
Question #1

SIMULATION -
A company recently added a DR site and is redesigning the network. Users at the DR site are having issues browsing websites.

INSTRUCTIONS -
Click on each firewall to do the following:
1. Deny cleartext web traffic.
2. Ensure secure management protocols are used.
3. Resolve issues at the DR site.
The ruleset order cannot be modified due to outside constraints.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Correct Answer: See explanation below.
Firewall 1:
DNS Rule - ANY --> ANY --> DNS --> PERMIT
HTTPS Outbound - 10.0.0.1/24 --> ANY --> HTTPS --> PERMIT
Management - ANY --> ANY --> SSH --> PERMIT
HTTPS Inbound - ANY --> ANY --> HTTPS --> PERMIT
HTTP Inbound - ANY --> ANY --> HTTP --> DENY
Firewall 2: No changes should be made to this firewall
Firewall 3:
DNS Rule - ANY --> ANY --> DNS --> PERMIT
HTTPS Outbound - 192.168.0.1/24 --> ANY --> HTTPS --> PERMIT
Management - ANY --> ANY --> SSH --> PERMIT
HTTPS Inbound - ANY --> ANY --> HTTPS --> PERMIT
HTTP Inbound - ANY --> ANY --> HTTP --> DENY
Question #2

DRAG DROP -
A security engineer is setting up passwordless authentication for the first time.

INSTRUCTIONS -
Use the minimum set of commands to set this up and verify that it works. Commands cannot be reused.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Select and Place:

Correct Answer:
Question #3

HOTSPOT -
Select the appropriate attack and remediation from each drop-down list to label the corresponding attack with its remediation.

INSTRUCTIONS -
Not all attacks and remediation actions will be used.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:
Correct Answer:
#4

end LAMP server and OT systems with human-management interfaces that are accessible over the Internet via a web interface? (Choose two.)

exfiltration

encryption

injection

#5

Containerization

Geofencing

wipe

#6

enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives?

fileshares.

susceptibility to phishing attacks.


#7

A network engineer has been asked to investigate why several wireless barcode scanners and wireless computers in a warehouse have

during their regular use. Which of the following should the engineer do to determine the issue? (Choose two.)

Scan for rogue access points

Install a captive portal

#8

dd

chmod

dnsenum

logger

#9

DSS

31000
#10

help mitigate this issue?

#11

accessibility

Legal hold

#12

Investigation

Containment

Recovery

Lessons learned
#13

credentials were used?

#14

corporate governance regarding the data

protection to the data

handling the data

The data owner grants the technical permissions for data access, while the data custodian maintains the database access controls to the
data

#15

should not allow access to the internal corporate network, but it should require guests to sign off on the acceptable use policy before accessing
the Internet. Which of the following should the engineer employ to meet these requirements?

Install a captive portal


Question #16 Topic 1

A security analyst has been asked to investigate a situation after the SOC started to receive alerts from the SIEM. The analyst first looks at the
domain controller and finds the following events:

To better understand what is going on, the analyst runs a command and receives the following output:

Based on the analyst's findings, which of the following attacks is being executed?

A. Credential harvesting

B. Keylogger

C. Brute-force

D. Spraying

Correct Answer: D

#17

DaaS
#18

objective?
two.)

teaming

#19

typically connects via

cloning

Evil twin

poisoning
#20

An organization is developing an authentication service for use at the entry and exit ports of country borders. The service will use data feeds
obtained from passport systems, passenger manifests, and high-definition video feeds from CCTV systems that are located at the ports. The
service will incorporate machine-learning techniques to eliminate biometric enrollment processes while still allowing authorities to identify

Voice

Gait

Vein

Retina

Fingerprint

#21

project include:

✑ Logging of access to credentials

2.0

Enclave

A privileged access management system

#22
#23

software flaw.
The exploit code is publicly available and has been reported as being used against other industries in the same vertical. Which of the following
should the network security manager consult FIRST to determine a priority list for forensic review?

#24

A financial organization has adopted a new secure, encrypted document-sharing application to help with its customer loan process. Some

#25

An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which
of the following
Question #26 Topic 1

A company's bank has reported that multiple corporate credit cards have been stolen over the past several weeks. The bank has provided the
names of the affected cardholders to the company's forensics team to assist in the cyber-incident investigation.
An incident responder learns the following information:
✑ The timeline of stolen card numbers corresponds closely with affected users making Internet-based purchases from diverse websites via
enterprise desktop PCs.
✑ All purchase connections were encrypted, and the company uses an SSL inspection proxy for the inspection of encrypted traffic of the
hardwired network.
Purchases made with corporate cards over the corporate guest WiFi network, where no SSL inspection occurs, were unaffected.

Which of the following is the MOST likely root cause?

A. HTTPS sessions are being downgraded to insecure cipher suites

B. The SSL inspection proxy is feeding events to a compromised SIEM

C. The payment providers are insecurely processing credit card charges

D. The adversary has not yet established a presence on the guest WiFi network

Correct Answer: C

#27

following would be

Full disk encryption

VPN

#28

Which of the following technologies should the IT manager use when implementing MFA?

Email tokens

Push notifications

authentication
#29

the future?

#30

following solutions would BEST support the policy?

wipe

Biometrics

#31

process?

delivery

integration

validation

monitoring
#32

tolerance. Which of the following RAID levels should the administrator select?

#33

administrator account on a server?

#34
#35

the issue to the security team, as these websites were accessible the previous day. The security analysts run the following command: ipconfig
/flushdns, but the issue persists. Finally, an analyst changes the DNS server for an impacted machine, and the issue goes away. Which of the
following attacks MOST likely occurred on the original DNS server?

tunneling

#36

A cybersecurity manager has scheduled biannual meetings with the IT team and department leaders to discuss how they would respond to

replicate what might occur in a dynamic cybersecurity event involving the company, its facilities, its data, and its staff. Which of the following
describes what the manager is doing?

#37

following recommendations would BEST prevent this from reoccurring?


#38

A security analyst is reviewing a new website that will soon be made publicly available. The analyst sees the following in the URL: http://dev-
site.comptia.org/home/show.php?sessionID=77276554&loc=us

browse the website with the following URL: http://dev-site.comptia.org/home/show.php?sessionID=98988475&loc=us

Pass-the-hash

Session replay

deference

#39

is an IDS?

Corrective

Detective

Administrative

#40

incident?

MTTR

SLA
#41

A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web
application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms?

SIEM

DLP

CASB

SWG

#42

from reoccurring?

CASB

Containerization

failover

#43

MOST likely use to confirm the suspicions?

Nmap

Wireshark

Autopsy

DNSEnum
#44

company from data exfiltration via removable media?

#45

attack

leak

overflow

#46

A company provides mobile devices to its users to permit access to email and enterprise applications. The company recently started allowing

of this heterogeneous device approach?

private keys to adversaries.

vendors.
#47

would be the
acceptable?

SED

HSM

DLP

TPM

#48

#49

department.
#50

identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production?

#51

would be the BEST way to achieve this objective?

OAuth

SSO

SAML

PAP

#52

NetFlow

RAM
#53

VPN?

#54

Obfuscation

Integrity

repudiation

Blockchain

#55

ensure the site's users are not compromised after the reset?

A geofencing policy based on login history

#56

Transference

Avoidance

Acceptance

Mitigation
#57

#58

advisory. Which of the following is the analyst doing?

#59

Blockchain

#60

the following should the CISO read and understand before writing the policies?

DSS

NIST

31000
#61

controls. Which of the following BEST represents this type of threat?

IT

Hacktivism

hat

#62

intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:

assist companies with impact assessments based on the observed data.

#63

all
clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring?
#64

An organization is developing a plan in the event of a complete loss of critical systems and data. Which of the following plans is the organization
MOST likely developing?

response

Communications

retention

#65

#66

Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored.

WiFi network are not impacted, but all WAN and VoIP services are affected.

leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Choose two.)

DoS

SSL stripping

leak

condition

Shimming

Refactoring
#67

requires compliance with a security standard. Which of the following standards must the company comply with before accepting credit cards on
its e-commerce platform?

DSS

22301

27001

CSF

#68

overflow

day

condition

#69

requesting a transfer of
$10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following
social-engineering techniques is the attacker using?

Whaling

squatting

Pharming
#70

password. Which of the following would meet the organization's needs for a third factor?

Fingerprints

PIN

TPM

#71

An employee has been charged with fraud and is suspected of using corporate assets. As authorities collect evidence, and to preserve the
admissibility of the evidence, which of the following forensic techniques should be used?

repudiation

#72

naming conventions, such as store.company.com. Which of the following certificate types would BEST meet the requirements?

SAN

Wildcard

validation

Self-
#73

Install DLP agents on each laptop.

#74

never happened before, but the user entered the information as requested.

Which
of the following attack vectors was MOST likely used in this scenario?

Rogue access point

Evil twin

poisoning

poisoning

#75

been browsing the


#76

#77

Joe, an employee, receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and

phishing

Whaling

Vishing

#78

IT

web

#79
#80

A company processes highly sensitive data and senior management wants to protect the sensitive data by utilizing classification labels. Which of
the following access control schemes would be BEST for the company to implement?

Discretionary

based

based

Mandatory

#81

operations?

Least privilege

training

vacation

#82

Footprinting

drone/UAV

Pivoting
#83

attributes are being utilized in the authentication process? (Choose two.)

#84

Which of the following risk management strategies is this an example of?

Transference

Avoidance

Acceptance

Mitigation

#85

credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal?

Salting the magnetic strip information


#86

Which of the following would MOST likely have prevented this breach?

rewall

Biometrics

#87

attack

attack

attack

#88

DNSSEC
#89

Users have been issued smart cards that provide physical access to a building. The cards also contain tokens that can be used to access
information systems.

being utilized to provide these capabilities? (Choose two.)

GPS

RFID

#90

#91

situation. The switch was installed on a wired network in a hospital and is monitored by the facilities department via a cloud application. The

harden the smart switch?

Place the switch in a Faraday cage.

Install a cable lock on the switch.


#92

with the situation, the administrator decides to hire a service provider. Which of the following should the administrator use?

SDP

AAA

Microservices

#93

assessment identify?

protocols

settings

permissions

encryption

#94

Detective

Corrective

Technical
#95

systems.

#96

IP conflict

Pass-the-hash

flooding

traversal

poisoning

#97

administrator is providing?

authentication

Biometrics
#98

An organization suffered an outage, and a critical system took 90 minutes to come back online. Though there was no data loss during the outage,
the expectation was that the critical system would be available again within 60 minutes. Which of the following is the 60-minute expectation an
example of?

MTBF

RPO

MTTR

RTO

#99

Joe, a user at a company, clicked an email links that led to a website that infected his workstation. Joe was connected to the network, and the
virus spread to the network shares. The protective measures failed to stop this virus, and it has continued to evade detection. Which of the
following should a security administrator implement to protect the environment from this malware?

Install a definition-based antivirus.

#100

work BEST to help identify potential vulnerabilities?


issue?

Least privilege

Offboarding

#102

A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able
to detect the following message: "Special privileges assigned to new logon." Several of these messages did not have a valid logon associated
with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected?

Pass-the-hash

overflow

Session replay

#103

Which of the following access control schemes BEST fits the requirements?

Role-based access control

Mandatory access control


Which of the following is the analyst MOST likely seeing?

http://sample.url.com/someotherpageonsite/../../../etc/shadow

#105

backup methodologies should the company implement to allow for the FASTEST database restore time in the event of a failure, while being
mindful of the limited available storage space?

Implement full backups every Sunday at 8:00 p.m. and nightly differential backups at 8:00 p.m.

#106

An organization has a growing workforce that is mostly driven by additions to the sales department. Each newly hired salesperson relies on a

address the CIO's concerns?


know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm?

Security

Application

Dump

#108

company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to
protect against:

social engineering.

exposure.

#109

The manager who is responsible for a data set has asked a security engineer to apply encryption to the data on a hard disk. The security engineer
is an example of a:

data controller.

data owner.

data custodian.

data processor.
#110

section of the building that is closest to the parking lot. Users are intermittently experiencing slow speeds when accessing websites and are

of the building. There have also been reports of users being required to enter their credentials on web pages in order to gain access to them.

#111

drives will fail simultaneously. Which of the following RAID configurations should the administrator use?

10

#112

Physical security training

Basic awareness training


to perform the task and solicits help from a senior colleague. Which of the following is the FIRST step the senior colleague will most likely tell the
analyst to perform to accomplish this task?

#114

#115

was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT
administrator do FIRST after recovery?

Restrict administrative privileges and patch all systems and applications.


A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be
BEST to help the organization's executives determine their next course of action?

#117

Fog computing

escape

Image forgery

breakout

#118

following will the company MOST likely review to trace this transaction?

checksum
injection

Pass-the-hash

#120

9001

27002

27701

31000

#121

may contain?
A security analyst is running a vulnerability scan to check for missing patches during a suspected security incident. During which of the following
phases of the response process is this activity MOST likely occurring?

Containment

Identification

Recovery

Preparation

#123

Which of the following is a team of people dedicated to testing the effectiveness of organizational security programs by emulating the techniques
of potential attackers?

team

team

team

#124

passwords are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future?

Implement salting and hashing.


Testing security systems and processes regularly

#126

the following intelligence sources should the security analyst review?

#127

A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The

MOST effective to implement to further mitigate the reported vulnerability?

sinkholing

whitelisting
#128

investigation, a security analyst identifies the following:

compromise.

An ARP poisoning attack was successfully executed.

#129

and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap?

Nmap

cURL

Netcat

Wireshark

#130

A company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are

prevent this from occurring?

EAP

IP filtering
#132

sees there was a change in the IP address for a vendor website one week earlier. This change lasted eight hours. Which of the following attacks
was MOST likely used?

phishing

Evil twin

poisoning

#133

Checksums

Watermarks
capabilities?

Segmentation

whitelisting

Containment

Isolation

#135

masking

deduplication

minimization

#136

A consultant is configuring a vulnerability scanner for a large, global organization in multiple countries. The consultant will be using a service
account to scan systems with administrative privileges on a weekly basis, but there is a concern that hackers could gain access to the account
and pivot throughout the global network. Which of the following would be BEST to help mitigate this concern?
release. Which of the following BEST describes the tasks the developer is conducting?

Verification

Validation

Normalization

#138

#139

for this decision?


#141

A user received an SMS on a mobile phone that asked for bank details. Which of the following social-engineering techniques was used in this
case?

Vishing

phishing

#142

would an attacker

Pharming
Alarms

Lighting

Mantraps

Fencing

Sensors

#144

Which of the following would BEST meet this need?

CVE

SIEM

CVSS

#145

be performed to accomplish this task?

create a duplicate copy.

the CEO watches.

stage could destroy evidence.


#146

Geolocation

Certificates

Tokens

Geotagging

Role-based access controls

#147

which of the following incident response phases is the security engineer currently operating?

Identification

Preparation

Lessons learned

Eradication

Recovery

Containment

#148

quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained.
Which of the following would be BEST to improve the incident response process?
#149

table

force

Dictionary

#150

the following should the administrator configure?

PSK

802.1X

WPS

#151

protocols

chain
business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the
following types of controls should be used to reduce the risk created by this scenario?

Detective

Preventive

Compensating

#153

following targeted the organization?

IT

hacktivist

#154

that PII must be handled with extreme care. From which of the following did the alert MOST likely originate?

S/MIME

DLP

IMAP

HIDS
Bug bounty

box

box

box

#156

two.)

Password and CAPTCHA

Password and smart card

Password and fingerprint

Password and voice


#157

lockout policy requires that an account be locked out for a minimum of 15 minutes after three unsuccessful attempts. While reviewing the log

Dictionary

stuffing

force

#158

DLP

HIDS

NIPS

mitigate this risk?


A local coffee shop runs a small WiFi hotspot for its customers that utilizes WPA2-PSK. The coffee shop would like to stay current with security

in place of PSK?

WEP

MSCHAP

WPS

SAE

#161

included? (Choose two.)

doors

#162

procedures

overflows

reuse
reconnaissance.

pharming.

prepending.

#164

WPA2. Physical access to the company's facility requires two-factor authentication using a badge and a passcode. Which of the following
should the administrator implement to find and remediate the issue? (Choose two.)

#165

movement across applications of different trust levels. Which of the following solutions should the organization implement to address the
concern?

ISFW

CASB
A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the

RA

OCSP

CRL

CSR

#167

A small retail business has a local store and a newly established and growing online storefront. A recent storm caused a power outage to the
business and the local ISP, resulting in several hours of lost sales and delayed order processing. The business owner now needs to ensure two
things:

✑ Always-available connectivity in case of an outage

second need?

#168

Session replay

Evil twin

Bluejacking

poisoning
and include monetary penalties for breaches to manage third-party risk?

ARO

MOU

SLA

BPA

#170

organization maintains a portal from which users can install standardized programs. However, some users have administrative access on their

address this issue?

whitelisting

#171

mobile users to access corporate resources on their devices, the following requirements must be met:

Containerization

segmentation

Posturing

wipe

Geofencing
network is breached. Which of the following would BEST address this security concern?

Install a smart meter on the staff WiFi.

#173

which platforms have been affected?

SIEM

CVSS

CVE

#174

would BEST prevent the exfiltration of data? (Choose two.)

VPN

encryption

firewall

MFA
following is the WEAKEST design element?

#176

risk management strategies is the manager adopting?

acceptance

avoidance

transference

mitigation

#177

would be BEST for the security manager to use in a threat model?

Hacktivists

kiddies
each password before storing. Which of the following techniques BEST explains this action?

Predictability

stretching

Hashing

#179

Which of the following would MOST likely cause a data breach?

permissions

protocol
Question #180 Topic 1

SIMULATION -
A systems administrator needs to install a new wireless network for authenticated guest access. The wireless network should support 802.1X
using the most secure encryption and protocol available.

INSTRUCTIONS -
Perform the following steps:
1. Configure the RADIUS server.
2. Configure the WiFi controller.
3. Preconfigure the client for an incoming guest. The guest AD credentials are:

User: guest01 -

Password: guestpass -
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Correct Answer: See explanation below.
Configure the settings as shown below:
Question #181 Topic 1

HOTSPOT -
The security administrator has installed a new firewall which implements an implicit DENY policy by default.

INSTRUCTIONS -
Click on the firewall and configure it to allow ONLY the following communication:
✑ The Accounting workstation can ONLY access the web server on the public network over the default HTTPS port. The accounting workstation
should not access other networks.
✑ The HR workstation should be restricted to communicate with the Financial server ONLY, over the default SCP port.
✑ The Admin workstation should ONLY be able to access the servers on the secure network over the default TFTP port.
The firewall will process rules in a top-down manner in order as a first match. The port number must be typed in and only one port number can be
entered per rule.
Type ANY for all ports.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:
#182

connected to the VPN?


#183

secure alternatives for replacing them? (Choose three.)

FTPS

SNMPv3

HTTPS

FTP

SNMPv2

SSL

rlogin

#184

SQLi

CSRF

Session replay

API

Reference:
administrator MOST likely configure that will assist the investigators?

dumps

The syslog server

#186

The following are the logs of a successful attack:

Password history

expiration

Password complexity

lockout

Reference:

%20your%20account%20again
A security administrator currently spends a large amount of time on common security tasks, such as report generation, phishing investigations,

have the budget to add more staff members. Which of the following should the administrator attempt?

DAC

ABAC

SCAP

SOAR

Reference:

#188

deployed. Which of the following is required to assess the vulnerabilities resident in the application?

Static code analysis

#189

A security analyst is performing a packet capture on a series of SOAP HTTP requests for a security assessment. The analyst redirects the output

particular string. Which of the following would be BEST to use to accomplish this task? (Choose two.)

head

tcpdump

grep

tail

curl

openssl

dd

Reference: https://science.hamptonu.edu/compsci/docs/iac/packet_sniffing.pdf


#190

architecture to achieve

DNSSEC

proxy

concentrator

PKI

Directory

Reference:

#191

classrooms and labs. Which of the following should the university use to BEST protect these assets deployed in the facility?

logs

locks

Guards

encryption

detection

#192
BEST vulnerability scan report?

Port

Intrusive

discovery

Credentialed

#194

A worldwide manufacturing company has been experiencing email account compromises. In one incident, a user logged in from the corporate

prevent this type of attack?

location

Geolocation

Geofencing

#195

requirements:

HIDS

HIPS

NIPS
#196

ooding

poisoning

cloning

poisoning

Reference:
http://cisco.num.edu.mn/CCNA_R&S2/course/module2/2.2.2.1/2.2.2.1.html

#197

and handle two simultaneous disk failures. Which of the following RAID levels meet this requirement?

0+1

Reference:
#198

RADIUS.

TACACS+.

#199

A security analyst is preparing a threat brief for an upcoming internal penetration test. The analyst needs to identify a method for determining the

to accomplish the objective?

CSF

ATT&CK

OWASP

Reference:

#200

Which of the following controls will the analyst MOST likely recommend?

ARP
Detective

Deterrent

Preventive

Reference:

#202

#203

reports of issues accessing the facility. Which of the following MOST likely indicates the cause of the access issues?

False rejection

Attestation

Reference:

(CER),accuracy%20of%20a%20biometric%20system
A forensics examiner is attempting to dump password cached in the physical memory of a live system but keeps receiving an error message.
Which of the following BEST describes the cause of the error?

The system must be taken o ine before a snapshot can be created.

#205

Which of the following is the BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an
organization?

#206

servers rst.
surveillance cameras?

#208

platforms?

SIEM

CASB

Reference:

#209

the packet. Which of the following should the analyst implement to authenticate the entire packet?

SRTP

LDAP

Reference:
https://www.ibm.com/docs/en/zos/2.2.0?topic=ipsec-ah-esp-protocols
risk of lateral spread and the risk that the adversary would notice any changes?

#211

validity and thoroughness.

Reference:

#212

An attacker is sniffing traffic to port 53, and the server is managed using unencrypted usernames and passwords.
functionality and searchability of data within the cloud-based services?

masking

Anonymization

Tokenization

Reference:

#214

An attacker is trying to gain access by installing malware on a website that is known to be visited by the target victims. Which of the following is
the attacker MOST likely attempting?

squatting

#215

A network engineer needs to create a plan for upgrading the wireless infrastructure in a large office. Priority must be given to areas that are

Nmap

maps

diagrams

Wireshark
#216

are sent by email to all three technicians. The security administrator has become aware of this situation and wants to implement a solution to
mitigate the risk. Which of the following is the BEST solution for company to implement?

authentication

SSH keys

authentication

Password vaults

Reference:

#217

cookies

validation

signing

procedures

#218

When used at design stage, which of the following improves the efficiency, accuracy, and speed of a database?

Tokenization

masking

Normalization

Obfuscation

Reference:
https://www.informit.com/articles/article.aspx?p=30646
A company has determined that if its computer-based manufacturing machinery is not functioning for 12 consecutive hours, it will lose more

MTBF

RPO

RTO

MTTR

Reference:

#220

Reference:

#221

A company has decided to move its operations to the cloud. It wants to utilize technology that will prevent users from downloading company
applications for personal use, restrict data that is uploaded, and have visibility into which applications are being used across the company. Which
of the following solutions will

whitelisting
and later enterprise data was found to have been compromised from a local database. Which of the following was the MOST likely cause?

IT

stuffing

injection

Bluejacking

#223

A security analyst needs to complete an assessment. The analyst is logged into a server and must use native tools to map services running on it
to the server's listening ports. Which of the following tools can BEST accomplish this task?

Netcat

Netstat

Nmap

Nessus

Reference:

#224

or major system changes by using the final version of the code?

Test

Production

Development

Reference:

20(stage)%20is,like%20environment%20before%20application%20deployment
look and feel of a legitimate website to obtain personal information from unsuspecting users. Which of the following social-engineering attacks
does this describe?

elicitation

squatting

Impersonation

Reference:

#226

process is this an example of?

Eradication

Recovery

Identification

Preparation

Reference:
https://digitalguardian.com/blog/five-steps-incident-response

#227

services will be moving. Which of the following cloud models would BEST meet the needs of the organization?

Reference:
https://rubygarage.org/blog/iaas-vs-paas-vs-saas#:~:text=In%20fact%2C%20email%20services%20such,Pod)%2C%20and%
20so%20on
#228

spoofing

poisoning

#229

Reference:
providing hashing capabilities.

Reference:

#231

following MDM configurations must be considered when the engineer travels for business?

locks

management

Geofencing

Containerization

#232

each vulnerability that is discovered. Which of the following BEST represents the type of testing that is being used?

Bug bounty

box

box

Reference:
tools. Which of the following should the security team do to prevent this from happening in the future?

#234

A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility

has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating
backups of the systems for recovery. Which of the following resiliency techniques will provide these capabilities?

Redundancy

1+5

machines

Full backups
Question #235

Which of the following would a security specialist be able to determine upon examination of a
server's certificate?

• A. CA public key
• B. Server private key
• C. CSR
• D. OID

Correct Answer: D

Question #236

A security analyst is diagnosing an incident in which a system was compromised from an
external IP address. The socket identified on the firewall was traced to
207.46.130.0:6666. Which of the following should the security analyst do to determine if the
compromised system still has an active connection?

• A. tracert
• B. netstat
• C. ping
• D. nslookup

Correct Answer: B

Question #237

Multiple organizations operating in the same vertical want to provide seamless wireless access
for their employees as they visit the other organizations. Which of the following should be
implemented if all the organizations use the native 802.1x client on their mobile devices?

• A. Shibboleth
• B. RADIUS federation
• C. SAML
• D. OAuth
• E. OpenID connect

Correct Answer: B
http://archive.oreilly.com/pub/a/wireless/2005/01/01/authentication.html

Question #238

Which of the following BEST describes an important security advantage yielded by
implementing vendor diversity?

• A. Sustainability
• B. Homogeneity
• C. Resiliency
• D. Configurability

Correct Answer: C

Question #239

In a corporation where compute utilization spikes several times a year, the Chief Information
Officer (CIO) has requested a cost-effective architecture to handle the variable capacity demand.
Which of the following characteristics BEST describes what the CIO has requested?

• A. Elasticity
• B. Scalability
• C. High availability
• D. Redundancy

Correct Answer: A
Elasticity is defined as "the degree to which a system is able to adapt to workload changes
by provisioning and de-provisioning resources in an autonomic manner, such that at each
point in time the available resources match the current demand as closely as possible".

Question #240

A security engineer is configuring a system that requires the X.509 certificate information to be
pasted into a form field in Base64 encoded format to import it into the system. Which of the
following certificate formats should the engineer use to obtain the information in the required
format?

• A. PFX
• B. PEM
• C. DER
• D. CER

Correct Answer: B

Question #241

Which of the following attacks specifically impact data availability?

• A. DDoS
• B. Trojan
• C. MITM
• D. Rootkit

Correct Answer: A
Reference: https://www.netscout.com/what-is-ddos

Question #242

A root cause analysis reveals that a web application outage was caused by one of the company’s
developers uploading a newer version of the third-party libraries that were shared among several
applications. Which of the following implementations would be BEST to prevent the issue from
recurring?

A. CASB
B. SWG
C. Containerization
D. Automated failover

Answer: C

Question #243

A security administrator suspects there may be unnecessary services running on a server. Which of
the following tools will the administrator MOST likely use to confirm the suspicions?

A. Nmap
B. Wireshark
C. Autopsy
D. DNSEnum

Answer: A

Question #244
A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the
following would BEST protect the company from data exfiltration via removable media?

A. Monitoring large data transfer transactions in the firewall logs
B. Developing mandatory training to educate employees about the removable media policy
C. Implementing a group policy to block user access to system files
D. Blocking removable-media devices and write capabilities using a host-based security tool

Answer: D

Question #245
A network administrator has been alerted that web pages are experiencing long load times. After determining it
is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the
following output:

Which of the following is the router experiencing?

A. DDoS attack
B. Memory leak
C. Buffer overflow
D. Resource exhaustion

Answer: D

Question #246

A company provides mobile devices to its users to permit access to email and enterprise applications.
The company recently started allowing users to select from several different vendors and device
models. When configuring the MDM, which of the following is a key security implication of this
heterogeneous device approach?

A. The most common set of MDM configurations will become the effective set of enterprise mobile
security controls.
B. All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the
chosen architecture may unnecessarily expose private keys to adversaries.
C. Certain devices are inherently less secure than others, so compensatory controls will be needed to
address the delta between device vendors.
D. MDMs typically will not support heterogeneous deployment environments, so multiple MDMs will
need to be installed and configured.

Answer: C

Question #247

An organization with a low tolerance for user inconvenience wants to protect laptop hard drives
against loss or data theft. Which of the following would be the
MOST acceptable?

A. SED
B. HSM
C. DLP
D. TPM

Answer: A

Question #248

A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which
is only used for the early detection of attacks. The security analyst then reviews the following
application log:

Which of the following can the security analyst conclude?

A. A replay attack is being conducted against the application.
B. An injection attack is being conducted against a user authentication system.
C. A service account password may have been changed, resulting in continuous failed logins within
the application.
D. A credentialed vulnerability scanner attack is testing several CVEs against the application.

Answer: B

Question #249

In which of the following situations would it be BEST to use a detective control type for mitigation?

A. A company implemented a network load balancer to ensure 99.999% availability of its web
application.
B. A company designed a backup solution to increase the chances of restoring services in case of a
natural disaster.
C. A company purchased an application-level firewall to isolate traffic between the accounting
department and the information technology department.
D. A company purchased an IPS system, but after reviewing the requirements, the appliance was
supposed to monitor, not block, any traffic.
E. A company purchased liability insurance for flood protection on all capital assets.

Answer: D

Question #250

The IT department’s on-site developer has been with the team for many years. Each time an
application is released, the security team is able to identify multiple vulnerabilities. Which of the
following would BEST help the team ensure the application is ready to be released to production?

A. Limit the use of third-party libraries.
B. Prevent data exposure queries.
C. Obfuscate the source code.
D. Submit the application to QA before releasing it.

Answer: D

Question #251

A cybersecurity analyst needs to implement secure authentication to third-party websites without
users’ passwords. Which of the following would be the BEST way to achieve this objective?

A. OAuth
B. SSO
C. SAML
D. PAP

Answer: C

Question #252

An analyst needs to identify the applications a user was running and the files that were open before
the user’s computer was shut off by holding down the power button. Which of the following would
MOST likely contain that information?

A. NGFW
B. Pagefile
C. NetFlow
D. RAM

Answer: B

Question #253

A remote user recently took a two-week vacation abroad and brought along a corporate-owned
laptop. Upon returning to work, the user has been unable to connect the laptop to the VPN. Which of
the following is the MOST likely reason for the user’s inability to connect the laptop to the VPN?

A. Due to foreign travel, the user’s laptop was isolated from the network.
B. The user’s laptop was quarantined because it missed the latest patch update.
C. The VPN client was blacklisted.
D. The user’s account was put on a legal hold.

Answer: A

Question #254

In which of the following common use cases would steganography be employed?

A. Obfuscation
B. Integrity
C. Non-repudiation
D. Blockchain

Answer: A

Question #255

To secure an application after a large data breach, an e-commerce site will be resetting all users’
credentials. Which of the following will BEST ensure the site’s users are not compromised after the
reset?

A. A password reuse policy
B. Account lockout after three failed attempts
C. Encrypted credentials in transit
D. A geofencing policy based on login history

Answer: A

Question #256

In which of the following risk management strategies would cybersecurity insurance be used?

A. Transference
B. Avoidance
C. Acceptance
D. Mitigation

Answer: A

Question #257

An organization has implemented a policy requiring the use of conductive metal lockboxes for
personal electronic devices outside of a secure research lab. Which of the following did the
organization determine to be the GREATEST risk to intellectual property when creating this policy?

A. The theft of portable electronic devices
B. Geotagging in the metadata of images
C. Bluesnarfing of mobile devices
D. Data exfiltration over a mobile hotspot

Answer: D

Question #258

A security analyst is using a recently released security advisory to review historical logs, looking for
the specific activity that was outlined in the advisory. Which of the following is the analyst doing?

A. A packet capture
B. A user behavior analysis
C. Threat hunting
D. Credentialed vulnerability scanning

Answer: C

Question #259

Which of the following would MOST likely support the integrity of a voting machine?

A. Asymmetric encryption
B. Blockchain
C. Transport Layer Security
D. Perfect forward secrecy

Answer: B

Question #260

A Chief Information Security Officer (CISO) needs to create a policy set that meets international
standards for data privacy and sharing. Which of the following should the CISO read and understand
before writing the policies?

A. PCI DSS
B. GDPR
C. NIST
D. ISO 31000

Answer: B

Question #261

The IT department at a university is concerned about professors placing servers on the university
network in an attempt to bypass security controls. Which of the following BEST represents this type of
threat?

A. A script kiddie
B. Shadow IT
C. Hacktivism
D. White-hat

Answer: B

Which of the following BEST describes a social engineering attack that relies on an executive at a small business visiting a fake banking website
where credit card and account details are harvested?

Whaling

scam

Pharming

Reference:

20of,to%20high%2Dlevel%20company%20information.&text=Pharming%20is%20a%20method%20of,traffic%20to%20a%20fake%20site

#237

strategies to give the opposition party an advantage. Which of the following BEST describes these threat actors?

State actors

kiddies

Reference:

20a%20'Licence%20to%20Hack'.,incidents%20that%20have%20international%20significance

#238

website is not altered in transit or corrupted using a verified checksum?

Hashing

Integrity

signature
#240

chatbots it uses to interface and assist online shoppers. The system, which continuously learns and adapts, was working fine when it was
installed a few months ago. Which of the following BEST describes the method being used to exploit the system?

Baseline modification

A fileless virus

#241

Physically check each system.


An organization that has a large number of mobile devices is exploring enhanced security controls to manage unauthorized access if a device is

team alerted and server resources restricted on those devices. Which of the following controls should the organization implement?

Geofencing

Lockout

Reference:

20consists,for%20a%20promotion%20or%20coupon

#243

needed to meet the objective?

#244

range

protocols
likely use to capture this data?

honeypot

CVSS

#246

escrow

A self-signed certificate

chaining

#247

SIEM during this period of time. Which of the following BEST explains what happened?

#248

Which of the following is a risk that is specifically associated with hosting applications in the public cloud?

day
the analyst's review of the tactics, techniques, and protocols the threat actor was observed using in previous campaigns?

Reference:
https://www.rapid7.com/fundamentals/mitre-attack/

#250

An incident, which is affecting dozens of systems, involves malware that reaches out to an Internet service for rules and updates. The IP

and recovery actions. Which of the following sources of information would BEST support this solution?

cache

Antivirus
Question #251 Topic 1

DRAG DROP -
Leveraging the information supplied below, complete the CSR for the server to set up TLS (HTTPS).
✑ Hostname: ws01
✑ Domain: comptia.org
✑ IPv4: 10.1.9.50
✑ IPv4: 10.2.10.50
✑ Root: home.aspx
✑ DNS CNAME: homesite

INSTRUCTIONS -
Drag the various data points to the correct locations within the CSR. Extension criteria belong in the left-hand column and values belong in the
corresponding row in the right- hand column.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Select and Place:
cipher

Hashing

keys

#253

describes the type of testing the user should perform?

signing
the particular API call was to a legacy system running an outdated

forgery

Session replay

Shimming

#255

following types of physical security controls does this describe?

Cameras

Faraday

Sensors

Guards

#256

federation.

a remote access policy.

authentication.

single sign-on.

Reference:

20applications%20across%20various%20enterprises
length of time?

#258

Whaling

Pharming

#259

situations in the future?

injection

API

forgery

#261

achieve the administrator's goal?

two.)

Disabling guest accounts

Enabling NTLM

#262

of the following should the administrator implement to avoid disruption?

teaming

availability
installation of malicious software that initiates a new remote session. Which of the following types of attacks has occurred?

Privilege escalation

Session replay

#264

stretching

encryption

Reference:

20data%20is%20exposed

#265

Following a prolonged datacenter outage that affected web-based sales, a company has decided to move its operations to a private cloud
solution. The security team has received the following requirements:

Administrators need a single pane-of-glass view into traffic and trends.


Pulverizing

Shredding

Incinerating

Degaussing

Reference:

#267

AUP

ISA

#268

cannot disable the service on the servers, as

135

B. 139

143

161

E. 443

Reference:

port/#:~:text=SMB%20uses%20either%20IP%20port,top%20of%20a%20TCP%20stack
HSM

CASB

TPM

DLP

Reference:

#270

used?

Master managed service provider

#271

During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also

incident. Which of the following tools will BEST assist the analyst?
Public cloud

cloud

Fog computing

#273

should Ann use?

Checksums

repudiation

Legal hold

#274

would be the MOST efficient way for the analyst to meet the business requirements?
Business competitor

Hacktivist

kiddie

Reference:

#276

the payload. Which of the following services would BEST meet the criteria?

TLS

Reference:

#277

A network administrator is concerned about users being exposed to malicious content when accessing company cloud applications. The
administrator wants to be able to block access to sites based on the AUP. The users must also be protected because many of them work from

NAC.
Which of the following would be the BEST to use?

#279

seems to have been thwarted.

teaming

mirroring

availability

dispersal

#280

certification?

It allows for the sharing of digital forensics data across organizations.

It provides insurance in case of a data breach.

Reference:
https://www.iso.org/standard/54534.html
protocols

encryption

#282

about losses from data breaches.

method of operation.

have occurred.

#283

from home. Some of the requirements are:

installed.
Which of the following should the organization consult for the exact requirements for the cloud provider?

SLA

BPA

NDA

MOU

#285

Which of the following is the primary use case for this scenario?

#286

company resides. Which of the following authentication concepts are in use?


company to require from prospective vendors?

IP restrictions

authentication

#288

fastest recovery time while also saving the most amount of storage used to maintain the backups. Which of the following recovery solutions
would be the BEST option to meet these requirements?

Snapshot

Differential

Full

Tape

Reference:

#289

technical support. The caller convinced the office worker to visit a website, and then download and install a program masquerading as an antivirus

would be BEST to help prevent this type of attack in the future?

Segmentation

whitelisting

Quarantine
and software levels and to measure performance characteristics?

Test

Development

Production

#291

An organization regularly scans its infrastructure for missing security patches but is concerned about hackers gaining access to the scanner's
account. Which of the following would be BEST to minimize this risk while ensuring the scans are useful?

#292

use?

openssl

hping

netcat

tcpdump
its customers are in
Australia, Europe, and China. Payments for services are managed by a third party in the United Kingdom that specializes in payment gateways.

frameworks should the management team follow?

#294

#295

use to control the network traffic?

VPN

ACL
matrix

tolerance

register

appetite

#297

attack

injection

SSL stripping

conditions

#298

the following does the organization need to determine for this to be successful?

baseline
processor

requestor

provider

resource

referral

#300

and a third party through email.

TLS

Reference:
Question #301 Topic 1

SIMULATION -
A newly purchased corporate WAP needs to be configured in the MOST secure manner possible.

INSTRUCTIONS -
Please click on the below items on the network diagram and configure them accordingly:
• WAP
• DHCP Server
• AAA Server
• Wireless Controller
• LDAP Server
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Correct Answer: See explanation below.
Question #1
Despite having implemented password policies, users continue to set the same weak passwords and
reuse old passwords. Which of the following technical controls would help prevent these policy
violations? (Choose two.)

• A. Password expiration
• B. Password length
• C. Password complexity
• D. Password history
• E. Password lockout

Correct Answer: CD

Question #2
A security analyst is reviewing the following output from an IPS:

Given this output, which of the following can be concluded? (Choose two.)

• A. The source IP of the attack is coming from 250.19.18.22.
• B. The source IP of the attack is coming from 250.19.18.71.
• C. The attacker sent a malformed IGAP packet, triggering the alert.
• D. The attacker sent a malformed TCP packet, triggering the alert.
• E. The TTL value is outside of the expected range, triggering the alert.

Correct Answer: BC

Question #3
Which of the following types of keys is found in a key escrow?

• A. Public
• B. Private
• C. Shared
• D. Session

Correct Answer: B
Reference: https://www.professormesser.com/security-plus/sy0-401/key-escrow-3/

Question #4Topic 1
Which of the following would a security specialist be able to determine upon examination of a server's
certificate?

• A. CA public key
• B. Server private key
• C. CSR
• D. OID

Correct Answer: D

Question #5Topic 1
A security analyst is diagnosing an incident in which a system was compromised from an external IP
address. The socket identified on the firewall was traced to
207.46.130.0:6666. Which of the following should the security analyst do to determine if the
compromised system still has an active connection?

• A. tracert
• B. netstat
• C. ping
• D. nslookup

Correct Answer: B

Question #6Topic 1
Multiple organizations operating in the same vertical want to provide seamless wireless access for
their employees as they visit the other organizations. Which of the following should be implemented if
all the organizations use the native 802.1x client on their mobile devices?

• A. Shibboleth
• B. RADIUS federation
• C. SAML
• D. OAuth
• E. OpenID connect

Correct Answer: B
http://archive.oreilly.com/pub/a/wireless/2005/01/01/authentication.html

Question #7Topic 1
Which of the following BEST describes an important security advantage yielded by implementing
vendor diversity?

• A. Sustainability
• B. Homogeneity
• C. Resiliency
• D. Configurability
Correct Answer: C

Question #8Topic 1
In a corporation where compute utilization spikes several times a year, the Chief Information Officer
(CIO) has requested a cost-effective architecture to handle the variable capacity demand. Which of
the following characteristics BEST describes what the CIO has requested?

• A. Elasticity
• B. Scalability
• C. High availability
• D. Redundancy

Correct Answer: A
Elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning
and de-provisioning resources in an autonomic manner, such that at each point in time the available resources
match the current demand as closely as possible".

Question #9Topic 1
A security engineer is configuring a system that requires the X.509 certificate information to be pasted
into a form field in Base64 encoded format to import it into the system. Which of the following
certificate formats should the engineer use to obtain the information in the required format?

• A. PFX
• B. PEM
• C. DER
• D. CER

Correct Answer: B

Question #10Topic 1
Which of the following attacks specifically impact data availability?

• A. DDoS
• B. Trojan
• C. MITM
• D. Rootkit

Correct Answer: A
Reference: https://www.netscout.com/what-is-ddos

Question #11Topic 1
A security analyst is hardening a server with the directory services role installed. The analyst must
ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients.
Which of the following should the analyst implement to meet these requirements? (Choose two.)

• A. Generate an X.509-compliant certificate that is signed by a trusted CA.
• B. Install and configure an SSH tunnel on the LDAP server.
• C. Ensure port 389 is open between the clients and the servers using the communication.
• D. Ensure port 636 is open between the clients and the servers using the communication.
• E. Remove the LDAP directory service role from the server.

Correct Answer: AD

Question #12Topic 1
Which of the following threat actors is MOST likely to steal a company's proprietary information to
gain a market edge and reduce time to market?

• A. Competitor
• B. Hacktivist
• C. Insider
• D. Organized crime.

Correct Answer: A

Question #13Topic 1
A penetration tester is crawling a target website that is available to the public. Which of the following
represents the actions the penetration tester is performing?

• A. URL hijacking
• B. Reconnaissance
• C. White box testing
• D. Escalation of privilege

Correct Answer: B

Question #14Topic 1
Which of the following characteristics differentiate a rainbow table attack from a brute force attack?
(Choose two.)

• A. Rainbow table attacks greatly reduce compute cycles at attack time.
• B. Rainbow tables must include precomputed hashes.
• C. Rainbow table attacks do not require access to hashed passwords.
• D. Rainbow table attacks must be performed on the network.
• E. Rainbow table attacks bypass maximum failed login restrictions.

Correct Answer: BE

Question #15Topic 1
Which of the following best describes a routine in which semicolons, dashes, quotes, and commas are
removed from a string?

• A. Error handling to protect against program exploitation
• B. Exception handling to protect against XSRF attacks.
• C. Input validation to protect against SQL injection.
• D. Padding to protect against string buffer overflows.

Correct Answer: C
Question #16Topic 1
A security analyst wishes to increase the security of an FTP server. Currently, all traffic to the FTP
server is unencrypted. Users connecting to the FTP server use a variety of modern FTP client
software.
The security analyst wants to keep the same port and protocol, while also still allowing unencrypted
connections. Which of the following would BEST accomplish these goals?

• A. Require the SFTP protocol to connect to the file server.
• B. Use implicit TLS on the FTP server.
• C. Use explicit FTPS for connections.
• D. Use SSH tunneling to encrypt the FTP traffic.

Correct Answer: C

Question #17Topic 1
Which of the following explains why vendors publish MD5 values when they provide software patches
for their customers to download over the Internet?

• A. The recipient can verify integrity of the software patch.
• B. The recipient can verify the authenticity of the site used to download the patch.
• C. The recipient can request future updates to the software using the published MD5 value.
• D. The recipient can successfully activate the new software patch.

Correct Answer: A

Question #18Topic 1
Refer to the following code:

Which of the following vulnerabilities would occur if this is executed?

• A. Page exception
• B. Pointer dereference
• C. NullPointerException
• D. Missing null check

Correct Answer: D

Question #19Topic 1
Multiple employees receive an email with a malicious attachment that begins to encrypt their hard
drives and mapped shares on their devices when it is opened.
The network and security teams perform the following actions:
✑ Shut down all network shares.
✑ Run an email search identifying all employees who received the malicious message.
✑ Reimage all devices belonging to users who opened the attachment.
Next, the teams want to re-enable the network shares. Which of the following BEST describes this
phase of the incident response process?

• A. Eradication
• B. Containment
• C. Recovery
• D. Lessons learned

Correct Answer: C

Question #20Topic 1
An organization has determined it can tolerate a maximum of three hours of downtime. Which of the
following has been specified?

• A. RTO
• B. RPO
• C. MTBF
• D. MTTR

Correct Answer: A

Question #24Topic 1
Which of the following types of cloud infrastructures would allow several organizations with similar
structures and interests to realize the benefits of shared storage and resources?

• A. Private
• B. Hybrid
• C. Public
• D. Community

Correct Answer: D

Question #25Topic 1
A company is currently using the following configuration:
✑ IAS server with certificate-based EAP-PEAP and MSCHAP
✑ Unencrypted authentication via PAP
A security administrator needs to configure a new wireless setup with the following configurations:
✑ PAP authentication method
✑ PEAP and EAP provide two-factor authentication
Which of the following forms of authentication are being used? (Choose two.)

• A. PAP
• B. PEAP
• C. MSCHAP
• D. PEAP-MSCHAP
• E. EAP
• F. EAP-PEAP
Correct Answer: AC

Question #26Topic 1
An auditor wants to test the security posture of an organization by running a tool that will display the
following:

Which of the following commands should be used?

• A. nbtstat
• B. nc
• C. arp
• D. ipconfig

Correct Answer: A

Question #27Topic 1
A company determines that it is prohibitively expensive to become compliant with new credit card
regulations. Instead, the company decides to purchase insurance to cover the cost of any potential
loss. Which of the following is the company doing?

• A. Transferring the risk
• B. Accepting the risk
• C. Avoiding the risk
• D. Migrating the risk

Correct Answer: A

Question #28Topic 1
A company is using a mobile device deployment model in which employees use their personal
devices for work at their own discretion. Some of the problems the company is encountering include
the following:
✑ There is no standardization.
✑ Employees ask for reimbursement for their devices.
✑ Employees do not replace their devices often enough to keep them running efficiently.
✑ The company does not have enough control over the devices.
Which of the following is a deployment model that would help the company overcome these
problems?

• A. BYOD
• B. VDI
• C. COPE
• D. CYOD

Correct Answer: D
Question #29Topic 1
A botnet has hit a popular website with a massive number of GRE-encapsulated packets to perform a
DDoS attack. News outlets discover a certain type of refrigerator was exploited and used to send
outbound packets to the website that crashed. To which of the following categories does the
refrigerator belong?

• A. SoC
• B. ICS
• C. IoT
• D. MFD

Correct Answer: C

Question #30Topic 1
Users report the following message appears when browsing to the company's secure site: This
website cannot be trusted. Which of the following actions should a security analyst take to resolve
these messages? (Choose two.)

• A. Verify the certificate has not expired on the server.
• B. Ensure the certificate has a .pfx extension on the server.
• C. Update the root certificate into the client computer certificate store.
• D. Install the updated private key on the web server.
• E. Have users clear their browsing history and relaunch the session.

Correct Answer: AC

Question #31Topic 1
When trying to log onto a company's new ticketing system, some employees receive the following
message: Access denied: too many concurrent sessions. The ticketing system was recently installed
on a small VM with only the recommended hardware specifications. Which of the following is the
MOST likely cause for this error message?

• A. Network resources have been exceeded.
• B. The software is out of licenses.
• C. The VM does not have enough processing power.
• D. The firewall is misconfigured.

Correct Answer: C

Question #32Topic 1
Joe, an employee, wants to show his colleagues how much he knows about smartphones. Joe
demonstrates a free movie application that he installed from a third party on his corporate
smartphone. Joe's colleagues were unable to find the application in the app stores. Which of the
following allowed Joe to install the application? (Choose two.)

• A. Near-field communication
• B. Rooting/jailbreaking
• C. Ad-hoc connections
• D. Tethering
• E. Sideloading

Correct Answer: BE

Question #33 (Topic 1)
Which of the following can be provided to an AAA system for the identification phase?

• A. Username
• B. Permissions
• C. One-time token
• D. Private certificate

Correct Answer: A

Question #34 (Topic 1)
Which of the following implements two-factor authentication?

• A. A phone system requiring a PIN to make a call
• B. An ATM requiring a credit card and PIN
• C. A computer requiring username and password
• D. A datacenter mantrap requiring fingerprint and iris scan

Correct Answer: B

Question #35 (Topic 1)
Malicious traffic from an internal network has been detected on an unauthorized port on an
application server.
Which of the following network-based security controls should the engineer consider implementing?

• A. ACLs
• B. HIPS
• C. NAT
• D. MAC filtering

Correct Answer: A

Question #36 (Topic 1)
A network administrator wants to implement a method of securing internal routing. Which of the
following should the administrator implement?

• A. DMZ
• B. NAT
• C. VPN
• D. PAT

Correct Answer: C

Question #37 (Topic 1)
A security administrator is developing controls for creating audit trails and for tracking access in the event
of a PHI data breach. The administrator has been given the following requirements:
✑ All access must be correlated to a user account.
✑ All user accounts must be assigned to a single individual.
✑ User access to the PHI data must be recorded.
✑ Anomalies in PHI data access must be reported.
✑ Logs and records cannot be deleted or modified.
Which of the following should the administrator implement to meet the above requirements? (Choose
three.)

• A. Eliminate shared accounts.
• B. Create a standard naming convention for accounts.
• C. Implement usage auditing and review.
• D. Enable account lockout thresholds.
• E. Copy logs in real time to a secured WORM drive.
• F. Implement time-of-day restrictions.
• G. Perform regular permission audits and reviews.

Correct Answer: ACE

Question #38 (Topic 1)
Which of the following encryption methods does PKI typically use to securely protect keys?

• A. Elliptic curve
• B. Digital signatures
• C. Asymmetric
• D. Obfuscation

Correct Answer: C

Question #39 (Topic 1)
An organization is using a tool to perform a source code review. Which of the following describes the
case in which the tool incorrectly identifies the vulnerability?

• A. False negative
• B. True negative
• C. False positive
• D. True positive

Correct Answer: C

Question #40
A department head at a university resigned on the first day of the spring semester. It was
subsequently determined that the department head deleted numerous files and directories from the
server-based home directory while the campus was closed. Which of the following policies or
procedures could have prevented this from occurring?

• A. Time-of-day restrictions
• B. Permission auditing and review
• C. Offboarding
• D. Account expiration

Correct Answer: C

Question #41
A database backup schedule consists of weekly full backups performed on Saturday at 12:00 a.m.
and daily differential backups also performed at 12:00 a.m. If the database is restored on Tuesday
afternoon, which of the following is the number of individual backups that would need to be applied to
complete the database recovery?

• A. 1
• B. 2
• C. 3
• D. 4

Correct Answer: B

Question #42
Which of the following security controls does an iris scanner provide?

• A. Logical
• B. Administrative
• C. Corrective
• D. Physical
• E. Detective
• F. Deterrent

Correct Answer: D

Question #43
As part of a new industry regulation, companies are required to utilize secure, standardized OS
settings. A technician must ensure the OS settings are hardened.
Which of the following is the BEST way to do this?

• A. Use a vulnerability scanner.
• B. Use a configuration compliance scanner.
• C. Use a passive, in-line scanner.
• D. Use a protocol analyzer.

Correct Answer: B

Question #44
A user has attempted to access data at a higher classification level than the user's account is
currently authorized to access. Which of the following access control models has been applied to this
user's account?

• A. MAC
• B. DAC
• C. RBAC
• D. ABAC

Correct Answer: A

Question #45
A security consultant discovers that an organization is using the PCL protocol to print documents,
utilizing the default driver and print settings. Which of the following is the MOST likely risk in this
situation?

• A. An attacker can access and change the printer configuration.
• B. SNMP data leaving the printer will not be properly encrypted.
• C. An MITM attack can reveal sensitive information.
• D. An attacker can easily inject malicious code into the printer firmware.
• E. Attackers can use the PCL protocol to bypass the firewall of client computers.

Correct Answer: B

Question #46
An organization finds that most help desk calls are regarding account lockout due to a variety of
applications running on different systems. Management is looking for a solution to reduce the number
of account lockouts while improving security. Which of the following is the BEST solution for this
organization?

• A. Create multiple application accounts for each user.
• B. Provide secure tokens.
• C. Implement SSO.
• D. Utilize role-based access control.

Correct Answer: C

Question #47
A user suspects someone has been accessing a home network without permission by spoofing the
MAC address of an authorized system. While attempting to determine if an authorized user is logged
into the home network, the user reviews the wireless router, which shows the following table for
systems that are currently on the home network.

Which of the following should be the NEXT step to determine if there is an unauthorized user on the
network?

• A. Apply MAC filtering and see if the router drops any of the systems.
• B. Physically check each of the authorized systems to determine if they are logged onto the network.
• C. Deny the "unknown" host because the hostname is not known and MAC filtering is not applied
to this host.
• D. Conduct a ping sweep of each of the authorized systems and see if an echo response is received.

Correct Answer: B

Question #48
When performing data acquisition on a workstation, which of the following should be captured based
on memory volatility? (Choose two.)

• A. USB-attached hard disk
• B. Swap/pagefile
• C. Mounted network storage
• D. ROM
• E. RAM

Correct Answer: BE

Question #49
Ann, a security administrator, has been instructed to perform fuzz-based testing on the company's
applications.
Which of the following best describes what she will do?

• A. Enter random or invalid data into the application in an attempt to cause it to fault
• B. Work with the developers to eliminate horizontal privilege escalation opportunities
• C. Test the applications for the existence of built-in back doors left by the developers
• D. Hash the application to verify it won't cause a false positive on the HIPS

Correct Answer: A

Question #50
An attacker compromises a public CA and issues unauthorized X.509 certificates for Company.com.
In the future, Company.com wants to mitigate the impact of similar incidents. Which of the following
would assist Company.com with its goal?

• A. Certificate pinning
• B. Certificate stapling
• C. Certificate chaining
• D. Certificate with extended validation

Correct Answer: A

Question #51
A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To
recover the domain controller, the systems administrator needs to provide the domain administrator
credentials. Which of the following account types is the systems administrator using?

• A. Shared account
• B. Guest account
• C. Service account
• D. User account

Correct Answer: C

Question #52
A security administrator has found a hash in the environment known to belong to malware. The
administrator then finds this file in the pre-update area of the OS, which indicates it was
pushed from the central patch system.
File: winx86_adobe_flash_upgrade.exe
Hash: 99ac28bede43ab869b853ba62c4ea243
The administrator pulls a report from the patch management system with the following output:

Given the above outputs, which of the following MOST likely happened?

• A. The file was corrupted after it left the patch system.
• B. The file was infected when the patch manager downloaded it.
• C. The file was not approved in the application whitelist system.
• D. The file was embedded with a logic bomb to evade detection.

Correct Answer: B

Question #53
A network administrator at a small office wants to simplify the configuration of mobile clients
connecting to an encrypted wireless network. Which of the following should be implemented if the
administrator does not want to provide the wireless password or the certificate to the employees?

• A. WPS
• B. 802.1x
• C. WPA2-PSK
• D. TKIP

Correct Answer: A

Question #54
When connected to a secure WAP, which of the following encryption technologies is MOST likely to
be configured when connecting to WPA2-PSK?

• A. DES
• B. AES
• C. MD5
• D. WEP

Correct Answer: B

Question #55
A company has a data classification system with definitions for `Private` and `Public`. The company's
security policy outlines how data should be protected based on type. The company recently added
the data type `Proprietary`.
Which of the following is the MOST likely reason the company added this data type?

• A. Reduced cost
• B. More searchable data
• C. Better data classification
• D. Expanded authority of the privacy officer

Correct Answer: C

Question #56
When configuring settings in a mandatory access control environment, which of the following
specifies the subjects that can access specific data objects?

• A. Owner
• B. System
• C. Administrator
• D. User

Correct Answer: C

Question #57
A high-security defense installation recently began utilizing large guard dogs that bark very loudly and
excitedly at the slightest provocation. Which of the following types of controls does this BEST
describe?

• A. Deterrent
• B. Preventive
• C. Detective
• D. Compensating

Correct Answer: A

Question #58
A company's user lockout policy is enabled after five unsuccessful login attempts. The help desk
notices a user is repeatedly locked out over the course of a workweek. Upon contacting the user, the
help desk discovers the user is on vacation and does not have network access. Which of the
following types of attacks are MOST likely occurring? (Select two.)

• A. Replay
• B. Rainbow tables
• C. Brute force
• D. Pass the hash
• E. Dictionary

Correct Answer: CE

Question #59
Ann, an employee in the payroll department, has contacted the help desk citing multiple issues with
her device, including:
✑ Slow performance
✑ Word documents, PDFs, and images no longer opening
✑ A pop-up
Ann states the issues began after she opened an invoice that a vendor emailed to her. Upon opening
the invoice, she had to click several security warnings to view it in her word processor. With which of
the following is the device MOST likely infected?

• A. Spyware
• B. Crypto-malware
• C. Rootkit
• D. Backdoor

Correct Answer: D
Question #60
A security administrator is hardening a TrustedSolaris server that processes sensitive data. The data owner has established the following security
requirements:

SELinux

DLP

HIDS

boot

Watermarking

Question #61
An SQL database is no longer accessible online due to a recent security breach. An investigation reveals that unauthorized access to the database
was possible due to an SQL injection vulnerability. To prevent this type of breach in the future, which of the following security controls should be
put in place before bringing the database back online? (Choose two.)

validation

Question #62
organizations. Which of the following is required in this scenario?

ISA

BIA

SLA

RA
Question #63

Question #64
social engineering to be conducted during this engagement?

Simulating an illness while at a client location for a sales call and then recovering once listening devices are installed
Question #65
public Internet:

Question #66
Two new technical SMB security settings have been enforced and have also become policies that increase secure communications.
Network Client: Digitally sign communication

A storage administrator in a remote location with a legacy storage array, which contains time-sensitive data, reports employees can no longer

owner?

device can be upgraded

risk exception for the use of cloud storage

Question #67
Which of the following solutions BEST balances security requirements with business need?
Question #68
A systems security engineer is assisting an organization's market survey team in reviewing requirements for an upcoming acquisition of
mobile devices. The engineer expresses concerns to the survey team about a particular class of devices that uses a separate SoC for baseband
radio I/O. For which of the following reasons is the engineer concerned?

routines

Question #69
following should the organization consider implementing along with VLANs to provide a greater level of segmentation?

Elastic load balancing
