Free CASP+ Certification Practice Test with Answers and Explanations. CAS-004

In this post you’ll find a completely FREE CASP+ (CompTIA Advanced Security Practitioner) Certification Practice Test with Answers and Explanations written by experts. Full test. No tricks, just learn smarter.

Over 500 questions based on the actual certification exam. Get certified on your first attempt.

We’ll cover the following domains:

  • Security Architecture
  • Security Operations
  • Security Engineering and Cryptography
  • Governance, Risk, and Compliance

Jess is investigating a breach and traces it back to the unified communications tool. The malicious user attacked the UC network using a phishing email and spoofed a MAC address to register an employee’s soft phone and made international calls through your DC network. Which one of the following options will not have affected this attack?

  • A. Vulnerabilities in the UC platform
  • B. Weak firewall configurations
  • C. Social engineering
  • D. Cipher lock on the server room door

Explanation: D. The cipher lock on the server room door is a physical security control, unlike technical controls which were exploited in this attack.

What type of address does a switch use to forward frames?

  • A. IP address
  • B. Frame address
  • C. TCP/IP address
  • D. MAC address

Explanation: D. Switches rely on Media Access Control (MAC) addresses for forwarding frames. A MAC address is composed of 48 bits and comprises two components: the organizationally unique identifier (OUI) that identifies the manufacturer of the network interface card (NIC) to which the MAC is assigned, and the device ID or vendor-assigned number assigned by the NIC manufacturer. Furthermore, MAC addresses play a significant role in facilitating communication between network devices, as they enable switches to accurately send data packets to their intended destinations.

You have been assigned the responsibility of developing a security plan for your point-of-sale systems. Which methodology is considered the most effective when initiating the architectural process?

  • A. Outside-in
  • B. Assets-out
  • C. No write-up
  • D. No write-down

Explanation: B. The recommended approach for designing a robust security system is to prioritize the identification and protection of mission-critical assets, and then extend the security measures outwards from there. It should be noted that assets-out methodology is in contrast to the outside-in approach.

Your organization has deployed various mobile devices throughout the network, but unfortunately, many of these devices lack proper security mechanisms. Can you suggest one measure that can be taken to enhance the security of these mobile devices?

  • A. Loading project management tools on them
  • B. Utilizing MSM technology FOTA
  • C. Installing a HIDS/HIPS on them
  • D. Downloading the firmware update to your PC

Explanation: B. Maintaining the latest firmware on mobile devices is crucial for eliminating known vulnerabilities. Firmware Over-the-Air (FOTA) is a mobile software management (MSM) technology that allows wireless upgrading and updating of the operating firmware by the manufacturer. FOTA-capable phones can directly download upgrades from the service provider. The upgrading process usually takes 3 to 10 minutes, depending on connection speed and file size.

Grace is investigating the encryption of data at rest and data in transit and trying to determine which algorithm is best in each situation. Which of the following does not contain data at rest?

  • A. SAN
  • B. NAS
  • C. SSD
  • D. VPN

Explanation: D. Data at rest is stored on a device. A VPN contains data in transit, meaning data that is moving. VPNs provide secure communications over an insecure network like the Internet. A variety of encryption protocols can be used to protect data as it moves across a VPN. On the other hand, a SAN refers to storage-attached network, NAS stands for network-attached storage, and an SSD is a solid-state hard drive.

Marie, the senior security analyst for a large online news organization, received a briefing stating that the organization has been targeted by an XSS attack, resulting in the execution of malicious web-scripting code on a trusted web page. How can she prevent this type of attack in the future?

  • A. Ensure that the web application is capable of validating and sanitizing user input.
  • B. Implement immediate patch management.
  • C. Request an external penetration test.
  • D. Marie cannot prevent this type of attack on a public-facing web server.

Explanation: A. To mitigate an XSS attack, it is essential to implement input validation and sanitization within the web application. Similar to an XSRF attack, an XSS attack aims to extract sensitive information from users. Without proper input sanitization, malicious code can be injected through form input by the attacker. Additionally, ensuring the web application can validate and sanitize input will help prevent future attacks.

You are a systems analyst conducting a vulnerability assessment. Which of the following is not a requirement for you to know?

  • A. Access controls
  • B. Understanding of the systems to be evaluated
  • C. Potential threats
  • D. Passwords

Explanation: D. A list of root passwords is not required for a vulnerability assessment. A vulnerability assessment involves testing systems and access controls to identify weaknesses. It is important for the systems analyst to have knowledge of access controls, an understanding of the systems being evaluated, and awareness of potential threats. However, a specific list of root passwords is not necessary for the assessment process.

Your company planned to develop custom IDS/IPS rules this quarter to be proactive and stay ahead of new rules released by IDS/IPS manufacturers. How should you prepare for this shift in methodology?

  • A. Penetration test results
  • B. Network monitoring
  • C. OSINT and threat databases
  • D. Vulnerability scans

Explanation: C. By utilizing open source intelligence sources and threat databases, you can create your own IDS rules, incorporating the expertise of external sources. This allows you to customize your IDS rules according to your specific requirements, utilizing your own threat landscape as a model. Furthermore, by employing this method, you can ensure that your IDS/IPS rules are aligned with your unique use case.

You want to assess the most secure authentication method on a mobile device, specifically your phone. Authentication encompasses various options and may involve the use of multiple methods for ensuring secure access. Which of the following is a piece of information that you do not possess?

  • A. Password
  • B. Pattern lock
  • C. Fingerprint
  • D. PIN

Explanation: It is important to note that a fingerprint is considered a biometric characteristic. Unlike a password or PIN, it is categorized as something you are, rather than something you know. This distinction highlights the unique nature of biometric authentication methods.

You are made aware of a threat that involves a hacking group holding large amounts of information about your company. What best describes the threat you face from this hacking group?

  • A. DoS
  • B. TCO
  • C. Latency
  • D. Data mining

Explanation: D. With the proliferation of online information, data mining has become a significant threat. It involves the extraction of vast amounts of data for aggregation. This technique allows attackers to identify patterns in your business operations and exploit vulnerabilities during critical periods.

  • A. Epic
  • B. Intermediate
  • C. Maximum
  • D. Minimal

Explanation: D. Commodity malware, which can be easily acquired online, is employed by various threat actors. The scope of a breach or incident is determined by its extent of reach or prevalence. In this case, as the breach is limited to just one machine, it is considered minimal in scope. Additionally, it is worth noting that the objective of this question is to assess your understanding of malware propagation and the classification of its scope.

Because of time constraints and budget, your organization has chosen to hire a third-party organization to begin working on a crucial new project. From a security perspective, what is the best way to balance the needs of the organization with the inherent risks of using a third-party vendor?

  • A. Outsourcing is a valid option, and any security issues would be the responsibility of the third party.
  • B. If the company has a satisfactory security record, outsourcing makes sense.
  • C. Outsourcing should never be done as it leads to legal and compliance problems.
  • D. The third party should have proper NDAs, SLAs, and OLAs in place and should be obliged to perform adequate security activities.

Explanation: D. The third-party organization should be contractually obligated to carry out the security activities mentioned in the business documents between the parties. Evidence of these contracts should be negotiated, investigated, and confirmed before starting the project. Any agreement for recovery should include specific metrics, such as time, cost, availability, response time, throughput, and bandwidth. These metrics fall under the category of service level agreements (SLAs) and include various elements like response time to initial service requests and guarantees. It is also important to review recovery SLAs in the context of existing agreements with external parties, such as clients or customers. This review will help ensure that risk mitigation strategies align with the organization’s contractual obligations.

Robert’s employees complain that when they connect to the network through the VPN, they are unable to access their social media posts and pictures. Which of the following is most likely implemented?

  • A. Split tunnels
  • B. DNS tunneling
  • C. ARP cache
  • D. Full tunnels

Explanation: D. In a full tunnel, all network traffic is directed through the VPN. Depending on the configuration, access may be restricted to the internal network while the VPN is active. Split VPN tunnels only encrypt certain traffic. DNS tunneling involves using the DNS system to conceal data and send it to a malicious server. An ARP cache stores ARP entries, which are used to link IP addresses to MAC addresses. Additionally, it resolves IP addresses to MAC addresses.

Duane, a pentester, is conducting the type of reconnaissance that focuses on maintaining anonymity. What type of reconnaissance is he performing?

  • A. Active reconnaissance
  • B. Passive reconnaissance
  • C. OSINT

Explanation: B. Passive reconnaissance is the process of acquiring information about a company without actively interacting with any systems or individuals. It involves using tools such as social media and OSINT. Active reconnaissance, on the other hand, entails actively engaging with people or technologies, such as making phone calls or performing a port scan. Open source intelligence (OSINT) is a methodology that involves collecting, analyzing, and making decisions based on publicly available data. HUMINT, or human intelligence, is collected through clandestine acquisition of pictures, documents, and materials from individuals, according to the Central Intelligence Agency (CIA).

Your new program using biometrics for authentication is going well. Biometrics are difficult to fake and enhance convenience. What is not considered an advantage of using biometrics for authentication?

  • A. Servers require less database memory.
  • B. Ease of use.
  • C. Stability and endurance with minimal variation.
  • D. Technical accuracy; partial capture of data.

Explanation: D. One major challenge is the process of capturing and mapping data to an identity. If this process is flawed and the data is inaccurate, a partial capture of data can result in a system failure. Additionally, it is important to ensure technical accuracy when utilizing biometrics for authentication.

You are evaluating the risk for your data center. You have assigned scores from 1 to 10 for threat, vulnerability, and impact. The scores for the data center are as follows: Threat: 4, Vulnerability: 2, Impact: 6. What is the overall risk level?

  • A. 12
  • B. 16
  • C. 48
  • D. 35

Explanation: In order to quantitatively evaluate risk, it is necessary to assess the levels of threat, vulnerability, and impact. The formula to calculate risk is Risk = Threat x Vulnerability x Impact. In this specific scenario, the calculation is 4 x 2 x 6, resulting in a risk level of 48.

Your software company is acquiring a competitor start-up. All the individuals working with that company will become your employees. They will maintain access to their previous network and resources for a duration of two weeks to facilitate the transition. In order to enhance productivity, it has been decided to integrate the two networks. What is the most significant risk for your company?

  • A. IP filters
  • B. Loss of code
  • C. Malware
  • D. Combining the networks

Explanation: D. The primary concern when merging two distinct organizations lies in the security aspect of integrating their networks. The convergence of different physical assets, tactical standards, and operational processes, in addition to the objective of improving productivity, poses a high risk of neglecting any remaining security vulnerabilities and threats within the merged network. Moreover, the merged network may inadvertently expose the company to potential risks.

An audit of your mobile device policies has revealed that your COPE devices are allowing the installation of unsigned applications. The default setting on these devices is set to $true, meaning that new apps do not require a digital signature before being installed. However, it is important to note that after developing an app, the developer must sign it or make it traceable and publish it to the Play Store. The question is, is there a valid business justification for installing unsigned applications on a company device?

  • A. If a developer needs to test and troubleshoot an app.
  • B. To verify the keystore for both debug and release purposes.
  • C. To remove the digitally signed certificates from the app.
  • D. No, there is never a valid reason to use unsigned apps.

Explanation: A. In the Android operating system, all apps must be digitally signed with a certificate before they can be installed by end users. This certificate serves as proof of authorship and ensures that the app originates from a trusted source, such as your company, rather than a potentially malicious entity.

Robin’s company is merging with another healthcare organization. The stakeholders are discussing the security aspects of combining digital communications. The primary agreed-upon criterion for compliance and security is to safeguard the sharing of the company’s domains. What is the most suitable choice for this organization?

  • A. DNSSEC
  • B. TLS
  • C. SSL 2.0
  • D. Keeping both entities separate

Explanation: A. DNSSEC enhances authentication by employing digital signatures based on public/private key cryptography. With DNSSEC, you ensure data origin authentication and data integrity. Transport Layer Security (TLS) is a cryptographic protocol intended to provide security for communication on a computer network. Secure Sockets Layer (SSL), similar to TLS, is a protocol utilized for encryption in web browsing, email, and VoIP, but it has been replaced by TLS. Keeping the entities separate was not considered a viable option.

  • A. Dark web
  • B. Deep web
  • C. Proprietary
  • D. Clearnet

Explanation: B. The deep web refers to a portion of the Internet that can only be accessed by navigating to a specific database, which is not publicly indexed by a search engine. The dark web, on the other hand, is a more private section of the Internet that requires a specialized browser to ensure anonymity. Proprietary means that something is owned by a particular business or organization. The Clearnet, also known as the surface web, includes information that can be found through popular search engines like Google or Bing.

You build a web application for your new retail organization. However, your developer neglected to verify the length of the input before executing the code. What type of vulnerability is this code prone to?

  • A. Session management
  • B. XSS
  • C. Privilege escalation
  • D. Buffer overflow

Explanation: D. Buffer overflow attacks can occur when programmers fail to validate the length and format of input data before processing it. This issue is particularly common in web servers, which often lack protection against buffer overflow vulnerabilities. Additionally, buffer overflow attacks can enable hackers to execute malicious code and potentially gain unauthorized access to systems.

You have been assigned the task of selecting the appropriate encryption for your mobile device management program. Which asymmetric encryption algorithm is most suitable for mobile devices?

  • A. AES
  • B. ECC
  • C. IDEA
  • D. Serpent

Explanation: B. The Elliptic Curve Cryptography (ECC) algorithm is highly recommended for mobile devices as it requires less computational power for calculations while still maintaining a high level of security. AES encryption is commonly utilized in wireless security, processor security, file encryption, and SSL/TLS. IDEA was employed in Pretty Good Privacy (PGP) v2.0, and Serpent encryption was a contender to AES but has not been patented. An additional advantage of ECC is its ability to provide efficient cryptographic operations on resource-constrained devices.

You are a network security administrator for a SOHO. Unfortunately, your staff often works from coffee shops without fully understanding the importance of using a VPN. It is crucial to demonstrate to them the potential dangers involved. In the event of a replay attack, which network traffic packets are commonly captured and exploited?

  • A. Packet headers
  • B. Authentication
  • C. FTP
  • D. DNS

Explanation: B. In a replay attack, authentication traffic is the most frequently captured and utilized network traffic. If an attacker is successful in replaying the series of authentication packets accurately, they can gain access to the same systems as the original user. Additionally, a packet header is the part of an IP packet that precedes the body and contains addressing information. FTP refers to File Transfer Protocol, and DNS is a naming system that associates domain names, such as, with corresponding IP addresses.

Which of the following application security threats is mitigated by the use of garbage collection?

  • A. Object reuse
  • B. XSS
  • C. Ransomware
  • D. Sandboxing

Explanation: A. Object reuse is the process by which authentication credentials that an application or process may have in memory are utilized to authenticate a user or application. This practice helps in mitigating the threat posed by the use of garbage collection.

Your objectives and key results (OKRs) for this quarter include the realization of the benefits of a multitenancy cloud architecture. Which of the following results is not applicable to a multitenancy cloud service?

  • A. Financial
  • B. Usage
  • C. Location
  • D. Onboarding

Explanation: C. Although a multitenancy cloud service may be less expensive due to shared usage and resources, it operates at maximum efficiency. Additionally, it is easier to set up due to a high volume of customers with a good onboarding experience. However, multitenancy does have limitations, such as multiple access points, less control, and the potential for all tenants to be affected if one tenant is affected. This exposes vulnerabilities and poses a certain level of risk.

You are traveling for work and there is no Wi-Fi available. In a public space, you require your laptop to connect to the internet. If possible, you can tether through a mobile device to access the internet. What are the disadvantages of tethering?

  • A. Your mobile connection will be slow and your mobile device’s battery will drain quickly.
  • B. You need to have a specific app to establish a tethering connection between your phone and laptop.
  • C. Incoming phone calls will be directed straight to voicemail.
  • D. Security concerns may arise.

Explanation: A. The advantages of tethering include the ability to securely upload and download files and check your account balances through your PAN. However, there may be potential costs with your carrier, the mobile connection may be slow, and your phone or tablet battery may drain rapidly.

Which security program aims to equip employees with the necessary knowledge to meet their job requirements and safeguard the organization?

  • A. Awareness
  • B. Training
  • C. Indoctrination
  • D. Development

Explanation: B. Training serves as the primary barrier against security risks, as one cannot safeguard what they are unaware of. To adhere to both regulatory demands and organizational goals, training is essential. Cultivating a sense of awareness is accomplished by intertwining cultural attitudes with comprehensive training programs. Additionally, it is crucial to stay updated with emerging security measures and adapt accordingly.

Sally needs to implement a network security device at the border of her corporate network and the Internet. This device examines network traffic using source and destination IP addresses, source and destination port numbers, and protocols. Which network security device is most appropriate for her requirements?

  • A. Packet filter firewall
  • B. Proxy server
  • C. HSM
  • D. DMZ

Explanation: A. A packet filter firewall inspects packets as they travel through the network and allows the user to control traffic based on source and destination IP, source and destination port, and the protocol used for communication. A proxy server is a server application or appliance that acts as an intermediary for client machines seeking resources. A hardware security module (HSM) is a physical computing device that securely stores and manages digital keys, as well as performs other cryptographic processes. A DMZ (demilitarized zone) is a network segment, either physical or logical, that houses and exposes externally facing services to the Internet.

  • A. Public relations
  • B. Infrastructure
  • C. Legal
  • D. Data owner

Explanation: A. Public relations is responsible for disclosing the hack. By taking charge of the disclosure, you can control the message and ensure that the information is presented accurately. This allows you to reinforce your business reputation by demonstrating responsible handling of the breach. For instance, in cases where only a limited number of customers are affected, it is important to notify them promptly and appropriately. Additionally, it is advisable to provide updates and address any concerns in a timely manner to maintain trust and confidence.

IT support called you and told you to disable your antivirus software because they have a patch that needs to run on your machine to keep you safe. What social engineering technique did this attacker use?

  • A. Tailgating
  • B. Honeytrap
  • C. Quid pro quo
  • D. Rogue access point

Explanation: C. Quid pro quo is a Latin phrase meaning “something for something.” In this scenario, an individual posing as “IT support” contacts you, offering something in return for a favor. This deceptive tactic is commonly employed to trick individuals into installing malware or ransomware on their machines. To accomplish this, the attacker requests that you disable your antivirus software under the pretense of installing a necessary patch for your safety. By exploiting your trust in IT support, they attempt to gain unauthorized access to your machine.

Meena has called the IT help desk and reported that she has lost her corporate iPad. You try to use location services to physically locate the device, but she mentions that she has just returned from a trip and is concerned that the device is in airplane mode. What would you suggest in this situation?

  • A. Incident detection and response
  • B. Remote lock and data wipe
  • C. Replacement of the device and destruction of the old one
  • D. Termination of the employee

Explanation: B. One of the most crucial methods for an organization to minimize mobile device risks and threats is to enforce a strict policy of remote lock and data wipe. This policy provides an additional layer of protection for the organization’s mobile devices. Even if the device is in airplane mode, the remote lock and data wipe will be activated once the device is powered on and taken out of airplane mode. Hence, this is the recommended action, despite the fact that the device will not immediately receive the instructions in airplane mode.

The IT security department was given the task of suggesting a single security device that is capable of performing various security functions. These security functions encompass antivirus protection, antispyware, a firewall, and an IDP. Which device should the IT security department recommend?

  • A. Next-generation firewall
  • B. Unified threat management system
  • C. Quantum proxy
  • D. Next-generation IDP

Explanation: B. A unified threat management (UTM) system is a single device that offers multiple security functions, including antivirus protection, antispyware, a firewall, and an IDP. However, one concern with using a UTM is that it could potentially become a single point of failure. On the other hand, a next-generation firewall (NGFW) combines a conventional firewall with additional network device filtering functions like deep packet inspection or IPS. As for a quantum proxy, it is a signature scheme that enables a proxy signer to generate a signature on behalf of the original signer. However, it is important to note that there is no security model for quantum proxy, thus making it vulnerable to forgery attacks. Lastly, there is no such thing as a next-generation IDP.

You have implemented a Simple Certificate Enrollment Protocol (SCEP) in your organization. SCEP is designed to support the issuance of certificates in a scalable manner. How does SCEP function in an enterprise environment?

  • A. The SCEP server CA issues and approves the certificate.
  • B. The SCEP server RA automatically issues pending certificates, and the IAM admin grants approval.
  • C. A certificate is requested from the SCEP server and is automatically issued.
  • D. The SCEP issues the certificate, and the CA approves and issues it.

Explanation: A. There are two enrollment methods in SCEP: the certificate is automatically issued by an SCEP server CA, or the SCEP is requested and set to PENDING, and then the CA admin manually approves or denies the certificate. Additionally, the certificate can be issued automatically.

Your CFO received an email from a vendor requesting payment for services rendered. The CFO reached out to your team because the vendor’s name is spelled with an extra vowel. What type of social engineering technique was being used?

  • A. Spear phishing
  • B. Water holing
  • C. Pretext
  • D. Bait and switch

Explanation: A. Spear phishing is a term used to identify the process of attempting to acquire sensitive information by masquerading as a trustworthy organization to one specific individual. If the email was sent in bulk, then it’s called plain phishing. Emails claiming to be from common banks, retail sites, or social media are commonly used to lure the victim.

You have a web server within your network that is currently being targeted by a distributed denial-of-service attack. Numerous systems are overwhelming the bandwidth of this server. This particular type of attack directly affects which objective of information security?

  • A. Availability
  • B. Baselines
  • C. Integrity
  • D. Emergency response

Explanation: A. A distributed denial-of-service (DDoS) attack takes place when the authorized users are unable to access devices or network resources. Consequently, it diminishes the availability of these resources. In this scenario, the server is overwhelmed by the flood of requests, impacting its availability for legitimate users.

Your healthcare organization has made the decision to start outsourcing some of its IT systems. Which of the following statements is correct?

  • A. Outsourcing releases your organization from all rules and requirements.
  • B. The provider takes on all compliance and regulatory requirements.
  • C. Your organization is no longer responsible for configuring, maintaining, or evaluating the IT systems.
  • D. The outsourcing organization is exempt from all rules and regulations.

Explanation: B. When opting to outsource any IT function, process, or system, there are risks involved in terms of operations, process flows, confidentiality, continuity, and compliance. It is important to note that you cannot evade accountability with the excuse “It wasn’t me.” Regulators and compliance auditors will still hold your organization responsible for conducting proper due diligence to ensure that the third-party service possesses the necessary people, processes, and technology to support your business needs. Furthermore, this also means adhering to the required level of compliance.

Your IT department is investigating the use of DNS over HTTPS (DoH) to enhance security measures. By employing DoH, all DNS resolutions are conducted through an encrypted channel, thereby bolstering protection against which of the following attacks?

  • A. Insecure protocols
  • B. Key mismanagement
  • C. Man-in-the-middle attacks
  • D. Bad sector on a hard drive

Explanation: DNS resolution refers to the determination of the responsible server for delivering the website you requested, which is an integral part of browsing. Incorporating DoH ensures that all DNS resolutions take place within an encrypted channel, effectively fortifying security and privacy by preventing unauthorized access and tampering with DNS data. To further safeguard against potential cyber threats, adopting DoH serves as a pivotal tool.

One of your network administrators reports that they are unable to establish a connection with a device on the local network using its IP address. The device is operational and has an IP address of Other hosts are able to communicate with the device successfully. The default gateway is set to, and your local IP address is What is the most appropriate type of scan to perform in order to determine the MAC address of the problematic machine?

  • A. ARP
  • B. NAT gateway
  • C. IPConfig
  • D. IFConfig

Explanation: A. An Address Resolution Protocol (ARP) scan is performed to retrieve MAC addresses. By sending an ARP request to the device with the known IP address, you can acquire its MAC address through the received ARP reply. This information is then stored in the ARP table, which maps the IP to its corresponding MAC address. A NAT gateway allows cloud resources without public IP addresses to access the Internet while safeguarding them from incoming connections. IPConfig is a command-line utility in Windows DOS that displays the current TCP/IP network configuration, including the assigned IP, subnet mask, and default gateway addresses. IFConfig serves a similar purpose as IPConfig but is used in Unix operating systems.

Employees at Olivia’s entertainment company want Bluetooth enabled for their mobile devices. What is their primary security concern?

  • A. Bluetooth can be overused.
  • B. Bluetooth sends data as clear text.
  • C. Bluetooth uses weak encryption.
  • D. Bluetooth is a lower-power wireless technology.

Explanation: C. The main concern regarding Bluetooth for business purposes lies in its usage of a weak encryption cipher, E0. Although E0 employs a 128-bit key, cryptanalysis has revealed that the E0 cipher is as secure as a mere 38-bit key. Therefore, there are potential vulnerabilities in the encryption strength of Bluetooth that need to be addressed.

Your company is concerned about Internet-facing servers. They hired a security organization to conduct a black-box test of to ensure its security. Which of the following commands assists the tester in identifying which servers are externally facing before proceeding with any further actions?

  • A. Whois
  • B. WhatIs
  • C. SMTP
  • D. IPConfig

Explanation: A. Whois is a protocol used to query databases that store registered users of a domain name or IP address. Additionally, it helps the tester in determining which servers are externally facing.

Your office manager received a voicemail from a vendor seeking to verify a delivery time and address. The delivery time is accurate, but the address is incorrect. What could have potentially occurred?

  • A. Baiting
  • B. Water holing
  • C. Phishing
  • D. Diversion

Explanation: D. Diversion is a form of social engineering strategy that specifically targets vendor delivery or transport companies. This manipulative tactic aims to redirect the delivery of goods to an alternative location instead of the intended destination. Additionally, it involves adding an extra layer of deception to mislead the recipient.

Your organization must comply with PCI DSS and regulations that mandate annual and ongoing penetration testing after any system changes at both the network and application layers. What is the primary purpose of penetration testing?

  • A. Creates security awareness
  • B. Evaluates IDS
  • C. Tests the security perimeter
  • D. Accesses the internal guidelines

Explanation: C. The primary purpose of penetration testing is to test the effectiveness of your security policies, procedures, and guidelines. It helps evaluate the robustness of your organization’s security measures and identify any vulnerabilities that could potentially be exploited by attackers. It is crucial to seek proper approval before initiating a penetration test to ensure compliance and avoid any unintended consequences.

You have determined that the ISP-supplied DNS servers are either slow or not properly configured for caching, resulting in a slow connection. This issue becomes more prominent when accessing a webpage that pulls content from various domains, such as advertisers and affiliates. What is a potential solution to enhance your connection speed and security simultaneously?

  • A. TTL records
  • B. Custom DNS server
  • C. DHCP
  • D. NS lookup

Explanation: Customizing your DNS servers to optimize efficiency can significantly improve web surfing speed. Additionally, DNS servers can enhance security by blocking access to malicious websites at the DNS level, preventing them from reaching the user’s browser. Furthermore, they may also filter out other inappropriate websites for workplace use.

Ronald has implemented a network architecture to conceal the origin of a network connection. Which device is most likely utilized for this purpose?

  • A. Proxy firewall
  • B. Internet gateway
  • C. Layer 3 switch
  • D. Bastion host

Explanation: A. A proxy firewall, also known as an application-level gateway firewall, is primarily employed to mask the source of a network connection by terminating and initiating a new connection. This enables the concealment of the actual traffic source. An Internet gateway serves as a stopping point for data on its way to or from other networks. A Layer 3 switch combines the features of a switch and a router, functioning as a switch to connect devices within the same subnet while incorporating IP routing similar to a router. A bastion host is a specially designed host that is resilient against attacks and usually hosts a single application, such as a proxy server, to minimize the threat landscape.

You have an application that needs to encrypt data on old equipment with limited hardware resources. Which kind of cipher is most suitable for this situation?

  • A. Stream cipher
  • B. Serial cipher
  • C. Block cipher
  • D. Parallel cipher

Explanation: A. A stream cipher encrypts data on a bit-by-bit basis. It is a better option for this situation because it needs fewer hardware resources compared to other ciphers like block ciphers. Additionally, it ensures efficient encryption of the data.

Your U.S.-based company manufactures children’s clothing and is considering expanding their business into the European Union. You have concerns about regulation and compliance. What should your organization investigate first?

  • A. Payment Card Industry (PCI)
  • B. General Data Protection Regulation (GDPR)
  • C. Children’s Online Privacy Protection (COPPA)
  • D. Family Educational Rights and Privacy Act (FERPA)

Explanation: B. The General Data Protection Regulation (GDPR) is a European Union law that focuses on data protection and privacy for all citizens of the European Union and the European Economic Area. It was adopted in April 2016 and imposes requirements on data processors, controllers, and custodians, ensuring that they obtain explicit consent from individuals whose data is used for specific purposes. Additionally, GDPR grants individuals the right to request access to their information and to request that their data be deleted. It is crucial for your organization to prioritize understanding and complying with GDPR regulations as it expands into the European Union market.

Your new CISO wants to implement a mobile device strategy. All staff have mobile devices, and you need something quickly implemented that is not very expensive. Which of the following strategies is the best one for your organization?

  • A. BYOD
  • B. CYOD
  • C. COPE
  • D. IDEA

Explanation: A. There is no one-size-fits-all solution, and each mobile device strategy has its own pros and cons. With bring your own device (BYOD), there is no need to engage a wireless carrier, and fast deployment is available at a lower cost since the employee owns the device. Choose your own device (CYOD) allows for business-supplied devices, but employees get to choose the devices they prefer. Corporate-owned, personally enabled (COPE) architectures offer the flexibility of allowing both enterprises and employees to install applications onto organization-owned mobile devices. IDEA is an encryption algorithm.

The IT group within your organization wants to implement a request filtering system between clients and servers. They aim to place a device that acts as a mediator between the clients and the servers. This device will receive requests from the clients and forward them to the servers. The servers will respond to the requests by sending the replies to the device. The device will then forward the replies back to the clients. Which device best matches this description?

  • A. Firewall
  • B. NIDS
  • C. Reverse proxy
  • D. Proxy

Explanation: C. A reverse proxy is the device that fulfills the mentioned function. As traffic intended for the servers passes through the reverse proxy, it is able to filter out malicious traffic targeted at the servers. A proxy is positioned in front of clients, receiving their requests and forwarding them to the desired destination. Replies associated with these requests are also forwarded through the proxy back to the clients. A basic firewall filters traffic based on packet header information, while a network-based intrusion detection system (NIDS) examines traffic for malicious content.

You are a security analyst and have been assigned by your company to identify all external Internet-connected devices, including webcams, routers, servers, and IoT devices on your corporate network. Which search engine would be the most efficient and fastest for completing this task?

  • A. Yahoo
  • B. Shodan
  • C. Google
  • D. Bing

Explanation: B. Shodan is a search engine specifically designed to locate and provide information about devices connected to the Internet, such as their geographical location and usage. Additionally, Shodan is a free tool that greatly aids in digital footprinting. Moreover, Shodan offers a public API that allows other tools to access its comprehensive data.

Your compliance auditor requires an inventory of all wireless devices. Which search engine would be the most suitable for this task?

  • A. Shodan
  • B. WiGLE
  • C. Wireshark
  • D. BurpSuite

Explanation: B. WiGLE is a search engine specifically designed to map 802.11 wireless networks. It provides network administrators and compliance auditors with extensive statistics and is also accessible to potential attackers. Moreover, it offers a wide range of search capabilities, making it the ideal choice for conducting an inventory of wireless devices.

Your global banking organization intends to incorporate mobile devices in both their main offices and remote branches. Employees are responsible for handling sensitive financial documents, including bank statements, loan applications, and mortgage documents. Considering your organization’s strong aversion to risk, which type of mobile strategy would be the most suitable in this scenario?

  • A. BYOD
  • B. CYOD
  • C. COPE
  • D. OSPF

Explanation: C. In a situation where security and data protection are of utmost importance, the company-owned, personally enabled (COPE) mobile device strategy is ideal. COPE ensures strict procurement standards and incurs the highest hardware costs among the available options. Adding to this explanation, adopting a COPE strategy allows for comprehensive control over security measures and minimizes potential risks associated with sensitive financial documents.

Brett, a new CISO, is currently assessing various controls to ensure availability. Which set of controls would be the most suitable choice for him?

  • A. RAID 1, data classification, and load balancing
  • B. Digital signatures, encryption, and hashes
  • C. Steganography, ACLs, and vulnerability management
  • D. Checksums, DOS attacks, and RAID 0

Explanation: A. RAID 1 provides redundancy to enhance availability. Data classification assists in determining the level of sensitivity and applying appropriate security measures and access controls. Load balancers ensure efficient routing of requests to available servers. The other options primarily focus on confidentiality or integrity, rather than availability. Adding these controls will ensure Brett optimizes the availability of the system.

When performing a peer review of software, you thoroughly analyze each line of code, as well as every object, method, and routine, with the aim of identifying any potential errors or areas for improvement and confirming compliance with security requirements. What is the primary drawback of conducting a peer review?

  • A. Money
  • B. Damage
  • C. Time
  • D. Reproducibility

Explanation: C. A peer review, also known as a code review, entails a comprehensive examination and evaluation of all the code to ensure its proper functioning and alignment with security and business needs. However, this process can be time-consuming, resulting in potential delays that may outweigh the benefits. Therefore, the main disadvantage of a peer review is the significant investment of time and effort it requires.

A company needs to adhere to a new HIPAA regulation which mandates the assessment of external attackers’ ability to access systems beyond the network perimeter. How can the company ensure compliance with this regulation?

  • A. Code review
  • B. Black-box penetration test
  • C. Inventory of hardware and software
  • D. Vulnerability scan

Explanation: B. A black-box penetration test is conducted without any prior knowledge about the organization, thereby simulating a real-world attack by an external party. It helps in identifying potential security vulnerabilities that can be exploited by malicious actors.

A member of your development team was fired for harassment. The company is concerned with the security of the project and proprietary code this developer had access to. What is the best way to ensure the integrity of this project?

  • A. Peer review
  • B. Red-box test
  • C. Gray-box test
  • D. Black-box test

Explanation: D. In order to ensure the integrity of the project and the security of the proprietary code, it is recommended to hire an expert external red team to conduct a black-box test of the program/product/code. A peer review may not be able to identify all potential issues, especially if collusion was involved. Therefore, a thorough black-box test conducted by a third-party team is the most effective measure to safeguard the project.

You seek to implement best practices and have identified other departments or individuals who have prior experience with their implementation. In addition to these sources, where else could you turn to for guidance on cybersecurity best practices?

  • A. NIST
  • B. ADA
  • C. FBI
  • D. GLBA

Explanation: A. The National Institute of Standards and Technology (NIST) operates within the U.S. Department of Commerce. NIST plays a vital role in promoting innovation and industrial competitiveness by advancing scientific research and supporting advanced technologies, including cybersecurity. Its guidance and resources can serve as invaluable references for establishing and maintaining best practices.

In the next fiscal year, all your company’s salespeople will receive a company-issued cell phone. While devising a security policy to tackle concerns such as lost or stolen data, malware, and malicious applications, one crucial risk to address is the possibility of a lost or stolen device. How should you approach this particular risk?

  • A. MDM
  • B. MAM
  • C. BYOD
  • D. TPM

Explanation: A. Mobile device management (MDM) is responsible for overseeing the hardware and cellular connection of the device. To be more specific, mobile application management (MAM) focuses on controlling the apps, storage, and restrictions on the device itself. Additionally, it provides additional security measures to mitigate risks associated with a lost or stolen device.

Your network administrator, George, contacts you to investigate the reason behind your e-commerce site experiencing two outages within the last three days. After assessing your network, you determine that the issue lies with your Internet Service Provider (ISP). You suspect that an attacker has deployed botnets that are inundating your DNS server with invalid requests. By examining your external logging service, you discover evidence of this particular kind of attack. What is the term used to describe this type of attack?

  • A. DDoS
  • B. Spamming
  • C. IP spoofing
  • D. Containerization

Explanation: A. A DoS attack involves a single-source computer system initiating the attack. In contrast, a distributed DoS (DDoS) attack involves coordinating the efforts of numerous source computers, overwhelming the system. Spamming refers to sending unsolicited messages in large quantities through messaging systems. IP spoofing entails creating IP packets with a falsified source IP address to impersonate another computer system. Containerization is an approach to virtualization that encapsulates software code and its dependencies, enabling it to function consistently across different infrastructures.

Your auditor informs you that vulnerability scans for some compliance requirements will be run quarterly. Your organization’s roadmap states the organization will begin weekly patch management. How frequently should you conduct vulnerability scans?

  • A. Monthly
  • B. Annually
  • C. Weekly
  • D. Biweekly

Explanation: C. All it takes for an attacker to gain access to your network is just one vulnerability. Therefore, even with quarterly compliance requirements, if you are patching weekly, it is crucial to scan for vulnerabilities on a weekly basis. This ensures that you can assess whether the implemented patches or compensating controls have been effective by following the vulnerability life cycle and conducting scans after the patching process. Additionally, regular scanning helps to maintain the security integrity of your network.

Your new CTO is concerned that the IT staff is not able to secure and remediate new vulnerabilities found in the latest financial software adopted by the company. The CTO is focused on reliability and performance of the cloud software. Which of the following is the best way to meet the CTO’s testing requirements?

  • A. A small firm conducts a black-box test.
  • B. A large firm conducts a white-box test.
  • C. An internal team conducts a black-box test.
  • D. An internal team conducts a white-box test.

Explanation: The black-box penetration test conducted by a small firm that has signed a non-disclosure agreement (NDA) provides a true external perspective of the environment, addressing the CTO’s requirements. Additionally, this type of test ensures the reliability and performance of the cloud software.

As a security architect, your responsibility is to ensure the proper and secure functioning of all systems. Currently, your tester is logged into the system as a user and is conducting internal mechanism tests. This allows for a comprehensive examination similar to that of an attacker. What is the name of this particular test?

  • A. A gray box
  • B. A black box
  • C. A red box
  • D. A clear box

Explanation: A gray-box test is categorized as an intermediary-level test. Testers, possessing knowledge of the system, input specific commands and subsequently verify if the obtained results align with the expected ones. This type of test combines elements of both white-box and black-box testing.

A publicly traded financial company’s security policies and procedures were recently reevaluated after experiencing a breach six months prior. Upon reviewing the incident report, they have determined the need for changes to communication procedures regarding strategic intelligence in order to enhance organizational agility and facilitate faster recovery in future situations. Why is this modification crucial for the organization?

  • A. By transmitting actionable intelligence, informed decisions can be made to effectively manage risks and ensure the safety of individuals.
  • B. Responding swiftly to an incident is the utmost priority in dealing with it.
  • C. Enhancing event response capabilities poses a challenge that no leaders wish to confront.
  • D. The ability to analyze incident feedback from stakeholders is vital for improving guidelines in incident detection.

Explanation: A. When an organization encounters a breach, it presents an opportunity for learning from the incident. By communicating strategic intelligence to the entire organization, risks can be met with expertise, ensuring the safety of company assets, including individuals. Moreover, this enables the organization to make informed decisions.

Your organization is revisiting its mobile device strategies due to the need for secure hardware on corporate networks. You aim to provide employees with options while also reducing costs. Which strategy would be most effective for deployment?

  • A. BYOD
  • B. CYOD
  • C. COPE
  • D. TPM

Explanation: B. A mobile strategy that proves successful for certain organizations is the “choose your own device” (CYOD) approach. In this model, employees are offered a selection of devices to choose from upon starting a job, such as a Mac laptop or a PC tablet. To ensure security on corporate networks, it is essential to carefully vet the available device options. Additionally, keep in mind that a CYOD strategy can help control costs while giving employees some freedom in selecting their preferred mobile device.

Identifying all potential threats is a significant responsibility. Threats can be categorized into all of the following except for:

  • A. Human error
  • B. Unsafe functions
  • C. Malicious software
  • D. Financial loss

Explanation: D. Financial loss is not included as a categorization of threats because it is better described as an impact or result to the organization. It is generally associated with a vulnerability rather than being a standalone threat.

  • A. Black box
  • B. Gray box
  • C. White box
  • D. Clear box

Explanation: A. The Common Vulnerability Scoring System (CVSS) is a generic mathematical algorithm used to assess vulnerabilities based on factors such as the CIA triad, attack vector, authentication, and complexity. However, it is crucial to understand how these vulnerabilities specifically impact your environment. To achieve this, a black-box test is necessary to prioritize vulnerabilities based on their localized impact. Additionally, it enables effective remediation of the vulnerabilities identified in the test.

What is the name of the process in which the product or system being evaluated is referred to as the “target of evaluation” and rated on evaluation levels E0 through E6?

  • A. COPPA
  • C. ITSEC
  • D. Common Criteria

Explanation: ITSEC, also known as Information Technology Security Evaluation Criteria, is an organization that still utilizes the term “target of evaluation” (ToE) and has seven evaluation levels. ITSEC was developed in Europe following the creation of TCSEC by the U.S. Department of Defense, which was more stringent and commonly known as the “orange book.” Additionally, the Children’s Online Privacy Protection Act (COPPA) enforces regulations for websites or online services targeted towards children under 13 years old, while the Cloud Security Alliance (CSA) Security Trust and Risk (STAR) provides a three-level certification framework for auditing and transparency. Finally, Common Criteria serves as the technical foundation for an international agreement regarding the utilization of secure IT products.

You are a security analyst for a small office or home office (SOHO). Despite your advice, upper management has decided to implement a Bring Your Own Device (BYOD) policy for salespeople, believing it will save costs and foster employee camaraderie. As a result, you are now faced with security challenges such as duplicate IP addresses and infected systems on the company’s network. Which of the following options should you use to address these issues?

  • A. NAC
  • B. HIDS
  • C. HIPS
  • D. Port security

Explanation: A. Network access control (NAC) provides a solution for managing visibility and access on a network through the enforcement of policies on devices and users. With the increasing use of mobile devices in organizations, it is crucial to have better visibility into these assets and strengthen the security of the network infrastructure. To mitigate the risks associated with BYOD, implementing NAC can help in addressing duplicate IP addresses and infected systems. By enforcing policies, you can gain better control over network access and reduce potential security threats.

Ian has joined a company that licenses third-party software and email services which are accessible to end users through a web browser. What is the type of organization Ian works for?

  • A. IaaS
  • B. SaaS
  • C. PaaS
  • D. BaaS

Explanation: B. SaaS providers utilize an Internet-enabled streaming service or web application to provide end users with access to software that would otherwise need to be locally or server installed. Examples of SaaS providers include Gmail and Hotmail. IaaS refers to infrastructure as a service, PaaS refers to platform as a service, and BaaS does not actually exist.

As a security architect, have you created a blended environment of both Windows and Linux? If so, which technology do you prefer to use for virtualizing an instance on top of either operating system’s kernel?

  • A. Hypervisor 1
  • B. Hypervisor 2
  • C. Containerization
  • D. Automation

Explanation: C. Containerization is a standardized unit for development and deployment, providing a standalone lightweight instance of software that includes code, system tools, third-party libraries, and settings. It is worth noting that Docker and Kubernetes are the two most popular containerization tools available.

Which option demonstrates an example of both a routable protocol and a routing protocol?

  • A. Frames and OSPF
  • B. Frames and RIP
  • C. IP and OSPF
  • D. Segments and RIP

Explanation: C. The primary routable protocol utilized in contemporary networks is IP. Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) serve as illustrations of routing protocols. Frames and segments, however, are not classified as either routable or routing protocols.

Your organization was breached, but you have been able to prove that sufficient due care was taken. What burden is eliminated?

  • A. Liability
  • B. Investigation
  • C. Financial loss
  • D. Negligence

Explanation: B. Due care refers to acting responsibly. By demonstrating due care, an organization proves that it took all reasonable precautions to safeguard its assets and environment. In the event of a breach, the organization is relieved of negligence for any losses but may still be held liable. It is important to note that due diligence involves verifying the adequacy of those actions.

You are asked to recommend a lightweight and mobile key management solution for your company’s users. Which of the following options fulfills this requirement?

  • A. EFS
  • B. TPM
  • C. microSD HSM
  • D. NTFS

Explanation: C. A microSD HSM provides hardware security module functionality on a microSD card. It is a lightweight and mobile solution. Encrypted File System (EFS) is used for encryption and not key management. A Trusted Platform Module (TPM) is a chip for key management installed on a computer’s motherboard. NTFS is a Microsoft filesystem.

A network engineer must configure a router on the network remotely. Which protocol should be utilized to establish a secure connection?

  • A. Telnet
  • B. FTP
  • C. HTTP
  • D. SSH

Explanation: D. Secure Shell (SSH) should be used in this scenario as it provides encryption for the data transmission between the engineer and the router. By encrypting the data, SSH prevents any potential attackers from being able to understand or manipulate the traffic if they were to intercept it. Conversely, the other protocols listed (Telnet, FTP, and HTTP) transmit data in plain text, which makes it susceptible to unauthorized access if it is intercepted.

VoIP relies heavily on a continuous and stable flow of packets. This becomes a concern in the face of various attacks. When there is a significant amount of packet loss, it raises doubts about the reliability of VoIP. Which of the following attacks can be likened to the familiar “busy signal” encountered in VoIP?

  • A. DDoS
  • B. SQLi
  • C. MiTM
  • D. Bluejacking

Explanation: A. A distributed denial-of-service (DDoS) attack occurs when a large number of systems target a single entity, such as a website or VoIP service. The targeted entity is flooded with a massive influx of messages, requests, or calls, leading to system overload and denial of service to legitimate users and customers. It is similar to experiencing a busy signal when trying to make a phone call.

Alice discovered a meterpreter shell running a keylogger on the CFO’s laptop. What security principle is the keylogger most likely violating?

  • A. Availability
  • B. Threats
  • C. Integrity
  • D. Confidentiality

Explanation: D. A keylogger, by design, is intended to capture the keystrokes made by the user on the keyboard. With this information, an attacker can potentially exploit websites, usernames, and passwords entered by the victim. This compromises the confidentiality of sensitive information.

When reviewing the business impact analysis presented for your approval, you observe that it contains an excessive amount of mathematical calculations, neglecting a narrative approach. How can the balance of this BIA be improved?

  • A. Increase the inclusion of qualitative analysis
  • B. Increase the inclusion of quantitative analysis
  • C. Increase the inclusion of gap analysis
  • D. Increase the inclusion of risk analysis

Quantitative analysis relies on numerical data and calculations, while qualitative research relies on written descriptions. Both approaches should be incorporated into a comprehensive BIA to provide an accurate and informative assessment for decision-making purposes. Failure to include both types of analysis may result in an incomplete understanding of the situation. Enhancing the balance of the BIA involves considering and including both quantitative and qualitative aspects.

Mobile apps in your environment are causing concern due to unintentional data leakage. “Riskware” applications pose the biggest threat to mobile device users who grant all permissions requested without considering the necessity or security of these permissions on their laptops, tablets, and wearable devices. These types of apps are typically free and can be found in official app stores. What advice should you give to mobile device users regarding data leakage?

  • A. Ensure that your network is fast.
  • B. Instruct users to frequently check for upgrades.
  • C. Only grant apps the permissions they absolutely need, and uninstall any app that requests excessive permissions.
  • D. Grant apps all the permissions they ask for.

Explanation: C. Only grant apps the permissions they absolutely need and uninstall any app that requests excessive permissions. For instance, there is no valid reason for a flashlight app to record your voice or have access to all your photos and videos.

You are working on the maturity of your vulnerability management processes. You have implemented network vulnerability testing, but you have concerns about the internal applications and web forms on the intranet. Which type of tool should you utilize to scan for Common Weakness Enumerations (CWEs)?

  • A. Application scanner
  • B. Fuzzer
  • C. Attack scanners
  • D. CIS scanners

Explanation: An application scanner can assist in ensuring that software applications are devoid of the flaws and weaknesses often exploited by attackers to extract and misuse data. Flaws such as backdoors, malicious code, and threats can be found in both commercial and open source software. Additionally, it is crucial to scan internal applications and web forms to identify and mitigate any potential CWEs.

An employee brings you a computer to retrieve data from, but you are unable to boot it up by turning on the power button. You ask the employee if they have backed up their files, and they respond negatively. What steps should you take to recover as much data as possible?

  • A. Remove the hard drive from the computer and install it in a new machine, then attempt to boot up from the hard drive.
  • B. Utilize the operating system’s data recovery wizard to move files to the cloud.
  • C. Disconnect the power and battery, followed by removing the hard drive. Connect it to a new PC, boot up, and access the hard drive if feasible.
  • D. If the computer cannot boot up in its default state, recovery is not possible.

Explanation: In cases where the damage is either physical or logical, the standard procedure involves removing the hard drive if the computer cannot boot up. By connecting it to a functioning computer, files can be retrieved immediately. However, if the hard drive’s platters do not spin, it becomes necessary to send it to a professional company, unless you possess a clean room.

An analyst has been trying to obtain a budget for a new security tool. What should the analyst provide to management as support for the request?

  • A. Threat reports and a trend analysis
  • B. Interconnection security agreement (ISA)
  • C. Master service agreement (MSA)
  • D. Request for information (RFI)

Explanation: A. The analyst should provide threat reports and a trend analysis to support the request. An ISA, MSA, and RFI are business documents that are typically used after management has approved the budget. An ISA is an agreement between organizations to document the technical requirements of interconnection. It also supports a memorandum of understanding or agreement (MOU/A) between the organizations. An MSA is a contract made between two or more parties that governs future agreements or transactions. An RFI is a process used to collect information about suppliers for comparison.

Your terminated IT network administrator turned in their company iPhone. You found that they were able to remove the limitations put in place by the device’s manufacturer. Third-party software is installed on the device. What did the IT network administrator do?

  • A. Locking
  • B. Rooting
  • C. Jailbreaking
  • D. Recompiling

Explanation: C. Some people have the perception that jailbreaking is used only to engage in malicious activities or piracy. However, jailbreaking also allows users to make changes to the default browser and mail client, as well as use software that is not approved by the manufacturer. In addition to maintaining an inventory of mobile devices, it is important for companies to have a security policy and a scanning process in place. Some organizations conduct an annual “eyes on inventory” where IT physically scans mobile devices once a year. This helps ensure the security and compliance of company devices.

The Cisco switch port you are using for traffic analysis and troubleshooting is currently in an “error-disabled state”. How can you reenable it after entering privilege exec mode?

  • A. Issue the no shutdown command on the error-disabled interface.
  • B. Issue the shutdown and then the no shutdown command on the error-disabled interface.
  • C. Issue the no error command on the error-disabled interface.
  • D. Issue the no error-disable command on the error-disabled interface.

Explanation: B. A switched port analyzer (SPAN) port is a dedicated port on a switch that receives a mirrored copy of network traffic and sends it to a monitoring device. To bring a switch port out of the error-disabled state, you should go to the interface and issue the shutdown and then the no shutdown commands. By doing this, the port will be reenabled and operational again.

  • A. Hashcat
  • B. Netcat
  • C. Wireshark
  • D. Splunk

Explanation: A. Hashcat is a powerful tool used for fast password cracking and recovery. It offers different cracking techniques such as straight and brute-forcing cracking, reverse masking, and dictionary attacks. Hashcat takes a password, hashes it, and compares the resulting hash with the target hash it is attempting to crack. If the hashes match, the password is successfully determined. It is worth noting that Hashcat can utilize a massive wordlist, such as the one available at, containing 14 million passwords. It is crucial to verify that your passwords are not present in this list to maintain security.

Your company has hired a security engineering consultant to conduct a black-box penetration test on the client-facing web portal. Which of the following options is the most suitable?

  • A. Increase the use of protocol analysis on the site to check if the browser is replaying ports.
  • B. Utilize a port scanner to scan the site and identify any vulnerable services running on the web application server.
  • C. Develop network enumeration tools to locate the server.
  • D. Employ an HTTP interceptor to scan the site and identify potential areas for code injection.

Explanation: Option B is the only legitimate process. It involves scanning the client-facing web portal to identify any exposed ports and determine if the services running on those ports are susceptible to vulnerabilities.

Your system administrator has attempted to access low-level systems on their phone in order to uninstall system applications and revoke permissions on installed apps. What is the term used to describe this type of access?

  • A. Malware
  • B. Unlocking
  • C. Rooting
  • D. Jailbreaking

Explanation: C. Rooting is the process of gaining root access on a mobile device. This process is commonly performed on Android devices, while jailbreaking is typically performed on iPhones. Rooting allows users to bypass the security architecture of the device, but it can result in damage if not executed correctly. Manufacturers generally discourage end users from having root access.

You were asked to recommend a solution for intercepting and mirroring network traffic to analyze its content for malicious activity without interacting with the host computer. Of the following, which solution is considered the best?

  • A. System scanner
  • B. Application scanner
  • C. Active vulnerability scanner
  • D. Passive vulnerability scanner

Explanation: D. A passive vulnerability scanner is capable of intercepting network traffic and analyzing its content for malicious activity without causing any interference with the host computer. It should be noted that both the system scanner and application scanner are active vulnerability scanners, which interact with the host computer and may potentially lead to a host computer crash. It is important to choose a solution that ensures a secure and efficient analysis of network traffic.

After conducting a vulnerability scan, critical vulnerabilities were detected in certain services that are installed on a Windows server. These vulnerabilities have the potential to pave the way for a server-side attack. Which of the following mitigation techniques is the least efficient in tackling this issue?

  • A. Patching
  • B. System hardening
  • C. Firewalls
  • D. Identity management

Explanation: D. Patching, hardening, and firewalls are all effective mitigation techniques employed to safeguard against server-side attacks. On the other hand, identity management primarily focuses on access control. Therefore, among the given options, identity management is the least effective in addressing these vulnerabilities.

Your department was given the web application by your web application designers for a Q&A review. What is the most effective tool to identify flaws such as SQLi or CSS in the web application that require approval?

  • A. Nessus
  • B. LogRhythm
  • C. Acunetix WVS
  • D. Autopsy

Explanation: C. Acunetix WVS (web vulnerability scanner) is specifically designed to uncover web vulnerabilities. It offers a login sequence recorder that allows access to password-protected areas of a website. Additionally, it can scan any WordPress site for over 1,200 vulnerabilities.

You consider yourself to be a white-hat hacker with expertise in social engineering. Do you possess the qualifications required for a red team black-box engagement?

  • A. No, the skill set remains unchanged.
  • B. Yes, the skill set differs.
  • C. No, the skill set required is completely opposite.
  • D. Yes, the skill set is similar.

Explanation: D. A white-hat hacker has a passion for assisting, while the black-hat hacker is typically motivated by financial gain. Red team and blue team members possess similar skill sets, with the red team acting as the aggressor and the blue team as the defender. In a white-box engagement, you are familiar with the company’s processes and landscape, whereas in a black-box engagement, you approach the target from an external standpoint.

You work for a software company and are building an SLA template. The SLA is what the IT organization as a whole is promising to the customer. Which of the following documents can best be used to support the SLA?

  • A. PLA
  • B. OLA
  • C. NDA
  • D. DBA

Explanation: B. A service level agreement offers precisely measured statements such as “There will be less than 50 lost labor hours per year due to computer maintenance.” The operational level agreement (OLA) states what the functional IT group will need to do in relation to each other to support the SLA. For example, an OLA may state, “The server team will perform server patching every Friday at 5 p.m.” A privacy level agreement (PLA) is a cloud-based document that contractually agrees that the information hosted will not be shared or seen by anyone with a conflict of interest. A nondisclosure agreement (NDA) establishes a confidential relationship. The party or parties signing the NDA agree that sensitive information they may obtain will not be made available to any others. Doing business as (DBA) refers to a company’s operating name rather than its legal name.

The corporate contract with your current mobile device provider is nearly over, and you are considering moving to a new provider. Many phones, particularly those subsidized with a contract, are locked into a specific carrier. Additionally, you want to ensure that there is no data theft or leakage from the devices. The phone is specifically configured to operate only with that carrier. What is the necessary action to transfer your mobile phone fleet to a new carrier?

  • A. Jailbreak
  • B. Root
  • C. Lock
  • D. Unlock

Explanation: D. When attempting to insert a SIM card from a different carrier into a phone that is locked to another carrier, a message will appear stating that the phone is locked. While certain carriers may unlock the phone once the contract is complete, others may refuse to do so. To ensure compatibility with a new carrier, it is necessary to unlock the phone. Furthermore, be aware that some phones may be able to be unlocked through a jailbreaking or rooting process, but this can void warranties and may not be supported by all carriers.

Charles has received the final documentation from a compliance audit, which suggests that his organization should implement an additional security tool to complement the firewall and detect any scanning attempts. Which device will Charles choose?

  • A. RAS
  • B. PBX
  • C. IDS
  • D. DDT

Explanation: C. An intrusion detection system (IDS) is utilized to identify and defend against intrusion from an external untrusted network into an internal trusted network. It can be deployed to monitor network traffic behind the firewall, detecting any successful attempts to bypass the firewall, as well as any suspicious activity originating from within the trusted network. Moreover, a RAS (remote access service) is a combination of hardware and software that facilitates remote access tools connecting a client to a host computer. As for a private branch exchange (PBX), it is a telephone network exclusively used within a specific company. Lastly, DDT refers to a synthetic insecticide that was originally developed to combat malaria.

One of Robert’s objectives and key results (OKRs) for the upcoming year is to modernize the IT strategy by adopting a virtual cloud and utilizing new features and storage. He understands that when intellectual property is stored in the cloud, he may have reduced visibility and control as a consumer. What is another significant security concern for important data stored in the public cloud compared to the private cloud?

  • A. Cost effectiveness
  • B. Elastic use
  • C. On-demand availability
  • D. Data remnants

Explanation: D. In addition to the risk of lost data due to attacks or accidents, it is crucial to consider whether the vendor can ensure that your data is securely deleted on demand and that remnants of the data are not accessible to others in the cloud. While the public cloud offers cost-effectiveness and the ability to scale machines elastically, both public and private clouds can provide on-demand deployment of assets. Hence, the primary security concern in this context would be the presence of public data remnants.

You are assisting with a physical penetration test for a jewelry store chain. The organization’s goal is to deter potential thieves from utilizing a vehicle to forcefully enter the store and steal valuable merchandise. Based on this scenario, what defense mechanism would you recommend?

  • A. Security guards
  • B. Iron gate
  • C. Motion detector
  • D. Bollards

Explanation: D. Bollards are sturdy and robust posts strategically positioned in front of buildings to prevent accidental collisions or unauthorized vehicular intrusion into a secure facility. In addition to serving as a visual deterrent, they act as a physical barrier, effectively safeguarding the store against potential threats.

You are tasked with conducting a risk analysis based on its impact on business processes. What is the actual activity you are performing?

  • A. Gap analysis
  • B. Disaster recovery
  • C. Intrusion detection system
  • D. Business impact analysis

Explanation: D. A business impact analysis (BIA) is crucial for the survival of a business as it helps identify the priority processes, systems, and operations. It determines how the interruption of your business operations could affect your organization. Key areas to focus on include the loss of data, equipment, and revenue, as well as the loss of staff, reputational damage, and other types of business losses. Business impact analysis is an essential step in developing a disaster recovery (DR) plan. Gap analysis assesses the performance differences between a business’s information systems or software applications to ensure that business requirements are being met. Disaster recovery is a security planning area that aims to protect an organization from the consequences of significant negative events. An intrusion detection system (IDS) is a device or software application that monitors a network for malicious activity or policy violations.

Your organization creates a business case for purchasing company-owned, personally enabled (COPE) mobile devices. One issue with mobile device open source operating systems is the increased disparity that arises from manufacturers creating their own versions and updates. How can we best describe this problem?

  • A. Morphism
  • B. Instantiation
  • C. Fragmentation
  • D. Mutation

Explanation: C. When an original equipment manufacturer (OEM) creates a new phone, they have the ability to customize the open source operating system for their specific device. With numerous manufacturers in existence, this customization process leads to an increased fragmentation of the operating system over time.

Your news organization is dealing with a recent defacement of your website and secure web server. The server was compromised during a three-day holiday weekend when most of the IT staff was not working. The network diagram, in order from outside to inside, includes the Internet, firewall, IDS, SSL accelerator, web server farm, internal firewall, and internal network. You attempt a forensic analysis, but all the web server logs have been deleted, and the internal firewall logs show no activity. As the security administrator, what should you do?

  • A. Review sensor placement and examine the external firewall logs to identify the attack.
  • B. Review the IDS logs to determine the origin of the attack.
  • C. Correlate all logs from all devices to identify where the organization was compromised.
  • D. Reconfigure the network and place the IDS between the SSL accelerator and server farm to better identify the cause of future attacks.

Explanation: A. Placing an IDS sensor in your network for intrusion detection requires considering your end goal. If you want to identify threats from the Internet that are targeted at your organization, you should place the IDS outside the firewall. If you want to detect potentially malicious internal traffic within your network perimeter, you should place the monitor between the firewall and the internal LAN. Consider the importance of your network traffic and identify the relevant point in your network that the traffic must pass through to reach its destination.

You have an employee, Face, who has downloaded a health app in their browser. The browser extension is tracking all physical locations and accessing photos, videos, and browser activity. What is this referred to as?

  • A. Worm
  • B. Trojan
  • C. Virus
  • D. Ransomware

Explanation: B. Trojans are malicious software that masquerade as legitimate programs. In a recent study conducted by Kaspersky Lab, it was discovered that a Trojan called Razy is utilizing unique techniques to infect systems. This Trojan targets authentic browser extensions and manipulates search results in order to steal virtual coins from cryptocurrency wallets owned by victims.

  • A. NIST
  • B. Wireshark
  • C. Maltego
  • D. Nmap

Explanation: C. Maltego is an open-source platform that can be used as a forensics tool to demonstrate the complexity of your infrastructure. With Maltego, you can discover individuals, the structure of emails, websites, domains, IP addresses, DNS, and even documents and passwords. It features a customizable GUI interface. Additionally, it allows for the creation of a real-world connection between people, websites, and your company.

Matthew’s enterprise network is dealing with an increase of malicious activity that is being traced back to insiders. Much of the activity seems to target privileged users, but Matthew does not believe that most of this activity is coming from the actual employees on the network. What is the most likely solution to deter these attacks?

  • A. Role-based training and best practices
  • B. More frequent vulnerability scans
  • C. Full disk encryption
  • D. Tightening security policy for least privilege and separation of duties

Explanation: D. If you analyze the kill chain for cybersecurity, you will find that attackers often use phishing campaigns to target insiders. Once they gain access, the attacker will employ privilege escalation techniques to move laterally and attempt to gain higher permissions across the network. They specifically target domain administrators and other privileged accounts to cause extensive damage or retrieve valuable proprietary information. Therefore, tightening the security policy for least privilege and separation of duties would be the most effective method to deter these attacks.

Your organization’s primary network backup server went down at midnight. Your Recovery Point Objective (RPO) is nine hours. What time will you exceed the tolerable business process recovery given the volume of data lost within that time frame?

  • A. 6 a.m.
  • B. 9 a.m.
  • C. Noon
  • D. 3 p.m.

Explanation: B. If your RPO is nine hours and the last available backup copy is from midnight, you have until 9 a.m. to restore the network backup server before it surpasses the RPO. However, it is crucial to ensure that the backup server is up and running by then to avoid exceeding the recovery time objective.

Data privacy is of utmost importance to your organization, and this includes Protected Health Information (PHI) and Personal Health (PH) information. As a security architect, your responsibility is to safeguard instant messages. Which option among the following is the most effective in protecting these messages?

  • A. SMS
  • B. Encryption
  • C. Surveillance
  • D. Transmission

Explanation: B. In the event that a service provider is compromised, it can lead to the unauthorized disclosure of crucial or sensitive information. To mitigate such risks, implementing end-to-end encryption is highly recommended as it minimizes the possibility of an attack. It ensures that only the intended recipient(s) can access the encrypted messages, ensuring the confidentiality and integrity of the communication.

After merging with a newly acquired company, Gavin arrives at work on Monday morning only to discover a metamorphic worm has infiltrated the parent organization from the newly acquired network. The security administrator has already contained the worm by using a network traffic access point (TAP) that mirrors all the traffic from the new network. It has been identified that the worm is spreading on TCP port 445. What advice does Gavin give the administrator to minimize the attack immediately?

  • A. Run Wireshark to monitor traffic on TCP port 445.
  • B. Update the antivirus software and conduct a full scan of the entire enterprise.
  • C. Check the SIEM for alerts regarding any asset with TCP port 445 open.
  • D. Deploy an ACL to all HIPS: DENY-TCP-ANY-ANY-445.

Explanation: D. A network TAP is an external network device used to create a copy of the traffic for monitoring purposes. It plays a crucial role in the organization’s network stack by allowing traffic mirroring. The network TAP device is strategically placed in the network’s path to capture and forward data packets to a monitoring device. By deploying the appropriate ACL rule, all data transactions through port 445 will be immediately blocked. While the other options may be effective, they would require more time to halt the spread of the worm.

Your end users utilize Microsoft Office. A few users have reached out for approval to install ActiveX. How can you advise those end users to use ActiveX securely?

  • A. If you come across a website that prompts you to install an ActiveX control, it is advisable to decline the installation request.
  • B. In the event that a website requests the installation of an ActiveX control, it is recommended to accept the installation.
  • C. It is advised to request the software being downloaded to undergo a vetting process.
  • D. ActiveX cannot be used securely; alternatively, Flash must be utilized.

Explanation: A. Microsoft ActiveX controls should only be installed when essential, uninstalled when no longer needed, and downloaded exclusively from trusted sources. ActiveX controls, also known as add-ons, are inherently insecure and deprecated as of August 31, 2020. Flash, which was used for multimedia content and audio streaming, has reached its end of life as of December 31, 2020. Adobe strongly advises immediate uninstallation of Flash Player to safeguard systems.

You assisted your networking organization in upgrading the speed and capabilities of your wireless local area network (WLAN). Currently, everyone is using equipment based on the 802.11g standard with central access points. Which of the following options would increase the speed?

  • A. 802.11a
  • B. 802.11b
  • C. 802.11n
  • D. WiMAX

Explanation: Among these options, 802.11n would provide the best speed for devices compatible with 802.11g, with a throughput of up to 600 Mbps. Devices using the 802.11n standard can transmit in both the 2.4 GHz and 5.0 GHz frequency ranges. WiMAX, on the other hand, is based on IEEE 802.16.

Your company has encountered an unexpected emergency and now requires the implementation of a business continuity plan (BCP). Who bears the responsibility of initiating the BCP?

  • A. Senior management
  • B. Security personnel
  • C. Recovery team
  • D. Database admins

Explanation: A. In the event of a disaster or emergency, it falls upon the senior management to initiate the BCP. The recovery team assumes the duty of executing the necessary actions outlined in the BCP. Although security personnel may play a role in the BCP, they will receive instructions from either management or the recovery team.

Your security manager has requested an addendum to your corporate security policy. This policy states that whenever a device is lost or stolen, the enterprise should have measures in place to safeguard its data on that device. Simply relying on applications to locate the missing device is not sufficient. What should this policy recommend?

  • A. Incident detection and response
  • B. Implementation of remote lock and data wipe
  • C. Replacement of the lost/stolen device and destruction of the old one
  • D. Termination of the employee if necessary

Explanation: B. One of the most crucial steps in mitigating risks and threats associated with mobile devices is to enforce a rigorous remote lock and data wipe policy. This additional layer of protection ensures the safety of sensitive information. Additionally, such policies should be regularly reviewed and updated to maintain the highest level of data security.

Jonathan, a senior architect, has submitted budget requests to the CISO for upgrading their security landscape, which includes purchasing a security information and event management (SIEM) system in the new year. The primary function of a SIEM tool is:

  • A. Blocking malicious users and traffic
  • B. Monitoring the network
  • C. Automating DNS servers
  • D. Monitoring servers

Explanation: D. A SIEM tool performs real-time analysis of security incidents and events by monitoring servers on your network. It can examine and correlate the logs produced by the servers, either through hardware or software. Additionally, a SIEM can be utilized for monitoring alerts from an IDS and conducting trend analysis. In case of any anomaly, rules are written to inform security administrators.

Legacy applications in your environment are using a Java applet written in Pascal to display data in 3D. However, Java applets were phased out in 2017 according to JEP 289 in the OpenJDK. What steps should you consider taking in the near future?

  • A. Coding the business logic in Java and rendering in HTML5
  • B. Building the program in Silverfrost
  • C. Requesting an extension to maintain Java SE10—the last version of Java to support Java applets
  • D. No need to deprecate the existing legacy equipment

Explanation: A. HTML5 is a revised version of the Hypertext Markup Language (HTML), which is the standard programming language for describing the appearance and contents of web pages. HTML5 was developed to address compatibility issues present in the previous standard, HTML4. One major difference is that older versions required proprietary plug-ins and APIs, causing compatibility issues across different browsers. HTML5 provides a common interface that simplifies loading elements, eliminating the need for Flash plug-ins. Additionally, HTML5 defines the behaviors of web page content and encourages interoperability.

You decide to use a Type 2 hypervisor to deploy commercial software for suitability, vulnerabilities, and functionality testing. Your CISO questions your decision to use a Type 2 hypervisor rather than a VMM. Which of the following is not a valid explanation?

  • A. A virtual machine monitor (VMM) is another term for a hypervisor. A hypervisor is software that can virtualize the physical components of computer hardware.
  • B. A Type 1 hypervisor is installed directly on a bare-metal server, meaning it functions as its own operating system. Type 2 hypervisors utilize a host OS that is compatible with commercial software.
  • C. A virtual machine (VM) is an instance of a device that runs on a hypervisor. It creates a computing virtual environment that relies on a hypervisor to communicate with the underlying physical hardware.
  • D. The term “virtual machine” is used to describe internet-enabled streaming services or web applications that allow end users to activate software locally.

Explanation: D. Software as a service (SaaS) is a cloud computing term. SaaS providers utilize streaming services or web applications to enable users to interact with software. Additionally, virtual machines do not refer to internet-enabled streaming services or web applications in this context.

You have completed a structured walk-through of your disaster recovery plan. Senior management is requesting that you utilize the most effective method to ensure that the DRP is adequate and lacks any deficiencies. What test would you opt for next?

  • A. Round-table exercises
  • B. Dry-run exercises
  • C. Full interrupt test
  • D. External audit

Explanation: C. To truly ascertain the effectiveness of a disaster recovery plan (DRP) test, conducting a full interrupt test is the ultimate choice. It is essential to obtain approval from senior management. Only through the complete implementation in a real-world scenario can you validate the plan’s efficacy. However, it is important to note that a full interrupt test can be expensive and can disrupt normal business operations if the test fails. The primary site is temporarily shut down, and operations are shifted into recovery mode.

You have deployed containers to bundle and run applications in your production environment. It is crucial to manage these containers effectively and ensure minimal downtime. In the event of a container failure, you need a technology that automatically spins up another container without manual intervention. Which technology fulfills this requirement?

  • A. Kubernetes
  • B. Instantiation
  • C. Rollback
  • D. Tiagra

Explanation: A. Kubernetes is a powerful framework that enables the operation of resilient distributed systems. It not only takes care of scaling, failovers, and load balancing but can also be configured to automatically terminate containers that fail a health check. With Kubernetes, you can ensure continuous availability and reduce the need for manual intervention in case of failures.

Janet has critical files and intellectual property on several filesystems and needs to be alerted if these files are altered by either trusted insiders abusing their privileges or malware. What should she implement?

  • A. File Integrity Monitoring (FIM)
  • B. Payment Card Industry (PCI)
  • C. Domain Name System (DNS)
  • D. Transmission Control Protocol (TCP)

Explanation: A. File Integrity Monitoring (FIM) is a security technique used to protect IT infrastructure and business data. FIM can detect changes made to application files, operating system files, and log files, indicating a potential breach by an attacker or malicious insider. The PCI Standard, mandated by card brands and administered by the Payment Card Industry Security Standards Council, ensures the security of payment card transactions. The Domain Name System (DNS) is a hierarchical and decentralized naming system used to identify computers, services, and resources on the internet or a private network. Transmission Control Protocol (TCP) is a primary protocol in the Internet Protocol suite and is commonly referred to as TCP/IP. It complements the Internet Protocol in network implementation.

A new business has been acquired by your organization. Your CISO informs you that you will be responsible for overseeing the project that merges the two organizations. As the security manager, what is your first course of action?

Explanation: A. The initial step in merging two distinct organizations is to conduct a thorough risk analysis. This analysis will inform the development of an interconnection policy, allowing for a secure merger of the two entities.

You work as a security program manager in a large hospital complex. Your supplier has requested the exchange of documents through EDI. How does this impact your hospital?

  • A. Utilizing purchase orders
  • B. Utilizing postal mail, fax, and email
  • C. Utilizing order management systems
  • D. Utilizing an electronic format

Explanation: D. Electronic Data Interchange (EDI) refers to the computer-to-computer exchange of business documentation in a standardized electronic format. Implementing EDI correctly can lead to cost reduction, faster processing speed, and a decrease in errors. This exchange of EDI documents typically occurs between business partners.

You are a security administrator for a network that employs Fibre Channel over Ethernet (FCoE). The network administrator wishes to retrieve raw data from the storage array and restore it to another host. Which of the following could potentially impact availability?

  • A. The compatibility of the new host with FCoE might pose a problem.
  • B. The data may not be in an accessible format.
  • C. The process could lead to bottlenecks.
  • D. Deduplication will take place.

Explanation: B. In some cases, the data retrieved may not be in a compatible format, making it difficult to restore to a different application or host. It is important to ensure that the restored data can be utilized effectively.

You are a server administrator for a large enterprise using Windows, Linux, and macOS. You need to find a web service that supports XML-based protocols for enabling HTTP and SMTP. Which technology is most suitable for this method of information exchange?

  • A. HTTPS
  • B. SSL
  • C. SOAP
  • D. SAMLv2

Explanation: C. Simple Object Access Protocol (SOAP) is a straightforward messaging protocol used for exchanging information through web services that have different protocols and operating systems. SOAP allows developers to authenticate, authorize, and communicate using Extensible Markup Language (XML). In this case, SOAP would be the best technology to enable HTTP and SMTP communication using XML-based protocols.

Your business needs to adhere to PCI requirements, which involve following certain standards and regulations. These standards and regulations emphasize the importance of monitoring and managing data to maintain its integrity. Which software should you implement for this purpose?

  • A. SOX
  • B. FIM
  • C. IaaS
  • D. Cloud

Explanation: B. File integrity monitoring (FIM) is a crucial aspect of PCI DSS compliance. It helps ensure the integrity of data by monitoring and managing any changes to files and configurations. FIM software creates a baseline to determine the current status and stores it in an uneditable database using cryptographic hashes. It is essential for maintaining compliance with PCI standards, especially as configurations and networks evolve.

You are an IT manager, and the software list that your employees must use has grown to the point where it is required to implement federated identity SSO. It is necessary to use an extensible markup language for exchanging provisioning requests for account creation. Which of the following options is the most suitable for this task?

  • A. SAML
  • B. cURL
  • C. SOAP
  • D. SPML

Explanation: D. SPML is a standard used for federated identity that enhances the automation of user account management operations. It presents LDAP in an XML format. SAML is also XML and is utilized for exchanging authentication and authorization. Moreover, it is commonly used in browsers for SSO.

Which code consists of binary instructions that are directly understandable by the CPU?

  • A. Byte code
  • B. Machine code
  • C. Source code
  • D. JavaScript

Explanation: Machine code, also known as machine language, is a set of instructions that is directly machine-understandable and processed by the CPU. Unlike byte code and source code, machine code is in binary format (0s and 1s). It is considered the lowest-level representation of source code and is obtained after compilation or interpretation. Byte code serves as an intermediary between source code and machine code and is the result of compiling a high-level language source code.

Your organization is currently undergoing a physical penetration test. Which of the following tools is typically found in the tester’s toolkit?

  • A. Buttset
  • B. Toner probe
  • C. Amp set
  • D. Lock picks

Explanation: D. Locks are utilized to secure and fasten something, ensuring that only individuals with the corresponding key can access it. In order to unlock a lock, testers may utilize lock picks or skeleton keys to manipulate the internal tumblers. These tools allow unauthorized access to be gained.

New zero-day attacks are released on a regular timeline against many different technology stacks. Which of the following actions would be most beneficial for you, as a security manager, to implement in order to mitigate the risk from these attacks?


Explanation: A. CIS Top 20 controls is a prioritized set of best practices developed by leading security experts. Among the most crucial of these practices is having a comprehensive inventory of your hardware and software, as well as their locations.

You oversee hardware distribution for your global enterprise. You conduct a data analysis to determine the failure rates of a particular brand and model of laptop. Your objective is to calculate the average frequency of occurrences when this specific model is expected to break within a year. Which of the following options best defines your calculation?

  • A. Annualized rate of occurrence
  • B. Exposure factor
  • C. Single loss expectancy
  • D. Annualized loss expectancy

Explanation: A. An annualized rate of occurrence (ARO) refers to the average number of times a specific event is expected to occur within a year. The annualized loss expectancy (ALE) is calculated by multiplying the ARO by the single loss expectancy (SLE), which represents the estimated loss per year. In simple terms, ALE = ARO x SLE.

For security purposes, it is important to consider both hardware and software when examining the system development life cycle. In order to achieve this, it is necessary to have a CPU that can distinguish between different memory areas, one for instructions and the other for storage. What is the term used to describe this function?

  • A. NX
  • B. CN
  • C. AR
  • D. C++

Explanation: A. NX stands for no execute and is a feature in a CPU that enables the segregation of storage and instruction functions. Some companies may use their own acronyms to promote their security features. Intel, for example, refers to this feature as XD, which stands for execute disable, while AMD uses EVP, which stands for enhanced virus protection, to describe the same functionality.

One of your managers has asked you to conduct research on data loss prevention techniques in order to safeguard data from cyber attackers who aim to monetize stolen information. Which DLP solution would you suggest?

  • A. Encryption and tokenization
  • B. HIPAA and PCI
  • C. Identity and access management
  • D. NIST frameworks

Explanation: A. By implementing encryption and tokenization, you can ensure that even if data is compromised, it cannot be exploited for financial gain. These measures also enable secure data transfer within a large organization, facilitate data analysis, minimize risks, and align with compliance requirements such as PCI, PII, and PHI. Additionally, encryption and tokenization help protect sensitive information from unauthorized access.

Edwin, a senior security analyst for a large online news organization, recently discovered that his organization experienced an XSS attack, which allowed malicious web-scripting code to execute on a trusted web page. How can Edwin ensure that this does not occur in the future?

  • A. To prevent XSS attacks, it is crucial to ensure that the web application can effectively validate and sanitize input provided by users.
  • B. Immediate implementation of patch management is necessary to address any vulnerabilities that may have allowed the XSS attack to occur.
  • C. Edwin should consider requesting an external penetration test to further assess the security measures of the organization’s web application.
  • D. It is important to note that Edwin may not be able to entirely prevent this type of attack on a web server that is publicly accessible.

Explanation: XSS attacks, similar to XSRF attacks, aim to steal sensitive user information. By implementing proper input validation and sanitization, a web application can effectively mitigate the risks associated with XSS attacks. Failure to properly sanitize user input allows attackers to inject malicious code via form input, enabling them to exploit vulnerabilities. It is important for Edwin to stay proactive in his security measures to safeguard the organization’s web application from future attacks.

Your facility was broken into, but the cameras did not have sufficient light to capture anything of substance. Your manager tasks you with exchanging the cameras with ones that are better suited for night recording. What type of camera do you choose?

  • A. IDR
  • B. IR
  • C. CDR
  • D. Dome

Explanation: B. Infrared (IR) cameras enable night vision by utilizing light with wavelengths that are imperceptible to the human eye. If you require nocturnal surveillance, opt for an IR camera. Additionally, these cameras are capable of capturing clear footage even in low-light conditions.

You are hired by a large enterprise as a systems security consultant to evaluate and make recommendations for increasing the network security posture. It is your first meeting with the stakeholders. What is your first question?

  • A. What are your business needs and the corporate assets that need to be protected?
  • B. What hardware and software do you currently have, and what would be most effective in securing your network?
  • C. What is your budget?
  • D. When is your next audit, and who will be on my team to carry out this security plan?

Explanation: After being hired as an expert in network security, it is crucial to understand the specific needs of the business and identify the corporate assets that require protection. Different businesses will have different priorities and requirements depending on their industry, for instance, a bank will have a distinct set of priorities compared to a healthcare facility. Therefore, understanding the business needs and the assets that require protection is essential in formulating an effective security plan.

You have been handling an incident and have finally arrived at the final step of the incident response process. What is the final step?

  • A. Recovery
  • B. Announcement
  • C. Public relations
  • D. Lessons learned

Explanation: D. You do not want to encounter the same incident again. Once you have completed all the steps in the incident response process, it is essential to gather all stakeholders and document the lessons learned to prevent the repetition of such incidents. In some organizations, this step is referred to as building the after-action report (AAR).

An internal security audit of your organization shows that consistent security configurations are required. To address this, your department decides to implement a standard image across all servers and workstations. How can you identify any unauthorized changes?

  • A. Vulnerability assessments
  • B. Compliance reports
  • C. Continuously monitor audit logs
  • D. Scan computers against the established baseline

Explanation: D. There are various tools available that enable baseline scans for configuration. These scans assess each configuration item either on a predetermined timeline or by utilizing agents. In this way, any deviations from the established baseline can be detected.

Eddie is in search of an antivirus detection tool that employs a rule or weight-based system to assess the potential threat of a program function. Which type of antivirus would be suitable for him?

  • A. Behavioral
  • B. Signature-based
  • C. Heuristic
  • D. Automated

Explanation: C. A heuristic antivirus application scrutinizes the code and seeks out particular commands or instructions that are not typically present in an application. In addition to this, a behavioral detection antivirus program monitors the operating system for any suspicious activity or behavior that deviates from the normal range.

  • A. CSRF
  • B. XSS
  • C. SQLi
  • D. Directory traversal

Explanation: A. When the webpage is loaded, the victim’s browser sends a request using the legitimate cookie from the initial login. Cross-site request forgery, also known as CSRF or XSRF, is a malicious exploit where unauthorized commands are submitted from a user that the web application trusts. Cross-site scripting attacks, also known as XSS attacks, target scripts embedded in a page that execute on the client side (in the user’s web browser) rather than the server side. SQL injection is a web security vulnerability that allows an attacker to interfere with the database queries made by an application, potentially giving them access to unauthorized data. The directory traversal attack, also known as a path traversal attack, grants an attacker access to files, directories, and commands stored outside the root directory. This attack manipulates the resource location requested in the URL using the special-character sequence “../”. If successful, an attacker might be able to read or modify arbitrary files on the server and gain control of the server.

Your department is overwhelmed with requests for personally identifiable information (PII). What measures should you implement to safeguard this information?

  • A. Utilize encryption, strong passwords, multi-factor authentication (MFA), and regularly create backups.
  • B. Retain old media containing personal data indefinitely.
  • C. Avoid automating updates, as it may disrupt workflows.
  • D. Opt for public Wi-Fi instead of a corporate wireless network.

Explanation: A. There are several effective methods to protect personally identifiable information (PII). Employ encryption, strong passwords, multi-factor authentication (MFA), and backups. Additionally, it is essential to establish policies regarding the duration for retaining personal information, the frequency of system updates, and the imperative use of a secure wireless network when handling PII. In this way, you can ensure comprehensive information security.

Your division is responsible for managing a range of expensive equipment, with prices varying from several hundred to several thousand dollars. Multiple facilities are involved in monitoring these tools, and it is essential to have an efficient tracking system in place to minimize replacement costs and improve employee productivity. Which option do you prefer for tracking?

  • A. RFID tags
  • B. QR codes
  • C. Bar codes
  • D. ISBNs

Explanation: A. RFID (Radio Frequency Identification) is a tracking system that utilizes radio frequency technology. By attaching RFID tags to the equipment, you can easily track the tools and identify the user who has checked them out. Additionally, if you have a portal-type entrance/exit reader, it enables you to determine whether a specific tool is needed elsewhere and if it has been checked out by someone else. Adding RFID tags to your equipment will enhance your ability to monitor and manage it effectively.

In an enterprise environment, which common security services would include firewalls and enterprise-grade border routers?

  • A. Access control
  • B. Cryptography and encryption
  • C. Boundary control
  • D. Authentication and automation

Explanation: C. Boundary control includes security services typically provided by devices focused on protecting a system’s entry point. Additionally, firewalls can be used to safeguard a network’s border from potential threats originating from the Internet. In addition to firewalls, routers and proxies can also be utilized for boundary control to ensure comprehensive protection.

As a CISO, you have assembled a team consisting of security developers, managers, educators, architects, and administrators. However, some individuals in these roles have noticed that they are duplicating efforts and not utilizing their time effectively. How can you institute effective administrative control over this situation?

  • A. AUP
  • B. TCO
  • C. Mandatory vacation
  • D. Job descriptions

Explanation: D. By providing written job descriptions, you can clearly define all responsibilities. Job descriptions enable you to establish and meet expectations, as well as effectively communicate them to employees and evaluate their performance. Additionally, a well-written job description will help establish a solid foundation for employers and employees alike.

Your CIO has requested a meeting with you, the security manager, to discuss the SQL administrators’ request for a service-oriented architecture (SOA) and an application programming interface (API). In the context of SOA and APIs, services are provided over a network. What is your primary concern?

  • A. Users and services are centralized and only accessible during business hours.
  • B. SOA is responsible for managing all legacy systems that may have vulnerabilities.
  • C. SOA implementation relies on VMs, making it susceptible to exploitation through VMEscape.
  • D. Users and services are distributed over the Internet, exposing them to external threats.

Explanation: D. SOA serves as the underlying architecture that enables the functionality of the service, while the API functions as the service itself. Concerns regarding this setup include potential slowdown of applications and increased processing power requirements, leading to higher costs. Additionally, scalability may become an issue, and the absence of industry-specific security standards can expose the system to external threats. One important measure to enhance security is the removal of unnecessary services and disabling unused accounts within these systems.

Simon’s organization has endpoints that are considered low-priority systems. Although they are considered low priority, they still need protection against malicious code that can destroy data and corrupt systems. Malicious code is capable of infecting files but typically requires assistance to move between systems. What security product specifically guards against this type of malicious code?

  • A. Antimalware
  • B. Antispyware
  • C. Antivirus
  • D. Anti-adware

Explanation: C. A virus is malicious code that can destroy data and corrupt systems. It usually requires assistance to move between systems. Antivirus products are designed to identify and eliminate viruses from a system. Antimalware products are capable of detecting different types of malware, including viruses. Anti-adware products detect and remove programs created to display ads on an infected user’s screen. Additionally, it is important to prioritize securing low-priority systems to prevent any potential vulnerabilities.

You are examining SQL server logs and are seeing userid: 101 or 1=1;--. What is most likely happening on that SQL server?

  • A. XMLi
  • B. XSS
  • C. SQLi
  • D. Buffer overflow

Explanation: C. This log indicates a SQL injection. The SQL query is valid and will return all rows from the UserID table because the statement “OR 1 = 1” is always true. Without additional SQL statements, it is difficult to determine the specific table being referenced as UserID, as the SQL is likely checking the userid column for a row where the userid is 101. In this case, the injection occurs with the input “101 or 1=1”, which evaluates to true. The presence of the semicolon and double hyphen is significant; if there were additional checks on the password during the login process, the semicolon would terminate the SQL, ignoring the rest of the statement. Developers should validate all end-user input to safeguard against injection attacks.

RFID gained popularity in your organization due to its low maintenance cost. You are contemplating expanding the utilization of RFID; however, your security analyst cautions you about the vulnerability of the backend database. What is the primary concern of your analyst?

  • A. Virus attack
  • B. Infrared intrusion
  • C. Lockpicking
  • D. Credentials

Explanation: A. The susceptibility of RFID to virus attacks poses a significant threat to the backend database, which is the prime target. An RFID virus has the potential to divulge tag data or disrupt the database, leading to service disruptions. Additionally, an attack could potentially destroy the data stored in the database, further exacerbating the consequences.

You are exploring the best option for your organization to move from a physical data center to virtual machines hosted on bare-metal servers. Which of the following is the best option for that move?

  • A. Type 1 hypervisor
  • B. Type 2 hypervisor
  • C. iPaaS
  • D. IaaS

Explanation: A Type 1 hypervisor is installed directly onto a bare-metal server, functioning as its own operating system. This configuration allows for superior performance as it provides direct access to the physical hardware. To optimize your organization’s move to virtual machines on bare-metal servers, a Type 1 hypervisor is the recommended option.

Your company has a newly-appointed CIO, who has a preferred vulnerability management tool and a close connection with the software company. As you transition to the new software, which document would necessitate the most modifications?

  • A. Policies
  • B. Guidelines
  • C. Baselines
  • D. Procedures

Explanation: D. Since the new software is expected to be significantly different in terms of its usage, the policy documentation would need to specify how vulnerability management will be carried out. Procedures, on the other hand, would provide a checklist outlining the detailed steps and processes required to operate the new software effectively. In order to accommodate this transition, the procedures document would require the most changes.

Your growing startup wants to take advantage of single sign-on (SSO). Which of the following is not an advantage?

  • A. Multiple user accounts and passwords can be eliminated.
  • B. Users can sign on once for access to resources.
  • C. SSO is convenient and leads to fewer tech support password resets.
  • D. The attacker needs only one password to compromise everything without two-factor authentication.

Explanation: D. To prevent losing everything when a single password is exposed, enterprise-level single sign-on requires two-factor authentication, such as texting a mobile phone or using a one-time password, biometrics, or proximity card, making systems much harder to compromise. Additionally, hardening techniques like disabling unused accounts and removing unneeded running services can further enhance security.

Nicole, the security administrator for a large governmental agency, has implemented various measures such as port security, restricted network traffic, and the installation of NIDS, firewalls, and spam filters. She believes that the network is now secure and wants to focus on endpoint security. Which plan should she follow to achieve the most comprehensive endpoint security?

  • A. Antimalware/virus/spyware, host-based firewall, and MFA
  • B. Antivirus/spam, host-based IDS, and TFA
  • C. Antimalware/virus, host-based IDS, and biometrics
  • D. Antivirus/spam, host-based IDS, and SSO

Explanation: A. In order to protect the endpoints from malware, viruses, and spyware, Nicole should implement antimalware/virus/spyware software. Additionally, a host-based firewall is necessary to prevent malicious traffic. While an intrusion detection system (IDS) will only report an intrusion, multifactor authentication (MFA) provides more comprehensive security. It requires the presentation of several separate pieces of evidence from different categories, such as something you are, something you know, and something you have. Two-factor authentication (TFA) is a form of MFA that requires two pieces of evidence.

  • A. Mobile device configuration profile
  • B. Group Policy
  • C. Root the devices and install a golden mobile image
  • D. Containerization

Explanation: A. Mobile device configuration profiles are XML files that define all the settings and restrictions that should be applied to your mobile devices. XML is a widely used format for representing structured information, such as documents, data, and configuration settings. Derived from SGML, XML is designed to be suitable for web use and is commonly used for sharing structured information between programs, people, and computers across networks. Additionally, it provides a simple and text-based format for representing information.

Your CFO has unintentionally deleted an essential folder from their computer. They have approached you to assist in recovering the data. You are aware that the files still exist on the drive, but they are not referenced in the directory structure. What should be your initial course of action?

  • A. Refrain from saving any documents or files.
  • B. Power off the computer.
  • C. Reboot the computer.
  • D. Install a new program to facilitate file rescue.

Explanation: A. As saving program files or documents prompts the computer to write data to the hard drive, there is a higher likelihood of the data you are attempting to recover being overwritten. Therefore, it is advisable not to move files or folders or reboot the machine. Additionally, exercise caution not to save any new data on the computer to prevent further complications during the recovery process.

Your company hires a third party to provide cloud-based processing that will have several different types of virtual hosts configured for different purposes, such as multiple Linux Apache web server farms for different divisions. Which option below accurately describes this service?

  • A. SaaS
  • B. PaaS
  • C. IaaS
  • D. AaaS

Explanation: C. Infrastructure as a service (IaaS) allows a company to utilize hardware resources provided by a third party, including processing and networking capabilities, to host multiple diverse hosts. This service offers flexibility in configuring virtual hosts for various purposes within the cloud-based environment.

Your internal auditor has completed the quarterly PCI DSS audit of the financial systems and has identified that accounts payable did not follow proper procedures during a tabletop exercise. What action do you recommend taking?

  • A. Review the procedures and provide additional training to employees.
  • B. Await the completion of the external auditor’s annual review.
  • C. Eliminate all unnecessary financial transactions.
  • D. Conduct a comprehensive parallel test of the accounts payable systems.

Explanation: A tabletop exercise is a simulation used to practice and discuss procedures and policies without actually implementing the business continuity plan. It is crucial to involve all stakeholders in this exercise to gather diverse perspectives on the processes. In order to address the observed lapses in accounts payable procedures, reviewing and enhancing the existing procedures and providing additional training to employees is recommended.

You are employed as a security analyst in a healthcare organization. As part of an acquisition, a small legacy cluster of computers from a small hospital clinic has been obtained. All virtual machines in this cluster are connected to the network using the same NIC. Some of these machines contain patient data, while others hold financial data. Additionally, one of these VMs is responsible for hosting an externally accessible web application. What is the main concern you identify with this particular situation?

  • A. Confidentiality
  • B. Threats
  • C. Integrity
  • D. Utilization

Explanation: A. Visibility into the data through the traffic on these virtual machines can compromise confidentiality and also lead to compliance issues, such as PCI regulations for financial data and HIPAA regulations for patient data. It is essential to have a plan in place to replace these outdated machines before they reach the end of their lifespan.

You have conducted a security assessment and discovered that legacy systems with vital business processes are utilizing standard Telnet protocols. How can you effectively mitigate this risk?

  • A. Migrate from IPv4 to IPv6.
  • B. Install PuTTY.
  • C. Move the system to a secure VLAN.
  • D. Unplug the system until a replacement can be ordered.

Explanation: C. In a flat network topology, where there is a single large broadcast domain, any device that sends an ARP broadcast will receive a reply. This creates a potential access point to every system within the network. However, by implementing network segmentation using virtual local area networks (VLANs), you can create isolated networks in separate broadcast domains. When configured correctly, VLAN segmentation acts as a barrier against unauthorized access to systems, providing you with sufficient time to identify a solution for utilizing outdated and vulnerable protocols.

Sandra is utilizing the native Lightweight Directory Access Protocol (LDAP) for her authentication solution. What is the primary weakness of LDAP?

  • A. Hard to deploy.
  • B. Passwords are transmitted as clear text.
  • C. The session can be easily replayed.
  • D. Authorizations are not included in the header response.

Explanation: B. Transmitting LDAP passwords as clear text has always been considered insecure, as it enables attackers to easily intercept credentials through network sniffing. In large organizations, identifying and rectifying all applications that still employ this vulnerable LDAP method can be a time-consuming process. Microsoft recommends that system administrators enable detailed diagnostic logging on their domain controllers to identify any applications employing this method. However, this may generate a significant number of events in the Directory Service event log.

Your department is examining the CIA triad and its application to storage. You aim to ensure confidentiality, integrity, and availability for all authorized users while also focusing on implementing robust systems that require attackers to exert more effort than the data is worth. What factor is crucial for achieving this objective?

  • A. Cost and value of data
  • B. Cost and value of privacy
  • C. Cost and value of encryption
  • D. Cost and value of potential breach

Explanation: A. When it comes to storage, it is essential to have security systems that are strong enough to make any potential breach cost attackers more time and effort (i.e., work factor) than the value of the data. The cost and value of data are of utmost importance as no one wants to invest in systems that are more expensive than the actual worth of the data.

A guest OS escapes from within VM encapsulation to interact directly with the hypervisor. If the VM becomes compromised, this can give an attacker access to all the VMs as well as the host machine. What is this scenario called?

  • A. DoS
  • B. VM escape
  • C. VM jacking
  • D. VM isolation

Explanation: B. While difficult to perpetrate, VM escape is considered a serious threat to VM security. VM escape is perpetrated against Type 2 hypervisors. If you manage to escape a Type 1 hypervisor, it is referred to as hyperjacking.

Charles is reviewing threat intelligence reports that focus on advanced persistent threats from nation-state actors and their tactics and capabilities. He is seeking to gather valuable insights to effectively utilize this intelligence within his enterprise. Which of the following is not a category of assessment conducted using cyberthreat intelligence?

  • A. Arbitrary
  • B. Strategic
  • C. Operational
  • D. Tactical

Explanation: A. Strategic cyber intelligence provides decision-makers with insights into long-term matters and overall intentions. Operational cyber intelligence aids in supporting response operations and is often presented as a forensic report. Tactical intelligence evaluates real-time events and assists with day-to-day operations. Cyberthreat intelligence is not utilized for arbitrary assessments.

Your team was assigned the responsibility of conducting a penetration test on a prominent automotive corporation. The necessary documentation has been duly signed by both parties. As this is a black-box penetration test, where should your team commence their work?

  • A. Vulnerability scanning
  • B. Social engineering
  • C. Reconnaissance
  • D. Malware distribution

Explanation: C. A black-box penetration tester possesses no prior knowledge about the system or network being tested, except for perhaps the organization’s name and address. Therefore, the initial step for a pentester is to carry out reconnaissance, aiming to gather maximal information about the target organization.

You are a system administrator and have been tasked with creating a policy for several mission-critical legacy application servers that need to be replaced in six months due to the server manufacturer’s end of support. What policy will you develop?

  • A. Data provisioning
  • B. Data remanence
  • C. Data retention
  • D. Data encryption

Explanation: C. A data retention policy is documentation that your organization has created to specify when data is no longer useful and should be deleted, or when the data retention period has been fulfilled. Implementing a data retention policy involves identifying the types of data your organization possesses and categorizing them accordingly. This policy is crucial in ensuring compliance with both local and federal regulations and retention schedules. It encompasses retaining data and records for a designated duration and properly disposing of them once the retention period expires, as well as detailing how data should be transitioned to new systems.

  • A. Implementing HIDS
  • B. Building gateway firewalls
  • C. Configuring ERP
  • D. Creating network microsegmentation

Explanation: D. Network microsegmentation allows you to enhance network security by implementing a multi-layered defense strategy. Given the current threat landscape, it is crucial to operate under the assumption that you are constantly under attack and may eventually experience a breach. Network microsegmentation significantly complicates an attacker’s ability to launch an attack across your entire network, which would be possible in a flat network infrastructure. Additionally, it provides an added layer of protection against potential breaches.

Your organization is currently undergoing an external penetration test. While examining a web page field, you come across the following data: password' OR 1=1;--. What type of attack is this?

  • A. CSRF
  • B. XSS
  • C. SQLi
  • D. Buffer overflow

Explanation: C. Input fields in web applications can be susceptible to SQL injection. An attacker can exploit this vulnerability by manipulating the input field in a manner that alters the server’s executed statement. By executing the given command, the following SQL query is triggered: SELECT id FROM users WHERE username='username' AND password='password' OR 1 = 1;. Due to the condition OR 1 = 1 always being true, the attacker will be able to gain access to the account associated with the supplied username in the field.

Your CISO tasks you with creating an addendum to the security policies and procedures as it relates to security at rest. Which of the following is not a concern to be addressed in your high-level security policy and more granular procedures?

  • A. Data and cyberattack growth
  • B. Cost of breaches and increased data value
  • C. Regulation and business continuity
  • D. Network topology and subnets

Explanation: D. In relation to data-at-rest policies and procedures, network topology and subnets are not a concern that needs to be addressed. However, it is important to focus on the other options, such as data and cyberattack growth, cost of breaches and increased data value, regulation, and business continuity. These factors play vital roles in ensuring the security and protection of data at rest.

One of the concerns you have for your hypervisor environment is the flooding of network traffic to leverage a host’s own resources. The availability of botnets to rent on the dark web makes it easy for attackers to carry out a campaign against specific virtual servers or applications with the goal of bringing services down. What is this type of attack called?

  • A. VM DoS
  • B. VM scraping
  • C. VM isolation
  • D. VM migration

Explanation: A. A denial of service (DoS) attack affects availability and can be perpetrated against on-premise assets and virtual assets, as well as poorly configured cloud assets. These attacks exploit many hypervisor platforms by flooding the network with traffic and bringing operations to a halt.

A governmental agency purchases new computers for its employees and wants to ensure that the computers’ boot loader process is protected from rootkits loading during startup. Which protection mechanism requires the combined use of UEFI’s Secure Boot process and TPM encryption to allow the loading of an OS and determine the permissible execution of specific components?

  • A. Early Launch Antimalware
  • B. Integrity Measurement Architecture
  • C. Measured Launch
  • D. Attestation Services

Explanation: C. Measured Launch acts as a safeguard for the boot loader process and relies on the collaboration between UEFI’s Secure Boot and TPM encryption to authorize the loading of an OS and restrict the execution of particular components. Commonly known as a measured boot, it enhances security measures.

A corporation expanded its business by acquiring several similar businesses. What should the security team prioritize?

  • A. Development of an ISA and a risk analysis
  • B. Installation of firewalls between the businesses
  • C. Removal of unnecessary assets and Internet access
  • D. Scan of the new networks for vulnerabilities

Explanation: A. The initial step in integrating businesses through acquisition is to create an interconnection agreement, followed by conducting qualitative and quantitative risk assessments. This ensures that security objectives are established and the existing security landscape is evaluated accurately. Additionally, by conducting a risk analysis, the security team can ascertain their current security position and define their future goals.

You have made the decision to establish your own company, which aims to provide integrated security services to corporate entities through a subscription-based model, ensuring cost-effectiveness when it comes to evaluating the total cost of ownership (TCO) of cybersecurity. What business model does your creation represent?

  • A. DaaS
  • B. PaaS
  • C. SECaaS
  • D. IaaS

Explanation: C. SECaaS, also referred to as SaaS, stands for Security as a Service. While SaaS traditionally refers to software as a service, SECaaS specifically pertains to information security services that do not require on-premises hardware. By adopting SECaaS, companies can avoid large capital expenditures. The range of security services provided may involve authentication, antivirus and antimalware solutions, as well as intrusion detection, incident response, and penetration testing. Additionally, it is worth noting that SECaaS is highly beneficial in terms of cost efficiency and ease of implementation.

You want to test the fault tolerance of your hardware systems. Which of the following is a method to prevent a disruption caused by a single point of hardware failure during a test?

  • A. A database containing customer information backed up in a data warehouse
  • B. Duplicate alternative power sources
  • C. Utilizing an identical server with all operations running concurrently
  • D. A duplicate database

Explanation: C. The most effective example of fault tolerance for hardware would involve having an identical server running concurrently. Fault-tolerant systems utilize backup components that automatically replace failed components, guaranteeing uninterrupted service. Additionally, having parallel operations further enhances the system’s ability to withstand hardware failure.

You are exploring the best option for your organization to move from a physical data center to VMs hosted on bare-metal servers. Moving to a Type 1 hypervisor was discussed, but these hypervisors are difficult to deploy. Now, it has been decided to use hosted hypervisors on Windows 10 machines by enabling CPU virtualization. What is this type of environment called?

  • A. Type 1 hypervisor
  • B. Type 2 hypervisor
  • C. iPaaS
  • D. IaaS

Explanation: B. Type 2 hypervisors are applications installed on host OSs like Microsoft Windows or Linux. They are also known as hosted hypervisors because there is a host OS that acts as an intermediary between the OS, the VM, and the server hardware. Type 2 hypervisors are easier to deploy, but Type 1 hypervisors typically offer better and faster performance. As a best practice, virtualization should be explicitly disabled unless necessary. While it is true that you should not enable VT unless it is needed, there is no added risk whether the feature is on or off.

Your CISO has requested that you implement a solution on your DMZ’s jump servers to identify and prevent any malicious activity. Which of the following options achieves this objective?

  • A. HIDS
  • B. NIDS
  • C. HIPS
  • D. NIPS

Explanation: C. A host-based intrusion prevention system (HIPS) serves as an intrusion detection system utilized to identify and prevent intrusions on a host. It effectively halts any suspicious activity. Jump servers, also known as jump boxes, are usually positioned between a secure zone and a DMZ to facilitate device management within the DMZ once a management session has been established. The jump server acts as a centralized audit point for traffic, requiring prospective administrators to log in to gain access to the DMZ assets. Additionally, the proposed solution strengthens the security measures within the DMZ.

What feature does UEFI incorporate to safeguard the boot process against malware hijacking?

  • A. Secure Boot
  • B. Secure Bootup
  • C. Secure Start
  • D. Secure Run

Explanation: A. Secure Boot is an essential security mechanism integrated into the Unified Extensible Firmware Interface (UEFI) that enforces the certification of an operating system boot loader before it is loaded. The certification process is conducted through the verification of signed certificates. Additionally, Secure Boot helps prevent unauthorized software or firmware from executing during the boot process.

You work for an organization that requires a network uptime of 99.99 percent. However, there have been two instances of internal DAS hardware failures in the past six months, causing downtime. How do you solve this issue?

  • A. USB
  • B. SSD
  • C. SAN
  • D. DASv2

Explanation: C. A storage area network (SAN) is a network of servers that are connected to a centralized storage space. This allows for easy expansion of storage and enhanced data recovery capabilities. Additionally, if the servers boot from the SAN instead of DAS, a failover server can boot from the original SAN disk, reducing downtime. Although it is more expensive, the benefits outweigh the cost.

Your organization aims to automate the task of assigning corporate resources to employees. When an HR representative inputs data for a new employee into the HR system, the organization desires the HR system to communicate with different systems, such as the email system, in order to configure resources for the new employee automatically. Which automated identity management solution could facilitate this process?

  • A. SPML
  • B. SOAP
  • C. Active Directory
  • D. SSO

Explanation: A. Service Provisioning Markup Language (SPML) is a mechanism specifically designed for automating identity management tasks. It enables the automation of provisioning activities to streamline the process of assigning resources to employees.

You want to gather your team together to evaluate potential corrective and recovery controls for your company. You want to encourage them to contribute and evaluate, taking an active role in the discussion. The three-tiered approach consists of brainstorming ideas for solutions, evaluating the best possible solutions, and which of the following?

  • A. Deciding
  • B. Committing
  • C. Administering
  • D. Recovering

Explanation: A. The three-tiered approach consists of a brainstorming session, evaluating the ideas that arise from the brainstorming session, and then deciding which solution is most suitable. It is important to consider factors such as cost and complexity to effectively incorporate these security controls into the budget and timeline. By using this approach, the team will be able to actively participate in the evaluation and planning process for corrective and recovery controls.

What type of storage deteriorates over time, requires constant refreshing, and can always be encrypted with data being decrypted only within the CPU?

  • A. RAM
  • B. Hard drive
  • C. ROM
  • D. BIOS

Explanation: A. Dynamic RAM is a type of storage on a motherboard that must be continuously refreshed due to the changing nature of stored information over time. Unlike a hard drive, ROM, and BIOS, RAM is considered volatile and requires constant refreshing. While RAM can be encrypted with data being decrypted only within the CPU, it cannot be simultaneously encrypted and useful. However, organizations are implementing solutions to address this issue, sacrificing convenience and functionality to protect against side-channel attacks on RAM, such as cold boot attacks. These solutions involve handling encryption keys and sensitive operations in the CPU, while keeping everything else in RAM encrypted at all times. Though resource-intensive, several organizations are successfully implementing this approach at scale.

As a network administrator, you are asked to connect a server to a storage-attached network. If availability and access control are of utmost importance, which option would meet the requirements?

  • A. Installing a NIC in the server with deduplication enabled
  • B. Installing a NIC in the server with deduplication disabled
  • C. Installing an HBA in the server and creating a LUN on the SAN
  • D. Installing a clustered HBA in the server and creating two LUNs on a NAS

Explanation: C. An HBA, or host bus adapter, is a hardware device that enhances performance by connecting a server to a storage-attached network. The configuration also relies on the use of LUN storage. A LUN, or logical unit number, is a unique identifier assigned to separate devices to allow access within a storage disk array. It is crucial to carefully consider the chosen option to ensure optimal availability and access control.

Matthew’s company recently discovered that an intruder gained unauthorized access to highly classified information by querying the external DNS server. In order to prevent this from happening again, which of the following options is the most effective?

  • A. Implement a split DNS system, where both an internal and external zone are created to handle all domain queries.
  • B. Implement a split DNS system, where an internal zone is created for resolution within the internal network, and an external zone is created for Internet users.
  • C. Create DNS parking to enable round-robin DNSBL.
  • D. Create DNS parking exclusively for cloud users.

Explanation: B. In a split DNS infrastructure, two separate zones are set up for a single domain. The internal zone is used for network internal purposes, while the external zone is accessible for Internet users. This segregation ensures that internal information remains hidden from outsiders. Additionally, having an internal and external zone allows for better control and security management.

Your security team needs to stay up to date and has worked hard to develop a training program. They were taught to identify and report the early warning stages of an attack campaign. Which of the following options is not an indicator of a compromise?

  • A. Slow Internet and unexplained system reboots
  • B. Multiple failed logins and locked-out accounts
  • C. Anomalies in network traffic, especially after hours
  • D. Patch management

Explanation: D. Patch management is expected, but unexpected software installs are not. It is important to have a clear understanding of your network, including what is considered normal and abnormal, and always stay vigilant assuming you are under attack.

Your organization has partnerships with various other companies that require employees of each company to access information from the others. Of course, each company has an authentication process for their employees. What identity management system would allow employees of each company to log in to their respective company and also access the needed information at the others?

  • A. SSO
  • B. SSL
  • C. Federated Identity Management
  • D. Kerberos

Explanation: C. A Federated Identity Management solution would allow employees from the various companies to log in once and access resources they are authenticated to access at all companies. Additionally, implementing a Federated Identity Management system would enhance security and streamline the access process for employees working across different companies.

Your team is conducting a risk evaluation to assign an asset value to the collaboration servers in your data center based on an after-action report of the last incident. The primary concern is determining what needs to be replaced and how in the event of a disaster. Which option listed below is the most appropriate choice?

  • A. Purchase cost
  • B. Depreciated cost
  • C. Retail cost
  • D. Replacement cost

Explanation: D. Replacement cost is the expense incurred to replace the property within the same location with assets of similar material and quality, serving the same purpose. It takes into account the total cost of the replacement process.

Robert has conferred with security and system administrators regarding the hardening measures to be implemented on end users’ systems. Which of the following restrictions can be employed to limit the utilization of commands, programs, and scripts?

  • A. Port restrictions
  • B. Web restrictions
  • C. App restrictions
  • D. Shell restrictions

Explanation: D. A shell is an interface that allows interaction with a Unix system. It collects input and executes programs based on that input, displaying the output upon completion. The shell serves as an environment to run commands, programs, and shell scripts. Various operating systems have different shell versions, each with its own set of recognized commands and functions. Restricting access to shell features is considered a best practice in securing end users’ machines.

Peyton, an IT administrator, is in need of visibility into his staging network. He believes that he has all the necessary tools and controls in place, but is currently lacking the ability to detect and investigate attackers who may be exploiting the network. Which tool should Peyton choose to help identify any vulnerabilities or potential threats in his environment?

  • A. Fuzzer
  • B. HTTP interceptor
  • C. Port scanner
  • D. SIEM

Explanation: D. Most assets on a network generate logs in various formats and to varying extents. Analyzing these logs is crucial for compliance purposes. A security information and event management (SIEM) tool is capable of collecting data from different assets such as servers, domain controllers, and hosts. This tool then normalizes the data, which is subsequently analyzed to detect and uncover any potential threats. A fuzzer is an automated software tester that generates random and invalid data to assess potential crashes or memory leaks in the software. An HTTP interceptor is capable of intercepting and potentially modifying incoming or outgoing HTTP requests. A port scanner, on the other hand, allows you to locate open ports on a network and identify the programs running on those ports.

You have been tasked with securing the Ethernet ports on the switches used by the company to connect to host systems in order to prevent a VLAN hopping attack. Which of the following actions can help address this issue?

  • A. Ensuring that the Ethernet ports are statically defined as trunk ports.
  • B. Ensuring that the Ethernet ports have DPT disabled.
  • C. Ensuring that the Ethernet ports have DTP enabled.
  • D. Ensuring that the Ethernet ports are configured as access ports.

Explanation: D. VLAN hopping is an attack where an attacker modifies the VLAN tag of a frame to gain access to a different VLAN. In order to execute this attack, the attacker needs to establish a trunk link between the targeted switch port and their own system. If the switch port is configured either as a static trunk port or has the Dynamic Trunking Protocol (DTP) enabled, a trunk link can be established. To prevent this, it is necessary to ensure that the Ethernet ports are configured as access ports only. It is important to note that “DPT” is a misspelling of “DTP”.

Your organization has recently received a notification from a three-letter agency stating that your POS systems have been compromised. Instead of panicking, you remained calm and focused on assembling your incident team and assigning roles. Which role is deemed less significant in an immediate data breach incident response team?

  • A. Legal
  • B. Public relations
  • C. Technical
  • D. Sales

Explanation: D. While every company has its distinct characteristics, it is crucial to ensure that all parties – technical, legal, and public relations – are on the same page. The technical team is responsible for handling the incident, legal ensures compliance with the law, and public relations requires a clearly defined corporate stance for effective communication with the media and the entire organization. Sales, for instance, will need to be aware of how to address customers regarding the incident, but they will likely obtain that information from the public relations team.

You are managing a new project to implement the OAuth framework in your organization. Which of the following statements is incorrect?

  • A. OAuth allows a third-party application to access resources.
  • B. OAuth is an authorization framework that follows an open standard.
  • C. OAuth is centered around four roles: owner, client, resource server, and authorization server.
  • D. OAuth shares password information with third-party applications.

Explanation: D. It is important to note that OAuth does not share password information with third-party applications. Instead, OAuth offers a framework that grants access to a third-party application without revealing the owner’s credentials to the application. This enhances security and protects the owner’s sensitive information.

Your senior management wants to measure how risky an activity will be. This metric is used to provide a signal of increasing risk exposure. You need to identify which of the following options?

  • A. Key risk indicators (KRIs)
  • B. Key performance indicators
  • C. Total cost of ownership
  • D. Risk assessment

Explanation: A. KRI identification measures the level of risk associated with an activity. To identify a KRI, you should first identify the existing metrics, assess any gaps, establish a control environment, and track any changes in the risk profile. By doing so, you can effectively measure the potential risk and signal any increase in risk exposure.

Your organization is analyzing the risk of using more and more diverse technology. Your task is to assess collaboration tools as they contain your most critical information, including customer data and innovative ideas, in a single space. With data security being a priority, what recommendations do you have to protect against privileged users jeopardizing sensitive data?

  • A. Implementing varying levels of access throughout the platform.
  • B. Enabling alerts when specific file types are uploaded.
  • C. Allocating separate dedicated spaces for individual projects with restricted access.
  • D. Enforcing a rigorous password policy.

Explanation: C. Privileged users have the potential to compromise sensitive data. It is important to evaluate the flexibility of user access levels offered by the collaboration tool and assess potential security risks associated with each level. The ideal collaboration tool should enable administrators to establish controls for user visibility and terminate access rights for compromised accounts. Additionally, consider the importance of implementing strong password policies to enhance overall data security.

You want to replace an access point’s removable antenna with a better one based on the results gathered by a wireless site survey. You want to be able to focus more energy in one direction and less in another to better distinguish between networks. What type of antenna should you purchase?

  • A. Directional
  • B. Omnidirectional
  • C. Parabolic dish
  • D. Radio

Explanation: A. A directional Wi-Fi antenna will not amplify any signal; instead, it directs the energy from the transmitter. The signal gain and angle of a directional antenna can be adjusted to provide the specific range required. Additionally, with a directional antenna, unauthorized personnel in the parking lot will have limited access to your corporate guest Wi-Fi, ensuring greater security.

Jean’s organization provides cloud computing for a highly classified project. She has implemented a virtual data center with multifactor authentication. Using the SIEM, she discovered a breach affecting confidential data. Sensitive information was found within the hypervisor. What has most likely occurred?

  • A. Jean discovered a token and a RAM exploit that were used to transfer data.
  • B. Jean discovered a local admin who had the ability to transfer data to their own hard drive.
  • C. A vulnerable server was left unpatched, allowing the attacker to utilize VMEscape for access.
  • D. A guest account used privilege escalation to transfer data from one virtual token to another.

Explanation: C. Virtual Machine Escape is an exploit in which attackers can execute code on a virtual machine, enabling an operating system to directly interact with the hypervisor. This type of vulnerability exploit poses a significant risk as the attacker could gain access to the host operating system as well as all other virtual machines running on that host.

Your hunt team wants to prove compliance at a glance. You want them to have a strong security posture, but you need some help mapping regulations. What should they map regulations to in order to demonstrate compliance?

  • A. Security metrics
  • B. Security standards
  • C. Security threats
  • D. Threat intelligence

Explanation: A. Mapping regulations to security metrics allows hunt team members to swiftly demonstrate compliance. Otherwise, they would need to collect, arrange, and store the required metrics every time they need to prove compliance, spending time that could be better utilized elsewhere. Additionally, having predefined security metrics helps in easily identifying any compliance gaps or areas of improvement.

You suspect that an employee is stealing company information, but you’re unsure of the method they are using to remove the information from the premises. During the investigation, you come across a folder containing numerous pictures. Later, you also discover that many of these pictures were sent to an external email account. What deductions can you make from this information and what further investigation should be conducted?

  • A. Someone may have a passion for photography and enjoys sharing photos via email.
  • B. The pictures may contain hidden information.
  • C. The recipient of the photos could potentially be a member of the marketing department.
  • D. It would be advisable to contact human resources to schedule a discussion with the suspected employee and review the Non-Disclosure Agreement (NDA) they signed.

Explanation: B. The hidden information within the pictures might not be easily visible to the naked eye. One technique used for extracting information from an organization involves concealing it within unsuspecting files, such as image, music, and video files. It is essential to expand the investigation to determine if any sensitive data is being compromised through this method.

  • A. In 72 hours.
  • B. It is not advisable to return to the primary location.
  • C. Immediately after the disaster.
  • D. Only after it is deemed safe to return to the primary location.

Explanation: D. The initiation of work is not solely determined by time. The top priority is the health and safety of individuals, and it is essential not to expose employees to unnecessary risks. You may only return when the relevant authorities responsible for emergency management have declared it safe to do so. Additionally, it is crucial to ensure that appropriate measures are in place to safeguard against potential dangers before resuming operations.

Your security team is small and must work efficiently to minimize risk. With limited time available, what options can be considered to streamline the process of patching internal applications?

  • A. VPN
  • B. PaaS
  • C. IaaS
  • D. Terminal server

Explanation: D. Terminal servers offer centralized management of host applications, providing access to company resources from any location and device. This eliminates the need for repeated installations and allows for regular updates. As a result, time spent on patching internal applications can be significantly reduced.

Which of the following protocols provides a graphical interface to a Windows system over a network?

  • A. RDP
  • B. VNC
  • C. VDI
  • D. DLP

Explanation: A. Among these options, Remote Desktop Protocol (RDP) is the only protocol that allows remote access to a Windows system through a network connection, providing the user with a graphical interface of the desktop. Virtual Network Computing (VNC) utilizes the Remote Frame Buffer (RFB) protocol to enable network viewing and control of a desktop. Virtual Desktop Infrastructure (VDI) is a remote desktop-hosting environment where a desktop image is stored on a virtual machine and accessed remotely via a network. Data loss prevention (DLP) refers to the measures taken to detect and prevent unauthorized transfer of data from the owner’s system.

To facilitate ease of access for mobile device users, many apps utilize tokens, which allow users to perform multiple actions without needing to reauthenticate their identity. Which of the following actions is considered a best practice when using this methodology?

  • A. Generating new tokens each time access is attempted.
  • B. Retaining old tokens for a specific duration of time.
  • C. Utilizing tokens until the app or page is closed.
  • D. Ensuring tokens never expire.

Explanation: A. It is essential to generate new tokens with each access attempt. Neglecting to do so can lead to improper session handling, where apps unintentionally share session tokens with malicious attackers, enabling them to impersonate legitimate users. Therefore, generating fresh tokens for each access attempt is crucial to maintain security and protect users.

Your security policy was rules-based until now, with conditions needing to match either good or bad events. While important, it is necessary for these rules to be more adaptable based on patterns. Which of the following options describes this type of correlation most accurately?

  • A. Threat intelligence
  • B. Heuristics
  • C. Complexity
  • D. Categorical

Explanation: B. Heuristics and behavior analysis enhance the rules by providing nuanced and comprehensive interpretations of event patterns, drawing from experiential knowledge rather than a strict binary rule set.

Your end users are using mobile devices to access confidential information on the corporate network. You need to ensure that the information is securely transmitted to these mobile devices through encryption. Which of the following options best describes a significant concern when implementing encryption on mobile devices?

  • A. Mobile devices have superior processing power compared to other computing devices.
  • B. Mobile devices usually have lower processing power than other computing devices.
  • C. Increased complexities.
  • D. Obfuscation.

Explanation: B. Mobile devices typically have much less processing power than other computing devices, which necessitates the use of encryption technology that is not resource-intensive. Additionally, implementing encryption on mobile devices may introduce additional complexities.

As a marketing analyst for a large retail enterprise organization, you want to deploy a technology that will responsibly personalize the in-person shopping experience. What technology would you consider using for your retail app?

  • A. Home delivery
  • B. Personal shoppers
  • C. Geotagging
  • D. Customer feedback

Explanation: C. Large retailers are currently experimenting with location-sensing technologies, such as geotagging, which allows them to track a customer’s location through their phone’s GPS capability. Some organizations utilize this tool as a heat map and compare stores and department layouts, ultimately optimizing the shopping experience for customers. By implementing geotagging technology, retailers can personalize the in-person shopping experience in a responsible and efficient manner, catering to the specific needs and preferences of their customers.

An attacker scanned your network and discovered a host system running a vulnerable version of VNC. Which actions can an attacker perform if they gain access to VNC on the host?

  • A. Remotely access the host system’s BIOS.
  • B. Remotely view and control the host system’s desktop.
  • C. Remotely view critical failures, leading to a stop error or the blue screen of death on the host system.
  • D. All of the above.

Explanation: B. Virtual Network Computing (VNC) utilizes the Remote Frame Buffer (RFB) protocol to allow viewing and control of a host desktop via a network connection. VNC cannot be used to access the host’s BIOS during the boot process or in the event of an operating system crash resulting in the display of the blue screen of death.

Your MDM for COPE devices has failed to implement restrictions on the use of NFC. What is the primary concern for employees who utilize NFC for transactions?

  • A. Absence of login/password
  • B. Intercepting data
  • C. Security breaches
  • D. Legal ramifications

Explanation: A. The mobile device management (MDM) set up for company-owned, personally-enabled (COPE) devices utilizing near-field communication (NFC) prioritized convenience over security. With NFC, all it takes is a simple bump, tap, or swipe against an NFC reader for the connection to be established, without requiring any login or password. NFC solely focuses on the proximity between devices. It is advisable to disable NFC by default when not in use. While intercepting data is a concern, it is not the most significant worry in this scenario.

You receive a phone call from one of your employees stating that their machine has encountered a Blue Screen of Death (BSOD). What occurs when a Windows machine experiences a bluescreen?

  • A. Collects all operating system data
  • B. Machine simply requires a reboot
  • C. Creates a tcpdump
  • D. Creates a crash dump

Explanation: D. When a Windows machine encounters a bluescreen, it generates a memory dump or a crash dump. This file contains all the computer’s memory at the time of the crash, which can be helpful in diagnosing the underlying issues causing the crash.

  • A. Risk assessment
  • B. Penetration test
  • C. Compliance audit
  • D. Black-box testing

Explanation: A. To ensure an effective network security policy, it is crucial to conduct a comprehensive risk and needs assessment. Furthermore, it is important to integrate the policy into the official company manual and provide all employees with both security awareness training and a copy of the policy.

Now that you have already implemented all the technical improvements to enhance security, what other measures can you take to improve business processes?

  • A. Modify the company’s security policies and procedures.
  • B. Arrange a meeting with upper management to obtain approval for new company standards and a mission statement.
  • C. Conduct another technical quantitative risk analysis on all current controls.
  • D. Perform a gap analysis and provide recommendations on non-technical controls to be incorporated into company documentation.

Explanation: D. Gap analysis involves comparing the actual performance with the desired or potential performance. It helps identify areas where the organization may be performing below its potential due to inefficient resource utilization. Therefore, conducting a gap analysis for non-technical controls can further enhance the improvement of business processes.

Sally’s CISO has requested her assistance in finding an intrusion system capable of recognizing network intrusions and sending email alerts to the IT staff upon detection. What specific type of intrusion system is the CISO looking for?

  • A. HIDS
  • B. NIDS
  • C. HIPS
  • D. NIPS

Explanation: B. A NIDS, or network-based intrusion detection system, actively monitors network traffic and can provide alerts when attacks or intrusions are observed. These alerts can be delivered via email, text messages, or other methods. It is important to note that HIDS (host-based intrusion detection systems) as well as HIPS and NIPS are different types of intrusion prevention systems.

You test an application by mapping out all areas where a user’s input is used to reference objects. This input accesses a file, and you try to change the value, bypassing all authorization. What type of attack is this?

  • A. CSRF
  • B. DDoS
  • C. Insecure direct object reference
  • D. Click-jacking

Explanation: C. Insecure direct object references enable an attacker to bypass authorization and directly access a resource that they should not have access to, such as database records, files, or other application pages. Additionally, this type of attack can lead to potential data breaches and compromises the security of the system.

The impact of an incident or breach can be measured in several different levels. Which of the following is not included in the various levels?

  • A. Critical
  • B. High
  • C. Low
  • D. Junior

Explanation: D. In addition to the categories such as Critical, High, and Low, some organizations may also include a category known as Junior. Most organizations, however, follow the incident classification framework based on the same categories as the NIST CVE, which are Critical, High, Moderate, and Low.

You have decided that an IPSec VPN is not a suitable choice for your organization. Instead of granting access to the entire network, employees only require access to specific applications. Which VPN option would be the most suitable in this scenario?

  • A. SSH
  • B. SSL
  • C. IKE
  • D. RDP

Explanation: B. SSL VPNs provide fine-grained access to a corporate network. With this option, remote users can only access the applications that are essential for their work. For instance, they can access a mailbox on an Exchange Server instance or a specific subset of URLs on the intranet. Additionally, SSL VPNs offer an enhanced level of security through encryption and authentication protocols.

Your research determines what type of data your organization should preserve and the length of time the data should be stored. Which of the following is not another component of a comprehensive data retention policy?

  • A. Format
  • B. Certification
  • C. Access control
  • D. Destruction

Explanation: B. In addition to determining the format for storing the data, controlling who has access to that data, and outlining the process for eventual data destruction are essential aspects of a thorough data retention policy. These components help ensure that data is protected, managed, and eventually disposed of properly.

Your security team has implemented NAC lists for authentication and corporate policy enforcement. Initially, the team installed software on the devices to carry out these tasks. However, the team has decided that this method is no longer preferable. They now want to implement a solution that serves the same purpose but does not require software installation on the devices. In the context of NAC, what is this configuration referred to as?

  • A. Agent
  • B. Agentless
  • C. Volatile
  • D. Persistent

Explanation: B. When NAC is utilized without installing an agent on the devices, it is known as an agentless configuration. In agentless NAC, the enforcement of policies is integrated into an authentication system like Windows Active Directory. Policy enforcement occurs during device log on or log off from the network. Furthermore, this method eliminates the need for additional software installation on the devices.

Your incident response team attempts to estimate the cost of a breach. This estimate is based on whether the data records were customer and employee or employee only. Additionally, the scope of the breach, including the number of people affected, is taken into consideration. Now that you have identified the individuals affected and their extent, what other information do you need?

  • A. When
  • B. Where
  • C. What
  • D. How long

Explanation: C. In order to accurately evaluate the cost of the breach, you need to determine what specific types of records were compromised. Was it personal information along with credit card details, or personal information along with healthcare data? Not only do these different types of data have distinct values on the dark web, but they are also subject to different fines based on your compliance obligations. Therefore, understanding the nature of the compromised records is crucial for estimating the financial impact of the breach.

Your SMB organization is exploring a tool that combines VoIP, video, chat, and email together in one messaging system. What is the term for this type of tool?

  • A. Cloud computing
  • B. Unified communications
  • C. Global transformation
  • D. Competitive collaboration

Explanation: B. Using unified communications presents serious security challenges because it brings together disparate technologies. As technology becomes more complex and accessible from the public Internet, the threat increases. It is important to be diligent in protecting vital communications. Additionally, the integration of multiple communication methods into one system can increase efficiency and streamline communication processes within an organization.

Darryl was tasked to lead a project setting up a security operations center (SOC) where one of the tools his company already owns could potentially be utilized due to its threat intelligence and data mining capabilities. Which tool has the dual functionality for both compliance and SOC?

  • A. Protocol analyzers
  • B. SIEM
  • C. Wired scanner
  • D. Password crackers

Explanation: B. Organizations have vast amounts of data, making it impractical for a human team to manually perform threat hunting. A security incident and event management (SIEM) tool can effectively manage and organize this data, utilizing external threat intelligence to identify patterns or detect data anomalies within the organization’s network. Additionally, the SIEM tool facilitates compliance with various regulations and guidelines.

Jason’s organization recently implemented standard Linux systems within their network. The system administrator responsible for these Linux systems aims to enhance their security by utilizing SELinux, as mandated by their security policy. Which of the following options describes a benefit of implementing SELinux?

  • A. Transition from a discretionary access control system to a system where the file creator governs the file permissions.
  • B. Transition from a discretionary access control system to a mandatory access control system.
  • C. Transition from a mandatory access control system to a system where the file creator governs the file permissions.
  • D. Transition from a mandatory access control system to a discretionary access control system.

Explanation: B. Standard versions of Linux employ a discretionary access control (DAC) system, which allows the file creator to manage file permissions. In contrast, SELinux, a security architecture for Linux, operates on mandatory access control (MAC), where a predetermined security policy determines the permissions associated with a file. Implementing SELinux adds an additional layer of security to the Linux systems within the organization’s network.

Bernie, a member of your board of directors, has inquired with your CEO about the proactive defense measures in place at your company. Subsequently, the CEO has turned to you seeking information on proactive defense strategies. Which of the following tools serves as an illustration of proactive defense measures?

  • A. Running Nexpose/Nessus
  • B. Installing botnets
  • C. War chalking
  • D. Rootkits

Explanation: A. Utilizing a vulnerability scanner, such as Nexpose or Nessus, exemplifies an organization proactively identifying vulnerabilities within the systems on their network. Upon discovering these vulnerabilities, they can be addressed by either applying patches or disabling the services, thereby strengthening the system’s resilience against future attacks. Additionally, these measures contribute to the overall proactive defense strategy of the company.

A hard disk fails in a mission-critical server, and there is no redundancy. Many options exist when it comes to recovering data from a hard disk failure. Sometimes the corrective action has the potential to render the data unrecoverable. What is the first rule of data recovery?

  • A. Install a recovery tool.
  • B. Open the drive to examine the platters.
  • C. Minimize access to the drive.
  • D. Attempt to boot the drive in another machine.

Explanation: C. If the hard disk fails due to a mechanical issue, repeated access to the drive can result in the loss of more data or corruption of what still remains. It is important to minimize access to the drive.

What is the most effective method to ensure that your collaborative software remains up-to-date with patches and bug fixes while also understanding the potential impact of these updates on the system?

  • A. Patch management
  • B. Vulnerability management
  • C. Encryption
  • D. Security policy and procedures

Explanation: A. It is crucial to adhere to best practices when updating a UC server. Before proceeding with the update, ensure that you have a backup of the system in place and schedule the update during a designated maintenance window. Additionally, familiarize yourself with the changes made by the update and comprehend how it may affect the overall environment.

You have a well-configured firewall and IDS. Which of the following could potentially steal intellectual property or trade secrets without leaving any system audit trail?

  • A. Hacktivist
  • B. Auditors
  • C. Malware
  • D. Employees

Explanation: D. Disgruntled employees have the ability to conceal their malicious activities, making it difficult for employers to assess the extent of the damage. Unhappy employees can put at risk not only funds, trade secrets, and intellectual property but also gain unauthorized access to your entire IT infrastructure. It is important to be aware of this potential threat and implement measures to mitigate it.

Bobby, a security risk manager with a global organization, is faced with evaluating the risk of flash floods on the organization’s operations in various regions. It has been determined that the cost of responding to these risks is expensive. At present, the organization has chosen not to take any action. What risk management strategy has been implemented in this scenario?

  • A. Risk mitigation
  • B. Risk acceptance
  • C. Risk avoidance
  • D. Risk transference

Explanation: B. In situations where the cost of implementing controls outweighs the benefits gained from responding to the risk, the recommended approach is to accept the risk for a certain period and then reassess it. In this case, the organization has chosen to accept the risk and will evaluate it again in the future.

You build a team of cyber-investigators who actively seek out threats on your network, purposely searching for anomalies and striving to uncover patterns in data in order to stay one step ahead of criminals. What is this team called?

  • A. Black box
  • B. Gray box
  • C. Hunt team
  • D. Data analytics

Explanation: C. A hunt team is a well-known concept in cybersecurity, although it is typically only found within large enterprise organizations. Hunt teams play a critical role in effectively detecting, identifying, and comprehending advanced persistent threats, allowing them to correlate data and track down malicious actors.

Understanding the regular traffic patterns within your organization plays a crucial role in identifying which of the options below?

  • A. Malware
  • B. DDoS attack
  • C. Ransomware
  • D. Spoofing attack

Explanation: B. In order to properly detect a distributed denial-of-service (DDoS) attack, it is imperative to have a clear understanding of your organization’s typical traffic patterns. Without this knowledge, it becomes difficult to differentiate between normal traffic and attack traffic. Therefore, being familiar with your normal traffic pattern enables you to recognize an abnormal pattern associated with a DDoS attack.

  • A. Attempt to compromise the website in order to delete the information.
  • B. Utilize Whois to identify the owner of the website and contact them directly.
  • C. Report any suspected violation of security or policies to the appropriate authority.
  • D. Investigate how the information was shared.

Explanation: C. In situations where data users perceive a potential risk to information security, it is crucial to promptly report the matter to the appropriate authority, typically the data owner. Additionally, reporting such incidents allows for timely resolution and mitigation of security breaches.

Randolf, a newly hired CISO, is currently assessing controls for the confidentiality aspect of the CIA triad. Which set of controls should he prioritize in order to ensure confidentiality?

  • A. RAID 1, data classification, and load balancing
  • B. Digital signatures, encryption, and hashes
  • C. Steganography, ACL, and vulnerability management
  • D. Checksum, DOS attacks, and RAID 0

Explanation: C. Implementing controls for confidentiality is crucial for maintaining data privacy. In this context, steganography serves as a technique to conceal messages within various media forms such as pictures, music, or videos. Access control lists (ACLs) represent tables that dictate the individuals authorized to access specific objects or directories. Furthermore, vulnerability management entails identifying software weaknesses to effectively mitigate any associated risks to confidentiality.

Your organization currently uses FTP to transfer files, and you have been assigned to upgrade the file transfer solution to meet the requirements of both integrity and confidentiality. Which of the following statements accurately describes the current state of business?

  • A. Port 20 is utilized for transfer and port 21 is used for control.
  • B. Port 20 is utilized for control and port 21 is used for transfer.
  • C. The client uses port 20 while the server uses port 21.
  • D. Port 20 is used for integrity and port 21 is used for confidentiality.

Explanation: A. In FTP, TCP port 20 is specifically designated for transferring data, while TCP port 21 is utilized for control commands. The FTP server listens on port 21 for a client to initiate a session and then establishes the data connection through port 20. Additionally, this ensures both the integrity and confidentiality of the file transfer process.

You are selecting a collaboration tool for use throughout the finance department. Which of the following questions is not as crucial as the others?

  • A. How well-established is the solution?
  • B. What level of support is needed to implement the solution?
  • C. Is it possible to modify the brand logo and color scheme?
  • D. What kind of training and best practices can be provided to prevent future issues?

Explanation: C. In order for your team to succeed, it is important to ensure that your vendor offers the required support. Additionally, considering training options can help minimize any potential problems that may arise during the implementation process. The best programs available today have a team of security experts working around the clock to identify and prevent issues.

In a healthcare organization, which role is responsible for assigning access, producing reports, logging access, and implementing physical safeguards to protect data confidentiality, availability, and integrity?

  • A. Data owner
  • B. Data custodian
  • C. Data user
  • D. Data protector

Explanation: B. The data custodian, as opposed to the data owner, is responsible for the technical control and administration. They handle tasks such as assigning access, generating reports, logging access, and implementing physical safeguards. This division ensures that both administrative and technical aspects of data protection are properly managed.

Your organization’s container ecosystem handles extremely sensitive data. You want to scan and validate the configuration of each container as it is added to the container registry. Which of the following is the most critical aspect to consider when securing and monitoring the container registry?

  • A. It can be expensive to deploy containers that are not being utilized by your team.
  • B. It guarantees that only containers that comply with the team’s development processes and security policies are added to the environment.
  • C. There is a limit to the number of containers that can function within a single deployment.
  • D. The container image’s hypervisor may contain vulnerabilities that could now be easily exploited in the cloud.

Explanation: B. By securely locking down and monitoring the container registry, you ensure that there are no unauthorized container environments operating in an insecure manner, posing a risk to your systems and sensitive data. Additionally, this process ensures that only containers that meet the team’s development processes and security policies are allowed to be added. Furthermore, securing and monitoring the container registry helps to mitigate the potential vulnerabilities that may exist within the hypervisor of the container image.

Which confidentiality security model guarantees that a subject with a Secret clearance can only write to objects classified as Secret or Top Secret?

  • A. Biba
  • B. Clark-Wilson
  • C. Brewer-Nash
  • D. Bell-LaPadula

Explanation: D. The Bell-LaPadula confidentiality model aims to maintain the confidentiality of secret data and allows for the sharing of secret data when it is authorized to be shared. Additionally, it ensures that subjects with lower clearance levels cannot access or modify objects with higher classification levels.

Alberto has been researching deceptive technologies with the goal of creating a system to gather information about intruders and their attack methods. This system should be designed to attract malicious activities and provide valuable insights. What kind of tool should Alberto build?

  • A. Botnet
  • B. Zombie master
  • C. Honeypot
  • D. Honeynet

Explanation: C. A honeypot is specifically designed to attract malicious users, allowing administrators to gather information and protect legitimate assets. The location, services, and data of the honeypot will determine its vulnerability to different types of attacks. It is important to note that a honeynet refers to an entire network set up to attract attackers, while a botnet is a collection of compromised computers controlled by a zombie master.

You work as an independent security consultant for a small town in the Midwest that was just breached by a foreign country. When it came time for payment to a town vendor, someone changed the transfers of monies from a physical check to an electronic payment. In response, what is the first security practice suggestion you make to prevent this from recurring?

  • A. Incorporation
  • B. Investigation
  • C. Zero trust
  • D. Data diddling

Explanation: C. Zero trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters, and instead must verify anything and everything trying to connect to their systems before granting access.

Marilyn, your CISO, has asked about the type of deception strategy the company utilizes. One of the tools she wants you to assess is Deception Toolkit, an open source honeypot software. What is the purpose of honeypot software?

  • A. Gathers information regarding intruders
  • B. Gathers information regarding external networks
  • C. Gathers information regarding botnets
  • D. Gathers information regarding network infections

Explanation: A. Honeypot software serves as a tool for gathering information about intruders and their methods. This valuable threat intelligence analysis examines the tools utilized in an attack, which enables the safeguarding of legitimate assets.

A virtual machine hosted on an ESX server in your data center contains confidential data that is no longer needed by your company. You recommend shutting down the virtual machine and deleting the VM disk (VMDK) from the host. What is the security risk?

  • A. Data retention
  • B. Data encryption
  • C. Data protection
  • D. Data remanence

Explanation: D. The described situation poses a security risk known as data remanence. Data remanence refers to the residual information that remains on a disk even after it has been erased. Although the virtual machine is no longer accessible, it does not guarantee that the data has been completely destroyed. It is recommended to take further measures to ensure data protection.

Bob is conducting a risk assessment and wants to assign an asset value to the servers in the data center. His organization wants to ensure there is a budget to rebuild in case of a natural disaster. Which method should Bob use to evaluate the assets?

  • A. Depreciated cost
  • B. Purchase cost
  • C. Replacement cost
  • D. Conditional cost

Explanation: C. The replacement cost is the actual cost to replace an asset and restore it to its previous state. It is not the cash value of the asset. The difference between replacement cost and cash value is the deduction taken for depreciation. Both are based on the cost today to replace the damaged asset. In order for Bob to accurately assess the assets, he should use the replacement cost method.

You are a network engineer for an SMB and you are currently assessing the placement of your new unified communications (UC) server. Although the server has some built-in attack mitigation capabilities, you want to ensure additional security measures. Where is the most appropriate location to place the UC server?

  • A. Behind a firewall to ensure network security
  • B. Directly connected to the Internet
  • C. Positioned between two web servers, email, and messaging systems
  • D. Connected directly to your intranet

Explanation: A. The network’s security can be maximized by utilizing a firewall, which is specifically designed to block unknown traffic and only allow access from trusted resources. By placing the UC server behind a firewall, the network’s overall security is enhanced as firewalls are proficient in managing traffic, whereas the UC server’s capabilities are not as efficient. Additionally, this ensures that the UC server is utilized for its intended purpose, optimizing network security.

A hospital database is hosting PHI data with high volatility. Data changes constantly and is utilized by doctors, nurses, and surgeons, as well as the finance department for billing. The database is situated in a secure air-gapped network where access is restricted. What is the most probable threat?

  • A. Internal user fraud
  • B. Manipulated key-value pairs
  • C. Compliance
  • D. Inappropriate admin access

Explanation: D. The database is located in a secure air-gapped network with limited access, indicating it is likely compliant and difficult for most attackers to reach. A key-value pair (KVP) refers to a pair of interconnected data items: a key, which serves as a unique identifier for particular data, and the value, which represents either the identified data or a pointer leading to its location. Key-value pairs are commonly employed in lookup tables, hash tables, and configuration files. In consideration of these factors, the most appropriate answer is inappropriate administrator access.

Your CIO has asked you to identify control types and control functions for risk mitigation. What would be the control type and function for a honeypot or honeyfile?

  • A. Detective/technical
  • B. Preventative/physical
  • C. Corrective/administrative
  • D. Recovery/technical

Explanation: A. A honeypot or honeyfile would serve as a detective control function and a technical control type. These control functions encompass preventive, detective, and corrective functionalities. Moreover, control types can be classified as physical, technical, and administrative.

Your organization has experienced growth and is now in need of hiring an individual to handle information management. This particular role will be responsible for the important tasks of security marking and labeling. Which of the following statements most accurately describes the responsibilities associated with this role?

  • A. Security marking/labeling involves utilizing the internal data structure of information systems to determine criticality.
  • B. Security labeling is of higher importance than security marking, as it is required for all types of information, including marketing information that is released to the general public.
  • C. Security marking and security labeling are essentially the same thing.
  • D. Security marking and labeling encompass adherence to compliance, requirements, applicable laws, directives, policies, and standards.

Explanation: D. Security marking involves the use of human-readable labels, while security labeling revolves around the utilization of security attributes within the internal data structure of information systems. Security marking allows for the enforcement of security policies based on organizational processes, whereas labeling allows for the enforcement of security policies based on information system operation. In order to ensure and maintain security, both marking and labeling play crucial roles.

To enter your facility, a guest must sign in and present a picture ID, which a security guard checks. What action has the security guard taken?

  • A. Identity proofing
  • B. Identity authentication
  • C. Identity accounting
  • D. Identity confidentiality

Explanation: A. Identity proofing is the process of verifying someone’s identity based on information provided by a trusted authority. In this case, the security guard is performing identity proofing by checking the guest’s picture ID. This ensures that the individual entering the facility is indeed the person they claim to be and helps maintain security within the building.

You work for a university, and the registrar is the data owner for student data. This department is responsible for managing access, classification, and regulatory requirements. Who does the data owner collaborate with to implement and uphold the technical control?

  • A. Other data owners
  • B. Data users
  • C. Data custodians
  • D. Data classifiers

Explanation: C. A data custodian, typically a system administrator, possesses the necessary technical skills and expertise. They are granted admin/sysadmin/root level access and play a vital role in working closely with the data owner to safeguard the organization’s critical information. In addition to their responsibilities in protecting data, data custodians also assist in implementing technical controls.

As a security engineer, you have discovered that some of your computers are still utilizing BIOS for hardware initialization. Which security feature, not present in BIOS but available through UEFI, provides protection?

  • A. Loads boot loader
  • B. Setting system clock
  • C. Secure Boot
  • D. Initializes system hardware components

Explanation: C. Secure Boot is a crucial security feature provided by Unified Extensible Firmware Interface (UEFI). It exclusively permits operating system boot loaders that have been certified by the software vendor. Additionally, this feature helps prevent the execution of malware during the boot process.

Jeremiah, an employee of a global construction company, has discovered that cloud computing fulfills 90 percent of his IT requirements. When evaluating cloud computing, which aspect is the least significant?

  • A. Data classification
  • B. Encryption methodology
  • C. Incident response and disaster recovery
  • D. Physical location of data center

Explanation: D. While utilizing the cloud, determining the exact location of your data storage becomes challenging. The service provider you employ could be registered in the United States, but have server facilities in Brazil. Numerous companies choose outsourcing to minimize expenses. The remaining three aspects hold greater importance in the context of cloud computing.

Your security vulnerability management team has a specific timeline for patching all systems in your organization. Which of the following options will automate this process?

  • A. Patching the management system
  • B. Using an automated patching system
  • C. Updating the management system
  • D. Automating the update system

Explanation: A patch management system provides an automated process of retrieving, testing, and installing patches on systems. Patching software can be inconvenient for end users, and sometimes recommended patches are ignored. Ensuring all systems are adequately patched can be challenging for system administrators. Software patches and updates are crucial as they prevent vulnerabilities, bugs, malware, and major issues. A software patch involves updating the code of existing programs to fix potential security vulnerabilities or other issues. Patches are designed, tested, and can be applied either manually by an admin or automatically using a tool.

Phishing is a successful way to initiate a security breach. One of the collaboration-based attacks that your company suffered last quarter was phishing, which involved the use of malicious URLs through an instant messaging tool. What is the main reason behind the success of this attack?

  • A. Your guard was down, you were anxious about meeting deadlines, and you had trust in those individuals.
  • B. You utilized your credentials to log into the collaborative tools.
  • C. Phishing is exclusively employed in emails.
  • D. IMs do not automatically block malicious files or URLs.

Explanation: A. By employing the traditional method of acquiring credentials, attackers are able to gain unauthorized access to collaboration accounts and send seemingly legitimate URLs to team members. Although we provide social awareness training for employees regarding email security, it is also important to educate them about different methods attackers can use to infiltrate a network.

You must identify a person who will have administrative control over, and be accountable for, a specific set of information and data. This person could potentially be the most senior individual within a department. What is their designated role?

  • A. Data custodian
  • B. Data user
  • C. Data owner
  • D. Data administrator

Explanation: C. A data owner holds administrative control over a specific dataset. For instance, a treasurer who is responsible for financial data or a human resources director who oversees employee data can be considered as examples of data owners. It is important to note that in the majority of enterprise organizations, the data owner is different from the custodian.

Your CIO has included the use of HSM in security baseline documentation. What is the purpose of HSM?

  • A. Managing keys for authentication
  • B. Managing CRLs
  • C. Managing data in transit
  • D. Managing TPM

Explanation: A. A hardware security module (HSM) is a physical device that is used to manage keys for strong authentication. It is typically an external device that can be plugged into a network server or a plug-in card. An HSM serves as a secure and tamper-resistant cryptographic processor specifically designed to protect the life cycle of cryptographic keys and perform encryption and decryption routines. With its robust security features, an HSM ensures confidentiality, integrity, and availability of cryptographic keys and any sensitive data processed. Additionally, HSMs provide a high level of security in terms of key management and authentication.

  • A. Remote wipe and controls, encryption, and vendor track record.
  • B. Encryption, IPV6, cost, and color.
  • C. Remote wipe, maintenance, and inventory management.
  • D. Remote monitoring, cost, SSD, and vendor track record.

Explanation: A. The most crucial security measures for any mobile device include the ability to remotely wipe it in case of loss or theft, as well as having control over access to the device. Encryption adds an extra layer of protection in terms of physical and digital security. The track record of the vendor in addressing security vulnerabilities also plays a significant role in the risk assessment.

You are a blue team member for a medium-sized business. Your goal is to automate and simulate social engineering tests using a Python-based tool that is available for free. Which of the following options is the most suitable tool for this purpose?

  • A. SET
  • B. Nmap
  • C. BurpSuite
  • D. Metasploit

Explanation: A. The Social-Engineer Toolkit (SET) developed by David Kennedy’s TrustedSec is a comprehensive framework designed for simulating various types of attacks, including credential harvesting, phishing, and PowerShell attacks. It is utilized in the famous TV show Mr. Robot, where the SMS spoofing attack is demonstrated. SET, being Python-based, enables the automation of these attacks and provides capabilities for creating malicious web pages and more. In summary, SET efficiently facilitates the execution of social engineering tests.

A third-party software vendor disclosed that a backdoor was unintentionally left in one of its products. What is the term for this occurrence?

  • A. A security patch
  • B. A rootkit
  • C. A virus
  • D. A maintenance hook

Explanation: D. Software developers commonly include a backdoor in their tools, but it is essential to remove them before the software is released to the market. However, in the event that a backdoor is unintentionally retained in a product, it is referred to as a maintenance hook. To eliminate this maintenance hook, a security patch is frequently employed.

You are evaluating remote desktop software that enables help-desk personnel to remotely access a user’s computer for troubleshooting purposes. In order to ensure ease of use, you prefer the product to be browser-based. During the evaluation, you observe a padlock icon located next to the URL in the browser. What is the significance of this padlock symbol?

  • A. You are connected using HTTP.
  • B. You are connected using SSH.
  • C. You are connected using TLS.
  • D. You are connected using TPM.

Explanation: C. The presence of a padlock icon in the URL field indicates that TLS or SSL encryption is being used to secure the transmitted data. This provides a secure connection between the help-desk personnel’s computer and the user’s computer during the troubleshooting process.

Your global software organization is required to conduct a BIA for any new company acquisition. Your organization has recently acquired a new software startup. Both your organization and the startup outsource the LMS and CMS for education to noncompatible third parties. What is your primary concern regarding this situation?

  • A. Data sovereignty
  • B. Encryption
  • C. Data migration
  • D. Disaster recovery

Explanation: A. When a global organization collects data from customers, it is crucial to consider data sovereignty. In this case, the LMS and CMS collect information on international students participating in classes, watching videos, and accessing files. This data is subject to the laws and regulations of the country where it was obtained. Many countries have enacted laws concerning data control and storage. Therefore, ensuring compliance with data sovereignty regulations becomes a significant concern for the organization’s global software operations.

You decided to start a new consulting business. You began the risk analysis process and developed employee policies and researched and tested third-party security. What is the next riskiest problem for SOHO?

  • A. Mobile devices
  • B. Email
  • C. Training
  • D. Guidelines

Explanation: Mobile devices represent the weakest security link in a SOHO (Small Office/Home Office) environment. Every mobile device has the potential to be exploited by attackers, despite the presence of passcodes, facial recognition, thumbprint scanners, and remote wipe capabilities. Bring Your Own Device (BYOD) remains a vulnerability for many organizations. Therefore, mobile devices should be considered as the next riskiest problem in this context.

Eduardo’s security department is maturing by utilizing processing pipelines and aims to present data in a more easily understandable format. After utilizing pie charts in Excel, Eduardo plans to transition to a business intelligence tool for the next step. What is the term used to describe this process?

  • A. Visualization
  • B. Hypervisor
  • C. Data complexity
  • D. Clarity

Explanation: A. Data visualization is a technique that effectively and meaningfully conveys insights from machine analytics to humans. By using visualization tools such as Domo or Google Analytics, the message conveyed by the data becomes clearer. Adding a business intelligence tool to the data analysis process would enhance the visualization capabilities, allowing for better comprehension and decision-making.

You are building a decentralized privilege management solution for your financial organization with user accounts that are defined on each system rather than a centralized server. Which of the following best describes this?

  • A. A workgroup
  • C. Client/server
  • D. Terminal services

Explanation: A. A workgroup is an excellent example of privilege management where the user accounts are decentralized. The other options, B, C, and D, are all centralized privilege management solutions. Additionally, implementing a decentralized privilege management solution can provide enhanced security and flexibility within your financial organization’s system.

You are a network engineer and need to access network equipment on the corporate LAN remotely. The solution to provide this function must include a secure login per user that is easily managed. Tracking login activity is also important. Which of the following is the best solution?

  • A. Common passwords should be set on each network device.
  • B. A common username and password should be set on each network device.
  • C. Unique usernames and passwords should be set on each network device.
  • D. Use a RADIUS solution and configure each network device to use it.

Explanation: D. Using a RADIUS solution would provide an authentication, authorization, and accounting (AAA) function that allows for easy management of credentials from a central location, while also providing login tracking. Using common usernames and passwords would not allow for tracking login activity per user. Having unique usernames and passwords on each device would be difficult to manage, as credentials would need to be modified for each device separately. Implementing a RADIUS solution is the best option to achieve secure, easily managed login access with login tracking.

You are a developer for a security software company. Your CISO tasks you with conducting a “white-box” test. The advantages include optimization and thoroughness, given the fact that the developer has full knowledge of the code and libraries used. Which of the following should be considered a disadvantage to a white-box test?

  • A. Complexity and duration
  • B. Simplicity and impartiality
  • C. Redundancy and simplicity
  • D. Accuracy and superficiality

Explanation: A. Conducting a white-box test requires the expertise of testers who possess competences in programming and have full knowledge of the code being tested. Due to the extensive knowledge and length of code involved, these tests can be time-consuming, leading to increased complexity and duration.

Brian’s new insurance company is collaborating with an ISP, and he desires to gather technical information regarding system numbers, port numbers, IP addressing, and the protocols utilized. Which document contains this information?

  • A. Memorandum of understanding
  • B. Disclosure of assets
  • C. Operation level agreement
  • D. Interconnection security agreement

Explanation: D. The interconnection security agreement (ISA), detailed in NIST SP 800-47, is a contractual agreement between telecommunication organizations that aims to connect networks and facilitate traffic exchange. It governs the security-related aspects when two entities operate under distinct authorities. An MOU (memorandum of understanding) is a non-legally binding agreement between two or more parties. Disclosure of assets serves to prevent conflicts of interest and acts as a discouragement against collusion, typically required of public officials. An OLA (operation level agreement) outlines the responsibilities of each support group to other support groups.

Your security compliance audit failed because there was a lack of data streaming into a logging tool, resulting in an inability to analyze the data. You have been assigned the task to lead a team in implementing a logging tool that can proactively index and search logs, thereby mitigating this risk. Which tool do you choose to implement and lead the team towards achieving compliance?

  • A. SIEM
  • B. VM
  • C. DNS
  • D. LASE

Explanation: A. A security information and event management (SIEM) tool provides near real-time alerts and analysis of network hardware, servers, and applications. It captures logs from various devices, aggregates the data, correlates it, identifies commonalities, and links events that fall outside the normal range. Leading SIEM vendors include QRadar, ArcSight, and Splunk. Additionally, SIEM aids in achieving compliance by facilitating effective monitoring and analysis of security events.

  • A. Implement IPSec on critical systems.
  • B. Utilize threat emulation.
  • C. Employ encryption.
  • D. Establish Key Performance Indicators (KPIs) to measure progress.

Explanation: Threat emulation plays a critical role in identifying malware during the exploit phase, before hackers can employ evasion techniques. By promptly quarantining and inspecting files, running them virtually, any malicious behavior can be detected before it accesses your network. Additionally, threat emulation has the ability to convert newly identified unknown attacks into known signatures, allowing for the blocking of these threats before they have a chance to proliferate.

You are working on a business continuity and incident response plan for your health organization. What is the control type of this function?

  • A. Detective
  • B. Preventive
  • C. Corrective
  • D. Reconciliation

Explanation: B. There are three main types of controls: detective, preventive, and corrective. Controls are policies and procedures or technical safeguards that are implemented to prevent problems and protect the organization. A business continuity and incident response plan is a preventive control type. Preventive internal controls are those controls put in place to avoid a negative event from occurring. Corrective controls are typically implemented after the detective internal controls discover a problem. These controls could include disciplinary action, software patches, or modifications.

  • A. BPA
  • B. MOU
  • C. ISA
  • D. NDA

Explanation: C. An Interconnection Security Agreement (ISA) is the appropriate choice as it specifically outlines the technical requirements for secure connections, such as Network Intrusion Detection Systems (NIDS) or Network Intrusion Prevention Systems (NIPS). Additionally, it ensures that the data is encrypted properly, possibly through the utilization of self-encrypting drives (SEDs). On the other hand, a Business Partnership Agreement (BPA) refers to an agreement between two parties to enter into a business partnership, while a Memorandum of Understanding (MOU) is a document that establishes an understanding between two parties who need to collaborate. Lastly, an NDA, which stands for Non-Disclosure Agreement, is a contract that is typically signed by two parties to protect confidential information that they intend to share with each other.

Your company underwent a merger, and now you need to consolidate domains. Which tool should you utilize in order to determine the domain owner, expiration date, and contract details?

  • A. Netstat
  • B. Whois
  • C. SSH
  • D. TCPDump

Explanation: B. When migrating mail and web services, it is advisable to contact all administrators listed on the domains found through Whois. Netstat is a command-line network utility that displays network connections. SSH is employed for encryption. TCPDump functions as a packet analyzer.

Your company deployed various databases throughout its network. A solution is needed to monitor the databases and analyze the type of activity occurring on them. Which of the following options provides the best solution?

  • A. DAM (Database Activity Monitor)
  • B. SIEM (Security Information and Event Management)
  • C. XSS (Cross-Site Scripting)
  • D. WAF (Web Application Firewall)

Explanation: A. Database activity monitors (DAMs) are specifically designed to monitor databases and analyze the type of activity occurring on them. DAMs are similar to SIEMs, but they focus solely on databases, whereas SIEMs are designed to handle various networked devices. Selecting a DAM would be the most suitable solution for monitoring and analyzing the activity on your company’s databases.

One of your teammates is struggling with understanding why a program is not responding as expected when it runs. What would you suggest they try next to troubleshoot?

  • A. Kernel dumping
  • B. Check internal data flow
  • C. Runtime debugging
  • D. Automation

Explanation: C. Runtime debugging is a useful technique for examining the state of a program during runtime. By setting breakpoints and executing small sections of code at a time, it becomes easier to identify why a piece of code that should be correct is not executing as expected. Additionally, runtime debugging provides valuable insight into the program’s flow and behavior, helping to diagnose and solve issues effectively.

You found that an attacker compromised a web conferencing server by exploiting a known vulnerability in the software. What should be done to prevent this intrusion?

  • A. Install a firewall in front of the server.
  • B. Ensure the web conferencing software is regularly updated with patches.
  • C. Install antivirus software on the web conferencing server.
  • D. Always use HTTPS.

Explanation: It is important to address a known vulnerability by either applying patches or implementing compensating controls to prevent exploitation of the vulnerability.

Employees in your organization must use a Windows 10 desktop with a multicore CPU, a minimum of 8 GB of memory, and a solid-state drive. Which option accurately describes these technical aspects?

  • A. A policy
  • B. A procedure
  • C. A standard
  • D. A responsibility

Explanation: C. Standards define the technical aspects of a security program and include any hardware or software that is required by your organization. As such, they should be detailed enough to eliminate any ambiguity regarding the implementation of hardware or software. Standards ensure consistency in the organization’s systems and processes.

Alice is responsible for ensuring PCI compliance for her organization. According to the policy, she needs to remove certain information from a database. However, she is unable to do so due to technical limitations. In order to mitigate the risk, Alice is exploring the option of implementing a compensating control. What would be the most suitable course of action for Alice to take in this situation?

  • A. Insurance
  • B. Encryption
  • C. Deletion
  • D. Exceptions

Explanation: B. By encrypting her database, Alice would be utilizing an algorithm to convert readable data into unreadable data. The data can only be deciphered with the key or algorithm, making it impossible to reconstruct the original information without this knowledge. The primary purpose of encryption is to safeguard data from theft, malicious intent, or improper usage. Additionally, implementing encryption ensures compliance with PCI standards and helps protect sensitive information.

Your department is searching for a new storage solution that allows an undetermined number of systems to connect using file-based protocols, such as NFS and SMB, for peering purposes. Additionally, this solution will be used for filesharing services such as data storage, access, and management for network clients. What is the most suitable storage solution for your organization?

  • A. SAN
  • B. NAS
  • C. DAG
  • D. DAS

Explanation: B. Network-attached storage (NAS) provides file-sharing services using file-based protocols. NAS can connect an unlimited number of devices without being limited by physical constraints, like port availability. NAS performance depends on network congestion and speed. A SAN (storage area network) is a dedicated network of storage devices inaccessible through the local area network. Although a SAN only offers block-level access, file-level access can be achieved through shared-disk filesystems built on SANs. A DAG (directed acyclic graph) is a type of graph with no cycles. A DAS (distributed antenna system) is a network of antenna nodes connected to a central source, providing wireless service within a limited geographical area.

Your CISO has requested that you assess an antivirus tool for all laptops issued by the company. The cost of implementing the tool for all 90 laptops is $3,000. Based on historical data, it is expected that 12 computers will be affected, resulting in a Single Loss Expectancy (SLE) of $1,500. What is your recommendation to the CISO?

  • A. Accept the risk.
  • B. Mitigate the risk.
  • C. Transfer the risk.
  • D. Avoid the risk.

Explanation: B. The Annualized Rate of Occurrence (ARO) multiplied by the SLE equals the Annualized Loss Expectancy (ALE), or 12 × $1,500 = $18,000. If the computers are left unprotected, the company could face a potential loss of $18,000 per year. In order to address this risk, it is recommended to mitigate it by purchasing the antivirus tool. Antivirus software is specifically designed to protect computers from various forms of malware such as viruses, worms, spyware, botnets, rootkits, and keyloggers. To ensure the security of company-issued laptops, implementing the antivirus tool is crucial.

Your CISO requires a solution to mitigate a DDoS attack in the event that it is launched against the company. The CISO has tasked you with identifying a technique that can drop malicious DDoS traffic targeting a specific IP address or range of IP addresses. What technique accomplishes this task?

  • A. Remotely triggered black hole
  • B. Transport security
  • C. Trunking security
  • D. Port security

Explanation: A. A remotely triggered black hole is a technique in which a device, such as a router, can detect DDoS traffic and send a routing update to other network routers. This action creates a black hole through which the malicious traffic is dropped. Transport security involves securing data while it is being transmitted over a network. Trunking security focuses on securing trunk links used for VLAN traffic propagation. Port security pertains to the implementation of measures to secure ports on an Ethernet switch.

Your company undergoes a three-year cycle of tech refreshes on mobile devices and a five-year cycle on servers and workstations. You are evaluating the latest versions of operating systems to determine the safest and most functional option for your mission-critical assets. What is your initial step in this process?

  • A. Build a threat model.
  • B. Conduct developer interviews.
  • C. Write a report.
  • D. Triage results.

Explanation: A. To effectively prioritize the identification of high-severity vulnerabilities within the time frame for deploying the new assets, it is essential to focus on specific areas. Therefore, creating a threat model ensures targeted and efficient evaluation.

You have a user, Charles, who wants to conduct videoconferences from his computer. He finds a free program that fulfills his requirements and downloads it. However, the program, which has only been released for a few months, unfortunately contains malware that infects not only his system but also others. What technological measure could have potentially averted this situation?

  • A. Redlisting
  • B. Blacklisting
  • C. Graylisting
  • D. Whitelisting

Explanation: D. Whitelisting programs can effectively prevent users from downloading and installing software that is not included in the pre-approved whitelist. This ensures that only known and tested software is installed on a system. In this scenario, employing a whitelisting technology could have prevented the user from installing the malware-infected program, thereby averting the issue altogether.

You have completed a vulnerability scan on your network without utilizing any SMB or SSH service credentials, which provides you with an understanding of how your network appears to the external world. The subsequent step involves employing shared IT service account credentials. What is the name given to this type of vulnerability scan?

  • A. Authenticated
  • B. Unauthenticated
  • C. Secured
  • D. Accessible

Explanation: A. Authenticated scanning involves the vulnerability manager logging in as a network user, allowing the scan to reveal vulnerabilities that are accessible to trusted insiders or an attacker who has compromised a trusted user’s account. This type of scan provides a comprehensive assessment of potential vulnerabilities within the network.

Your CISO wants to install a security product capable of detecting and removing various types of malicious programs, such as viruses, Trojans, ransomware, spyware, adware, and other similar threats. Which option is best suited to meet this criteria?

  • A. Antivirus
  • B. Antimalware
  • C. Anti-adware
  • D. Application controls

Explanation: B. Antimalware products are capable of detecting and removing a wide range of malware, including viruses, Trojans, ransomware, spyware, adware, and other malicious programs or code. Antivirus products specifically focus on recognizing and removing viruses. Antispyware products target programs that covertly collect information on the infected system. Anti-adware products are designed to detect and remove programs that display advertisements on an infected user’s screen. Application controls, on the other hand, enhance the security of data input into a database by using features like validity checks, which ensure that the entered data meets specific criteria.

Your CISO asks you to develop deployment solutions for internally developed software that offer the best customization and control over the product, regardless of cost. Which solution would be the ideal choice?

  • A. A hosted deployment solution with a lower initial cost, but requiring hardware maintenance for the software.
  • B. Cloud-based deployment solutions that only require a monthly fee.
  • C. Elastic virtual hosting based on need.
  • D. An on-premises traditional deployment solution.

Explanation: D. An on-premises deployment solution is the only option that provides complete control over the network, hardware, and software. While it may have a higher upfront cost compared to hosted or cloud-based solutions, the local organization will have direct access to the system and all the data. Additionally, choosing this solution ensures maximum customization and control over the product.

In the past, your global organization tasked individual locations and departments with creating their own separate disaster recovery plans with immutable infrastructure. The organization realizes that these employees have the best knowledge of how their division operates. Your new CISO has assigned your team with the responsibility of developing a viable plan in the event that your company faces a disaster. What is your objective?

  • A. Ensure that numerous separate plans are recorded accordingly.
  • B. Develop a fully integrated business continuity plan.
  • C. Implement separate plans for each geographic location.
  • D. Maintain separate plans for each logical department, regardless of their physical location.

Explanation: B. A business continuity plan (BCP) and disaster recovery plan (DRP) are never considered complete, as they require continuous updating and enhancement over time. Management oversees a single fully integrated plan, which requires approval and testing and may consist of multiple subplans. Immutable infrastructure refers to an approach in managing services and software deployments on IT resources, where components are replaced rather than modified. With this approach, a device, component, application, or service is effectively redeployed with each occurrence of change or disaster.

Your CISO has expressed concerns regarding employees posting confidential information on social media. Which of the following options provides the most effective solution for addressing this issue?

  • A. Block access to social media sites on corporate resources.
  • B. Conduct training sessions for employees to emphasize the importance of not disclosing company information on social media.
  • C. Prohibit employees from maintaining social media accounts.
  • D. Develop a corporate policy outlining the requirement of not disclosing corporate information on social media platforms and the associated consequences.

Explanation: D. Among the available options, developing a corporate policy that explicitly states employees are not allowed to disclose corporate information on social media platforms, along with the consequences of doing so, is an excellent initial step. Additionally, it would be beneficial to provide training to employees to ensure they understand the policy and recognize the significance of refraining from divulging such information.

  • A. Modify the content of the cookie.
  • B. Alter session data.
  • C. Inject malicious content.
  • D. Consume it.

Explanation: D. I couldn’t resist. Regardless, it’s important to note that cookies are not always intended to store sensitive information. In fact, certain cookies utilized with the “Remember Me” feature may contain usernames and passwords encoded in Base64, which can be deciphered on various websites.

Your CISO has requested that you implement a solution on the servers in your data center that is capable of detecting any malicious activity and sending alerts to the IT staff upon detection. Which of the following solutions can achieve this objective?

  • A. Host-Based Intrusion Detection System (HIDS)
  • B. Network-Based Intrusion Detection System (NIDS)
  • C. Host-Based Intrusion Prevention System (HIPS)
  • D. Network-Based Intrusion Prevention System (NIPS)

Explanation: A. A Host-Based Intrusion Detection System (HIDS) is used to detect intrusions on a system and subsequently alert the appropriate personnel. These alerts can be delivered through various channels, such as email and text messages. Furthermore, a Host-Based Intrusion Prevention System (HIPS) analyses events occurring within a single host in order to identify suspicious activity. HIPS solutions provide comprehensive protection for the host, safeguarding it against both known and unknown malicious attacks, from the network layer to the application layer. It is worth noting that network intrusion detection/protection solutions are not host-based.

Your organization requires a security model for maintaining integrity, where the subject is unable to transmit messages to an object of higher integrity. Which feature of the Biba model is specifically designed to fulfill this requirement?

  • A. Simple
  • B. Star
  • C. Invocation
  • D. Strong

Explanation: C. The Biba model is a state transition system for computer security that organizes data into ordered levels of integrity. Its unique feature, invocation properties, ensures that a process from a lower level cannot even request higher access privileges; it can only interact with the same or lower levels. This concept can be seen as the opposite of the Bell-LaPadula model, which focuses on security and individuals. It is worth noting that the Biba model aims to prevent data corruption by limiting subject behaviors.

Fletcher, a security engineer for a government agency, is tasked with determining the control of highly classified customer information. Who should advise him on coordinating the control of this sensitive data?

  • A. Sales
  • B. HR
  • C. Board of directors
  • D. Legal counsel

Explanation: D. Legal counsel should always be involved in discussions regarding the control of sensitive information. They possess knowledge of current laws and regulations that may impact the protection of this valuable resource. Adding legal expertise ensures that the organization remains compliant and up to date with legal requirements.

You are a technical project manager on a VoIP/teleconference project. The customer has shared their requirements with your department. Availability must be at least ninety-nine point nine nine nine percent (99.999%), and all devices must support collaboration and be hardened for security. What is the optimal combination of controls to implement in this ecosystem?

  • A. Standardize all images and ensure double redundancy.
  • B. Implement network access controls and high-speed processing as part of the security policies.
  • C. Utilize RAID 0 and hot sites.
  • D. Enforce security policies, implement standard images/configurations, and maintain backup on all storage devices.

Explanation: D. Although the importance of speed is acknowledged, the primary focus of the question is availability. To prioritize availability, it is crucial to enforce security policies aligned with the requirements, establish a standard image and configuration for hardening, and ensure backups are available. Additionally, speed can contribute to overall system effectiveness and should be considered.

Your best practices are outlined in the compliance requirements of the Payment Card Industry Data Security Standard (PCI DSS). This standard specifically defines the digital framework for which type of organization?

  • A. Any organization, regardless of its size or the number of transactions it handles, that stores any cardholder data.
  • B. The financial industry, with the exception of trading companies.
  • C. Only publicly traded mortgage companies and banks.
  • D. Retail organizations that conduct more than 30,000 transactions per month.

Explanation: A. The PCI DSS was collectively created in 2006 by American Express, Discover, Visa, Mastercard, and JCB International to apply to any organization, regardless of its size or the number of transactions it handles, that accepts, transmits, or stores any cardholder data. These best practices aim to enhance the security posture of an organization and protect cardholder information. You can find PCI DSS best practices at

An organization installed various Ethernet ports in its facility. Each port allows anyone to plug their computer into the network without any restrictions, which poses a security risk even with network segmentation. What technology should be implemented to ensure that only authorized computer equipment can connect to the network through these Ethernet ports?

  • A. Network access control
  • B. Proxy
  • C. Next-generation firewall
  • D. Security information and event management system

Explanation: A. Network access control (NAC) is a technology that allows IT staff to manage the devices that can connect to a network. NAC offers different authentication methods, such as using the device’s MAC address or installing NAC software on the device. By implementing NAC, the organization can ensure that only authorized devices are granted access to the network through the Ethernet ports.

You have completed a penetration test and discovered a critical vulnerability in a web server that is essential for your organization’s operations. This web server must maintain an uptime of 99.9 percent. However, patching the vulnerability may potentially disrupt the application running on the server. How can you secure the web server temporarily until an alternative solution is found?

  • A. Utilizing a stateful inspection firewall
  • B. Installing antivirus protection
  • C. Using a circuit-level gateway
  • D. Implementing a HIDS/HIPS

Explanation: D. A HIDS/HIPS provides monitoring and analysis of both the system’s internal operations and network behavior. By utilizing a HIDS/HIPS, you can determine what programs are being accessed by the system and whether there have been any alterations to the security policy on that machine. In this way, the HIDS/HIPS can help protect the web server until a permanent solution is implemented.

Two CISOs brought their IT leadership together to discuss the BIA and DRP for a merger between two automobile manufacturers. Their first priority is to communicate securely using encryption. What is the best recommendation?

  • A. Use DNSSEC on both domains
  • B. Use TLS on both domains
  • C. Use S/MIME in select email transmissions
  • D. Push all communication to the cloud

Explanation: A. All Internet usage begins with DNS. However, DNS was designed in the 1980s before security became a priority. To address this, the Internet Engineering Task Force (IETF) introduced DNS Security Extensions (DNSSEC). DNSSEC utilizes digital signatures and public key cryptography to secure the DNS data.

You found a suspicious USB in the corporate parking lot and brought it back to your lab to be detonated in a sandbox. The USB contains unreadable documents and audio files. You select one file that is unusually large for analysis, in order to search for concealed information. What is the term used to describe this process?

  • A. Stego-analyzer
  • B. Stegoanalysis
  • C. Steganography
  • D. Steganalysis

Explanation: D. Steganalysis is the process of searching for hidden information within steganography data. In this case, it involves analyzing the abnormally large file in order to uncover any concealed information within it.

Your database administrator (DBA) has contacted you regarding modifications made to the relational database used by the security department. Instead of using names, secret projects are now referred to by an identification number. Please identify the security control that has been implemented.

  • A. Encryption
  • B. Randomization
  • C. Pseudonymization
  • D. Tokenization

Explanation: C. Pseudonymization involves the use of aliases or fake identifiers to represent sensitive data that requires protection. In this case, secret projects are now referred to by an identification number to ensure confidentiality. With pseudonymization, the original names are replaced with anonymous identifiers, adding an additional layer of security to the database. This helps prevent unauthorized access or exposure of sensitive information.

  • A. Increased capability and increased risk and higher total cost of ownership (TCO)
  • B. Decreased capability and increased risk and higher TCO
  • C. Increased capability and decreased risk and lower TCO
  • D. Decreased capability and decreased risk and lower TCO

Explanation: A. Adding wireless access (802.11x) to any network brings increased capability to the system due to its ease of use and movement. However, it also introduces an increased risk as data is transmitted over the airwaves. This leads to a higher total cost of ownership as additional security measures, personnel, and network assets need to be acquired and maintained.

You are a developer for a research organization and have been assigned the task of testing a new team member’s code. Your objective is to gather as much diagnostic information as possible to identify and troubleshoot potential problems. Which of the following options would be the most effective in achieving this goal?

  • A. Memory dump
  • B. Pivoting
  • C. DNS records
  • D. Internal audit

Explanation: A. A memory dump, also known as a crash dump, is the process of capturing and storing all the information present in the computer’s RAM. It is commonly caused by corrupted files in the registry, and can also occur due to accidental overclocking or overheating. Generally, a memory dump results in the display of a blue screen of death (BSOD).

Your incident detection team is responsible for finding intruders on the endpoints, on the network, and in your infrastructure. They utilize endpoint protection tools to trace intruder activity, contain the threat, and remove it. Acquiring knowledge on how attackers gain access and navigate within your network is highly valuable. What term is used to describe this process?

  • A. INS
  • B. IDR
  • C. CIA
  • D. DNS

Explanation: B. This process is known as incident detection and response (IDR). By familiarizing yourself with the different stages of the attack life cycle, you enhance your ability to identify, respond to, and mitigate a threat before criminals can compromise your data.

Your IT staff is in need of a wireless solution to transmit data in a manufacturing area that has a significant number of electrical motors. It is crucial that the technology can transmit approximately 1 Mbps of data over a distance of approximately 1 meter, all with a clear line of sight. There are no obstacles between the devices that will be using this technology. Due to the specific environment, the use of radio energy (RE) is not a viable option. Which technology would be the most suitable for this particular situation?

  • A. Wi-Fi
  • B. Bluetooth
  • C. IrDA
  • D. RF

Explanation: C. Infrared Data Association (IrDA) is an organization that supports protocols for wireless infrared technology using infrared signals. Since infrared signals require a line of sight, they are considered highly secure as it is difficult to intercept or sniff the traffic.

New security technology is necessary because data thieves have discovered another method of stealing your company’s information. It is widely recognized that usernames and passwords are not sufficient for ensuring security. Which of the following options is a newly emerging and highly secure form of authentication for further investigation?

  • A. Hardware authentication
  • B. Rule-based access control
  • C. Vulnerability management
  • D. Incident detection

Explanation: A. Hardware authentication is a method of authentication that involves the use of hardware in a unique manner. In the past, authentication was done through licensing and tokens, but implementing authentication into hardware has become particularly crucial for the Internet of Things (IoT). Effective authentication requires users to provide three elements: what they know, who they are, and what they have. The device itself serves as the “what they have” component, ensuring that only authorized entities can gain access to the network. To enhance security, it is imperative to explore and study hardware authentication as a potential solution.

You are developing an information security program to safeguard critical business processes, data, and assets. What are the three components necessary for implementing information security programs?

  • A. People, processes, policies
  • B. Assets, authentication, authorization
  • C. Backups, broadband, BCPs
  • D. Servers, SaaS, supply chains

Explanation: A. In order to create a robust security program, it is important to consider the involvement of people, who possess the technical expertise to update policies or modify processes. This is crucial as any security requirement that relies on people should not be bypassed; the organization should be knowledgeable about security protocols and should refrain from attempting to circumvent such controls. Additionally, effective cybersecurity measures require comprehensive procedures and well-defined policies.

You are employed as a security consultant by a petroleum chemical company. The company relies on SCADA for the monitoring of sensors and control valves across their premises. Which of the following options would provide the most effective security measures for the company’s SCADA system?

  • A. Installing HIDS on the various devices that constitute the SCADA system
  • B. Implementing a defense in depth strategy in front of the SCADA system
  • C. Ensuring that devices within the SCADA system have implicit allow rules on the firewall
  • D. Installing antivirus software on the devices that make up the SCADA system

Explanation: B. Regrettably, most SCADA systems have insufficient security measures in place. Consequently, two methods can be employed to enhance the security of these systems. First, it is crucial to ensure that all systems have the latest firmware installed. Second, the implementation of a defense in depth strategy should be considered, where multiple security devices are positioned in front of the SCADA systems to effectively filter out malicious content. It is important to note that most SCADA systems do not support the installation of software such as HIDS and antivirus products.

Your newly formed IT team is investigating cloud computing models. You would like to use a subscription-based cloud computing model for common services, where the vendor oversees developing, managing, and maintaining the shared pool of computer resources across the network for multiple tenants. Which option below is most suitable for this situation?

  • A. Public
  • B. Private
  • C. Agnostic
  • D. Hybrid

Explanation: A. A public cloud is a cloud computing model where IT services are delivered over the Internet. Public clouds are characterized by their elasticity and scalability, providing cost-effective solutions for various computing needs. They offer a wide range of choices for different requirements.

Amos is creating allow lists and block lists of IP addresses while editing an ACL. What device is Amos most likely configuring?

  • A. A switch
  • B. A modem
  • C. A router
  • D. A hub

Explanation: C. A router is the device most commonly associated with managing access control lists (ACLs). An ACL is a fundamental firewall control that is used to permit or deny network traffic. It allows Amos to manage the flow of traffic into a network, determining which IP addresses are allowed and which are blocked. In this case, Amos is configuring a router to control access to the network based on IP addresses.

The performance on the server running SQL is degrading and occasionally fails. You ran diagnostics, and despite having adequate RAM, your OS is not correctly managing the resources. What is most likely happening?

  • A. Memory leak
  • B. Dysfunctional dependency
  • C. SQLi
  • D. Virus

Explanation: A. When a computer functions normally, RAM is used dynamically and resources are allocated as needed. However, in certain situations, the RAM may not be freed up when no longer needed, leading to a memory leak. This can result in degrading performance and occasional failures of the server running SQL.

You examine activity in a data center on the corporate network. There is nonuser behavior that appears to be both malicious and suspicious. Which type of model would you utilize to determine your response?

  • A. COBIT
  • B. Advanced threats
  • C. Machine learning
  • D. GDPR

Explanation: C. In order to identify the source of this malicious behavior, machine learning would be the most appropriate model to use. By analyzing the behavior of the entity rather than just focusing on individual users, machine learning can provide insights into how a specific data center typically behaves. Any abnormal activity would then trigger an alert, allowing for swift action to be taken.

You are a service provider responsible for ensuring that an audit for PCI DSS occurs and that the correct documentation is completed by the relevant parties. This is part of the assessment you provide. What is this process called?

  • A. Service provider request
  • B. Attestation of compliance
  • C. Payment requests
  • D. Security standards council

Explanation: B. The definition of attestation, according to Merriam-Webster’s dictionary, is “an act or instance of proving the existence of something through evidence.” The Payment Card Industry (PCI) is governed by the PCI Security Standards Council, which certifies that an organization has completed and passed or failed an audit with an attestation of compliance. In this process, the service provider ensures that the necessary audit is conducted, and the relevant individuals complete the required documentation to comply with the PCI DSS assessment. This step is crucial to validate the organization’s adherence to the applicable standards and regulations.

In large enterprise data systems, the operation and maintenance work is crucial in ensuring the overall stability of platforms by preventing service interruptions caused by hardware and software failures. Given the challenges faced in massive data environments, what kind of automated solutions can facilitate response efforts?

  • A. EDR
  • B. Self-encrypting devices
  • C. SSO
  • D. Self-healing hardware

Explanation: D. In a business that encompasses hundreds of thousands of server units, it is difficult to detect hardware failures at the software level due to their offline nature. Each failure poses a significant threat to the stability of the system. Dealing with these issues involves timely discovery of hardware failures and effective service migration of failed machines. Automated self-healing hardware platforms simplify the response process.

Alice and Bob are discussing federated identity and the differences between 2FA and MFA. Bob says it is the same thing, and Alice is explaining to him that it isn’t. Which statement best describes the difference?

  • A. Multifactor authentication (MFA) requires users to verify their identity by providing multiple pieces of evidence, such as something they know, something they have, or something they are. Two-factor authentication (2FA) is when a user provides two authentication methods, such as a password and a fingerprint.
  • B. 2FA and MFA follow the same process, with the only difference being that 2FA requires two separate types of authentication methods, while MFA can include two or more of the same methods.
  • C. 2FA is considered safer and more user-friendly compared to MFA.
  • D. Multifactor authentication (MFA) requires users to verify their identity by providing at least two pieces of evidence, such as something they know, something they have, or something they are. Two-factor authentication (2FA) is when a user provides two or more authentication methods, such as a password and a fingerprint.

Explanation: A. Multifactor authentication can involve two or three different factors, while two-factor authentication is always limited to only two factors. Requiring users to authenticate with three factors enhances security, although it’s important to ensure that the MFA solution remains user-friendly. It’s crucial to make the security controls easy to use, as end users may try to bypass them otherwise.

As a security analyst for a hospital, you rely on certain assets that are running high-end customized legacy software. What precaution should you implement to protect yourself if this developer goes bankrupt?

  • A. Access control
  • B. Service level agreement
  • C. Code escrow
  • D. Outsourcing

Explanation: C. Code escrow is a storage facility hosted by a trusted third party that will ensure you have access to the code even if the developer goes out of business. This arrangement provides an added layer of security and guarantees that you can still make necessary changes or updates to the software even in the absence of the original developer.

While constructing a new VoIP framework, what additional element must be incorporated to ensure redundancy?

  • A. Power
  • B. Budget
  • C. Legal
  • D. ISP

Explanation: A. In comparison to the traditional plain old telephone system (POTS), Voice over IP (VoIP) is more vulnerable to power interruptions. In the event of a power outage, the entire VoIP system ceases to function. Hence, the inclusion of a reliable power backup or alternative power source is crucial for ensuring redundancy. Additionally, this backup power solution should be capable of sustaining the VoIP system’s operations during any power disruptions.

Paul’s company has discovered that some of his organization’s employees are using personal devices, including cell phones, within highly secure areas. The CISO wants to know which employees are violating this policy. Which of the following devices can help the CISO identify employees who are violating this policy?

  • A. DLP
  • B. WIDS
  • C. NIPS
  • D. Firewall

Explanation: B. Wireless intrusion detection system (WIDS) solutions can locate and identify Wi-Fi devices, as well as Bluetooth, Bluetooth Low Energy, and devices emitting cellular signals. This means that a WIDS can detect a cell phone even when the Wi-Fi and Bluetooth features are not active. Network-based IDSs and IPSs monitor for suspicious network-based activities. A firewall is responsible for filtering content flowing through the unit.

You have deployed an operating system that uses atomic operations. Atomic operations are commonly used in modern operating systems at the kernel level and in parallel processing systems. Atomic operations in concurrent programming are program operations that run completely independently of any other processes. What is the main issue that can occur with this type of operating system or programming?

  • A. In the scenario where two operations run in parallel and utilize the same data, a discrepancy can be observed in the results of the operation.
  • B. Can atomic operations only exist in nonsequential processing environments?
  • C. The guarantee of data integrity is not assured.
  • D. Does this system require a significant amount of RAM to function properly?

Explanation: A. The main issue arises when two concurrent operations utilize the same data and produce different results. Locking is an approach that allows for locking in variable data, ensuring sequential operation of atomic processes that access the same data.

Your penetration test of several SQL databases returned the following error: “ERROR: unterminated quoted string at or near ‘”. How should you label this in your report?

  • A. Incorrect error handling
  • B. Correct error handling
  • C. Vulnerability
  • D. XSS

Explanation: In the development of any application, it is crucial to assume that all users may have malicious intent. Improper error message handling by developers can expose sensitive information that can be exploited by attackers. It is important to identify this issue in the report for further attention.

You and your organization are performing an annual threat-modeling exercise, where you search for potential threats arising from both physical and digital vulnerabilities. Employing the well-known Microsoft IT threat-modeling methodology, you aim to identify threats that are relevant to your product. What is the name of this methodology?

  • A. STRIDE
  • B. PASTA
  • C. TRIKE
  • D. VAST

Explanation: A. All of these options represent different threat models. However, the STRIDE methodology, developed by Microsoft in 1999, focuses on the following threats: spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privilege. This methodology helps to systematically analyze how attackers can exploit these threats. PASTA is a seven-step risk assessment model, while TRIKE is used for security auditing. VAST allows for scaling the threat model across an entire ecosystem and SDLC, providing actionable output.

Forming a response team and assigning responsibilities is a critical step in emergency response planning. If the assigned roles are unfamiliar to the team, important actions may be overlooked when a security incident occurs. In summary, a cyber-emergency response team should analyze incident data, discuss observations, manage communications, remediate, and close the incident with which response option?

  • A. Understanding lessons learned
  • B. Negotiating a contract
  • C. Building an SOC
  • D. Performing risk analysis

Explanation: A. After an incident, the team should recommend changes in technology, policy, governance, and training to prevent a similar incident from reoccurring. Understanding the lessons learned will facilitate sharing of information throughout the company and provide valuable additions to existing security policies and procedures.

One of your domain administrator’s username and password combinations was compromised. An attacker with those credentials can engage your network in nefarious ways. How can you detect this type of behavior and raise a red flag alert?

  • A. IDR
  • B. UEBA
  • C. RBAC
  • D. AM

Explanation: B. User and entity behavior analytics (UEBA) involves using analytics to identify unusual or abnormal behavior by users. By establishing a baseline of normal activity over a specific period of time, any deviations from this baseline can trigger an alert. This allows you to distinguish between legitimate and illegitimate activity.

You need to perform a repetitive task on a Linux machine. Which of the following options is the most suitable for executing this type of task?

  • A. Bash
  • B. Python
  • C. Cron job
  • D. PowerShell

Explanation: Cron is a Linux command used for scheduling tasks. Cron jobs allow you to automate commands or scripts on your server to perform repetitive tasks automatically. This tool can be very useful as it allows you to schedule tasks at specific time intervals or days of the week/mo Bash is the default user shell on most Linux installations. Its main purpose is to allow users to interact effectively with the system through the command line. It provides features such as sending output of one program as input to another and interacting with the filesystem. Python is a popular general-purpose programming language known for its versatility. It offers high-level data structures, dynamic typing, dynamic binding, and many other features that make it suitable for complex application development. PowerShell is a powerful tool for automating tasks and simplifying configuration on Windows systems, including tasks related to Active Directory and Exchange.

Your company’s HR department has notified IT that an end user is reporting a suspicious web page on the intranet. According to the user, when they clicked a button to download software updates, it instead directed them to their personal bank account homepage. What kind of attack is most likely to have occurred against your organization?

  • A. CSRF
  • B. Phishing
  • C. Social engineering
  • D. Click-jacking

Explanation: When a web user accesses a fake website or clicks a button to download a file or win a prize, they are deceived into clicking a hidden button that could result in a payment on another site. This type of attack is known as click-jacking. It is not a CSRF attack, which involves forging the entire request without the user’s knowledge or input.

You have mission-critical software running on a server in your data center with a known security flaw. The software vendor does not have a patch in place to fix the problem, and there is potential for attacker exploitation. What is this called?

  • A. No-day vulnerability
  • B. Zero-day vulnerability
  • C. Patch vulnerability
  • D. Java vulnerability

Explanation: B. A zero-day vulnerability is an unintended flaw left in software or an operating system where there is no patch or fix available. These vulnerabilities expose an organization to potential exploitation by cybercriminals. The term “zero-day” refers to a software vulnerability without a fix. Once the vulnerability becomes known to the public, the software vendor must work quickly to provide a fix. If the vulnerability is exploited against an organization before the fix or patch is available, it is known as a zero-day attack.

Your organization has increasingly relied on cloud access security broker (CASB) vendors to effectively manage cloud service risks, enforce security policies, protect against insider threats, and ensure compliance with regulations. Which of the following is not considered one of the fundamental pillars of CASB?

  • A. Visibility
  • B. Data security
  • C. Database normalization
  • D. Threat protection

Explanation: C. CASB primarily focuses on enhancing security measures. In addition to requiring visibility and access control for cloud assets, organizations also rely on CASB for data loss prevention and protection against malware and insider threats. This is crucial as insiders may intentionally or unintentionally compromise sensitive data for various purposes. It is important for organizations to prioritize comprehensive security strategies provided by CASB vendors to mitigate potential risks effectively.

What was the primary composition of the Mirai botnet that launched a massive DDoS attack in 2016?

  • A. Internet of Things (IoT) devices
  • B. Servers
  • C. Laptop computers
  • D. Switches

Explanation: A. The Mirai botnet, which gained notoriety for its colossal distributed denial-of-service (DDoS) attack in 2016, was predominantly made up of Internet of Things (IoT) devices. A DDoS attack aims to overload a web server or online system with excessive data, resulting in disrupted services. These attacks can have various motives, ranging from mischievous pranks to targeted acts of revenge or hacktivism. The IoT represents the convergence of wireless connectivity and intelligent sensors within embedded systems. With the integration of advanced low-power microcontrollers, these interconnected “things” can easily and affordably access the Internet, driving both technological progress and introducing numerous security vulnerabilities.

A security engineer is concerned about potential log loss on their hybrid SDN network in case of device failure or compromise by attackers. What solution can ensure the preservation of logs on these devices?

  • A. Configuring a firewall on the local machine
  • B. Archiving the logs on the local machine
  • C. Sending the logs to a syslog server
  • D. Installing a NIPS (Network Intrusion Prevention System)

Explanation: C. A hybrid SDN network comprises both traditional networking and SDN protocols. By sending the logs to a syslog server, log retention is guaranteed even if the device fails, reboots, or is compromised by an attacker who tries to disable logging. It provides an additional layer of security and ensures the availability of log records.

Your company possesses a fence surrounding the perimeter of its data center. There is a light sensor connected to the fence, which activates an alarm whenever the fence is impacted or movement is detected and subsequently records it on video. The data center is located in an area where tumbleweeds regularly collide with the fence during the fall season, leading to alarm fatigue. In this given scenario, which type of alert is responsible for causing alarm fatigue?

  • A. True positive
  • B. True negative
  • C. False positive
  • D. False negative

Explanation: C. Alarm fatigue is generated by false positive alerts, which are alerts that are generated without any association to an actual attack. The scenario of tumbleweeds setting off alarms serves as a prime example of a false positive alert. On the other hand, a true positive alert is triggered by an actual attack, while a true negative indicates that no alert was triggered because no attack occurred. Lastly, a false negative denotes that an attack has transpired without triggering any alert.

You have implemented a CAPTCHA system on your corporate web server in order to prevent spam. Which of the following attacks are most likely to be thwarted by this implementation?

  • A. XSRF
  • B. XSS
  • C. Two-factor authentication
  • D. XMLi

Explanation: A. A cross-site request forgery (XSRF) is an attack that exploits a vulnerability in software and redirects static content from a trusted website. For example, it may involve stealing online banking credentials and account information from a user who logs into a legitimate banking site. CAPTCHA forms require users to solve puzzles or challenges, thereby verifying their humanity and ensuring the authenticity of the user. So, utilizing a CAPTCHA system can effectively prevent XSRF attacks.

Your security manager has requested that management prohibit access to social media accounts on company-issued devices. Nonetheless, upper management believes that completely giving up social media access is not a feasible solution. You have been assigned the task of safeguarding your company from prevalent social media threats. Which of the following poses a significant risk to your company?

  • A. Unattended social media accounts
  • B. Strict privacy settings
  • C. Social media policy
  • D. Audits

Explanation: A. As an organization, it is crucial to secure your brand across all social media platforms. This allows for seamless communication and facilitates business operations. However, neglecting dormant or infrequently used accounts can expose you to fraudulent activities, including the dissemination of false information that can potentially harm your business. It is essential to actively manage and monitor all social media accounts to mitigate such risks.

Your global organization has tech support offices that “follow the sun.” This means tech support is open 24/7, and some of those support offices are located in other countries. Depending on the time of day, it may be necessary for tech support personnel to remotely access systems over the Internet and manage their own server without relying on a centralized service. What option would best fulfill the support personnel needs?

  • A. MRA
  • B. VNC
  • C. RDP
  • D. TeamViewer

Explanation: B. VNC allows for remote access to a computer and use of the desktop over the Internet. While Windows does have Remote Desktop, it is only available on certain editions. Although some individuals use TeamViewer, VNC is the optimal choice as it enables the installation and management of your own servers and is compatible with all operating systems.

  • A. Adding network intrusion devices
  • B. Performing inventory management
  • C. Adding more security tools
  • D. Reducing the attack surface

Explanation: D. In order to combat this threat, organizations must focus on reducing their IoT attack surface, increasing the attack surfaces they monitor, and minimizing false positive alerts that often impact IoT devices.

Your Chief Information Security Officer (CISO) has expressed genuine concern about the potential impact of supply chain breaches on major organizations after watching recent news. As a security analyst, he requests your assistance in gathering information on implementing controls within your SDN network to protect against such attacks. How should you initiate this process?

  • A. Obtain the latest IOCs from open source intelligence (OSINT) sources.
  • B. Conduct research on industry best practices.
  • C. Utilize Artificial Intelligence (AI) and Security Information and Event Management (SIEM) tools.
  • D. Perform a comprehensive network sweep using threat modeling techniques.

Explanation: A. Accessing a wide range of open source intelligence (OSINT) can significantly enhance an organization’s security measures. Utilizing overlay networking, or SDN overlay, allows for the creation of multiple virtualized network layers on top of the physical network, offering enhanced security benefits and introducing new applications. By employing indicators of compromise (IOCs), organizations can effectively detect data breaches and instances of malware/ransomware. Consequently, conducting a thorough network sweep, identifying matches, scrutinizing suspicious activities within a sandbox environment, and reporting any findings to relevant authorities becomes possible.

Sean is walking into a secured office building in a governmental complex, escorting an approved visitor. He scans his RFID badge to gain access and guides his visitor to sign in. As the door is closing, someone behind him yells at Sean to hold the door for them. What is the intention of that person?

  • A. Tailgating
  • B. Baiting
  • C. Water holing
  • D. Man in the middle

Explanation: A. Tailgating is utilized by social engineers to gain unauthorized entry into a building or secure location. The tailgater strategically waits for an authorized individual to open a door and follows closely behind, taking advantage of their distraction or lack of awareness. It is a method employed to catch victims off guard.

Your IT group has implemented limited filtering of known malicious traffic entering the border router from the Internet. Which of the following source IP addresses should not be filtered inbound from the Internet?

  • A.
  • B. RFC 1918 addresses
  • C.
  • D.

Explanation: C. Among the options provided, the only valid range of source IP addresses for traffic entering from the Internet is The other IP addresses in A, B, and D are special addresses that cannot be routed over the Internet. Traffic from these addresses should be dropped at the border router as it indicates potentially malicious activity. While a firewall is typically responsible for filtering the majority of IP traffic, a router can perform limited filtering without impacting its routing function.

You travel a great deal for work. What tool would you use to find a hidden infrared camera in your hotel room?

  • A. Fuzzer
  • B. Metal detector
  • C. Tethering
  • D. Smartphone

Explanation: D. Smartphones today have very advanced technology, including system-on-a-chip (SOC) embedded architecture. A SOC can include a primary central processing unit (CPU), graphics processor, flash memory, and voltage regulator. Additionally, the cameras on modern smartphones are so sophisticated that they can detect infrared light and the illuminating light from IR cameras. Therefore, a smartphone would be the most suitable tool for finding a hidden infrared camera in your hotel room.

Cameron, a newly promoted network security administrator, has been instructed by his manager to focus on building a physical and SDN topology map. The main objective is to identify which ports are open on each asset across the entire enterprise. Which tool is best suited for this task?

  • A. Netcat
  • B. Nmap
  • C. BurpSuite
  • D. IPConfig

Explanation: B. Nmap, also known as Network Mapper, is widely regarded as the most popular network discovery and port scanner tool. It is both free and open source, making it a favored choice among system administrators and network engineers for conducting audits on local and remote networks. By sequentially sending connection requests to a target computer on each port, Nmap can determine which ports respond. In the context of software-defined networking (SDN), the separation of control and forwarding planes is a critical aspect. SDN administrators can utilize Nmap’s comprehensive functionality to manage the SDN network through the out-of-band control plane.

You are conducting a physical site security survey. This facility includes an open area that leads into a confined space. Your objective is to ensure that only one authenticated person can enter the building at a specific point while keeping a log of everyone who enters the facility. How can authentication be best achieved, and what perimeter defense measures do you recommend?

  • A. Utilize a badge system as access through a turnstile.
  • B. Implement a procedure where individuals sign a log book, then provide access through an interlocking door controller for everyone.
  • C. Demand the presentation of an ID at a closed gate.
  • D. Employ bollards and a physical locked door.

Explanation: A. A turnstile serves as a form of physical access control, guaranteeing that only one authenticated person can enter at a time. By using badges, each user’s authentication can be verified. If managed effectively, this method of physical security enables authorities to determine the individuals present in the building during an emergency situation.

You have a team of people working on social media messaging and customer service. While your focus may be on external threats, studies indicate that employees are more likely to be the cause of cybersecurity incidents. What is your primary line of defense?

  • A. Restrict the number of individuals authorized to post on your company’s social media accounts.
  • B. Only provide marketing personnel with access to the login credentials for social network accounts.
  • C. Disable social media access for employees who have left the organization.
  • D. Develop brand guidelines that outline appropriate communication about your company on social media platforms.

Explanation: A. It is essential for your organization to carefully consider who should have permission to post and access to passwords for social media accounts. Limiting access is the most effective way to ensure their security. Additionally, it is crucial to regularly review and update access privileges to maintain a high level of protection. A clear and concise access management strategy will contribute to safeguarding your accounts against potential cybersecurity risks.

A security consultant on your team has been cited for numerous offenses and the most recent transgression has compelled you to terminate their employment. When informing the employee about their separation from the company, which of the following actions is the most crucial?

  • A. Allowing them to complete their ongoing project.
  • B. Granting them a two-week severance package.
  • C. Permitting them to retrieve their personal belongings.
  • D. Disabling their network access and changing the passwords to devices they had privileges to.

Explanation: D. Termination is a challenging situation for both the employer and the employee. Typically, when an employee is terminated, they are required to attend an exit interview with HR where they are reminded of their Non-Disclosure Agreement (NDA) and then escorted off the premises. However, it is essential to disable their network access, revoke their accounts, and modify the passwords of all devices they may have had access to. For instance, if the terminated employee had access to the vulnerability management program and credentials, they could potentially gain control over every single device on your network. The other options provide the employee with the opportunity to disrupt and inflict damage upon your network.

You are a security administrator for a network that uses a special microprocessor for environmental monitoring. What type of microchips would be used for this purpose?

  • A. TPM
  • B. ASIC
  • C. CISC
  • D. AAHA

Explanation: B. The application-specific integrated circuit (ASIC) can be premanufactured for a special application. It is a microchip designed specifically for environmental monitoring, such as in auto emission control or personal digital assistants (PDAs), and it is also used in bitcoin mining. Additionally, the Trusted Platform Module (TPM) is a microcontroller that enhances the security and integrity of a platform. The complex instruction set chip (CISC) is designed for executing multiple low-level operations or instructions in a single instruction. AAHA, on the other hand, is the type of microchip commonly found in our beloved pets like dogs and cats.

You need to assign permissions to ensure that users have access to only the resources necessary for their specific tasks. Which security principle did you utilize to address this requirement?

  • A. Separation of duties
  • B. Need to know
  • C. Job rotation
  • D. Least privilege

Explanation: D. Least privilege involves assigning permissions in a way that allows users to access only the resources they require to perform their job functions. In addition to least privilege, job rotation helps prevent single points of failure, the need to know principle promotes confidentiality, and separation of duties provides clear and distinct roles for employees. Consequently, all these principles contribute to maintaining security.

While performing unit testing on software requested by your department, you found that there is a possibility of privilege escalation. Privilege escalation refers to the situation where an attacker can raise their level of privilege on a system from a lower level to an administrator level. What are the two performance unit testing techniques that you need to employ?

  • A. Vertical and horizontal
  • B. Left and right
  • C. North to south
  • D. Ring 1 to 3

Explanation: A. Most attackers focus on vertical privilege escalation, which involves a lower privilege user or application accessing functions reserved for a higher privileged user. However, smart attackers also exploit horizontal privilege escalation, where a normal user gains access to certain functions of another normal user. Horizontal privilege escalation is often overlooked, yet it can result in the theft of valuable information. Therefore, it is important to test for both vertical and horizontal privilege escalation during unit testing.

Your company is utilizing a traditional signature-based IDS, but it appears to be encountering some issues. You and your fellow analysts have noticed an increasing number of false positives. What could potentially be the cause of this problem?

  • A. Anomaly detection necessitates a significant amount of resources.
  • B. FIM is consuming excessive computational power.
  • C. There is an excess of FTP traffic.
  • D. The signatures have been poorly constructed.

Explanation: D. The primary drawback of employing a signature-based IDS is the occurrence of false positives. These can arise when the IDS mistakenly identifies legitimate traffic as an attack. IDS signatures are regularly updated by the vendor in response to emerging vulnerabilities. However, if a signature is inadequately written, it can lead to both false positives and false negatives. False negatives occur when the signature fails to accurately identify malicious activity. Additionally, it is worth mentioning that poorly constructed signatures can contribute to the false positive problem in the system.

A subset of programmers in your organization tested the beta version of your application. During the testing phase, they were instructed to install the software by selecting optional components during the setup procedure. In order to make any changes in the future, they will need to rerun the installation process. What is this concept called?

  • A. Secure by design
  • B. Secure by default
  • C. Secure by deployment
  • D. Secure by download

Explanation: B. Users typically do not modify default settings or passwords after installation. Therefore, it is important to have security settings set as default. However, if a user specifically desires a particular feature, they can enable it in the future by rerunning the installation process.

  • A. Guidelines for brand management and copyright protection
  • B. Rules pertaining to the confidentiality of information and personal social media use, as well as instructions on whom to notify if a concern arises
  • C. Guidelines for password creation and rotation
  • D. Information on the latest social media threats

Explanation: D. The information on the latest threats on social media would be covered in your social media training. While your social media policy should be easily comprehensible, the training session allows employees to actively engage, ask questions, review the latest threats on social media, and discuss whether any updates are necessary for the social media policy.

Your initial deployment of FIM was successful, but it is currently facing some difficulties. FIM is designed to detect changes, so it is crucial to carefully adjust the solution to minimize false positives and manage the volume of changes. The issues primarily relate to performance and noise. What do you need to integrate with FIM to ensure that it meets your organizational requirements?

  • A. Project management
  • B. Program management
  • C. Change management
  • D. Staff management

Explanation: C. In order for a FIM program to be successful in the long run, it must be well integrated with change management. The main purpose of FIM is to detect changes, and it should be capable of meeting the organization’s needs without negatively impacting performance. Additionally, it is important to note that it should not impede performance.

Sandra has been given the responsibility of finding a hardware-based processor approach to handle demanding tasks such as face detection, performing calculations, and controlling programmable logic. Which option would Sandra choose?

  • A. FPGA
  • B. SCADA
  • C. PLC
  • D. Closed circuit

Explanation: A. The field-programmable gate array (FPGA) is a collection of interconnected digital subcircuits that implement common functions while also providing a high level of flexibility. It is a suitable choice for intensive processing tasks. Supervisory control and data acquisition (SCADA) refers to a networked data communication architecture used for high-level management. Programmable logic controllers (PLCs) are computer systems that have been modified for use in manufacturing processes, particularly assembly lines and industrial manufacturing. A closed circuit is a complete electrical circuit through which current can flow freely.

Your organization has opted for a hybrid cloud solution to meet the IT requirements of its strategic organizations with multiple verticals. Which of the following is an advantage of this solution?

  • A. Flexibility, scalability, reliability, and an improved security posture
  • B. Meeting strong compatibility and integration requirements
  • C. Dealing with complexity as the organization evolves
  • D. The option can sometimes incur high costs

Explanation: A. In a hybrid cloud solution, organizations can choose to use a private cloud, public cloud, or a combination of both, depending on their specific needs for factors such as security, compliance, and limitations. As organizations grow and evolve, they may find it necessary to utilize all three types of cloud solutions. Furthermore, the advantages of a hybrid cloud include its capability to provide greater flexibility, scalability, reliability, and an enhanced security posture.

You are the CIO of an organization with many governmental contracts. The board of directors has challenged you to reduce staff and minimize the need for staff to perform repetitive, low-value decision-making activities in order to allow your staff to work strategically. What tool would you utilize to achieve this objective?

  • A. Machine learning
  • B. Zero-day exploits
  • C. Triaged threats
  • D. Human resources

Explanation: A. In today’s business environment, many organizations are leveraging Artificial Intelligence and machine learning to effectively triage threats. By allowing machines to handle repetitive tasks, valuable time is freed up for dealing with critical attacks and strategic issues, such as infrastructure modernization.

Your role in developing secure software requires that you follow a defense-in-depth methodology known as SD3. What type of strategy does SD3 represent?

  • A. Secure by design, default, and deployment.
  • B. Secure review code three times.
  • C. An outside SD3 audit as recommended by NIST.
  • D. No methodology is called SD3.

Explanation: A. SD3, also known as Microsoft’s defense-in-depth strategy, stands for secure by design, secure by default, and secure in deployment. Design involves the use of secure coding best practices. Default implies that end users install applications without modifying the default settings, and deployment ensures that the software can be securely maintained through patching and auditing. Thus, SD3 encompasses a comprehensive approach to secure software development.

You were tasked with performing a quarterly audit on your social media accounts. Social media security threats are constantly changing, and attackers are constantly coming up with new strategies. Performing a regular audit can help you stay ahead of these attackers. Which of the following should be included in your regular audit and is the most important?

  • A. Privacy settings, access, and publishing privileges
  • B. All network attack vectors and access management
  • C. Social network trending of competitors
  • D. All mentions of your company on the Internet

Explanation: A. It is crucial to regularly update your privacy settings on social media platforms as the company often introduces changes that may affect your account. This ensures that you have more control over how your data is collected and used. Additionally, it is important to review who has access to your social media platforms and make sure that only authorized individuals have publishing rights. As part of this audit, it is recommended to suspend access for any employee who is no longer associated with your company.

In software development, a timing problem can occur when there is a misalignment between the time of check (ToC) and the time of use (ToU). This time gap can be exploited by an attacker when it is scheduled for execution after each operation by the victim. To prevent ToCToU (pronounced Toctoo), which of the following options is the most effective?

  • A. Do not perform a check before use.
  • B. Alter the file owned by the current user.
  • C. Request the timing gap be closed.
  • D. Limit multiple processes and operations.

Explanation: A. In this scenario, software checks the state of a resource, but the state can change between the time of check (ToC) and the time of use (ToU). This change can potentially cause the software to crash or pose a security risk if an attacker can manipulate the state of the resource between the check and use. The simplest solution is to avoid performing a check, which helps reduce the false sense of security provided by the ToC. By skipping the check, potential vulnerabilities due to the timing issue can be mitigated.

An employee’s company-issued cell phone was accidentally left in the back of a ridesharing vehicle and has not been returned in a timely manner. According to the security policy, the employee has contacted the IT department. Now, your task is to perform a remote wipe on that device. Which type of server allows for remote wiping of the device?

  • A. MAM
  • B. MDM
  • C. RDP
  • D. DNS

Explanation: B. When a device is enrolled in a mobile device management (MDM) server, the server is capable of implementing device-level policies and executing security commands such as a remote wipe or lock. It also has the capability to check the content and applications installed on the device, and install necessary or updated applications as required.

Suzette’s company has discovered that some employees are copying corporate documents to Microsoft blob cloud drives without the company’s control. Suzette has been instructed to put an end to this practice. Which of the following options can she use to stop this from happening?

  • A. DLP
  • B. NIDS
  • C. NIPS
  • D. Firewall

Explanation: A. Data loss prevention (DLP) systems, also known as data loss protection systems, are specifically designed to monitor the movement of data from the host system to prevent unauthorized transfers. Examples of unauthorized transfers include transferring data to a cloud provider, using USB drives, or sending data via email. Network-based IDSs and IPSs are responsible for detecting malicious activities on the network. Firewalls are used to filter and monitor the content flowing through the device. By implementing DLP systems, Suzette can effectively prevent the unauthorized copying of corporate documents to Microsoft blob cloud drives.

Your CISO wants you to perform a risk assessment for a critical new healthcare system that needs to be implemented quickly. While conducting the assessment, you come across a review by a competitor who is using the software, which mentions a vulnerability with a low chance of being exploited. Why might your CISO still have concerns about deploying this system?

  • A. The CISO is concerned about compliance with government regulations.
  • B. The CISO is feeling pressured to make a decision.
  • C. Other competitors have chosen not to adopt this system.
  • D. Even a single attack could have disastrous consequences for the organization, both financially and in terms of its reputation.

Explanation: D. Exploitation of the vital new healthcare system could have severe consequences for the company. The healthcare industry is a prime target for cyberattacks and faces significant cybersecurity challenges that not only impact financial stability but also the reputation of hospitals, pharmaceutical companies, and other healthcare institutions. Additionally, these attacks pose substantial risks to patient safety and privacy.

You are assigned the task of hiring a third party to conduct a security assessment of your manufacturing plant. Which type of testing provides the most unbiased evaluation of your security profile?

  • A. White box
  • B. Gray box
  • C. Black hat
  • D. Blue hat

Explanation: B. A gray-box test is performed with limited knowledge. Gray-box testing is an effective method for identifying security vulnerabilities in programs. It can help in identifying bugs or exploits caused by incorrect code structure or improper use of applications. By combining the techniques of white-box and black-box testing, gray-box testing aims to achieve the best results. A white-box test is conducted with complete internal knowledge. On the other hand, black-hat hackers possess extensive knowledge of breaking into systems, often for financial gain. Additionally, it should be noted that there are blue-hat hackers who test systems for bugs before they are launched.

One of the requirements for a new device being added to the network is a minimum availability of 99.9 percent. The vendor states that the newly acquired device has an MTBF (Mean Time Between Failures) of 20,000 hours and an MTTR (Mean Time to Repair) of 3 hours. Which statement most accurately reflects the device’s availability?

  • A. The device will meet availability because it will be at 99.985 percent.
  • B. The device will not meet availability because it will be at 99.89 percent.
  • C. The device will not meet availability because it will be at 99.85 percent.
  • D. The device will meet availability because it will be at 99.958 percent.

Explanation: A. The availability of a device can be calculated using the formula: Availability = MTBF / (MTBF + MTTR). Therefore, the availability of the device in this scenario would be 20000 / (20000 + 3), which equals approximately 0.99985 or 99.985 percent. Based on this calculation, option A is the most accurate statement, as it correctly reflects the device’s availability.

You are helping to develop a security awareness policy that specifically addresses social engineering and email safety. Within this policy, you are focusing on ways to prevent malware downloads through phishing attempts. What would not be considered beneficial within this policy?

  • A. Not utilizing public Wi-Fi on mobile devices
  • B. Utilizing antimalware and anti-phishing software
  • C. Using digital certificates
  • D. Not disclosing personal information in emails

Explanation: A. While it is important to understand the risks associated with public Wi-Fi, it may not be as essential within the context of this policy. Guidelines regarding the use of public Wi-Fi should be incorporated into an Internet usage policy to ensure the safety of both the organization and its employees. By having such a policy in place, employees will be aware of the prohibited actions such as browsing certain websites, connecting corporate assets to public Internet providers, or downloading files. Adhering to this policy will help mitigate potential security risks resulting from employee negligence.

A large pharmaceutical company uses social media for press releases. A hacktivist organization believes that this pharmaceutical company earns an excessive amount of money from the drugs they sell. After the company tweets a press release about a newly approved drug treatment, the social media platforms experience a surge in traffic, with one particular negative comment gaining significant attention. This comment is then rapidly retweeted by numerous social media users. What is the nature of this attack?

  • A. Click farming
  • B. Retweet storm
  • C. Spray and pray
  • D. Watering hole

Explanation: B. Many social networks actively monitor for malevolent activity and misinformation. When a post is immediately reposted by thousands of users, it is a clear sign of malicious activity on that particular social media platform. The original account that made the post is often banned and referred to as the martyr bot. The hacktivist’s original account is sacrificed to propagate the attack.

How is a frame forwarded through a switch?

  • A. The destination MAC address of an incoming frame and the CAM table are used to determine the destination port for forwarding the frame.
  • B. Frames entering a switch are forwarded out of all ports, except for the port from which they originated.
  • C. Frames entering a switch are forwarded out of all ports, including the port from which they originated.
  • D. The destination IP address of an incoming frame and the CAM table are used to find the destination port for forwarding the frame.

Explanation: A switch uses the destination MAC address of an incoming frame to compare it with the MAC address and port assignments in the CAM table. If a match is found, the frame is forwarded out of the assigned port. If there is no match, the frame is forwarded out of all ports, except for the port it originated from. This ensures that the frame reaches its destination efficiently within the network.

Alice is seeking assistance in creating security policy documentation. Specifically, she requires guidance on producing a document that provides instructions and information to ensure compliance with regulations. What type of document should be developed?

  • A. Procedures
  • B. Standards
  • C. Policy
  • D. Guidelines

Explanation: B. A standard is a type of security policy that outlines the necessary measures to adhere to industry best practices and standards. Procedures entail step-by-step instructions for implementing these best practices, while guidelines serve as a basis for creating the procedures. Policies, on the other hand, represent the highest level of documentation, defining the overall mission and objectives. Policies tend to be broad in nature and focus on goals rather than specific details. By adhering to these policies, organizations can maintain regulatory compliance.

The art of coaxing individuals to disclose confidential information pertaining to the organization or themselves through posing as a legitimate identity on your collaboration platform is commonly referred to as which of the following?

  • A. Dumpster diving
  • B. Phishing
  • C. Social engineering
  • D. Active reconnaissance

Explanation: C. Social engineering involves manipulating individuals to relinquish information. A social engineering attack may come in the form of an email from a friend or another trusted source, employing a plausible story or pretext. The peril of social engineering through collaboration tools lies in the fact that end users tend to lower their guard, assuming they can trust their colleagues, thereby facilitating the extraction of information. Additionally, it is crucial to remain vigilant in such scenarios to prevent falling victim to such attacks.

You need to calculate the annual loss expectancy (ALE) for a critical server in your network. Which of the following formulas is correct?

  • A. ARO x EF x AV
  • B. ARO x AV
  • C. EF x SLE
  • D. EF x SLE x AV

Explanation: A. An asset can be hardware, software, or people. The value of the asset (AV) is assessed first, for example, $100,000. The single loss expectancy (SLE) provides information about the potential loss when a threat occurs. It is calculated as SLE = AV x EF, where EF is the exposure factor. The exposure factor describes the percentage of loss that will happen to the asset due to the threat. In our example, when EF is estimated to be 0.3, SLE is $30,000. The annualized rate of occurrence (ARO) is an estimation of the frequency of the threat occurring in one year. ALE (annualized loss expectancy) is calculated as ALE = SLE x ARO. In our example, when ARO is estimated to be 0.5 (once in two years), ALE equals $15,000 ($30,000 x 0.5). The risk assesses the impact of the vulnerability on the business and the probability of the vulnerability being exploited. The correct equation in this list is ALE = ARO x EF x AV.

A home user wants to secure their new wireless router. Which of the following should they not do?

  • A. Change the default administrator name and use a strong password.
  • B. Set SSID broadcast to nonbroadcast.
  • C. Use WEP.
  • D. Use MAC filtering.

Explanation: C. Using Wired Equivalent Privacy (WEP) is not recommended as it is obsolete. Instead, it is advisable to use WPA2/3 or a newer security protocol. Attackers often target unsecured home Wi-Fi networks, so it is crucial to secure your network with strong encryption. This will not only protect your network from unauthorized access but also safeguard you from getting involved in any illegal activities that may be happening through your network. To enable encryption, access your router’s Wireless or Security menu. If you have an older router, select an encryption starting with WPA2. If your router is not WPA3 compatible, the best option is to choose WPA2-PSK AES for now.

Lisa is building a network intrusion detection system (NIDS). What capabilities does an NIDS have with encrypted network traffic?

  • A. Look for viruses
  • B. Examine contents of email
  • C. Bypass VPN
  • D. Nothing

Explanation: D. Encrypted packets are typically not processed by the majority of intrusion detection devices due to their encryption. Additionally, NIDSs can face other challenges such as high-speed network data overload and difficulties with tuning and signature development lag time. It is important to note these potential limitations when considering the use of NIDSs in network security.

Carolina, an IT administrator, has received an alert regarding multiple connection requests from a single host across various ports. She suspects that a script kiddie is engaged in reconnaissance to identify systems. What is the most probable activity of this attacker?

  • A. Vulnerability scan
  • B. Port scan
  • C. SCAP scan
  • D. Host-to-host scan

Explanation: B. A script kiddie, lacking the necessary skills to write their own hacking algorithms, typically utilizes pre-existing software or code to gain unauthorized access to computers. Regardless of the attacker’s proficiency level, it is crucial for an IT administrator to identify and address any port scanning activity with malicious intent. Experienced attackers tend to perform port scans in strobe or stealth mode, focusing on specific ports and slowing down the scan process to minimize the likelihood of an alert being triggered.

Prioritization is a crucial component of your role as a security analyst. You are aiming to calculate the ALE for all assets and risks. What is the purpose of this calculation?

  • A. To assess insurance estimates.
  • B. To determine budget and personnel allocation.
  • C. To prioritize countermeasures.
  • D. To provide input for design.

Explanation: C. The primary objective of ALE calculations is to prioritize countermeasures. Countermeasures are actions taken to mitigate or counteract potential risks or threats. By addressing the asset-risk pair with the highest ALE first, security analysts can effectively allocate resources to reduce the likelihood and impact of potential incidents.

Your organization is attempting to make the best use of all the resources allocated to a security project. If your organization is not making the best use of currently held resources, the project may not perform as planned. What type of analysis needs to be done?

  • A. BDR
  • B. BIA
  • C. Gap
  • D. Risk

Explanation: C. Gap analysis is the comparison of performance, actual versus potential. It helps identify areas for improvement and empowers an organization to quickly diagnose a problem. Additionally, conducting a gap analysis allows the organization to prioritize and allocate resources more effectively, ensuring that the security project performs as planned and achieves its objectives.

  • A. MDM
  • B. ICMP
  • C. RDP
  • D. SCEP

Explanation: D. The Simple Certificate Enrollment Protocol (SCEP) is a standard protocol used for certificate distribution. It is commonly utilized for certificate-based authentication, enabling secure access to Wi-Fi, VPN, and email through certificates. The advantages of SCEP include user-independent deployment and secure encrypted network communication. In this scenario, implementing SCEP would be the best solution.

  • A. Vulnerability management
  • B. Pentesting
  • C. Threat and risk assessment
  • D. Data reclassification

Explanation: Utilizing threat and risk assessments is considered the most effective approach to identify the risks faced by the company in question. It should be noted that conducting pentesting comes after implementing the security controls. It is worth mentioning that threat and risk assessment allows a comprehensive analysis and understanding of potential vulnerabilities and threats faced by information technology systems. This method aids in formulating appropriate countermeasures and control measures to address these risks effectively.

What is the system used for gathering and analyzing data logs from different network devices and reporting identified security incidents?

  • A. Syslog server
  • B. NIPS
  • C. WIPS
  • D. SIEM system

Explanation: D. A security information and event management (SIEM) system is utilized to collect logs from diverse devices across a network and analyze them for security issues. With the ability to review logs from various devices, a SIEM offers a comprehensive overview of network activities, unlike a solitary appliance that analyzes only the traffic passing through it. A syslog server serves the purpose of collecting log messages from network devices for monitoring. NIPSs and WIPSs refer to network and wireless intrusion protection systems that examine traffic flows to identify and prevent vulnerability exploits. Additionally, a SIEM system can provide enhanced insights into detected security events.

Julia was contacted by senior management to conduct a threat hunt investigation. Management is aware that there are malicious activities occurring, but they are unsure whether it is the work of organized crime or internal personnel. They want to determine whether these activities are intentional or unintentional. After completing the investigation, Julia concludes that the activity is unintentional and caused by internal personnel. What is the most likely cause from the following options?

  • A. Fraud
  • B. Espionage
  • C. Embezzlement
  • D. Social engineering

Explanation: D. Social engineering is a type of malicious activity where data is inadvertently disclosed. Typically, it is carried out by an external attacker with the objective of persuading the victim to reveal confidential or sensitive information. Espionage, fraud, and embezzlement are all malicious activities as well, but they are intentionally committed by internal individuals.

One of the software developers made a change in the code that inadvertently reduces the level of security. Which of the following change control processes would be the most effective in addressing this situation?

  • A. Rollback
  • B. Logging
  • C. Compiling
  • D. Patching

Explanation: A rollback is a change control process that allows for the reversal of any change that has a negative impact. In this situation, if a software developer unintentionally reduces security, using the rollback process would enable the team to revert the code back to its previous state and restore the previous level of security.

The IT department has made the decision to deploy a security appliance in front of their web servers to analyze HTTP/HTTPS/SOAP traffic for potential malicious activity. Which solution would be the most suitable for this purpose?

  • A. Screened host firewall
  • B. Packet filter firewall
  • C. DMZ
  • D. WAF

Explanation: D. A web application firewall (WAF) is utilized to examine data at the OSI Layer 7 level for any signs of malicious behavior. HTTP/HTTPS/SOAP are all web application protocols that operate at OSI Layer 7. Neither screened host firewalls nor packet filter firewalls are capable of inspecting data at the OSI Layer 7 level. A DMZ, on the other hand, is a form of screened subnet that grants external users access to a portion of a private network.

A network engineer wants to prevent people outside of the corporate network from pinging systems within the network but to allow all other traffic. The router’s Ethernet 0 interface is connected to the Internet. Which ACL prevents this type of traffic?

  • A.
      interface ethernet0
       ip access-group 101 in
      !
      access-list 101 deny icmp any any
      access-list 101 permit ip any any
  • B.
      !
      interface ethernet0
       ip access-group 1 in
      !
      access-list 1 deny icmp any any
      access-list 1 permit ip any any
  • C.
      interface ethernet0
       ip access-group 101 in
      !
      access-list 101 permit ip any any
      access-list 101 deny icmp any any
  • D.
      !
      interface ethernet0
       ip access-group 1 in
      !
      access-list 1 permit ip any any
      access-list 1 deny icmp any any

Explanation: A. This option is an extended ACL that denies inbound ICMP traffic from the Internet and allows all other types of traffic. Additionally, it permits any IP traffic.

Your external auditor submitted the final report to the board of directors and upper management. Who is accountable for executing the suggestions within this report?

  • A. End users
  • B. Internal auditors
  • C. Security administrators
  • D. Senior management

Explanation: D. Senior management is consistently accountable for ensuring the security measures within an organization. It is their responsibility to adhere to the recommendations provided by the auditor. In order to effectively maintain the security of the organization, it is essential for senior management to actively participate and implement the suggested measures.

Your organization was the victim of brute-force attacks, where the attacker discovered usernames and repeatedly attempted to log in to the corporate network using different passwords until the account was compromised. Which option could potentially decrease the chances of a successful brute-force attack?

  • A. Allowing only one login attempt for privileged users.
  • B. Configuring Group Policy in Active Directory to lock out an account for 10 minutes after 5 unsuccessful login attempts.
  • C. Creating federated identities with single sign-on (SSO).
  • D. Enforcing stricter password requirements.

Explanation: B. By utilizing Group Policy in Active Directory, you can set up lockout durations for failed login attempts. By enforcing a 10-minute lockout period for an account that is under attack, you significantly prolong the time it takes for the attacker to successfully execute a brute-force attack. Additionally, this measure enhances the security of the account and network.

A security audit was conducted for your organization, revealing that any computer connected to an Ethernet port in the shipping facility can access network resources without authentication. It is imperative to address this security vulnerability. Which standard can potentially resolve this issue?

  • A. 802.1X
  • B. 802.3
  • C. 802.1Q
  • D. 802.11

Explanation: A. The 802.1X standard, as specified by IEEE, offers port-based network access control (NAC). This standard facilitates device authentication when attempting to establish a network connection. Upon successful authentication, the Ethernet port can be assigned to the appropriate VLAN for that device. In cases where a device fails to authenticate, the port can be designated to a quarantined VLAN or configured to allow only Internet access.

Alex works for a financial institution that has made the decision to purchase expensive custom computer systems and software. Within the supply chain, one of the vendors responsible for supplying the custom computer software is experiencing an unexplained delay in their delivery to the customer. What precautions should Alex take to minimize any potential risks?

  • A. SLA
  • B. Penalty clause
  • C. Supply chain attack
  • D. Proof of insurance in the RFP

Explanation: C. The importance of being cautious about supply chain attacks should not be underestimated. Recent incidents of supply chain attacks have led to increased public awareness and scrutiny from regulators. Furthermore, the perpetrators behind such attacks now possess more resources and tools than ever before. A supply chain attack, also referred to as a third-party attack, occurs when an external partner, vendor, or provider with access to your software, systems, updates, patches, and/or data infiltrates your enterprise. It is crucial to be vigilant against these threats to safeguard against potential vulnerabilities.

A security vulnerability was discovered while the system went through the accreditation process. What should be the next course of action?

  • A. Begin the accreditation process again once the issue has been resolved.
  • B. Initiate the accreditation process once more from the point of identifying the issue.
  • C. Reimage the system and initiate the accreditation process from the initial stage.
  • D. Reimage the system and continue the accreditation process from the current stage.

Explanation: Accreditation refers to the official recognition of a security status being qualified to perform a specific function. If a vulnerability is identified during the accreditation process, it must be addressed and the entire process needs to be restarted. Thus, the correct action is to fix the vulnerability and commence the accreditation process from the beginning.

Your company has established a recently developed e-commerce website. There is mutual consensus that potential risks are present; however, the advantages derived from the increased cash flow surpass these risks. How is this described?

  • A. Risk acceptance
  • B. Risk reduction
  • C. Risk transference
  • D. Risk rejection

Explanation: A. The risk evaluation process has been conducted, and the management has concluded that the benefits surpass the risks. In light of this evaluation, the decision is made to accept the risks.

Some employees were issued NFC-capable corporate phones. As part of the security department, you are tasked with recommending how to use these devices securely. Which of the following should be included in your recommendation?

  • A. Keeping patches up-to-date
  • B. Turning off pairing mode
  • C. Turning off discovery mode
  • D. Turning on NFC when not in use

Explanation: A. Keeping your NFC-capable device up-to-date and turning it off when not in use are two recommendations that should be mentioned. It is important to minimize your attack surface by disabling features that are not needed, as is commonly practiced in cybersecurity measures.

Your CISO is concerned with unauthorized network access to the corporate wireless network. You want to implement a mechanism that not only verifies the authenticity of the wireless devices but also requires them to adhere to a predefined corporate policy before granting access to the network. Which technology is most suitable for fulfilling this purpose?

  • A. HIDS
  • B. NAC
  • C. Software agent
  • D. NIPS

Explanation: B. Network access control (NAC) can not only authenticate network devices but also enforce corporate policies governing these devices. If a system fails to comply with the corporate policy, it can be isolated until the policy issues are resolved. An HIDS is specifically designed for host detection, an agent refers to a software program that acts on behalf of a user or other program, and NIPS is focused on network protection.

The CIO of your company, Benjamin, created a quarterly goal for the security team: to reduce vulnerabilities. He wants to address vulnerabilities that are not high profile and which already have compensating controls in place for security purposes. Currently, the budget has been fully utilized. What is the most effective risk strategy to employ?

  • A. Accepting risk
  • B. Mitigating risk
  • C. Transferring risk
  • D. Avoiding risk

Explanation: A. All organizations have vulnerabilities. There is a popular saying that the only completely secure asset is the one encased in concrete and buried 6 feet under. If you have exhausted the budget and have minimal vulnerabilities that are already protected by compensating controls, accepting the risk is the only option. If a vulnerability has a critical score of 0 and you are aware of compensating controls that prevent its exploitation, most vulnerability management tools can create an exception to exclude that vulnerability from future reports.

Your company policy states that only authorized software is allowed on the corporate network and that BYOD needs to be configured by IT to adhere to the company policy for proper software and security controls. However, the marketing manager violated this policy by plugging in a USB received at a conference, which automatically launched on their laptop. In light of this situation, what is the greatest risk?

  • A. Employee transferring the customer database and IP
  • B. Employee using nonapproved accounting applications
  • C. Infecting the network with malware
  • D. File corruption by the USB exiting out improperly

Explanation: C. Many people mistakenly perceive USBs as passive storage devices. However, they are actually one of the most common methods for transferring malware. Penetration testers often use USB attacks, taking advantage of end users’ limited understanding of the potential consequences. Therefore, plugging in an unknown USB poses the greatest risk of infecting the network with malware.

An audit revealed a lack of security controls in the handling of employee terminations. According to the current company policy, terminated employees’ accounts should be disabled within one hour of termination. However, the audit discovered that over 10 percent of terminated employees still have active accounts. What action should be taken to address this issue?

  • A. Review the requirements for employee termination.
  • B. Introduce a monthly review of terminated employees.
  • C. Update the policy to account for any delays.
  • D. Discuss the termination policy with managers.

Explanation: D. It is crucial for managers to fully comprehend the consequences and risks involved in a hostile termination, and they should ensure that the former employee’s accounts are promptly disabled. If the terminated employee had access to sensitive accounts, it is imperative to change the passwords immediately.

David’s security team is implementing Network Access Control (NAC) for authentication and corporate policy enforcement. It is necessary to install software on the devices to perform these tasks. What is the term used to refer to this software in the context of NAC?

  • A. Program
  • B. Process
  • C. Agent
  • D. Thread

Explanation: C. The software installed on devices that will connect to the network using NAC is known as an agent. A program consists of instructions for digital operations. A process involves a series of activities and outcomes that result in a software product. A thread of execution refers to the smallest sequence of instructions, typically part of the operating system. In order to implement NAC, the security team must install agent software on the devices.

A security engineer is concerned about the possibility of a sophisticated attacker bypassing the authentication of an operating system on a computer, especially if the attacker gains physical access to the device. The primary concern is that the attacker may exploit the access to the BIOS and manipulate the computer’s boot process to boot from a removable drive. How can this potential security risk be mitigated?

  • A. Install a Host-based Intrusion Detection System (HIDS) on the system.
  • B. Utilize Group Policy to disable all removable drives.
  • C. Implement a password protection mechanism for the BIOS.
  • D. Install anti-malware software on the system.

Explanation: C. Password-protecting the BIOS ensures that an attacker cannot reconfigure the boot sequence to prioritize booting from a removable drive, even if they have physical access to the computer. Additionally, this security measure adds an extra layer of protection against unauthorized access.

As a mobile application management administrator, you want to set specific policy elements to be applied to your company’s mobile devices. You do not want to change the underlying application. Which of the following should you implement?

  • A. Sandboxing
  • B. App wrapping
  • C. Risk analysis
  • D. USB OTG

Explanation: B. App wrapping enables mobile application management administrators to establish specific policies. This includes determining if user authentication is necessary for a particular application and deciding if data related to that application should be stored on the device or in the cloud. Additionally, administrators can configure other policies using app wrapping to meet their company’s needs.

You are planning the site security for a new building. The network administrators would like the server room door to be secured with RFID. The security team would like to use a cipher lock. Loss of the data on these servers is high risk. What should be the initial step in your plan?

  • A. Inquire about different security options through a meeting.
  • B. Implement the usage of smart cards.
  • C. Have both a cipher lock and RFID for Two-Factor Authentication (TFA).
  • D. Use a keyed lock as the sole security measure.

Explanation: A. When offering choices to users, it is important to hold a meeting to discuss the convenience of a security process in relation to the required level of protection for the valuable asset. As opinions may differ among individuals, consulting all stakeholders is crucial for both educating them and gaining insight into determining the most suitable system for this particular scenario. In this meeting, various options can be explored, enabling a comprehensive understanding and decision-making process.

How is qualitative risk assessment defined?

  • A. Can be conducted by individuals with a limited comprehension of risk assessment and is simple to execute.
  • B. Should be carried out by individuals with proficient understanding and employs thorough analysis for evaluation.
  • C. Is conducted by subject-matter experts and can be challenging to implement.
  • D. Combines SME with precise metrics to address a complex implementation.

Explanation: A. Utilizing qualitative approaches in risk assessment involves gathering non-numerical information. This method takes into account subjective factors such as emotions or behavior, which do not necessitate technical expertise. Additionally, it is relatively straightforward to implement.

Your CISO is seeking a solution to wirelessly display their phone or other mobile device screen on a larger screen in a conference room for presentations and direct sharing of feedback from applications. Which of the following options would be the most suitable for them?

  • A. Screen mirroring
  • B. Videoconferencing
  • C. IMS
  • D. TPM

Explanation: A. Screen mirroring involves the use of two devices - one for sending and one for receiving. The sending device utilizes a screen mirroring protocol such as Apple AirPlay for iPhones, Google Cast for Chromebooks, or Miracast for Windows devices. Additionally, screen mirroring allows for seamless sharing of the device screen with a larger screen in real-time.

A competitor of your company experienced a security breach, and forensic analysis reveals that it was a result of a phishing attack through social engineering techniques. What is the initial action you should take to safeguard your company from similar incidents?

  • A. Educate all employees about the risks associated with social engineering and provide them with countermeasures.
  • B. Revise and publish a new company mission statement.
  • C. Implement IPSec on all critical systems.
  • D. Utilize encryption.

Explanation: A. Training and enforcing policies are crucial in preventing social engineering attacks. Many users may not be aware of the potential risks involved. Training helps raise awareness and should include clear instructions on how to handle and report any suspicious activity, as well as guidelines on which channels to forward any suspicious emails to. Additionally, creating and enforcing policies can contribute to a more secure environment.

A senior security architect for a hospital is creating a hardened version of the newest GUI OS. The testing will focus on the CIA triad as well as on compliance and reporting. Which life cycle is the most suitable for the architect to use in deploying the final image?

  • A. Employing proper disposal protocols for existing equipment and ensuring compliance with corporate data retention policies
  • B. Updating whole-disk encryption and testing operational models
  • C. Employing interoperability, integrity of the data at rest, network availability, and compliance with all government regulations
  • D. Creating a plan to decommission the existing OS infrastructure, implementing test and operational procedures for the new components in advance, and ensuring compliance with applicable regulations

Explanation: D. Any transition to new software or hardware should be projectized to ensure smooth processes. The best life cycle involves creating a plan to decommission the existing OS infrastructure, implementing test and operational procedures for the new components in advance, and ensuring compliance with applicable regulations. Additionally, it is important to have a rollback or regression process in case the project fails.

A small insurance business implemented least privilege. Management is concerned that staff might accidentally aid in fraud with the customers. Which of the following addresses security concerns with this risk?

  • A. Policy
  • B. Job rotation
  • C. Separation of duties
  • D. Security awareness training

Explanation: D. Security awareness training is crucial for any organization that interacts with customers directly as a high percentage of compromises today start with social engineering. Unfortunately, it is often the first thing to be eliminated from the IT budget. By providing security awareness training, employees can be educated on potential risks and how to effectively prevent fraud. Additionally, this training helps instill a security-conscious mindset among staff members.

You are a penetration tester, searching for unlinked content on a web server. What type of attack is this?

  • A. CSRF
  • B. Forced browsing
  • C. SQLi
  • D. Click-jacking

Explanation: B. Forced browsing is a technique used by attackers while searching for content that is not linked together on a web server. This is often considered to be a type of brute-force attack. An attacker may type in a URL, such as, and then change it to to see what else they might find.

Your FIM deployment solution leverages the ability to install on target systems for the most powerful analysis. The challenge, however, is that it requires regular updates. What is the term used to describe this utilization of FIM?

  • A. Agentless
  • B. Agent-based
  • C. Cloned
  • D. SaaS

Explanation: B. Agent-based file integrity management (FIM) utilizes software agents installed on the systems that need monitoring. This allows for in-depth analysis. In contrast, agentless FIM offers a quicker setup but lacks the same level of analysis as agent-based FIM.

An employee downloads a video of someone stealing a package from their porch captured by their smart doorbell. How can you minimize the risk associated with storing this kind of data on your business network?

  • A. Implementing a security policy and creating awareness
  • B. Conducting audits
  • C. Monitoring networks for specific file types
  • D. Utilizing third-party threat intelligence reports

Explanation: A. With the advent of the Internet of Things (IoT), devices such as smart doorbells have become valuable to both employees and customers. However, they also bring about potential risks. Keeping the corporate security policy updated for IoT and conducting a comprehensive security awareness campaign are effective measures to mitigate these risks. Additionally, after performing a thorough technical risk analysis, implementing compensating controls, network segmentation, and stringent network access controls can enhance security.

As a new security administrator in a global organization, you have come across the issue of CVE-2017-5689, a critical firmware flaw in the Intel Management Engine that has been left unaddressed for over a decade. This flaw also includes an undocumented kill switch. What immediate actions do you take?

  • A. Nothing. Most affected chip buyers have already been directly notified by the company.
  • B. Immediately update the Intel ME firmware and then proceed to block ports 16992-16995 on endpoints and firewalls.
  • C. Seek further input from upper management regarding prioritization.
  • D. Disregard the issue as there are no real consequences from this CVE.

Explanation: B. When an organization becomes aware of a firmware vulnerability, it is crucial for the company to assess their vulnerability and determine if a fix is available. If a fix is indeed available, it should be implemented as soon as possible. In cases where a fix is not available, alternative control measures should be put in place, especially if the affected assets are critical to the company’s operations. It is important to note that the risk of exploitation increases significantly as more threat actors become aware of the vulnerable firmware. Furthermore, this particular vulnerability defaults to exfiltrating data over ports 16992-16995.

As a security analyst for a large retail organization, you research best practices for PCI compliance levels. How do you determine the appropriate level for your organization’s security framework?

  • A. Transaction volume for 6 months
  • B. Transaction volume for 12 months
  • C. Financial total for 6 months
  • D. Financial total for 12 months

Explanation: B. All merchants are categorized into four levels based on their transaction volume over a 12-month period. Transaction volume refers to the number of credit, debit, or prepaid cards processed by a business. Merchant Level 1 handles more than 6 million transactions annually, while Merchant Level 4 processes 20,000 or fewer transactions. In the event of a data breach and compromised data, a merchant may be moved to a higher level.

As a security analyst, you have analyzed suspicious traffic originating from a host on your network. Upon further examination, it has been determined that the data consists of website addresses, downloaded items, sent and received emails, and other types of data. Suspicion arises that there may be malicious software present on the host. In order to detect and remove this suspected software, which of the following products would most likely be effective?

  • A. Anti-adware
  • B. Antivirus
  • C. Antispyware
  • D. Antimalware

Explanation: C. Antispyware products are specifically designed to identify and eliminate programs that secretly collect information from an infected system. Antimalware products are capable of detecting various forms of malware, such as viruses, Trojans, ransomware, spyware, adware, and other malicious programs or code. Antivirus products are designed to recognize and remove viruses. Anti-adware products are specifically tailored to identify and eliminate programs created to display advertisements on an infected user’s screen. Additionally, it is important to note that both antispyware and antimalware products can address a wide range of malicious activities, making them suitable options for identifying and removing the suspected malicious software in this scenario.

As a security architect of a medical complex, you have concerns about data theft from highly secure systems. Your objective is to prepare for a system attack that gradually exfiltrates data through existing channels. What is the purpose of your preparations?

  • A. Encryption
  • B. Backdoors
  • C. Covert channels
  • D. Viruses

Explanation: C. A covert channel is a type of computer attack that allows the leakage of information through existing information channels or networks using the current infrastructure. It has been utilized to steal sensitive data by utilizing available space within network packets, enabling the attacker to receive the data without leaving any trace. A packet may only contain a single bit of covert data, making it extremely difficult to detect. In order to defend against covert channels, it is essential to analyze source code and monitor the resource usage of critical systems. Additionally, it is important to stay vigilant and proactive in identifying and preventing potential covert channel attacks.

  • A. Turn off Bluetooth when not in use.
  • B. Ensure Bluetooth is in hidden mode.
  • C. Disable Bluetooth pairing unless necessary.
  • D. Ensure Wi-Fi is turned off when not needed.

Explanation: D. Whether the Wi-Fi is enabled or disabled on a device usually does not affect the functionality of Bluetooth. However, it is always a good practice to turn off Wi-Fi when not needed to reduce the chances of unauthorized connections.

As a senior security architect, one of the most crucial principles of enterprise security is promptly identifying a data breach. Unfortunately, many organizations fail to detect breaches for weeks or even months due to their heavy investment in perimeter security rather than actively seeking out threats. Which of the following options will not aid in detecting a breach before it causes significant harm to your organization?

  • A. Modern breach detection tools
  • B. Periodic logging
  • C. Security expertise on the team
  • D. Global threat intelligence

Explanation: B. It is essential to avoid security analysts wasting time chasing irrelevant alerts. Modern cyberattacks occur over an extended period, progressing through various stages of the kill chain. To detect attack campaigns rather than isolated alerts, consistent logging is necessary, and periodic logging does not fulfill this requirement.

As part of your Capability Maturity Model Integration (CMMI), it is crucial to properly capture lessons learned in your technical project management. This data will be utilized in the future to enhance processes and improve performance. Failing to learn from project failures can result in which of the following?

  • A. Repeating the same failures
  • B. Missing out on opportunities
  • C. Implementing effective processes
  • D. Preparing for current projects

Explanation: A. Capturing lessons learned is essential for technical project managers as it allows them to review both successful and unsuccessful aspects of a project. This documentation provides valuable insights for future project teams, enabling them to become more efficient and effective. Capability Maturity Model Integration is a training and appraisal program for process-level improvement, administered by the CMMI Institute, which is a subsidiary of ISACA. It was originally developed at Carnegie Mellon University and is often mandated by U.S. government contracts, particularly in software development.

As part of your security audit, your CISO suggested leaving an infected USB in the breakroom with the label “wedding pics.” However, as soon as you place the USB next to the refrigerator and return to your desk, someone has already found it and plugged it in, resulting in the installation of the malicious file on the USB. What is the name of this type of social engineering technique?

  • A. Mantrap
  • B. Quid pro quo
  • C. Watering hole
  • D. Baiting

Explanation: D. It is called baiting because it involves tempting the victim with something interesting, such as a movie file or something labeled as “confidential.” Once the victim downloads and installs the malicious file, they become infected, allowing the attacker to gain control of the network. In this case, the USB acts as the bait to deceive the victim.

Cody configured the application programming interface (API) connection between your web application, which manages retail transactions, and your bank. It is crucial for this connection to be highly secure. When designing an API, what is the best option for ensuring its security?

  • A. SOAP
  • B. HTTPS
  • C. REST
  • D. XML

Explanation: A. SOAP and REST are two different web service formats. SOAP, or Simple Object Access Protocol, is used for exchanging data in a distributed environment. REST, or Representational State Transfer, is an architectural style for hypermedia systems. Among the two, SOAP has specific security extensions, while REST focuses on the delivery and consumption of data. HTTPS, or Hypertext Transfer Protocol Secure, is widely used for secure communication over computer networks. XML, or Extensible Markup Language, defines a set of rules for encoding documents for both humans and machines.

You have JavaScript installed as the foundation of most of your web applications because it is fast and interactive. You attempt to harden systems found with JavaScript vulnerabilities. Which of the following are the most commonly exploited JavaScript attacks?

  • A. Click-jacking
  • B. DNS and ARP
  • C. XSS and CSRF
  • D. SQLi and XMLi

Explanation: JavaScript vulnerabilities are common in web applications. Insecure JavaScript and bad coding can cost time and money. Several tools, like ZAP and Grabber, can help examine those web applications, scanning a site for vulnerabilities.

As the hospital’s security architect, you have multiple concerns, including confidentiality attacks like PHI theft and availability attacks like DoS. One of the commonly encountered attacks you aim to prevent is buffer overflow. Which of the following techniques is implemented to protect against buffer overflow attacks?

  • A. MAC
  • B. OSPF
  • C. ASLR
  • D. RLSA

Explanation: C. In a buffer overflow attack, the attacker identifies a function’s code that accepts input and deliberately provides excessive information, which may contain a malicious payload. To mitigate this threat, modern operating systems employ address space layout randomization (ASLR) to randomize the memory addresses of different sections of the code. Essentially, ASLR transformed a buffer overflow attack into a game of “whack-a-mole,” forcing the attacker to accurately guess the address space locations.

You want to use a USB drive with your phone to read data from the USB device without a PC. What type of cable do you need?

  • A. USB to USB
  • B. Paraflex Matrix
  • C. MicroUSB to C
  • D. USB OTG

Explanation: D. USB On-the-Go is a standardized specification that enables a device to read data from a USB device. The device becomes a USB host. To achieve this, you will need an OTG cable or connector.

You have been given the task of creating a team responsible for handling computer security incidents. This team will utilize the incident response plan. What has this team historically been referred to as?

  • A. NIST
  • B. CERT
  • C. ADA
  • D. Red Cross

Explanation: B. A Computer Emergency Response Team (CERT) is a specialized group that deals with incidents. CERT is also an organization that provides training for FEMA, preparing volunteers for emergencies. The term “Computer Emergency Response Team” originated from Carnegie Mellon University (CMU). CMU has the ability to certify organizations that are in the process of building a Computer Security Incident Response Team (CSIRT).

The application you are developing has a vulnerability that can be mitigated by using SSL and TLS. Which of these attacks can be prevented by using cryptographic protocols?

  • A. DDoS
  • B. VLAN hopping
  • C. On-path
  • D. BGP hijacking

Explanation: C. The security offered by SSL and TLS can help prevent on-path attacks, also known as man-in-the-middle (MiTM) attacks. These protocols are used to encrypt segments of TCP/IP traffic. An on-path attack occurs when an attacker gains access to traffic sent between two devices. If the data is unencrypted, the attacker can view all the traffic. SSL and TLS are used by HTTPS over port 443. A distributed denial-of-service (DDoS) attack is an attempt by attackers to make it impossible for a service to be delivered. In a DDoS attack, multiple systems are used to send malicious data or requests. These attacks involve overwhelming a system with requests for data, such as sending a web server so many requests to serve a page that it crashes under the demand. The result is an overload of available Internet bandwidth, CPU, and RAM capacity. VLAN hopping (virtual local area network hopping) is a method of attacking a network by sending packets to a port that is not normally accessible from a given end system. Border Gateway Protocol (BGP) hijacking is an illicit process that involves taking control of a group of IP prefixes assigned to a potential victim. This can be achieved by changing paths used for forwarding network traffic, exploiting the weaknesses of BGP.

Your marketing team wants to share files between local devices without using the network or a physical memory card at the next conference. Which of the following terms is best suited for the preceding situation?

  • A. Uploading
  • B. Downloading
  • C. Sideloading
  • D. P2TP

Explanation: C. Sideloading is a term that refers to transferring a file from one local device to another using a USB, a lightning cable, or Bluetooth without utilizing the network or a physical memory card. The process involves establishing a direct connection between the two devices and moving files to the appropriate destination.

Your primary SCSI storage has an embedded array controller, and redundancy is managed by hardware-level RAID. What is the name for this type of storage?

  • A. SAN
  • B. NAS
  • C. DAS
  • D. RAS

Explanation: C. A direct-attached storage (DAS) system is often the most cost-effective option. One limitation of DAS is its limited disk space, as some servers may only have two or three disk slots. Depending on the type of RAID used, this disk space can be quickly consumed. Additionally, DAS systems need frequent backups and cannot share data with other servers on the network. However, DAS is ideal for operating systems.

Your organization has a policy stating that passwords must be a minimum of 12 characters long, and include a combination of uppercase and lowercase letters, numbers, and special characters. Additionally, passwords must be changed every 30 days. Which of the following solutions can be used to enforce this policy organization-wide?

  • A. Active Directory GPO
  • B. LDAP

Explanation: A. Within Active Directory, you can configure various security-related settings under Group Policy. This includes settings related to the password policy mentioned in the question.

As a security analyst, you conducted a security assessment divided into internal and external exploitation. The external activities have a time limit set by the statement of work. After the time limitation expires, which method would you attempt?

  • A. Social engineering
  • B. OSINT
  • C. Vulnerability scan
  • D. Pivoting

Explanation: D. With the time limit set on external exploitation, once a system is compromised, you can use it to navigate through the network. With internal access, you can try to exfiltrate acquired data and exploit other machines in the environment.

Many users within your organization have clicked on emails that, despite appearing legitimate, turned out to be malicious. Once opened, these emails execute malicious code that infects the user’s system with malware. How can the email server be configured to prevent such emails from reaching the end user?

  • A. Firewall
  • B. Spam filters
  • C. WAF
  • D. Forward proxy

Explanation: B. Spam filters inspect and filter out malicious emails before they reach the end user, providing an added layer of protection. While a basic firewall does not examine emails for malicious content, it can help secure the network against other types of threats. A web application firewall (WAF) examines web traffic for malicious activity, focusing on protecting web applications. A forward proxy is an Internet-facing proxy that retrieves data from various sources, serving as an intermediary between clients and servers. The requested server will send a response to the forward proxy server, which will then deliver it to the internal client.

Your new CISO is interested in upgrading from open source to an enterprise vulnerability management tool. Which tool will meet your organization’s need for comprehensive vulnerability management?

  • A. Nexpose
  • B. Optimi
  • C. Splunk
  • D. Security Analytics

Explanation: A. Rapid7 owns both Metasploit and Nexpose. Using these tools together enables you to identify vulnerabilities and actively attempt to exploit them, allowing you to prioritize what needs to be fixed first. Additionally, Nexpose provides comprehensive vulnerability management capabilities, making it an ideal choice for your organization.

Your organization experiences a security incident that costs $20,000 in downtime each time it occurs. It has occurred twice this fiscal year. The device causing the issue is scheduled to be upgraded next year. The cost of implementing a fix is more than $250,000 and also requires maintenance contracts. What is the most cost-effective way to handle this risk?

  • A. Mitigate the risk
  • B. Avoid the risk
  • C. Accept the risk
  • D. Transfer the risk

Explanation: A. The strategy of risk mitigation allows an organization to prepare and reduce the impact of threats they face. Risk mitigation involves taking steps to minimize the negative effects of threats and ensure business continuity. Avoiding the risk means not pursuing the project. Accepting the risk means dealing with any potential consequences if something goes wrong. Alternatively, the risk can be transferred by outsourcing it to someone else. This allows the responsibility to fall on another party.

Your company has reached a point where a screened host firewall solution is no longer feasible. The IT department wants to transition to a screened subnet solution. Which of the following is considered a type of screened subnet?

  • A. LAN
  • B. DMZ
  • C. Egress
  • D. WAN

Explanation: B. A demilitarized zone (DMZ) is a type of screened subnet. It serves as the public-facing part of a network accessible by the public, such as customers. A local or wide area network encompasses the entire network topology. In networking, egress refers to traffic leaving a device or network boundary.

  • A. GLBA
  • B. HIPAA
  • C. SOX
  • D. All of the above

Explanation: D. Many local, state, federal, and international laws, as well as industry restrictions, necessitate the retention of data for specific periods of time. It is crucial to comply with these legal requirements to ensure data is kept for the appropriate duration.

You are part of a small startup nonprofit that has reached a development stage where implementing a security policy is essential. Which of the following components would you not include in your security policy?

  • A. Purpose
  • B. Scope
  • C. Compliance
  • D. Procedures

Explanation: A security policy serves as a high-level document outlining the overall approach to security measures. Conversely, procedures are detailed and specific. For instance, during my time in the military, the security policy mandated the use of port security, while procedures outlined the enforcement methods such as implementing “sticky MAC” protocols.

Aniket needs a web server to handle XML requests. Which technology is the most suitable for this task?

  • A. REST
  • B. SOAP
  • C. Ajax
  • D. XSS

Explanation: C. Ajax, or Asynchronous JavaScript and XML, is a web development pattern that allows web pages to use web services using JavaScript and XML. It enables the creation of fast dynamic web pages, allowing specific parts of a page to update without having to reload the entire page. SOAP, or Simple Object Access Protocol, is used for exchanging data in distributed environments. REST, or Representational State Transfer, is an architectural style for hypermedia systems, focusing on how to deliver and consume resources. While SOAP has extensions for specific security concerns, REST emphasizes hyperlinked systems. XSS, or cross-site scripting, is a type of injection attack where malicious scripts are injected into websites.

What is the best way to define risk in IT?

  • A. You have a vulnerability with a known active threat.
  • B. You have a threat with a known vulnerability.
  • C. You have a risk with a known threat.
  • D. You have a threat with a known exploit.

Explanation: A. The best way to define risk in IT is when you have a vulnerability in your system with a known active threat actor, increasing the likelihood of a compromise. Threat actors can include cyber-criminals who are driven by financial gain, nation-state actors with abundant resources, and insiders who may have malicious intentions for personal gain or revenge.

You remove hard drives from old servers, workstations, and copy machines. Your security policy requires that no sensitive data remains on those drives. It is not in the budget to replace the drives, so you must be able to use them again. What type of tool do you use to accomplish this task?

  • A. DeFraggler
  • B. KillDisk
  • C. Nmap
  • D. OS .iso

Explanation: B. KillDisk is a tool that enables you to overwrite hard drives numerous times. Hard drives contain sectors, and groups of sectors are called clusters. When data is written to a sector, the operating system (OS) can allocate the entire cluster to that data. Deleting data by using the OS does not remove the data from clusters. It removes the filename from the file allocation table and makes the space available for writing again. However, the data is still present, even when you delete the contents of the recycle bin.

Your CEO has purchased the latest and greatest mobile device (BYOD) and now wants you to connect it to the company’s intranet. You have been instructed to research this process in accordance with change management and security policy. What security recommendation do you suggest that would have the greatest impact on reducing risk?

  • A. Making this a new corporate policy available for everyone.
  • B. Adding a PIN to access the device.
  • C. Encrypting nonvolatile memory.
  • D. Auditing requirements.

Explanation: C. The act of encrypting nonvolatile memory will have the biggest impact and increase the difficulty for anyone attempting to break into the phone. A PIN alone would not serve as a strong enough deterrent, particularly when this phone has apps that connect to the corporate intranet. Using a complex password would be a better option than simply using a PIN.

Your mobile device receives its software or data update wirelessly over-the-air (OTA). The company has determined that this method does not pose a security risk to your device. In order to avoid losing access to your mobile device during business hours, how would you configure the type of OTA update?

  • A. Manual
  • B. Instinctive
  • C. Responsive
  • D. Automatic

Explanation: A. With manual OTA updates, the end user receives a notification when an update is available and can choose whether to download and install it. This gives the end user the freedom to select an appropriate time for the update installation. In contrast, automatic OTA updates are performed from the back end, where the update is pushed directly to the device. This means the end user does not need to manually initiate or approve the update process.

Instead of having salespeople travel back to the corporate office to upload customer information and download new electronic marketing materials, upper management tasked the IT department with recommending a secure but simple-to-use solution. This solution should enable the salespeople to remain in the field but utilize internet access to transfer the necessary information to and from the corporate office. All salespeople are familiar with using a web browser. What solution best suits this need?

  • A. A VPN solution using SSL/TLS via a web browser.
  • B. A VPN solution using an application solution with IPSec.
  • C. A VPN solution using a web browser with WAF.
  • D. A VPN solution using an application solution with HIDS.

Explanation: A. A VPN solution using SSL/TLS via a web browser is likely the best solution. It provides secure communication with the corporate office as well as ease of use because it uses a web browser interface.

Which solution is most suitable for enabling salespeople to transfer necessary information to and from the corporate office while remaining in the field?

  • A. A VPN solution using SSL/TLS via a web browser.
  • B. A VPN solution using an application solution with IPSec.
  • C. A VPN solution using a web browser with WAF.
  • D. A VPN solution using an application solution with HIDS.

Explanation: A. A VPN solution using SSL/TLS via a web browser is likely the best solution. It provides secure communication with the corporate office as well as ease of use because it uses a web browser interface.

You are evaluating a browser-based remote desktop solution. While conducting the evaluation, you discover that the latest version of SSL is being used to encrypt data. Which statement is correct regarding this connection?

  • A. The connection is using SSL, and it is secure.
  • B. The latest version of SSL is version 1.96.
  • C. SSL is outdated. TLS should be used instead.
  • D. TLS is outdated. SSL is the best solution.

Explanation: C. Although SSL does encrypt data, TLS is currently the latest and most secure means of securing web-based communications. It is recommended to use TLS instead of SSL for better security.

Your IT department has discovered that some of your legacy computers and servers do not have a TPM chipset. What security feature is missing from these computers?

  • A. Time synchronization of logs
  • B. Program sandboxing
  • C. Throttling of bandwidth protection
  • D. Storage of cryptographic keys

Explanation: D. A Trusted Platform Module (TPM) is essential for storing cryptographic keys securely. The TPM can be either embedded on a motherboard or added via a PCI card. Having a TPM ensures the protection of sensitive cryptographic keys used for encryption and authentication purposes.

You work for a university and are monitoring your dedicated faculty wireless network. You have configured Wi-Fi profiles to deploy wireless network settings to users in your organization, but you still see many unauthorized mobile devices connected to the network. Malicious activity has been reported. Your IT security manager suggested adding contextual authentication. Which of the following falls into that category?

  • A. GPS
  • B. IDS
  • C. MAC filtering
  • D. Bluetooth

Explanation: A. A common method for contextual authentication is utilizing the geographic location or time of day. For example, if a professor typically accesses their account during their planning period while in a specific location such as their office or classroom, any login attempt that falls outside these parameters will be unsuccessful. Contextual authentication helps ensure that only authorized devices can connect to the network, enhancing security measures.

You tested forms on a school’s website by inputting odd information in a given field. Instead of using the expected five numerical characters for the ZIP code, you used the numerical characters 1234 in addition to the ZIP code. What type of testing did you conduct?

  • A. PDCA
  • B. Boundary
  • C. White hat
  • D. Form testing

Explanation: B. Boundary testing is a specific form of testing where values that are known to be outside acceptable ranges are placed into the form to see how the application handles the errors. This type of testing helps identify any issues that may arise when unexpected or invalid data is entered into a form.

Your organization struggles with distinguishing what data can be shared with customers and what should remain internal. They have assigned you the task of data classification. What is the primary purpose of performing this task?

  • A. Justifying expenses
  • B. Assigning value to data
  • C. Defining necessary security protections
  • D. Controlling user access

Explanation: C. The primary purpose of data classification is to define necessary security protections. Data classification is done based on the value of the object, not to assign value to it. While data classification helps in defining security protections, it does not directly control user access. User classification or clearance is responsible for controlling user access.

You are bidding on a military contract that requires the validation of hardware components for security reasons. What is the term used to describe the validation process carried out by a third party?

  • A. Authorization
  • B. Authentication
  • C. Isolation
  • D. Attestation

Explanation: D. Attestation is the process of validating something to be true. In the context of this military contract, it involves hiring a third-party organization to verify and ensure the security of the hardware components. This verification process is crucial in meeting the security requirements of the contract.

You have selected a vendor for your collaboration tool and are about to sign an agreement that mandates the vendor to maintain confidentiality of any information obtained during the proof of concept, deployment, and usage of the tool. Which document must be signed by both your organization and the vendor?

  • A. SLA
  • B. MOU
  • C. NDA
  • D. RFP

Explanation: C. A nondisclosure agreement (NDA) is a legally binding document that restricts the sharing of information by either party. A service level agreement (SLA) defines the agreed-upon level of service between a customer and a vendor. A memorandum of understanding (MOU) is a formal agreement between two or more companies establishing an official partnership. A request for proposal (RFP) is a solicitation for a proposal from an organization.

Your organization has migrated to the cloud to host your traditional on-premises IT. Which security technique that is typically used on-premises should you not research and adopt in the cloud?

  • A. Virtual firewalls
  • B. Virtual IDS and IPS
  • C. Virtual security hardware
  • D. Virtual physical security

Explanation: D. More security approaches are being created and evolved specifically for cloud environments. Some cloud hosting organizations, such as Amazon, offer certified data centers with above-average data center security. The responsibility for implementing physical security measures lies with the provider.

Your department was tasked with implementing Bluetooth connectivity controls in order to mitigate risk. Which of these options best describes the network you will be creating?

  • A. PAN
  • B. LAN
  • C. WAN
  • D. WLAN

Explanation: A. Bluetooth is a personal area network (PAN) that allows connections and data sharing with devices in close physical proximity. Risks associated with Bluetooth include bluejacking, which involves sending unsolicited text messages to other Bluetooth users. Bluebugging refers to the unauthorized use of someone else’s phone to make calls or send texts without their knowledge.

You need a way to enable tech support from your organization to have complete remote access to your systems. It has become difficult for end users to walk through a complicated set of steps, so it is best to let a well-trained technician do it for them. Which of the following are the major risks associated with desktop sharing and remote access?

  • A. Authentication and access control
  • B. Authorization and verification
  • C. Validation and isolation
  • D. Regulation and application

Explanation: A. Anyone, anywhere can log into a desktop sharing tool. A remote support session usually starts with an employee clicking a link and giving up control of a system. If the person initiating the session is malicious, serious trouble can occur. Once they gain control of the system, they can access other enterprise systems, such as databases and supporting servers. This poses a significant security risk.

You examine your cybersecurity toolkit for the blue team and wish to include a tool that generates evidence of an exploit and supports JavaScript and Ajax-based applications. Which of the following options would be the most suitable to use?

  • A. SET
  • B. Nmap
  • C. Netsparker
  • D. SQLi

Explanation: C. Netsparker is a widely used web application scanner that is capable of supporting JavaScript and Ajax-based applications. It can identify vulnerabilities such as SQLi and local file inclusion and even suggest actions for remediation. With Netsparker, you do not need to verify the vulnerability. In case Netsparker is unable to verify the flaw, it will notify you. JavaScript is a scripting language that runs on the client side, meaning the web browser of the client processes its source code rather than the web server. This allows functions to be executed after the web page has loaded without needing to communicate with the server. Ajax (Asynchronous JavaScript and XML) is a technique that utilizes XML, HTML, CSS, and JavaScript to create more interactive and efficient web applications.

You are the new CISO for a software organization revising security best practices. Which of these statements about best practices is the most accurate?

  • A. They should be endorsed by end users.
  • B. They should be extremely specific.
  • C. They should be extremely general.
  • D. They should be as short as possible.

Explanation: D. Security best practices and policies should be kept short, with a maximum length of two to three pages. Shorter policies are further elaborated on by including procedures, standards, and guidelines. Shorter policies are not only easier to comprehend but also make it easier for an organization to comply with.

Paula, your CEO, brought you a device on which she accidentally deleted a set of folders containing sensitive information that must be recovered. You want to use a program to recover only specific files based on their headers, footers, or data structure. Which tool do you choose?

  • A. foremost
  • B. dd
  • C. nbtstat
  • D. nc

Explanation: A. In forensics, when you are recovering only specific files based on their headers, footers, or data structure, it is called data carving. Foremost, created by the USAF, is a reliable tool for this purpose and can be downloaded at SourceForge.

You are hired by a burgeoning retail startup that needs to upgrade its IT operations to a more mature model. What is the best framework to use for the initial internal audit of the organization?

  • A. ITIL
  • B. CISA
  • C. COBIT
  • D. ISO 27001

Explanation: C. COBIT defines requirements for governance, management, and control of IT processes. It includes process descriptions, objectives, maturity, and guidelines. ISO 27001 is the framework for security, while ITIL focuses on enabling IT services and life cycles.

You have been assigned the task of implementing a system that operates at a single classification level. All users who access this system have the same clearance, classification, and need to know. What is the operating mode of this system?

  • A. High mode
  • B. Dedicated
  • C. Peer to peer
  • D. Multilevel

Explanation: B. A dedicated system operates at a single level of a specific classification, and all users of that system have the same clearance and need to know. High mode indicates a single level of classification, but not everyone has the same level of need to know. Multilevel consists of multiple levels of classification and various clearance levels where not everyone has a need to know. Peer-to-peer computing or networking is a distributed application architecture that distributes tasks or workloads equally among peers who have equal privileges.

Your organization has recently opened new offices on a different continent. This expansion necessitates internal security as well as compliance, particularly regarding export controls. The existing policy also stipulates that all employee activity may be monitored. What could be a potential reason for a change in this policy?

  • A. Teams in other countries are subject to different legal or regulatory requirements.
  • B. The time it takes to export data to the data warehouse.
  • C. A shortage of qualified analysts in the field of cybersecurity.
  • D. Social networking initiatives.

Explanation: A. Laws and regulations vary from country to country. By opening offices in other countries, these offices will fall under different jurisdictions, requiring a potential revision of the existing policy. Additionally, it is important to ensure compliance with the legal and regulatory requirements of each country the organization operates in.

You are currently on hold with tech support, and they have guided you to the command screen. Your computer has a command prompt, and you need to view all the current TCP/IP network configuration values for this specific asset. What command do they instruct you to enter?

  • A. ipconfig
  • B. arp
  • C. rarp
  • D. dns

Explanation: A. The command ipconfig /all provides a more detailed display of information compared to just ipconfig. Additionally, you can use the command ipconfig /release to force an asset to relinquish its lease by notifying the DHCP server. Another option is to request a new lease using ipconfig /renew.

You have contracted with a company to develop a new web application for processing credit cards in your retail outlets. Which of the following assessments provides the highest level of assurance for the web application they create?

  • A. Penetration testing
  • B. Vulnerability assessment
  • C. Implementation
  • D. Code review

Explanation: D. A code review, also known as a peer review, involves systematically checking a program by reviewing its source code for errors. This process helps identify and rectify any mistakes in the code, ensuring higher quality and security in the web application.

You are presented with a command prompt and need to determine if there is connectivity between your machine and another machine on the network. Which command should you execute?

  • A. arp
  • B. vnstat
  • C. ipconfig
  • D. ping

Explanation: D. ping is a fundamental network command that is used to assess connectivity and can also be utilized to measure speed or latency. It sends a series of packets to the target machine and measures the response time to determine if there is a connection.

Aaron’s end users are having difficulty signing into the network. The investigation of the situation leads him to believe it is which type of attack?

  • A. Port scanning
  • B. DDoS
  • C. Pass-the-hash
  • D. Trojan

Explanation: B. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks block legitimate users from accessing a system. Attackers overwhelm the target system with large volumes of packets or requests. To mitigate DDoS attacks, reducing the attack surface and deploying firewalls for sophisticated application attacks can be effective. Additionally, it is important to understand normal and abnormal traffic on the network.

Allan is a network engineer who enters the following commands on an Ethernet port of a router. The port is currently in its default configuration. What command needs to be entered after the given commands in order to bring up the interface?

Router> enable
Router# configure terminal
Router(config)# interface fastethernet 0/1
Router(config-if)# ip address

  • A. no shutdown
  • B. up
  • C. restart
  • D. start

Explanation: A. By default, Ethernet ports on a router are shut down. To bring the port up and activate it, the “no shutdown” command must be entered after the last command listed in the question. This command overrides the default shut down status, allowing the interface to be functional and operational.

A vendor of software deployed across your corporate network announced that an update is needed for a specific vulnerability. Your CIO wants to know the vulnerability time (Vt). When can you provide them with that information?

  • A. After the patch has been downloaded and installed on the affected system or device.
  • B. After the patch has been released and made available to the public.
  • C. After the patch has been created by the vendor.
  • D. After an inherent vulnerability has been discovered.

Explanation: A. The vulnerability time (Vt) refers to the time between when a vulnerability is discovered and when it is patched. It is crucial to determine this timeframe as it helps identify the vulnerability window, during which an IT asset is most vulnerable. This window has grown increasingly significant due to the shrinking timeframe within which malware is created based on inherent vulnerabilities.

Your web application is undergoing a user experience (UX) review. The application has become complex due to the use of text fields, radio buttons, and other input fields that are impacted by the state of other text fields and radio buttons. What type of issue are you facing?

  • A. State management
  • B. Redundant libraries
  • C. Request frameworks
  • D. Centralized data store

Explanation: A. When managing a graphical user interface with text fields and radio buttons that can trigger other text or input fields, one input state can influence another input state. This can lead to issues related to state management and can make the application more complex to handle.

You need a security assessment that resembles real-world attacks. What type of team should you hire to carry out this test externally, with limited or no knowledge of your company?

  • A. Red team
  • B. Blue team
  • C. Yellow team
  • D. White team

Explanation: A. A red team is capable of executing all the necessary steps that genuine attackers would utilize against your company. By assuming this role, they can identify your company’s vulnerabilities and weaknesses.

One of your reports is on a server that you typically access through You are unable to download it from that address, but you can access the file server through the IP address What is the first tool you should check?

  • A. ARP cache
  • B. DHCP server
  • C. FTP server
  • D. DNS server

Explanation: D. To resolve the issue, you should check the DNS server because the FTP server is mapped to an IP address. The DNS server is responsible for translating hostnames or fully qualified domain names (FQDNs) to their respective IP addresses. By checking the DNS server, you can ensure that the correct IP address is associated with the FTP server.

You work for a security organization that performs penetration tests for large corporations. A corporation asks for a black-box test. You begin the process of passive reconnaissance. What should be the first thing you access?

  • A. DNS
  • B. Nmap
  • C. Netcat
  • D. Social media

Explanation: D. In passive reconnaissance, you use tools like social media to gather information about an organization and its employees. There are various techniques, including social engineering, that can be employed to discover email addresses, available job positions, and the tools utilized in the organization’s environment. This information is crucial for understanding potential vulnerabilities and creating an effective penetration testing strategy.

You have a command prompt at a terminal window and need to determine the path taken by an IP packet through the network. What command should you use?

  • A. fins
  • B. ipconfig
  • C. traceroute
  • D. ping

Explanation: C. Traceroute is a helpful diagnostic network command that shows us the route a packet takes to reach its destination. By using traceroute, we can determine if the network is functioning correctly and identify any potential issues along the way. This command provides valuable insights into the path of the packet, helping us troubleshoot and identify any network problems.

Your CISO mandates the security department implement the Center for Internet Security Top 20 controls, starting with the first control: Inventory and Control of Hardware Assets. This control states that an organization must actively manage all hardware devices on a network. The main function of this control is to prevent which of the following?

  • A. Authorized access
  • B. Indefinite access
  • C. Unauthorized access
  • D. Continuous access

Explanation: C. The official definition of this control is to actively manage, inventory, and track all hardware devices on the network so that only authorized devices are given access. Unauthorized and unmanaged devices should be prevented from gaining access. Additionally, this control helps in identifying any potential security risks and ensuring that the network remains protected from unauthorized access.

Your organization needs to be able to use a third party’s development tools to deploy specific cloud-based applications. Platform as a service (PaaS) is the choice that has been approved to launch these cloud services. Which of the following is not a true statement?

  • A. PaaS can use an API to develop and deploy specific cloud-based services.
  • B. Cloud storage is a term used to describe the use of a third-party vendor’s virtual filesystem as a document or repository.
  • C. You can purchase the resources you need from a cloud service provider on a pay-as-you-go basis.
  • D. With PaaS, you must buy and manage software licenses.

Explanation: D. PaaS enables you to avoid the expense and complexity of having to buy and manage software licenses, application infrastructure, development tools, and other resources. You manage the applications and services that you have developed, and the cloud provider handles everything else.

You want to create an IT disaster recovery solution for your organization, and your budget is small. The MTD for your company is five days. Any downtime more than five days will harm the company. Which of the following is your best option?

  • A. Hot site
  • B. Warm site
  • C. Cold site
  • D. Mobile site

Explanation: B. A warm site would be the best option. A cold site would take much longer than your maximum tolerable downtime (MTD) would allow, and a hot site is extremely expensive. A warm site usually has equipment and power but no data, but it could be operational within the MTD. A cold site usually has office or data center space without any server-related equipment installed. A hot site allows a business to continue computer and network operations in the event of a computer or equipment disaster. For example, if an enterprise’s data center becomes inoperable, that enterprise can move all data processing.

One of your internal security tests finds that it is not detecting the newest security threats. Management wants you to investigate what type of IDS is the best tool to implement. Which of the following is your suggestion?

  • A. Protocol-based
  • B. Hash-based
  • C. Pattern matching
  • D. Anomaly detection

Explanation: D. An anomaly detection-based IDS is best at detecting the newest security threats. An anomaly detection device finds the oddities in network traffic behavior by taking a baseline first of what normal patterns look like. Once you have a baseline, it will compare current traffic to detect abnormal traffic.

In the event of application failure or error, it is important to have a system in place that provides a general error indicator for end users and logs the events for future reference. What term is commonly used to describe this system in production?

  • A. Secure by design
  • B. Secure by default
  • C. Secure in deployment
  • D. Secure in download

Explanation: C. An application can be securely maintained after deployment through the implementation of patch management and auditing. Additionally, a process should be established for monitoring events at regular intervals or after any failure to ensure further security.

Kenneth, the CISO of an engineering organization, has requested that the security department recommend a system to be installed on business-critical servers in order to identify and prevent unauthorized access. Which of the following options fulfills Kenneth’s requirement?

  • A. HIPS
  • B. NIDS
  • C. HIDS
  • D. NIPS

Explanation: A. A host-based intrusion prevention system (HIPS) is designed to identify and prevent unauthorized intrusions on a specific host, such as a server. HIPS can also notify personnel of any detected intrusions. On the other hand, NIPSs are network-based and HIDSs/NIDSs are focused solely on detection, allowing for alert configurations but not actual intervention. It is recommended to utilize a HIPS in this particular scenario.

A new program that you are responsible for requires the replacement of legacy hardware and software. These applications will impact three major operational systems within the company. You have established security requirements and have engaged with the infrastructure and networking teams. What is the next step in the process?

  • A. Document all the technical and non-technical requirements.
  • B. Conduct a tabletop exercise involving all technical personnel.
  • C. Inform all stakeholders about the security requirements.
  • D. Schedule a meeting with database and application consultants for migration advice.

Explanation: C. Once you have established the security requirements for replacing the legacy equipment at the core, it is important to communicate these requirements to all project stakeholders. This ensures that everyone involved is aware of the security measures to be implemented.

  • A. Meterpreter
  • B. Exploitation
  • C. Metasploit
  • D. BurpSuite

Explanation: C. Metasploit is an open-source compilation of exploitative tools that can be personalized with your own implementations. Backed by countless users, it is one of the most popular tools available. As a pentester, this tool allows you to identify vulnerabilities and seamlessly integrate with Nexpose, a top-notch vulnerability management tool.

You possess an asset that has a valuation of $1,000. The EF (Exposure Factor) for this asset is 10 percent. The ARO (Annualized Rate of Occurrence) is 2. What is the ALE (Annual Loss Expectancy)?

  • A. The ALE is $200.
  • B. The ALE is $100.
  • C. The ALE is $400.
  • D. ALE cannot be calculated with the given numbers.

Explanation: The ALE is calculated by multiplying the ARO by the SLE (Single Loss Expectancy). In this question, there are two equations to solve. The SLE is equal to 10% of $1,000, which amounts to $100. Therefore, the ALE is 2 times $100.

You are satisfied with the security measures implemented by your department for data at rest. However, your concern lies with data in transit. Which of the following does not raise any concerns?

  • A. Insecure protocols
  • B. Key mismanagement
  • C. Man-in-the-middle attacks
  • D. Bad sector on a hard drive

Explanation: Data in transit is more vulnerable compared to data at rest, as there is a higher risk of it being compromised. To secure data in transit, it is crucial to implement mandatory access control and authentication along with the ability to detect and address suspicious behavior and threats effectively.

Your employees need internal access while traveling to remote locations. You need a service that enables them to securely connect back to a private corporate network from a public network to log into a centralized portal. You want the traffic to be encrypted. Which of the following is the best tool?

  • A. Wi-Fi
  • B. VPN
  • C. RDP
  • D. NIC

Explanation: B. A virtual private network (VPN) enables employees to securely access sensitive data and systems on mobile devices while away from the secure corporate network. A VPN’s traditional role is to allow employees to authenticate from anywhere in the world and seamlessly access the company’s network. Wi-Fi is wireless networking technology that allows equipment to connect to the Internet. The Remote Desktop Protocol (RDP) is a Microsoft technology that provides end users with a graphical user interface to connect to another computer. A network interface card (NIC) is hardware that connects a computer to a network.

You are a member of the blue team for your company. This team is tasked with engaging with a red team of mock attackers. What team referees this engagement?

  • A. White team
  • B. Stakeholders
  • C. CISO
  • D. Yellow team

Explanation: The Committee on National Security Systems (CNSS) Instruction defines a white team as a group that is responsible for refereeing an engagement of red team attackers versus the blue team, the actual defenders of information systems. Additionally, the white team ensures fair play and impartial evaluation of the red team’s tactics and the blue team’s defensive strategies.

You work for a SOHO and replace servers whenever there is money readily available for expenditure. Over the past few tech-refresh cycles, you have received many servers and workstations from several different vendors. What is the challenge and risk to this style of asset management?

  • A. OS and asset EOL issues and updates
  • B. OS complexities and OS patch version dependencies
  • C. Failure rate of legacy equipment, replacement parts, and firmware updates and management
  • D. Poor security posture, inability to manage performance on old OS

Explanation: This is hardware. You can put an operating system on most any hardware out there. When old equipment has maintenance issues, it is sometimes difficult to find the parts and perform regular updates to those assets.

Your company holds large amounts of company data in electronic databases as well as personally identifiable information (PII) of customers and employees. What do you do to ensure that implemented controls provide the right amount of protection?

  • A. Best practices
  • B. Forensics
  • C. Due diligence
  • D. Auditing

Explanation: C. Due diligence means “required carefulness.” Due diligence is exercising informed care that is expected of reasonable people. Performing this kind of process ensures that the proper information is systematically and deliberately protected.

You have event logging turned on so that you can build a chronological list of steps to provide documentary evidence of the sequence of activities that affect a specific operation or event. What is this called?

  • A. Audit trail
  • B. Vulnerability scanning
  • C. Patch management
  • D. Compliance and reporting

Explanation: The body of data that is gathered by event logging is called an audit trail. Audit trails allow a security professional to build a timeline of events and actions that happened on a system to prove an individual or entity is responsible for malicious activity. It is essential for investigations and maintaining security integrity.

Your staff wants to use Bluetooth on their networked mobile devices, and you have been assigned as the Bluetooth administrator. What type of network are you implementing?

  • A. MAN
  • B. LAN
  • C. WLAN
  • D. PAN

Explanation: D. Bluetooth is best described as a personal area network (PAN). A PAN is used to create a network to connect and share data with devices that are close together. For example, a network consisting of a PC, a phone, a printer, and wireless headphones would be considered a PAN. A MAN refers to a metropolitan area network, a LAN refers to a local area network, and a WLAN refers to a wireless LAN.

You conduct a privacy audit for your organization and are concerned about possible violations. Which of the following is most concerning?

  • A. FTP
  • B. VPN
  • C. Rogue access points
  • D. Cookies

Explanation: D. Depending on your security policy and compliance, the use of cookies could be a violation of privacy. Cookies can be used to record data, web-surfing habits, and so forth. Secure environments and organizations concerned about privacy should restrict the use of cookies. Cookies could possibly aid an attacker in spoofing a user’s identity or contain connection and session management information.

To protect your company’s web applications, you first must determine any highly problematic area of the application. You have applications that enable users to use large amounts of data like blog posts. When these blog posts are done through HTML, they are at a high risk of what type of attack?

  • A. NGINX
  • B. Injection
  • C. Arbitrary
  • D. Recursive

Explanation: B. An application that uses a large amount of data, especially when done with an HTML editor, is at a high risk of injection attacks if proper prevention measures are not enforced. Additionally, it is important to ensure that all input data is properly validated and sanitized to prevent any potential vulnerabilities.

Frederick, a security analyst, is reviewing corporate settings on multiple assets. He observes that some settings have been disabled, allowing untrusted programs to be installed on mobile devices. Which settings should be adjusted to ensure that applications can be sandboxed and tested before secure deployment?

  • A. Updates
  • B. Digitally signed applications
  • C. Containerization
  • D. Remote wiping

Explanation: C. Containerization establishes a separate and encrypted space on employees’ mobile devices, where business data is kept separate from everything else on the device. This allows an administrator to manage the contents of the container and restricts access to the corporate network. To enhance security and prevent the installation of untrusted programs, adjusting the containerization settings is recommended.

Which of these helps prevent accidental data loss by ensuring that a class defines the data it needs?

  • A. Modules
  • B. Classes
  • C. Segmentation
  • D. Encapsulation

Explanation: D. Encapsulation is a characteristic of object-oriented programming (OOP). OOP uses objects and instances of classes. Data that is defined for a specific class relates only to that specific class. This means that an object cannot accidentally read data from other objects. Furthermore, encapsulation allows for better control and protection of data, as it restricts access to certain variables and methods.

You are configuring SNMP on a Windows server and have discovered that you are currently using SNMPv2c. What are the reasons to upgrade to SNMPv3?

  • A. Cryptographic security system
  • B. Party-based security system
  • C. Easier to set up
  • D. Supports UDP

Explanation: A. SNMP version 3 (SNMPv3) introduces encryption and authentication, which can be utilized independently or in conjunction with each other. Upgrading to SNMPv3 enhances the security of your SNMP configuration.

The National Institute of Standards and Technology (NIST) recommends the physical destruction of data storage media at what stage of media life?

  • A. Initial
  • B. Backups
  • C. Final
  • D. Retention

Explanation: NIST recommends that data storage media be physically destroyed during the final stage of its life. This method is considered the most effective way to sanitize data and ensure its complete destruction.

You downloaded a driver to the C: drive for a component you must install on a Linux machine. The file is called printer_driver.dll. One of the first things to do is verify that the file was not corrupted during download. What is the command you used in the CLI to ensure this file has not been tampered with using the 128-bit MD5 algorithm?

  • A. md5_C:printer_driver.dll
  • B. md5 "C:\printer_driver.dll"
  • C. md5 printer_driver
  • D. cd/ "printerdriver.dll" md5 -n

Explanation: B. After running the command “md5 "C:\printer_driver.dll"”, the program will return a series of characters known as a checksum, which you can compare against the checksum provided on the file’s original download page. This helps ensure that the downloaded file has not been tampered with using the 128-bit MD5 algorithm.

What happens to a packet if it is examined by a router’s ACL and no statement in the ACL matches the packet?

  • A. The packet is dropped.
  • B. The packet is forwarded.
  • C. The packet is sent to another queue for further examination.
  • D. The packet is returned to the sender.

Explanation: If no statement in the ACL matches the packet being examined, the packet is dropped. This is because there is an implicit deny at the end of an access control list, which means any packet that doesn’t match a specific statement will be denied and discarded.

What is the structured approach to aligning IT with business objectives?

  • A. GRC
  • B. ITIL
  • C. PMI
  • D. CRMA

Explanation: A. GRC stands for governance, risk, and compliance. A good GRC strategy leads to better decision-making, stronger return on investments, the elimination of silos, and reduced fragmentation. Governance ensures that activities align with business goals. Risk ensures that any risk associated with an activity supports the business goals. Compliance ensures that all activities meet laws and that regulations are used and secured properly. ITIL, PMI, and CRMA are certifications you can attain in GRC.

Your company decides to shift the eDiscovery processes from external third parties to in-house. Which of the following is not a stage of eDiscovery?

  • A. Identification
  • B. Interpretation
  • C. Collection
  • D. Processing

Explanation: B. eDiscovery is the collection of intangible digital data. It differs from paper information due to volume, transience, and persistence. The six stages of eDiscovery include identification, preservation, collection, processing, review, and production.

The firewall administrator implemented the following rules. Which statement is true concerning these rules?

Rule# Rule Protocol Source Destination Port
1 Permit IP 80
2 Permit TCP 23
3 Deny TCP Any 22
4 Deny TCP 23
5 Deny IP Any Any Any

  • A. TCP traffic from source IP will be allowed to destination IP port 23 because rule 2 will be performed.
  • B. TCP traffic from source IP will not be allowed to destination IP port 23 because rule 4 will be performed.
  • C. TCP traffic from source IP will be allowed to destination IP port 23 because rule 5 will be performed.
  • D. TCP traffic from source IP will not be allowed to destination IP port 23 because of the implicit deny at the end of the firewall list.

Explanation: A firewall applies the first rule in the list that matches the packet being processed, and no further processing through the rules occurs. Therefore, rules 3, 4, and 5, as well as the implicit deny at the end of the list, are not evaluated because the packet matched rule 2 and was permitted through the firewall.

Your organization experienced a security event that led to the loss and disruption of services. You were chosen to investigate the disruption to prevent the risk of it happening again. What is this process called?

  • A. Incident management
  • B. Forensic tasks
  • C. Mandatory vacation
  • D. Job rotation

Explanation: A. An incident is an event that could lead to loss of, or disruption to, an organization’s operation, services, or functions. Incident management is a term describing the activities of an organization to identify, correct, and analyze to prevent a future occurrence. Forensics are performed to find artifacts in an environment. Mandatory vacations and job rotation are administrative controls.

You are a SQL database administrator managing and implementing security initiatives from the kernel to middleware. Based on controlling the confidentiality of your customers’ financial information, what controls best meet the needs of your company?

  • A. UPS and partial disk encryption
  • B. IPS, generator, and strong authentication controls
  • C. Vulnerability scanning and peer review of all changes
  • D. CMDB and an analysis of all code modifications

Explanation: B. Of all these answers, having a generator for backup power, intrusion prevention, and strong authentication would best meet the need of protecting your customers’ information.

You are a SQL database administrator managing and implementing security initiatives from the kernel to middleware. Based on controlling the confidentiality of your customers’ financial information, what controls would be most suitable for your company?

  • A. UPS and partial disk encryption
  • B. IPS, generator, and strong authentication controls
  • C. Vulnerability scanning and peer review of all changes
  • D. CMDB and an analysis of all code modifications

Explanation: B. Of all these answers, having a generator for backup power, intrusion prevention, and strong authentication would be the most appropriate choice for protecting your customers’ information.

You would like to periodically update records in multiple remote locations to ensure the appropriate levels of fault tolerance and redundancy. What is this known as?

  • A. Shadowing
  • B. Mirroring
  • C. Archiving
  • D. Fail safe

Explanation: A. Shadowing refers to manual or automatic copies of computer files to a local or remote location, providing a form of redundancy and fault tolerance. It ensures that updated records are available in multiple locations for increased reliability.

For security purposes, Ted is transitioning from LDAP to LDAPS, which is a standards-based specification for interacting with directory data. LDAPS ensures security by utilizing which of the following options?

  • A. SSL
  • B. SSH
  • C. PGP
  • D. AES

Explanation: A. By default, LDAP communication between the client and server is not encrypted, making it possible to capture and view the transmitted information, including usernames and passwords. LDAPS adds SSL encryption, mitigating security risks and protecting sensitive data.

The after-action report (AAR) received from the incident response team contains lessons learned. It states that the enterprise environment’s security policies were insufficient in dealing with the current level of vulnerabilities and the allotted timeline for patching. This allowed attackers a large window of time to exploit unpatched software. Based on the AAR and lessons learned, what actions should the security department take?

  • A. Investigate the current patch management system and explore ways to improve or automate it.
  • B. There are no ways to improve an existing patch management program.
  • C. Employ more IT analysts.
  • D. Hire a third-party agency to review the AAR and provide recommendations to eliminate all vulnerabilities in the software.

Explanation: A. Patch management is crucial for reducing risk when dealing with vulnerabilities. Some vulnerabilities may require compensating controls, while others may need to be completely removed from the organization. An AAR can help in reevaluating response times, acquiring additional staff, and improving processes.

The system admins on your network have noticed that certain subsystems are failing, taking too long to respond, or consuming excessive power. Which IBM technology enables dynamic reprogramming of a computer chip?

  • A. Guardium
  • B. eFUSE
  • C. QRadar
  • D. Veeam on IBM Cloud

Explanation: B. These options all consist of IBM products. eFUSE is a technology developed by IBM that allows for real-time reprogramming of computer chips. Typically, computer logic is permanently etched onto a chip and cannot be altered once manufacturing is completed. However, with eFUSE technology, a chip manufacturer can enable circuit modifications while the chip is in operation. This technology is primarily used for optimizing in-chip performance. IBM Guardium is a security solution specifically designed for databases and compliance. QRadar is a security incident and event management (SIEM) tool. Veeam on IBM Cloud combines backup, restore, and replication functionalities to manage virtual environments.

To curtail end-user visits to known malicious websites, the security team has made the decision to prevent users from accessing them. Which solution from the following options accomplishes this task?

  • A. Pinklisting
  • B. Graylisting
  • C. Whitelisting
  • D. Blacklisting

Explanation: D. Blacklisting is the process of blocking known malicious entities, such as known malicious websites. However, blacklisting has the limitation of not including all newly emerging malicious sites due to the constantly evolving nature of threats. To address this limitation, additional proactive measures such as monitoring, updating, and implementing dynamic threat intelligence are recommended.

Levi’s corporate public cloud network is configured such that all network devices reach each other without going through a routing device. The CISO wants the network reconfigured so that the network is segmented based on geography. In addition, the servers must be on their own subnetwork. What is one benefit of subdividing the network in this way?

  • A. No benefit at all.
  • B. By subdividing the network, the port numbers can be better distributed among assets.
  • C. By subdividing the network, rules can be placed to control the flow of traffic from one subnetwork to another.
  • D. Ease of deployment.

Explanation: C. By subdividing the network, you create an additional routing layer for messages. This additional layer can increase security or allow assigning each subnet available to individual network administrators. Additionally, ease of troubleshooting and bandwidth utilization are other benefits, as well as customizing rules between subnetworks. Availability zones are isolated locations within a data center region where the public cloud operates.

Troy is faced with the decision of how to approach his organization’s file integrity monitoring (FIM) system. The first option is to use a standalone FIM, which solely focuses on file analysis. Alternatively, Troy can choose to integrate it with the host in order to identify threats in areas such as system memory or I/O. In order to go with the integration option, which of the following should Troy utilize?

  • A. HIDS
  • B. ADVFIM
  • C. NIDS
  • D. Change management

Explanation: A. Some advanced FIM solutions are part of a host-based intrusion detection system (HIDS), which means they are capable of detecting threats in areas beyond just files. An NIDS is a network intrusion detection system, and change management refers to an administrative control. ADVFIM is not a valid option.

Victor, employed in a high-risk geographically diverse environment leveraging Cisco IOS, heavily relies on which of the following service advantages of NetFlow?

  • A. Peer-to-peer tunneling encryption
  • B. Network traffic accounting and usage-based billing
  • C. Network planning and security
  • D. DoS monitoring capabilities

Explanation: A. Introduced around 1996, NetFlow is a feature on Cisco routers that enables the collection of IP network traffic upon entering or exiting an interface. It efficiently offers various key services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, denial-of-service (DoS) monitoring capabilities, and network monitoring. NetFlow provides valuable insights into network users, applications, peak usage times, and traffic routing, making it a crucial tool in a diverse environment heavily using Cisco IOS.

What is the name of the NSA project that encouraged the implementation of SELinux in Android devices?

  • A. SEinAndroid
  • B. SEAndroid
  • C. SELinAndroid
  • D. SAndroid

Explanation: B. SEAndroid, later renamed SEforAndroid, was an NSA project that encouraged the implementation of SELinux in Android devices. Additionally, the project aimed to improve the security of the Android operating system.

While running IaaS environments, you are responsible for ensuring the security of all operating systems, applications, and network traffic. Which of the following options would not provide a technical advantage in protecting the cloud environment?

  • A. Advanced antimalware applied to the OS
  • B. Application whitelisting and machine learning-based protection
  • C. Memory exploit prevention for single-purpose workloads
  • D. Negotiation of an SLA spelling out the details of the data the provider will share in case of an incident

Explanation: Negotiating an SLA is an administrative contract that guarantees service. It is created for, not deployed to, a cloud environment. However, it is crucial to have an SLA to protect the business and its processes. Additionally, it is important to consider options A, B, and C as they can provide technical advantages in securing the cloud environment.

You are a network security administrator on a network of more than 50,000 nodes. In the past week, your end users have complained about specific pages on the Internet not loading. You have tested these pages from your tablet with cellular service and they load perfectly fine. After verifying firewall rules, what would you expect to find in the router logs?

  • A. Route poisoning
  • B. Device fingerprinting
  • C. Gray-box testing
  • D. PKI

Explanation: A. A routing table is a dataset used to determine the destination of packets on a network. Routing table poisoning refers to the unauthorized or malicious changes made in the routing table that can cause network issues.

You believe you have successfully secured your company’s social media accounts. However, while conducting further research, you discover another potential method for malicious attackers to gain access to your social media account through app vulnerabilities. Which of the following options could provide an attacker with this opportunity?

  • A. Imposter accounts
  • B. Third-party apps
  • C. Privacy settings
  • D. Authentication

Explanation: B. Even when you have implemented security measures for your social media accounts, it is essential to remain cautious of third-party applications that are integrated with popular social networks. For example, Forbes’ Twitter account was compromised by attackers who used a third-party app called Twitter Counter, which is utilized for analysis purposes.

You have completed the SDLC’s accreditation process for a system that your organization is planning to deploy globally. Management has given approval for the system. What phase in the SDLC follows next?

  • A. Documentation
  • B. Acceptance
  • C. Accreditation
  • D. Implementation

Explanation: D. In the implementation phase, the system is transferred from a development and testing environment to production. Additionally, this phase involves ensuring that the system is fully functional and operational in its intended environment.

You have joined an ERM team and completed a risk assessment for your organization. After evaluating all cyber-risk, you have found an area that needs to be mitigated by risk transfer mechanisms. Which option below represents an example of risk transfer?

  • A. Patching
  • B. Pentesting
  • C. Insurance
  • D. Simulations

Explanation: C. An enterprise risk management (ERM) team identifies risk and adopts risk management best practices to either avoid, accept, transfer, or limit risk. Insurance is an example of risk transference.

You set the following command on a switch port, and a host sends frames to it. Assuming defaults for all other settings, which of the following statements is correct?

  • A. When a frame enters the port with a source MAC address other than 00:0E:08:34:7C:9B, the port will be placed in restricted mode.
  • B. Nothing. The command format is incorrect.
  • C. Enables only frames without source MAC address 00:0E:08:34:7C:9B into the port.
  • D. Enables only frames with source MAC address 00:0E:08:34:7C:9B into the port.

Explanation: D. The command enables frames with a source MAC address of 00:0E:08:34:7C:9B to pass. If a frame is received on the port with a MAC address other than 00:0E:08:34:7C:9B, the port is shut down. Shutdown is the default violation action.

You work in the computer lab provisioning hardware to be deployed throughout your enterprise. Your company policy states that end users are responsible for backing up their files. After an operating system upgrade, some people lost mission-critical files and are now seeking assistance in recovering their lost files. What is the term used to describe this process?

  • A. Data salvaging
  • B. Data retrieving
  • C. Data recovery
  • D. Data destruction

Explanation: C. Most often, data is recovered from hard drives, flash drives, RAID drives, and other storage media. Data loss could be caused by physical damage or logical damage due to software updates. Additionally, data recovery involves the retrieval of lost or inaccessible data from various devices and media.

Your organization has experienced network failures in the core part of its network, specifically with the static assignment of IP addresses. These failures have resulted in significant financial losses due to decreased productivity. Upper management is determined to prevent these failures. The IT department has informed upper management that while the failures cannot be completely avoided, the network can be reconfigured at an expense to significantly minimize the impact of such failures. Which network configuration is the IT department likely to suggest?

  • A. Hub and spoke with all static IP addresses
  • B. Full mesh with static and dynamic IP addresses
  • C. Point-to-point with all dynamic IP addresses
  • D. Partial mesh with all static IP addresses

Explanation: B. A full mesh network configuration provides maximum redundancy by connecting all network devices, in this case, the core devices, to one another. If one device fails, network traffic can always be routed through an alternate path. Most users do not require static IP addresses, as they are more important for external devices or websites that need to remember your IP address. One example of this is VPN or other remote access solutions that trust certain IPs for security purposes. Hosting a server does not necessarily require a static IP address, although it can simplify the setup process. Most devices use dynamic IP addresses, which are assigned by the network upon connection and can change over time.

  • A. Link encryption enhances flow confidentiality and routing.
  • B. Link encryption ensures the encryption of routing information and is commonly utilized in satellite communication.
  • C. Link encryption is utilized for ensuring message confidentiality.
  • D. Link encryption is implemented to enhance traffic integrity.

Explanation: A. Deploying link encryption can effectively secure your data by encrypting the transmitted information at the Data Link layer, providing an added layer of protection against unauthorized access and interception. This not only ensures the confidentiality of the data but also improves the routing functionality, making it an ideal solution for reducing risk in a high-risk geographically diverse production environment.

Your company hired a third-party company to fulfill compliance requirements and assess the weaknesses in your company’s security before an audit. The contractor made unauthorized attempts to breach wireless networks and enter secure areas, as well as utilized phishing techniques to obtain access credentials. What term best describes this procedure?

  • A. Vulnerability scans
  • B. Active reconnaissance
  • C. Penetration test
  • D. Passive reconnaissance

Explanation: C. A penetration test is considered to be one of the most intrusive forms of vulnerability testing, where weaknesses are actively sought out and exploited. It involves physical and digital attempts to gain unauthorized access. In other words, a penetration test aims to identify security vulnerabilities by simulating real-world hacking scenarios.
