Updated Security plus

1.) A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on
binaries prior to transmission over un-trusted media. Which of the following BEST describes the action
performed by this type of application?
A. Hashing
B. Key exchange
C. Encryption
D. Obfuscation
2.) A company wants to ensure confidential data storage media is sanitized in such a way that the drive
cannot be reused. Which of the following methods should the technician use?
A. Shredding
B. Wiping
C. Low-level formatting
D. Repartitioning
E. Overwriting
3.) A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is
looking for information about software versions on the network. Which of the following techniques is
the intruder using?
A. Banner grabbing
B. Port scanning
C. Packet sniffing
D. Virus scanning
4.) Which of the following specifically describes the exploitation of an interactive process to access
otherwise restricted areas of the OS?
A. Privilege escalation
B. Pivoting
C. Process affinity
D. Buffer overflow
5.) When developing an application, executing a preconfigured set of instructions is known as:
A. A code library
B. Code signing
C. A stored procedure
D. Infrastructure as a code
6.) A network administrator needs to allocate a new network for the R&D group. The network must not be
accessible from the internet, regardless of the network firewall or other external misconfigurations.
Which of the following settings should the network administrator implement to accomplish this?
A. Configure the OS default TTL to 1
B. Use NAT on the R&D network
C. Implement a router ACL
D. Enable protected ports on the switch
7.) An application was recently compromised after some malformed data came in via a web form. Which of
the following would MOST likely have prevented this?
A. Input validation
B. Proxy server
C. Stress testing
D. Encoding
8.) When attackers use a compromised host as a platform for launching attacks deeper into a company’s
network, it is said that they are:
A. Escalating privilege
B. Becoming persistent
C. Fingerprinting
D. Pivoting
9.) A new Chief Information Officer has been reviewing the badging procedures and decides to write a
policy that all employees must have their badges rekeyed at least annually. Which of the following
controls BEST describes this policy?
A. Physical
B. Corrective
C. Technical
D. Administrative
10.) Which of the following refers to the term used to restore a system to its operational state?
A. MTBF
B. MTTR
C. RTO
D. RPO
11.) A security manager is creating an account management policy for a global organization with sales
personnel who must access corporate network resources while traveling all over the world. Which of the
following practices is the security manager MOST likely to enforce with the policy? (Select TWO)
A. Time-of-day restrictions
B. Password complexity
C. Location-based authentication
D. Group-based access control
E. Standard naming convention
12.) Which of the following would provide additional security by adding another factor to a smart card?
A. Token
B. Proximity badge
C. Physical key
D. PIN
13.) A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the
requirement, which of the following should the security analyst do to MINIMIZE the risk?
A. Enable CHAP
B. Disable NTLM
C. Enable Kerberos
D. Disable PAP
14.) A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The
main culprit of CPU utilization is the antivirus program. Which of the following issues could occur if left
unresolved? (Select TWO)
A. MITM attack
B. DoS attack
C. DLL injection
D. Buffer overflow
E. Resource exhaustion
15.) A company has a data classification system with definitions for “Private” and “Public.” The company’s
security policy outlines how data should be protected based on type. The company recently added the
data type “Proprietary.” Which of the following is the MOST likely reason the company added this data
type?
A. Reduced cost
B. More searchable data
C. Better data classification
D. Expanded authority of the privacy officer
16.) A computer emergency response team is called at midnight to investigate a case in which a mail server
was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an
active connection. Which of the following is the NEXT step the team should take?
A. Identify the source of the active connection
B. Perform eradication of the active connection and recover
C. Perform a containment procedure by disconnecting the server
D. Format the server and restore its initial configuration
17.) A security engineer must install the same x.509 certificate on three different servers. The client
application that connects to the server performs a check to ensure the certificate matches the host
name. Which of the following should the security engineer use?
A. Wildcard certificate
B. Extended validation certificate
C. Certificate chaining
D. Certificate utilizing the SAN field
18.) Which of the following BEST describes an important security advantage yielded by implementing vendor
diversity?
A. Sustainability
B. Homogeneity
C. Resiliency
D. Configurability
19.) A security administrator has found a hash in the environment known to belong to malware. The
administrator then finds this file to be in the preupdate area of the OS, which indicates it was pushed
from the central patch system:
The administrator pulls a report from the patch management system with the following output:
Given the above outputs, which of the following MOST likely happened?
A. The file was corrupted after it left the patch system
B. The file was infected when the patch manager downloaded it
C. The file was not approved in the application whitelist system
D. The file was embedded with a logic bomb to evade detection
20.) Which of the following differentiates a collision attack from a rainbow table attack?
A. A rainbow table attack performs a hash lookup
B. A rainbow table attack uses the hash as a password
C. In a collision attack, the hash and the input data are equivalent
D. In a collision attack, the same input results in different hashes
21.) Ransomware is detected on a database administrator's workstation. Which of the following forensic
procedures should be performed FIRST to mitigate the threat?
A. Capture volatile memory
B. Create a system image
C. Isolate the workstation
D. Review network traffic logs
22.) Ann, a new security specialist, is attempting to access the internet using the company’s open wireless
network. The wireless network is not encrypted; however, once associated, Ann cannot access the
internet or other resources. In an attempt to troubleshoot, she scans the wireless network with NMAP
and discovers the firewall is the only other device on the wireless network. Which of the following BEST
describes the company’s wireless network situation?
A. The company uses VPN to authenticate and encrypt connections and traffic
B. The company’s WAP is being spoofed
C. The company allows unencrypted traffic to the internet
D. The company is using a wireless connection for internet traffic, so it does not need additional
encryption
23.) RJ-45 ports have been implemented on an embedded system to allow engineers more convenient
access. The network administrator has concerns regarding placing the equipment on the internal
network and exposing the devices. Which of the following would BEST meet both concerns if the
equipment is placed on the internal network?
A. Install the latest OS patches, and implement an antivirus solution on the equipment
B. Create a separate network segment for the equipment that only the engineers can access
C. Configure the switch that the proprietary system equipment is on to block all incoming traffic
D. Install a host-based prevention system on every piece of equipment to filter unknown traffic
24.) Which of the following threats is BEST mitigated by application hardening and patching rather than
security training?
A. Vishing
B. Shoulder surfing
C. Spimming
D. Software exploits
25.) A security administrator generates a key pair and sends one key inside a request file to a third party. The
third party sends back a signed file. In this scenario, the key sent to the third party is called a:
A. Private key
B. Session key
C. Public key
D. Recovery key
26.) An attacker drives past a company, captures the name of the WiFi network and locates a coffee shop
near the company. The attacker creates a mobile hotspot with the same name as the company’s WiFi.
Which of the following BEST describes this wireless attack?
A. War driving
B. Rogue access point
C. Near field communication
D. Evil twin
27.) A developer needs to store sensitive employee information on a backend database. The sensitive
database records must be accessed by a public web server in the DMZ. Which of the following should be
implemented to secure the sensitive information stored in the database?
A. Store the sensitive records using symmetric encryption
B. Implement an ACL that prevents the web server from accessing the sensitive records
C. Hash the sensitive records before storing them in the database
D. Store the sensitive records using irreversible encryption
28.) To protect the confidentiality of a VPN session key, the administrator copies the key to a USB drive and
ships it overnight to a remote location. This type of key exchange is BEST described as:
A. Insecure
B. Out-of-band
C. Transport encryption
D. In-band
29.) A company is experiencing problems with performance and downtime because application updates and
patching are being conducted on production systems during business hours. Users and other IT staff are
not being notified of the updates. Which of the following should be instituted to BEST resolve the
problems?
A. Incident management
B. Change management
C. User right review
D. Acceptable use policy
30.) A Linux server using TCP wrappers is utilized in a SCADA environment. Which of the following entries
should be placed in the hosts.allow file to allow access on port 22 for a client at 192.168.14.127?
A. sshd: 192.168.14.127
B. in.ssh 192.168.14.127
C. in.sftp 192.168.14.127
D. in.telnet 192.168.14.127
31.) A service desk manager is developing an SLA to be used with a new customer. As part of the SLA, various
metrics regarding uptime, responsiveness, and remediation are being identified. Given the manager’s
unfamiliarity with the products being supported, which of the following metrics would be MOST
important to solicit from the customer to determine how much downtime should be expected?
A. MTBF, MTTF
B. ALE, SLE
C. ARO, MTTR, MTBF
D. ARO, ALE, MTTF
32.) Members of a production team have been using the username and password of Ann, an employee, to
log into their workstations because Ann has elevated privileges. The administrator wants to prevent
unauthorized users from logging in with false credentials, while still allowing Ann to continue to utilize
her provided equipment. Which of the following should the administrator configure to achieve this?
A. Concurrent login
B. Password complexity
C. Account lockout
D. Authorized workstations
33.) A company needs to adopt a single tenant CSP due to strict regulatory compliance issues. The company
wants the CSP to be available at all times and accessible from anywhere over the internet. Which of the
following solutions should the company adopt?
A. Private cloud
B. Hybrid cloud
C. Public cloud
D. Community cloud
34.) A security administrator spots the following log entry fragment on a web server:
GET /home.aspx?id=<script>alert(document.cookie) </script>
Which of the following types of attacks was attempted?
A. Cross-site request forgery
B. Session enumeration
C. Cross-site scripting
D. Buffer overflow
35.) A systems administrator wants to install a new PKI certificate on a web server. The administrator creates
a CSR. Which of the following should the administrator send to the CA to issue a trusted certificate?
A. The web server’s public key
B. The web server’s private key
C. The web server’s private/public key pair
D. The web server’s CA public key
36.) A malicious user attempts to access a company’s wireless network from the parking lot. Upon launching
the wireless scanner, the malicious user activates the SSID decloak feature and views many other SSIDs.
However, the company’s SSID does not appear as an available network in the tool. Which of the
following is preventing the malicious user from scanning the company’s wireless network?
A. Authentication via a captive portal
B. Low-power directional antennas
C. Disable SSID broadcast on each access point
D. MAC filtering on every wireless device
37.) A new security policy being implemented requires all email within the organization be digitally signed by
the author using PGP. Which of the following would need to be created for each user?
A. A certificate authority
B. A key escrow
C. A trusted key
D. A public and private key
38.) While responding to an incident on a Linux server, the administrator needs to disable unused services.
Which of the following commands can be used to see processes that are listening on a TCP port?
A. lsof
B. tcpdump
C. top
D. ifconfig
39.) An administrator wants to ensure that the reclaimed space of a hard drive has been sanitized while the
computer is in use. Which of the following can be implemented?
A. Cluster tip wiping
B. Individual file encryption
C. Full disk encryption
D. Storage retention
40.) Which of the following access controls enforces permissions based on data labeling at specific levels?
A. Mandatory access control
B. Separation of duties access control
C. Discretionary access control
D. Role based access control
41.) A security technician would like an application to use random salts to generate short-lived encryption
keys during the secure communication handshake process to increase communication security. Which of
the following concepts would BEST meet this goal?
A. Ephemeral keys
B. Symmetric Encryption Keys
C. AES Encryption keys
D. Key Escrow
42.) Joe, an employee, was escorted from the company premises due to suspicion of revealing trade secrets
to a competitor. Joe had already been working for two hours before leaving the premises.
A security technician was asked to prepare a report of files that had changed since last night's integrity
scan.
Which of the following could the technician use to prepare the report? (Select TWO).
A. PGP
B. MD5
C. ECC
D. AES
E. Blowfish
F. HMAC
43.) A breach at a credit card company resulted in customers' credit card information being exposed. The
company has conducted a full forensic investigation and identified the source of the breach. Which of
the following should the company do NEXT?
A. Move to the incident identification phase
B. Implement the risk assessment plan
C. Implement damage and loss control procedures
D. Implement first responder processes
44.) A security administrator discovered that all communication over the company's encrypted wireless
network is being captured by savvy employees with a wireless sniffing tool and is then being decrypted
in an attempt to steal other employees' credentials. Which of the following technologies is MOST likely in
use on the company's wireless?
A. WPA with TKIP
B. VPN over open wireless
C. WEP 128-PSK
D. WPA2-Enterprise
45.) An administrator is implementing a new management system for the machinery on the company's
production line. One requirement is that the system only be accessible while within the production
facility. Which of the following will be the MOST effective solution in limiting access based on this
requirement?
A. Access control list
B. Firewall policy
C. Air Gap
D. MAC filter
46.) Which of the following is a security concern regarding users bringing personally-owned devices that they
connect to the corporate network?
A. Cross-platform compatibility issues between personal devices and server-based applications
B. Lack of controls in place to ensure that the devices have the latest system patches and signature files
C. Non-corporate devices are more difficult to locate when a user is terminated
D. Non-purchased or leased equipment may cause failure during the audits of company-owned assets
47.) Which of the following offerings typically allows the customer to apply operating system patches?
A. Software as a service
B. Public Clouds
C. Cloud Based Storage
D. Infrastructure as a service
48.) A thief has stolen a mobile device and removed its battery to circumvent GPS location tracking. The device
uses a four-digit PIN. Which of the following is a mobile device security control that ensures the
confidentiality of company data?
A. Remote wiping
B. Mobile Access control
C. Full device encryption
D. Inventory control
49.) The security administrator is analyzing a user's history file on a Unix server to determine if the user was
attempting to break out of a rootjail. Which of the following lines in the user's history log shows
evidence that the user attempted to escape the rootjail?
A. cd ../../../../bin/bash
B. whoami
C. ls/root
D. sudo -u root
50.) Due to issues with building keys being duplicated and distributed, a security administrator wishes to
change to a different security control regarding a restricted area. The goal is to provide access based
upon facial recognition. Which of the following will address this requirement?
A. Set up mantraps to avoid tailgating of approved users.
B. Place a guard at the entrance to approve access.
C. Install a fingerprint scanner at the entrance.
D. Implement proximity readers to scan users' badges.
51.) Anne, an employee, receives the following email:
From: Human Resources
To: Employee
Subject: Updated employee code of conduct
Please click on the following link: http//external.site.com/codeofconduct.exe to review the updated
code of conduct at your earliest convenience.
After clicking the email link, her computer is compromised. Which of the following principles of social
engineering was used to lure Anne into clicking the phishing link in the above email?
A. Authority
B. Familiarity
C. Intimidation
D. Urgency
52.) Which of the following is an XML based open standard used in the exchange of authentication and
authorization information between different parties?
A. LDAP
B. SAML
C. TACACS+
D. Kerberos
53.) A security administrator must implement a network that is immune to ARP spoofing attacks. Which of
the following should be implemented to ensure that a malicious insider will not be able to successfully
use ARP spoofing techniques?
A. UDP
B. IPv6
C. IPSec
D. VPN
54.) Although a vulnerability scan report shows no vulnerabilities have been discovered, a subsequent
penetration test reveals vulnerabilities on the network. Which of the following has been reported by the
vulnerability scan?
A. Passive scan
B. Active scan
C. False positive
D. False negative
55.) A company used a partner company to develop critical components of an application. Several
employees of the partner company have been arrested for cybercrime activities. Which of the following
should be done to protect the interest of the company?
A. Perform a penetration test against the application
B. Conduct a source code review of the application
C. Perform a baseline review of the application
D. Scan the application with antivirus and anti-spyware products.
56.) A recently installed application update caused a vital application to crash during the middle of the
workday. The application remained down until a previous version could be reinstalled on the server, and
this resulted in a significant loss of data and revenue.
Which of the following could BEST prevent this issue from occurring again?
A. Application configuration baselines
B. Application hardening
C. Application access controls
D. Application patch management
57.) A systems administrator has implemented PKI on a classified government network. In the event that a
disconnect occurs from the primary CA, which of the following should be accessible locally from every
site to ensure users with bad certificates cannot gain access to the network?
A. A CRL
B. Make the RA available
C. A verification authority
D. A redundant CA
58.) The loss prevention department has purchased a new application that allows the employees to monitor
the alarm systems at remote locations. However, the application fails to connect to the vendor's server
and the users are unable to log in. Which of the following are the MOST likely causes of this issue?
(Select TWO).
A. URL filtering
B. Role-based access controls
C. MAC filtering
D. Port Security
E. Firewall rules
59.) Which of the following steps in incident response procedures entails of the incident and identification of
knowledge gained that can be applied to future handling of incidents?
A. Recovery procedures
B. Escalation and notification
C. Reporting
D. Lessons learned
60.) Which of the following protocols operates at the HIGHEST level of the OSI model?
A. ICMP
B. IPSec
C. SCP
D. TCP
61.) An administrator implements SELinux on a production web server. After implementing this, the web
server no longer serves up files from users’ home directories. To rectify this, the administrator creates a
new policy as the root user. This is an example of which of the following? (Select Two).
A. Enforcing SELinux in the OS kernel is role-based access control
B. Enforcing SELinux in the OS kernel is rule-based access control
C. The policy added by the root user is mandatory access control
D. Enforcing SELinux in the OS kernel is mandatory access control
E. The policy added by the root user is role-based access control
F. The policy added by the root user is rule-based access control
62.) Which of the following documents outlines the technical and security requirements of an agreement
between organizations?
A. BPA
B. RFQ
C. ISA
D. RFC
63.) Which of the following is a penetration testing method?
A. Searching the WHOIS database for administrator contact information
B. Running a port scanner against the target’s network
C. War driving from a target’s parking lot to footprint the wireless network
D. Calling the target’s helpdesk, requesting a password reset
64.) Which of the following types of technologies is used by security and research personnel for
identification and analysis of new security threats in a networked environment by using false data/hosts
for information collection?
A. Honeynet
B. Vulnerability scanner
C. Port scanner
D. Protocol analyzer
65.) When confidentiality is the primary concern, and a secure channel for key exchange is not available,
which of the following should be used for transmitting company documents?
A. Digital signature
B. Symmetric
C. Asymmetric
D. Hashing
66.) A new web server has been provisioned at a third party hosting provider for processing credit card
transactions. The security administrator runs the netstat command on the server and notices that ports
80, 443 and 3389 are in listening state. No other ports are open. Which of the following services should
be disabled to ensure secure communications?
A. HTTPS
B. HTTP
C. RDP
D. TELNET
67.) A security administrator must implement a network that is immune to ARP spoofing attacks. Which of
the following should be implemented to ensure that a malicious insider will not be able to successfully
use ARP spoofing techniques?
A. UDP
B. IPv6
C. IPSec
D. VPN
68.) After working on his doctoral dissertation for two years, Joe, a user, is unable to open his dissertation
file. The screen shows a warning that the dissertation file is corrupted because it is infected with a
backdoor, and can only be recovered by upgrading the antivirus software from the free version to the
commercial version. Which of the following types of malware is the laptop MOST likely infected with?
A. Ransomware
B. Trojan
C. Backdoor
D. Armored virus
69.) The loss prevention department has purchased a new application that allows the employees to monitor
the alarm systems at remote locations. However, the application fails to connect to the vendor's server
and the users are unable to log in. Which of the following are the MOST likely causes of this issue?
A. URL filtering
B. Role-based access controls
C. MAC filtering
D. Port security
E. Firewall Rules
70.) Joe must send Ann a message and provide Ann with assurance that he was the actual sender. Which of
the following will Joe need to use to BEST accomplish the objective?
A. A pre-shared key private key
B. His private key
C. Ann’s public key
D. His public key
71.) Which of the following protocols is MOST likely to be leveraged by users who need additional
information about another user?
A. LDAP
B. RADIUS
C. Kerberos
D. TACACS+
72.) A retail store uses a wireless network for its employees to access inventory from anywhere in the store.
Due to concerns regarding the aging wireless network, the store manager has brought in a consultant to
harden the network. During the site survey, the consultant discovers that the network was using WEP
encryption. Which of the following would be the BEST course of action for the consultant to
recommend?
A. Replace the unidirectional antenna at the front of the store with an omni-directional antenna.
B. Change the encryption used so that the encryption protocol is CCMP-based.
C. Disable the network's SSID and configure the router to only access store devices based on MAC
addresses.
D. Increase the access point's encryption from WEP to WPA TKIP.
73.) A security team has established a security awareness program. Which of the following would BEST prove
the success of the program?
A. Policies
B. Procedures
C. Metrics
D. Standards
74.) Which of the following should an administrator implement to research current attack methodologies?
A. Design reviews
B. Honeypot
C. Vulnerability scanner
D. Code reviews
75.) After analyzing and correlating activity from multiple sensors, the security administrator has determined
that a group of very well organized individuals from an enemy country is responsible for various
attempts to breach the company network, through the use of very sophisticated and targeted attacks.
Which of the following is this an example of?
A. Privilege escalation
B. Advanced persistent threat
C. Malicious insider threat
D. Spear phishing
76.) Which of the following types of attacks involves interception of authentication traffic in an attempt to
gain unauthorized access to a wireless network?
A. Near field communication
B. IV attack
C. Evil twin
D. Replay attack
77.) Alice, a security analyst, is reviewing logs from hosts across the Internet which her company uses to
gather data on new malware. Which of the following is being implemented by Alice's company?
A. Vulnerability scanner
B. Honeynet
C. Protocol analyzer
D. Port scanner
78.) A company is looking to improve their security posture by addressing risks uncovered by a recent
penetration test. Which of the following risks is MOST likely to affect the business on a day-to-day basis?
A. Insufficient encryption methods
B. Large scale natural disasters
C. Corporate espionage
D. Lack of antivirus software
79.) Which system should you implement if you want to create a file system access control model where you
can label files as "Secret", "Confidential", "Restricted", or "Unclassified"?
A. SCADA system
B. Trusted OS
C. Version control
D. White and black listing
80.) Bob, an employee, was escorted from the company premises due to suspicion of revealing trade secrets
to a competitor. Bob had already been working for two hours before leaving the premises. A security
technician was asked to prepare a report of files that had changed since last night's integrity scan. Which
of the following could the technician use to prepare the report? (Select TWO).
A. PGP
B. MD5
C. ECC
D. AES
E. Blowfish
F. HMAC
81.) Which is the hardest to crack and requires both parties to exchange the encryption key before
communicating?
A. AES
B. PGP/GPG
C. 3DES
D. One-time pads
82.) Bob needs to send Sally a digitally signed and encrypted email. Which algorithms and keys is used to
complete these actions?
A. Bob's public key to encrypt using SHA, Sally's private key to sign using 3DES
B. Bob's private key to encrypt using 3DES, Sally's public key to sign using SHA
C. Sally's public key to encrypt using 3DES, Bob's private key to sign using SHA
D. Sally's private key to encrypt using SHA, Bob's public key to sign using 3DES
83.) In order to digitally sign your emails with PGP, what needs to be created first?
A. A public and private key
B. A trusted key
C. A key escrow
D. A certificate authority
84.) If you need to look at a former employee’s email for a court case but the emails have been deleted, you
should take a look at your?
A. Key escrow
B. Data retention policies
C. Certificate authority
D. Key recovery agent
85.) Which of the following can be used to ensure that sensitive records stored on a backend server can only
be accessed by a front end server with the appropriate record key?
A. File encryption
B. Storage encryption
C. Database encryption
D. Full disk encryption
86.) In Kerberos, the Ticket Granting Ticket (TGT) is used for which of the following?
A. Identification
B. Authorization
C. Authentication
D. Multifactor authentication
87.) In order to secure additional budget, a security manager wants to quantify the financial impact of a
one-time compromise. Which of the following is MOST important to the security manager?
A. Impact
B. SLE
C. ALE
D. ARO
88.) A security technician is implementing PKI on a Network. The technician wishes to reduce the amount of
bandwidth used when verifying the validity of a certificate. Which of the following should the technician
implement?
A. CSR
B. Key escrow
C. OCSP
D. CRL
89.) An access point has been configured for AES encryption but a client is unable to connect to it. Which of
the following should be configured on the client to fix this issue?
A. WEP
B. CCMP
C. TKIP
D. RC4
90.) A company wants to improve its overall security posture by deploying environmental controls in its
datacenter. Which of the following is considered an environmental control that can be deployed to meet
this goal?
A. Full-disk encryption
B. Proximity readers
C. Hardware locks
D. Fire suppression
91.) Ann, a security administrator, is strengthening the security controls of the company's campus. Her goal
is to prevent people from accessing open locations that are not supervised, such as around the receiving
dock. She is also concerned that employees are using these entry points as a way of bypassing the
security guard at the main entrance. Which of the following should Ann recommend that would BEST
address her concerns?
A. Increase the lighting surrounding every building on campus
B. Build fences around campus with gate entrances
C. Install cameras to monitor the unsupervised areas
D. Construct bollards to prevent vehicle entry in non-supervised areas
92.) A security administrator is responsible for ensuring that there are no unauthorized devices utilizing the
corporate network. During a routine scan, the security administrator discovers an unauthorized device
belonging to a user in the marketing department. The user is using an android phone in order to browse
websites. Which of the following device attributes was used to determine that the device was
unauthorized?
A. An IMEI address
B. A phone number
C. A MAC address
D. An asset ID
93.) A security administrator is notified that users attached to a particular switch are having intermittent
connectivity issues. Upon further research, the administrator finds evidence of an ARP spoofing attack.
Which of the following could be utilized to provide protection from this type of attack?
A. Configure MAC filtering on the switch
B. Configure loop protection on the switch
C. Configure flood guards on the switch
D. Configure 802.1x authentication on the switch
94.) A software security concern when dealing with hardware and devices that have embedded software or
operating systems is:
A. Patching may not always be possible
B. Configuration support may not be available
C. There is no way to verify if a patch is authorized or not
D. The vendor may not have a method for installation of patches
95.) Ann, a technician, received a spear-phishing email asking her to update her personal information by
clicking the link within the body of the email. Which of the following types of training would prevent Ann
and other employees from becoming victims of such attacks?
A. User awareness
B. Acceptable use policy
C. Personal identifiable information
D. Information sharing
96.) Which of the following is a step in deploying a WPA2-Enterprise wireless network?
A. Install a token on the authentication server
B. Install a DHCP server on the authentication server
C. Install an encryption key on the authentication server
D. Install a digital certificate on the authentication server
97.) A system administrator needs to implement 802.1x whereby when a user logs into the network the
authentication server communicates with a switch and assigns the user to the proper VLAN. Which of
the following protocols should be used?
A. RADIUS
B. Kerberos
C. LDAP
D. MSCHAP
98.) Which of the following can be provided to an AAA system for the identification phase?
A. Username
B. Permissions
C. One-time token
D. Private certificate
99.) A security administrator is notified that users attached to a particular switch are having intermittent
connectivity issues. Upon further research, the administrator finds evidence of an ARP spoofing attack.
Which of the following could be utilized to provide protection from this type of attack?
A. Configure MAC filtering on the switch
B. Configure loop protection on the switch
C. Configure flood guards on the switch
D. Configure 802.1x authentication on the switch
100.) The Chief Information Security Officer is concerned that users could bring their personal laptops
to work and plug them directly into the network ports under their desks. Which of the following should
be configured on the network switch to prevent this from happening?
A. Access control lists
B. Loop protection
C. Firewall rule
D. Port security
101.) Recently, several employees were victims of a phishing email that appeared to originate from
the company president. The email claimed the employees would be disciplined if they did not click on a
malicious link in the message. Which of the following principles of social engineering made this attack
successful?
A. Authority
B. Spamming
C. Social proof
D. Scarcity
102.) Which of the following would enhance the security of accessing data stored in the cloud? (select two)
A. Block-level encryption
B. SAML authentication
C. Transport encryption
D. Multifactor authentication
E. Predefined challenge questions
F. Hashing
103.) A dumpster diver recovers several hard drives from a company and is able to obtain
confidential data from one of the hard drives. The company then discovers its information is posted
online. Which of the following methods would have MOST likely prevented the data from being
exposed?
A. Removing the hard drive from its enclosure
B. Using software to repeatedly rewrite over the disk space
C. Using blowfish encryption on the hard drives
D. Using magnetic fields to erase the data
104.) Ann, a systems administrator, is installing an extremely critical system that can support zero
downtime. Which of the following BEST describes the type of system Ann is installing?
A. High availability
B. Clustered
C. RAID
D. Load balanced
105.) An administrator has to determine host operating systems on the network and has deployed a
transparent proxy. Which of the following fingerprint types would this solution use?
A. Packet
B. Active
C. Port
D. Passive
106.) An administrator needs to protect against downgrade attacks due to various vulnerabilities in
SSL/TLS. Which of the following actions should be performed? (select Two)
A. Set the minimum protocol supported
B. Request a new certificate from the CA
C. Configure the cipher order
D. Disable flash cookie support
E. Rekey the SSL certificate
F. Add the old certificate to the CRL
107.) Which of the following is a step in deploying a WPA2-Enterprise wireless network?
A. Install a token on the authentication server
B. Install a DHCP server on the authentication server
C. Install an encryption key on the authentication server
D. Install a digital certificate on the authentication server
108.) The security manager must store a copy of a sensitive document and needs to verify at a later
point in time that the document has not been altered. Which of the following will accomplish the
security manager’s objective?
A. RSA
B. AES
C. MD5
D. RC4
109.) An organization currently employs signature-based NIPS and a firewall, though a recent
penetration test demonstrated this existing implementation is insufficient. Which of the following
represents the BEST approach to reduce risk?
A. Deploy technologies that will detect and stop deviations from normal
B. Develop firewall rules that only allow communication to/from unauthorized systems
C. Apply the latest updates for all firewalls and NIPS
D. Deploy a SIEM with appropriate sensors and collectors for log correlation
110.) An administrator is instructed to disable IP-directed broadcasts on all routers in an organization.
Which of the following attacks does this prevent?
A. Pharming
B. Smurf
C. Replay
D. Xmas
111.) Which of the following can be used for both encryption and digital signatures?
A. 3DES
B. AES
C. RSA
D. MD5
112.) A security technician would like to obscure sensitive data within a file so it can be transferred
without causing suspicion. Which of the following technologies would be BEST suited to accomplish this?
A. Transport encryption
B. Stream encryption
C. Digital signature
D. Steganography
113.) A security administrator is reviewing the following log from the company's UTM, which is
installed at the network perimeter:
PERMIT 172.165.143.5:80 192.168.2.6:1020 FIN
PERMIT 10.76.23.5:42331 192.168.1.4:80 SYN
PERMIT 192.168.1.4:80 10.76.23.5:42331 SYN/ACK
PERMIT 10.76.23.5:42331 192.168.1.4:80 ACK
DENY 10.100.34.5:1331 192.168.3.10:445 ACK
PERMIT 172.132.5.6:1432 192.168.3.2:80 SYN
Given the following additional information:
Guest Network: 192.168.1.0/24
User Network: 192.168.2.0/24
Server Network: 192.168.3.0/24
Which of the following should the security administrator recommend?
A. Enforce the use of HTTPS
B. Block outbound traffic initiated from the user network
C. Block incoming traffic to the guest network
D. Allow the server network to initiate outbound connections to the internet
E. Allow incoming traffic initiated from the internet
114.) A vice president at a manufacturing organization is concerned about desktops being connected
to the network. Employees need to log onto the desktops' local account to verify that a product is being
created within specifications; otherwise, the desktops should be as isolated as possible. Which of the
following is the BEST way to accomplish this?
A. Put the desktops in the DMZ
B. Create a separate VLAN for the desktops
C. Air gap the desktops
D. Join the desktops to an ad-hoc network
115.) An administrator has configured a new Linux server with the FTP service. Upon verifying that the
service was configured correctly, the administrator has several users test the FTP service. Users report
that they are able to connect to the FTP service and download their personal files, however, they cannot
transfer new files to the server. Which of the following will MOST likely fix the uploading issue for the
users?
A. Create an ACL to allow the FTP service write access to user directories
B. Set the Boolean SELinux value to allow FTP home directory uploads
C. Reconfigure the FTP daemon to operate without utilizing the PASV mode
D. Configure the FTP daemon to utilize PAM authentication pass through user permissions
116.) The Chief Information Officer (CIO) has asked a security analyst to determine the estimated costs
associated with each potential breach of the database that contains customer information. Which of the
following is the risk calculation the CIO is asking for?
A. Impact
B. SLE
C. ARO
D. ALE
117.) An employer requires that employees use a key-generating app on their smart phones to log
into corporate applications. In terms of authentication to the individual, this type of access policy is BEST
defined as:
A. Something you have
B. Something you know
C. Something you do
D. Something you are
118.) A project manager is working with an architectural firm that focuses on physical security. The
project manager would like to provide requirements that support the primary goal of safety. Based on
the project manager’s desires, which of the following controls would be BEST to incorporate into the
facility design?
A. Biometrics
B. Escape routes
C. Reinforcements
D. Access controls
119.) A small company has recently purchased cell phones for managers to use while working outside
of the office. The company does not currently have a budget for mobile device management and is
primarily concerned with deterring leaks of sensitive information obtained by unauthorized access to
unattended phones. Which of the following would provide the solution that BEST meets the company’s
requirements?
A. Screen lock
B. Disable removable storage
C. Full-device encryption
D. Remote wiping
120.) Which of the following attack types is being carried out when a target is being sent unsolicited
messages via Bluetooth?
A. War chalking
B. Bluejacking
C. Bluesnarfing
D. Rogue tethering
121.) When analyzing the behavior of a malicious piece of software, which of the following
environments should be used?
A. Production
B. Development
C. Test
D. Sandbox
122.) An employee needs to connect to a server using a secure protocol on the default port. Which of
the following ports should be used?
A. 21
B. 22
C. 80
D. 110
123.) Which of the following technologies would be MOST appropriate to utilize when testing a new
software patch before a company-wide deployment?
A. Cloud computing
B. Virtualization
C. Redundancy
D. Application control
124.) Which of the following would an attacker use to generate and capture additional traffic prior to
performing an IV attack?
A. DNS poisoning
B. DDOS
C. Replay attack
D. Dictionary attack
125.) A company executive's laptop was compromised leading to a security breach. The laptop was
placed into storage by a junior system administrator and was subsequently wiped and reimaged. When
it was determined that the authorities would need to be involved, there was little evidence to present to
the investigators. Which of the following procedures should have been implemented to aid the
authorities in their investigation?
A. A comparison should have been created from the original system’s file hashes
B. Witness testimony should have been taken by the administrator
C. The company should have established a chain of custody to track the laptop
D. A system image should have been created and stored
126.) An administrator wants to establish a WiFi network using a high gain directional antenna with a
narrow radiation pattern to connect two buildings separated by a very long distance. Which of the
following antennas would be BEST for this situation?
A. Dipole
B. Yagi
C. Sector
D. Omni
127.) Joe, the system administrator, has been asked to calculate the Annual Loss Expectancy (ALE) for
a $5,000 server, which often crashes. In the past year, the server has crashed 10 times, requiring a
system reboot to recover with only 10% loss of data or function. Which of the following is the ALE of this
server?
A. $500
B. $5,000
C. $25,000
D. $50,000
128.) The Chief Information Officer (CIO) has asked a security analyst to determine the estimated
costs associated with each potential breach of their database that contains customer information.
Which of the following is the risk calculation that the CIO is asking for?
A. Impact
B. SLE
C. ARO
D. ALE
129.) A system administrator wants to confidentially send a user name and password list to an
individual outside the company without the information being detected by security controls. Which of
the following would BEST meet this security goal?
A. Digital Signatures
B. Hashing
C. Full-disk encryption
D. Steganography
130.) Which of the following provides the strongest authentication security on a wireless network?
A. MAC filter
B. WPA2
C. WEP
D. Disable SSID broadcast
131.) A security administrator is notified that users attached to a particular switch are having
intermittent connectivity issues. Upon further research, the administrator finds evidence of an ARP
spoofing attack. Which of the following could be utilized to provide protection from this type of attack?
A. Configure MAC filtering on the switch
B. Configure loop protection on the switch
C. Configure flood guards on the switch
D. Configure 802.1x authentication on the switch
132.) An administrator has to determine host operating systems on the network and has deployed a
transparent proxy. Which of the following fingerprint types would this solution use?
A. Packet
B. Active
C. Port
D. Passive
133.) Which of the following ports is used for TELNET by default?
A. 22
B. 23
C. 21
D. 20
134.) Which of the following can be used to ensure that sensitive records stored on a backend server
can only be accessed by a front end server with the appropriate record key?
A. File encryption
B. Storage encryption
C. Database encryption
D. Full disk encryption
135.) A system administrator is configuring UNIX accounts to authenticate against an external server.
The configuration file asks for the following information: DC=ServerName and DC=COM. Which of the
following authentication services is being used?
A. RADIUS
B. SAML
C. TACACS+
D. LDAP
136.) Which of the following is an XML based open standard used in the exchange of authentication
and authorization information between different parties?
A. LDAP
B. SAML
C. TACACS+
D. Kerberos
137.) Which of the following is an authentication method that can be secured by using SSL?
A. RADIUS
B. LDAP
C. TACACS+
D. Kerberos
138.) Ann, a member of the Sales Department, has been issued a company-owned laptop for use when
traveling to remote sites. Which of the following would be MOST appropriate when configuring security
on her laptop?
A. Configure the laptop with a BIOS password
B. Configure a host-based firewall on the laptop
C. Configure the laptop as a virtual server
D. Configure a host based IDS on the laptop
139.) An overseas branch office within a company has many more technical and non-technical
security incidents than other parts of the company. Which of the following management controls should
be introduced to the branch office to improve their state of security?
A. Initial baseline configuration snapshots
B. Firewall, IPS and network segmentation
C. Event log analysis and incident response
D. Continuous security monitoring process
140.) When designing a new network infrastructure, a security administrator requests that the
intranet web server be placed in an isolated area of the network for security purposes. Which of the
following design elements would be implemented to comply with the security administrator's request?
A. DMZ
B. Cloud services
C. Virtualization
D. Sandboxing
141.) Which of the following can be used to maintain a higher level of security in a SAN by allowing
isolation of mis-configurations or faults?
A. VLAN
B. Protocol security
C. Port security
D. VSAN
142.) A company determines a need for additional protection from rogue devices plugging into physical
ports around the building. Which of the following provides the highest degree of protection from
unauthorized wired network access?
A. Intrusion Prevention Systems
B. MAC filtering
C. Flood guards
D. 802.1x
143.) An access point has been configured for AES encryption but a client is unable to connect to it.
Which of the following should be configured on the client to fix this issue?
A. WEP
B. CCMP
C. TKIP
D. RC4
144.) Which of the following is the BEST concept to maintain required but non-critical server
availability?
A. SaaS site
B. Cold site
C. Hot site
D. Warm site
145.) Virtualization would provide an ROI when implemented under which of the following situations?
A. Numerous servers with no fail-over requirement
B. Multiple existing 100% utilized physical servers
C. Numerous clients with a requirement for fast processors
D. Multiple existing but underutilized physical servers
146.) Which of the following remote authentication methods uses a reliable transport layer protocol
for communication?
A. RADIUS
B. LDAP
C. TACACS+
D. SAML
147.) An administrator wants to restrict traffic between two VLANs. The network devices connecting
the two VLANs are layer 3 switches. Which of the following should the admin configure?
A. IDS rule
B. Subnet mask
C. ACL
D. Firewall
148.) A security architect is choosing a cryptographic suite for the TLS 1.2 configuration for a new
web-based financial management application that will be used heavily by mobile devices. Which of the
following would be the architect's MOST secure selection for both key exchange and the session key
algorithms? (Select Two)
A. 3DES
B. AES-GCM
C. TKIP
D. SHA256
E. SHA1
F. ECDHE
149.) A security administrator creates separate VLANs for employee devices and HVAC equipment
that is network attached. Which of the following are security reasons for this design? (Select Three)
A. IDS often requires network segmentation of HVAC endpoints for better reporting
B. Broadcasts from HVAC equipment will be confined to their own network segment
C. HVAC equipment can be isolated from compromised employee workstations
D. VLANs are providing loop protection for the HVAC devices
E. Access to and from the HVAC equipment can be more easily controlled
F. Employee devices often interfere with proper functioning of HVAC devices
150.) A security administrator is reviewing the password security configuration of a company's
directory service domain. The administrator recognizes that the domain controller has been configured
to store LM hashes. Which of the following explains why the domain controller might be configured like
this? (Select TWO)
A. Default configuration
B. File system synchronization
C. Mobile device support
D. NTLMv2 support
E. Backward compatibility
151.) A finance manager is responsible for approving wire transfers and processing the transfers using
the software provided by the company's bank. A number of discrepancies have been found related to
the wires in a recent financial audit and the wires appear to be fraudulent. Which of the following
controls should be implemented to reduce the likelihood of fraud related to the use of wire transfers?
A. Separation of duties
B. Least Privilege
C. Qualitative auditing
D. Acceptable use policy
152.) The security manager has learned a user inadvertently sent encrypted PII to an incorrect
distribution group. The manager has instructed the user to immediately recall the message. Recipients
are instructed to delete the email from all queues and devices. This is an example of which of the
following incident response procedures?
A. Reporting
B. Escalation
C. Mitigation
D. Isolation
153.) Joe, a system administrator, configured a device to block network traffic from entering the
network. The configuration consisted of zero-day exploit awareness at the application layer of the OSI
model. The exploit signatures have been seen on the internet daily. Which of the following does this
describe?
A. NIDS
B. HIPS
C. HIDS
D. NIPS
154.) An organization is developing a plan to ensure an earthquake at a datacenter does not disrupt
business. The organization has identified all the critical applications within the datacenter, determining
the financial loss of an outage of different duration for each application. This effort is known as a
A. Tabletop exercise
B. High availability
C. Disaster recovery
D. Business impact analysis
E. Risk assessment
155.) From a network security point of view, the primary reason to implement VLANs is to
A. Provide Quality of Service
B. Provide load balancing across the network
C. Provide network segmentation
D. Ensure separation of duties
156.) A network administrator is configuring a web server to ensure the use of only strong ciphers.
Which of the following stream ciphers should the administrator configure?
A. RC4
B. MD5
C. AES-CBC
D. 3DES
157.) An engineer is designing a system that needs the fastest encryption possible due to system
requirements. Which of the following should the engineer use?
A. Symmetric key
B. RSA-1024
C. Rainbow tables
D. SHA-256
E. Public key encryption
158.) An organization's security policy requires secure file transfers to and from internal hosts. An
employee is attempting to upload a file using an unsecured method to a Linux-based dedicated file
server and fails. Which of the following should the employee use to transfer the file?
A. FTP
B. HTTPS
C. SSL
D. SCP
E. TLS
159.) A security administrator suspects that a server has been compromised with zero-day malware,
and that it is now being used to host various copyrighted material, which is being shared through an IRC
network. Which of the following should the system administrator use to determine if the server has
been compromised?
A. Patch report
B. OS backup
C. Antivirus logs
D. Baseline
160.) Which of the following BEST describes the benefits of using Extended Validation?
A. Does not use standard x.509 V3 certificates
B. Enhances SSL session key exchange preventing man-in-the-middle attacks
C. The website provider demonstrates an additional level of trust
D. Provides stronger enforcement of SSL encryption algorithms
161.) Which of the following is susceptible to an attack that can obtain the wireless password by
brute-forcing a 4-digit PIN followed by a 3-digit PIN?
A. WPA
B. WPS
C. WEP
D. WPA2
162.) A server administrator is investigating a breach and determines an attacker modified the
application log to obscure the attack vector. During the lessons learned activity, the facilitator asks for a
mitigation response to protect the integrity of the logs should a similar attack occur. Which of the
following mitigations would be MOST appropriate to fulfill the requirement?
A. Host-based OS
B. Automated log analysis
C. Enterprise SIEM
D. Real-time event cancelation
163.) In order to comply with new auditing standards, a security administrator must be able to
correlate system security alert logs directly with the employee who triggers the alert. Which of the
following should the security administrator implement in order to meet this requirement?
A. Access control lists on the servers
B. Elimination of shared accounts
C. Group-based privileges for accounts
D. Periodic user account access reviews
164.) On a campus network, users frequently remove the network cable from desktop NICs and plug
personal laptops into the school network. Which of the following could be used to reduce the likelihood
of unauthorized laptops on the campus network?
A. Port security
B. Loop protection
C. Flood guards
D. VLANs
165.) An employee is using company time and assets to use a third party tool to share downloadable
media with other users around the world. Sharing downloadable media is not expressly forbidden in the
company security policy or acceptable use policy. Which of the following BEST describes what the
security staff should consider adding to these policies?
A. P2P
B. Data handling
C. Social networking
D. Mobile Device Management
166.) The network administrator wants to assign VLANs based on which user is logging into the
network. Which of the following should the administrator use to accomplish this? (select Two)
A. MAC filtering
B. RADIUS
C. 802.1af
D. 802.11ac
E. 802.1x
F. 802.3q
167.) An application is performing slowly. Management asks the security team to determine if a
security compromise is the underlying cause. The security team finds two processes with high resource
utilization. Which of the following actions should the team take NEXT?
A. Monitor the IDS/IPS for incidents
B. Perform a vulnerability assessment
C. Initiate a source code review
D. Conduct a baseline comparison
168.) A company implemented a public-facing authentication system that uses PKI and extended
attributes to allow third-party, web-based application integration. This is an example of which of the
following? (select three)
A. Federation
B. Two-factor authentication
C. Transitive trust
D. Trusted OS
E. Single sign-on
F. TOTP
G. MAC
169.) An employee connects to a public wireless hotspot during a business trip. The employee
attempts to go to a secure website but instead connects to an attacker who is performing a MITM
attack. Which of the following should the employee do to mitigate the vulnerability described in the
scenario?
A. Connect to a VPN when using public wireless networks
B. Connect only to WPA2 networks regardless of whether the network is public or private
C. Ensure a host-based firewall is installed and running when using public wireless networks
D. Check the address in the web browser before entering credentials
170.) Joe, a security administrator, recently configured a method of secure access for remote
administration of network devices. When he attempts to connect to an access layer switch in the
organization from outside the network he is unable to successfully connect. Which of the following ports
should be open on the firewall for Joe to successfully connect to the switch?
A. TCP 110
B. TCP 161
C. UDP 161
D. UDP 500
171.) Which of the following is a suitable method of checking for revoked certificates in a client/server
environment with connectivity to the issuing PKI?
A. HSM
B. CRL
C. OCSP
D. CSR
172.) During an audit of a software development organization, an auditor finds the organization did
not properly follow industry best practices, including peer review and board approval, prior to moving
applications into the production environment. The auditor recommends adopting a formal process
incorporating these steps. To remediate the finding, the organization implements
A. Incident management
B. A configuration management board
C. Asset management
D. Change management
173.) Two companies are partnering to bid on a contract. Normally these companies are fierce
competitors, but for this procurement they have determined that a partnership is the only way they can
win the job. Both companies are concerned about unauthorized data sharing and want to ensure other
divisions within each company will not have access to proprietary data. To best protect against
unauthorized data sharing they should each sign a
A. NDA
B. SLA
C. MOU
D. BPA
174.) A recent network audit revealed several devices on the internal network were not running
antivirus or HIPS. Upon further investigation, it was discovered that these devices were new laptops that
were deployed without installing the end-point protection suite used by the company. Which of the
following could be used to mitigate the risk of authorized devices that are unprotected residing on the
network?
A. Host-based firewall
B. Network-based IPS
C. Centralized end-point management
D. MAC filtering
175.) Ann is attempting to send a digitally signed message to Joe. Which of the following should Ann
do?
A. Encrypt a hash of the message with her private key
B. Encrypt a certificate signing request with her private key
C. Encrypt a hash of the message with Joe’s public key
D. Encrypt a certificate signing request with Joe’s public key
176.) Which of the following would provide you with a measure of the frequency at which critical
business systems experience breakdowns?
A. MTTR
B. MTBF
C. MTTF
D. MTU
177.) Which of the following should be used to secure data-in-use?
A. Full memory encryption
B. Symmetric key encryption
C. SSL/TLS
D. PGP
178.) Which of the following provides a safe, contained environment in which to enforce physical
security?
A. Hot site
B. Mantrap
C. Virtualized sandbox
D. Bollards
179.) A local coffee shop provides guests with wireless access but disabled the SSID broadcast for
security purposes. When guests make a purchase, they are provided with the SSID to the router. A new
customer’s laptop shows the coffee shop’s SSID appears to be broadcasting despite the fact that the
wireless router configuration shows the broadcast is disabled. Which of the following situations is likely
occurring?
A. The coffee shop is using WEP instead of WPA or WPA2 encryption
B. A user has set up an evil twin access point near the coffee shop
C. WiFi Protected Setup has been hacked and the SSID is being covertly broadcast
D. Once connected to the router it will appear that the SSID is being broadcast
180.) A security technician notices that several successful attacks are being carried out on the
network. The Chief Information Security Officer tells the technician to deploy countermeasures that will
help actively stop these ongoing attacks. Which of the following technologies will accomplish this task?
A. A network-based IPS with advanced heuristic capability
B. A honeypot that generates alerts when a new attack is discovered
C. Host-based IDS that uses anomaly and behavior-based detection
D. An automated security log analyzer that reports system breaches
181.) Ann, a security administrator, is hardening the user password policies. She currently has the
following in place: passwords expire every 60 days, password length is at least eight characters, and
passwords must contain at least one capital letter and one numeric character. She learns that several
employees are still using their original passwords after the 60-day forced change. Which of the following
can she implement to BEST mitigate this?
A. Lower the password expire time to every 30 days instead of 60 days
B. Require that the password contains at least one capital letter, one numeric character and one special
character
C. Change the re-usage time from eight to 16 changes before a password can be repeated
D. Create a rule that users can only change their passwords once every two weeks
182.) The administrator set up a new WPA2 Enterprise wireless network using EAP-TLS for
authentication. The administrator configured the RADIUS servers with certificates that are trusted by
the endpoint devices and rules to authenticate a particular group of users. The administrator is part of
the group that is authorized to connect but is unable to connect successfully during the first test of the
network. Which of the following is the MOST likely cause of the issue?
A. A rogue access point is intercepting the connection
B. Administrator accounts are not allowed to connect to the network
C. The client NIC does not support AES hardware encryption
D. The DHCP scope is full
E. Client certificates were not deployed
183.) A company has an email server dedicated to only outbound email; inbound email retrieval to
this server must be blocked. Which of the following ports must be set to explicit deny?
A. 25
B. 53
C. 110
D. 123
E. 139
F. 143
184.) A PKI architect is implementing a corporate enterprise solution. The solution will incorporate
key escrow and recovery agents, as well as a tiered architecture. Which of the following is required to
implement the architecture correctly?
A. CRL
B. Strong ciphers
C. Intermediate authorities
D. IPSec between CA’s
185.) The Chief Information Security Officer wants to move the web server from the public network
because it has been breached a number of times in the past month. The CISO does not want to place it
in the private network since many external users access the web server to fill out their orders. The
company policy does not allow any non-secure protocols into the internal network. Given the
circumstances, which of the following would be the BEST course of action?
A. Create an external DMZ network
B. Use NAT on the web server
C. Implement a remote access server
D. Configure a new internal subnet
186.)
A security auditor has full knowledge of company configuration and equipment. The auditor
performed a test on the network, resulting in an exploitation of a zero-day vulnerability. Which of the
following did the security auditor perform?
A. Gray box test
B. Vulnerability scan
C. Black box test
D. Penetration test
187.)
Which of the following authentication services is BEST suited for an environment that requires
the TCP protocol with a clear-text payload?
A. LDAP
B. TACACS+
C. SAML
D. RADIUS
188.)
A security administrator receives a hard drive that must be imaged for forensics analysis. The
paperwork that comes with the hard drive shows: 10:00 Technician A - Hard drive removed, 10:30 Technician A - Hard drive delivered to Manager A, and 11:00 IT director - Hard drive delivered to the
security administrator. Which of the following should the security administrator do?
A. Image the hard drive and sign the chain of custody log
B. Hash the chain of custody log
C. Report a problem with the chain of custody log
D. Sign the chain of custody log
189.)
The network administrator is installing RS-485 terminal servers to provide card readers to
vending machines. Which of the following should be performed to protect the terminal servers?
A. Flood guard
B. 802.1x
C. Network separation
D. Port security
190.)
An attacker drives past a company, captures the name of the WiFi network, and locates a coffee
shop near the company. The attacker creates a mobile hotspot with the same name as the company’s
WiFi. Which of the following BEST describes this wireless attack?
A. War driving
B. Rogue access point
C. Near-field communication
D. Evil twin
191.)
Which of the following MUST be implemented to ensure accountability?
A. Employ access control lists
B. Configure password complexity
C. shared accounts
D. Change default passwords
192.)
Which of the following attack types is MOST likely to cause damage or data loss for an
organization and be difficult to investigate?
A. Man-in-the-middle
B. Spoofing
C. DDoS
D. Malicious insider
193.)
The remote branch of an organization has been assigned two public IP addresses by an ISP. The
organization has ten workstations and a wireless router. Which of the following should be deployed to
ensure that all devices have internet access?
A. VLAN
B. PAT
C. NAC
D. DMZ
194.)
A security administrator wishes to perform authentication, authorization, and accounting, but
does not wish to use a proprietary protocol. Which of the following services would fulfill these
requirements?
A. SAML
B. RADIUS
C. TACACS+
D. Kerberos
195.)
Which of the following is the FASTEST method to disclose one-way hashed passwords?
A. Rainbow tables
B. Private key disclosure
C. Dictionary attack
D. Brute Force
196.)
A network has been impacted by downtime resulting from unauthorized devices connecting
directly to the wired network. The network administrator has been tasked to research and evaluate
technical controls that would effectively mitigate risks associated with such devices. Which of the
following capabilities would be MOST suitable for implementation in this scenario?
A. Host hardening
B. NIDS
C. HIDS
D. Loop protection
E. Port Security
197.)
A company is providing mobile devices to all employees. The system administrator has been
tasked with providing input for the company’s mobile device policy. Which of the following are valid
security concepts that the system administrator should include when offering feedback to
management? (Select Two)
A. Transitive trust
B. Asset tracking
C. Remote wiping
D. HSM
E. Key management
198.)
A forensics analyst is asked to identify identical files on a hard drive. Due to the large number of
files to be compared, the analyst must use an algorithm that is known to have the lowest collision rate.
Which of the following should be selected?
A. MD4
B. MD5
C. SHA-128
D. AES-256
199.)
John wants to secure an 802.11n network. Which of the following encryption methods would
provide the highest level of protection?
A. WPA
B. WEP
C. WPA2 with AES
D. WPA2 with TKIP
200.)
Which of the following is the MOST influential concern that contributes to an organization’s
ability to extend enterprise policies to mobile devices?
A. Support of mobile OS
B. Availability of mobile browsers
C. Support of mobile apps
D. Public key management
201.)
An application service provider has notified customers of a breach resulting from improper
configuration changes. In the incident, a server intended for internal access only was made accessible to
external parties. Which of the following configurations were likely to have been improperly modified
resulting in the breach?
A. IDS
B. CRL
C. VPN
D. NAT
202.)
Joe just installed a new (ECS) environmental control system for a room that is critical to the
company’s operation and needs the ability to manage and monitor the system from any part of the
network. Which of the following should the security administrator utilize to minimize the attack surface
and still allow the needed access?
A. Create an encrypted connection between the ECS and the engineer’s computer
B. Configure the ECS host-based firewall to block non-ECS application traffic
C. Implement an ACL that permits the necessary management and monitoring traffic
D. Install a firewall that only allows traffic to the ECS from a single management and monitoring network
203.)
Numerous users within an organization are unable to log into the web based financial
application. The network team places a sniffer on the segment where the application resides and sees
the following log entries.
05:31:14.312254 10.10.10.25.3389 > 192.168.2.100.80: SYN
05:31:14:312255 10.10.10.25.3389 > 192.168.2.100.80: SYN
05:31:14:312256 10.10.10.25.3389 > 192.168.2.100.80: SYN
Which of the following is MOST likely occurring?
A. DOS attack
B. Ping flood attack
C. Smurf attack
D. Replay attack
E. Xmas attack
204.)
You want to communicate securely with a third party via email using PGP. Which of the
following should you send to the third party to enable the third party to securely encrypt email replies?
A. Private key
B. Key escrow
C. Public key
D. Recovery key
205.)
Which of the following should you implement if you want to preserve your internal
authentication and authorization process and credentials if you are going to a cloud service provider?
A. Dual factor authentication
B. Federation
C. Single sign on
D. TOTP
206.)
A university police department is housed on the first floor of a student dormitory. Which of the
following would prevent students from using ARP spoofing attacks against computers at the police
department?
A. Private network addresses
B. Disable SSID broadcast
C. Separate Layer 2 VLANs
D. Enable proxy ARP on router
207.)
During a recent vulnerability assessment, the pen testers were able to successfully crack a large
number of employee passwords. The company technology use agreement clearly states that passwords
used on the company network must be at least eight characters long and contain at least one uppercase
letter and special character. What can they do to standardize and enforce these rules across the entire
organization to resolve this issue?
A. LDAP
B. Group Policy
C. User policy
D. Kerberos
208.)
You want to create several different environments for application development, testing, and
quality control. Controls are being put into place to manage how software is moved into the production
environment. Which of the following should the software development manager request to be put into
place to implement the three new environments?
A. Application firewalls
B. Network segmentation
C. Trusted computing
D. NAT
209.)
A research user needs to transfer multiple terabytes of data across a network. The data is not
confidential, so for performance reasons, does not need to be encrypted. However, the authentication
process must be confidential. Which of the following is the BEST solution to satisfy these requirements?
A. Secured LDAP
B. Kerberized FTP
C. SCP
D. SAML 2.0
210.)
What technology would you use to ensure that the systems your organization is using are
deployed as securely as possible and to prevent files and services from operating outside of a
strict rule set?
A. Host based intrusion detection
B. Host based firewall
C. Trusted OS
D. Antivirus
211.)
A security specialist has implemented antivirus software and whitelisting controls to prevent
malware and unauthorized application installation on the company systems. The combination of these
two technologies is an example of which of the following?
A. Defense in depth
B. Vulnerability scanning
C. Application hardening
D. Anti-malware
212.)
What can be implemented to address the findings that revealed a company is lacking deterrent
security controls?
A. Rogue machine detection
B. Continuous security monitoring
C. Security cameras
D. IDS
213.)
A technician is about to perform a major upgrade to the operating system of a critical system.
This system is currently in a virtualization environment. Which of the following actions would result in
the LEAST amount of downtime if the upgrade were to fail?
A. Enabling live migration in the VM settings on the virtual server
B. Clustering the storage for the server to add redundancy
C. Performing a full backup of the virtual machine
D. Taking an initial snapshot of the system
214.)
What is the name for an attack that can be used to guess the PIN of an access point for the
purpose of connecting to the wireless network?
A. IV attack
B. Rainbow table attack
C. Replay attack
D. WPS attack
215.)
When performing a risk analysis, which of the following is considered a threat?
A. The potential exploitation of vulnerability
B. The presence of a risk in the environment
C. The transference of risk to another party
D. The lack of mitigation for vulnerabilities
216.)
A company would like to protect its e-commerce site from SQL injection and cross site scripting
(XSS). The company should consider deploying which of the following technologies?
A. IDS
B. Web application firewall
C. Proxy
D. Sandbox
217.)
A company uses digital signatures to sign contracts. The company requires external entities to
create an account with a third party digital signature provider and to sign an agreement stating that they
will protect the account from unauthorized access. Which of the following security goals is the company
trying to address in the given scenario?
A. Availability
B. Non-repudiation
C. Authentication
D. Confidentiality
E. Due diligence
218.)
The security administrator generates a key pair and sends one key inside a request file to a third
party. The third party sends back a signed file. In this scenario the file sent by the administrator is a:
A. CA
B. CRL
C. KEK
D. PKI
E. CSR
219.)
A third party has been contracted to perform a remote penetration test of the DMZ network.
The company has only provided the third party with the billing department contact information for final
payment and a technical point of contact who will receive the penetration test results. Which of the
following tests will be performed?
A. Gray box
B. White box
C. Black box
D. False positive
220.)
An administrator is reviewing the logs for a content management system that supports the
organization’s public-facing websites. The administrator is concerned about the number of attempted
login failures from other countries for administrator accounts. Which of the following capabilities is BEST
to implement if the administrator wants the system to dynamically react to such attacks?
A. Netflow-based rate timing
B. Disable generic administrative accounts
C. Automated log analysis
D. Intrusion prevention system
221.)
Jane, a security analyst, is monitoring the IDS console and noticed multiple connections from an
internal host to a suspicious call back domain. Which of the following tools would aid her to decipher
the network traffic?
A. Vulnerability scanner
B. Nmap
C. Netstat
D. Packet analyzer
222.)
A high traffic website is experiencing numerous brute force attacks against its user base. The
attackers are using a very large botnet to carry out the attack. As a result, many users’ passwords are
being compromised. Which of the following actions is appropriate for the website administrators to take
in order to reduce the threat from this type of attack in the future?
A. Temporarily ban each IP address after five failed login attempts
B. Prevent users from using dictionary words in their passwords
C. Prevent users from using passwords that they have used before
D. Require user passwords to be at least ten characters in length
223.)
An employee connects a wireless access point to the only jack in the conference room to
provide internet access during a meeting. The access point is configured to secure its users with WPA2-TKIP. A malicious user is able to intercept clear text HTTP communication between the meeting
attendees and the internet. Which of the following is the reason the malicious user is able to intercept
and see the clear text communications?
A. The malicious user is running a wireless sniffer
B. The wireless access point is broadcasting the SSID
C. The malicious user is able to capture the wired communication
D. The meeting attendees are using unencrypted hard drives
224.)
A user is able to access shares that store confidential information that is not related to the user’s
current job duties. Which of the following should be implemented to prevent this from occurring?
A. Authorization
B. Authentication
C. Federation
D. Identification
225.)
A security administrator is having continued issues with malware variants infecting systems and
encrypting several types of files. The malware uses a document macro to create a randomly named
executable that downloads the encrypting payload of the malware. Once downloaded the malware
searches all drives, creates an HTML file with decryption instructions in the directory, and then proceeds
to encrypt the target files. Which of the following actions would BEST interrupt the malware before it
encrypts the other files while minimizing adverse impacts to the users?
A. Block execution of documents with macros
B. Block addition of documents with macros
C. Block the creation of the HTML document on the local system
D. Block running external files from within documents
226.)
A healthcare organization is in the process of building and deploying a new web server in the
DMZ that will enable public internet users the ability to securely send and receive messages from their
primary care physicians. Which of the following should the security administrator consider?
A. An in-band method for key exchange and an out of band method for the session
B. An out of band method for key exchange and an in band method for the session
C. A symmetric algorithm for key exchange and an asymmetric algorithm for the session
D. An asymmetric algorithm for key exchange and a symmetric algorithm for the session
227.)
Which of the following should be used to implement voice encryption?
A. SSLv3
B. VDSL
C. SRTP
D. VoIP
228.)
A company wants to ensure that all software executing on a corporate server has been
authorized to do so by a central control point. Which of the following can be implemented to enable
such control?
A. Digital signatures
B. Role-based access control
C. Session keys
D. Non-repudiation
229.)
Company policy states that when a virus or malware alert is received, the suspected host is
immediately removed from the company network. Which of the following BEST describes this
component of incident response?
A. Mitigation
B. Isolation
C. Recovery
D. Reporting
E. Remediation
230.)
A security manager has noticed several unrecognized devices connecting to the company’s
internal wireless network. Only company-issued devices should be connected to the network. Which of
the following controls should be implemented to prevent the unauthorized devices from connecting to
the wireless network? (Select Two)
A. MAC filtering
B. Create a separate wireless VLAN
C. Implement 802.11n
D. Enable WPA2
E. Configure DHCP reservations
231.)
A security administrator receives reports from various organizations that a system on the
company network is port scanning hosts on various networks across the internet. The administrator
determines that the compromised system is a Linux host and notifies the owner that the system will be
quarantined and isolated from the network. The system does not contain confidential data, and the root
user was not compromised. The administrator would like to know how the system was compromised,
what the attackers did, and what remnants the attackers may have left behind. Which of the following
are the administrator’s NEXT steps in the investigation? (Select two)
A. Reinstall the procps package in case system utilities were modified
B. Look for recently modified files in user and tmp directories
C. Switch SELinux to enforcing mode and reboot
D. Monitor perimeter firewall for suspicious traffic from the system
E. Check running processes and kernel modules
F. Remove unnecessary accounts and services
232.)
A manager is reviewing bids for internet service in support of a new corporate office location.
The location will provide 24 hour service in the organization’s global user population. In which of the
following documents would the manager MOST likely find quantitative data regarding latency levels and
MTTR?
A. ISA
B. SLA
C. MOU
D. BPA
233.)
A system administrator decided to perform maintenance on a production server servicing retail
store operations. The system rebooted in the middle of the day due to the installation of monthly
operating system patches. The downtime results in lost revenue due to the system being unavailable.
Which of the following would reduce the likelihood of this issue occurring again?
A. Routine system auditing
B. Change management controls
C. Business continuity planning
D. Data loss prevention implementation
234.)
A UNIX server recently had restricted directories deleted as the result of an insider threat. The
root account was used to delete the directories while logged on at the server console. There are five
administrators that know the root password. Which of the following could BEST identify the
administrator that removed the restricted directories?
A. DHCP logs
B. CCTV review
C. DNS Logs
D. Network traffic
235.)
A system administrator is part of the organization’s contingency and business continuity
planning process. The systems administrator and relevant team participate in the analysis of a
contingency situation intended to elicit constructive discussion. Which of the following types of activity
is MOST accurately described in this scenario?
A. Business impact analysis
B. Full-interruption exercise
C. Tabletop exercise
D. Lessons learned
E. Parallel simulation
236.)
Recently, the desktop support group has been performing a hardware refresh and has replaced
numerous computers. An auditor discovered that a number of the new computers did not have the
company’s antivirus software installed on them. Which of the following could be utilized to notify the
network support group when computers without the antivirus software are added to the network?
A. Network port protection
B. NAC
C. NIDS
D. MAC filtering
237.)
Which of the following types of attacks uses email to specifically target high level officials within
an organization?
A. Spim
B. Spear Phishing
C. Pharming
D. Spoofing
238.)
A security architect is supporting a project team responsible for a new extranet application. As
part of their activities, the team is identifying roles within the system and documenting possible conflicts
between roles that could lead to collusion between users. Which of the following principles of risk
mitigation is the team implementing?
A. Dual Control
B. Least Privilege
C. Separation of duties
D. Job rotation
239.)
A company just purchased a new digital thermostat that automatically will update to a new
firmware version when needed. Upon connecting it to the network a system administrator notices that
he cannot get access to the thermostat but can get access to all other network devices. Which of the
following is the MOST likely reason the thermostat is not connecting to the internet?
A. The company implements a captive portal
B. The thermostat is using the incorrect encryption algorithm
C. The WPA2 shared key is incorrect
D. The company’s DHCP server scope is full
240.)
A company has a proprietary device that requires access to the network be disabled. Only
authorized users should have access to the device. To further protect the device from unauthorized
access, which of the following would also need to be implemented?
A. Install NIPS within the company to protect all assets
B. Block port 80 and 443 on the firewall
C. Install a cable lock to prevent theft of the device
D. Install software to encrypt access to the hard drive
241.)
A company uses PKI certificates stored on a smart chip enabled badge. The badge is used for a
small number of devices that connect to a wireless network. A user reported that their badge was
stolen. Which of the following could the security administrator implement to prevent the stolen badge
from being used to compromise the wireless network?
A. Asset tracking
B. Honeynet
C. Strong PSK
D. MAC filtering
242.)
The CSO is concerned with unauthorized access at the company’s off-site datacenter. The CSO
would like to enhance the security posture of the datacenter. Which of the following would BEST
prevent unauthorized individuals from gaining access to the datacenter?
A. Security guard
B. Video monitoring
C. Magnetic entry cards
D. Fencing
243.)
One of the driving factors towards moving an application to a cloud infrastructure is increased
application availability. In the case where a company creates a private cloud, the risk of application
downtime is being:
A. Transferred
B. Avoided
C. Mitigated
D. Accepted
244.)
A security administrator wishes to set up a site to site IPSec VPN tunnel between two locations.
Which of the following IPSec encryptions and hashing algorithms would be chosen for the least
performance impact?
A. 3DES/SHA
B. AES/SHA
C. RSA/MD5
D. DES/MD5
245.)
Which of the following is a security weakness associated with software-based disk encryption?
A. Employed encryption algorithms are generally weaker when implemented in software
B. A dedicated processor is used by the cryptomodule
C. The key can be physically extracted from the encrypted medium
D. Cryptographic operations can be far slower than with hardware based encryption
246.)
A network administrator discovers that telnet was enabled on the company’s human resources
payroll server and that someone outside of the HR subnet has been attempting to log into the server.
The network administrator has disabled telnet on the payroll server. Which of the following is a method
of tracking attempts to log onto telnet without exposing important company data?
A. Banner grabbing
B. Active port numbers
C. Honeypot
D. Passive IPS
247.)
A penetration tester is attempting to determine the operating system of a remote host. Which
of the following methods will provide this information?
A. Protocol analyzer
B. Honeypot
C. Fuzzer
D. Banner grabbing
248.)
A company’s security analyst is investigating the suspected compromise of the company’s
intranet web server. The compromise occurred at a time when no users were logged into the domain.
Which of the following is MOST likely to have prevented the attack from a new machine introduced to
the corporate network?
A. Domain log review
B. 802.1x
C. NIDS
D. Rogue detection
249.)
Which of the following types of attacks are MOST likely to be successful when using fuzzing
against an executable program? (Select Two)
A. SQL injection
B. Session hijacking
C. Integer overflow
D. Buffer overflow
E. Header manipulation
250.)
Which of the following authentication services utilizes UDP for communication between client
and server?
A. Kerberos
B. TACACS+
C. LDAP
D. RADIUS
251.)
As their data set rapidly grows and changes, a company is experiencing availability problems
with their database. The security manager recommends switching to a more scalable system with
dynamic schemas. Which of the following would meet the security manager’s requirements?
A. SSDs
B. NoSQL
C. MariaDB
D. RDBMS
252.)
A company provides wireless access for employees and a guest wireless network for visitors.
The employee wireless network is encrypted and requires a password. The guest wireless network does
not use an encrypted connection and does not require a password. An administrator walks by a visitor’s
laptop and notices the following command line output:
reaver -I mon -b 7A:E5:9A:42:2C:C1 -vv
Starting…
[+] Trying pin 12345678
[+] 93.41% complete @ 2016-04-16 11:25:15 (15 seconds)
[+] WARNING: 10 failed connections in a row
[+] Trying pin 12345688
Which of the following should the administrator implement and why?
A. Initiate employee password changes because the visitor has captured passwords and is attempting
offline cracking of those passwords
B. Implement two factor wireless authentication because the visitor will eventually brute force the
network key
C. Apply WPA or WPA2 encryption because the visitor is trying to crack the employee network that is
encrypted with WEP
D. Disable WPS because the visitor is trying to crack the employee network
E. Apply MAC filtering because the visitor already has the network password
253.)
When implementing a mobile security strategy for an organization, which of the following is the
MOST influential concern that contributes to that organization’s ability to extend enterprise policies to
mobile devices?
A. Support for mobile OS
B. Support of mobile apps
C. Availability of mobile browsers
D. Public key management
254.)
A system administrator runs a network inventory scan every Friday at 11:00 am to track the
progress of a large organization’s operating system upgrade of all laptops. The system administrator
discovers that some laptops are now only being reported as IP addresses. Which of the following is
MOST likely the cause of this issue?
A. HIDS
B. Host-based firewalls rules
C. All the laptops are currently turned off
D. DNS replication
255.)
A company is exploring the possibility to integrate some of its internal processes with an
external cloud service provider. Which of the following should be implemented if the company wants to
preserve its internal authentication and authorization process and credentials?
A. Single sign-on
B. Dual factor authentication
C. Federation
D. TOTP
256.)
An employee has been terminated due to inappropriate internet use. A computer forensics
technician at the organization acquired an image of the hard drive and hashed it using MD5. The former
employee has filed a lawsuit. The former employee’s attorney requests a copy of the image so it can be
independently reviewed by the legal team. Upon receiving the image, the attorney’s technician also
generates an MD5 hash of the image and comes up with a different output than what was provided.
Which of the following MOST likely occurred?
A. The wrong preshared key was used
B. The hashes were produced using different algorithms
C. The hashes were produced on two different operating systems
D. Files on the image have been altered
257.)
A security architect is supporting a project team responsible for a new extranet application. As
part of their activities, the team is identifying roles within the system and documenting possible conflicts
between roles that could lead to collusion between users. Which of the following principles of risk
mitigation is the team implementing?
A. Dual control
B. Least privilege
C. Separation of duties
D. Job rotation
258.)
A company hosts sites for multiple vendors and provides information to users globally. Which of
the following is a critical security consideration in this environment?
A. Proxy servers to enforce a single access mechanism to the data warehouse
B. Firewalls to ensure that the data warehouse is not accessible to the internet
C. Access controls to prevent users from accessing the entire data warehouse
D. Query protocols should use non-standard ports to protect user result-sets
259.)
A security administrator, believing it to be a security risk, disables IGMP snooping on a switch.
This breaks a video application. The application is MOST likely using:
A. RTP
B. Multicast
C. Anycast
D. VoIP
260.)
A security engineer is monitoring suspicious traffic from an internal endpoint to a malicious
landing page of an external entity. The internal endpoint is configured using a limited account, is fully
patched to current standards, and has current antivirus signatures. No alerts have been received
involving this endpoint. The security engineer finds malicious code on the endpoint during a forensics
analysis. Which of the following MOST likely explains this occurrence?
A. The external entity breached the IDS
B. The antivirus engine was evaded
C. The DLP did not detect the malicious code
D. The endpoint was running on a hypervisor
261.)
A security administrator recently implemented IPSec for remote users. Which of the following
ports must be allowed through the firewall in order for remote access to be successful if the tunneling
protocol is PPTP?
A. UDP 500
B. UDP 1723
C. TCP 1723
D. TCP 4500
262.)
A user has been working on a project to implement controls for data storage. Which of the
following policies defines how long specific data should remain on company equipment?
A. Data retention policy
B. Data wiping policy
C. Data classification policy
D. Data disposal policy
263.)
A system administrator has received several service desk tickets relating to users receiving
rejection notices from third-party destination email servers. The users in question were previously able
to send emails to the recipients mentioned in the ticket. Which of the following items should the system
administrator review to determine a possible cause for the issue?
A. DNS blacklists
B. Spam filter configuration
C. Local hosts file
D. SMTP queue
264.)
An enterprise needs to be able to receive files that contain PII from many customers at different
times. The data must remain encrypted during transport and while at rest. Which of the following
encryption solutions would meet both of these requirements?
A. PGP
B. SCP
C. SSL
D. TLS
265.)
A security analyst has been asked to perform penetration testing against a web application
being deployed for the first time. When performing the test the application stops responding and
returns an error referring to failed database connections. Upon further investigation, the analyst finds
the database server was inundated with commits which exhausted available space on the volume.
Which of the following attacks has been performed against the database server?
A. DoS
B. SQL injection
C. SYN flood
D. DDoS
E. Cross-site scripting
266.)
Virtualization would provide an ROI when implemented under which of the following situations?
A. Numerous servers with no fail-over requirement
B. Multiple existing 100% utilized physical servers
C. Numerous clients with a requirement for fast processors
D. Multiple existing but underutilized physical servers
267.)
An organization decides to implement a BYOD policy but wants to ensure they address
requirements associated with any legal investigations and controls needed to comply with the analysis
and recreation of an incident. This concern is also known as which of the following?
A. Data ownership
B. Forensics
C. Chain of custody
D. Acceptable use
268.)
When implementing a new system, a systems administrator works with the information system
owner to identify and document the responsibilities of various positions within the organization. Once
responsibilities are identified, groups are created within the system to accommodate the various
responsibilities of each position type, with users being placed in these groups. Which of the following
principles of authorization is being developed?
A. Rule-based access control
B. Least privilege
C. Separation of duties
D. Access control lists
E. Role-based access control
269.)
Which of the following network design components would assist in separating network traffic
based on the logical location of users?
A. IPSec
B. NAC
C. VLAN
D. DMZ
270.)
The SSID broadcast for a wireless router has been disabled but a network administrator notices
that unauthorized users are accessing the wireless network. The administrator has determined that
attackers are still able to detect the presence of the wireless network despite the fact that the SSID has
been disabled. Which of the following would further obscure the presence of the wireless network?
A. Upgrade the encryption to WPA or WPA2
B. Create a non-zero length SSID for the wireless router
C. Reroute wireless users to a honeynet
D. Disable responses to a broadcast probe request
271.)
A web application is configured to target browsers and allow access to bank accounts to siphon
money to a foreign account. This is an example of which of the following attacks?
A. SQL injection
B. Header manipulation
C. Cross-site scripting
D. Flash cookie exploitation
272.)
Virtualization that allows an operating system kernel to run multiple isolated instances of a
guest OS is:
A. Process segregation
B. Software defined network
C. Containers
D. Emulation
273.)
A plant security officer is continually losing connection to two IP cameras that monitor several
critical high voltage motors. Which of the following should the network administrator do to BEST ensure
the availability of the IP camera connections?
A. Use a wireless bridge instead of the network cables
B. Replace patch cables with shielded cables
C. Change existing cables with optical cables
D. Add new conduit runs for the network cables
274.)
During a trial for possession of illegal content, a defense attorney argues that several of the files
on the forensic image may have been tampered with. How can a technician BEST disprove this
argument?
A. Trace the chain-of-custody from the time of arrest until the time of trial
B. Have a forensic investigator undergo a polygraph examination
C. Take hashes from the suspect source drive, and compare them to hashes on the forensics image
D. Access the system logs on the forensic image, and see if any logins occurred after the suspect’s arrest
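The hash comparison in option C, shown as an added Python example that is not part of the original question set. The "drive", the "image" and the tampered copy are constructed in memory as path-to-bytes dictionaries; in practice the source hash is the one recorded at acquisition, and the comparison is run over the image file itself.

```python
import hashlib

# Constructed sample "drive" contents (path -> bytes), not data from any real case.
SUSPECT_DRIVE = {
    "docs/report.txt": b"quarterly figures\n",
    "pictures/img001.bin": bytes(range(256)),
    "home/notes.txt": b"meeting at 10\n",
}
# A bit-for-bit image taken at seizure: identical content.
FORENSIC_IMAGE = dict(SUSPECT_DRIVE)
# The same image with one file altered after acquisition (simulated tampering).
TAMPERED_IMAGE = dict(SUSPECT_DRIVE)
TAMPERED_IMAGE["docs/report.txt"] = b"quarterly figures (edited)\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def volume_hash(files: dict) -> str:
    """One digest over the whole volume. Paths are visited in sorted order and
    separated from their content by NUL bytes, so the digest is reproducible and
    a change to any path or any byte of content changes the result."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path] + b"\0")
    return h.hexdigest()


def file_hashes(files: dict) -> dict:
    """Per-file digests, the list an examiner records alongside the volume hash."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_image(source: dict, image: dict):
    """Return (volume_ok, mismatched_paths).

    volume_ok is the single acquisition-hash comparison; mismatched_paths names
    the files that differ (modified, added or missing) when that comparison
    fails, so a tampering claim can be narrowed to specific files."""
    volume_ok = volume_hash(source) == volume_hash(image)
    src, img = file_hashes(source), file_hashes(image)
    mismatched = sorted(p for p in set(src) | set(img) if src.get(p) != img.get(p))
    return volume_ok, mismatched


if __name__ == "__main__":
    print("untouched image:", verify_image(SUSPECT_DRIVE, FORENSIC_IMAGE))
    print("tampered image: ", verify_image(SUSPECT_DRIVE, TAMPERED_IMAGE))
```

The check is only as strong as the provenance of the reference hash: it has to have been computed and written into the chain-of-custody record at acquisition. A hash computed for the first time at trial, from a drive that was itself accessible in the meantime, proves nothing about tampering.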
275.)
An auditing organization frequently deploys field employees to customer sites worldwide.
While at the customer sites, the field employees often need to connect to the local network to access
documents and data. Management is concerned that the field employee laptops might become infected
with malware while on the customer networks. Which of the following could be deployed to decrease
the amount of risk incurred by the field employees?
A. HIPS
B. HOTP
C. HIDS
D. HSM
276.)
Joe, a user, wants to configure his workstation to make certain that the certificate he receives
when connecting to websites is still valid. Which of the following should Joe enable on his workstation to
achieve this?
A. Certificate revocation
B. Key escrow
C. Registration authority
D. Digital signatures
277.)
When implementing a new system, a systems administrator works with the information system
owner to identify and document the responsibilities of various positions within the organization. Once
responsibilities are identified, groups are created within the system to accommodate the various
responsibilities of each position type, with users being placed in these groups. Which of the following
principles of authorization is being developed?
A. Rule-based access control
B. Least privilege
C. Separation of duties
D. Access control lists
E. Role-based access control
278.)
An organization received a subpoena requesting access to data that resides on an employee’s
computer. The organization uses PKI. Which of the following is the BEST way to comply with the
request?
A. Certificate authority
B. Public key
C. Key escrow
D. Registration authority
E. Key recovery agent
279.)
Which of the following is a security weakness associated with software-based disk encryption?
A. Employed encryption algorithms are generally weaker when implemented in software
B. A dedicated processor is used by the cryptomodule
C. The key can be physically extracted from the encrypted medium
D. Cryptographic operations can be far slower than with hardware based encryption
280.)
A large retail vendor provides access to a heating, ventilation, and air conditioning vendor for
the purpose of issuing billing statements and receiving payments. A security administrator wants to
prevent attackers from using compromised credentials to access the billing system, moving laterally to
the point-of-sale system, and installing malware to skim credit card data. Which of the following is the
MOST important security architecture consideration the retail vendor should impose?
A. Data encryption
B. Network segregation
C. Virtual private networking
D. Application firewalls
281.)
A security administrator, believing it to be a security risk, disables IGMP snooping on a switch.
This breaks a video application. The application is MOST likely using:
A. RTP
B. Multicast
C. Anycast
D. VoIP
282.)
A global gaming console manufacturer is launching a new gaming platform to its customers.
Which of the following controls reduces the risk created by malicious gaming customers attempting to
circumvent controls by way of modifying consoles? (Select two)
A. Firmware version control
B. Manual software upgrades
C. Vulnerability scanning
D. Automatic updates
E. Network segmentation
F. Application firewalls
283.)
The security administrator for a growing company is concerned about the increasing
prevalence of personal devices connected to the corporate WLAN. Which of the following actions should
the administrator take FIRST to address this concern?
A. Implement RADIUS to centrally manage access to the corporate network over Wi-Fi
B. Request that senior management support the development of a policy that addresses personal devices
C. Establish a guest-access wireless network and request that employees use the guest network
D. Distribute a memo addressing the security risks associated with the use of personally-owned devices
on the corporate WLAN
284.)
After disabling SSID broadcast, a network administrator still sees the wireless network listed in
available networks on a client laptop. Which of the following attacks may be occurring?
A. Evil twin
B. Rod’s access point
C. Arp spoofing
D. Rogue access point
E. TKIP compromise
285.)
A recent regulatory audit discovers a large number of former employees with active accounts.
Terminated users are removed from the HR system but not from Active Directory. Which of the
following processes would close the gap identified?
A. Send a recurring email to managers with a link to IT security policies
B. Perform routine audits against the HR system and Active Directory
C. Set an account expiration date for all Active Directory accounts to expire annually
D. Conduct permissions reviews in Active Directory for group membership
286.)
Which of the following is the MAIN purpose for incorporating a DMZ into the design of a
network?
A. Incorporate a secure place to house print servers and other networking equipment
B. Have Rod to come out and secure the network even if he knows nothing about it
C. Facilitate the creation of resources accessed by internal users in a secure manner
D. Provide an isolated location for servers accessed from the intra and inter networks
287.)
A security engineer wants to communicate securely with a third party via email using PGP.
Which of following should the engineer send to the third party to enable the third party to securely
encrypt email replies?
A. Public key
B. Private key
C. Key escrow
D. Recovery key
288.)
A datacenter manager has been asked to prioritize critical system recovery priorities. Which of
the following is the MOST critical for immediate recovery?
A. Remote assistance software
B. Operating system software
C. Weekly summary reports to management
D. Financial and production software
289.)
A risk assessment team is concerned about hosting data with a cloud service provider. Which of
the following findings would justify this concern?
A. The CSP utilizes encryption for data at rest and in motion
B. The CSP takes into account multinational privacy concerns
C. The financial review indicates the company is a startup
D. SLAs state service tickets will be resolved in less than mins
290.)
A security administrator is responsible for the deployment of a new two-factor authentication
solution. The administrator has been informed that the solution will use soft tokens. Which of the
following are valid token password schemes for the two-factor solution being deployed? (Select two)
A. CHAP
B. PAP
C. NTLMv2
D. HMAC
E. Smart card
F. Time-based
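The two soft-token schemes in this question (HMAC-based and time-based one-time passwords) implemented from RFC 4226 and RFC 6238, as an added Python example that is not part of the original question set. The seed is the published test-vector secret from those RFCs so the codes can be checked against known values; the `attacker_with_seed` function is added to illustrate the seed-compromise scenario in question 325, where the only remedy is to replace the tokens (new seeds).

```python
import hashlib
import hmac
import struct

# The RFC 4226 / RFC 6238 test-vector secret, used so outputs can be checked
# against the published values. A real deployment uses a random per-token seed.
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): HMAC(seed, counter) followed by dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step)."""
    return hotp(seed, unix_time // step, digits, algo)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check that tolerates `window` steps of clock skew either way.
    hmac.compare_digest keeps the string comparison constant-time."""
    for drift in range(-window, window + 1):
        candidate = totp(seed, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def attacker_with_seed(leaked_seed: bytes, unix_time: int) -> str:
    """What a seed compromise means: whoever holds the seed computes exactly the
    code the legitimate token displays, without ever touching the device."""
    return totp(leaked_seed, unix_time)


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("token shows:", totp(RFC_SEED, now))
    print("attacker with leaked seed shows:", attacker_with_seed(RFC_SEED, now))
```

The token's "password" is a pure function of the seed plus a counter or the clock; neither the PIN nor the user's password enters the computation, which is why changing passwords (option D in question 325) does not mitigate a leaked seed.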
291.)
A security administrator has implemented a series of computers to research possible intrusions
into the organizational network, and to determine the motives as well as the tool used by the malicious
entities. Which of the following has the security administrator implemented?
A. Honeypot
B. DMZ
C. Honeynet
D. VLANs
292.)
Which of the following allows an application to securely authenticate a user by receiving
credentials from a remote web domain?
A. TACACS+
B. RADIUS
C. Kerberos
D. SAML
293.)
A company is exploring the possibility to integrate some of its internal processes with an
external cloud service provider. Which of the following should be implemented if the company wants to
preserve its internal authentication and authorization process and credentials?
A. Single sign-on
B. Dual factor authentication
C. Federation
D. TOTP
294.)
Many employees are receiving email messages similar to the one shown below
From: IT Department
To: Employee
Subject: Email quota exceeded
Please check on the following link:
http://www.getatme.info/email.php?quota=Gb
and provide your username and password to increase your email quota.
Upon reviewing other similar emails, the security administrator realizes that all the phishing URLs have the following common elements: they all use HTTP, they all come from .info domains, and they all contain the same URL. Which of the following should the security administrator configure on the corporate content filter to prevent users from accessing the phishing URL, while at the same time minimizing false positives?
A. Block http://www."info"
B. Drop http://"getatme.info/email".php
C. Redirect
D. DENY http://"info/email.php"quota=Gb
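The false-positive trade-off between a broad rule and a narrow one, as an added Python example that is not part of the original question set. The sample URLs are constructed: the phishing entries follow the three indicators the question lists (plain HTTP, a .info domain, the email.php?quota= link); the hostnames, the quota values and the path /email.php are assumptions, since the page shows the link with its punctuation lost.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs. Hostnames, quota values and the /email.php path are
# assumptions made for the demo.
PHISHING = [
    "http://www.getatme.info/email.php?quota=2Gb",
    "http://quota-reset.info/email.php?quota=5Gb",
]
LEGITIMATE = [
    "http://www.library.info/",                       # an ordinary .info site
    "https://mail.example.com/email.php?quota=2Gb",   # internal webmail: HTTPS, not .info
    "http://www.getatme.info/about.html",             # same domain, different page
]


def block_all_info(url: str) -> bool:
    """Broad rule: refuse every .info host (the approach of a domain-wide block)."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(".info")


def deny_phishing_pattern(url: str) -> bool:
    """Narrow rule: plain HTTP AND a .info host AND the email.php?quota= link.
    All three indicators must match, so ordinary .info sites are not affected."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query, keep_blank_values=True)  # quota= with no value still counts
    return (parts.scheme.lower() == "http"
            and host.endswith(".info")
            and parts.path.lower().endswith("/email.php")
            and "quota" in query)


def evaluate(rule, phishing=PHISHING, legitimate=LEGITIMATE):
    """Return (true_positives, false_positives) for a rule over the sample sets."""
    true_positives = sum(1 for u in phishing if rule(u))
    false_positives = sum(1 for u in legitimate if rule(u))
    return true_positives, false_positives


if __name__ == "__main__":
    for rule in (block_all_info, deny_phishing_pattern):
        tp, fp = evaluate(rule)
        print(f"{rule.__name__}: caught {tp}/{len(PHISHING)} phishing, {fp} false positives")
```

Both rules catch every phishing link in the sample; only the narrow rule does so without also blocking unrelated .info sites, which is the "minimizing false positives" requirement in the question.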
295.)
Which of the following social engineering attacks would describe a situation where an attacker
calls an employee while impersonating a corporate executive?
A. Vishing
B. Pharming
C. Whaling
D. Pharrming
296.)
A security administrator determined that the time required to brute force 90% of the company's
password hashes is below the acceptable threshold. Which of the following, if implemented, has the
GREATEST impact in bringing this time above the acceptable threshold?
A. Use a shadow password file
B. Increase the number of PBKDF2 iterations
C. Change the algorithm used to salt all passwords
D. Use a stronger hashing algorithm for password storage
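Why the iteration count is the lever with the greatest effect: an offline guess costs one full PBKDF2 derivation, so attack time scales linearly with iterations, whereas swapping SHA-1 for SHA-256 changes the cost by a fixed constant. An added Python example that is not part of the original question set; the wordlist, target password and salt are constructed, and the timing figures are whatever the machine running it measures.

```python
import hashlib
import os
import time

# Constructed wordlist, target password and salt for the demo; not real credentials.
WORDLIST = ["123456", "password", "letmein", "Summer2019!", "qwerty", "P@ssw0rd"]
DEMO_PASSWORD = "Summer2019!"
DEMO_SALT = b"\x9a\x11\x03\x7f\xee\x20\x41\xcc"  # constructed; use os.urandom(16) for real use


def derive(password: str, salt: bytes, iterations: int, dklen: int = 32, algo: str = "sha256") -> bytes:
    """PBKDF2-HMAC: the attacker must repeat the same `iterations` HMACs per guess."""
    return hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations, dklen)


def brute_force(target: bytes, salt: bytes, iterations: int, candidates):
    """Offline dictionary attack against one stored hash.
    Returns (recovered password or None, number of guesses made)."""
    for n, cand in enumerate(candidates, 1):
        if derive(cand, salt, iterations) == target:
            return cand, n
    return None, len(candidates)


def seconds_per_guess(iterations: int, samples: int = 10) -> float:
    """Measure the cost of one guess at this iteration count on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive("benchmark", salt, iterations)
    return (time.perf_counter() - start) / samples


def crack_time_seconds(iterations: int, keyspace: int, guesses_in_parallel: int = 1) -> float:
    """Worst-case time to exhaust `keyspace` guesses: linear in the iteration count."""
    return seconds_per_guess(iterations) * keyspace / guesses_in_parallel


if __name__ == "__main__":
    for iters in (1_000, 100_000, 600_000):
        hours = crack_time_seconds(iters, keyspace=10**8) / 3600
        print(f"{iters:>8} iterations: ~{hours:.1f} h for 1e8 guesses on one core")
```

The salt (option C) and the shadow file (option A) matter for other reasons, per-user uniqueness and access control respectively, but neither changes the per-guess cost once the hashes are already in the attacker's hands.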
297.)
Which of the following is important to reduce risk?
A. Separation of duties
B. Risk acceptance
C. Risk transference
D. Threat modeling
298.)
An outside testing company performing black box testing against a new application determines
that it is possible to enter any characters into the applications web-based form. Which of the following
controls should the application developers use to prevent this from occurring?
A. CSRF prevention
B. Sandboxing
C. Fuzzing
D. Input validation
299.)
The network administrator for a small business is configuring a wireless network for 20 users.
Which of the following explains why the administrator would choose WPA2-Personal over WPA2-Enterprise?
A. It does not require a RADIUS server
B. It uses 3DES encryption
C. It has 14 channels available
D. It allows a separate password for each device
300.)
The security director has a mantrap installed for the company’s data center. This control is
installed to mitigate:
A. Transitive access
B. Tailgating
C. Shoulder surfing
D. Impersonation
301.)
A company needs to ensure that employees that are on vacation or leave cannot access network
resources, while still retaining the ability to receive emails in their inboxes. Which of the following will
allow the company to achieve this goal?
A. Set up an email alias
B. Remove user privileges
C. Install an SMTP proxy server
D. Reset user passwords
302.)
Which of the following is an administrative control used to reduce tailgating?
A. Delivering security training
B. Erecting a fence
C. Implementing magnetic locks and doors
D. Installing a mantrap
303.)
Which of the following would enhance the security of accessing data stored in the cloud? (select
two)
A. Block level encryption
B. SAML authentication
C. Transport encryption
D. Multifactor authentication
E. Predefined challenge questions
F. Hashing
304.)
A company has hired an ex-employee to perform a penetration test of the company’s
proprietary application. Although the ex-employee used to be part of the development team, the
application has gone through some changes since the employee left. Which of the following can the
ex-employee perform if the company is not willing to release any information on the software to the
ex-employee?
A. Black box testing
B. Regression testing
C. White box testing
D. Grey box testing
305.)
Joe has been in the same IT position for the last 27 years and has developed a lot of the
homegrown applications that the company utilizes. The company is concerned that Joe is the only one
who can administer these applications. The company should enforce which of the following best security
practices to avoid Joe being a single point of failure?
A. Separation of duties
B. Least privilege
C. Job rotation
D. Mandatory vacations
306.)
Which of the following are BEST used in the process of hardening a public facing web server?
(Select 2)
A. Vulnerability scanner
B. Protocol analyzer
C. Honeynet
D. Port scanner
E. Honeypot
307.)
A company is planning to encrypt the files in several sensitive directories of a file server with a
symmetric key. Which of the following could be used?
A. RSA
B. TwoFish
C. Diffie-Hellman
D. NTLMv2
E. RIPEMD
308.)
In the course of troubleshooting wireless issues from users, a technician discovers that users are
connecting to their home SSIDs while at work. The technician scans but detects none of those SSIDs.
The technician eventually discovers a rogue access point that spoofs any SSID that a client requests.
Which of the following allows wireless use while mitigating this type of attack?
A. Configure the device to verify access point MAC addresses
B. Disable automatic connection to unknown SSIDs
C. Only connect to trusted wireless networks
D. Enable MAC filtering on the wireless access point
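Detecting the SSID-spoofing rogue described in this question from captured management frames, plus the client-side check in option A, as an added Python example that is not part of the original question set. The frame list is a constructed capture summary (frame type, BSSID, SSID) with made-up addresses and network names.

```python
from collections import defaultdict

# Constructed 802.11 management-frame summary: (frame_type, bssid, ssid).
# Addresses and network names are made up for the demo.
FRAMES = [
    ("beacon",     "aa:bb:cc:00:00:01", "CorpWiFi"),
    ("probe_resp", "aa:bb:cc:00:00:01", "CorpWiFi"),
    ("probe_req",  "10:20:30:40:50:60", "HomeNet-Alice"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeNet-Alice"),
    ("probe_req",  "10:20:30:40:50:61", "xfinitywifi"),
    ("probe_resp", "de:ad:be:ef:00:01", "xfinitywifi"),
    ("probe_resp", "de:ad:be:ef:00:01", "CorpWiFi"),
    ("probe_resp", "de:ad:be:ef:00:01", "CoffeeShop"),
]

# What the client trusts: SSID -> the BSSIDs allowed to serve it.
TRUSTED = {"CorpWiFi": {"aa:bb:cc:00:00:01"}}


def ssids_answered(frames) -> dict:
    """BSSID -> set of SSIDs it has sent probe responses for."""
    out = defaultdict(set)
    for ftype, bssid, ssid in frames:
        if ftype == "probe_resp":
            out[bssid].add(ssid)
    return dict(out)


def find_karma_aps(frames, threshold: int = 3) -> list:
    """A legitimate AP answers probes only for the SSID(s) it beacons. A radio that
    answers for `threshold` or more distinct SSIDs, including ones it never beacons,
    is behaving like the rogue in the question: it says yes to whatever is asked."""
    beaconed = defaultdict(set)
    for ftype, bssid, ssid in frames:
        if ftype == "beacon":
            beaconed[bssid].add(ssid)
    flagged = []
    for bssid, ssids in ssids_answered(frames).items():
        unannounced = ssids - beaconed.get(bssid, set())
        if len(ssids) >= threshold and unannounced:
            flagged.append(bssid)
    return sorted(flagged)


def should_connect(ssid: str, bssid: str, trusted: dict = TRUSTED) -> bool:
    """Client policy from option A: join only when the SSID is trusted and the
    responding BSSID is one recorded for it, so a matching name from an unknown
    radio is refused."""
    return bssid in trusted.get(ssid, set())


if __name__ == "__main__":
    print("suspected SSID-spoofing APs:", find_karma_aps(FRAMES))
    print("join CorpWiFi via rogue?", should_connect("CorpWiFi", "de:ad:be:ef:00:01"))
```

Pinning the BSSID defeats only a rogue that keeps its own address; an attacker can clone the BSSID as well. For the corporate SSID, 802.1X with server-certificate validation is the control that actually authenticates the network to the client.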
309.)
Which of the following BEST represents a security challenge faced primarily by organizations
employing a mobility BYOD strategy?
A. Balancing between the security of personal information and the company’s information sharing
requirements
B. Balancing between the assurance of individual privacy rights and the security of corporate data
C. Balancing between device configuration enforcement and the management of cryptographic keys
D. Balancing between the financial security of the company and the financial security of the user
310.)
A security administrator receives reports from various organizations that a system on the
company network is port scanning hosts on various networks across the internet. The administrator
determines that the compromised system is a Linux host and notifies the owner that the system will be
quarantined and isolated from the network. The system does not contain confidential data, and the root
user was not compromised. The administrator would like to know how the system was compromised,
what the attackers did, and what remnants the attackers may have left behind. Which of the following
are the administrator’s NEXT steps in the investigation? (Select Two)
A. Reinstall the procps package in case system utilities were modified
B. Look for recently modified files in use and tmp directories
C. Switch SELinux to enforcing mode and reboot
D. Monitor perimeter firewall for suspicious traffic from the system
E. Check running processes and kernel modules
F. Remove unnecessary accounts and services
311.)
A company was recently the victim of a major attack which resulted in significant reputational
loss. Joe, a member of the company incident response team, is currently reviewing Standard Operating
Procedures for the team in the wake of the attack. Which of the following best identifies the stage of
incident response that Joe is in?
A. Reporting
B. Lessons learned
C. Mitigation steps
D. Preparation
312.)
An increase in the number of wireless users on the 192.168.6.0/24 subnet has caused the DHCP
pool to run out of addresses, which prevents users from accessing important network resources. Which
of the following should the administrator do to correct this problem?
A. Decrease the subnet mask network bits
B. Increase the dynamic ARP timeout
C. Switch to static IP address assignment
D. Increase the DHCP lease time
313.)
Which of the following should be implemented to enforce the corporate policy requiring up-to-date OS
patches on all computers connecting to the network via VPN?
A. VLAN
B. NAT
C. NAC
D. DMZ
314.)
A single server hosts a sensitive SQL-based database and a web service containing static
content. A few of the database fields need to be encrypted due to regulatory requirements. Which of
the following would provide the BEST encryption solution for this particular server?
A. Individual file
B. Database
C. Full disk
D. Record based
315.)
A network was down for several hours due to a contractor entering the premises and plugging
both ends of a network cable into adjacent network jacks. Which of the following would have prevented
the network outage?
A. Port security
B. Loop protection
C. Implicit deny
D. Log analysis
E. MAC filtering
F. Trunk port
316.)
A media company would like to securely stream live video feeds over the internet to clients. The
security administrator suggests that the video feeds be encrypted in transport and configures the web
server to prefer ciphers suited for the live video feeds. Which of the following cipher suites should the
administrator implement on the web server to minimize the computational and performance overhead
of delivering the live feeds?
A. ECDHE-RSA-RC4-SHA
B. DHE-DSA-DES-CBC-SHA
C. ECDHE-RSA-AES-CBC-SHA
D. ECDHE-RSA-AES256-CBC-SHA
317.)
After a wireless security breach, the network administrator discovers the tool used to break into
the network. Using a brute force attack, the tool is able to obtain the wireless password in less than
11,000 attempts. Which of the following should be disabled to prevent this type of attack in the future?
A. WPS
B. WEP
C. WIPS
D. WPA2-PSK
318.)
While responding to an incident on a new Windows server, the administrator needs to disable
unused services. Which of the following commands can be used to see processes that are listening on a
TCP port?
A. Ipconfig
B. Netstat
C. Psinfo
D. Net session
319.)
A security administrator is tasked with conducting an assessment made to establish the baseline
security posture of the corporate IT infrastructure. The assessment must report actual flaws and
weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be
performed using in-house or cheaply available resources. There cannot be a possibility of any equipment
being damaged in the test. Which of the following has the administrator been tasked to perform?
A. Risk transference
B. Penetration test
C. Threat assessment
D. Vulnerability assessment
320.)
Following a site survey for an upcoming 5GHz wireless network implementation, the project
manager determines that several areas of the facility receive inadequate coverage due to the use of
vertical antennas on all access points. Which of the following activities would be MOST likely to
remediate the issue without changing the current access point layout in the facility?
A. Convert all access points to models operating at 2.4GHz
B. Install antennas with lower front-to-back ratios to narrow the focus of coverage as needed
C. Reorient the existing antennas in horizontal configuration
D. Install unidirectional antennas to focus coverage where needed
321.)
Two companies are partnering to bid on a contract. Normally these companies are fierce
competitors but for this procurement they have determined that a partnership is the only way they can
win the job. Each company is concerned about unauthorized data sharing and wants to ensure other
divisions within each company will not have access to proprietary data. To best protect against
unauthorized data sharing they should each sign a(n)
A. NDA
B. SLA
C. MOU
D. BPA
322.)
A security administrator runs a port scan against a server and determines that the following
ports are open: TCP 22, TCP 25, TCP 80, TCP 631, and TCP 995. Which of the following MOST likely
describes the server?
A. The server is an email server that requires secure email transmittal
B. The server is a web server that requires secure communication
C. The server is a print server that requires secure authentication
D. The server is an email server that requires secure email retrieval
323.)
The security administrator receives a service ticket saying a host-based firewall is interfering
with the operation of a new application that is being tested in development. The administrator asks for
clarification on which ports need to be open. The software vendor replies that it could use up to 20
ports and many customers have disabled the host-based firewall. After examining the system, the
administrator sees several ports that are open for database and application servers that are only used
locally. The vendor continues to recommend disabling the host-based firewall. Which of the following is
the BEST course of action for the administrator to take?
A. Allow ports used by the application through the network firewall
B. Allow ports used externally through the host firewall
C. Follow the vendor’s recommendation and disable the host firewall
D. Allow ports used locally through the host firewall
324.)
Which of the following can be used by PPP for authentication?
A. CHAP
B. RSA
C. PGP
D. HMAC
325.)
An organization uses security tokens as part of two factor authentication. If the seed values for
the tokens are suspected to have been compromised, which of the following actions will mitigate the
risk and be the MOST cost effective?
A. Replace the tokens
B. Issue smartcards
C. Change the token algorithms
D. Have users change their passwords
326.)
During a recent network audit, it was found that several devices on the internal network were
not running antivirus or HIPS. Upon further investigation, it was discovered that these devices were new
laptops that were deployed without having the end-point protection suite used by the company
installed. Which of the following could be used to mitigate the risk of authorized devices that are
unprotected residing on the network?
A. Host-based firewall
B. Network-based IPS
C. Centralized end-point management
D. MAC filtering
327.)
Several customers received an email from an employee that advertised better rates at a
different company. Shortly after the email was sent, Ann, the employee who sent the email, resigned
and joined the other company. When confronted, Ann claimed that she did not send the email, it was
another person spoofing her email address. Which of the following would eliminate Ann’s excuse in the
future?
A. Sender policy framework
B. Non-repudiation
C. Encrypted email
D. Outgoing mail filters
328.)
An attacker wants to exfiltrate confidential data from an organization. The attacker decides to
implement steganography as the method of exfiltration. Which of the following techniques should the
attacker use?
A. Encrypt an existing image file
B. Add information to a sound file
C. Hash a known document
D. Use a substitution cipher
329.)
A network administrator is in the process of developing a new network security infrastructure.
One of the requirements for the new system is the ability to perform advanced authentication,
authorization, and accounting services. Which of the following technologies BEST meets the stated
requirement?
A. Kerberos
B. SAML
C. TACACS+
D. LDAPS
330.)
The network administrator sees a "%CAM-TABLE-FULL" message on a network switch. Upon investigation,
the administrator notices thousands of MAC addresses associated with a single untagged port. Which of the
following should be implemented to prevent this type of attack?
A. Port security
B. BPDU guard
C. 802.1x
D. TACACS+
331.)
A network technician needs to pass traffic from the company’s external IP address to a frontend mail server in the DMZ without exposing the IP address of the mail server to the external network.
Which of the following should the network technician use?
A. NAT
B. SMTP
C. NAC
D. SSH
E. TLS
332.)
An engineer is designing a system that needs the fastest encryption possible due to system
requirements. Which of the following should the engineer use?
A. Symmetric key
B. RSA-1024
C. Rainbow tables
D. SHA-256
E. Public key encryption
333.)
A security administrator is trying to determine the source of a suspected denial of service attack
that is consistently disconnecting most systems from the wireless network. Hourly checks verify that
there are no rogue wireless access points, unauthorized wireless clients, or de-authentication attacks
occurring. Which of the following should the administrator use to BEST identify the reason for the
outage?
A. Perform a packet capture
B. Deploy a wireless IDS
C. Use a spectrum analyzer
D. Conduct a wireless site survey
334.)
A security analyst at a nuclear power plant needs to secure network traffic from the legacy
SCADA systems. Which of the following methods could the analyst use to secure network traffic in this
static environment?
A. Implement a firewall
B. Implement a HIDS
C. Implement a NIDS
D. Implement a rootjail
335.)
A security administrator receives reports from various organizations that a system on the
company network is port scanning hosts on various networks across the internet. The administrator
determines that the compromised system is a Linux host and notifies the owner that the system will be
quarantined and isolated from the network. The system does not contain confidential data, and the root
user was not compromised. The administrator would like to know how the system was compromised,
what the attackers did, and what remnants the attackers may have left behind. Which of the following
are the administrators NEXT steps in the investigation? (Select Two)
A. Reinstall the procps package in case system utilities were modified
B. Look for recently modified files in user and tmp directories
C. Switch SELinux to enforcing mode and reboot
D. Monitor perimeter firewall for suspicious traffic from the system
E. Check running processes and kernel modules
F. Remove unnecessary accounts and services
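The triage steps behind options B and E for this question (and its identical copy, question 310) turned into code, as an added Python example that is not part of the original question set: recently modified files under chosen roots, processes enumerated directly from /proc, loaded kernel modules, and a cross-check for PIDs that /proc knows about but a possibly trojaned `ps` does not (the concern behind option A). The sample home directory is constructed in a temporary directory; the /proc readers return empty results on non-Linux hosts.

```python
import os
import tempfile
import time


def recently_modified(roots, hours: float = 24, now: float = None) -> list:
    """Files under `roots` whose mtime falls within the last `hours`, returned as
    (path relative to its root, mtime), newest first. os.lstat is used so a
    symlink is reported as itself rather than followed."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    hits = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                if st.st_mtime >= cutoff:
                    hits.append((os.path.relpath(full, root), st.st_mtime))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def proc_pids() -> set:
    """PIDs visible in /proc (Linux). Empty set elsewhere."""
    if not os.path.isdir("/proc"):
        return set()
    return {int(p) for p in os.listdir("/proc") if p.isdigit()}


def hidden_pids(from_proc: set, from_ps: set) -> set:
    """PIDs present in /proc but missing from `ps` output: the signature of a
    replaced procps binary or a userland rootkit hooking readdir()."""
    return set(from_proc) - set(from_ps)


def loaded_kernel_modules() -> list:
    """Module names from /proc/modules (Linux). Empty list elsewhere."""
    try:
        with open("/proc/modules") as f:
            return [line.split()[0] for line in f if line.strip()]
    except OSError:
        return []


def build_sample_tree() -> str:
    """Constructed home directory for the demo: one long-standing file and one
    file dropped an hour ago. Returns the directory path."""
    base = tempfile.mkdtemp(prefix="triage_")
    old = os.path.join(base, ".bashrc")
    new = os.path.join(base, ".cache", "dropper.sh")
    os.makedirs(os.path.dirname(new))
    with open(old, "w") as f:
        f.write("# long-standing file\n")
    with open(new, "w") as f:
        f.write("#!/bin/sh\n# constructed stand-in for a dropped payload\n")
    now = time.time()
    os.utime(old, (now - 90 * 86400, now - 90 * 86400))
    os.utime(new, (now - 3600, now - 3600))
    return base


if __name__ == "__main__":
    home = build_sample_tree()
    print("recently modified:", [p for p, _ in recently_modified([home], hours=24)])
    print("processes in /proc:", len(proc_pids()))
    print("kernel modules:", loaded_kernel_modules()[:5])
```

Two caveats a responder should keep in mind: mtime is trivially forged (`touch -t`), so corroborate with ctime and the filesystem journal; and everything here is read through the possibly compromised kernel, so the /proc cross-check catches only userland tampering, while a kernel module rootkit (hence option E) is better confirmed from trusted media.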
336.)
Several users require administrative access for software compatibility reasons. Over time, these
users have made several changes to important system settings. Which of the following is the BEST
course of action to ensure the system settings are properly enforced?
A. Require users to run under a standard user account
B. Use centralized group policy to configure the systems
C. Conduct user access reviews to determine appropriate privileges
D. Implement an application whitelist throughout the company
337.)
A company wants to ensure that all software executing on a corporate server has been
authorized to do so by a central control point. Which of the following can be implemented to enable
such control?
A. Digital signatures
B. Role-Based access control
C. Session keys
D. Non-repudiation
338.)
An employee connects to a public wireless hotspot during a business trip. The employee
attempts to go to a secure website but instead connects to an attacker who is performing a
man-in-the-middle attack. Which of the following should the employee do to mitigate the vulnerability
described in the scenario?
A. Connect to a VPN when using public wireless networks
B. Only connect to WPA2 networks regardless of whether the network is public or private
C. Ensure a host-based firewall is installed and running when using public wireless networks
D. Check the address in the web browser before entering credentials
339.)
A PKI architect is implementing a corporate enterprise solution. The solution will incorporate
key escrow and recovery agents, as well as a tiered architecture. Which of the following is required in
order to implement the architecture correctly?
A. Certificate revocation list
B. Strong ciphers
C. Intermediate authorities
D. IPsec between CAs
340.)
An administrator would like to restrict traffic between two VLANs. The network devices
connecting the two VLANs are layer 3 switches. Which of the following should the administrator
configure?
A. IDS rule
B. Firewall
C. ACL
D. Subnet mask
341.)
Joe, an administrator, has been in the same IT position for the past 27 years and has developed a
lot of the homegrown applications the company utilizes. The company is concerned that Joe is the only
one who can administer these applications. Which of the following best security practices should the
company enforce to prevent Joe from being a single point of failure?
A. Separation of duties
B. Least privilege
C. Job rotation
D. Mandatory vacations
342.)
A technician has raised concern over employees on the manufacturing floor moving computers
between work areas. The technician is concerned that the activity is making it more difficult to track
down rogue devices on the network and provide timely support. Which of the following would prevent
this from occurring?
A. 802.1X
B. Video surveillance
C. Full-disk encryption
D. Cable locks
343.)
Which of the following should mobile devices use in order to protect against data theft in an
offline attack?
A. Application controls
B. Full device encryption
C. Storage segmentation
D. Whitelisting
E. Remote wiping
344.)
A security administrator is performing a vulnerability scan and discovers that port 21 and 22 are
open to support FTPS. Which of the following is this an example of?
A. False positive
B. Input validation
C. Banner grabbing
D. Common misconfiguration
345.)
The network engineer for an organization intends to use certificate-based 802.1X authentication
on a network. The engineer’s organization has an existing PKI that is used to issue server and user
certificates. The PKI is not currently configured to support the issuance of 802.1X certificates. Which of
the following represents an item the engineer MUST configure?
A. OCSP
B. Web Enrollment portal
C. Symmetric cryptography
D. Certification extension
346.)
An administrator needs to allow a third-party service to authenticate users, but does not want
to give the third-party access to user credentials. Which of the following allows this type of
authentication?
A. LDAP
B. SAML
C. RADIUS
D. TACACS
347.)
While performing surveillance activities, an attacker determined that an organization is using
802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to
bypass the identified network security controls?
A. MAC spoofing
B. Pharming
C. Xmas attack
D. ARP Poisoning
348.)
An attacker is attempting to determine the patch-level version a web server is running on its
open ports. Which of the following is an active technique that will MOST efficiently determine the
information the attacker is seeking?
A. Banner grabbing
B. Vulnerability scanning
C. Port scanning
D. Protocol analysis
349.)
In order to establish a connection to a server using secure LDAP, which of the following MUST be
installed on the client?
A. Server public key
B. Subject alternative name certificate
C. CA anchor of trust
D. Certificate signing request
350.)
A help desk technician receives a request for information from a user regarding a new policy a
department issued. The policy states that all emails with embedded URLs or images be digitally signed.
Which of the following represent possible motivators for this new policy? (Select TWO)
A. Service availability
B. Non-repudiation
C. User authentication
D. Confidentiality
E. Anti-malware
F. Message integrity
351.)
A bank is planning to implement a third factor to protect customer ATM transactions. Which of
the following could the bank implement?
A. SMS
B. Fingerprint
C. Chip and PIN
D. OTP
352.)
The content of a document that is routinely used by several employees and contains
confidential information has been changed. While investigating the issue, it is discovered that payment
information for all of the company’s clients has been removed from the document. Which of the
following could be used to determine who changed the information?
A. Audit logs
B. Server baseline
C. Document hashing
D. Change management
353.)
An old 802.11b wireless bridge must be configured to provide confidentiality of data in transit to
include the MAC addresses of communicating endpoints. Which of the following can be implemented to
meet this requirement?
A. MSCHAPv2
B. WPA2
C. WEP
D. IPsec
354.)
A web server at an organization has been the target of distributed denial of service attacks.
Which of the following, if correctly configured, would BEST mitigate these and future attacks?
A. SYN cookies
B. Implicit deny
C. Blacklisting
D. URL filter
355.)
An application developer is working with the server administrator to configure storage of data
that the application produces, including any temporary files. Which of the following will securely store
the files outside of the application?
A. Database encryption
B. Transparent encryption
C. Full-disk encryption
D. Transit encryption
356.)
An auditor is reviewing the following logs from the company’s proxy server that is used to store
both sensitive and public documents. The documents are edited via a client web interface, and all
processing is performed on the server side.
http://www.documents-portal.com/editdoc.php?document1=this%20is%20the%20content%20of%20document1
http://www.documents-portal.com/editdoc.php?document1=this%20is%20the%20content%20of%20document2
http://www.documents-portal.com/editdoc.php?document1=this%20is%20the%20content%20of%20document3
Which of the following should the auditor recommend be implemented?
A. Two-factor authentication should be implemented for sensitive documents
B. Sensitive documents should be signed using enterprise PKI
C. Encryption should be implemented at the transport level
D. Document hashing should be done to preserve document integrity
357.)
Which of the following is a contract with a service provider that typically includes performance
parameters like MTBF and MTTR?
A. SLA
B. NDA
C. ISA
D. MOU
E. ALE
358.)
An assessment team is conducting a vulnerability scan of an organization’s database servers.
During the configuration of the vulnerability scanner, the lead assessor only configures the parameter of
the database servers’ IP range, and then runs the vulnerability scanner. Which of the following scan
types is being run on the database servers?
A. Intrusive
B. Ping sweep
C. Non-credentialed
D. Offline
359.)
Which of the following network configurations provides security analysts with the MOST
information regarding threats, while minimizing the risk to internal corporate assets?
A. Configuring the wireless access point to be unencrypted
B. Increasing the logging level of internal corporate devices
C. Allowing inbound traffic to a honeypot on the corporate LAN
D. Placing a NIDS between the corporate firewall and ISP
360.)
A new help desk employee at a cloud services provider receives a call from a customer. The
customer is unable to log into the provider’s web application. The help desk employee is unable to find
the customer’s user account in the directory services console, but sees the customer’s information in
the application database. The application does not appear to have any fields for a password. The
customer then remembers the password and is able to log in. The help desk employee still does not see
the user account in directory services. Which of the following is the MOST likely explanation?
A. A bug has been discovered in the application
B. The application uses a weak encryption cipher
C. A federated authentication model is being used
D. The application uses single sign-on
361.)
An administrator is reviewing the logs for a content management system that supports the
organization’s public-facing website. The administrator is concerned about the number of attempted
login failures for administrator accounts from other countries. Which of the following capabilities is BEST
to implement if the administrator wants the system to react dynamically to such attacks?
A. Netflow-based rate limiting
B. Disabled generic administrative accounts
C. Automated log analysis
D. Intrusion prevention system
362.)
A recent security breach at an organization revealed that the attack leveraged a telnet server
that had not been used for some time. Below are partial results of an audit that occurred a week before
the breach was detected.
OPEN PORTS---TCP 23, TCP 80, TCP 443
OS PATCH LEVEL---CURRENT
PASSWORD AUDIT---PASS, STRONG
FILE INTEGRITY---PASS
Which of the following could have mitigated or deterred this breach?
A. Routine patch management on the server
B. Greater frequency of auditing the server logs
C. Password protection on the telnet server
D. Disabling unnecessary services
363.)
A recent counter threat intelligence notification states that companies should review indicators
of compromise on all systems. The notification stated that the presence of a win_32.dll was an identifier
of a compromised system. A scan of the network reveals that all systems have this file. Which of the
following should the security analyst perform FIRST to determine if the files collected are part of the
threat intelligence?
A. Quarantine the file on each machine
B. Take a full system image of each machine
C. Take hashes of the files found for verification
D. Verify the time and date of the files found
364.)
A technician is troubleshooting an issue with an employee’s new mobile device that is not
associating to the wireless network. The technician verifies the mobile device is in the company’s
approved and supported list. The appropriate configuration was entered on the device. All other mobile
devices are connecting to the wireless network. Which of the following is the MOST likely cause of the
issue?
A. Non-broadcasting SSID
B. MAC address filtering
C. Wrong encryption
D. Full DHCP scope
365.)
An organization is developing a plan to ensure an earthquake at a datacenter does not disrupt
business. The organization has identified all of the critical applications within the datacenter,
determining the financial loss of an outage of different duration for each application. This effort is
known as a :
A. Tabletop exercise
B. High availability
C. Disaster recovery
D. Business impact analysis
E. Risk assessment
366.)
After installing new digital certificates on a company web server, the network administrator
wants to securely store the keys so that no one individual is able to use the keys on any other system.
Which of the following would allow the network administrator to achieve this goal?
A. Key hashing
B. Key exchange
C. Key escrow
D. Ephemeral key
367.)
Multi-function devices are being deployed in various departments. All departments will be able
to copy, print and scan to file. Some departments will be authorized to use their devices to fax and email
while other departments will not be authorized to use those functions on their devices. Which of the
following is the MOST important mitigation technique to avoid an incident?
A. Disabling unnecessary accounts
B. Password protection
C. Monitoring access logs
D. Disabling unnecessary services
368.)
Due to the commonality of Content Management System (CMS) platforms, a website
administrator is concerned about security for the organization’s new CMS application. Which of the
following practices should the administrator implement FIRST to mitigate risks associated with CMS
platform implementations?
A. Deploy CAPTCHA features
B. Modify the default accounts’ password
C. Implement two-factor authentication
D. Configure DNS blacklisting
E. Configure password complexity requirements
369.)
Which of the following BEST describes the benefits of using Extended Validation (EV)?
A. Does not use standard x.509 V3 certificates
B. Enhances SSL session key exchange preventing man-in-the-middle attacks
C. The website provider demonstrates an additional level of trust
D. Provides stronger enforcement of SSL encryption algorithms
370.)
The network administrator is installing RS-485 terminal servers to provide card readers to
vending machines. Which of the following should be performed to protect the terminal servers?
A. Flood guard
B. 802.1X
C. Network separation
D. Port security
371.)
An administrator was tasked with reducing the malware infection rate of PC applications. To
accomplish this, the administrator restricted the locations from which programs can be launched. After
this was complete, the administrator noticed that malware continued to run from locations on the disk
and infected the hosts. Which of the following did the administrator forget to do?
A. Restrict write access to the allowed executable paths
B. Install the host-based intrusion detection system
C. Configure browser sandboxing
D. Disable unnecessary services
372.)
A developer is programming an SSO module to assist an organization’s internal users with
password management. As part of the implementation plan, each user will be required to sign in with
existing credentials and submit a new password for the SSO system due to increased security
requirements. The developer has been tasked by the security lead to harden the application against
automated attacks using the existing credentials. Which of the following will provide an additional
security layer against unauthorized access?
A. Log analysis
B. CAPTCHA
C. Web application firewall
D. Security tokens
E. Role-based access control lists
F. One-time pad
373.)
A security administrator determined that the time required to brute force 90% of the company’s
password hashes is below the acceptable threshold. Which of the following, if implemented, has the
GREATEST impact in bringing this time above the acceptable threshold?
A. Use a shadow password file
B. Increase the number of PBKDF2 iterations
C. Change the algorithm used to salt all passwords
D. Use a stronger hashing algorithm for password storage
374.)
A security administrator creates separate VLANs for employee devices and HVAC equipment
that is network attached. Which of the following are security reasons for this design?
A. IDS often requires network segmentation of HVAC endpoints for better reporting
B. Broadcasts from HVAC equipment will be confined to their own network segment
C. HVAC equipment can be isolated from compromised employee workstations
D. VLANs are providing loop protection for the HVAC devices
E. Access to and from the HVAC equipment can be more easily controlled
F. Employee devices often interfere with proper functioning of HVAC devices
375.)
An attacker has breached multiple lines of information security defense. Which of the following
BEST describes why delayed containment would be dangerous?
A. The attacker could be blocked by the NIPS before enough forensic data can be collected.
B. The attacker could erase all evidence of how they compromised the network
C. The attacker could cease all attack activities making forensics more difficult
D. The attacker could escalate unauthorized access or compromise other systems
376.)
After Ann, a user, left a crowded elevator, she discovered her smartphone browser was open to
a malicious website that exploited the phone. Which of the following is the MOST likely reason this
occurred?
A. The user was the victim of a CSRF attack
B. The user was the victim of an NFC attack
C. The user was the victim of an IV attack
D. The user was the victim of a bluesnarfing attack
377.)
A company has classified the following database records
Which of the following is a management control the company can implement to increase the security of the
above information with respect to confidentiality?
A. Implement a client-based software filter to prevent some employees from viewing confidential info.
B. Use a privacy screen on all computers handling and displaying sensitive information
C. Encrypt the records that have a classification of HIGH in the confidentiality column
D. Disseminate the data classification table to all employees and provide training on data disclosure
378.)
Joe a system architect wants to implement appropriate solutions to secure the company’s
distributed database. Which of the following concepts should be considered to help ensure data
security? (Select TWO)
A. Data at rest
B. Data in use
C. Replication
D. Wiping
E. Retention
F. Cloud Storage
379.)
A government agency wants to ensure that the systems it has deployed are as secure as
possible. Which of the following technologies will enforce protections on these systems to prevent files
and services from operating outside of a strict rule set?
A. Host-based intrusion
B. Host-based firewall
C. Trusted OS
D. Antivirus
380.)
Joe is a helpdesk specialist. During a routine audit, a company discovered that his credentials
were used while he was on vacation. The investigation further confirmed that Joe still has his badge and
it was last used to exit the facility. Which of the following access control methods is MOST appropriate
for preventing such occurrences in the future?
A. Access control where the credentials cannot be used except when the associated badge is in the
facility
B. Access control where system administrators may limit which users can access their systems
C. Access control where employees' access permissions are based on the job title
D. Access control system where badges are only issued to cleared personnel
381.)
After a private key has been compromised, an administrator realized that downloading a CRL once
per day was not effective. The administrator wants to immediately revoke certificates. Which of the
following should the administrator investigate?
A. CSR
B. PKI
C. IdP
D. OCSP
382.)
A datacenter has suffered repeated burglaries that led to equipment theft and arson. In the past,
the thieves have demonstrated a determination to bypass any installed safeguards. After mantraps had
been installed to prevent tailgating, the thieves crashed through the wall of the datacenter with a vehicle
after normal business hours. Which of the following options could further improve the physical safety
and security of the datacenter? (select TWO).
A. Cipher locks
B. CCTV
C. Escape routes
D. K-rated fencing
E. FM200 Fire suppression
383.)
Based on a review of the existing access policies, the network administrator determines that
changes are needed to meet current regulatory requirements of the organization's access control process.
To initiate changes in the process, the network administrator should FIRST:
A. Update the affected policies and inform the user community of the changes
B. Distribute a memo stating that all new accounts must follow current regulatory requirements
C. Inform senior management that changes are needed to existing policies
D. Notify the user community that non-compliant accounts will be required to use the new process
384.)
When implementing a new system, a systems administrator works with the information
system owner to identify and document the responsibilities of various positions within the
organization. Once responsibilities are identified, groups are created within the system to
accommodate the various responsibilities of each position type, with users being placed in these
groups. Which of the following principles of authorization is being developed?
A. Rule-based access control
B. Least privilege
C. Separation of duties
D. Access control lists
E. Role-Based access control
385.)
The operations manager for a sales group wants to ensure that sales personnel are able to use
their laptops and other portable devices throughout a building using both wireless and wired
connectivity. Which of the following technologies would be MOST effective at increasing security of the
network while still maintaining the level of accessibility the operations manager requested?
A. 802.1x
B. 802.11n
C. WPA2 authentication
D. VLAN isolation
E. Authenticated web proxy
386.)
A system administrator is configuring a site-to-site IPSec VPN tunnel. Which of the following
should be configured on the VPN concentrator for payload encryption?
A. ECDHE
B. SHA256
C. HTTPS
D. 3DES
387.)
Several computers in an organization are running below the normal performance baseline. A
security administrator inspects the computers and finds the following pieces of information:
- Several users have uninstalled the antivirus software
- Some users have installed unauthorized software
- Several users have installed pirated software
- Some computers have had automatic updating disabled after being deployed
- Users have experienced slow responsiveness when using the Internet browser
- Users have complete control over critical system properties
Which of the following solutions would have prevented these issues from occurring? (Select TWO).
A. Using snapshots to revert unwanted user changes
B. Using an IPS instead of an antivirus
C. Placing users in appropriate security groups
D. Disabling unnecessary services
E. Utilizing an application whitelist
F. Utilizing an application blacklist
388.)
A data breach is suspected on a currently unidentified server in a datacenter. Which of the
following is the BEST method of determining which server was breached?
A. Network traffic logs
B. System image capture
C. Asset inventory review
D. RAM analysis
389.)
Due to the commonality of Content Management System (CMS) platforms, a website
administrator is concerned about security for the organization's new CMS application. Which of the
following practices should the administrator implement FIRST to mitigate risks associated with CMS
platform implementations?
A. Deploy CAPTCHA features
B. Modify the default accounts' password
C. Implement two-factor authentication
D. Configure DNS blacklisting
E. Configure password complexity requirements
390.)
The firewall administrator is installing a VPN application and must allow GRE through the
firewall. Which of the following MUST the administrator allow through the firewall?
A. IPSec
B. IP protocol 47
C. IP protocol 50
D. IP protocol 51
391.)
When generating a request for a new x.509 certificate for securing a website, which of the
following is the MOST appropriate hashing algorithm?
A. RC4
B. MD5
C. RIPEMD
D. SHA
392.)
The first responder to an incident has been asked to provide an after action report. This supports
which of the following Incident Response procedures?
A. Incident identification
B. Mitigation
C. Lessons learned
D. Escalation/Notification
393.)
An employee is conducting a presentation at an out-of-town conference center using a laptop.
The wireless access point at the employee's office has an SSID of OFFICE. The laptop was set to
remember wireless access points. Upon arriving at the conference, the employee powered on the laptop
and noticed that it was connected to the OFFICE access point. Which of the following MOST likely
occurred?
A. The laptop connected to a legitimate WAP
B. The laptop connected as a result of an IV attack
C. The laptop connected to an evil twin WAP
D. The laptop connected as a result of near field communication
394.)
A company has a proprietary device that requires access to the network be disabled. Only
authorized users should have access to the device. To further protect the device from unauthorized
access, which of the following would also need to be implemented?
A. Install NIPS within the company to protect all assets
B. Block ports 80 and 443 on the firewall
C. Install a cable lock to prevent theft of the device
D. Install software to encrypt access to the hard drive
395.)
After Ann arrives at the company's co-location facility, she determines that she is unable to
access the cage that holds the company's equipment after a co-worker updated the key card server the
night before. This is an example of failure of which of the following?
A. Testing controls
B. Access signatures
C. Fault tolerance
D. Non-repudiation
396.)
A security administrator wants to implement a system that will allow the organization to
quickly and securely recover from a computer breach. The security administrator notices that the
majority of malware infections are caused by zero-day armored viruses and rootkits. Which of the
following solutions should the system administrator implement?
A. Install an antivirus solution that provides HIPS capabilities
B. Implement a thick-client model with local snapshots
C. Deploy an enterprise patch management system
D. Enable the host-based firewall and remove users’ administrative rights
397.)
The network engineer for an organization intends to use certificate-based 802.1X authentication
on a network. The engineer's organization has an existing PKI that is used to issue server and user
certificates. The PKI is currently not configured to support the issuance of 802.1X certificates. Which of
the following represents an item the engineer MUST configure?
A. OCSP responder
B. Web enrollment portal
C. Symmetric cryptography
D. Certificate extension
398.)
During a recent audit, it was discovered that the employee who deploys patches also approves
the patches. The audit found there is no documentation supporting the patch management process,
and there is no formal vetting of installed patches. Which of the following controls should be
implemented to mitigate this risk? (Select TWO).
A. IT contingency planning
B. Change management policy
C. Least privilege
D. Separation of duties
E. Dual control
F. Mandatory job rotation
399.)
Which of the following remote authentication methods uses a reliable transport layer protocol for
communication?
A. RADIUS
B. LDAP
C. TACACS+
D. SAML
400.)
Analysis of a recent security breach at an organization revealed that the attack leveraged a telnet
server that had not been used in some time. Below are partial results of an audit that occurred a week
before the breach was detected.
OPEN PORTS---TCP 23, TCP 80, TCP 443
OS PATCH LEVEL---CURRENT
PASSWORD AUDIT---PASS, STRONG
FILE INTEGRITY---PASS
Which of the following could have mitigated or deterred this breach?
A. Routine patch management on the server
B. Greater frequency of auditing the server logs
C. Password protection on the telnet server
D. Disabling unnecessary services
401.)
A security administrator receives an IDS alert that a single internal IP address is connecting to
several known malicious command and control domains. The administrator connects to the switch and
adds a MAC filter to Port 18 to block the system from the network.
BEFORE
MAC Address      VLAN  Port
67A7.353B.5064   101   4
7055.4961.1F33   100   9
0046.6416.5809   101   21
7027.0108.31B5   100   16
5243.6353.7720   101   6
1484.A471.6542   100   2
80C7.8669.5845   101   7
7513.77B9.4130   101   18
5A77.1816.3859   101   19
8294.7E31.3270   100   8
AFTER
MAC Address      VLAN  Port
67A7.353B.5064   101   4
7055.4961.1F33   100   9
0046.6416.5809   101   21
7027.0108.31B5   100   16
5243.6353.7720   101   6
1484.A471.6542   100   2
80C7.8669.5845   101   7
0046.6419.5809   101   18
5A77.1816.3859   101   19
8294.7E31.3270   100   8
A few minutes later, the same malicious traffic starts again from a different IP. Which of the following is
the MOST likely reason that the system was able to bypass the administrator's MAC filter?
A. The system is now ARP spoofing a device on the switch
B. The system is now VLAN hopping to bypass the switch port MAC filter
C. The system is now spoofing a MAC address
D. The system is now connecting to the switch
402.)
A recent policy change at an organization requires that all remote access connections to and from
file servers at remote locations must be encrypted. Which of the following protocols would accomplish
this new objective? (Select TWO).
A. TFTP
B. SSH
C. FTP
D. RDP
E. HTTP
403.)
A security administrator has been tasked with hardening operating system security on tablets that will
be deployed for use by floor salespeople at retail outlets. Which of the following could the administrator
implement to reduce the likelihood that unauthorized users will be able to access information on the
tablets?
A. GPS device tracking
B. Remote wiping
C. Cable locks
D. Password protection
404.)
An organization that uses a cloud infrastructure to present a payment portal is using:
A. Software as a service
B. Platform as a service
C. Monitoring as a service
D. Infrastructure as a service
405.)
A forensics investigator needs to be able to prove that digital evidence was not tampered with
after being taken into custody. Which of the following is useful in this scenario?
A. Encryption
B. Non-repudiation
C. Hashing
D. Perfect forward secrecy
E. Steganography
406.)
A penetration tester is attempting to determine the operating system of a remote host. Which of
the following will provide this information?
A. Protocol analyzer
B. Honeypot
C. Fuzzer
D. Banner grabbing
407.)
A company is hosting both sensitive and public information at a cloud provider. Prior to the
company going out of business, the administrator will decommission all virtual servers hosted in the
cloud. When wiping the virtual hard drive, which of the following should be removed?
A. Hardware specifications
B. Encrypted files
C. Data remnants
D. Encrypted keys
408.)
A software development manager needs to create several different environments for application
development, testing, and quality control. Controls are being put in place to manage how software is
moved into the production environment. Which of the following should the software development
manager request be put in place to implement the three new environments?
A. Application firewalls
B. Network segmentation
C. Trusted computing
D. Network address translation
409.)
A security manager needs to implement a backup solution as part of the disaster recovery plan.
The system owners have indicated that the business cannot afford to lose more than a day of
transactions following an event where data would have been restored. The security manager should set a
value of 24 hours for the:
A. Recovery time objective
B. Service level agreement
C. Recovery point objective
D. System backup window
E. Disaster recovery plan
410.)
A security analyst needs to ensure all external traffic is able to access the company's front-end
servers but protect all access to internal resources. Which of the following network design elements
would MOST likely be recommended?
A. DMZ
B. Cloud Computing
C. VLAN
D. Virtualization
411.)
Which of the following network design elements allows for many internal devices to share one
public IP address?
A. DNAT
B. PAT
C. DNS
D. DMZ
412.)
Ann, a security administrator, needs to implement a transport encryption solution that will
enable her to detect attempts to sniff packets. Which of the following could be implemented?
A. Elliptical curve algorithms
B. Ephemeral keys
C. Quantum cryptography
D. Steganography
413.)
After Ann arrives at the company's co-location facility, she determines that she is unable to
access the cage that holds the company's equipment after a co-worker updated the key card server the
night before. This is an example of failure of which of the following?
A. Testing controls
B. Access signatures
C. Fault tolerance
D. Non-repudiation
414.)
Which of the following is a security advantage of using NoSQL vs. SQL databases in a three-tier
environment?
A. NoSQL databases are not vulnerable to XSRF attacks from the application server.
B. NoSQL databases are not vulnerable to SQL injection attacks.
C. NoSQL databases encrypt sensitive information by default.
D. NoSQL databases perform faster than SQL databases on the same hardware
415.)
The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to
upgrade the entire corporate IT infrastructure. The architecture consists of a centralized cloud
environment hosting the majority of data, small server clusters at each corporate location to handle the
majority of customer transaction processing, ATMs, and a new mobile banking application accessible
from smartphones, tablets, and the Internet via HTTP. The corporation does business having varying data
retention and privacy laws. Which of the following technical modifications to the architecture and
corresponding security controls should be implemented to provide the MOST complete protection of
data?
A. Revoke existing root certificates, re-issue new customer certificates, and ensure all transactions are
digitally signed to minimize fraud, implement encryption for data in-transit between data centers
B. Ensure all data is encrypted according to the most stringent regulatory guidance applicable,
implement encryption for data in-transit between data centers, increase data availability by replicating
all data, transaction data, logs between each corporate location
C. Store customer data based on national borders, ensure end-to-end encryption between ATMs, end
users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from
one legal jurisdiction to another with more stringent regulations
D. Install redundant servers to handle corporate customer processing, encrypt all customer data to ease
the transfer from one country to another, implement end-to-end encryption between mobile
applications and the cloud.
416.)
A server administrator is investigating a breach and determines that an attacker modified the
application log to obfuscate the attack vector. During the lessons learned activity the facilitator asks for a
mitigation response to protect the integrity of the logs should a similar attack occur. Which of the
following mitigations would be MOST appropriate to fulfill the requirement?
A. Host-based IDS
B. Automated log analysis
C. Enterprise SIEM
D. Real-time event correlation
417.)
An administrator has to determine host operating systems on the network and has deployed a
transparent proxy. Which of the following fingerprint types would this solution use?
A. Packet
B. Active
C. Port
D. Passive
418.)
Which of the following can be used to maintain a higher level of security in a SAN by allowing
isolation of mis-configurations or faults?
A. VLAN
B. Protocol security
C. Port security
D. VSAN
419.)
Due to hardware limitation, a technician must implement a wireless encryption algorithm that
uses the RC4 protocol. Which of the following is a wireless encryption solution that the technician should
implement while ensuring the STRONGEST level of security?
A. WPA2-AES
B. 802.11ac
C. WPA-TKIP
D. WEP
420.)
Ann, the software security engineer, works for a major software vendor. Which of the following
practices should be implemented to help prevent race conditions, buffer overflows, and other similar
vulnerabilities prior to each production release?
A. Product baseline report
B. Input validation
C. Patch regression testing
D. Code review
421.)
The security administrator is analyzing a user's history file on a Unix server to determine if the
user was attempting to break out of a rootjail. Which of the following lines in the user's history log shows
evidence that the user attempted to escape the rootjail?
A. cd ../../../../bin/bash
B. whoami
C. ls /root
D. sudo -u root
422.)
A company has implemented full disk encryption. Clients must authenticate with a username and
password at a pre-boot level to unlock the disk and again a username and password at the network login.
Which of the following are being used? (Select TWO)
A. Multifactor authentication
B. Single factor authentication
C. Something a user is
D. Something a user has
E. Single sign-on
F. Something a user knows
423.)
The sales force in an organization frequently travels to remote sites and requires secure access to
an internal server with an IP address of 192.168.0.220. Assuming services are using default ports, which
of the following firewall rules would accomplish this objective? (Select Two)
A. Permit TCP 20 any 192.168.0.200
B. Permit TCP 21 any 192.168.0.200
C. Permit TCP 22 any 192.168.0.200
D. Permit TCP 110 any 192.168.0.200
E. Permit TCP 139 any 192.168.0.200
F. Permit TCP 3389 any 192.168.0.200
424.)
Which of the following could a security administrator implement to mitigate the risk of tailgating
for a large organization?
A. Train employees on correct data disposal techniques and enforce policies.
B. Only allow employees to enter or leave through one door at specified times of the day.
C. Only allow employees to go on break one at a time and post security guards 24/7 at each entrance.
D. Train employees on risks associated with social engineering attacks and enforce policies.
425.)
A system administrator has concerns regarding their users accessing systems and secured areas
using others' credentials. Which of the following can BEST address this concern?
A. Create conduct policies prohibiting sharing credentials.
B. Enforce a policy shortening the credential expiration timeframe.
C. Implement biometric readers on laptops and restricted areas.
D. Install security cameras in areas containing sensitive systems.
426.)
An administrator needs to allow both secure and regular web traffic into a network. Which of the
following ports should be configured? (Select TWO)
A. 25
B. 53
C. 80
D. 110
E. 143
F. 443
427.)
A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at
the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are
turned to face the proper direction. Which of the following types of controls is being used?
A. Detective
B. Deterrent
C. Corrective
D. Preventive
428.)
An administrator is investigating a system that may potentially be compromised, and sees the
following log entries on the router.
*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) ->
10.10.1.5 (6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) ->
10.10.1.5 (6667), 6 packets.
*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) ->
10.10.1.5 (6667), 8 packets.
Which of the following BEST describes the compromised system?
A. It is running a rogue web server
B. It is being used in a man-in-the-middle attack
C. It is participating in a botnet
D. It is an ARP poisoning attack
429.)
Joe must send Ann a message and provide Ann with assurance that he was the actual sender.
Which of the following will Joe need to use to BEST accomplish the objective?
A. A pre-shared private key
B. His private key
C. Ann's public key
D. His public key
430.)
Log file analysis on a router reveals several unsuccessful telnet attempts to the virtual terminal
(VTY) lines. Which of the following represents the BEST configuration used in order to prevent
unauthorized remote access while maintaining secure availability for legitimate users?
A. Disable telnet access to the VTY lines, enable SSH access to the VTY lines with RSA encryption
B. Disable both telnet and SSH access to the VTY lines, requiring users to log in using HTTP
C. Disable telnet access to the VTY lines, enable SSH access to the VTY lines with PSK encryption
D. Disable telnet access to the VTY lines, enable SSL access to the VTY lines with RSA encryption
431.)
Ann, the network administrator, is receiving reports regarding a particular wireless network in
the building. The network was implemented for specific machines issued to the developer department,
but the developers are stating that they are having connection issues as well as slow bandwidth.
Reviewing the wireless router's logs, she sees that devices not belonging to the developers are
connecting to the access point. Which of the following would BEST alleviate the developers' reports?
A. Configure the router so that wireless access is based upon the connecting device's hardware address.
B. Modify the connection's encryption method so that it is using WEP instead of WPA2.
C. Implement connections via secure tunnel with additional software on the developers' computers.
D. Configure the router so that its name is not visible to devices scanning for wireless networks
432.)
Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing
data in use?
A. Email scanning
B. Content discovery
C. Database fingerprinting
D. Endpoint protection
433.)
After a company has standardized to a single operating system, not all servers are immune to a
well-known OS vulnerability. Which of the following solutions would mitigate this issue?
A. Host based firewall
B. Initial baseline configurations
C. Discretionary access control
D. Patch management system
434.)
A network security administrator is trying to determine how an attacker gained access to the
corporate wireless network. The network is configured with SSID broadcast disabled. The senior network
administrator explains that this configuration setting would only have deterred an unsophisticated
attacker because of which of the following?
A. The SSID can be obtained with a wireless packet analyzer
B. The required information can be brute forced over time
C. Disabling the SSID only hides the network from other WAPs
D. The network name could be obtained through a social engineering campaign
435.)
Joe, a user, upon arriving at work on Monday morning, noticed several files were deleted from the
system. There were no records of any scheduled network outages or upgrades to the system. Joe notifies
the security department of the anomaly found and removes the system from the network. Which of the
following is the NEXT action that Joe should perform?
A. Screenshots of systems
B. Call the local police
C. Perform a backup
D. Capture system image
436.)
Joe, a network technician at a company, is working on a network device. He creates a rule to
prevent users from connecting to a toy website during the holiday shopping season. This website is
blacklisted and is known to have SQL injections and malware. Which of the following has been
implemented?
A. Mandatory access
B. Network separation
C. Firewall rules
D. Implicit Deny
437.)
After a few users report problems with the wireless network, a system administrator notices that
a new wireless access point has been powered up in the cafeteria. The access point has the same SSID as
the corporate network and is set to the same channel as nearby access points. However, the AP has not
been connected to the Ethernet network. Which of the following is the MOST likely cause of the users'
wireless problems?
A. AP channel bonding
B. An evil twin attack
C. Wireless interference
D. A rogue access point
438.)
Which of the following is considered the MOST effective practice when securing printers or
scanners in an enterprise environment?
A. Routine vulnerability scanning of peripherals
B. Install in a hardened network segment
C. Turn off the power to the peripherals at night
D. Enable print sharing only from workstations
439.)
A system requires administrators to be logged in as the "root" in order to make administrator
changes. Which of the following controls BEST mitigates the risk associated with this scenario?
A. Require that all administrators keep a log book of times and justification for accessing root
B. Encrypt all users home directories using file-level encryption
C. Implement a more restrictive password rotation policy for the shared root account
D. Force administrators to log in with individual accounts and switch to root
E. Add the administrator to the local group
440.)
The user of a news service accidentally accesses another user's browsing history. From this the user
can tell what competitors are reading, querying, and researching. The news service has failed to properly
implement which of the following?
A. Application white listing
B. In-transit protection
C. Access controls
D. Full disk encryption
441.)
A security engineer discovers that during certain times of day, the corporate wireless network is
dropping enough packets to significantly degrade service. Which of the following should be the engineer's
FIRST step in troubleshooting the issues?
A. Configure stronger encryption
B. Increase the power level
C. Change to a higher gain antenna
D. Perform a site survey
442.)
A company is exploring the option of letting employees use their personal laptops on the internal
network. Which of the following would be the MOST common security concern in this scenario?
A. Credential management
B. Support ownership
C. Device access control
D. Antivirus management
443.)
While testing a new host based firewall configuration a security administrator inadvertently
blocks access to localhost which causes problems with applications running on the host. Which of the
following addresses refer to localhost?
A. ::0
B. 127.0.0.0
C. 127.0.0.1
D. 127.0.0/8
E. 127::0.1
444.)
A company discovers an unauthorized device accessing network resources through one of many
network drops in a common area used by visitors. The company decides that it wants to quickly prevent
unauthorized devices from accessing the network but policy prevents the company from making changes
on every connecting client. Which of the following should the company implement?
A. Port security
B. WPA2
C. Mandatory Access Control
D. Network Intrusion Prevention
445.)
A software company sends their offsite backup tapes to a third party storage facility. To meet
confidentiality the tapes should be:
A. Labeled
B. Hashed
C. Encrypted
D. Duplicated
446.)
Which of the following authentication services uses a default TCP of 389?
A. SAML
B. TACACS+
C. Kerberos
D. LDAP
447.)
Which of the following ports will be used for logging into secure websites?
A. 80
B. 110
C. 142
D. 443
448.)
A security administrator would like to write an access rule to block the three IP addresses given
below. Which of the following combinations should be used to include all of the given IP addresses?
192.168.12.255
192.168.12.227
192.168.12.229
A. 192.168.12.0/25
B. 192.168.12.128/28
C. 192.168.12.224/29
D. 192.168.12.225/30
449.)
A web startup wants to implement single sign-on where its customers can log on to the site by
using their personal and existing corporate email credentials regardless of which company they work for.
Is this directly supported by SAML?
A. No not without extensive partnering and API integration with all required email providers
B. Yes SAML is a web based single sign-on implementation exactly for this purpose
C. No a better approach would be to use required email providers LDAP or RADIUS repositories
D. Yes SAML can use oauth2 to provide this functionality out of the box
450.)
Which of the following attacks is generally initiated from a botnet?
A. Cross site scripting attack
B. HTTP header injection
C. Distributed denial of service
D. A war driving attack
451.)
A security administrator wishes to implement a method of generating encryption keys from user
passwords to enhance account security. Which of the following would accomplish this task?
A. NTLMv2
B. Blowfish
C. Diffie-Hellman
D. PBKDF2
452.)
A security technician would like an application to use random salts to generate short lived
encryption keys during the secure communication handshake process to increase communication
security. Which of the following concepts would BEST meet this goal?
A. Ephemeral keys
B. Symmetric Encryption Keys
C. AES Encryption Keys
D. Key Escrow
453.)
A security technician would like to use ciphers that generate ephemeral keys for secure
communication. Which of the following algorithms support ephemeral modes? (Select TWO)
A. Diffie-Hellman
B. RC4
C. RIPEMD
D. NTLMv2
E. PAP
F. RSA
454.)
A fiber company has acquired permission to bury a fiber cable through a farmer's land. Which of
the following should be in the agreement with the farmer to protect the availability of the network?
A. No farm animals will graze near the burial site of the cable
B. No digging will occur near the burial site of the cable
C. No buildings or structures will be placed on top of the cable
D. No crops will be planted on top of the cable
455.)
When implementing a Public Key Infrastructure, which of the following should the sender use to
digitally sign a document?
A. A CSR
B. A private key
C. A certificate authority
D. A public key
456.)
A company's BYOD policy requires the installation of a company-provided mobile agent on their
personally owned devices which would allow auditing when an employee wants to connect a device
to the corporate email system. Which of the following concerns will MOST affect the decision to use a
personal device to receive company email?
A. Personal privacy
B. Email support
C. Data ownership
D. Service availability
457.)
Environmental control measures include which of the following?
A. Access list
B. Lighting
C. Motion detection
D. EMI shielding
458.)
A user has attempted to access data at a higher classification level than the user's account is
currently authorized to access. Which of the following access control models has been applied to this
user's account?
A. MAC
B. DAC
C. RBAC
D. ABAC
459.)
A company determines that it is prohibitively expensive to become compliant with new credit
card regulations. Instead, the company decides to purchase insurance to cover the cost of any potential
loss. Which of the following is the company doing?
A. Transferring the risk
B. Accepting the risk
C. Avoiding the risk
D. Mitigating the risk
460.)
An organization has determined it can tolerate a maximum of three hours of downtime. Which
of the following has been specified?
A. RTO
B. RPO
C. MTBF
D. MTTR
461.)
An attacker compromises a public CA and issues unauthorized X.509 certificates
for Company.com. In the future, impact of similar incidents. Which of the following would
assist Company.com with its goal?
A. Certificate pinning
B. Certificate stapling
C. Certificate chaining
D. Certificate with extended validation
462.)
Malicious traffic from an internal network has been detected on an unauthorized port on an
application server. Which of the following network-based security controls should the engineer consider
implementing?
A. ACLs
B. HIPS
C. NAT
D. MAC filtering
463.)
A company wants to host a publicly available server that performs the following functions:
- Evaluates MX record lookup
- Can perform authenticated requests for A and AAAA records
- Uses RRSIG
Which of the following should the company use to fulfill the above requirements?
A. DNSSEC
B. SFTP
C. Nslookup
D. Dig
464.)
Which of the following attack types BEST describes a client-side attack that is used to mandate
an HTML iframe with JavaScript code via web browser?
A. MITM
B. XSS
C. SQLi
D. XSRF
465.)
A company has a data classification system with definitions for "Private" and "Public". The
company's security policy outlines how data should be protected based on type. The company recently
added the data type "Proprietary". Which of the following is the MOST likely reason the company added
this data type?
A. Reduced cost
B. More searchable data
C. Better data classification
D. Expanded authority of the privacy officer
466.)
A security administrator is developing training for corporate users on basic security principles for
personal email accounts. Which of the following should be mentioned as the MOST secure way for
password recovery?
A. Utilizing a single question for password recovery
B. Sending a PIN to a smartphone through text message
C. Utilizing CAPTCHA to avoid brute force attacks
D. Use a different e-mail address to recover password
467.)
A company researched the root cause of a recent vulnerability in its software. It was determined
that the vulnerability was the result of two updates made in the last release. Each update alone would
not have resulted in the vulnerability. In order to prevent similar situations in the future, the company
should improve which of the following?
A. Change management procedures
B. Job rotation policies
C. Incident response management
D. Least privilege access controls
468.)
A computer on a company network was infected with a zero-day exploit after an employee
accidentally opened an email that contained malicious content. The employee recognized the email as
malicious and was attempting to delete it, but accidentally opened it. Which of the following should be
done to prevent this scenario from occurring again in the future?
A. Install host-based firewalls on all computers that have an email client installed
B. Set the email program default to open messages in plain text
C. Install end-point protection on all computers that access web mail
D. Create new email spam filters to delete all messages from that sender
1.) CCTV and Motion=Detective
2.) Delete FDE key for mobile devices to become non-usable
3.) Mobile Device security will be ECC
4.) SELinux server has two connections and should only have one means you have an unauthorized network
5.) Analyze logs of DMZ to see if a brute force password is successful
6.) Deploy OCSP if you need to see if users certs are good
7.) SCP to securely transfer files
8.) Network segmentation to minimize network congestion
9.) Three new environments= network segmentation
10.) Place users in appropriate security groups and white list because users install software like priority and they change things.
11.) Protect integrity you use encryption
12.) Cloud computing concerns are multinational concerns
13.) Non-repudiation and message integrity is done by digital signatures
14.) Cold site can be just HVAC and power
15.) Restrict write access to the allowed executables paths because after locking down group policies people are still able to install.
16.) When you have five nines in a row that is availability
17.) Virtualization is using software to emulate hardware
18.) Ping sweep is to start vulnerability scanner on servers
19.) 3DES and ECDHE are used for key exchange and session key
20.) NAT keeps internal IP addresses hidden
21.) Smart Card and PIN, Biometrics and SSO are things for authentication
22.) IP Spoofing means you have to be on the same network as the victim