2021 Update CompTIA Security+ SY0-501 Exam Questions (449 Q&As)

CompTIA Security+ SY0-501 Exam Questions are newly updated from PassQuestion! You can download the newest PassQuestion CompTIA Security+ SY0-501 Exam Questions and Answers: https://www.passquestion.com/sy0-501.html (449 Q&As)

Test Online Latest CompTIA Security+ SY0-501 Free Questions

1. Which of the following would a security specialist be able to determine upon examination of a server’s certificate?

2. A security analyst is diagnosing an incident in which a system was compromised from an external IP address. The socket identified on the firewall was traced to 207.46.130.0:6666.

Which of the following should the security analyst do to determine if the compromised system still has an active connection?

3. Multiple organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations.

Which of the following should be implemented if all the organizations use the native 802.1x client on their mobile devices?

4. Which of the following BEST describes an important security advantage yielded by implementing vendor diversity?

5. In a corporation where compute utilization spikes several times a year, the Chief Information Officer (CIO) has requested a cost-effective architecture to handle the variable capacity demand.

Which of the following characteristics BEST describes what the CIO has requested?

6. A security engineer is configuring a system that requires the X.509 certificate information to be pasted into a form field in Base64 encoded format to import it into the system.

Which of the following certificate formats should the engineer use to obtain the information in the required format?

7. Which of the following attacks specifically impact data availability?

8. A security analyst is hardening a server with the directory services role installed. The analyst must ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients.

Which of the following should the analyst implement to meet these requirements? (Choose two.)

9. Which of the following threat actors is MOST likely to steal a company’s proprietary information to gain a market edge and reduce time to market?

10. A penetration tester is crawling a target website that is available to the public.

Which of the following represents the actions the penetration tester is performing?

11. Which of the following characteristics differentiate a rainbow table attack from a brute force attack? (Choose two.)

12. Which of the following BEST describes a routine in which semicolons, dashes, quotes, and commas are removed from a string?

13. A security analyst wishes to increase the security of an FTP server. Currently, all traffic to the FTP server is unencrypted. Users connecting to the FTP server use a variety of modern FTP client software.

The security analyst wants to keep the same port and protocol, while also still allowing unencrypted connections.

Which of the following would BEST accomplish these goals?

14. Which of the following explains why vendors publish MD5 values when they provide software patches for their customers to download over the Internet?

15. Refer to the following code:

Which of the following vulnerabilities would occur if this is executed?

16. Multiple employees receive an email with a malicious attachment that begins to encrypt their hard drives and mapped shares on their devices when it is opened.

The network and security teams perform the following actions:

– Shut down all network shares.

– Run an email search identifying all employees who received the malicious message.

– Reimage all devices belonging to users who opened the attachment.

Next, the teams want to re-enable the network shares.

Which of the following BEST describes this phase of the incident response process?

17. An organization has determined it can tolerate a maximum of three hours of downtime.

Which of the following has been specified?

18. Which of the following types of keys is found in a key escrow?

19. A security analyst is reviewing the following output from an IPS:

Given this output, which of the following can be concluded? (Choose two.)

20. Despite having implemented password policies, users continue to set the same weak passwords and reuse old passwords.

Which of the following technical controls would help prevent these policy violations? (Choose two.)

21. Which of the following types of cloud infrastructures would allow several organizations with similar structures and interests to realize the benefits of shared storage and resources?

22. A company is currently using the following configuration:

– IAS server with certificate-based EAP-PEAP and MSCHAP

– Unencrypted authentication via PAP

A security administrator needs to configure a new wireless setup with the following configurations:

– PAP authentication method

– PEAP and EAP provide two-factor authentication

Which of the following forms of authentication are being used? (Choose two.)

23. An auditor wants to test the security posture of an organization by running a tool that will display the following:

Which of the following commands should be used?

24. A company determines that it is prohibitively expensive to become compliant with new credit card regulations. Instead, the company decides to purchase insurance to cover the cost of any potential loss.

Which of the following is the company doing?

25. A company is using a mobile device deployment model in which employees use their personal devices for work at their own discretion.

Some of the problems the company is encountering include the following:

– There is no standardization.

– Employees ask for reimbursement for their devices.

– Employees do not replace their devices often enough to keep them running efficiently.

– The company does not have enough control over the devices.

Which of the following is a deployment model that would help the company overcome these problems?

26. A botnet has hit a popular website with a massive number of GRE-encapsulated packets to perform a DDoS attack. News outlets discover a certain type of refrigerator was exploited and used to send outbound packets to the website that crashed.

To which of the following categories does the refrigerator belong?

27. Users report the following message appears when browsing to the company’s secure site: “This website cannot be trusted.”

Which of the following actions should a security analyst take to resolve these messages? (Choose two.)

28. When trying to log onto a company’s new ticketing system, some employees receive the following message: “Access denied: too many concurrent sessions.” The ticketing system was recently installed on a small VM with only the recommended hardware specifications.

Which of the following is the MOST likely cause for this error message?

29. Joe, an employee, wants to show his colleagues how much he knows about smartphones. Joe demonstrates a free movie application that he installed from a third party on his corporate smartphone. Joe’s colleagues were unable to find the application in the app stores.

Which of the following allowed Joe to install the application? (Choose two.)

30. Which of the following can be provided to an AAA system for the identification phase?

31. Which of the following implements two-factor authentication?

32. Malicious traffic from an internal network has been detected on an unauthorized port on an application server.

Which of the following network-based security controls should the engineer consider implementing?

33. A network administrator wants to implement a method of securing internal routing.

Which of the following should the administrator implement?

34. A security administrator is developing controls for creating audit trails and tracking activity in case a PHI data breach occurs.

The administrator has been given the following requirements:

– All access must be correlated to a user account.

– All user accounts must be assigned to a single individual.

– User access to the PHI data must be recorded.

– Anomalies in PHI data access must be reported.

– Logs and records cannot be deleted or modified.

Which of the following should the administrator implement to meet the above requirements? (Choose three.)

35. Which of the following encryption methods does PKI typically use to securely protect keys?

36. An organization is using a tool to perform a source code review.

Which of the following describes the case in which the tool incorrectly identifies the vulnerability?

37. An organization’s internal auditor discovers that large sums of money have recently been paid to a vendor that management does not recognize. The IT security department is asked to investigate the organization’s ERP system to determine how the accounts payable module has been used to make these vendor payments.

The IT security department finds the following security configuration for the accounts payable module:

– New Vendor Entry – Required Role: Accounts Payable Clerk

– New Vendor Approval – Required Role: Accounts Payable Clerk

– Vendor Payment Entry – Required Role: Accounts Payable Clerk

– Vendor Payment Approval – Required Role: Accounts Payable Manager

Which of the following changes to the security configuration of the accounts payable module would BEST mitigate the risk?

A)

B)

C)

D)

38. A department head at a university resigned on the first day of the spring semester. It was subsequently determined that the department head deleted numerous files and directories from the server-based home directory while the campus was closed.

Which of the following policies or procedures could have prevented this from occurring?

39. A database backup schedule consists of weekly full backups performed on Saturday at 12:00 a.m. and daily differential backups also performed at 12:00 a.m.

If the database is restored on Tuesday afternoon, which of the following is the number of individual backups that would need to be applied to complete the database recovery?

40. Which of the following security controls does an iris scanner provide?

41. As part of a new industry regulation, companies are required to utilize secure, standardized OS settings. A technician must ensure the OS settings are hardened.

Which of the following is the BEST way to do this?

42. A user has attempted to access data at a higher classification level than the user’s account is currently authorized to access.

Which of the following access control models has been applied to this user’s account?

43. A security consultant discovers that an organization is using the PCL protocol to print documents, utilizing the default driver and print settings.

Which of the following is the MOST likely risk in this situation?

44. An organization finds that most help desk calls are regarding account lockout due to a variety of applications running on different systems. Management is looking for a solution to reduce the number of account lockouts while improving security.

Which of the following is the BEST solution for this organization?

45. A user suspects someone has been accessing a home network without permission by spoofing the MAC address of an authorized system. While attempting to determine if an authorized user is logged into the home network, the user reviews the wireless router, which shows the following table for systems that are currently on the home network.

Which of the following should be the NEXT step to determine if there is an unauthorized user on the network?

46. When performing data acquisition on a workstation, which of the following should be captured based on memory volatility? (Choose two.)

47. Ann, a security administrator, has been instructed to perform fuzz-based testing on the company’s applications.

Which of the following best describes what she will do?

48. An attacker compromises a public CA and issues unauthorized X.509 certificates for Company.com. In the future, Company.com wants to mitigate the impact of similar incidents.

Which of the following would assist Company.com with its goal?

49. A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials.

Which of the following account types is the systems administrator using?

50. A network administrator at a small office wants to simplify the configuration of mobile clients connecting to an encrypted wireless network.

Which of the following should be implemented if the administrator does not want to provide the wireless password or the certificate to the employees?

51. When connected to a secure WAP, which of the following encryption technologies is MOST likely to be configured when connecting to WPA2-PSK?

52. A company has a data classification system with definitions for “Private” and “Public”. The company’s security policy outlines how data should be protected based on type. The company recently added the data type “Proprietary”.

Which of the following is the MOST likely reason the company added this data type?

53. When configuring settings in a mandatory access control environment, which of the following specifies the subjects that can access specific data objects?

54. A high-security defense installation recently began utilizing large guard dogs that bark very loudly and excitedly at the slightest provocation.

Which of the following types of controls does this BEST describe?

55. A company’s user lockout policy is enabled after five unsuccessful login attempts. The help desk notices a user is repeatedly locked out over the course of a workweek. Upon contacting the user, the help desk discovers the user is on vacation and does not have network access.

Which of the following types of attacks are MOST likely occurring? (Select two.)

56. Ann, an employee in the payroll department, has contacted the help desk citing multiple issues with her device, including:

– Slow performance

– Word documents, PDFs, and images no longer opening

– A pop-up

Ann states the issues began after she opened an invoice that a vendor emailed to her. Upon opening the invoice, she had to click several security warnings to view it in her word processor.

With which of the following is the device MOST likely infected?

57. A company is terminating an employee for misbehavior.

Which of the following steps is MOST important in the process of disengagement from this employee?

58. A company is developing a new secure technology and requires computers being used for development to be isolated.

Which of the following should be implemented to provide the MOST secure environment?

59. Which of the following is an important step to take BEFORE moving any installation packages from a test environment to production?

60. A user clicked an email link that led to a website that infected the workstation with a virus. The virus encrypted all the network shares to which the user had access. The virus was not deleted or blocked by the company’s email filter, website filter, or antivirus.

Which of the following describes what occurred?

61. An organization wishes to provide better security for its name resolution services.

Which of the following technologies BEST supports the deployment of DNSSEC at the organization?

62. A company hires a consulting firm to crawl its Active Directory network with a non-domain account looking for unpatched systems. Actively taking control of systems is out of scope, as is the creation of new administrator accounts.

For which of the following is the company hiring the consulting firm?

63. An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard.

Which of the following configuration options should the administrator select for the new wireless router?

64. An application team is performing a load-balancing test for a critical application during off-hours and has requested access to the load balancer to review which servers are up without having the administrator on call. The security analyst is hesitant to give the application team full access due to other critical applications running on the load balancer.

Which of the following is the BEST solution for the security analyst to process the request?

65. Which of the following cryptographic attacks would salting of passwords render ineffective?

66. A security analyst is hardening an authentication server. One of the primary requirements is to ensure there is mutual authentication and delegation.

Given these requirements, which of the following technologies should the analyst recommend and configure?

67. Two users need to send each other emails over unsecured channels. The system should support the principle of non-repudiation.

Which of the following should be used to sign the users’ certificates?

68. Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser?

69. An incident responder receives a call from a user who reports a computer is exhibiting symptoms consistent with a malware infection.

Which of the following steps should the responder perform NEXT?

70. A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours.

Which of the following types of malware is MOST likely causing this issue?

71. Which of the following technologies employ the use of SAML? (Choose two.)

72. Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS?

73. After a user reports slow computer performance, a systems administrator detects a suspicious file, which was installed as part of a freeware software package.

The systems administrator reviews the output below:

Based on the above information, which of the following types of malware was installed on the user’s computer?

74. Which of the following network vulnerability scan indicators BEST validates a successful, active scan?

75. An analyst wants to implement a more secure wireless authentication for office access points.

Which of the following technologies allows for encrypted authentication of wireless clients over TLS?

76. When systems, hardware, or software are not supported by the original vendor, it is a vulnerability known as:

77. A company has three divisions, each with its own networks and services. The company decides to make its secure web portal accessible to all employees utilizing their existing usernames and passwords. The security administrator has elected to use SAML to support authentication.

In this scenario, which of the following will occur when users try to authenticate to the portal? (Choose two.)

78. Which of the following is the BEST explanation of why control diversity is important in a defense-in-depth architecture?

79. A system administrator wants to provide balance between the security of a wireless network and usability. The administrator is concerned with wireless encryption compatibility of older devices used by some employees.

Which of the following would provide strong security and backward compatibility when accessing the wireless network?

80. An information security specialist is reviewing the following output from a Linux server.

Based on the above information, which of the following types of malware was installed on the server?

81. In terms of encrypting data, which of the following is BEST described as a way to safeguard password data by adding random data to it in storage?

82. A system administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees.

Which of the following should the administrator implement?

83. Which of the following would MOST likely appear in an uncredentialed vulnerability scan?

84. A security analyst observes the following events in the logs of an employee workstation:

Given the information provided, which of the following MOST likely occurred on the workstation?

85. When identifying a company’s most valuable assets as part of a BIA, which of the following should be the FIRST priority?

86. An organization needs to implement a large PKI. Network engineers are concerned that repeated transmission of the OCSP will impact network performance.

Which of the following should the security analyst recommend in lieu of an OCSP?

87. When considering a third-party cloud service provider, which of the following criteria would be the BEST to include in the security assessment process? (Choose two.)

88. Which of the following occurs when the security of a web application relies on JavaScript for input validation?

89. An analyst is reviewing a simple program for potential security vulnerabilities before it is deployed to a Windows server.

Given the following code:

Which of the following vulnerabilities is present?

90. An organization’s file server has been virtualized to reduce costs.

Which of the following types of backups would be MOST appropriate for the particular file server?

91. A wireless network uses a RADIUS server that is connected to an authenticator, which in turn connects to a supplicant.

Which of the following represents the authentication architecture in use?

92. An employer requires that employees use a key-generating app on their smartphones to log into corporate applications.

In terms of authentication of an individual, this type of access policy is BEST defined as:

93. Adhering to a layered security approach, a controlled access facility employs security guards who verify the authorization of all personnel entering the facility.

Which of the following terms BEST describes the security control being employed?

94. A security analyst is hardening a web server, which should allow a secure certificate-based session using the organization’s PKI infrastructure. The web server should also utilize the latest security techniques and standards.

Given this set of requirements, which of the following techniques should the analyst implement to BEST meet these requirements? (Choose two.)

95. A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size of the report is beyond the limit of the email attachment size, emailing the report is not an option.

Which of the following protocols should be implemented to distribute the report securely? (Choose three.)

96. An auditor is reviewing the following output from a password-cracking tool:

Which of the following methods did the auditor MOST likely use?

97. DRAG DROP

A security administrator wants to implement strong security on the company smart phones and terminal servers located in the data center.

INSTRUCTIONS

Drag and drop the applicable controls to each asset type.

Controls can be used multiple times and not all placeholders need to be filled.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

98. HOTSPOT

Select the appropriate attack from each drop down list to label the corresponding illustrated attack.

Instructions:

Attacks may only be used once, and will disappear from drop down list if selected.

When you have completed the simulation, please select the Done button to submit.

99. DRAG DROP

You have been tasked with designing a security plan for your company.

INSTRUCTIONS

Drag and drop the appropriate security controls on the floor plan.

All objects must be used and all place holders must be filled. Order does not matter.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

100. A technician is designing a solution that will be required to process sensitive information, including classified government data. The system needs to be Common Criteria certified.

Which of the following should the technician select?

101. A public relations team will be taking a group of guests on a tour through the facility of a large e-commerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against:

102. A company is determining where to host a hot site, and one of the locations being considered is in another country.

Which of the following should be considered when evaluating this option?

103. A security administrator is implementing a SIEM and needs to ensure events can be compared against each other based on when the events occurred and were collected.

Which of the following does the administrator need to implement to ensure this can be accomplished?

104. An engineer is configuring a wireless network using PEAP for the authentication protocol.

Which of the following is required?

105. A network administrator was concerned during an audit that users were able to use the same passwords the day after a password change policy took effect.

The following settings are in place:

– Users must change their passwords every 30 days.

– Users cannot reuse the last 10 passwords.

Which of the following settings would prevent users from being able to immediately reuse the same passwords?

106. A user is unable to obtain an IP address from the corporate DHCP server.

Which of the following is MOST likely the cause?

107. A security analyst needs a solution that can execute potential malware in a restricted and isolated environment for analysis. In which of the following technologies is the analyst interested?

108. A company recently experienced data exfiltration via the corporate network. In response to the breach, a security analyst recommends deploying an out-of-band IDS solution. The analyst says the solution can be implemented without purchasing any additional network hardware.

Which of the following solutions will be used to deploy the IDS?

109. A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks.

Which of the following methods would BEST prevent the exfiltration of data? (Select TWO).

110. A security engineer is concerned about susceptibility to HTTP downgrade attacks because the current customer portal redirects users from port 80 to the secure site on port 443.

Which of the following would be MOST appropriate to mitigate the attack?

111. A coding error has been discovered on a customer-facing website. The error causes each request to return confidential PHI data for the incorrect organization. The IT department is unable to identify the specific customers who are affected. As a result, all customers must be notified of the potential breach.

Which of the following would allow the team to determine the scope of future incidents?

112. A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better:

113. A security analyst is reviewing the password policy for a service account that is used for a critical network service.

The password policy for this account is as follows:

Enforce password history: Three passwords remembered

Maximum password age: 30 days

Minimum password age: Zero days

Complexity requirements: At least one special character, one uppercase

Minimum password length: Seven characters

Lockout duration: One day

Lockout threshold: Five failed attempts in 15 minutes

Which of the following adjustments would be the MOST appropriate for the service account?

114. The Chief Security Officer (CSO) for an online retailer received a report from a penetration test that was performed against the company’s servers. After reviewing the report, the CSO decided not to implement the recommended changes due to cost; instead, the CSO increased insurance coverage for data breaches.

Which of the following describes how the CSO managed the risk?

115. A technician wants to implement PKI-based authentication on an enterprise wireless network.

Which of the following should the technician configure to enforce the use of client-side certificates?

116. After a ransomware attack, a forensics company needs to review a cryptocurrency transaction between the victim and the attacker.

Which of the following will the company MOST likely review to trace this transaction?

117. A coffee company which operates a chain of stores across a large geographical area is deploying tablets to use as point-of-sale devices.

A security consultant has been given the following requirements:

– The cashiers must be able to log in to the devices quickly.

– The devices must be compliant with applicable regulations for credit card usage.

– The risk of loss or theft of the devices must be minimized.

– If devices are lost or stolen, all data must be removed from the device.

– The devices must be capable of being managed from a centralized location.

Which of the following should the security consultant configure in the MDM policies for the tablets? (Select TWO)

118. Which of the following are disadvantages of full backups? (Select THREE)

119. The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained.

Which of the following would be BEST to improve the incident response process?

120. Which of the following documents would provide specific guidance regarding ports and protocols that should be disabled on an operating system?

121. A company’s IT staff is given the task of securely disposing of 100 server HDDs. The security team informs the IT staff that the data must not be accessible by a third party after disposal.

Which of the following is the MOST time-efficient method to achieve this goal?

122. During incident response procedures, technicians capture a unique identifier for a piece of malware running in memory.

This captured information is referred to as:

123. A penetration tester is checking to see if an internal system is vulnerable to an attack using a remote listener.

Which of the following commands should the penetration tester use to verify if this vulnerability exists? (Choose two.)

 
 
 
 
 
 

124. A company recently experienced a security breach. The security staff determined that the intrusion was due to an out-of-date proprietary software program running on a non-compliant server. The server was imaged and copied onto a hardened VM, with the previous connections re-established.

Which of the following is the NEXT step in the incident response process?

 
 
 
 
 

125. A common asymmetric algorithm utilizes the user’s login name to create the key to encrypt communications.

To ensure the key is different each time the user encrypts data, which of the following should be added to the login name?

 
 
 
 

126. A network engineer needs to allow an organization’s users to connect their laptops to wired and wireless networks from multiple locations and facilities, while preventing unauthorized connections to the corporate networks.

Which of the following should be implemented to fulfill the engineer’s requirements?

 
 
 

127. A technician is recommending preventive physical security controls for a server room.

Which of the following would the technician MOST likely recommend? (Select TWO).

 
 
 
 
 
 

128. A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard.

Which of the following types of controls should be used to reduce the risk created by this scenario?

 
 
 
 

129. Management wants to ensure any sensitive data on company-provided cell phones is isolated in a single location that can be remotely wiped if the phone is lost.

Which of the following technologies BEST meets this need?

 
 
 
 

130. A law office has been leasing dark fiber from a local telecommunications company to connect a remote office to company headquarters. The telecommunications company has decided to discontinue its dark fiber product and is offering an MPLS connection, which the law office feels is too expensive.

Which of the following is the BEST solution for the law office?

 
 
 
 

131. Exploitation of a system using widely known credentials and network addresses that results in DoS is an example of:

 
 
 
 

132. Which of the following controls does a mantrap BEST represent?

 
 
 
 

133. A technician wants to add wireless guest capabilities to an enterprise wireless network that is currently implementing 802.1X EAP-TLS.

The guest network must:

– Support client isolation.

– Issue a unique encryption key to each client.

– Allow guests to register using their personal email addresses.

Which of the following should the technician implement? (Select TWO).

 
 
 
 
 
 

134. After discovering a security incident and removing the affected files, an administrator disabled an unneeded service that led to the breach.

Which of the following steps in the incident response process has the administrator just completed?

 
 
 
 

135. The web platform team is deploying a new web application. During testing, the team notices the web application is unable to create a TLS connection to the API gateway. The administrator created a firewall rule that permits TLS traffic from the web application server to the API gateway. However, the firewall logs show all traffic is being dropped.

Which of the following is MOST likely causing the issue?

 
 
 
 
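The scenario in question 135 is the classic first-match ordering problem: a permit rule exists, but a broader rule earlier in the policy matches first, so the permit never fires. The following is an added example, not code from the original question set: it models a first-match firewall, shows the permit being shadowed by an earlier catch-all deny, and shows the same policy working once the specific permit is moved above the broad deny. The addresses, rule names and policy contents are assumptions constructed for the example.

```python
"""Why a permitted flow can still be dropped: first-match rule order.

Added example for question 135 (not from the original page). A first-match
firewall stops at the first rule that matches; if a broad deny sits above the
new permit, every packet hits the deny and the logs show drops. Addresses,
rule names and the policy itself are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "permit" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule_name) from the first matching rule, or the
    implicit deny most firewalls apply when nothing matches."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Find rules that can never fire because an earlier rule with the
    opposite action fully covers their source, destination, protocol and port.
    Returns (shadowed_rule, shadowing_rule) pairs; a simple superset check."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != rule.action
                    and ip_network(rule.src).subnet_of(ip_network(earlier.src))
                    and ip_network(rule.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in ("any", rule.proto)
                    and earlier.dport in (None, rule.dport)):
                found.append((rule.name, earlier.name))
                break
    return found


# Constructed policy (assumption): the API segment already had a catch-all
# deny, and the new permit was appended below it.
WEB_SERVER = "10.10.1.25"
API_GATEWAY = "10.20.5.10"

BROKEN_POLICY = [
    Rule("deny-all-to-api-segment", "deny", "0.0.0.0/0", "10.20.5.0/24", "any", None),
    Rule("permit-web-to-api-tls", "permit", "10.10.1.0/24", "10.20.5.10/32", "tcp", 443),
]

# Corrected policy: the specific permit is moved above the broad deny.
FIXED_POLICY = [BROKEN_POLICY[1], BROKEN_POLICY[0]]


if __name__ == "__main__":
    print("broken :", evaluate(BROKEN_POLICY, WEB_SERVER, API_GATEWAY, "tcp", 443))
    print("shadow :", shadowed_rules(BROKEN_POLICY))
    print("fixed  :", evaluate(FIXED_POLICY, WEB_SERVER, API_GATEWAY, "tcp", 443))
    print("non-TLS:", evaluate(FIXED_POLICY, WEB_SERVER, API_GATEWAY, "tcp", 8080))
```

Running `shadowed_rules` against a policy before pushing it is the check that catches this class of mistake in review rather than in the drop logs; the corrected policy still denies anything other than TLS to the gateway and falls through to the implicit deny for every other destination.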

136. A security administrator has created a new group policy object that utilizes the trusted platform module to compute a hash of system files and compare the value to a known-good value.

Which of the following security concepts is this an example of?

 
 
 
 

137. Company engineers regularly participate in a public Internet forum with other engineers throughout the industry.

Which of the following tactics would an attacker MOST likely use in this scenario?

 
 
 
 

138. A chief information security officer (CISO) asks the security architect to design a method for contractors to access the company’s internal wiki, corporate directory, and email services securely without allowing access to systems beyond the scope of their project.

Which of the following methods would BEST fit the needs of the CISO?

 
 
 
 

139. Which of the following is the main difference between symmetric and asymmetric cryptographic algorithms?

 
 
 
 

140. A technician is required to configure updates on a guest operating system while maintaining the ability to quickly revert the changes that were made while testing the updates.

Which of the following should the technician implement?

 
 
 
 

141. When choosing a hashing algorithm for storing passwords in a web server database, which of the following is the BEST explanation for choosing HMAC-MD5 over simple MD5?

 
 
 
 

142. Staff members of an organization received an email message from the Chief Executive Officer (CEO) asking them for an urgent meeting in the main conference room. When the staff assembled, they learned the message received was not actually from the CEO.

Which of the following BEST represents what happened?

 
 
 
 

143. Which of the following helps find current and future gaps in an existing COOP?

 
 
 
 

144. A Chief Information Security Officer (CISO) is concerned about the organization’s ability to continue business operations in the event of a prolonged DDoS attack on its local datacenter that consumes server resources.

Which of the following will the CISO MOST likely recommend to mitigate this risk?

 
 
 
 
 

145. Which of the following implements a lossy algorithm?

 
 
 
 

146. A systems administrator wants to secure a backup environment so backups are less prone to ransomware attacks. The administrator would like to have a fully isolated set of backups.

Which of the following would be the MOST secure option for the administrator to implement?

 
 
 
 

147. In which of the following risk management strategies would cybersecurity insurance be used?

 
 
 
 

148. A systems administrator is increasing the security settings on a virtual host to ensure users on one VM cannot access information from another VM.

Which of the following is the administrator protecting against?

 
 
 
 

149. Which of the following BEST describes the concept of persistence in the context of penetration testing?

 
 
 
 

150. An organization requires secure configuration baselines for all platforms and technologies that are used. If any system cannot conform to the secure baseline, the organization must process a risk acceptance and receive approval before the system is placed into production. It may have non-conforming systems in its lower environments (development and staging) without risk acceptance, but must receive risk approval before the system is placed in production. Weekly scan reports identify systems that do not conform to any secure baseline.

The application team receives a report with the following results:

There are currently no risk acceptances for baseline deviations. This is a mission-critical application, and the organization cannot operate if the application is not running. The application fully functions in the development and staging environments.

Which of the following actions should the application team take?

 
 
 
 

151. An organization handling highly confidential information needs to update its systems.

Which of the following is the BEST method to prevent data compromise?

 
 
 
 

152. A critical enterprise component whose loss or destruction would significantly impede business operations or have an outsized impact on corporate revenue is known as:

 
 
 
 

153. A security administrator wants to determine if a company’s web servers have the latest operating system and application patches installed.

Which of the following types of vulnerability scans should be conducted?

 
 
 
 
 
 

154. An application developer has neglected to include input validation checks in the design of the company’s new web application. An employee discovers that repeatedly submitting large amounts of data, including custom code to an application will allow the execution of the custom code at the administrator level.

Which of the following BEST identifies this application attack?

 
 
 
 

155. An organization’s Chief Executive Officer (CEO) directs a newly hired computer technician to install an OS on the CEO’s personal laptop. The technician performs the installation, and a software audit later in the month indicates a violation of the EULA occurred as a result.

Which of the following would address this violation going forward?

 
 
 
 

156. A security analyst is reviewing the logs from an NGFW’s automated correlation engine and sees the following:

Which of the following should the analyst perform FIRST?

 
 
 
 
 

157. A government agency with sensitive information wants to virtualize its infrastructure.

Which of the following cloud deployment models BEST fits the agency’s needs?

 
 
 
 

158. Which of the following represents a multifactor authentication system?

 
 
 
 

159. An organization has created a review process to determine how to best handle data with different sensitivity levels.

The process includes the following requirements:

– Soft copy PII must be encrypted.

– Hard copy PII must be placed in a locked container.

– Soft copy PHI must be encrypted and audited monthly.

– Hard copy PHI must be placed in a locked container and inventoried monthly.

Locked containers must be approved and designated for document storage. Any violations must be reported to the Chief Security Officer (CSO).

While searching for coffee in the kitchen, an employee unlocks a cabinet and discovers a list of customer names and phone numbers.

Which of the following actions should the employee take?

 
 
 
 

160. Which of the following penetration testing concepts is an attacker MOST interested in when placing the path of a malicious file in the windows/Currentversion/Run registry key?

 
 
 
 

161. To reduce costs and overhead, an organization wants to move from an on-premises email solution to a cloud-based email solution. At this time, no other services will be moving.

Which of the following cloud models would BEST meet the needs of the organization?

 
 
 
 

162. Which of the following command line tools would be BEST to identify the services running on a server?

 
 
 
 

163. An attacker has obtained the user ID and password of a datacenter’s backup operator and has gained access to a production system.

Which of the following would be the attacker’s NEXT action?

 
 
 
 

164. A technician is configuring an intrusion prevention system to improve its ability to find and stop threats. In the past, the system did not detect and stop some threats.

Which of the following BEST describes what the technician is trying to correct with the new configuration?

 
 
 
 
 

165. A security analyst is asked to check the configuration of the company’s DNS service on the server.

Which of the following command line tools should the analyst use to perform the initial assessment?

 
 
 
 

166. A company uses WPA2-PSK, and it appears there are multiple unauthorized devices connected to the wireless network. A technician suspects this is because the wireless password has been shared with unauthorized individuals.

Which of the following should the technician implement to BEST reduce the risk of this happening in the future?

 
 
 
 

167. A security analyst is implementing mobile device security for a company. To save money, management has decided on a BYOD model. The company is most concerned with ensuring company data will not be exposed if a phone is lost or stolen.

Which of the following techniques BEST accomplish this goal? (Select TWO)

 
 
 
 
 
 

168. A technician is implementing 802.1X with dynamic VLAN assignment based on a user’s Active Directory group membership.

Which of the following configurations supports the VLAN definitions?

 
 
 
 

169. An organization wants to control user accounts and privileged access to database servers. The organization wants to create an audit trail of account requests and approvals, but also wants to facilitate operational efficiency when account and access changes are needed. The organization has the following account management practices:

Which of the following should the security consultant configure in the MDM policies for the tablets? (Select TWO.)

 
 
 
 
 
 

170. Which of the following is the MOST likely motivation for a script kiddie threat actor?

 
 
 
 

171. A security administrator has received multiple calls from the help desk about customers who are unable to access the organization’s web server. Upon reviewing the log files the security administrator determines multiple open requests have been made from multiple IP addresses, which is consuming system resources.

Which of the following attack types does this BEST describe?

 
 
 
 

172. A company is implementing a remote access portal so employees can work remotely from home. The company wants to implement a solution that would securely integrate with a third party.

Which of the following is the BEST solution?

 
 
 
 

173. During a risk assessment, results show that a fire in one of the company’s datacenters could cost up to $20 million in equipment damages and lost revenue. As a result, the company insures the datacenter for up to $20 million in damages for the cost of $30,000 a year.

Which of the following risk response techniques has the company chosen?

 
 
 
 

174. A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The CIO wants to keep control over key visibility and management.

Which of the following would be the BEST solution for the CIO to implement?

 
 
 
 

175. Users are attempting to access a company’s website but are transparently redirected to another website. The users confirm the URL is correct.

Which of the following would BEST prevent this issue in the future?

 
 
 
 

176. A Chief Information Security Officer (CISO) is performing a BIA for the organization in case of a natural disaster.

Which of the following should be at the top of the CISO’s list?

 
 
 
 

177. A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee’s hard disk.

Which of the following should the administrator use?

 
 
 
 

178. An administrator performs a workstation audit and finds one that has non-standard software installed. The administrator then requests a report to see if a change request was completed for the installed software. The report shows a request was completed.

Which of the following has the administrator found?

 
 
 
 

179. An organization’s policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevent users from using any of their previous 12 passwords. The organization does not use single sign-on, nor does it centralize storage of passwords.

The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation.

Which of the following BEST describes what is happening?

 
 
 
 

180. A security administrator is investigating a possible account compromise. The administrator logs onto a desktop computer, executes the command notepad.exe c:\Temp\qkakforlkgfkja.1og, and reviews the following:

Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r

https://www.portal.com\rjohnuser\rilovemycat2

Given the above output, which of the following is the MOST likely cause of this compromise?

 
 
 
 
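The captured file in question 180 is a keystroke log: every \r is the Enter key, so the raw file runs the user's email and a subsequent login together. The following is an added example, not part of the original question set: it takes a constructed copy of that output, splits it back into the lines the user typed, and flags the login-form signature of a URL followed by a username and a password. The file name, the regular expression and the credential heuristic are assumptions.

```python
"""Reconstruct a keystroke log and flag captured credentials.

Added example for question 180 (not from the original page). The sample is
constructed to mirror the page's output: the keylogger records Enter as a
carriage return, so splitting on \r recovers what the user typed, and a URL
immediately followed by two short entries is the usual login-form pattern.
The heuristics are assumptions.
"""
import re
from typing import Dict, List

# Constructed copy of the captured file (not a real artifact).
SAMPLE_LOG = (
    "Lee,\rI have completed the task that was assigned to me\r"
    "respectfully\rJohn\r"
    "https://www.portal.com\rjohnuser\rilovemycat2\r"
)

URL_RE = re.compile(r"^(https?://|www\.)\S+$", re.IGNORECASE)


def reconstruct_lines(raw: str) -> List[str]:
    """Turn raw keystrokes into the lines the user saw, treating \r (and \r\n
    or \n) as Enter. Empty entries are kept: they show where the user pressed
    Enter on a blank line, which matters for reading the sequence."""
    return raw.replace("\r\n", "\r").replace("\n", "\r").split("\r")


def find_credential_captures(lines: List[str]) -> List[Dict[str, str]]:
    """Heuristic: a URL followed by two non-empty entries without spaces looks
    like 'site, username, password' typed into a login form."""
    hits = []
    for i in range(len(lines) - 2):
        site, user, secret = lines[i].strip(), lines[i + 1], lines[i + 2]
        if URL_RE.match(site) and user and secret and " " not in user and " " not in secret:
            hits.append({"site": site, "username": user, "password": secret})
    return hits


def analyze(raw: str) -> Dict[str, object]:
    lines = reconstruct_lines(raw)
    return {"lines": lines, "credentials": find_credential_captures(lines)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for n, line in enumerate(result["lines"], 1):
        print(f"{n:02d}: {line!r}")
    for hit in result["credentials"]:
        print(f"credential capture -> {hit['site']} user={hit['username']} "
              f"(password withheld, {len(hit['password'])} chars)")
```

The reconstructed lines read as the email the user wrote followed by a portal login, which is what points to a keylogger rather than to a phishing page or a leaked password: the secret was captured on the keyboard, after any encryption in transit. In a real case the account named in the capture should be treated as compromised and the password rotated from a clean host.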

181. An organization wants to control user accounts and privileged access to database servers. The organization wants to create an audit trail of account requests and approvals, but also wants to facilitate operational efficiency when account and access changes are needed.

The organization has the following account management practices.

– Access requests are processed through a service ticket that requires server and system owner approval.

– Once approved, user access is granted directly to the user’s privileged account.

– The requests and approvals are sent to the security officer where they are retained for future audits.

– Account activity and user activity are monitored and audited monthly by the business unit.

Which of the following changes should be implemented?

 
 
 
 

182. Which of the following is the BEST use of a WAF?

 
 
 
 

183. A security administrator is choosing an algorithm to generate password hashes.

Which of the following would offer the BEST protection against offline brute force attacks?

 
 
 
 

184. An organization wants to set up a wireless network in the most secure way. Budget is not a major consideration, and the organization is willing to accept some complexity when clients are connecting. It is also willing to deny wireless connectivity for clients who cannot be connected in the most secure manner.

Which of the following would be the MOST secure setup that conforms to the organization’s requirements?

 
 
 
 

185. A company is examining possible locations for a hot site.

Which of the following considerations is of MOST concern if the replication technology being used is highly sensitive to network latency?

 
 
 
 

186. The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread unhindered throughout the network and infect a large number of computers and servers.

Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future?

 
 
 
 

187. Ann, a new employee, received an email from an unknown source indicating she needed to click on the provided link to update her company’s profile.

Once Ann clicked the link, a command prompt appeared with the following output:

Which of the following types of malware was executed?

 
 
 
 

188. A red team initiated a DoS attack on the management interface of a switch using a known vulnerability. The monitoring solution then raised an alert, prompting a network engineer to log in to the switch to diagnose the issue. When the engineer logged in, the red team was able to capture the credentials and subsequently log in to the switch.

Which of the following actions should the network team take to prevent this type of breach from reoccurring?

 
 
 
 

189. The Chief Information Security Officer (CISO) at a large company tasks a security administrator to provide additional validation for website customers.

Which of the following should the security administrator implement?

 
 
 
 

190. Which of the following can be used to increase the time needed to brute force a hashed password?

 
 
 
 
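Questions 141, 183 and 190 all turn on the same two properties of a password store: a per-user salt, so that identical passwords produce different records and a single precomputed table no longer covers the whole database, and key stretching, so that every offline guess costs the attacker thousands of hash operations instead of one. The following is an added example, not code from the original question set. It uses PBKDF2-HMAC-SHA256 from the Python standard library because it needs no third-party package; bcrypt, scrypt or Argon2 are the usual production choices. The iteration count, record format and timing loop are assumptions.

```python
"""Password storage: salt plus key stretching versus a bare MD5 digest.

Added example for questions 141, 183 and 190 (not from the original page).
Iteration count and record format are assumptions.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

ITERATIONS = 600_000   # assumption: OWASP's published figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.
    Storing the parameters with the hash lets the cost be raised later
    without breaking verification of older records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_md5(password: str) -> str:
    """The weak baseline: identical passwords hash identically, one rainbow
    table covers every user, and a guess costs a single fast hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def guesses_per_second(hasher: Callable[[str], str], sample: int = 100) -> float:
    """Rough offline guess rate for one CPU core with this hasher."""
    start = time.perf_counter()
    for i in range(sample):
        hasher(f"guess{i}")
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print("same password, different records:", a != b)
    print("verify good:", verify_password("correct horse battery staple", a))
    print("verify bad :", verify_password("Tr0ub4dor&3", a))
    print("md5 collides across users:", unsalted_md5("password") == unsalted_md5("password"))
    print(f"MD5    guesses/s: {guesses_per_second(unsalted_md5, 10_000):,.0f}")
    print(f"PBKDF2 guesses/s: {guesses_per_second(lambda p: hash_password(p, iterations=100_000), 5):,.2f}")
```

The two printed guess rates make the point of question 190 concrete: the stretched hash is slower by roughly the iteration count, and the salt means that cost is paid per user rather than once per password list. HMAC-MD5 with a fixed key (question 141) only helps if the key stays secret from whoever steals the database, which is the argument for a random per-record salt and a memory- or time-hard function instead.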

191. Ann, a user, reported to the service desk that many files on her computer will not open or their contents are not readable. The service desk technician asked Ann if she encountered any strange messages on boot-up or login, and Ann indicated she did not.

Which of the following has MOST likely occurred on Ann’s computer?

 
 
 
 

192. An organization has the following password policies:

– Passwords must be at least 16 characters long.

– Three failed login attempts will lock the account for five minutes.

– Passwords must have one uppercase letter, one lowercase letter, and one non-alphanumeric symbol.

A database server was recently breached, and the incident response team suspects the passwords were compromised. Users with permission on that database server were forced to change their passwords for that server. Unauthorized and suspicious logins are now being detected on the same server.

Which of the following is MOST likely the issue, and what should be done?

 
 
 
 

193. A company has drafted an insider-threat policy that prohibits the use of external storage devices.

Which of the following would BEST protect the company from data exfiltration via removable media?

 
 
 
 

194. Poor inventory control practices can lead to undetected and potentially catastrophic system exploitation due to:

 
 
 
 

195. A systems administrator just issued the ssh-keygen -t rsa command on a Linux terminal.

Which of the following BEST describes what the rsa portion of the command represents?

 
 
 
 

196. A mobile application developer wants to secure an application that transmits sensitive information.

Which of the following should the developer implement to prevent SSL MITM attacks?

 
 
 
 

197. A company help desk has received several reports that employees have experienced identity theft and compromised accounts. This occurred several days after they received an email asking them to update their personal bank information.

Which of the following is a vulnerability that has been exploited?

 
 
 
 
 

198. During the penetration testing of an organization, the tester was provided with the names of a few key servers, along with their IP address.

Which of the following is the organization conducting?

 
 
 
 
 

199. Which of the following security controls BEST mitigates social engineering attacks?

 
 
 
 

200. A user loses a COPE device.

Which of the following should the user do NEXT to protect the data on the device?

 
 
 
 

201. Buffer overflows can be avoided using proper:

 
 
 
 

202. A systems administrator wants to enforce the use of HTTPS on a new website.

Which of the following should the systems administrator do NEXT after generating the CSR?

 
 
 
 

203. An organization prefers to apply account permissions to groups and not individual users, but allows for exceptions that are justified. Some systems require a machine-to-machine data exchange and an associated account to perform this data exchange. One particular system has data in a folder that must be modified by another system. No user requires access to this folder; only the other system needs access to this folder.

Which of the following is the BEST account management practice?

 
 
 
 
 

204. A security analyst has recently deployed an MDM solution that requires biometric authentication for company-issued smartphones. Since the solution was implemented, the help desk has seen a dramatic increase in calls from employees frustrated that company-issued phones take several attempts to unlock using the fingerprint scanner.

Which of the following should be reviewed to mitigate this problem?

 
 
 
 

205. A user’s laptop is being analyzed because malware was discovered. The forensics analyst has taken the laptop off the corporate network.

Following order of volatility, which of the following actions should be performed FIRST?

 
 
 
 
 

206. An authorized user is conducting a penetration scan of a system for an organization. The tester has a set of network diagrams, source code, version numbers of applications, and other information about the system, including hostnames and network addresses.

Which of the following BEST describes this type of penetration test?

 
 
 
 
 

207. A systems engineer is configuring a wireless network. The network must not require installation of third-party software. Mutual authentication of the client and the server must be used. The company has an internal PKI.

Which of the following configurations should the engineer choose?

 
 
 
 
 

208. A company has users and printers in multiple geographic locations, and the printers are locked in common areas of the offices. To preserve the confidentiality of PII, a security administrator needs to implement the appropriate controls.

Which of the following would BEST meet the confidentiality requirements of the data?

 
 
 
 

209. Which of the following is an algorithm family that was developed for use cases in which power consumption and lower computing power are constraints?

 
 
 
 

210. A security administrator is working with the human resources department to classify data held by the company. The administrator has determined the data contains a variety of data types, including health information, employee names and addresses, trade secrets, and confidential customer information.

Which of the following should the security administrator do NEXT?

 
 
 
 

211. A security analyst has received an alert about PII being sent via email. The analyst’s Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate?

 
 
 
 

212. An organization requires two separate factors as part of an authentication scheme. One of those factors is a password.

Which of the following would BEST meet the requirement for the other factor?

 
 
 
 

213. A network administrator is configuring a honeypot in a company’s DMZ. To provide a method for hackers to access the system easily, the company needs to configure a plaintext authentication method that will send only the username and password to a service in the honeypot.

Which of the following protocols should the company use?

 
 
 
 

214. A technician is evaluating a security appliance solution. The company needs a system that continues to pass traffic if the system crashes.

Which of the following appliance features would BEST meet the company’s needs?

 
 
 
 

215. An analysis of a threat actor, which has been active for several years, reveals the threat actor has high levels of funding, motivation, and sophistication.

Which of the following types of threat actors does this BEST describe?

 
 
 
 

216. A company occupies the third floor of a leased building that has other tenants. The path from the demarcation point to the company’s controlled space runs through unsecured areas managed by other companies.

Which of the following could be used to protect the company’s cabling as it passes through uncontrolled spaces?

 
 
 
 

217. A security consultant is analyzing data from a recent compromise.

The following data points are documented:

– Access to data on share drives and certain networked hosts was lost after an employee logged in to an interactive session as a privileged user.

– The data was unreadable by any known commercial software.

– The issue spread through the enterprise via SMB only when certain users accessed data.

– Removal instructions were not available from any major antivirus vendor.

Which of the following types of malware is this example of?

 
 
 
 
 

218. An organization recently acquired an ISO 27001 certification.

Which of the following would MOST likely be considered a benefit of this certification?

 
 
 
 
 

219. While reviewing system logs, a security analyst notices that a large number of end users are changing their passwords four times on the day the passwords are set to expire. The analyst suspects they are cycling their passwords to circumvent current password controls.

Which of the following would provide a technical control to prevent this activity from occurring?

 
 
 
 
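The behaviour in question 219, four changes in a row on expiry day, is users burning through the password-history limit to get back to a favourite password. The following is an added example, not code from the original question set. It runs a sliding-window count over a constructed password-change audit log to surface the cyclers, then models the control that stops the cycle: a minimum password age, which forces each history slot to cost at least a day instead of seconds. The log format, user names and thresholds are assumptions.

```python
"""Detect password cycling and model the minimum-password-age control.

Added example for question 219 (not from the original page). Log format,
names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed audit records (not real data): "<ISO timestamp> PASSWORD_CHANGE user=<name>"
SAMPLE_AUDIT = """\
2021-03-01T08:55:10 PASSWORD_CHANGE user=alice
2021-03-01T08:55:41 PASSWORD_CHANGE user=alice
2021-03-01T08:56:12 PASSWORD_CHANGE user=alice
2021-03-01T08:56:40 PASSWORD_CHANGE user=alice
2021-03-01T09:10:00 PASSWORD_CHANGE user=bob
2021-03-01T13:02:33 PASSWORD_CHANGE user=carol
2021-03-02T07:30:00 PASSWORD_CHANGE user=carol
"""


def parse_changes(text: str) -> Dict[str, List[datetime]]:
    """Group change timestamps by user, sorted oldest first."""
    changes: Dict[str, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "PASSWORD_CHANGE":
            continue
        user = parts[2].split("=", 1)[1]
        changes[user].append(datetime.fromisoformat(parts[0]))
    return {user: sorted(stamps) for user, stamps in changes.items()}


def find_cyclers(changes: Dict[str, List[datetime]],
                 window: timedelta = timedelta(hours=24),
                 threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` changes inside any `window`; the value
    is the largest burst seen for that user."""
    flagged: Dict[str, int] = {}
    for user, stamps in changes.items():
        best = 0
        for i, start in enumerate(stamps):
            burst = sum(1 for t in stamps[i:] if t - start <= window)
            best = max(best, burst)
        if best >= threshold:
            flagged[user] = best
    return flagged


def change_allowed(last_change: datetime, now: datetime,
                   min_age: timedelta = timedelta(days=1)) -> bool:
    """Minimum password age: refuse a change until the current password has
    been in place for `min_age`. With a 12-password history and a one-day
    minimum age, cycling back to an old password takes at least 12 days."""
    return now - last_change >= min_age


def rejected_with_min_age(changes: Dict[str, List[datetime]],
                          min_age: timedelta = timedelta(days=1)) -> Dict[str, int]:
    """Replay the log and count how many changes a minimum age would have
    refused; each accepted change restarts the clock."""
    rejected: Dict[str, int] = {}
    for user, stamps in changes.items():
        last = None
        count = 0
        for t in stamps:
            if last is not None and not change_allowed(last, t, min_age):
                count += 1
                continue
            last = t
        if count:
            rejected[user] = count
    return rejected


if __name__ == "__main__":
    changes = parse_changes(SAMPLE_AUDIT)
    print("cycling suspects:", find_cyclers(changes))
    print("changes a 1-day minimum age would refuse:", rejected_with_min_age(changes))
```

The detection is what the analyst in the question did by eye; the minimum age is the technical control the question asks for, and the replay shows why it works: of alice's four changes only the first goes through, so her twelve-deep history can no longer be exhausted in one sitting. Carol's second change the next morning is refused too, which is the usual trade-off and why help-desk resets normally bypass the minimum age.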

220. Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company’s final software releases? (Select TWO)

 
 
 
 
 
 

221. A new network administrator is establishing network circuit monitoring guidelines to catch potentially malicious traffic.

The administrator begins monitoring the NetFlow statistics for the critical Internet circuit and notes the following data after two weeks.

However, after checking the statistics from the weekend following the compiled statistics the administrator notices a spike in traffic to 250Mbps sustained for one hour. The administrator is able to track the source of the spike to a server in the DMZ.

Which of the following is the next BEST course of action the administrator should take?

 
 
 
 
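Question 221 describes the two steps of circuit monitoring: learn a baseline from two weeks of NetFlow statistics, then flag a departure from it, here a 250 Mbps transfer sustained for an hour and traced to one DMZ host. The page's statistics are not reproduced, so the following added example (not code from the original question set) constructs its own readings: one 5-minute Mbps sample per source for two weeks of normal traffic, followed by a weekend in which one DMZ host pushes 250 Mbps for an hour. The baseline is per-source mean and standard deviation, and an alert requires the threshold to be exceeded for a full hour of consecutive samples, which is what separates a burst from a sustained transfer. Addresses, values and thresholds are assumptions.

```python
"""Baseline a circuit from NetFlow-style readings and flag sustained spikes by source.

Added example for question 221 (not from the original page). Readings,
addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Record = Tuple[int, str, float]          # (minute, src_ip, mbps)
SAMPLE_INTERVAL = 5                      # minutes between NetFlow summaries
WEB_DMZ, MAIL_DMZ = "203.0.113.10", "203.0.113.20"


def build_sample() -> List[Record]:
    """Constructed readings: the DMZ web server sits around 21.5 Mbps and the
    mail relay around 5.2 Mbps for 14 days; then the web server sustains
    250 Mbps for 12 consecutive samples (one hour)."""
    records: List[Record] = []
    minute = 0
    for _ in range(14 * 24 * 60 // SAMPLE_INTERVAL):
        records.append((minute, WEB_DMZ, 20.0 + (minute % 7) * 0.5))
        records.append((minute, MAIL_DMZ, 5.0 + (minute % 3) * 0.2))
        minute += SAMPLE_INTERVAL
    for _ in range(12):
        records.append((minute, WEB_DMZ, 250.0))
        records.append((minute, MAIL_DMZ, 5.0))
        minute += SAMPLE_INTERVAL
    return records


def baseline_per_source(records: List[Record], until_minute: int) -> Dict[str, Tuple[float, float]]:
    """Mean and population standard deviation per source over the learning period."""
    series: Dict[str, List[float]] = defaultdict(list)
    for minute, src, mbps in records:
        if minute < until_minute:
            series[src].append(mbps)
    return {src: (mean(v), pstdev(v)) for src, v in series.items()}


def detect_sustained_spikes(records: List[Record], baselines: Dict[str, Tuple[float, float]],
                            k: float = 3.0, min_samples: int = 12,
                            floor_ratio: float = 0.2) -> List[Tuple[str, int, int, float, float]]:
    """Return (src, start_minute, end_minute, peak_mbps, threshold) for every
    run of at least `min_samples` consecutive readings above
    mean + max(k * stdev, floor_ratio * mean). The floor stops a near-constant
    source (tiny stdev) from alerting on trivial jitter."""
    per_src: Dict[str, List[Tuple[int, float]]] = defaultdict(list)
    for minute, src, mbps in sorted(records):
        per_src[src].append((minute, mbps))
    alerts = []
    for src, samples in per_src.items():
        if src not in baselines:
            continue
        mu, sd = baselines[src]
        threshold = mu + max(k * sd, floor_ratio * mu)
        run: List[Tuple[int, float]] = []
        for minute, mbps in samples + [(-1, None)]:   # sentinel flushes the last run
            if mbps is not None and mbps > threshold:
                run.append((minute, mbps))
                continue
            if len(run) >= min_samples:
                alerts.append((src, run[0][0], run[-1][0], max(m for _, m in run), threshold))
            run = []
    return alerts


def investigate(records: List[Record], learning_minutes: int = 14 * 24 * 60):
    """Learn from the first two weeks, then scan everything."""
    baselines = baseline_per_source(records, learning_minutes)
    return baselines, detect_sustained_spikes(records, baselines)


if __name__ == "__main__":
    baselines, alerts = investigate(build_sample())
    for src, (mu, sd) in baselines.items():
        print(f"{src}: baseline {mu:.1f} Mbps (sd {sd:.2f})")
    for src, start, end, peak, thr in alerts:
        print(f"ALERT {src}: {peak:.0f} Mbps sustained from minute {start} to {end} "
              f"({(end - start) // 60 + 1}h window, threshold {thr:.1f} Mbps)")
```

The alert carries the source address, which is the hand-off point the question describes: once the spike is tied to a specific DMZ server, the next step is an investigation of that host rather than of the circuit. Keying the baseline per source rather than per circuit is what makes a 250 Mbps flow from a 20 Mbps server stand out even on a link that could carry it without saturating.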

222. A security administrator is reviewing the following information from a file that was found on a compromised host:

Which of the following types of malware is MOST likely installed on the compromised host?

 
 
 
 
 

223. A security team has completed the installation of a new server. The OS and applications have been patched and tested, and the server is ready to be deployed.

Which of the following actions should be taken before deploying the new server?

 
 
 
 

224. A company moved into a new building next to a sugar mill. Cracks have been discovered in the walls of the server room, which is located on the same side as the sugar mill loading docks. The cracks are believed to have been caused by heavy trucks. Moisture has begun to seep into the server room, causing extreme humidification problems and equipment failure.

Which of the following BEST describes the type of threat the organization faces?

 
 
 
 

225. An organization discovers that unauthorized applications have been installed on company-provided mobile phones. The organization issues these devices, but some users have managed to bypass the security controls.

Which of the following is the MOST likely issue, and how can the organization BEST prevent this from happening?

 
 
 
 

226. An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%.

Which of the following would BEST describe the estimated number of devices to be replaced next year?

 
 
 
 

227. A security engineer wants to add SSL to the public web server.

Which of the following would be the FIRST step to implement the SSL certificate?

 
 
 
 

228. Which of the following describes the BEST approach for deploying application patches?

 
 
 
 

229. A systems administrator has been assigned to create accounts for summer interns. The interns are only authorized to be in the facility and operate computers under close supervision. They must also leave the facility at designated times each day. However, the interns can access intern file folders without supervision.

Which of the following represents the BEST way to configure the accounts? (Select TWO).

 
 
 
 
 

230. A systems developer needs to provide machine-to-machine interface between an application and a database server in the production environment. This interface will exchange data once per day.

Which of the following access control account practices would BEST be used in this situation?

 
 
 
 

231. A Chief Security Officer’s (CSO’s) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks.

Which of the following would BEST meet the CSO’s objectives?

 
 
 
 

232. A security engineer wants to further secure a sensitive VLAN on the network by introducing MFA.

Which of the following is the BEST example of this?

 
 
 
 

233. After discovering a buffer overflow vulnerability in an application, the security analyst needs to report it to the development team leader.

Which of the following are MOST likely to appear in the impact section of the report? (Select TWO).

 
 
 
 
 

234. A security administrator has been conducting an account permissions review that has identified several users who belong to functional groups and groups responsible for auditing the functional groups’ actions. Several recent outages have not been able to be traced to any user.

Which of the following should the security administrator recommend to preserve future audit log integrity?

 
 
 
 

235. The director of information security at a company has recently directed the security engineering team to implement new security technologies aimed at reducing the impact of insider threats.

Which of the following tools has the team MOST likely deployed? (Select TWO).

 
 
 
 
 

236. Joe, a new employee, discovered a thumb drive with the company’s logo on it while walking in the parking lot. Joe was curious as to the contents of the drive and placed it into his work computer. Shortly after accessing the contents, he noticed the machine was running slower, started to reboot, and displayed new icons on the screen.

Which of the following types of attacks occurred?

 
 
 
 

237. Several systems and network administrators are determining how to manage access to a facility and enable managers to allow after-hours access.

Which of the following access control methods should managers use to assign after-hours access to the employees?

 
 
 
 

238. Which of the following is a component of multifactor authentication?

 
 
 
 

239. Which of the following is a resiliency strategy that allows a system to automatically adapt to workload changes?

 
 
 
 

240. A new PKI is being built at a company, but the network administrator has concerns about spikes of traffic occurring twice a day due to clients checking the status of the certificates.

Which of the following should be implemented to reduce the spikes in traffic?

 
 
 
 

241. A systems administrator needs to install the same X.509 certificate on multiple servers.

Which of the following should the administrator use?

 
 
 
 

242. A systems administrator is installing and configuring an application service that requires access to read and write to log and configuration files on a local hard disk partition. The service must run as an account with authorization to interact with the file system.

Which of the following would reduce the attack surface added by the service and account? (Select TWO)

 
 
 
 
 
 

243. A company has a backup site with equipment on site without any data. This is an example of:

 
 
 
 

244. A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email, and the IT administrator wants to ensure it does not happen again.

Which of the following should the IT administrator do FIRST after recovery?

 
 
 
 

245. When building a hosted datacenter, which of the following is the MOST important consideration for physical security within the datacenter?

 
 
 
 

246. The security office has had reports of increased tailgating in the datacenter.

Which of the following controls should security put in place?

 
 
 
 

247. Which of the following is an example of federated access management?

 
 
 
 

248. After segmenting the network, the network manager wants to control the traffic between the segments.

Which of the following should the manager use to control the network traffic?

 
 
 
 

249. A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user’s machine with protocols to connect to the Unix web server, which is behind a firewall.

Which of the following protocols does the technician MOST likely need to configure?

 
 
 
 

250. A security analyst investigates a report from an employee in the human resources (HR) department who is having issues with Internet access.

When the security analyst pulls the UTM logs for the IP addresses in the HR group, the following activity is shown:

Which of the following actions should the security analyst take?

 
 
 
 

251. Which of the following attacks is used to capture the WPA2 handshake?

 
 
 
 

252. A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI.

Which of the following should the administrator configure?

 
 
 
 

253. A security administrator suspects there may be unnecessary services running on a server.

Which of the following tools will the administrator MOST likely use to confirm the suspicions?

 
 
 
 

254. A network administrator needs to restrict the users of the company’s WAPs to the sales department. The network administrator changes and hides the SSID and then discovers several employees had connected their personal devices to the wireless network.

Which of the following would limit access to the wireless network to only organization-owned devices in the sales department?

 
 
 
 

255. A company has forbidden the use of external media within its headquarters location. A security analyst is working on adding additional repositories to a server in the environment when the analyst notices some odd processes running on the system.

The analyst runs a command and sees the following:

Given this output, which of the following security issues has been discovered?

 
 
 
 

256. A software development company needs to augment staff by hiring consultants for a high-stakes project.

The project has the following requirements:

– Consultants will have access to highly confidential, proprietary data.

– Consultants will not be provided with company-owned assets.

– Work needs to start immediately.

– Consultants will be provided with internal email addresses for communications.

Which of the following solutions is the BEST method for controlling data exfiltration during this project?

 
 
 
 

257. After a systems administrator installed and configured Kerberos services, several users experienced authentication issues.

Which of the following should be installed to resolve these issues?

 
 
 
 

258. An application developer is working on a new calendar and scheduling application. The developer wants to test new functionality that is time/date dependent and set the local system time to one year in the future. The application also has a feature that uses SHA-256 hashing and AES encryption for data exchange. The application attempts to connect to a separate remote server using SSL, but the connection fails.

Which of the following is the MOST likely cause and next step?

 
 
 
 

259. During a penetration test, Joe, an analyst, contacts the target’s service desk. Impersonating a user, he attempts to obtain assistance with resetting an email password. Joe claims this needs to be done as soon as possible, as he is the vice president of sales and does not want to contact the Chief Operations Officer (COO) for approval, since the COO is on vacation. When challenged, Joe reaffirms that he needs this done immediately, and threatens to contact the service desk supervisor over the issue.

Which of the following social engineering principles is Joe employing in this scenario? (Select TWO).

 
 
 
 
 

260. After being alerted to potential anomalous activity related to trivial DNS lookups, a security analyst looks at the following output of implemented firewall rules:

The analyst notices that the expected policy has no hit count for the day.

Which of the following MOST likely occurred?

 
 
 
 

261. A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service Unavailable error. The analyst runs a netstat -an command to discover if the web server is up and listening.

The analyst receives the following output:

TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT

TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT

TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT

TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT

TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT

TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT

Which of the following types of attack is the analyst seeing?

 
 
 
 

262. Which of the following types of vulnerability scans typically returns more detailed and thorough insights into actual system vulnerabilities?

 
 
 
 

263. A company recently installed fingerprint scanners at all entrances to increase the facility’s security. The scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid users were denied entry.

Which of the following measurements do these users fall under?

 
 
 
 

264. Some call center representatives’ workstations were recently updated by a contractor, who was able to collect customer information from the call center workstations.

Which of the following types of malware was installed on the call center users’ systems?

 
 
 
 

265. As part of a corporate merger, two companies are combining resources. As a result, they must transfer files through the internet in a secure manner.

Which of the following protocols would BEST meet this objective? (Select TWO)

 
 
 
 
 

266. A systems engineer is setting up a RADIUS server to support a wireless network that uses certificate authentication.

Which of the following protocols must be supported by both the RADIUS server and the WAPs?

 
 
 
 

267. A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web application.

Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms?

 
 
 
 

268. A pass-the-hash attack is commonly used to:

 
 
 
 

269. A security engineer needs to build a solution to satisfy regulatory requirements that state certain critical servers must be accessed using MFA. However, the critical servers are older and are unable to support the addition of MFA.

Which of the following will the engineer MOST likely use to achieve this objective?

 
 
 
 

270. A network engineer has been asked to investigate why several wireless barcode scanners and wireless computers in a warehouse have intermittent connectivity to the shipping server. The barcode scanners and computers are all on forklift trucks and move around the warehouse during their regular use.

Which of the following should the engineer do to determine the issue? (Select Two)

 
 
 
 
 
 

271. An organization has the following written policies:

– Users must request approval for non-standard software installation

– Administrators will perform all software installations

– Software must be installed from a trusted repository

A recent security audit identified crypto-currency software installed on one user’s machine. There are no indications of compromise on this machine.

Which of the following is the MOST likely cause of this policy violation and the BEST remediation to prevent a recurrence?

 
 
 
 

272. A security engineer needs to obtain a recurring log of changes to system files. The engineer is most concerned with detecting unauthorized changes to system data.

Which of the following tools can be used to fulfill the requirements that were established by the engineer?

 
 
 
 
 

273. While testing a new application, a developer discovers that the inclusion of an apostrophe in a username causes the application to crash.

Which of the following secure coding techniques would be MOST useful to avoid this problem?

 
 
 
 

274. The help desk received a call from a user who was trying to access a set of files from the day before but received the following error message: File format not recognized.

Which of the following types of malware MOST likely caused this to occur?

 
 
 
 

275. A systems administrator has created network file shares for each department with associated security groups for each role within the organization.

Which of the following security concepts is the systems administrator implementing?

 
 
 
 

276. Which of the following is the security threat a hiring manager is trying to prevent by performing a background screening of a job candidate?

 
 
 
 
 

277. After running an online password cracking tool, an attacker recovers the following password:

gh;jSKSTOi;618&

Based on the above information, which of the following technical controls have been implemented? (Select TWO).

 
 
 
 
 
 

278. A researcher has been analyzing large data sets for the last ten months. The researcher works with colleagues from other institutions and typically connects via SSH to retrieve additional data.

Historically, this setup has worked without issue, but the researcher recently started getting the following message:

Which of the following network attacks is the researcher MOST likely experiencing?

 
 
 
 

279. Which of the following types of security testing is the MOST cost-effective approach used to analyze existing code and identify areas that require patching?

 
 
 
 
 

280. A technician is auditing network security by connecting a laptop to open hardwired jacks within the facility to verify they cannot connect.

Which of the following is being tested?

 
 
 
 

281. A technician wants to configure a wireless router at a small office that manages a family-owned dry cleaning business. The router will support five laptops, potential smartphones, a wireless printer, and occasional guests.

Which of the following wireless configurations is BEST implemented in this scenario?

 
 
 
 

282. An organization uses simulated phishing attacks on its users to better prepare them to recognize actual phishing attacks and get them accustomed to reporting the attacks to the security team.

This is an example of:

 
 
 
 

283. Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server?

 
 
 
 

284. Which of the following implements a stream cipher?

 
 
 
 

285. A security engineer deploys a certificate from a commercial CA to the RADIUS server for use with the EAP-TLS wireless network.

Authentication is failing, so the engineer examines the certificate’s properties:

Which of the following is the MOST likely cause of the failure?

 
 
 
 

286. A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site.

Upon investigation, a security analyst identifies the following:

• The legitimate website’s IP address is 10.1.1.20 and eRecruit.local resolves to this IP.

• The forged website’s IP address appears to be 10.2.12.99, based on NetFlow records.

• All three of the organization’s DNS servers show the website correctly resolves to the legitimate IP.

• DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise.

Which of the following MOST likely occurred?

 
 
 
 

287. After deploying an antivirus solution on some network-isolated industrial computers, the service desk team received a trouble ticket about the following message being displayed on the computers’ screens:

Which of the following would be the SAFEST next step to address the issue?

 
 
 
 

288. An organization wishes to allow its users to select devices for business use but does not want to overwhelm the service desk with requests for too many different device types and models.

Which of the following deployment models should the organization use to BEST meet these requirements?

 
 
 
 

289. When an initialization vector is added to each encryption cycle, it is using the:

 
 
 
 

290. A security team has downloaded a public database of the largest collection of password dumps on the Internet. This collection contains the cleartext credentials of every major breach for the last four years. The security team pulls and compares users’ credentials to the database and discovers that more than 30% of the users were still using passwords discovered in this list.

Which of the following would be the BEST combination to reduce the risks discovered?

 
 
 
 

291. Which of the following is the BEST example of a reputation impact identified during a risk assessment?

 
 
 
 

292. An organization plans to transition the intrusion detection and prevention techniques on a critical subnet to an anomaly-based system.

Which of the following does the organization need to determine for this to be successful?

 
 
 
 

293. An analyst is currently looking at the following output:

Which of the following security issues has been discovered based on the output?

 
 
 
 

294. A tester was able to leverage a pass-the-hash attack during a recent penetration test. The tester gained a foothold and moved laterally through the network.

Which of the following would prevent this type of attack from reoccurring?

 
 
 
 

295. A network administrator has been alerted that web pages are experiencing long load times.

After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output:

Which of the following is the router experiencing?

 
 
 
 

296. Which of the following agreement types is a non-contractual agreement between two or more parties and outlines each party’s requirements and responsibilities?

 
 
 
 

297. Given the following output:

Which of the following BEST describes the scanned environment?

 
 
 
 

298. Which of the following is MOST likely caused by improper input handling?

 
 
 
 

299. During a routine check, a security analyst discovered the script responsible for the backup of the corporate file server had been changed to the following.

Which of the following BEST describes the type of malware the analyst discovered?

 
 
 
 

Topic 1, Exam Pool A

300. A security analyst received an after-hours alert indicating that a large number of accounts with the suffix "admin" were locked out. The accounts were all locked out after five unsuccessful login attempts, and no other accounts on the network triggered the same alert.

Which of the following is the BEST explanation for these alerts?

 
 
 
 

301. A systems administrator is increasing the security settings on a virtual host to ensure users on one VM cannot access information from another VM.

Which of the following is the administrator protecting against?

 
 
 
 

302. A company recently updated its website to increase sales. The new website uses PHP forms for leads and provides a directory with sales staff and their phone numbers.

A systems administrator is concerned about the new website and provides the following log to support the concern:

Which of the following is the systems administrator MOST likely to suggest to the Chief Information Security Officer (CISO) based on the above?

 
 
 
 

303. A credentialed vulnerability scan is often preferred over a non-credentialed scan because credentialed scans:

 
 
 
 

304. Fuzzing is used to reveal which of the following vulnerabilities in web applications?

 
 
 
 

305. An organization has decided to host its web application and database in the cloud.

Which of the following BEST describes the security concerns for this decision?

 
 
 
 

306. A user is unable to obtain an IP address from the corporate DHCP server.

Which of the following is MOST likely the cause?

 
 
 
 

307. A company has had a BYOD policy in place for many years and now wants to roll out an MDM solution. The company has decided that end users who wish to utilize their personal devices for corporate use must opt in to the MDM solution. End users are voicing concerns about the company having access to their personal devices via the MDM solution.

Which of the following should the company implement to ease these concerns?

 
 
 
 

308. Which of the following describes the ability of code to target a hypervisor from inside a guest OS?

 
 
 
 
 

309. After segmenting the network, the network manager wants to control the traffic between the segments.

Which of the following should the manager use to control the network traffic?

 
 
 
 

310. An email recipient is unable to open a message encrypted through PKI that was sent from another organization.

Which of the following does the recipient need to decrypt the message?

 
 
 
 
 
 

311. Which of the following is an example of the second A in the AAA model?

 
 
 
 

312. An organization has the following written policies:

• Users must request approval for non-standard software installation

• Administrators will perform all software installations

• Software must be installed from a trusted repository

A recent security audit identified crypto-currency software installed on one user’s machine. There are no indications of compromise on this machine.

Which of the following is the MOST likely cause of this policy violation and the BEST remediation to prevent a recurrence?

 
 
 
 

313. An attacker has obtained the user ID and password of a datacenter’s backup operator and has gained access to a production system.

Which of the following would be the attacker’s NEXT action?

 
 
 
 

314. A systems administrator has created network file shares for each department with associated security groups for each role within the organization.

Which of the following security concepts is the systems administrator implementing?

 
 
 
 

315. A technician is required to configure updates on a guest operating system while maintaining the ability to quickly revert the changes that were made while testing the updates.

Which of the following should the technician implement?

 
 
 
 

316. When accessing a popular website, a user receives a warning that the certificate for the website is not valid. Upon investigation, it was noted that the certificate is not revoked and the website is working fine for other users.

Which of the following is the MOST likely cause for this?

 
 
 
 

317. A manufacturing company updates a policy that instructs employees not to enter a secure area in groups and requires each employee to swipe their badge to enter the area. When employees continue to ignore the policy, a mantrap is installed.

Which of the following BEST describe the controls that were implemented to address this issue? (Select TWO).

 
 
 
 
 

318. Ann, a security analyst from a large organization, has been instructed to use another, more effective scanning tool. After installing the tool on her desktop, she started a full vulnerability scan. After running the scan for eight hours, Ann finds that there were no vulnerabilities identified.

Which of the following is the MOST likely cause of not receiving any vulnerabilities on the network?

 
 
 
 

319. Which of the following penetration testing concepts is an attacker MOST interested in when placing the path of a malicious file in the windows/Currentversion/Run registry key?

 
 
 
 

320. A systems administrator has installed a new UTM that is capable of inspecting SSL/TLS traffic for malicious payloads. All inbound network traffic coming from the Internet and terminating on the company’s secure web servers must be inspected.

Which of the following configurations would BEST support this requirement?

 
 
 
 

321. A dumpster diver was able to retrieve hard drives from a competitor’s trash bin. After installing the hard drives and running common data recovery software, sensitive information was recovered.

In which of the following ways did the competitor apply media sanitization?

 
 
 
 

322. A state-sponsored threat actor has launched several successful attacks against a corporate network. Although the target has a robust patch management program in place, the attacks continue in depth and scope, and the security department has no idea how the attacks are able to gain access.

Given that patch management and vulnerability scanners are being used, which of the following would be used to analyze the attack methodology?

 
 
 
 

323. A technician wants to add wireless guest capabilities to an enterprise wireless network that is currently implementing 802.1X EAP-TLS.

The guest network must:

• Support client isolation.

• Issue a unique encryption key to each client.

• Allow guests to register using their personal email addresses.

Which of the following should the technician implement? (Select TWO).

 
 
 
 
 
 

324. Several systems and network administrators are determining how to manage access to a facility and enable managers to allow after-hours access.

Which of the following access control methods should managers use to assign after-hours access to the employees?

 
 
 
 

325. A security administrator wants to determine if a company’s web servers have the latest operating system and application patches installed.

Which of the following types of vulnerability scans should be conducted?

 
 
 
 
 
 

326. A transitive trust:

 
 
 
 

327. A systems engineer is configuring a wireless network. The network must not require installation of third-party software. Mutual authentication of the client and the server must be used. The company has an internal PKI.

Which of the following configurations should the engineer choose?

 
 
 
 
 

328. Which of the following is the MOST likely motivation for a script kiddie threat actor?

 
 
 
 

329. A security team has downloaded a public database of the largest collection of password dumps on the Internet. This collection contains the cleartext credentials of every major breach for the last four years. The security team pulls and compares users’ credentials to the database and discovers that more than 30% of the users were still using passwords discovered in this list.

Which of the following would be the BEST combination to reduce the risks discovered?

 
 
 
 

330. A company wants to provide centralized authentication for its wireless system. The wireless authentication system must integrate with the directory back end.

Which of the following is an AAA solution that will provide the required wireless authentication?

 
 
 
 

331. A network technician discovered the usernames and passwords used for network device configuration have been compromised by a user with a packet sniffer.

Which of the following would secure the credentials from sniffing?

 
 
 
 

332. A company needs to fix some audit findings related to its physical security. A key finding was that multiple people could physically enter a location at the same time.

Which of the following is the BEST control to address this audit finding?

 
 
 
 

333. A member of the IR team has identified an infected computer.

Which of the following IR phases should the team member conduct NEXT?

 
 
 
 

334. A security administrator has received multiple calls from the help desk about customers who are unable to access the organization’s web server. Upon reviewing the log files the security administrator determines multiple open requests have been made from multiple IP addresses, which is consuming system resources.

Which of the following attack types does this BEST describe?

 
 
 
 

335. Which of the following control types would a backup of server data provide in case of a system issue?

 
 
 
 

336. The security office has had reports of increased tailgating in the datacenter.

Which of the following controls should security put in place?

 
 
 
 

337. A security professional wants to test a piece of malware that was isolated on a user’s computer to document its effect on a system.

Which of the following is the FIRST step the security professional should take?

 
 
 
 

338. A technician, who is managing a secure B2B connection, noticed the connection broke last night. All networking equipment and media are functioning as expected, which leads the technician to question certain PKI components.

Which of the following should the technician use to validate this assumption? (Choose two.)

 
 
 
 
 
 

339. A company notices that at 10 a.m. every Thursday, three users’ computers become inoperable. The security analyst team discovers a file called where.pdf.exe that runs on system startup.

The contents of where.pdf.exe are shown below:

@echo off

if [c:file.txt] deltree C:

Based on the above information, which of the following types of malware was discovered?

 
 
 
 

340. A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks.

Which of the following methods would BEST prevent the exfiltration of data? (Select TWO).

 
 
 
 
 
 

341. A company is experiencing an increasing number of systems that are locking up on Windows startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat.

@echo off

:asdhbawdhbasdhbawdhb

start notepad.exe

start notepad.exe

start calculator.exe

start calculator.exe

goto asdhbawdhbasdhbawdhb

Given the file contents and the system’s issues, which of the following types of malware is present?

 
 
 
 

342. An organization recently acquired an ISO 27001 certification.

Which of the following would MOST likely be considered a benefit of this certification?

 
 
 
 
 

343. A company employee recently retired, and there was a schedule delay because no one was capable of filling the employee’s position.

Which of the following practices would BEST help to prevent this situation in the future?

 
 
 
 

344. The application team within a company is asking the security team to investigate why its application is slow after an upgrade. The source of the team’s application is 10.13.136.9, and the destination IP is 10.17.36.5. The security analyst pulls the logs from the endpoint security software but sees nothing is being blocked.

The analyst then looks at the UTM firewall logs and sees the following:

Which of the following should the security analyst request NEXT based on the UTM firewall analysis?

 
 
 
 

345. A Chief Security Officer’s (CSO’s) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks.

Which of the following would BEST meet the CSO’s objectives?

 
 
 
 

346. Which of the following can be used to increase the time needed to brute force a hashed password?

 
 
 
 

347. A mobile application developer wants to secure an application that transmits sensitive information.

Which of the following should the developer implement to prevent SSL MITM attacks?

 
 
 
 

348. A security administrator is choosing an algorithm to generate password hashes.

Which of the following would offer the BEST protection against offline brute force attacks?

 
 
 
 

349. After being alerted to potential anomalous activity related to trivial DNS lookups, a security analyst looks at the following output of implemented firewall rules:

The analyst notices that the expected policy has no hit count for the day.

Which of the following MOST likely occurred?

 
 
 
 

350. An incident response analyst in a corporate security operations center receives a phone call from an SOC analyst. The SOC analyst explains the help desk recently reimaged a workstation that was suspected of being infected with an unknown type of malware; however, even after reimaging, the host continued to generate SIEM alerts.

Which of the following types of malware is MOST likely responsible for producing the SIEM alerts?

 
 
 
 

351. A preventive control differs from a compensating control in that a preventive control is:

 
 
 
 

352. A network technician is setting up a new branch for a company. The users at the new branch will need to access resources securely as if they were at the main location.

Which of the following networking concepts would BEST accomplish this?

 
 
 
 
 

353. A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The CIO wants to keep control over key visibility and management.

Which of the following would be the BEST solution for the CIO to implement?

 
 
 
 

354. A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected.

Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads.

Which of the following BEST describe this type of attack? (Select TWO).

 
 
 
 
 
 

355. A systems engineer is setting up a RADIUS server to support a wireless network that uses certificate authentication.

Which of the following protocols must be supported by both the RADIUS server and the WAPs?

 
 
 
 

356. A user from the financial aid office is having trouble interacting with the finaid directory on the university’s ERP system.

The systems administrator who took the call ran a command and received the following output:

Subsequently, the systems administrator has also confirmed the user is a member of the finaid group on the ERP system.

Which of the following is the MOST likely reason for the issue?

 
 
 
 

357. An attacker is able to capture the payload for the following packets:

IP 192.168.1.22:2020 10.10.10.5:443

IP 192.166.1.10:1030 10.10.10.1:21

IP 192.168.1.57:5217 10.10.10.1:3389

During an investigation, an analyst discovers that the attacker was able to capture the information above and use it to log on to other servers across the company.

Which of the following is the MOST likely reason?

 
 
 
 

358. A systems administrator needs to configure an SSL remote access VPN according to the following organizational guidelines:

• The VPN must support encryption of header and payload.

• The VPN must route all traffic through the company’s gateway.

Which of the following should be configured on the VPN concentrator?

 
 
 
 

359. A penetration tester is checking to see if an internal system is vulnerable to an attack using a remote listener.

Which of the following commands should the penetration tester use to verify if this vulnerability exists? (Choose two.)

 
 
 
 
 
 

360. A company moved into a new building next to a sugar mill. Cracks have been discovered in the walls of the server room, which is located on the same side as the sugar mill loading docks. The cracks are believed to have been caused by heavy trucks. Moisture has begun to seep into the server room, causing extreme humidification problems and equipment failure.

Which of the following BEST describes the type of threat the organization faces?

 
 
 
 

361. An email systems administrator is configuring the mail server to prevent spear phishing attacks through email messages.

Which of the following refers to what the administrator is doing?

 
 
 
 

362. Which of the following command line tools would be BEST to identify the services running on a server?

 
 
 
 

363. A Chief Information Security Officer (CISO) is concerned about the organization’s ability to continue business operations in the event of a prolonged DDoS attack on its local datacenter that consumes server resources.

Which of the following will the CISO MOST likely recommend to mitigate this risk?

 
 
 
 
 

364. A researcher has been analyzing large data sets for the last ten months. The researcher works with colleagues from other institutions and typically connects via SSH to retrieve additional data.

Historically, this setup has worked without issue, but the researcher recently started getting the following message:

Which of the following network attacks is the researcher MOST likely experiencing?

 
 
 
 

365. A company has a backup site with equipment on site without any data. This is an example of:

 
 
 
 

366. An analyst is currently looking at the following output:

Which of the following security issues has been discovered based on the output?

 
 
 
 

367. An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues.

Which of the following should a security engineer employ to fulfill the requirements for the manager?

 
 
 
 

368. A systems administrator is installing and configuring an application service that requires access to read and write to log and configuration files on a local hard disk partition. The service must run as an account with authorization to interact with the file system.

Which of the following would reduce the attack surface added by the service and account? (Select TWO)

 
 
 
 
 
 

369. A member of the human resources department is searching for candidate resumes and encounters the following error message when attempting to access popular job search websites:

Which of the following would resolve this issue without compromising the company’s security policies?

 
 
 
 

370. An administrator needs to protect five websites with SSL certificates. Three of the websites have different domain names, and two of the websites share the domain name but have different subdomain prefixes.

Which of the following SSL certificates should the administrator purchase to protect all the websites and be able to administer them easily at a later time?

 
 
 
 

371. A security engineer is installing a WAF to protect the company’s website from malicious web requests over SSL.

Which of the following is needed to meet the objective?

 
 
 
 

372. A cryptographer has developed a new proprietary hash function for a company and solicited employees to test the function before recommending its implementation. An employee takes the plaintext version of a document and hashes it, then changes the original plaintext document slightly and hashes it, and continues repeating this process until two identical hash values are produced from two different documents.

Which of the following BEST describes this cryptographic attack?

 
 
 
 

373. Which of the following BEST explains how the use of configuration templates reduces organization risk?

 
 
 
 

374. A security administrator is investigating a report that a user is receiving suspicious emails. The user’s machine has an old functioning modem installed.

Which of the following security concerns need to be identified and mitigated? (Choose two.)

 
 
 
 
 
 

375. A public relations team will be taking a group of guests on a tour through the facility of a large e-commerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against:

 
 
 
 

376. Which of the following is a benefit of credentialed vulnerability scans?

 
 
 
 

377. Which of the following should a technician use to protect a cellular phone that is needed for an investigation, to ensure the data will not be removed remotely?

 
 
 
 

378. A security administrator found the following piece of code referenced on a domain controller’s task scheduler:

$var = GetDomainAdmins

If $var != 'fabio'

SetDomainAdmins = NULL

With which of the following types of malware is the code associated?

 
 
 
 

379. An attachment that was emailed to finance employees contained an embedded message. The security administrator investigates and finds the intent was to conceal the embedded information from public view.

Which of the following BEST describes this type of message?

 
 
 
 

380. Given the following:

> md5.exe file1.txt

> AD1FAB103773DC6A1E6021B7E503A210

> md5.exe file2.txt

> AD1FAB103773DC6A1E6021B7E503A210

Which of the following concepts of cryptography is shown?

 
 
 
 

381. Company engineers regularly participate in a public Internet forum with other engineers throughout the industry.

Which of the following tactics would an attacker MOST likely use in this scenario?

 
 
 
 

382. Exploitation of a system using widely known credentials and network addresses that results in DoS is an example of:

 
 
 
 

383. A company just implemented a new telework policy that allows employees to use personal devices for official email and file sharing while working from home.

Some of the requirements are:

• Employees must provide an alternate work location (i.e., a home address).

• Employees must install software on the device that will prevent the loss of proprietary data but will not restrict any other software from being installed.

Which of the following BEST describes the MDM options the company is using?

 
 
 
 

384. A security analyst has received an alert about PII being sent via email. The analyst's Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care.

From which of the following did the alert MOST likely originate?

 
 
 
 

385. During an incident, a company’s CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC.

Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?

 
 
 
 

386. A network administrator has been alerted that web pages are experiencing long load times.

After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output:

Which of the following is the router experiencing?

 
 
 
 

387. A forensics analyst is investigating a hard drive for evidence of suspected illegal activity.

Which of the following should the analyst do FIRST?

 
 
 
 

388. An organization is drafting an IRP and needs to determine which employees have the authority to take systems offline during an emergency situation.

Which of the following is being outlined?

 
 
 
 

389. A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site.

Upon investigation, a security analyst identifies the following:

• The legitimate website’s IP address is 10.1.1.20 and eRecruit.local resolves to this IP.

• The forged website's IP address appears to be 10.2.12.99, based on NetFlow records.

• All three of the organization’s DNS servers show the website correctly resolves to the legitimate IP.

• DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise.

Which of the following MOST likely occurred?

 
 
 
 
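Worked example for the scenario above (added here; it is not part of the exam item or any vendor's material): detection logic that finds the poisoned cached answer when per-resolver query logs are available. The log lines, resolver names and the fact that two of the three servers answered from authoritative data are constructed for this example, following the facts the question states.

```python
"""Added example (not from the exam item): detection logic for the Q389
scenario.  Given per-resolver query logs, the answers each server returned
for a name are compared with the answers obtained directly from the
organization's authoritative data; a cached answer that disagrees is the
poisoned record.  The log lines and resolver names are constructed."""
from collections import defaultdict

# Constructed lines, one query each: time, resolver, name, answer, how the
# resolver got the answer (authoritative lookup or its own cache).
SAMPLE_LOG = """\
2021-03-02T09:58:01Z ns1.corp.local eRecruit.local 10.1.1.20 authoritative
2021-03-02T09:58:05Z ns2.corp.local eRecruit.local 10.1.1.20 authoritative
2021-03-02T10:01:12Z ns3.corp.local eRecruit.local 10.2.12.99 cached
2021-03-02T10:01:40Z ns3.corp.local eRecruit.local 10.2.12.99 cached
2021-03-02T10:09:17Z ns3.corp.local eRecruit.local 10.1.1.20 authoritative
2021-03-02T10:09:30Z ns1.corp.local intranet.local 10.1.1.30 cached
"""


def parse_log(text: str):
    """Split the constructed log into records; names are lower-cased because
    DNS is case-insensitive and a poisoner may vary case to dodge filters."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, resolver, qname, answer, source = line.split()
        records.append({"ts": ts, "resolver": resolver, "qname": qname.lower(),
                        "answer": answer, "source": source})
    return records


def authoritative_answers(records):
    """Baseline: every answer a resolver obtained directly from the authority
    (the Q389 fact that the zone resolves eRecruit.local to 10.1.1.20)."""
    baseline = defaultdict(set)
    for r in records:
        if r["source"] == "authoritative":
            baseline[r["qname"]].add(r["answer"])
    return baseline


def find_poisoned(records):
    """Records whose answer came from cache and contradicts the authoritative
    baseline for that name.  Cached answers for names with no baseline are
    left alone: without authoritative data there is nothing to compare."""
    baseline = authoritative_answers(records)
    return [r for r in records
            if r["source"] == "cached"
            and r["qname"] in baseline
            and r["answer"] not in baseline[r["qname"]]]


def affected_window(findings):
    """Earliest and latest poisoned answer: the interval to scope the response
    to (which clients queried that resolver, what the forged host served)."""
    if not findings:
        return None
    stamps = sorted(f["ts"] for f in findings)
    return stamps[0], stamps[-1]


if __name__ == "__main__":
    hits = find_poisoned(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f'{h["ts"]} {h["resolver"]} answered {h["qname"]} -> {h["answer"]} (cached, not authoritative)')
    print("poisoned window:", affected_window(hits))
```

The two cached 10.2.12.99 answers from the third resolver are the only findings; the final authoritative answer from the same server shows the cache entry has since expired or been flushed, which is why all three servers look correct by the time the analyst checks them.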

390. The help desk received a call from a user who was trying to access a set of files from the day before but received the following error message: File format not recognized.

Which of the following types of malware MOST likely caused this to occur?

 
 
 
 

391. Ann, a user, reported to the service desk that many files on her computer will not open or the contents are not readable. The service desk technician asked Ann if she encountered any strange messages on boot-up or login, and Ann indicated she did not.

Which of the following has MOST likely occurred on Ann’s computer?

 
 
 
 

392. If a current private key is compromised, which of the following would ensure it cannot be used to decrypt all historical data?

 
 
 
 
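Worked example for the property the question above asks about (added here; not part of the exam item or any vendor's material). A recorded transcript is replayed against a later leak of the server's long-term key for two toy schemes: key transport, where the session key is wrapped under the long-term key, and ephemeral Diffie-Hellman, where the long-term key only authenticates per-session public values. The group parameters (p = 2**127 - 1, g = 3), the XOR key wrap and the HMAC "signature" are assumptions chosen for readability, not a real protocol.

```python
"""Added example (not from the exam item): the property Q392 asks for.  Two
toy key-agreement styles are compared with a recorded transcript and a later
leak of the server's long-term key.  With key transport the leak unwraps
every recorded session; with ephemeral Diffie-Hellman the long-term key only
authenticates the exchange, and the per-session exponents that the key
derives from are discarded.  p = 2**127 - 1 and g = 3 are a toy group for
readability; real systems use vetted groups (RFC 7919) or X25519."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime, toy size: every element fits in 16 bytes
G = 3


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _kdf(material: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + material).digest()


class KeyTransport:
    """Session key chosen by the client and wrapped to the server's long-term
    key: the pattern that has no forward secrecy."""

    def __init__(self):
        self.long_term = secrets.token_bytes(32)

    def open_session(self):
        session_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        wrap_key = _kdf(self.long_term, b"wrap" + nonce)   # toy key wrap
        transcript = {"nonce": nonce, "wrapped": _xor(session_key, wrap_key)}
        return session_key, transcript

    @staticmethod
    def recover(transcript, leaked_long_term):
        """What an attacker holding the recording and the leaked key gets."""
        wrap_key = _kdf(leaked_long_term, b"wrap" + transcript["nonce"])
        return _xor(transcript["wrapped"], wrap_key)


class EphemeralDH:
    """Fresh exponents per session; the long-term key only authenticates
    (here: MACs) the public values so an active attacker cannot swap them."""

    def __init__(self):
        self.long_term = secrets.token_bytes(32)

    def open_session(self):
        a = secrets.randbelow(P - 3) + 2          # client ephemeral exponent
        b = secrets.randbelow(P - 3) + 2          # server ephemeral exponent
        A, B = pow(G, a, P), pow(G, b, P)
        shared = pow(B, a, P)
        assert shared == pow(A, b, P)
        ab_bytes = A.to_bytes(16, "big") + B.to_bytes(16, "big")
        tag = hmac.new(self.long_term, ab_bytes, hashlib.sha256).digest()
        session_key = _kdf(shared.to_bytes(16, "big"), b"session")
        del a, b, shared   # the exponents are never persisted anywhere
        return session_key, {"A": A, "B": B, "tag": tag}

    @staticmethod
    def recover(transcript, leaked_long_term):
        """The leak lets the attacker verify (or forge future) tags, but the
        recorded A and B do not yield the session key without a or b."""
        ab_bytes = transcript["A"].to_bytes(16, "big") + transcript["B"].to_bytes(16, "big")
        expected = hmac.new(leaked_long_term, ab_bytes, hashlib.sha256).digest()
        tag_valid = hmac.compare_digest(expected, transcript["tag"])
        return {"tag_valid": tag_valid, "session_key": None}


def forward_secrecy_demo():
    """Report whether each scheme's recorded session survives a key leak."""
    kt = KeyTransport()
    kt_key, kt_transcript = kt.open_session()
    dh = EphemeralDH()
    dh_key, dh_transcript = dh.open_session()
    dh_attacker = EphemeralDH.recover(dh_transcript, dh.long_term)
    return {
        "key_transport_exposed": KeyTransport.recover(kt_transcript, kt.long_term) == kt_key,
        "ephemeral_dh_exposed": dh_attacker["session_key"] == dh_key,
        "ephemeral_dh_tag_valid": dh_attacker["tag_valid"],
    }


if __name__ == "__main__":
    for name, exposed in forward_secrecy_demo().items():
        print(f"{name}: {exposed}")
```

The leaked key is equally useful for impersonating the server in future handshakes under both schemes; the difference is only what it reveals about traffic recorded before the compromise, which is the question's concern.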

393. A Chief Information Security Officer (CISO) asks the security architect to design a method for contractors to access the company's internal wiki, corporate directory, and email services securely without allowing access to systems beyond the scope of their project.

Which of the following methods would BEST fit the needs of the CISO?

 
 
 
 

394. Which of the following attacks is used to capture the WPA2 handshake?

 
 
 
 

395. A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI.

Which of the following should the administrator configure?

 
 
 
 

396. Given the information below:

MD5HASH document.doc 049eab40fd36caad1fab10b3cdf4a883

MD5HASH image.jpg 049eab40fd36caad1fab10b3cdf4a883

Which of the following concepts are described above? (Choose two.)

 
 
 
 
 
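Worked example for the three hash items above, 372 (repeatedly altering a document until two versions hash alike), 380 and 396 (two different files with the same digest). It is added here and is not part of the exam item or any vendor's material. The collision search runs the Q372 procedure against a deliberately truncated SHA-256 so it completes in seconds; the documents are constructed. Real MD5 collisions come from the published cryptanalytic attacks, not from brute force like this.

```python
"""Added example (not from the exam item): the collision idea behind Q372,
Q380 and Q396.  birthday_collision() repeats the Q372 procedure against a
truncated SHA-256; same_digest() is the Q380/Q396 comparison.  Inputs are
constructed for this example."""
import hashlib


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of `data` under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def same_digest(a: bytes, b: bytes, algo: str = "sha256") -> bool:
    """Q380/Q396 check: do two inputs hash to the same value?  True for
    identical content (a correct integrity check) but also for a collision,
    which is why the inputs themselves must be compared when one is suspected."""
    return digest_hex(a, algo) == digest_hex(b, algo)


def birthday_collision(base: bytes, trunc_bytes: int = 3,
                       algo: str = "sha256", max_tries: int = 1_000_000):
    """Append a revision counter to `base` until two revisions share the
    first `trunc_bytes` bytes of their digest (a birthday search).  An n-bit
    digest needs about 2**(n/2) attempts, so 24 bits fall in a few thousand
    tries while a full 256-bit digest is out of reach: a short or weak
    proprietary hash, not the tester's patience, is what makes Q372 succeed.
    Returns (doc_a, doc_b, shared_prefix_hex), or None if max_tries is hit."""
    seen = {}
    for i in range(max_tries):
        doc = base + b" rev " + str(i).encode()
        prefix = hashlib.new(algo, doc).digest()[:trunc_bytes]
        if prefix in seen and seen[prefix] != doc:
            return seen[prefix], doc, prefix.hex()
        seen[prefix] = doc
    return None


if __name__ == "__main__":
    doc_a, doc_b, shared = birthday_collision(b"Contract v1: pay 100 units on delivery")
    print("colliding revisions:", doc_a, doc_b)
    print("shared 24-bit digest prefix:", shared)
    print("full SHA-256 still equal?", same_digest(doc_a, doc_b))
```

Raising trunc_bytes by one multiplies the expected work by 16; at 8 bytes the search is already impractical on a workstation, which is the margin a sound hash function relies on and a proprietary one has to prove.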

397. An organization wants to implement a solution that allows for automated logical controls for network defense. An engineer plans to select an appropriate network security component, which automates response actions based on security threats to the network.

Which of the following would be MOST appropriate based on the engineer’s requirements?

 
 
 
 
 

398. A security engineer is concerned about susceptibility to HTTP downgrade attacks because the current customer portal redirects users from port 80 to the secure site on port 443.

Which of the following would be MOST appropriate to mitigate the attack?

 
 
 
 
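Worked example for the mitigation the question above points at (added here; not part of the exam item or any vendor's material). The port-80 redirect leaves the first request in the clear and lets an on-path attacker keep the client on HTTP; HTTP Strict Transport Security (RFC 6797) tells browsers to go straight to HTTPS on later visits. The code builds the header and checks a response for the mistakes that leave the downgrade open. The header values and hostnames are constructed.

```python
"""Added example (not from the exam item): the Q398 mitigation in practice.
build_hsts() produces the Strict-Transport-Security value; evaluate_hsts()
flags a response that fails to establish the policy.  Values constructed."""

HSTS = "strict-transport-security"


def build_hsts(max_age: int = 31536000, include_subdomains: bool = True,
               preload: bool = False) -> str:
    """Policy value to send on every HTTPS response.  One year is the common
    minimum; preload only matters once the domain is on the browser preload
    list, which is what closes the first-visit gap."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value: str) -> dict:
    """Directive name (lower-cased) to value; bare flags map to ''."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(headers: dict, served_over_tls: bool,
                  min_max_age: int = 15552000) -> list:
    """Findings for one response; an empty list means an acceptable policy
    was set (min_max_age defaults to 180 days)."""
    value = next((v for k, v in headers.items() if k.lower() == HSTS), None)
    if not served_over_tls:
        # RFC 6797 section 8.1: clients ignore the header on plain HTTP, so
        # sending it only on the port-80 redirect protects nobody.
        findings = ["plain-HTTP response cannot set an HSTS policy"]
        if value is not None:
            findings.append("HSTS header on HTTP response is ignored by clients")
        return findings
    if value is None:
        return ["HTTPS response lacks Strict-Transport-Security"]
    d = parse_hsts(value)
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        return ["max-age directive missing or not an integer"]
    findings = []
    if max_age < min_max_age:
        findings.append(f"max-age {max_age} below {min_max_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay downgradable")
    return findings


if __name__ == "__main__":
    # The port-80 redirect, then the HTTPS response it leads to (constructed).
    redirect = {"Location": "https://portal.example/",
                "Strict-Transport-Security": build_hsts()}
    secure = {"Content-Type": "text/html",
              "Strict-Transport-Security": build_hsts()}
    weak = {"Strict-Transport-Security": "max-age=300"}
    print(evaluate_hsts(redirect, served_over_tls=False))
    print(evaluate_hsts(secure, served_over_tls=True))
    print(evaluate_hsts(weak, served_over_tls=True))
```

The redirect itself stays: it is still needed for clients that have never seen the policy. What changes is that the HTTPS responses carry the header, so a returning browser never issues the plaintext request the attacker would intercept.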

399. Which of the following represents a multifactor authentication system?

 
 
 
 
