Which of the following is most likely to be a data privacy concern for StreamPal users?

NO.501 A company installed several crosscut shredders as part of increased information security

practices targeting data leakage risks. Which of the following will this practice reduce?

(A). Dumpster diving

(B). Shoulder surfing

(C). Information elicitation

(D). Credential harvesting

(A). Dumpster diving

Crosscut shredding destroys discarded paper before it reaches the bin, which is exactly what a dumpster diver recovers. Shoulder surfing, elicitation and credential harvesting do not depend on physical waste.

NO.502 A vulnerability assessment report will include the CVSS score of the discovered

vulnerabilities because the score allows the organization to better.

(A). validate the vulnerability exists in the organization's network through penetration testing

(B). research the appropriate mitigation techniques in a vulnerability database

(C). find the software patches that are required to mitigate a vulnerability

(D). prioritize remediation of vulnerabilities based on the possible impact.

(D). prioritize remediation of vulnerabilities based on the possible impact.

NO.503 A network administrator at a large organization is reviewing methods to improve the

security of the wired LAN. Any security improvement must be centrally managed and allow corporate-owned devices to have access to the intranet but limit others to Internet access only. Which of the

following should the administrator recommend?

(A). 802.1X utilizing the current PKI infrastructure

(B). SSO to authenticate corporate users

(C). MAC address filtering with ACLs on the router

(D). PAM for user account management

(A). 802.1X utilizing the current PKI infrastructure

NO.504 Which of the following control sets should a well-written BCP include? (Select THREE)

(A). Preventive

(B). Detective

(C). Deterrent

(D). Corrective

(E). Compensating

(F). Physical

(G). Recovery

(A). Preventive

(D). Corrective

(G). Recovery

NO.505 An information security incident recently occurred at an organization, and the organization

was required to report the incident to authorities and notify the affected parties. When the

organization's customers became aware of the incident, some reduced their orders or stopped

placing orders entirely. Which of the following is the organization experiencing?

(A). Reputation damage

(B). Identity theft

(C). Anonymization

(D). Interrupted supply chain

NO.506 An organization is developing a plan in the event of a complete loss of critical systems and

data.

Which of the following plans is the organization MOST likely developing?

(A). Incident response

(B). Communications

(C). Disaster recovery

(D). Data retention


NO.508 A company is experiencing an increasing number of systems that are locking up on Windows

startup. The security analyst clones a machine, boots the clone into safe mode, and discovers a file in the

startup process that runs Wstart.bat:

@echo off

:asdhbawdhbasdhbawdhb

start notepad.exe

start notepad.exe

start calculator.exe

start calculator.exe

goto asdhbawdhbasdhbawdhb

Given the file contents and the system's issues, which of the following types of malware is present?

(A). Rootkit

(B). Logic bomb

(C). Worm

(D). Virus


NO.510 A systems administrator is considering different backup solutions for the IT infrastructure.

The company is looking for a solution that offers the fastest recovery time while also saving the most

amount of storage used to maintain the backups. Which of the following recovery solutions would be

the BEST option to meet these requirements?

(A). Snapshot

(B). Differential

(C). Full

(D). Tape

NO.511 A worldwide manufacturing company has been experiencing email account compromises. In

one incident, a user logged in from the corporate office in France, but then seconds later, the same

user account attempted a login from Brazil. Which of the following account policies would BEST

prevent this type of attack?

(A). Network location

(B). Impossible travel time

(C). Geolocation

(D). Geofencing
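The impossible-travel check behind option (B), as an added worked example that is not part of the original question bank. It runs over constructed login events and a small, assumed table of city coordinates; a real deployment would resolve the login's source address with a GeoIP database instead:

```python
"""Impossible-travel detection over constructed login events (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed coordinates for the locations in the sample; production code would
# resolve the login's source address with a GeoIP database instead.
CITY_COORDS = {
    "Paris": (48.8566, 2.3522),
    "Lyon": (45.7640, 4.8357),
    "Sao Paulo": (-23.5505, -46.6333),
}

MAX_PLAUSIBLE_KMH = 1000.0   # about airliner speed; faster than this cannot be one person


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (latitude, longitude) pairs."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """events: iterable of (user, ISO-8601 timestamp, city).
    Returns (user, from_city, to_city, implied_kmh) for each consecutive login pair
    of the same account that would require travelling faster than max_kmh."""
    by_user = {}
    for user, stamp, city in sorted(events, key=lambda e: e[1]):
        by_user.setdefault(user, []).append((datetime.fromisoformat(stamp), city))
    flagged = []
    for user, logins in by_user.items():
        for (t1, c1), (t2, c2) in zip(logins, logins[1:]):
            if c1 == c2:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            distance = haversine_km(CITY_COORDS[c1], CITY_COORDS[c2])
            implied_kmh = distance / hours if hours > 0 else float("inf")
            if implied_kmh > max_kmh:
                flagged.append((user, c1, c2, implied_kmh))
    return flagged


# Constructed sample: the question's France-then-Brazil pair plus a benign control.
SAMPLE_EVENTS = [
    ("jdoe", "2024-03-01T08:00:00", "Paris"),
    ("jdoe", "2024-03-01T08:00:20", "Sao Paulo"),
    ("asmith", "2024-03-01T09:00:00", "Paris"),
    ("asmith", "2024-03-01T13:00:00", "Lyon"),
]

if __name__ == "__main__":
    for user, src, dst, kmh in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{user}: {src} -> {dst} would need {kmh:,.0f} km/h")
```

The flag is raised on the implied speed between consecutive logins of the same account, which is why the two events twenty seconds apart in France and Brazil are caught while the Paris-to-Lyon pair four hours apart is not. Geofencing and network-location rules cannot express this, because each login looked acceptable on its own.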

NO.512 A company just implemented a new telework policy that allows employees to use personal

devices for official email and file sharing while working from home. Some of the requirements are:

- Employees must provide an alternate work location (i.e., a home address)

- Employees must install software on the device that will prevent the loss of proprietary data but will

not restrict any other software from being installed.

Which of the following BEST describes the MDM options the company is using?

(A). Geofencing, content management, remote wipe, containerization, and storage segmentation

(B). Content management, remote wipe, geolocation, context-aware authentication, and

containerization

(C). Application management, remote wipe, geofencing, context-aware authentication, and

containerization

(D). Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption

(D). Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption

NO.513 Which of the following refers to applications and systems that are used within an

organization without consent or approval?

(A). Shadow IT

(B). OSINT

(C). Dark web

(D). Insider threats

NO.514 An organization has implemented a policy requiring the use of conductive metal lockboxes

for personal electronic devices outside of a secure research lab. Which of the following did the

organization determine to be the GREATEST risk to intellectual property when creating this policy?

(A). The theft of portable electronic devices

(B). Geotagging in the metadata of images

(C). Bluesnarfing of mobile devices

(D). Data exfiltration over a mobile hotspot

(D). Data exfiltration over a mobile hotspot

NO.515 A security analyst reviews the datacenter access logs for a fingerprint scanner and notices

an abundance of errors that correlate with users' reports of issues accessing the facility.

Which of the following is MOST likely the cause of the access issues?

(A). False rejection

(B). Cross-over error rate

(C). Efficacy rate

(D). Attestation

(A). False rejection

Legitimate users being turned away is the false rejection rate (FRR) in action. The crossover error rate is a tuning metric (the point where FRR equals the false acceptance rate), not a cause of the failures.

NO.516 An analyst needs to identify the applications a user was running and the files that were

open before the user's computer was shut off by holding down the power button. Which of the

following would MOST likely contain that information?

(A). NGFW

(B). Pagefile

(C). NetFlow

(D). RAM

NO.517 A company has just experienced a malware attack affecting a large number of desktop

users.

The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as

'Troj.Generic'. Once the security team found a solution to remove the malware, they were able to

remove the malware files successfully, and the HIDS stopped alerting. The next morning, however,

the HIDS once again started alerting on the same desktops, and the security team discovered the files

were back. Which of the following BEST describes the type of malware infecting this company's

network?

(A). Trojan

(B). Spyware

(C). Rootkit

(D). Botnet

NO.518 A security auditor is reviewing vulnerability scan data provided by an internal security team.

Which of the following BEST indicates that valid credentials were used?

(A). The scan results show open ports, protocols, and services exposed on the target host

(B). The scan enumerated software versions of installed programs

(C). The scan produced a list of vulnerabilities on the target host

(D). The scan identified expired SSL certificate

(B). The scan enumerated software versions of installed programs

NO.519 A security analyst is investigating multiple hosts that are communicating to external IP

addresses during the hours of 2:00 a.m - 4:00 am. The malware has evaded detection by traditional

antivirus software. Which of the following types of malware is MOST likely infecting the hosts?

(A). A RAT

(B). Ransomware

(C). Polymorphic

(D). A worm

NO.520 A security administrator has received multiple calls from the help desk about customers

who are unable to access the organization's web server. Upon reviewing the log files, the security

administrator determines multiple open requests have been made from multiple IP addresses, which

is consuming system resources. Which of the following attack types does this BEST describe?

(A). DDoS

(B). DoS

(C). Zero day

(D). Logic bomb

NO.521

The following are the logs of a successful attack.

Which of the following controls would be BEST to use to prevent such a breach in the future?

(A). Password history

(B). Account expiration

(C). Password complexity

(D). Account lockout

NO.522 A security analyst is investigating a vulnerability in which a default file permission was set

incorrectly. The company uses non-credentialed scanning for vulnerability management. Which of

the following tools can the analyst use to verify the permissions?

(A). ssh

(B). chmod

(C). ls

(D). setuid

(E). nessus

(F). nc


NO.12 The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread

unhindered throughout the network and infect a large number of computers and servers. Which of

the following recommendations would be BEST to mitigate the impacts of a similar incident in the

future?

(B). Segment the network with firewalls.


NO.13 After reading a security bulletin, a network security manager is concerned that a malicious

actor may have breached the network using the same software flaw. The exploit code is publicly

available and has been reported as being used against other industries in the same vertical. Which of

the following should the network security manager consult FIRST to determine a priority list for

forensic review?

(A). The vulnerability scan output

NO.21 As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a

previous incident is happening again. Which of the following would allow the security analyst to alert

the SOC if an event is reoccurring?

(A). Creating a playbook within the SOAR

(B). Implementing rules in the NGFW

(C). Updating the DLP hash database

(D). Publishing a new CRL with revoked certificates


NO.17 A company wants to modify its current backup strategy to minimize the number of backups

that would need to be restored in case of data loss. Which of the following would be the BEST backup

strategy to implement?

(A). Incremental backups followed by differential backups

(B). Full backups followed by incremental backups

(C). Delta backups followed by differential backups

(D). Incremental backups followed by delta backups

(E). Full backups followed by differential backups

(E). Full backups followed by differential backups

A differential backup captures everything changed since the last full backup, so a restore needs only two sets: the full plus the newest differential. With incrementals, every incremental taken since the full must be restored in order, which is the larger number of backups the company wants to avoid. Incrementals win on storage, not on restore count.
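To see why the restore count favours differentials, here is an added simulation (not from the question bank) of one week of backups under each strategy, with constructed sizes: a full backup of 100 units and 5 units of change per day.

```python
"""Restore-chain length and storage use for incremental vs differential schedules (added example)."""

FULL_SIZE = 100     # constructed: size of the weekly full backup, arbitrary units
DAILY_CHANGE = 5    # constructed: data changed per day, same units


def build_week(kind):
    """Day 0 is a full backup; days 1..6 are `kind` ('incremental' or 'differential')."""
    return [(0, "full")] + [(day, kind) for day in range(1, 7)]


def restore_chain(schedule, loss_day):
    """Backups that must be restored, in order, to recover the state as of `loss_day`."""
    taken = [entry for entry in schedule if entry[0] <= loss_day]
    last_full = max(i for i, (_, kind) in enumerate(taken) if kind == "full")
    chain = [taken[last_full]]
    for entry in taken[last_full + 1:]:
        if entry[1] == "incremental":
            chain.append(entry)                 # every incremental since the full is needed
        elif entry[1] == "differential":
            chain = [taken[last_full], entry]   # only the newest differential is needed
    return chain


def backup_size(schedule, index):
    """Size of one backup: a full copies everything, an incremental copies one day's
    changes, a differential copies everything changed since the last full."""
    day, kind = schedule[index]
    if kind == "full":
        return FULL_SIZE
    if kind == "incremental":
        return DAILY_CHANGE
    last_full_day = max(d for d, k in schedule[:index] if k == "full")
    return DAILY_CHANGE * (day - last_full_day)


def storage_used(schedule):
    """Total units on disk for the whole schedule."""
    return sum(backup_size(schedule, i) for i in range(len(schedule)))


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        week = build_week(kind)
        print(kind, "restore sets:", len(restore_chain(week, 6)), "storage:", storage_used(week))
```

Six incrementals give a seven-set restore chain but only 130 units on disk; six differentials give a two-set chain but 205 units, because each differential re-copies everything changed since the full.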

NO.26 Which of the following should a technician consider when selecting an encryption method for

data that needs to remain confidential for a specific length of time?

(A). The key length of the encryption algorithm

(B). The encryption algorithm's longevity

(C). A method of introducing entropy into key calculations

(D). The computational overhead of calculating the encryption key

(B). The encryption algorithm's longevity

If the data must stay confidential for a defined period, the chosen algorithm (and its key size) must be expected to resist attack for at least that long. Computational overhead affects performance, not how long the protection holds.

NO.34 A security analyst is investigating a phishing email that contains a malicious document

directed to the company's Chief Executive Officer (CEO). Which of the following should the analyst

perform to understand the threat and retrieve possible IoCs?

(A). Run a vulnerability scan against the CEOs computer to find possible vulnerabilities

(B). Install a sandbox to run the malicious payload in a safe environment

(C). Perform a traceroute to identify the communication path

(D). Use netstat to check whether communication has been made with a remote host

(B). Install a sandbox to run the malicious payload in a safe environment

NO.35 A Chief Security Officer (CSO) has asked a technician to devise a solution that can detect

unauthorized execution privileges from the OS in both executable and data files, and can work in

conjunction with proxies or UTM. Which of the following would BEST meet the CSO's requirements?

(A). Fuzzing

(B). Sandboxing

(C). Static code analysis

(D). Code review

NO.37 A security analyst is concerned about critical vulnerabilities that have been detected on some

applications running inside containers. Which of the following is the BEST remediation strategy?

(A). Update the base container image and redeploy the environment.

(B). Include the containers in the regular patching schedule for servers

(C). Patch each running container individually and test the application

(D). Update the host in which the containers are running

(A). Update the base container image and redeploy the environment.

Containers are disposable instances of an image: a patch applied inside a running container is lost on the next redeploy, and patching the host does not touch the vulnerable libraries packaged in the image.

A container image vulnerability is a security risk that is embedded inside a container image. While

vulnerable images themselves don't pose an active threat, if containers are created based on a

vulnerable image, the containers will introduce the vulnerability to a live environment.

NO.44 A well-known organization has been experiencing attacks from APTs. The organization is

concerned that custom malware is being created and emailed into the company or installed on USB

sticks that are dropped in parking lots. Which of the following is the BEST defense against this

scenario?

(A). Configuring signature-based antivirus to update every 30 minutes

(B). Enforcing S/MIME for email and automatically encrypting USB drives upon insertion.

(C). Implementing application execution in a sandbox for unknown software.

(D). Fuzzing new files for vulnerabilities if they are not digitally signed

(C). Implementing application execution in a sandbox for unknown software.

NO.51 A security analyst is hardening a network infrastructure. The analyst is given the following

requirements:

* Preserve the use of public IP addresses assigned to equipment on the core router.

* Enable "in transport" encryption protection to the web server with the strongest ciphers.

Which of the following should the analyst implement to meet these requirements? (Select TWO).

(A). Configure VLANs on the core router

(B). Configure NAT on the core router

(C). Configure BGP on the core router

(D). Configure AES encryption on the web server

(E). Enable 3DES encryption on the web server

(F). Enable TLSv2 encryption on the web server

(B). Configure NAT on the core router

(F). Enable TLSv2 encryption on the web server

NAT lets the router keep its public addresses while hosts behind it use private ranges; in-transit encryption for a web server is TLS (read the option's "TLSv2" as the current TLS version, 1.2 or 1.3). 3DES is a deprecated 64-bit-block cipher and the opposite of "strongest ciphers", and VLANs segment layer 2 without any bearing on address preservation.

NO.60 Which of the following BEST describes the method a security analyst would use to confirm a

file that is downloaded from a trusted security website is not altered in transit or corrupted using a

verified checksum?

(A). Hashing

(B). Salting

(C). Integrity
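Checksum verification in practice, as an added example that is not from the question bank. It hashes a constructed sample file, confirms it against a published SHA-256 digest, then flips one byte to show the mismatch. Assumed: the digest is obtained separately from the download (the trusted site's checksum listing), which is what makes a mismatch meaningful.

```python
"""Verify a downloaded file against a published SHA-256 checksum (added example)."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # read in 64 KiB pieces so large downloads need not fit in memory


def sha256_file(path):
    """Hex SHA-256 of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published_hex):
    """True only if the file's digest equals the published one. compare_digest avoids
    leaking where the first mismatching character is through timing."""
    return hmac.compare_digest(sha256_file(path), published_hex.strip().lower())


def demo():
    """Constructed sample: write a file, record its digest, verify, then flip one byte."""
    payload = b"tool-1.2.3.tar.gz (constructed sample bytes standing in for a download)\n"
    published = hashlib.sha256(payload).hexdigest()   # what the trusted site would list
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
        intact = verify_download(path, published)
        with open(path, "r+b") as fh:
            fh.seek(0)
            fh.write(b"T")          # one-byte change: 't' -> 'T'
        tampered = verify_download(path, published)
    finally:
        os.remove(path)
    return intact, tampered


if __name__ == "__main__":
    print("verified before / after tampering:", demo())
```

A caveat the question glosses over: a checksum fetched from the same server as the file proves only that the file was not corrupted or altered in transit. If the site itself is compromised, file and checksum can be replaced together; authenticity needs a digital signature over the release, with the signer's public key obtained out of band.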

NO.61 A recent security audit revealed that a popular website with IP address 172.16.1.5 also has an

FTP service that employees were using to store sensitive corporate data. The organization's outbound

firewall processes rules top-down. Which of the following would permit HTTP and HTTPS, while denying

all other services for this host?

(A). access-rule permit tcp destination 172.16.1.5 port 80

access-rule permit tcp destination 172.16.1.5 port 443

access-rule deny ip destination 172.16.1.5

(D). access-rule permit tcp destination 172.16.1.5 port 80

access-rule permit tcp destination 172.16.1.5 port 443

access-rule deny tcp destination 172.16.1.5 port 21

(A). access-rule permit tcp destination 172.16.1.5 port 80

access-rule permit tcp destination 172.16.1.5 port 443

access-rule deny ip destination 172.16.1.5

With top-down processing the two permits match web traffic first and the final deny ip catches everything else to the host. Option (D) only blocks the FTP control channel on port 21, leaving every other service (SSH, SMTP, FTP data and passive-mode ports, and so on) reachable.
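Top-down evaluation of the two rule sets, as an added example that is not from the question bank. The evaluator assumes the list ends with an implicit permit, which is what makes the difference between the options visible: with an implicit deny at the end, both lists would block everything except web traffic and the question's deny rules would be redundant.

```python
"""Evaluate firewall rules top-down for the two option rule sets in NO.61 (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    dest: str              # destination host
    port: Optional[int]    # None matches any port


def parse_rule(line):
    """Parse 'access-rule permit tcp destination 172.16.1.5 port 80' into a Rule."""
    tok = line.split()
    port = int(tok[tok.index("port") + 1]) if "port" in tok else None
    return Rule(action=tok[1], proto=tok[2], dest=tok[tok.index("destination") + 1], port=port)


def evaluate(rules, proto, dest, port, default="permit"):
    """First matching rule wins. `default` is the implicit action at the end of the list
    (assumed permit here so the difference between the option rule sets is visible)."""
    for rule in rules:
        if rule.dest != dest:
            continue
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action
    return default


OPTION_A = [parse_rule(line) for line in (
    "access-rule permit tcp destination 172.16.1.5 port 80",
    "access-rule permit tcp destination 172.16.1.5 port 443",
    "access-rule deny ip destination 172.16.1.5",
)]

OPTION_D = [parse_rule(line) for line in (
    "access-rule permit tcp destination 172.16.1.5 port 80",
    "access-rule permit tcp destination 172.16.1.5 port 443",
    "access-rule deny tcp destination 172.16.1.5 port 21",
)]

# Constructed probes: the two web ports, FTP control, SSH and SNMP.
PROBES = [("tcp", 80), ("tcp", 443), ("tcp", 21), ("tcp", 22), ("udp", 161)]


def decisions(rules, host="172.16.1.5"):
    """Map 'proto/port' to the action each rule set takes for traffic to `host`."""
    return {f"{proto}/{port}": evaluate(rules, proto, host, port) for proto, port in PROBES}


if __name__ == "__main__":
    for name, rules in (("A", OPTION_A), ("D", OPTION_D)):
        print(name, decisions(rules))
```

Probing SSH (22/tcp) and SNMP (161/udp) shows the gap: option (A) denies them through its catch-all, option (D) lets them through because its only deny is scoped to 21/tcp. The deny on port 21 also says nothing about FTP data connections or passive-mode ports.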

NO.64 After a WiFi scan of a local office was conducted, an unknown wireless signal was identified.

Upon investigation, an unknown Raspberry Pi device was found connected to an Ethernet port using

a single connection. Which of the following BEST describes the purpose of this device?

(A). IoT sensor

(B). Evil twin

(C). Rogue access point

(D). On-path attack

NO.65 A user is concerned that a web application will not be able to handle unexpected or random

input without crashing. Which of the following BEST describes the type of testing the user should

perform?

(A). Code signing

(B). Fuzzing

(C). Manual code review

(D). Dynamic code analysis

(B). Fuzzing

Fuzzing feeds malformed and random input to the running application specifically to find crashes and unhandled input. Dynamic code analysis is the broader category; fuzzing is the technique that matches the stated concern.

NO.66 Which of the following authentication methods sends out a unique password to be used

within a specific number of seconds?

(A). TOTP

(B). Biometrics

(C). Kerberos

(D). LDAP

NO.68 A university with remote campuses, which all use different service providers, loses Internet

connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to

go offline again at random intervals, typically within four minutes of services being restored. Outages

continue throughout the day, impacting all inbound and outbound connections and services. Services

that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are

affected.

Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to

exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads.

Which of the following BEST describe this type of attack? (Choose two.)

(A). DoS

(B). SSL stripping

(C). Memory leak

(D). Race condition

(E). Shimming

(F). Refactoring

NO.83 A company wants to deploy systems alongside production systems in order to entice threat

actors and to learn more about attackers. Which of the following BEST describe these systems?

(A). DNS sinkholes

(B). Honeypots

(C). Virtual machines

(D). Neural network

(B). Honeypots

A honeypot is a decoy deployed next to production to attract attackers and record their tools and techniques. A DNS sinkhole redirects lookups of known-malicious domains to a controlled address; it can reveal infected internal hosts but does not entice attackers.

NO.84 A technician needs to prevent data loss in a laboratory. The laboratory is not connected to

any external networks. Which of the following methods would BEST prevent the exfiltration of data?

(Select TWO).

(A). VPN

(B). Drive encryption

(C). Network firewall

(D). File level encryption

(E). USB blocker

(F). MFA

(B). Drive encryption

(E). USB blocker

Labs are usually air-gapped, so network-facing controls such as a VPN or firewall have nothing to protect; the remaining exfiltration paths are removable media and the drives themselves.

NO.87 A cyberthreat intelligence analyst is gathering data about a specific adversary using OSINT

techniques. Which of the following should the analyst use?

(A). Internal log files

(B). Government press releases

(C). Confidential reports

(D). Proprietary databases

NO.92 A forensics investigator is examining a number of unauthorized payments that were reported

on the company's website. Some unusual log entries show users received an email for an unwanted

mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to

the phishing team, and the forwarded email revealed the link to be:

Which of the following will the forensics investigator MOST likely determine has occurred?

(A). SQL injection

(B). Broken authentication

(C). XSS

(D). XSRF

NO.93 An organization wants seamless authentication to its applications. Which of the following

should the organization employ to meet this requirement?

(A). SOAP

(B). SAML

(C). SSO

(D). Kerberos

NO.97 Which of the following would produce the closest experience of responding to an actual

incident response scenario?

(A). Lessons learned

(B). Simulation

(C). Walk-through

(D). Tabletop

NO.98 An organization's finance department is implementing a policy to protect against collusion.

Which of the following control types and corresponding procedures should the

organization implement to fulfill this policy's requirement? (Select TWO).

(A). Corrective

(B). Deterrent

(C). Preventive

(D). Mandatory vacations

(E). Job rotation

(F). Separation of duties

(D). Mandatory vacations

(E). Job rotation

NO.103 A client sent several inquiries to a project manager about the delinquent delivery status of

some critical reports. The project manager claimed the reports were previously sent via email but

then quickly generated and backdated the reports before submitting them via a new email message.

Which of the following actions MOST likely supports an investigation for fraudulent submission?

(A). Establish chain of custody

(B). Inspect the file metadata

(C). Reference the data retention policy

(D). Review the email event logs

(D). Review the email event logs


NO.104 An analyst visits an internet forum looking for information about a tool. The analyst finds a

thread that appears to contain relevant information. One of the posts says the following:

Which of the following BEST describes the attack that was attempted against the forum readers?

(A). SOU attack

(B). DLL attack

(C). XSS attack

(D). API attack

(C). XSS attack

Cross-site scripting attacks may occur anywhere that possibly malicious users are allowed to post

unregulated material to a trusted website for the consumption of other valid users. The most

common example can be found in bulletin-board websites which provide web based mailing list-style

functionality. https://owasp.org/www-community/attacks/xss/

https://www.acunetix.com/websitesecurity/cross-site-scripting/

NO.107 A security analyst needs to find real-time data on the latest malware and IoCs.

Which of the following BEST describes the solution the analyst should pursue?

(A). Advisories and bulletins

(B). Threat feeds

(C). Security news articles

(D). Peer-reviewed content

NO.108 A forensics investigator is examining a number of unauthorized payments that were reported

on the company's website. Some unusual log entries show users received an email for an unwanted

mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to

the phishing team, and the forwarded email revealed the link to be:

Which of the following will the forensics investigator MOST likely determine has occurred?

(A). SQL injection

(B). CSRF

(C). XSS

(D). XSRF

NO.113 Which of the following will MOST likely adversely impact the operations of unpatched

traditional programmable-logic controllers, running a back-end LAMP server and OT systems with

human-management interfaces that are accessible over the Internet via a web interface? (Choose two.)

(A). Cross-site scripting

(B). Data exfiltration

(C). Poor system logging

(D). Weak encryption

(E). SQL injection

(F). Server-side request forgery

(D). Weak encryption

(F). Server-side request forgery


NO.115 Security analysts are conducting an investigation of an attack that occurred inside the

organization's network. An attacker was able to capture network traffic between workstations

throughout the network. The analysts review the following logs:

The layer 2 address table has hundreds of entries similar to the ones above. Which of the following

attacks has MOST likely occurred?

(A). SQL injection

(B). DNS spoofing

(C). MAC flooding

(D). ARP poisoning
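The layer 2 table for NO.115 is missing from the page, so here is an added detection example (not from the question bank) that rebuilds one in the layout of Cisco's `show mac address-table` from constructed rows, then counts distinct dynamically learned MACs per port. An access port normally learns one or two addresses; a flooding tool stuffs the table with thousands of random source MACs on the port it is plugged into, which is the pattern the check flags.

```python
"""Spot a flooded switch port from a layer 2 (CAM) address table (added example)."""
import random
import re
from collections import Counter

# Matches 'show mac address-table' style rows: VLAN, dotted-hex MAC, type, port.
CAM_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<type>\w+)\s+(?P<port>\S+)",
    re.IGNORECASE,
)


def parse_cam_table(text):
    """Return (vlan, mac, type, port) tuples for every row that parses; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = CAM_ROW.match(line)
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(), m["type"].upper(), m["port"]))
    return entries


def macs_per_port(entries):
    """Count distinct dynamically learned MACs on each port (static entries are ignored)."""
    seen = {}
    for _vlan, mac, kind, port in entries:
        if kind == "DYNAMIC":
            seen.setdefault(port, set()).add(mac)
    return Counter({port: len(macs) for port, macs in seen.items()})


def flooded_ports(entries, threshold=50):
    """Ports whose learned-MAC count is implausible for an access port."""
    return sorted(port for port, n in macs_per_port(entries).items() if n >= threshold)


def build_sample_table(seed=7, flood_count=300):
    """Constructed table: three normal access ports and one port under MAC flooding."""
    rng = random.Random(seed)
    rows = [
        "Vlan    Mac Address       Type        Ports",
        "----    -----------       ----        -----",
        "10      0011.2233.4455    DYNAMIC     Gi1/0/1",
        "10      0011.2233.4456    DYNAMIC     Gi1/0/2",
        "20      00aa.bbcc.dd01    DYNAMIC     Gi1/0/3",
        "20      00aa.bbcc.dd02    DYNAMIC     Gi1/0/3",
        "1       0000.0c9f.f001    STATIC      CPU",
    ]
    macs = set()
    while len(macs) < flood_count:
        macs.add(f"{rng.getrandbits(48):012x}")
    for raw in sorted(macs):
        mac = f"{raw[0:4]}.{raw[4:8]}.{raw[8:12]}"
        rows.append(f"10      {mac}    DYNAMIC     Gi1/0/24")
    return "\n".join(rows)


if __name__ == "__main__":
    table = parse_cam_table(build_sample_table())
    print(macs_per_port(table).most_common(3))
    print("flooded:", flooded_ports(table))
```

Once the table is full, the switch fails open and floods unknown-destination frames out every port, which is how the attacker ends up seeing traffic between other workstations. Port security with a per-port MAC limit is the standard mitigation, and the same count-per-port query works against a SIEM that ingests the address table.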


NO.118 An analyst is generating a security report for the management team. Security guidelines

recommend disabling all listening unencrypted services. Given this output from Nmap:

Which of the following should the analyst recommend to disable?

(A). 21/tcp

(B). 22/tcp

(C). 23/tcp

(D). 443/tcp

During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID from the file?

(A). ls

(B). chflags

(C). chmod

(D). lsof

(E). setuid
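For both this question and NO.522 above, the tool that changes mode bits is chmod and the tool that shows them is ls -l; a non-credentialed scanner cannot see file permissions at all, so the check has to happen on the host. As an added example (not from the question bank), here is the same inspect-then-tighten step done with Python's stat module and os.chmod on a constructed temporary file, so the before and after can be compared in the ls -l format. Assumed: a POSIX filesystem, since os.chmod on Windows only toggles the read-only attribute.

```python
"""Inspect and tighten a file's mode bits, including clearing set-user-ID (added example)."""
import os
import stat
import tempfile

# Bits a hardening pass removes: setuid, setgid, and write for group and others.
DANGEROUS_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_IWGRP | stat.S_IWOTH


def hardened_mode(mode):
    """Return only the permission bits of `mode`, with the dangerous bits cleared."""
    return stat.S_IMODE(mode) & ~DANGEROUS_BITS


def describe(path):
    """What `ls -l` would show, plus the two flags the finding is about."""
    st = os.lstat(path)
    return {
        "ls_style": stat.filemode(st.st_mode),      # e.g. -rwsrwxrwx
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
    }


def harden(path):
    """The chmod step: rewrite the mode in place and return the new description."""
    os.chmod(path, hardened_mode(os.lstat(path).st_mode))
    return describe(path)


def demo():
    """Constructed sample: a temporary file made rwsrwxrwx, then hardened."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o4777)          # reproduce the overly permissive finding
        before = describe(path)
        after = harden(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Equivalent shell: `ls -l FILE` to inspect, then `chmod u-s,g-w,o-w FILE` (or an explicit `chmod 0755 FILE`) to drop the set-user-ID bit and the group/other write bits. ls only reads the mode, lsof lists open files, chflags sets BSD file flags rather than permission bits, and setuid is a system call, not a command.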

NO.138 A network engineer has been asked to investigate why several wireless barcode scanners

and wireless computers in a warehouse have intermittent connectivity to the shipping server. The

barcode scanners and computers are all on forklift trucks and move around the warehouse during

their regular use. Which of the following should the engineer do to determine the issue? (Choose

two.)

(A). Perform a site survey

(B). Deploy an FTK Imager

(C). Create a heat map

(D). Scan for rogue access points

(E). Upgrade the security protocols

(F). Install a captive portal

(A). Perform a site survey

(C). Create a heat map

heat map and site survey will provide the wifi strength and identify the weakness areas..this will give

the opportunity if we need to increase WiFI strength or give suggestion to the forklift drivers about

the movement

NO.139 A news article states that a popular web browser deployed on all corporate PCs is vulnerable to a zero-day attack. Which of the following would MOST concern the Chief Information Security

Officer about the information in the news article?

(A). Insider threats have compromised this network

(B). Web browsing is not functional for the entire network

(C). Antivirus signatures are required to be updated immediately

(D). No patches are available for the web browser

(D). No patches are available for the web browser


NO.140 A user reports trouble using a corporate laptop. The laptop freezes and responds slowly

when writing documents and the mouse pointer occasionally disappears.

The task list shows the following results

Which of the following is MOST likely the issue?

(A). RAT

(B). PUP

(C). Spyware

(D). Keylogger

NO.141 Hackers recently attacked a company's network and obtained several unfavorable pictures

from the Chief Executive Officer's workstation. The hackers are threatening to send the images to the

press if a ransom is not paid. Which of the following is impacted the MOST?

(A). Identity theft

(B). Data loss

(C). Data exfiltration

(D). Reputation

(C). Data exfiltration

Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data

transfer from a computer. It is also commonly called data extrusion or data exportation. Data

exfiltration is also considered a form of data theft.

NO.142 During an investigation, a security manager receives notification from local authorities that

company proprietary data was found on a former employee's home computer. The former

employee's corporate workstation has since been repurposed, and the data on the hard drive has

been overwritten. Which of the following would BEST provide the security manager with enough

details to determine when the data was removed from the company network?

(A). Properly configured hosts with security logging

(B). Properly configured endpoint security tool with alerting

(C). Properly configured SIEM with retention policies

(D). Properly configured USB blocker with encryption

(C). Properly configured SIEM with retention policies

The workstation has been wiped, so any logs kept on the host are gone with it. Only logs shipped off the host to a SIEM and kept under a retention policy can still show when the data left the network.

NO.147 A security analyst discovers several .jpg photos from a cellular phone during a forensics

investigation involving a compromised system. The analyst runs a forensics tool to gather file

metadata. Which of the following would be part of the images if all the metadata is still intact?

(A). The GPS location

(B). When the file was deleted

(C). The total number of print jobs

(D). The number of copies made

NO.154 A forensics examiner is attempting to dump password cached in the physical memory of a

live system but keeps receiving an error message. Which of the following BEST describes the cause of

the error?

(A). The examiner does not have administrative privileges to the system

(B). The system must be taken offline before a snapshot can be created

(C). Checksum mismatches are invalidating the disk image

(D). The swap file needs to be unlocked before it can be accessed

(A). The examiner does not have administrative privileges to the system

Reading other processes' memory or the whole physical memory of a live system requires elevated rights; without them the acquisition tool fails with an access error. There is no "unlocking" of the swap file, and checksum mismatches concern a disk image, not live RAM.

NO.157 A security analyst is performing a packet capture on a series of SOAP HTTP requests for a

security assessment. The analyst redirects the output to a file. After the capture is complete, the analyst needs to review the first transactions quickly and then search the entire series of requests for

a particular string. Which of the following would be BEST to use to accomplish the task? (Select TWO).

(A). head

(B). Tcpdump

(C). grep

(D). tail

(E). curl

(F). openssl

(G). dd

(A). head

(C). grep

A - "analyst needs to review the first transactions quickly"

C - "search the entire series of requests for a particular string"


NO.160 Which of the following BEST explains the difference between a data owner and a data custodian?

(B). The data owner is responsible for controlling the data while the data custodian is responsible for implementing the protection of data.

(B). The data owner is responsible for controlling the data while the data custodian is responsible for implementing the protection of data.

Data Owner - the administrator/CEO/board/president of a company

Data custodian - the ones taking care of the actual data - like IT staff (generally) or HR staff (for HR-related data)

NO.165 A security analyst has received an alert about PII being sent via email. The analyst's Chief

Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From

which of the following did the alert MOST likely originate?

(A). S/MIME

(B). DLP

(C). IMAP

(D). HIDS

(B). DLP

Network-based DLP monitors outgoing data looking for sensitive data. Network-based DLP systems

monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in the cloud.

NO.169 A penetration tester gains access to the network by exploiting a vulnerability on a public-facing web server. Which of the following techniques will the tester most likely perform NEXT?

(A). Gather more information about the target through passive reconnaissance

(B). Establish rules of engagement before proceeding

(C). Create a user account to maintain persistence

(D). Move laterally throughout the network to search for sensitive information

(C). Create a user account to maintain persistence

NO.170 Which of the following environments typically hosts the current version configurations and

code, compares user-story responses and workflow, and uses a modified version of actual data for

testing?

A) Development

B) Staging

C) Production

D) Test

NO.171 Which of the following scenarios BEST describes a risk reduction technique?

(A). A security control objective cannot be met through a technical change, so the company

purchases insurance and is no longer concerned about losses from data breaches.

(B). A security control objective cannot be met through a technical change, so the company

implements a policy to train users on a more secure method of operation.

(C). A security control objective cannot be met through a technical change, so the company changes

its method of operation.

(D). A security control objective cannot be met through a technical change, so the Chief Information

Officer (CIO) decides to sign off on the risk.

(B). A security control objective cannot be met through a technical change, so the company

implements a policy to train users on a more secure method of operation.

NO.174 An analyst needs to set up a method for securely transferring files between systems. One of

the requirements is to authenticate the IP header and the payload. Which of the following services

would BEST meet the criteria?

(A). TLS

(B). PFS

(C). ESP

(D). AH

NO.176 During an investigation, the incident response team discovers that multiple administrator

accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force

attack on a single administrator account followed by suspicious logins from unfamiliar geographic

locations. Which of the following data sources would be BEST to use to assess the accounts impacted

by this attack?

(A). User behavior analytics

(B). Dump files

(C). Bandwidth monitors

(D). Protocol analyzer output

(A). User behavior analytics

User behavior analytics

User behavior analytics is a cybersecurity process about detection of insider threats, targeted attacks,

and financial fraud that tracks a system's users. UBA looks at patterns of human behavior, and then

analyzes them to detect anomalies that indicate potential threats.

NO.182 A security engineer needs to build a solution to satisfy regulatory requirements that state

certain critical servers must be accessed using MFA.

However, the critical servers are older and are unable to support the addition of MFA. Which of the

following will the engineer MOST likely use to achieve this objective?

(A). A forward proxy

(B). A stateful firewall

(C). A jump server

(D). A port tap

NO.192 Administrators have allowed employees to access their company email from personal

computers. However, the administrators are concerned that these computers are another attack

surface and can result in user accounts being breached by foreign actors. Which of the following

actions would provide the MOST secure solution?

(A). Enable an option in the administration center so accounts can be locked if they are accessed from

different geographical areas

(B). Implement a 16-character minimum length and 30-day expiration password policy

(C). Set up a global mail rule to disallow the forwarding of any company email to email addresses

outside the organization

(D). Enforce a policy that allows employees to be able to access their email only while they are

connected to the internet via VPN

(D). Enforce a policy that allows employees to be able to access their email only while they are

connected to the internet via VPN

NO.194 A penetration tester was able to compromise an internal server and is now trying to pivot

the current session in a network lateral movement. Which of the following tools, if available on the

server, will provide the MOST useful information for the next assessment step?

(A). Autopsy

(B). Cuckoo

(C). Memdump

(D). Nmap

(D). Nmap

Memdump

A display or printout of all or selected contents of RAM. After a program abends (crashes), a memory

dump is taken in order to analyze the status of the program. The programmer looks into the memory

buffers to see which data items were being worked on at the time of failure.

Nmap

Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a

computer network by sending packets and analyzing the responses. Nmap provides a number of

features for probing computer networks, including host discovery and service and operating system

detection.

NO.195 A security administrator needs to inspect in-transit files on the enterprise network to search

for PII, credit card data, and classification words. Which of the following would be the BEST to use?

(A). IDS solution

(B). EDR solution

(C). HIPS software solution

(D). Network DLP solution

(D). Network DLP solution

NO.200 A security analyst receives an alert from the company's SIEM that anomalous activity is

coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks

the analyst to block the originating source. Several days later another employee opens an internal

ticket stating that vulnerability scans are no longer being performed properly. The IP address the

employee provides is 192.168.34.26. Which of the following describes this type of alert?

A) true positive

B) true negative

C) false positive

D) false negative

C) false positive

Traditional SIEM Log Analysis

Traditionally, the SIEM used two techniques to generate alerts from log data: correlation rules, specifying a sequence of events that indicates an anomaly, which could represent a security threat,

vulnerability or active security incident; and vulnerabilities and risk assessment, which involves

scanning networks for known attack patterns and vulnerabilities. The drawback of these older

techniques is that they generate a lot of false positives, and are not successful at detecting new and

unexpected event types.

NO.204 A security engineer needs to implement an MDM solution that complies with the corporate

mobile device policy. The policy states that in order for mobile users to access corporate resources on

their devices the following requirements must be met:

* Mobile device OSs must be patched up to the latest release

* A screen lock must be enabled (passcode or biometric)

* Corporate data must be removed if the device is reported lost or stolen

Which of the following controls should the security engineer configure? (Select TWO)

(A). Containerization

(B). Storage segmentation

(C). Posturing

(D). Remote wipe

(E). Full-device encryption

(D). Remote wipe

(E). Full-device encryption

NO.206 A company recently experienced an attack during which its main website was directed to

the attacker's web server, allowing the attacker to harvest credentials from unsuspecting customers.

Which of the following should the company implement to prevent this type of attack occurring in the

future?

(A). IPSec

(B). SSL/TLS

(C). DNSSEC

(D). S/MIME

NO.207 An.. that has a large number of mobile devices is exploring enhanced security controls to

manage unauthorized access if a device is lost or stolen. Specifically, if mobile devices are more

than 3mi (4.8km) from the building, the management team would like to have the security team

alerted and server resources restricted on those devices. Which of the following controls should the

organization implement?

NO.208 A company processes highly sensitive data and senior management wants to protect the

sensitive data by utilizing classification labels. Which of the following access control schemes would

be BEST for the company to implement?

(A). Discretionary

(B). Rule-based

(C). Role-based

(D). Mandatory

NO.209 A security analyst wants to fingerprint a web server. Which of the following tools will the

security analyst MOST likely use to accomplish this task?

(A). nmap -p1-65535 192.168.0.10

(B). dig 192.168.0.10

(C). curl --head http://192.168.0.10

(D). ping 192.168.0.10

(C). curl --head http://192.168.0.10

curl - Identify remote web server

Type the command as follows:

$ curl -I http://www.remote-server.com/

$ curl -I http://vivekgite.com/

Output:

HTTP/1.1 200 OK

Content-type: text/html

Content-Length: 0

Date: Mon, 28 Jan 2008 08:53:54 GMT

Server: lighttpd

NO.213 A network engineer needs to create a plan for upgrading the wireless infrastructure in a

large office. Priority must be given to areas that are currently experiencing latency and connection

issues. Which of the following would be the BEST resource for determining the order of priority?

(A). Nmap

(B). Heat maps

(C). Network diagrams

(D). Wireshark

(B). Heat maps

Site surveys and heat maps provide the following benefits: they identify trouble areas to help eliminate

slow speeds and poor performance.

NO.214 A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a

new ERP system for the company. The CISO categorizes the system, selects the controls that apply to

the system, implements the controls, and then assesses the success of the controls before

authorizing the system. Which of the following is the CISO using to evaluate the environment for this

new ERP system?

(A). The Diamond Model of Intrusion Analysis

(B). CIS Critical Security Controls

(C). NIST Risk Management Framework

(D). ISO 27002

ERP: enterprise resource planning

(D). ISO 27002

ISO/IEC 27002

ISO/IEC 27002 is an information security standard published by the International Organization for

Standardization and by the International Electrotechnical Commission, titled Information technology

- Security techniques - Code of practice for information security controls.

NO.215 A security administrator needs to create a RAID configuration that is focused on high read

speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the

following RAID configurations should the administrator use?

(A). RAID 0

(B). RAID 1

(C). RAID 5

(D). RAID 10

NO.216 An organization wants to implement a third factor to an existing multifactor authentication.

The organization already uses a smart card and password. Which of the following would meet the

organization's needs for a third factor?

(A). Date of birth

(B). Fingerprints

(C). PIN

(D). TPM

NO.217 A Chief Security Officer's (CSO's) key priorities are to improve preparation, response, and

recovery practices to minimize system downtime and enhance organizational resilience to

ransomware attacks. Which of the following would BEST meet the CSO's objectives?

(A). Use email-filtering software and centralized account management, patch high-risk systems, and

restrict administration privileges on fileshares.

(B). Purchase cyber insurance from a reputable provider to reduce expenses during an incident.

(C). Invest in end-user awareness training to change the long-term culture and behavior of staff and

executives, reducing the organization's susceptibility to phishing attacks.

(D). Implement application whitelisting and centralized event-log management, and perform regular

testing and validation of full backups.

(D). Implement application whitelisting and centralized event-log management, and perform regular

testing and validation of full backups.

NO.225 A security analyst has been asked to investigate a situation after the SOC started to receive

alerts from the SIEM. The analyst first looks at the domain controller and finds the following events:

To better understand what is going on, the analyst runs a command and receives the following

output:

Based on the analyst's findings, which of the following attacks is being executed?

(A). Credential harvesting

(B). Keylogger

(C). Brute-force

(D). Spraying

(D). Spraying

If a user tries to authenticate with a wrong password, the domain controller that handles the

authentication request will increment an attribute called badPwdCount. As you can see in the image,

the badPwdCount attribute for the user shows that many passwords were used to try to log in

without success. Password spraying is an attack that attempts to access a large number of accounts

(usernames) with a few commonly used passwords.

https://www.coalfire.com/the-coalfireblog/march-2019/password-spraying-what-to-do-and-how-to-avoid-it

https://doubleoctopus.com/security-wiki/threats-and-tools/password-spraying/

NO.228 A security administrator currently spends a large amount of time on common security tasks,

such as report generation, phishing investigations, and user provisioning and deprovisioning. This

prevents the administrator from spending time on other security projects. The business does not

have the budget to add more staff members. Which of the following should the administrator

implement?

(A). DAC

(B). ABAC

(C). SCAP

(D). SOAR

NO.232 A user downloaded an extension for a browser, and the user's device later became infected.

The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data. The following was observed running:

Which of the following is the malware using to execute the attack?

(A). PowerShell

(B). Python

(C). Bash

(D). Macros

NO.235 A company reduced the area utilized in its datacenter by creating virtual networking

through automation and by creating provisioning routes and rules through scripting. Which of the

following does this example describe?

(A). IaC

(B). MSSP

(C). Containers

(D). SaaS

(A). IaC

Infrastructure as Code

Infrastructure as code is the process of managing and provisioning computer data centers through

machine-readable definition files, rather than physical hardware configuration or interactive

configuration tools

NO.236 The following are the logs of a successful attack.

Which of the following controls would be BEST to use to prevent such a breach in the future?

(A). Password history

(B). Account expiration

(C). Password complexity

(D). Account lockout

NO.238 Which of the following BEST explains the reason why a server administrator would place a

document named password.txt on the desktop of an administrator account on a server?

(A). The document is a honeyfile and is meant to attract the attention of a cyberintruder.

(B). The document is a backup file if the system needs to be recovered.

(C). The document is a standard file that the OS needs to verify the login credentials.

(D). The document is a keylogger that stores all keystrokes should the account be compromised.

(A). The document is a honeyfile and is meant to attract the attention of a cyberintruder.

NO.240 Which of the following control types would be BEST to use to identify violations and

incidents?

(A). Detective

(B). Compensating

(C). Deterrent

(D). Corrective

(E). Recovery

(F). Preventive

NO.241 Which of the following represents a biometric FRR?

(A). Authorized users being denied access

(B). Users failing to enter the correct PIN

(C). The denied and authorized numbers being equal

(D). The number of unauthorized users being granted access

(A). Authorized users being denied access

NO.242 A security analyst must determine if either SSH or Telnet is being used to log in to servers.

Which of the following should the analyst use?

(A). logger

(B). Metasploit

(C). tcpdump

(D). netstat

NO.243 Which of the following function as preventive, detective, and deterrent controls to reduce

the risk of physical theft? (Select TWO).

(A). Mantraps

(B). Security guards

(C). Video surveillance

(D). Fences

(E). Bollards

(F). Antivirus

(B). Security guards

(D). Fences

NO.248 The Chief Information Security Officer (CISO) has decided to reorganize security staff to

concentrate on incident response and to outsource outbound Internet URL categorization and

filtering to an outside company. Additionally, the CISO would like this solution to provide the same

protections even when a company laptop or mobile device is away from a home office. Which of the

following should the CISO choose?

(A). CASB

(B). Next-generation SWG

(C). NGFW

(D). Web-application firewall

(B). Next-generation SWG

A Next Generation Secure Web Gateway (SWG) is a new cloud-native solution for protecting

enterprises from the growing volume of sophisticated cloud-enabled threats and data risks. It is the

logical evolution of the traditional secure web gateway, also known as a web proxy or web filter.

NGFW

A Next-Generation Firewall (NGFW) is a cyber security solution to protect network fronts with

capabilities that extend beyond traditional firewalls.

Web-application firewall

A WAF protects your web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic

traveling to the web application, and prevents any unauthorized data from leaving the app. It does

this by adhering to a set of policies that help determine what traffic is malicious and what traffic is

safe.

NO.252 During an incident response, a security analyst observes the following log entry on the web

server.

Which of the following BEST describes the type of attack the analyst is experiencing?

(A). SQL injection

(B). Cross-site scripting

(C). Pass-the-hash

(D). Directory traversal

(D). Directory traversal

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.

NO.253 A security analyst has received several reports of an issue on an internal web application.

Users state that they are having to provide their credentials twice to log in. The analyst checks with the

application team and notes this is not an expected behavior. After looking at several logs, the analyst

decides to run some commands on the gateway and obtains the following output:

Internet address

Which of the following BEST describes the attack the company is experiencing?

(A). MAC flooding

(B). URL redirection

(C). ARP poisoning

(D). DNS hijacking

NO.255 Which of the following uses six initial steps that provide basic control over system security

by including hardware and software inventory, vulnerability management, and continuous

monitoring to minimize risk in all network environments?

(A). ISO 27701

(B). The Center for Internet Security

(C). SSAE SOC 2

(D). NIST Risk Management Framework

(D). NIST Risk Management Framework
