CompTIA SEC+ SY0-701 Exam Version 1
This content explains key concepts for managing organizational risk and ensuring data resiliency, including understanding risk tolerance in cloud strategies, selecting efficient backup methods for quicker recovery, and applying defense in depth to strengthen network security against layered threats.
Which of the following would be BEST for a technician to review to determine the total risk an organization can bear when assessing a “cloud-first” adoption strategy?
A. Risk matrix
B. Risk tolerance
C. Risk register
D. Risk appetite
Risk tolerance
Risk tolerance is the maximum amount of risk, or deviation from its target risk level, that an organization is able to bear; it is the ceiling against which a technician should check a "cloud-first" strategy. Risk appetite is the amount of risk the organization is willing to pursue to meet its objectives and sits below that ceiling. A risk register lists individual risks and their owners, and a risk matrix rates one risk's likelihood and impact; neither states the organization-wide limit.
A company wants to modify its current backup strategy to minimize the number of backups that would need to be restored in case of data loss. Which of the following would be the BEST backup strategy?
A. Incremental backups followed by differential backups
B. Full backups followed by incremental backups
C. Delta backups followed by differential backups
D. Incremental backups followed by delta backups
E. Full backup followed by differential backups
Full backup followed by differential backups
A differential backup captures every change since the last full backup, so a restore needs only two sets: the most recent full backup and the most recent differential. An incremental backup captures only the changes since the previous backup of any kind, so a restore must replay the full backup plus every incremental taken since it, which is the longer restore chain the question asks to avoid. The trade-off is that each differential grows larger until the next full backup is taken.
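The following is an added example, not part of the original flashcard deck: a small model that works out which backup sets a restore needs under each strategy. The seven-day schedule (one full backup, then one partial backup per day) is constructed for the demo.

```python
"""Which backups must be restored to recover data as of a given day?

Added example, not part of the original flashcard deck. The seven-day
schedule below is constructed: one full backup on day 0, then one partial
backup (incremental or differential) on each following day.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: int
    kind: str  # "full", "incremental" or "differential"


def restore_chain(backups, target_day):
    """Return, in restore order, the backup sets needed to rebuild the state
    as of target_day.

    - A full backup stands alone.
    - A differential holds every change since the last full backup, so the
      chain is that full backup plus the latest differential.
    - An incremental holds only the changes since the previous backup of any
      kind, so every incremental since the last full (or differential) must be
      replayed in order.
    """
    usable = sorted((b for b in backups if b.day <= target_day), key=lambda b: b.day)
    chain = []
    for b in reversed(usable):
        chain.append(b)
        if b.kind == "full":
            break
        if b.kind == "differential":
            # Everything before this differential is summarised by the last
            # full backup taken before it; earlier partial backups are skipped.
            fulls = [f for f in usable if f.kind == "full" and f.day < b.day]
            if not fulls:
                raise ValueError("differential backup without a preceding full backup")
            chain.append(fulls[-1])
            break
    else:
        raise ValueError("no full backup available on or before the target day")
    return list(reversed(chain))


def weekly_schedule(partial_kind):
    """Full backup on day 0, then one partial backup of the given kind per day."""
    return [Backup(0, "full")] + [Backup(d, partial_kind) for d in range(1, 7)]


def sets_to_restore(partial_kind, target_day=6):
    """Number of backup sets a restore needs on target_day for this strategy."""
    return len(restore_chain(weekly_schedule(partial_kind), target_day))


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        chain = restore_chain(weekly_schedule(kind), 6)
        print(f"{kind:>12}: {len(chain)} sets -> {[(b.day, b.kind) for b in chain]}")
```

On day 6 the incremental schedule needs all seven sets while the differential schedule needs two; the function also handles a mixed schedule (incrementals taken after a differential), where the chain is the full backup, that differential and the incrementals after it.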
A security analyst notices several attacks are being blocked by the network intrusion prevention system (NIPS) but does not see anything on the boundary firewall logs. The attack seems to have been thwarted. Which of the following resiliency techniques was applied to the network to prevent this attack?
A. NIC teaming
B. Port mirroring
C. Defense in depth
D. High availability
E. Geographic dispersal
Network Intrusion Prevention System (NIPS)
Network Interface Card (NIC)
Defense in depth
A resiliency technique that layers multiple security controls so that a threat missed by one control is caught by another. Here the boundary firewall passed the traffic (it matched no firewall rule, so nothing was logged), but the NIPS behind it inspected the packet contents, recognized the attack and blocked it. The silent firewall is itself worth a look: the analyst should confirm the attack did not enter by a path that bypasses the boundary firewall and that the firewall's rules and logging are working.
A company is required to continue using legacy software to support a critical service. Which of the following BEST explains a risk of this practice?
A. Default system configuration
B. Unsecure protocols
C. Lack of vendor support
D. Weak encryption
Lack of vendor support
Legacy software is typically past its vendor's support window, so security patches and upgrades are no longer produced. Newly discovered vulnerabilities therefore stay unpatched indefinitely, and attackers can use public exploits for those known vulnerabilities to gain unauthorized access. Compensating controls (network isolation, strict access control, monitoring) are the usual way to manage the risk while the software remains in use.
Which of the following is a risk that is specifically associated with hosting applications in the public cloud?
A. Unsecured root accounts
B. Zero day
C. Shared tenancy
D. Insider threat
Shared tenancy
In the public cloud, multiple customers (tenants) run on the same physical infrastructure, separated only by the provider's virtualization and access controls. A flaw in that isolation, or a misconfiguration, could let one tenant reach another tenant's data or degrade its availability. The other options (unsecured root accounts, zero-days, insider threats) apply to on-premises systems just as much, so they are not specific to public cloud hosting.
After a hardware incident, an unplanned emergency maintenance activity was conducted to rectify the issue. Multiple alerts were generated on the SIEM during this period of time. Which of the following BEST explains what happened?
A. The unexpected traffic correlated against multiple rules, generating multiple alerts.
B. Multiple alerts were generated due to an attack occurring at the same time.
C. An error in the correlation rules triggered multiple alerts.
D. The SIEM was unable to correlate the rules, triggering the alerts.
Security information and event management (SIEM)
The unexpected traffic correlated against multiple rules, generating multiple alerts.
A SIEM raises an alert whenever an event matches one of its correlation rules; an event that matches several rules produces several alerts. Emergency maintenance generates traffic the rules were not tuned for (new management connections, hosts going down and up, configuration changes), so the same activity trips multiple rules at once. Nothing in the scenario indicates a concurrent attack or a rule defect; the alerts should still be reviewed and tied to the maintenance change record rather than dismissed.
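The following is an added example, not part of the original flashcard deck: a minimal correlation engine run over a handful of constructed authentication log lines. It shows how one event (a successful login that follows a burst of failures, from a country the account has never used) satisfies more than one rule and so produces more than one alert, and it doubles as the kind of logic a user behavior analytics tool applies to brute-force and unfamiliar-location logins. The log lines, the per-account country baseline and the thresholds are all constructed.

```python
"""Minimal SIEM-style correlation over authentication events.

Added example, not part of the original flashcard deck. The log lines, the
per-account country baseline and the rule thresholds are all constructed for
the demo; a real SIEM ingests these fields from collectors and expresses the
rules in its own query language.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: one normal login, a burst of failures against "admin"
# from an unfamiliar country, then a success from the same source.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z host=jump1 user=alice result=success src=10.0.0.5 country=US
2024-03-01T09:00:05Z host=jump1 user=admin result=fail src=203.0.113.9 country=NL
2024-03-01T09:00:07Z host=jump1 user=admin result=fail src=203.0.113.9 country=NL
2024-03-01T09:00:09Z host=jump1 user=admin result=fail src=203.0.113.9 country=NL
2024-03-01T09:00:11Z host=jump1 user=admin result=fail src=203.0.113.9 country=NL
2024-03-01T09:00:13Z host=jump1 user=admin result=fail src=203.0.113.9 country=NL
2024-03-01T09:00:40Z host=jump1 user=admin result=success src=203.0.113.9 country=NL
2024-03-01T09:05:00Z host=jump1 user=bob result=success src=10.0.0.7 country=US
"""

# Constructed baseline: countries each account has historically logged in from.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "admin": {"US"}}

FAIL_THRESHOLD = 5                   # failures per account ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window


def parse_line(line):
    """'<ISO timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return event


def correlate(log_text, baseline=BASELINE_COUNTRIES):
    """Run three rules over the events and return (rule, timestamp, user) alerts.

    One event can satisfy several rules, and then each rule raises its own
    alert: that is what turns a single burst of unexpected activity into a
    flurry of alerts.
    """
    alerts = []
    recent_fails = defaultdict(deque)  # user -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]
        fails = recent_fails[user]
        while fails and ts - fails[0] > FAIL_WINDOW:  # expire old failures
            fails.popleft()

        if ev["result"] == "fail":
            fails.append(ts)
            # Rule 1: brute-force burst; fires once, when the threshold is reached.
            if len(fails) == FAIL_THRESHOLD:
                alerts.append(("brute_force_burst", ts, user))
            continue

        # Rule 2: a success right after a burst of failures (password guessed?).
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", ts, user))
        # Rule 3: success from a country outside the account's baseline.
        if ev["country"] not in baseline.get(user, set()):
            alerts.append(("new_country_login", ts, user))
        fails.clear()  # a success ends the failure streak
    return alerts


if __name__ == "__main__":
    for rule, ts, user in correlate(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<24} user={user}")
```

The sample produces three alerts for the admin account, two of them from the single success at 09:00:40; alice and bob, logging in from their baseline country with no failures, produce none.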
Question | Answer and explanation |
---|---|
A security administrator is setting up a SIEM to help monitor for notable events across the enterprise. Which of the following control types does this BEST represent? A. Preventive Security information and event management (SIEM) | Detective A SIEM collects and correlates log data to surface security events after they happen; it does not stop them. A detective control is one designed to identify and record security incidents so they can be responded to, so a SIEM is a detective control (a preventive control would block the event, a corrective one would remediate it). |
A network analyst is setting up a wireless access point for a home office in a remote, rural location. The requirement is that users need to connect to the access point securely but do not want to have to remember passwords. Which of the following should the network analyst enable to meet the requirement? A. MAC address filtering Media Access Control (MAC) | WPS Wi-Fi Protected Setup (WPS) lets a user join a WPA2-protected network by pressing a button on the access point or entering a short PIN instead of typing the passphrase, which is the answer the exam expects. Practitioner caveat: the WPS PIN method has a well-known design weakness that lets an attacker within range recover the PIN, and with it the network passphrase, by brute force; if WPS is used at all, enable only the push-button mode and disable PIN entry. |
Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build? A. Production | Development An environment that is used to develop and test software. It is typically installed locally on a system that allows code to be assessed directly and modified easily with each build. In this environment, dummy data is often utilized to test the software’s functionality. |
While reviewing pcap data, a network security analyst is able to locate plain text usernames and passwords being sent from workstations to network switches. Which of the following is the security analyst MOST likely observing? A. SNMP traps Packet Capture (PCAP) | A Telnet session The security analyst is likely observing a Telnet session, as Telnet transmits data in plain text format, including usernames and passwords. |
A client sent several inquiries to a project manager about the delinquent delivery status of some critical reports. The project manager claimed the reports were previously sent via email, but then quickly generated and backdated the reports before submitting them as plain text within the body of a new email message thread. Which of the following actions MOST likely supports an investigation for fraudulent submission? A. Establish chain of custody. | Review the email event logs Mail server and gateway logs record when each message was actually submitted and delivered, with sender, recipient and message identifiers. They would show whether any report was sent earlier and when the new message was really created, contradicting the backdated content in the message body. Chain of custody matters once evidence is collected, but the logs are what establish the fraud. |
A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned if servers in the company's DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Select TWO). A. 135 Server Message Block (SMB) | 139 & 445 SMB listens on TCP port 139 (SMB over the NetBIOS session service) and TCP port 445 (SMB directly over TCP). Blocking both for inbound connections from the Internet to the DMZ prevents external attackers from reaching the vulnerable service while internal LAN systems keep using it. Port 135 is the RPC endpoint mapper, not SMB, so blocking it would not close the exposure. |
When planning to build a virtual environment, an administrator needs to achieve the following: Which of the following is the administrator MOST likely trying to do? A. Implement IaaS replication Virtual Machine (VM) | Avoid VM sprawl VM sprawl occurs when virtual machines are created faster than they are tracked, patched and retired, wasting resources and leaving unmanaged, unpatched systems on the network. The listed requirements (policies, resource allocation, categorization) are the controls that keep VM creation deliberate and every VM accounted for. |
A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use? A. openssl | openssl OpenSSL's s_client tool opens a TLS connection to any TCP service, not only HTTP, and reports whether the handshake succeeds, which protocol version and cipher suite were negotiated and what certificate the server presented (for example openssl s_client -connect host:port). If the service refuses the TLS handshake, or a packet capture of the port shows readable application data, the application is not encrypting its traffic. Secure Sockets Layer (SSL) |
Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations. Which of the following documents did Ann receive? A. An annual privacy notice Personal Identifiable Information (PII) | An annual privacy notice Ann received an annual privacy notice from her mortgage company. An annual privacy notice is a statement from a financial institution or creditor that outlines the institution’s privacy policy and explains how the institution collects, uses, and shares customers’ personal information. It informs the customer about their rights under the Gramm-Leach-Bliley Act (GLBA) and the institution’s practices for protecting their personal information. |
A large enterprise has moved all its data to the cloud behind strong authentication and encryption. A sales director recently had a laptop stolen, and later, enterprise data was found to have been compromised from a local database. Which of the following was MOST likely the cause? A. Shadow IT Structured Query Language (SQL) | Shadow IT Shadow IT is the use of systems, applications or data stores that the organization has not sanctioned. Here the sales director kept a local copy of enterprise data in a database on the laptop, outside the cloud's strong authentication and encryption; when the laptop was stolen, that unprotected copy was compromised. Full-disk encryption, DLP and CASB visibility are the controls that address this gap. |
A security analyst must enforce policies to harden an MDM infrastructure. The requirements are as follows: Which of the following should the analyst enable on all the devices to meet these requirements? A. Geofencing Mobile Device Management (MDM) | Geofencing A technology used in mobile device management (MDM) to allow administrators to define geographical boundaries within which mobile devices can operate. This can be used to |
A company installed several crosscut shredders as part of increased information security practices targeting data leakage risks. Which of the following will this practice reduce? A. Dumpster diving | Dumpster diving Dumpster diving is a method of retrieving sensitive information from paper waste by searching through discarded documents. |
Which of the following conditions impacts data sovereignty? A. Rights management | International operations Data sovereignty refers to the legal concept that data is subject to the laws and regulations of the country in which it is located. International operations can impact data sovereignty as companies operating in multiple countries may need to comply with different laws and regulations. |
A company uses a drone for precise perimeter and boundary monitoring. Which of the following should be MOST concerning to the company? A. Privacy Global Positioning System (GPS) | Privacy The use of a drone for perimeter and boundary monitoring can raise privacy concerns, as it may capture video and images of individuals on or near the monitored premises. The company should take measures to ensure that privacy rights are not violated. |
The security team received a report of copyright infringement from the IP space of the corporate network. The report provided a precise time stamp for the incident as well as the name of the copyrighted files. The analyst has been tasked with determining the infringing source machine and instructed to implement measures to prevent such incidents from occurring again. Which of the following is MOST capable of accomplishing both tasks? A. HIDS Host-Based Intrusion Detection System (HIDS) | NGFW A next-generation firewall combines stateful filtering with application awareness, intrusion prevention and user identification. Its logs tie each session to a source IP (and often a user) with timestamps, so the analyst can match the report's time stamp and file names to the internal machine that transferred them, and its application-control policy can then block the file-sharing protocol or site that was used. A HIDS sees only the host it is installed on and cannot block at the network edge. |
A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement? A. Asymmetric | Homomorphic encryption Computing on data while it stays encrypted, so that the cloud provider never sees plaintext, is the defining property of homomorphic encryption; the remark that computational overhead and slow speed are acceptable points to it, because homomorphic schemes are orders of magnitude slower than conventional ciphers. Symmetric and asymmetric encryption protect data at rest and in transit, but the data must be decrypted (and the key exposed to whoever does the processing) before it can be manipulated. |
A company reduced the area utilized in its data center by creating virtual networking through automation and by creating provisioning routes and rules through scripting. Which of the following does this example describe? A. IaC Infrastructure as Code (IaC) | IaC (Infrastructure as Code) Defining networks, provisioning routes and rules in scripts and templates, and applying them through automation rather than by hand, is infrastructure as code; the same virtual networking can be reproduced on demand, which is what lets the physical footprint shrink. IaaS is a cloud service model in which a provider rents out compute, storage and networking; it names what is consumed, not the automation and scripting described here. |
A global company is experiencing unauthorized logins due to credential theft and account lockouts caused by brute-force attacks. The company is considering implementing a third-party identity provider to help mitigate these attacks. Which of the following would be the BEST control for the company to require from prospective vendors? A. IP restrictions | Multifactor authentication Requiring MFA from the identity provider means a stolen or guessed password alone no longer grants access, which addresses both the credential theft and the brute-force logins. IP restrictions would not suit a global workforce that legitimately signs in from many networks. |
An organization wants to integrate its incident response processes into a workflow with automated decision points and actions based on predefined playbooks. Which of the following should the organization implement? A. SIEM Security Information and Event Management (SIEM) | SOAR Should be implemented to integrate incident response processes into a workflow with automated decision points and actions based on predefined playbooks. |
Which of the following must be in place before implementing a Cybersecurity Business Continuity Plan (BCP)? A. SLA Service Level Agreement (SLA) | BIA A Business Impact Analysis (BIA) is a critical component of a Business Continuity Plan (BCP). It identifies and prioritizes critical business functions and determines the impact of their disruption. |
An organization wants seamless authentication to its applications. Which of the following should the organization employ to meet this requirement? A. SOAP Simple Object Access Protocol (SOAP) | SSO Single Sign-On (SSO) is a mechanism that allows users to access multiple applications with a single set of login credentials. |
A security analyst is running a vulnerability scan to check for missing patches during a suspected security incident. During which of the following phases of the response process is this activity MOST likely occurring? A. Containment | Identification During a suspected incident, scanning for missing patches helps confirm whether an incident is occurring and which systems are exposed to the vulnerability being exploited; that is the identification (detection and analysis) phase. Containment, eradication and recovery follow once the affected systems are known. |
Which of the following cryptographic concepts would a security engineer utilize while implementing non-repudiation? (Select TWO) A. Block cipher | Hashing & Private key Non-repudiation is the ability to ensure that a party cannot deny a previous action or event. A digital signature provides it: the signer hashes the message and signs the hash with a private key that only the signer holds, and anyone can verify the signature with the matching public key. Hashing alone proves integrity, not origin, and a symmetric block cipher cannot provide non-repudiation because both parties share the same key. |
The SIEM at an organization has detected suspicious traffic coming from a workstation in its internal network. An analyst in the SOC workstation discovers malware that is associated with a botnet is installed on the device. A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator. To which of the following groups should the analyst report this real-world event? A. The NOC team Security Information and Event Management (SIEM) | The CIRT The Computer Incident Response Team (CIRT) is responsible for handling incidents and ensuring that the incident response plan is followed. |
Which of the following environments would MOST likely be used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance A. Test | Test The test environment is used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance characteristics. |
A company is implementing a new SIEM to log and send alerts whenever malicious activity is blocked by its antivirus and web content filters. Which of the following is the primary use case for this scenario? A. Implementation of preventive controls Security Information and Event Management (SIEM) | Implementation of detective controls A Security Information and Event Management (SIEM) system is a tool that collects and analyzes security-related data from various sources to detect and respond to security incidents. |
Order of volatility | RAM & Cache In a forensic investigation, volatile data should be collected first, based on the order of volatility: the contents of CPU cache and RAM are lost as soon as the system loses power or is rebooted, so they are captured before swap, disk, remote logs and archival media. |
Which of the following would produce the closest experience of responding to an actual incident response scenario? A. Lessons learned | Simulation A simulation exercise is designed to create an experience that is as close as possible to a real-world incident response scenario. It involves simulating an attack or other security incident and then having security personnel respond to the situation as they would in a real incident. |
A security analyst was deploying a new website and found a connection attempting to authenticate on the site's portal. While investigating the incident, the analyst identified the following input in the username field: "admin' or 1=1--" Which of the following BEST explains this type of attack? A. DLL injection to hijack administrator services Dynamic Link Libraries (DLL) | SQLi on the field to bypass authentication The input "admin' or 1=1--" is a classic SQL injection (SQLi) payload. If the application builds its query by string concatenation, the single quote closes the username literal, "or 1=1" makes the WHERE clause true for every row, and "--" turns the rest of the statement, including the password check, into a comment, so the query returns a user without valid credentials. Parameterized queries (prepared statements) prevent this by keeping user input out of the SQL grammar. |
The Chief Information Security Officer directed a risk reduction in shadow IT and created a policy requiring all unsanctioned high-risk SaaS applications to be blocked from user access. Which of the following is the BEST security solution to reduce this risk? A. CASB Software as a Service (SaaS) | CASB A Cloud Access Security Broker (CASB) can be used to monitor and control access to cloud-based applications, including unsanctioned SaaS applications. It can help enforce policies that prevent access to high-risk SaaS applications and provide visibility into the use of such applications by employees. |
After a WiFi scan of a local office was conducted, an unknown wireless signal was identified. Upon investigation, an unknown Raspberry Pi device was found connected to an Ethernet port using a single connection. Which of the following BEST describes the purpose of this device? A. IoT sensor Wireless Fidelity (WiFi) | Rogue access point A Raspberry Pi plugged into a wired port while broadcasting its own wireless network is acting as a rogue access point: it bridges the internal LAN to anyone within radio range, bypassing the perimeter, and lets the attacker capture or relay traffic. It should be removed, and the switch port it used identified and secured (for example with 802.1X port authentication). |
The Chief Information Security Officer wants to pilot a new adaptive, user-based authentication method. The concept includes granting logical access based on physical location and proximity. Which of the following is the BEST solution for the pilot? A. Geofencing Public key infrastructure (PKI) | Geofencing A location-based control that defines virtual boundaries and grants or restricts logical access to systems, data or facilities according to where the user's device is, using positioning reported by the device or the network. That matches an adaptive authentication policy that factors in physical location and proximity, which makes it the right candidate for the pilot. |
A systems analyst determines the source of a high number of connections to a web server that were initiated by ten different IP addresses that belong to a network block in a specific country. Which of the following techniques will the systems analyst MOST likely implement to address this issue? A. Content filter Security Information and Event Manager (SIEM) | Firewall rules A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. The systems analyst can use firewall rules to block connections from the ten IP addresses in question, or from the entire network block in the specific country. This would be a quick and effective way to address the issue of high connections to the web server initiated by these IP addresses. |
During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations. Which of the following data sources would be BEST to use to assess the accounts impacted by this attack? A. User behavior analytics | User behavior analytics User behavior analytics (UBA) would be the best data source to assess the accounts impacted by the attack, as it can identify abnormal activity, such as repeated brute-force attacks and logins from unfamiliar geographic locations, and provide insights into the behavior of the impacted accounts. |
Which of the following provides a catalog of security and privacy controls related to the United States federal information systems? A. GDPR General Data Protection Regulation (GDPR) | NIST 800-53 NIST 800-53 provides a catalog of security and privacy controls related to the United States federal information systems. |
As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous incident is happening again. Which of the following would allow the security analyst to alert the SOC if an event is reoccurring? A. Creating a playbook within the SOAR Security Operation Center (SOC) | Creating a playbook within the SOAR Creating a playbook within the Security Orchestration, Automation and Response (SOAR) tool would allow the security analyst to detect if an event is reoccurring by triggering automated actions based on the previous incident's characteristics. This can help the SOC to respond quickly and effectively to the incident. |
A software company is analyzing a process that detects software vulnerabilities at the earliest stage possible. The goal is to scan the source looking for insecure practices and weaknesses before the application is deployed in a runtime environment. Which of the following would BEST assist the company with this objective? A. Use fuzzing testing | Use static code analysis This method involves analyzing the source code without actually running the software, which can identify security vulnerabilities that may not be detected by other testing methods. |
A systems engineer is building a new system for production. Which of the following is the FINAL step to be performed prior to promoting to production? A. Disable unneeded services. | Run a vulnerability scan. Running a vulnerability scan is the final step to be performed prior to promoting a system to production. This allows any remaining security issues to be identified and resolved before the system is put into production. |
An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following: Which of the following types of attacks is MOST likely being used to gain unauthorized access? A. Pass-the-hash New Technology LAN Manager (NTLM) | Pass-the-hash With the jump box recently compromised and NTLM in use for authentication, the likely technique is pass-the-hash: the attacker extracts NTLM password hashes from the memory of the compromised host and presents them directly in NTLM authentication, impersonating those users without knowing or cracking their plaintext passwords. Activity from many legitimate accounts over two weeks fits this pattern. |
The Chief information Security Officer has directed the security and networking team to retire the use of shared passwords on routers and switches. Which of the following choices BEST meets the requirements? A. SAML Security Assertion Markup Language (SAML) | TACACS+ TACACS+ is a protocol used for remote authentication, authorization, and accounting (AAA) that can be used to replace shared passwords on routers and switches. It provides a more secure method of authentication that allows for centralized management of access control policies. |
The Chief Information Security Officer (CISO) has decided to reorganize security staff to concentrate on incident response and to outsource outbound Internet URL categorization and filtering to an outside company. Additionally, the CISO would like this solution to provide the same protections even when a company laptop or mobile device is away from a home office. Which of the following should the CISO choose? A. CASB Cloud Access Security Broker (CASB) | Next-generation SWG A next-generation secure web gateway (SWG) performs URL categorization and filtering, malware scanning and data loss prevention on outbound web traffic. Delivered as a cloud service with an agent on each laptop or mobile device, it applies the same policy whether or not the device is in the office, and outsourcing it frees the in-house team to focus on incident response. A CASB governs access to cloud applications rather than general web browsing. |
A store receives reports that shoppers’ credit card information is being stolen. Upon further analysis, those same shoppers also withdrew money from an ATM in that store. The attackers are using the targeted shoppers’ credit card information to make online purchases. Which of the following attacks is the MOST probable cause? A. Identity theft Radio Frequency Identification (RFID) | Card skimming The attackers are using card skimming to steal shoppers' credit card information, which they use to make online purchases. |
During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID from the file? A. ls | chmod The chmod command changes a file's permission bits, including the set-user-ID bit; for example chmod u-s,g-w,o-rwx file clears setuid, removes group write and removes all access for others. ls only displays permissions (an "s" in the owner's execute position shows that setuid is set). |
Which of the following controls would be the MOST cost-effective and time-efficient to deter intrusions at the perimeter of a restricted, remote military training area? (Select TWO). A. Barricades | Barricades & Signage Barricades and signage are the most cost-effective and time-efficient controls to deter intrusions at the perimeter of a restricted, remote military training area. |
A Chief Information Officer is concerned about employees using company-issued laptops to steal data when accessing network shares. Which of the following should the company Implement? A. DLP Data Loss Prevention (DLP) | DLP The company should implement Data Loss Prevention (DLP) to prevent employees from stealing data when accessing network shares. DLP can also detect and block attempts to transfer sensitive data outside of the organization, such as via email, file transfer, or cloud storage. |
Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:
Which of the following attacks is being used to compromise the user accounts?
A. Brute-force
Keylogger
The symptoms suggest a keylogger is being used to compromise the user accounts, allowing the attackers to obtain the users' passwords and other sensitive information.
An organization is moving away from the use of client-side and server-side certificates for EAP. The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements?
A. PEAP
EAP-FAST
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) supports mutual authentication and is designed to simplify the deployment of strong, password-based authentication. EAP-FAST includes a mechanism for detecting rogue access points.
Key Terms
Export Administration Regulations (EAR)
A company is planning to install a guest wireless network so visitors will be able to access the Internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would BEST protect the company's internal wireless network against visitors accessing company resources?
A. Configure the guest wireless network to be on a separate VLAN from the company's internal wireless network
Configure the guest wireless network to be on a separate VLAN from the company's internal wireless network.
Configuring the guest wireless network on a separate VLAN from the company's internal wireless network will prevent visitors from accessing company resources.
Key Terms
Wireless Application Protocol (WAP)
A security manager needs to assess the security posture of one of the organization's vendors. The contract with the vendor does not allow for auditing of the vendor's security controls. Which of the following should the manager request to complete the assessment?
A. A service-level agreement
A SOC 2 Type 2 report
SOC 2 (Service Organization Control 2) is a type of audit report that evaluates the controls of service providers to verify their compliance with industry standards for security, availability, processing A Type 2 report is based on an audit that tests the effectiveness A SOC 2 Type 2 report would provide evidence of the vendor's security controls and how effective they are over time, which can help the security manager assess the vendor's security posture despite the vendor not allowing for a direct audit. The security manager should request a SOC 2 Type 2 report to assess the security posture of the
Key Terms
Service Organization Control 2 (SOC 2)
A security administrator has discovered that workstations on the LAN are becoming infected with malware. The cause of the infections appears to be users receiving phishing emails that are bypassing the current email-filtering technology. As a result, users are being tricked into clicking on malicious URLs, as no internal controls currently exist in the environment to evaluate their safety. Which of the following would be BEST to implement to address the issue?
A. Forward proxy
Awareness training
Awareness training should be implemented to educate users on the risks of clicking on malicious URLs.
Key Terms
local area network (LAN)
A company's public-facing website, "https://www.organization.com", has an IP address of 166.18.75.6. However, over the past hour the SOC has received reports of the site's homepage displaying incorrect information. A quick nslookup search shows "https://www.organization.com" is pointing to 151.191.122.115. Which of the following is occurring?
A. DoS attack
DNS spoofing
The issue is DNS spoofing, where the DNS resolution has been compromised and is pointing to a malicious IP address.
Key Terms
Security Operation Center (SOC)
A dynamic application vulnerability scan identified that code injection could be performed using a web form. Which of the following will be the BEST remediation to prevent this vulnerability?
A. Implement input validations
Implement input validations
Implementing input validations will prevent code injection attacks by verifying the type and format of user input.
Key Terms
Multi-factor Authentication (MFA)
A junior security analyst is reviewing web server logs and identifies the following pattern in the log file:
Which of the following types of attacks is being attempted and how can it be mitigated?
A. XSS. Implement a SIEM
Directory traversal. Implement a WAF
The attack being attempted is directory traversal, which is a web application attack that allows an attacker to access files and directories outside of the web root directory. A WAF can help
Key Terms
Cross-Site Scripting (XSS)
A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows:
Which of the following options BEST accommodates these requirements?
A. WPA2-Enterprise
WPA2-Enterprise
WPA2-Enterprise can accommodate all of the requirements listed. WPA2-Enterprise uses 802.1X authentication to differentiate between users, supports the use of RADIUS for authentication, and allows for the use of dynamic encryption keys that can be changed without disrupting the users or requiring re-authentication. Additionally, WPA2-Enterprise does not allow for open SSIDs.
Key Terms
Wireless Fidelity (WiFi)
Which of the following incident response steps occurs before containment?
A. Eradication
Identification
Identification is the first step in the incident response process, which involves recognizing that an incident has occurred. Containment is the second step, followed by eradication, recovery, and lessons learned.
A network engineer and a security engineer are discussing ways to monitor network operations. Which of the following is the BEST method?
A. Disable Telnet and force SSH.
Utilize an agent-less monitor
An agent-less monitor is the best method to monitor network operations because it does not require any software or agents to be installed on the devices being monitored, making it less intrusive and less likely to disrupt network operations. This method can monitor various aspects of network operations, such as traffic, performance, and security.
Key Terms
Secure Shell (SSH)
Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyber intrusions, phishing, and other malicious cyber activity?
A. Intelligence fusion
Intelligence fusion
Intelligence fusion is a process that involves aggregating and analyzing data from multiple sources, including artificial intelligence, to provide insight on current cyber intrusions, phishing, and other malicious cyber activity.
Which of the following technologies is used to actively monitor for specific file types being transmitted on the network?
A. File integrity monitoring
Data loss prevention
Data loss prevention (DLP) is a technology used to actively monitor for specific file types being transmitted on the network. DLP solutions can prevent the unauthorized transfer of sensitive information, such as credit card numbers and social security numbers, by monitoring data in motion.
A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?
A. The Diamond Model of Intrusion Analysis
NIST Risk Management Framework
The CISO is using the NIST Risk Management Framework (RMF) to evaluate the environment for the new ERP system. The RMF is a structured process for managing risks that involves categorizing the system, selecting controls, implementing controls, assessing controls, and authorizing the system.
Key Terms
Enterprise Resource Planning (ERP)
A third party asked a user to share a public key for secure communication. Which of the following file formats should the user choose to share the key?
A. .pfx
.cer
A user should choose the .cer file format to share a public key for secure communication. A .cer file is a public key certificate that can be shared with third parties to enable secure communication. A public key is a cryptographic key that can be used to encrypt or verify data. A public key file is a file that contains one or more public keys in a specific format.
A security administrator wants to implement a program that tests a user's ability to recognize attacks over the organization's email system. Which of the following would be BEST suited for this task?
A. Social media analysis
Phishing campaign
A phishing campaign is a simulated attack that tests a user's ability to recognize attacks over the organization's email system. Phishing campaigns can be used to train users on how to identify and report suspicious emails.
Which of the following identifies the point in time when an organization will recover data in the event of an outage?
A. SLA
RPO
Recovery Point Objective (RPO) is the maximum duration of time that an organization can tolerate data loss in the event of an outage. It identifies the point in time when data recovery must
Key Terms
service level agreement (SLA)
The help desk has received calls from users in multiple locations who are unable to access core network services. The network team has identified and turned off the network switches using remote commands. Which of the following actions should the network team take next?
A. Disconnect all external network connections from the firewall
Initiate the organization's incident response plan.
An incident response plan is a set of procedures and guidelines that defines how an organization should respond to a security incident. An incident response plan typically includes the following phases: preparation, identification, containment, eradication, recovery, and lessons learned. If the help desk has received calls from users in multiple locations who are unable to access core network services, it could indicate that a network outage or a denial-of-service attack has occurred. The next action that the network team should take is to initiate the organization’s incident response plan, which would involve notifying the appropriate stakeholders, such as management, security team, legal team, etc., and following the predefined steps to investigate, analyze, document, and resolve the incident.
Which of the following controls would provide the BEST protection against tailgating?
A. Access control vestibule
Access control vestibule
Access control vestibules, also known as mantraps or airlocks, are physical security features that require individuals to pass through two or more doors to enter a secure area. They are effective at
A security architect is implementing a new email architecture for a company. Due to security concerns, the Chief Information Security Officer would like the new architecture to support email encryption, as well as provide for digital signatures. Which of the following should the architect implement?
A. TOP
S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol that enables secure email messages to be sent and received. It provides email encryption, as well as digital signatures, which
Key Terms
Internet Message Access Protocol (IMAP)
point-of-presence (POP)
A security analyst is reviewing the vulnerability scan report for a web server following an incident. The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST likely cause?
A. Security patches were uninstalled due to user impact.
Security patches were uninstalled due to user impact.
A security patch is a software update that fixes a vulnerability or bug that could be exploited by attackers. Security patches are essential for maintaining the security and functionality of systems and applications. If the vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability, it means that the patch was either not applied or was uninstalled at some point. A possible reason for uninstalling a security patch could be user impact, such as performance degradation, compatibility issues, or functionality loss.
A security researcher is using an adversary's infrastructure and TTPs and creating a named group to track those targeted. Which of the following is the researcher MOST likely using?
A. The Cyber Kill Chain
MITRE ATT&CK
The researcher is most likely using the MITRE ATT&CK framework. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-
Key Terms
Tactics, Techniques and Procedures (TTPs)
A company recently decided to allow its employees to use their personally owned devices for tasks like checking email and messaging via mobile applications. The company would like to use MDM, but employees are concerned about the loss of personal data. Which of the following should the IT department implement to BEST protect the company against company data loss while still addressing the employees’ concerns?
A. Enable the remote-wiping option in the MDM software in case the phone is stolen.
Configure MDM for FDE without enabling the lock screen.
MDM software is a type of remote asset-management software that runs from a central server. It is used by businesses to optimize the functionality and security of their mobile devices, including FDE stands for full disk encryption, which is a method of encrypting all data on a device’s storage. FDE can protect data from unauthorized access in case the device is lost or stolen. Remote wiping is a feature that allows the company
Which of the following roles would MOST likely have direct access to the senior management team?
A. Data custodian
Data protection officer
A data protection officer (DPO) is a role that oversees the data protection strategy and compliance of an organization. A DPO is responsible for ensuring that the organization follows data protection laws and regulations, such as the General Data Protection Regulation (GDPR), and protects the privacy rights of data subjects. A DPO also acts as a liaison between the organization and data protection authorities, as well as data subjects and other stakeholders.
A security analyst needs to implement an MDM solution for BYOD users that will allow the company to retain control over company emails residing on the devices and limit data exfiltration that might occur if the devices are lost or stolen. Which of the following would BEST meet these requirements? (Select TWO).
A. Full-device encryption
Containerization & Application whitelisting
MDM solutions emerged to solve problems created by BYOD. With MDM, IT teams can remotely wipe devices clean if they are lost or stolen. MDM also makes the life of an IT administrator a lot easier as it allows them to enforce corporate policies, apply software updates, and even ensure that password protection is used on each device. Containerization and application whitelisting are two features of MDM that can help retain control over company emails residing on the devices and limit data exfiltration that might occur if the devices are lost or stolen. Containerization is a technique that creates a separate and secure space on the device for work-related data and applications. This way, personal and corporate data are isolated from each other, and IT admins can manage only the work container without affecting the user’s privacy. Containerization also allows IT admins to remotely wipe only the work container if needed, leaving the personal data intact. Application whitelisting is a technique that allows only authorized applications to run on the device. This way, IT admins can prevent users from installing or using malicious or unapproved applications that might compromise the security of corporate data. Application whitelisting also allows IT admins to control which applications can access corporate resources, such as email servers or cloud storage.
Key Terms
Mobile device management (MDM)
An organization discovered a disgruntled employee exfiltrated a large amount of PII data by uploading files. Which of the following controls should the organization consider to mitigate this risk?
A. EDR
DLP
DLP stands for data loss prevention, which is a set of tools and processes that aim to prevent unauthorized access, use, or transfer of sensitive data. DLP can help mitigate the risk of data exfiltration by disgruntled employees or external attackers by monitoring and controlling data flows across endpoints, networks, and cloud services. DLP can also detect and block attempts to copy, print, email, upload, or download sensitive data based on predefined policies and rules.
Key Terms
Endpoint Detection and Response (EDR)
A security team suspects that the cause of recent power consumption overloads is the unauthorized use of empty power outlets in the network rack. Which of the following options will mitigate this issue without compromising the number of outlets available?
A. Adding a new UPS dedicated to the rack
Installing a managed PDU
A managed Power Distribution Unit (PDU) allows you to monitor and control power outlets on the rack. This will allow the security team to identify which devices are drawing power and from which outlets, which can help to identify any unauthorized devices. Moreover, with a managed PDU, you can also control the power to outlets, turn off outlets that are not in use, and set up alerts if an outlet is overloaded. This will help to mitigate the issue of power consumption overloads without compromising the number of outlets available.
Key Terms
Uninterruptible Power Supply (UPS)
An employee receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and date of birth be provided to confirm the employee's identity before sending him the prize. Which of the following BEST describes this type of email?
A. Spear phishing
Phishing
Phishing is a type of social engineering attack that uses fraudulent emails or other forms of communication to trick users into revealing sensitive information, such as passwords, credit card numbers, or personal details. Phishing emails often impersonate legitimate entities, such as banks, online services, or lottery organizations, and entice users to click on malicious links or attachments that lead to fake websites or malware downloads. Phishing emails usually target a large number of users indiscriminately, hoping that some of them will fall for the scam.
A security administrator is working on a solution to protect passwords stored in a database against rainbow table attacks. Which of the following should the administrator consider?
A. Hashing
Salting
Salting is a technique that adds random data to a password before hashing it. This makes the hash output more unique and unpredictable, and prevents attackers from using pre-computed tables (such as rainbow tables) to crack the password hash. Salting also reduces the risk of collisions, which occur when different passwords produce the same hash.
As part of annual audit requirements, the security team performed a review of exceptions to the company policy that allows specific users the ability to use USB storage devices on their laptops. The review yielded the following results:
Which of the following should the company do to ensure that appropriate access is not disrupted but unneeded access is removed in a reasonable time frame?
A. Create an automated, monthly attestation process that removes access if an employee's supervisor denies the approval
Create an automated, monthly attestation process that removes access if an employee's supervisor denies the approval.
This option ensures that appropriate access is not disrupted but unneeded access is removed in a reasonable time frame by requiring supervisors to approve or deny the exceptions on a regular basis. It also reduces the manual workload of the security team and improves the compliance with the
Which of the following would satisfy three-factor authentication requirements?
A. Password, PIN, and physical token
Password, fingerprint scan, and physical token
Three-factor authentication combines three types of authentication methods: something you know (password), something you have (physical token), and something you are (fingerprint scan). Option C satisfies these requirements, as it uses a password (something you know), a physical token (something you have), and a fingerprint scan (something you are) for authentication.
Which of the following is the BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an organization?
A. To provide data to quantify risk based on the organization's systems
To provide data to quantify risk based on the organization's systems
An effective asset management policy helps an organization understand and manage the systems, hardware, and software it uses, and how they are used, including their vulnerabilities and risks. This information is crucial for accurately identifying and assessing risks to the organization, and making informed decisions about how to mitigate those risks. This is the best reason to maintain an effective asset management policy.
A company owns a public-facing e-commerce website. The company outsources credit card transactions to a payment company. Which of the following BEST describes the role of the payment company?
A. Data controller
Data processor
A data processor is an organization that processes personal data on behalf of a data controller. In this scenario, the company that owns the e-commerce website is the data controller, as it determines the purposes and means of processing personal data (e.g. credit card information). The payment company is a data processor, as it processes personal data on behalf of the e-commerce company.
While troubleshooting a service disruption on a mission-critical server, a technician discovered the user account that was configured to run automated processes was disabled because the user's password failed to meet password complexity requirements. Which of the following would be the BEST solution to securely prevent future issues?
A. Using an administrator account to run the processes and disabling the account when it is not in use
Configuring a service account to run the processes
A service account is a user account that is created specifically to run automated processes and services. These accounts are typically not associated with an individual user, and are used for running background services and scheduled tasks. By configuring a service account to run the automated processes, you can ensure that the account will not be disabled due to password complexity requirements and other user-related issues.
A company completed a vulnerability scan. The scan found malware on several systems that were running older versions of Windows. Which of the following is MOST likely the cause of the malware?
A. Open permissions
Improper or weak patch management
The reason for this is that older versions of Windows may have known vulnerabilities that have been patched in more recent versions. If a company is not regularly patching their systems, they are leaving those vulnerabilities open to exploit, which can allow malware to infect the systems. It is important to regularly update and patch systems to address known vulnerabilities and protect against potential malware infections. This is an important aspect of proper security management. Properly configuring and maintaining software, including patch management, is critical to protecting systems and data.
A security team will be outsourcing several key functions to a third party and will require that:
Which of the following BEST describes the document that is used to define these requirements and stipulate how and when they are performed by the third party?
A. MOU
SLA
A service level agreement (SLA) is a contract between a service provider and a customer that outlines the services that are to be provided and the expected levels of performance. It is used to define the requirements for the service, including any attestations and reports that must be generated, and the timescales in which these must be completed. It also outlines any penalties for failing to meet these requirements. SLAs are essential for ensuring that third-party services are meeting the agreed-upon performance levels.
Key Terms
Memorandum of Understanding (MOU)
A network administrator needs to determine the sequence of a server farm's logs. Which of the following should the administrator consider? (Select TWO).
A. Chain of custody
Time stamps & Time offset
A server farm’s logs are records of events that occur on a group of servers that provide the same service or function. Logs can contain information such as date, time, source, destination, message, error code, and severity level. Logs can help administrators monitor the performance, security, and availability of the servers and troubleshoot any issues. To determine the sequence of a server farm’s logs, the administrator should consider the following:
Time stamps: Time stamps are indicators of when an event occurred on a server. Time stamps can help administrators sort and correlate events across different servers based on chronological order.
Time offset: Time offset is the difference between the local time of a server and a reference time, such as Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). Time offset can help