm
C. An HVAC system
D. A fire suppression system
E. Guards

Answer: C
123

The SOC for a large MSSP is meeting to discuss the lessons learned from a recent incident that took much too long to resolve. This type of incident has become more common in recent weeks and is consuming large amounts of the analysts' time due to manual tasks being performed. Which of the following solutions should the SOC consider to BEST improve its response time?

A. Configure a NIDS appliance using a Switched Port Analyzer
B. Collect OSINT and catalog the artifacts in a central repository
C. Implement a SOAR with customizable playbooks
D. Install a SIEM with community-driven threat intelligence
Answer: C
124

Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable media restriction policy?

A. Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports
B. Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced
C. Placing systems into locked key-controlled containers with no access to the USB ports
D. Installing an endpoint agent to detect connectivity of USB and removable media
Answer: C
125

An organization discovered files with proprietary financial data have been deleted. The files have been recovered from backup, but every time the Chief Financial Officer logs in to the file server, the same files are deleted again. No other users are experiencing this issue. Which of the following types of malware is MOST likely causing this behavior?
A. Logic bomb
B. Crypto malware
C. Spyware
D. Remote access Trojan

Answer: A
126

A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis. Which of the following tools will the other team member MOST likely use to open this file?

A. Autopsy
B. Memdump
C. FTK Imager
D. Wireshark

Answer: D
127

An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year?
A. ALE
B. ARO
C. RPO
D. SLE
Answer: B
128

A company is considering transitioning to the cloud. The company employs individuals from various locations around the world. The company does not want to increase its on-premises infrastructure blueprint and only wants to pay for additional compute power required. Which of the following solutions would BEST meet the needs of the company?

A. Private cloud
B. Managed Security Service Provider
C. Hybrid environment
D. Hot backup site
Answer: C
129

A security policy states that common words should not be used as passwords. A security auditor was able to perform a dictionary attack against corporate credentials. Which of the following controls was being violated?

A. Password complexity
B. Password history
C. Password reuse
D. Password length

Answer: A
130

Which of the following is assured when a user signs an email using a private key?

A. Non-repudiation
B. Confidentiality
C. Availability
D. Authentication

Answer: A
131

An organization implemented a process that compares the settings currently configured on systems against secure configuration guidelines in order to identify any gaps. Which of the following control types has the organization implemented?

A. Compensating
B. Corrective
C. Preventive
D. Detective

Answer: D
(A configuration compliance check only identifies deviations from the baseline; it becomes corrective only if the process also remediates them, which the question does not state.)
132

A company wants to improve end-users' experiences when they log in to a trusted partner website. The company does not want the users to be issued separate credentials for the partner website. Which of the following should be implemented to allow users to authenticate using their own credentials to log in to the trusted partner's website?
A. Directory service
B. AAA server
C. Federation
D. Multifactor authentication
Answer: C
133

Which of the following would be the BEST way to analyze diskless malware that has infected a VDI?

A. Shut down the VDI and copy off the event logs.
B. Take a memory snapshot of the running system.
C. Use NetFlow to identify command-and-control IPs.
D. Run a full on-demand scan of the root volume.

Answer: B
134

After a recent security incident, a security analyst discovered that unnecessary ports were open on a firewall policy for a web server. Which of the following firewall policies would be MOST secure for a web server?

Answer: D
135

A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?
A. MFA
B. Lockout
C. Time-based logins
D. Password history
Answer: A
136

Which of the following tools is effective in preventing a user from accessing unauthorized removable media?

A. USB data blocker
B. Faraday cage
C. Proximity reader
D. Cable lock

Answer: A
137

A new company wants to avoid channel interference when building a WLAN. The company needs to know the radio frequency behavior, identify dead zones, and determine the best place for access points. Which of the following should be done FIRST?

A. Configure heat maps.
B. Utilize captive portals.
C. Conduct a site survey.
D. Install Wi-Fi analyzers.

• A site survey is used to measure signal strength and channel usage throughout the area to cover. A site survey starts with an architectural map of the site, with features that can cause background interference marked.
• These features include solid walls, reflective surfaces, motors, microwave ovens, and so on. The Wi-Fi analyzer records information about the signal obtained at regularly spaced points as the surveyor moves around the area.
• These readings are combined and analyzed to produce a heat map, showing where a signal is strong (red) or weak (green/blue), and which channel is being used and how they overlap.

Answer: C
138

A user enters a username and a password at the login screen for a web portal. A few seconds later the following message appears on the screen: "Please use a combination of numbers, special characters, and letters in the password field". Which of the following concepts does this message describe?

A. Password complexity
B. Password reuse
C. Password history
D. Password age

Answer: A
139

An engineer wants to inspect traffic to a cluster of web servers in a cloud environment. Which of the following solutions should the engineer implement?

A. Proxy server
B. WAF
C. Load balancer
D. VPN

Answer: B
140

Data exfiltration analysis indicates that an attacker managed to download system configuration notes from a web server. The web-server logs have been deleted, but the analysts have determined that the system configuration notes were stored in the database administrator's folder on the web server. Which of the following attacks explains what occurred? (Select TWO)

A. Pass-the-hash
B. Directory traversal
C. SQL injection
D. Privilege escalation
E. Cross-site scripting
F. Request forgery

Answer: BD
141

A security analyst is concerned about critical vulnerabilities that have been detected on some applications running inside containers. Which of the following is the BEST remediation strategy?

A. Update the base container image and redeploy the environment
B. Include the containers in the regular patching schedule for servers
C. Patch each running container individually and test the application
D. Update the host in which the containers are running

Answer: A
142

Which of the following is the MOST effective control against zero-day vulnerabilities?

A. Network segmentation
B. Patch management
C. Intrusion prevention system
D. Multiple vulnerability scanners

Answer: A
143

Which of the following organizations sets frameworks and controls for optimal security configuration on systems?

A. ISO
B. GDPR
C. PCI DSS
D. NIST

Answer: A
144

Which of the following describes the exploitation of an interactive process to gain access to restricted areas?

A. Persistence
B. Buffer overflow
C. Privilege escalation
D. Pharming

Answer: C
145

Which of the following is a known security risk associated with data archives that contain financial information?

A. Data can become a liability if archived longer than required by regulatory guidance
B. Data must be archived off-site to avoid breaches and meet business requirements
C. Companies are prohibited from providing archived data to e-discovery requests
D. Unencrypted archives should be preserved as long as possible and encrypted

Answer: A
146

A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help accomplish this goal?

A. Classify the data
B. Mask the data
C. Assign an application owner
D. Perform a risk analysis

Answer: A
147

A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional brownouts that last up to an hour exists, particularly at one of the locations near an industrial complex. Which of the following is the BEST solution to reduce the risk of data loss?

A. Dual supply
B. Generator
C. UPS
D. PDU
E. Daily backups

A power distribution unit (PDU) comes with circuitry to "clean" the power signal, provide protection against spikes, surges, and brownouts, and can integrate with uninterruptible power supplies (UPSs). Managed PDUs support remote power monitoring functions, such as reporting load and status, switching power to a socket on and off, or switching sockets on in a particular sequence.

Answer: D
148

Several universities are participating in a collaborative research project and need to share compute and storage resources. Which of the following cloud deployment strategies would BEST meet this need?

A. Community
B. Private
C. Public
D. Hybrid

Answer: A
149

An organization has activated an incident response plan due to a malware outbreak on its network. The organization has brought in a forensics team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be BEST to prevent reinfection from the initial infection vector?

A. Prevent connections over TFTP from the internal network
B. Create a firewall rule that blocks port 22 from the internet to the server
C. Disable file sharing over port 445 to the server
D. Block port 3389 inbound from untrusted networks

Answer: D
150

A Chief Security Officer (CSO) is concerned that cloud-based services are not adequately protected from advanced threats and malware. The CSO believes there is a high risk that a data breach could occur in the near future due to the lack of detective and preventive controls. Which of the following should be implemented to BEST address the CSO's concerns? (Select TWO)

A. A WAF
B. A CASB
C. An NG-SWG
D. Segmentation
E. Encryption
F. Containerization

Answer: BC
151

Field workers in an organization are issued mobile phones on a daily basis. All the work is performed within one city and the mobile phones are not used for any purpose other than work. The organization does not want these phones used for personal purposes. The organization would like to issue the phones to workers as permanent devices so the phones do not need to be reissued every day. Given the conditions described, which of the following technologies would BEST meet these requirements?

A. Geofencing
B. Mobile device management
C. Containerization
D. Remote wiping

Answer: B
152

During a recent incident, an external attacker was able to exploit an SMB vulnerability over the internet. Which of the following action items should a security analyst perform FIRST to prevent this from occurring again?

A. Check for any recent SMB CVEs
B. Install AV on the affected server
C. Block unneeded TCP 445 connections
D. Deploy a NIDS in the affected subnet

Answer: C
153

Business partners are working on a security mechanism to validate transactions securely. The requirement is for one company to be responsible for deploying a trusted solution that will register and issue artifacts used to sign, encrypt, and decrypt transaction files. Which of the following is the BEST solution to adopt?

A. PKI
B. Blockchain
C. SAML
D. OAuth

Answer: A
154

An organization wants to participate in threat intelligence information sharing with peer groups. Which of the following would MOST likely meet the organization's requirement?

A. Perform OSINT investigations
B. Subscribe to threat intelligence feeds
C. Submit RFCs
D. Implement a TAXII server

Answer: D
155

An organization has developed an application that needs a patch to fix a critical vulnerability. In which of the following environments should the patch be deployed LAST?

A. Test
B. Staging
C. Development
D. Production

Answer: D
156

Which of the following risk management strategies would an organization use to maintain a legacy system with known risks for operational purposes?

A. Acceptance
B. Transference
C. Avoidance
D. Mitigation

Answer: D
157

A recent security audit revealed that a popular website with IP address 172.16.1.5 also has an FTP service that employees were using to store sensitive corporate data. The organization's outbound firewall processes rules top-down. Which of the following would permit HTTP and HTTPS, while denying all other services for this host?

A. access-rule permit tcp destination 172.16.1.5 port 80
   access-rule permit tcp destination 172.16.1.5 port 443
   access-rule deny ip destination 172.16.1.5

B. access-rule permit tcp destination 172.16.1.5 port 22
   access-rule permit tcp destination 172.16.1.5 port 443
   access-rule deny tcp destination 172.16.1.5 port 80

C. access-rule permit tcp destination 172.16.1.5 port 21
   access-rule permit tcp destination 172.16.1.5 port 80
   access-rule deny ip destination 172.16.1.5

D. access-rule permit tcp destination 172.16.1.5 port 80
   access-rule permit tcp destination 172.16.1.5 port 443
   access-rule deny tcp destination 172.16.1.5 port 21

Answer: A
158

A social media company based in North America is looking to expand into new global markets and needs to maintain compliance with international standards. With which of the following is the company's data protection officer MOST likely concerned?

A. NIST Framework
B. ISO 27001
C. GDPR
D. PCI-DSS

Answer: C
159

Several users have opened tickets with the help desk. The help desk has reassigned the tickets to a security analyst for further review. The security analyst reviews the following metrics:

Which of the following is MOST likely the result of the security analyst's review?

A. The ISP is dropping outbound connections
B. The user of the Sales-PC fell for a phishing attack
C. Corporate PCs have been turned into a botnet
D. An on-path attack is taking place between PCs and the router

Answer: C
160

Digital signatures use asymmetric encryption. This means the message is encrypted with:

A. the sender's private key and decrypted with the sender's public key
B. the recipient's public key and decrypted with the recipient's private key
C. the sender's private key and decrypted with the recipient's public key
D. the sender's public key and decrypted with the recipient's private key

Answer: B
161

A website developer who is concerned about theft of the company's user database wants to protect weak passwords from offline brute-force attacks. Which of the following would be the BEST solution?

A. Lock accounts after five failed logons
B. Precompute passwords with rainbow tables
C. Use a key-stretching technique
D. Hash passwords with the MD5 algorithm

Answer: C
162

A user reports trouble using a corporate laptop. The laptop freezes and responds slowly when writing documents and the mouse pointer occasionally disappears. The task list shows the following results:

Which of the following is MOST likely the issue?

A. PUP
B. RAT
C. Spyware
D. Keylogger

Spyware will try to run invisibly, but it will still use up memory and CPU time.
https://www.popsci.com/find-and-remove-spyware/

Answer: C
163

The organization's bank only calls on a predetermined landline. What best describes the MFA (multifactor authentication) attribute that the bank is attempting to utilize?

A. Something you exhibit
B. Something you can do
C. Someone you know
D. Somewhere you are

Answer: D
164

Last month a company moved all of their corporate data to a private cloud and secured it with strong encryption and authentication mechanisms. Earlier this week, a sales manager had their laptop stolen. Today, enterprise data was stolen from a local database. Of the options below, what is the most likely cause of this data breach?

A. Bluejacking
B. Man in the browser
C. Credential stuffing
D. Shadow IT
E. SQL injection

If the sales manager uses the same password for several services, then it is likely someone retrieved a saved password from the laptop and then successfully used that on the cloud server.

Credential stuffing involves getting a valid set of credentials from one location, and then trying them elsewhere to gain access. For example, someone finds out the password for your bank account. The attacker then uses that same password to try and access your email. That would be considered credential stuffing and is the most likely of our options. (additional notes in the slide notes)

Answer: C
165

A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution in order to restrict PHI documents. Which of the following should be performed first?

A. Retention
B. Governance
C. Classification
D. Change management

Answer: C
166
An organization is building backup servers in geographically
diverse locations. The Chief Information Security Officer
implemented a requirement on the project that states the new
hardware cannot be susceptible to the same vulnerabilities in the
existing server room. Which of the following should the systems
engineer consider?
A. Purchasing hardware from different vendors
B. Migrating workloads to public cloud infrastructure
C. Implementing a robust patch management solution
D. Designing new detective security controls

Answer: A
167

A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal behavior is detected. Which of the following is the security analyst MOST likely implementing?

A. Vulnerability scans
B. User behavior analysis
C. Security orchestration, automation, and response
D. Threat hunting

Answer: B
168

Which of the following provides a calculated value for known vulnerabilities so organizations can prioritize mitigation steps?

A. CVSS
B. SIEM
C. SOAR
D. CVE

Answer: A
169

A Chief Information Security Officer has defined resiliency requirements for a new data center architecture. The requirements are as follows:
• Critical file shares will remain accessible during and after a natural disaster
• Five percent of the hard disks can fail at any given time without impacting the data
• Systems will be forced to shut down gracefully when battery levels are below 20%
Which of the following are required to BEST meet these objectives? (Select THREE)

A. Fiber switching
B. IaC
C. NAS
D. RAID
E. UPS
F. Redundant power supplies
G. Geographic dispersal
H. Snapshots
I. Load balancing

Answer: DEG
170

A forensic analyst needs to prove that data has not been tampered with since it was collected. Which of the following methods will the analyst MOST likely use?

A. Look for tampering on the evidence collection bag
B. Encrypt the collected data using asymmetric encryption
C. Ensure proper procedures for chain of custody are being followed
D. Calculate the checksum using a hashing algorithm

Answer: D
171

An organization has decided to purchase an insurance policy because a risk assessment determined that the cost to remediate the risk is greater than the five-year cost of the insurance policy. The organization is enabling risk:

A. avoidance
B. acceptance
C. mitigation
D. transference

Answer: D
172

Which of the following is the GREATEST security concern when outsourcing code development to third-party contractors for an internet-facing application?

A. Intellectual property theft
B. Elevated privileges
C. Unknown backdoor
D. Quality assurance

Answer: C
173

A company is auditing the manner in which its European customers' personal information is handled. Which of the following should the company consult?

A. GDPR
B. ISO
C. NIST
D. PCI DSS

Answer: A
174

A security analyst is designing the appropriate controls to limit unauthorized access to a physical site. The analyst has a directive to utilize the lowest possible budget. Which of the following would BEST meet the requirements?

A. Preventive controls
B. Compensating controls
C. Deterrent controls
D. Detective controls

Answer: A
175

Which of the following would BEST provide a systems administrator with the ability to more efficiently identify systems and manage permissions and policies based on location, role, and service level?

A. Standard naming conventions
B. Domain services
C. Baseline configurations
D. Diagrams

Standardizing Host and Server Naming Conventions (device42.com)

Answer: A
176

Which of the following terms describes a broad range of information that is sensitive to a specific organization?

A. Public
B. Top secret
C. Proprietary
D. Open-source

Answer: C
177

Which of the following would be indicative of a hidden audio file found inside of a piece of source code?

A. Steganography
B. Homomorphic encryption
C. Cipher suite
D. Blockchain

Answer: A
178

A software company adopted the following processes before releasing software to production:
• Peer review
• Static code scanning
• Signing
A considerable number of vulnerabilities are still being detected when code is executed on production. Which of the following security tools can improve vulnerability detection on this environment?

A. File integrity monitoring for the source code
B. Dynamic code analysis tool
C. Encrypted code repository
D. Endpoint detection and response solution

Answer: B
179

An organization is migrating several SaaS applications that support SSO. The security manager wants to ensure the migration is completed securely. Which of the following should the organization consider before implementation? (Select TWO).

A. The back-end directory source
B. The identity federation protocol
C. The hashing method
D. The encryption method
E. The registration authority
F. The certificate authority

Answer: CD
180

During an incident response process involving a laptop, a host was identified as the entry point for malware. The management team would like to have the laptop restored and given back to the user. The cybersecurity analyst would like to continue investigating the intrusion on the host. Which of the following would allow the analyst to continue the investigation and also return the laptop to the user as soon as possible?

A. dd
B. memdump
C. tcpdump
D. head

Answer: A
181

During a security incident investigation, an analyst consults the company's SIEM and sees an event concerning high traffic to a known, malicious command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue. Which of the following can provide the information?

A. WAF logs
B. DNS logs
C. System logs
D. Application logs

Answer: B
182

Server administrators want to configure a cloud solution so that computing memory and processor usage is maximized most efficiently across a number of virtual servers. They also need to avoid potential denial-of-service situations caused by availability. Which of the following should administrators configure to maximize system availability while efficiently utilizing available computing power?

A. Dynamic resource allocation
B. High availability
C. Segmentation
D. Container security

Answer: A
183

A security engineer is deploying a new wireless network for a company. The company shares office space with multiple tenants. Which of the following should the engineer configure on the wireless network to ensure that confidential data is not exposed to unauthorized users?

A. EAP
B. TLS
C. HTTPS
D. AES

Answer: D
184

A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement?

A. Asymmetric
B. Symmetric
C. Homomorphic
D. Ephemeral

Answer: C
185

A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the following commands could an analyst run to find the requested servers?

A. nslookup 10.10.10.0
B. nmap -p 80 10.10.10.0/24
C. pathping 10.10.10.0 -p 80
D. nc -l -p 80

Answer: B
186

A security manager needs to assess the security posture of one of the organization's vendors. The contract with the vendor does not allow for auditing of the vendor's security controls. Which of the following should the manager request to complete the assessment?

A. A service-level agreement
B. A business partnership agreement
C. A SOC 2 Type 2 report
D. A memorandum of understanding

Answer: C
187

A company wants the ability to restrict web access and monitor the websites that employees visit. Which of the following would BEST meet these requirements?

A. Internet proxy
B. VPN
C. WAF
D. Firewall

Answer: A
188

A security analyst was asked to evaluate a potential attack that occurred on a publicly accessible section of the company's website. The malicious actor posted an entry in an attempt to trick users into clicking the following:

Which of the following was MOST likely observed?

A. DLL injection
B. Session replay
C. SQLi
D. XSS

Answer: D
189

An administrator needs to protect user passwords and has been advised to hash the passwords. Which of the following BEST describes what the administrator is being advised to do?

A. Perform a mathematical operation on the passwords that will convert them into unique strings
B. Add extra data to the passwords so their length is increased, making them harder to brute force
C. Store all passwords in the system in a rainbow table that has a centralized location
D. Enforce the use of one-time passwords that are changed for every login session.

Answer: A
190

An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to BEST satisfy both the CPO's and the development team's requirements?

A. Data anonymization
B. Data encryption
C. Data masking
D. Data tokenization

A fully anonymized data set is one where individual subjects can no longer be identified, even if the data set is combined with other data sources. Identifying information is permanently removed.

Answer: A
191

To reduce and limit software and infrastructure costs, the Chief Information Officer has requested to move email services to the cloud. The cloud provider and the organization must have security controls to protect sensitive data. Which of the following cloud services would BEST accommodate the request?

A. IaaS
B. PaaS
C. DaaS
D. SaaS

Answer: B
192

Administrators have allowed employees to access their company email from personal computers. However, the administrators are concerned that these computers are another attack surface and can result in user accounts being breached by foreign actors. Which of the following actions would provide the MOST secure solution?

A. Implement a 16-character minimum length and 30-day expiration password policy
B. Enable an option in the administration center so accounts can be locked if they are accessed from different geographical areas
C. Set up a global mail rule to disallow the forwarding of any company email to email addresses outside the organization
D. Enforce a policy that allows employees to be able to access their email only while they are connected to the internet via VPN

Answer: D
193

A security engineer needs to build a solution to satisfy regulatory requirements that state certain critical servers must be accessed using MFA. However, the critical servers are older and are unable to support the addition of MFA. Which of the following will the engineer MOST likely use to achieve this objective?

A. A forward proxy
B. A stateful firewall
C. A jump server
D. A port tap

Answer: C
194

Which of the following provides a catalog of security and privacy controls related to the United States federal information systems?

A. GDPR
B. PCI DSS
C. ISO 27000
D. NIST 800-53

Answer: D
195

DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuations in a cost-effective way. Which of the following options BEST fulfils the architect's requirements?

A. An orchestration solution that can adjust scalability of cloud assets
B. Use of multipath by adding more connections to cloud storage
C. Cloud assets replicated on geographically distributed regions
D. An on-site backup that is deployed and only used when the load increases

Answer: A
196

Which of the following explains why RTO is included in a BIA?

A. It identifies the amount of allowable downtime for an application or system
B. It prioritizes risks so the organization can allocate resources appropriately.
C. It monetizes the loss of an asset and determines a break even point for risk mitigation
D. It informs the backup approach so that the organization can recover data to a known time

Answer: A
197

To track changes to software development, use:

A. Hashing
B. Encryption
C. Digital signatures
D. Version control

Answer: D
198

Due to unexpected circumstances, an IT company must vacate its main office, forcing all operations to alternate, off-site locations. Which of the following will the company MOST likely reference for guidance during this change?

A. The business continuity plan
B. The retention policy
C. The disaster recovery plan
D. The incident response plan

Answer: C
199

After a WiFi scan of a local office was conducted, an unknown wireless signal was identified. Upon investigation, an unknown Raspberry Pi device was found connected to an Ethernet port using a single connection. Which of the following BEST describes the purpose of this device?

A. IoT sensor
B. Evil twin
C. Rogue access point
D. On-path attack

https://thepi.io/how-to-use-your-raspberry-pi-as-a-wireless-access-point/

Answer: C
200

A SWG protects users from accessing infected external websites or undesirable content hosted outside of the organization. A WAF protects hosted web-based applications from attacks that are initiated by external attackers.

A Next Generation Secure Web Gateway (SWG) is a new cloud-native solution for protecting enterprises from the growing volume of sophisticated cloud-enabled threats and data risks.

Answer: B
201

Answer: A
202

Answer: A
203
Hackers recently attacked a company's network and obtained several unfavorable pictures from the Chief Executive Officer's workstation. The hackers are threatening to send the images to the press if a ransom is not paid. Which of the following is impacted the MOST?

A. Identity theft
B. Data loss
C. Data exfiltration
D. Reputation

Answer: D
204

A software company is analyzing a process that detects software vulnerabilities at the earliest stage possible. The goal is to scan the source looking for unsecure practices and weaknesses before the application is deployed in a runtime environment. Which of the following would BEST assist the company with this objective?

A. Use fuzzing testing
B. Use a web vulnerability scanner
C. Use static code analysis
D. Use a penetration-testing OS

Answer: C
205

A penetration tester was able to compromise an internal server and is now trying to pivot the current session in a network lateral movement. Which of the following tools, if available on the server, will provide the MOST useful information for the next assessment step?

A. Autopsy
B. Cuckoo
C. Memdump
D. Nmap

Answer: D
206

A security analyst is responding to an alert from the SIEM. The alert states that malware was discovered on a host and was not automatically deleted. Which of the following would be BEST for the analyst to perform?

A. Add a deny-all rule to that host in the network ACL
B. Implement a network-wide scan for other instances of the malware
C. Quarantine the host from other parts of the network
D. Revoke the client's network access certificates

Answer: B
207

Which of the following authentication methods sends out a unique password to be used within a specific number of seconds?

A. TOTP
B. Biometrics
C. Kerberos
D. LDAP

Answer: A
208

Which of the following must be in place before implementing a BCP?

A. SLA
B. AUP
C. NDA
D. BIA

Answer: D
209

Answer: BC
210

Answer: A
211

Multiple business accounts were compromised a few days after a public website had its credentials database leaked on the Internet. No business emails were identified in the breach, but the security team thinks that the list of passwords exposed was later used to compromise business accounts. Which of the following would mitigate the issue?

A. Complexity requirements
B. Password history
C. Acceptable use policy
D. Shared accounts

Answer: B
212

Answer: A
213

https://www.dekart.com/howto/howto_disk_encryption/disk_firewall

Answer: B
214

A dynamic application vulnerability scan identified that code injection could be performed using a web form. Which of the following will be the BEST remediation to prevent this vulnerability?

A. Implement input validations
B. Deploy MFA
C. Utilize a WAF
D. Configure HIPS

https://techtipbits.com/security/input-validation-in-web-applications/

Answer: A
215

Which of the following would be used to find the MOST common web-application vulnerabilities?

A. SDLC
B. MITRE ATTACK
C. Cyber Kill Chain
D. OWASP

Answer: D
216

The board of directors at a company contracted with an insurance firm to limit the organization's liability. Which of the following risk management practices does this decision BEST describe?

A. Transference
B. Avoidance
C. Mitigation
D. Acknowledgement

Answer: A

Which of the following would be MOST effective to contain a rapid attack that is affecting a large number of organizations?

A. Machine learning
B. DNS sinkhole
C. Honeypot
D. Blocklist

Answer: D

A penetration tester gains access to the network by exploiting a vulnerability on a public-facing web server. Which of the following techniques will the tester most likely perform NEXT?

A. Gather more information about the target through passive reconnaissance
B. Establish rules of engagement before proceeding
C. Create a user account to maintain persistence
D. Move laterally throughout the network to search for sensitive information

Answer: C

Which of the following would detect intrusions at the perimeter of an airport?

A. Signage
B. Fencing
C. Motion sensors
D. Lighting
E. Bollards

Answer: B

An analyst just discovered an ongoing attack on a host that is on the network. The analyst observes the below taking place:
• The computer performance is slow
• Ads are appearing from various pop-up windows
• Operating system files are modified
• The computer is receiving AV alerts for execution of malicious processes.
Which of the following steps should the analyst consider FIRST?

A. Check to make sure the DLP solution is in the active state
B. Patch the host to prevent exploitation
C. Put the machine in containment
D. Update the AV solution on the host to stop the attack

Answer: C

Answer: B

A company currently uses passwords for logging in to company-owned devices and wants to add a second authentication factor. Per corporate policy, users are not allowed to have smartphones at their desks. Which of the following would meet these requirements?

A. Smart card
B. PIN code
C. Knowledge-based question
D. Secret key

Answer: A

The chief compliance officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST likely protecting against?

A. Preventing any current employees' siblings from working at the bank to prevent nepotism
B. Hiring an employee who has been convicted of theft to adhere to industry compliance
C. Filtering applicants who have added false information to resumes so they appear better qualified
D. Ensuring no new hires have worked at other banks that may be trying to steal customer information

Answer: B

Which biometric error would allow an unauthorized user to access a system?

A. False acceptance
B. False entrance
C. False rejection
D. False denial

Answer: A

Which of the following would produce the closest experience of responding to an actual incident response scenario?

A. Lessons learned
B. Simulation
C. Walk-through
D. Tabletop

Answer: B

An organization is concerned about intellectual property theft by employees who leave the organization. Which of the following will the organization MOST likely implement?

A. CBT
B. NDA
C. MOU
D. AUP

Answer: B

An organization maintains several environments in which patches are developed and tested before being deployed to an operational status. Which of the following is the environment in which patches will be deployed just prior to being put into an operational status?

A. Development
B. Test
C. Production
D. Staging

Answer: D

Which of the following control types would be BEST to use to identify violations and incidents?

A. Detective
B. Compensating
C. Deterrent
D. Corrective
E. Recovery
F. Preventive

Answer: A

A security analyst wants to fingerprint a web server. Which of the following tools will the security analyst MOST likely use to accomplish this task?

A. nmap -p 1-65535 192.168.0.10
B. dig 192.168.0.10
C. curl --head http://192.168.0.10
D. ping 192.168.0.10

Answer: C

Answer: A

Answer: B

A system that requires an operation availability of 99.99% and has an annual maintenance window available to patching and fixes will require the HIGHEST:

A. MTBF
B. MTTR
C. RPO
D. RTO

Answer: A

Answer: E

Answer: D

Answer: A

Answer: A

A local coffee shop runs a small Wi-Fi hotspot for its customers that utilizes WPA2-PSK. The coffee shop would like to stay current with security trends and wants to implement WPA3 to make its Wi-Fi even more secure. Which of the following technologies will the coffee shop MOST likely use in place of PSK?

A. WEP
B. MSCHAP
C. WPS
D. SAE

Answer: D

During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?

A. Physically move the PC to a separate Internet point of presence.
B. Create and apply micro segmentation rules.
C. Emulate the malware in a heavily monitored DMZ segment.
D. Apply network blacklisting rules for the adversary domain.

Answer: B

Which of the following should a technician consider when selecting an encryption method for data that needs to remain confidential for a specific length of time?

A. The key length of the encryption algorithm
B. The encryption algorithm's longevity
C. A method of introducing entropy into key calculations
D. The computational overhead of calculating the encryption key

Answer: B

Which of the following employee roles is responsible for protecting an organization's collected personal information?

A. CTO
B. DPO
C. CEO
D. DBA

Answer: B

An organization's Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities?

A. Data protection officer
B. Data owner
C. Backup administrator
D. Data custodian
E. Internal auditor

Answer: D

Domains:
1. Attacks, Threats, and Vulnerabilities
2. Architecture and Design
3. Implementation

After a ransomware attack, you need to review a cryptocurrency transaction made by the victim. Which of the following would you MOST likely review to trace this transaction?

“Blockchain is a concept in which an expanding list of transactional records is secured using cryptography. The blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, one of the most important characteristics of a blockchain is that it is decentralized. The ledger is distributed across a peer-to-peer (P2P) network in order to mitigate the risks associated with having a single point of failure or compromise. Blockchain users can therefore trust each other equally.”

A. The public ledger
B. The NetFlow data
C. A checksum
D. The event log

Answer: A

Symmetric cryptography can efficiently:

A. Perform key exchange
B. Protect large amounts of data
C. Hash data
D. Provide non-repudiation

Answer: B

Due to a weakness in the company's currently implemented hashing algorithm, a technician added a randomly generated value to the password before storing it. What is the best description of this action?

In cryptography, a “salt” is pseudo-random data that is used as an additional input when hashing a password or passphrase to make them stronger/harder to crack.

A. Predictability
B. Key Stretching
C. Salting
D. Hashing

Answer: C

A penetration tester has found a domain controller using 3DES to encrypt authentication messages. What problem has the penetration tester identified?

A. Unsecure protocols
B. Default settings
C. Open permissions
D. Weak encryption

Answer: D

Which of the following would MOST likely support the integrity of a banking application?

More about blockchain: A blockchain is a growing list of records, called blocks, that are linked using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. By design, a blockchain is resistant to modification of its data. This is because once recorded, the data in any given block cannot be altered retroactively without alteration of all subsequent blocks.

A. Perfect forward secrecy
B. Transport Layer Security
C. Blockchain
D. Asymmetric encryption

Answer: C

A company would like to get one SSL certificate that can cover both of their application servers, [email protected] and www.example.com. Furthermore, this certificate should be able to cover any future application servers that the company may add of a similar naming convention, such as smtp.example.com. What type of SSL certificate would best fit their needs?

A wildcard certificate (*.example.com) is capable of being used by, and protecting, several servers so long as the domain and top level domain are matching.

A. Self-signed
B. SAN
C. Wildcard
D. Extended validation

Answer: C

A server certificate needs to be generated to be used for 802.1X. Which of the following is the FIRST step that will most likely accomplish this task?

OCSP – Online Certificate Status Protocol: Used to quickly check that a certificate hasn't been revoked, without needing to download a complete CRL from the CA. OCSP messages are signed to provide authenticity, integrity, and non-repudiation. This requires an internet connection.

CSR – Certificate Signing Request: This is sent to a CA to begin the process of certificate creation. The CSR should include the public key, domain/device validation (proof of ownership), common name, location, etc.

CRL – Certificate Revocation List: A list (by serial number) of all revoked certificates that a CA has previously issued. These lists can become very large, which is why OCSP was created. A decent option if the computer is air-gapped.

PFX file – A binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. This file is typically what is sent to key escrow.

A. Create an OCSP.
B. Generate a CSR.
C. Create a CRL.
D. Generate a .pfx file.

Answer: B

While deploying TLS certificates on your air-gapped private network you determine that you need the ability to check revoked certificates quickly. Which of the following would best fit these requirements?

While OCSP (Online Certificate Status Protocol) could certainly be faster than a CRL (Certificate Revocation List), it does require an online connection. However, our network is air-gapped so this isn't possible to use. CRL it is!

RA = registration authority.

A. RA
B. OCSP
C. CRL
D. CSR

Answer: C

A SOC is currently being outsourced. Which of the following is being used?

https://www.datashieldprotect.com/blog/pros-and-cons-of-an-outsourced-soc

A. Microservices
B. SaaS
C. MSSP
D. PaaS

Answer: C

A security analyst is investigating a phishing email that contains a malicious document directed to the company's Chief Executive Officer (CEO). Which of the following should the analyst perform to understand the threat and retrieve possible IoCs?

A. Run a vulnerability scan against the CEO's computer to find possible vulnerabilities
B. Install a sandbox to run the malicious payload in a safe environment
C. Perform a traceroute to identify the communication path
D. Use netstat to check whether communication has been made with a remote host

Answer: B

Which of the following controls would BEST identify and report malicious insider activities?

A. An intrusion detection system
B. A proxy
C. Audit trails
D. Strong authentication

Answer: C

A company recently experienced an attack during which its main website was directed to the attacker's web server, allowing the attacker to harvest credentials from unsuspecting customers. Which of the following should the company implement to prevent this type of attack occurring in the future?

A. IPSec
B. SSL/TLS
C. DNSSEC
D. S/MIME

Answer: C

A security analyst must enforce policies to harden an MDM infrastructure. The requirements are as follows:
• Ensure mobile devices can be traced and wiped.
• Confirm mobile devices are encrypted.
Which of the following should the analyst enable on all the devices to meet these requirements?

A. Geofencing
B. Biometric authentication
C. Geolocation
D. Geotagging

Answer: C

A user downloaded an extension for a browser, and the user device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data. The following was observed running:

Which of the following is the malware using to execute the attack?

A. PowerShell
B. Python
C. Bash
D. Macros

Answer: A

An engineer needs to deploy a security measure to identify and prevent data tampering within the enterprise. Which of the following will accomplish this goal?

A. Antivirus
B. IPS
C. FTP
D. FIM

Answer: D

When planning to build a virtual environment, an administrator needs to achieve the following:
• Establish policies and limit who can create new VMs
• Allocate resources according to actual utilization
• Require justification for requests outside of the standard requirements
• Create standardized categories based on size and resource requirements
Which of the following is the administrator MOST likely trying to do?

A. Implement IaaS replication
B. Protect against VM escape
C. Deploy a PaaS
D. Avoid VM sprawl

Answer: D

A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs the analyst decides to run some commands on the gateway and obtains the following output:

Which of the following BEST describes the attack the company is experiencing?

A. MAC flooding
B. URL redirection
C. ARP poisoning
D. DNS hijacking

Answer: C

An analyst is generating a security report for the management team. Security guidelines recommend disabling all listening unencrypted services. Given this output from Nmap:

Which of the following should the analyst recommend to disable?

A. 21/tcp
B. 22/tcp
C. 23/tcp
D. 443/tcp

Answer: C

The Chief Information Security Officer wants to pilot a new adaptive, user-based authentication method. The concept includes granting logical access based on physical location and proximity. Which of the following is the BEST solution for the pilot?

A. Geofencing
B. Self-sovereign identification
C. PKI certificates
D. SSO

Answer: A

Which of the following would satisfy three-factor authentication?

A. Password, fingerprint scanner, and retina scanner
B. Password, retina scanner, and NFC card
C. Password, hard token, and NFC card
D. Fingerprint scanner, hard token, and retina scanner

Answer: B

Which two features are available only in next-generation firewalls? (Choose two)

A. deep packet inspection
B. packet filtering
C. application awareness
D. stateful inspection
E. virtual private network

Answer: AC

A developer is building a new portal to deliver single-pane-of-glass management capabilities to customers with multiple firewalls. To improve the user experience, the developer wants to implement an authentication and authorization standard that uses security tokens that contain assertions to pass user information between nodes. Which of the following roles should the developer configure to meet these requirements? (Select TWO).

A. Identity processor
B. Service requestor
C. Identity provider
D. Service provider
E. Tokenized resource
F. Notarized referral

Answer: CD

A security analyst was deploying a new website and found a connection attempting to authenticate on the site's portal. While investigating the incident, the analyst identified the following input in the username field:

A. DLL injection to hijack administrator services
B. SQLi on the field to bypass authentication
C. Execution of a stored XSS on the website
D. Code to execute a race condition on the server

Answer: B

Developers are writing code and merging it into shared repositories several times a day, where it is tested automatically. Which of the following concepts does this BEST represent?

A. Functional testing
B. Stored procedures
C. Elasticity
D. Continuous integration

Answer: D

Which of the following environments would MOST likely be used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance characteristics?

A. Test
B. Staging
C. Development
D. Production

Answer: A

Remote workers in an organization use company-provided laptops with locally installed applications and locally stored data. Users can store data on a remote server using an encrypted connection. The organization discovered data stored on a laptop had been made available to the public. Which of the following security solutions would mitigate the risk of future data disclosures?

A. TPM
B. HIDS
C. FDE
D. VPN

Answer: C

A grocery store is expressing security and reliability concerns regarding the on-site backup strategy currently being performed by locally attached disks. The main concerns are the physical security of the backup media and the durability of the data stored on these devices. Which of the following is a cost-effective approach to address these concerns?

A. Enhance resiliency by adding a hardware RAID.
B. Move data to a tape library and store the tapes off site.
C. Install a local network-attached storage.
D. Migrate to a cloud backup solution.

Answer: D

A systems administrator is looking for a solution that will help prevent OAuth applications from being leveraged by hackers to trick users into authorizing the use of their corporate credentials. Which of the following BEST describes this solution?

https://www.microsoft.com/security/blog/2019/09/25/top-5-use-cases-cloud-access-security-broker/

A. CASB
B. UEM
C. WAF
D. VPC

Answer: A

Web server A is unreachable from the corporate branch office. Review the stateful firewall below. Which of the options below would resolve the problem while ensuring the web traffic is secure?

Topology: Branch Office (172.30.1.0/24) -- Firewall -- Web server A (172.30.2.1/24)

#   Action   Source IP        Destination IP   Protocol
1   Permit   172.30.1.0/24    172.30.2.1/24    SSH
2   Deny     Any              172.30.2.1/24    Telnet
3   Permit   172.30.2.1/24    Any              DNS

A. Add a rule “permit source 172.30.2.1/24 to destination 172.30.1.0/24, HTTP”
B. Add a rule “permit source 172.30.3.0/24 to destination 172.30.2.1/24, HTTP”
C. Add a rule “permit source 172.30.1.0/24 to destination 172.30.2.1/24, HTTP”
D. Add a rule “permit source 172.30.2.1/24 to destination 172.30.1.0/24, HTTPS”
E. Add a rule “permit source 172.30.3.0/24 to destination 172.30.2.1/24, HTTPS”
F. Add a rule “permit source 172.30.1.0/24 to destination 172.30.2.1/24, HTTPS”

(A), (B), and (C) are all insecure. We want HTTPS. (D) is the wrong direction. We want the branch office set as the source and the web server as the destination. (E) has the wrong source address. (F) is correct. We do not need to make a rule for the web server to the office since a stateful firewall will allow return traffic that matches the new rule.

Answer: F

A company wants to deploy systems alongside production systems in order to entice threat actors and to learn more about attackers. Which of the following BEST describes these systems?

A. DNS sinkholes
B. Honeypots
C. Virtual machines
D. Neural network

Answer: B

A company recently experienced an attack in which a malicious actor was able to exfiltrate data by cracking stolen passwords, using a rainbow table on sensitive data. Which of the following should a security engineer do to prevent such an attack in the future?

A. Use password hashing.
B. Enforce password complexity.
C. Implement password salting.
D. Disable password reuse.

Answer: C

A security analyst is concerned about traffic initiated to the dark web from the corporate LAN. Which of the following should the analyst monitor?

A. SFTP
B. AS
C. Tor
D. IoC

Answer: C

The website http://companywebsite.com requires users to provide personal information, including security question responses, for registration. Which of the following would MOST likely cause a data breach?

A. Lack of input validation
B. Open permissions
C. Unsecure protocol
D. Missing patches

Answer: C

A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned the servers in the company's DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Select TWO).

A. 135
B. 139
C. 143
D. 161
E. 443
F. 445

Answer: B,F

A security analyst is reviewing the following command-line output:

Which of the following BEST describes this type of attack?

A. IGMP spoofing
B. URL redirection
C. MAC address cloning
D. DNS poisoning

Answer: C

A web server that requires both encrypted and unencrypted web traffic is utilizing default ports. Which of the following changes should be made to the firewall below?

Firewall rules:
Port   Status
22     Open
25     Filtered
53     Filtered
80     Open
443    Open

A. Allow 53 from the internet
B. Block 25 from the internet
C. Block 443 from the internet
D. Block 22 from the internet
E. Block 80 from the internet

Only web traffic is required to the web server!

Answer: D

Which of the following BEST describes the method a security analyst would use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted using a verified checksum?

A. Hashing
B. Salting
C. Integrity
D. Digital signature

Answer: A

Which type of RAID would allow for recovery even after two drive failures?

RAID 6 can support two drive failures. RAID 1 and 5 can only support a single failure, while RAID 0 has no fault tolerance.

A. 0
B. 1
C. 5
D. 6

Answer: D

A network engineer notices the VPN concentrator overloads and crashes on days when there are a lot of remote workers. Senior management has placed greater importance on the availability of VPN resources for the remote workers than the security of the end users' traffic. Which of the following would be BEST to solve this issue?

A. IPSec
B. Always On
C. Split Tunneling
D. L2TP

Answer: C

Which of the following security architecture components are integral parts of implementing WPA2-Enterprise utilizing EAP-TLS? (Pick Two)

A. DNSSEC
B. Reverse Proxy
C. VPN Concentrator
D. PKI
E. Active Directory
F. RADIUS

Answer: D & F

A user's PC was recently infected by malware. The user has a legacy printer without vendor support, and the user's OS is fully patched. The user downloaded a driver package from the internet. No threats were found on the downloaded file, but during file installation, a malicious runtime threat was detected. Which of the following is the MOST likely cause of the infection?

A. The driver has malware installed and was refactored upon download to avoid detection.
B. The user's computer has a rootkit installed that has avoided detection until the new driver overwrote key files.
C. The user's antivirus software definitions were out of date and were damaged by the installation of the driver.
D. The user's computer has been infected with a logic bomb set to run when the new driver was installed.

Answer: A

A security engineer needs to create a network segment that can be used for servers that require connections from untrusted networks. Which of the following should the engineer implement?

A. An air gap
B. A hot site
C. A VLAN
D. A screened subnet

Answer: D

Domains:
4. Operations and Incident Response
5. Governance, Risk, and Compliance

Entering a secure area requires passing through two doors, both of which require someone who is already inside to initiate access. Which of the following types of physical security controls does this describe?

A mantrap, access control vestibule, sally port, or air lock: a physical security access control system comprising a small room with two sets of interlocking doors, such that the first set of doors must close before the second set opens. This mechanism seeks to eliminate the threat of piggybacking or tailgating.

A. Cameras
B. Faraday cage
C. Access control vestibule
D. Sensors
E. Guards

Answer: C

Which of the following native tools would allow a technician to view services running on a system as well as the associated listening ports?

Netstat can show you all of your active connections and open/listening ports. Furthermore, if you use “-o” it will show you which currently running processes/services opened those connections/ports. Most conventional operating systems have netstat built in (native).

A. Netcat
B. Netstat
C. Nmap
D. Nessus

Answer: B

Which one of the tools below could be used to find out if the corporate server is running unnecessary services?

Nmap, short for network mapper, is capable of port scanning the network and determining what services are running on any hosts that are detected.
DNSEnum is a command-line tool that automatically identifies basic DNS records.
Wireshark is a protocol analyzer and packet sniffer that is used for gathering, sorting, and analyzing traffic from a network.
Autopsy is a tool for performing data forensics.

A. Nmap
B. DNSEnum
C. Wireshark
D. Autopsy

Answer: A

A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Select TWO).

https://www.monderlaw.com/news/chain-of-custody/

A. The order of volatility
B. A checksum
C. The location of the artifacts
D. The vendor's name
E. The date and time
F. A warning banner

Answer: CE

As part of an investigation a forensics expert has been given a massive packet capture for analysis, full of HTTP requests. They need to view the first few requests and then search for a specific string that indicates the compromise. Which of the options below would allow them to perform this action quickly and efficiently? (Pick two)

A. openssl
B. dd
C. head
D. tail
E. grep
F. curl
G. tcpdump

Answer: C&E

A security analyst is investigating a malware incident at a company. The malware is accessing a command-and-control website at www.comptia.com. All outbound internet traffic is logged to a syslog server and stored in /logfiles/messages. Which of the following commands would be BEST for the analyst to use on the syslog server to search for recent traffic to the command-and-control website?

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

A security researcher is tracking an adversary by noting its attack and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using?

A. The Diamond Model of Intrusion Analysis
B. The Cyber Kill Chain
C. The MITRE CVE database
D. The incident response process

Answer: A

Which of the following is an example of risk avoidance?

A. Installing security updates directly in production to expedite vulnerability fixes
B. Buying insurance to prepare for financial loss associated with exploits
C. Not installing new software to prevent compatibility errors
D. Not taking preventive measures to stop the theft of equipment

Answer: C

Which of the following would document concerns associated with the restoration of IT systems in the event of a flood, earthquake, or hurricane?

A. Business continuity plan
B. Communications plan
C. Disaster recovery plan
D. Continuity of operations plan

Answer: C

Your company wants to build another office that is expected to cost two million dollars. The town that this new office will be built in has a history of terrible earthquakes, once every 50 years. The estimated damage is 50% of the building's cost. What is the SLE (Single Loss Expectancy)?

We are given the AV, EF, and ARO. We need to solve for SLE.

(AV) Asset Value - $2 million
(EF) Exposure Factor - .5 (half the value, 50%)
(ARO) Annual Rate of Occurrence - .02 (1 every 50 years)
(SLE) Single Loss Expectancy - $1 million <- Answer
(ALE) Annual Loss Expectancy - $20,000

EQUATIONS
AV x EF = SLE        2 million * .5 = 1 million
SLE x ARO = ALE      (this equation is not needed in this question)

A. 20,000
B. 40,000
C. 500,000
D. 1,000,000
E. 4,000,000

Answer: D

Which of the following is a difference between a DRP and a BCP?

A. A BCP keeps operations running during a disaster while a DRP does not.
B. A BCP prepares for any operational interruption while a DRP prepares for natural disasters.
C. A BCP is a technical response to disasters while a DRP is operational.
D. A BCP is formally written and approved while a DRP is not.

Answer: B

Which of the following describes a maintenance metric that measures the average time required to troubleshoot and restore failed equipment?

A. RTO
B. MTBF
C. MTTR
D. RPO

Answer: C

A Chief Information Officer receives an email stating a database will be encrypted within 24 hours unless a payment of $20,000 is credited to the account mentioned in the email. This BEST describes a scenario related to:

A. whaling.
B. smishing.
C. spear phishing.
D. vishing.

Answer: A

Which of the following holds staff accountable while escorting unauthorized personnel?

A. Locks
B. Badges
C. Cameras
D. Visitor logs

Answer: D

Which of the following corporate policies is used to help prevent employee fraud and to detect system log modifications or other malicious activity based on tenure?

A. Background checks
B. Mandatory vacation
C. Social media analysis
D. Separation of duties

Answer: D

The SIEM at an organization has detected suspicious traffic coming to a workstation in its internal network. An analyst in the SOC discovers malware that is associated with a botnet is installed on the device. A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator. To which of the following groups should the analyst report this real-world event?

A. The NOC team
B. The vulnerability management team
C. The CIRT
D. The red team

Answer: C

A company is required to continue using legacy software to support a critical service. Which of the following BEST explains a risk of this practice?

A. Default system configuration
B. Unsecure protocols
C. Lack of vendor support
D. Weak encryption

Answer: C

Which of the following is a reason to publish files' hashes?

A. To validate the integrity of the files
B. To verify if the software was digitally signed
C. To use the hash as a software activation key
D. To use the hash as a decryption passphrase

Answer: A

A company has a flat network that is deployed in the cloud. Security policy states that all production and development servers must be segmented. Which of the following should be used to design the network to meet the security requirements?

A. VPN
B. VLAN
C. Screened subnet
D. WAF

Answer: B
Latest Questions
308

A company is under investigation for possible fraud. As part of the investigation, the authorities need to review all emails and ensure data is not deleted. Which of the following should the company implement to assist in the investigation?

A. Legal hold
B. Chain of custody
C. Data loss prevention
D. Content filter

Answer: A
309

Which of the following techniques eliminates the use of rainbow tables for password cracking?

A. Hashing
B. Tokenization
C. Asymmetric encryption
D. Salting

Answer: D
310

A Chief Information Security Officer wants to ensure the organization is validating and checking the integrity of zone transfers. Which of the following solutions should be implemented?

A. DNSSEC
B. LDAPS
C. NGFW
D. DLP

Answer: A
311

A company's security team received notice of a critical vulnerability affecting a high-profile device within the web infrastructure. The vendor patch was just made available online but has not yet been regression tested in development environments. In the interim, firewall rules were implemented to reduce the access to the interface affected by the vulnerability. Which of the following controls does this scenario describe?

A. Deterrent
B. Compensating
C. Detective
D. Preventive

Answer: B
312
A company recently decided to allow its employees to use their personally owned devices for tasks like checking email and messaging via mobile applications. The company would like to use MDM, but employees are concerned about the loss of personal data. Which of the following should the IT department implement to BEST protect the company against lost devices while still addressing the employees' concerns?

A. Enable the remote-wiping option in the MDM software in case the phone is stolen
B. Configure the MDM software to enforce the use of PINs to access the phone
C. Configure MDM for FDE without enabling the lock screen
D. Perform a factory reset on the phone before installing the company's applications

Answer: A
313

The president of a regional bank likes to frequently provide SOC tours to potential investors. Which of the following policies BEST reduces the risk of malicious activity occurring after a tour?

A. Password complexity
B. Acceptable use
C. Access control
D. Clean desk

Answer: C
314

A user wanted to catch up on some work over the weekend but had issues logging in to the corporate network using a VPN. On Monday, the user opened a ticket for this issue but was able to log in successfully. Which of the following BEST describes the policy that is being implemented?

A. Time-based logins
B. Geofencing
C. Network location
D. Password history

Answer: A
315

A security architect is required to deploy to conference rooms some workstations that will allow sensitive data to be displayed on large screens. Due to the nature of the data, it cannot be stored in the conference rooms. The fileshare is located in a local data center. Which of the following should the security architect recommend to BEST meet the requirements?

A. Fog computing and KVMs
B. VDI and thin clients
C. Private cloud and DLP
D. Full drive encryption and thick clients

Answer: B
316

An attacker has determined the best way to impact operations is to infiltrate third-party software vendors. Which of the following vectors is being exploited?

A. Social media
B. Cloud
C. Supply chain
D. Social engineering

Answer: C
317

An engineer wants to implement an authentication system using EAP-TLS. Which of the following solutions should be implemented?

A. SAML
B. 802.1X
C. LDAPS
D. OpenID

Answer: B
318

A company has decided to implement a control that fixes a vulnerability and mitigates a risk. Which of the following controls does this scenario describe?

A. Deterrent
B. Compensating
C. Detective
D. Corrective

Answer: D
319

Which control type can make a company aware of an initial data compromise?

A. Deterrent
B. Compensating
C. Detective
D. Corrective

Answer: C
320

What social engineering attack would exploit a sense of urgency?

A. An email stating that a settlement will expire soon
B. A link redirection to a fake website
C. A phone call impersonating technical support personnel
D. An email with instructions to download security software

Answer: A
321

On the way into a secure building, an unknown individual strikes up a conversation with an employee. The employee scans the required badge at the door while the unknown individual holds the door open, seemingly out of courtesy, for the employee. Which of the following social engineering techniques is being utilized?

A. Shoulder surfing
B. Watering-hole attack
C. Tailgating
D. Impersonation

Answer: C
322

Users are presented with a banner upon each login to a workstation. The banner mentions that users are not entitled to any reasonable expectation of privacy and access is for authorized personnel only. In order to proceed past that banner, users must click the OK button. Which of the following is this an example of?

A. AUP
B. NDA
C. SLA
D. MOU

Answer: A
323

An internet company has created a new collaboration application. To expand the user base, the company wants to implement an option that allows users to log in to the application with the credentials of other popular websites. Which of the following should the company implement?

A. SSO
B. CHAP
C. 802.1X
D. OpenID

Answer: D
324

A user reports falling for a phishing email to an analyst. Which of the following system logs would the analyst check FIRST?

A. DNS
B. Message gateway
C. Network
D. Authentication

Answer: A
325

A company discovered that terabytes of data have been exfiltrated over the past year after an employee clicked on an email link. The threat continued to evolve and remained undetected until a security analyst noticed an abnormal amount of external connections when the employee was not working. Which of the following is the MOST likely threat actor?

A. Shadow IT
B. Script kiddies
C. APT
D. Insider threat

Answer: C
326

A Chief Security Officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the following would BEST meet the requirements?

A. Reverse proxy
B. Automated patch management
C. Snapshots
D. NIC teaming

Answer: A
327

A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The researchers collaborate with other machines using port 445 and, on the internet, using port 443. The unauthorized software is starting to be seen on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed to resolve the problem as quickly as possible, causing minimal disruption to the researchers. Which of the following contains the BEST course of action in this scenario?

A. Update the host firewalls to block outbound SMB
B. Place the machines with the unapproved software in containment
C. Place the unauthorized application in a blocklist
D. Implement a content filter to block the unauthorized software communication

Answer: C
334

Which of the following uses SAML for authentication?

A. TOTP
B. Federation
C. Kerberos
D. HOTP

Answer: B
335

An organization is planning to roll out a new mobile device policy and issue each employee a new laptop. These laptops would access the user corporate operating system remotely and allow them to use the laptops for purposes outside of their job roles. Which of the following deployment models is being utilized?

A. MDM and application management
B. BYOD and containers
C. COPE and VDI
D. CYOD and VMs

Answer: C
336

Two hospitals merged into a single organization. The privacy officer requested a review of all records to ensure encryption was used during record storage, in compliance with regulations. During the review, the officer discovered that medical diagnosis codes and patient names were left unsecured. Which of the following types of data does this combination BEST represent?

A. Personal health information
B. Personally identifiable information
C. Tokenized data
D. Proprietary data

Answer: A
337

An attacker browses a company's online job board attempting to find any relevant information regarding the technologies the company uses. Which of the following BEST describes this social engineering technique?

A. Hoax
B. Reconnaissance
C. Impersonation
D. Pretexting

Answer: B
338

An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages, and SFTP, and to specifically block FTP. Which of the following would BEST accomplish this goal?

A.
Permission  Source  Destination  Port
Allow       Any     Any          80
Allow       Any     Any          443
Allow       Any     Any          67
Allow       Any     Any          68
Allow       Any     Any          22
Deny        Any     Any          21
Deny        Any     Any

B.
Permission  Source  Destination  Port
Allow       Any     Any          80
Allow       Any     Any          443
Allow       Any     Any          67
Allow       Any     Any          68
Deny        Any     Any          22
Allow       Any     Any          21
Deny        Any     Any

C.
Permission  Source  Destination  Port
Allow       Any     Any          80
Allow       Any     Any          443
Deny        Any     Any          67
Allow       Any     Any          68
Allow       Any     Any          22
Allow       Any     Any          21
Allow       Any     Any

D.
Permission  Source  Destination  Port
Allow       Any     Any          80
Allow       Any     Any          443
Allow       Any     Any          22
Deny        Any     Any          67
Deny        Any     Any          68
Deny        Any     Any          21
Allow       Any     Any

Answer: A
339

While investigating a recent security incident, a security analyst decided to view all network connections on a particular server. Which of the following would provide the desired information?

A. arp
B. nslookup
C. netstat
D. nmap

Answer: C
340

An untrusted SSL certificate was discovered during the most recent vulnerability scan. A security analyst determines the certificate is signed properly and is a valid wildcard. This same certificate is installed on other company servers without issue. Which of the following is the MOST likely reason for this finding?

A. The required intermediate certificate is not loaded as part of the certificate chain
B. The certificate is on a CRL and is no longer valid
C. The corporate CA has expired on every server, causing the certificate to fail verification
D. The scanner is incorrectly configured to not trust this certificate when detected on the server

Answer: A
341

An organization just implemented a new security system. Local laws state that citizens must be notified prior to encountering the detection mechanism to deter malicious activities. Which of the following is being implemented?

A. Proximity cards with guards
B. Fence with electricity
C. Drones with alarms
D. Motion sensors with signage

Answer: B
342

Which of the following is the BEST action to foster a consistent and auditable incident response process?

A. Incent new hires to constantly update the document with external knowledge
B. Publish the document in a central repository that is easily accessible to the organization
C. Restrict eligibility to comment on the process to subject matter experts of each IT silo
D. Rotate CIRT members to foster a shared responsibility model in the organization

Answer: B
343

A news article states hackers have been selling access to IoT camera feeds. Which of the following is the MOST likely reason for this issue?

A. Outdated software
B. Weak credentials
C. Lack of encryption
D. Backdoors

Answer: B
344

Which of the following in the incident response process is the BEST approach to improve the speed of the identification phase?

A. Activate verbose logging in all critical assets
B. Tune monitoring in order to reduce false positive rates
C. Redirect all events to multiple syslog servers
D. Increase the number of sensors present on the environment

Answer: D
345

A company wants to build a new website to sell products. The website will host a storefront application that will allow visitors to add products to a shopping cart and pay for the products using a credit card. Which of the following protocols would be the MOST secure to implement?

A. SSL
B. SFTP
C. SNMP
D. TLS

Answer: D
346

A security analyst is hardening a network infrastructure. The analyst is given the following requirements:
• Preserve the use of public IP addresses assigned to equipment on the core router
• Enable "in transport" encryption protection to the web server with the strongest cipher
Which of the following should the analyst implement to meet these requirements? (Select TWO)

A. Configure VLANs on the core router
B. Configure NAT on the core router
C. Configure BGP in the core router
D. Enable AES encryption on the web server
E. Enable 3DES encryption on the web server
F. Enable TLS v2 encryption on the web server

Answer: B, F
347

A security engineer is reviewing the logs from a SAML application that is configured to use MFA. During this review, the engineer notices a high volume of successful logins that did not require MFA from users who were travelling internationally. The application, which can be accessed without a VPN, has a policy that allows time-based tokens to be generated. Users who change locations should be required to reauthenticate but have been able to log in without doing so. Which of the following statements BEST explains the issue?

A. OpenID is mandatory to make the MFA requirements work
B. An incorrect browser has been detected by the SAML application
C. The access device has a trusted certificate installed that is overwriting the session token
D. The user's IP address is changing between logins, but the application is not invalidating the token

Answer: D
348

While reviewing the wireless router, a systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below:

Hostname  IP Address    MAC                MAC Filter
PC1       192.168.1.20  00:1D:1D:44:17:B5  On
PC2       192.168.1.23  21:13:D6:C5:42:A2  Off
PC3       192.168.2.25  42:A7:D1:25:11:52  On
Unknown   192.168.1.21  10:B3:22:1A:FF:21  Off

Which of the following should be the administrator's NEXT step to detect if there is a rogue system without impacting availability?

A. Conduct a ping sweep
B. Physically check each system
C. Deny internet access to the "UNKNOWN" hostname
D. Apply MAC filtering

Answer: B
349

A security analyst is evaluating the risks of authorizing multiple security solutions to collect data from the company's cloud environment. Which of the following is an immediate consequence of these integrations?

A. Non-compliance with data sovereignty rules
B. Loss of the vendor's interoperability support
C. Mandatory deployment of a SIEM solution
D. Increase in the attack surface

Answer: D
350

A security engineer is concerned that the strategy for detection on endpoints is too heavily dependent on previously defined attacks. The engineer would like a tool to monitor for changes to key files and network traffic on the device. Which of the following tools BEST addresses both detection and prevention?

A. NIDS
B. HIPS
C. AV
D. NGFW

Answer: B
351

Which of the following processes will eliminate data using a method that will allow the storage device to be reused after the process is complete?

A. Pulverizing
B. Overwriting
C. Shredding
D. Degaussing

Answer: B
352

A security analyst is receiving several alerts per user and is trying to determine if various logins are malicious. The security analyst would like to create a baseline of normal operations and reduce noise. Which of the following actions should the security analyst perform?

A. Adjust the data flow from authentication sources to the SIEM
B. Disable email alerting and review the SIEM directly
C. Adjust the sensitivity levels of the SIEM correlation engine
D. Utilize behavioral analysis to enable the SIEM's learning mode

Answer: D
353

During a recent security incident at a multinational corporation, a security analyst found the following logs for an account:

Account  Login location  Time (UTC)  Message
user     New York        9:00 a.m.   Login: user, successful
user     Los Angeles     9:01 a.m.   Login: user, successful
user     Sao Paolo       9:05 a.m.   Login: user, successful
user     Munich          9:12 a.m.   Login: user, successful

Which of the following account policies would BEST prevent attackers from logging in as user?

A. Impossible travel time
B. Geofencing
C. Time-based logins
D. Geolocation

Answer: A
354

A company is working on mobile device security after a report revealed that users granted non-verified software access to corporate data. Which of the following is the MOST effective security control to mitigate this risk?

A. Block access to application stores
B. Implement OTA updates
C. Update the BYOD policy
D. Deploy a uniform firmware

Answer: A
355

Which of the following secure coding techniques makes compromised code more difficult for hackers to use?

A. Obfuscation
B. Normalization
C. Execution
D. Reuse

Answer: A
356

A company is implementing BYOD and wants to ensure all users have access to the same cloud-based services. Which of the following would BEST allow the company to meet this requirement?

A. IaaS
B. PaaS
C. MaaS
D. SaaS

Answer: B
357

An organization is tuning SIEM rules based off of threat intelligence reports. Which of the following phases of the incident response process does this scenario represent?

A. Lessons learned
B. Eradication
C. Recovery
D. Preparation

Answer: D
358

Which of the following is a risk that is specifically associated with hosting applications in the public cloud?

A. Unsecured root accounts
B. Zero-day
C. Shared tenancy
D. Insider threat

Answer: C
359

A vulnerability has been discovered and a known patch to address the vulnerability does not exist. Which of the following controls works BEST until a proper fix is released?

A. Detective
B. Compensating
C. Deterrent
D. Corrective

Answer: B
360

Which of the following prevents an employee from seeing a colleague who is visiting an inappropriate website?

A. Job rotation policy
B. NDA
C. AUP
D. Separation of duties policy

Answer: D
361

Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?

A. NIDS
B. DLP
C. TPM
D. FDE

Answer: B
362

An analyst is reviewing logs associated with an attack. The logs indicate an attacker downloaded a malicious file that was quarantined by the AV solution. The attacker utilized a local non-administrative account to restore the malicious file to a new location. The file was then used by another process to execute a payload. Which of the following attacks did the analyst observe?

A. Privilege escalation
B. Request forgeries
C. Injection
D. Replay attack

Answer: A
363

Which of the following should an organization consider implementing in the event executives need to speak to the media after a publicized data breach?

A. Incident response plan
B. Business continuity plan
C. Communication plan
D. Disaster recovery plan

Answer: C
364

A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?

A. HIPS
B. FIM
C. TPM
D. DLP

Answer: C
365

Which of the following is the MOST effective way to detect security flaws present on third-party libraries embedded on software before it is released into production?

A. Employ different techniques for server- and client-side validations
B. Use a different version control system for third-party libraries
C. Implement a vulnerability scan to assess dependencies earlier on SDLC
D. Increase the number of penetration tests before software release

Answer: C
366

An annual information security assessment has revealed that several OS-level configurations are not in compliance due to outdated hardening standards the company is using. Which of the following would be BEST to use to update and reconfigure the OS-level security configurations?

A. CIS benchmarks
B. GDPR guidance
C. Regional regulations
D. ISO 27001 standards

https://www.beyondtrust.com/resources/glossary/systems-hardening

Answer: A
