CAS-004 Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the CAS-004 certification exam? Kickstart your success with our CAS-004 Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with CAS-004 practice questions free gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free CAS-004 practice questions designed to match the real exam in both difficulty and topic coverage. They're ideal for self-assessment or final review.
A SaaS startup is maturing its DevSecOps program and wants to identify weaknesses earlier in the development process in order to reduce the average time to identify serverless application vulnerabilities and the costs associated with remediation. The startup began its early security testing efforts with DAST to cover public-facing application components and recently implemented a bug bounty program. Which of the following will BEST accomplish the company’s objectives?
A. RASP
B. SAST
C. WAF
D. CMS
A security engineer notices the company website allows users to select which country they reside in, such as the following example: https://mycompany.com/main.php?Country=US Which of the following vulnerabilities would MOST likely affect this site?
A. SQL injection
B. Remote file inclusion
C. Directory traversal
D. Unsecure references
A compliance officer is responsible for selecting the right governance framework to protect individuals' data. Which of the following is the appropriate framework for the company to consult when collecting international user data for the purpose of processing credit cards?
A. ISO 27001
B. COPPA
C. NIST 800-53
D. PCI DSS
Following a successful exploitation of an RCE vulnerability during a penetration test, a systems administrator is performing remediation activities of the target system. Since the systems administrator was not involved in the planning process for the penetration test, a production server was inadvertently targeted and impacted by the actions of the penetration tester. Which of the following would be the most appropriate to reduce the impact of the penetration test in the future?
A. Leverage a purple team approach to refine scope definition.
B. Exclude non-production systems from the penetration test.
C. Implement a black-box approach for the penetration test.
D. Include an intercepting proxy in the production environment.
E. Rely on web application vulnerability scans instead of penetration testing.
An organization has deployed a cloud-based application that provides virtual event services globally to clients. During a typical event, thousands of users access various entry pages within a short period of time. The entry pages include sponsor-related content that is relatively static and is pulled from a database. When the first major event occurs, users report poor response time on the entry pages. Which of the following features is the most appropriate for the company to implement?
A. Horizontal scalability
B. Vertical scalability
C. Containerization
D. Static code analysis
E. Caching
A developer is creating a new mobile application for a company. The application uses REST API and TLS 1.2 to communicate securely with the external back-end server. Due to this configuration, the company is concerned about HTTPS interception attacks. Which of the following would be the BEST solution against this type of attack?
A. Cookies
B. Wildcard certificates
C. HSTS
D. Certificate pinning
A company's Chief Information Security Officer is concerned that the company's proposed move to the cloud could lead to a lack of visibility into network traffic flow logs within the VPC. Which of the following compensating controls would be BEST to implement in this situation?
A. EDR
B. SIEM
C. HIDS
D. UEBA
A security administrator wants to detect a potential forged sender claim in the envelope of an email. Which of the following should the security administrator implement? (Choose two.)
A. MX record
B. DMARC
C. SPF
D. DNSSEC
E. S/MIME
F. TLS
An organization has just been breached, and the attacker is exfiltrating data from workstations. The security analyst validates this information with the firewall logs and must stop the activity immediately. Which of the following steps should the security analyst perform NEXT?
A. Determine what data is being stolen and change the folder permissions to read only.
B. Determine which users may have clicked on a malicious email link and suspend their accounts.
C. Determine where the data is being transmitted and create a block rule.
D. Determine if a user inadvertently installed malware from a USB drive and update antivirus definitions.
E. Determine if users have been notified to save their work and turn off their workstations.
A security engineer is implementing DLP. Which of the following should the security engineer include in the overall DLP strategy?
A. Tokenization
B. Network traffic analysis
C. Data classification
D. Multifactor authentication
An organization wants to perform a scan of all its systems against best practice security configurations. Which of the following SCAP standards, when combined, will enable the organization to view each of the configuration checks in a machine-readable checklist format for full automation? (Choose two.)
A. ARF
B. XCCDF
C. CPE
D. CVE
E. CVSS
F. OVAL
An organization's existing infrastructure includes site-to-site VPNs between datacenters. In the past year, a sophisticated attacker exploited a zero-day vulnerability on the VPN concentrator. Consequently, the Chief Information Security Officer (CISO) is making infrastructure changes to mitigate the risk of service loss should another zero-day exploit be used against the VPN solution. Which of the following designs would be BEST for the CISO to use?
A. Adding a second redundant layer of alternate vendor VPN concentrators
B. Using Base64 encoding within the existing site-to-site VPN connections
C. Distributing security resources across VPN sites
D. Implementing IDS services with each VPN concentrator
E. Transitioning to a container-based architecture for site-based services
Which of the following is the best reason for obtaining file hashes from a confiscated laptop?
A. To prevent metadata tampering on each file
B. To later validate the integrity of each file
C. To generate unique identifiers for each file
D. To preserve the chain of custody of files
A cybersecurity analyst discovered a private key that could have been exposed. Which of the following is the BEST way for the analyst to determine if the key has been compromised?
A. HSTS
B. CRL
C. CSRs
D. OCSP
A bank is working with a security architect to find the BEST solution to detect database management system compromises. The solution should meet the following requirements:
- Work at the application layer
- Send alerts on attacks from both privileged and malicious users
- Have a very low false positive rate
Which of the following should the architect recommend?
A. FIM
B. WAF
C. NIPS
D. DAM
E. UTM
A security analyst discovered that the company's WAF was not properly configured. The main web server was breached, and the following payload was found in one of the malicious requests: (&(objectClass=*)(objectClass=*))(&(objectClass=void)(type=admin)) Which of the following would BEST mitigate this vulnerability?
A. Network intrusion prevention
B. Data encoding
C. Input validation
D. CAPTCHA
A company just released a new video card. Due to limited supply and high demand, attackers are employing automated systems to purchase the device through the company's web store so they can resell it on the secondary market. The company's intended customers are frustrated. A security engineer suggests implementing a CAPTCHA system on the web store to help reduce the number of video cards purchased through automated systems. Which of the following now describes the level of risk?
A. Inherent
B. Low
C. Mitigated
D. Residual
E. Transferred
An organization is implementing a new identity and access management architecture with the following objectives:
- Supporting MFA against on-premises infrastructure
- Improving the user experience by integrating with SaaS applications
- Applying risk-based policies based on location
- Performing just-in-time provisioning
Which of the following authentication protocols should the organization implement to support these requirements?
A. Kerberos and TACACS
B. SAML and RADIUS
C. OAuth and OpenID
D. OTP and 802.1X
An organization is looking to establish more robust security measures by implementing PKI. Which of the following should the security analyst implement when considering mutual authentication?
A. Perfect forward secrecy on both endpoints
B. Shared secret for both endpoints
C. Public keys on both endpoints
D. A common public key on each endpoint
E. A common private key on each endpoint
In comparison to other types of alternative processing sites that may be invoked as a part of disaster recovery, cold sites are different because they:
A. have basic utility coverage, including power and water.
B. provide workstations and read-only domain controllers.
C. are generally the least costly to sustain.
D. are the quickest way to restore business.
E. are geographically separated from the company’s primary facilities.
A company implements the following access control methodology based on the following data classifications: The Chief Information Security Officer (CISO) wants to implement an additional layer of access control based on the geographic location of the underlying system that processes and stores data. The additional layer will be added to the existing access control system. Which of the following components must be implemented to achieve these goals? (Choose two.)
A. Tagging
B. Attribute-based access control
C. Role-based access control
D. Groups
E. Tokenization
F. Digital rights management
A security administrator is trying to securely provide public access to specific data from a web application. Clients who want to access the application will be required to:
- Only allow the POST and GET options.
- Transmit all data secured with TLS 1.2 or greater.
- Use specific URLs to access each type of data that is requested.
- Authenticate with a bearer token.
Which of the following should the security administrator recommend to meet these requirements?
A. API gateway
B. Application load balancer
C. Web application firewall
D. Reverse proxy
Leveraging cryptographic solutions to protect data that is in use ensures the data is encrypted:
A. when it is passed across a local network.
B. in memory during processing
C. when it is written to a system’s solid-state drive.
D. by an enterprise hardware security module.
A security engineer is reviewing a record of events after a recent data breach incident that involved the following:
- A hacker conducted reconnaissance and developed a footprint of the company's Internet-facing web application assets.
- A vulnerability in a third-party library was exploited by the hacker, resulting in the compromise of a local account.
- The hacker took advantage of the account's excessive privileges to access a data store and exfiltrate the data without detection.
Which of the following is the BEST solution to help prevent this type of attack from being successful in the future?
A. Dynamic analysis
B. Secure web gateway
C. Software composition analysis
D. User behavior analysis
E. Web application firewall
A security analyst is evaluating the security of an online customer banking system. The analyst has a 12-character password for the test account. At the login screen, the analyst is asked to enter the third, eighth, and eleventh characters of the password. Which of the following describes why this request is a security concern? (Choose two.)
A. The request is evidence that the password is more open to being captured via a keylogger.
B. The request proves that salt has not been added to the password hash, thus making it vulnerable to rainbow tables.
C. The request proves the password is encoded rather than encrypted and thus less secure as it can be easily reversed.
D. The request proves a potential attacker only needs to be able to guess or brute force three characters rather than 12 characters of the password.
E. The request proves the password is stored in a reversible format, making it readable by anyone at the bank who is given access.
F. The request proves the password must be in cleartext during transit, making it open to on-path attacks.
A forensics investigator is analyzing an executable file extracted from storage media that was submitted for evidence. The investigator must use a tool that can identify whether the executable has indicators, which may point to the creator of the file. Which of the following should the investigator use while preserving evidence integrity?
A. ldd
B. bcrypt
C. SHA-3
D. ssdeep
E. dcfldd
A security engineer performed an assessment on a recently deployed web application. The engineer was able to exfiltrate a company report by visiting the following URL: www.intranet.abc.com/get-files.jsp?file=report.pdf Which of the following mitigation techniques would be BEST for the security engineer to recommend?
A. Input validation
B. Firewall
C. WAF
D. DLP
Law enforcement officials informed an organization that an investigation has begun. Which of the following is the FIRST step the organization should take?
A. Initiate a legal hold.
B. Refer to the retention policy.
C. Perform e-discovery.
D. Review the subpoena.
A company plans to build an entirely remote workforce that utilizes a cloud-based infrastructure. The Chief Information Security Officer asks the security engineer to design connectivity to meet the following requirements:
- Only users with corporate-owned devices can directly access servers hosted by the cloud provider.
- The company can control what SaaS applications each individual user can access.
- User browser activity can be monitored.
Which of the following solutions would BEST meet these requirements?
A. IAM gateway, MDM, and reverse proxy
B. VPN, CASB, and secure web gateway
C. SSL tunnel, DLP, and host-based firewall
D. API gateway, UEM, and forward proxy
A significant weather event caused all systems to fail over to the disaster recovery site successfully. However, successful data replication has not occurred in the last six months, which has resulted in the service being unavailable. Which of the following would BEST prevent this scenario from happening again?
A. Performing routine tabletop exercises
B. Implementing scheduled, full interruption tests
C. Backing up system log reviews
D. Performing department disaster recovery walk-throughs
An organization established an agreement with a partner company for specialized help desk services. A senior security officer within the organization is tasked with providing documentation required to set up a dedicated VPN between the two entities. Which of the following should be required?
A. SLA
B. ISA
C. NDA
D. MOU
A BIA of a popular online retailer identified several mission-essential functions that would take more than seven days to recover in the event of an outage. Which of the following should be considered when setting priorities for the restoration of these functions?
A. Supply chain issues
B. Revenue generation
C. Warm-site operations
D. Scheduled impacts to future projects
The Chief Information Officer (CIO) wants to implement enterprise mobility throughout the organization. The goal is to allow employees access to company resources. However, the CIO wants the ability to enforce configuration settings, manage data, and manage both company-owned and personal devices. Which of the following should the CIO implement to achieve this goal?
A. BYOD
B. CYOD
C. COPE
D. MDM
An organization developed an incident response plan. Which of the following would be BEST to assess the effectiveness of the plan?
A. Requesting a third-party review
B. Generating a checklist by organizational unit
C. Establishing role succession and call lists
D. Creating a playbook
E. Performing a tabletop exercise
A company invested a total of $10 million for a new storage solution installed across five on-site datacenters. Fifty percent of the cost of this investment was for solid-state storage. Due to the high rate of wear on this storage, the company is estimating that 5% will need to be replaced per year. Which of the following is the ALE due to storage replacement?
A. $50,000
B. $125,000
C. $250,000
D. $500,000
E. $1,000,000
A company was recently infected by malware. During the root cause analysis, the company determined that several users were installing their own applications. To prevent further compromises, the company has decided it will only allow authorized applications to run on its systems. Which of the following should the company implement?
A. Signing
B. Access control
C. HIPS
D. Permit listing
A company is implementing SSL inspection. During the next six months, multiple web applications that will be separated out with subdomains will be deployed. Which of the following will allow the inspection of the data without multiple certificate deployments?
A. Include all available cipher suites.
B. Create a wildcard certificate.
C. Use a third-party CA.
D. Implement certificate pinning.
A security analyst received a report that a suspicious flash drive was picked up in the office's waiting area, located beyond the secured door. The analyst investigated the drive and found malware designed to harvest and transmit credentials. Security cameras in the area where the flash drive was discovered showed a vendor representative dropping the drive. Which of the following should the analyst recommend as an additional way to identify anyone who enters the building, in the event the camera system fails?
A. Employee badge logs
B. Phone call logs
C. Vehicle registration logs
D. Visitor logs
A networking team was asked to provide secure remote access to all company employees. The team decided to use client-to-site VPN as a solution. During a discussion, the Chief Information Security Officer raised a security concern and asked the networking team to route the Internet traffic of remote users through the main office infrastructure. Doing this would prevent remote users from accessing the Internet through their local networks while connected to the VPN. Which of the following solutions does this describe?
A. Full tunneling
B. Asymmetric routing
C. SSH tunneling
D. Split tunneling
A security researcher identified the following messages while testing a web application:
/file/admin/myprofile.php ERROR file does not exist.
/file/admin/userinfo.php ERROR file does not exist.
/file/admin/adminprofile.php ERROR file does not exist.
/file/admin/admininfo.php ERROR file does not exist.
/file/admin/universalprofile.php ERROR file does not exist.
/file/admin/universalinfo.php ERROR file does not exist.
/file/admin/restrictedprofile.php ACCESS is denied.
/file/admin/restrictedinfo.php ERROR file does not exist.
Which of the following should the researcher recommend to remediate the issue?
A. Software composition analysis
B. Packet inspection
C. Proper error handling
D. Elimination of the use of unsafe functions
A city government's IT director was notified by the city council that the following cybersecurity requirements must be met to be awarded a large federal grant:
- Logs for all critical devices must be retained for 365 days to enable monitoring and threat hunting.
- All privileged user access must be tightly controlled and tracked to mitigate compromised accounts.
- Ransomware threats and zero-day vulnerabilities must be quickly identified.
Which of the following technologies would BEST satisfy these requirements? (Choose three.)
A. Endpoint protection
B. Log aggregator
C. Zero trust network access
D. PAM
E. Cloud sandbox
F. SIEM
G. NGFW
A security architect is analyzing an old application that is not covered for maintenance anymore because the software company is no longer in business. Which of the following techniques should have been implemented to prevent these types of risks?
A. Code reviews
B. Supply chain visibility
C. Software audits
D. Source code escrows
A security consultant needs to protect a network of electrical relays that are used for monitoring and controlling the energy used in a manufacturing facility. Which of the following systems should the consultant review before making a recommendation?
A. CAN
B. ASIC
C. FPGA
D. SCADA
A vulnerability analyst identified a zero-day vulnerability in a company's internally developed software. Since the current vulnerability management system does not have any checks for this vulnerability, an engineer has been asked to create one. Which of the following would be BEST suited to meet these requirements?
A. ARF
B. ISACs
C. Node.js
D. OVAL
A review of the past year's attack patterns shows that attackers stopped reconnaissance after finding a susceptible system to compromise. The company would like to find a way to use this information to protect the environment while still gaining valuable attack information. Which of the following would be BEST for the company to implement?
A. A WAF
B. An IDS
C. A SIEM
D. A honeypot
The following messages are displayed when a VPN client is attempting to connect to an OpenVPN server:
OpenSSL: error: 140760FC:SSL routines: SSL23_GET_CLIENT_HELLO: unknown protocol
TLS_ERROR: BIO read tls_read_plaintext error
TLS_ERROR: TLS object->incoming plaintext read error
TLS_ERROR: TLS handshake failed
SIGUSR1 [soft, tls_error] received, client_instance restarting
Which of the following best explains the cause of these messages?
A. The client is attempting to establish an unencrypted connection with the server.
B. The server is unreachable to the client and a connection cannot be established.
C. The client is using LibreSSL libraries while the server is using OpenSSL libraries.
D. A TLS version mismatch exists between the client and the server.
A developer wants to maintain integrity to each module of a program and ensure controls are in place to detect unauthorized code modification. Which of the following would be BEST for the developer to perform? (Choose two.)
A. Utilize code signing by a trusted third party.
B. Implement certificate-based authentication.
C. Verify MD5 hashes.
D. Compress the program with a password.
E. Encrypt with 3DES.
F. Make the DACL read-only.
Which of the following industrial protocols is most likely to be found in public utility applications, such as water or electric?
A. CIP
B. Zigbee
C. Modbus
D. DNP3
An organization offers SaaS services through a public email and storage provider. To facilitate password resets, a simple online system is set up. During a routine check of the storage each month, a significant increase in use of storage can be seen. Which of the following techniques would remediate the attack?
A. Including input sanitization to the logon page
B. Configuring an account lockout policy
C. Implementing a new password reset system
D. Adding MFA to all accounts
A Chief Information Officer (CIO) wants to implement a cloud solution that will satisfy the following requirements:
- Support all phases of the SDLC.
- Use tailored website portal software.
- Allow the company to build and use its own gateway software.
- Utilize its own data management platform.
- Continue using agent-based security tools.
Which of the following cloud-computing models should the CIO implement?
A. SaaS
B. PaaS
C. MaaS
D. IaaS
We update our question sets regularly, so check back often for new and relevant content.
Good luck with your CAS-004 certification journey!