A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over un-trusted media. Which of the following BEST describes the action performed by this type of application?
A. Hashing
B. K
C. y exchange
D. EncryptionÂ
E. Obfuscation
Encryption
2.) A company wants to ensure confidential data storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use?
A. Shredding
B. Wiping
C. Low-level formatting
D. Repartitioning
E. Ov+rwriting
Shredding
4.) Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS?
A. Privilege escalation
B. Pivot
C. +ing
D. Process affinity
E. Buffer overflow
Pivot
5.) When developing an application, executing a preconfigured set of instructions is known as:
A. A code library
B. Code signing
C. A stored procedure
D. Infrastructure as a code
A stored procedure
6.) A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the internet, regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this?
A. Configure the OS default TTL to 1
B. Use NAT on the R&D network
C. Implement a router ACL
D. Enable protected ports on the switch
Enable protected ports on the switch
7.) An application was recently compromised after some malformed data came in via a web form. Which of the following would MOST likely have prevented this?
A. Input validation
B. Proxy server
C. Stress testing
D. Encoding
Input validation
8.) When attackers use a compromised host as a platform for launching attacks deeper into a company?s network, it is said that they are:
A. Escalating privilege
B. Becoming persistent
C. Fingerprinting
D. Pivoting
Pivoting
9.) A new Chief Information Officer has been reviewing the badging procedures and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy?
A. PhysicalÂ
B. Corrective
C. Technical
D. Administrative
Administrative
10.) Which of the following refers to the term used to restore a system to its operational state?
A. MTBF
B. MTTR
C. RTO
D. RPO
RPO
11.) A security manager is creating an account management policy for a global organization with sales personnel who must access corporate network resources while traveling all over the world. Which of the following practices is the security manager MOST likely to enforce with the policy? (Select TWO)
C. Password complexity
D. Group-based access control
12.) Which of the following would provide additional security by adding another factor to a smart card?
A. Token
B. Proximity badge
C. Physical key
D. PIN
PIN
13.) A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk?
D. Disable NTLM
14.) A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program. Which of the following issues could occour if left unresolved?(Select TWO)
B. DoS attack
E. Resource exhaustion
15.) A company has a data classification system with definitions for ?Private? and ?Public.? The company?s security policy outlines how data should be protected based on type. The company recently added the data type ?Proprietary? which of the following is the MOST likely reason the company added this data type.
D. More searchable data
16.) A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take?
D. Perform a containment procedure by disconnecting the server
17.) A security engineer must install the same x.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use?
A. Certificate chaining
18.) Which of the following BEST describes an important security advantage yielded by implementing vendor diversity?
D. Resiliency
20.) Which of the following differentiates a collision attack from a rainbow table attack?
C. A rainbow table attack performs a hash lookup
Which of the following should the security administrator recommend?
A. Enforce the use of HTTPS
B. Block outbound traffic initiated from the user network
C. Block incoming traffic to the guest network
D. Allow the server network to initiate outbound connections to the internet
E. Allow incoming traffic initiated from the internet
A. Enforce the use of HTTPS
B. Block outbound traffic initiated from the user network
C. Block incoming traffic to the guest network
D. Allow the server network to initiate outbound connections to the internet
E. Allow incoming traffic initiated from the internet
114.) A vice president at a manufacturing organization is concerned about desktops being connected to the network. Employees need to log onto the desktops? local account to verify that a product is being created within specifications, otherwise, the desktops should be as isolated as possible. Which of the following is the BEST way to accomplish this?
A. Put the desktops in the DMZ
B. Create a separate VLAN for the desktops
C. Air gap the desktops
D. Join the desktops to an ad-hoc network
115.) An administrator has configured a new Linux server with the FTP service. Upon verifying that the service was configured correctly, the administrator has several users test the FTP service. Users report that they are able to connect to the FTP service and download their personal files, however, they cannot transfer new files to the server. Which of the following will MOST likely fix the uploading issue for the users?
A. Create an ACL to allow the FTP service write access to user directories
B. Set the Boolean SELinux value to allow FTP home directory uploads
C. Reconfigure the FTP daemon to operate without utilizing the PASV mode
D. Configure the FTP daemon to utilize PAM authentication pass through user permissions
116.) The Chief Information Office has asked a security analyst to determine the estimated costs associated with each potential breach of the database that contains customer information. Which of the following is the risk calculation the CIO is asking for?
A. Impact
B. SLE
C. ARO
D. ALE
117.) An employer requires that employees use a key-generating app on their smart phones to log into corporate applications. In terms of authentication to the individual, this type of access policy is BEST defined as:
A. Something you have
B. Something you know
C. Something you do
D. Something you are
118.) A project manager is working with an architectural firm that focuses on physical security. The project manager would like to provide requirements that support the primary goal of safety. Based on the project manager?s desires, which of the following controls would be BEST to incorporate into the facility design?
A. Biometrics
B. Escape routes
C. Reinforcements
D. Access controls
119.) A small company has recently purchased cell phones for managers to use while working outside of the office. The company does not currently have a budget for mobile device management and is primarily concerned with deterring leaks of sensitive information obtained by unauthorized access to unattended phones. Which of the following would provide the solution that BEST meets the company?s requirements?
A. Screen lock
B. Disable removable storage
C. Full-device encryption
D. Remote wiping
120.) Which of the following attack types is being carried out when a target is being sent unsolicited messages via Bluetooth?
A. War chalking
B. Bluejacking
C. Bluesnarfing
D. Rogue tethering
121.) When analyzing the behavior of a malicious piece of software, which of the following environments should be used?
A. Production
B. Development
C. Test
D. Sandbox
122.) An employee needs to connect to a server using a secure protocol on the default port. Which of the following ports should be used?
A. 21
B. 22
C. 80
D. 110
123.) Which of the following technologies would be MOST appropriate to utilize when testing a new software patch before a company-wide deployment?
A. Cloud computing
B. Virtualization
C. Redundancy
D. Application control
124.) Which of the following would an attacker use to generate and capture additional traffic prior to performing an IV attack?
A. DNS poisoning
B. DDOS
C. Replay attack
D. Dictionary attack
125.) A company executive?s laptop was compromised leading to a security breach. The laptop was placed into storage by a junior system administrator and was subsequently wiped and reimaged. When it was determined that the authorities would need to be involved, there was little evidence to present to the investigators. Which of the following procedures should have been implemented to aid the authorities in their investigation?
A. A comparison should have been created from the original system?s file hashes
B. Witness testimony should have been taken by the administrator
C. The company should have established a chain of custody to track the laptop
D. A system image should have been created and stored
126.) An administrator wants to establish a WiFi network using a high gain directional antenna with a narrow radiation pattern to connect two buildings separated by a very long distance. Which of the following antennas would be BEST for this situation?
A. Dipole
B. Yagi
C. Sector
D. Omni
127.) Joe, the system administrator, has been asked to calculate the Annual Loss Expectancy (ALE) for a $5,000 server, which often crashes. In the past year, the server has crashed 10 times, requiring a system reboot to recover with only 10% loss of data or function. Which of the following is the ALE of this server?
A. $500
B. $5,000
C. $25,000
D. $50,000
128.) The Chief Information Officer (CIO) has asked a security analyst to determine the estimated costs associated with each potential breach of their database that contains customer information. Which of the following is the risk calculation that the CIO is asking for?
A. Impact
B. SLE
C. ARO
D. ALE
129.) A system administrator wants to confidentially send a user name and password list to an individual outside the company without the information being detected by security controls. Which of the following would BEST meet this security goal?
A. Digital Signatures
B. Hashing
C. Full-disk encryption
D. Steganography
130.) Which of the following provides the strongest authentication security on a wireless network?
A. MAC filter
B. WPA2
C. WEP
D. Disable SSID broadcast
131.) A security administrator is notified that users attached to a particular switch are having intermittent connectivity issues. Upon further research, the administrator finds evidence of an ARP spoofing attack. Which of the following could be utilized to provide protection from this type of attack?
A. Configure MAC filtering on the switch
B. Configure loop protection on the switch
C. Configure flood guards on the switch
D. Configure 802.1x authentication on the switch
132.) An administrator has to determine host operating systems on the network and has deployed a transparent proxy. Which of the following fingerprint types would this solution use?
A. Packet
B. Active
C. Port
D. Passive
133.) Which of the following ports is used for TELNET by default?
A. 22
B. 23
C. 21
D. 20
134.) Which of the following can be used to ensure that sensitive records stored on a backend server can only be accessed by a front end server with the appropriate record key?
A. File encryption
B. Storage encryption
C. Database encryption
D. Full disk encryption
135.) A system administrator is configuring UNIX accounts to authenticate against an external server. The configuration file asks for the following information DC=ServerName and DC=COM. Which of the following authentication services is being used?
A. RADIUS
B. SAML
C. TACACS+
D. LDAP
136.) Which of the following is an XML based open standard used in the exchange of authentication and authorization information between different parties?
A. LDAP
B. SAML
C. TACACS+
D. Kerberos
137.) Which of the following is an authentication method that can be secured by using SSL?
A. RADIUS
B. LDAP
C. TACACS+
D. Kerberos
138.) Ann a member of the Sales Department has been issued a company-owned laptop for use when traveling to remote sites. Which of the following would be MOST appropriate when configuring security on her laptop?
A. Configure the laptop with a BIOS password
B. Configure a host-based firewall on the laptop
C. Configure the laptop as a virtual server
D. Configure a host based IDS on the laptop
139.) An overseas branch office within a company has many more technical and non-technical security incidents than other parts of the company. Which of the following management controls should be introduced to the branch office to improve their state of security?
A. Initial baseline configuration snapshots
B. Firewall, IPS and network segmentation
C. Event log analysis and incident response
D. Continuous security monitoring process
140.) When designing a new network infrastructure, a security administrator requests that the intranet web server be placed in an isolated area of the network for security purposes. Which of the following design elements would be implemented to comply with the security administrator's request?
A. DMZ
B. Cloud services
C. Virtualization
D. Sandboxing
141.) Which of the following can be used to maintain a higher level of security in a SAN by allowing isolation of mis-configurations or faults?
A. VLAN
B. Protocol security
C. Port security
D. VSAN
142.) A company determines a need for additional protection from rogue devices plugging into physical
ports around the building. Which of the following provides the highest degree of protection from unauthorized wired network access?
A. Intrusion Prevention Systems
B. MAC filtering
C. Flood guards
D. 802.1x
143.) An access point has been configured for AES encryption but a client is unable to connect to it. Which of the following should be configured on the client to fix this issue?
A. WEP
B. CCMP
C. TKIP
D. RC4
144.) Which of the following is the BEST concept to maintain required but non-critical server availability?
A. SaaS site
B. Cold site
C. Hot site
D. Warm site
145.) Virutalization would provide an ROI when implemented under which of the following situations?
A. Numerous servers with no fail-over requirement
B. Multiple existing 100% utilized physical servers
C. Numerous clients with a requirement for fast processors
D. Multiple existing but underutilized physical servers
146.) Which of the following remote authentication methods uses a reliable transport layer protocol for communication?
A. RADIUS
B. LDAP
C. TACACS+
D. SAML
147.) An administrator wants to restrict traffic between two VLANs. The network devices connecting the two VLANs are layer 3 switches. Which of the following should the admin configure?
A. IDS rule
B. Subnet mask
C. ACL
D. Firewall
148.) A security architect is choosing a cryptographic suite for the TLS 1.2 configuration for a new web-based financial management application that will be used heavily by mobile devices. Which of the following would be the architects MOST secure selection for both key exchange and the session key algorithms? (Select Two)
A. 3DES
B. AES-GCM
C. TKIP
D. SHA256
E. SHA1
F. ECDHE
149.) A security administrator creates separate VLANs for employee devices and HVAC equipment that is network attached. Which of the following are security reasons for this design? ( Select Three)
A. IDS often requires network segmentation of HVAC endpoints for better reporting
B. Broadcasts from HVAC equipment will be confined to their own network segment
C. HVAC equipment can be isolated from compromised employee workstations
D. VLANs are providing loop protection for the HVAC devices
E. Access to and from the HVAC equipment can be more easily controlled
F. Employee devices often interfere with proper functioning of HVAC devices
150.) A security administrator is reviewing the password security configuration of a company?s directory service domain. The administrator recognizes that the domain controller has been configured to store LM hashes. Which of the following explains why the domain controller might be configured like this? (Select TWO)
A. Default configuration
B. File system synchronization
C. Mobile device support
D. NTLMv2 support
E. Backward compatibility
151.) A finance manager is responsible for approving wire transfers and processing the transfers using the software provided by the company?s bank. A number of discrepancies have been found related to the wires in a recent financial audit and the wires appearance to be fraudulent. Which of the following controls should be implemented to reduce the likelihood of fraud related to the use of wire transfers?
A. Separation of duties
B. Least Privilege
C. Qualitative auditing
D. Acceptable use policy
152.) The security manager has learned a user inadvertanly sent encrypted PII to an incorrect distribution group. The manager has instructed the user to immediately recall the message. Recipients are instructed to delete the email from all queues and devices. This is an example of which of the following incident response procedures
A. Reporting
B. Escalation
C. Mitigation
D. Isolation
153.) Joe, a system administrator, configured a device to block network traffic from entering the network. The configuration consisted of zero-day exploit awareness at the application layer of the OSI model. The exploit signatures have been seen on the internet daily. Which of the following does this describe?
A. NIDS
B. HIPS
C. HIDS
D. NIPS
154.) An organization is developing a plan to ensure an earthquake at a datacenter does not disrupt business. The organization has identified all the critical applications within the datacenter, determining the financial loss of an outage of different duration for each application. This effort is known as a
A. Tabletop exercise
B. High availability
C. Disaster recovery
D. Business impact analysis
E. Risk assessment
155.) From a network security point of view, the primary reason to implement VLANs is to
A. Provide Quality of Service
B. Provide load balancing across the network
C. Provide network segmentation
D. Ensure separation of duties
156.) A network administrator is configuring a web server to ensure the use of only strong ciphers. Which of the following stream ciphers should the administrator configure?
A. RC4
B. MD5
C. AES-CBC
D. 3DES
157.) An engineer is designing a system that needs the fastest encryption possible due to system requirements. Which of the following should the engineer use?
A. Symmetric key
B. RSA-1024
C. Rainbow tables
D. SHA-256
E. Public key encryption
158.) An organization?s security policy requires secure file transfers to and from internal hosts. An employee is attempting to upload a file using an unsecured method to a Linux-based dedicated file server and fails. Which of the following should the employee use to transfer the file?
A. FTP
B. HTTPS
C. SSL
D. SCP
E. TLS
159.) A security administrator suspects that a server has been compromised with zero-day malware, and that it is now being used to host various copyrighted material, which is being shared through an IRC network. Which of the following should the system administrator use to determine if the server has been compromised?
A. Patch report
B. OS backup
C. Antivirus logs
D. Baseline
160.) Which of the following BEST describes the benefits of using Extended Validation?
A. Does not use standard x.509 V3 certificates
B. Enhances SSL session key exchange preventing man-in-the-middle attacks
C. The website provider demonstrates an additional level of trust
D. Provides stronger enforcement of SSL encryption algorithms
161.) Which of the following is susceptible to an attack that can obtain the wireless password by brute-forcing a 4-digit PIN followed by a 3-digit PIN?
A. WPA
B. WPS
C. WEP
D. WPA2
162.) A server administrator is investigating a breach and determines an attacker modified the application log to obscure the attack vector. During the lessons learned activity, the facilitator asks for a mitigation response to protect the integrity of the logs should a similar attack occur. Which of the following mitigations would be MOST appropriate to fulfill the requirement?
A. Host-based OS
B. Automated log analysis
C. Enterprise SIEM
D. Real-time event cancelation
163.) In order to comply with new auditing standards, a security administrator must be able to complete system security alert logs directly with the employee who triggers the alert. Which of the following should the security administrator implement in order to meet this requirement?
A. Access control lists on the servers
B. Elimination of shared accounts
C. Group-based privileges for accounts
D. Periodic user account access reviews
164.) On a campus network, users frequently remove the network cable from desktop NIC?s and plug personal laptops into the school network. Which of the following could be used to reduce the likelihood of unauthorized laptops on the campus network?
A. Port security
B. Loop protection
C. Flood guards
D. VLANs
165.) An employee is using company time and assets to use a third party tool to share downloadable media with other users around the world. Sharing downloadable media is not expressly forbidden in the company security policy or acceptable use policy. Which of the following BEST describes what the security staff should consider adding to these policies?
A. P2P
B. Data handling
C. Social networking
D. Mobile Device Management
166.) The network administrator wants to assign VLANs based on which user is logging into the network. Which of the following should the administrator use to accomplish this? (select Two)
A. MAC filtering
B. RADIUS
C. 802.1af
D. 802.11ac
E. 802.1x
F. 802.3q
167.) An application is performing slowly. Management asks the security team to determine if a security compromise is the underlying cause. The security team finds two processes with high resource utilization. Which of the following actions should the team take NEXT?
A. Monitor the IDS/IPS for incidents
B. Perform a vulnerability assessment
C. Initiate a source code review
D. Conduct a baseline comparison
168.) A company implemented a public-facing authentication system that uses PKI and extended attributes to allow third-party, web-based application integration. This is an example of which of the following? (select three)
A. Federation
B. Two-factor authentication
C. Transitive trust
D. Trusted OS
E. Single sign-on
F. TOTP
G. MAC
169.) An employee connects to a public wireless hotspot during a business trip. The employee attempts to go to a secure website but instead connects to an attacker who is performing a MITM attack. Which of the following should the employee do to mitigate the vulnerability described In the scenario?
A. Connect to a VPN when using public wireless networks
B. Connect only to WPA2 networks regardless of whether the network is public or private
C. Ensure a host-based firewall is installed and running when using public wireless networks
D. Check the address in the web browser before entering credentials
170.) Joe, a security administrator, recently configured a method of secure access for remote administration of network devices. When he attempts to connect to an access layer switch in the organization from outside the network he is unable to successfully connect. Which of the following ports should be open on the firewall for Joe to successfully connect to the switch?
A. TCP 110
B. TCP 161
C. UDP 161
D. UDP 500
171.) Which of the following is a suitable method of checking for revoked certificates in a client/server environment with connectivity to the issuing PKI?
A. HSM
B. CRL
C. OCSP
D. CSR
172.) During an audit of a software development organization, an auditor finds the organization did not properly follow industry best practices, including peer review and board approval, prior to moving applications into the production environment. The auditor recommends adopting a formal process incorporating these steps. To remediate the finding, the organization implements
A. Incident management
B. A configuration management board
C. Asset management
D. Change management
173.) Two companies are partnering to bid on a contract. Normally these companies are fierce competitors, but for this procurement they have determined that a partnership is the only way they can win the job. Both companies are concerned about unauthorized data sharing and want to ensure other divisions within each company will not have access to proprietary data. To best protect against unauthorized data sharing they should each sign a
A. NDA
B. SLA
C. MOU
D. BPA
174.) A recent network audit revealed several devices on the internal network were not running antivirus or HIPS. Upon further investigation, it was discovered that these devices were new laptops that were deployed without installing the end-point protection suite used by the company. Which of the following could be used to mitigate the risk of authorized devices that are unprotected residing on the network?
A. Host-based firewall
B. Network-based IPS
C. Centralized end-point management
D. MAC filtering
175.) Ann is attempting to send a digitally signed message to Joe. Which of the following should Ann do?
A. Encrypt a hash of the message with her private key
B. Encrypt a certificate signing request with her private key
C. Encrypt a hash of the message with Joe?s public key
D. Encrypt a certificate signing request with Joe?s public key
176.) Which of the following would provide you with a measure of -the frequency at which critical business systems experience breakdowns?
A. MTTR
B. MTBF
C. MTTF
D. MTU
177.) Which of the following should be used to secure data-in-use?
A. Full memory encryption
B. Symmetric key encryption
C. SSL/TLS
D. PGP
178.) Which of the following provides a safe, contained environment in which to enforce physical security?
A. Hot site
B. Mantrap
C. Virtualized sandbox
D. Bollards
179.) A local coffee shop provides guests with wireless access but disabled the SSID broadcast for security purposes. When guests make a purchase, they are provided with the SSID to the router. A new customer?s laptop shows the coffee shop?s SSID appears to be broadcasting despite the fact that the wireless router configuration shows the broadcast is disabled. Which of the following situations is likely occurring?
A. The coffee shop is using WEP instead of WPA or WPA2 encryption
B. A user has set up an evil twin access point near the coffee shop
C. WiFi Protected Setup has been hacked and the SSID is being covertly broadcast
D. Once connected to the router it will appear that the SSID is being broadcast
180.) A security technician notices that several successful attacks are being carried out on the network. The Chief information Security Officer tells the technician to deploy countermeasures that will help actively stop these ongoing attacks. Which of the following technologies will accomplish this task?
A. A network-based IPS with advanced heuristic capability
B. A honeypot that generates alerts when a new attack is discovered
C. Host-based IDS that uses anomaly and behavior-based detection
D. An automated security log analyzer that reports system breaches
181.) Ann, a security administrator, is hardening the user password policies. She currently has the following in place.. Password expire every 60 days, password length is at least eight characters, passwords must contain at least one capital letter and one numeric character. She learns that several employees are still using their original passwords after the 60-day forced change. Which of the following can she implement to BEST mitigate this?
A. Lower the password expire time to every 30 days instead of 60 days
B. Require that the password contains at least one capital letter, one numeric character and one special character
C. Change the re-usage time from eight to 16 changes before a password can be repeated
D. Create a rule that users can only change their passwords once every two weeks
182.) The administrator set up a new WPA2 Enterprise wireless network using EAP-TLS for authentication. The administrator configured the RADIUS servers with certificates that are trusted by the endpoint devices and rules to authenticate a particular group of users. The administrator is part of the group that is authorized to connect but is unable to connect successfully during the first test of the network. Which of the following is the MOST likely cause of the issue?
A. A rogue access point is intercepting the connection
B. Administrator accounts are not allowed to connect to the network
C. The client NIC does not support AES hardware encryption
D. The DHCP scope is full
E. Client certificates were not deployed
183.) A company has an email server dedicated to only outbound email, inbound email retrieval to this server must be blocked. Which of the following ports must be set to explicit deny?
A. 25
B. 53
C. 110
D. 123
E. 139
F. 143
184.) A PKI architect is implementing a corporate enterprise solution. The solution will incorporate key escrow and recovery agents, as well as a tiered architecture. Which of the following is required to implement the architecture correctly?
A. CRL
B. Strong ciphers
C. Intermediate authorities
D. IPSec between CA?s
185.) The Chief Information Security Officer wants to move the web server from the public network because it has been breached a number of times in the past month. The CISO does not want to place it in the private network since many external users access the web server to fill out their orders. The company policy does not allow any non-secure protocols into the internal network. Given the circumstances, which of the following would be the BEST course of action?
A. Create an external DMZ network
B. Use NAT on the web server
C. Implement a remote access server
D. Configure a new internal subnet
186.) A security auditor has full knowledge of company configuration and equipment. The auditor performed a test on the network, resulting in an exploitation of a zero-day vulnerability. Which of the following did the security auditor perform?
A. Gray box test
B. Vulnerability scan
C. Black box test
D. Penetration test
187.) Which of the following authentication services is BEST suited for an environment that requires the TCP protocol with a clear-text payload?
A. LDAP
B. TACACS+
C. SAML
D. RADIUS
188.) A security administrator receives a hard drive that must be imaged for forensics analysis. The paperwork that comes with the hard drive shows: 10:00 technician A-Hard drive removed, 10:30- Technician A- Hard drive delivered to Manager A and 11:00-IT director-Hard drive delivered to the security administrator. Which of the following should the security administrator do?
A. Image the hard drive and sign the chain of custody log
B. Hash the chain of custody log
C. Report a problem with the chain of custody log
D. Sign the chain of custody log
189.) The network administrator is installing RS-485 terminal servers to provide card readers to vending machines. Which of the following should be performed to protect the terminal servers?
A. Flood guard
B. 802.1x
C. Network separation
D. Port security
190.) An attacker drives past a company, captures the name of the WiFi network, and locates a coffee shop near the company. The attacker creates a mobile hotspot with the same name as the company?s WiFi. Which of the following BEST describes this wireless attack?
A. War driving
B. Rogue access point
C. Near-field communication
D. Evil twin
191.) Which of the following MUST be implemented to ensure accountability?
A. Employ access control lists
B. Configure password complexity
C. Disable shared accounts
D. Change default passwords
192.) Which of the following attack types is MOST likely to cause damage or data loss for an organization and be difficult to investigate?
A. Man-in-the-middle
B. Spoofing
C. DDoS
D. Malicious insider
193.) The remote branch of an organization has been assigned two public IP addresses by an ISP. The organization has ten workstations and a wireless router. Which of the following should be deployed to ensure that all devices have internet access?
A. VLAN
B. PAT
C. NAC
D. DMZ
194.) A security administrator wishes to perform authentication, authorization, and accounting, but does not wish to use a proprietary protocol. Which of the following services would fulfill these requirements?
A. SAML
B. RADIUS
C. TACACS+
D. Kerberos
195.) Which of the following is the FASTEST method to disclose one way hashed passwords?
A. Rainbow tables
B. Private key disclosure
C. Dictionary attack
D. Brute Force
196.) A network has been impacted by downtime resulting from unauthorized devices connecting directly to the wired network. The network administrator has been tasked to research and evaluate technical controls that would effectively mitigate risks associated with such devices. Which of the following capabilities would be MOST suitable for implementation in this scenario?
A. Host hardening
B. NIDS
C. HIDS
D. Loop protection
E. Port Security
197.) A company is providing mobile devices to all employees. The system administrator has been tasked with providing input for the company?s mobile device policy. Which of the following are valid security concepts that the system administrator should include when offering feedback to management? (Select Two)
A. Transitive trust
B. Asset tracking
C. Remote wiping
D. HSM
E. Key management
198.) Forensics analyst is asked to identify identical files on a hard drive. Due to the large number of files to be compared, the analyst must use an algorithm that is known to have the lowest collision rate. Which of the following should be selected?
A. MD4
B. MD5
C. SHA-128
D. AES-256
199.) John wants to secure an 802.11n network. Which of the following encryption methods would provide the highest level of protection?
A. WPA
B. WEP
C. WPA2 with AES
D. WPA2 with TKIP
200.) Which of the following is the MOST influential concern that contributes to an organization?s ability to extend enterprise policies to mobile devices?
A. Support of mobile OS
B. Availability of mobile browsers
C. Support of mobile apps
D. Public key management
201.) An application service provider has notified customers of a breach resulting from improper configuration changes. In the incident, a server intended for internal access only was made accessible to external parties. Which of the following configurations were likely to have been improperly modified resulting in the breach?
A. IDS
B. CRL
C. VPN
D. NAT
202.) Joe just installed a new (ECS) environmental control system for a room that is critical to the company?s operation and needs the ability to manage and monitor the system from any part of the network. Which of the following should the security administrator utilize to minimize the attack surface and still allow the needed access?
A. Create and encrypted connection between the ECS and the engineer?s computer
B. Configure the ECS host-based firewall to block non-ECS application traffic
C. Implement an ACL that permits the necessary management and monitoring traffic
D. Install a firewall that only allows traffic to the ECS from a single management and monitoring network
203.) Numerous users within an organization are unable to log into the web based financial application. The network team places a sniffer on the segment where the application resides and sees the following log entries.
05:31:14.312254 10.10.10.25.3389 ? 192.168.2.100.80: SYN
05:31:14:312255 10.10.10.25.3389 ? 192.168.2.100.80: SYN
204.) You want to communicate securely with a third party via email using PGP. Which of the following should you send to the third party to enable the third party to securely encrypt email replies?
A. Private key
B. Key escrow
C. Public key
D. Recovery key
205.) Which of the following should you implement if you want to preserve your internal authentication and authorization process and credentials if you are going to a cloud service provider?
A. Dual factor authentication
B. Federation
C. Single sign on
D. TOTP
206.) A university police department is housed on the first floor of a student dormitory. Which of the following would prevent students from using ARP spoofing attacks against computers at the police department?
A. Private network addresses
B. Disable SSID broadcast
C. Separate Layer 2 vlans
D. Enable proxy arp on router
207.) During a recent vulnerability assessment, the pen testers were able to successfully crack a large number of employee passwords. The company technology use agreement clearly states that passwords used on the company network must be at least eight characters long and contain at least one uppercase letter and special character. What can they do to standardize and enforce these rules across the entire organization to resolve this issue?
A. LDAP
B. Group Policy
C. User policy
D. Kerberos
208.) You want to create several different environments for application development, testing, and quality control. Controls are being put into place to manage how software is moved into the production environment. Which of the following should the software development manager request to be put into place to implement the three new environments?
A. Application firewalls
B. Network segmentation
C. Trusted computing
D. NAT
209.) A research user needs to transfer multiple terabytes of data across a network. The data is not confidential, so for performance reasons, does not need to be encrypted. However, the authentication process must be confidential. Which of the following is the BEST solution to satisfy these requirements?
A. Secured LDAP
B. Kerberized FTP
C. SCP
D. SAML 2.0
210.) What technology would you use to ensure that the systems that your organization is using is going to deployed as securely as possible and prevent files and services from operation outside of a strict rule set?
A. Host based intrusion detection
B. Host based firewall
C. Trusted OS
D. Antivirus
211.) A security specialist has implemented antivirus software and whitelisting controls to prevent malware and unauthorized application installation on the company systems. The combination of these two technologies is an example of which of the following?
A. Defense in depth
B. Vulnerability scanning
C. Application hardening
D. Anti-malware
212.) What can be implemented to address the findings that revealed a company is lacking deterrent security controls?
A. Rogue machine detection
B. Continuous security monitoring
C. Security cameras
D. IDS
213.) A technician is about to perform a major upgrade to the operating system of a critical system. This system is currently in a virtualization environment. Which of the following actions would result in the LEAST amount of downtime if the upgrade were to fail?
A. Enabling live migration in the VM settings on the virtual server
B. Clustering the storage for the server to add redundancy
C. Performing a full backup of the virtual machine
D. Taking an initial snapshot of the system
214.) What is the name for an attack that can be used to guess the PIN of an access point for the purpose of connecting to the wireless network?
A. IV attack
B. Rainbow table attack
C. Replay attack
D. WPS attack
215.) When performing a risk analysis, which of the following is considered a threat?
A. The potential exploitation of vulnerability
B. The presence of a risk in the environment
C. The transference of risk to another party
D. The lack of mitigation for vulnerabilities
216.) A company would like to protect its e-commerce site from SQL injection and cross site scripting (XSS). The company should consider deploying which of the following technologies?
A. IDS
B. Web application firewall
C. Proxy
D. Sandbox
217.) A company uses digital signatures to sign contracts. The company requires external entities to create an account with a third party digital signature provider and to sign an agreement stating that they will protect the account from unauthorized access. Which of the following security goals is the company trying to address in the given scenario?
A. Availability
B. Non-repudiation
C. Authentication
D. Confidentiality
E. Due diligence
218.) The security administrator generates a key pair and sends one key inside a request file to a third party. The third party sends back a signed file. In this scenario the file sent by the administrator is a :
A. CA
B. CRL
C. KEK
D. PKI
E. CSR
219.) A third party has been contracted to perform a remote penetration test of the DMZ network. The company has only provided the third party with the billing department contact information for final payment and a technical point of contact who will receive the penetration test results. Which of the following tests will be performed?
A. Gray box
B. White box
C. Black box
D. False positive
220.) An administrator is reviewing the logs for a content management system that supports the organizations public facing websites. The administrator is concerned about the number of attempted login failures from other countries for administrator accounts. Which of the following capabilities is BEST to implement if the administrator wants the system to dynamically react to such attacks?
A. Netflow-based rate timing
B. Disable generic administrative accounts
C. Automated log analysis
D. Intrusion prevention system
221.) Jane, a security analyst, is monitoring the IDS console and noticed multiple connections from an internal host to a suspicious call back domain. Which of the following tools would aid her to decipher the network traffic?
A. Vulnerability scanner
B. Nmap
C. Netstat
D. Packet analyzer
222.) A high traffic website is experiencing numerous brute force attacks against its user base. The attackers are using a very large botnet to carry out the attack. As a result, many users passwords are being compromised. Which of the following actions is appropriate for the website administrators to take in order to reduce the threat from this type of attack in the future?
A. Temporarily ban each IP address after five failed login attempts
B. Prevent users from using dictionary words in their passwords
C. Prevent users from using passwords that they have used before
D. Require user passwords to be at least ten characters in length
223.) An employee connects a wireless access point to the only jack in the conference room to provide internet access during a meeting. The access point is configured to secure its users with WPA2-TKIP. A malicious user is able to intercept clear text HTTP communication between the meeting attendees and the internet. Which of the following is the reason the malicious user is able to intercept and see the clear text communications?
A. The malicious user is running a wireless sniffer
B. The wireless access point is broadcasting the SSID
C. The malicious user is able to capture the wired communication
D. The meeting attendees are using unencrypted hard drives
224.) A user is able to access shares that store confidential information that is not related to the users current job duties. Which of the following should be implemented to prevent this from occurring?
A. Authorization
B. Authentication
C. Federation
D. Identification
225.) A security administrator is having continued issues with malware variants infecting systems and encrypting several types of files. The malware users a document macro to create a randomly named executable that downloads the encrypting payload of the malware. Once downloaded the malware searches all drives, creates an HTML file with decryption instructions in the directory, and then proceeds to encrypt the target files. Which of the following actions would BEST interrupt the malware before it encrypts the other files while minimizing adverse impacts to the users?
A. Block execution of documents with macros
B. Block addition of documents with macros
C. Block the creation of the HTML document on the local system
D. Block running external files from within documents
226.) A healthcare organization is in the process of building and deploying a new web server in the DMZ that will enable public internet users the ability to securely send and receive messages from their primary care physicians. Which of the following should the security administrator consider?
A. An in-band method for key exchange and an out of band method for the session
B. An out of band method for key exchange and an in band method for the session
C. A symmetric algorithm for key exchange and an asymmetric algorithm for the session
D. An asymmetric algorithm for key exchange and a symmetric algorithm for the session
227.) Which of the following should be used to implement voice encryption?
A. SSLv3
B. VDSL
C. SRTP
D. VoIP
228.) A company wants to ensure that all software executing on a corporate server has been authorized to do so by a central control point. Which of the following can be implemented to enable such control?
A. Digital signatures
B. Role-based access control
C. Session keys
D. Non-repudiation
229.) Company policy states that when a virus or malware alert is received, the suspected host is immediately removed from the company network. Which of the following BEST describes this component of incident response?
A. Mitigation
B. Isolation
C. Recovery
D. Reporting
E. Remediation
230.) A security manager has noticed several unrecognized devices connecting to the company?s internal wireless network. Only company ?issued devices should be connected to the network. Which of the following controls should be implemented to prevent the unauthorized devices from connecting to the wireless network? ( Select Two)
A. MAC filtering
B. Create a separate wireless VLAN
C. Implement 802.11n
D. Enable WPA2
E. Configure DHCP reservations
231.) A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrators NEXT steps in the investigation? (Select two)
A. Reinstall the procps package in case system utilities were modified
B. Look for recently modified files in user and tmp directories
C. Switch SELinux to enforcing mode and reboot
D. Monitor perimeter firewall for suspicious traffic from the system
E. Check running processes and kernel modules
F. Remove unnecessary accounts and services
232.) A manager is reviewing bids for internet service in support of a new corporate office location. The location will provide 24 hour service in the organization?s global user population. In which of the following documents would the manager MOST likely find quantitative data regarding latency levels and MTTR?
A. ISA
B. SLA
C. MOU
D. BPA
233.) A system administrator decided to perform maintenance on a production server servicing retail store operations. The system rebooted in the middle of the day due to the installations of monthly operating system patches. The downtime results in lost revenue due to the system being unavailable. Which of the following would reduce the likelihood of this issue occurring again?
A. Routine system auditing
B. Change management controls
C. Business continuity planning
D. Data loss prevention implementation
234.) A UNIX server recently had restricted directories deleted as the result of an insider threat. The root account was used to delete the directories while logged on at the server console. There are five administrators that know the root password. Which of the following could BEST identify the administrator that removed the restricted directories?
A. DHCP logs
B. CCTV review
C. DNS Logs
D. Network traffic
235.) A system administrator is part of the organizations contingency and business continuity planning process. The systems administrator and relevant team participate in the analysis of a contingency situation intended to elicit constructive discussion. Which of the following types of activity is MOST accurately described in this scenario?
A. Business impact analysis
B. Full-interruption exercise
C. Tabletop exercise
D. Lessons learned
E. Parallel simulation
236.) Recently, the desktop support group has been performing a hardware refresh and has replaced numerous computers. An auditor discovered that a number of the new computers did not have the company?s antivirus software installed on them. Which of the following could be utilized to notify the network support group when computers without the antivirus software are added to the network?
A. Network port protection
B. NAC
C. NIDS
D. MAC filtering
237.) Which of the following types of attacks uses email to specifically target high level officials within an organization?
A. Spim
B. Spear Phishing
C. Pharming
D. Spoofing
238.) A security architect is supporting a project team responsible for a new extranet application. As part of their activities, the team is identifying roles within the system and documenting possible conflicts between roles that could lead to collusion between users. Which of the following principles of risk mitigation is the team implementing?
A. Dual Control
B. Least Privilege
C. Separation of duties
D. Job rotation
239.) A company just purchased a new digital thermostat that automatically will update to a new firmware version when needed. Upon connecting it to the network a system administrator notices that he cannot get access to the thermostat but can get access to all other network devices. Which of the following is the MOST likely reason the thermostat is not connecting to the internet?
A. The company implements a captive portal
B. The thermostat is using the incorrect encryption algorithm
C. The WPA2 shared key is incorrect
D. The company?s DHCP server scope is full
240.) A company has a proprietary device that requires access to the network be disabled. Only authorized users should have access to the device. To further protect the device from unauthorized access, which of the following would also need to be implemented?
A. Install NIPS within the company to protect all assets
B. Block port 80 and 443 on the firewall
C. Install a cable lock to prevent theft of the device
D. Install software to encrypt access to the hard drive
241.) A company uses PKI certificates stored on a smart chip enabled badge. The badge is used for a small number of devices that connect to a wireless network. A user reported that their badge was stolen. Which of the following could the security administrator implement to prevent the stolen badge from being used to compromise the wireless network?
A. Asset tracking
B. Honeynet
C. Strong PSK
D. MAC filering
242.) The CSO is concerned with unauthorized access at the company?s off-site datacenter. The CSO would like to enhance the security posture of the datacenter. Which of the following would BEST prevent unauthorized individuals from gaining access to the datacenter?
A. Security guard
B. Video monitoring
C. Magnetic entry cards
D. Fencing
243.) One of the driving factors towards moving an application to a cloud infrastructure is increased application availability. In the case where a company creates a private cloud, the risk of application downtime is being:
A. Transferred
B. Avoided
C. Mitigated
D. Accepted
244.) A security administrator wishes to set up a site to site IPSec VPN tunnel between two locations. Which of the following IPSec encryptions and hashing algorithms would be chosen for the least performance impact?
A. 3DES/SHA
B. AES/SHA
C. RSA/MD5
D. DES/MD5
245.) Which of the following is a security weakness associated with software-based disk encryption?
A. Employed encryption algorithms are generally weaker when implemented In software
B. A dedicated processor is used by the cryptomodule
C. The key can be physically extracted from the encrypted medium
D. Cryptographic operations can be far slower than with hardware based encryption
246.) A network administrator discovers that telnet was enabled on the companys human resources payroll server and that someone outside of the HR subnet has been attempting to log into the server. The network administrator has disabled telnet on the payroll server. Which of the following is a method of tracking attempts to log onto telnet without exposing important company data?
A. Banner grabbing
B. Active port numbers
C. Honeypot
D. Passive IPS
247.) A penetration tester is attempting to determine the operating system of a remote host. Which of the following methods will provide this information?
A. Protocol analyzer
B. Honeypot
C. Fuzzer
D. Banner grabbing
248.) A company?s security analyst is investigating the suspected compromise of the company?s intranet web server. The compromise occurred at a time when no users were logged into the domain. Which of the following is Most likely to have prevented the attack from a new machine introduced to the corporate network?
A. Domain log review
B. 802.1x
C. NIDS
D. Rogue detection
249.) Which of the following types of attacks are MOST likely to be successful when using fuzzing against an executable program? ( select Two)
A. SQL injection
B. Session hijacking
C. Integer overflow
D. Buffer overflow
E. Header manipulation
250.) Which of the following authentication services utilizes UDP for communication between client and server?
A. Kerberos
B. TACACS+
C. LDAP
D. RADIUS
251.) As their data set rapidly grows and changes, a company is experiencing availability problems with their database. The security manager recommends switching to a more scalable system with dynamic schemas. Which of the following would meet the security manager?s requirements?
A. SSDs
B. NoSQL
C. MariaDB
D. RDMBS
252.) A company provides wireless access for employees and a guest wireless network for visitors. The employee wireless network is encrypted and requires a password. The guest wireless network does not use an encrypted connection and does not require a password. An administrator walks by a visitors laptop and notices the following command line output: reaver ?I mon ?b 7A:E5:9A:42:2C:C1 ?vv
Which of the following should the administrator implement and why?
A. Initiate employee password changes because the visitor has captured passwords and is attempting offline cracking of those passwords
B. Implement two factor wireless authentication because the visitor will eventually brute force the network key
C. Apply WPA or WPA2 encryption because the visitor is trying to crack the employee network that is encrypted with WEP
D. Disable WPS because the visitor is trying to crack the employee network
E. Apply MAC filtering because the visitor already has the network password
253.) When implementing a mobile security strategy for an organization, which of the following is the MOST influential concern that contributes to that organizations ability to extend enterprise policies to mobile devices?
A. Support for mobile OS
B. Support of mobile apps
C. Availability of mobile browsers
D. Public key management
254.) A system administrator runs a network inventory scan every Friday at 11:00 am to track the progress of a large organizations operating system upgrade of all laptops. The system administrator discovers that some laptops are now only being reported as IP addresses. Which of the following is MOST likely the cause of this issue?
A. HIDS
B. Host-based firewalls rules
C. All the laptops are currently turned off
D. DNS replication
255.) A company is exploring the possibility to integrate some of its internal processes with an external cloud service provider. Which of the following should be implemented if the company wants to preserve its internal authentication and authorization process and credentials?
A. Single sign-on
B. Dual factor authentication
C. Federation
D. TOTP
256.) An employee has been terminated due to inappropriate internet use. A computer forensics technician at the organization acquired an image of the hard drive and hashed it using MD5. The former employee has filed a lawsuit. The former employee?s attorney requests a copy of the image so it can be independently reviewed by the legal team. Upon receiving the image, the attorney?s technician also generates an MD5 hash of the image and comes up with a different output than what was provided. Which of the following MOST likely occurred?
A. The wrong preshared key was used
B. The hashes were produced using different algorithms
C. The hashes were produced on two different operating systems
D. Files on the image have been altered
257.) A security architect is supporting a project team responsible for a new extranet application. As part of their activities, the team is identifying roles within the system and documenting possible conflicts between roles that could lead to collusion between users. Which of the following principles of risk mitigation is the team implementing?
A. Dual control
B. Least privilege
C. Separation of duties
D. Job rotation
258.) A company hosts sites for multiple vendors and provides information to users globally. Which of the following is a critical security consideration in this environment?
A. Proxy servers to enforce a single access mechanism to the data warehouse
B. Firewalls to ensure that the data warehouse is not accessible to the internet
C. Access controls to prevent users from accessing the entire data warehouse
D. Query protocols should use non-standard ports to protect user result-sets
259.) A security administrator, believing it to be a security risk, disables IGMP snooping on a switch. This breaks a video application. The application is MOST likely using:
A. RTP
B. Multicast
C. Anycast
D. VoIP
260.) A security engineer is monitoring suspicious traffic from an internal endpoint to a malicious landing page of an external entity. The internal endpoint is configured using a limited account, is fully patched to current standards, and has current antivirus signatures. No alerts have been received involving this endpoint. The security engineer finds malicious code on the endpoint during a forensics analysis. Which of the following MOST likely explains this occurrence?
A. The external entity breached the IDS
B. The antivirus engine was evaded
C. The DLP did not detect the malicious code
D. The endpoint was running on a hypervisor
261.) A security administrator recently implemented IPSec for remote users. Which of the following ports must be allowed through the firewall in order for remote access to be successful if the tunneling protocol is PPTP?
A. UDP 500
B. UDP 1723
C. TCP 1723
D. TCP 4500
262.) A user has been working on a project to implement controls for data storage. Which of the following policies defines how long specific data should remain on company equipment?
A. Data retention policy
B. Data wiping policy
C. Data classification policy
D. Data disposal policy
263.) A system administrator has received several service desk tickets relating to users receiving rejection notices from third-party destination email servers. The users in question were previously able to send emails to the recipients mentioned in the ticket. Which of the following items should the system administrator review to determine a possible cause for the issue?
A. DNS blacklists
B. Spam filter configuration
C. Local hosts file
D. SMTP queue
264.) An enterprise needs to be able to receive files that contain PII from many customers at different times. The data must remain encrypted during transport and while at rest. Which of the following encryption solutions would meet both of these requirements?
A. PGP
B. SCP
C. SSL
D. TLS
265.) A security analyst has been asked to perform penetration testing against a web application being deployed for the first time. When performing the test the application stops responding and returns an error referring to failed database connections. Upon further investigation, the analyst finds the database server was inundated with commits which exhausted available space on the volume. Which of the following attacks has been performed against the database server?
A. DoS
B. SQL injection
C. SYN flood
D. DDos
E. Cross-site scripting
266.) Virtualization would provide an ROI when implemented under which of the following situations?
A. Numerous servers with no fail-over requirement
B. Multiple existing 100% utilized physical servers
C. Numerous clients with a requirement for fast processors
D. Multiple existing but underutilized physical servers
267.) An organization decides to implement a BYOD policy but wants to ensure they address requirements associated with any legal investigations and controls needed to comply with the analysis and recreation of an incident. This concern is also known as which of the following?
A. Data ownership
B. Forensics
C. Chain of custody
D. Acceptable use
268.) When implementing a new system, a systems administrator works with the information system owner to identify and document the responsibilities of various positions within the organization. Once responsibilities are identified, groups are created within the system to accommodate the various responsibilities of each position type, with users being placed in these groups. Which of the following principles of authorization is being developed?
A. Rule-based access control
B. Least privilege
C. Separation of duties
D. Access control lists
E. Role-based access control
269.) Which of the following network design components would assist in separating network traffic based on the logical location of users?
A. IPSec
B. NAC
C. VLAN
D. DMZ
270.) The SSID broadcast for a wireless router has been disabled but a network administrator notices that unauthorized users are accessing the wireless network. The administrator has determined that attackers are still able to detect the presence of the wireless network despite the fact that the SSID has been disabled. Which of the following would further obscure the presence of the wireless network?
A. Upgrade the encryption to WPA or WPA2
B. Create a non-zero length SSID for the wireless router
C. Reroute wireless users to a honeynet
D. Disable responses to a broadcast probe request
271.) A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the following attacks?
A. SQL injection
B. Header manipulation
C. Cross-site scripting
D. Flash cookie exploitation
272.) Virtualization that allows an operating system kernel to run multiple isolated instances of a guest OS is :
A. Process segregation
B. Software defined network
C. Containers
D. Emulation
273.) A plant security officer is continually losing connection to two IP cameras that monitor several critical high voltage motors. Which of the following should the network administrator do to BEST ensure the availability of the IP camera connections?
A. Use a wireless bridge instead of the network cables
B. Replace patch cables with shielded cables
C. Change existing cables with optical cables
D. Add new conduit runs for the network cables
274.) During a trial for possession of illegal content, a defense attorney argues that several of the files on the forensic image may have been tampered with. How can a technician BEST disprove this argument?
A. Trace the chain-of-custody from the time of arrest until the time of trial
B. Have a forensic investigator undergo a polygraph examination
C. Take hashes from the suspect source drive, and compare them to hashes on the forensics image
D. Access the system logs on the forensic image, and see if any logins occurred after the suspect?s arrest
275.) An auditing organization frequently deploys field employees to customer sites worldwide. While at the customer sites, the field employees often need to connect to the local network to access documents and data. Management is concerned that the field employee laptops might become infected with malware while on the customer networks. Which of the following could be deployed to decrease the amount of risk incurred by the field employees?
A. HIPS
B. HOTP
C. HIDS
D. HSM
276.) Joe, a user, wants to configure his workstation to make certain that the certificate he receives when connecting to websites is still valid. Which of the following should Joe enable on his workstation to achieve this?
A. Certificate revocation
B. Key escrow
C. Registration authority
D. Digital signatures
277.) When implementing a new system, a systems administrator works with the information system owner to identify and document the responsibilities of various positions within the organization. Once responsibilities are identified, groups are created within the system to accommodate the various responsibilities of each position type, with users being placed in these groups. Which of the following principles of authorization is being developed?
A. Rule-based access control
B. Least privilege
C. Separation of duties
D. Access control lists
E. Role-based access control
278.) An organization received a subpoena requesting access to data that resides on an employee?s computer. The organization uses PKI. Which of the following is the BEST way to comply with the request?
A. Certificate authority
B. Public key
C. Key escrow
D. Registration authority
E. Key recovery agent
279.) Which of the following is a security weakness associated with software-based disk encryption?
A. Employed encryption algorithms are generally weaker when implemented in software
B. A dedicated processor is used by the cryptomodule
C. The key can be physically extracted from the encrypted medium
D. Cryptographic operations can be far slower than with hardware based encryption
280.) A large retail vendor provides access to a heating, ventilation, and air conditioning vendor for the purpose of issuing billing statements and receiving payments. A security administrator wants to prevent attackers from using compromised credentials to access the billing system, moving literally to the point-of-sale system, and installing malware to skim credit card data. Which of the following is the MOST important security architecture consideration the retail vendor should impose?
A. Data encryption
B. Network segregation
C. Virtual private networking
D. Application firewalls
281.) A security administrator, believing it to be a security risk, disables IGMP snooping on a switch. This breaks a video application. The application is MOST likely using.
A. RTP
B. Multicast
C. Anycast
D. VoIP
282.) A global gaming console manufacturer is launching a new gaming platform to its customers. Which of the following controls reduces the risk created by malicious gaming customers attempting to circumvent controls by way of modifying consoles? ( select two)
A. Firmware version control
B. Manual software upgrades
C. Vulnerability scanning
D. Automatic updates
E. Network segmentation
F. Application firewalls
283.) The security administrator for a growing company is concerned about the increasing prevalence of personal devices connected to the corporate WLAN. Which of the following actions should the administrator take FIRST to address this concern?
A. Implement RADIUS to centrally manage access to the corporate network over Wi-Fi
B. Request that senior management support the development of a policy that addresses personal devices
C. Establish a guest-access wireless network and request that employees use the guest network
D. Distribute a memo addressing the security risks associated with the use of personally-owned devices on the corporate WLAN
284.) After disabling SSID broadcast, a network administrator still sees the wireless network listed in available networks on a client laptop. Which of the following attacks may be occurring ?
A. Evil twin
B. Rod?s access point
C. Arp spoofing
D. Rogue access point
E. TKIP compromise
285.) A recent regulatory audit discovers a large number of former employees with active accounts. Terminated users are removed from the HR system but not from Active Directory. Which of the following processes would close the gap identified?
A. Send a recurring email to managers with a link to IT security policies
B. Perform routing audits against the HR system and Active Directory
C. Set an account expiration date for all Active Directory accounts to expire annually
D. Conduct permissions reviews in Active Directory for group membership
286.) Which of the following is the MAIN purpose for incorporating a DMZ into the design of a network?
A. Incorporate a secure place to house print servers and other networking equipment
B. Have Rod to come out and secure the network even if he knows nothing about it
C. Facilitate the creation of resources accessed by internal users in a secure manner
D. Provide an isolated location for servers accessed from the intra and inter networks
287.) A security engineer wants to communicate securely with a third party via email using PGP. Which of following should the engineer send to the third party to enable the third party to securely encrypt email replies?
A. Public key
B. Private key
C. Key escrow
D. Recovery key
288.) A datacenter manager has been asked to prioritize critical system recovery priorities. Which of the following is the MOST critical for immediate recovery?
A. Remote assistance software
B. Operating system software
C. Weekly summary reports to management
D. Financial and production software
289.) A risk assessment team is concerned about hosting data with a cloud service provider. Which of the following findings would justify this concern?
A. The CSP utilizes encryption for data at rest and in motion
B. The CSP takes into account multinational privacy concerns
C. The financial reveiew indicates the company is a startup
D. SLAs state service tickets will be resolved in less than mins
290.) A security administrator is responsible for the deployment of a new two-factor authentication solution. The administrator has been informed that the solution will use soft tokens. Which of the following are valid token password schemes for the two-factor solution being deployed? ( select Two)
A. Chap
B. PAP
C. NTLMv2
D. HMAC
E. Smart card
F. Time-based
291.) A security administrator has implemented a series of computers to research possible intrusions into the organizational network, and to determine the motives as well as the tool used by the malicious entities. Which of the following has the security administrator implemented?
A. Honeypot
B. DMZ
C. Honeynet
D. VLANs
292.) Which of the following allows an application to securely authenticate a user by receiving credentials from a remote web domain?
A. TACACS+
B. RADIUS
C. Kerberos
D. SAML
293.) A company is exploring the possibility to integrate some of its internal processes with an external cloud service provider. Which of the following should be implemented if the company wants to preserve its internal authentication and authorization process and credentials?
A. Single sign-on
B. Dual factor authentication
C. Federation
D. TOTP
294.) Many employees are receiving email messages similar to the one shown below From: IT Department To: Employee Subject: Email quota exceeded Please check on the following link Http://www.getatme.infoemail.php?quota= Gb and provide your username and password to increase your email quota Upon reviewing other similar emails, the security administrator realizes that all the phishing URLs have the following common elements they all use HTTP, they all come from info domains, and they all contain the same URL. Which of the following should the security administrator configure on the corporate content filter to prevent users from accessing the phishing URL, while at the same time minimizing false positives?
A. Block http//www?info?
B. Drop http//?getatme.info/email?php
C. Redirect
D. DENY http://?infoemail.php?quota=Gb
295.) Which of the following social engineering attacks would describe a situation where an attacker calls an employee while impersonating a corporate executive?
A. Vishing
B. Pharming
C. Whaling
D. Pharrming
296.) A security administrator determined that the time required to brute force 90% of the companys password hashes is below the acceptable threshold. Which of the following, if implemented, has the GREATEST impact in bringing this time above the acceptable threshold?
A. Use a shadow password file
B. Increase the number of PBKDF2 iterations
C. Change the algorithm used to salt all passwords
D. Use a stronger hashing algorithm for password storage
297.) Which of the following is important to reduce risk?
A. Separation of duties
B. Risk acceptance
C. Risk transference
D. Threat modeling
298.) An outside testing company performing black box testing against a new application determines that it is possible to enter any characters into the applications web-based form. Which of the following controls should the application developers use to prevent this from occurring?
A. CSRF prevention
B. Sandboxing
C. Fuzzing
D. Input validation
299.) The network administrator for a small business is configuring a wireless network for 20 users. Which of the following explains why the administrator would choose WPA2-Pesonal over WPA-2 Enterprise?
A. It does not require a RADIUS server
B. It uses 3DES encryption
C. It has 14 channels available
D. It allows a separate password for each device
300.) The security director has a mantrap installed for the company?s data center. This control is installed to mitigate:
A. Transitive access
B. Tailgating
C. Shoulder surfing
D. Impersonation
301.) A company needs to ensure that employees that are on vacation or leave cannot access network resources, while still retaining the ability to receive emails in their inboxes. Which of the following will allow the company to achieve this goal?
A. Set up an email alias
B. Remove user privileges
C. Install an SMTP proxy server
D. Reset user passwords
302.) Which of the following is an administrative control used to reduce tailgating?
A. Delivering security training
B. Erecting a fence
C. Implementing magnetic locks and doors
D. Installing a mantrap
303.) Which of the following would enhance the security of accessing data stored in the cloud? (select two)
A. Block level encryption
B. SAML authentication
C. Transport encryption
D. Multifactor authentication
E. Predefined challenge questions
F. Hashing
304.) A company has hired an ex-employee to perform a penetration test of the company?s proprietary application. Although the ex-employee used to be part of the development team, the application has gone through some changes since he employee left. Which of the following can the ex-employee perform if the company is not willing to release any information on te software to the ex-employee?
A. Black box testing
B. Regression testing
C. White box testing
D. Grey box testing
305.) Joe has been in the same IT position for the last 27 years and has developed a lot of the homegrown applications that the company utilizes. The company is concerned that Joe is the only one who can administer these applications. The company should enforce which of the following best security practices to avoid Joe being a single point of failure?
A. Separation of duties
B. Least privilege
C. Job rotation
D. Mandatory vacations
306.) Which of the following are BEST used in the process of hardening a public facing web server? (Select 2)
A. Vulnerability scanner
B. Protocol analyzer
C. Honeynet
D. Port scanner
E. Honeypot
307.) A company is planning to encrypt the files in several sensitive directories of a file server with a symmetric key. Which of the following could be used?
A. RSA
B. TwoFish
C. Diffie-Hellman
D. NTLMv2
E. RIPEMD
308.) In the course of troubleshooting wireless issues from users, a technician discovers that users are connecting to their home SSID?s while at work. The technician scans but detects none of those SSIDs. The technician eventually discovers a rogue access point that spoofs any SSID that a client requests. Which of the following allows wireless use while mitigating this type of attack?
A. Configure the device to verify access point MAC addresses
B. Disable automatic connection to unknown SSIDs
C. Only connect to trusted wireless networks
D. Enable MAC filtering on the wireless access point
309.) Which of the following BEST represents a security challenge faced primarily by organizations employing a mobility BYOD strategy?
A. Balancing between the security of personal information and the company?s information sharing requirements
B. Balancing between the assurance of individual privacy rights and the security of corporate data
C. Balancing between device configuration enforcement and the management of cryptographic keys
D. Balancing between the financial security of the company and the financial security of the user
310.) A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrator?s NEXT steps in the investigation? (Select Two)
A. Reinstall the procps package in case system utilities were modified
B. Look for recently modified files in use and tmp directories
C. Switch SELinux to enforcing mode and reboot
D. Monitor perimeter firewall for suspicious traffic from the system
E. Check running processes and kernel modules
F. Remove unnecessary accounts and services
311.) A company was recently the victim of a major attack which resulted in significant reputational loss. Joe, a member of the company incident response team, is currently reviewing Standard Operating Procedures for the team in the wake of the attack. Which of the following best identifies the stage of incident response that Joe is in?
A. Reporting
B. Lessons learned
C. Mitigation steps
D. Preparation
312.) An increase in the number of wireless users on the 192.168.6.0/24 subnet has caused the DHCP pool to run out of addresses, which prevents users from accessing important network resources. Which of the following should the administrator do to correct this problem?
A. Decrease the subnet mask network bits
B. Increase the dynamic ARP timeout
C. Switch to static IP address assignment
D. Increase the DHCP lease time
313.) Which of the following should be implemented to enforce the corporate policy requiring up-to-date and OS patches on all computers connecting to the network via VPN?
A. VLAN
B. NAT
C. NAC
D. DMZ
314.) A single server hosts a sensitive SQL-based database and a web service containing static content. A few of the database fields need to be encrypted due to regulatory requirements. Which of the following would provide the BEST encryption solution for this particular server?
A. Individual file
B. Database
C. Full disk
D. Record based
315.) A network was down for several hours due to a contractor entering the premises and plugging both ends of a network cable into adjacent network jacks. Which of the following would have prevented the network outage?
A. Port security
B. Loop protection
C. Implicit deny
D. Log analysis
E. MAC filtering
F. Trunk port
316.) A media company would like to securely stream live video feeds over the internet to clients. The security administrator suggests that the video feeds be encrypted in transport and configures the web server to prefer ciphers suited for the live video feeds. Which of the following cipher suites should the administrator implement on the web server to minimize the computational and performance overhead of delivering the live feeds?
A. ECDHE-RSA-RC4-SHA
B. DHE-DSA-DE5-CBC-SHA
C. ECDHE-RSA-AES-CBC-SHA
D. ECDHE-RSA-AES256-CBC-SHA
317.) After a wireless security breach, the network administrator discovers the tool used to break into the network. Using a brute force attack, the tool is able to obtain the wireless password in less than 11,000 attempts. Which of the following should be disabled to prevent this type of attack in the future?
A. WPS
B. WEP
C. WIPS
D. WPA2-PSK
318.) While responding to an incident on a new Windows server, the administrator needs to disable unused services. Which of the following commands can be used to see processes that are listening on a TCP port?
A. Ipconfig
B. Netstat
C. Psinfo
D. Net session
319.) A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resources. There cannot be a possibility of any equipment being damage in the test. Which of the following has the administrator been tasked to perform?
A. Risk transference
B. Penetration test
C. Threat assessment
D. Vulnerability assessment
320.) Following a site survey for an upcoming 5GHz wireless network implementation, the project manager determines that several areas of the facility receive inadequate coverage due to the use of vertical antennas on all access points. Which of the following activities would be MOST likely to remediate the issue without changing the current access point layout in the facility?
A. Convert all access points to models operating at 2.4GHz
B. Install antennas with lower front-to-back ratios to narrow the focus of coverage as needed
C. Reorient the existing antennas in horizontal configuration
D. Install unidirectional antennas to focus coverage where needed
321.) Two companies are partnering to bid on a contract. Normally these companies are fierce competitors but for this procurement they have determined that a partnership is the only way they can win the job. Each company is concerned about unauthorized data sharing and wants to ensure other divisions within each company will not have access to proprietary data. To best protect against unauthorized data sharing they should each sign a(n)
A. NDA
B. SLA
C. MOU
D. BPA
322.) A security administrator runs a port scan against a server and determines that the following ports are open TCP 22, TCP 25, TCP 80, TCP 631, and TCP 995. Which of the following MOST likely describes the server?
A. The server is an email server that requires secure email transmittal
B. The server is a web server that requires secure communication
C. The server is a print server that requires secure authentication
D. The server is an email server that requires secure email retrieval
323.) The security administrator receives a service ticket saying a host-based firewall is interfering with the operation of a new application that is being tested in development. The administrator asks for clarification on which ports need to be open. The software vendor replies that it could use up to 20 ports and many custormers have disabled the host-based firewall. After examining the system, the administrator sees several ports that are open for database and application servers that are only used locally. The vendor continues to recommend disabling the host-based firewall. Which of the following is the BEST course of action for the administrator to take?
A. Allow ports used by the application through the network firewall
B. Allow ports used externally through the host firewall
C. Follow the vendor?s recommendation and disable the host firewall
D. Allow ports used locally through the host firewall
324.) Which of the following can be used by PPP for authentication?
A. CHAP
B. RSA
C. PGP
D. HMAC
325.) An organization uses security tokens as part of two factor authentication. If the seed values for the tokens are suspected to have been compromised, which of the following actions will mitigate the risk and be the MOST cost effective?
A. Replace the tokens
B. Issue smartcards
C. Change the token algorithms
D. Have users change their passwords
326.) During a recent network audit, it was found that several devices on the internal network were not running antivirus or HIPS. Upon further investigation, it was discovered that these devices were new laptops that were deployed without having the end-point protection suite used by the company installed. Which of the following could be used to mitigate the risk of authorized devices that are unprotected residing on the network?
A. Host-based firewall
B. Network-based IPS
C. Centralized end-point management
D. MAC filtering
327.) Several customers received an email from an employee that advertised better rates at a different company. Shortly after the email was sent, Ann, the employee who sent the email, resigned and joined the other company. When confronted, Ann claimed that she did not send the email, it was another person spoofing her email address. Which of the following would eliminate Ann?s excuse in the future?
A. Sender policy framework
B. Non-repudiation
C. Encrypted email
D. Outgoing mail filters
328.) An attacker wants to exfiltrate confidential data from an organization. The attacker decides to implement steganography as the method of exfiltration. Which of the following techniques should the attacker use?
A. Encrypt an existing image file
B. Add information to a sound file
C. Hash a known document
D. Use a substitution cipher
329.) A network administrator is in the process of developing a new network security infrastructure. One of the requirements for the new system is the ability to perform advanced authentication, authorization, and accounting services. Which of the following technologies BEST meets the stated requirement?
A. Kerberos
B. SAML
C. TACSCS+
D. LDAPS
330.) The network sees a ?%CAM-TABLE-FULL? message on a network switch. Upon investigation, the administrator, notices thousands of MAC addresses associated with a single untagged port. Which of the following should be implemented to prevent this type of attack?
A. Port security
B. BPDU guard
C. 802.1x
D. TACACS+
331.) A network technician needs to pass traffic from the company?s external IP address to a front-end mail server in the DMZ without exposing the IP address of the mail server to the external network. Which of the following should the network technician use?
A. NAT
B. SMTP
C. NAC
D. SSH
E. TLS
332.) An engineer is designing a system that needs the fastest encryption possible due to system requirements. Which of the following should the engineer use?
A. Symmetric key
B. RSA-1024
C. Rainbow tables
D. SHA-256
E. Public key encryption
333.) A security administrator is trying to determine the source of a suspected denial of service attack that is consistently disconnecting most systems from the wireless network. Hourly checks verify that there are no rogue wireless access points, unauthorized wireless clients, or de-authentication attacks occurring. Which of the following should the administrator use to BEST identify the reason for the outage?
A. Perform a packet capture
B. Deploy a wireless IDS
C. Use a spectrum analyzer
D. Conduct a wireless site survey
334.) A security analyst at a nuclear power plant needs to secure network traffic from the legacy SCADA systems. Which of the following methods could the analyst use to secure network traffic in this static environment?
A. Implement a firewall
B. Implement a HIDS
C. Implement a NIDS
D. Implement a rootjail
335.) A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrators NEXT steps in the investigation? (Select Two)
A. Reinstall the procps package in case system utilities were modified
B. Look for recently modified files in user and tmp directories
C. Switch SELinux to enforcing mode and reboot
D. Monitor perimeter firewall for suspicious traffic from the system
E. Check running processes and kernel modules
F. Remove unnecessary accounts and services
336.) Several users require administrative access for software compatibility reasons. Over time, these users have made several changes to important system settings. Which of the following is the BEST course of action to ensure the system settings are properly enforced?
A. Require users to run under a standard user account
B. Use centralized group policy to configure the systems
C. Conduct user access reviews to determine appropriate privileges
D. Implement an application whitelist throughout the company
337.) A company wants to ensure that all software executing on a corporate server has been authorized to do so by a central control point. Which of the following can be implemented to enable such control?
A. Digital signatures
B. Role-Based access control
C. Session keys
D. Non-repudiation
338.) An employee connects to a public wireless hotspot during a business trip. The employee attempts to go to a secure website but instead connects to an attacker who is performing a man-in-the-middle attack. Which of the following should the employee do to mitigate the vulnerability described in the scenario?
A. Connect to a VPN when using public wireless networks
B. Only connect to WPA2 networks regardless of whether the network is public or private
C. Ensure a host-based firewall is installed and running when using public wireless networks
D. Check the address in the web browser before entering credentials
339.) A PKI architect is implementing a corporate enterprise solution. The solution will incorporate key escrow and recovery agents, as well as a tiered architecture. Which of the following is required in order to implement the architecture correctly?
A. Certificate revocation list
B. Strong ciphers
C. Intermediate authorities
D. IPsec between CAs
340.) An administrator would like to restrict traffic between two VLANs. The network devices connecting the two VLANs are layer 3 switches. Which of the following should the administrator configure?
A. IDS rule
B. Firewall
C. ACL
D. Subnet mask
341.) Joe, an administrator, has been in the sam IT position for the past 27 years and has developed a lot of the homegrown applications the company utilizes. The company is concerned that Joe is the only one who can administer these applications. Which of the following best security practices should the company enforce to prevent Joe from being a single point of failure?
A. Separation of duties
B. Least privilege
C. Job rotation
D. Mandatory vacations
342.) A technician has raised concern over employees on the manufacturing floor moving computers between work areas. The technician is concerned that the activity is making it more difficult to track down rogue devices on the network and provide timely support. Which of the following would prevent this from occurring?
A. 802.1X
B. Video surveillance
C. Full-disk encryption
D. Cable locks
343.) Which of the following should mobile devices use in order to protect against data theft in an offline attack?
A. Application controls
B. Full device encryption
C. Storage segmentation
D. Whitelisting
E. Remote wiping
344.) A security administrator is performing a vulnerability scan and discovers that port 21 and 22 are open to support FTPS. Which of the following is this an example of?
A. False positive
B. Input validation
C. Banner grabbing
D. Common misconfiguration
345.) The network engineer for an organization intends to use certificate-based 802.1X authentication on a network. The engineer?s organization has an existing PKI that is used to issue server and user certificates. The PKI is not currently configured to support the issuance of 802.1X certificates. Which of the following represents an item the engineer MUST configure?
A. OCSP
B. Web Enrollment portal
C. Symmetric cryptography
D. Certification extension
346.) An administrator needs to allow a third-party service to authenticate users, but does not want to give the third-party access to user credentials. Which of the following allows this type of authentication?
A. LDAP
B. SAML
C. RADIUS
D. TACACS
347.) While performing surveillance activities, an attacker determined that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security controls?
A. MAC spoofing
B. Pharming
C. Xmas attack
D. ARP Poisoning
348.) An attacker is attempting to determine the patch-level version a web server is running on its open ports. Which of the following is an active technique that will MOST efficiently determine the information the attacker is seeking?
A. Banner grabbing
B. Vulnerability scanning
C. Port scanning
D. Protocol analysis
349.) In order to establish a connection to a server using secure LDAP, which of the following MUST be installed on the client?
A. Server public key
B. Subject alternative name certificate
C. CA anchor of trust
D. Certificate signing request
350.) A help desk technician receives a request for information from a user regarding a new policy a department issued. The policy states that all emails with embedded URLs or images be digitally signed. Which of the following represent possible motivators for this new policy? ( select Two)
A. Service availability
B. Non- repudiation
C. User authentication
D. Confidentiality
E. Anti-malware
F. Message integrity
351.) A bank is planning to implement a third factor to protect customer ATM transactions. Which of the following could the bank implement?
A. SMS
B. Fingerprint
C. Chip and PIN
D. OTP
352.) The content of a document that is routinely used by several employees and contains confidential information has been changed. While investigating the issue, it is discovered that payment information for all of the company?s clients has been removed from the document. Which of the following could be used to determine who changed the information?
A. Audit logs
B. Server baseline
C. Document hashing
D. Change management
353.) An old 802.11b wireless bridge must be configured to provide confidentiality of data in transit to include the MAC addresses of communicating endpoints. Which of the following can be implemented to meet this requirement?
A. MSCHAPv2
B. WPA2
C. WEP
D. IPsec
354.) A web server at an organization has been the target of distributed denial of service attacks. Which of the following, if correctly configured, would BEST mitigate these and future attacks?
A. SYN cookies
B. Implicit deny
C. Blacklisting
D. URL filter
355.) An application developer is working with the server administrator to configure storage of data that the application producers, including any temporary files. Which of the following will securely store the files outside of the application?
A. Database encryption
B. Transparent encryption
C. Full-disk encryption
D. Transit encryption
356.) An auditor is reviewing the following logs from the company?s proxy server that is used to store both sensitive and public documents. The documents are edited via a client web interface, and all processing is performed on the server side.
Which of the following should the auditor recommend be implemented?
A. Two-factor authentication should be implemented for sensitive documents
B. Sensitive documents should be signed using enterprise PKI
C. Encryption should be implemented at the transport level
D. Document hashing should be done to preserve document integrity
357.) Which of the following is a contract with a service provider that typically includes performance parameters like MTBF and MTTR?
A. SLA
B. NDA
C. ISA
D. MOU
E. ALE
358.) An assessment team is conducting a vulnerability scan of an organization?s database servers. During the configuration of the vulnerability scanner, the lead assessor only configures the parameter of the database servers? IP range, and then runs the vulnerability scanner. Which of the following scan types is being run on the database servers?
A. Intrusive
B. Ping sweep
C. Non-credentialed
D. Offline
359.) Which of the following network configurations provides security analysts with the MOST information regarding threats, while minimizing the risk to internal corporate assets?
A. Configuring the wireless access point to be unencrypted
B. Increasing the logging level of internal corporate devices
C. Allowing inbound traffic to a honeypot on the corporate LAN
D. Placing a NIDS between the corporate firewall and ISP
360.) A new help desk employee at a cloud services provider receives a call from a customer. The customer is unable to log into the provider?s web application. The help desk employee is unable to find the customer?s user account in the directory services console, but sees the customer?s information in the application database. The application does not appear to have any fields for a password. The customer then remembers the password and is able to log in. The help desk employee still does not see the user account in directory services. Which of the following is the MOST likely explanation?
A. A bug has been discovered in the application
B. The application uses a weak encryption cipher
C. A federated authentication model is being used
D. The application uses single sign-on
361.) An administrator is reviewing the logs for a content management system that supports the organization?s public-facing website. The administrator is concerned about the number of attempted login failures for administrator accounts from other countries. Which of the following capabilities is BEST to implement if the administrator wants the system to react dynamically to such attacks?
A. Netflow-based rate limiting
B. Disabled generic administrative accounts
C. Automated log analysis
D. Intrusion prevention system
362.) y recent security breach at an organization revealed that the attack leveraged a telnet server that had not been used for some time. Below are partial results of an audit that occurred a week before the breach was detected. OPEN PORTS---TCP 23, TCP 80, TCP 443 OS PATCH LEVEL-CURRENT PASSWORD AUDIT-PASS, STRONG FILE INTEGRITY-PASS. Which of the following could have mitigated or deterred this breach?
A. Routine patch management on the server
B. Greater frequency of auditing the server logs
C. Password protection on the telnet server
D. Disabling unnecessary services
363.) A recent counter threat intelligence notification states that companies should review indicators of compromise on all systems. The notification stated that the presence of a win_32.dll was an identifier of a compromised system. A scan of the network reveals that all systems have this file. Which of the following should the security analyst perform FIRST to determine if the files collected are part of the threat intelligence?
A. Quarantine the file on each machine
B. Take a full system image of each machine
C. Take hashes of the files found for verification
D. Verify the time and date of the files found
364.) A technician is troubleshooting an issue with an employee?s new mobile device that is not associating to the wireless network. The technician verifies the mobile device is in the company?s approved and supported list. The appropriate configuration was entered on the device. All other mobile devices are connecting to the wireless network. Which of the following is the MOST likely cause of the issue?
A. Non-broadcasting SSID
B. MAC address filtering
C. Wrong encryption
D. Full DHCP scope
365.) An organization is developing a plan to ensure an earthquake at a datacenter does not disrupt business. The organization has identified all of the critical applications within the datacenter, determining the financial loss of an outage of different duration for each application. This effort is known as a :
A. Tabletop exercise
B. High availability
C. Disaster recovery
D. Business impact analysis
E. Risk assessment
366.) After installing new digital certificates on a company web server, the network administrator wants to securely store the keys so that no one individual is able to use the keys on any other system. Which of the following would allow the network administrator to achieve this goal?
A. Key hashing
B. Key exchange
C. Key escrow
D. Ephemeral key
367.) Multi-function devices are being deployed in various departments. All departments will be able to copy, print and scan to file. Some departments will be authorized to use their devices to fax and email while other departments will not be authorized to use those functions on their devices. Which of the following is the MOST important mitigation technique to avoid an incident?
A. Disabling unnecessary accounts
B. Password protection
C. Monitoring access logs
D. Disabling unnecessary services
368.) Due to the commonality of Content Management System ( CMS) platforms, a website administrator is concerned about security for the organization?s new CMS application. Which of the following practices should the administrator implement FIRST to mitigate risks associated with CMS platform implementations?
A. Deploy CAPTCHA features
B. Modify the default accounts? password
C. Implement two-factor authentication
D. Configure DNS blacklisting
E. Configure password complexity requirements
369.) Which of the following BEST describes the benefits of using Extended Validation(EV)?
A. Does not use standard x.509 V3 certificates
B. Enhances SSL session key exchange preventing man-in-the-middle attacks
C. The website provider demonstrates an additional level of trust
D. Provides stronger enforcement of SSL encryption algorithms
370.) The network administrator is installing RS-485 terminal servers to provide card readers to vending machines. Which of the following should be performed to protect the terminal servers?
A. Flood guard
B. 802.1X
C. Network separation
D. Port security
371.) An administrator was tasked with reducing the malware infection rate of PC applications. To accomplish this, the administrator restricted the locations from which programs can be launched. After this was complete, the administrator noticed that malware continued to run from locations on the disk and infected the hosts. Which of the following did the administrator forget to do?
A. Restrict write access to the allowed executable paths
B. Install the host-based intrusion detection system
C. Configure browser sandboxing
D. Disable unnecessary services
372.) A developer is programming an SSO module to assist an organization?s internal users with password management. As part of the implementation plan, each user will be required to sign in with existing credentials and submit a new password for the SSO system due to increased security requirements. The developer has been tasked by the security lead to harden the application against automated attacks using the existing credentials. Which of the following will provide an additional security layer against unauthorized access?
A. Log analysis
B. CAPTCHA
C. Web application firewall
D. Security tokens
E. Role-based access control lists
F. One-time pad
373.) A security administrator determined that the time required to brute force 90% of the company?s password hashes is below the acceptable threshold. Which of the following, if implemented, has the GREATEST impact in bringing this time above the acceptable threshold?
A. Use a shadow password file
B. Increase the number of PBKDF2 iterations
C. Change the algorithm used to salt all passwords
D. Use a stronger hashing algorithm for password storage
374.) A security administrator creates separate VLANs for employee devices and HVAC equipment that is network attached. Which of the following are security reasons for this design?
A. IDS often requires network segmentation of HVAC endpoints for better reporting
B. Broadcasts from HVAC equipment will be confined to their own network segment
C. HVAC equipment can be isolated from compromised employee workstations
D. VLANs are providing loop protection for the HVAC devices
E. Access to and from the HVAC equipment can be more easily controlled
F. Employee devices often interfere with proper functioning of HVAC devices
375.) An attacker has breached multiple lines of information security defense. Which of the following BEST describes why delayed containment would be dangerous?
A. The attacker could be blocked by the NIPS before enough forensic data can be collected.
B. The attacker could erase all evidence of how they compromised the network
C. The attacker could cease all attack activities making forensics more difficult
D. The attacker could escalate unauthorized access or compromise other systems
376.) After Ann, a user, left a crowded elevator, she discovered her smartphone browser was open to a malicious website that exploited the phone. Which of the following is the MOST likely reason this occurred?
A. The user was the victim of an CSRF attack
B. The user was the victim of an NFC attack
C. The user was the victim of an IV attack
D. The user was the victim of a bluesnarfing attack
377.) A company has classified the following database records
Which of the following is a management control the company can implement to increase the security of the above information with respect to confidentiality?
A. Implement a client-based software filter to prevent some employees from viewing confidential info.
B. Use a privacy screen on all computers handling and displaying sensitive information
C. Encrypt the records that have a classification of HIGH in the confidentiality column
D. Disseminate the data classification table to all employees and provide training on data disclosure
378.) Joe a system architect wants to implement appropriate solutions to secure the company?s distributed database. Which of the following concepts should be considered to help ensure data security? ( Select Two)
A. Data at rest
B. Data in use
C. Replication
D. Wiping
E. Retention
F. Cloud Storage
379.) A government agency wants to ensure that the systems they have been deployed as secure as possible. Which of the following technologies will enforce protections on these systems to prevent files and services from operating outside of a strict rule set?
A. Host based Intrusion
B. Host-based firewall
C. Trusted OS
D. Antivirus
380.) Joe is a helpdesk specialist. During a routine audit, a company discovered that his credentials were used while he was on vacation. The investigation further confirmed that Joe still has his badge and it was last used to exit the facility. Which of the following access control methods is MOST appropriate for preventing such occurrences in the future?
A. Access control where the credentials cannot be used except when the associated badge is in the facility
B. Access control where system administrators may limit which users can access their systems
C. Access control where employee?s access permissions is based on the job title
D. Access control system where badges are only issued to cleared personnel
381.) After a private key has been compromised, an administrator realized that downloading a CRL once per day was not effective. The administrator wants to immediately revoke certificates. Which of the following should the administrator investigate?
A. CSR
B. PKI
C. IdP
D. OCSP
382.) A datacenter has suffered repeated burglaries that lead to equipment theft and arson. In the past, the thieves have demonstrated a determination to bypass any installed safeguards. After mantraps had been installed to prevent tailgating, the thieves crashed through the wall of the datacenter with a vehicle after normal business hours. Which of the following options could further improve the physical safety and security of the datacenter? (select TWO).
A. Cipher locks
B. CCTV
C. Escape routes
D. K-rated fencing
E. FM200 Fire suppression
383.) Based on a review of the existing access policies the network administrator determines that that changes are needed to meet current regulatory requirements of the organization's access control process. To initiate changes in teh process, the network administrator should FIRST:
A. Update the affected policies and inform the user community of the changes
B. Distribute a memo stating that all new accounts must follow current regulatory requirements
C. Inform senior management that changes are needed to existing policies
D. Notify the user community that non-compliant account will be required to use the new process
384.) When implementing a new system, a systems administrator works with the information system owner to identify and document the responsibilities of various positions within teh organization. Once responsibilities are identified, groups are created within the system to accommodate the various responsibilities of each position type, with users being placed in these groups. Which of the following principles of authorization is being developed?
A. Rule-based access control
B. Least privilege
C. Separation of duties
D. Access control lists
E. Role-Based access control
385.) The operations manager for a sales group wants to ensure that sales personnel are able to use their laptops and other portable devices throughout a building using both wireless and wired connectivity. Which of the following technologies would be MOST effective at increasing security of the network while still maintaining the level of accessibility the operations manager requested?
A. 802.1x
B. 802.11n
C. WPA2 authentication
D. VLAN isolation
E. Authenticated web proxy
386.) A system administrator is configuring a site-to-site IPSec VPN tunnel. Which of the following should be configured on the VPN concentrator for payload encryption?
A. ECDHE
B. SHA256
C. HTTPS
D. 3DES
.
387.) Several computers in an organization are running below the normal performance baseline. A security administrator inspects the computers and finds the following pieces of information:
Several users have uninstalled the antivirus software
Some users have installed unauthorized software
Several users have installed pirated software
Some computers have had automatic updating disabled after being deployed
Users have experienced slow responsiveness when using the Internet browser
Users have complete control over critical system properties
Which of the following solutions would have prevented these issues from occurring? (Select TWO).
A. Using snapshots to revert unwanted user changes
B. Using an IPS instead of an antivirus
C. Placing users in appropriate security groups
D. Disabling unnecessary services
E. Utilizing an application whitelist
F. Utilizing an application blacklist
388.) A data breach is suspected on a currently unidentified server in a datacenter. Which of the following is the BEST method of determining which server was breached?
A. Network traffic logs
B. System image capture
C. Asset inventory review
D. RAM analysis
389.) Due to the commonality of Content Management System (CMS) platforms, a website administrator is concerned about security for the organization's new CMS application. Which of the following practices should the administrator implement FIRST to mitigate risks associated with CMS platform implementations?
A. Deploy CAPTCHA features
B. Modify default accounts password
C. Implement two-factor authentication
D. Configure DNS blacklisting
E. Configure password complexity requirements
390.) The firewall administrator is installing a VPN application and must allow GRE through the firewall. Which of the following MUST the administrator allow through the firewall?
A. IPSec
B. IP protocol 47
C. IP protocol 50
D. IP protocol 51
391.) When generating a request for a new x.509 certificate for securing a website, which of the following is the MOST appropriate hashing algorithm?
A. RC4
B. MD5
C. RIPEMD
D. SHA
392.) The first responder to an incident has been asked to provide an after action report. This supports which of the following Incident Response procedures?
A. Incident identification
B. Mitigation
C. Lessons learned
D. Escalation/Notification
393.) An employee is conducting a presentation at an out-of-town conference center using a laptop. The wireless access point at the employee's office has an SSID of OFFICE. The laptop was set to remember wireless access points. Upon arriving at the conference, the employee powered on the laptop and noticed that it was connected to the OFFICE access point. Which of the following MOST likely occurred?
A. The laptop connected to a legitimate WAP
B. The laptop connected as a result of an IV attack
C. The laptop connected to an evil twin WAP
D. The laptop connected as a result of near field communication
394.) A company has a proprietary device that requires access to the network be disabled. Only authorized users should have access to the device. To further protect the device from unauthorized access, which of the following would also need to be implemented?
A. Install NIPS within the company to protect all assets
B. Block port80 and 443 on the firewall
C. Install a cable lock to prevent theft of the device
D. Install software to encrypt access to the hard drive
395.) After Ann arrives at the company's co-location facility, she determines that she is unable to access the cage that holds the company's equipment after a co-worker updated the key card server the night before. This is an example of failure of which of the following?
A. Testing controls
B. Access signatures
C. Fault tolerance
D. Non-repudiation
396.) A security administrator wants to implement a system that will allow the organization to quickly and securely recover from a computer breach. The security administrator notices that the majority of malware infections are caused by zero-day armored viruses and rootkits. Which of the following solutions should the system administrator implement?
A. Install an antivirus solution that provides HIPS capabilities
B. Implement a thick-client model with local snapshots
C. Deploy an enterprise patch management system
D. Enable the host-based firewall and remove users? administrative rights
397.) The network engineer for an organization intends to use certificate-based 802.1X authentication on a network. The engineer's organization has an existing PKI that is used to issue server and user certificates. The PKI is currently not configured to support the issuance of 802.1X certificates. Which of the following represents an item the engineer MUST configure?
A. OCSP responder
B. Web enrollment portal
C. Symmetric cryptography
D. Certificate extension
398.) During a recent audit, it was discovered that the employee who deploys patches also approves the patches. The audit found there is no documentation supporting the patch management process, and there is no formal vetting of installed patches. Which of the following controls should be implemented to mitigate this risk? (Select TWO).
A. It contingency planning
B. Change management policy
C. Least privilege
D. Separation of duties
E. Dual control
F. Mandatory job rotation
399.) Which of the following remote authentication methods uses a reliable transport layer protocol for communication?
A. RADIUS
B. LDAP
C. TACACS+
D. SAML
400.) Analysis of a recent security breach at an organization revealed that the attack leveraged a telnet server that had not been used in some time. Below are partial results of an audit that occurred a week before the breach was detected.
OPEN PORTS---TCP 23, TCP 80, TCP 443
OS PATCH LEVEL---CURRENT
PASSWORDAUDIT---PASS, STRONG
FILE INTEGRITY---PASS
Which of the following could have mitigated or deterred this breach?
A. Routine patch management on the server
B. Greater frequency of auditing the server logs
C. Password protection on the telnet server
D. Disabling unnecessary services
401.) A security administrator receives an IDS alert that a single internal IP address is connecting to several known malicious command and control domains. The administrator connects to the switch and adds a MAC filter to Port 18 to block the system from the network.
BEFORE
AFTER
MAC Address
VLAN
Port
MAC Address
VLAN
Port
67A7.353B.5064
101
4
67A7.353B.5064
101
4
7055.4961.1F33
100
9
7055.4961.1F33
100
9
0046.6416.5809
101
21
0046.6416.5809
101
21
7027.0108.31B5
100
16
7027.0108.31B5
100
16
5243.6353.7720
101
6
5243.6353.7720
101
6
1484.A471.6542
100
2
1484.A471.6542
100
2
80C7.8669.5845
101
7
80C7.8669.5845
101
7
7513.77B9.4130
101
18
0046.6419.5809
101
18
5A77.1816.3859
101
19
5A77.1816.3859
101
19
8294.7E31.3270
100
8
8294.7E31.3270
100
8
A few minutes later, the same malicious traffic starts again from a different IP. Which of the following is the MOST likely reason that the system was able to bypass the administrator's MAC filter?
A. The system is now ARP spoofing a device on the switch
B. The system is no VLAN hopping to bypass the switch port MAC fiter
C. The system is now spoofing a MAC address
D. The system is now connecting to the switch
402.) A recent policy change at an organization requires that all remote access connections to and from file servers at remote locations must be encrypted. Which of the following protocols would accomplish this new objective? (Select TWO).
A. TFTP
B. SSH
C. FTP
D. RDP
E. HTTP
403.) A security administrator has been tasked hardening operating system security on tablets that will be deployed for use by floor salespeople at retail outlets. Which of the following could the administrator implement to reduce the likelihood that unauthorized users will be able to access information on the tablets?
A. GPS device tracking
B. Remote wiping
C. Cable locks
D. Password protection
404.) An organization that uses a cloud infrastructure to present a payment portal is using:
A. Software as a service
B. Platform as a service
C. Monitoring as a service
D. Infrastructure as a service
405.) A forensics investigator needs to be able to prove that digital evidence was not tampered with after being taken into custody. Which of teh following is useful in this scenario?
A. Encryption
B. Non-repudiation
C. Hashing
D. Perfect forward secrecy
E. Steganography
406.) A penetration tester is attempting to determine the operating system of a remote host. Which of the following will provide this information?
A. Protocol analyzer
B. Honeypot
C. Fuzzer
D. Banner grabbing
407.) A company is hosting both sensitive and public information at a cloud provider. Prior to the company going out of business, the administrator will decommission all virtual servers hosted in the cloud. When wiping the virtual hard drive, which of the following should be removed?
A. Hardware specifications
B. Encrypted files
C. Data remnants
D. Encrypted keys
408.) A software development manager needs to create several different environments for application development, testing, and quality control. Controls are being put in place to manage how software is moved into the production environment. Which of the following should the software development manager request be put in place to implement the three new environments?
A. Application firewalls
B. Network segmentation
C. Trusted computing
D. Network address translation
409.) A security manager needs to implement a backup solution as part of the disaster recovery plan. The system owners have indicated that the business cannot afford to lose more than a day of transactions following an event where data would have been restored. The security manager should set a value of 24 hours for the:
A. Recovery time objective
B. Service level agreement
C. Recovery point objective
D. System backup window
E. Disaster recovery plan
410.) A security analyst needs to ensure all external traffic is able to access the company's front-end servers but protect all access to internal resources. Which of the following network design elements would MOST likely be recommended?
A. DMZ
B. Cloud Computing
C. VLAN
D. Virtualization
411.) Which of the following network design elements allows for many internal devices to share one public IP address?
A. DNAT
B. PAT
C. DNS
D. DMZ
412.) Ann, a security administrator, needs to implement a transport encryption solution that will enable her to detect attempts to sniff packets. Which of the following could be implemented?
A. Eliptical curve algorithms
B. Ephemeral keys
C. Quantum cryptography
D. Steganography
413.) After Ann arrives at the company's co-location facility, she determines that she is unable to access the cage that holds the company's equipment after a co-worker updated the key card server the night before. This is an example of failure of which of the following?
A. Testing controls
B. Access signatures
C. Fault tolerance
D. Non-repudiation
414.) Which of the following is a security advantage of using NoSQL vs. SQL databases in a three-tier environment?
A. NoSQL databases are not vulnerable to XSRF attacks from the application server.
B. NoSQL databases are not vulnerable to SQL injection attacks.
C. NoSQL databases encrypt sensitive information by default.
D. NoSQL databases perform faster than SQL databases on the same hardware
415.) The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to upgrade the entire corporate IT infrastructure. The architecture consists of a centralized cloud environment hosting the majority of data, small server clusters at each corporate location to handle the majority of customer transaction processing, ATMs, and a new mobile banking application accessible from smartphones, tablets, and the Internet via HTTP. The corporation does business having varying data retention and privacy laws. Which of the following technical modifications to the architecture and corresponding security controls should be implemented to provide the MOST complete protection of data?
A. Revoke exiting root certificates, re-issue new customer certificates, and ensure all transactions are digitally signed to minimize fraud, implement encryption for data in-transit between data centers
B. Ensure all data is encryption according to the most stringent regulatory guidance applicable, implement encryption for data in-transit between data centers, increase data availability by replicating all data, transaction data, logs between each corporate location
C. Store customer data based on national borders, ensure end-to end encryption between ATMs, end users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations
D. Install redundant servers to handle corporate customer processing, encrypt all customer data to ease the transfer from one country to another, implement end-to-end encryption between mobile applications and the cloud.
416.) A server administrator is investigating a breach and determines that an attacker modified the application log to obfuscate the attack vector. During the lessons learned activity the facilitator asks for a mitigation response to protect the integrity of the logs should a similar attack occur. Which of the following mitigations would be MOST appropriate to fulfill the requirement?
A. Host-based IDS
B. Automated log analysis
C. Enterprise SIEM
D. Real-time event correlation
417.) An administrator has to determine host operating systems on the network and has deployed a transparent proxy. Which of the following fingerprint types would this solution use?
A. Packet
B. Active
C. Port
D. Passive
418.) Which of the following can be used to maintain a higher level of security in a SAN by allowing isolation of mis-configurations or faults?
A. VLAN
B. Protocol security
C. Port security
D. VSAN
419.) Due to hardware limitation, a technician must implement a wireless encryption algorithm that uses the RC4 protocol. Which of the following is a wireless encryption solution that the technician should implement while ensuring the STRONGEST level of security?
A. WPA2-AES
B. 802.11ac
C. WPA-TKIP
D. WEP
420.) Ann, the software security engineer, works for a major software vendor. Which of the following practices should be implemented to help prevent race conditions, buffer overflows, and other similar vulnerabilities prior to each production release?
A. Product baseline report
B. Input validation
C. Patch regression testing
D. Code review
421.) The security administrator is analyzing a user's history file on a Unix server to determine if the user was attempting to break out of a rootjail. Which of the following lines in the user's history log shows evidence that the user attempted to escape the rootjail?
A. cd ../../../../bin/bash
B. whoami
C. ls /root
D. sudo -u root
422.) A company has implemented full disk encryption. Clients must authenticate with a username and password at a pre-boot level to unlock the disk and again a username and password at the network login. Which of the following are being used? (Select TWO)
A. Multifactor authentication
B. Single factor authentication
C. Something a user is
D. Something a user has
E. Single sign-on
F. Something a user knows
423.) The sales force in an organization frequently travel to remote sites and requires secure access to an internal server with an IP address of 192.168.0.220. Assuming services are using default ports, which of the following firewall rules would accomplish this objective? (Select Two)
A. Permit TCP 20 any 192.168.0.200
B. Permit TCP 21 any 192.168.0.200
C. Permit TCP 22 any 192.168.0.200
D. Permit TCP 110 any 192.168.0.200
E. Permit TCP 139 any 192.168.0.200
F. Permit TCP 3389 any 192.168.0.200
424.) Which of the following could a security administrator implement to mitigate the risk of tailgating for a large organization?
A. Train employees on correct data disposal techniques and enforce policies.
B. Only allow employees to enter or leave through one door at specified times of the day.
C. Only allow employees to go on break one at a time and post security guards 24/7 at each entrance.
D. Train employees on risks associated with social engineering attacks and enforce policies.
425.) A system administrator has concerns regarding their users accessing systems and secured areas using others' credentials. Which of the following can BEST address this concern?
A. Create conduct policies prohibiting sharing credentials.
B. Enforce a policy shortening the credential expiration timeframe.
C. Implement biometric readers on laptops and restricted areas.
D. Install security cameras in areas containing sensitive systems.
426.) An administrator needs to allow both secure and regular web traffic into a network. Which of the following ports should be configured? (Select TWO)
A. 25
B. 53
C. 80
D. 110
E. 143
F. 443
427.) A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the proper direction. Which of the following types of controls is being used?
A. Detective
B. Deterrent
C. Corrective
D. Preventive
428.) An administrator is investigating a system that may potentially be compromised, and sees the following log entries on the router.
Which of the following BEST describes the compromised system?
A. It is running a rogue web server
B. It is being used in a man-in-the-middle attack
C. It is participating in a botnet
D. It is an ARP poisoning attack
429.) Joe must send Ann a message and provide Ann with assurance that he was the actual sender. Which of the following will Joe need to use to BEST accomplish the objective?
A. A pre-shared private key
B. His private key C
C. Ann's public key
D. His public key
430.) Log file analysis on a router reveals several unsuccessful telnet attempts to the virtual terminal (VTY) lines. Which of the following represents the BEST configuration used in order to prevent unauthorized remote access while maintaining secure availability for legitimate users?
A. Disable telnet access to the VTY lines, enable SHH access to the VTY lines with RSA encryption
B. Disable both telnet and SSH access to the VTY lines, requiring users to log in using HTTP
C. Disable telnet access to the VTY lines, enable SHH access to the VTY lines with PSK encryption
D. Disable telnet access to the VTY lines, enable SSL access to the VTY lines with RSA encryption
431.) Ann, the network administrator, is receiving reports regarding a particular wireless network in the building. The network was implemented for specific machines issued to the developer department, but the developers are stating that they are having connection issues as well as slow bandwidth. Reviewing the wireless router's logs, she sees that devices not belonging to the developers are connecting to the access point. Which of the following would BEST alleviate the developer's reports?
A. Configure the router so that wireless access is based upon the connecting device's hardware address.
B. Modify the connection's encryption method so that it is using WEP instead of WPA2.
C. Implement connections via secure tunnel with additional software on the developer's computers.
D. Configure the router so that its name is not visible to devices scanning for wireless networks
432.) Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing data in use?
A. Email scanning
B. Content discovery
C. Database fingerprinting
D. Endpoint protection
433.) After a company has standardized to a single operating system, not all servers are immune to a well-known OS vulnerability. Which of the following solutions would mitigate this issue?
A. Host based firewall
B. Initial baseline configurations
C. Discretionary access control
D. Patch management system
434.) A network security administrator is trying to determine how an attacker gained access to the corporate wireless network. The network is configured with SSID broadcast disabled. The senior network administrator explains that this configuration setting would only have determined an unsophisticated attacker because of which of the following?
A. The SSID can be obtained with a wireless packet analyzer
B. The required information can be brute forced over time
C. Disabling the SSID only hides the network from other WAPs
D. The network name could be obtained through a social engineering campaign
435.) Joe a user upon arriving to work on Monday morning noticed several files were deleted from the system. There were no records of any scheduled network outages or upgrades to the system. Joe notifies the security department of the anomaly found and removes the system from the network. Which of the following is the NEXT action that Joe should perform?
A. Screenshots of systems
B. Call the local police
C. Perform a backup
D. Capture system image
436.) A network technician at a company, Joe is working on a network device. He creates a rule to prevent users from connecting to a toy website during the holiday shopping season. This website is blacklisted and is known to have SQL injections and malware. Which of the following has been implemented?
A. Mandatory access
B. Network separation
C. Firewall rules
D. Implicit Deny
437.) After a few users report problems with the wireless network, a system administrator notices that a new wireless access point has been powered up in the cafeteria. The access point has the same SSID as the corporate network and is set to the same channel as nearby access points. However, the AP has not been connected to the Ethernet network. Which of the following is the MOST likely cause of the user's wireless problems?
A. AP channel bonding
B. An evil twin attack
C. Wireless interference
D. A rogue access point
438.) Which of the following is considered the MOST effective practice when securing printers or scanners in an enterprise environment?
A. Routine vulnerability scanning of peripherals
B. Install in a hardened network segment
C. Turn off the power to the peripherals at night
D. Enable print sharing only from workstations
439.) A system requires administrators to be logged in as the "root" in order to make administrator changes. Which of the following controls BEST mitigates the risk associated with this scenario?
A. Require that all administrators keep a log book of times and justification for accessing root
B. Encrypt all users home directories using file-level encryption
C. Implement a more restrictive password rotation policy for the shared root account
D. Force administrator to log in with individual accounts and switch to root
E. Add the administrator to the local group
440.) The user of a news service accidently accesses another user's browsing history. From this the user can tell what competitors are reading, querying, and researching. The news service has failed to properly implement which of the following?
A. Application white listing
B. In-transit protection
C. Access controls
D. Full disk encryption
441.) A security engineer discovers that during certain times of day, the corporate wireless network is dropping enough packets to significantly degrade service. Which of the following should be the engineer's FIRST step in troubleshooting the issues?
A. Configure stronger encryption
B. Increase the power level
C. Change to a higher gain antenna
D. Perform a site survey
442.) A company is exploring the option of letting employees use their personal laptops on the internal network. Which of the following would be the MOST common security concern in this scenario?
A. Credential management
B. Support ownership
C. Device access control
D. Antivirus management
443.) While testing a new host based firewall configuration a security administrator inadvertently blocks access to localhost which causes problems with applications running on the host. Which of the following addresses refer to localhost?
A. . ::0
B. 127.0.0.0
C. 127.0.0.1
D. 127.0.0/8
E. 127::0.1
444.) A company discovers an unauthorized device accessing network resources through one of many network drops in a common area used by visitors. The company decides that is wants to quickly prevent unauthorized devices from accessing the network but policy prevents the company from making changes on every connecting client. Which of the following should the company implement?
A. Port security
B. WPA2
C. Mandatory Access Control
D. Network Intrusion Prevention
445.) A software company sends their offsite backup tapes to a third party storage facility. TO meet confidentiality the tapes should be:
A. Labeled
B. Hashed
C. Encrypted
D. Duplicated
446.) Which of the following authentication services uses a default TCP of 389?
A. SAML
B. TACACS+
C. Kerberos
D. LDAP
447.) Which of the following ports will be used for logging into secure websites?
A. 80
B. 110
C. 142
D. 443
448.) A security administrator would like to write an access rule to block the three IP addresses given below. Which of the following combinations should be used to include all of the given IP addresses? 192.168.12.255
192.168.12.227
192.168.12.229
A. 192.168.12.0/25
B. 192.168.12.128/28
C. 192.168.12.224/29
D. 192.168.12.225/30
449.) A web startup wants to implement single sign-on where its customers can log on to the site by suing their personal and existing corporate email credentials regardless of which company they work for. Is this directly supported by SAML?
A. No not without extensive partnering and API integration with all required email providers
B. Yes SAML is a web based single sign-on implementation exactly fir this purpose
C. No a better approach would be to use required email providers LDAP or RADIUS repositories
D. Yes SAML can use oauth2 to provide this functionality out of the box
450.) Which of the following attacks is generally initiated from a botnet?
A. Cross site scripting attack
B. HTTP header injection
C. Distributed denial of service
D. A war driving attack
451.) A security administrator wishes to implement a method of generating encryption keys from user passwords to enhance account security. Which of the following would accomplish this task?
A. NTLMv2
B. Blowfish
C. Diffie-Hellman
D. PBKDF2
452.) A security technician would like an application to use random salts to generate short lived encryption leys during the secure communication handshake process to increase communication security. Which of the following concepts would BEST meet this goal?
A. Ephemeral keys
B. Symmetric Encryption Keys
C. AES Encryption Keys
D. Key Escrow
453.) A security technician would like to use ciphers that generate ephemeral keys for secure communication. Which of the following algorithms support ephemeral modes? (Select TWO)
A. Diffie-Hellman
B. RC4
C. RIPEMO
D. NTLMv2
E. PAP
F. RSA
454.) A fiber company has acquired permission to bury a fiber cable through a famer's land. Which of the following should be in the agreement with the farmer to protect the availability of the network?
A. No farm animals will graze near the burial site of the cable
B. No digging will occur near the burial site of the cable
C. No buildings or structures will be placed on top of the cable
D. No crops will be planted on top of the cable
455.) When implementing a Public Key Infrastructure, which of the following should the sender use to digitally sign a document?
A. A CSR
B. A private key
C. A certificate authority
D. A public key
456.) A company's BYOD policy requires the installation of a company provide mobile agent on their on their personally owned devices which would allow auditing when an employee wants to connect a device to the corporate email system. Which of the following concerns will MOST affect the decision to use a personal device to receive company email?
A. Personal privacy
B. Email support
C. Data ownership
D. Service availability
457.) Environmental control measures include which of the following?
A. Access list
B. Lighting
C. Motion detection
D. EMI shielding
458.) A user has attempted to access data at a higher classification level than the user's account is currency authorized to access. Which of the following access control models has been applied to this user's account?
A. MAC
B. DAC
C. RBAC
D. ABAC
459.) A company determines that it is prohibitively expensive to become compliant with new credit card regulations. Instead, the company decides to purchase insurance to cover the cost of any potential loss. Which of the following is the company doing?
A. Transferring the risk
B. Accepting the risk
C. Avoiding the risk
D. Mitigating the risk
460.) An organization has determined it can tolerate a maximum of three hours of downtime. Which of the following has been specified?
A. RTO
B. RPO
C. MTBF
D. MTTR
461.) An attacker compromises a public CA and issues unauthorized X.509 certificates for?Company.com.?In the future, impact of similar incidents. Which of the following would assist?Company.com?with its goal?
A. Certificate pinning
B. Certificate stapling
C. Certificate chaining
D. Certificate with extended validation
462.) Malicious traffic from an internal network has been detected on an unauthorized port on an application server. Which of the following network-based security controls should the engineer consider implementing?
A. ACL?s
B. HIPS
C. NAT
D. MAC filtering
463.) A company wants to host a publicly available server that performs the following functions:
- Evaluates MX record lookup
- Can perform authenticated requests for A and AAA records
- Uses RRSIG
Which of the following should the company use to fulfill the above requirements?
A. DNSSEC
B. SFTP
C. Nslookup
D. Dig
464.) Which of the following attack types BEST describes a client-side attack that is used to mandate an HTML iframe with JavaScript code via web browser?
A. MITM
B. XSS
C. SQLi
D. XSRF
465.) A company has a data classification system with definitions for "Private" and ?public". The company's security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary". Which of the following is the MOST likely reason the company added this data type?
A. Reduced cost
B. More searchable data
C. Better data classification
D. Expanded authority of the privacy officer
466.) A security administrator is developing training for corporate users on basic security principles for personal email accounts. Which of the following should be mentioned as the MOST secure way for password recovery?
A. Utilizing a single question for password recovery
B. Sending a PIN to a smartphone through text message
C. Utilizing CAPTCHA to avoid brute force attacks
D. Use a different e-mail address to recover password
467.) A company researched the root cause of a recent vulnerability in its software. It was determined that the vulnerability was the result of two updates made in the last release. Each update alone would not have resulted in the vulnerability. In order to prevent similar situations in the future, the company should improve which of the following?
A. Change management procedures
B. Job rotation policies
C. Incident response management
D. Least privilege access controls
468.) A computer on a company network was infected with a zero-day exploit after an employee accidently opened an email that contained malicious content. The employee recognized the email as malicious and was attempting to delete it, but accidently opened it. Which of the following should be done to prevent this scenario from occurring again in the future?
A. Install host-based firewalls on all computers that have an email client installed
B. Set the email program default to open messages in plain text
C. Install end-point protection on all computers that access web mail
D. Create new email spam filters to delete all messages from that sender
1.) CCTV and Motion=Detective
2.) Delete FDE key for mobile devices to become non-usable
3.) Mobile Device security will be ECC
4.) SE linux server has two connections and should only have one means you have an unauthorized network
5.) Analyze logs of DMZ to see if a brute force password is successful
6.) Deploy OCSP if you need to see if users certs are good
7.) SCP to securely transfer files
8.) Network segmentation to minimize network congestion
9.) Three new environments= network segmentation
10.) Place users in appropriate security groups and white list because users install software like priority and they change things.
11.) Protect integrity you use encryption
12.) Cloud computing concerns are multinational concerns
13.) Non-repudiation and message integrity is done by digital signatures
14.) Cold site can be just HVAC and power
15.) Restrict write access to the allowed executables paths because after locking down group policies people are still able to install.
16.) When you have five nines in a row that is availability
17.) Virtualization is using software to emulate hardware
18.) Ping sweep is to start vulnerability scanner on servers
19.) 3DES and ECDHE are used for key exchange and session key
20.) NAT keeps internal IP addresses hidden
21.) Smart Card and PIN, Biometrics and SSO are things for authentication
22.) IP Spoofing means you have to be on the same network as the victim
