CYSA+ Pre-Assessment
Due: No due date
Points: 90
Allowed Attempts: Unlimited
Questions: 90
Time Limit: 90 Minutes

Instructions: This is a non-graded assessment, but its completion will count towards your participation grade. Complete to the best of your ability.

Attempt History
Attempt 4 (LATEST): 85 minutes, 32 out of 90
Attempt 3 (KEPT): 77 minutes, 57 out of 90
Attempt 2: 90 minutes, 32 out of 90
Attempt 1: 64 minutes, 31.5 out of 90
Submitted Jul 19 at 11am

Question 1 (1 / 1 pts)
In a meeting, another cybersecurity analyst was making the point that social media can present a threat to the users in an organization. Which of the following web attacks is NOT easier to carry out when the website is a social media website?
Buffer overflows
Correct! Privilege escalation
XSS
Code injection

Question 2 (1 / 1 pts)
You are your company's security analyst. As part of your job duties, you must configure the company's vulnerability management solution to perform credentialed scans of certain servers. Which permissions should you assign the account used for the vulnerability scans?
Full control
Correct! Read only
Write only
Modify

Question 3 (1 / 1 pts)
Lately, you have become concerned that certain types of traffic that should be encrypted on the network are not in fact encrypted. An associate explains that you need to perform packet capture to assess the breadth of this problem. Which of the following tools would allow you to do this?
Correct! Wireshark
IDS
IPS
HIDS

Question 4 (1 / 1 pts)
You have been capturing packets to troubleshoot a network issue. The exhibit shows an excerpt of some of the packets captured. Which of the following statements is TRUE about packet number 36 (highlighted in blue)?
Only the ACK flag is set.
The packet came from 192.168.0.2.
The source port is 3197.
Correct! The packet is a response from a web server.
Question 5 (0 / 1 pts)
The organization has a web server that needs to be available to all traffic on the Internet. It needs to be placed where access to external traffic can occur without authentication, but external access to the internal LAN cannot. In which of the following should it be placed?
WAN
LAN
Correct Answer: DMZ
You Answered: Extranet

Question 6 (0 / 1 pts)
Which of the following is also referred to as closed or black box testing?
You Answered: Target test
Partial-knowledge test
Full-knowledge test
Correct Answer: Zero-knowledge test

Question 7 (1 / 1 pts)
Which of the following is NOT a responsibility of management during the creation of an incident response plan?
Correct! Coordinate with legal to prepare media responses and internal communications regarding incidents.
Communicate the importance of the incident response plan to all parts of the organization.
Create decision systems for determining when key systems must be removed from the network.
Create agreements detailing the authority of the IR team to take over business systems if necessary.

Question 8 (0 / 1 pts)
A team is working to design the information security vulnerability management process for a large company. They have identified all the requirements for this process. What is the next step that they should complete?
You Answered: Execute the vulnerability scan.
Generate reports.
Configure the tools to perform the vulnerability scan.
Correct Answer: Establish scanning frequency.

Question 9 (0 / 1 pts)
You are working with a new security analyst on a recent non-credentialed Nessus vulnerability scan. You need to document the number of devices that are impacted by a particular vulnerability. The new security analyst does not know how to obtain this information. Which of the following should you instruct the analyst to obtain?
Credentialed scan
Correct Answer: Vulnerabilities Grouped by Plugin
You Answered: Suggested Remediations
Vulnerabilities Grouped by Host

Question 10 (0 / 1 pts)
The team has been assigned to perform host hardening of the servers in the sales domain. Which of the following activities would NOT be a part of this goal?
You Answered: Updating security patches
Removing unneeded applications
Correct Answer: Using encryption for all transmissions
Closing all but required ports

Question 11 (1 / 1 pts)
Which of the following roles in the incident response process is responsible for recognizing, identifying, and reacting to incidents, and for providing support in analyzing those incidents when an incident occurs or is discovered?
Law enforcement
Management
Correct! Technical
Marketing

Question 12 (1 / 1 pts)
Which of the following is a technique that can be used to run a possibly malicious program in a safe environment so it does not infect the local system?
System isolation
Decomposition
Network segmentation
Correct! Sandboxing

Question 13 (0 / 1 pts)
While analyzing network traffic as a security consultant, you discover an appliance that is installed at the company's network perimeter. This appliance is used to avert attacks and alert administrators. Which product did you most likely encounter?
AlienVault
Imperva
Correct Answer: Sourcefire
You Answered: Nmap

Question 14 (1 / 1 pts)
During a data classification meeting, someone mentions a type of data covered by PCI-DSS. What type of data is this?
corporate confidential
intellectual property
PHI
Correct! credit card data

Question 15 (1 / 1 pts)
As a security analyst, you need to assess the passwords used by your users. Which tool should you use?
Correct! John the Ripper
MD5sum
DD
SHAsum

Question 16 (1 / 1 pts)
During the containment stage of incident recovery, which operation is implemented by shutting the device down?
reverse engineering
Correct! removal
segmentation
isolation

Question 17 (1 / 1 pts)
Several weeks ago, the network suffered a DoS attack, and the database server was down for two hours. Analysts were slowed during the investigation by the need to access the local logs of the database server, routers, and switches in the network. You would like to suggest a solution that would centralize these logs in one place. Which two options are available? (Choose two.)
Packet analyzer
MBSA
Correct! SIEM system
Correct! Syslog server
WSUS server

Question 18 (1 / 1 pts)
Which of the following is a technique that can be used to run a possibly malicious program in a safe environment so it does not infect the local system?
Decomposition
System isolation
Correct! Sandboxing
Network segmentation

Question 19 (0 / 1 pts)
The cyber team just returned from a security conference where they learned about the value of determining the MTD for each asset. They have made these determinations. Now they are creating realistic goals for recovering these assets in the event they go down. What determination are they now making?
WRT
MTBF
You Answered: RPO
Correct Answer: RTO

Question 20 (0 / 1 pts)
As a security analyst, you assess your company's current enterprise against several NIST standards for IT security. As a result of the assessment, you determine that several security controls need to be implemented. After providing your recommendations to management, you discover that three non-compliant systems must remain in their current configuration for business reasons. However, these three systems will be completely removed from the enterprise in six months. You need to ensure that these cases are documented appropriately. What should you do?
Prepare a remediation plan whereby these systems are remediated within the next six months.
Implement a configuration management process whereby these configurations are documented and tracked.
You Answered: Implement a change management process whereby these changes are documented and tracked.
Correct Answer: Implement an exception management process whereby these systems are documented and tracked.

Question 21 (0 / 1 pts)
The company is performing a risk assessment to assess its risk to a social engineering attack. You have been assigned the task of assessing the possibility of all types of these attacks. Which of the following attacks will NOT be of concern to you as part of the current assessment?
Piggybacking
You Answered: Phishing
Correct Answer: XSS
Whaling

Question 22 (0 / 1 pts)
After completing a vulnerability scan, John received a report that no vulnerabilities existed on a Windows workstation. Later, John discovered that the workstation had a vulnerability in the operating system that was not caught. What type of error occurred?
Correct Answer: False negative
You Answered: False positive
True negative
True positive

Question 23 (1 / 1 pts)
While assisting a senior cyber security technician, you observe him using a tool that allows him to identify specific conversations in the network. He explains that each "conversation" is unique based on various characteristics including the following:
Source MAC address
Destination MAC address
IP source address
IP destination address
Source port
Destination port
What type of analysis is the technician performing?
Heuristic analysis
Anomaly analysis
Correct! NetFlow analysis
Trend analysis

Question 24 (1 / 1 pts)
A new version of a web application has been developed. The software development team is injecting invalid or unexpected input into the application to test how the application reacts. Which type of testing are they performing?
Using an interception proxy to crawl the application
Correct! Fuzzing
Web app vulnerability scanning
Static code analysis

Question 25 (1 / 1 pts)
As a cybersecurity analyst, you have been assigned the job of performing a vulnerability assessment of the network.
As a part of this process, you ping all IP addresses in a subnet. Which of the following steps in reconnaissance are you performing?
Social media profiling
Correct! Topology discovery
Service discovery
DNS harvesting

Question 26 (1 / 1 pts)
Users at a company report that computers are suddenly acting strangely. An IT engineer suspects persistent malicious activity. Which areas does the engineer investigate? Select all that apply.
Failed logins
Correct! Scheduled tasks
Disabled devices
Correct! Cron jobs

"Persistent" refers to an event that continues or is recurring. On a Windows system, IT should investigate scheduled tasks. Task Scheduler may reveal an unauthorized task that routinely runs. A cron job is a task on a Linux system. If the system experiences routine issues, it is possible that an unauthorized cron job may be executing. Disabled devices may be a sign of malicious activity. The disabled devices themselves are not persistent; however, the method that an attacker may use to disable them might be. Failed logins are not a persistent type of attack. A persistent attack is one that presents itself routinely, such as a malicious executable that runs every time a user starts the system.
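The distinction in Question 9 between the "grouped by plugin" and "grouped by host" views is easiest to see when the scan export is processed directly. The following Python is an added example, not part of the quiz and not Nessus code: it parses a constructed excerpt in the column layout of a Nessus CSV export (the plugin IDs, names and hosts are illustrative, not from a real scan) and counts distinct affected hosts per plugin, which is the number Question 9 asks the analyst to document. A host that shows the same finding on two ports is counted once, because the question asks about devices, not open ports.

```python
"""Hosts affected per finding, computed from a Nessus-style CSV export.

Added example; the CSV excerpt below is constructed for illustration and
follows the column layout of a Nessus .csv export (plugin IDs, names and
hosts are illustrative, not taken from a real scan).
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict

SAMPLE_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
10114,CVE-1999-0524,2.1,Low,10.0.0.11,icmp,0,ICMP Timestamp Request Remote Date Disclosure
10114,CVE-1999-0524,2.1,Low,10.0.0.12,icmp,0,ICMP Timestamp Request Remote Date Disclosure
57582,,5.0,Medium,10.0.0.11,tcp,443,SSL Self-Signed Certificate
57582,,5.0,Medium,10.0.0.11,tcp,8443,SSL Self-Signed Certificate
57582,,5.0,Medium,10.0.0.13,tcp,443,SSL Self-Signed Certificate
"""

RISK_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def parse_nessus_csv(text: str) -> list[dict]:
    """One dict per row; a host with the same plugin on two ports yields two rows."""
    return list(csv.DictReader(io.StringIO(text)))


def group_by_plugin(rows: list[dict]) -> dict[str, dict]:
    """'Vulnerabilities Grouped by Plugin' view: distinct hosts per plugin.

    The same host listed on two ports counts once, so the count reflects
    devices rather than open ports."""
    groups: dict[str, dict] = {}
    for r in rows:
        g = groups.setdefault(
            r["Plugin ID"], {"name": r["Name"], "risk": r["Risk"], "hosts": set()}
        )
        g["hosts"].add(r["Host"])
    return groups


def group_by_host(rows: list[dict]) -> dict[str, set]:
    """'Vulnerabilities Grouped by Host' view: which plugins fired on each device."""
    by_host: dict[str, set] = defaultdict(set)
    for r in rows:
        by_host[r["Host"]].add(r["Plugin ID"])
    return dict(by_host)


def affected_host_count(rows: list[dict], plugin_id: str) -> int:
    """The number Question 9 asks for: devices impacted by one finding."""
    return len(group_by_plugin(rows).get(plugin_id, {"hosts": set()})["hosts"])


def remediation_order(rows: list[dict]) -> list[tuple[str, str, int]]:
    """Plugins sorted by risk rating, then by how many devices they affect."""
    groups = group_by_plugin(rows)
    return sorted(
        ((pid, g["name"], len(g["hosts"])) for pid, g in groups.items()),
        key=lambda t: (RISK_ORDER.get(groups[t[0]]["risk"], 0), t[2]),
        reverse=True,
    )


if __name__ == "__main__":
    rows = parse_nessus_csv(SAMPLE_CSV)
    for pid, name, n in remediation_order(rows):
        print(f"{pid:>6}  {n} host(s)  {name}")
```

Run it as a script to print the per-plugin host counts in remediation order; in practice the export comes from the scanner's CSV download rather than the inline string.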
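The six characteristics listed in Question 23 are the key a flow collector uses to tell one conversation from another. The following Python is an added example, not part of the quiz or of any NetFlow product: it builds that key from constructed packet records (the MAC and IP addresses, ports and sizes are made up) and normalises it so that both directions of an exchange fall into one flow record, then totals packets and bytes per conversation and per direction, which is how a flow tool presents a "conversation".

```python
"""NetFlow-style conversation grouping over packet records.

Added example; the packet records below are constructed, not from a real
capture. A conversation is keyed on the six fields Question 23 lists
(source/destination MAC, source/destination IP, source/destination port),
with the key normalised so both directions of an exchange land in the same
flow record, as a flow collector reports them.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    size: int  # bytes on the wire


def flow_key(p: Packet) -> tuple:
    """Canonical 6-tuple: order the two endpoints so A->B and B->A share a key."""
    a = (p.src_mac, p.src_ip, p.src_port)
    b = (p.dst_mac, p.dst_ip, p.dst_port)
    return (a, b) if a <= b else (b, a)


def summarise_flows(packets: list[Packet]) -> dict[tuple, dict]:
    """Per-conversation packet and byte counts, with bytes split by direction."""
    flows: dict[tuple, dict] = defaultdict(
        lambda: {"packets": 0, "bytes": 0, "fwd_bytes": 0, "rev_bytes": 0}
    )
    for p in packets:
        key = flow_key(p)
        rec = flows[key]
        rec["packets"] += 1
        rec["bytes"] += p.size
        # "forward" is the direction sent by the first endpoint in the key
        if key[0] == (p.src_mac, p.src_ip, p.src_port):
            rec["fwd_bytes"] += p.size
        else:
            rec["rev_bytes"] += p.size
    return dict(flows)


def top_talkers(flows: dict[tuple, dict], n: int = 3) -> list[tuple[tuple, dict]]:
    """Conversations by total bytes, descending: the usual first cut when hunting a noisy host."""
    return sorted(flows.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


# Constructed capture: a workstation fetches a page over HTTPS and makes one DNS lookup.
WS_MAC, GW_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:fe"
SAMPLE = [
    Packet(WS_MAC, GW_MAC, "192.168.1.10", "203.0.113.5", 49152, 443, 74),
    Packet(GW_MAC, WS_MAC, "203.0.113.5", "192.168.1.10", 443, 49152, 1514),
    Packet(GW_MAC, WS_MAC, "203.0.113.5", "192.168.1.10", 443, 49152, 1514),
    Packet(WS_MAC, GW_MAC, "192.168.1.10", "203.0.113.5", 49152, 443, 66),
    Packet(WS_MAC, GW_MAC, "192.168.1.10", "192.168.1.1", 51000, 53, 80),
    Packet(GW_MAC, WS_MAC, "192.168.1.1", "192.168.1.10", 53, 51000, 120),
]

if __name__ == "__main__":
    for key, rec in top_talkers(summarise_flows(SAMPLE)):
        (mac_a, ip_a, port_a), (mac_b, ip_b, port_b) = key
        print(f"{ip_a}:{port_a} <-> {ip_b}:{port_b}  {rec['packets']} pkts  {rec['bytes']} bytes")
```

Six packets collapse into two conversations; the fwd/rev split is what lets an analyst see, for example, a client that sends far more than it receives.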
Question 27 (1 / 1 pts)
It is important to assess sources when adding information to a data set. Considering threat intelligence, this data is likely to derive from external sources. Which factor is key in disseminating updates?
Relevancy
Accuracy
Correct! Timeliness
Confidence levels

Threats diminish, change, and evolve. Once an analyst identifies an adversary group in a report, the adversary is likely to try to disguise future activities and adopt different tactics. Assessing whether an intelligence source can research and disseminate updates in a timely manner is key. When publishing analyst observations or data points, the act of publishing lends the point a certain authority. It is usually appropriate to temper that authority by grading the data or analysis on some scale between reliable and unreliable (confidence levels). An admin should assess whether the intelligence a source produces is relevant. For example, a threat intelligence source that focuses on Windows security is of limited use if systems are Linux-based. In one sense, accuracy means showing that the information produced is true and validated. Accuracy can also refer to whether the intelligence is of a general or specific nature.

Question 28 (0 / 1 pts)
Evaluate the possibilities and determine which stage an attacker uses a value system to target data.
Concealment
Correct Answer: Action on objectives
Maintain access
You Answered: Strengthen access

Once attackers have enough permissions to assets of interest, they will use tools to covertly copy or modify the data or target system, depending on their motive. This is known as action on objectives. To strengthen access, attackers use malware to identify and infect other systems, possibly of higher value (such as moving from a workstation to a server). When enabling concealment, attackers may choose to maintain access but put any malicious tools into a dormant mode to avoid detection. To maintain access, the malware will install some type of remote access trojan (RAT) to give the adversary a command and control mechanism over the victim machine.

Question 29 (0 / 1 pts)
Cybersecurity analysts are considering a feasible approach to restoring a compromised cloud-based virtual machine. All systems are based on templates. Which approach do the analysts utilize?
You Answered: Reconstitution
Sanitization
Correct Answer: Reimage
Containment

In circumstances where sanitization is possible, analysts will be able to reimage. Reimaging enables analysts to reconstruct the drive from a known clean image or backup after an admin sanitizes it. In circumstances where sanitization and then reconstruction or reimaging of the system is not possible (perhaps where it is necessary to recover data, or an up-to-date image of the specific system configuration is not available), analysts will need to reconstitute the resource manually. Sanitization purges data from the device but does not damage the storage medium itself. Containment is an approach used to isolate a contaminated system or incident from other healthy systems.

Question 30 (1 / 1 pts)
A developer discovers an overflow vulnerability in some software code. The developer describes the problem as a heap overflow. Evaluate the given descriptions and determine which describes this overflow type.
Directly dependent on the order and timing of certain events
An area within a stack frame used to store a variable
Defined with fixed lower and upper bounds
Correct! Overwrite variables and possibly allow arbitrary code execution

A heap is an area of memory an application allocates during execution to store variables. The heap can store larger amounts of data than the stack, and heap variables are globally accessible to the process. A heap overflow can overwrite those variables and possibly allow arbitrary code execution. Many buffer overflow attacks target the stack. A stack frame is an area of memory used by a function within the program. It includes a return address, which is the location in the calling function at which execution resumes when the called function returns. A buffer is an area within a stack frame used to store a variable. An integer is a whole number, positive or negative. Systems widely use integers as a data type, commonly defining them with fixed lower and upper bounds. An integer overflow attack causes the target software to calculate a value that exceeds these bounds. Race conditions occur when the outcome of execution is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.

Question 31 (0 / 1 pts)
A security analyst for a technology firm needs to attempt password recovery on a system. The analyst utilizes a tool that takes advantage of Graphics Processor Units (GPUs) for a brute force approach. Which tool does the analyst use?
Pixie Dust
Correct Answer: Hashcat
You Answered: Reaver
Responder

Hashcat is a password recovery tool when its use is benign; used maliciously, it is a password cracking tool. At one point in its development, Hashcat was rewritten to take advantage of the processing power available in graphics processing units (GPUs). Reaver exploits the Wi-Fi Protected Setup (WPS) mechanism. WPS simplifies the process for clients to join a wireless network protected by a pre-shared key. Reaver has an offline attack (referred to as Pixie Dust) that exploits an implementation fault in some access point models. Responder is a man-in-the-middle type of tool that exploits name resolution on Windows networks.

Question 32 (0 / 1 pts)
An engineer implements a cloud-based data repository. Which issue relates to the data's credibility?
Correct Answer: Data integrity
Data sovereignty
You Answered: Data encryption
Data privacy

Data integrity refers to ensuring the credibility of data. With data integrity, the engineer uses validation methods to verify that there is no alteration or corruption of the data. Data sovereignty refers to a jurisdiction that prevents or restricts processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data privacy refers to protecting data so that it is not exposed or used outside its intended purpose. Data encryption is a method of safeguarding information so that it is not accessible or viewable by unauthorized parties.

Question 33 (1 / 1 pts)
A systems engineer wishes to improve a development environment. The goal is for developers to implement within a virtualized environment. Which solution does the engineer deploy?
Correct! Docker
Ansible
Puppet
Github

Docker is an open platform for developing, shipping, running, and deploying applications quickly, using container-based virtualization. Ansible is an orchestration tool that does not use agents; instead, the master connects to client machines over SSH. Ansible configuration files (playbooks) are written in YAML. GitHub is a service that allows developers to share code and collaborate on apps. Both public and private code repositories are available. Puppet is an orchestration tool that requires the installation of a master server and a client agent on target nodes, and includes an option for a standalone client. Puppet caters more to traditional operations teams.

Question 34 (0 / 1 pts)
A security firm conducts a process of risk identification and assessment. Using NIST's Managing Information Security Risk principles as a guide, which area does the firm outline that identifies eliminating negative change as an overall goal?
Assess
Correct Answer: Monitor
You Answered: Respond
Frame

The monitor component evaluates the effectiveness of risk response measures and identifies changes that could affect risk management processes. The assess component identifies and prioritizes business processes/workflows. The analyst performs a systems assessment to determine which IT assets and procedures support these workflows. The respond component mitigates each risk factor through the deployment of managerial, operational, and technical security controls. The frame component establishes a strategic risk management framework, supported by decision-makers at the top tier of the organization. The risk frame sets an overall goal for the degree of risk tolerated and demarcates responsibilities.

Question 35 (0 / 1 pts)
A systems administrator for a large corporation is reviewing security settings on Windows PCs after a small malware incident. After finishing the review, the administrator establishes a group policy that prevents users from using any executables on a system, except within specifically designated folders. Which policies does the administrator implement? Select all that apply.
Correct Answer: AppLocker
Windows Defender Application Control
Correct! You Answered: Software restriction policies
Execution control

Software restriction policies (SRP) are available for most versions and editions of Windows. The admin can configure SRP as a group policy object (GPO) to whitelist file system locations from which executables and scripts can launch. AppLocker improves on the configuration options and default usage of SRP. Notably, the admin can apply AppLocker policies to user and group accounts, rather than just computer accounts. The admin can use Windows Defender Application Control (WDAC) to create code integrity (CI) policies, used on their own or in conjunction with AppLocker. Execution control is the process and approach of determining what additional software an admin can install on a client or server beyond its baseline.

Question 36 (0 / 1 pts)
A technology specialist is investigating a computer infected with malware. The investigator discovers that the malware caused a data leak that reveals the private information for an upcoming product. Which data type did the malware compromise?
You Answered: Sensitive personal information (SPI)
Personally identifiable information (PII)
Personal health information (PHI)
Correct Answer: Intellectual property (IP)

Intellectual property (IP) is information created by a company, typically about the products or services that it makes or performs. IP can include copyright works, patents, and trademarks. Personally identifiable information (PII) is data that identifies an individual, referred to as the data subject. Personal (or protected) health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Sensitive personal information (SPI) is not identifying information, but privacy-sensitive information about a subject that could be harmful if made public and could prejudice decisions made about the person.

Question 37 (0 / 1 pts)
There are different levels of data privacy categorization that follow military usage. Which level has the highest privacy rating?
Correct Answer: Top-secret
Secret
Confidential
You Answered: Classified

Top-secret is the highest level of classification. Details for this type of information, including the parties allowed to view it, are scarce. For data classified as secret, the information is too valuable to allow any risk of its capture; network security severely restricts the parties viewing this type of classified data. With confidential (or restricted) data, the information is highly sensitive and is for viewing only by approved persons within the organization (and possibly by trusted third parties under an NDA). Classified data (private/internal use only/official use only) is information where network security restricts viewing to authorized persons within the owner organization, or to third parties under a non-disclosure agreement (NDA).

Question 38 (0 / 1 pts)
An administrator needs to block traffic on a firewall. The traffic to block is unnecessary external traffic. Which traffic type does the administrator deem as unnecessary? Select all that apply.
You Answered: HTTPS
You Answered: HTTP
Correct Answer: SMB
Correct Answer: ICMP

The admin should block Internet Control Message Protocol (ICMP) traffic, such as ping, so it does not interfere with network operations. Malicious use of the ping command could flood the network. Windows systems use the Server Message Block (SMB) protocol for file transfers. SMB is a popular protocol for file sharing; external access over this protocol may enable malicious activity. Systems use Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) traffic for web-based communications, such as browsing. If there is no internal web server (currently unknown), then the firewall could potentially block this traffic as well.

Question 39 (0 / 1 pts)
A security firm establishes an office in a new building. In the office, security analysts gather information from member systems in industry-specific areas. The office functions as which type of facility?
SOP
NOC
Correct Answer: ISAC
You Answered: SOC

Information Sharing and Analysis Centers (ISACs) gather and produce data from member systems in sector-specific areas. The resulting data is highly industry-specific and relevant in researching threat intelligence. A Network Operations Center (NOC) is a location where personnel monitor and maintain the health of server systems, including communication and connectivity. A Standard Operating Procedure (SOP) is a set of documented steps and notes used as a guideline for a process. A Security Operations Center (SOC) is a location where security professionals monitor and protect critical information assets in an organization.

Question 40 (1 / 1 pts)
Engineers at a company feel that a rogue system exists on a corporate network. The engineers determine that capturing packets may help identify the system.
Compare the device types and conclude which of the following the engineers utilize. Virtual Machine Honeypot Smart appliance Correct! Network tap An engineer might attach a physical device to cabling to record packets passing over that segment. Once attached, other devices in line with the network do not detect the tap. Devices such as printers, webcams, and VoIP handsets, have all suffered from exploitable vulnerabilities in their firmware. If an engineer does not track or monitor the use of these assets, they could represent a potential vector for an adversary. An adversary may try to set up a server as a malicious honeypot to harvest network credentials or other data. The risk from rogue servers can be particularly high in a virtualized environment. This is due to the ability to easily create a virtual machine without the need for extra hardware. An engineer might attach a physical device to cabling to record packets passing over that segment. Once attached, other devices in line with the network do not detect the tap. Devices such as printers, webcams, and VoIP handsets, have all suffered from exploitable vulnerabilities in their firmware. If an engineer does not track or monitor the use of these assets, they could represent a potential vector for an adversary. An adversary may try to set up a server as a malicious honeypot to harvest network credentials or other data. The risk from rogue servers can be particularly high in a virtualized environment. This is due to the ability to easily create a virtual machine without the need for extra hardware. Question 41 0 / 1 pts IT security experts are examining a system that was part of a security breach. The experts determine that port forwarding was a key element in the attack. Which technique do the experts conclude the attacker uses? ou Answered Pagefile orrect Answer Pivoting Steganography Lateral Pivoting is a process similar to lateral movement. 
One use for pivoting is port forwarding, using a tool such as netcat. In port forwarding, the attacker uses a host as a pivot and can access one of its open TCP/IP ports. The attacker then sends traffic from this port to a port of a host on a different subnet using pivoting methods. Remote access services are a significant part of the lateral movement process. To hop from one host to another, the attacker opens a connection between the hosts that provides some measure of control. Using steganography, an attacker might be able to evade intrusion detection and data loss countermeasures if the attacker hides information within images or a video. Memory management uses pagefiles. It stores pages of memory in use that exceed the capacity of the host's RAM modules. Analysis tools cannot interpret the structure of the pagefile, but it is possible to search for strings. Pivoting is a process similar to lateral movement. One use for pivoting is port forwarding, using a tool such as netcat. In port forwarding, the attacker uses a host as a pivot and can access one of its open TCP/IP ports. The attacker then sends traffic from this port to a port of a host on a different subnet using pivoting methods. R t i i ifi t t f th l t l Remote access services are a significant part of the lateral movement process. To hop from one host to another, the attacker opens a connection between the hosts that provides some measure of control. Using steganography, an attacker might be able to evade intrusion detection and data loss countermeasures if the attacker hides information within images or a video. Memory management uses pagefiles. It stores pages of memory in use that exceed the capacity of the host's RAM modules. Analysis tools cannot interpret the structure of the pagefile, but it is possible to search for strings. Question 42 0 / 1 pts The systems administrator for a medium-sized company manages a bring your own device (BYOD) program. 
There is concern about device misplacement and theft with small mobile devices, such as tablets and phones. Which area is the administrator concerned with? Select all that apply. ou Answered Managing software patches Network strain orrect Answer Correct! Bringing work home Unencrypted data Freely-accessible, unencrypted data on a lost or stolen device, such as a phone or a tablet, is at risk of compromise. Employees who take sensitive data outside of the perimeter (deperimeterization), without securing their devices, will risk that data falling into the wrong hands. Mobile devices employees use may be difficult to patch, or they may be running outdated software, which could leave them more vulnerable to attack. The addition of multiple devices may place a strain on the network and cause it to stop functioning at optimum capacity. This may also lead to a DoS, whether intentional or not. Freely-accessible, unencrypted data on a lost or stolen device, such as a phone or a tablet, is at risk of compromise. Employees who take sensitive data outside of the perimeter (deperimeterization), without securing their devices, will risk that data falling into the wrong hands. Mobile devices employees use may be difficult to patch, or they may be running outdated software, which could leave them more vulnerable to attack. The addition of multiple devices may place a strain on the network and cause it to stop functioning at optimum capacity. This may also lead to a DoS, whether intentional or not. Question 43 1 / 1 pts An administrator configures a cloud access security broker (CASB) to mediate access to cloud services by users across all types of devices. Which functions does a CASB provide? Select all that apply. Correct! Auditing Correct! Single sign-on authentication Infrastructure as a service (IaaS) Forward proxy A CASB can enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider. 
As a CASB may provide auditing features. If so, the monitoring of both user and resource activity is possible. A forward proxy is not feature of a CASB, but rather, one of the possible ways a CASB may function. An admin establishes a forward proxy at a client network, rather than at a cloud network edge. Infrastructure as a service (IaaS) is a means of provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. A CASB can enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider. As a CASB may provide auditing features. If so, the monitoring of both user and resource activity is possible. A forward proxy is not feature of a CASB, but rather, one of the possible ways a CASB may function. An admin establishes a forward proxy at a client network, rather than at a cloud network edge. Infrastructure as a service (IaaS) is a means of provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Question 44 0 / 1 pts An organization moves multiple services to the cloud. Rather than use onpremise email, the organization moves to Office 365. Additionally, the organization moves file storage for projects to Amazon Web Services (AWS). Which approach does the organization use for cloud-provisioning? Community ou Answered Public orrect Answer Multi Private Multi-cloud architectures occur when an organization uses services from multiple CSPs. An example of a multi-cloud architecture might be an organization that uses Microsoft's Office 365 productivity suite, Slack messaging for internal communications, and Dropbox to share files. When multiple organizations share ownership of a cloud service, they deploy the service as a community cloud. Usually, this pools resources for a common concern, like standardization and security policies. 
A public cloud is a service offered over the Internet by cloud service providers (CSPs) to cloud consumers. With this model, businesses can offer subscriptions or pay-as-you-go financing. Private clouds operate by a single company or other business entity. The hosting may be internal, or it may be offsite and managed directly by the organization or via a service provider. Multi-cloud architectures occur when an organization uses services from multiple CSPs. An example of a multi-cloud architecture might be an organization that uses Microsoft's Office 365 productivity suite, Slack messaging for internal communications, and Dropbox to share files. When multiple organizations share ownership of a cloud service, they deploy the service as a community cloud. Usually, this pools resources for a common concern, like standardization and security policies. A public cloud is a service offered over the Internet by cloud service providers (CSPs) to cloud consumers. With this model, businesses can offer subscriptions or pay-as-you-go financing. Private clouds operate by a single company or other business entity. The hosting may be internal, or it may be offsite and managed directly by the organization or via a service provider. Question 45 1 / 1 pts An organization implements password policies to tighten security. Which policy is NOT considered deprecated? Aging policies Challenge questions Correct! 2-step verification Complexity With 2-step verification, the user adds a secondary communication channel, such as an alternate email address or cell/smartphone number. Policies should not enforce complexity rules. Best practice should allow the user to choose a password (or other memorized secret) of between 8 and 64 ASCII or Unicode characters, including spaces. Challenge questions should record information that only the user knows, such as pet names or first school. A well-resourced attacker may be able to discover or guess the responses to challenge questions. 
Updated best practices recommend against challenge questions and hints. Policies should not enforce aging policies. Users should be able to select if or when to change a password. With 2-step verification, the user adds a secondary communication channel, such as an alternate email address or cell/smartphone number. Policies should not enforce complexity rules. Best practice should allow the user to choose a password (or other memorized secret) of between 8 and 64 ASCII or Unicode characters, including spaces. Challenge questions should record information that only the user knows, such as pet names or first school. A well-resourced attacker may be able to discover or guess the responses to challenge questions. Updated best practices recommend against challenge questions and hints. Policies should not enforce aging policies. Users should be able to select if or when to change a password. Question 46 0 / 1 pts A security specialist configures an internal email system with enhanced spoofing protection. The approach specifies permitted senders for multiple domains. Which solution does the specialist implement? Digital Signatures orrect Answer Sender Policy Framework ou Answered Domain-based Message Authentication, Reporting, and Conformance Domain Keys Identified Mail Sender Policy Framework (SPF) uses a DNS record published by an organization hosting email services. The SPF record identifies the hosts authorized to send email from that domain. The Domain-based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that the system effectively utilizes SPF and DKIM. It specifies an alignment mechanism to verify that the domain, identified in the rule header from field, matches the domain in the envelope from field. With an email system, a digital signature verifies the identity of a sender by using certificates and keys. Domain Keys Identified Mail (DKIM) provides a cryptographic authentication mechanism. This can replace or supplement SPF. 
Sender Policy Framework (SPF) uses a DNS record published by an organization hosting email services. The SPF record identifies the hosts authorized to send email from that domain. The Domain-based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that the system effectively utilizes SPF and DKIM. It specifies an alignment mechanism to verify that the domain, identified in the rule header from field, matches the domain in the envelope from field. With an email system, a digital signature verifies the identity of a sender by using certificates and keys. Domain Keys Identified Mail (DKIM) provides a cryptographic authentication mechanism. This can replace or supplement SPF. Question 47 1 / 1 pts A developer researches a fix for a vulnerability that targets what is known as a network channel. Which platform does the developer reference? Select all that apply. Mobile Correct! Web Correct! Client/server Embedded A web application is a particular type of client/server architecture. A web application leverages existing technologies to simplify development. Most application architectures use a client/server model to direct attacks at the local client code, at the server application, or at the network channel between them. Mobile devices are particularly vulnerable to attacks launched from use of open wireless access points. There are also risks from malicious apps, particularly if the app is running on a jailbroken or rooted device. As the devices hosting embedded applications have become increasingly exposed to data networks and the Internet, it has become clear that embedded application development needs to incorporate security at every stage. A web application is a particular type of client/server architecture. A web application leverages existing technologies to simplify development. 
Most application architectures use a client/server model to direct attacks at the local client code, at the server application, or at the network channel between them. Mobile devices are particularly vulnerable to attacks launched from use of open wireless access points. There are also risks from malicious apps, particularly if the app is running on a jailbroken or rooted device. As the devices hosting embedded applications have become increasingly exposed to data networks and the Internet, it has become clear that embedded application development needs to incorporate security at every stage. Question 48 1 / 1 pts Engineers analyze previous hacks and intrusions to produce definitions of the tactics, techniques, and procedures (TTP) used to perform attacks. When evaluating data, the engineers classify which attack based on the behavior of increased network traffic? Network reconnaissance Viruses/worms Advanced persistent threats (APTs) Correct! Data exfiltration Spikes in database reads and/or high-volume network transfers might be an indicator of a data exfiltration event, especially if the endpoints involved do not typically see high traffic levels. With advanced persistent threats (APTs) an attacker needs to use some sort of command and control (C2 or C&C) mechanism to communicate with a controller host on the Internet. This communication gives the attacker an open line even when not in use. Network reconnaissance (if not performed sparsely) scans against multiple ports or across numerous IP addresses, and will be highly visible, providing an early warning of adversary behavior. High CPU or memory usage could be a sign of malware, such as viruses or worms infecting a host. Spikes in database reads and/or high-volume network transfers might be an indicator of a data exfiltration event, especially if the endpoints involved do not typically see high traffic levels. 
With advanced persistent threats (APTs) an attacker needs to use some sort of command and control (C2 or C&C) mechanism to communicate with a controller host on the Internet. This communication gives the attacker an open line even when not in use. Network reconnaissance (if not performed sparsely) scans against multiple ports or across numerous IP addresses, and will be highly visible, providing an early warning of adversary behavior. High CPU or memory usage could be a sign of malware, such as viruses or worms infecting a host. Question 49 1 / 1 pts An IT engineer decides to standardize on regular expression (regex) syntax when writing Security Information and Event Management (SIEM) correlation rules. The engineer needs to specify a match at the start of a line. Which syntax elements does the engineer use to accomplish this goal? $ ? Correct! ^ {} Filtering a log to discover data points of interest or writing an SIEM correlation rule usually involves some sort of string search, typically invoking regular expression (regex) syntax. When using the upwards caret (^), the match is the start of a line only (anchor/boundary). When using the dollar sign ($), the match is at the end of a line only (anchor/boundary). To find matches a number of times (quantifier), the engineer will use {} brackets. For example, {2} matches two times. The question mark (?) signifies that a match exists once or not at all (quantifier). Filtering a log to discover data points of interest or writing an SIEM correlation rule usually involves some sort of string search, typically invoking regular expression (regex) syntax. When using the upwards caret (^), the match is the start of a line only (anchor/boundary). When using the dollar sign ($), the match is at the end of a line only (anchor/boundary). To find matches a number of times (quantifier), the engineer will use {} brackets. For example, {2} matches two times. The question mark (?) 
signifies that a match exists once or not at all (quantifier). Question 50 1 / 1 pts A security committee at an organization develops a security plan. Numerous security control types are in place. The organization utilizes a training program to provide best practices training to all employees. The committee uses which category to define the program? Correct! Operational Managerial Technical Cybersecurity Organizations may implement operational controls. These controls are primarily by people, rather than systems. For example, security guards and training programs are operational controls, rather than technical controls. Organizations implement a technical control system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls. Technical controls are also known as logical controls. A managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls. Cybersecurity is a general term that refers to the overall approach of protecting systems, data, and an infrastructure. Organizations implement controls to establish security. Organizations may implement operational controls. These controls are primarily by people, rather than systems. For example, security guards and training programs are operational controls, rather than technical controls. Organizations implement a technical control system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls. Technical controls are also known as logical controls. A managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls. Cybersecurity is a general term that refers to the overall approach of protecting systems, data, and an infrastructure. 
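The anchor and quantifier elements from Question 49 (^, $, {} and ?) applied to SIEM-style log filtering and a simple correlation rule, as an added example that is not part of the original quiz. The log lines, rule names and the failed-login threshold are all constructed for illustration.

```python
"""Regex anchors and quantifiers applied to constructed log lines (added example)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in the style of an sshd authentication log.
# Addresses are documentation ranges; nothing here comes from a real system.
SAMPLE_LOG: List[str] = [
    "Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Accepted password for alice from 198.51.100.23 port 40211 ssh2",
    "sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Failed password for bob from 203.0.113.7 port 51024 ssh2",
    "Disconnected from 198.51.100.23 port 40211",
]

# ^ : start-of-line anchor. Only lines that BEGIN with the phrase match; the
#     "sshd[4122]: ..." line carries a prefix and is therefore excluded.
RULE_FAILED_AT_START = r"^Failed password for"

# $ : end-of-line anchor. Keeps lines whose final token is the ssh2 protocol tag.
RULE_SSH2_AT_END = r" ssh2$"

# ? : "once or not at all". The process prefix and the "invalid user " marker are
#     each optional, so one rule covers both log shapes seen above.
# {n} and {n,m} : repetition quantifiers. \d{1,3} is one to three digits (an IPv4
#     octet) and (?:\.\d{1,3}){3} demands exactly three more dot-separated octets.
RULE_FAILED_LOGIN = (
    r"^(?:sshd\[\d+\]: )?Failed password for (?:invalid user )?"
    r"(?P<user>\w+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d{2,5}"
)


def filter_lines(lines: List[str], pattern: str) -> List[str]:
    """Return the lines matched by pattern, grep-style; re.search honours ^ and $."""
    rule = re.compile(pattern)
    return [line for line in lines if rule.search(line)]


def correlate_failed_logins(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """A minimal SIEM-style correlation rule: count failed logins per source
    address and report the sources that reach the (constructed) threshold."""
    rule = re.compile(RULE_FAILED_LOGIN)
    counts = Counter()
    for line in lines:
        match = rule.search(line)
        if match:
            counts[match.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def users_from_failed_lines(text: str, per_line: bool) -> List[str]:
    """Show why the anchors need re.MULTILINE on a multi-line buffer: without it,
    ^ and $ bind only to the start and end of the whole text, so a per-line rule
    finds nothing; with it, they bind to every line, as a SIEM rule expects."""
    flags = re.MULTILINE if per_line else 0
    return re.findall(r"^Failed password for (\w+) .*ssh2$", text, flags)


if __name__ == "__main__":
    for name, pattern in (("^ anchor", RULE_FAILED_AT_START), ("$ anchor", RULE_SSH2_AT_END)):
        print(name, "->", len(filter_lines(SAMPLE_LOG, pattern)), "line(s)")
    print("sources over threshold:", correlate_failed_logins(SAMPLE_LOG))
    print("users (per-line anchors):", users_from_failed_lines("\n".join(SAMPLE_LOG), True))
```

Dropping the ^ from RULE_FAILED_AT_START also matches the prefixed third line, which is the difference the question is testing.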
Organizations implement controls to establish security. Question 51 0 / 1 pts A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity. Below is a snippet of the log: grep -v pythonfun chat.log orrect Answer grep -v chatter14 chat.log grep -v javashark chat.log ou Answered grep -i pythonfun chat.log grep -i chatter14 chat.log grep -i javashark chat.log Question 52 0 / 1 pts A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic. Which of the following would BEST accomplish this goal? Continuous interaction and deployment Information sharing and analysis ou Answered Automation and orchestration orrect Answer Static and dynamic analysis Question 53 0 / 1 pts As part of an exercise set up by the information security officer, the IT staff must move some of the network systems to an off-site facility and redeploy them for testing. All staff members must ensure their respective systems can power back up and match their gold image. If they find any inconsistencies, they must formally document the information. Which of the following BEST describes this test? Full interruption ou Answered Walk through Parallel orrect Answer Simulation Question 54 0 / 1 pts A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to senior management? (Choose two.) 
Classification orrect Answer Impact ou Answered Adversary capability ou Answered Indicators of compromise orrect Answer Probability Attack vector Question 55 0 / 1 pts It is important to parameterize queries to prevent __________. a memory overflow that executes code with elevated privileges ou Answered the establishment of a web shell that would allow unauthorized access orrect Answer the execution of unauthorized actions against a database. the queries from using an outdated library with security vulnerabilities Question 56 0 / 1 pts As part of a review of incident response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period? ou Answered Vendor requirements and contracts orrect Answer Legal requirements Service-level agreements Organizational policies Question 57 1 / 1 pts A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445. Which of the following should be the team’s NEXT step during the detection phase of this response process? Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections. Correct! Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses Escalate the incident to management, who will then engage the network infrastructure team to keep them informed. Question 58 0 / 1 pts A security analyst implemented a solution that would analyze the attacks that the organization’s firewalls failed to prevent. 
The analyst used the existing systems to enact the solution and executed the following command: $ sudo nc -1 –v –e maildaemon.py 25 > caplog.txt Which of the following solutions did the analyst implement? ou Answered Crontab mail script Honeypot Sinkhole orrect Answer Log collector Question 59 0 / 1 pts A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database. Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.) Tag the computers with critical findings as a business risk acceptance. Harden the hosts on the network, as recommended by the NIST framework. Correct! Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities. Manually patch the computers on the network, as recommended on the CVE website ou Answered Remove the servers reported to have high and medium vulnerabilities. orrect Answer Resolve the monthly job issues and test them before applying them to the production network. Question 60 0 / 1 pts The security team at a large corporation is helping the paymentprocessing team to prepare for a regulatory compliance audit and meet the following objectives: - Reduce the number of potential findings by the auditors. - Limit the scope of the audit to only devices used by the paymentprocessing team for activities directly impacted by the regulations. - Prevent the external-facing web infrastructure used by other teams from coming into scope. - Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised. Which of the following would be the MOST effective way for the security team to meet these objectives? 
orrect Answer Segment the servers and systems used by the business unit from the rest of the network. ou Answered Limit the permissions to prevent other employees from accessing data owned by the business unit. Implement full-disk encryption on the laptops used by employees of the payment-processing team. Deploy patches to all servers and workstations across the entire organization. Question 61 0 / 1 pts A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing? ou Answered Indicator enrichment and research pivoting Recovery and post-incident review Containment and eradication orrect Answer Requirements analysis and collection planning Question 62 0 / 1 pts A development team signed a contract that requires access to an onpremises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet. Which of the following solutions would meet this requirement? orrect Answer Establish a hosted SSO. ou Answered Implement a CASB Virtualize the server. Air gap the server Question 63 0 / 1 pts A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication. Which of the following will remediate this software vulnerability? orrect Answer Enforce unique session IDs for the application ou Answered Use a parameterized query to check the credentials. Check for and enforce the proper domain for the redirect. Deploy a WAF in front of the web application Implement email filtering with anti-phishing protection. 
Question 64 1 / 1 pts A security analyst has received information from a third-party intelligencesharing resource that indicates employee accounts were breached. Which of the following is the NEXT step the analyst should take to address the issue? Correct! Force a password reset for the impacted employees and revoke any tokens. Configure SSO to prevent passwords from going outside the local network. Set up privileged access management to ensure auditing is enabled. Audit access permissions for all employees to ensure least privilege. Question 65 0 / 1 pts Which of the following is the MOST important objective of a post-incident review? Develop a process for containment and continue improvement efforts ou Answered Identify new technologies and strategies to remediate orrect Answer Capture lessons learned and improve incident response processes Identify a new management strategy Question 66 0 / 1 pts An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems. As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue? orrect Answer Minutes from meetings in which risk assessment activities addressing the servers were discussed ou Answered ACLs from perimeter firewalls showing blocked access to the servers Copies of prior audits that did not identify the servers as an issue Copies of change orders relating to the vulnerable servers Project plans relating to the replacement of the servers that were approved by management Question 67 0 / 1 pts A security analyst needs to reduce the overall attack surface. Which of the following infrastructure changes should the analyst recommend? 
air gap sensitive systems ou Answered implement a honeypot orrect Answer increase the network segmentation implement a cloud-based artchitecture Question 68 0 / 1 pts A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor's instructions and generated a report of vulnerabilities that ran against the same target server. Tool A reported the following: Tool B reported the following: Which of the following BEST describes the method used by each tool? (Choose two.) orrect Answer Tool A is agent based. orrect Answer Tool B is unauthenticated. ou Answered Tool A is unauthenticated Tool B utilized machine learning technology. Tool B is agent based. Tool A used fuzzing logic to test vulnerabilities. Question 69 1 / 1 pts A security analyst is investigating a system compromise. The analyst verifies the system was up to date on OS patches at the time of the compromise. Which of the following describes the type of vulnerability that was MOST likely exploited? Correct! Zero day Insider threat Buffer overflow Advanced persistent threat Question 70 A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats. 0 / 1 pts Which of the following is the MOST proactive tool or technique that feeds incident response capabilities? ou Answered Quarterly vulnerability scanning using credentialed scans Log correlation, monitoring, and automated reporting through a SIEM platform orrect Answer Development of a hypothesis as part of threat hunting Continuous compliance monitoring using SCAP dashboards Question 71 0 / 1 pts As part of a review of incident response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period? 
Vendor requirements and contracts
Service-level agreements
You Answered Organizational policies
Correct Answer Legal requirements

Question 72 0 / 1 pts
An organization that handles sensitive financial information wants to perform tokenization of data to enable the execution of recurring transactions. The organization is most interested in a secure, built-in device to support its solution. Which of the following would MOST likely be required to perform the desired function?
HSM
You Answered FPGA
Correct Answer TPM
eFUSE
UEFI

Question 73 0 / 1 pts
An incident responder successfully acquired application binaries off a mobile device for later forensic analysis. Which of the following should the analyst do NEXT?
Decompile each binary to derive the source code.
Perform a factory reset on the affected mobile device.
You Answered Inspect the permissions manifests within each application.
Correct Answer Encrypt the binaries using an authenticated AES-256 mode of operation.
Compute SHA-256 hashes for each binary.

Question 74 1 / 1 pts
A hybrid control is one that:
authenticates using passwords and hardware tokens
Correct! is implemented at the enterprise and system levels
has operational and technical components
is implemented differently on individual systems

Question 75 0 / 1 pts
Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?
Senior management
Data processor
You Answered Data custodian
Correct Answer Data owner

Question 76 0 / 1 pts
It is important to parameterize queries to prevent __________.
You Answered the establishment of a web shell that would allow unauthorized access
Correct Answer the execution of unauthorized actions against a database.
a memory overflow that executes code with elevated privileges
the queries from using an outdated library with security vulnerabilities

Question 77 0 / 1 pts
When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal?
nmap -sA -O <system> -noping
You Answered nmap -sQ -O <system> -P0
nmap -sT -O <system> -P0
Correct Answer nmap -sS -O <system> -P0

Question 78 0 / 1 pts
A threat feed notes malicious actors have been infiltrating companies and exfiltrating data to a specific set of domains. Management at an organization wants to know if it is a victim. Which of the following should the security analyst recommend to identify this behavior without alerting any potential malicious actors?
Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested.
Correct Answer Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried.
You Answered Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information.
Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443.

Question 79 0 / 1 pts
An analyst performs a routine scan of a host using Nmap and receives the following output: Which of the following should the analyst investigate FIRST?
Port 80
Correct Answer Port 23
You Answered Port 22
Port 21

Question 80 0 / 1 pts
A network attack that is exploiting a vulnerability in the SNMP is detected. Which of the following should the cybersecurity analyst do FIRST?
Disable all privileged user accounts on the network.
You Answered Escalate the incident to senior management for guidance.
Temporarily block the attacking IP address.
Correct Answer Apply the required patches to remediate the vulnerability.
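Question 76 above is about what parameterized queries actually prevent. The following is an added example, not part of the quiz or its answer key: it builds a small in-memory SQLite table (constructed demo data) and runs the same lookup through a deliberately vulnerable string-spliced query and through a parameterized one. The two attacker inputs are constructed for the demonstration; the first turns the WHERE clause into a tautology, the second appends a UNION that reads the schema catalogue, an action the application never intended to allow.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a few sample accounts (demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL text,
    so a quote character in the input changes the structure of the statement."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the statement structure is fixed before the value is bound,
    so quote characters in the input are treated as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker inputs for the demonstration.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Run a legitimate lookup and both payloads through each implementation."""
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "bob"),
        "legit_parameterized": lookup_parameterized(conn, "bob"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "tautology_parameterized": lookup_parameterized(conn, TAUTOLOGY_PAYLOAD),
        "schema_vulnerable": lookup_vulnerable(conn, SCHEMA_PAYLOAD),
        "schema_parameterized": lookup_parameterized(conn, SCHEMA_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

With the vulnerable function the tautology payload returns every user and the UNION payload returns the CREATE TABLE statement from sqlite_master; the parameterized function returns an empty result for both, because no user is literally named "x' OR '1'='1". Note what parameterization does not do: it says nothing about web shells, memory safety or library versions (the other options), which is why those distractors are wrong.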
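Question 78 above prefers a DNS sinkhole plus a SIEM alert because the watched hosts get answered with an address the defender controls and the attacker's infrastructure is never contacted. The following is an added example, not from the quiz: the watchlist domains, the sinkhole address and the resolver log lines (a simplified BIND-style query-log layout) are all constructed for the demonstration. It shows the two halves of that answer, the sinkhole response for a watched name and the alert logic that turns query-log lines into a list of hosts to investigate, with suffix matching so that subdomains of an indicator match but look-alike names such as "notexfil-drop.example" do not.

```python
import re

# Constructed indicator list (placeholder names, not from any real feed).
WATCHLIST = {"exfil-drop.example", "c2-update.example"}

# Assumed sinkhole address: an internal host that accepts and logs the connection.
SINKHOLE_IP = "10.99.99.99"

# Constructed sample lines in a simplified BIND-style query-log layout.
SAMPLE_LOG = """\
12-Jul-2024 10:01:02.115 client 10.20.30.41#53211: query: www.exfil-drop.example IN A +
12-Jul-2024 10:01:05.420 client 10.20.30.42#53212: query: intranet.corp.example IN A +
12-Jul-2024 10:02:11.003 client 10.20.30.41#53213: query: EXFIL-DROP.example. IN TXT +
12-Jul-2024 10:02:40.777 client 10.20.30.43#53214: query: notexfil-drop.example IN A +
12-Jul-2024 10:03:01.900 client 10.20.30.44#53215: query: c2-update.example IN AAAA +
"""

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def normalize(name):
    """Lower-case and drop the trailing root dot so 'A.B.' and 'a.b' compare equal."""
    return name.lower().rstrip(".")


def watchlist_match(qname, watchlist):
    """Return the indicator that qname equals or sits under, else None.
    Suffix matching is on label boundaries, so 'notbad.example' never matches 'bad.example'."""
    q = normalize(qname)
    for indicator in watchlist:
        d = normalize(indicator)
        if q == d or q.endswith("." + d):
            return d
    return None


def sinkhole_answer(qname, watchlist=WATCHLIST):
    """Resolver side: watched names get the sinkhole address, everything else is left alone."""
    return SINKHOLE_IP if watchlist_match(qname, watchlist) else None


def find_sinkhole_hits(log_text, watchlist):
    """SIEM side: one alert record per query-log line that hit the watchlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        indicator = watchlist_match(m["qname"], watchlist)
        if indicator:
            hits.append({
                "client": m["client"],
                "qname": normalize(m["qname"]),
                "qtype": m["qtype"],
                "indicator": indicator,
            })
    return hits


def clients_to_investigate(hits):
    """Distinct internal hosts that asked for a watched domain."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = find_sinkhole_hits(SAMPLE_LOG, WATCHLIST)
    for h in found:
        print(f"{h['client']} asked for {h['qname']} ({h['qtype']}) -> matches {h['indicator']}")
    print("investigate:", clients_to_investigate(found))
```

Running it over the constructed log flags two hosts, 10.20.30.41 (two queries, one of them upper-cased with a trailing dot) and 10.20.30.44, and ignores the look-alike name. The IPS-block option in the question would also stop the traffic, but a connection reset is visible to the operator; the sinkhole keeps the host talking to something that looks alive while the alert fires.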
Question 81 0 / 1 pts
A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the Common Vulnerabilities and Exposures (CVE) database. Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.)
Harden the hosts on the network, as recommended by the NIST framework.
Tag the computers with critical findings as a business risk acceptance.
You Answered Remove the servers reported to have high and medium vulnerabilities.
Correct! Resolve the monthly job issues and test them before applying them to the production network.
Manually patch the computers on the network, as recommended on the CVE website.
Correct Answer Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities.

Question 82 0 / 1 pts
A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached. Which of the following risk actions has the security committee taken?
You Answered Risk tolerance
Correct Answer Risk acceptance
Risk exception
Risk avoidance

Question 83 1 / 1 pts
A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used?
Data loss prevention
Correct!
Data masking
Data encoding
Data classification

Question 84 0 / 1 pts
A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached. Which of the following is the NEXT step the analyst should take to address the issue?
Configure SSO to prevent passwords from going outside the local network.
You Answered Set up privileged access management to ensure auditing is enabled.
Audit access permissions for all employees to ensure least privilege.
Correct Answer Force a password reset for the impacted employees and revoke any tokens.

Question 85 1 / 1 pts
A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the network is compromised. Which of the following would provide the BEST results?
Correct! Uncredentialed scan
External penetration test
Network ping sweep
Baseline configuration assessment

Question 86 0 / 1 pts
The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives:
- Reduce the number of potential findings by the auditors.
- Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations.
- Prevent the external-facing web infrastructure used by other teams from coming into scope.
- Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised.
Which of the following would be the MOST effective way for the security team to meet these objectives?
Correct Answer Segment the servers and systems used by the business unit from the rest of the network.
You Answered Deploy patches to all servers and workstations across the entire organization.
Limit the permissions to prevent other employees from accessing data owned by the business unit.
Implement full-disk encryption on the laptops used by employees of the payment-processing team.

Question 87 0 / 1 pts
A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic. Which of the following would BEST accomplish this goal?
Continuous interaction and deployment
Correct Answer Static and dynamic analysis
You Answered Information sharing and analysis
Automation and orchestration

Question 88 0 / 1 pts
A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality. Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing?
Encryption
You Answered Encoding
Watermarking
Correct Answer Deidentification

Question 89 0 / 1 pts
A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptia.org. The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task?
Correct Answer Add TXT @ "v=spf1 mx include:_spf.comptia.org -all" to the DNS record.
Add TXT @ "v=spf1 mx include:_spf.comptia.org +all" to the web server.
You Answered Add TXT @ "v=spf1 mx include:_spf.comptia.org -all" to the email server.
Add TXT @ "v=spf1 mx include:_spf.comptia.org +all" to the domain controller.

Question 90 0 / 1 pts
Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server. A portion of a capture file is shown below: Which of the following MOST likely explains how the clients' accounts were compromised?
Correct Answer The clients' authentication tokens were impersonated and replayed.
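Questions 83 and 88 both turn on the same control: a script that makes production PII/PHI unidentifiable before it is loaded into a test system, while leaving the data usable for functional testing. The following is an added example, not the developer's script from the quiz, and the export, the people in it and the masking key are all constructed for the demonstration. Names and e-mail addresses are replaced by keyed HMAC-SHA256 pseudonyms (so the same person maps to the same token and joins and duplicate detection still work, but the original cannot be recovered without the key), SSNs keep only their last four digits, dates of birth are generalized to the year, and a post-check refuses to release a file that still contains an original value or an SSN-shaped string.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed production export with made-up people; the repeated patient row
# shows that consistent pseudonyms keep duplicates and joins intact.
PROD_EXPORT = """\
patient_id,full_name,email,ssn,dob,diagnosis_code
1001,Alice Example,alice@example.com,123-45-6789,1980-04-12,J45.20
1002,Bob Sample,bob.sample@example.org,987-65-4321,1975-11-30,E11.9
1003,Alice Example,alice@example.com,123-45-6789,1980-04-12,I10
"""

# Assumed secret for the demo; in practice it stays where the export is produced
# and is never shipped to the test environment with the data.
MASKING_KEY = b"assumed-demo-masking-key"

DIRECT_IDENTIFIERS = ("full_name", "email", "ssn")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pseudonym(value, prefix, key=MASKING_KEY):
    """Keyed one-way token: equal inputs give equal tokens; reversing needs the key."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return f"{prefix}_{digest[:12]}"


def mask_ssn(ssn):
    """Keep only the last four digits, which is enough to exercise display formatting."""
    digits = re.sub(r"\D", "", ssn)
    return "***-**-" + digits[-4:] if len(digits) == 9 else "***-**-****"


def generalize_dob(dob):
    """Reduce a full YYYY-MM-DD date of birth to the year alone."""
    return dob[:4] + "-01-01"


def deidentify_rows(csv_text):
    """Apply the per-field rules; non-PII columns (ids, diagnosis codes) pass through."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        masked = dict(row)
        masked["full_name"] = pseudonym(row["full_name"], "PERSON")
        masked["email"] = pseudonym(row["email"], "user") + "@test.invalid"
        masked["ssn"] = mask_ssn(row["ssn"])
        masked["dob"] = generalize_dob(row["dob"])
        rows.append(masked)
    return rows


def deidentify_csv(csv_text):
    """Same as deidentify_rows but returns CSV text ready to load into the test system."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in deidentify_rows(csv_text):
        writer.writerow(row)
    return out.getvalue()


def leaks_pii(original_csv, deidentified_csv):
    """Release gate: True if any original direct identifier, or any SSN-shaped
    string, survives in the output."""
    for row in csv.DictReader(io.StringIO(original_csv)):
        for field in DIRECT_IDENTIFIERS:
            if row[field] and row[field] in deidentified_csv:
                return True
    return bool(SSN_RE.search(deidentified_csv))


if __name__ == "__main__":
    masked_csv = deidentify_csv(PROD_EXPORT)
    print(masked_csv)
    print("leaks PII:", leaks_pii(PROD_EXPORT, masked_csv))
```

Encryption (the tempting option in Question 88) would protect the file in transit but the test team would still decrypt it and work with real PHI; deidentification removes the sensitive content while preserving the shape, cardinality and referential integrity that functional testing needs.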
The clients' usernames and passwords were transmitted in cleartext.
You Answered An XSS scripting attack was carried out on the server.
A SQL injection attack was carried out on the server.
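Returning to Question 89: the record must be published as a TXT record at the domain apex in DNS (not on a web, mail or directory server, where no receiving MTA will ever look for it), and it must end in "-all" so that a sender not listed by the mx or include mechanisms is rejected rather than accepted. The following added example, not part of the quiz, is a small SPF record checker: given the TXT strings returned for a zone it selects the single SPF record (RFC 7208 treats zero or more than one as a permanent error), splits it into qualified mechanisms and modifiers, and reports what happens to a sender that matches none of the listed sources. The sample TXT record sets are constructed for the demonstration.

```python
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_spf_record(txt_records):
    """Select the SPF record from a zone's TXT strings. RFC 7208 requires exactly
    one record starting with the version tag; zero or several is a permerror."""
    candidates = [r for r in txt_records if r.split()[:1] == ["v=spf1"]]
    return candidates[0] if len(candidates) == 1 else None


def parse_spf(record):
    """Split a record into (qualifier, mechanism) pairs and a list of modifiers."""
    terms = record.split()
    if terms[:1] != ["v=spf1"]:
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], []
    for term in terms[1:]:
        if term[0] not in SPF_QUALIFIERS and "=" in term:
            modifiers.append(term)          # e.g. redirect=..., exp=...
            continue
        qualifier = "+"                     # an unqualified mechanism means pass
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanisms.append((qualifier, term.lower()))
    return mechanisms, modifiers


def assess_spf(record):
    """Report what the record does with a sender that matches none of the listed sources."""
    mechanisms, modifiers = parse_spf(record)
    all_qualifiers = [q for q, m in mechanisms if m == "all"]
    if all_qualifiers:
        default = SPF_QUALIFIERS[all_qualifiers[0]]
    elif any(m.lower().startswith("redirect=") for m in modifiers):
        default = "redirect"                # decided by the redirected domain's record
    else:
        default = "neutral"                 # RFC 7208 default when nothing matches
    return {
        "authorized_sources": [m for q, m in mechanisms if m != "all"],
        "default_result": default,
        "rejects_unlisted_senders": default == "fail",
    }


def check_zone(txt_records):
    """End-to-end check for a published zone: find the record, then assess it."""
    record = find_spf_record(txt_records)
    if record is None:
        return {"error": "expected exactly one v=spf1 TXT record"}
    return assess_spf(record)


if __name__ == "__main__":
    # Constructed TXT record sets for the domain apex, one per option in the question.
    good_zone = ["google-site-verification=abc123", "v=spf1 mx include:_spf.comptia.org -all"]
    weak_zone = ["v=spf1 mx include:_spf.comptia.org +all"]
    for zone in (good_zone, weak_zone):
        print(zone[-1], "->", check_zone(zone))
```

The "-all" record yields rejects_unlisted_senders True; the "+all" variants in the distractors evaluate to "pass" for every sender on the Internet, which authorizes the very spoofing the control is meant to stop, regardless of where the string is stored.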