NO.501 A company installed several crosscut shredders as part of increased information security
practices targeting data leakage risks. Which of the following will this practice reduce?
(A). Dumpster diving
(B). Shoulder surfing
(C). Information elicitation
(D). Credential harvesting
(D). Credential harvesting
NO.502 A vulnerability assessment report will include the CVSS score of the discovered
vulnerabilities because the score allows the organization to better:
(A). validate the vulnerability exists in the organization's network through penetration testing
(B). research the appropriate mitigation techniques in a vulnerability database
(C). find the software patches that are required to mitigate a vulnerability
(D). prioritize remediation of vulnerabilities based on the possible impact.
(D). prioritize remediation of vulnerabilities based on the possible impact.
NO.503 A network administrator at a large organization is reviewing methods to improve the
security of the wired LAN. Any security improvement must be centrally managed and allow corporate-owned devices to have access to the intranet but limit others to Internet access only. Which of the
following should the administrator recommend?
(A). 802.1X utilizing the current PKI infrastructure
(B). SSO to authenticate corporate users
(C). MAC address filtering with ACLs on the router
(D). PAM for user account management
(A). 802.1X utilizing the current PKI infrastructure
NO.504 Which of the following control sets should a well-written BCP include? (Select THREE)
(A). Preventive
(B). Detective
(C). Deterrent
(D). Corrective
(E). Compensating
(F). Physical
(G). Recovery
(A). Preventive
(D). Corrective
(G). Recovery
NO.505 An information security incident recently occurred at an organization, and the organization
was required to report the incident to authorities and notify the affected parties. When the
organization's customers became aware of the incident, some reduced their orders or stopped
placing orders entirely. Which of the following is the organization experiencing?
(A). Reputation damage
(B). Identity theft
(C). Anonymization
(D). Interrupted supply chain
NO.506 An organization is developing a plan in the event of a complete loss of critical systems and
data.
Which of the following plans is the organization MOST likely developing?
(A). Incident response
(B). Communications
(C). Disaster recovery
(D). Data retention
No. 507/ 134 new
refer to pdf
IT Certification Guaranteed, The Easy Way!
131
NO.508 A company is experiencing an increasing number of systems that are locking up on Windows
startup. The security analyst clones a machine, enters safe mode, and discovers a file in the
startup process that runs Wstart.bat.
@echo off
:asdhbawdhbasdhbawdhb
start notepad.exe
start notepad.exe
start calculator.exe
start calculator.exe
goto asdhbawdhbasdhbawdhb
Given the file contents and the system's issues, which of the following types of malware is present?
(A). Rootkit
(B). Logic bomb
(C). Worm
(D). Virus
NO.509 refer to pdf
An analyst visits an internet forum looking for information about a tool. The analyst finds a
threat that appears to contain relevant information. One of the posts says the following:
Which of the following BEST describes the attack that was attempted against the forum readers?
(A). SQL attack
(B). DLL attack
(C). XSS attack
(D). API attack
NO.510 A systems administrator is considering different backup solutions for the IT infrastructure.
The company is looking for a solution that offers the fastest recovery time while also saving the most
amount of storage used to maintain the backups. Which of the following recovery solutions would be
the BEST option to meet these requirements?
(A). Snapshot
(B). Differential
(C). Full
(D). Tape
NO.511 A worldwide manufacturing company has been experiencing email account compromises. In
one incident, a user logged in from the corporate office in France, but then seconds later, the same
user account attempted a login from Brazil. Which of the following account policies would BEST
prevent this type of attack?
(A). Network location
(B). Impossible travel time
(C). Geolocation
(D). Geofencing
NO.512 A company just implemented a new telework policy that allows employees to use personal
devices for official email and file sharing while working from home. Some of the requirements are:
- Employees must provide an alternate work location (i.e., a home address)
- Employees must install software on the device that will prevent the loss of proprietary data but will
not restrict any other software from being installed.
Which of the following BEST describes the MDM options the company is using?
(A). Geofencing, content management, remote wipe, containerization, and storage segmentation
(B). Content management, remote wipe, geolocation, context-aware authentication, and
containerization
(C). Application management, remote wipe, geofencing, context-aware authentication, and
containerization
(D). Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption
(D). Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption
NO.513 Which of the following refers to applications and systems that are used within an
organization without consent or approval?
(A). Shadow IT
(B). OSINT
(C). Dark web
(D). Insider threats
NO.514 An organization has implemented a policy requiring the use of conductive metal lockboxes
for personal electronic devices outside of a secure research lab. Which of the following did the
organization determine to be the GREATEST risk to intellectual property when creating this policy?
(A). The theft of portable electronic devices
(B). Geotagging in the metadata of images
(C). Bluesnarfing of mobile devices
(D). Data exfiltration over a mobile hotspot
(D). Data exfiltration over a mobile hotspot
NO.515 A security analyst reviews the datacenter access logs for a fingerprint scanner and notices
an abundance of errors that correlate with users' reports of issues accessing the facility.
Which of the following is MOST likely the cause of the access issues?
(A). False rejection
(B). Cross-over error rate
(C). Efficacy rate
(D). Attestation
(B). Cross-over error rate
NO.516 An analyst needs to identify the applications a user was running and the files that were
open before the user's computer was shut off by holding down the power button. Which of the
following would MOST likely contain that information?
(A). NGFW
(B). Pagefile
(C). NetFlow
(D). RAM
NO.517 A company has just experienced a malware attack affecting a large number of desktop
users.
The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as
'Troj.Generic'. Once the security team found a solution to remove the malware, they were able to
remove the malware files successfully, and the HIDS stopped alerting. The next morning, however,
the HIDS once again started alerting on the same desktops, and the security team discovered the files
were back. Which of the following BEST describes the type of malware infecting this company's
network?
(A). Trojan
(B). Spyware
(C). Rootkit
(D). Botnet
NO.518 A security auditor is reviewing vulnerability scan data provided by an internal security team.
Which of the following BEST indicates that valid credentials were used?
(A). The scan results show open ports, protocols, and services exposed on the target host
(B). The scan enumerated software versions of installed programs
(C). The scan produced a list of vulnerabilities on the target host
(D). The scan identified expired SSL certificate
(B). The scan enumerated software versions of installed programs
NO.519 A security analyst is investigating multiple hosts that are communicating to external IP
addresses during the hours of 2:00 a.m. - 4:00 a.m. The malware has evaded detection by traditional
antivirus software. Which of the following types of malware is MOST likely infecting the hosts?
(A). A RAT
(B). Ransomware
(C). Polymorphic
(D). A worm
NO.520 A security administrator has received multiple calls from the help desk about customers
who are unable to access the organization's web server. Upon reviewing the log files, the security
administrator determines multiple open requests have been made from multiple IP addresses, which
is consuming system resources. Which of the following attack types does this BEST describe?
(A). DDoS
(B). DoS
(C). Zero-day
(D). Logic bomb
NO.521 refer to pdf
The following are the logs of a successful attack.
Which of the following controls would be BEST to use to prevent such a breach in the future?
(A). Password history
(B). Account expiration
(C). Password complexity
(D). Account lockout
NO.522 A security analyst is investigating a vulnerability in which a default file permission was set
incorrectly. The company uses non-credentialed scanning for vulnerability management. Which of
the following tools can the analyst use to verify the permissions?
(A). ssh
(B). chmod
(C). ls
(D). setuid
(E). nessus
(F). nc
new pdf
NO.12 The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread
unhindered throughout the network and infect a large number of computers and servers. Which of
the following recommendations would be BEST to mitigate the impacts of a similar incident in the
future?
(B). Segment the network with firewalls.
new pdf
NO.13 After reading a security bulletin, a network security manager is concerned that a malicious
actor may have breached the network using the same software flaw. The exploit code is publicly
available and has been reported as being used against other industries in the same vertical. Which of
the following should the network security manager consult FIRST to determine a priority list for
forensic review?
(A). The vulnerability scan output
NO.21 As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a
previous incident is happening again. Which of the following would allow the security analyst to alert
the SOC if an event is reoccurring?
(A). Creating a playbook within the SOAR
(B). Implementing rules in the NGFW
(C). Updating the DLP hash database
(D). Publishing a new CRL with revoked certificates
new pdf
NO.17 A company wants to modify its current backup strategy to minimize the number of backups
that would need to be restored in case of data loss. Which of the following would be the BEST backup
strategy to implement?
(A). Incremental backups followed by differential backups
(B). Full backups followed by incremental backups
(C). Delta backups followed by differential backups
(D). Incremental backups followed by delta backups
(E). Full backups followed by differential backups
(B). Full backups followed by incremental backups
NO.26 Which of the following should a technician consider when selecting an encryption method for
data that needs to remain confidential for a specific length of time?
(A). The key length of the encryption algorithm
(B). The encryption algorithm's longevity
(C). A method of introducing entropy into key calculations
(D). The computational overhead of calculating the encryption key
(D). The computational overhead of calculating the encryption key
NO.34 A security analyst is investigating a phishing email that contains a malicious document
directed to the company's Chief Executive Officer (CEO). Which of the following should the analyst
perform to understand the threat and retrieve possible IoCs?
(A). Run a vulnerability scan against the CEOs computer to find possible vulnerabilities
(B). Install a sandbox to run the malicious payload in a safe environment
(C). Perform a traceroute to identify the communication path
(D). Use netstat to check whether communication has been made with a remote host
(B). Install a sandbox to run the malicious payload in a safe environment
NO.35 A Chief Security Officer (CSO) has asked a technician to devise a solution that can detect
unauthorized execution privileges from the OS in both executable and data files, and can work in
conjunction with proxies or UTM. Which of the following would BEST meet the CSO's requirements?
(A). Fuzzing
(B). Sandboxing
(C). Static code analysis
(D). Code review
NO.37 A security analyst is concerned about critical vulnerabilities that have been detected on some
applications running inside containers. Which of the following is the BEST remediation strategy?
(A). Update the base container image and redeploy the environment.
(B). Include the containers in the regular patching schedule for servers
(C). Patch each running container individually and test the application
(D). Update the host in which the containers are running
(C). Patch each running container individually and test the application
A container image vulnerability is a security risk that is embedded inside a container image. While
vulnerable images themselves don't pose an active threat, if containers are created based on a
vulnerable image, the containers will introduce the vulnerability to a live environment.
NO.44 A well-known organization has been experiencing attacks from APIs. The organization is
concerned that custom malware is being created and emailed into the company or installed on USB
sticks that are dropped in parking lots. Which of the following is the BEST defense against this
scenario?
(A). Configuring signature-based antivirus to update every 30 minutes
(B). Enforcing S/MIME for email and automatically encrypting USB drives upon insertion.
(C). Implementing application execution in a sandbox for unknown software.
(D). Fuzzing new files for vulnerabilities if they are not digitally signed
(C). Implementing application execution in a sandbox for unknown software.
NO.51 A security analyst is hardening a network infrastructure. The analyst is given the following
requirements:
* Preserve the use of public IP addresses assigned to equipment on the core router.
* Enable "in-transport" encryption protection to the web server with the strongest ciphers.
Which of the following should the analyst implement to meet these requirements? (Select TWO).
(A). Configure VLANs on the core router
(B). Configure NAT on the core router
(C). Configure BGP on the core router
(D). Configure AES encryption on the web server
(E). Enable 3DES encryption on the web server
(F). Enable TLSv2 encryption on the web server
(A). Configure VLANs on the core router
(E). Enable 3DES encryption on the web server
NO.60 Which of the following BEST describes the method a security analyst would use to confirm a
file that is downloaded from a trusted security website is not altered in transit or corrupted using a
verified checksum?
(A). Hashing
(B). Salting
(C). Integrity
NO.61 A recent security audit revealed that a popular website with IP address 172.16.1.5 also has an
FTP service that employees were using to store sensitive corporate data. The organization's outbound firewall processes rules top-down. Which of the following would
permit HTTP and HTTPS, while denying all other services for this host?
(A). access-rule permit tcp destination 172.16.1.5 port 80
access-rule permit tcp destination 172.16.1.5 port 443
access-rule deny ip destination 172.16.1.5
(D). access-rule permit tcp destination 172.16.1.5 port 80
access-rule permit tcp destination 172.16.1.5 port 443
access-rule deny tcp destination 172.16.1.5 port 21
(D). access-rule permit tcp destination 172.16.1.5 port 80
access-rule permit tcp destination 172.16.1.5 port 443
access-rule deny tcp destination 172.16.1.5 port 21
NO.64 After a WiFi scan of a local office was conducted, an unknown wireless signal was identified.
Upon investigation, an unknown Raspberry Pi device was found connected to an Ethernet port using
a single connection. Which of the following BEST describes the purpose of this device?
(A). IoT sensor
(B). Evil twin
(C). Rogue access point
(D). On-path attack
NO.65 A user is concerned that a web application will not be able to handle unexpected or random
input without crashing. Which of the following BEST describes the type of testing the user should
perform?
(A). Code signing
(B). Fuzzing
(C). Manual code review
(D). Dynamic code analysis
(D). Dynamic code analysis
NO.66 Which of the following authentication methods sends out a unique password to be used
within a specific number of seconds?
(A). TOTP
(B). Biometrics
(C). Kerberos
(D). LDAP
NO.68 A university with remote campuses, which all use different service providers, loses Internet
connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to
go offline again at random intervals, typically within four minutes of services being restored. Outages
continue throughout the day, impacting all inbound and outbound connections and services. Services
that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are
affected.
Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to
exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads.
Which of the following BEST describe this type of attack? (Choose two.)
(A). DoS
(B). SSL stripping
(C). Memory leak
(D). Race condition
(E). Shimming
(F). Refactoring
NO.83 A company wants to deploy systems alongside production systems in order to entice threat
actors and to learn more about attackers. Which of the following BEST describe these systems?
(A). DNS sinkholes
(B). Honeypots
(C). Virtual machines
(D). Neural network
(A). DNS sinkholes
Can get the attacker's IP address.
NO.84 A technician needs to prevent data loss in a laboratory. The laboratory is not connected to
any external networks. Which of the following methods would BEST prevent the exfiltration of data?
(Select TWO).
(A). VPN
(B). Drive encryption
(C). Network firewall
(D). File level encryption
(E). USB blocker
(F). MFA
(B). Drive encryption
(E). USB blocker
Labs are usually air-gapped.
NO.87 A cyberthreat intelligence analyst is gathering data about a specific adversary using OSINT
techniques. Which of the following should the analyst use?
(A). Internal log files
(B). Government press releases
(C). Confidential reports
(D). Proprietary databases
NO.92 A forensics investigator is examining a number of unauthorized payments that were reported
on the company's website. Some unusual log entries show users received an email for an unwanted
mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to
the phishing team, and the forwarded email revealed the link to be:
Which of the following will the forensics investigator MOST likely determine has occurred?
(A). SQL injection
(B). Broken authentication
(C). XSS
(D). XSRF
NO.93 An organization wants seamless authentication to its applications. Which of the following
should the organization employ to meet this requirement?
(A). SOAP
(B). SAML
(C). SSO
(D). Kerberos
NO.97 Which of the following would produce the closest experience of responding to an actual
incident response scenario?
(A). Lessons learned
(B). Simulation
(C). Walk-through
(D). Tabletop
NO.98 An organization's finance department is implementing a policy to protect against collusion.
Which of the following control types and corresponding procedures should the
organization implement to fulfill this policy's requirement? (Select TWO).
(A). Corrective
(B). Deterrent
(C). Preventive
(D). Mandatory vacations
(E). Job rotation
(F). Separation of duties
(D). Mandatory vacations
(E). Job rotation
NO.103 A client sent several inquiries to a project manager about the delinquent delivery status of
some critical reports. The project manager claimed the reports were previously sent via email but
then quickly generated and backdated the reports before submitting them via a new email message.
Which of the following actions MOST likely supports an investigation for fraudulent submission?
(A). Establish chain of custody
(B). Inspect the file metadata
(C). Reference the data retention policy
(D). Review the email event logs
(D). Review the email event logs
new pdf
NO.104 An analyst visits an internet forum looking for information about a tool. The analyst finds a
threat that appears to contain relevant information. One of the posts says the following:
Which of the following BEST describes the attack that was attempted against the forum readers?
(A). SQL attack
(B). DLL attack
(C). XSS attack
(D). API attack
(C). XSS attack
Cross-site scripting attacks may occur anywhere that possibly malicious users are allowed to post
unregulated material to a trusted website for the consumption of other valid users. The most
common example can be found in bulletin-board websites which provide web-based mailing list-style
functionality.
//owasp.org/www-community/attacks/xss/
//www.acunetix.com/websitesecurity/cross-site-scripting/
NO.107 A security analyst needs to find real-time data on the latest malware and IoCs. Which of the
following BEST describes the solution the analyst should pursue?
(A). Advisories and bulletins
(B). Threat feeds
(C). Security news articles
(D). Peer-reviewed content
NO.108 A forensics investigator is examining a number of unauthorized payments that were reported
on the company's website. Some unusual log entries show users received an email for an unwanted
mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to
the phishing team, and the forwarded email revealed the link to be:
Which of the following will the forensics investigator MOST likely determine has occurred?
(A). SQL injection
(B). CSRF
(C). XSS
(D). XSRF
NO.113 Which of the following will MOST likely adversely impact the operations of unpatched
traditional programmable-logic controllers, running a back-end LAMP server and OT systems with
human-management interfaces that are accessible over the Internet via a web interface? (Choose two.)
(A). Cross-site scripting
(B). Data exfiltration
(C). Poor system logging
(D). Weak encryption
(E). SQL injection
(F). Server-side request forgery
(D). Weak encryption
(F). Server-side request forgery
new pdf
NO.115 Security analysts are conducting an investigation of an attack that occurred inside the
organization's network. An attacker was able to collect network traffic between workstations
throughout the network. The analysts review the following logs:
The layer 2 address table has hundreds of entries similar to the ones above. Which of the following
attacks has MOST likely occurred?
(A). SQL injection
(B). DNS spoofing
(C). MAC flooding
(D). ARP poisoning
new pdf
NO.118 An analyst is generating a security report for the management team. Security guidelines
recommend disabling all listening unencrypted services. Given this output from Nmap:
Which of the following should the analyst recommend to disable?
(A). 21/tcp
(B). 22/tcp
(C). 23/tcp
(D). 443/tcp
During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID from the file?
(A). ls
(B). chflags
(C). chmod
(D). lsof
(E). setuid
NO.138 A network engineer has been asked to investigate why several wireless barcode scanners
and wireless computers in a warehouse have intermittent connectivity to the shipping server. The
barcode scanners and computers are all on forklift trucks and move around the warehouse during
their regular use. Which of the following should the engineer do to determine the issue? (Choose
two.)
(A). Perform a site survey
(B). Deploy an FTK Imager
(C). Create a heat map
(D). Scan for rogue access points
(E). Upgrade the security protocols
(F). Install a captive portal
(A). Perform a site survey
(C). Create a heat map
A heat map and site survey will provide the WiFi strength and identify the weak areas. This will give
the opportunity to increase WiFi strength if needed, or to give suggestions to the forklift drivers about
their movement.
NO.139 A news article states that a popular web browser deployed on all corporate PCs is vulnerable to a zero-day attack. Which of the following would MOST concern the Chief Information Security
Officer about the information in the news article?
(A). Insider threats have compromised this network
(B). Web browsing is not functional for the entire network
(C). Antivirus signatures are required to be updated immediately
(D). No patches are available for the web browser
(D). No patches are available for the web browser
new pdf
NO.140 A user reports trouble using a corporate laptop. The laptop freezes and responds slowly
when writing documents, and the mouse pointer occasionally disappears.
The task list shows the following results:
Which of the following is MOST likely the issue?
(A). RAT
(B). PUP
(C). Spyware
(D). Keylogger
NO.141 Hackers recently attacked a company's network and obtained several unfavorable pictures
from the Chief Executive Officer's workstation. The hackers are threatening to send the images to the
press if a ransom is not paid. Which of the following is impacted the MOST?
(A). Identity theft
(B). Data loss
(C). Data exfiltration
(D). Reputation
(C). Data exfiltration
Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data
transfer from a computer. It is also commonly called data extrusion or data exportation. Data
exfiltration is also considered a form of data theft.
NO.142 During an investigation, a security manager receives notification from local authorities that
company proprietary data was found on a former employee's home computer. The former
employee's corporate workstation has since been repurposed, and the data on the hard drive has
been overwritten. Which of the following would BEST provide the security manager with enough
details to determine when the data was removed from the company network?
(A). Properly configured hosts with security logging
(B). Properly configured endpoint security tool with alerting
(C). Properly configured SIEM with retention policies
(D). Properly configured USB blocker with encryption
(A). Properly configured hosts with security logging
NO.147 A security analyst discovers several .jpg photos from a cellular phone during a forensics
investigation involving a compromised system. The analyst runs a forensics tool to gather file
metadata. Which of the following would be part of the images if all the metadata is still intact?
(A). The GPS location
(B). When the file was deleted
(C). The total number of print jobs
(D). The number of copies made
NO.154 A forensics examiner is attempting to dump passwords cached in the physical memory of a
live system but keeps receiving an error message. Which of the following BEST describes the cause of
the error?
(A). The examiner does not have administrative privileges to the system
(B). The system must be taken offline before a snapshot can be created
(C). Checksum mismatches are invalidating the disk image
(D). The swap file needs to be unlocked before it can be accessed
(D). The swap file needs to be unlocked before it can be accessed
NO.157 A security analyst is performing a packet capture on a series of SOAP HTTP requests for a
security assessment. The analyst redirects the output to a file. After the capture is complete, the analyst needs to review the first transactions quickly and then search the entire series of requests for
a particular string. Which of the following would be BEST to use to accomplish the task? (Select TWO).
(A). head
(B). tcpdump
(C). grep
(D). tail
(E). curl
(F). openssl
(G). dd
(A). head
(C). grep
A - "analyst needs to review the first transactions quickly"
C - "search the entire series of requests for a particular string"
new pdf
NO.160 Which of the following BEST explains the difference between a data owner and a data custodian?
(B). The data owner is responsible for controlling the data while the data custodian is responsible for implementing the protection of data.
(B). The data owner is responsible for controlling the data while the data custodian is responsible for implementing the protection of data.
Data Owner - the administrator/CEO/board/president of a company
Data custodian - the ones taking care of the actual data - like IT staff (generally) or HR staff (for HR-related data)
NO.165 A security analyst has received an alert about PII being sent via email. The analyst's Chief
Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From
which of the following did the alert MOST likely originate?
(A). S/MIME
(B). DLP
(C). IMAP
(D). HIDS
(B). DLP
Network-based DLP monitors outgoing data looking for sensitive data. Network-based DLP systems
monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in the cloud.
NO.169 A penetration tester gains access to the network by exploiting a vulnerability on a public-facing web server. Which of the following techniques will the tester most likely perform NEXT?
(A). Gather more information about the target through passive reconnaissance
(B). Establish rules of engagement before proceeding
(C). Create a user account to maintain persistence
(D). Move laterally throughout the network to search for sensitive information
(C). Create a user account to maintain persistence
NO.170 Which of the following environments typically hosts the current version configurations and
code, compares user-story responses and workflow, and uses a modified version of actual data for
testing?
(A). Development
(B). Staging
(C). Production
(D). Test
NO.171 Which of the following scenarios BEST describes a risk reduction technique?
(A). A security control objective cannot be met through a technical change, so the company
purchases insurance and is no longer concerned about losses from data breaches.
(B). A security control objective cannot be met through a technical change, so the company
implements a policy to train users on a more secure method of operation.
(C). A security control objective cannot be met through a technical change, so the company changes
its method of operation.
(D). A security control objective cannot be met through a technical change, so the Chief Information
Officer (CIO) decides to sign off on the risk.
(B). A security control objective cannot be met through a technical change, so the company
implements a policy to train users on a more secure method of operation.
NO.174 An analyst needs to set up a method for securely transferring files between systems. One of
the requirements is to authenticate the IP header and the payload. Which of the following services
would BEST meet the criteria?
(A). TLS
(B). PFS
(C). ESP
(D). AH
NO.176 During an investigation, the incident response team discovers that multiple administrator
accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force
attack on a single administrator account followed by suspicious logins from unfamiliar geographic
locations. Which of the following data sources would be BEST to use to assess the accounts impacted
by this attack?
(A). User behavior analytics
(B). Dump files
(C). Bandwidth monitors
(D). Protocol analyzer output
(A). User behavior analytics
User behavior analytics
User behavior analytics is a cybersecurity process about detection of insider threats, targeted attacks,
and financial fraud that tracks a system's users. UBA looks at patterns of human behavior, and then
analyzes them to detect anomalies that indicate potential threats.
NO.182 A security engineer needs to build a solution to satisfy regulatory requirements that state
certain critical servers must be accessed using MFA.
However, the critical servers are older and are unable to support the addition of MFA. Which of the
following will the engineer MOST likely use to achieve this objective?
(A). A forward proxy
(B). A stateful firewall
(C). A jump server
(D). A port tap
NO.192 Administrators have allowed employees to access their company email from personal
computers. However, the administrators are concerned that these computers are another attack
surface and can result in user accounts being breached by foreign actors. Which of the following
actions would provide the MOST secure solution?
(A). Enable an option in the administration center so accounts can be locked if they are accessed from
different geographical areas
(B). Implement a 16-character minimum length and 30-day expiration password policy
(C). Set up a global mail rule to disallow the forwarding of any company email to email addresses
outside the organization
(D). Enforce a policy that allows employees to be able to access their email only while they are
connected to the internet via VPN
(D). Enforce a policy that allows employees to be able to access their email only while they are
connected to the internet via VPN
NO.194 A penetration tester was able to compromise an internal server and is now trying to pivot
from the current session to move laterally within the network. Which of the following tools, if available on the
server, will provide the MOST useful information for the next assessment step?
(A). Autopsy
(B). Cuckoo
(C). Memdump
(D). Nmap
(D). Nmap
Memdump
A display or printout of all or selected contents of RAM. After a program abends (crashes), a memory
dump is taken in order to analyze the status of the program. The programmer looks into the memory
buffers to see which data items were being worked on at the time of failure.
Nmap
Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a
computer network by sending packets and analyzing the responses. Nmap provides a number of
features for probing computer networks, including host discovery and service and operating system
detection.
NO.195 A security administrator needs to inspect in-transit files on the enterprise network to search
for PII, credit card data, and classification words. Which of the following would be the BEST to use?
(A). IDS solution
(B). EDR solution
(C). HIPS software solution
(D). Network DLP solution
(D). Network DLP solution
NO.200 A security analyst receives an alert from the company's SIEM that anomalous activity is
coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks
the analyst to block the originating source. Several days later another employee opens an internal
ticket stating that vulnerability scans are no longer being performed properly. The IP address the
employee provides is 192.168.34.26. Which of the following describes this type of alert?
(A). True positive
(B). True negative
(C). False positive
(D). False negative
(C). False positive
Traditional SIEM Log Analysis
Traditionally, the SIEM used two techniques to generate alerts from log data: correlation rules,
specifying a sequence of events that indicates an anomaly, which could represent a security threat,
vulnerability or active security incident; and vulnerability and risk assessment, which involves
scanning networks for known attack patterns and vulnerabilities. The drawback of these older
techniques is that they generate a lot of false positives and are not successful at detecting new and
unexpected event types.
NO.204 A security engineer needs to implement an MDM solution that complies with the corporate
mobile device policy. The policy states that in order for mobile users to access corporate resources on
their devices, the following requirements must be met:
* Mobile device OSs must be patched up to the latest release
* A screen lock must be enabled (passcode or biometric)
* Corporate data must be removed if the device is reported lost or stolen
Which of the following controls should the security engineer configure? (Select TWO)
(A). Containerization
(B). Storage segmentation
(C). Posturing
(D). Remote wipe
(E). Full-device encryption
(D). Remote wipe
(E). Full-device encryption
NO.206 A company recently experienced an attack during which its main website was directed to
the attacker's web server, allowing the attacker to harvest credentials from unsuspecting customers.
Which of the following should the company implement to prevent this type of attack from occurring in
the future?
(A). IPSec
(B). SSL/TLS
(C). DNSSEC
(D). S/MIME
NO.207 An.. that has a large number of mobile devices is exploring enhanced security controls to
manage unauthorized access if a device is lost or stolen. Specifically, if mobile devices are more
than 3 mi (4.8 km) from the building, the management team would like to have the security team
alerted and server resources restricted on those devices. Which of the following controls should the
organization implement?
NO.208 A company processes highly sensitive data and senior management wants to protect the
sensitive data by utilizing classification labels. Which of the following access control schemes would
be BEST for the company to implement?
(A). Discretionary
(B). Rule-based
(C). Role-based
(D). Mandatory
NO.209 A security analyst wants to fingerprint a web server. Which of the following tools will the
security analyst MOST likely use to accomplish this task?
(A). nmap -p1-65535 192.168.0.10
(B). dig 192.168.0.10
(C). curl --head //192.168.0.10
(D). ping 192.168.0.10
(C). curl --head //192.168.0.10
curl - Identify remote web server
Type the command as follows:
$ curl -I //www.remote-server.com/
$ curl -I //vivekgite.com/
Output:
HTTP/1.1 200 OK
Content-type: text/html
Content-Length: 0
Date: Mon, 28 Jan 2008 08:53:54 GMT
Server: lighttpd
NO.213 A network engineer needs to create a plan for upgrading the wireless infrastructure in a
large office. Priority must be given to areas that are currently experiencing latency and connection
issues. Which of the following would be the BEST resource for determining the order of priority?
(A). Nmap
(B). Heat maps
(C). Network diagrams
(D). Wireshark
(B). Heat maps
Site surveys and heat maps provide the following benefits: identify trouble areas to help eliminate
slow speeds and poor performance.
NO.214 A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a
new ERP system for the company. The CISO categorizes the system, selects the controls that apply to
the system, implements the controls, and then assesses the success of the controls before
authorizing the system. Which of the following is the CISO using to evaluate the environment for this
new ERP system?
(A). The Diamond Model of Intrusion Analysis
(B). CIS Critical Security Controls
(C). NIST Risk Management Framework
(D). ISO 27002
ERP: enterprise resource planning
(D). ISO 27002
ISO/IEC 27002
ISO/IEC 27002 is an information security standard published by the International Organization for
Standardization and by the International Electrotechnical Commission, titled Information technology
- Security techniques - Code of practice for information security controls.
NO.215 A security administrator needs to create a RAID configuration that is focused on high read
speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the
following RAID configurations should the administrator use?
(A). RAID 0
(B). RAID 1
(C). RAID 5
(D). RAID 10
NO.216 An organization wants to implement a third factor to an existing multifactor authentication.
The organization already uses a smart card and password. Which of the following would meet the
organization's needs for a third factor?
(A). Date of birth
(B). Fingerprints
(C). PIN
(D). TPM
NO.217 A Chief Security Officer's (CSO's) key priorities are to improve preparation, response, and
recovery practices to minimize system downtime and enhance organizational resilience to
ransomware attacks. Which of the following would BEST meet the CSO's objectives?
(A). Use email-filtering software and centralized account management, patch high-risk systems, and
restrict administration privileges on fileshares.
(B). Purchase cyber insurance from a reputable provider to reduce expenses during an incident.
(C). Invest in end-user awareness training to change the long-term culture and behavior of staff and
executives, reducing the organization's susceptibility to phishing attacks.
(D). Implement application whitelisting and centralized event-log management, and perform regular
testing and validation of full backups.
(D). Implement application whitelisting and centralized event-log management, and perform regular
testing and validation of full backups.
NO.225 A security analyst has been asked to investigate a situation after the SOC started to receive
alerts from the SIEM. The analyst first looks at the domain controller and finds the following events:
To better understand what is going on, the analyst runs a command and receives the following
output:
Based on the analyst's findings, which of the following attacks is being executed?
(A). Credential harvesting
(B). Keylogger
(C). Brute-force
(D). Spraying
(D). Spraying
If a user tries to authenticate with a wrong password, the domain controller that handles the
authentication request will increment an attribute called badPwdCount. As you can see in the image,
the badPwdCount attribute for the user states that many passwords were used to try to log in
without success. Password spraying is an attack that attempts to access a large number of accounts
(usernames) with a few commonly used passwords.
//www.coalfire.com/the-coalfireblog/march-2019/password-spraying-what-to-do-and-how-to-avoid-it
//doubleoctopus.com/security-wiki/threats-and-tools/password-spraying/
NO.228 A security administrator currently spends a large amount of time on common security tasks,
such as report generation, phishing investigations, and user provisioning and deprovisioning. This
prevents the administrator from spending time on other security projects. The business does not
have the budget to add more staff members. Which of the following should the administrator
implement?
(A). DAC
(B). ABAC
(C). SCAP
(D). SOAR
NO.232 A user downloaded an extension for a browser, and the user's device later became infected.
The analyst who is investigating the incident saw various logs where the attacker was hiding activity
by deleting data. The following was observed running:
Which of the following is the malware using to execute the attack?
(A). PowerShell
(B). Python
(C). Bash
(D). Macros
NO.235 A company reduced the area utilized in its datacenter by creating virtual networking
through automation and by creating provisioning routes and rules through scripting. Which of the
following does this example describe?
(A). IaC
(B). MSSP
(C). Containers
(D). SaaS
(A). IaC
Infrastructure as Code
Infrastructure as code is the process of managing and provisioning computer data centers through
machine-readable definition files, rather than physical hardware configuration or interactive
configuration tools.
NO.236 The following are the logs of a successful attack.
Which of the following controls would be BEST to use to prevent such a breach in the future?
(A). Password history
(B). Account expiration
(C). Password complexity
(D). Account lockout
NO.238 Which of the following BEST explains the reason why a server administrator would place a
document named password.txt on the desktop of an administrator account on a server?
(A). The document is a honeyfile and is meant to attract the attention of a cyberintruder.
(B). The document is a backup file if the system needs to be recovered.
(C). The document is a standard file that the OS needs to verify the login credentials.
(D). The document is a keylogger that stores all keystrokes should the account be compromised.
(A). The document is a honeyfile and is meant to attract the attention of a cyberintruder.
NO.240 Which of the following control types would be BEST to use to identify violations and
incidents?
(A). Detective
(B). Compensating
(C). Deterrent
(D). Corrective
(E). Recovery
(F). Preventive
NO.241 Which of the following represents a biometric FRR?
(A). Authorized users being denied access
(B). Users failing to enter the correct PIN
(C). The denied and authorized numbers being equal
(D). The number of unauthorized users being granted access
(A). Authorized users being denied access
NO.242 A security analyst must determine if either SSH or Telnet is being used to log in to servers.
Which of the following should the analyst use?
(A). logger
(B). Metasploit
(C). tcpdump
(D). netstat
NO.243 Which of the following function as preventive, detective, and deterrent controls to reduce
the risk of physical theft? (Select TWO).
(A). Mantraps
(B). Security guards
(C). Video surveillance
(D). Fences
(E). Bollards
(F). Antivirus
(B). Security guards
(D). Fences
NO.248 The Chief Information Security Officer (CISO) has decided to reorganize security staff to
concentrate on incident response and to outsource outbound Internet URL categorization and
filtering to an outside company. Additionally, the CISO would like this solution to provide the same
protections even when a company laptop or mobile device is away from a home office. Which of the
following should the CISO choose?
(A). CASB
(B). Next-generation SWG
(C). NGFW
(D). Web-application firewall
(B). Next-generation SWG
A Next-Generation Secure Web Gateway (SWG) is a cloud-native solution for protecting
enterprises from the growing volume of sophisticated cloud-enabled threats and data risks. It is the
logical evolution of the traditional secure web gateway, also known as a web proxy or web filter.
NGFW
A Next-Generation Firewall (NGFW) is a cybersecurity solution that protects the network perimeter with
capabilities that extend beyond those of traditional firewalls.
Web-application firewall
A WAF protects your web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic
traveling to the web application, and prevents any unauthorized data from leaving the app. It does
this by adhering to a set of policies that help determine what traffic is malicious and what traffic is
safe.
NO.252 During an incident response, a security analyst observes the following log entry on the web
server.
Which of the following BEST describes the type of attack the analyst is experiencing?
(A). SQL injection
(B). Cross-site scripting
(C). Pass-the-hash
(D). Directory traversal
(D). Directory traversal
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.
NO.253 A security analyst has received several reports of an issue on an internal web application.
Users state they are having to provide their credentials twice to log in. The analyst checks with the
application team and notes this is not an expected behavior. After looking at several logs, the analyst
decides to run some commands on the gateway and obtains the following output:
Internet address
Which of the following BEST describes the attack the company is experiencing?
(A). MAC flooding
(B). URL redirection
(C). ARP poisoning
(D). DNS hijacking
NO.255 Which of the following uses six initial steps that provide basic control over system security
by including hardware and software inventory, vulnerability management, and continuous
monitoring to minimize risk in all network environments?
(A). ISO 27701
(B). The Center for Internet Security
(C). SSAE SOC 2
(D). NIST Risk Management Framework
(D). NIST Risk Management Framework