1.) A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over un-trusted media. Which of the following BEST describes the action performed by this type of application? A. Hashing B. Key exchange C. Encryption D. Obfuscation 2.) A company wants to ensure confidential data storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use? A. Shredding B. Wiping C. Low-level formatting D. Repartitioning E. Overwriting 3.) A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? A. Banner grabbing B. Port scanning C. Packet sniffing D. Virus scanning 4.) Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS? A. Privilege escalation B. Pivoting C. Process affinity D. Buffer overflow 5.) A. B. C. D. When developing an application, executing a preconfigured set of instructions is known as: A code library Code signing A stored procedure Infrastructure as a code 6.) A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the internet, regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this? A. Configure the OS default TTL to 1 B. Use NAT on the R&D network C. Implement a router ACL D. Enable protected ports on the switch 7.) An application was recently compromised after some malformed data came in via a web form. Which of the following would MOST likely have prevented this? A. Input validation B. Proxy server C. Stress testing D. Encoding 8.) When attackers use a compromised host as a platform for launching attacks deeper into a company’s network, it is said that they are: A. Escalating privilege B. Becoming persistent C. Fingerprinting D. Pivoting 9.) A new Chief Information Officer has been reviewing the badging procedures and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy? A. Physical B. Corrective C. Technical D. Administrative 10.) Which of the following refers to the term used to restore a system to its operational state? A. MTBF B. MTTR C. RTO D. RPO 11.) A security manager is creating an account management policy for a global organization with sales personnel who must access corporate network resources while traveling all over the world. Which of the following practices is the security manager MOST likely to enforce with the policy? (Select TWO) A. Time-of-day restrictions B. Password complexity C. Location-based authentication D. Group-based access control E. Standard naming convention 12.) Which of the following would provide additional security by adding another factor to a smart card? A. Token B. Proximity badge C. Physical key D. PIN 13.) A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A. B. C. D. Enable CHAP Disable NTLM Enable Kerberos Disable PAP 14.) A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program. Which of the following issues could occour if left unresolved?(Select TWO) A. MITM attack B. DoS attack C. DLL injection D. Buffer overflow E. Resource exhaustion 15.) A company has a data classification system with definitions for “Private” and “Public.” The company’s security policy outlines how data should be protected based on type. The company recently added the data type “Proprietary” which of the following is the MOST likely reason the company added this data type. A. Reduced cost B. More searchable data C. Better data classification D. Expanded authority of the privacy officer 16.) A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take? A. Identify the source of the active connection B. Perform eradication of the active connection and recover C. Perform a containment procedure by disconnecting the server D. Format the server and restore its initial configuration 17.) A security engineer must install the same x.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use? A. Wildcard certificate B. Extended validation certificate C. Certificate chaining D. Certificate utilizing the SAN field 18.) Which of the following BEST describes an important security advantage yielded by implementing vendor diversity? A. Sustainability B. Homogeneity C. Resiliency D. Configurability 19.) A security administrator has found a hash in the environment known to belong to malware. The administrator then finds this file to be in the preupdate area of the OS, which indicates it was pushed form the central patch system: The administrator pulls a report from the patch management system with the following output: A. B. C. D. Given the above outputs, which of the following MOST likely happened? The file was corrupted after it left the patch system The file was infected when the patch manager downloaded it The file was not approved in the application whitelist system The file was embedded with a logic bomb to evade detection 20.) Which of the following differentiates a collision attack from a rainbow table attack? A. A rainbow table attack performs a hash lookup B. A rainbow table attack uses the hash as a password C. In a collision attack, the hash and the input data are equivalent D. In a collision attack, the same input results in different hashes 21.) Ransomware is detected on a database administrators workstation. Which of the following forensic procedures should be performed FIRST to mitigate the threat? A. Capture volatile memory B. Create a system image C. Isolate the workstation D. Review network traffic logs 22.) Ann, a new security specialists, is attempting to access the internet using the company’s open wireless network. The wireless network is not encrypted, however, once associated, Ann cannot access the internet or other resources. In an attempt to troubleshoot, she scans the wireless network with NMAP and discovers the firewall is the only other device on the wireless network. Which of the following BEST describes the company’s wireless network situation? A. The company uses VPN to authenticate and encrypt connections and traffic B. The company’s WAP is being spoofed C. The company allows unencrypted traffic to the internet D. The company is using a wireless connection for internet traffic, so it does not need additional encryption 23.) RJ-45 ports have been implemented on an embedded system to allow engineers more convenient access. The network administrator has concerns regarding placing the equipment on the internal network and exposing the devices. Which of the following would BEST meet both concerns if the equipment is placed on the internal network? A. Install the latest OS patches, and implement an antivirus solution on the equipment B. Create a separate network segment for the equipment that only the engineers can access C. Configure the switch that the proprietary system equipment is on to block all incoming traffic D. Install a host-based prevention system on every piece of equipment to filter unknown traffic 24.) Which of the following threats is BEST mitigated by application hardening and patching rather than security training? A. Vishing B. Shoulder surfing C. Spimming D. Software exploits 25.) A security administrator generates a key pair and sends one key inside a request file to a third party. The third party sends back a signed file. In this scenario, the key sent to the third party is called a: A. Private key B. Session key C. Public key D. Recovery key 26.) An attacker drives past a company, captures the name of the WiFi network and locates a coffee shop near the company. The attacker creates a mobile hotspot with the same name as the company’s WiFi. Which of the following Best describes this wireless attack? A. War driving B. Rogue access point C. Near field communication D. Evil twin 27.) A developer needs to store sensitive employee information on a backend database. The sensitive database records must be accessed by a public web server in the DMZ. Which of the following should be implemented to secure the sensitive information stored in the database? A. Store the sensitive records using symmetric encryption B. Implement an ACL that prevents the web server from accessing the sensitive records C. Hash the sensitive records before storing them in the database D. Store the sensitive records using irreversible encryption 28.) To protect the confidentiality of a VPN session key, the administrator copies the key to a USB drive and ships it overnight to a remote location. This type of key exchange is BEST described as: A. Insecure B. Out-of-band C. Transport encryption D. In-band 29.) A company is experiencing problems with performance and downtime because application updates and patching are being conducted on production systems during business hours. Users and other IT staff are not being notified of the updates. Which of the following should be instituted to BEST resolve the problems? A. Incident management B. Change management C. User right review D. Acceptable use policy 30.) A Linux server using TCP wrappers is utilized in a SCADA environment. Which of the following entries should be placed in the hosts.allow file to allow access on port 22 for a client at 192.168.14.127? A. Sshd: 192.168.14.127 B. In.ssh 192.168.14.127 C. In. sftp 192.168.14.127 D. In. telnet 192.168.14.127 31.) A service desk manager is developing an SLA to be used with a new customer. As part of the SLA, various metrics regarding uptime, responsiveness, and remediation are being identified. Given the manager’s unfamiliarity with the products being supported, which of the following metrics would be MOST important to solicit from the customer to determine how much downtime should be expected? A. MTBF, MTTF B. ALE, SLE C. ARO, MTTR, MTBF D. ARO, ALE, MTTF 32.) Members of a production team have been using the username and password of Ann, and employee, to log into their workstations because Ann has elevated privileges. The administrator wants to prevent unauthorized users from logging in with false credentials, while still allowing Ann to continue to utilize her provided equipment. Which of the following should the administrator configure to achieve this? A. Concurrent login B. Password complexity C. Account lockout D. Authorized workstations 33.) A company needs to adopt a single tenant CSP due to strict regulatory compliance issues. The company wants the CSP to be available at all times and accessible from anywhere over the internet. Which of the following solutions should the company adopt? A. Private cloud B. Hybrid cloud C. Public cloud D. Community cloud 34.) A security administrator spots the following log entry fragment on a web server: GET /home.aspx?id=<script>alert(document.cookie) </script> Which of the following types of attacks was attempted? A. Cross-site request forgery B. Session enumeration C. Cross-site scripting D. Buffer overflow 35.) A systems administrator wants to install a new PKI certificate on a web server. The administrator creates a CSR. Which of the following should the administrator send to the CA to issue a trusted certificate? A. The web server’s public key B. The web server’s private key C. The web server’s private/public key pair D. The web server’s CA public key 36.) A malicious user attempts to access a company’s wireless network from the parking lot. Upon launching the wireless network from the parking lot. Upon launching the wireless scanner, the malicious user activates the SSID decloak feature and views many other SSID’s. However, the company’s SSID does not appear as an available network in the tool. Which of the following is preventing the malicious user form scanning the company’s wireless network? A. Authentication via a captive portal B. Low-power directional antennas C. Disable SSID broadcast on each access point D. MAC filtering on every wireless device 37.) A new security policy being implemented requires all email within the organization be digitally signed by the author using PGP. Which of the following would needs to be created for each user? A. A certificate authority B. A key escrow C. A trusted key D. A public and private key 38.) While responding to an incident on a Linux server, the administrator needs to disable unused services. Which of the following commands can be used to see processes that are listening on a TCP port? A. Lsof B. Tcpdump C. Top D. Ifconfig 39.) An administrator wants to ensure that the reclaimed space of a hard drive has been sanitized while the computer is in use. Which of the following can be implemented A. Cluster tip wiping B. Individual file encryption C. Full disk encryption D. Storage retention 40.) Which of the following access controls enforces permissions based on data labeling at specific levels? A. Mandatory access control B. Separation of duties access control C. Discretionary access control D. Role based access control 41.) A security technician would like an application to use random salts to generate short lived encryption leys during the secure communication handshake process to increase communication security. Which of the following concepts would BEST meet this goal? A. Ephemeral keys B. Symmetric Encryption Keys C. AES Encryption keys D. Key Escrow 42.) Joe, an employee, was escorted from the company premises due to suspicion of revealing trade secrets to a competitor. Joe had already been working for two hours before leaving the premises. A security technician was asked to prepare a report of files that had changed since last night's integrity scan. Which of the following could the technician use to prepare the report? (Select TWO). A. PGP B. MD5 C. ECC D. AES E. Blowfish F. HMAC 43.) A breach at a credit card company resulted in customers credit card information being exposed . The company has conducted a full forensic investigation and identified the source of the breach. Which of the following should the company do NEXT? A. Move to the incident identification phase B. Implement the risk assessment plan C. Implement damage and loss control procedures D. Implement first responder processes 44.) A security administrator discovered that all communication over the company's encrypted wireless network is being captured by savvy employees with a wireless sniffing tool and is then being decrypted in an attempt to steal other employee's credentials. Which of the following technology is MOST likely in use on the company's wireless? A. WPA with TKIP B. VPN over open wireless C. WEP 128-PSK D. WPA2-Enterprise 45.) An administrator is implementing a new management system for the machinery on the company's production line. One requirement is that the system only be accessible while within the production facility. Which of the following will be the MOST effective solution in limiting access based on this requirement? A. Access control list B. Firewall policy C. Air Gap D. MAC filter 46.) Which of the following is a security concern regarding users bringing personally-owned devices that they connect to the corporate network? A. Cross-platform compatibility issues between personal devices and server-based applications B. Lack of controls in place to ensure that the devices have the latest system patches and signature files C. Non-corporate devices are more difficult to locate when a user is terminated D. Non-purchased or leased equipment may cause failure during the audits of company-owned assets 47.) Which of the following offerings typically allows the customer to apply operating system patches? A. Software as a service B. Public Clouds C. Cloud Based Storage D. Infrastructure as a service 48.) A thief has stolen mobile device and removed its battery to circumvent GPS location tracking. The device user is a four digit PIN. Which of the following is a mobile device security control that ensures the confidentiality of company data? A. Remote wiping B. Mobile Access control C. Full device encryption D. Inventory control 49.) The security administrator is analyzing a user's history file on a Unix server to determine if the user was attempting to break out of a rootjail. Which of the following lines in the user's history log shows evidence that the user attempted to escape the rootjail? A. cd ../../../../bin/bash B. whoami C. ls/root D. sudo –u root 50.) Due to issues with building keys being duplicated and distributed, a security administrator wishes to change to a different security control regarding a restricted area. The goal is to provide access based upon facial recognition. Which of the following will address this requirement? A. Set up mantraps to avoid tailgating of approved users. B. Place a guard at the entrance to approve access. C. Install a fingerprint scanner at the entrance. D. Implement proximity readers to scan users' badges. 51.) Anne an employee receives the following email: From: Human Resources To: Employee Subject: Updated employee code of conduct Please click on the following link: http//external.site.com/codeofconduct.exe to review the updated code of conduct at your earliest convenience. After clicking the email link, her computer is compromised. Which of the following principles of social engineering was used to lure Anne into clicking the phishing link in the above email? A. Authority B. Familiarity C. Intimidation D. Urgency 52.) Which of the following is an XML based open standard used in the exchange of authentication and authorization information between different parties? A. LDAP B. SAML C. TACACS+ D. Kerberos 53.) A security administrator must implement a network that is immune to ARP spoofing attacks. Which of the following should be implemented to ensure that a malicious insider will not be able to successfully use ARP spoofing techniques? A. UDP B. IPv6 C. IPSec D. VPN 54.) Although a vulnerability scan report shows no vulnerabilities have been discovered, a subsequent penetration test reveals vulnerabilities on the network. Which of the following has been reported by the vulnerability scan? A. Passive scan B. Active scan C. False positive D. False negative 55.) A company used a partner company to develop critical components of an application. Several employees of the partner company have been arrested for cybercrime activities. Which of the following should be done to protect the interest of the company? A. Perform a penetration test against the application B. Conduct a source code review of the application C. Perform a baseline review of the application D. Scan the application with antivirus and anti-spyware products. 56.) A recently installed application update caused a vital application to crash during the middle of the workday. The application remained down until a previous version could be reinstalled on the server, and this resulted in a significant loss of data and revenue. Which of the following could BEST prevent this issue from occurring again? A. Application configuration baselines B. Application hardening C. Application access controls D. Application patch management 57.) A systems administrator has implemented PKI on a classified government network. In the event that a disconnect occurs from the primary CA, which of the following should be accessible locally from every site to ensure users with bad certificates cannot gain access to the network? A. A CRL B. Make the RA available C. A verification authority D. A redundant CA 58.) The loss prevention department has purchased a new application that allows the employees to monitor the alarm systems at remote locations. However, the application fails to connect to the vendor's server and the users are unable to log in. Which of the following are the MOST likely causes of this issue? (Select TWO). A. URL filtering B. Role-based access controls C. MAC filtering D. Port Security E. Firewall rules 59.) Which of the following steps in incident response procedures entails of the incident and identification of knowledge gained that can be applied to future handling of incidents? A. Recovery procedures B. Escalation and notification C. Reporting D. Lessons learned 60.) Which of the following protocols operates at the HIGHEST level of the OSI model? A. ICMP B. IPSec C. SCP D. TCP 61.) An administrator implements SELinux on a production web server. After implementing this, the web server no longer serves up files from users’ home directories. To rectify this, the administrator creates a new policy as the root user. This is an example of which of the following? (Select Two). A. Enforcing SELinux in the OS kernel is role-based access control B. Enforcing SELinux in the OS kernel is rule-based access control C. The policy added by the root user is mandatory access control D. Enforcing SELinux in the OS kernel is mandatory access control E. The policy added by the root user is role-based access control F. The policy added by the root user is rule-based access control 62.) Which of the following documents outlines the technical and security requirements of an agreement between organizations? A. BPA B. RFQ C. ISA D. RFC 63.) Which of the following is a penetration testing method? A. Searching the WHOIS database for administrator contact information B. Running a port scanner against the targets network C. War driving from a target’s parking lot to footprint the wireless network D. Calling the target’s helpdesk, requesting a password reset 64.) Which of the following types of technologies is used by security and research personnel for identification and analysis of new security threats in a networked environment by using false data/hosts for information collection? A. Honeynet B. Vulnerability scanner C. Port scanner D. Protocol analyzer 65.) When confidentiality is the primary concern, and a secure channel for key exchange is not available, which of the following should be used for transmitting company documents? A. Digital signature B. Symmetric C. Asymmetric D. Hashing 66.) A new web server has been provisioned at a third party hosting provider for processing credit card transactions. The security administrator runs the netstat command on the server and notices that ports 80, 443 and 3389 are in listening state. No other ports are open. Which of the following services should be disabled to ensure secure communications? A. HTTPS B. HTTP C. RDP D. TELENT 67.) A security administrator must implement a network that is immune to ARP spoofing attacks. Which of the following should be implemented to ensure that a malicious insider will not be able to successfully use ARP spoofing techniques? A. UDP B. IPv6 C. IPSec D. VPN 68.) After working on his doctoral dissertation for two years, Joe, a user, is unable to open his dissertation file. The screen shows a warning that the dissertation file is corrupted because it is infected with a backdoor, and can only be recovered by upgrading the antivirus software from the free version to the commercial version. Which of the following types of malware is the laptop MOST likely infected with? A. Ransomware B. Trojan C. Backdoor D. Armored virus 69.) The loss prevention department has purchased a new application that allows the employees to monitor the alarm systems at remote locations. However, the application fails to connect to the vendor's server and the users are unable to log in. Which of the following are the MOST likely causes of this issue? A. URL filtering B. Role-based access controls C. MAC filtering D. Port security E. Firewall Rules 70.) Joe must send Ann a message and provide Ann with assurance that he was the actual sender. Which of the following will Joe need to use to BEST accomplish the objective? A. A pre-shared key private key B. His private key C. Ann’s public key D. His public key 71.) Which of the following protocols is MOST likely to be leveraged by users who need additional information about another user? A. LDAP B. RADIUS C. Kerberos D. TACACS+ 72.) A retail store uses a wireless network for its employees to access inventory from anywhere in the store. Due to concerns regarding the aging wireless network, the store manager has brought in a consultant to harden the network. During the site survey, the consultant discovers that the network was using WEP encryption. Which of the following would be the BEST course of action for the consultant to recommend? A. Replace the unidirectional antenna at the front of the store with an omni-directional antenna. B. Change the encryption used so that the encryption protocol is CCMP-based. C. Disable the network's SSID and configure the router to only access store devices based on MAC addresses. D. Increase the access point's encryption from WEP to WPA TKIP. 73.) A security team has established a security awareness program. Which of the following would BEST prove the success of the program? A. Policies B. Procedures C. Metrics D. Standards 74.) Which of the following should an administrator implement to research current attack methodologies? A. Design reviews B. Honeypot C. Vulnerability scanner D. Code reviews 75.) After analyzing and correlating activity from multiple sensors, the security administrator has determined that a group of very well organized individuals from an enemy country is responsible for various attempts to breach the company network, through the use of very sophisticated and targeted attacks. Which of the following is this an example of? A. Privilege escalation B. Advanced persistent threat C. Malicious insider threat D. Spear phishing 76.) Which of the following types of attacks involves interception of authentication traffic in an attempt to gain unauthorized access to a wireless network? A. Near field communication B. IV attack C. Evil twin D. Replay attack 77.) Alice, a security analyst, is reviewing logs from hosts across the Internet which her company uses to gather data on new malware. Which of the following is being implemented by Alice's company? A. Vulnerability scanner B. Honeynet C. Protocol analyzer D. Port scanner 78.) A company is looking to improve their security posture by addressing risks uncovered by a recent penetration test. Which of the following risks is MOST likely to affect the business on a day-to-day basis? A. Insufficient encryption methods B. Large scale natural disasters C. Corporate espionage D. Lack of antivirus software 79.) Which system should you implement if you want to create a file system access control model where you can label files as "Secret", "Confidential", "Restricted", or "Unclassified"? A. SCADA system B. Trusted OS C. Version control D. White and black listing 80.) Bob, an employee, was escorted from the company premises due to suspicion of revealing trade secrets to a competitor. Bob had already been working for two hours before leaving the premises. A security technician was asked to prepare a report of files that had changed since last night's integrity scan. Which of the following could the technician use to prepare the report? (Select TWO). A. PGP B. MD5 C. ECC D. AES E. Blowfish F. HMAC 81.) Which is the hardest to crack and requires both parties to exchange the encryption key before communicating? A. AES B. PGP/GPG C. 3DES D. One-time pads 82.) Bob needs to send Sally a digitally signed and encrypted email. Which algorithms and keys is used to complete these actions? A. Bob's public key to encrypt using SHA, Sally's private key to sign using 3DES B. Bob's private key to encrypt using 3DES, Sally's public key to sign using SHA C. Sally's public key to encrypt using 3DES, Bob's private key to sign using SHA D. Sally's private key to encrypt using SHA, Bob's public key to sign using 3DES 83.) In order to digitally sign your emails with PGP, what needs to be created first? A. A public and private key B. A trusted key C. A key escrow D. A certificate authority 84.) If you need to look at a former employee’s email for a court case but the emails have been deleted, you should take a look at your? A. Key escrow B. Data retention policies C. Certificate authority D. Key recovery agent 85.) Which of the following can be used to ensure that sensitive records stored on a backend server can only be accessed by a front end server with the appropriate record key? A. File encryption B. Storage encryption C. Database encryption D. Full disk encryption 86.) In Kerberos, the Ticket Granting Ticket (TGT) is used for which of the following? A. Identification B. Authorization C. Authentication D. Multifactor authentication 87.) In order to secure additional budget, a security manager wants to quantify the financial impact of a onetime compromise. Which of the following is MOST important to the security manager? A. Impact B. SLE C. ALE D. ARO 88.) A security technician is implementing PKI on a Network. The technician wishes to reduce the amount of bandwidth used when verifying the validity of a certificate. Which of the following should the technician implement? A. CSR B. Key escrow C. OSCR D. CRL 89.) An access point has been configured for AES encryption but a client is unable to connect to it. Which of the following should be configured on the client to fix this issue? A. WEP B. CCMP C. TKIP D. RC4 90.) A company wants to improve its overall security posture by deploying environmental controls in its datacenter. Which of the following is considered an environmental control that can be deployed to meet this goal? A. Full-disk encryption B. Proximity readers C. Hardwood locs D. Fire suppression 91.) Ann, a security administrator, is strengthening the security controls of the company's campus. Her goal is to prevent people from accessing open locations that are not supervised, such as around the receiving dock. She is also concerned that employees are using these entry points as a way of bypassing the security guard at the main entrance. Which of the following should Ann recommend that would BEST address her concerns? A. Increase the lighting surrounding every building on campus B. Build fences around campus with gate entrances C. Install cameras to monitor the unsupervised areas D. Construct bollards to prevent vehicle entry in non-supervised areas 92.) A security administrator is responsible for ensuring that there are no unauthorized devices utilizing the corporate network. During a routine scan, the security administrator discovers an unauthorized device belonging to a user in the marketing department. The user is using an android phone in order to browse websites. Which of the following device attributes was used to determine that the device was unauthorized? A. An IMEI address B. A phone number C. A MAC address D. An asset ID 93.) A security administrator is notified that users attached to a particular switch are having intermittent connectivity issues. Upon further research, the administrator finds evidence of an ARP spoofing attack. Which of the following could be utilized to provide protection from this type of attack? A. Configure MAC filtering on the switch B. Configure loop protection on the switch C. Configure flood guards on the switch D. Configure 802.1x authentication on the switch 94.) A software security concern when dealing with hardware and devices that have embedded software or operating systems is: A. Patching may not always be possible B. Configuration support may not be available C. There is no way to verify if a patch is authorized or not D. The vendor may not have a method for installation of patches 95.) Ann a technician received a spear-phishing email asking her to update her personal information by clicking the link within the body of the email. Which of the following type of training would prevent Ann and other employees from becoming victims to such attacks? A. User awareness B. Acceptable use policy C. Personal identifiable information D. Information sharing 96.) Which of the following is a step in deploying a WPA2-Enterprise wireless network? A. Install a token on the authentication server B. Install a DHCP server on the authentication server C. Install an encryption key on the authentication server D. Install a digital certificate on the authentication server 97.) A system administrator needs to implement 802.1x whereby when a user logs into the network the authentication server communicates with a switch and assigns the user to the proper VLAN. Which of the following protocols should be used? A. RADIUS B. Kerberos C. LDAP D. MSCHAP 98.) Which of the following can be provided to an AAA system for the identification phase? A. Username B. Permissions C. One-time token D. Private certificate 99.) A security administrator is notified that users attached to a particular switch are having intermittent connectivity issues. Upon further research, the administrator finds evidence of an ARP spoofing attack. Which of the following could be utilized to provide protection from this type of attack? A. Configure MAC filtering on the switch B. Configure loop protection on the switch C. Configure flood guards on the switch D. Configure 802.1x authentication on the switch 100.) The Chief Information Security Officer is concerned that users could bring their personal laptops to work and plug them directly into the network ports under their desks. Which of the following should be configured on the network switch to prevent this from happening? A. Access control lists B. Loop protection C. Firewall rule D. Port security 101.) Recently, several employees were victims of a phishing email that appeared to originate from the company president. The email claimed the employees would be disciplined if they did not click on a malicious link in the message. Which of the following principles of social engineering made this attack successful? A. Authority B. Spamming C. Social proof D. Scarcity 102.) Which of the following would enhance the security of accessing data stored in the cloud? (select two) A. Block-level encryption B. SAML authentication C. Transport encryption D. Multifactor authentication E. Predefined challenge questions F. Hashing 103.) A dumpster driver recovers several hard drives from a company and is able to obtain confidential data from one of the hard drives. The company then discovers its information is posted online. Which of the following methods would have MOST likely prevented the data from being exposed? A. Removing the hard drive from its enclosure B. Using software to repeatedly rewrite over the disk space C. Using blowfish encryption on the hard drives D. Using magnetic fields to erase the data 104.) Ann, a systems administrator, is installing an extremely critical system that can support zero downtime. Which of the following BEST describes the type of system Ann is installing? A. High availability B. Clustered C. RAID D. Load balanced 105.) An administrator has to determine host operating systems on the network and has deployed a transparent proxy. Which of the following fingerprint types would this solution use? A. Packet B. Active C. Port D. Passive 106.) An administrator needs to protect against downgrade attacks due to various vulnerabilities in SSL/TLS. Which of the following actions should be performed? (select Two) A. Set the minimum protocol supported B. Request a new certificate from the CA C. Configure the cipher order D. Disable flash cookie support E. Rekey the SSL certificate F. Add the old certificate to the CRL 107.) Which of the following is a step in deploying a WPA2-Enterprise wireless network? A. Install a token on the authentication server B. Install a DHCP server on the authentication server C. Install an encryption key on the authentication server D. Install a digital certificate on the authentication server 108.) The security manager must store a copy of a sensitive document and needs to verify at a later point in time that the document has not been altered. Which of the following will accomplish the security manager’s objective? A. RSA B. AES C. MD5 D. RC4 109.) An organization currently employs signature-based NIPS and a firewall, though a recent penetration test demonstrated this existing implementation is insufficient. Which of the following represents the BEST approach to reduce risk? A. Deploy technologies that will detect and stop deviations from normal B. Develop firewall rules that only allow communication to/from unauthorized systems C. Apply the latest updates for all firewalls and NIPS D. Deploy a SIEM with appropriate sensors and collectors for log correlation 110.) An administrator is instructed to disable IP-directed broadcasts on all routers in an organization. Which of the following attacks does this prevent? A. Pharming B. Smurf C. Replay D. Xmas 111.) Which of the following can be used for both encryption and digital signatures? A. 3DES B. AES C. RSA D. MD5 112.) A security technician would like to obscure sensitive data within a file so it can be transferred without causing suspicion. Which of the following technologies would be BEST suited to accomplish this? A. Transport encryption B. Stream encryption C. Digital signature D. Steganography 113.) A security administrator is reviewing the following log from the company’s UTM, which is installed at the network perimeter PERMIT 172.165.143.5:80 192.168.2.6:1020 FIN PERMIT 10.76.23.5:42331 192.168.1.4:80 SYN PERMIT 192.168.1.4:80 10.76.23.5:42331 SYN/ACK PERMIT 10.76.23.5:42331 192.168.1.4:80 ACK DENY 10.100.34.5:1331 192.168.3.10:445 ACK PERMIT 172.132.5.6:1432 192.168.3.2:80 SYN Given the following additional information: Guess Network: 192.168.1.0/24 User Network: 192.168.2.0/24 Server Network: 192.168.3.0/24 Which of the following should the security administrator recommend? A. Enforce the use of HTTPS B. Block outbound traffic initiated from the user network C. Block incoming traffic to the guest network D. Allow the server network to initiate outbound connections to the internet E. Allow incoming traffic initiated from the internet 114.) A vice president at a manufacturing organization is concerned about desktops being connected to the network. Employees need to log onto the desktops’ local account to verify that a product is being created within specifications, otherwise, the desktops should be as isolated as possible. Which of the following is the BEST way to accomplish this? A. Put the desktops in the DMZ B. Create a separate VLAN for the desktops C. Air gap the desktops D. Join the desktops to an ad-hoc network 115.) An administrator has configured a new Linux server with the FTP service. Upon verifying that the service was configured correctly, the administrator has several users test the FTP service. Users report that they are able to connect to the FTP service and download their personal files, however, they cannot transfer new files to the server. Which of the following will MOST likely fix the uploading issue for the users? A. Create an ACL to allow the FTP service write access to user directories B. Set the Boolean SELinux value to allow FTP home directory uploads C. Reconfigure the FTP daemon to operate without utilizing the PASV mode D. Configure the FTP daemon to utilize PAM authentication pass through user permissions 116.) The Chief Information Office has asked a security analyst to determine the estimated costs associated with each potential breach of the database that contains customer information. Which of the following is the risk calculation the CIO is asking for? A. Impact B. SLE C. ARO D. ALE 117.) An employer requires that employees use a key-generating app on their smart phones to log into corporate applications. In terms of authentication to the individual, this type of access policy is BEST defined as: A. Something you have B. Something you know C. Something you do D. Something you are 118.) A project manager is working with an architectural firm that focuses on physical security. The project manager would like to provide requirements that support the primary goal of safety. Based on the project manager’s desires, which of the following controls would be BEST to incorporate into the facility design? A. Biometrics B. Escape routes C. Reinforcements D. Access controls 119.) A small company has recently purchased cell phones for managers to use while working outside of the office. The company does not currently have a budget for mobile device management and is primarily concerned with deterring leaks of sensitive information obtained by unauthorized access to unattended phones. Which of the following would provide the solution that BEST meets the company’s requirements? A. Screen lock B. Disable removable storage C. Full-device encryption D. Remote wiping 120.) Which of the following attack types is being carried out when a target is being sent unsolicited messages via Bluetooth? A. War chalking B. Bluejacking C. Bluesnarfing D. Rogue tethering 121.) When analyzing the behavior of a malicious piece of software, which of the following environments should be used? A. Production B. Development C. Test D. Sandbox 122.) An employee needs to connect to a server using a secure protocol on the default port. Which of the following ports should be used? A. 21 B. 22 C. 80 D. 110 123.) Which of the following technologies would be MOST appropriate to utilize when testing a new software patch before a company-wide deployment? A. Cloud computing B. Virtualization C. Redundancy D. Application control 124.) Which of the following would an attacker use to generate and capture additional traffic prior to performing an IV attack? A. DNS poisoning B. DDOS C. Replay attack D. Dictionary attack 125.) A company executive’s laptop was compromised leading to a security breach. The laptop was placed into storage by a junior system administrator and was subsequently wiped and reimaged. When it was determined that the authorities would need to be involved, there was little evidence to present to the investigators. Which of the following procedures should have been implemented to aid the authorities in their investigation? A. A comparison should have been created from the original system’s file hashes B. Witness testimony should have been taken by the administrator C. The company should have established a chain of custody to track the laptop D. A system image should have been created and stored 126.) An administrator wants to establish a WiFi network using a high gain directional antenna with a narrow radiation pattern to connect two buildings separated by a very long distance. Which of the following antennas would be BEST for this situation? A. Dipole B. Yagi C. Sector D. Omni 127.) Joe, the system administrator, has been asked to calculate the Annual Loss Expectancy (ALE) for a $5,000 server, which often crashes. In the past year, the server has crashed 10 times, requiring a system reboot to recover with only 10% loss of data or function. Which of the following is the ALE of this server? A. $500 B. $5,000 C. $25,000 D. $50,000 128.) The Chief Information Officer (CIO) has asked a security analyst to determine the estimated costs associated with each potential breach of their database that contains customer information. Which of the following is the risk calculation that the CIO is asking for? A. Impact B. SLE C. ARO D. ALE 129.) A system administrator wants to confidentially send a user name and password list to an individual outside the company without the information being detected by security controls. Which of the following would BEST meet this security goal? A. Digital Signatures B. Hashing C. Full-disk encryption D. Steganography 130.) Which of the following provides the strongest authentication security on a wireless network? A. MAC filter B. WPA2 C. WEP D. Disable SSID broadcast 131.) A security administrator is notified that users attached to a particular switch are having intermittent connectivity issues. Upon further research, the administrator finds evidence of an ARP spoofing attack. Which of the following could be utilized to provide protection from this type of attack? A. Configure MAC filtering on the switch B. Configure loop protection on the switch C. Configure flood guards on the switch D. Configure 802.1x authentication on the switch 132.) An administrator has to determine host operating systems on the network and has deployed a transparent proxy. Which of the following fingerprint types would this solution use? A. Packet B. Active C. Port D. Passive 133.) Which of the following ports is used for TELNET by default? A. 22 B. 23 C. 21 D. 20 134.) Which of the following can be used to ensure that sensitive records stored on a backend server can only be accessed by a front end server with the appropriate record key? A. File encryption B. Storage encryption C. Database encryption D. Full disk encryption 135.) A system administrator is configuring UNIX accounts to authenticate against an external server. The configuration file asks for the following information DC=ServerName and DC=COM. Which of the following authentication services is being used? A. RADIUS B. SAML C. TACACS+ D. LDAP 136.) Which of the following is an XML based open standard used in the exchange of authentication and authorization information between different parties? A. LDAP B. SAML C. TACACS+ D. Kerberos 137.) Which of the following is an authentication method that can be secured by using SSL? A. RADIUS B. LDAP C. TACACS+ D. Kerberos 138.) Ann a member of the Sales Department has been issued a company-owned laptop for use when traveling to remote sites. Which of the following would be MOST appropriate when configuring security on her laptop? A. Configure the laptop with a BIOS password B. Configure a host-based firewall on the laptop C. Configure the laptop as a virtual server D. Configure a host based IDS on the laptop 139.) An overseas branch office within a company has many more technical and non-technical security incidents than other parts of the company. Which of the following management controls should be introduced to the branch office to improve their state of security? A. Initial baseline configuration snapshots B. Firewall, IPS and network segmentation C. Event log analysis and incident response D. Continuous security monitoring process 140.) When designing a new network infrastructure, a security administrator requests that the intranet web server be placed in an isolated area of the network for security purposes. Which of the following design elements would be implemented to comply with the security administrator's request? A. DMZ B. Cloud services C. Virtualization D. Sandboxing 141.) Which of the following can be used to maintain a higher level of security in a SAN by allowing isolation of mis-configurations or faults? A. VLAN B. Protocol security C. Port security D. VSAN 142.) A company determines a need for additional protection from rogue devices plugging into physical ports around the building. Which of the following provides the highest degree of protection from unauthorized wired network access? A. Intrusion Prevention Systems B. MAC filtering C. Flood guards D. 802.1x 143.) An access point has been configured for AES encryption but a client is unable to connect to it. Which of the following should be configured on the client to fix this issue? A. WEP B. CCMP C. TKIP D. RC4 144.) Which of the following is the BEST concept to maintain required but non-critical server availability? A. SaaS site B. Cold site C. Hot site D. Warm site 145.) Virutalization would provide an ROI when implemented under which of the following situations? A. Numerous servers with no fail-over requirement B. Multiple existing 100% utilized physical servers C. Numerous clients with a requirement for fast processors D. Multiple existing but underutilized physical servers 146.) Which of the following remote authentication methods uses a reliable transport layer protocol for communication? A. RADIUS B. LDAP C. TACACS+ D. SAML 147.) An administrator wants to restrict traffic between two VLANs. The network devices connecting the two VLANs are layer 3 switches. Which of the following should the admin configure? A. IDS rule B. Subnet mask C. ACL D. Firewall 148.) A security architect is choosing a cryptographic suite for the TLS 1.2 configuration for a new web-based financial management application that will be used heavily by mobile devices. Which of the following would be the architects MOST secure selection for both key exchange and the session key algorithms? (Select Two) A. 3DES B. AES-GCM C. TKIP D. SHA256 E. SHA1 F. ECDHE 149.) A security administrator creates separate VLANs for employee devices and HVAC equipment that is network attached. Which of the following are security reasons for this design? ( Select Three) A. IDS often requires network segmentation of HVAC endpoints for better reporting B. Broadcasts from HVAC equipment will be confined to their own network segment C. HVAC equipment can be isolated from compromised employee workstations D. VLANs are providing loop protection for the HVAC devices E. Access to and from the HVAC equipment can be more easily controlled F. Employee devices often interfere with proper functioning of HVAC devices 150.) A security administrator is reviewing the password security configuration of a company’s directory service domain. The administrator recognizes that the domain controller has been configured to store LM hashes. Which of the following explains why the domain controller might be configured like this? (Select TWO) A. Default configuration B. File system synchronization C. Mobile device support D. NTLMv2 support E. Backward compatibility 151.) A finance manager is responsible for approving wire transfers and processing the transfers using the software provided by the company’s bank. A number of discrepancies have been found related to the wires in a recent financial audit and the wires appearance to be fraudulent. Which of the following controls should be implemented to reduce the likelihood of fraud related to the use of wire transfers? A. Separation of duties B. Least Privilege C. Qualitative auditing D. Acceptable use policy 152.) The security manager has learned a user inadvertanly sent encrypted PII to an incorrect distribution group. The manager has instructed the user to immediately recall the message. Recipients are instructed to delete the email from all queues and devices. This is an example of which of the following incident response procedures A. Reporting B. Escalation C. Mitigation D. Isolation 153.) Joe, a system administrator, configured a device to block network traffic from entering the network. The configuration consisted of zero-day exploit awareness at the application layer of the OSI model. The exploit signatures have been seen on the internet daily. Which of the following does this describe? A. NIDS B. HIPS C. HIDS D. NIPS 154.) An organization is developing a plan to ensure an earthquake at a datacenter does not disrupt business. The organization has identified all the critical applications within the datacenter, determining the financial loss of an outage of different duration for each application. This effort is known as a A. Tabletop exercise B. High availability C. Disaster recovery D. Business impact analysis E. Risk assessment 155.) From a network security point of view, the primary reason to implement VLANs is to A. Provide Quality of Service B. Provide load balancing across the network C. Provide network segmentation D. Ensure separation of duties 156.) A network administrator is configuring a web server to ensure the use of only strong ciphers. Which of the following stream ciphers should the administrator configure? A. RC4 B. MD5 C. AES-CBC D. 3DES 157.) An engineer is designing a system that needs the fastest encryption possible due to system requirements. Which of the following should the engineer use? A. Symmetric key B. RSA-1024 C. Rainbow tables D. SHA-256 E. Public key encryption 158.) An organization’s security policy requires secure file transfers to and from internal hosts. An employee is attempting to upload a file using an unsecured method to a Linux-based dedicated file server and fails. Which of the following should the employee use to transfer the file? A. FTP B. HTTPS C. SSL D. SCP E. TLS 159.) A security administrator suspects that a server has been compromised with zero-day malware, and that it is now being used to host various copyrighted material, which is being shared through an IRC network. Which of the following should the system administrator use to determine if the server has been compromised? A. Patch report B. OS backup C. Antivirus logs D. Baseline 160.) Which of the following BEST describes the benefits of using Extended Validation? A. Does not use standard x.509 V3 certificates B. Enhances SSL session key exchange preventing man-in-the-middle attacks C. The website provider demonstrates an additional level of trust D. Provides stronger enforcement of SSL encryption algorithms 161.) Which of the following is susceptible to an attack that can obtain the wireless password by brute-forcing a 4-digit PIN followed by a 3-digit PIN? A. WPA B. WPS C. WEP D. WPA2 162.) A server administrator is investigating a breach and determines an attacker modified the application log to obscure the attack vector. During the lessons learned activity, the facilitator asks for a mitigation response to protect the integrity of the logs should a similar attack occur. Which of the following mitigations would be MOST appropriate to fulfill the requirement? A. Host-based OS B. Automated log analysis C. Enterprise SIEM D. Real-time event cancelation 163.) In order to comply with new auditing standards, a security administrator must be able to complete system security alert logs directly with the employee who triggers the alert. Which of the following should the security administrator implement in order to meet this requirement? A. Access control lists on the servers B. Elimination of shared accounts C. Group-based privileges for accounts D. Periodic user account access reviews 164.) On a campus network, users frequently remove the network cable from desktop NIC’s and plug personal laptops into the school network. Which of the following could be used to reduce the likelihood of unauthorized laptops on the campus network? A. Port security B. Loop protection C. Flood guards D. VLANs 165.) An employee is using company time and assets to use a third party tool to share downloadable media with other users around the world. Sharing downloadable media is not expressly forbidden in the company security policy or acceptable use policy. Which of the following BEST describes what the security staff should consider adding to these policies? A. P2P B. Data handling C. Social networking D. Mobile Device Management 166.) The network administrator wants to assign VLANs based on which user is logging into the network. Which of the following should the administrator use to accomplish this? (select Two) A. MAC filtering B. RADIUS C. 802.1af D. 802.11ac E. 802.1x F. 802.3q 167.) An application is performing slowly. Management asks the security team to determine if a security compromise is the underlying cause. The security team finds two processes with high resource utilization. Which of the following actions should the team take NEXT? A. Monitor the IDS/IPS for incidents B. Perform a vulnerability assessment C. Initiate a source code review D. Conduct a baseline comparison 168.) A company implemented a public-facing authentication system that uses PKI and extended attributes to allow third-party, web-based application integration. This is an example of which of the following? (select three) A. Federation B. Two-factor authentication C. Transitive trust D. Trusted OS E. Single sign-on F. TOTP G. MAC 169.) An employee connects to a public wireless hotspot during a business trip. The employee attempts to go to a secure website but instead connects to an attacker who is performing a MITM attack. Which of the following should the employee do to mitigate the vulnerability described In the scenario? A. Connect to a VPN when using public wireless networks B. Connect only to WPA2 networks regardless of whether the network is public or private C. Ensure a host-based firewall is installed and running when using public wireless networks D. Check the address in the web browser before entering credentials 170.) Joe, a security administrator, recently configured a method of secure access for remote administration of network devices. When he attempts to connect to an access layer switch in the organization from outside the network he is unable to successfully connect. Which of the following ports should be open on the firewall for Joe to successfully connect to the switch? A. TCP 110 B. TCP 161 C. UDP 161 D. UDP 500 171.) Which of the following is a suitable method of checking for revoked certificates in a client/server environment with connectivity to the issuing PKI? A. HSM B. CRL C. OCSP D. CSR 172.) During an audit of a software development organization, an auditor finds the organization did not properly follow industry best practices, including peer review and board approval, prior to moving applications into the production environment. The auditor recommends adopting a formal process incorporating these steps. To remediate the finding, the organization implements A. Incident management B. A configuration management board C. Asset management D. Change management 173.) Two companies are partnering to bid on a contract. Normally these companies are fierce competitors, but for this procurement they have determined that a partnership is the only way they can win the job. Both companies are concerned about unauthorized data sharing and want to ensure other divisions within each company will not have access to proprietary data. To best protect against unauthorized data sharing they should each sign a A. NDA B. SLA C. MOU D. BPA 174.) A recent network audit revealed several devices on the internal network were not running antivirus or HIPS. Upon further investigation, it was discovered that these devices were new laptops that were deployed without installing the end-point protection suite used by the company. Which of the following could be used to mitigate the risk of authorized devices that are unprotected residing on the network? A. Host-based firewall B. Network-based IPS C. Centralized end-point management D. MAC filtering 175.) Ann is attempting to send a digitally signed message to Joe. Which of the following should Ann do? A. Encrypt a hash of the message with her private key B. Encrypt a certificate signing request with her private key C. Encrypt a hash of the message with Joe’s public key D. Encrypt a certificate signing request with Joe’s public key 176.) Which of the following would provide you with a measure of the frequency at which critical business systems experience breakdowns? A. MTTR B. MTBF C. MTTF D. MTU 177.) Which of the following should be used to secure data-in-use? A. Full memory encryption B. Symmetric key encryption C. SSL/TLS D. PGP 178.) Which of the following provides a safe, contained environment in which to enforce physical security? A. Hot site B. Mantrap C. Virtualized sandbox D. Bollards 179.) A local coffee shop provides guests with wireless access but disabled the SSID broadcast for security purposes. When guests make a purchase, they are provided with the SSID to the router. A new customer’s laptop shows the coffee shop’s SSID appears to be broadcasting despite the fact that the wireless router configuration shows the broadcast is disabled. Which of the following situations is likely occurring? A. The coffee shop is using WEP instead of WPA or WPA2 encryption B. A user has set up an evil twin access point near the coffee shop C. WiFi Protected Setup has been hacked and the SSID is being covertly broadcast D. Once connected to the router it will appear that the SSID is being broadcast 180.) A security technician notices that several successful attacks are being carried out on the network. The Chief information Security Officer tells the technician to deploy countermeasures that will help actively stop these ongoing attacks. Which of the following technologies will accomplish this task? A. A network-based IPS with advanced heuristic capability B. A honeypot that generates alerts when a new attack is discovered C. Host-based IDS that uses anomaly and behavior-based detection D. An automated security log analyzer that reports system breaches 181.) Ann, a security administrator, is hardening the user password policies. She currently has the following in place.. Password expire every 60 days, password length is at least eight characters, passwords must contain at least one capital letter and one numeric character. She learns that several employees are still using their original passwords after the 60-day forced change. Which of the following can she implement to BEST mitigate this? A. Lower the password expire time to every 30 days instead of 60 days B. Require that the password contains at least one capital letter, one numeric character and one special character C. Change the re-usage time from eight to 16 changes before a password can be repeated D. Create a rule that users can only change their passwords once every two weeks 182.) The administrator set up a new WPA2 Enterprise wireless network using EAP-TLS for authentication. The administrator configured the RADIUS servers with certificates that are trusted by the endpoint devices and rules to authenticate a particular group of users. The administrator is part of the group that is authorized to connect but is unable to connect successfully during the first test of the network. Which of the following is the MOST likely cause of the issue? A. A rogue access point is intercepting the connection B. Administrator accounts are not allowed to connect to the network C. The client NIC does not support AES hardware encryption D. The DHCP scope is full E. Client certificates were not deployed 183.) A company has an email server dedicated to only outbound email, inbound email retrieval to this server must be blocked. Which of the following ports must be set to explicit deny? A. 25 B. 53 C. 110 D. 123 E. 139 F. 143 184.) A PKI architect is implementing a corporate enterprise solution. The solution will incorporate key escrow and recovery agents, as well as a tiered architecture. Which of the following is required to implement the architecture correctly? A. CRL B. Strong ciphers C. Intermediate authorities D. IPSec between CA’s 185.) The Chief Information Security Officer wants to move the web server from the public network because it has been breached a number of times in the past month. The CISO does not want to place it in the private network since many external users access the web server to fill out their orders. The company policy does not allow any non-secure protocols into the internal network. Given the circumstances, which of the following would be the BEST course of action? A. Create an external DMZ network B. Use NAT on the web server C. Implement a remote access server D. Configure a new internal subnet 186.) A security auditor has full knowledge of company configuration and equipment. The auditor performed a test on the network, resulting in an exploitation of a zero-day vulnerability. Which of the following did the security auditor perform? A. Gray box test B. Vulnerability scan C. Black box test D. Penetration test 187.) Which of the following authentication services is BEST suited for an environment that requires the TCP protocol with a clear-text payload? A. LDAP B. TACACS+ C. SAML D. RADIUS 188.) A security administrator receives a hard drive that must be imaged for forensics analysis. The paperwork that comes with the hard drive shows: 10:00 technician A-Hard drive removed, 10:30Technician A- Hard drive delivered to Manager A and 11:00-IT director-Hard drive delivered to the security administrator. Which of the following should the security administrator do? A. Image the hard drive and sign the chain of custody log B. Hash the chain of custody log C. Report a problem with the chain of custody log D. Sign the chain of custody log 189.) The network administrator is installing RS-485 terminal servers to provide card readers to vending machines. Which of the following should be performed to protect the terminal servers? A. Flood guard B. 802.1x C. Network separation D. Port security 190.) An attacker drives past a company, captures the name of the WiFi network, and locates a coffee shop near the company. The attacker creates a mobile hotspot with the same name as the company’s WiFi. Which of the following BEST describes this wireless attack? A. War driving B. Rogue access point C. Near-field communication D. Evil twin 191.) Which of the following MUST be implemented to ensure accountability? A. Employ access control lists B. Configure password complexity C. shared accounts D. Change default passwords 192.) Which of the following attack types is MOST likely to cause damage or data loss for an organization and be difficult to investigate? A. Man-in-the-middle B. Spoofing C. DDoS D. Malicious insider 193.) The remote branch of an organization has been assigned two public IP addresses by an ISP. The organization has ten workstations and a wireless router. Which of the following should be deployed to ensure that all devices have internet access? A. VLAN B. PAT C. NAC D. DMZ 194.) A security administrator wishes to perform authentication, authorization, and accounting, but does not wish to use a proprietary protocol. Which of the following services would fulfill these requirements? A. SAML B. RADIUS C. TACACS+ D. Kerberos 195.) Which of the following is the FASTEST method to disclose one way hashed passwords? A. Rainbow tables B. Private key disclosure C. Dictionary attack D. Brute Force 196.) A network has been impacted by downtime resulting from unauthorized devices connecting directly to the wired network. The network administrator has been tasked to research and evaluate technical controls that would effectively mitigate risks associated with such devices. Which of the following capabilities would be MOST suitable for implementation in this scenario? A. Host hardening B. NIDS C. HIDS D. Loop protection E. Port Security 197.) A company is providing mobile devices to all employees. The system administrator has been tasked with providing input for the company’s mobile device policy. Which of the following are valid security concepts that the system administrator should include when offering feedback to management? (Select Two) A. Transitive trust B. Asset tracking C. Remote wiping D. HSM E. Key management 198.) Forensics analyst is asked to identify identical files on a hard drive. Due to the large number of files to be compared, the analyst must use an algorithm that is known to have the lowest collision rate. Which of the following should be selected? A. MD4 B. MD5 C. SHA-128 D. AES-256 199.) John wants to secure an 802.11n network. Which of the following encryption methods would provide the highest level of protection? A. WPA B. WEP C. WPA2 with AES D. WPA2 with TKIP 200.) Which of the following is the MOST influential concern that contributes to an organization’s ability to extend enterprise policies to mobile devices? A. Support of mobile OS B. Availability of mobile browsers C. Support of mobile apps D. Public key management 201.) An application service provider has notified customers of a breach resulting from improper configuration changes. In the incident, a server intended for internal access only was made accessible to A. B. C. D. external parties. Which of the following configurations were likely to have been improperly modified resulting in the breach? IDS CRL VPN NAT 202.) Joe just installed a new (ECS) environmental control system for a room that is critical to the company’s operation and needs the ability to manage and monitor the system from any part of the network. Which of the following should the security administrator utilize to minimize the attack surface and still allow the needed access? A. Create and encrypted connection between the ECS and the engineer’s computer B. Configure the ECS host-based firewall to block non-ECS application traffic C. Implement an ACL that permits the necessary management and monitoring traffic D. Install a firewall that only allows traffic to the ECS from a single management and monitoring network 203.) Numerous users within an organization are unable to log into the web based financial application. The network team places a sniffer on the segment where the application resides and sees the following log entries. 05:31:14.312254 10.10.10.25.3389 192.168.2.100.80: SYN 05:31:14:312255 10.10.10.25.3389 192.168.2.100.80: SYN 05:31:14:312256 10.10.10.25.3389 192.168.2.100.80:SYN Which of the following is MOST likely occurring? A. B. C. D. E. DOS attack Ping flood attack Smurf attack Replay attack Xmas attack 204.) You want to communicate securely with a third party via email using PGP. Which of the following should you send to the third party to enable the third party to securely encrypt email replies? A. Private key B. Key escrow C. Public key D. Recovery key 205.) Which of the following should you implement if you want to preserve your internal authentication and authorization process and credentials if you are going to a cloud service provider? A. Dual factor authentication B. Federation C. Single sign on D. TOTP 206.) A university police department is housed on the first floor of a student dormitory. Which of the following would prevent students from using ARP spoofing attacks against computers at the police department? A. Private network addresses B. Disable SSID broadcast C. Separate Layer 2 vlans D. Enable proxy arp on router 207.) During a recent vulnerability assessment, the pen testers were able to successfully crack a large number of employee passwords. The company technology use agreement clearly states that passwords used on the company network must be at least eight characters long and contain at least one uppercase letter and special character. What can they do to standardize and enforce these rules across the entire organization to resolve this issue? A. LDAP B. Group Policy C. User policy D. Kerberos 208.) You want to create several different environments for application development, testing, and quality control. Controls are being put into place to manage how software is moved into the production environment. Which of the following should the software development manager request to be put into place to implement the three new environments? A. Application firewalls B. Network segmentation C. Trusted computing D. NAT 209.) A research user needs to transfer multiple terabytes of data across a network. The data is not confidential, so for performance reasons, does not need to be encrypted. However, the authentication process must be confidential. Which of the following is the BEST solution to satisfy these requirements? A. Secured LDAP B. Kerberized FTP C. SCP D. SAML 2.0 210.) What technology would you use to ensure that the systems that your organization is using is going to deployed as securely as possible and prevent files and services from operation outside of a strict rule set? A. Host based intrusion detection B. Host based firewall C. Trusted OS D. Antivirus 211.) A security specialist has implemented antivirus software and whitelisting controls to prevent malware and unauthorized application installation on the company systems. The combination of these two technologies is an example of which of the following? A. Defense in depth B. Vulnerability scanning C. Application hardening D. Anti-malware 212.) What can be implemented to address the findings that revealed a company is lacking deterrent security controls? A. Rogue machine detection B. Continuous security monitoring C. Security cameras D. IDS 213.) A technician is about to perform a major upgrade to the operating system of a critical system. This system is currently in a virtualization environment. Which of the following actions would result in the LEAST amount of downtime if the upgrade were to fail? A. Enabling live migration in the VM settings on the virtual server B. Clustering the storage for the server to add redundancy C. Performing a full backup of the virtual machine D. Taking an initial snapshot of the system 214.) What is the name for an attack that can be used to guess the PIN of an access point for the purpose of connecting to the wireless network? A. IV attack B. Rainbow table attack C. Replay attack D. WPS attack 215.) When performing a risk analysis, which of the following is considered a threat? A. The potential exploitation of vulnerability B. The presence of a risk in the environment C. The transference of risk to another party D. The lack of mitigation for vulnerabilities 216.) A company would like to protect its e-commerce site from SQL injection and cross site scripting (XSS). The company should consider deploying which of the following technologies? A. IDS B. Web application firewall C. Proxy D. Sandbox 217.) A company uses digital signatures to sign contracts. The company requires external entities to create an account with a third party digital signature provider and to sign an agreement stating that they A. B. C. D. E. will protect the account from unauthorized access. Which of the following security goals is the company trying to address in the given scenario? Availability Non-repudiation Authentication Confidentiality Due diligence 218.) The security administrator generates a key pair and sends one key inside a request file to a third party. The third party sends back a signed file. In this scenario the file sent by the administrator is a : A. CA B. CRL C. KEK D. PKI E. CSR 219.) A third party has been contracted to perform a remote penetration test of the DMZ network. The company has only provided the third party with the billing department contact information for final payment and a technical point of contact who will receive the penetration test results. Which of the following tests will be performed? A. Gray box B. White box C. Black box D. False positive 220.) An administrator is reviewing the logs for a content management system that supports the organizations public facing websites. The administrator is concerned about the number of attempted login failures from other countries for administrator accounts. Which of the following capabilities is BEST to implement if the administrator wants the system to dynamically react to such attacks? A. Netflow-based rate timing B. Disable generic administrative accounts C. Automated log analysis D. Intrusion prevention system 221.) Jane, a security analyst, is monitoring the IDS console and noticed multiple connections from an internal host to a suspicious call back domain. Which of the following tools would aid her to decipher the network traffic? A. Vulnerability scanner B. Nmap C. Netstat D. Packet analyzer 222.) A high traffic website is experiencing numerous brute force attacks against its user base. The attackers are using a very large botnet to carry out the attack. As a result, many users passwords are A. B. C. D. being compromised. Which of the following actions is appropriate for the website administrators to take in order to reduce the threat from this type of attack in the future? Temporarily ban each IP address after five failed login attempts Prevent users from using dictionary words in their passwords Prevent users from using passwords that they have used before Require user passwords to be at least ten characters in length 223.) An employee connects a wireless access point to the only jack in the conference room to provide internet access during a meeting. The access point is configured to secure its users with WPA2TKIP. A malicious user is able to intercept clear text HTTP communication between the meeting attendees and the internet. Which of the following is the reason the malicious user is able to intercept and see the clear text communications? A. The malicious user is running a wireless sniffer B. The wireless access point is broadcasting the SSID C. The malicious user is able to capture the wired communication D. The meeting attendees are using unencrypted hard drives 224.) A user is able to access shares that store confidential information that is not related to the users current job duties. Which of the following should be implemented to prevent this from occurring? A. Authorization B. Authentication C. Federation D. Identification 225.) A security administrator is having continued issues with malware variants infecting systems and encrypting several types of files. The malware users a document macro to create a randomly named executable that downloads the encrypting payload of the malware. Once downloaded the malware searches all drives, creates an HTML file with decryption instructions in the directory, and then proceeds to encrypt the target files. Which of the following actions would BEST interrupt the malware before it encrypts the other files while minimizing adverse impacts to the users? A. Block execution of documents with macros B. Block addition of documents with macros C. Block the creation of the HTML document on the local system D. Block running external files from within documents 226.) A healthcare organization is in the process of building and deploying a new web server in the DMZ that will enable public internet users the ability to securely send and receive messages from their primary care physicians. Which of the following should the security administrator consider? A. An in-band method for key exchange and an out of band method for the session B. An out of band method for key exchange and an in band method for the session C. A symmetric algorithm for key exchange and an asymmetric algorithm for the session D. An asymmetric algorithm for key exchange and a symmetric algorithm for the session 227.) A. SSLv3 B. VDSL Which of the following should be used to implement voice encryption? C. SRTP D. VoIP 228.) A company wants to ensure that all software executing on a corporate server has been authorized to do so by a central control point. Which of the following can be implemented to enable such control? A. Digital signatures B. Role-based access control C. Session keys D. Non-repudiation 229.) Company policy states that when a virus or malware alert is received, the suspected host is immediately removed from the company network. Which of the following BEST describes this component of incident response? A. Mitigation B. Isolation C. Recovery D. Reporting E. Remediation 230.) A security manager has noticed several unrecognized devices connecting to the company’s internal wireless network. Only company –issued devices should be connected to the network. Which of the following controls should be implemented to prevent the unauthorized devices from connecting to the wireless network? ( Select Two) A. MAC filtering B. Create a separate wireless VLAN C. Implement 802.11n D. Enable WPA2 E. Configure DHCP reservations 231.) A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrators NEXT steps in the investigation? (Select two) A. Reinstall the procps package in case system utilities were modified B. Look for recently modified files in user and tmp directories C. Switch SELinux to enforcing mode and reboot D. Monitor perimeter firewall for suspicious traffic from the system E. Check running processes and kernel modules F. Remove unnecessary accounts and services 232.) A manager is reviewing bids for internet service in support of a new corporate office location. The location will provide 24 hour service in the organization’s global user population. In which of the A. B. C. D. following documents would the manager MOST likely find quantitative data regarding latency levels and MTTR? ISA SLA MOU BPA 233.) A system administrator decided to perform maintenance on a production server servicing retail store operations. The system rebooted in the middle of the day due to the installations of monthly operating system patches. The downtime results in lost revenue due to the system being unavailable. Which of the following would reduce the likelihood of this issue occurring again? A. Routine system auditing B. Change management controls C. Business continuity planning D. Data loss prevention implementation 234.) A UNIX server recently had restricted directories deleted as the result of an insider threat. The root account was used to delete the directories while logged on at the server console. There are five administrators that know the root password. Which of the following could BEST identify the administrator that removed the restricted directories? A. DHCP logs B. CCTV review C. DNS Logs D. Network traffic 235.) A system administrator is part of the organizations contingency and business continuity planning process. The systems administrator and relevant team participate in the analysis of a contingency situation intended to elicit constructive discussion. Which of the following types of activity is MOST accurately described in this scenario? A. Business impact analysis B. Full-interruption exercise C. Tabletop exercise D. Lessons learned E. Parallel simulation 236.) Recently, the desktop support group has been performing a hardware refresh and has replaced numerous computers. An auditor discovered that a number of the new computers did not have the company’s antivirus software installed on them. Which of the following could be utilized to notify the network support group when computers without the antivirus software are added to the network? A. Network port protection B. NAC C. NIDS D. MAC filtering 237.) Which of the following types of attacks uses email to specifically target high level officials within an organization? A. Spim B. Spear Phishing C. Pharming D. Spoofing 238.) A security architect is supporting a project team responsible for a new extranet application. As part of their activities, the team is identifying roles within the system and documenting possible conflicts between roles that could lead to collusion between users. Which of the following principles of risk mitigation is the team implementing? A. Dual Control B. Least Privilege C. Separation of duties D. Job rotation 239.) A company just purchased a new digital thermostat that automatically will update to a new firmware version when needed. Upon connecting it to the network a system administrator notices that he cannot get access to the thermostat but can get access to all other network devices. Which of the following is the MOST likely reason the thermostat is not connecting to the internet? A. The company implements a captive portal B. The thermostat is using the incorrect encryption algorithm C. The WPA2 shared key is incorrect D. The company’s DHCP server scope is full 240.) A company has a proprietary device that requires access to the network be disabled. Only authorized users should have access to the device. To further protect the device from unauthorized access, which of the following would also need to be implemented? A. Install NIPS within the company to protect all assets B. Block port 80 and 443 on the firewall C. Install a cable lock to prevent theft of the device D. Install software to encrypt access to the hard drive 241.) A company uses PKI certificates stored on a smart chip enabled badge. The badge is used for a small number of devices that connect to a wireless network. A user reported that their badge was stolen. Which of the following could the security administrator implement to prevent the stolen badge from being used to compromise the wireless network? A. Asset tracking B. Honeynet C. Strong PSK D. MAC filering 242.) The CSO is concerned with unauthorized access at the company’s off-site datacenter. The CSO would like to enhance the security posture of the datacenter. Which of the following would BEST prevent unauthorized individuals from gaining access to the datacenter? A. B. C. D. Security guard Video monitoring Magnetic entry cards Fencing 243.) One of the driving factors towards moving an application to a cloud infrastructure is increased application availability. In the case where a company creates a private cloud, the risk of application downtime is being: A. Transferred B. Avoided C. Mitigated D. Accepted 244.) A security administrator wishes to set up a site to site IPSec VPN tunnel between two locations. Which of the following IPSec encryptions and hashing algorithms would be chosen for the least performance impact? A. 3DES/SHA B. AES/SHA C. RSA/MD5 D. DES/MD5 245.) Which of the following is a security weakness associated with software-based disk encryption? A. Employed encryption algorithms are generally weaker when implemented In software B. A dedicated processor is used by the cryptomodule C. The key can be physically extracted from the encrypted medium D. Cryptographic operations can be far slower than with hardware based encryption 246.) A network administrator discovers that telnet was enabled on the companys human resources payroll server and that someone outside of the HR subnet has been attempting to log into the server. The network administrator has disabled telnet on the payroll server. Which of the following is a method of tracking attempts to log onto telnet without exposing important company data? A. Banner grabbing B. Active port numbers C. Honeypot D. Passive IPS 247.) A penetration tester is attempting to determine the operating system of a remote host. Which of the following methods will provide this information? A. Protocol analyzer B. Honeypot C. Fuzzer D. Banner grabbing 248.) A company’s security analyst is investigating the suspected compromise of the company’s intranet web server. The compromise occurred at a time when no users were logged into the domain. A. B. C. D. Which of the following is Most likely to have prevented the attack from a new machine introduced to the corporate network? Domain log review 802.1x NIDS Rogue detection 249.) Which of the following types of attacks are MOST likely to be successful when using fuzzing against an executable program? ( select Two) A. SQL injection B. Session hijacking C. Integer overflow D. Buffer overflow E. Header manipulation 250.) Which of the following authentication services utilizes UDP for communication between client and server? A. Kerberos B. TACACS+ C. LDAP D. RADIUS 251.) As their data set rapidly grows and changes, a company is experiencing availability problems with their database. The security manager recommends switching to a more scalable system with dynamic schemas. Which of the following would meet the security manager’s requirements? A. SSDs B. NoSQL C. MariaDB D. RDMBS 252.) A company provides wireless access for employees and a guest wireless network for visitors. The employee wireless network is encrypted and requires a password. The guest wireless network does not use an encrypted connection and does not require a password. An administrator walks by a visitors laptop and notices the following command line output: reaver –I mon –b 7A:E5:9A:42:2C:C1 –vv Starting… [+] Trying pin 12345678 [+] 93.41% complete @ 2016-04-16 11:25:15 (15 seconds) [+] WARNING: 10 failed connections in a row [+] Trying pin 12345688 Which of the following should the administrator implement and why? A. Initiate employee password changes because the visitor has captured passwords and is attempting offline cracking of those passwords B. Implement two factor wireless authentication because the visitor will eventually brute force the network key C. Apply WPA or WPA2 encryption because the visitor is trying to crack the employee network that is encrypted with WEP D. Disable WPS because the visitor is trying to crack the employee network E. Apply MAC filtering because the visitor already has the network password 253.) When implementing a mobile security strategy for an organization, which of the following is the MOST influential concern that contributes to that organizations ability to extend enterprise policies to mobile devices? A. Support for mobile OS B. Support of mobile apps C. Availability of mobile browsers D. Public key management 254.) A system administrator runs a network inventory scan every Friday at 11:00 am to track the progress of a large organizations operating system upgrade of all laptops. The system administrator discovers that some laptops are now only being reported as IP addresses. Which of the following is MOST likely the cause of this issue? A. HIDS B. Host-based firewalls rules C. All the laptops are currently turned off D. DNS replication 255.) A company is exploring the possibility to integrate some of its internal processes with an external cloud service provider. Which of the following should be implemented if the company wants to preserve its internal authentication and authorization process and credentials? A. Single sign-on B. Dual factor authentication C. Federation D. TOTP 256.) An employee has been terminated due to inappropriate internet use. A computer forensics technician at the organization acquired an image of the hard drive and hashed it using MD5. The former employee has filed a lawsuit. The former employee’s attorney requests a copy of the image so it can be independently reviewed by the legal team. Upon receiving the image, the attorney’s technician also generates an MD5 hash of the image and comes up with a different output than what was provided. Which of the following MOST likely occurred? A. The wrong preshared key was used B. The hashes were produced using different algorithms C. The hashes were produced on two different operating systems D. Files on the image have been altered 257.) A security architect is supporting a project team responsible for a new extranet application. As part of their activities, the team is identifying roles within the system and documenting possible conflicts between roles that could lead to collusion between users. Which of the following principles of risk mitigation is the team implementing? A. Dual control B. Least privilege C. Separation of duties D. Job rotation 258.) A company hosts sites for multiple vendors and provides information to users globally. Which of the following is a critical security consideration in this environment? A. Proxy servers to enforce a single access mechanism to the data warehouse B. Firewalls to ensure that the data warehouse is not accessible to the internet C. Access controls to prevent users from accessing the entire data warehouse D. Query protocols should use non-standard ports to protect user result-sets 259.) A security administrator, believing it to be a security risk, disables IGMP snooping on a switch. This breaks a video application. The application is MOST likely using: A. RTP B. Multicast C. Anycast D. VoIP 260.) A security engineer is monitoring suspicious traffic from an internal endpoint to a malicious landing page of an external entity. The internal endpoint is configured using a limited account, is fully patched to current standards, and has current antivirus signatures. No alerts have been received involving this endpoint. The security engineer finds malicious code on the endpoint during a forensics analysis. Which of the following MOST likely explains this occurrence? A. The external entity breached the IDS B. The antivirus engine was evaded C. The DLP did not detect the malicious code D. The endpoint was running on a hypervisor 261.) A security administrator recently implemented IPSec for remote users. Which of the following ports must be allowed through the firewall in order for remote access to be successful if the tunneling protocol is PPTP? A. UDP 500 B. UDP 1723 C. TCP 1723 D. TCP 4500 262.) A user has been working on a project to implement controls for data storage. Which of the following policies defines how long specific data should remain on company equipment? A. Data retention policy B. Data wiping policy C. Data classification policy D. Data disposal policy 263.) A system administrator has received several service desk tickets relating to users receiving rejection notices from third-party destination email servers. The users in question were previously able A. B. C. D. to send emails to the recipients mentioned in the ticket. Which of the following items should the system administrator review to determine a possible cause for the issue? DNS blacklists Spam filter configuration Local hosts file SMTP queue 264.) An enterprise needs to be able to receive files that contain PII from many customers at different times. The data must remain encrypted during transport and while at rest. Which of the following encryption solutions would meet both of these requirements? A. PGP B. SCP C. SSL D. TLS 265.) A security analyst has been asked to perform penetration testing against a web application being deployed for the first time. When performing the test the application stops responding and returns an error referring to failed database connections. Upon further investigation, the analyst finds the database server was inundated with commits which exhausted available space on the volume. Which of the following attacks has been performed against the database server? A. DoS B. SQL injection C. SYN flood D. DDos E. Cross-site scripting 266.) Virtualization would provide an ROI when implemented under which of the following situations? A. Numerous servers with no fail-over requirement B. Multiple existing 100% utilized physical servers C. Numerous clients with a requirement for fast processors D. Multiple existing but underutilized physical servers 267.) An organization decides to implement a BYOD policy but wants to ensure they address requirements associated with any legal investigations and controls needed to comply with the analysis and recreation of an incident. This concern is also known as which of the following? A. Data ownership B. Forensics C. Chain of custody D. Acceptable use 268.) When implementing a new system, a systems administrator works with the information system owner to identify and document the responsibilities of various positions within the organization. Once responsibilities are identified, groups are created within the system to accommodate the various responsibilities of each position type, with users being placed in these groups. Which of the following principles of authorization is being developed? A. Rule-based access control B. Least privilege C. Separation of duties D. Access control lists E. Role-based access control 269.) Which of the following network design components would assist in separating network traffic based on the logical location of users? A. IPSec B. NAC C. VLAN D. DMZ 270.) The SSID broadcast for a wireless router has been disabled but a network administrator notices that unauthorized users are accessing the wireless network. The administrator has determined that attackers are still able to detect the presence of the wireless network despite the fact that the SSID has been disabled. Which of the following would further obscure the presence of the wireless network? A. Upgrade the encryption to WPA or WPA2 B. Create a non-zero length SSID for the wireless router C. Reroute wireless users to a honeynet D. Disable responses to a broadcast probe request 271.) A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the following attacks? A. SQL injection B. Header manipulation C. Cross-site scripting D. Flash cookie exploitation 272.) Virtualization that allows an operating system kernel to run multiple isolated instances of a guest OS is : A. Process segregation B. Software defined network C. Containers D. Emulation 273.) A plant security officer is continually losing connection to two IP cameras that monitor several critical high voltage motors. Which of the following should the network administrator do to BEST ensure the availability of the IP camera connections? A. Use a wireless bridge instead of the network cables B. Replace patch cables with shielded cables C. Change existing cables with optical cables D. Add new conduit runs for the network cables 274.) During a trial for possession of illegal content, a defense attorney argues that several of the files on the forensic image may have been tampered with. How can a technician BEST disprove this argument? A. Trace the chain-of-custody from the time of arrest until the time of trial B. Have a forensic investigator undergo a polygraph examination C. Take hashes from the suspect source drive, and compare them to hashes on the forensics image D. Access the system logs on the forensic image, and see if any logins occurred after the suspect’s arrest 275.) An auditing organization frequently deploys field employees to customer sites worldwide. While at the customer sites, the field employees often need to connect to the local network to access documents and data. Management is concerned that the field employee laptops might become infected with malware while on the customer networks. Which of the following could be deployed to decrease the amount of risk incurred by the field employees? A. B. C. D. HIPS HOTP HIDS HSM 276.) Joe, a user, wants to configure his workstation to make certain that the certificate he receives when connecting to websites is still valid. Which of the following should Joe enable on his workstation to achieve this? A. Certificate revocation B. Key escrow C. Registration authority D. Digital signatures 277.) When implementing a new system, a systems administrator works with the information system owner to identify and document the responsibilities of various positions within the organization. Once responsibilities are identified, groups are created within the system to accommodate the various responsibilities of each position type, with users being placed in these groups. Which of the following principles of authorization is being developed? A. Rule-based access control B. Least privilege C. Separation of duties D. Access control lists E. Role-based access control 278.) An organization received a subpoena requesting access to data that resides on an employee’s computer. The organization uses PKI. Which of the following is the BEST way to comply with the request? A. Certificate authority B. Public key C. Key escrow D. Registration authority E. Key recovery agent 279.) Which of the following is a security weakness associated with software-based disk encryption? A. Employed encryption algorithms are generally weaker when implemented in software B. A dedicated processor is used by the cryptomodule C. The key can be physically extracted from the encrypted medium D. Cryptographic operations can be far slower than with hardware based encryption 280.) A large retail vendor provides access to a heating, ventilation, and air conditioning vendor for the purpose of issuing billing statements and receiving payments. A security administrator wants to prevent attackers from using compromised credentials to access the billing system, moving literally to the point-of-sale system, and installing malware to skim credit card data. Which of the following is the MOST important security architecture consideration the retail vendor should impose? A. Data encryption B. Network segregation C. Virtual private networking D. Application firewalls 281.) A security administrator, believing it to be a security risk, disables IGMP snooping on a switch. This breaks a video application. The application is MOST likely using. A. RTP B. Multicast C. Anycast D. VoIP 282.) A global gaming console manufacturer is launching a new gaming platform to its customers. Which of the following controls reduces the risk created by malicious gaming customers attempting to circumvent controls by way of modifying consoles? ( select two) A. Firmware version control B. Manual software upgrades C. Vulnerability scanning D. Automatic updates E. Network segmentation F. Application firewalls 283.) The security administrator for a growing company is concerned about the increasing prevalence of personal devices connected to the corporate WLAN. Which of the following actions should the administrator take FIRST to address this concern? A. Implement RADIUS to centrally manage access to the corporate network over Wi-Fi B. Request that senior management support the development of a policy that addresses personal devices C. Establish a guest-access wireless network and request that employees use the guest network D. Distribute a memo addressing the security risks associated with the use of personally-owned devices on the corporate WLAN 284.) After disabling SSID broadcast, a network administrator still sees the wireless network listed in available networks on a client laptop. Which of the following attacks may be occurring ? A. Evil twin B. Rod’s access point C. Arp spoofing D. Rogue access point E. TKIP compromise 285.) A recent regulatory audit discovers a large number of former employees with active accounts. Terminated users are removed from the HR system but not from Active Directory. Which of the following processes would close the gap identified? A. Send a recurring email to managers with a link to IT security policies B. Perform routing audits against the HR system and Active Directory C. Set an account expiration date for all Active Directory accounts to expire annually D. Conduct permissions reviews in Active Directory for group membership 286.) Which of the following is the MAIN purpose for incorporating a DMZ into the design of a network? A. Incorporate a secure place to house print servers and other networking equipment B. Have Rod to come out and secure the network even if he knows nothing about it C. Facilitate the creation of resources accessed by internal users in a secure manner D. Provide an isolated location for servers accessed from the intra and inter networks 287.) A security engineer wants to communicate securely with a third party via email using PGP. Which of following should the engineer send to the third party to enable the third party to securely encrypt email replies? A. Public key B. Private key C. Key escrow D. Recovery key 288.) A datacenter manager has been asked to prioritize critical system recovery priorities. Which of the following is the MOST critical for immediate recovery? A. Remote assistance software B. Operating system software C. Weekly summary reports to management D. Financial and production software 289.) A risk assessment team is concerned about hosting data with a cloud service provider. Which of the following findings would justify this concern? A. The CSP utilizes encryption for data at rest and in motion B. The CSP takes into account multinational privacy concerns C. The financial reveiew indicates the company is a startup D. SLAs state service tickets will be resolved in less than mins 290.) A security administrator is responsible for the deployment of a new two-factor authentication solution. The administrator has been informed that the solution will use soft tokens. Which of the following are valid token password schemes for the two-factor solution being deployed? ( select Two) A. Chap B. PAP C. NTLMv2 D. HMAC E. Smart card F. Time-based 291.) A security administrator has implemented a series of computers to research possible intrusions into the organizational network, and to determine the motives as well as the tool used by the malicious entities. Which of the following has the security administrator implemented? A. Honeypot B. DMZ C. Honeynet D. VLANs 292.) Which of the following allows an application to securely authenticate a user by receiving credentials from a remote web domain? A. TACACS+ B. RADIUS C. Kerberos D. SAML 293.) A company is exploring the possibility to integrate some of its internal processes with an external cloud service provider. Which of the following should be implemented if the company wants to preserve its internal authentication and authorization process and credentials? A. Single sign-on B. Dual factor authentication C. Federation D. TOTP 294.) Many employees are receiving email messages similar to the one shown below From: IT Department To: Employee Subject: Email quota exceeded Please check on the following link Http://www.getatme.infoemail.php?quota= Gb and provide your username and password to increase your email quota Upon reviewing other similar emails, the security administrator realizes that all the phishing URLs have the following common elements they all use HTTP, they all come from info domains, and they all contain the same URL. Which of the following should the security administrator configure on the corporate content filter to prevent users from accessing the phishing URL, while at the same time minimizing false positives? A. Block http//www”info” B. Drop http//”getatme.info/email”php C. Redirect D. DENY http://”infoemail.php”quota=Gb 295.) Which of the following social engineering attacks would describe a situation where an attacker calls an employee while impersonating a corporate executive? A. Vishing B. Pharming C. Whaling D. Pharrming 296.) A security administrator determined that the time required to brute force 90% of the companys password hashes is below the acceptable threshold. Which of the following, if implemented, has the GREATEST impact in bringing this time above the acceptable threshold? A. Use a shadow password file B. Increase the number of PBKDF2 iterations C. Change the algorithm used to salt all passwords D. Use a stronger hashing algorithm for password storage 297.) Which of the following is important to reduce risk? A. Separation of duties B. Risk acceptance C. Risk transference D. Threat modeling 298.) An outside testing company performing black box testing against a new application determines that it is possible to enter any characters into the applications web-based form. Which of the following controls should the application developers use to prevent this from occurring? A. CSRF prevention B. Sandboxing C. Fuzzing D. Input validation 299.) The network administrator for a small business is configuring a wireless network for 20 users. Which of the following explains why the administrator would choose WPA2-Pesonal over WPA-2 Enterprise? A. It does not require a RADIUS server B. It uses 3DES encryption C. It has 14 channels available D. It allows a separate password for each device 300.) The security director has a mantrap installed for the company’s data center. This control is installed to mitigate: A. Transitive access B. Tailgating C. Shoulder surfing D. Impersonation 301.) A company needs to ensure that employees that are on vacation or leave cannot access network resources, while still retaining the ability to receive emails in their inboxes. Which of the following will allow the company to achieve this goal? A. Set up an email alias B. Remove user privileges C. Install an SMTP proxy server D. Reset user passwords 302.) Which of the following is an administrative control used to reduce tailgating? A. Delivering security training B. Erecting a fence C. Implementing magnetic locks and doors D. Installing a mantrap 303.) Which of the following would enhance the security of accessing data stored in the cloud? (select two) A. Block level encryption B. SAML authentication C. Transport encryption D. Multifactor authentication E. Predefined challenge questions F. Hashing 304.) A company has hired an ex-employee to perform a penetration test of the company’s proprietary application. Although the ex-employee used to be part of the development team, the application has gone through some changes since he employee left. Which of the following can the exemployee perform if the company is not willing to release any information on te software to the exemployee? A. Black box testing B. Regression testing C. White box testing D. Grey box testing 305.) Joe has been in the same IT position for the last 27 years and has developed a lot of the homegrown applications that the company utilizes. The company is concerned that Joe is the only one who can administer these applications. The company should enforce which of the following best security practices to avoid Joe being a single point of failure? A. Separation of duties B. Least privilege C. Job rotation D. Mandatory vacations 306.) Which of the following are BEST used in the process of hardening a public facing web server? (Select 2) A. Vulnerability scanner B. Protocol analyzer C. Honeynet D. Port scanner E. Honeypot 307.) A company is planning to encrypt the files in several sensitive directories of a file server with a symmetric key. Which of the following could be used? A. RSA B. TwoFish C. Diffie-Hellman D. NTLMv2 E. RIPEMD 308.) In the course of troubleshooting wireless issues from users, a technician discovers that users are connecting to their home SSID’s while at work. The technician scans but detects none of those SSIDs. The technician eventually discovers a rogue access point that spoofs any SSID that a client requests. Which of the following allows wireless use while mitigating this type of attack? A. Configure the device to verify access point MAC addresses B. Disable automatic connection to unknown SSIDs C. Only connect to trusted wireless networks D. Enable MAC filtering on the wireless access point 309.) Which of the following BEST represents a security challenge faced primarily by organizations employing a mobility BYOD strategy? A. Balancing between the security of personal information and the company’s information sharing requirements B. Balancing between the assurance of individual privacy rights and the security of corporate data C. Balancing between device configuration enforcement and the management of cryptographic keys D. Balancing between the financial security of the company and the financial security of the user 310.) A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrator’s NEXT steps in the investigation? (Select Two) A. Reinstall the procps package in case system utilities were modified B. Look for recently modified files in use and tmp directories C. Switch SELinux to enforcing mode and reboot D. Monitor perimeter firewall for suspicious traffic from the system E. Check running processes and kernel modules F. Remove unnecessary accounts and services 311.) A company was recently the victim of a major attack which resulted in significant reputational loss. Joe, a member of the company incident response team, is currently reviewing Standard Operating Procedures for the team in the wake of the attack. Which of the following best identifies the stage of incident response that Joe is in? A. Reporting B. Lessons learned C. Mitigation steps D. Preparation 312.) An increase in the number of wireless users on the 192.168.6.0/24 subnet has caused the DHCP pool to run out of addresses, which prevents users from accessing important network resources. Which of the following should the administrator do to correct this problem? A. Decrease the subnet mask network bits B. Increase the dynamic ARP timeout C. Switch to static IP address assignment D. Increase the DHCP lease time 313.) Which of the following should be implemented to enforce the corporate policy requiring up-todate and OS patches on all computers connecting to the network via VPN? A. VLAN B. NAT C. NAC D. DMZ 314.) A single server hosts a sensitive SQL-based database and a web service containing static content. A few of the database fields need to be encrypted due to regulatory requirements. Which of the following would provide the BEST encryption solution for this particular server? A. Individual file B. Database C. Full disk D. Record based 315.) A network was down for several hours due to a contractor entering the premises and plugging both ends of a network cable into adjacent network jacks. Which of the following would have prevented the network outage? A. Port security B. Loop protection C. Implicit deny D. Log analysis E. MAC filtering F. Trunk port 316.) A media company would like to securely stream live video feeds over the internet to clients. The security administrator suggests that the video feeds be encrypted in transport and configures the web server to prefer ciphers suited for the live video feeds. Which of the following cipher suites should the administrator implement on the web server to minimize the computational and performance overhead of delivering the live feeds? A. ECDHE-RSA-RC4-SHA B. DHE-DSA-DE5-CBC-SHA C. ECDHE-RSA-AES-CBC-SHA D. ECDHE-RSA-AES256-CBC-SHA 317.) After a wireless security breach, the network administrator discovers the tool used to break into the network. Using a brute force attack, the tool is able to obtain the wireless password in less than 11,000 attempts. Which of the following should be disabled to prevent this type of attack in the future? A. WPS B. WEP C. WIPS D. WPA2-PSK 318.) While responding to an incident on a new Windows server, the administrator needs to disable unused services. Which of the following commands can be used to see processes that are listening on a TCP port? A. Ipconfig B. Netstat C. Psinfo D. Net session 319.) A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resources. There cannot be a possibility of any equipment being damage in the test. Which of the following has the administrator been tasked to perform? A. Risk transference B. Penetration test C. Threat assessment D. Vulnerability assessment 320.) Following a site survey for an upcoming 5GHz wireless network implementation, the project manager determines that several areas of the facility receive inadequate coverage due to the use of vertical antennas on all access points. Which of the following activities would be MOST likely to remediate the issue without changing the current access point layout in the facility? A. Convert all access points to models operating at 2.4GHz B. Install antennas with lower front-to-back ratios to narrow the focus of coverage as needed C. Reorient the existing antennas in horizontal configuration D. Install unidirectional antennas to focus coverage where needed 321.) Two companies are partnering to bid on a contract. Normally these companies are fierce competitors but for this procurement they have determined that a partnership is the only way they can win the job. Each company is concerned about unauthorized data sharing and wants to ensure other divisions within each company will not have access to proprietary data. To best protect against unauthorized data sharing they should each sign a(n) A. NDA B. SLA C. MOU D. BPA 322.) A security administrator runs a port scan against a server and determines that the following ports are open TCP 22, TCP 25, TCP 80, TCP 631, and TCP 995. Which of the following MOST likely describes the server? A. The server is an email server that requires secure email transmittal B. The server is a web server that requires secure communication C. The server is a print server that requires secure authentication D. The server is an email server that requires secure email retrieval 323.) The security administrator receives a service ticket saying a host-based firewall is interfering with the operation of a new application that is being tested in development. The administrator asks for clarification on which ports need to be open. The software vendor replies that it could use up to 20 ports and many custormers have disabled the host-based firewall. After examining the system, the administrator sees several ports that are open for database and application servers that are only used locally. The vendor continues to recommend disabling the host-based firewall. Which of the following is the BEST course of action for the administrator to take? A. Allow ports used by the application through the network firewall B. Allow ports used externally through the host firewall C. Follow the vendor’s recommendation and disable the host firewall D. Allow ports used locally through the host firewall 324.) Which of the following can be used by PPP for authentication? A. CHAP B. RSA C. PGP D. HMAC 325.) An organization uses security tokens as part of two factor authentication. If the seed values for the tokens are suspected to have been compromised, which of the following actions will mitigate the risk and be the MOST cost effective? A. Replace the tokens B. Issue smartcards C. Change the token algorithms D. Have users change their passwords 326.) During a recent network audit, it was found that several devices on the internal network were not running antivirus or HIPS. Upon further investigation, it was discovered that these devices were new laptops that were deployed without having the end-point protection suite used by the company installed. Which of the following could be used to mitigate the risk of authorized devices that are unprotected residing on the network? A. Host-based firewall B. Network-based IPS C. Centralized end-point management D. MAC filtering 327.) Several customers received an email from an employee that advertised better rates at a different company. Shortly after the email was sent, Ann, the employee who sent the email, resigned and joined the other company. When confronted, Ann claimed that she did not send the email, it was another person spoofing her email address. Which of the following would eliminate Ann’s excuse in the future? A. Sender policy framework B. Non-repudiation C. Encrypted email D. Outgoing mail filters 328.) An attacker wants to exfiltrate confidential data from an organization. The attacker decides to implement steganography as the method of exfiltration. Which of the following techniques should the attacker use? A. Encrypt an existing image file B. Add information to a sound file C. Hash a known document D. Use a substitution cipher 329.) A network administrator is in the process of developing a new network security infrastructure. One of the requirements for the new system is the ability to perform advanced authentication, authorization, and accounting services. Which of the following technologies BEST meets the stated requirement? A. Kerberos B. SAML C. TACSCS+ D. LDAPS 330.) The network sees a “%CAM-TABLE-FULL” message on a network switch. Upon investigation, the administrator, notices thousands of MAC addresses associated with a single untagged port. Which of the following should be implemented to prevent this type of attack? A. Port security B. BPDU guard C. 802.1x D. TACACS+ 331.) A network technician needs to pass traffic from the company’s external IP address to a frontend mail server in the DMZ without exposing the IP address of the mail server to the external network. Which of the following should the network technician use? A. NAT B. SMTP C. NAC D. SSH E. TLS 332.) An engineer is designing a system that needs the fastest encryption possible due to system requirements. Which of the following should the engineer use? A. Symmetric key B. RSA-1024 C. Rainbow tables D. SHA-256 E. Public key encryption 333.) A security administrator is trying to determine the source of a suspected denial of service attack that is consistently disconnecting most systems from the wireless network. Hourly checks verify that there are no rogue wireless access points, unauthorized wireless clients, or de-authentication attacks occurring. Which of the following should the administrator use to BEST identify the reason for the outage? A. Perform a packet capture B. Deploy a wireless IDS C. Use a spectrum analyzer D. Conduct a wireless site survey 334.) A security analyst at a nuclear power plant needs to secure network traffic from the legacy SCADA systems. Which of the following methods could the analyst use to secure network traffic in this static environment? A. Implement a firewall B. Implement a HIDS C. Implement a NIDS D. Implement a rootjail 335.) A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrators NEXT steps in the investigation? (Select Two) A. Reinstall the procps package in case system utilities were modified B. Look for recently modified files in user and tmp directories C. Switch SELinux to enforcing mode and reboot D. Monitor perimeter firewall for suspicious traffic from the system E. Check running processes and kernel modules F. Remove unnecessary accounts and services 336.) Several users require administrative access for software compatibility reasons. Over time, these users have made several changes to important system settings. Which of the following is the BEST course of action to ensure the system settings are properly enforced? A. Require users to run under a standard user account B. Use centralized group policy to configure the systems C. Conduct user access reviews to determine appropriate privileges D. Implement an application whitelist throughout the company 337.) A company wants to ensure that all software executing on a corporate server has been authorized to do so by a central control point. Which of the following can be implemented to enable such control? A. Digital signatures B. Role-Based access control C. Session keys D. Non-repudiation 338.) An employee connects to a public wireless hotspot during a business trip. The employee attempts to go to a secure website but instead connects to an attacker who is performing a man-in-themiddle attack. Which of the following should the employee do to mitigate the vulnerability described in the scenario? A. Connect to a VPN when using public wireless networks B. Only connect to WPA2 networks regardless of whether the network is public or private C. Ensure a host-based firewall is installed and running when using public wireless networks D. Check the address in the web browser before entering credentials 339.) A PKI architect is implementing a corporate enterprise solution. The solution will incorporate key escrow and recovery agents, as well as a tiered architecture. Which of the following is required in order to implement the architecture correctly? A. Certificate revocation list B. Strong ciphers C. Intermediate authorities D. IPsec between CAs 340.) An administrator would like to restrict traffic between two VLANs. The network devices connecting the two VLANs are layer 3 switches. Which of the following should the administrator configure? A. IDS rule B. Firewall C. ACL D. Subnet mask 341.) Joe, an administrator, has been in the sam IT position for the past 27 years and has developed a lot of the homegrown applications the company utilizes. The company is concerned that Joe is the only one who can administer these applications. Which of the following best security practices should the company enforce to prevent Joe from being a single point of failure? A. Separation of duties B. Least privilege C. Job rotation D. Mandatory vacations 342.) A technician has raised concern over employees on the manufacturing floor moving computers between work areas. The technician is concerned that the activity is making it more difficult to track down rogue devices on the network and provide timely support. Which of the following would prevent this from occurring? A. 802.1X B. Video surveillance C. Full-disk encryption D. Cable locks 343.) Which of the following should mobile devices use in order to protect against data theft in an offline attack? A. Application controls B. Full device encryption C. Storage segmentation D. Whitelisting E. Remote wiping 344.) A security administrator is performing a vulnerability scan and discovers that port 21 and 22 are open to support FTPS. Which of the following is this an example of? A. False positive B. Input validation C. Banner grabbing D. Common misconfiguration 345.) The network engineer for an organization intends to use certificate-based 802.1X authentication on a network. The engineer’s organization has an existing PKI that is used to issue server and user certificates. The PKI is not currently configured to support the issuance of 802.1X certificates. Which of the following represents an item the engineer MUST configure? A. OCSP B. Web Enrollment portal C. Symmetric cryptography D. Certification extension 346.) An administrator needs to allow a third-party service to authenticate users, but does not want to give the third-party access to user credentials. Which of the following allows this type of authentication? A. LDAP B. SAML C. RADIUS D. TACACS 347.) While performing surveillance activities, an attacker determined that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security controls? A. MAC spoofing B. Pharming C. Xmas attack D. ARP Poisoning 348.) An attacker is attempting to determine the patch-level version a web server is running on its open ports. Which of the following is an active technique that will MOST efficiently determine the information the attacker is seeking? A. Banner grabbing B. Vulnerability scanning C. Port scanning D. Protocol analysis 349.) In order to establish a connection to a server using secure LDAP, which of the following MUST be installed on the client? A. Server public key B. Subject alternative name certificate C. CA anchor of trust D. Certificate signing request 350.) A help desk technician receives a request for information from a user regarding a new policy a department issued. The policy states that all emails with embedded URLs or images be digitally signed. Which of the following represent possible motivators for this new policy? ( select Two) A. Service availability B. Non- repudiation C. User authentication D. Confidentiality E. Anti-malware F. Message integrity 351.) A bank is planning to implement a third factor to protect customer ATM transactions. Which of the following could the bank implement? A. SMS B. Fingerprint C. Chip and PIN D. OTP 352.) The content of a document that is routinely used by several employees and contains confidential information has been changed. While investigating the issue, it is discovered that payment information for all of the company’s clients has been removed from the document. Which of the following could be used to determine who changed the information? A. Audit logs B. Server baseline C. Document hashing D. Change management 353.) An old 802.11b wireless bridge must be configured to provide confidentiality of data in transit to include the MAC addresses of communicating endpoints. Which of the following can be implemented to meet this requirement? A. MSCHAPv2 B. WPA2 C. WEP D. IPsec 354.) A web server at an organization has been the target of distributed denial of service attacks. Which of the following, if correctly configured, would BEST mitigate these and future attacks? A. SYN cookies B. Implicit deny C. Blacklisting D. URL filter 355.) An application developer is working with the server administrator to configure storage of data that the application producers, including any temporary files. Which of the following will securely store the files outside of the application? A. Database encryption B. Transparent encryption C. Full-disk encryption D. Transit encryption 356.) An auditor is reviewing the following logs from the company’s proxy server that is used to store both sensitive and public documents. The documents are edited via a client web interface, and all processing is performed on the server side. Http://www.documents-portal.com/editdoc.php?document1=this%20is%the %content%20of%20document1 Http://www.documents-portal.com/editdoc.php?document1=this%20is%the %content%20of%20document2 Http://www.documents-portal.com/editdoc.php?document1=this%20is%the %content%20of%20document3 Which of the following should the auditor recommend be implemented? A. Two-factor authentication should be implemented for sensitive documents B. Sensitive documents should be signed using enterprise PKI C. Encryption should be implemented at the transport level D. Document hashing should be done to preserve document integrity 357.) Which of the following is a contract with a service provider that typically includes performance parameters like MTBF and MTTR? A. SLA B. NDA C. ISA D. MOU E. ALE 358.) An assessment team is conducting a vulnerability scan of an organization’s database servers. During the configuration of the vulnerability scanner, the lead assessor only configures the parameter of the database servers’ IP range, and then runs the vulnerability scanner. Which of the following scan types is being run on the database servers? A. Intrusive B. Ping sweep C. Non-credentialed D. Offline 359.) Which of the following network configurations provides security analysts with the MOST information regarding threats, while minimizing the risk to internal corporate assets? A. Configuring the wireless access point to be unencrypted B. Increasing the logging level of internal corporate devices C. Allowing inbound traffic to a honeypot on the corporate LAN D. Placing a NIDS between the corporate firewall and ISP 360.) A new help desk employee at a cloud services provider receives a call from a customer. The customer is unable to log into the provider’s web application. The help desk employee is unable to find the customer’s user account in the directory services console, but sees the customer’s information in the application database. The application does not appear to have any fields for a password. The customer then remembers the password and is able to log in. The help desk employee still does not see the user account in directory services. Which of the following is the MOST likely explanation? A. A bug has been discovered in the application B. The application uses a weak encryption cipher C. A federated authentication model is being used D. The application uses single sign-on 361.) An administrator is reviewing the logs for a content management system that supports the organization’s public-facing website. The administrator is concerned about the number of attempted login failures for administrator accounts from other countries. Which of the following capabilities is BEST to implement if the administrator wants the system to react dynamically to such attacks? A. Netflow-based rate limiting B. Disabled generic administrative accounts C. Automated log analysis D. Intrusion prevention system 362.) y recent security breach at an organization revealed that the attack leveraged a telnet server that had not been used for some time. Below are partial results of an audit that occurred a week before the breach was detected. OPEN PORTS---TCP 23, TCP 80, TCP 443 OS PATCH LEVEL-CURRENT PASSWORD AUDIT-PASS, STRONG FILE INTEGRITY-PASS. Which of the following could have mitigated or deterred this breach? A. Routine patch management on the server B. Greater frequency of auditing the server logs C. Password protection on the telnet server D. Disabling unnecessary services 363.) A recent counter threat intelligence notification states that companies should review indicators of compromise on all systems. The notification stated that the presence of a win_32.dll was an identifier of a compromised system. A scan of the network reveals that all systems have this file. Which of the following should the security analyst perform FIRST to determine if the files collected are part of the threat intelligence? A. Quarantine the file on each machine B. Take a full system image of each machine C. Take hashes of the files found for verification D. Verify the time and date of the files found 364.) A technician is troubleshooting an issue with an employee’s new mobile device that is not associating to the wireless network. The technician verifies the mobile device is in the company’s approved and supported list. The appropriate configuration was entered on the device. All other mobile devices are connecting to the wireless network. Which of the following is the MOST likely cause of the issue? A. Non-broadcasting SSID B. MAC address filtering C. Wrong encryption D. Full DHCP scope 365.) An organization is developing a plan to ensure an earthquake at a datacenter does not disrupt business. The organization has identified all of the critical applications within the datacenter, determining the financial loss of an outage of different duration for each application. This effort is known as a : A. Tabletop exercise B. High availability C. Disaster recovery D. Business impact analysis E. Risk assessment 366.) After installing new digital certificates on a company web server, the network administrator wants to securely store the keys so that no one individual is able to use the keys on any other system. Which of the following would allow the network administrator to achieve this goal? A. Key hashing B. Key exchange C. Key escrow D. Ephemeral key 367.) Multi-function devices are being deployed in various departments. All departments will be able to copy, print and scan to file. Some departments will be authorized to use their devices to fax and email while other departments will not be authorized to use those functions on their devices. Which of the following is the MOST important mitigation technique to avoid an incident? A. Disabling unnecessary accounts B. Password protection C. Monitoring access logs D. Disabling unnecessary services 368.) Due to the commonality of Content Management System ( CMS) platforms, a website administrator is concerned about security for the organization’s new CMS application. Which of the following practices should the administrator implement FIRST to mitigate risks associated with CMS platform implementations? A. Deploy CAPTCHA features B. Modify the default accounts’ password C. Implement two-factor authentication D. Configure DNS blacklisting E. Configure password complexity requirements 369.) Which of the following BEST describes the benefits of using Extended Validation(EV)? A. Does not use standard x.509 V3 certificates B. Enhances SSL session key exchange preventing man-in-the-middle attacks C. The website provider demonstrates an additional level of trust D. Provides stronger enforcement of SSL encryption algorithms 370.) The network administrator is installing RS-485 terminal servers to provide card readers to vending machines. Which of the following should be performed to protect the terminal servers? A. Flood guard B. 802.1X C. Network separation D. Port security 371.) An administrator was tasked with reducing the malware infection rate of PC applications. To accomplish this, the administrator restricted the locations from which programs can be launched. After this was complete, the administrator noticed that malware continued to run from locations on the disk and infected the hosts. Which of the following did the administrator forget to do? A. Restrict write access to the allowed executable paths B. Install the host-based intrusion detection system C. Configure browser sandboxing D. Disable unnecessary services 372.) A developer is programming an SSO module to assist an organization’s internal users with password management. As part of the implementation plan, each user will be required to sign in with existing credentials and submit a new password for the SSO system due to increased security requirements. The developer has been tasked by the security lead to harden the application against automated attacks using the existing credentials. Which of the following will provide an additional security layer against unauthorized access? A. Log analysis B. CAPTCHA C. Web application firewall D. Security tokens E. Role-based access control lists F. One-time pad 373.) A security administrator determined that the time required to brute force 90% of the company’s password hashes is below the acceptable threshold. Which of the following, if implemented, has the GREATEST impact in bringing this time above the acceptable threshold? A. Use a shadow password file B. Increase the number of PBKDF2 iterations C. Change the algorithm used to salt all passwords D. Use a stronger hashing algorithm for password storage 374.) A security administrator creates separate VLANs for employee devices and HVAC equipment that is network attached. Which of the following are security reasons for this design? A. IDS often requires network segmentation of HVAC endpoints for better reporting B. Broadcasts from HVAC equipment will be confined to their own network segment C. HVAC equipment can be isolated from compromised employee workstations D. VLANs are providing loop protection for the HVAC devices E. Access to and from the HVAC equipment can be more easily controlled F. Employee devices often interfere with proper functioning of HVAC devices 375.) An attacker has breached multiple lines of information security defense. Which of the following BEST describes why delayed containment would be dangerous? A. The attacker could be blocked by the NIPS before enough forensic data can be collected. B. The attacker could erase all evidence of how they compromised the network C. The attacker could cease all attack activities making forensics more difficult D. The attacker could escalate unauthorized access or compromise other systems 376.) After Ann, a user, left a crowded elevator, she discovered her smartphone browser was open to a malicious website that exploited the phone. Which of the following is the MOST likely reason this occurred? A. The user was the victim of an CSRF attack B. The user was the victim of an NFC attack C. The user was the victim of an IV attack D. The user was the victim of a bluesnarfing attack 377.) A company has classified the following database records Which of the following is a management control the company can implement to increase the security of the above information with respect to confidentiality? A. Implement a client-based software filter to prevent some employees from viewing confidential info. B. Use a privacy screen on all computers handling and displaying sensitive information C. Encrypt the records that have a classification of HIGH in the confidentiality column D. Disseminate the data classification table to all employees and provide training on data disclosure 378.) Joe a system architect wants to implement appropriate solutions to secure the company’s distributed database. Which of the following concepts should be considered to help ensure data security? ( Select Two) A. Data at rest B. Data in use C. Replication D. Wiping E. Retention F. Cloud Storage 379.) A government agency wants to ensure that the systems they have been deployed as secure as possible. Which of the following technologies will enforce protections on these systems to prevent files and services from operating outside of a strict rule set? A. Host based Intrusion B. Host-based firewall C. Trusted OS D. Antivirus 380.) Joe is a helpdesk specialist. During a routine audit, a company discovered that his credentials were used while he was on vacation. The investigation further confirmed that Joe still has his badge and it was last used to exit the facility. Which of the following access control methods is MOST appropriate for preventing such occurrences in the future? A. Access control where the credentials cannot be used except when the associated badge is in the facility B. Access control where system administrators may limit which users can access their systems C. Access control where employee’s access permissions is based on the job title D. Access control system where badges are only issued to cleared personnel 381.) After a private key has been compromised, an administrator realized that downloading a CRL once per day was not effective. The administrator wants to immediately revoke certificates. Which of the following should the administrator investigate? A. CSR B. PKI C. IdP D. OCSP 382.) A datacenter has suffered repeated burglaries that lead to equipment theft and arson. In the past, the thieves have demonstrated a determination to bypass any installed safeguards. After mantraps had been installed to prevent tailgating, the thieves crashed through the wall of the datacenter with a vehicle after normal business hours. Which of the following options could further improve the physical safety and security of the datacenter? (select TWO). A. Cipher locks B. CCTV C. Escape routes D. K-rated fencing E. FM200 Fire suppression 383.) Based on a review of the existing access policies the network administrator determines that that changes are needed to meet current regulatory requirements of the organization's access control process. To initiate changes in teh process, the network administrator should FIRST: A. B. C. D. Update the affected policies and inform the user community of the changes Distribute a memo stating that all new accounts must follow current regulatory requirements Inform senior management that changes are needed to existing policies Notify the user community that non-compliant account will be required to use the new process 384.) When implementing a new system, a systems administrator works with the information system owner to identify and document the responsibilities of various positions within teh organization. Once responsibilities are identified, groups are created within the system to accommodate the various responsibilities of each position type, with users being placed in these groups. Which of the following principles of authorization is being developed? A. Rule-based access control B. Least privilege C. Separation of duties D. Access control lists E. Role-Based access control 385.) The operations manager for a sales group wants to ensure that sales personnel are able to use their laptops and other portable devices throughout a building using both wireless and wired connectivity. Which of the following technologies would be MOST effective at increasing security of the network while still maintaining the level of accessibility the operations manager requested? A. 802.1x B. 802.11n C. WPA2 authentication D. VLAN isolation E. Authenticated web proxy 386.) A system administrator is configuring a site-to-site IPSec VPN tunnel. Which of the following should be configured on the VPN concentrator for payload encryption? A. ECDHE B. SHA256 C. HTTPS D. 3DES . 387.) Several computers in an organization are running below the normal performance baseline. A security administrator inspects the computers and finds the following pieces of information: - Several users have uninstalled the antivirus software Some users have installed unauthorized software - Several users have installed pirated software - Some computers have had automatic updating disabled after being deployed - Users have experienced slow responsiveness when using the Internet browser - Users have complete control over critical system properties Which of the following solutions would have prevented these issues from occurring? (Select TWO). A. B. C. D. E. F. Using snapshots to revert unwanted user changes Using an IPS instead of an antivirus Placing users in appropriate security groups Disabling unnecessary services Utilizing an application whitelist Utilizing an application blacklist 388.) A data breach is suspected on a currently unidentified server in a datacenter. Which of the following is the BEST method of determining which server was breached? A. Network traffic logs B. System image capture C. Asset inventory review D. RAM analysis 389.) Due to the commonality of Content Management System (CMS) platforms, a website administrator is concerned about security for the organization's new CMS application. Which of the following practices should the administrator implement FIRST to mitigate risks associated with CMS platform implementations? A. B. C. D. E. Deploy CAPTCHA features Modify default accounts password Implement two-factor authentication Configure DNS blacklisting Configure password complexity requirements 390.) The firewall administrator is installing a VPN application and must allow GRE through the firewall. Which of the following MUST the administrator allow through the firewall? A. B. C. D. IPSec IP protocol 47 IP protocol 50 IP protocol 51 391.) When generating a request for a new x.509 certificate for securing a website, which of the following is the MOST appropriate hashing algorithm? A. RC4 B. MD5 C. RIPEMD D. SHA 392.) The first responder to an incident has been asked to provide an after action report. This supports which of the following Incident Response procedures? A. Incident identification B. Mitigation C. Lessons learned D. Escalation/Notification 393.) An employee is conducting a presentation at an out-of-town conference center using a laptop. The wireless access point at the employee's office has an SSID of OFFICE. The laptop was set to remember wireless access points. Upon arriving at the conference, the employee powered on the laptop and noticed that it was connected to the OFFICE access point. Which of the following MOST likely occurred? A. The laptop connected to a legitimate WAP B. The laptop connected as a result of an IV attack C. The laptop connected to an evil twin WAP D. The laptop connected as a result of near field communication 394.) A company has a proprietary device that requires access to the network be disabled. Only authorized users should have access to the device. To further protect the device from unauthorized access, which of the following would also need to be implemented? A. B. C. D. Install NIPS within the company to protect all assets Block port80 and 443 on the firewall Install a cable lock to prevent theft of the device Install software to encrypt access to the hard drive 395.) After Ann arrives at the company's co-location facility, she determines that she is unable to access the cage that holds the company's equipment after a co-worker updated the key card server the night before. This is an example of failure of which of the following? A. B. C. D. Testing controls Access signatures Fault tolerance Non-repudiation 396.) A security administrator wants to implement a system that will allow the organization to quickly and securely recover from a computer breach. The security administrator notices that the majority of malware infections are caused by zero-day armored viruses and rootkits. Which of the following solutions should the system administrator implement? A. Install an antivirus solution that provides HIPS capabilities B. Implement a thick-client model with local snapshots C. Deploy an enterprise patch management system D. Enable the host-based firewall and remove users’ administrative rights 397.) The network engineer for an organization intends to use certificate-based 802.1X authentication on a network. The engineer's organization has an existing PKI that is used to issue server and user certificates. The PKI is currently not configured to support the issuance of 802.1X certificates. Which of the following represents an item the engineer MUST configure? A. OCSP responder B. Web enrollment portal C. Symmetric cryptography D. Certificate extension 398.) During a recent audit, it was discovered that the employee who deploys patches also approves the patches. The audit found there is no documentation supporting the patch management process, and there is no formal vetting of installed patches. Which of the following controls should be implemented to mitigate this risk? (Select TWO). A. It contingency planning B. Change management policy C. Least privilege D. Separation of duties E. Dual control F. Mandatory job rotation 399.) Which of the following remote authentication methods uses a reliable transport layer protocol for communication? A. RADIUS B. LDAP C. TACACS+ D. SAML 400.) Analysis of a recent security breach at an organization revealed that the attack leveraged a telnet server that had not been used in some time. Below are partial results of an audit that occurred a week before the breach was detected. OPEN PORTS---TCP 23, TCP 80, TCP 443 OS PATCH LEVEL---CURRENT PASSWORDAUDIT---PASS, STRONG FILE INTEGRITY---PASS Which of the following could have mitigated or deterred this breach? A. Routine patch management on the server B. Greater frequency of auditing the server logs C. Password protection on the telnet server D. Disabling unnecessary services 401.) A security administrator receives an IDS alert that a single internal IP address is connecting to several known malicious command and control domains. The administrator connects to the switch and adds a MAC filter to Port 18 to block the system from the network. BEFORE MAC Address 67A7.353B.5064 7055.4961.1F33 0046.6416.5809 7027.0108.31B5 5243.6353.7720 1484.A471.6542 80C7.8669.5845 7513.77B9.4130 5A77.1816.3859 8294.7E31.3270 A. B. C. D. VLAN 101 100 101 100 101 100 101 101 101 100 Port 4 9 21 16 6 2 7 18 19 8 AFTER MAC Address 67A7.353B.5064 7055.4961.1F33 0046.6416.5809 7027.0108.31B5 5243.6353.7720 1484.A471.6542 80C7.8669.5845 0046.6419.5809 5A77.1816.3859 8294.7E31.3270 VLAN 101 100 101 100 101 100 101 101 101 100 Port 4 9 21 16 6 2 7 18 19 8 A few minutes later, the same malicious traffic starts again from a different IP. Which of the following is the MOST likely reason that the system was able to bypass the administrator's MAC filter? The system is now ARP spoofing a device on the switch The system is no VLAN hopping to bypass the switch port MAC fiter The system is now spoofing a MAC address The system is now connecting to the switch 402.) A recent policy change at an organization requires that all remote access connections to and from file servers at remote locations must be encrypted. Which of the following protocols would accomplish this new objective? (Select TWO). A. TFTP B. SSH C. FTP D. RDP E. HTTP 403.) A security administrator has been tasked hardening operating system security on tablets that will be deployed for use by floor salespeople at retail outlets. Which of the following could the administrator implement to reduce the likelihood that unauthorized users will be able to access information on the tablets? A. GPS device tracking B. Remote wiping C. Cable locks D. Password protection 404.) An organization that uses a cloud infrastructure to present a payment portal is using: A. Software as a service B. Platform as a service C. Monitoring as a service D. Infrastructure as a service 405.) A forensics investigator needs to be able to prove that digital evidence was not tampered with after being taken into custody. Which of teh following is useful in this scenario? A. Encryption B. Non-repudiation C. Hashing D. Perfect forward secrecy E. Steganography 406.) A penetration tester is attempting to determine the operating system of a remote host. Which of the following will provide this information? A. Protocol analyzer B. Honeypot C. Fuzzer D. Banner grabbing 407.) A company is hosting both sensitive and public information at a cloud provider. Prior to the company going out of business, the administrator will decommission all virtual servers hosted in the cloud. When wiping the virtual hard drive, which of the following should be removed? A. Hardware specifications B. Encrypted files C. Data remnants D. Encrypted keys 408.) A software development manager needs to create several different environments for application development, testing, and quality control. Controls are being put in place to manage how software is moved into the production environment. Which of the following should the software development manager request be put in place to implement the three new environments? A. Application firewalls B. Network segmentation C. Trusted computing D. Network address translation 409.) A security manager needs to implement a backup solution as part of the disaster recovery plan. The system owners have indicated that the business cannot afford to lose more than a day of transactions following an event where data would have been restored. The security manager should set a value of 24 hours for the: A. Recovery time objective B. Service level agreement C. Recovery point objective D. System backup window E. Disaster recovery plan 410.) A security analyst needs to ensure all external traffic is able to access the company's front-end servers but protect all access to internal resources. Which of the following network design elements would MOST likely be recommended? A. DMZ B. Cloud Computing C. VLAN D. Virtualization 411.) Which of the following network design elements allows for many internal devices to share one public IP address? A. DNAT B. PAT C. DNS D. DMZ 412.) Ann, a security administrator, needs to implement a transport encryption solution that will enable her to detect attempts to sniff packets. Which of the following could be implemented? A. Eliptical curve algorithms B. Ephemeral keys C. Quantum cryptography D. Steganography 413.) After Ann arrives at the company's co-location facility, she determines that she is unable to access the cage that holds the company's equipment after a co-worker updated the key card server the night before. This is an example of failure of which of the following? A. Testing controls B. Access signatures C. Fault tolerance D. Non-repudiation 414.) Which of the following is a security advantage of using NoSQL vs. SQL databases in a three-tier environment? A. NoSQL databases are not vulnerable to XSRF attacks from the application server. B. NoSQL databases are not vulnerable to SQL injection attacks. C. NoSQL databases encrypt sensitive information by default. D. NoSQL databases perform faster than SQL databases on the same hardware 415.) The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to upgrade the entire corporate IT infrastructure. The architecture consists of a centralized cloud environment hosting the majority of data, small server clusters at each corporate location to handle the majority of customer transaction processing, ATMs, and a new mobile banking application accessible from smartphones, tablets, and the Internet via HTTP. The corporation does business having varying data retention and privacy laws. Which of the following technical modifications to the architecture and corresponding security controls should be implemented to provide the MOST complete protection of data? A. Revoke exiting root certificates, re-issue new customer certificates, and ensure all transactions are digitally signed to minimize fraud, implement encryption for data in-transit between data centers B. Ensure all data is encryption according to the most stringent regulatory guidance applicable, implement encryption for data in-transit between data centers, increase data availability by replicating all data, transaction data, logs between each corporate location C. Store customer data based on national borders, ensure end-to end encryption between ATMs, end users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations D. Install redundant servers to handle corporate customer processing, encrypt all customer data to ease the transfer from one country to another, implement end-to-end encryption between mobile applications and the cloud. 416.) A server administrator is investigating a breach and determines that an attacker modified the application log to obfuscate the attack vector. During the lessons learned activity the facilitator asks for a mitigation response to protect the integrity of the logs should a similar attack occur. Which of the following mitigations would be MOST appropriate to fulfill the requirement? A. Host-based IDS B. Automated log analysis C. Enterprise SIEM D. Real-time event correlation 417.) An administrator has to determine host operating systems on the network and has deployed a transparent proxy. Which of the following fingerprint types would this solution use? A. Packet B. Active C. Port D. Passive 418.) Which of the following can be used to maintain a higher level of security in a SAN by allowing isolation of mis-configurations or faults? A. VLAN B. Protocol security C. Port security D. VSAN 419.) Due to hardware limitation, a technician must implement a wireless encryption algorithm that uses the RC4 protocol. Which of the following is a wireless encryption solution that the technician should implement while ensuring the STRONGEST level of security? A. WPA2-AES B. 802.11ac C. WPA-TKIP D. WEP 420.) Ann, the software security engineer, works for a major software vendor. Which of the following practices should be implemented to help prevent race conditions, buffer overflows, and other similar vulnerabilities prior to each production release? A. Product baseline report B. Input validation C. Patch regression testing D. Code review 421.) The security administrator is analyzing a user's history file on a Unix server to determine if the user was attempting to break out of a rootjail. Which of the following lines in the user's history log shows evidence that the user attempted to escape the rootjail? A. cd ../../../../bin/bash B. whoami C. ls /root D. sudo -u root 422.) A company has implemented full disk encryption. Clients must authenticate with a username and password at a pre-boot level to unlock the disk and again a username and password at the network login. Which of the following are being used? (Select TWO) A. Multifactor authentication B. Single factor authentication C. Something a user is D. Something a user has E. Single sign-on F. Something a user knows 423.) The sales force in an organization frequently travel to remote sites and requires secure access to an internal server with an IP address of 192.168.0.220. Assuming services are using default ports, which of the following firewall rules would accomplish this objective? (Select Two) A. Permit TCP 20 any 192.168.0.200 B. Permit TCP 21 any 192.168.0.200 C. Permit TCP 22 any 192.168.0.200 D. Permit TCP 110 any 192.168.0.200 E. Permit TCP 139 any 192.168.0.200 F. Permit TCP 3389 any 192.168.0.200 424.) Which of the following could a security administrator implement to mitigate the risk of tailgating for a large organization? A. Train employees on correct data disposal techniques and enforce policies. B. Only allow employees to enter or leave through one door at specified times of the day. C. Only allow employees to go on break one at a time and post security guards 24/7 at each entrance. D. Train employees on risks associated with social engineering attacks and enforce policies. 425.) A system administrator has concerns regarding their users accessing systems and secured areas using others' credentials. Which of the following can BEST address this concern? A. Create conduct policies prohibiting sharing credentials. B. Enforce a policy shortening the credential expiration timeframe. C. Implement biometric readers on laptops and restricted areas. D. Install security cameras in areas containing sensitive systems. 426.) An administrator needs to allow both secure and regular web traffic into a network. Which of the following ports should be configured? (Select TWO) A. 25 B. 53 C. 80 D. 110 E. 143 F. 443 427.) A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the proper direction. Which of the following types of controls is being used? A. Detective B. Deterrent C. Corrective D. Preventive 428.) An administrator is investigating a system that may potentially be compromised, and sees the following log entries on the router. *Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets. *Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets. *Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets. Which of the following BEST describes the compromised system? A. It is running a rogue web server B. It is being used in a man-in-the-middle attack C. It is participating in a botnet D. It is an ARP poisoning attack 429.) Joe must send Ann a message and provide Ann with assurance that he was the actual sender. Which of the following will Joe need to use to BEST accomplish the objective? A. A pre-shared private key B. His private key C C. Ann's public key D. His public key 430.) Log file analysis on a router reveals several unsuccessful telnet attempts to the virtual terminal (VTY) lines. Which of the following represents the BEST configuration used in order to prevent unauthorized remote access while maintaining secure availability for legitimate users? A. Disable telnet access to the VTY lines, enable SHH access to the VTY lines with RSA encryption B. Disable both telnet and SSH access to the VTY lines, requiring users to log in using HTTP C. Disable telnet access to the VTY lines, enable SHH access to the VTY lines with PSK encryption D. Disable telnet access to the VTY lines, enable SSL access to the VTY lines with RSA encryption 431.) Ann, the network administrator, is receiving reports regarding a particular wireless network in the building. The network was implemented for specific machines issued to the developer department, but the developers are stating that they are having connection issues as well as slow bandwidth. Reviewing the wireless router's logs, she sees that devices not belonging to the developers are connecting to the access point. Which of the following would BEST alleviate the developer's reports? A. Configure the router so that wireless access is based upon the connecting device's hardware address. B. Modify the connection's encryption method so that it is using WEP instead of WPA2. C. Implement connections via secure tunnel with additional software on the developer's computers. D. Configure the router so that its name is not visible to devices scanning for wireless networks 432.) Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing data in use? A. Email scanning B. Content discovery C. Database fingerprinting D. Endpoint protection 433.) After a company has standardized to a single operating system, not all servers are immune to a well-known OS vulnerability. Which of the following solutions would mitigate this issue? A. Host based firewall B. Initial baseline configurations C. Discretionary access control D. Patch management system 434.) A network security administrator is trying to determine how an attacker gained access to the corporate wireless network. The network is configured with SSID broadcast disabled. The senior network administrator explains that this configuration setting would only have determined an unsophisticated attacker because of which of the following? A. The SSID can be obtained with a wireless packet analyzer B. The required information can be brute forced over time C. Disabling the SSID only hides the network from other WAPs D. The network name could be obtained through a social engineering campaign 435.) Joe a user upon arriving to work on Monday morning noticed several files were deleted from the system. There were no records of any scheduled network outages or upgrades to the system. Joe notifies the security department of the anomaly found and removes the system from the network. Which of the following is the NEXT action that Joe should perform? A. Screenshots of systems B. Call the local police C. Perform a backup D. Capture system image 436.) A network technician at a company, Joe is working on a network device. He creates a rule to prevent users from connecting to a toy website during the holiday shopping season. This website is blacklisted and is known to have SQL injections and malware. Which of the following has been implemented? A. Mandatory access B. Network separation C. Firewall rules D. Implicit Deny 437.) After a few users report problems with the wireless network, a system administrator notices that a new wireless access point has been powered up in the cafeteria. The access point has the same SSID as the corporate network and is set to the same channel as nearby access points. However, the AP has not been connected to the Ethernet network. Which of the following is the MOST likely cause of the user's wireless problems? A. AP channel bonding B. An evil twin attack C. Wireless interference D. A rogue access point 438.) Which of the following is considered the MOST effective practice when securing printers or scanners in an enterprise environment? A. Routine vulnerability scanning of peripherals B. Install in a hardened network segment C. Turn off the power to the peripherals at night D. Enable print sharing only from workstations 439.) A system requires administrators to be logged in as the "root" in order to make administrator changes. Which of the following controls BEST mitigates the risk associated with this scenario? A. Require that all administrators keep a log book of times and justification for accessing root B. Encrypt all users home directories using file-level encryption C. Implement a more restrictive password rotation policy for the shared root account D. Force administrator to log in with individual accounts and switch to root E. Add the administrator to the local group 440.) The user of a news service accidently accesses another user's browsing history. From this the user can tell what competitors are reading, querying, and researching. The news service has failed to properly implement which of the following? A. Application white listing B. In-transit protection C. Access controls D. Full disk encryption 441.) A security engineer discovers that during certain times of day, the corporate wireless network is dropping enough packets to significantly degrade service. Which of the following should be the engineer's FIRST step in troubleshooting the issues? A. Configure stronger encryption B. Increase the power level C. Change to a higher gain antenna D. Perform a site survey 442.) A company is exploring the option of letting employees use their personal laptops on the internal network. Which of the following would be the MOST common security concern in this scenario? A. Credential management B. Support ownership C. Device access control D. Antivirus management 443.) While testing a new host based firewall configuration a security administrator inadvertently blocks access to localhost which causes problems with applications running on the host. Which of the following addresses refer to localhost? A. . ::0 B. 127.0.0.0 C. 127.0.0.1 D. 127.0.0/8 E. 127::0.1 444.) A company discovers an unauthorized device accessing network resources through one of many network drops in a common area used by visitors. The company decides that is wants to quickly prevent unauthorized devices from accessing the network but policy prevents the company from making changes on every connecting client. Which of the following should the company implement? A. Port security B. WPA2 C. Mandatory Access Control D. Network Intrusion Prevention 445.) A software company sends their offsite backup tapes to a third party storage facility. TO meet confidentiality the tapes should be: A. Labeled B. Hashed C. Encrypted D. Duplicated 446.) Which of the following authentication services uses a default TCP of 389? A. SAML B. TACACS+ C. Kerberos D. LDAP 447.) Which of the following ports will be used for logging into secure websites? A. 80 B. 110 C. 142 D. 443 448.) A security administrator would like to write an access rule to block the three IP addresses given below. Which of the following combinations should be used to include all of the given IP addresses? 192.168.12.255 192.168.12.227 192.168.12.229 A. 192.168.12.0/25 B. 192.168.12.128/28 C. 192.168.12.224/29 D. 192.168.12.225/30 449.) A web startup wants to implement single sign-on where its customers can log on to the site by suing their personal and existing corporate email credentials regardless of which company they work for. Is this directly supported by SAML? A. No not without extensive partnering and API integration with all required email providers B. Yes SAML is a web based single sign-on implementation exactly fir this purpose C. No a better approach would be to use required email providers LDAP or RADIUS repositories D. Yes SAML can use oauth2 to provide this functionality out of the box 450.) Which of the following attacks is generally initiated from a botnet? A. Cross site scripting attack B. HTTP header injection C. Distributed denial of service D. A war driving attack 451.) A security administrator wishes to implement a method of generating encryption keys from user passwords to enhance account security. Which of the following would accomplish this task? A. NTLMv2 B. Blowfish C. Diffie-Hellman D. PBKDF2 452.) A security technician would like an application to use random salts to generate short lived encryption leys during the secure communication handshake process to increase communication security. Which of the following concepts would BEST meet this goal? A. Ephemeral keys B. Symmetric Encryption Keys C. AES Encryption Keys D. Key Escrow 453.) A security technician would like to use ciphers that generate ephemeral keys for secure communication. Which of the following algorithms support ephemeral modes? (Select TWO) A. Diffie-Hellman B. RC4 C. RIPEMO D. NTLMv2 E. PAP F. RSA 454.) A fiber company has acquired permission to bury a fiber cable through a famer's land. Which of the following should be in the agreement with the farmer to protect the availability of the network? A. No farm animals will graze near the burial site of the cable B. No digging will occur near the burial site of the cable C. No buildings or structures will be placed on top of the cable D. No crops will be planted on top of the cable 455.) When implementing a Public Key Infrastructure, which of the following should the sender use to digitally sign a document? A. A CSR B. A private key C. A certificate authority D. A public key 456.) A company's BYOD policy requires the installation of a company provide mobile agent on their on their personally owned devices which would allow auditing when an employee wants to connect a device to the corporate email system. Which of the following concerns will MOST affect the decision to use a personal device to receive company email? A. Personal privacy B. Email support C. Data ownership D. Service availability 457.) Environmental control measures include which of the following? A. Access list B. Lighting C. Motion detection D. EMI shielding 458.) A user has attempted to access data at a higher classification level than the user's account is currency authorized to access. Which of the following access control models has been applied to this user's account? A. MAC B. DAC C. RBAC D. ABAC 459.) A company determines that it is prohibitively expensive to become compliant with new credit card regulations. Instead, the company decides to purchase insurance to cover the cost of any potential loss. Which of the following is the company doing? A. Transferring the risk B. Accepting the risk C. Avoiding the risk D. Mitigating the risk 460.) An organization has determined it can tolerate a maximum of three hours of downtime. Which of the following has been specified? A. RTO B. RPO C. MTBF D. MTTR 461.) An attacker compromises a public CA and issues unauthorized X.509 certificates for Company.com. In the future, impact of similar incidents. Which of the following would assist Company.com with its goal? A. Certificate pinning B. Certificate stapling C. Certificate chaining D. Certificate with extended validation 462.) Malicious traffic from an internal network has been detected on an unauthorized port on an application server. Which of the following network-based security controls should the engineer consider implementing? A. ACL’s B. HIPS C. NAT D. MAC filtering 463.) A company wants to host a publicly available server that performs the following functions: - Evaluates MX record lookup - Can perform authenticated requests for A and AAA records - Uses RRSIG Which of the following should the company use to fulfill the above requirements? A. DNSSEC B. SFTP C. Nslookup D. Dig 464.) Which of the following attack types BEST describes a client-side attack that is used to mandate an HTML iframe with JavaScript code via web browser? A. MITM B. XSS C. SQLi D. XSRF 465.) A company has a data classification system with definitions for "Private" and “public". The company's security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary". Which of the following is the MOST likely reason the company added this data type? A. Reduced cost B. More searchable data C. Better data classification D. Expanded authority of the privacy officer 466.) A security administrator is developing training for corporate users on basic security principles for personal email accounts. Which of the following should be mentioned as the MOST secure way for password recovery? A. Utilizing a single question for password recovery B. Sending a PIN to a smartphone through text message C. Utilizing CAPTCHA to avoid brute force attacks D. Use a different e-mail address to recover password 467.) A company researched the root cause of a recent vulnerability in its software. It was determined that the vulnerability was the result of two updates made in the last release. Each update alone would not have resulted in the vulnerability. In order to prevent similar situations in the future, the company should improve which of the following? A. Change management procedures B. Job rotation policies C. Incident response management D. Least privilege access controls 468.) A computer on a company network was infected with a zero-day exploit after an employee accidently opened an email that contained malicious content. The employee recognized the email as malicious and was attempting to delete it, but accidently opened it. Which of the following should be done to prevent this scenario from occurring again in the future? A. Install host-based firewalls on all computers that have an email client installed B. Set the email program default to open messages in plain text C. Install end-point protection on all computers that access web mail D. Create new email spam filters to delete all messages from that sender 1.) CCTV and Motion=Detective 2.) Delete FDE key for mobile devices to become non-usable 3.) Mobile Device security will be ECC 4.) SE linux server has two connections and should only have one means you have an unauthorized network 5.) Analyze logs of DMZ to see if a brute force password is successful 6.) Deploy OCSP if you need to see if users certs are good 7.) SCP to securely transfer files 8.) Network segmentation to minimize network congestion 9.) Three new environments= network segmentation 10.) Place users in appropriate security groups and white list because users install software like priority and they change things. 11.) Protect integrity you use encryption 12.) Cloud computing concerns are multinational concerns 13.) Non-repudiation and message integrity is done by digital signatures 14.) Cold site can be just HVAC and power 15.) Restrict write access to the allowed executables paths because after locking down group policies people are still able to install. 16.) When you have five nines in a row that is availability 17.) Virtualization is using software to emulate hardware 18.) Ping sweep is to start vulnerability scanner on servers 19.) 3DES and ECDHE are used for key exchange and session key 20.) NAT keeps internal IP addresses hidden 21.) Smart Card and PIN, Biometrics and SSO are things for authentication 22.) IP Spoofing means you have to be on the same network as the victim