Domain 1 Questions Answers
Uploaded by Ciara

1. An information technology manager conducted an audit of the company's support
tickets. The manager noticed a trend with the tickets, where the majority were for
new computer setups. What security control function would the manager's
implementation of a new standard operating procedure have?
A. Compensating
B. Deterrent
C. Directive
D. Corrective

A directive control enforces a rule of behavior, such as a policy, best practice standard,
or standard operating procedure (SOP).

2. A medium-sized mechanical engineering firm wants to better define the account
creation process during the onboarding of new hires. It is looking to ensure that
the new hires have the right programs, file permissions, and security controls
completed ahead of time through automation. What modern access control
implementation would aid the company’s account creation process?
A. IAM
B. LDAP
C. CISO
D. CTO

The company typically implements modern access control as an identity and access
management (IAM) system. The company would want to implement an IAM system to
ensure the proper creation of accounts and their associated permissions.

3. An engineer for a small company is trying to explain the importance of security to
the company's owner. The owner feels the company does not need permissions
added to the shared drive containing highly sensitive information. What security
concept should the engineer detail for the owner of the company to ensure the
security of the shared drive?
A. Confidentiality
B. Integrity
C. Availability
D. Recovery

With confidentiality, integrity, and availability, also known as the CIA Triad, confidentiality
means that only people with explicit authorization to access the information can read it.
This type of authority involves setting permissions for files and folders.

4. After implementing the National Institute of Standards and Technology (NIST)
Cybersecurity Framework, the chief information security officer (CISO) is
assessing the company's security posture to identify deficiencies from the
framework's recommendations. What process can the CISO run to get a better
sense of what the company needs to improve upon?
A. Implement business continuity plan
B. Penetration test
C. Implement disaster recovery plan
D. Gap analysis

The CISO would be preparing a gap analysis report. This report will show the defects in
the company’s current security posture against the NIST Cybersecurity Framework (or
any other baseline security framework).

5. After restoring a file from a backup, the owner of a small company wants to better
understand the purpose of permissions. A particular situation occurred: even
though there are permissions on the shared drive, the company still does not
know who deleted the file. The engineer explained that enabling file auditing
would help pinpoint all changes to the shared drive and who made them. How
would this address the problem of not knowing who changed the files?
A. Confidentiality
B. Non-remediation
C. Non-repudiation
D. Availability

Non-repudiation means a person cannot deny doing something, such as creating,
modifying, or sending a resource. For the company, this would mean enabling file
auditing on its file share.

6. After a recent server outage, the company discovered that an employee
accidentally unplugged the power cable from the server while grabbing some
office supplies from the nearby shelf. What security control did the company lack
that led to the server outage?
A. Managerial
B. Technical
C. Operational
D. Physical

Physical controls such as alarms, gateways, locks, lighting, and security cameras deter
and detect access to premises.

7. A newly hired chief information security officer (CISO) met with the human
resources (HR) department to discuss how to better manage the company’s
access to sensitive information. In what way does this meeting fall under the
responsibility of the new CISO?
A. Monitoring audit logs
B. Reviewing user permissions
C. Documenting access controls
D. Managing security-related incident response

Working with human resources to ensure the proper user permissions for their given
role falls under the security aspect of the chief information security officer.

8. After a company hires a new chief information security officer (CISO), the chief
executive officer (CEO) requests the CISO to hire staff for the new team. The
purview of the team will be for monitoring and protecting critical information
assets throughout the company. What BEST describes the location of this new
team within the structure of the company?
A. SOC
B. NOC
C. Help desk
D. MSP

A Security Operations Center (SOC) is the team responsible for security-related
activities within a company.

9. A newly hired chief information security officer (CISO) is implementing the
National Institute of Standards and Technology (NIST) Cybersecurity Framework.
What first function would help the CISO better develop the company's security
policies, such as acceptable use policy (AUP), and build out recommendations
for security controls?
A. Protect
B. Identify
C. Detect
D. Respond

The identify function in the National Institute of Standards and Technology's
Cybersecurity Framework refers to developing security policies and capabilities. The
CISO preparing policies and controls would fall under the identify function.

10. What component of modern access controls determines what rights subjects
should have on each resource?
A. Authentication
B. Authorization
C. Identification
D. Accounting

Authorization refers to determining what rights subjects should have on each resource
and enforcing those rights. Authorization may involve permissions assigned
individually, by group, or by role.

11. After a server outage due to a security breach, a company has taken several
steps to recover from the incident. They have restored critical data from the latest
backups and applied urgent security patches to address the exploited
vulnerabilities. The security team has updated the incident response plan to
incorporate lessons learned from the breach. What category of security control
functional type BEST describes the function of these recent implementations?
A. Corrective
B. Preventive
C. Detective
D. Operational

Corrective controls eliminate or reduce the impact of a security policy violation. A
corrective control occurs after an attack. In this scenario, these actions aim to directly
address the damage caused by the outage and improve the recovery process.

12. An information technology (IT) department is growing to a size where there is a
need for a new group to manage security. The chief executive officer (CEO)
wants to hire a new executive officer for the role and split it into its own
department, separate from the IT department. The CEO should hire for which
position?
A. CIO
B. CTO
C. CEO
D. CISO

The chief information security officer (CISO) is the title of the individual responsible for
managing security teams or departments within a company.

13. A large multimedia company is experiencing a distributed denial of service
(DDoS) attack that has led the company’s platform to become unresponsive.
Customers are submitting tickets complaining that they can no longer access the
platform and cannot complete their work. What BEST describes what the
company is going through?
A. Service disruption
B. Data exfiltration
C. Disinformation
D. Insider threat

Service disruption prevents an organization from working as it usually does. This
disruption could involve an attack on its website, such as a denial of service attack or
using malware to block access to servers and employee workstations.

14. An accountant received a phone call from an individual requesting information for
an ongoing project. The individual stated to be from a known vendor the
company is working with. Before giving the information over, the accountant
should protect against what?
A. Typosquatting
B. Impersonation
C. Watering hole attack
D. Consensus technique

Impersonation simply means pretending to be someone else. Impersonation is possible
when the target cannot easily verify the attacker's identity, such as over the phone or via
email.

15. A project manager's assistant received an email requesting information for an
ongoing project. The email attempted to convince the assistant that the project
would fail to complete on time if they did not receive the information. Before
giving the information over, what should the assistant protect against?
A. Urgency
B. Typosquatting
C. Consensus technique
D. Brand impersonation

Coercion or the use of urgency refers to the intimidation of the target with a bogus
appeal to authority or penalty, such as getting fired or not acting quickly enough to
prevent some dire outcome.

16. A construction contractor received a phone call from a prospective client that the
contractor's website looked off from what they expected. After an investigation,
the construction company discovered that the prospect visited a similar-looking
website with a slightly different URL. What caused the client to go to an incorrect
website?
A. Phishing
B. Impersonation
C. Watering hole attack
D. Typosquatting

Typosquatting means that the threat actor registers a domain name very similar to a real
one, hoping that users will not notice the difference and assume they are browsing a
trusted site.

17. An accountant received a phone call from an individual requesting information for
an ongoing project. The call came from an unrecognized number, but the
individual seemed believable and persuasive. Before giving the information over,
what should the accountant protect against?
A. Social engineering
B. Coercion
C. Typosquatting
D. Brand impersonation

Social engineering refers to eliciting information from users or getting them to perform
some action for the threat actor.

18. A large organization’s security operations center (SOC) noticed in its Extended
Detection and Response (XDR) antivirus software that a phished email gained
access to the company ticketing system, then to the virtual private network (VPN)
software, and lastly, to the company’s file share. What did the SOC find?
A. Threat actor
B. Hacktivist
C. Threat vector
D. Service disruption

A threat vector is the path that a threat actor uses to execute a data exfiltration, service
disruption, or disinformation attack. Sophisticated threat actors will make use of multiple
vectors.

19. A recently terminated employee copied sensitive information from the company’s
shared drive right before permanently leaving. This employee is what kind of
threat to the company?
A. External
B. Nation-state
C. Hacktivist
D. Internal

An insider threat is someone within the company (internal) who intentionally or
unintentionally increases risk or takes company data outside the organization’s security
controls.

20. A construction company that receives several emails with attachments from its
vendors ran into an issue with one of the emails it received. A malicious actor
created an email with an attachment that appeared to be from a known vendor.
As a result, the malicious actor tricked an employee into clicking on that
attachment. How did the malicious actor convince the employee to click on the
attachment?
A. The actor used an email lure.
B. The actor used a physical lure.
C. The actor offered help to improve employee workflow.
D. The actor exploited an outdated email encryption protocol.

Sending out an email whose attachment and wording match what a company would
expect is an effective way to get people to click the attachment without thinking. Adding
further content to the email can lend additional legitimacy to the malicious attachment.

21. An employee unknowingly clicked on a malicious attachment but did not notice
any issues right away and assumed nothing happened. A short while later, the
security operations center received a notification of a virus attempting to access
an IP address outside the company. What is the malicious attachment MOST
likely doing?
A. Attempting to disable a remote connection
B. Attempting to create a local connection
C. Attempting to disable a local connection
D. Attempting to create a remote connection

The software in the scenario is attempting to make a remote connection to download
more malicious software, exfiltrate data, or allow the device to become part of a botnet
(a set of hosts infected by a control program or bots that enable attackers to exploit the
hosts to mount attacks).

22. An information technology (IT) manager is trying to persuade the chief financial
officer (CFO) to sign off on a new support and update contract for the company’s
virtualized environment. The CFO sees this as a waste of money since the
company already has the environment up and running. The IT manager
explained to the CFO that the company will no longer receive security updates to
protect the environment. What describes the level of hazard posed by NOT
keeping the systems up-to-date?
A. Vulnerability
B. Threat
C. Risk
D. Insider threat

Risk is the level of hazard posed by vulnerabilities and threats. When a company
identifies a vulnerability, it calculates the risk as the likelihood of exploitation by a threat
actor and the impact of a successful exploitation.

23. A large multimedia company is in the process of creating a new marketing
campaign for a soon-to-be-released movie. However, before releasing the
campaign, the company noticed an increase in fake accounts mimicking it online
with a similarly-looking campaign. What could the company do to mitigate this
issue?
A. Check for typosquatting
B. Check for brand impersonation
C. Check for coercion
D. Check for consensus technique

Brand impersonation occurs when the threat actor commits resources to accurately
duplicating a company's logos and formatting to make a phishing message or pharming
website visually compelling.

24. An employee reported seeing an individual outside the office drop a few thumb
drives. The employee grabbed those devices and brought them to the
information technology (IT) department. After conducting forensics on the
devices using air-gapped machines, the IT team determined that the individual
was trying to trick employees into plugging the devices into their computers to
steal information. What was the malicious actor attempting on an unsuspecting
employee?
A. The actor used an email lure.
B. The actor tried to improve the company's security posture.
C. The actor used a physical lure.
D. The actor was not being malicious.

A physical lure can occur when an attacker leaves something, such as a removable
flash drive, in an area in which a targeted person would use the device in the work
environment.

25. An accounts payable clerk received a company-wide email requesting them to
click the link within the email to update their personnel information in the human
resources portal. At first glance, the email appears to be sent from a legitimate
company address. Before giving the information over, what should the clerk
protect against?
A. Typosquatting
B. Coercion
C. Phishing
D. Consensus technique

Phishing is a combination of social engineering and spoofing. It persuades or tricks the
target into interacting with a malicious resource disguised as a trusted one.

26. A company uses a popular password manager. It noticed unusual breaches in its
systems and forced a password reset on all employees' accounts. What is a
consideration when using third-party software for any computer function?
A. Costs can be cheaper than doing it all internally.
B. Every vendor is at risk of threats.
C. The risks outweigh the costs.
D. A company cannot hire employees with specific roles.

There are risks when using any software, including third-party vendor services or
software. It is important to analyze a vendor’s security posture to protect against
breaches.

27. A large financial firm recently brought its information technology (IT) back
in-house. It made this decision after facing issues with its third-party vendor not
properly securing its systems from outside threats. What consideration did the
financial firm deliberate regarding the managed service provider (MSP) and
returning to IT in-house services?
A. To reduce the risk of supply-chain attacks.
B. To reduce the risk of insider threats
C. To reduce the risk of nation-state threats
D. To improve the company's security posture

By bringing things in-house, a company can limit risk in relation to supply-chain attacks.

28. A local business received numerous complaints from frequent repeat customers
about fraud occurring after they ordered delivery through the company's website,
even though it was the legitimate website. What type of attack did the customers
become victims of?
A. Consensus technique
B. Watering hole attack
C. Typosquatting
D. Coercion

A watering hole attack relies on a group of targets that use an unsecured third-party
website, allowing the attacker to infect a company's computers.

29. A managed service provider (MSP) company decided to delay the
implementation of new antivirus software for its clients after discovering that the
vendor could not patch its software automatically. Why might a company NOT
want software that is unable to update automatically?
A. It can save the company money.
B. It may not fix newly found vulnerabilities in a timely manner.
C. It will require less effort not purchasing software.
D. It will require less effort to update software.

The ability to automatically update is crucial in the cybersecurity landscape, where new
threats emerge rapidly. Antivirus software that cannot update automatically may fail to
address these new threats quickly, leaving clients' systems exposed to emerging
security risks.

30. A large multinational software company experienced a ransomware attack. After
running a forensic audit and recovering data from backups, the company found
that it was an organized, illicit, nonpolitical group that attempted to extort it. What
describes the attack that occurred to the company?
A. Insider threat
B. Hacktivism
C. Service disruption
D. Cybercrime

Cybercrime is the overarching term for the organized criminal activity occurring online.

31. An outside non-government-affiliated group posted a message online claiming
responsibility for shutting down the pipeline of a large oil and gas company. The
group claims to have performed this through a vulnerability in the company's
supervisory control and data acquisition (SCADA) equipment that controls the
flow through the pipes. What BEST describes this group of attackers?
A. Nation-state
B. Hacktivist
C. Insider threat
D. Advanced persistent threat

Hacktivists might attempt to use data exfiltration to obtain and release confidential
information to the public domain, perform service disruption attacks, or deface websites
to spread disinformation.

32. A recent security flaw allowed a malicious actor to access sensitive data even
though the data never left the server and there is full drive encryption. Which
data state did the malicious actor MOST likely compromise?
A. In transit
B. At rest
C. In use
D. Through Bluetooth

Data in Use (or data in processing) refers to the state in which data is present in volatile
memory, such as system Random Access Memory (RAM) or Central Processing Unit
(CPU) registers and cache. The security flaw allows for data exploitation while in use.

33. A small development company just set up a web server and must ensure a
secure customer connection. Regarding digital certificates, what is a file
containing the information that the subject wants to use in the certificate,
including its public key?
A. CA
B. CSR
C. CRL
D. PKI

The Certificate Signing Request (CSR) is a file containing the information that the
subject wants to use in the certificate, including its public key.

34. After deploying a mobile device management system to all its computers, a
company noticed a small subset failed to encrypt their hard drives. After
inspection, those devices do not have the correct component required for the
drive encryption to function. Which security component would the company need
to install for the drive encryption to work?
A. CRL
B. CPU
C. TPM
D. RAM

The Trusted Platform Module (TPM) chip holds the cryptographic secrets and hardware
state to help secure an encrypted hard drive.

35. A Certificate Authority (CA) had its issuing authority revoked, and its certificates
expired. How might those certificates still appear valid, even though they should
be on the Certificate Revocation List (CRL)?
A. The company was a Root CA.
B. The CA blocked companies from adding it to the CRL.
C. The company did not implement a CRL.
D. The CRL still requires updating.

When an entity revokes a certificate, they add it to a Certificate Revocation List.
However, it requires a browser to check the list and for the Certificate Authority (CA) to
provide the list. If this does not happen, an invalid certificate may still work.

36. A sole proprietorship construction company contacted an information technology
(IT) consultant for technical support for a computer issue. After resolving that
issue, the consultant suggested the construction company enable computer
encryption. Why might the company want to enable encryption on its computers'
hard drives?
A. To slow down data removal from a stolen device.
B. To prevent phishing
C. To prevent unauthorized access to data on a stolen device
D. To prevent theft

Enabling hard drive encryption is a basic step to prevent data loss in the event of a
stolen device. Without it, anyone holding the stolen device can easily read the data on
its drive, regardless of any login password.

37. A security engineer investigates the impacts of a recent breach in which a threat
actor was able to exfiltrate company data. What cryptographic solution serves as
a countermeasure that mitigates the impact of hash table attacks by adding a
random value to each plaintext input?
A. Trusted Platform Module
B. Salt
C. Internet Protocol Security
D. Plaintext

A salt is a security countermeasure that mitigates the impact of precomputed hash table
attacks by adding ("salting") a random value to each plaintext input.

38. A large certificate-issuing company lost its reputation due to poor business
practices. Its higher signing authority revoked the ability to issue new certificates,
and browsers now show it as invalid. What describes the position that the
company once had but has now lost?
A. Root Certificate Authority
B. Certificate Signing Request
C. Certificate Authority
D. Certificate Revocation List

A Certificate Authority (CA) is a server that guarantees subject identities by issuing
signed digital certificate wrappers for their public keys.

39. A security engineer noticed a high volume of images sent from the company
networks to a popular gaming social media platform. After reviewing the images,
the security engineer saw that the images were seemingly benign. Why might
these images still be a threat?
A. They contain plaintext
B. They contain ciphertext
C. They contain steganography
D. They contain phishing

Steganography embeds information within an unexpected source, such as a message
hidden in a picture. Covertext describes the container document or file that it resides
within.

40. A coffee chain hired a marketing firm to set up a website that allows sign-ups.
However, after running a test on the website, an error message in the browser
stated that the connection was insecure. What framework should the marketing
firm use to ensure this error message does not show up?
A. Public key infrastructure
B. Certificate authority
C. Cryptanalysis
D. Typosquatting

Public key infrastructure (PKI) refers to a framework of Certificate Authorities (CAs),
digital certificates, software, services, and other cryptographic components deployed to
validate subject identities.

41. A coffee chain hired a marketing firm to set up a website that allows sign-ups.
However, after testing the website, an error message in the browser stated that
the connection was insecure. What should the marketing firm purchase and set
up so that the page shows that it is secure?
A. Digital certificate
B. Certificate Authority
C. Cryptanalysis
D. Certificate Signing Request

A digital certificate is a wrapper for a subject's public key. It contains information about
the subject and the certificate's issuer. The certificate is digitally signed to prove it came
from a particular Certificate Authority (CA).

42. A chief executive officer pushed back against the information technology
department's proposal to set up disk encryption on all devices. What BEST
describes why the CEO should approve the proposal instead of pushing back
against it?
A. Disk encryption protects stolen devices from data theft.
B. Disk encryption slows down a computer's performance.
C. The cost of disk encryption is not worth incurring.
D. The company does not have enough sensitive data.

Disk encryption protects against data loss when a malicious actor steals a device. The
data remains safe as long as the malicious actor does not have the keys.

43. A consultancy recommended that a large construction company should encrypt
its wireless network. Currently, the network is set to open and allows any device
to connect to it, even employees' personal devices. What encryption product
would help the company secure its wireless networks?
A. Transport Layer Security
B. Trusted Platform Module
C. Internet Protocol Security
D. Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) secures the traffic sent over a wireless network. Based
on this scenario, the company needs to encrypt the wireless traffic.

44. A cancer diagnostic clinic must transfer a large amount of data to a cloud vendor
to migrate from its on-premises server. However, the amount of data would make
the transfer over the internet take extensive time due to the limited bandwidth the
clinic’s internet provides. Instead, it wants to ship an encrypted copy of the data
to the vendor. What type of encryption would BEST fit the clinic’s needs?
A. Symmetric algorithm
B. Asymmetric algorithm
C. Plaintext
D. Cryptography

A symmetric algorithm is one in which the same secret key performs encryption and
decryption. Only authorized persons should know or have the secret key.

45. An indie game developer created a browser based on the Chromium project. The
developer must ensure that anyone using the browser is safe from invalid
certificates. What service should the developer use to ensure that the browser
blocks revoked certificates?
A. CRL
B. CA
C. CSR
D. PKI

A Certificate Authority (CA) or owner can revoke or suspend a certificate for many
reasons. A Certificate Revocation List (CRL) is a list of no longer valid certificates.

46. A small enterprise needs a key exchange method to ensure perfect forward
secrecy. It needs something that can help future-proof its security while it grows.
Which key exchange method would meet the needs of the enterprise?
A. Hash
B. Diffie-Hellman
C. Advanced Encryption Standard
D. Salt

Perfect Forward Secrecy (PFS) mitigates the risk, present in a basic key exchange, that
compromise of the server's private key exposes past session keys. PFS uses
Diffie-Hellman (D-H) key agreement to create ephemeral session keys without using the
server's private key.

47. A news reporter received an anonymous message containing a potential Pulitzer
Prize-winning story. However, the anonymous sender requested the reporter set
up a communication system that enforced encryption before sending over details
for the story. What is the anonymous sender trying to ensure?
A. The reporter needs to show an interest in the story.
B. The anonymous sender is suspicious of the reporter.
C. Encryption prevents the theft of intellectual property.
D. Encryption allows for confidentiality.

The purpose of encryption is to allow for confidentiality. It prevents third parties from
listening in and knowing what communication is occurring. Encryption is important for
things like whistleblower reporting.

48. A security consultant is working with a client to improve security practices. How
can the consultant describe cryptographic hashing so the client is more likely to
accept recommendations?
A. Hashing speeds up the encryption process.
B. Hashing slows down the encryption process.
C. Hashing allows any plaintext length to look the same length as ciphertext.
D. Hashing allows the same length of plaintext to be different lengths of ciphertext.

Hashing encrypted data makes it much more difficult to break. Hashing takes a string of
any length and produces output of a fixed length. A hashing algorithm is also useful for
proving integrity.
