Security+ SY0-601 Certification Practice Exam
Created by Paladin_Rhyne
Terms in this set (89)

Q: Which of the following is an important aspect of evidence-gathering?
Options: Back up all log files and audit trails. | Purge transaction logs. | Restore damaged data from backup media. | Monitor user access to compromised systems.
A: Back up all log files and audit trails.

Q: Which of the following items would be implemented at the Network layer of the security model?
Options: Wireless networks | Network plans | Firewalls using ACLs | Penetration testing
A: Penetration testing

Q: Prepare to Document means establishing the process you will use to document your network. Which of the following makes this documentation more useful?
Options: Identify the choke points on the network. | Automate administration as much as possible. | Identify who is responsible for each device. | Have a printed hard copy kept in a secure location.
A: Have a printed hard copy kept in a secure location.

Q: You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with?
Options: Cross-training | Job rotation | Need to know | Principle of least privilege
A: Principle of least privilege

Q: A recreation of historical events is made possible through which of the following?
Options: Incident reports | Audits | Audit trails | Penetration testing
A: Audit trails

Q: An attacker uses an exploit to push a modified hosts file to client systems. This hosts file redirects traffic from legitimate tax preparation sites to malicious sites to gather personal and financial information. Which kind of exploit has been used in this scenario?
Options: Man-in-the-middle | Reconnaissance | DNS poisoning | Domain name kiting
A: DNS poisoning

Q: When you inform an employee that he or she is being terminated, which of the following is the most important activity?
Options: Disable his or her network access | Allow him or her to collect their personal items | Allow him or her to complete their current work projects | Give him or her two weeks' notice
A: Disable his or her network access

Q: Which protocol does HTTPS use to offer greater security in web transactions?
Options: Kerberos | IPsec | SSL | Telnet
A: SSL

Q: How often should change-control management be implemented?
Options: Any time a production system is altered. | At regular intervals throughout the year. | Only when changes are made that affect senior management. | Only when a production system is altered greatly.
A: Any time a production system is altered.

Q: A user copies files from her desktop computer to a USB flash device and puts the device into her pocket. Which of the following security risks is most pressing?
Options: Non-repudiation | Confidentiality | Availability | Integrity
A: Confidentiality

Q: Which ISO publication lays out guidelines for selecting and implementing security controls?
Options: 31000 | 27002 | 27701 | 27001
A: 27002

Q: You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled?
Options: Social engineering | Dumpster diving | Shoulder surfing | Password guessing
A: Dumpster diving

Q: Which of the following functions does a single quote (') perform in an SQL injection?
Options: Indicates that everything after the single quote is a comment | Indicates that the comment has ended and data is being entered | Indicates that code is ending and a comment is being entered | Indicates that data has ended and a command is beginning
A: Indicates that data has ended and a command is beginning

Q: You have detected and identified a security event. What's the first step you should complete?
Options: Isolation | Segmentation | Playbook | Containment
A: Containment

Q: Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject?
Options: Mandatory Access Control (MAC) | Role-Based Access Control (RBAC) | Attribute-Based Access Control (ABAC) | Rule-Based Access Control
A: Attribute-Based Access Control (ABAC)

Q: Which of the following types of auditing verifies that systems are utilized appropriately and in accordance with written organizational policies?
Options: Financial audit | PoLP | Internal audit | Usage audit
A: Usage audit

Q: Which EAP implementation is MOST secure?
Options: EAP-MD5 | LEAP | EAP-FAST | EAP-TLS
A: EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

Q: Which type of reconnaissance is dumpster diving?
Options: Active | Passive | Packet sniffing | OSINT
A: Passive (no active modification/querying is involved)

Q: You have been hired as part of the team that manages an organization's network defense. Which security team are you working on?
Options: Red | White | Blue | Purple
A: Blue

Q: What is the average number of times that a specific risk is likely to be realized in a single year?
Options: Estimated maximum downtime | Annualized rate of occurrence | Exposure factor | Annualized loss expectancy
A: Annualized rate of occurrence

Q: Your LDAP directory-services solution uses simple authentication. What should you always do when using simple authentication?
Options: Use IPsec and certificates | Use SSL | Use Kerberos | Add SASL and use TLS
A: Use SSL

Q: A wireless access point configured to use Wired Equivalent Privacy (WEP) is an example of which kind of vulnerability?
Options: Unpatched software | Default settings | Zero-day exploit | Weak security configurations
A: Weak security configurations

Q: You manage an Active Directory domain. All users in the domain have a standard set of internet options configured by a GPO linked to the domain, but you want users in the Administrators OU to have a different set of internet options. What should you do?
Options: Create a GPO computer policy for the Administrators OU. | Create a GPO user policy for the Administrators OU. | Create a Local Group Policy on the computers used by members of the Administrators OU. | Create a GPO user policy for the domain.
A: Create a GPO user policy for the Administrators OU.

Q: What is the most obvious means of providing non-repudiation in a cryptography system?
Options: Digital signatures | Shared secret keys | Public keys | Hashing values
A: Digital signatures

Q: SSL (Secure Sockets Layer) operates at which layer of the OSI model?
Options: Session | Application | Transport | Presentation
A: Session

Q: What is the purpose of audit trails?
Options: To detect security-violating events. | To restore systems to normal operations. | To correct system problems. | To prevent security breaches.
A: To detect security-violating events.

Q: Most equipment is cooled by bringing cold air in the front and ducting the heat out of the back. What is the term for where the heat is sent in this type of scenario?
Options: Hot aisle | Cold aisle | Front aisle | Back aisle
A: Hot aisle

Q: Which of the following happens by default when you create a new ACL on a router?
Options: All traffic is blocked. | All traffic is permitted. | The ACL is ignored until applied. | ACLs are not created on a router.
A: All traffic is blocked.

Q: Which of the following terms is used to describe an event in which a person who should be allowed access is denied access to a system?
Options: False negative | Error rate | False positive | False acceptance
A: False negative

Q: Which of the following drive configurations is fault tolerant?
Options: Disk striping | RAID 5 | Expanded volume set | RAID 0
A: RAID 5

Q: Which of the following terms describes the actual time required to successfully recover operations in the event of an incident?
Options: Recovery point objective (RPO) | Mean time to repair (MTTR) | Recovery time objective (RTO) | Maximum tolerable downtime (MTD)
A: Recovery time objective (RTO)

Q: != or <> refers to Not Equal in which scripting language?
Options: Bash | PuTTY | Python | PowerShell
A: Python

Q: You want to identify traffic that is generated and sent through a network by a specific application running on a device. Which tool should you use?
Options: Certifier | Protocol analyzer | Multimeter | Toner probe | TDR
A: Protocol analyzer

Q: You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use?
Options: OVAL | Network mapper | Port scanner | Ping scanner
A: Network mapper

Q: After a security event that involves a breach of physical security, what is the term used for the new measures, incident review, and repairs meant to stop a future incident from occurring?
Options: Detection | Recovery | Prevention | Data breach
A: Recovery

Q: A relatively new employee in the data entry cubicle farm was assigned a user account similar to the other data entry employees' accounts. However, audit logs have shown that this user account has been used to change ACLs on several confidential files and has accessed data in restricted areas. This situation indicates which of the following has occurred?
Options: Physical security | Social engineering | External attack | Privilege escalation
A: Privilege escalation

Q: Which of the following is the BEST example of the principle of least privilege?
Options: Lenny has been given access to files that he does not need for his job. | Wanda has been given access to the files that she needs for her job. | Jill has been given access to all of the files on one server. | Mary has been given access to all of the file servers.
A: Wanda has been given access to the files that she needs for her job.

Q: In which phase of an attack does the attacker gather information about the target?
Options: Reconnaissance | Exploit the system | Breach the system | Escalating privileges
A: Reconnaissance

Q: When you dispose of a computer or sell used hardware, it is crucial that none of the data on the hard disks can be recovered. Which of the following actions can you take to ensure that no data is recoverable?
Options: Damage the hard disks so badly that all data remanence is gone. | Encrypt all data on the hard disks. | Reformat all the hard disks in the computer. | Delete all files from all the hard disks in the computer.
A: Damage the hard disks so badly that all data remanence is gone.

Q: As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints. Which tool would you use?
Options: MAM | SOAR | GDPR | MDM
A: SOAR (a platform to compile security data generated by different security endpoints)

Q: Which of the following password attacks uses preconfigured matrices of hashed dictionary words?
Options: Rainbow table attack | Hybrid attack | Dictionary attack | Brute-force attack
A: Rainbow table attack

Q: Users in the sales department perform many of their daily tasks, such as emailing and creating sales presentations, on their personal tablets. The chief information officer worries that one of these users might also use their tablet to steal sensitive information from the organization's network. Your job is to implement a solution that prevents insiders from accessing sensitive information stored on the organization's network from their personal devices while still giving them access to the internet. Which of the following should you implement?
Options: A guest wireless network that is isolated from your organization's production network | A mobile device management (MDM) infrastructure | A Network Access Control (NAC) solution | An Acceptable Use Policy (AUP)
A: A guest wireless network that is isolated from your organization's production network

Q: What does the netstat -a command show?
Options: All connected hosts | All listening sockets | All listening and non-listening sockets | All network users
A: All listening and non-listening sockets

Q: Which of the following is a network virtualization solution provided by Microsoft?
Options: VirtualBox | Hyper-V | VMware | Citrix
A: Hyper-V

Q: Change control should be used to oversee and manage changes over which aspect of an organization?
Options: IT hardware and software | Physical environment | Personnel and policies | Every aspect
A: Every aspect

Q: If an SMTP server is not properly and securely configured, it can be hijacked and used maliciously as an SMTP relay agent. Which activity could result if this happens?
Options: Salami attack | Spamming | Virus hoax | Data diddling
A: Spamming

Q: Which of the following BEST describes zero-trust security?
Options: Only devices that pass authentication are trusted. | Only devices that pass authorization are trusted. | Only devices that pass both authentication and authorization are trusted. | All devices are trusted.
A: Only devices that pass both authentication and authorization are trusted.

Q: Your organization is having a third party come in and perform an audit on the financial records. You want to ensure that the auditor has access to the data they need while keeping the customers' data secure. To accomplish this goal, you plan to implement a mask that replaces the client names and account numbers with fictional data. Which masking method are you implementing?
Options: Dynamic | Encryption | Static | Tokenization
A: Dynamic

Q: Which of the following can be classified as a stream cipher?
Options: Blowfish | AES | Twofish | RC4
A: RC4

Q: Which security mechanism uses a unique list that meets the following specifications: The list is embedded directly in the object itself. The list defines which subjects have access to certain objects. The list specifies the level or type of access allowed to certain objects.
Options: Conditional access | Hashing | User ACL | Mandatory access control
A: User ACL

Q: You are part of a committee that is meeting to define how Network Access Control (NAC) should be implemented in the organization. Which step in the NAC process is this?
Options: Define | Plan | Review | Apply
A: Plan

Q: The government and military use the following information classification system: Unclassified, Sensitive But Unclassified, Confidential, Secret, Top Secret. Drag each classification on the left to the appropriate description on the right.
Descriptions:
- The lowest level of classified information used by the military. Release of this information could cause damage to military efforts.
- If this information is released, it poses grave consequences to national security.
- This information can be accessed by the public and poses no security threat.
- If this information is disclosed, it could cause some harm, but not a national disaster.
- If this information is disclosed, it could cause severe and permanent damage to military actions.
A:
- The lowest level of classified information used by the military. Release of this information could cause damage to military efforts. = Confidential
- If this information is released, it poses grave consequences to national security. = Top Secret
- This information can be accessed by the public and poses no security threat. = Unclassified
- If this information is disclosed, it could cause some harm, but not a national disaster. = Sensitive But Unclassified
- If this information is disclosed, it could cause severe and permanent damage to military actions. = Secret

Q: Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed that has been recently updated. Where would you go to conduct a root cause analysis?
Options: Security log | Network log | Application log | Firewall log
A: Application log

Q: Which of the following is a common social engineering attack?
Options: Using a sniffer to capture network traffic | Distributing false information about an organization's financial status | Distributing hoax virus-information emails | Logging on with stolen credentials
A: Distributing hoax virus-information emails

Q: Which of the following is a disadvantage of software defined networking (SDN)?
Options: SDN creates centralized management. | SDN standards are still being developed. | SDN facilitates communication between hardware from different vendors. | SDN gathers network information and statistics.
A: SDN standards are still being developed.

Q: Which of the following sends unsolicited business cards and messages to a Bluetooth device?
Options: Slamming | Bluejacking | Bluebugging | Bluesnarfing
A: Bluejacking

Q: You have physically added a wireless access point to your network and installed a wireless networking card in two laptops that run Windows. Neither laptop can find the network. You have come to the conclusion that you must manually configure the access point (AP). Which of the following values uniquely identifies the network AP?
Options: SSID | Channel | WEP | PS
A: SSID

Q: You are running a packet sniffer on your workstation so you can identify the types of traffic on your network. You expect to see all the traffic on the network, but the packet sniffer only seems to be capturing frames that are addressed to the network interface on your workstation. Which of the following must you configure in order to see all of the network traffic?
Options: Configure the network interface to use promiscuous mode. | Configure the network interface to use port mirroring mode. | Configure the network interface to enable logging. | Configure the network interface to use protocol analysis mode.
A: Configure the network interface to use promiscuous mode.

Q: Which of the following best describes shoulder surfing?
Options: Guessing someone's password because it is so common or simple. | Someone nearby watching you enter your password on your computer and recording it. | Giving someone you trust your username and account password. | Finding someone's password in the trash can and using it to access their account.
A: Someone nearby watching you enter your password on your computer and recording it.

Q: A type of malware that prevents the system from being used until the victim pays the attacker money is known as what?
Options: Fileless virus | Remote Access Trojan (RAT) | Ransomware | Denial-of-service attack (DoS attack)
A: Ransomware

Q: Which of the following cloud storage access services acts as a gatekeeper, extending an organization's security policies into the cloud storage infrastructure?
Options: A web service application programming interface | A cloud storage gateway | A cloud-access security broker | A co-located cloud computer service
A: A cloud-access security broker

Q: Which of the following are often identified as the three main goals of security? (Select three.)
Options: Assets | Confidentiality | Availability | Policies | Integrity | Employees | Non-repudiation
A: Confidentiality, Availability, Integrity

Q: Which of the following lets you make phone calls over a packet-switched network?
Options: VoIP | SCADA | FPGA | RTOS
A: VoIP

Q: In which phase of the Microsoft Intune application life cycle would you assign an app to users and/or devices you manage and monitor them on the Azure portal?
Options: Configure | Protect | Deploy | Add
A: Deploy

Q: An attacker is attempting to crack a system's password by matching the password hash to a hash in a large table of hashes he or she has. Which type of attack is the attacker using?
Options: Brute force | Rainbow | RIPEMD | Cracking
A: Rainbow

Q: Which of the following can make passwords useless on a router?
Options: Using the MD5 hashing algorithm to encrypt the password | Not controlling physical access to the router | Storing the router configuration file in a secure location | Using SSH to remotely connect to a router
A: Not controlling physical access to the router

Q: What is the primary security feature that can be designed into a network's infrastructure to protect and support availability?
Options: Redundancy | Switches instead of hubs | Periodic backups | Fiber optic cables
A: Redundancy

Q: Which of the following is an example of privilege escalation?
Options: Separation of duties | Privilege creep | Mandatory vacations | Principle of least privilege
A: Privilege creep

Q: Which of the following is an example of protocol-based network virtualization?
Options: VFA | VMM | vSwitch | VLAN
A: VLAN

Q: Which of the following are characteristics of a circuit-level gateway? (Select two.)
Options: Stateless | Filters based on sessions | Filters IP address and port | Stateful | Filters based on URL
A: Stateful; Filters based on sessions

Q: You want to know which protocols are being used on your network. You'd like to monitor network traffic and sort traffic by protocol. Which tool should you use?
Options: Port scanner | Packet sniffer | IPS | Throughput tester | IDS
A: Packet sniffer

Q: Which of the following are backed up during an incremental backup?
Options: Only files that have changed since the last full backup. | Only files that have changed since the last full or differential backup. | Only files that have changed since the last full or incremental backup. | Only files that are new since the last full or incremental backup.
A: Only files that have changed since the last full or incremental backup.

Q: Which of the following standards relates to the use of credit cards?
Options: PCI DSS | PoLP | Financial audit | SOX
A: PCI DSS

Q: A collection of zombie computers have been set up to collect personal information. Which type of malware do the zombie computers represent?
Options: Trojan horse | Logic bomb | Spyware | Botnet
A: Botnet

Q: What is the most important element related to evidence in addition to the evidence itself?
Options: Photographs of the crime scene | Chain of custody document | Completeness | Witness testimony
A: Chain of custody document

Q: Which of the following tools allows the user to set security rules for an instance of an application that interacts with one organization and different security rules for an instance of the application when interacting with another organization?
Options: Integration | Replication | Instance awareness | Encryption
A: Instance awareness

Q: Which of the following describes a configuration baseline?
Options: A collection of security settings that can be automatically applied to a device | A list of common security settings that a group or all devices share | The minimum services required for a server to function | A set of performance statistics that identifies normal operating performance
A: A list of common security settings that a group or all devices share

Q: You are using a password attack that tests every possible keystroke for each single key in a password until the correct one is found. Which of the following technical password attacks are you using?
Options: Password sniffing | Pass-the-hash attack | Brute force attack | Keylogger
A: Brute force attack

Q: You have been asked to implement a RAID 5 solution for your network. What is the minimum number of hard disks that can be used to configure RAID 5?
Options: 2 | 3 | 4 | 5 | 6
A: 3

Q: What is the name of the service included with the Windows Server operating system that manages a centralized database containing user account and security information?
A: ...

Q: You want to protect data on hard drives for users with laptops. You want the drive to be encrypted, and you want to prevent the laptops from booting unless a special USB drive is inserted. In addition, the system should not boot if a change is detected in any of the boot files. What should you do?
Options: Have each user encrypt user files with EFS. | Implement BitLocker without a TPM. | Have each user encrypt the entire volume with EFS. | Implement BitLocker with a TPM.
A: Implement BitLocker without a TPM.

Q: What is the primary function of the IKE Protocol used with IPsec?
Options: Create a security association between communicating partners. | Encrypt packet contents. | Ensure dynamic key rotation and select initialization vectors (IVs). | Provide both authentication and encryption. | Provide authentication services.
A: Create a security association between communicating partners.

Q: Which of the following functions are performed by proxies? (Select two.)
Options: Cache web pages | Give users the ability to participate in real-time, text-based internet discussions | Filter unwanted emails | Block employees from accessing certain websites | Store client files
A: Cache web pages; Block employees from accessing certain websites

Q: Which type of firewall protects against packets coming from certain IP addresses?
Options: Application layer | Packet-filtering | Stateful | Circuit-level
A: Packet-filtering

Q: Which of the following is considered a major problem with instant messaging applications?
Options: Loss of productivity | Transfer of text and files | Real-time communication | Freely available for use
A: Loss of productivity

Q: You need to check network connectivity from your computer to a remote computer. Which of the following tools would be the BEST option to use?
Options: nmap | ping | route | tracert
A: ping

Q: Which of the following is a privilege or action that can be taken on a system?
Options: User rights | SACL | Permissions | DACL
A: User rights

Q: You are adding switches to your network to support additional VLANs. Unfortunately, the new switches are from a different vendor than the current switches. Which standard do you need to ensure that the switches are supported?
Options: 802.11 | 802.1Q | 802.1x | 802.3
A: 802.1Q

Q: In your role as a security analyst, you ran a vulnerability scan, and several vulnerabilities were reported. Upon further inspection, none of the vulnerabilities actually existed. Which type of result is this?
Options: False negative | True positive | True negative | False positive
A: False positive


2022 CompTIA SECURITY+ SY0-601 BEST EXAM STUDY by Brian MacFarlane
Created by WieldyStone2. Updated on 2022-03-17 from Examtopics.com
Terms in this set (174)

Q: A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use?
Options: A. dd | B. chmod | C. dnsenum | D. logger
A: A

Q: (Simulation)
A: THIS IS THE ORDER AS FOLLOWS:
ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub user@server
chmod 644 ~/.ssh/id_rsa
ssh root@server

Q: DRAG AND DROP SIMULATION (SEE IMAGE)
A:
Firewall 1:
- DNS Rule: ANY --> ANY --> DNS --> PERMIT
- HTTPS Outbound: 10.0.0.1/24 --> ANY --> HTTPS --> PERMIT
- Management: ANY --> ANY --> SSH --> PERMIT
- HTTPS Inbound: ANY --> ANY --> HTTPS --> PERMIT
- HTTP Inbound: ANY --> ANY --> HTTP --> DENY
Firewall 2: No changes should be made to this firewall
Firewall 3:
- DNS Rule: ANY --> ANY --> DNS --> PERMIT
- HTTPS Outbound: 192.168.0.1/24 --> ANY --> HTTPS --> PERMIT
- Management: ANY --> ANY --> SSH --> PERMIT
- HTTPS Inbound: ANY --> ANY --> HTTPS --> PERMIT
- HTTP Inbound: ANY --> ANY --> HTTP --> DENY

Q: DROP DOWN SIMULATION (SEE IMAGE)
A: See IMAGE

Q: DRAG AND DROP SIMULATION
A: SEE ANSWERS IN IMAGE

Q: Which of the following will MOST likely adversely impact the operations of unpatched traditional programmable-logic controllers, running a back-end LAMP server and OT systems with human-management interfaces that are accessible over the Internet via a web interface? (Choose two.)
Options: A. Cross-site scripting | B. Data exfiltration | C. Poor system logging | D. Weak encryption | E. SQL injection | F. Server-side request forgery
A: D, F

Q: A company recently transitioned to a strictly BYOD culture due to the cost of replacing lost or damaged corporate-owned mobile devices. Which of the following technologies would be BEST to balance the BYOD culture while also protecting the company's data?
Options: A. Containerization | B. Geofencing | C. Full-disk encryption | D. Remote wipe
A: A

Q: A Chief Security Officer's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives?
Options: A. Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares. | B. Purchase cyber insurance from a reputable provider to reduce expenses during an incident. | C. Invest in end-user awareness training to change the long-term culture and behavior of staff and executives, reducing the organization's susceptibility to phishing attacks. | D. Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.
A: D

Q: A network engineer has been asked to investigate why several wireless barcode scanners and wireless computers in a warehouse have intermittent connectivity to the shipping server. The barcode scanners and computers are all on forklift trucks and move around the warehouse during their regular use. Which of the following should the engineer do to determine the issue? (Choose two.)
Options: A. Perform a site survey | B. Deploy an FTK Imager | C. Create a heat map | D. Scan for rogue access points | E. Upgrade the security protocols | F. Install a captive portal
A: A, C

Q: Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?
Options: A. SSAE SOC 2 | B. PCI DSS | C. GDPR | D. ISO 31000
A: C

Q: Phishing and spear-phishing attacks have been occurring more frequently against a company's staff. Which of the following would MOST likely help mitigate this issue?
Options: A. DNSSEC and DMARC | B. DNS query logging | C. Exact mail exchanger records in the DNS | D. The addition of DNS conditional forwarders
A: C

Q: On which of the following is the live acquisition of data for forensic analysis MOST dependent? (Choose two.)
Options: A. Data accessibility | B. Legal hold | C. Cryptographic or hash algorithm | D. Data retention legislation | E. Value and volatility of data | F. Right-to-audit clauses
A: E, F

Q: Which of the following incident response steps involves actions to protect critical systems while maintaining business operations?
Options: A. Investigation | B. Containment | C. Recovery | D. Lessons learned
A: B

Q: A security auditor is reviewing vulnerability scan data provided by an internal security team. Which of the following BEST indicates that valid credentials were used?
Options: A. The scan results show open ports, protocols, and services exposed on the target host | B. The scan enumerated software versions of installed programs | C. The scan produced a list of vulnerabilities on the target host | D. The scan identified expired SSL certificates
A: B

Q: Which of the following BEST explains the difference between a data owner and a data custodian?
Options: A. The data owner is responsible for adhering to the rules for using the data, while the data custodian is responsible for determining the corporate governance regarding the data | B. The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protection to the data | C. The data owner is responsible for controlling the data, while the data custodian is responsible for maintaining the chain of custody when handling the data | D. The data owner grants the technical permissions for data access, while the data custodian maintains the database access controls to the data
A: B

Q: A network engineer needs to build a solution that will allow guests at the company's headquarters to access the Internet via WiFi. This solution should not allow access to the internal corporate network, but it should require guests to sign off on the acceptable use policy before accessing the Internet. Which of the following should the engineer employ to meet these requirements?
Options: A. Implement open PSK on the APs | B. Deploy a WAF | C. Configure WIPS on the APs | D. Install a captive portal
A: D

Q: Based on the analyst's findings, which of the following attacks is being executed?
Options: A. Credential harvesting | B. Keylogger | C. Brute-force | D. Spraying
A: D

Q: Which of the following cloud models provides clients with servers, storage, and networks but nothing else?
Options: A. SaaS | B. PaaS | C. IaaS | D. DaaS
A: C

Q: A network administrator needs to build out a new datacenter, with a focus on resiliency and uptime. Which of the following would BEST meet this objective? (Choose two.)
Options: A. Dual power supply | B. Off-site backups | C. Automatic OS upgrades | D. NIC teaming | E. Scheduled penetration testing | F. Network-attached storage
A: A, B

Q: Which of the following network attacks is the researcher MOST likely experiencing?
Options: A. MAC cloning | B. Evil twin | C. Man-in-the-middle | D. ARP poisoning
A: C

Q: An organization is developing an authentication service for use at the entry and exit ports of country borders. The service will use data feeds obtained from passport systems, passenger manifests, and high-definition video feeds from CCTV systems that are located at the ports. The service will incorporate machine-learning techniques to eliminate biometric enrollment processes while still allowing authorities to identify passengers with increasing accuracy over time. The more frequently passengers travel, the more accurately the service will identify them. Which of the following biometrics will MOST likely be used, without the need for enrollment? (Choose two.)
Options: A. Voice | B. Gait | C. Vein | D. Facial | E. Retina | F. Fingerprint
A: B, D

Q: An organization needs to implement more stringent controls over administrator/root credentials and service accounts. Requirements for the project include:
- Check-in/checkout of credentials
- The ability to use but not know the password
- Automated password changes
- Logging of access to credentials
Which of the following solutions would meet the requirements?
Options: A. OAuth 2.0 | B. Secure Enclave | C. A privileged access management system | D. An OpenID Connect authentication system
A: D

Q: Several employees return to work the day after attending an industry trade show. That same day, the security manager notices several malware alerts coming from each of the employee's workstations. The security manager investigates but finds no signs of an attack on the perimeter firewall or the NIDS. Which of the following is MOST likely causing the malware alerts?
Options: A. A worm that has propagated itself across the intranet, which was initiated by presentation media | B. A fileless virus that is contained on a vCard that is attempting to execute an attack | C. A Trojan that has passed through and executed malicious code on the hosts | D. A USB flash drive that is trying to run malicious code but is being blocked by the host firewall
A: A

Q: After reading a security bulletin, a network security manager is concerned that a malicious actor may have breached the network using the same software flaw. The exploit code is publicly available and has been reported as being used against other industries in the same vertical. Which of the following should the network security manager consult FIRST to determine a priority list for forensic review?
Options: A. The vulnerability scan output | B. The IDS logs | C. The full packet capture data | D. The SIEM alerts
A: A

Q: A financial organization has adopted a new secure, encrypted document-sharing application to help with its customer loan process. Some important PII needs to be shared across this new platform, but it is getting blocked by the DLP systems. Which of the following actions will BEST allow the PII to be shared with the secure application without compromising the organization's security posture?
Options: A. Configure the DLP policies to allow all PII | B. Configure the firewall to allow all ports that are used by this application | C. Configure the antivirus software to allow the application | D. Configure the DLP policies to whitelist this application with the specific PII | E. Configure the application to encrypt the PII
A: D

Q: An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state?
Options: A. The system was configured with weak default security settings. | B. The device uses weak encryption ciphers. | C. The vendor has not supplied a patch for the appliance. | D.
A: C
The appliance requires administrative credentials for the assessment. C A company's bank has reported that multiple corporate credit cards have been stolen over the past several weeks. The bank has provided the names of the affected cardholders to the company's forensics team to assist in the cyber-incident investigation.An incident responder learns the following information: ✑ The timeline of stolen card numbers corresponds closely with affected users making Internet-based purchases from diverse websites via enterprise desktopPCs. ✑ All purchase connections were encrypted, and the company uses an SSL inspection proxy for the inspection of encrypted traffic of the hardwired network. Purchases made with corporate cards over the corporate guest WiFi network, where no SSL inspection occurs, were unaffected. Which of the following is the MOST likely root cause? A. HTTPS sessions are being downgraded to insecure cipher suites B. The SSL inspection proxy is feeding events to a compromised SIEM C. The payment providers are insecurely processing credit card charges D. The adversary has not yet established a presence on the guest WiFi network BE A pharmaceutical sales representative logs on to a laptop and connects to the public WiFi to check emails and update reports. Which of the following would be BEST to prevent other devices on the network from directly accessing the laptop? (Choose two.) A. Trusted Platform Module B. A host-based firewall C. A DLP solution D. Full disk encryption E. A VPN F. Antivirus software C A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA? A. One-time passwords B. Email tokens C. Push notifications D. Hardware authentication B The CSIRT is reviewing the lessons learned from a recent incident. 
A worm was able to spread unhindered throughout the network and infect a large number of computers and servers. Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future? A. Install a NIDS device at the boundary. B. Segment the network with firewalls. C. Update all antivirus signatures daily. D. Implement application blacklisting. A A company is adopting a BYOD policy and is looking for a comprehensive solution to protect company information on user devices. Which of the following solutions would BEST support the policy? A. Mobile device management B. Full-device encryption C. Remote wipe D. Biometrics B A development team employs a practice of bringing all the code changes from multiple team members into the same development project through automation. A tool is utilized to validate the code and track source code through version control. Which of the following BEST describes this process? A. Continuous delivery B. Continuous integration C. Continuous validation D. Continuous monitoring D A cybersecurity administrator needs to add disk redundancy for a critical server. The solution must have a two-drive failure for better fault tolerance. Which of the following RAID levels should the administrator select? A. 0 B. 1 C. 5 D. 6 A Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server? A. The document is a honeyfile and is meant to attract the attention of a cyberintruder. B. The document is a backup file if the system needs to be recovered. C. The document is a standard file that the OS needs to verify the login credentials. D. The document is a keylogger that stores all keystrokes should the account be compromised. B A small company that does not have security staff wants to improve its security posture. Which of the following would BEST assist the company? A. MSSP B. SOAR C. IaaS D. 
PaaS C An organization's help desk is flooded with phone calls from users stating they can no longer access certain websites. The help desk escalates the issue to the security team, as these websites were accessible the previous day. The security analysts run the following command: ipconfig /flushdns, but the issue persists. Finally, an analyst changes the DNS server for an impacted machine, and the issue goes away. Which of the following attacks MOST likely occurred on the original DNS server? A. DNS cache poisoning B. Domain hijacking C. Distributed denial-of-service D. DNS tunneling C A cybersecurity manager has scheduled biannual meetings with the IT team and department leaders to discuss how they would respond to hypothetical cyberattacks. During these meetings, the manager presents a scenario and injects additional information throughout the session to replicate what might occur in a dynamic cybersecurity event involving the company, its facilities, its data, and its staff. Which of the following describes what the manager is doing? A. Developing an incident response plan B. Building a disaster recovery plan C. Conducting a tabletop exercise D. Running a simulation exercise C A RAT that was used to compromise an organization's banking credentials was found on a user's computer. The RAT evaded antivirus detection. It was installed by a user who has local administrator rights to the system as part of a remote management tool set. Which of the following recommendations would BEST prevent this from reoccurring? A. Create a new acceptable use policy. B. Segment the network into trusted and untrusted zones. C. Enforce application whitelisting. D. Implement DLP at the network boundary. B A security analyst is reviewing a new website that will soon be made publicly available. The analyst sees the following in the URL: http://dev-site.comptia.org/home/show.php?sessionID=77276554&loc=us. 
The analyst then sends an internal user a link to the new website for testing purposes, and when the user clicks the link, the analyst is able to browse the website with the following URL: http://dev-site.comptia.org/home/show.php?sessionID=98988475&loc=us Which of the following application attacks is being tested? A. Pass-the-hash B. Session replay C. Object deference D. Cross-site request forgery C A network administrator has been asked to install an IDS to improve the security posture of an organization. Which of the following control types is an IDS? A. Corrective B. Physical C. Detective D. Administrative C Which of the following should be put in place when negotiating with a new vendor about the timeliness of the response to a significant outage or incident? A. MOU B. MTTR C. SLA D. NDA C A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms? A. SIEM B. DLP C. CASB D. SWG C A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring? A. CASB B. SWG C. Containerization D. Automated failover A A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions? A. Nmap B. Wireshark C. Autopsy D. DNSEnum D A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media? A. Monitoring large data transfer transactions in the firewall logs B. 
Developing mandatory training to educate employees about the removable media policy C. Implementing a group policy to block user access to system files D. Blocking removable-media devices and write capabilities using a host-based security tool D A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output: (SEE IMAGE) Which of the following is the router experiencing? A. DDoS attack B. Memory leak C. Buffer overflow D. Resource exhaustion C A company provides mobile devices to its users to permit access to email and enterprise applications. The company recently started allowing users to select from several different vendors and device models. When configuring the MDM, which of the following is a key security implication of this heterogeneous device approach? A. The most common set of MDM configurations will become the effective set of enterprise mobile security controls. B. All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the chosen architecture may unnecessarily expose private keys to adversaries. C. Certain devices are inherently less secure than others, so compensatory controls will be needed to address the delta between device vendors. D. MDMs typically will not support heterogeneous deployment environments, so multiple MDMs will need to be installed and configured. A An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be theMOST acceptable? A. SED (Self-Encrypting Drive) B. HSM (Hardware Security Module) C. DLP (Data Loss Prevention software) D. TPM (Trusted Platform Module) C A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which is only used for the early detection of attacks. 
The security analyst then reviews the following application log: (SEE IMAGE) Which of the following can the security analyst conclude? A. A replay attack is being conducted against the application. B. An injection attack is being conducted against a user authentication system. C. A service account password may have been changed, resulting in continuous failed logins within the application. D. A credentialed vulnerability scanner attack is testing several CVEs against the application. D In which of the following situations would it be BEST to use a detective control type for mitigation? A. A company implemented a network load balancer to ensure 99.999% availability of its web application. B. A company designed a backup solution to increase the chances of restoring services in case of a natural disaster. C. A company purchased an application-level firewall to isolate traffic between the accounting department and the information technology department. D. A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor, not block, any traffic. E. A company purchased liability insurance for flood protection on all capital assets. D The IT department's on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production? A. Limit the use of third-party libraries. B. Prevent data exposure queries. C. Obfuscate the source code. D. Submit the application to QA before releasing it. A - OAuth is for 3rd parties, whereas SAML uses SSO to federate users across an organization's inner functions. A cybersecurity analyst needs to implement secure authentication to third-party websites without users' passwords. Which of the following would be the BEST way to achieve this objective? A. OAuth B. SSO C. SAML D. 
PAP B An analyst needs to identify the applications a user was running and the files that were open before the user's computer was shut off by holding down the power button. Which of the following would MOST likely contain that information? A. NGFW B. Pagefile C. NetFlow D. RAM A A remote user recently took a two-week vacation abroad and brought along a corporate-owned laptop. Upon returning to work, the user has been unable to connect the laptop to the VPN. Which of the following is the MOST likely reason for the user's inability to connect the laptop to the VPN? A. Due to foreign travel, the user's laptop was isolated from the network. B. The user's laptop was quarantined because it missed the latest path update. C. The VPN client was blacklisted. D. The user's account was put on a legal hold. A In which of the following common use cases would steganography be employed? A. Obfuscation B. Integrity C. Non-repudiation D. Blockchain C To secure an application after a large data breach, an e-commerce site will be resetting all users' credentials. Which of the following will BEST ensure the site's users are not compromised after the reset? A. A password reuse policy B. Account lockout after three failed attempts C. Encrypted credentials in transit D. A geofencing policy based on login history A In which of the following risk management strategies would cybersecurity insurance be used? A. Transference B. Avoidance C. Acceptance D. Mitigation D An organization has implemented a policy requiring the use of conductive metal lockboxes for personal electronic devices outside of a secure research lab. Which of the following did the organization determine to be the GREATEST risk to intellectual property when creating this policy? A. The theft of portable electronic devices B. Geotagging in the metadata of images C. Bluesnarfing of mobile devices D. 
Data exfiltration over a mobile hotspot C A security analyst is using a recently released security advisory to review historical logs, looking for the specific activity that was outlined in the advisory. Which of the following is the analyst doing? A. A packet capture B. A user behavior analysis C. Threat hunting D. Credentialed vulnerability scanning D Which of the following would MOST likely support the integrity of a voting machine? A. Asymmetric encryption B. Blockchain C. Transport Layer Security D. Perfect forward secrecy B A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies? A. PCI DSS B. GDPR C. NIST D. ISO 31000 B The IT department at a university is concerned about professors placing servers on the university network in an attempt to bypass security controls. Which of the following BEST represents this type of threat? A. A script kiddie B. Shadow IT C. Hacktivism D. White-hat B A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers. Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to: A. perform attribution to specific APTs and nation-state actors. B. anonymize any PII that is observed within the IoC data. C. add metadata to track the utilization of threat intelligence reports. D. assist companies with impact assessments based on the observed data. A While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. 
Which of the following is MOST likely occurring? A. A RAT was installed and is transferring additional exploit tools. B. The workstations are beaconing to a command-and-control server. C. A logic bomb was executed and is responsible for the data transfers. D. A fireless virus is spreading in the local network environment. C An organization is developing a plan in the event of a complete loss of critical systems and data. Which of the following plans is the organization MOST likely developing? A. Incident response B. Communications C. Disaster recovery D. Data retention C Which of the following is the purpose of a risk register? A. To define the level or risk using probability and likelihood B. To register the risk with the required regulatory agencies C. To identify the risk, the risk owner, and the risk measures D. To formally log the type of risk mitigation strategy the organization is using AD A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected.Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Choose two.) A. DoS B. SSL stripping C. Memory leak D. Race condition E. Shimming F. Refactoring A A company recently set up an e-commerce portal to sell its product online. The company wants to start accepting credit cards for payment, which requires compliance with a security standard. 
Which of the following standards must the company comply with before accepting credit cards on its e-commerce platform? A. PCI DSS B. ISO 22301 C. ISO 27001 D. NIST CSF B Which of the following BEST describes a security exploit for which a vendor patch is not readily available? A. Integer overflow B. Zero-day C. End of life D. Race condition B The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company's Chief Executive Officer (CEO), requesting a transfer of$10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social-engineering techniques is the attacker using? A. Phishing B. Whaling C. Typo squatting D. Pharming B An organization wants to implement a third factor to an existing multifactor authentication. The organization already uses a smart card and password. Which of the following would meet the organization's needs for a third factor? A. Date of birth B. Fingerprints C. PIN D. TPM C An employee has been charged with fraud and is suspected of using corporate assets. As authorities collect evidence, and to preserve the admissibility of the evidence, which of the following forensic techniques should be used? A. Order of volatility B. Data recovery C. Chain of custody D. Non-repudiation B A company wants to deploy PKI on its Internet-facing website. The applications that are currently deployed are: ✑ www.company.com (main website) ✑ contactus.company.com (for locating a nearby location) ✑ quotes.company.com (for requesting a price quote) The company wants to purchase one SSL certificate that will work for all the existing applications and any future applications that follow the same naming conventions, such as store.company.com. Which of the following certificate types would BEST meet the requirements? A. SAN B. Wildcard C. Extended validation D. 
Self-signed B A Chief Security Officer (CSO) is concerned about the amount of PII that is stored locally on each salesperson's laptop. The sales department has a higher-than- average rate of lost equipment. Which of the following recommendations would BEST address the CSO's concern? A. Deploy an MDM solution. B. Implement managed FDE. C. Replace all hard drives with SEDs. D. Install DLP agents on each laptop. B A user contacts the help desk to report the following:✑ Two days ago, a pop-up browser window prompted the user for a name and password after connecting to the corporate wireless SSID. This had never happened before, but the user entered the information as requested.✑ The user was able to access the Internet but had trouble accessing the department share until the next day.✑ The user is now getting notifications from the bank about unauthorized transactions. Which of the following attack vectors was MOST likely used in this scenario? A. Rogue access point B. Evil twin C. DNS poisoning D. ARP poisoning A A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing theInternet all day. Which of the following would MOST likely show where the malware originated? A. The DNS logs B. The web server logs C. The SIP traffic logs D. The SNMP logs A A recently discovered zero-day exploit utilizes an unknown vulnerability in the SMB network protocol to rapidly infect computers. Once infected, computers are encrypted and held for ransom. Which of the following would BEST prevent this attack from reoccurring? A. Configure the perimeter firewall to deny inbound external connections to SMB ports. B. Ensure endpoint detection and response systems are alerting on suspicious SMB connections. C. Deny unauthenticated users access to shared network folders. D. Verify computers are set to install monthly operating system, updates automatically. 
C Joe, an employee, receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and date of birth be provided to confirm Joe's identity before sending him the prize. Which of the following BEST describes this type of email? A. Spear phishing B. Whaling C. Phishing D. Vishing A Which of the following refers to applications and systems that are used within an organization without consent or approval? A. Shadow IT B. OSINT C. Dark web D. Insider threats A A manufacturer creates designs for very high security products that are required to be protected and controlled by the government regulations. These designs are not accessible by corporate networks or the Internet. Which of the following is the BEST solution to protect these designs? A. An air gap B. A Faraday cage C. A shielded cable D. A demilitarized zone D A company processes highly sensitive data and senior management wants to protect the sensitive data by utilizing classification labels. Which of the following access control schemes would be BEST for the company to implement? A. Discretionary B. Rule-based C. Role-based D. Mandatory C Which of the following policies would help an organization identify and mitigate potential single points of failure in the company's IT/security operations? A. Least privilege B. Awareness training C. Separation of duties D. Mandatory vacation A Which of the following would be the BEST method for creating a detailed diagram of wireless access points and hotspots? A. Footprinting B. White-box testing C. A drone/UAV D. Pivoting AB A user enters a password to log in to a workstation and is then prompted to enter an authentication code. Which of the following MFA factors or attributes are being utilized in the authentication process? (Choose two.) A. Something you know B. Something you have C. Somewhere you are D. Someone you know E. Something you are F. 
Something you can do A When selecting a technical solution for identity management, an architect chooses to go from an in-house solution to a third-party SaaS provider. Which of the following risk management strategies is this an example of? A. Transference B. Avoidance C. Acceptance D. Mitigation D A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal? A. Salting the magnetic strip information B. Encrypting the credit card information in transit C. Hashing the credit card numbers upon entry D. Tokenizing the credit cards in the database C A company recently experienced a data breach and the source was determined to be an executive who was charging a phone in a public area. Which of the following would MOST likely have prevented this breach? A. A firewall B. A device pin C. A USB data blocker D. Biometrics C An analyst visits an Internet forum looking for information about a tool. The analyst finds a thread that appears to contain relevant information. One of the posts says the following: (SEE IMAGE) Which of the following BEST describes the attack that was attempted against the forum readers? A. SQLi attack B. DLL attack C. XSS attack D. API attack C A network administrator would like to configure a site-to-site VPN utilizing IPsec. The administrator wants the tunnel to be established with data integrity, encryption, authentication, and anti-replay functions. Which of the following should the administrator use when configuring the VPN? A. AH (Authentication Header) B. EDR (Endpoint Detection and Response) C. ESP (Encapsulating Security Payload) D. DNSSEC (Domain Naming System Security Extensions) BE Users have been issued smart cards that provide physical access to a building. 
The cards also contain tokens that can be used to access information systems.Users can log in to any thin client located throughout the building and see the same desktop each time. Which of the following technologies are being utilized to provide these capabilities? (Choose two.) A. COPE B. VDI C. GPS D. TOTP E. RFID F. BYOD D The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve security in the environment and protect patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns? A. SSO would simplify username and password management, making it easier for hackers to guess accounts. B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords. C. SSO would reduce the password complexity for frontline staff. D. SSO would reduce the resilience and availability of systems if the identity provider goes offline. B A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of power surge of power surge or other fault situation. The switch was installed on a wired network in a hospital and is monitored by the facilities department via a cloud application. The security administrator isolated the switch on a separate VLAN and set up a patching routine. Which of the following steps should also be taken to harden the smart switch? A. Set up an air gap for the switch. B. Change the default password for the switch. C. Place the switch in a Faraday cage. D. Install a cable lock on the switch. D A cybersecurity administrator has a reduced team and needs to operate an on-premises network and security infrastructure efficiently. To help with the situation, the administrator decides to hire a service provider. 
Which of the following should the administrator use? A. SDP B. AAA C. IaaS D. MSSP (Managed Security Services Provider) E. Microservices D A security assessment determines DES and 3DES are still being used on recently deployed production servers. Which of the following did the assessment identify? A. Unsecure protocols B. Default settings C. Open permissions D. Weak encryption A Which of the following types of controls is a turnstile? A. Physical B. Detective C. Corrective D. Technical A Which of the following describes the BEST approach for deploying application patches? A. Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production systems. B. Test the patches in a staging environment, develop against them in the development environment, and then apply them to the production systems. C. Test the patches in a test environment, apply them to the production systems, and then apply them to a staging environment. D. Apply the patches to the production systems, apply them in a staging environment, and then test all of them in a testing environment. E A security analyst is investigating an incident that was first reported as an issue connecting to network shares and the Internet. While reviewing logs and tool output, the analyst sees the following: (SEE IMAGE) Which of the following attacks has occurred? A. IP conflict B. Pass-the-hash C. MAC flooding D. Directory traversal E. ARP poisoning D After entering a username and password, an administrator must draw a gesture on a touch screen. Which of the following demonstrates what the administrator is providing? A. Multifactor authentication B. Something you can do C. Biometrics D. Two-factor authentication D An organization suffered an outage, and a critical system took 90 minutes to come back online. Though there was no data loss during the outage, the expectation was that the critical system would be available again within 60 minutes. 
Which of the following is the 60-minute expectation an example of? A. MTBF B. RPO C. MTTR D. RTO C Joe, a user at a company, clicked an email link that led to a website that infected his workstation. Joe was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and it has continued to evade detection. Which of the following should a security administrator implement to protect the environment from this malware? A. Install a definition-based antivirus. B. Implement an IDS/IPS C. Implement a heuristic behavior-detection solution. D. Implement CASB to protect the network shares. C An organization is concerned that its hosted web servers are not running the most updated version of the software. Which of the following would work BEST to help identify potential vulnerabilities? A. hping3 -S comptia.org -p 80 B. nc -l -v comptia.org -p 80 C. nmap comptia.org -p 80 -sV D. nslookup -port=80 comptia.org D A retail executive recently accepted a job with a major competitor. The following week, a security analyst reviews the security logs and identifies successful logon attempts to access the departed executive's accounts. Which of the following security practices would have addressed the issue? A. A non-disclosure agreement B. Least privilege C. An acceptable use policy D. Offboarding A A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able to detect the following message: "Special privileges assigned to new logon." Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected? A. Pass-the-hash attack B. Buffer overflow C. Cross-site scripting D. Session replay B A systems administrator needs to implement an access control scheme that will allow an object's access policy to be determined by its owner.
Which of the following access control schemes BEST fits the requirements? A. Role-based access control B. Discretionary access control C. Mandatory access control D. Attribute-based access control B A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicate a directory-traversal attack has occurred. Which of the following is the analyst MOST likely seeing? A. http://sample.url.com/script Please-Visit-Our-Phishing-Site script B. http://sample.url.com/someotherpageonsite/../../../etc/shadow C. http://sample.url.com/select-from-database-where-password-null D. http://redirect.sameple.url.sampleurl.com/malicious-dns-redirect D A company has limited storage space available and an online presence that cannot be down for more than four hours. Which of the following backup methodologies should the company implement to allow for the FASTEST database restore time in the event of a failure, while being mindful of the limited available storage space? A. Implement full tape backups every Sunday at 8:00 p.m. and perform nightly tape rotations. B. Implement differential backups every Sunday at 8:00 p.m. and nightly incremental backups at 8:00 p.m. C. Implement nightly full backups every Sunday at 8:00 p.m. D. Implement full backups every Sunday at 8:00 p.m. and nightly differential backups at 8:00 p.m. C An organization has a growing workforce that is mostly driven by additions to the sales department. Each newly hired salesperson relies on a mobile device to conduct business. The Chief Information Officer (CIO) is wondering if the organization may need to scale down just as quickly as it scaled up. The CIO is also concerned about the organization's security and customer privacy. Which of the following would be BEST to address the CIO's concerns? A. Disallow new hires from using mobile devices for six months. B. Select four devices for the sales department to use in a CYOD model. C. 
Implement BYOD for the sales department while leveraging the MDM. D. Deploy mobile devices using the COPE methodology. C A malicious actor recently penetrated a company's network and moved laterally to the datacenter. Upon investigation, a forensics firm wants to know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm? A. Security B. Application C. Dump D. Syslog A A public relations team will be taking a group of guests on a tour through the facility of a large e-commerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against: A. loss of proprietary information. B. damage to the company's reputation. C. social engineering. D. credential exposure. D The manager who is responsible for a data set has asked a security engineer to apply encryption to the data on a hard disk. The security engineer is an example of a: A. data controller. B. data owner. C. data custodian. D. data processor. A A network engineer is troubleshooting wireless network connectivity issues that were reported by users. The issues are occurring only in the section of the building that is closest to the parking lot. Users are intermittently experiencing slow speeds when accessing websites and are unable to connect to network drives. The issues appear to increase when laptop users return to their desks after using their devices in other areas of the building. There have also been reports of users being required to enter their credentials on web pages in order to gain access to them. Which of the following is the MOST likely cause of this issue? A. An external access point is engaging in an evil-twin attack. B. The signal on the WAP needs to be increased in that section of the building. C. The certificates have expired on the devices and need to be reinstalled. D. 
The users in that section of the building are on a VLAN that is being blocked by the firewall. D A security administrator needs to create a RAID configuration that is focused on high read speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the following RAID configurations should the administrator use? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10 B A company's Chief Information Officer (CIO) is meeting with the Chief Information Security Officer (CISO) to plan some activities to enhance the skill levels of the company's developers. Which of the following would be MOST suitable for training the developers? A. A capture-the-flag competition B. A phishing simulation C. Physical security training D. Basic awareness training B A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP connections. The analyst is unsure what is required to perform the task and solicits help from a senior colleague. Which of the following is the FIRST step the senior colleague will most likely tell the analyst to perform to accomplish this task? A. Create an OCSP (Online Certificate Status Protocol) B. Generate a CSR. (Certificate Signing Request) C. Create a CRL. (Certificate Revocation List) D. Generate a .pfx file. C Under GDPR, which of the following is MOST responsible for the protection of privacy and website user rights? A. The data protection officer B. The data processor C. The data owner D. The data controller A A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery? A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis. B. 
Restrict administrative privileges and patch all systems and applications. C. Rebuild all workstations and install new antivirus software. D. Implement application whitelisting and perform user application hardening. D A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization's executives determine their next course of action? A. An incident response plan B. A communications plan C. A disaster recovery plan D. A business continuity plan B Which of the following describes the ability of code to target a hypervisor from inside a guest OS? A. Fog computing B. VM escape C. Software-defined networking D. Image forgery E. Container breakout A After a ransomware attack, a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction? A. The public ledger (record keeping system) B. The NetFlow data C. A checksum D. The event log D During an incident response, a security analyst observes the following log entry on the web server: (SEE IMAGE) Which of the following BEST describes the type of attack the analyst is experiencing? A. SQL injection B. Cross-site scripting C. Pass-the-hash D. Directory traversal C Which of the following ISO standards is certified for privacy? A. ISO 9001 B. ISO 27002 C. ISO 27701 D. ISO 31000 C A document that appears to be malicious has been discovered in an email that was sent to a company's Chief Financial Officer (CFO). Which of the following would be BEST to allow a security analyst to gather information and confirm it is a malicious document without executing any code it may contain? A. Open the document on an air-gapped network. B. View the document's metadata for origin clues. C. Search for matching file hashes on malware websites. D. Detonate the document in an analysis sandbox. 
B A security analyst is running a vulnerability scan to check for missing patches during a suspected security incident. During which of the following phases of the response process is this activity MOST likely occurring? A. Containment B. Identification C. Recovery D. Preparation A Which of the following is a team of people dedicated to testing the effectiveness of organizational security programs by emulating the techniques of potential attackers? A. Red team B. White team C. Blue team D. Purple team B A security analyst discovers that a company's username and password database was posted on an Internet forum. The usernames and passwords are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future? A. Create DLP controls that prevent documents from leaving the network. B. Implement salting and hashing. C. Configure the web content filter to block access to the forum. D. Increase password complexity requirements. AC Which of the following are requirements that must be configured for PCI DSS compliance? (Choose two.) A. Testing security systems and processes regularly B. Installing and maintaining a web proxy to protect cardholder data C. Assigning a unique ID to each person with computer access D. Encrypting transmission of cardholder data across private networks E. Benchmarking security awareness training for contractors F. Using vendor-supplied default passwords for system passwords C A security analyst needs to be proactive in understanding the types of attacks that could potentially target the company's executives. Which of the following intelligence sources should the security analyst review? A. Vulnerability feeds B. Trusted automated exchange of indicator information C. Structured threat information expression (STIX) D. 
Industry information-sharing and collaboration groups D A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The terminal is beyond end-of-life support and cannot be upgraded, so it is placed on a protected network segment. Which of the following would be MOST effective to implement to further mitigate the reported vulnerability? A. DNS sinkholing B. DLP rules on the terminal C. An IP blacklist D. Application whitelisting B A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following:✑ The legitimate website's IP address is 10.1.1.20 and eRecruit.local resolves to this IP.✑ The forged website's IP address appears to be 10.2.12.99, based on NetFlow records.✑ All three of the organization's DNS servers show the website correctly resolves to the legitimate IP.✑ DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise. Which of the following MOST likely occurred? A. A reverse proxy was used to redirect network traffic. B. An SSL strip MITM attack was performed. C. An attacker temporarily poisoned a name server. D. An ARP poisoning attack was successfully executed. D An organization has hired a security analyst to perform a penetration test. The analyst captures 1Gb worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap file? A. Nmap B. cURL C. Netcat D. Wireshark B A company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. 
The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring? A. A BPDU guard B. WPA-EAP C. IP filtering D. A WIDS D A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better: A. validate the vulnerability exists in the organization's network through penetration testing. B. research the appropriate mitigation techniques in a vulnerability database. C. find the software patches that are required to mitigate a vulnerability. D. prioritize remediation of vulnerabilities based on the possible impact. D A security engineer is reviewing log files after a third party discovered usernames and passwords for the organization's accounts. The engineer sees there was a change in the IP address for a vendor website one week earlier. This change lasted eight hours. Which of the following attacks was MOST likely used? A. Man-in-the-middle B. Spear phishing C. Evil twin D. DNS poisoning E A company recently moved sensitive videos between on-premises, company-owned websites. The company then learned the videos had been uploaded and shared to the Internet. Which of the following would MOST likely allow the company to find the cause? A. Checksums B. Watermarks C. Order of volatility D. A log analysis E. A right-to-audit clause A A large industrial system's smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the company's security manager notices the generator's IP is sending packets to an internal file server's IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities? A. Segmentation B. 
Firewall whitelisting C. Containment D. Isolation B Which of the following allows for functional test data to be used in new systems for testing and training purposes to protect the real data? A. Data encryption B. Data masking C. Data deduplication D. Data minimization A A consultant is configuring a vulnerability scanner for a large, global organization in multiple countries. The consultant will be using a service account to scan systems with administrative privileges on a weekly basis, but there is a concern that hackers could gain access to the account and pivot throughout the global network. Which of the following would be BEST to help mitigate this concern? A. Create different accounts for each region, each configured with push MFA notifications. B. Create one global administrator account and enforce Kerberos authentication. C. Create different accounts for each region, limit their logon times, and alert on risky logins. D. Create a guest account for each region, remember the last ten passwords, and block password reuse. B A software developer needs to perform code-execution testing, black-box testing, and non-functional testing on a new product before its general release. Which of the following BEST describes the tasks the developer is conducting? A. Verification B. Validation C. Normalization D. Staging D A security analyst is configuring a large number of new company-issued laptops. The analyst received the following requirements: ✑ The devices will be used internationally by staff who travel extensively. ✑ Occasional personal use is acceptable due to the travel requirements. ✑ Users must be able to install and configure sanctioned programs and productivity suites. ✑ The devices must be encrypted. ✑ The devices must be capable of operating in low-bandwidth environments. Which of the following would provide the GREATEST benefit to the security posture of the devices? A. Configuring an always-on VPN B. Implementing application whitelisting C. 
Requiring web traffic to pass through the on-premises content filter D. Setting the antivirus DAT update schedule to weekly B An organization has decided to host its web application and database in the cloud. Which of the following BEST describes the security concerns for this decision? A. Access to the organization's servers could be exposed to other cloud-provider clients. B. The cloud vendor is a new attack vector within the supply chain. C. Outsourcing the code development adds risk to the cloud provider. D. Vendor support will cease when the hosting platforms reach EOL. C An organization that is located in a flood zone is MOST likely to document the concerns associated with the restoration of IT operations in a: A. business continuity plan. B. communications plan. C. disaster recovery plan. D. continuity of operations plan. D A user received an SMS on a mobile phone that asked for bank details. Which of the following social-engineering techniques was used in this case? A. SPIM B. Vishing C. Spear phishing D. Smishing A Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario? A. Watering-hole attack B. Credential harvesting C. Hybrid warfare D. Pharming CE Which of the following will provide the BEST physical security countermeasures to stop intruders? (Choose two.) A. Alarms B. Signage C. Lighting D. Mantraps E. Fencing F. Sensors D A security analyst is looking for a solution to help communicate to the leadership team the severity levels of the organization's vulnerabilities. Which of the following would BEST meet this need? A. CVE B. SIEM C. SOAR D. CVSS D A security incident may have occurred on the desktop PC of an organization's Chief Executive Officer (CEO).
A duplicate copy of the CEO's hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task? A. Install a new hard drive in the CEO's PC, and then remove the old hard drive and place it in a tamper-evident bag. B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy. C. Remove the CEO's hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote file share while the CEO watches. D. Refrain from completing a forensic analysis of the CEO's hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence. AE The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to work from home anytime during business hours, including during a pandemic or crisis. However, the CEO is concerned that some staff members may take advantage of the flexibility and work from high-risk countries while on holiday or outsource work to a third-party organization in another country. The Chief Information Officer (CIO) believes the company can implement some basic controls to mitigate the majority of the risk. Which of the following would be BEST to mitigate the CEO's concerns? (Choose two.) A. Geolocation B. Time-of-day restrictions C. Certificates D. Tokens E. Geotagging F. Role-based access controls F In the middle of a cyberattack, a security engineer removes the infected devices from the network and locks down all compromised accounts. In which of the following incident response phases is the security engineer currently operating? A. Identification B. Preparation C. Lessons learned D. Eradication E. Recovery F. Containment A The SOC is reviewing processes and procedures after a recent incident. 
The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process? A. Updating the playbooks with better decision points B. Dividing the network into trusted and untrusted zones C. Providing additional end-user training on acceptable use D. Implementing manual quarantining of infected hosts C A security analyst is reviewing the following attack log output: (SEE IMAGE) Which of the following types of attacks does this MOST likely represent? A. Rainbow table B. Brute-force C. Password-spraying D. Dictionary C A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure? A. A captive portal B. PSK C. 802.1X D. WPS
Security+ 601 Practice Questions (163 terms). Created by Veljulisa.
An international company is expanding its services and is creating several new servers to store customer data. Of the options listed below, which would likely contain an outline of roles/responsibilities for data controllers/processors that the company should follow? A.ISO 31000 International risk management best practices B.GDPR The European Union's regulation that states that personal data cannot be collected or processed without the individual's informed consent. C.PCI DSS Outlines how credit card/bank info must be safely managed. D.SSAE SOC2 An audit/test that reports on an organization's controls relative to the CIA triad. The question is somewhat vague, so we will want a generalized answer. The GDPR (General Data Protection Regulation) is most likely to outline responsibilities for data controllers/processors/users. B.GDPR The European Union's regulation that states that personal data cannot be collected or processed without the individual's informed consent. What type of control would a sign, like the one above, be considered? A.Detective B.Compensating C.Deterrent D.Corrective C.Deterrent Before accepting credit cards on a new shopping website, what standard must a company follow? A.PCI DSS B.NIST CSF C.ISO 22301 D.ISO 27001 A.PCI DSS PCI DSS = Payment Card Industry Data Security Standard NIST CSF = National Institute of Standards and Technology, Cyber Security Framework ISO 22301 - security & resilience, business continuity management ISO 27001 - information security rules and requirements (compliance/regulations) Of the control types listed below, what would a mantrap (access control vestibule) or turnstile be considered? A.Physical B.Detective C.Corrective D.Technical A.Physical Which ISO standard is specifically designed for certifying privacy? A.31000 B.27002 C.27701 D.9001 C.27701 ISO standards 27001, 27002, 27701, 31000 are listed as exam objectives. Additional supplementary ISO numbers can be found in this slide's notes. - ISO 27001 Information Security Management Systems Infosec rules and requirements used by many governing bodies to create compliance/regulations. - ISO 27701 Privacy Information Management An extension to 27001 that outlines rules and regulations specifically tied to privacy. - ISO 27002 Information Security Best Practices Guidelines and suggestions for how to start or improve infosec at an organization.
- ISO 31000 Risk Management Best Practices Generic (non-specific) suggestions for managing risk response within an organization What is ISO 27001? Information Security Management Systems Infosec rules and requirements used by many governing bodies to create compliance/regulations. What is ISO 27701? Privacy Information Management An extension to 27001 that outlines rules and regulations specifically tied to privacy. What is ISO 27002? Information Security Best Practices Guidelines and suggestions for how to start or improve infosec at an organization. What is ISO 31000? Risk Management Best Practices Generic (non-specific) suggestions for managing risk response within an organization A penetration tester revealed that an end-of-life server is using 3DES to encrypt its traffic. Unfortunately, the server, which is mission critical, cannot be upgraded to AES, replaced, or removed. What type of control could help reduce the risk created by this server considering the company must continue to use it? A.Correlating B.Physical C.Detective D.Preventative E.Compensation E.Compensation An employee installed a new service on the domain controller without consent or approval from the IT department and change management. What specifically describes this type of threat? A.OSINT B.Insider threat C.Shadow IT D.Dark web D.Dark web Shadow IT (also known as fake IT, stealth IT, or rogue IT) refers to information technology (IT) systems deployed by departments other than the central IT department, to work around the shortcomings of the central information system. Of the intelligence sources below, which should a security manager review that would allow them to remain proactive in understanding the types of threats that face their company?
A.Vulnerability feeds B.Trusted automated exchange of indicator information C.Structured threat information expression D.Industry information-sharing and collaboration groups D.Industry information-sharing and collaboration groups (A) Vulnerability feeds only show software/hardware vulnerabilities. Nothing about their human targets. (B) TAXII is a protocol for transferring Cyber Threat Intelligence from a server to a client. (C) STIX - Structured method of describing cyber security threats in a consistent manner. While it helps logically organize information, it isn't a source of sharing information. (D) ISAC - Industry-specific groups for sharing threat information (for example aviation or financial businesses) From the options below, what type of threat actor would be described as highly skilled and well coordinated? A.Shadow IT B.A hacktivist C.An advanced persistent threat D.An insider threat C.An advanced persistent threat Due to a supply shortage over the summer, not all of the company campus was upgraded with the new and faster wireless access points. While the company is waiting for more to come in, a security analyst has grown concerned that employees might bring in their own access points without permission. What type of threat is the security analyst concerned about? A.Hacktivist B.Shadow IT C.White-hat D.A script kiddie E.APT B.Shadow IT A public announcement is made about a newly discovered, rapidly spreading virus. The security team immediately updates and applies all its antivirus signatures. The security manager contacts the antivirus vendor support team to ask why one of the systems was infected. The vendor support team explains that the signature update is not available for this virus yet. Which of the following best describes the situation?
A. Race condition B. End of life C. Zero day D. Integer overflow
C. Zero day

How could you tell from the results of a vulnerability scan if the scanner had been provided valid credentials relevant to the target it was scanning? A. The scan identified expired SSL certificates B. The scan produced a list of vulnerabilities on the target host C. The scan enumerated software versions of installed programs D. The scan results show open ports, protocols, and services exposed on the target host
C. The scan enumerated software versions of installed programs
A vulnerability scanner should NOT be able to see software versions of installed programs unless it has valid credentials and can log into the device it is scanning.

A security expert is looking through logs for a specific IoC (Indicator of Compromise) that they read about online. What are they doing? A. A packet capture B. A user behavior analysis C. Threat hunting D. Credentialed vulnerability scanning
C. Threat hunting

After a security assessment is concluded, what benefit does the CVSS score provide to a company on the list of discovered vulnerabilities? A. Validate the vulnerability exists in the organization's network through penetration testing. B. Research the appropriate mitigation techniques in a vulnerability database. C. Find the software patches that are required to mitigate a vulnerability. D. Prioritize remediation of vulnerabilities based on the possible impact.
D. Prioritize remediation of vulnerabilities based on the possible impact.

Which of the following tools should be utilized to review a 1GB pcap? A. Nmap B. cURL C. Netcat D. Wireshark
D. Wireshark
Pcap = packet capture. Wireshark, a protocol analyzer, would be an ideal tool for this!

Which of the following pen-test teams would mimic the tactics used by hackers? A. Red team B. White team C. Blue team D. Purple team
A. Red team

Which of the following would best describe the severity of a company's vulnerabilities?
A. CVSS B. SIEM C. CVE D. SOAR
A. CVSS
- The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
- CVE is a list of entries, each containing an identification number, a description, and at least one public reference, for publicly known cybersecurity vulnerabilities.
- SIEM (Security Information and Event Management) is a service/software that gathers network and application logs in real time and analyzes them, giving security experts the ability to better monitor and analyze attacks/threats.
- Sometimes running alongside the SIEM or built into it, SOAR (Security Orchestration, Automation, and Response) was designed to automate and improve response time when a SIEM detects a threat/anomaly on the network. Sometimes referred to as a Next Generation SIEM.

You are concerned with servers running outdated applications. Which command would work BEST to help identify potential vulnerabilities? A. hping3 -S comptia.org -p 80 B. nc -1 -v comptia.org -p 80 C. nmap comptia.org -p 80 -sV D. nslookup -port=80 comptia.org
C. nmap comptia.org -p 80 -sV
Since no vulnerability scanners are listed (Nessus or OpenVAS, for example), Nmap is our next best choice (as a scanning tool it has basic vulnerability scanning).

An investigation has revealed that the worm gained access to the company SQL server using well-known credentials. It then spread throughout the network and managed to infect over a dozen systems before it was contained. What is the best preventative measure the company could take to prevent this from happening again? A. Air gap the SQL server from the network B. Block all remote access services on the network gateway C. Establish routine backups for all company servers D. Change the default application password
D. Change the default application password
"Well-known credentials" indicates we have a common/predictable/default password on our hands.
We should change that password ASAP and then deploy IPS/antimalware tools.

Which one of the tools below could be used to find out if the corporate server is running unnecessary services? A. Nmap B. DNSEnum C. Wireshark D. Autopsy
A. Nmap
- Nmap, short for network mapper, is capable of port scanning the network and determining what services are running on any hosts that are detected.
- Wireshark is a protocol analyzer and packet sniffer that is used for gathering, sorting, and analyzing traffic from a network.
- Autopsy is a tool for performing data forensics.

After reading the user manual for a specific brand of security camera, a hacker was able to log in and disable the cameras on the company's campus. What describes the configuration that the hacker took advantage of? A. Open permissions B. Default settings C. Unsecure protocols D. Weak encryption
B. Default settings
If the hacker figured out how to access (log in) and disable the cameras just from reading the manual, it is likely that there is a default password on the camera that was never changed.

Sales employees regularly utilize the same fantasy football website as other sales associates working for other companies. Which of the following attacks is the highest concern in this scenario? A. Watering-hole attack B. Credential harvesting C. Hybrid warfare D. Pharming
A. Watering-hole attack

An employee received a text message (SMS) on their phone that asked them to confirm their social security number and date of birth. Of the options below, what best describes what this employee has experienced? A. Smishing B. SPIM C. Vishing D. Spear phishing
A. Smishing
- Smishing is text/instant message (SMS) phishing.
- SPIM is text/instant message spam.
- Vishing is VOIP (voice) phishing. It requires someone to call you.
- Spear phishing is a phishing attack that targets a specific individual or group.

An admin sees several employees all simultaneously downloading files with the .tar.gz extension.
The employees say they did not initiate any of the downloads. A closer examination of the files reveals they are PE32 files. Another admin discovers all of the employees clicked on an external email containing an infected MHT file with an href link at least two weeks prior. Which of the following is MOST likely occurring? A. A RAT was installed and is transferring additional exploit tools. B. The workstations are beaconing to a command-and-control server. C. A logic bomb was executed and is responsible for the data transfers. D. A fileless virus is spreading in the local network environment.
C. A logic bomb was executed and is responsible for the data transfers.
The two-week delay suggests a logic bomb!

Emily has received a suspicious email that claims she won a multi-million dollar sweepstake. The email instructs her to reply with her full name, birthdate, and home address so her identity can be validated before she is given the prize. What best describes this type of social engineering attack? A. Vishing B. Phishing C. Whaling D. Spear phishing
B. Phishing

The company's Chief Financial Officer received an email from a branch office manager who claims to have lost their company credit cards. They are requesting $12,000 be sent to a private bank account to cover various business expenses. What type of social engineering attack does this best illustrate? A. Pharming B. Phishing C. Typo squatting D. Whaling
D. Whaling
Whaling: a form of spear phishing where the target is upper management.

After a ransomware attack, you need to review a cryptocurrency transaction made by the victim. Which of the following would you MOST likely review to trace this transaction? A. The public ledger B. The NetFlow data C. A checksum D. The event log
A. The public ledger
“Blockchain is a concept in which an expanding list of transactional records is secured using cryptography. The blockchain is recorded in a public ledger.
This ledger does not exist as an individual file on a single computer; rather, one of the most important characteristics of a blockchain is that it is decentralized. The ledger is distributed across a peer-to-peer (P2P) network in order to mitigate the risks associated with having a single point of failure or compromise. Blockchain users can therefore trust each other equally.” Page 121

A penetration tester has found a domain controller using 3DES to encrypt authentication messages. What problem has the penetration tester identified? A. Unsecure protocols B. Default settings C. Open permissions D. Weak encryption
D. Weak encryption

Which of the following would MOST likely support the integrity of a banking application? A. Perfect forward secrecy B. Transport Layer Security C. Blockchain D. Asymmetric encryption
C. Blockchain
(A) and (B) are designed to support confidentiality, while (C) BLOCKCHAIN is specifically used for integrity management through encryption. (D) can be used for integrity management, but not without the addition of hashing, which creates a process known as signing.
More about blockchain: A blockchain is a growing list of records, called blocks, that are linked using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. By design, a blockchain is resistant to modification of its data. This is because once recorded, the data in any given block cannot be altered retroactively without alteration of all subsequent blocks.

An employee typically uses SSH to connect to and configure a remote server. Today they got this message:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
WARNING: REMOTE HOST ID HAS CHANGED!
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The fingerprint for the RSA key sent by the host is SHA: 1B8104A05A243CEE3776A81BDE2EC7DAA990D0A5.
Host key verification failed. Please contact your admin.
What network attack is the employee most likely experiencing?
A. Evil twin B. ARP poisoning C. Man-in-the-middle D. MAC cloning
C. Man-in-the-middle
The remote device we are attempting to connect to does not have the proper SSH key. We are likely talking to a man-in-the-middle (MitM) who is impersonating our intended destination.

A data breach was discovered after a company's usernames and passwords were posted to a hacker website. Afterwards, an analyst discovered the company stored credentials in plain text. Which of the following would help mitigate this type of breach in the future? A. Create DLP controls that prevent documents from leaving the network. B. Implement salting and hashing. C. Configure the web content filter to block access to the forum. D. Increase password complexity requirements.
B. Implement salting and hashing.

Of the options below, which one would typically utilize steganography? A. Blockchain B. Integrity C. Non-repudiation D. Obfuscation
D. Obfuscation
Steganography is a technique/art that involves obscuring or hiding a message in plain sight.

A company would like to get one SSL certificate that can cover both of their application servers, ftp.example.com and www.example.com. Furthermore, this certificate should be able to cover any future application servers that the company may add with a similar naming convention, such as smtp.example.com. What type of SSL certificate would best fit their needs? A. Self-signed B. SAN C. Wildcard D. Extended validation
C. Wildcard
*.example.com. A wildcard certificate is capable of being used by, and protecting, several servers so long as the domain and top-level domain are matching.

A server certificate needs to be generated to be used for 802.1X. Which of the following is the FIRST step that will most likely accomplish this task? A. Create an OCSP. B. Generate a CSR. C. Create a CRL. D. Generate a .pfx file.
B. Generate a CSR.

An admin wanted to better understand their company's security posture from an outsider's perspective. Examine the information they gathered below.
What is true based on the admin's findings? (pick two) A. They used Whois to produce this output B. They used cURL to produce this output C. They used Wireshark to produce this output. D. The organization has adequate information in public registration. E. The organization has too much information available in public registration. F. The organization has too little information available in the public registration.
This is output from a Whois search. Contact information (phone number, email, address of registrant) should not be stored in the Whois as per the GDPR.
A. They used Whois to produce this output
E. The organization has too much information available in public registration.

After entering a password, a user is asked to enter an authentication code. What type of MFA factors are being used in this scenario? (pick two) A. Something you know B. Something you have C. Somewhere you are D. Someone you know E. Something you are F. Something you can do
A. Something you know
B. Something you have

HD cameras located throughout the airport are going to be used to track passengers without requiring them to enroll in a biometric system. Of the biometric options below, what would be suitable for this advanced security tracking system? (pick two) A. Voice B. Vein C. Facial D. Gait E. Fingerprint F. Retina
Without enrollment, the only things the cameras could reasonably use would be facial recognition and gait (how someone walks, or the distance between their steps).
C. Facial
D. Gait

An admin logs into the domain controller and finds the following information: Based on the evidence gathered, what best describes this attack? A. Brute-force B. Spraying C. Keylogger D. Credential harvesting
It looks like a hacker is trying to gain access to one of the accounts listed below. Password spraying is a safe assumption. See the notes for more explanation.
B. Spraying
PASSWORD SPRAYING:
Step 1: Acquire a list of usernames. This part can be difficult.
Step 2: Try common passwords with each of the user accounts. This part is very easy.
Step 3: Gain access, assuming you don't get caught!
Pg 159 in student guide.

The company wants to deploy MFA on desktops in the main office. They have specified that the MFA solution must be non-disruptive and as user friendly as possible. Which of the options below would be best considering these conditions? A. One-time passwords B. Email tokens C. Push notifications D. Hardware authentication
The most user-friendly option would be hardware authentication. If the hardware provides authentication on its own through a certificate or token, it will not require any extra steps for the end user. All of the other options require a user to get a PIN number and enter it in addition to a password.
D. Hardware authentication

The data center is currently protected by two-factor authentication that includes a fingerprint scanner and a PIN number. What item could be added to this preexisting system to allow for three-factor authentication? A. Date of birth B. Password C. TPM D. Smart card E. Iris scan
D. Smart card
We already have fingerprint (something you are) and PIN number (something you know). We need to find something from a different category, such as something you have!

What attack best describes the logs below? A. Brute-force B. Spraying C. Dictionary D. Rainbow table
B. Spraying

Given the following output on an attacker's system:
Status : Cracked
Hash.Type : SHA-1
Hash.Target : e653c7526c3a40b47943710427dabaee71ec2267
Time.Started : Tuesday, April 21 1:45:12 2020
Progress : 26845159 / 450365879 (5.96%) hashes
Time.Stopped : Tuesday, April 21 1:47:53 2020
Password found : Str0ngP@ssword1!
Which of the following BEST describes the type of password attack the attacker is performing? A. Dictionary B. Pass-the-hash C. Brute-force D. Password spraying
A. Dictionary
A password that long broken in a few minutes? Must be a dictionary attack; brute-force attacks could take years to crack passwords of that length.
You enter a username and password and then must draw a gesture on a touch screen. Which of the following answers best describes what you are doing? A. Multifactor authentication B. Something you can do C. Biometrics D. Two-factor authentication
Very bad question. All bad answers, but while a specific gesture is "something you know", we have to assume that isn't the answer because it isn't an option, and the same goes for this being only single factor. If you argue that B applies to a gesture lock, then combining the gesture with the username and password makes two factors of authentication. This feels like a logic puzzle more than a question, but sometimes that's just what you get.
D. Two-factor authentication

You are configuring a vulnerability scanner for a multinational organization. You are required by contract to scan systems on a weekly basis with admin privileges, but are concerned that hackers could gain access to the account and pivot throughout the company's networks. Which of the following BEST addresses this concern? A. Create different accounts for each region, each configured with push MFA notifications. B. Create one global administrator account and enforce Kerberos authentication. C. Create different accounts for each region, limit their logon times, and alert on risky logins. D. Create a guest account for each region, remember the last ten passwords, and block password reuse.
C. Create different accounts for each region, limit their logon times, and alert on risky logins.

An attacker used a keylogger to remotely monitor a user's input, thereby harvesting important credentials. What would best mitigate or prevent this threat in the future?
A. Change default passwords B. Update cryptographic protocols C. Implement 2FA using push notifications D. Force password resets for compromised accounts E. Enforce complexity requirements through group policy
With 2FA (two-factor authentication), the attacker can get our password (something you know) with a keylogger, as described above, but will not be able to access the system without the PIN number from the push notification (something you have).
C. Implement 2FA using push notifications

Which of the access control mechanisms listed below uses classification labels? A. Mandatory B. Role-based C. Rule-based D. Discretionary
In the MAC (mandatory access control) model:
• Subjects (users/applications) are granted clearance tags/labels.
• Objects (files/folders/etc.) are given classification tags/labels.
If you have, for example, secret clearance, you are permitted within the MAC model to see secret, confidential, and any other classifications considered to be beneath secret. You cannot see any files with classifications above your clearance level, such as top secret.
A. Mandatory

A professor recently left their position at university A to take a job at a rival college, university B. A few months after the professor officially departed, a security analyst at university A noticed that the former professor had logged into a department server and deleted several important file shares. Of the security practices listed below, what should have been performed to prevent the important files from being deleted? A. Non-disclosure agreement B. Offboarding C. An acceptable use policy D. Least privilege
B. Offboarding

The CEO would like employees to be able to work from home in the event of a disaster. However, they are concerned that staff might attempt to work from high-risk countries or outsource their work if given the ability to work remotely. What controls could best mitigate the CEO's concerns?
(pick two) A. Geolocation B. Time-of-day restrictions C. Certificates D. Tokens E. Geotagging F. Role-based access controls
A. Geolocation
B. Time-of-day restrictions

A company's Chief Information Officer (CIO) is meeting with the Chief Information Security Officer (CISO) to plan some activities to enhance the skill levels of the company's developers. Which of the following would be MOST suitable for training the developers? A. A capture-the-flag competition B. A phishing simulation C. Physical security training D. Basic awareness training
Capture the Flag (CTF) is usually used in ethical hacker training programs and gamified competitions. Participants must complete a series of challenges within a virtualized computing environment to discover a flag. The flag will represent either threat actor activity (for blue team exercises) or a vulnerability (for red team exercises). None of the other options would enhance the “SKILL LEVELS” of the developers.
A. A capture-the-flag competition

Of the access control schemes below, which one allows an owner to determine an object's access policies? A. Role-based B. Attribute-based C. Mandatory D. Discretionary
D. Discretionary

A company needs to detect single points of failure in their security systems. Which of the following policies or concepts would assist them in this endeavor? A. Mandatory vacation B. Separation of duties C. Awareness training D. Least privilege
Separation of duties would allow at least one other individual to identify a flaw in a process, especially when considering the risk from an insider threat. To resolve SPoFs with personnel, use job rotation.
B. Separation of duties

After many passwords were leaked to the dark web, an admin has decided everyone must change their password at next login. What should the admin consider to minimize the likelihood that accounts are compromised again after the reset is issued?
A. A geofencing policy based on logon history B. Encrypted credentials in transit C. Account lockout after three failed attempts D. A password reuse policy
If the passwords have been leaked, we don’t want anyone to REUSE the same password when they are prompted to change them!
D. A password reuse policy

What could be used to allow for secure authentication to cloud services and third-party websites without the need to send a password? A. SSO B. PAP C. OAuth D. SAML
PAP, typically used with point-to-point serial connections, sends your password as plaintext. OAuth is typically used for sending authorizations from one web service/cloud server to another, but doesn’t typically handle authentication. SAML is an XML-based format used to exchange authentication information and thereby achieve identity federation (SSO). It doesn’t actually send your password from one system to another in the process. Instead, it tokenizes credentials across multiple parties.
D. SAML

A manager has decided that outsiders and corporate partners visiting the company campus need to sign a digital AUP before they will be allowed to access the isolated and complimentary guest WiFi. What would a technician utilize to facilitate the manager's decision? A. Implement open PSK on the APs B. Install a captive portal C. Deploy a WAF D. Configure WIPS on the APs
A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources.
B. Install a captive portal

Employee tablets and phones have been losing WiFi connectivity in specific places within the sales offices. What should a network technician use to determine the source of the problem? (pick two) A. Perform a site survey B. Install a captive portal C. Deploy an FTK imager D. Upgrade the security protocols E. Create a heat map F. Scan for rogue access points
It sounds like we have a problem with interference, or employees are walking out of range.
Perform a site survey to figure out where the access points are located, what the building is made of, and which frequencies are in use. Then, create a heat map that details where the signal is strong versus where it is the weakest. We may need to change antennas, adjust the signal strength, use a different channel/frequency, or get a few more access points. FTK = Forensic Toolkit; FTK Imager is used to quickly assess electronic evidence.
A. Perform a site survey
E. Create a heat map

After returning from an overseas trip with a company laptop, an employee is unable to establish a VPN on the laptop in the home office. What is the most likely explanation for why they are unable to establish a VPN connection? A. Due to foreign travel, the user's laptop was isolated from the network. B. The user's laptop was quarantined because it missed the latest patch update. C. The VPN client was blacklisted. D. The user's account was put on a legal hold.
It is very likely that there was a policy in place where the laptop must be scanned or checked back in before it can resume using the VPN service. This type of policy is not unusual, and it may be described as a host health check. (B) is also a possibility, but it seems less likely than (A).
A. Due to foreign travel, the user’s laptop was isolated from the network.

After connecting the laptop to the company's SSID, an employee was prompted to enter their username and password into a popup web browser. This had never happened before, but they entered their credentials anyway. Later that day they noticed they were unable to access any of the company servers and unusual transactions were appearing on their credit card. What attack is most likely being described in this scenario? A. Rogue access point B. Evil twin C. DNS poisoning D. ARP poisoning
B. Evil twin

An organization is worried that the SCADA network that controls the environmental systems could be compromised if the staff's WiFi network were breached.
What would be the best option to mitigate this threat? A. Install a smart meter on the staff WiFi. B. Place the environmental systems in the same DHCP scope as the staff WiFi. C. Implement Zigbee on the staff WiFi access points. D. Segment the staff WiFi network from the environmental systems network.
We should isolate/separate/segment those networks!
D. Segment the staff WiFi network from the environmental systems network.

A technician needs to create a detailed diagram that shows where all of the company access points are located in the office. What would be the best method for creating this diagram? A. Footprinting B. White-box testing C. A drone/UAV D. Pivoting
A site survey would be a great answer. Unfortunately, footprinting is the best that we have available to us.
A. Footprinting

A company has maintained highly detailed records of all of their authorized network devices and is planning to use WiFi for all laptops that need network access. What would alleviate the risk of a script kiddie brute forcing a PSK on a wireless access point? A. BPDU guard B. WPA-EAP C. IP filtering D. A WIDS
If we have detailed records, let’s limit which devices can even use the APs by filtering the IP addresses. While a skilled hacker could easily get around this, a script kiddie probably couldn’t.
C. IP filtering

A webserver was recently overwhelmed by a sudden flood of SYN packets from multiple sources. Of the options below, which best describes this attack? A. Worm B. Botnet C. Virus D. RAT E. Logic bomb
To overwhelm a server with SYN packets we will need to utilize the combined bandwidth of a botnet. A botnet is a collection of compromised computers that act together in unison to perform a DDoS (Distributed Denial of Service). The individual computers are often called bots or zombies.
B. Botnet

An admin is deploying access points that will use PKI for authentication. What needs to be configured for this to work?
A. Captive portal B. WPS C. 802.1x D. PSK
Using PKI to authenticate to the access point will require an AAA system (a RADIUS or TACACS server must be on the network and configured properly). This process is described in the standard 802.1x, and is also referred to as “enterprise authentication”.
C. 802.1x

A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of a power surge or other similar situations. The switch was installed on a wired network in a local office and is monitored via a cloud application. The switch is already isolated on a separate VLAN and set up with a patching routine. Which of the following steps should also be taken to harden the smart switch? A. Set up an air gap for the switch. B. Change the default password for the switch. C. Place the switch in a Faraday cage. D. Install a cable lock on the switch.
Air gapping the device could cut it off from the cloud application, the question doesn’t mention wireless so a Faraday cage won’t help, and a cable lock will only help prevent physical theft, which doesn’t appear to be our main concern. That leaves us with (B).
B. Change the default password for the switch.

A user is having problems accessing network shares. An admin investigates and finds the following on the user's computer: What attack has been performed on this computer? A. Directory traversal B. Pass-the-hash C. MAC flood D. ARP poisoning E. IP conflict F. DHCP starvation attack
Two different devices shouldn’t have the same MAC address. Since these are dynamically learned ARP entries, it is reasonable to believe this was ARP poisoning. Device .1 is probably the default gateway and device .11 is the MitM.
D. ARP poisoning

An admin is concerned that a threat actor may have breached the company network using a new and publicly available exploit. What should be checked first that would best inform the admin as to the order for future data forensics?
A. The vulnerability scan output B. The SIEM alerts C. The IDS logs D. The full packet capture data
We may have been compromised! Let’s check the vulnerability scanner and let that inform our future decisions relating to data forensics. The vulnerability scanner should give us the best look into our network’s security posture (level of vulnerability) and may also give us some clues (IoCs = indicators of compromise).
A. The vulnerability scan output

Of the options below, when would it be the best time to use a detective control instead of a preventative control? A. A company implemented a network load balancer to ensure 99.999% availability of its web application. B. A company designed a backup solution to increase the chances of restoring services in case of a natural disaster. C. A company purchased an application-level firewall to isolate traffic between the accounting department and the information technology department. D. A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor, not block, any traffic.
All IPSs (intrusion prevention systems) can be set up to act as IDSs (intrusion detection systems).
D. A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor, not block, any traffic.

Several credit card numbers have been stolen and incident response has determined the following:
• All SSL encrypted traffic is sent through an inspection proxy at the edge of the company network
• Only the traffic going through the proxy was compromised
• Traffic that did not go through the proxy (the guest network) was not compromised
• The websites that employees used to make online purchases were not the cause of the compromise
What is the most likely cause of this compromise considering the facts above? A. HTTPS sessions are being downgraded to insecure cipher suites. B. The SSL inspection proxy is feeding events to a compromised SIEM.
C. The payment providers are insecurely processing credit card charges. D. The adversary has not yet established a presence on the guest WiFi network.
The only thing we know for sure is that the inspection proxy is integral to this issue. The only answer that involves the proxy is (B). Process of elimination is crucial when troubleshooting any problem, incident, or tricky test question!
B. The SSL inspection proxy is feeding events to a compromised SIEM.

A worm infected a computer, and then spread to the network's file shares. All preventative measures failed to block or detect the worm, and it has continued to evade detection. What could be used to protect the network from this elusive malware? A. Install a definition-based antivirus. B. Implement an IDS/IPS. C. Implement a heuristic behavior-detection solution. D. Implement CASB to protect the network shares.
Either the worm is a zero-day and there is no signature or patch for it, or the worm is polymorphic and thereby evading detection. Either way, it is time for an anomaly-based (heuristics/behavior) solution.
C. Implement a heuristic behavior-detection solution.

A large industrial HVAC system is set up to alert the maintenance company whenever there is a problem with the system. While performing a routine audit, an engineer notices that the HVAC system is sending IP packets to an internal file server's IP. While maintaining the alerting capabilities of the HVAC system, what mitigation effort should the engineer employ? A. Segmentation B. Firewall whitelisting C. Containment D. Isolation
A firewall could be used to force the HVAC system to communicate ONLY with the maintenance company, and not the internal file server. Segmentation is not a bad answer, but without knowing how we do the segmentation, it is a risky choice. Containment/isolation will cut the device off from the maintenance company, and we need to maintain the alerting capabilities.
B. Firewall whitelisting

Web server A is unreachable from the corporate branch office.
Review the stateful firewall below. Which of the options below would resolve the problem while ensuring the web traffic is secure? A.Add a rule "permit source 172.30.2.1/24 to destination 172.30.1.0/24, HTTP" B.Add a rule "permit source 172.30.3.0/24 to destination 172.30.2.1/24, HTTP" C.Add a rule "permit source 172.30.1.0/24 to destination 172.30.2.1/24, HTTP" D.Add a rule "permit source 172.30.2.1/24 to destination 172.30.1.0/24, HTTPS" E.Add a rule "permit source 172.30.3.0/24 to destination 172.30.2.1/24, HTTPS" F.Add a rule "permit source 172.30.1.0/24 to destination 172.30.2.1/24, HTTPS" (A), (B) and (C) are all insecure: they permit plaintext HTTP, and we want HTTPS. (D) is the wrong direction: the branch office must be the source and the web server the destination. (E) has the wrong source network. (F) is correct. No rule is needed for traffic from the web server back to the office, because a stateful firewall allows return traffic that belongs to a connection the new rule permitted. F.Add a rule "permit source 172.30.1.0/24 to destination 172.30.2.1/24, HTTPS"

Of the control types listed below, what best fits the description of a NIDS? A.Corrective B.Physical C.Administrative D.Detective NIDS = Network Intrusion Detection System; it detects and alerts, it does not prevent or correct. D.Detective

Which of the following is the most secure choice for MANAGING a Unix-based network device? A.SSH B.DNS C.SNMP D.Telnet E.HTTP SSH provides an encrypted remote command-line session to another device. It is still the standard way to manage UNIX systems and network devices, and it listens on TCP port 22. Telnet and HTTP send credentials and commands in the clear, SNMP (v1/v2c) authenticates with a plaintext community string, and DNS is not a management protocol at all. A.SSH

Countless websites have become unreachable for all the hosts on the network. A help-desk technician runs ipconfig /flushdns on all affected workstations, but the problem persists. The issue is escalated to a senior technician, who changes the configured DNS server on the affected hosts, and the problem is resolved. What problem is the original DNS server most likely suffering from?
A.DNS cache poisoning B.DNS tunneling C.Domain hijacking D.Distributed denial-of-service A. Flushing the workstation caches would not clear a poisoned cache on the server, but poisoning normally redirects names to attacker-chosen addresses rather than making every site unreachable, and the fact that switching resolvers fixed everything points at the server itself being unavailable. B. DNS tunneling is when an attacker uses DNS as a covert channel to exfiltrate data from the network; it does not stop resolution. C. Since many unrelated websites are affected, it is unlikely an attacker has hijacked all of their domains, and a hijack does not disable our server. D. The DNS server the hosts were originally using is unavailable; a DDoS against it would produce exactly these symptoms. D.Distributed denial-of-service

A computer on the company network was infected with malware, and the user says they have used the device for nothing but browsing the internet. They did not download anything or open any emails on the infected computer. Of the options below, what might help a technician find where the malware came from? A.The DNS logs B.The web server logs C.The SIP traffic logs D.The SNMP logs The DNS logs record every hostname the workstation resolved, so they show which websites the user visited. A.The DNS logs

What will help protect a company from phishing and spear-phishing attacks? A.DNSSEC and DMARC B.DNS query logging C.Exact mail exchanger records in the DNS D.The addition of DNS conditional forwarders From https://dmarc.org/: DMARC is a way to make it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn't. This makes it easier to identify spam and phishing messages, and keep them out of peoples' inboxes. DMARC builds on SPF and DKIM and publishes its policy as a DNS TXT record; DNSSEC signs the DNS data those checks depend on, so a forged answer cannot undermine them. A.DNSSEC and DMARC

What command would be used to create an SSH key pair using RSA? A.ssh-keygen -t rsa B.ssh -i ~/.ssh/id_rsa C.Ssh -new rsa 2048 D.Ssh -n -rsa The -t option selects the TYPE of key to create (rsa, ecdsa, ed25519). Option B uses an existing private key to connect; it does not create one. A.ssh-keygen -t rsa

A VPN connection needs to be configured from site A to site B while also providing the following: ·Integrity ·Encryption ·Authentication ·Anti-replay Which of the following should be enabled when configuring the VPN to meet the objectives above?
A.ESP B.DNSSEC C.AH D.EDR ESP (Encapsulating Security Payload) can provide all four requirements, while AH (Authentication Header) provides integrity, authentication and anti-replay but NOT encryption. DNSSEC signs DNS records and EDR stands for Endpoint Detection and Response; neither is a VPN component. A.ESP

After several corporate usernames and credentials were posted on the dark web, a security engineer began an investigation. They discovered that for eight hours last week the IP address for a vendor's website had been changed. Of the attacks below, which is the most likely considering the limited evidence? A.Man-in-the-middle B.Spear-phishing C.Evil twin D.DNS poisoning A temporarily altered name-to-address mapping, with credentials harvested while it lasted, is the signature of a poisoned DNS record. D.DNS poisoning

A manager is using their company laptop to connect to a public access point and remotely access company file shares. What would best be utilized in this situation to protect the laptop from other devices on the public network? (Pick two) A.Trusted Platform Module B.A Host-based firewall C.A DLP solution D.Full disk encryption E.A VPN F.Antivirus software A host-based firewall will stop unwanted traffic from reaching the laptop, while a VPN creates an encrypted tunnel to the corporate shares over the public Wi-Fi. B.A Host-based firewall E.A VPN

A security expert has identified the following:
•www.example.com is officially hosted at 172.16.99.99.
•Based on NetFlow records, there was a day when a single corporate DNS server resolved www.example.com to 172.31.50.50.
•At present all company DNS servers resolve www.example.com to 172.16.99.99.
Of the options below, what most likely occurred? A.A reverse proxy was used to redirect network traffic. B.An SSL strip MITM attack was performed. C.An attacker temporarily poisoned a name server. D.An ARP poisoning attack was successfully executed. Only one server gave the wrong answer, and only for a while: that is a poisoned cache on that one name server, not ARP poisoning (which works at layer 2 on the local segment) and not SSL stripping (which does not change addresses). C.An attacker temporarily poisoned a name server.

What command would be used to send a public SSH key to another host?
A.Copy-ssh ~/ssh/id_rsa/pub user@server B.chmod 644 ~/.ssh/id_rsa C.ssh-copy-id -i ~/.ssh/id_rsa.pub user@server D.chmod 777 ~/.ssh/authroized_keys chmod alters permissions on a file or directory. 644 means the owner has read and write while everyone else has read only; 777 means everyone can read, write and execute. Neither copies anything, and both would be wrong for SSH files anyway: a private key must be 600 (owner only) or the SSH client refuses to use it, and sshd ignores an authorized_keys file that other users can write to. C.ssh-copy-id -i ~/.ssh/id_rsa.pub user@server (this appends the public key to ~/.ssh/authorized_keys on the remote server)

An admin performing a routine audit at the company found that a network appliance with an embedded OS is potentially vulnerable to compromise. Looking back at the company records, the admin notices that this same piece of hardware was identified as vulnerable during the last three audits. What best explains the appliance's vulnerable state? A.The appliance requires administrative credentials for the assessment. B.The vendor has not supplied a patch for the appliance. C.The device uses weak encryption ciphers. D.The system was configured with weak default security settings. The question should be read as "why hasn't anyone fixed this thing?" Either the company is negligent or there is no patch for this particular system (answer B). Embedded appliances are patched by the vendor, not by the admin. B.The vendor has not supplied a patch for the appliance.

While minimizing inconvenience for employees, what would protect a corporate laptop's HDD from possible data theft? A.HSM B.TPM C.SED D.DLP Since they specified the HDD (hard disk drive), a SED is a better answer than DLP. HSM = Hardware Security Module, an add-on device plugged into a computer to perform crypto operations and generate/store keys. TPM = Trusted Platform Module, a small fixed-function chip on the motherboard that stores keys and platform measurements; it is not a general-purpose crypto accelerator like an HSM, and it cannot be removed. A thief would have to take the entire motherboard to get the keys! SED = Self-Encrypting Drive, a drive whose controller encrypts everything written to it; it is faster than software full-disk encryption (BitLocker, for example) and transparent to the user once unlocked.
DLP = Data Loss Prevention, used to protect data from theft while in motion, at rest, or in use. C.SED

A worm spread rapidly through a company's network, infecting dozens of host machines before it was detected. What would be the best approach to preventing this from happening again? A.Segment the network with firewalls B.Install a NIDS device at the boundary C.Implement application blacklisting D.Update all antivirus signatures daily There is no mention of this worm being polymorphic, so signature-based antimalware tools would be very effective at stopping it, assuming they are updated regularly. We don't know the topology of this network or what port the worm used to spread, so it is hard to tell if segmentation with firewalls is even possible or useful. (D) is the best answer, and (A) is the runner-up. D.Update all antivirus signatures daily

A company is concerned about custom/targeted malware being injected into their IT systems via USB sticks or email. Of the options below, what is the company's best course of action to mitigate this specific threat? A.Configure signature-based antivirus to update every 30 minutes B.Fuzzing new files for vulnerabilities if they are not digitally signed C.Implement application execution in a sandbox for unknown software D.Enforcing S/MIME for email and automatically encrypting USB drives upon insertion (A) Signature-based antivirus will not stop CUSTOM malware, which has no signature yet. (B) Fuzzing is used to test input validation and will not help here. (C) A reasonable answer: any unknown application is run in an isolated sandbox first. (D) Encrypting the drives does not stop the malware on them from running. C.Implement application execution in a sandbox for unknown software

A document that appears to be malicious has been discovered in an email that was sent to a company's Chief Financial Officer (CFO).
Which of the following would be BEST to allow a security analyst to gather and confirm it is a malicious document without executing any code it may contain? A.Open the document on an air-gapped network. B.View the document's metadata for origin clues. C.Search for matching file hashes on malware websites. D.Detonate the document in an analysis sandbox. Detonating the file in a sandbox would let you analyze its behavior in a controlled environment, which makes (D) tempting. But the question specifically rules out executing any code, so (C) is the answer: looking up the file's hash on a malware-intelligence site runs nothing (it only helps if the sample is already known, which is why a hash lookup is the first step, not the last). C.Search for matching file hashes on malware websites.

You are responsible for emailing company employees their benefits and tax information. After sending an email to a new employee you receive back the following email: "Your email message was quarantined. Violation: PII. Please contact IT." Which of the following most likely generated the email found above? A.S/MIME B.DLP C.IMAP D.HIDS DLP (data loss/leak prevention) software detects potential data breaches or exfiltration and prevents them by monitoring, detecting and blocking sensitive data while in use, in motion, and at rest. The email contained PII (personally identifiable information), and the DLP software put in place by the IT department quarantined it. S/MIME is a standard for signing and encrypting emails. IMAP is a protocol for accessing and managing emails stored on a mail server. A HIDS detects suspicious activity on a single host. B.DLP

An organization needs their future internet service provider to commit to a specific timeframe in the event of a significant service outage. What document would be used to enforce this with the service provider? A.MOU B.MTTR C.SLA D.NDA An SLA (service level agreement) is the contractual commitment; MTTR is a metric that might appear in it, an MOU is non-binding, and an NDA covers confidentiality. C.SLA

What control could be used to detect when a mobile device is about to leave the company premises?
A.Geotargeting B.Geolocation C.Geotagging D.Geofencing Geofencing refers to accepting or rejecting access requests based on location. Geofencing can also be used to send an alert when a device enters or leaves a defined area. Geotagging refers to recording the GPS location in the metadata of a file when it is created on a mobile device. D.Geofencing

Before entering a high-security environment, all guests must put their phone in a metal lockbox and leave it outside of the lab. Which risk inspired the creation of this policy? A.The theft of portable electronic devices B.Geotagging in the metadata of images C.Bluesnarfing of mobile devices D.Data exfiltration over a mobile hotspot Metal boxes? Sounds like a Faraday cage. The company is worried about someone using a wireless technology (like a hotspot) to exfiltrate data. The metal lockbox blocks the radio signals, thereby mitigating the risk. D.Data exfiltration over a mobile hotspot

One of your employees wants to access sensitive data from a corporate-owned mobile device. Personal data is not allowed on the device. Which of the following MDM configurations must be considered when the engineer travels for business? A.Screen locks B.Application management C.Geofencing D.Containerization Containerization protects portions of a device and controls how data can be transferred into and out of that container. This also determines how an employee can write data to their phone, such as personal data. P. 353 While geofencing is a tempting answer, it doesn't address the overall concern of personal data while an employee uses the phone, only what happens when they take it outside the boundaries of the fence. D.Containerization

A company has decided to adopt the CYOD (choose your own device) deployment model, where the company allows the employee to choose from a range of cellular devices. Considering this deployment model, what should the security team consider before the phones are deployed?
A.The most common set of MDM configurations will become the effective set of enterprise mobile security controls. B.All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the chosen architecture may unnecessarily expose private keys to adversaries. C.Certain devices are inherently less secure than others, so compensatory controls will be needed to address the delta between device vendors. D.MDMs typically will not support heterogeneous deployment environments, so multiple MDMs will need to be installed and configured. Different phones will have different security postures, features, and control mechanisms. Some may require compensatory controls. C.Certain devices are inherently less secure than others, so compensatory controls will be needed to address the delta between device vendors.

Which would be best in balancing a newly adopted BYOD culture while also protecting company secrets? A.Containerization B.Geofencing C.Full-disk encryption D.Remote wipe A container keeps corporate data and apps separate from the employee's personal side of the device, which is the whole BYOD problem; remote wipe and full-disk encryption would affect the employee's personal data too. A.Containerization

A popular manufacturer of network hardware releases a CVE (Common Vulnerabilities and Exposures entry) that describes a weakness in the latest OS patch for their routers. This vulnerability allows attackers to exhaust resources in the SIP service, which causes the routers to restart. What type of attack is being described? (pick two) A.DoS B.SSL stripping C.Memory leak D.Race condition E.Shimming F.Refactoring Forcing devices to restart through resource exhaustion? There are many ways to exhaust resources, but the classic example is a memory leak. A. Denial of Service, an attack that causes a system or service to be temporarily or permanently unavailable. B. An exploit that downgrades an SSL/TLS-encrypted connection to a non-encrypted one. C. An attack that causes a device to run out of memory (resource exhaustion), which typically leads to a crash (DoS) or other instability. D.
An undesirable situation that occurs when a device or system attempts to perform two operations at the same time, but because of the nature of the device/system the operations must be done in the proper sequence to be done correctly. Can cause a DoS or other instability. E. Shimming: inserting a small library (shim) that transparently intercepts API calls and changes the arguments passed, handles the operation itself, or redirects the operation elsewhere. F. Refactoring: creating or modifying a DLL, driver, or API so that an application performs a malicious or unexpected function. A.DoS C.Memory leak

A designer is building a new database for the company. What could they implement to improve the efficiency and accuracy of the future database? A.Obfuscation B.Normalization C.Data masking D.Tokenization Database normalization organizes tables and their relationships so that each fact is stored once; removing redundant copies saves space (efficiency) and prevents the update and deletion anomalies that let copies drift apart (accuracy). Input normalization, converting submitted strings to a canonical form before validating them, is a different use of the word. B.Normalization

A RAT was used to compromise a manager's computer and steal the password to the corporate bank account. Forensics revealed that the manager's account had permission to install software and that the RAT was installed by clicking on an email attachment. What would prevent this from recurring, to them or to someone else? A.Create a new acceptable use policy. B.Segment the network into trusted and untrusted zones. C.Enforce application whitelisting. D.Implement DLP at the network boundary. Application whitelisting blocks untrusted or unknown executables from running, regardless of who double-clicked them. C.Enforce application whitelisting.

A corporate partner has been assisting in the development of several SaaS products. The past three projects they completed lacked input validation and contained several other vulnerabilities. What should be done to find these weaknesses before the software is released? A.Limit the use of third-party libraries. B.Prevent data exposure queries.
C.Obfuscate the source code. D.Submit the application to QA before releasing it. (A), (B) and (C) will not detect vulnerabilities, while (D), submitting to Quality Assurance, can, so long as QA is instructed to test for them. D.Submit the application to QA before releasing it.

Before a new application can be sent to the production environment, a developer needs to perform the following:
•code-execution testing
•black-box testing
•non-functional testing
What best describes the series of tasks the developer needs to perform? A.Verification B.Validation C.Normalization D.Staging Non-functional testing is focused on the user experience and performance of the software. All of these would be performed as part of staging, in a staging environment. Staging environments are built to mimic the real production environment. Fuzzing and stress testing would also be done there. D.Staging

Which is the BEST way to deploy software patches? A.Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production systems. B.Test the patches in a staging environment, develop against them in the development environment, and then apply them to the production systems. C.Test the patches in a test environment, apply them to the production systems, and then apply them to a staging environment. D.Apply the patches to the production systems, apply them in a staging environment, and then test all of them in a testing environment. First apply the patches in the testing environment, then in staging, and finally in production. Development -> Testing -> Staging -> Production A.Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production systems.

During an investigation, the following is found in a web server's logs: GET http://somesite.com/../../../../etc/shadow Which attack is most likely shown above?
A.SQL injection B.Cross-site scripting C.Pass-the-hash D.Directory traversal The repeated ../ segments are an attempt to climb out of the web root and read the system's password-hash file. D.Directory traversal

A security audit has revealed that a system is vulnerable to malicious users installing and running applications on the system. The system is beyond end-of-life support, so it is placed on a protected network segment until it can be upgraded. Which technology would most effectively protect the vulnerable system? A.DNS sinkhole B.DLP rules on the terminal C.An IP blacklist D.Application whitelisting Only approved executables may run, so even if a user manages to install something, it will not execute. D.Application whitelisting

Which of the following best represents a directory traversal? A.http://website.com/products/../../..etc/shadow B.http://website.com/robert');+drop+table+users;-- http://redirect.wibsite.url.website.com/malicious-dns-redirect (B) is SQL injection and the third URL is a lookalike/redirect domain. A.http://website.com/products/../../..etc/shadow

Of the options below, which attack could potentially have the worst impact on an unpatched PLC (programmable logic controller) running a LAMP server that is accessible via HTTP? (pick two) A.Cross-site scripting B.Data exfiltration C.Poor system logging D.Weak encryption E.SQL injection F.Server-side request forgery LAMP (Linux, Apache, MySQL, PHP/Perl/Python) is a very common web service stack, named after its four original components: the Linux operating system, the Apache HTTP Server, the MySQL relational database management system (RDBMS), and the PHP programming language. Code being injected into the web page, or into the SQL database, will be the most impactful thing that could happen to the device itself. Everything else is an inconvenience or a privacy issue that would not significantly impact the device, though it could harm the business. A.Cross-site scripting E.SQL injection

An insider at an application development company embedded a backdoor in an application, allowing them to bypass standard account login mechanisms on any computer running this app. What would be the best measure for the company to take to prevent this in the future?
A.Conduct code review B.Implement application fuzzing C.Implement 2FA using TOTP D.Change the default application password If an insider has inserted a backdoor into the application, we need a mechanism that can catch that kind of change before release, and peer code review (answer A) is it. Fuzzing tests input handling, so (B) is wrong. TOTP (time-based one-time password, answer C) and changing the default password (answer D) would not detect a backdoor either. A.Conduct code review

Users are having trouble accessing the internet and file shares on remote servers. A technician observes the following on the edge router:
CPU UTILIZATION 0% - last checked 5 minutes ago
5 minutes, average 10%
1 minute, average, 95%
1 second, average, 99%
What is the problem with the edge router? A.DDoS attack B.Memory leak C.Buffer overflow D.Resource exhaustion The load is spiking right now: the five-minute average is low, but the one-minute and one-second averages are in the high 90s. The router's CPU simply cannot handle any more traffic; that is resource exhaustion. Nothing in the output says where the traffic comes from, so a DDoS is a guess, and the counters are CPU, not memory. D.Resource exhaustion

Several team members are collaborating on the same project. They bring their code together with an automation tool that also ensures that it is validated (tested) and tracked through version control. Of the options below, what most accurately describes this process? A.Continuous monitoring B.Continuous validation C.Continuous integration D.Continuous delivery The word "validate" is there to throw you off. Continuous validation has to do with compliance and design goals. Continuous integration is about multiple developers merging their work frequently, with automated builds and tests on every merge. a. Constant/automatic detection of security problems and service failures. b. Automatic compliance testing and frequent checks to ensure it meets design goals. c. Frequently merging changes, keeping track of changes/versions, and constant testing. d. Keeping every tested build in a releasable state so it can be deployed at any time.
C.Continuous integration

An admin is viewing the company website and sees the URL displayed below: http://security123.com/home/forum.php?sessionID=7261143 The admin copies the URL and sends it to a coworker, who then browses the website through the following URL: http://security123.com/home/forum.php?sessionID=9819813 Which of the following attacks is being tested? A.Pass-the-hash B.Cross-site request forgery C.Session replay D.Object dereference The session identifier is carried in the URL, so anyone who receives the link can present that ID and take over the session; trying it with a copied session ID is a session replay test. C.Session replay

A cloud storage server has been brought online that is intended to serve hospitals exclusively. Several hospitals, all owned by different entities, have begun using this highly secured cloud server. What type of cloud deployment model matches this type of server? A.Public B.Private C.Community D.Hybrid A community cloud is shared by a group of similar organizations with similar needs. In this example, it is a server built only to serve hospitals. C.Community

A cloud administrator is configuring five compute instances under the same subnet in a VPC. Which of the following must the administrator configure to meet this requirement? A.One security group B.Two security groups C.Three security groups D.Five security groups While each instance could have its own security group, a single security group can be attached to multiple instances, so the minimum requirement is one group. P. 426 A.One security group

A company lacks the personnel and expertise to secure their new cloud platform. Of the options below, which could best assist the company with their security needs? A.MSSP B.SOAR C.IaaS D.PaaS MSSP = Managed Security Service Provider, a third-party organization hired to manage another company's security. A.MSSP

An organization has a few servers with end-of-life software running on them. The OS is still receiving updates, but the software isn't, and it can't be migrated to any other system due to compatibility issues.
An admin has developed a resiliency plan that would allow the OS to be patched in a non-production environment, while also effortlessly making backups of the systems should recovery be necessary. What resiliency technique will best provide the services described above? A.Redundancy B.RAID 1+5 C.Virtual machines D.Full backups A long question that attempts to confuse you with excess information! It is describing the benefits of virtual machines: clone the VM to test the OS patch, and snapshot it for instant rollback. C.Virtual machines

You have been issued a smart card that provides physical access to a building as well as to thin clients on the network utilizing tokens. You see the same desktop each time you log in regardless of which thin client is used. Which technologies are responsible for these capabilities? (Pick Two) A.COPE B.VDI C.GPS D.TOTP E.RFID F.BYOD The building doors read the card's RFID chip, and the same desktop on every thin client is virtual desktop infrastructure. B.VDI E.RFID

A contractor working for the company updated several applications and plugins on the cloud platform, causing a massive outage. Of the options below, what would best prevent this from happening again? A.SWG B.CASB C.Automated failover D.Containerization SWG = Secure Web Gateway. It is a forward proxy that inspects and filters users' outbound web traffic. It can block scripting attacks and unwanted sites, but it is unlikely to stop an update from being applied to a cloud application. CASB = Cloud Access Security Broker. This is a broker that sits between users and cloud services, enforcing access control and policy per user and per action. Many CASBs include SWG functionality, and a CASB could block a contractor's account from updating an application or plugin. B.CASB

Of the cloud service models listed below, which would include storage, networking, and servers, but not applications? A.DaaS B.SaaS C.PaaS D.IaaS The three primary cloud SERVICE models: IaaS = Infrastructure as a Service (servers, storage, networking; you bring the OS and everything above it), PaaS = Platform as a Service (adds the OS, runtime and middleware; you bring the application), SaaS = Software as a Service (the finished application). DaaS = Desktop as a Service, VDI delivered through the cloud. D.IaaS

An organization is overwhelmed with the responsibilities tied to safely securing their new online store.
They are looking for a service provider to assist them in this endeavor. What would be the best option in this situation? A.SDP B.AAA C.IaaS D.MSSP E.Microservices D.MSSP

A company is worried about the complexities of managing hundreds of encryption keys in a multi-cloud environment. Of the options below, what would grant them centralized control and management over the keys, while also allowing the integration of preexisting keys? A.Trusted Platform Module B.IaaS C.HSMaaS D.PaaS E.Key Management Service HSMaaS = Hardware Security Module as a Service: a cloud provider hosts the HSMs that store and manage your encryption keys, and existing keys can be imported into them. C.HSMaaS

Which of the following describes the ability of code to target a hypervisor from inside a guest OS? A.Fog computing B.VM escape C.Software-defined networking D.Image forgery E.Container breakout B.VM escape

A company has developed their own SaaS product. They need a flexible and transparent management tool that grants them the ability to control and monitor who uses their product. What could meet the needs of this company for their new SaaS product? A.SIEM B.DLP C.CASB D.SWG CASB (Cloud Access Security Broker) is software or a service that sits between the end user and the cloud provider. Flexible management, security, access control... a CASB should be able to handle all of their needs. A SWG (secure web gateway, in effect a layer 7 proxy firewall for web traffic) is more limited in its functions and will not give them the flexibility, granular controls, and transparency they will ultimately require. C.CASB

A hospital has a new encrypted document management application that allows remote doctors to securely access patient hospital records. However, the PHI data is being blocked by the hospital's DLP system. What would be the best way to resolve this issue without unnecessarily compromising the system's security?
A.Configure the DLP policies to allow all PHI B.Configure the DLP policies to whitelist this application with the specific PHI C.Configure the firewall to allow all ports that are used by this application D.Configure the antivirus software to allow the application. E.Configure the application to encrypt the PHI Our goal is to enable the application with as little added risk as possible. Allowing the PHI data will be required for this to work, and we want to limit that allowance to this one application. B.Configure the DLP policies to whitelist this application with the specific PHI

Which is the most accurate? A.The data owner is responsible for adhering to the rules for using the data, while the data custodian is responsible for determining the corporate governance regarding the data. B.The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protections to the data. C.The data owner is responsible for controlling the data, while the data custodian is responsible for maintaining the chain of custody. D.The data owner grants the technical permissions for data access, while the data custodian maintains the database access controls to the data. The custodian described in (A) is actually the job description of the data steward. Owner – management role over the data. Steward – governance and compliance. Custodian – access controls and security enforcement. Privacy Officer – PII and disclosure. B.The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protections to the data.

Without losing the ability to search or fully utilize the data, what is the best protection mechanism for data stored on cloud-based services? A.Data encryption B.Data masking C.Anonymization D.Tokenization Tokenization: a de-identification method where a unique token is substituted for the real data. Unlike masking, it is non-destructive.
It is often preferred over encryption in regulated environments because an encrypted field is still the original data in regulatory terms (anyone with the key gets it back), whereas a token that can only be reversed inside the token vault keeps the real value out of the systems that hold the token. D.Tokenization

What would best protect a company from data theft via USB drives or other removable media? A.Blocking removable-media devices and write capabilities using a host-based security tool B.Implementing a group policy to block user access to system files C.Monitor large data transfer transactions in the firewall logs D.Develop mandatory training to educate employees about the removable media policy To best protect the company we need a preventive control. (A) Blocking USB devices with a host-based tool achieves the desired result. Good answer! (B) The majority of files we are protecting are not likely to be "system files". (C) This is a detective control, and a copy to a USB drive never crosses the firewall, so its logs would never see it. (D) Training is nice, but a preventive technical control like (A) is more reliable. A.Blocking removable-media devices and write capabilities using a host-based security tool

Before a news team takes a tour of the new state-of-the-art office complex, a manager instructs employees to clean all whiteboards and clear off all of their desks. What threat is the manager most likely trying to mitigate? A.Loss of proprietary information B.Damage to the company's reputation C.Social engineering D.Credential exposure Cameras will capture whatever is on a whiteboard or desk. A.Loss of proprietary information

An intelligence organization detects IoCs (indicators of compromise) coming from several different companies that use their services. Before the organization can release news of these threats, what are they obligated to do? A.Perform attribution to specific APTs and nation-state actors. B.Anonymize any PII that is observed within the IoC data. C.Add metadata to track the utilization of threat intelligence reports. D.Assist companies with impact assessments based on the observed data.
The evidence they collected could be very sensitive and needs to be anonymized before any part of it can be shared. B.Anonymize any PII that is observed within the IoC data. An admin needs to use functional data drawn from the production environment in a new virtual training environment. What should be done to the data that is drawn from the production environment so that security and anonymity is maintained when it is used by the training environment? A.Data minimization B.Data masking C.Data deduplication D.Data encryption Data masking can mean that part or all of the contents of a field are redacted by substituting strings with a new value. For example, all patients could have their age masked and the training system only sees everyone as being 30 years old. Data masking is considered an irreversible deidentification technique, while tokenization can be undone as needed. B.Data masking A company is building a new e-commerce website and has asked an specialist for the most appropriate way to store credit card numbers to create an easy reordering process. Of the methods outlined below, which would be best for achieving this goal? A.Salting the magnetic strip information B.Encrypting the credit card information in transit C.Hashing the credit card numbers upon entry D.Tokenizing the credit cards in the database D.Tokenizing the credit cards in the database Several managers have gathered to discuss hypothetical attacks and threats to the company. They discuss how to respond to the threats based off of previous plans and explore how to handle a dynamic security breach. What best describes what the managers are doing? A.Running a simulation exercise B.Conducting a tabletop exercise C.Building a disaster recovery plan D.Developing an incident response plan A table top exercise involves reviewing the incident response plans so that future responses are faster and smoother. Furthermore, it gives everyone an opportunity to suggest improvements or changes to the plan. 
B.Conducting a tabletop exercise To protect business operations during an incident, a manager has asked you to update the execution prevention rules to stop malware from spreading to critical systems. Which of the following incident response steps are you being asked to perform? A.Investigation B.Lessons learned C.Containment D.Recovery E.Eradication Incident response process = PICERL Prepare Identify Contain Eradicate Recover Lessons-learned C.Containment A technician at the SOC (security operations center) is using a SIEM to aggregate and correlate alert messages gathered from all across the network. What step of incident response are they most likely involved in? A.Eradication B.Preparation C.Identification D.Recovery Incident response process = PICERL Prepare Identify Contain Eradicate Recover Lessons-learned C.Identification Of the plans listed below, which one would help a company's executives determine how to proceed during an ongoing disaster, such as a global pandemic? A.An incident response plan B.A communications plan C.A disaster recovery plan D.A business continuity plan A recovery plan is about recovering after the disaster. A continuity plan is about increasing resiliency and possibly what to do during a disaster. D.A business continuity plan In your growing company, each newly hired salesperson relies on a mobile device to conduct business. You are wondering if the organization may need to scale down just as quickly as it scaled up. You're also concerned about the organization's security and customer privacy. Which of the following would be BEST to address your concerns? A.Disallow new hires from using mobile devices for six months. B.Select four devices for the sales department to use in a CYOD model. C.Implement BYOD for the sales department while leveraging the MDM. D.Deploy mobile devices using the COPE methodology. C.Implement BYOD for the sales department while leveraging the MDM. 
After an incident was identified, it took more than an hour to quarantine the affected system. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve this process? A.Updating the playbooks with better decisions points. B.Dividing the network into trusted and untrusted zones. C.Providing additional end-user training on acceptable use. D.Implementing manual quarantining of infected hosts. It sounds like the incident response playbook needs some revision. A.Updating the playbooks with better decisions points. During an ongoing attack an admin locks all of the compromised accounts and airgaps all infected hosts. What step of the incident response process is being described? A.Preparation B.Eradication C.Identification D.Lessons Learned E.Containment F.Recovery E.Containment You have been tasked with performing data forensics and need to make an exact copy of a hard drive. What command could you use to perform this task? A.Dd B.Chmod C.Dnsenum D.logger CompTIA says, “on a Linux host you can use the dd command to make a copy of an input file (if=) to an output file (of=) and apply optional conversions to the file data. In the following sda is the fixed drive: dd if=/dev/sda of=/mnt/usbstick/backup.img” Chmod alters permissions for file system objects while Dnsenum is for gathering (enumerating) dns information. Logger is used to make entries in the system log. It provides a command interface to the syslog module. A.Dd Which will most affect the collection of live forensics data? (Pick two) A.Data accessibility B.Right-to-audit clauses C.Legal hold D.Value and volatility of data E.Data retention legislation F.Cryptographic or hash algorithm Since the rise of cloud providers, gaining access to the LIVE data has become increasingly difficult. (A) Data accessibility. Can we get to the data we need to collect? (D) Value and volatility. 
How important is the data, and how long will it last before it is erased? Some types of data are inherently more volatile than others, meaning it needs to be collected quickly or it will no longer be available A.Data accessibility D.Value and volatility of data What forensics technique must be used to preserve the admissibility of evidence? A.Order of volatility B.Data recovery C.Chain of custody D.Non-repudiation In criminal and civil law, the term “chain of custody” refers to the order in which items of evidence have been handled during the investigation of a case. Proving that an item has been properly handled through an unbroken chain of custody is required for it to be legally considered as evidence in court. C.Chain of custody Somebody managed to capture all of the password hashes from a web server on a company's network. While performing an investigation, an analyst needs to gain access to the contents of RAM from the compromised server. Which of the following file types is the analyst looking for? A.Security B.Application C.Dump D.Syslog A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. P.471 C.Dump Mr. LaRusso, the owner of your company, may have had their PC affected by a security incident. A duplicate copy of his hard drive must be stored securely to follow chain of custody and appropriate forensic procedure. Which of the following steps should be performed in order to accomplish this goal? A.Install a new hard drive in his PC, and then remove the old hard drive and place it in a tamper-evident bag. B.Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy. C.Remove his hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while Mr. 
LaRusso watches. D.Refrain from completing a forensic analysis of his hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence. B.Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy. After a meeting with an auditor, a manager is putting together a risk register. What best describes a risk register? A.To define the level or risk using probability and likelihood B.To register the risk with the required regulatory agencies C.To identify the risk, the risk owner, and the risk measures D.To formally log the type of risk mitigation strategy the organization is using A risk register will: •Identify potential risks and their impact/likelihood •Display the company’s mitigation plan for each risk •Assign responsibility for the execution of those plans •Track the status of each plan (complete, in-progress, not started, etc) (A) isn’t wrong, but (C) is a more complete answer. C.To identify the risk, the risk owner, and the risk measures What type of plan would the company use in the event that they completely lost all of their critical systems and data? A.Data retention plan B.Disaster recovery plan C.Communications plan D.Incident response plan They lost everything? That sounds like a disaster! B.Disaster recovery plan A cloud service provider (CSP) outlines in a contract that the customer has the ultimate responsibility of ensuring the resources and services provided by the CSP are not used for illegal or fraudulent activity. Which of the risk responses is the CSP demonstrating? A.Risk avoidance B.Risk acceptance C.Risk transference D.Risk mitigation Transference: The cloud provider has transferred the risk, and thereby the responsibility for securing the services, to the customer. C.Risk transference After a server failure, it took the cloud provider 120 minutes to bring the system back online. 
Meanwhile, an affected company expected the server would be available again within 60 minutes. Of the answers below, what best illustrates the company's expectation? A.MTBF B.RPO C.MTTR D.RTO MTBF = Mean Time Between Failures RPO = Recovery Point Objective (acceptable amount of data loss)MTTR = Mean Time To Recovery (real world average time for recovery) RTO = Recovery Time Objective (goal/expected time for recovery) D.RTO Which of the following would document concerns associated with the restoration of IT systems in the event of a flood, earthquake, or hurricane? A.Business continuity plan B.Communications plan C.Disaster recovery plan D.Continuity of operations plan C.Disaster recovery plan Instead of relying on in-house application security, an organization has decided to outsource their application security by adopting a SaaS from a CSP (cloud service provider). What type of risk management has the company performed by implementing this change? A.Acceptance B.Transference C.Avoidance D.Mitigation B.Transference Your company wants to build another office that is expected to cost two million dollars. The town that this new office will be built in has a history of terrible earthquakes, once every 50 years. The estimated damage is 50% of the buildings cost. What is the SLE (Single Loss Expectancy)? A.20,000 B.40,000 C.500,000 D.1,000,000 E.4,000,000 We are given the AV, EF, and ARO. We need to solve for SLE. (AV) Asset Value - $ 2 million(EF) Exposure Factor - .5 (Half the value, %50)(SLE) Single Lost Expectancy - $ 1 Million <-Answer(ARO) Annual Rate of Occurrence - .02 (1 every 50 years)(ALE) Annual Loss Expectancy - $20,000 EQUATIONS AV x EF = SLE 2 Million * .5 = 1 Million SLE x ARO = ALE (this equation is not needed in this question) D.1,000,000 The SLA created with the cloud storage provider outlines the acceptable amount of data loss must be no greater than one hour in the event of a disaster. What metric is being described in this agreement? 
A.DRP B.RPO C.RTO D.MTTR Recovery Point Objective (RPO) is the acceptable amount of data loss. If the cloud provider was to lose more than one hour worth of data for any reason, they would be subject to penalties as outlined in the SLA (service level agreement). B.RPO See more Students also viewed 2022 CompTIA SECURITY+ SY0-601 BEST EXAM STUD… 174 terms Images Profile Picture WieldyStone2 Security+ Cert Exam Objectives SYO-601 786 terms Profile Picture jeffrey_baker Security+ 601 Practice Questions 187 terms Images Profile Picture DrewMyCC Teacher Security+ (SY0-601) Acronym List 358 terms Profile Picture arthur_lukyanovskiy Sets found in the same folder 2022 CompTIA SECURITY+ SY0-601 BEST EXAM STUD… 174 terms Images Profile Picture WieldyStone2 Security+ 601 845 terms Profile Picture ManInTh3Middl3 Security+ 601 Part 1 195 terms Profile Picture Michael_Wilson35 Teacher Security + SYO 601 Exam Cram 95 terms Profile Picture Dlawso11 Other sets by this creator Quiz 1 17 terms Profile Picture Veljulisa Chapter 11: Secure Network Architecture and S… 37 terms Profile Picture Veljulisa Chapter 10: Physical Security Requirements 30 terms Profile Picture Veljulisa Chapter 9: Security Vulnerabilities, Threats,… 36 terms Profile Picture Veljulisa 1/3 About us About Quizlet How Quizlet works Careers Advertise with us News Get the app For students Flashcards Learn Solutions Modern Learning Lab For teachers Live Checkpoint Blog Be the Change Resources Help center Honor code Community guidelines Privacy Terms Ad and Cookie Policy Language English (USA) © 2023 Quizlet, Inc. COPPA Safe Harbor Certification seal Home Your library Expert solutions Study sets, textbooks, questions Profile Picture Upgrade: free 7-day trial Security + Test Questions Study Security + Test Questions 17 studiers recently 5.0 (1 review) Flashcards Learn Test Match A user is attempting to navigate to a website from inside the company network using a desktop. 
When the user types in the URL, https://www.site.com, the user is presented with a certificate mismatch warning from the browser. The user does not receive a warning when visiting http://www.anothersite.com. Which of the following describes this attack?
A. On-path
B. Domain hijacking
C. DNS poisoning
D. Evil twin
Answer: C. DNS poisoning

Created by stazzonew. Terms in this set (20)

Which of the following tools is effective in preventing a user from accessing unauthorized removable media?
A. USB data blocker
B. Faraday cage
C. Proximity reader
D. Cable lock
Answer: A. USB data blocker

A Chief Security Officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the following would BEST meet the requirements?
A. Reverse proxy
B. Automated patch management
C. Snapshots
D. NIC teaming
Answer: A. Reverse proxy

Which of the following describes a social engineering technique that seeks to exploit a person's sense of urgency?
A. A phishing email stating a cash settlement has been awarded but will expire soon
B. A smishing message stating a package is scheduled for pickup
C. A vishing call that requests a donation be made to a local charity
D. A SPIM notification claiming to be undercover law enforcement investigating a cybercrime
Answer: A. A phishing email stating a cash settlement has been awarded but will expire soon

A security analyst is reviewing application logs to determine the source of a breach and locates the following log:
https://www.comptia.com/login.php?id='%20or%20'1'1='1
Which of the following has been observed?
A. DLL Injection
B. API attack
C. SQLi
D. XSS
Answer: C. SQLi

An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to BEST satisfy both the CPO's and the development team's requirements?
A. Data anonymization
B. Data encryption
C. Data masking
D. Data tokenization
Answer: A. Data anonymization

A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help accomplish this goal?
A. Classify the data.
B. Mask the data.
C. Assign the application owner.
D. Perform a risk analysis.
Answer: A. Classify the data.

A forensics investigator is examining a number of unauthorized payments that were reported on the company's website. Some unusual log entries show users received an email for an unwanted mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be:
<a href="https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250">Click here to unsubscribe</a>
Which of the following will the forensics investigator MOST likely determine has occurred?
A. SQL injection
B. Broken authentication
C. XSS
D. XSRF
Answer: D. XSRF

A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?
A. MFA
B. Lockout
C. Time-based logins
D. Password history
Answer: A. MFA

A company wants to simplify the certificate management process. The company has a single domain with several dozen subdomains, all of which are publicly accessible on the internet. Which of the following BEST describes the type of certificate the company should implement?
A. Subject alternative name
B. Wildcard
C. Self-signed
D. Domain validation
Answer: B. Wildcard

Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?
A. DLP
B. NIDS
C. TPM
D. FDE
Answer: A. DLP

Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a stronger preventative access control. Which of the following would BEST complete the engineer's assignment?
A. Replacing the traditional key with an RFID key
B. Installing and monitoring a camera facing the door
C. Setting motion-sensing lights to illuminate the door on activity
D. Surrounding the property with fencing and gates
Answer: A. Replacing the traditional key with an RFID key

Which of the following can be used by a monitoring tool to compare values and detect password leaks without providing the actual credentials?
A. Hashing
B. Tokenization
C. Masking
D. Encryption
Answer: A. Hashing

A security engineer is building a file transfer solution to send files to a business partner. The users would like to drop off the files in a specific directory and have the server send the file to the business partner. The connection to the business partner is over the internet and needs to be secure. Which of the following can be used?
A. S/MIME
B. LDAPS
C. SSH
D. SRTP
Answer: C. SSH

An administrator needs to protect user passwords and has been advised to hash the passwords. Which of the following BEST describes what the administrator is being advised to do?
A. Perform a mathematical operation on the passwords that will convert them into unique strings.
B. Add extra data to the passwords so their length is increased, making them harder to brute force.
C. Store all passwords in the system in a rainbow table that has a centralized location.
D. Enforce the use of one-time passwords that are changed for every login session.
Answer: A. Perform a mathematical operation on the passwords that will convert them into unique strings.

Which of the following would be indicative of a hidden audio file found inside of a piece of source code?
A. Steganography
B. Homomorphic encryption
C. Cipher suite
D. Blockchain
Answer: A. Steganography

A user enters a username and a password at the login screen for a web portal. A few seconds later the following message appears on the screen: "Please use a combination of numbers, special characters, and letters in the password field." Which of the following concepts does this message describe?
A. Password complexity
B. Password reuse
C. Password history
D. Password age
Answer: A. Password complexity

A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?
A. HIPS
B. FIM
C. TPM
D. DLP
Answer: C. TPM

Which of the following is a reason to publish files' hashes?
A. To validate the integrity of the files
B. To verify if the software was digitally signed
C. To use the hash as a software activation key
D. To use the hash as a decryption passphrase
Answer: A. To validate the integrity of the files

A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the following commands could an analyst run to find the requested servers?
A. nslookup 10.10.10.0
B. nmap -p 80 10.10.10.0/24
C. pathping 10.10.10.0 -p 80
D. ne -l -p 80
Answer: B. nmap -p 80 10.10.10.0/24

Terms in this set (12)

Start your preparation for CompTIA SY0-601 and become CompTIA Security+ certified with www.edusum.com. Here you get online practice tests prepared and approved by CompTIA certified experts based on their own certification exam experience.
Here, you also get the detailed and regularly updated syllabus for CompTIA SY0-601. The CompTIA SY0-601 practice tests provided by www.edusum.com are just one of the promising techniques of preparation for the SY0-601 exam. These CompTIA Security+ practice tests are composed by a team of experienced professionals. Upgraded Security Plus practice questions will give you the useful experience of learning for the CompTIA SY0-601 exam. You can gain the CompTIA Security+ certification on the first go with the help of the SY0-601 practice questions. If you are planning to prepare for the SY0-601 exam, but are not sure how hard the exam is and want to try out a sample test, you can take our SY0-601 practice test. To help you assess your readiness, we've developed a set of CompTIA SY0-601 sample questions and assembled them into a free online test exam. Getting that CompTIA SY0-601 certification is a great first step, and these practice tests can help you toward a better score. Millions of aspirants have become certified with our practice tests. Give your preparation a new edge with www.edusum.com practice tests. Effective and dynamic self-preparation is very important for your success in your CompTIA Security+ certification exam. You therefore need to explore all options of preparation that are available to you. After studying all the resource materials, you still need to go through different practice tests to evaluate your knowledge base and skill set.

01. Which of the following disaster recovery sites would require the MOST time to get operations back online?
a) Colocation
b) Cold
c) Hot
d) Warm
Answer: b) Cold

02. A Chief Financial Officer (CFO) has been receiving email messages that have suspicious links embedded from unrecognized senders. The emails ask the recipient for identity verification. The IT department has not received reports of this happening to anyone else. Which of the following is the MOST likely explanation for this behavior?
a) The CFO is the target of a whaling attack.
b) The CFO is the target of identity fraud.
c) The CFO is receiving spam that got past the mail filters.
d) The CFO is experiencing an impersonation attack.
Answer: a) The CFO is the target of a whaling attack.

03. Why do vendors provide MD5 values for their software patches?
a) To provide the necessary key for patch activation
b) To allow the downloader to verify the authenticity of the site providing the patch
c) To ensure that auto-updates are enabled for subsequent patch releases
d) To allow the recipient to verify the integrity of the patch prior to installation
Answer: d) To allow the recipient to verify the integrity of the patch prior to installation

04. The IT department receives a call one morning about users being unable to access files on the network shared drives. An IT technician investigates and determines the files became encrypted at 12:00 a.m. While the files are being recovered from backups, one of the IT supervisors realizes the day is the birthday of a technician who was fired two months prior. Which of the following describes what MOST likely occurred?
a) The fired technician placed a logic bomb.
b) The fired technician installed a rootkit on all the affected users' computers.
c) The fired technician installed ransomware on the file server.
d) The fired technician left a network worm on an old work computer.
Answer: a) The fired technician placed a logic bomb.

05. You have been asked to provide a virtualized environment. Which of the following makes it possible for many instances of an operating system to be run on the same machine?
a) API
b) Virtual machine
c) Hypervisor
d) Container
Answer: c) Hypervisor

To get preparation tips for the CompTIA SY0-601 exam, click here: https://sy0-601preparationguide.tumblr.com/

06. Which of the following would be the BEST method to prevent the physical theft of staff laptops at an open-plan bank location with a high volume of customers each day?
a) Guards at the door
b) Cable locks
c) Visitor logs
d) Cameras
Answer: b) Cable locks

07. What is the term given to a framework or model outlining the phases of attack to help security personnel defend their systems and respond to attacks?
a) Command and control
b) Intrusion kill chain
c) Cyber-incident response
d) CIRT
Answer: b) Intrusion kill chain

08. A security manager needed to protect a high-security datacenter, so the manager installed an access control vestibule that can detect an employee's heartbeat, weight, and badge. Which of the following did the security manager implement?
a) A physical control
b) A corrective control
c) A compensating control
d) A managerial control
Answer: a) A physical control

09. Joe, an employee, knows he is going to be fired in three days. Which of the following characterizations describes the employee?
a) An insider threat
b) A competitor
c) A hacktivist
d) A state actor
Answer: a) An insider threat

10. An organization has a policy in place that states the person who approves firewall controls/changes cannot be the one implementing the changes. Which of the following describes this policy?
a) Change management
b) Job rotation
c) Separation of duties
d) Least privilege
Answer: c) Separation of duties

Terms in this set (100)

A user is attempting to navigate to a website from inside the company network using a desktop. When the user types in the URL, https://www.site.com, the user is presented with a certificate mismatch warning from the browser. The user does not receive a warning when visiting http://www.anothersite.com. Which of the following describes this attack?
A. On-path
B. Domain hijacking
C. DNS poisoning
D. Evil twin
Answer: B. Domain hijacking

Which of the following tools is effective in preventing a user from accessing unauthorized removable media?
A. USB data blocker
B. Faraday cage
C. Proximity reader
D. Cable lock
Answer: A. USB data blocker

A Chief Security Officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the following would BEST meet the requirements?
A. Reverse proxy
B. Automated patch management
C. Snapshots
D. NIC teaming
Answer: C. Snapshots

Which of the following describes a social engineering technique that seeks to exploit a person's sense of urgency?
A. A phishing email stating a cash settlement has been awarded but will expire soon
B. A smishing message stating a package is scheduled for pickup
C. A vishing call that requests a donation be made to a local charity
D. A SPIM notification claiming to be undercover law enforcement investigating a cybercrime
Answer: C. A vishing call that requests a donation be made to a local charity

A security analyst is reviewing application logs to determine the source of a breach and locates the following log:
https://www.comptia.com/login.php?id='%20or%20'1'1='1
Which of the following has been observed?
A. DLL Injection
B. API attack
C. SQLi
D. XSS
Answer: C. SQLi

An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to BEST satisfy both the CPO's and the development team's requirements?
A. Data anonymization
B. Data encryption
C. Data masking
D. Data tokenization
Answer: A. Data anonymization

A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help accomplish this goal?
A. Classify the data.
B. Mask the data.
C. Assign the application owner.
D. Perform a risk analysis.
Answer: A. Classify the data.

A forensics investigator is examining a number of unauthorized payments that were reported on the company's website. Some unusual log entries show users received an email for an unwanted mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be:
<a href="https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250">Click here to unsubscribe</a>
Which of the following will the forensics investigator MOST likely determine has occurred?
A. SQL injection
B. Broken authentication
C. XSS
D. XSRF
Answer: B. Broken authentication

A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?
A. MFA
B. Lockout
C. Time-based logins
D. Password history
Answer: A. MFA

A company wants to simplify the certificate management process. The company has a single domain with several dozen subdomains, all of which are publicly accessible on the internet. Which of the following BEST describes the type of certificate the company should implement?
A. Subject alternative name
B. Wildcard
C. Self-signed
D. Domain validation
Answer: B. Wildcard

Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?
A. DLP
B. NIDS
C. TPM
D. FDE
Answer: A.
DLP Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a stronger preventative access control. Which of the following would BEST complete the engineer's assignment? A. Replacing the traditional key with an RFID key B. Installing and monitoring a camera facing the door C. Setting motion-sensing lights to illuminate the door on activity D. Surrounding the property with fencing and gates A. Replacing the traditional key with an RFID key Which of the following can be used by a monitoring tool to compare values and detect password leaks without providing the actual credentials? A. Hashing B. Tokenization C. Masking D. Encryption A. Hashing A security engineer is building a file transfer solution to send files to a business partner. The users would like to drop off the files in a specific directory and have the server send the file to the business partner. The connection to the business partner is over the internet and needs to be secure. Which of the following can be used? A. S/MIME B. LDAPS C. SSH D. SRTP C. SSH An administrator needs to protect user passwords and has been advised to hash the passwords. Which of the following BEST describes what the administrator is being advised to do? A. Perform a mathematical operation on the passwords that will convert them into unique strings. B. Add extra data to the passwords so their length is increased, making them harder to brute force. C. Store all passwords in the system in a rainbow table that has a centralized location. D. Enforce the use of one-time passwords that are changed for every login session. A. Perform a mathematical operation on the passwords that will convert them into unique strings Which of the following would be indicative of a hidden audio file found inside of a piece of source code? A. Steganography B. Homomorphic encryption C. Cipher suite D. Blockchain A. 
Steganography A user enters a username and a password at the login screen for a web portal. A few seconds later the following message appears on the screen:Please use a combination of numbers, special characters, and letters in the password field.Which of the following concepts does this message describe? A. Password complexity B. Password reuse C. Password history D. Password age A. Password complexity A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution? A. HIPS B. FIM C. TPM D. DLP C. TPM Which of the following is a reason to publish files' hashes? A. To validate the integrity of the files B. To verify if the software was digitally signed C. To use the hash as a software activation key D. To use the hash as a decryption passphrase A. To validate the integrity of the files A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the following commands could an analyst run to find the requested servers? A. nslookup 10.10.10.0 B. nmap -p 80 10.10.10.0/24 C. pathping 10.10.10.0 -p 80 D. ne -l -p 80 B. nmap -p 80 10.10.10.0/24 Which biometric error would allow an unauthorized user to access a system? A. False acceptance B. False entrance C. False rejection D. False denial A. False acceptance A company is auditing the manner in which its European customers' personal information is handled. Which of the following should the company consult? A. GDPR B. ISO C. NIST D. PCI DSS A. GDPR Which of the following are common VoIP-associated vulnerabilities? (Choose two.) A. SPIM B. Vishing C. Hopping D. Phishing E. 
Credential harvesting F. Tailgating A. SPIM B. Vishing An organization is planning to open other data centers to sustain operations in the event of a natural disaster. Which of the following considerations would BEST support the organization's resiliency? A. Geographic dispersal B. Generator power C. Fire suppression D. Facility automation A. Geographic dispersal Which of the following describes the exploitation of an interactive process to gain access to restricted areas? A. Persistence B. Buffer overflow C. Privilege escalation D. Pharming C. Privilege escalation A security engineer is deploying a new wireless network for a company. The company shares office space with multiple tenants. Which of the following should the engineer configure on the wireless network to ensure that confidential data is not exposed to unauthorized users? A. EAP B. TLS C. HTTPS D. AES D. AES The Chief Compliance Officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST likely protecting against? A. Preventing any current employees' siblings from working at the bank to prevent nepotism B. Hiring an employee who has been convicted of theft to adhere to industry compliance C. Filtering applicants who have added false information to resumes so they appear better qualified D. Ensuring no new hires have worked at other banks that may be trying to steal customer information C. Filtering applicants who have added false information to resumes so they appear better qualified An engineer recently deployed a group of 100 web servers in a cloud environment. Per the security policy, all web-server ports except 443 should be disabled.Which of the following can be used to accomplish this task? A. Application allow list B. SWG C. Host-based firewall D. VPN B. SWG A technician was dispatched to complete repairs on a server in a data center. While locating the server, the technician entered a restricted area without authorization. 
Which of the following security controls would BEST prevent this in the future? A. Use appropriate signage to mark all areas. B. Utilize cameras monitored by guards. C. Implement access control vestibules. D. Enforce escorts to monitor all visitors. B. Utilize cameras monitored by guards. Which of the following would BEST provide a systems administrator with the ability to more efficiently identify systems and manage permissions and policies based on location, role, and service level? A. Standard naming conventions B. Domain services C. Baseline configurations D. Diagrams B. Domain services Which of the following would detect intrusions at the perimeter of an airport? A. Signage B. Fencing C. Motion sensors D. Lighting E. Bollards E. Bollards A security analyst is concerned about critical vulnerabilities that have been detected on some applications running inside containers. Which of the following is theBEST remediation strategy? A. Update the base container Image and redeploy the environment. B. Include the containers in the regular patching schedule for servers. C. Patch each running container individually and test the application. D. Update the host in which the containers are running. B. Include the containers in the regular patching schedule for servers. An organization has decided to purchase an insurance policy because a risk assessment determined that the cost to remediate the risk is greater than the five- year cost of the insurance policy. The organization is enabling risk: A. avoidance. B. acceptance. C. mitigation. D. transference D. transference A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The ChiefInformation Security Officer asks the analyst to block the originating source. Several days later, another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. 
The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert? A. True negative B. True positive C. False positive D. False negative C. False positive A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst to use? A. SSAE SOC 2 B. ISO 31000 C. NIST CSF D. GDPR C. NIST CSF The Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the following incident response processes is the CISO requesting? A. Lessons learned B. Preparation C. Detection D. Containment E. Root cause analysis A. Lessons learned A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources. Which of the following risks would this training help to prevent? A. Hoaxes B. SPIMs C. Identity fraud D. Credential harvesting A. Hoaxes A security analyst is receiving numerous alerts reporting that the response time of an internet-facing application has been degraded. However, the internal network performance was not degraded. Which of the following MOST likely explains this behavior? A. DNS poisoning B. MAC flooding C. DDoS attack D. ARP poisoning C. DDoS attack Which of the following will increase cryptographic security? A. High data entropy B. Algorithms that require less computing power C. Longer key longevity D. Hashing A. High data entropy Which of the following statements BEST describes zero-day exploits? A. When a zero-day exploit is discovered, the system cannot be protected by any means. B. Zero-day exploits have their own scoring category in CVSS. C. A zero-day exploit is initially undetectable, and no patch for it exists. D. Discovering zero-day exploits is always performed via bug bounty programs. C. A zero-day exploit is initially undetectable, and no patch for it exists. 
A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution. In order to restrict PHI documents, which of the following should be performed FIRST? A. Retention B. Governance C. Classification D. Change management C. Classification A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output was found on the naming server of the organization:Which of the following attacks has taken place? NAME TYPE DATA www A 192.168.1.10 server1 A 10.10.1O.1O server2 A 10.10.10.11 file A 10.10.10.12 A. Domain reputation B. Domain hijacking C. Disassociation D. DNS poisoning B. Domain hijacking Which of the following describes the continuous delivery software development methodology? A. Waterfall B. Spiral C. V-shaped D. Agile D. Agile Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable media restriction policy? A. Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports B. Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced C. Placing systems into locked, key-controlled containers with no access to the USB ports D. Installing an endpoint agent to detect connectivity of USB and removable media B. Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing.Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented? A. Enforce MFA when an account request reaches a risk threshold. B. 
Implement geofencing to only allow access from headquarters. C. Enforce time-based login requests that align with business hours. D. Shift the access control scheme to a discretionary access control. A. Enforce MFA when an account request reaches a risk threshold. An organization wants to participate in threat intelligence information sharing with peer groups. Which of the following would MOST likely meet the organization's requirement? A. Perform OSINT investigations. B. Subscribe to threat intelligence feeds. C. Submit RFCs. D. Implement a TAXII server. D. Implement a TAXII server. Which of the following is the MOST effective control against zero-day vulnerabilities? A. Network segmentation B. Patch management C. Intrusion prevention system D. Multiple vulnerability scanners C. Intrusion prevention system Which of the following is the GREATEST security concern when outsourcing code development to third-party contractors for an internet-facing application? A. Intellectual property theft B. Elevated privileges C. Unknown backdoor D. Quality assurance C. Unknown backdoor An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an IoC? A. Reimage the impacted workstations. B. Activate runbooks for incident response. C. Conduct forensics on the compromised system. D. Conduct passive reconnaissance to gather information. C. Conduct forensics on the compromised system. An amusement park is implementing a biometric system that validates customers' fingerprints to ensure they are not sharing tickets. The park's owner values customers above all and would prefer customers' convenience over security. For this reason, which of the following features should the security team prioritizeFIRST? A. Low FAR B. Low efficacy C. Low FRR D. Low CER C. Low FRR Which of the following organizations sets frameworks and controls for optimal security configuration on systems? A. ISO B. GDPR C. PCI DSS D. 
NIST D. NIST An organization discovered files with proprietary financial data have been deleted. The files have been recovered from backup, but every time the Chief FinancialOfficer logs in to the file server, the same files are deleted again. No other users are experiencing this issue. Which of the following types of malware is MOST likely causing this behavior? A. Logic bomb B. Cryptomalware C. Spyware D. Remote access Trojan A. Logic bomb A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst doNEXT? A. Review how the malware was introduced to the network. B. Attempt to quarantine all infected hosts to limit further spread. C. Create help desk tickets to get infected systems reimaged. D. Update all endpoint antivirus solutions with the latest updates. B. Attempt to quarantine all infected hosts to limit further spread. During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted, and the adversary is able to maintain a presence in the network.In which of the following stages of the Cyber Kill Chain is the adversary currently operating? A. Reconnaissance B. Command and control C. Actions on objective D. Exploitation C. Actions on objective A recent security breach exploited software vulnerabilities in the firewall and within the network management solution. Which of the following will MOST likely be used to identify when the breach occurred through each device? A. SIEM correlation dashboards B. Firewall syslog event logs C. Network management solution login audit logs D. Bandwidth monitors and interface sensors A. SIEM correlation dashboards Which of the following is the FIRST environment in which proper, secure coding should be practiced? A. Stage B. Development C. 
Production D. Test A. Stage A cloud service provider has created an environment where customers can connect existing local networks to the cloud for additional computing resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used? A. Public B. Community C. Hybrid D. Private C. Hybrid An organization has developed an application that needs a patch to fix a critical vulnerability. In which of the following environments should the patch be deployed LAST? A. Test B. Staging C. Development D. Production C. Development An organization is building backup server rooms in geographically diverse locations. The Chief Information Security Officer implemented a requirement on the project that states the new hardware cannot be susceptible to the same vulnerabilities in the existing server room. Which of the following should the systems engineer consider? A. Purchasing hardware from different vendors B. Migrating workloads to public cloud infrastructure C. Implementing a robust patch management solution D. Designing new detective security controls B. Migrating workloads to public cloud infrastructure A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal behavior is detected.Which of the following is the security analyst MOST likely implementing? A. Vulnerability scans B. User behavior analysis C. Security orchestration, automation, and response D. Threat hunting B. User behavior analysis Data exfiltration analysis indicates that an attacker managed to download system configuration notes from a web server. The web-server logs have been deleted, but analysts have determined that the system configuration notes were stored in the database administrator's folder on the web server. Which of the following attacks explains what occurred? (Choose two.) A. Pass-the-hash B. Directory traversal C. SQL injection D. Privilege escalation E. 
Cross-site scripting F. Request forgery B. Directory traversal D. Privilege escalation A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users' interaction. The SIEM have multiple login entries with the following text: suspicious event - user: scheduledtasks successfully authenticate on AD on abnormal time suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\amazing-3rdparty-domain-assessment.py suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\secureyourAD-3rdparty-compliance.sh suspicious event - user: scheduledtasks successfully executed c:\weekly_checkups\amazing-3rdparty-domain-assessment.pyWhich of the following is the MOST likely attack conducted on the environment? A. Malicious script B. Privilege escalation C. Domain hijacking D. DNS poisoning A. Malicious script A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique? A. Vishing B. Whaling C. Phishing D. Smishing D. Smishing Which of the following actions would be recommended to improve an incident response process? A. Train the team to identify the difference between events and incidents. B. Modify access so the IT team has full access to the compromised assets. C. Contact the authorities if a cybercrime is suspected. D. Restrict communication surrounding the response to the IT team. A. Train the team to identify the difference between events and incidents. A cybersecurity administrator needs to implement a Layer 7 security control on a network and block potential attacks. Which of the following can block an attack at Layer 7? (Choose two.) A. HIDS B. NIPS C. HSM D. WAF E. NAC F. NIDS B. NIPS D. 
WAF A business operations manager is concerned that a PC that is critical to business operations will have a costly hardware failure soon. The manager is looking for options to continue business operations without incurring large costs. Which of the following would mitigate the manager's concerns? A. Implement a full system upgrade. B. Perform a physical-to-virtual migration. C. Install uninterruptible power supplies. D. Purchase cybersecurity insurance. B. Perform a physical-to-virtual migration. An organization has activated an incident response plan due to a malware outbreak on its network. The organization has brought in a forensics team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be BEST to prevent reinfection from the infection vector? A. Prevent connections over TFTP from the internal network. B. Create a firewall rule that blocks a 22 from the internet to the server. C. Disable file sharing over port 445 to the server. D. Block port 3389 inbound from untrusted networks. C. Disable file sharing over port 445 to the server. Which of the following uses SAML for authentication? A. TOTP B. Federation C. Kerberos D. HOTP B. Federation The SOC for a large MSSP is meeting to discuss the lessons learned from a recent incident that took much too long to resolve. This type of incident has become more common in recent weeks and is consuming large amounts of the analysts' time due to manual tasks being performed. Which of the following solutions should the SOC consider to BEST improve its response time? A. Configure a NIDS appliance using a Switched Port Analyzer. B. Collect OSINT and catalog the artifacts in a central repository. C. Implement a SOAR with customizable playbooks. D. Install a SIEM with community-driven threat intelligence. C. 
Implement a SOAR with customizable playbooks. Business partners are working on a security mechanism to validate transactions securely. The requirement is for one company to be responsible for deploying a trusted solution that will register and issue artifacts used to sign, encrypt, and decrypt transaction files. Which of the following is the BEST solution to adopt? A. PKI B. Blockchain C. SAML D. OAuth A. PKI A security analyst has been asked by the Chief Information Security Officer to:✑ develop a secure method of providing centralized management of infrastructure✑ reduce the need to constantly replace aging end user machines✑ provide a consistent user desktop experienceWhich of the following BEST meets these requirements? A. BYOD B. Mobile device management C. VDI D. Containerization C. VDI Which of the following terms describes a broad range of information that is sensitive to a specific organization? A. Public B. Top secret C. Proprietary D. Open-source C. Proprietary A Chief Security Officer (CSO) is concerned that cloud-based services are not adequately protected from advanced threats and malware. The CSO believes there is a high risk that a data breach could occur in the near future due to the lack of detective and preventive controls. Which of the following should be implemented to BEST address the CSO's concerns? (Choose two.) A. A WAF B. A CASB C. An NG-SWG D. Segmentation E. Encryption F. Containerization C. An NG-SWG D. Segmentation An organization is planning to roll out a new mobile device policy and issue each employee a new laptop. These laptops would access the users' corporate operating system remotely and allow them to use the laptops for purposes outside of their job roles. Which of the following deployment models is being utilized? A. MDM and application management B. BYOD and containers C. COPE and VDI D. CYOD and VMs B. 
BYOD and containers Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:✑ All users share workstations throughout the day.✑ Endpoint protection was disabled on several workstations throughout the network.✑ Travel times on logins from the affected users are impossible.✑ Sensitive data is being uploaded to external sites. All user account passwords were forced to be reset and the issue continued. Which of the following attacks is being used to compromise the user accounts? A. Brute-force B. Keylogger C. Dictionary D. Rainbow B. Keylogger A security forensics analyst is examining a virtual server. The analyst wants to preserve the present state of the virtual server, including memory contents. Which of the following backup types should be used? A. Snapshot B. Differential C. Cloud D. Full E. Incremental A. Snapshot After returning from a conference, a user's laptop has been operating slower than normal and overheating, and the fans have been running constantly. During the diagnosis process, an unknown piece of hardware is found connected to the laptop's motherboard. Which of the following attack vectors was exploited to install the hardware? A. Removable media B. Spear phishing C. Supply chain D. Direct access A. Removable media After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices? A. SSH B. SNMPv3 C. SFTP D. Telnet E. FTP A. SSH Which of the following provides a calculated value for known vulnerabilities so organizations can prioritize mitigation steps? A. CVSS B. SIEM C. SOAR D. CVE A. 
CVSS

Several universities are participating in a collaborative research project and need to share compute and storage resources. Which of the following cloud deployment strategies would BEST meet this need?
A. Community  B. Private  C. Public  D. Hybrid
Answer: A. Community

A forensic analyst needs to prove that data has not been tampered with since it was collected. Which of the following methods will the analyst MOST likely use?
A. Look for tampering on the evidence collection bag.  B. Encrypt the collected data using asymmetric encryption.  C. Ensure proper procedures for chain of custody are being followed.  D. Calculate the checksum using a hashing algorithm.
Answer: D. Calculate the checksum using a hashing algorithm. Chain of custody documents who handled the evidence; only a hash taken at collection and recomputed later proves that the bytes themselves are unchanged.

Multiple business accounts were compromised a few days after a public website had its credentials database leaked on the Internet. No business emails were identified in the breach, but the security team thinks that the list of passwords exposed was later used to compromise business accounts. Which of the following would mitigate the issue?
A. Complexity requirements  B. Password history  C. Acceptable use policy  D. Shared accounts
Answer: B. Password history

A security analyst wants to fingerprint a web server. Which of the following tools will the security analyst MOST likely use to accomplish this task?
A. nmap -p1-65535 192.168.0.10  B. dig 192.168.0.10  C. curl --head http://192.168.0.10  D. ping 192.168.0.10
Answer: C. curl --head http://192.168.0.10 (the HEAD response carries the Server and related headers that identify the web server software)

A penetration tester was able to compromise an internal server and is now trying to pivot the current session in a network lateral movement. Which of the following tools, if available on the server, will provide the MOST useful information for the next assessment step?
A. Autopsy  B. Cuckoo  C. Memdump  D. Nmap
Answer: D. Nmap. Autopsy is a disk-forensics platform, Cuckoo a malware sandbox and Memdump a memory acquisition tool; only Nmap enumerates the hosts and services reachable from the compromised server, which is what the next lateral-movement step needs.

Field workers in an organization are issued mobile phones on a daily basis. All the work is performed within one city, and the mobile phones are not used for any purpose other than work. The organization does not want these phones used for personal purposes. The organization would like to issue the phones to workers as permanent devices so the phones do not need to be reissued every day. Given the conditions described, which of the following technologies would BEST meet these requirements?
A. Geofencing  B. Mobile device management  C. Containerization  D. Remote wiping
Answer: B. Mobile device management

Which of the following control types is focused primarily on reducing risk before an incident occurs?
A. Preventive  B. Deterrent  C. Corrective  D. Detective
Answer: A. Preventive

A systems administrator reports degraded performance on a virtual server. The administrator increases the virtual memory allocation, which improves conditions, but performance degrades again after a few days. The administrator runs an analysis tool and sees the following output:
    ==3214== timeAttend.exe analyzed
    ==3214== ERROR SUMMARY:
    ==3214== malloc/free: in use at exit: 4608 bytes in 18 blocks.
    ==3214== checked 82116 bytes
    ==3214== definitely lost: 4608 bytes in 18 blocks.
The administrator terminates timeAttend.exe, observes system performance over the next few days, and notices that the system performance does not degrade. Which of the following issues is MOST likely occurring?
A. DLL injection  B. API attack  C. Buffer overflow  D. Memory leak
Answer: D. Memory leak (memory is allocated with malloc and never freed, so the process grows until it is killed)

An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message reveals that a payment card number was found in the file, and the file upload was blocked. Which of the following controls is most likely causing this issue and should be checked FIRST?
A. DLP  B. Firewall rule  C. Content filter  D. MDM  E. Application allow list
Answer: A. DLP

Which of the following risk management strategies would an organization use to maintain a legacy system with known risks for operational purposes?
A. Acceptance  B. Transference  C. Avoidance  D. Mitigation
Answer: A. Acceptance

Which of the following is the BEST action to foster a consistent and auditable incident response process?
A. Incent new hires to constantly update the document with external knowledge.  B. Publish the document in a central repository that is easily accessible to the organization.  C. Restrict eligibility to comment on the process to subject matter experts of each IT silo.  D. Rotate CIRT members to foster a shared responsibility model in the organization.
Answer: B. Publish the document in a central repository that is easily accessible to the organization. A process that everyone can find and follow is what makes it consistent and auditable; rotating CIRT members spreads knowledge but does not by itself produce a repeatable, reviewable process.

During a recent penetration test, the tester discovers large amounts of data were exfiltrated over the course of 12 months via the internet. The penetration tester stops the test to inform the client of the findings. Which of the following should be the client's NEXT step to mitigate the issue?
A. Conduct a full vulnerability scan to identify possible vulnerabilities.  B. Perform containment on the critical servers and resources.  C. Review the firewall and identify the source of the active connection.  D. Disconnect the entire infrastructure from the internet.
Answer: B. Perform containment on the critical servers and resources.

A security analyst is designing the appropriate controls to limit unauthorized access to a physical site. The analyst has a directive to utilize the lowest possible budget. Which of the following would BEST meet the requirements?
A. Preventive controls  B. Compensating controls  C. Deterrent controls  D. Detective controls
Answer: C. Deterrent controls. Signage, lighting and visible cameras are the cheapest way to discourage entry; detective controls only report an intrusion after it has happened and do not limit access.

A company is looking to migrate some servers to the cloud to minimize its technology footprint. The company has 100 databases that are on premises. Which of the following solutions will require the LEAST management and support from the company?
A. SaaS  B. IaaS  C. PaaS  D. SDN
Answer: A. SaaS

Which of the following employee roles is responsible for protecting an organization's collected personal information?
A. CTO  B. DPO  C. CEO  D. DBA
Answer: B. DPO

Against the recommendation of the IT security analyst, a company set all user passwords on a server as `P@55w0rD`. Upon review of the /etc/passwd file, an attacker found the following:
    alice:a8df3b6c4fd75f0617431fd248f35191df8d237f
    bob:2d250c5b2976b03d757f324ebd59340df96aa05e
    chris:ea981ec3285421d014108089f3f3f997ce0f4150
Which of the following BEST explains why the encrypted passwords do not match?
A. Perfect forward secrecy  B. Key stretching  C. Salting  D. Hashing
Answer: C. Salting. A per-user random salt is mixed into each hash, so the same password yields three different digests; hashing alone would give three identical values.

After gaining access to a dual-homed (i.e., wired and wireless) multifunction device by exploiting a vulnerability in the device's firmware, a penetration tester then gains shell access on another networked asset. This technique is an example of:
A. privilege escalation.  B. footprinting.  C. persistence.  D. pivoting.
Answer: D. pivoting.

Which of the following should be monitored by threat intelligence researchers who search for leaked credentials?
A. Common Weakness Enumeration  B. OSINT  C. Dark web  D. Vulnerability databases
Answer: C. Dark web

A security analyst needs to be able to search and correlate logs from multiple sources in a single tool. Which of the following would BEST allow a security analyst to have this ability?
A. SOAR  B. SIEM  C. Log collectors  D. Network-attached storage
Answer: B. SIEM

A security analyst is investigating suspicious traffic on the web server located at IP address 10.10.1.1. A search of the WAF logs reveals the following output:
    SOURCE IP   DESTINATION IP   REQUESTED URL           ACTION TAKEN
    172.16.1.3  10.10.1.1        /web/cgi-bin/contact?
Which of the following is MOST likely occurring?
A. XSS attack  B. SQLi attack  C. Replay attack  D. XSRF attack
Answer: B. SQLi attack

Which of the following components can be used to consolidate and forward inbound internet traffic to multiple cloud environments through a single firewall?
A. Transit gateway  B. Cloud hot site  C. Edge computing  D. DNS sinkhole
Answer: A. Transit gateway

Which of the following functions does a single quote (') perform in an SQL injection?
Options: Indicates that everything after the single quote is a comment; Indicates that the comment has ended and data is being entered; Indicates that code is ending and a comment is being entered; Indicates that data has ended and a command is beginning
Answer: Indicates that data has ended and a command is beginning

You have detected and identified a security event. What's the first step you should complete?
Options: Isolation; Segmentation; Playbook; Containment
Answer: Containment

Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject?
Options: Mandatory Access Control (MAC); Role-Based Access Control (RBAC); Attribute-Based Access Control (ABAC); Rule-Based Access Control
Answer: Attribute-Based Access Control (ABAC)

Which of the following types of auditing verifies that systems are utilized appropriately and in accordance with written organizational policies?
Options: Financial audit; PoLP; Internal audit; Usage audit
Answer: Usage audit

Which EAP implementation is MOST secure?
Options: EAP-MD5; LEAP; EAP-FAST; EAP-TLS
Answer: EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

Which type of reconnaissance is dumpster diving?
Options: Active; Passive; Packet sniffing; OSINT
Answer: Passive (no active modification or querying of the target is involved)

You have been hired as part of the team that manages an organization's network defense. Which security team are you working on?
Options: Red; White; Blue; Purple
Answer: Blue

What is the average number of times that a specific risk is likely to be realized in a single year?
Options: Estimated maximum downtime; Annualized rate of occurrence; Exposure factor; Annualized loss expectancy
Answer: Annualized rate of occurrence

Your LDAP directory-services solution uses simple authentication. What should you always do when using simple authentication?
Options: Use IPsec and certificates; Use SSL; Use Kerberos; Add SASL and use TLS
Answer: Use SSL

A wireless access point configured to use Wired Equivalent Privacy (WEP) is an example of which kind of vulnerability?
Options: Unpatched software; Default settings; Zero-day exploit; Weak security configurations
Answer: Weak security configurations

You manage an Active Directory domain. All users in the domain have a standard set of internet options configured by a GPO linked to the domain, but you want users in the Administrators OU to have a different set of internet options. What should you do?
Options: Create a GPO computer policy for the Administrators OU; Create a GPO user policy for the Administrators OU; Create a Local Group Policy on the computers used by members of the Administrators OU; Create a GPO user policy for the domain
Answer: Create a GPO user policy for the Administrators OU

What is the most obvious means of providing non-repudiation in a cryptography system?
Options: Digital signatures; Shared secret keys; Public keys; Hashing values
Answer: Digital signatures

SSL (Secure Sockets Layer) operates at which layer of the OSI model?
Options: Session; Application; Transport; Presentation
Answer: Session

What is the purpose of audit trails?
Options: To detect security-violating events; To restore systems to normal operations; To correct system problems; To prevent security breaches
Answer: To detect security-violating events

Most equipment is cooled by bringing cold air in the front and ducting the heat out of the back. What is the term for where the heat is sent in this type of scenario?
Options: Hot aisle; Cold aisle; Front aisle; Back aisle
Answer: Hot aisle

Which of the following happens by default when you create a new ACL on a router?
Options: All traffic is blocked; All traffic is permitted; The ACL is ignored until applied; ACLs are not created on a router
Answer: All traffic is blocked (every ACL ends with an implicit deny)

Which of the following terms is used to describe an event in which a person who should be allowed access is denied access to a system?
Options: False negative; Error rate; False positive; False acceptance
Answer: False negative

Which of the following drive configurations is fault tolerant?
Options: Disk striping; RAID 5; Expanded volume set; RAID 0
Answer: RAID 5

Which of the following terms describes the actual time required to successfully recover operations in the event of an incident?
Options: Recovery point objective (RPO); Mean time to repair (MTTR); Recovery time objective (RTO); Maximum tolerable downtime (MTD)
Answer: Recovery time objective (RTO)

!= or <> refers to Not Equal in which scripting language?
Options: Bash; PuTTY; Python; PowerShell
Answer: Python

You want to identify traffic that is generated and sent through a network by a specific application running on a device. Which tool should you use?
Options: Certifier; Protocol analyzer; Multimeter; Toner probe; TDR
Answer: Protocol analyzer

You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use?
Options: OVAL; Network mapper; Port scanner; Ping scanner
Answer: Network mapper

After a security event that involves a breach of physical security, what is the term used for the new measures, incident review, and repairs meant to stop a future incident from occurring?
Options: Detection; Recovery; Prevention; Data breach
Answer: Recovery

A relatively new employee in the data entry cubicle farm was assigned a user account similar to the other data entry employees' accounts. However, audit logs have shown that this user account has been used to change ACLs on several confidential files and has accessed data in restricted areas. This situation indicates which of the following has occurred?
Options: Physical security; Social engineering; External attack; Privilege escalation
Answer: Privilege escalation

Which of the following is the BEST example of the principle of least privilege?
Options: Lenny has been given access to files that he does not need for his job; Wanda has been given access to the files that she needs for her job; Jill has been given access to all of the files on one server; Mary has been given access to all of the file servers
Answer: Wanda has been given access to the files that she needs for her job
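The single-quote card above says the quote marks the point where data ends and a command begins. The Python script below is an added example, not part of the flashcard set, that makes this concrete against an in-memory SQLite table with constructed sample users: a deliberately vulnerable login query built by string formatting, the parameterized form beside it, and the syntax error a lone quote produces, which is how testers find injection points in the first place.

```python
import sqlite3

# Constructed sample users for this example (not from the original page).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    # Deliberately vulnerable: user input is spliced into the SQL text, so a
    # single quote in the input closes the string literal and whatever follows
    # is parsed as SQL, not as data.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    # Parameterized: values travel separately from the statement, so a quote in
    # the input stays inside the data and never terminates the literal.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def probe(conn, name):
    # A lone quote unbalances the statement; the resulting syntax error is the
    # classic sign a tester looks for when hunting injection points.
    try:
        login_vulnerable(conn, name, "x")
        return "no error"
    except sqlite3.Error as exc:
        return type(exc).__name__


def demo():
    conn = make_db()
    return {
        # the quote closes the name literal and "--" comments out the password check
        "bypass_vulnerable": login_vulnerable(conn, "alice' -- ", "wrong"),
        "bypass_safe": login_safe(conn, "alice' -- ", "wrong"),
        # a tautology in the password field makes the WHERE clause true for every row
        "dump_vulnerable": sorted(login_vulnerable(conn, "x", "' OR '1'='1")),
        "dump_safe": login_safe(conn, "x", "' OR '1'='1"),
        "legit": login_safe(conn, "alice", "s3cret"),
        "probe": probe(conn, "alice'"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized version returns nothing for the same payloads because the driver never lets the input become part of the statement; the same rule (bind values, never concatenate) applies to every database API, and a WAF rule that flags quotes in URLs is only a compensating control in front of it.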
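The RAID 5 card above (and the later card on its three-disk minimum) gives the answer without showing why it is fault tolerant. The following Python simulation is an added example, not from the page: it stripes constructed data across three simulated disks with a rotating XOR parity chunk, loses one disk, rebuilds it from the survivors, and then shows that a second simultaneous failure cannot be recovered.

```python
CHUNK = 4  # bytes per chunk; kept tiny so the stripes are easy to inspect


def xor_bytes(*chunks):
    """XOR equal-length byte strings. In a stripe, XOR of all chunks but one yields the missing one."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, ndisks=3):
    """Stripe data over ndisks with one parity chunk per stripe, parity rotating across disks."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least 3 disks: 2 data chunks plus 1 parity chunk per stripe")
    per_stripe = CHUNK * (ndisks - 1)
    padded = data + b"\x00" * (-len(data) % per_stripe)
    disks = [[] for _ in range(ndisks)]
    for s in range(len(padded) // per_stripe):
        block = padded[s * per_stripe:(s + 1) * per_stripe]
        chunks = [block[i:i + CHUNK] for i in range(0, per_stripe, CHUNK)]
        parity_disk = s % ndisks           # rotate parity so no single disk is the hot spot
        parity = xor_bytes(*chunks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_read(disks, length):
    """Reassemble the data chunks in stripe order, skipping the parity chunk of each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Recreate the failed disk by XORing the surviving chunks of every stripe."""
    survivors = [d for d in range(len(disks)) if d != failed and disks[d] is not None]
    nstripes = len(disks[survivors[0]])
    return [xor_bytes(*(disks[d][s] for d in survivors)) for s in range(nstripes)]


def demo():
    data = b"RAID 5 tolerates the loss of exactly one disk per array"  # constructed payload

    disks = raid5_write(data)
    lost = disks[1]
    disks[1] = None                        # simulate disk 1 failing
    disks[1] = raid5_rebuild(disks, 1)
    one_ok = disks[1] == lost and raid5_read(disks, len(data)) == data

    disks = raid5_write(data)
    lost = disks[1]
    disks[1] = disks[2] = None             # two disks fail at once: only one survivor per stripe
    two_ok = raid5_rebuild(disks, 1) == lost
    return {"one_failure_recovered": one_ok, "two_failures_recovered": two_ok}


if __name__ == "__main__":
    print(demo())
```

With two disks left out of three, each stripe still has two of its three chunks, so the XOR of the survivors reproduces the third; a second failure leaves one chunk per stripe and nothing to XOR it against, which is why RAID 5 is a single-disk fault tolerance scheme and not a backup.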
In which phase of an attack does the attacker gather information about the target?
Options: Reconnaissance; Exploit the system; Breach the system; Escalating privileges
Answer: Reconnaissance

When you dispose of a computer or sell used hardware, it is crucial that none of the data on the hard disks can be recovered. Which of the following actions can you take to ensure that no data is recoverable?
Options: Damage the hard disks so badly that all data remanence is gone; Encrypt all data on the hard disks; Reformat all the hard disks in the computer; Delete all files from all the hard disks in the computer
Answer: Damage the hard disks so badly that all data remanence is gone

As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints. Which tool would you use?
Options: MAM; SOAR; GDPR; MDM
Answer: SOAR (a platform to compile security data generated by different security endpoints)

Which of the following password attacks uses preconfigured matrices of hashed dictionary words?
Options: Rainbow table attack; Hybrid attack; Dictionary attack; Brute-force attack
Answer: Rainbow table attack

Users in the sales department perform many of their daily tasks, such as emailing and creating sales presentations, on their personal tablets. The chief information officer worries that one of these users might also use their tablet to steal sensitive information from the organization's network. Your job is to implement a solution that prevents insiders from accessing sensitive information stored on the organization's network from their personal devices while still giving them access to the internet. Which of the following should you implement?
Options: A guest wireless network that is isolated from your organization's production network; A mobile device management (MDM) infrastructure; A Network Access Control (NAC) solution; An Acceptable Use Policy (AUP)
Answer: A guest wireless network that is isolated from your organization's production network

What does the netstat -a command show?
Options: All connected hosts; All listening sockets; All listening and non-listening sockets; All network users
Answer: All listening and non-listening sockets

Which of the following is a network virtualization solution provided by Microsoft?
Options: VirtualBox; Hyper-V; VMware; Citrix
Answer: Hyper-V

Change control should be used to oversee and manage changes over which aspect of an organization?
Options: IT hardware and software; Physical environment; Personnel and policies; Every aspect
Answer: Every aspect

If an SMTP server is not properly and securely configured, it can be hijacked and used maliciously as an SMTP relay agent. Which activity could result if this happens?
Options: Salami attack; Spamming; Virus hoax; Data diddling
Answer: Spamming

Which of the following BEST describes zero-trust security?
Options: Only devices that pass authentication are trusted; Only devices that pass authorization are trusted; Only devices that pass both authentication and authorization are trusted; All devices are trusted
Answer: Only devices that pass both authentication and authorization are trusted

Your organization is having a third party come in and perform an audit on the financial records. You want to ensure that the auditor has access to the data they need while keeping the customers' data secure. To accomplish this goal, you plan to implement a mask that replaces the client names and account numbers with fictional data. Which masking method are you implementing?
Options: Dynamic; Encryption; Static; Tokenization
Answer: Dynamic

Which of the following can be classified as a stream cipher?
Options: Blowfish; AES; Twofish; RC4
Answer: RC4

Which security mechanism uses a unique list that meets the following specifications: the list is embedded directly in the object itself; the list defines which subjects have access to certain objects; the list specifies the level or type of access allowed to certain objects?
Options: Conditional access; Hashing; User ACL; Mandatory access control
Answer: User ACL

You are part of a committee that is meeting to define how Network Access Control (NAC) should be implemented in the organization. Which step in the NAC process is this?
Options: Define; Plan; Review; Apply
Answer: Plan

The government and military use the following information classification system: Unclassified, Sensitive But Unclassified, Confidential, Secret, Top Secret. Match each classification to its description.
Confidential: the lowest level of classified information used by the military; release of this information could cause damage to military efforts.
Top Secret: if this information is released, it poses grave consequences to national security.
Unclassified: this information can be accessed by the public and poses no security threat.
Sensitive But Unclassified: if this information is disclosed, it could cause some harm, but not a national disaster.
Secret: if this information is disclosed, it could cause severe and permanent damage to military actions.

Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed that has been recently updated. Where would you go to conduct a root cause analysis?
Options: Security log; Network log; Application log; Firewall log
Answer: Application log

Which of the following is a common social engineering attack?
Options: Using a sniffer to capture network traffic; Distributing false information about an organization's financial status; Distributing hoax virus-information emails; Logging on with stolen credentials
Answer: Distributing hoax virus-information emails

Which of the following is a disadvantage of software defined networking (SDN)?
Options: SDN creates centralized management; SDN standards are still being developed; SDN facilitates communication between hardware from different vendors; SDN gathers network information and statistics
Answer: SDN standards are still being developed

Which of the following sends unsolicited business cards and messages to a Bluetooth device?
Options: Slamming; Bluejacking; Bluebugging; Bluesnarfing
Answer: Bluejacking

You have physically added a wireless access point to your network and installed a wireless networking card in two laptops that run Windows. Neither laptop can find the network. You have come to the conclusion that you must manually configure the access point (AP). Which of the following values uniquely identifies the network AP?
Options: SSID; Channel; WEP; PS
Answer: SSID

You are running a packet sniffer on your workstation so you can identify the types of traffic on your network. You expect to see all the traffic on the network, but the packet sniffer only seems to be capturing frames that are addressed to the network interface on your workstation. Which of the following must you configure in order to see all of the network traffic?
Options: Configure the network interface to use promiscuous mode; Configure the network interface to use port mirroring mode; Configure the network interface to enable logging; Configure the network interface to use protocol analysis mode
Answer: Configure the network interface to use promiscuous mode

Which of the following best describes shoulder surfing?
Options: Guessing someone's password because it is so common or simple; Someone nearby watching you enter your password on your computer and recording it; Giving someone you trust your username and account password; Finding someone's password in the trash can and using it to access their account
Answer: Someone nearby watching you enter your password on your computer and recording it

A type of malware that prevents the system from being used until the victim pays the attacker money is known as what?
Options: Fileless virus; Remote Access Trojan (RAT); Ransomware; Denial-of-service attack (DoS attack)
Answer: Ransomware

Which of the following cloud storage access services acts as a gatekeeper, extending an organization's security policies into the cloud storage infrastructure?
Options: A web service application programming interface; A cloud storage gateway; A cloud-access security broker; A co-located cloud computer service
Answer: A cloud-access security broker

Which of the following are often identified as the three main goals of security? (Select three.)
Options: Assets; Confidentiality; Availability; Policies; Integrity; Employees; Non-repudiation
Answer: Confidentiality, Availability, Integrity

Which of the following lets you make phone calls over a packet-switched network?
Options: VoIP; SCADA; FPGA; RTOS
Answer: VoIP

In which phase of the Microsoft Intune application life cycle would you assign an app to users and/or devices you manage and monitor them on the Azure portal?
Options: Configure; Protect; Deploy; Add
Answer: Deploy

An attacker is attempting to crack a system's password by matching the password hash to a hash in a large table of hashes he or she has. Which type of attack is the attacker using?
Options: Brute force; Rainbow; RIPEMD; Cracking
Answer: Rainbow

Which of the following can make passwords useless on a router?
Options: Using the MD5 hashing algorithm to encrypt the password; Not controlling physical access to the router; Storing the router configuration file in a secure location; Using SSH to remotely connect to a router
Answer: Not controlling physical access to the router (console access allows the password-recovery procedure)

What is the primary security feature that can be designed into a network's infrastructure to protect and support availability?
Options: Redundancy; Switches instead of hubs; Periodic backups; Fiber optic cables
Answer: Redundancy

Which of the following is an example of privilege escalation?
Options: Separation of duties; Privilege creep; Mandatory vacations; Principle of least privilege
Answer: Privilege creep

Which of the following is an example of protocol-based network virtualization?
Options: VFA; VMM; vSwitch; VLAN
Answer: VLAN

Which of the following are characteristics of a circuit-level gateway? (Select two.)
Options: Stateless; Filters based on sessions; Filters IP address and port; Stateful; Filters based on URL
Answer: Stateful; Filters based on sessions

You want to know which protocols are being used on your network. You'd like to monitor network traffic and sort traffic by protocol. Which tool should you use?
Options: Port scanner; Packet sniffer; IPS; Throughput tester; IDS
Answer: Packet sniffer

Which of the following are backed up during an incremental backup?
Options: Only files that have changed since the last full backup; Only files that have changed since the last full or differential backup; Only files that have changed since the last full or incremental backup; Only files that are new since the last full or incremental backup
Answer: Only files that have changed since the last full or incremental backup

Which of the following standards relates to the use of credit cards?
Options: PCI DSS; PoLP; Financial audit; SOX
Answer: PCI DSS

A collection of zombie computers have been set up to collect personal information. Which type of malware do the zombie computers represent?
Options: Trojan horse; Logic bomb; Spyware; Botnet
Answer: Botnet

What is the most important element related to evidence in addition to the evidence itself?
Options: Photographs of the crime scene; Chain of custody document; Completeness; Witness testimony
Answer: Chain of custody document

Which of the following tools allows the user to set security rules for an instance of an application that interacts with one organization and different security rules for an instance of the application when interacting with another organization?
Options: Integration; Replication; Instance awareness; Encryption
Answer: Instance awareness

Which of the following describes a configuration baseline?
Options: A collection of security settings that can be automatically applied to a device; A list of common security settings that a group or all devices share; The minimum services required for a server to function; A set of performance statistics that identifies normal operating performance
Answer: A list of common security settings that a group or all devices share

You are using a password attack that tests every possible keystroke for each single key in a password until the correct one is found. Which of the following technical password attacks are you using?
Options: Password sniffing; Pass-the-hash attack; Brute force attack; Keylogger
Answer: Brute force attack

You have been asked to implement a RAID 5 solution for your network. What is the minimum number of hard disks that can be used to configure RAID 5?
Options: 2; 3; 4; 5; 6
Answer: 3

What is the name of the service included with the Windows Server operating system that manages a centralized database containing user account and security information?
Answer: ...

You want to protect data on hard drives for users with laptops. You want the drive to be encrypted, and you want to prevent the laptops from booting unless a special USB drive is inserted. In addition, the system should not boot if a change is detected in any of the boot files. What should you do?
Options: Have each user encrypt user files with EFS; Implement BitLocker without a TPM; Have each user encrypt the entire volume with EFS; Implement BitLocker with a TPM
Answer: Implement BitLocker with a TPM. A USB startup key can be required in either mode, but detecting changes to the boot files depends on the TPM measuring the boot components and refusing to release the volume key when they differ; without a TPM, BitLocker has no way to validate boot integrity.
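Three cards in this set circle the same mechanism: the salting card (three users with the password P@55w0rD and three different digests in /etc/passwd), the rainbow table cards (a precomputed table of hashed dictionary words, matched against a stolen hash) and the brute force card. The Python script below is an added example, not from the page, with a constructed four-word guess list: it builds the attacker's precomputed table, cracks the unsalted digests in one lookup, then shows that per-user salts make the same password hash to different values that the table cannot match, so the attacker is pushed back to hashing every guess against every user's salt. SHA-256 is used throughout for an apples-to-apples comparison (the card's digests are 40 hex characters, SHA-1 sized; the mechanism is identical).

```python
import hashlib
import hmac
import os

# Constructed guess list for the example; a real precomputed table covers millions of words.
WORDLIST = ["password", "P@55w0rD", "letmein", "hunter2"]


def unsalted_hash(password):
    """Plain SHA-256 of the password: the same input gives the same digest on every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words):
    """The attacker's table, computed once and reused against any unsalted dump."""
    return {unsalted_hash(w): w for w in words}


def lookup(digest, table):
    """One dictionary lookup per stolen hash."""
    return table.get(digest)


def salted_hash(password, salt=None):
    """Per-user random salt prepended to the password; stored as salt_hex$digest so verify() can recompute."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify(password, stored):
    salt_hex, digest = stored.split("$")
    calc = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(calc, digest)   # constant-time comparison


def crack_salted(stored, words):
    """No precomputation helps: every guess must be hashed with this user's salt, one user at a time."""
    for n, word in enumerate(words, 1):
        if verify(word, stored):
            return word, n
    return None, len(words)


def demo():
    table = precomputed_table(WORDLIST)
    users = ["alice", "bob", "chris"]            # all three set the same password
    unsalted = {u: unsalted_hash("P@55w0rD") for u in users}
    salted = {u: salted_hash("P@55w0rD") for u in users}
    return {
        "unsalted_identical": len(set(unsalted.values())) == 1,
        "unsalted_cracked": lookup(unsalted["alice"], table),
        "salted_distinct": len(set(salted.values())) == len(users),
        "salted_in_table": any(lookup(v.split("$")[1], table) for v in salted.values()),
        "verify_ok": verify("P@55w0rD", salted["alice"]),
        "verify_wrong": verify("password", salted["alice"]),
        "crack_salted": crack_salted(salted["bob"], WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored in the clear next to the digest; its job is not secrecy but uniqueness, which is what denies the attacker the one-table-for-everyone shortcut. crack_salted still succeeds after two guesses because the password is in the list, which is the point of the key stretching option on the same card: a production scheme (PBKDF2, bcrypt, scrypt or Argon2) adds a work factor so each of those per-user guesses costs far more than one SHA-256.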
What is the primary function of the IKE Protocol used with IPsec?
Options: Create a security association between communicating partners; Encrypt packet contents; Ensure dynamic key rotation and select initialization vectors (IVs); Provide both authentication and encryption; Provide authentication services
Answer: Create a security association between communicating partners

Which of the following functions are performed by proxies? (Select two.)
Options: Cache web pages; Give users the ability to participate in real-time, text-based internet discussions; Filter unwanted emails; Block employees from accessing certain websites; Store client files
Answer: Cache web pages; Block employees from accessing certain websites

Which type of firewall protects against packets coming from certain IP addresses?
Options: Application layer; Packet-filtering; Stateful; Circuit-level
Answer: Packet-filtering

Which of the following is considered a major problem with instant messaging applications?
Options: Loss of productivity; Transfer of text and files; Real-time communication; Freely available for use
Answer: Loss of productivity

You need to check network connectivity from your computer to a remote computer. Which of the following tools would be the BEST option to use?
Options: nmap; ping; route; tracert
Answer: ping

Which of the following is a privilege or action that can be taken on a system?
Options: User rights; SACL; Permissions; DACL
Answer: User rights

You are adding switches to your network to support additional VLANs. Unfortunately, the new switches are from a different vendor than the current switches. Which standard do you need to ensure that the switches are supported?
Options: 802.11; 802.1Q; 802.1x; 802.3
Answer: 802.1Q

In your role as a security analyst, you ran a vulnerability scan, and several vulnerabilities were reported. Upon further inspection, none of the vulnerabilities actually existed. Which type of result is this?
Options: False negative; True positive; True negative; False positive
Answer: False positive
Terms in this set (39)

During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will BEST assist the analyst?
A. A vulnerability scanner  B. A NGFW  C. The Windows Event Viewer  D. A SIEM
Answer: D. A SIEM

A network engineer at a company with a web server is building a new web environment with the following requirements: only one web server at a time can service requests; if the primary web server fails, a failover needs to occur to ensure the secondary web server becomes the primary. Which of the following load-balancing options BEST fits the requirements?
A. Cookie-based  B. Active-passive  C. Persistence  D. Round robin
Answer: B. Active-passive

During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations. Which of the following data sources would be BEST to use to assess the accounts impacted by this attack?
A. User behavior analytics  B. Dump files  C. Bandwidth monitors  D. Protocol analyzer output
Answer: A. User behavior analytics

A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?
A. The Diamond Model of Intrusion Analysis  B. CIS Critical Security Controls  C. NIST Risk Management Framework  D. ISO 27002
Answer: C. NIST Risk Management Framework (categorize, select, implement, assess, authorize are the RMF steps in that order)

A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web application using a third-party library. The development staff state there are still customers using the application even though it is end of life and it would be a substantial burden to update the application for compatibility with more secure libraries. Which of the following would be the MOST prudent course of action?
A. Accept the risk if there is a clear road map for timely decommission  B. Deny the risk due to the end-of-life status of the application.  C. Use containerization to segment the application from other applications to eliminate the risk  D. Outsource the application to a third-party developer group
Answer: A. Accept the risk if there is a clear road map for timely decommission. Containerization isolates the application from its neighbours but does not remove the vulnerable library, so it cannot eliminate the risk.

A penetration tester successfully gained access to a company's network. The investigating analyst determines malicious traffic connected through the WAP despite filtering rules being in place. Logging in to the connected switch, the analyst sees the following in the ARP table:
Which of the following did the penetration tester MOST likely use?
A. ARP poisoning  B. MAC cloning  C. Man in the middle  D. Evil twin
Answer: C. Man in the middle

An organization wants seamless authentication to its applications. Which of the following should the organization employ to meet this requirement?
A. SOAP  B. SAML  C. SSO  D. Kerberos
Answer: C. SSO

A systems administrator is considering different backup solutions for the IT infrastructure. The company is looking for a solution that offers the fastest recovery time while also saving the most amount of storage used to maintain the backups. Which of the following recovery solutions would be the BEST option to meet these requirements?
A. Snapshot  B. Differential  C. Full  D. Tape
Answer: B. Differential

A company was compromised, and a security analyst discovered the attacker was able to get access to a service account. The following logs were discovered during the investigation:
Which of the following MOST likely would have prevented the attacker from learning the service account name?
Answer: B
A. Race condition testing B. Proper error handling C. Forward web server logs to a SIEM D. Input sanitization A As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous incident is happening again. Which of the following would allow the security analyst to alert the SOC if an event is reoccurring? A. Creating a playbook within the SOAR B. Implementing rules in the NGFW C. Updating the DLP hash database D. Publishing a new CRL with revoked certificates A A company reduced the area utilized in its datacenter by creating virtual networking through automation and by creating provisioning routes and rules through scripting. Which of the following does this example describe? A. laC B. MSSP C. Containers D. SaaS B A system that requires an operation availability of 99.99% and has an annual maintenance window available to patching and fixes will require the HIGHEST: A. MTBF B. MTTR C. RPO D. RTO D Which of the following must be in place before implementing a BCP? A. SLA B. AUP C. NDA D. BIA A Which of the following authentication methods sends out a unique password to be used within a specific number of seconds? A. TOTP B. Biometrics C. Kerberos D. LDAP B A security analyst is responding to an alert from the SIEM. The alert states that malware was discovered on a host and was not automatically deleted. Which of the following would be BEST for the analyst to perform? A. Add a deny-all rule to that host in the network ACL B. Implement a network-wide scan for other instances of the malware. C. Quarantine the host from other parts of the network D. Revoke the client's network access certificates D A penetration tester was able to compromise an internal server and is now trying to pivot the current session in a network lateral movement. Which of the following tools, if available on the server, will provide the MOST useful information for the next assessment step? A. Autopsy B. Cuckoo C. Memdump D. 
Nmap D A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources. Which of the following risks would this training help to prevent? A. Hoaxes B. SPIMs C. Identity fraud D. Credential harvesting C A software company is analyzing a process that detects software vulnerabilities at the earliest stage possible. The goal is to scan the source looking for unsecure practices and weaknesses before the application is deployed in a runtime environment. Which of the following would BEST assist the company with this objective? A. Use fuzzing testing B. Use a web vulnerability scanner C. Use static code analysis D. Use a penetration-testing OS C Hackers recently attacked a company's network and obtained several unfavorable pictures from the Chief Executive Officer's workstation. The hackers are threatening to send the images to the press if a ransom is not paid. Which of the following is impacted the MOST? A. Identify theft B. Data loss C. Data exfiltration D. Reputation C A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert? A. True positive B. True negative C. False positive D. False negative B An information security policy stales that separation of duties is required for all highly sensitive database changes that involve customers' financial dat a. Which of the following will this be BEST to prevent? A. Least privilege B. An insider threat C. A data breach D. 
A change control violation D Which of the following provides a catalog of security and privacy controls related to the United States federal information systems? A. GDPR B. PCI DSS C. ISO 27000 D. NIST 800-53 C A security analyst wants to fingerprint a web server. Which of the following tools will the security analyst MOST likely use to accomplish this task? A. nmap -p1-65535 192.168.0.10 B. dig 192.168.0.10 C. curl --head http://192.168.0.10 D. ping 192.168.0.10 B A security engineer needs to build a solution to satisfy regulatory requirements that state certain critical servers must be accessed using MFA. However, the critical servers are older and are unable to support the addition of MFA. Which of the following will the engineer MOST likely use to achieve this objective? A. A forward proxy B. A stateful firewall C. A jump server D. A port tap D Administrators have allowed employee to access their company email from personal computers. However, the administrators are concerned that these computes are another attach surface and can result in user accounts being breached by foreign actors. Which of the following actions would provide the MOST secure solution? A. Enable an option in the administration center so accounts can be locked if they are accessed from different geographical areas B. Implement a 16-character minimum length and 30-day expiration password policy C. Set up a global mail rule to disallow the forwarding of any company email to email addresses outside the organization D. Enforce a policy that allows employees to be able to access their email only while they are connected to the internet via VPN A DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuation in a costeffective way. Which of the following options BEST fulfils the architect’s requirements? A. An orchestration solution that can adjust scalability of cloud assets B. 
Use of multipath by adding more connections to cloud storage C. Cloud assets replicated on geographically distributed regions D. An on-site backup that is deployed and only used when the load increases D A news article states that a popular web browser deployed on all corporate PCs is vulnerable a zeroday attack. Which of the following MOST concern the Chief Information Security Officer about the information in the new article? A. Insider threats have compromised this network B. Web browsing is not functional for the entire network C. Antivirus signatures are required to be updated immediately D. No patches are available for the web browser C A penetration tester gains access to the network by exploiting a vulnerability on a public-facing web server. Which of the following techniques will the tester most likely perform NEXT? A. Gather more information about the target through passive reconnaissance B. Establish rules of engagement before proceeding C. Create a user account to maintain persistence D. Move laterally throughout the network to search for sensitive information A A security manager runs Nessus scans of the network after every maintenance window. Which of the following is the security manger MOST likely trying to accomplish? A. Verifying that system patching has effectively removed knows vulnerabilities B. Identifying assets on the network that may not exist on the network asset inventory C. Validating the hosts do not have vulnerable ports exposed to the internet D. Checking the status of the automated malware analysis that is being performed A Which of the following control types would be BEST to use to identify violations and incidents? A. Detective B. Compensating C. Deterrent D. Corrective E. Recovery F. Preventive B An organization maintains several environments in which patches are developed and tested before deployed to an operation status. 
Which of the following is the environment in which patches will be deployed just prior to being put into an operational status? A. Development B. Test C. Production D. Staging B An organization is concerned about intellectual property theft by employee who leave the organization. Which of the following will be organization MOST likely implement? A. CBT B. NDA C. MOU D. AUP B Which of the following would produce the closet experience of responding to an actual incident response scenario? A. Lessons learned B. Simulation C. Walk-through D. Tabletop A Which biometric error would allow an unauthorized user to access a system? A. False acceptance B. False entrance C. False rejection D. False denial B The chief compliance officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST likely protecting against? A. Preventing any current employees' siblings from working at the bank to prevent nepotism B. Hiring an employee who has been convicted of theft to adhere to industry compliance C. Filtering applicants who have added false information to resumes so they appear better qualified D. Ensuring no new hires have worked at other banks that may be trying to steal customer information C Security analysts are conducting an investigation of an attack that occurred inside the organization’s network. An attacker was able to connect network traffic between workstation throughout the network. The analysts review the following logs: The layer 2 address table has hundred of entries similar to the ones above. Which of the following attacks has MOST likely occurred? A. SQL injection B. DNS spoofing C. MAC flooding D. ARP poisonin C An analyst just discovered an ongoing attack on a host that is on the network. 
The analyst observes the below taking place: The computer performance is slow Ads are appearing from various pop-up windows Operating system files are modified The computer is receiving AV alerts for execution of malicious processes Which of the following steps should the analyst consider FIRST? A. Check to make sure the DLP solution is in the active state B. Patch the host to prevent exploitation C. Put the machine in containment D. Update the AV solution on the host to stop the attack D Which of the following would be MOST effective to contain a rapidly attack that is affecting a large number of organizations? A. Machine learning B. DNS sinkhole C. Blocklist D. Honeypot A The board of doctors at a company contracted with an insurance firm to limit the organization’s liability. Which of the following risk management practices does the BEST describe? A. Transference B. Avoidance C. Mitigation D. Acknowledgement Terms in this set (30) Original An administrator needs to protect user passwords and has been advised to hash the passwords. Which of the following BEST describes what the administrator is being advised to do? Perform a mathematical operation on the passwords that will convert them into unique strings An audit Identified Pll being utilized In the development environment of a critical application. The Chief Privacy Officer (CPO) Is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to BEST satisfy both the CPO's and the development team's requirements? Data anonymization Which of the following are common VoIP-associated vulnerabilities? (Select TWO). 
SPIM and vishing The SOC for a large MSSP is meeting to discuss the lessons learned from a recent incident that took much too long to resolve This type of incident has become more common in recent weeks and is consuming large amounts of the analysts' time due to manual tasks being performed Which of the following solutions should the SOC consider to BEST improve its response time? Implement a SOAR with customizable playbooks During a security incident investigation, an analyst consults the company's SIEM and sees an event concerning high traffic to a known, malicious command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue. Which of the following can provide the information? DNS logs After reluming from a conference, a user's laptop has been operating slower than normal and overheating and the fans have been running constantly During the diagnosis process, an unknown piece of hardware is found connected to the laptop's motherboard Which of the following attack vectors was exploited to install the hardware? Direct access A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content. Which of the following is the BEST way for the company to mitigate this attack? Generate a list of domains similar to the company's own and implement a DNS sinkhole for each. Which of the following terms describes a broad range of information that is sensitive to a specific organization? Proprietary A company wants to improve end users experiences when they tog in to a trusted partner website The company does not want the users to be issued separate credentials for the partner website Which of the following should be implemented to allow users to authenticate using their own credentials to log in to the trusted partner's website? Federation A new company wants to avoid channel interference when building a WLAN. 
The company needs to know the radio frequency behavior, identify dead zones, and determine the best place for access points. Which of the following should be done FIRST? Configure heat maps. Which of the following is the GREATEST security concern when outsourcing code development to third-party contractors for an internet-facing application? Unknown backdoor A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which of the following technologies meets the requirement? MFA After gaining access to a dual-homed (i.e.. wired and wireless) multifunction device by exploiting a vulnerability in the device's firmware, a penetration tester then gains shell access on another networked asset This technique is an example of: privilege escalation Field workers in an organization are issued mobile phones on a daily basis All the work is performed within one city and the mobile phones are not used for any purpose other than work The organization does not want these phones used for personal purposes. The organization would like to issue the phones to workers as permanent devices so the pnones do not need to be reissued every day. Given the conditions described, which of the following technologies would BEST meet these requirements' Mobile device management An organization has developed an application that needs a patch to fix a critical vulnerability In which of the following environments should the patch be deployed LAST? Production A technician enables full disk encryption on a laptop that will be taken on a business tnp. Which of the following does this process BEST protect? Data at rest During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which of the following BEST explains this reasoning? The forensic investigator forgot to run a checksum on the disk image after creation A company wants to restrict emailing of PHI documents. 
The company is implementing a DLP solution In order to restrict PHI documents which of the following should be performed FIRST? Classification A security incident has been resolved Which of the following BEST describes the importance of the final phase of the incident response plan? AAR/Lessons learnt will improve the plan for the next incident A company labeled some documents with the public sensitivity classification This means the documents can be accessed by: employees of other companies and the press An organization is migrating several SaaS applications that support SSO. The security manager wants to ensure the migration is completed securely. Which of the following should the organization consider before implementation? (Select TWO). The identity federation protocol and The encryption method Server administrators want to configure a cloud solution so that computing memory and processor usage is maximized most efficiently across a number or virtual servers. They also need to avoid potential denial-of-service situations caused by availability. Which of the following should administrators configure to maximize system availability while efficiently utilizing available computing power? Dynamic resource allocation A security analyst has identified malware spreading through the corporate network and has activated the CSIRT Which of the following should the analyst do NEXT? Attempt to quarantine all infected hosts to limit further spread While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor? 
Utilizing SIEM correlation engines A help desk technician receives a phone call from someone claiming to be a part of the organization's cybersecurity modem response team The caller asks the technician to verify the network's internal firewall IP address Which of the following is the technician's BEST course of action? Write down the phone number of the caller if possible, the name of the person requesting the information hang up. and notify the organization's cybersecurity officer A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the following commands could an analyst run to find requested servers? nmap -p 80 10.10.10.0/24 A cloud service provider has created an environment where customers can connect existing local networks to the cloud for additional computing resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used? Hybrid A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials? MFA Which of the following describes the exploitation of an interactive process to gain access to restricted areas? Privilege escalation The Chief Information Secunty Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the following incident response processes is the CISO requesting? 
Lessons learned Terms in this set (11) Original which of the following will most likely adversely impact the operations of unpatched trad programmable logic controllers running a back end LAMP server and OT systems with human management interfaces that are accessible over the internet via web interface weak encryption and server-side request forgery a company recently transitioned to a strictly BYOD culture due to the cost of replacing lost or damaged corporate-owned device. Which of the following technologies would be best to balance the BYOD culture while also protecting the company's data full disk encryption A chief security office's key priorities are to improve preparation and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would best meet the CSO's objectives Implement application whitelisting and centralized event-log management and perform regular testing and validation of full backups A network engineer has been asked to investigate why several wireless barcode scanners and wireless computers in a warehouse have intermittent connectivity to the shipping server. the barcode scanners and computers are all on forklift trucks and move around the warehouse during their use. which of the following should the engineer do to determine the issue perform a site survey and create a heat map a security admin suspects an employee has been emailing proprietary information to the competitor. company policy requires the admin to capture an exact copy of the employee's hard disk. which of the following should the admin use DD Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors? GDPR Phishing and spear phishing attacks have been occurring more frequently against a company's staff. 
which of the following would most likely help mitigate this issue exact mail exchanger records in the DNS which of the following is the live acquisition of data for forensic analysis most dependent Value and volatility of data right to audit clauses Which of the following incident response steps involves actions to protect critical systems while maintaining business operations Containment A security auditor is reviewing vulnerability scan data provided by an internal security team. which of the following indicates that valid credentials were used? The scan enumerated software version of installed programs which of the following Best explains the difference between a data owner and a data custodian? The data owner is responsible for determining how the data may be used while the data custodian is responsible for implementing the protection to the data