CAS-003 Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the CAS-003 certification? Take your preparation to the next level with our CAS-003 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a CAS-003 practice exam free is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below, you will find 50 realistic CAS-003 practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
A security manager is determining the best DLP solution for an enterprise. A list of requirements was created to use during the source selection. The security manager wants to confirm a solution exists for the requirements that have been defined. Which of the following should the security manager use?
A. NDA
B. RFP
C. RFQ
D. MSA
E. RFI
A company makes consumer health devices and needs to maintain strict confidentiality of unreleased product designs. Recently, unauthorized photos of products still in development have been for sale on the dark web. The Chief Information Security Officer (CISO) suspects an insider threat, but the team that uses the secret outdoor testing area has been vetted many times, and nothing suspicious has been found. Which of the following is the MOST likely cause of the unauthorized photos?
A. The location of the testing facility was discovered by analyzing fitness device information the test engineers posted on a website.
B. One of the test engineers is working for a competitor and covertly installed a RAT on the marketing department’s servers.
C. The company failed to implement least privilege on network devices, and a hacktivist published stolen public relations photos.
D. Pre-release marketing materials for a single device were accidentally left in a public location.
A security administrator is updating a company's SCADA authentication system with a new application. To ensure interoperability between the legacy system and the new application, which of the following stakeholders should be involved in the configuration process before deployment? (Choose two.)
A. Network engineer
B. Service desk personnel
C. Human resources administrator
D. Incident response coordinator
E. Facilities manager
F. Compliance manager
The email administrator must reduce the number of phishing emails by utilizing more appropriate security controls. The following configurations are already in place:
- Keyword blocking based on word lists
- URL rewriting and protection
- Stripping executable files from messages
Which of the following is the BEST configuration change for the administrator to make?
A. Configure more robust word lists for blocking suspicious emails.
B. Configure appropriate regular expression rules per suspicious email received.
C. Configure Bayesian filtering to block suspicious inbound email.
D. Configure the mail gateway to strip any attachments.
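Added example, not part of the original question set: a minimal naive Bayes classifier next to a static word list, so the difference between the two controls in the question is visible. The training messages, the word list and the test messages are all constructed for this example; a production filter would be trained on the organisation's own labelled mail.

```python
import math
import re
from collections import Counter

# Constructed training corpus for this example (not from the original page):
# a few messages the mail team has already labelled as phishing or legitimate.
TRAINING = [
    ("phish", "urgent: verify your account password now or it will be suspended"),
    ("phish", "your mailbox is full, click the link to verify your password"),
    ("phish", "invoice attached, confirm payment details immediately"),
    ("phish", "suspended account notice: verify now to restore access"),
    ("ham", "minutes from the weekly project meeting are attached"),
    ("ham", "lunch on friday? the new place near the office"),
    ("ham", "please review the attached draft before the client call"),
    ("ham", "the password reset procedure is documented on the wiki"),
]

# A static word list of the kind the question says is already deployed (constructed).
KEYWORD_LIST = {"password", "verify", "suspended"}

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case word tokens, de-duplicated so each word counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


def keyword_block(text):
    """Word-list blocking: any listed word blocks the message, whatever the context."""
    return bool(tokenize(text) & KEYWORD_LIST)


class BayesianFilter:
    """Naive Bayes over message tokens with Laplace (add-one) smoothing."""

    def __init__(self):
        self.word_counts = {"phish": Counter(), "ham": Counter()}
        self.msg_counts = Counter()
        self.vocab = set()

    def train(self, label, text):
        toks = tokenize(text)
        self.msg_counts[label] += 1
        self.word_counts[label].update(toks)
        self.vocab |= toks

    def _log_likelihood(self, label, toks):
        # log P(label) + sum over tokens of log P(token | label)
        logp = math.log(self.msg_counts[label] / sum(self.msg_counts.values()))
        denom = sum(self.word_counts[label].values()) + len(self.vocab)
        for tok in toks:
            # add-one smoothing: a word seen in only one class never yields a zero probability
            logp += math.log((self.word_counts[label][tok] + 1) / denom)
        return logp

    def phish_probability(self, text):
        """P(phish | message); words never seen in training are ignored."""
        toks = tokenize(text) & self.vocab
        diff = self._log_likelihood("ham", toks) - self._log_likelihood("phish", toks)
        if diff > 700:  # avoid overflow in exp() for very confident verdicts
            return 0.0
        if diff < -700:
            return 1.0
        return 1.0 / (1.0 + math.exp(diff))


def build_filter():
    f = BayesianFilter()
    for label, text in TRAINING:
        f.train(label, text)
    return f


def classify(text, threshold=0.5):
    """Verdict for one inbound message from the filter trained on TRAINING."""
    return "phish" if build_filter().phish_probability(text) >= threshold else "ham"


if __name__ == "__main__":
    for msg in ("please verify your password now, your account will be suspended",
                "reminder: password reset procedure is on the wiki"):
        print(f"{classify(msg):5}  keyword-blocked={keyword_block(msg)}  {msg}")
```

The static list blocks the legitimate reminder because it contains the word "password"; the Bayesian filter weighs every word it has seen in both classes, so the same message scores as ham while the credential-harvesting message scores well above the threshold. The practical caveat is the training set: a filter trained on stale or unbalanced samples drifts, so retraining on newly reported phish is part of operating it.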
A network administrator is concerned about a particular server that is attacked occasionally from hosts on the Internet. The server is not critical; however, the attacks impact the rest of the network. While the company's current ISP is cost effective, the ISP is slow to respond to reported issues. The administrator needs to be able to mitigate the effects of an attack immediately without opening a trouble ticket with the ISP. The ISP is willing to accept a very small network route advertised with a particular BGP community string. Which of the following is the BEST way for the administrator to mitigate the effects of these attacks?
A. Use the route protection offered by the ISP to accept only BGP routes from trusted hosts on the Internet, which will discard traffic from attacking hosts.
B. Work with the ISP and subscribe to an IPS filter that can recognize the attack patterns of the attacking hosts, and block those hosts at the local IPS device.
C. Advertise a /32 route to the ISP to initiate a remotely triggered black hole, which will discard traffic destined to the problem server at the upstream provider.
D. Add a redundant connection to a second local ISP, so a redundant connection is available for use if the server is being attacked on one connection.
At a meeting, the systems administrator states the security controls a company wishes to implement seem excessive, since all of the information on the company's web servers can be obtained publicly and is not proprietary in any way. The next day the company's website is defaced as part of an SQL injection attack, and the company receives press inquiries about the message the attackers displayed on the website. Which of the following is the FIRST action the company should take?
A. Refer to and follow procedures from the company’s incident response plan.
B. Call a press conference to explain that the company has been hacked.
C. Establish chain of custody for all systems to which the systems administrator has access.
D. Conduct a detailed forensic analysis of the compromised system.
E. Inform the communications and marketing department of the attack details.
A company that has been breached multiple times is looking to protect cardholder data. The previous undetected attacks all mimicked normal administrative-type behavior. The company must deploy a host solution to meet the following requirements:
- Detect administrative actions
- Block unwanted MD5 hashes
- Provide alerts
- Stop exfiltration of cardholder data
Which of the following solutions would BEST meet these requirements? (Choose two.)
A. AV
B. EDR
C. HIDS
D. DLP
E. HIPS
F. EFS
A recent security assessment revealed a web application may be vulnerable to clickjacking. According to the application developers, a fix may be months away. Which of the following should a security engineer configure on the web server to help mitigate the issue?
A. File upload size limits
B. HttpOnly cookie field
C. X-Frame-Options header
D. Input validation
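Added example, not part of the original question set: the check a security engineer would run after adding the header, covering the cases that trip people up (the obsolete ALLOW-FROM form, unrecognised values, and a Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options). The sample responses and the nginx directives are constructed for this example.

```python
# Constructed sample responses (headers only) for this example; not captured from any site.
SAMPLE_RESPONSES = {
    "no_protection": {"Content-Type": "text/html"},
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"Content-Type": "text/html", "x-frame-options": "sameorigin"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "xfo_garbage": {"X-Frame-Options": "ALLOWALL"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "csp_overrides_bad_xfo": {"Content-Security-Policy": "frame-ancestors 'self'",
                              "X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_without_frame_ancestors": {"Content-Security-Policy": "default-src 'self'"},
}

# Server-side directives (nginx syntax) an engineer can add while the application fix is pending.
NGINX_MITIGATION = """
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;
"""


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the policy lacks it."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def clickjacking_posture(headers):
    """Return (protected, reason). CSP frame-ancestors is checked first because
    browsers that support it ignore X-Frame-Options when both are present."""
    csp = header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return True, "CSP frame-ancestors 'none': framing disallowed everywhere"
            if "*" in sources:
                return False, "CSP frame-ancestors * allows any site to frame the page"
            return True, f"CSP frame-ancestors restricts framing to {' '.join(sources)}"
    xfo = header(headers, "X-Frame-Options")
    if xfo is None:
        return False, "no X-Frame-Options and no CSP frame-ancestors"
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete; current browsers ignore it and allow framing"
    return False, f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"


def audit(responses):
    """Map each sample name to whether its headers defend against framing."""
    return {name: clickjacking_posture(h)[0] for name, h in responses.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        protected, reason = clickjacking_posture(hdrs)
        print(f"{'OK ' if protected else 'BAD'} {name:28} {reason}")
```

The header is a stop-gap, which is why the question frames it as a web-server change rather than an application fix: it must be emitted on every HTML response, including error pages, and the check above should be run against each of them.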
A vulnerability was recently announced that allows a malicious user to gain root privileges on other virtual machines running within the same hardware cluster. Customers of which of the following cloud-based solutions should be MOST concerned about this vulnerability?
A. Single-tenant private cloud
B. Multitenant SaaS cloud
C. Single-tenant hybrid cloud
D. Multitenant IaaS cloud
E. Multitenant PaaS cloud
F. Single-tenant public cloud
A consulting firm was hired to conduct an assessment for a company. During the first stage, a penetration tester used a tool that provided the following output:
- TCP 80 open
- TCP 443 open
- TCP 1434 filtered
The penetration tester then used a different tool to make the following requests:
- GET /script/login.php?token=45$MHT000MND876
- GET /script/login.php?token=@#984DCSPQ%091DF
Which of the following tools did the penetration tester use?
A. Protocol analyzer
B. Port scanner
C. Fuzzer
D. Brute forcer
E. Log analyzer
F. HTTP interceptor
A company monitors the performance of all web servers using WMI. A network administrator informs the security engineer that web servers hosting the company's client-facing portal are running slowly today. After some investigation, the security engineer notices a large number of attempts at enumerating host information via SNMP from multiple IP addresses. Which of the following would be the BEST technique for the security engineer to employ in an attempt to prevent reconnaissance activity?
A. Install a HIPS on the web servers
B. Disable inbound traffic from offending sources
C. Disable SNMP on the web servers
D. Install anti-DDoS protection in the DMZ
A hospital is deploying new imaging software that requires a web server for access to images for both local and remote users. The web server allows user authentication via secure LDAP. The information security officer wants to ensure the server does not allow unencrypted access to the imaging server by using Nmap to gather additional information. Given the following:
- The imaging server IP is 192.168.101.24.
- The domain controller IP is 192.168.100.1.
- The client machine IP is 192.168.200.37.
Which of the following should be used to confirm this is the only open port on the web server?
A. nmap -p 80,443 192.168.101.24
B. nmap -p 80, 443,389,636 192.168.100.1
C. nmap -p 80,389 192.168.200.37
D. nmap -p- 192.168.101.24
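Added example, not part of the original question set: scanning only ports 80 and 443 can confirm that those two are open, but it cannot confirm that nothing else is, which is why the full-range form (`-p-`, ports 1-65535) is the right tool. The script below builds that command with grepable output (`-oG -`) and parses the result against the allowed set. The scan output is constructed for this example, not captured from a real host.

```python
import re

TARGET = "192.168.101.24"   # the imaging web server from the question
EXPECTED_OPEN = {443}       # only TLS-protected access should be reachable


def full_port_scan_command(target):
    """nmap invocation: every TCP port (-p-), grepable output to stdout (-oG -)."""
    return ["nmap", "-p-", "-oG", "-", target]


# Constructed sample of nmap grepable output for this example (not real scan data).
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -p- -oG - 192.168.101.24\n"
    "Host: 192.168.101.24 ()\tStatus: Up\n"
    "Host: 192.168.101.24 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//ssl|http///, "
    "389/closed/tcp//ldap///\tIgnored State: filtered (65532)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# Each grepable port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_open_ports(grepable, target):
    """Return the set of open TCP ports reported for `target` in -oG output."""
    open_ports = set()
    for line in grepable.splitlines():
        if not line.startswith(f"Host: {target} ") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_ENTRY.findall(ports_field):
            if state == "open" and proto == "tcp":
                open_ports.add(int(port))
    return open_ports


def unexpected_open_ports(grepable, target=TARGET, expected=EXPECTED_OPEN):
    """Open ports on the host that are not in the approved set."""
    return parse_open_ports(grepable, target) - set(expected)


if __name__ == "__main__":
    print(" ".join(full_port_scan_command(TARGET)))
    print("open:", sorted(parse_open_ports(SAMPLE_GREPABLE, TARGET)))
    print("not approved:", sorted(unexpected_open_ports(SAMPLE_GREPABLE)))
```

Two caveats a practitioner would add: `-p-` covers TCP only, so an unencrypted UDP service would need a separate `-sU` scan, and a port reported as filtered is not proven closed, only unreachable from the scanning host.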
A recent CRM upgrade at a branch office was completed after the desired deadline. Several technical issues were found during the upgrade and need to be discussed in depth before the next branch office is upgraded. Which of the following should be used to identify weak processes and other vulnerabilities?
A. Gap analysis
B. Benchmarks and baseline results
C. Risk assessment
D. Lessons learned report
A managed service provider is designing a log aggregation service for customers who no longer want to manage an internal SIEM infrastructure. The provider expects that customers will send all types of logs to them, and that log files could contain very sensitive entries. Customers have indicated they want on-premises and cloud-based infrastructure logs to be stored in this new service. An engineer, who is designing the new service, is deciding how to segment customers. Which of the following is the BEST statement for the engineer to take into consideration?
A. Single-tenancy is often more expensive and has less efficient resource utilization. Multitenancy may increase the risk of cross-customer exposure in the event of service vulnerabilities.
B. The managed service provider should outsource security of the platform to an existing cloud company. This will allow the new log service to be launched faster and with well-tested security controls.
C. Due to the likelihood of large log volumes, the service provider should use a multitenancy model for the data storage tier, enable data deduplication for storage cost efficiencies, and encrypt data at rest.
D. The most secure design approach would be to give customers on-premises appliances, install agents on endpoints, and then remotely manage the service via a VPN.
While conducting online research about a company to prepare for an upcoming penetration test, a security analyst discovers detailed financial information on an investor website the company did not make public. The analyst shares this information with the Chief Financial Officer (CFO), who confirms the information is accurate, as it was recently discussed at a board of directors meeting. Many of the details are verbatim discussion comments captured by the board secretary for purposes of transcription on a mobile device. Which of the following would MOST likely prevent a similar breach in the future?
A. Remote wipe
B. FDE
C. Geolocation
D. eFuse
E. VPN
A security engineer is investigating a compromise that occurred between two internal computers. The engineer has determined during the investigation that one computer infected another. While reviewing the IDS logs, the engineer can view the outbound callback traffic, but sees no traffic between the two computers. Which of the following would BEST address the IDS visibility gap?
A. Install network taps at the edge of the network.
B. Send syslog from the IDS into the SIEM.
C. Install HIDS on each computer.
D. SPAN traffic from the network core into the IDS.
A security engineer is performing an assessment again for a company. The security engineer examines the following output from the review: Which of the following tools is the engineer utilizing to perform this assessment?
A. Vulnerability scanner
B. SCAP scanner
C. Port scanner
D. Interception proxy
An external red team is brought into an organization to perform a penetration test of a new network-based application. The organization deploying the network application wants the red team to act like remote, external attackers, and instructs the team to use a black-box approach. Which of the following is the BEST methodology for the red team to follow?
A. Run a protocol analyzer to determine what traffic is flowing in and out of the server, and look for ways to alter the data stream that will result in information leakage or a system failure.
B. Send out spear-phishing emails against users who are known to have access to the network-based application, so the red team can go on-site with valid credentials and use the software.
C. Examine the application using a port scanner, then run a vulnerability scanner against open ports looking for known, exploitable weaknesses the application and related services may have.
D. Ask for more details regarding the engagement using social engineering tactics in an attempt to get the organization to disclose more information about the network application to make attacks easier.
A creative services firm has a limited security budget and staff. Due to its business model, the company sends and receives a high volume of files every day through the preferred method defined by its customers. These include email, secure file transfers, and various cloud service providers. Which of the following would BEST reduce the risk of malware infection while meeting the company's resource requirements and maintaining its current workflow?
A. Configure a network-based intrusion prevention system
B. Contract a cloud-based sandbox security service
C. Enable customers to send and receive files via SFTP
D. Implement appropriate DLP systems with strict policies
A security assessor is working with an organization to review the policies and procedures associated with managing the organization's virtual infrastructure. During a review of the virtual environment, the assessor determines the organization is using servers to provide more than one primary function, which violates a regulatory requirement. The assessor reviews hardening guides and determines policy allows for this configuration. It would be MOST appropriate for the assessor to advise the organization to:
A. segment dual-purpose systems on a hardened network segment with no external access
B. assess the risks associated with accepting non-compliance with regulatory requirements
C. update system implementation procedures to comply with regulations
D. review regulatory requirements and implement new policies on any newly provisioned servers
A security administrator is updating corporate policies to respond to an incident involving collusion between two systems administrators that went undetected for more than six months. Which of the following policies would have MOST likely uncovered the collusion sooner? (Choose two.)
A. Mandatory vacation
B. Separation of duties
C. Continuous monitoring
D. Incident response
E. Time-of-day restrictions
F. Job rotation
The finance department has started to use a new payment system that requires strict PII security restrictions on various network devices. The company decides to enforce the restrictions and configure all devices appropriately. Which of the following risk response strategies is being used?
A. Avoid
B. Mitigate
C. Transfer
D. Accept
A security researcher at an organization is reviewing potential threats to the VoIP phone system infrastructure, which uses a gigabit Internet connection. The researcher finds a vulnerability and knows placing an IPS in front of the phone system will mitigate the risk. The researcher gathers the following information about various IPS systems: The organization is concerned about cost, but call quality is critical to its operations. Which of the following vendors would be BEST for the organization to choose?
A. Vendor 1
B. Vendor 2
C. Vendor 3
D. Vendor 4
E. Vendor 5
A new security policy states all wireless and wired authentication must include the use of certificates when connecting to internal resources within the enterprise LAN by all employees. Which of the following should be configured to comply with the new security policy? (Choose two.)
A. SSO
B. New pre-shared key
C. 802.1X
D. OAuth
E. Push-based authentication
F. PKI
A company is developing requirements for a customized OS build that will be used in an embedded environment. The company procured hardware that is capable of reducing the likelihood of successful buffer overruns while executables are processing. Which of the following capabilities must be included for the OS to take advantage of this critical hardware-based countermeasure?
A. Application whitelisting
B. NX/XN bit
C. ASLR
D. TrustZone
E. SCP
A large enterprise with thousands of users is experiencing a relatively high frequency of malicious activity from the insider threats. Much of the activity appears to involve internal reconnaissance that results in targeted attacks against privileged users and network file shares. Given this scenario, which of the following would MOST likely prevent or deter these attacks? (Choose two.)
A. Conduct role-based training for privileged users that highlights common threats against them and covers best practices to thwart attacks
B. Increase the frequency at which host operating systems are scanned for vulnerabilities, and decrease the amount of time permitted between vulnerability identification and the application of corresponding patches
C. Enforce command shell restrictions via group policies for all workstations by default to limit which native operating system tools are available for use
D. Modify the existing rules of behavior to include an explicit statement prohibiting users from enumerating user and file directories using available tools and/or accessing visible resources that do not directly pertain to their job functions
E. For all workstations, implement full-disk encryption and configure UEFI instances to require complex passwords for authentication
F. Implement application blacklisting enforced by the operating systems of all machines in the enterprise
An analyst is investigating anomalous behavior on a corporate-owned, corporate-managed mobile device with application whitelisting enabled, based on a name string. The employee to whom the device is assigned reports the approved email client is displaying warning messages that can launch browser windows and is adding unrecognized email addresses to the `compose` window. Which of the following would provide the analyst the BEST chance of understanding and characterizing the malicious behavior?
A. Reverse engineer the application binary.
B. Perform static code analysis on the source code.
C. Analyze the device firmware via the JTAG interface.
D. Change to a whitelist that uses cryptographic hashing.
E. Penetration test the mobile application.
A threat advisory alert was just emailed to the IT security staff. The alert references specific types of host operating systems that can allow an unauthorized person to access files on a system remotely. A fix was recently published, but it requires a recent endpoint protection engine to be installed prior to running the fix. Which of the following MOST likely need to be configured to ensure the systems are mitigated accordingly? (Choose two.)
A. Antivirus
B. HIPS
C. Application whitelisting
D. Patch management
E. Group policy implementation
F. Firmware updates
A developer has executed code for a website that allows users to search for employees' phone numbers by last name. The query string sent by the browser is as follows: http://www.companywebsite.com/search.php?q=SMITH The developer has implemented a well-known JavaScript sanitization library and stored procedures, but a penetration test shows the website is vulnerable to XSS. Which of the following should the developer implement NEXT to prevent XSS? (Choose two.)
A. Sanitization library
B. Secure cookies
C. TLS encryption
D. Input serialization
E. Output encoding
F. PUT form submission
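Added example, not part of the original question set: why the two controls already in place do not stop this XSS and what output encoding looks like. Stored procedures address SQL injection, not script reflected into the page, and a JavaScript sanitization library runs in the victim's browser after the server has already echoed the payload (an attacker simply sends the request without it). The page fragments and the payload below are constructed for this example; the normal case is the question's `q=SMITH`.

```python
import html
import json

# Constructed attacker input for the example.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_vulnerable(q):
    """The reflected-XSS pattern: the query parameter is dropped straight into HTML."""
    return f'<h1>Results for {q}</h1><input name="q" value="{q}">'


def render_encoded(q):
    """Same page with output encoding applied at the point of insertion.
    html.escape with quote=True covers both the text node and the quoted attribute."""
    safe = html.escape(q, quote=True)
    return f'<h1>Results for {safe}</h1><input name="q" value="{safe}">'


def render_js_context(q):
    """When the value is echoed inside an inline script, HTML entity encoding is the
    wrong tool; emit a JSON string literal with <, > and & escaped so a '</script>'
    in the input cannot close the element."""
    literal = (json.dumps(q)
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))
    return f"<script>var query = {literal};</script>"


def reflects_payload(page, payload=PAYLOAD):
    """Pentest-style check: does the attacker's string appear verbatim in the response?"""
    return payload in page


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(PAYLOAD))
    print("encoded    :", render_encoded(PAYLOAD))
    print("js context :", render_js_context(PAYLOAD))
```

Encoding is chosen per output context (HTML body, attribute, JavaScript string, URL), which is why a single "sanitize everything" step on input keeps failing: the same string is safe in one context and executable in another.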
A security engineer is embedded with a development team to ensure security is built into products being developed. The security engineer wants to ensure developers are not blocked by a large number of security requirements applied at specific schedule points. Which of the following solutions BEST meets the engineer's goal?
A. Schedule weekly reviews of all unit test results with the entire development team and follow up between meetings with surprise code inspections.
B. Develop and implement a set of automated security tests to be installed on each development team leader’s workstation.
C. Enforce code quality and reuse standards into the requirements definition phase of the waterfall development process.
D. Deploy an integrated software tool that builds and tests each portion of code committed by developers and provides feedback.
A server was compromised recently, and two unauthorized daemons were set up to listen for incoming connections. In addition, CPU cycles were being used by an additional unauthorized cron job. Which of the following would have prevented the breach if it was properly configured?
A. Set up log forwarding and utilize a SIEM for centralized management and alerting.
B. Use a patch management system to close the vulnerabilities in a shorter time frame.
C. Implement a NIDS/NIPS.
D. Deploy SELinux using the system baseline as the starting point.
E. Configure the host firewall to block unauthorized inbound connections.
A breach was caused by an insider threat in which customer PII was compromised. Following the breach, a lead security analyst is asked to determine which vulnerabilities the attacker used to access company resources. Which of the following should the analyst use to remediate the vulnerabilities?
A. Protocol analyzer
B. Root cause analysis
C. Behavioral analytics
D. Data leak prevention
A security analyst is classifying data based on input from data owners and other stakeholders. The analyst has identified three data types: 1. Financially sensitive data 2. Project data 3. Sensitive project data The analyst proposes that the data be protected in two major groups, with further access control separating the financially sensitive data from the sensitive project data. The normal project data will be stored in a separate, less secure location. Some stakeholders are concerned about the recommended approach and insist that commingling data from different sensitive projects would leave them vulnerable to industrial espionage. Which of the following is the BEST course of action for the analyst to recommend?
A. Conduct a quantitative evaluation of the risks associated with commingling the data and reject or accept the concerns raised by the stakeholders.
B. Meet with the affected stakeholders and determine which security controls would be sufficient to address the newly raised risks.
C. Use qualitative methods to determine aggregate risk scores for each project and use the derived scores to more finely segregate the data.
D. Increase the number of available data storage devices to provide enough capacity for physical separation of non-sensitive project data.
A security engineer has been hired to design a device that will enable the exfiltration of data from within a well-defended network perimeter during an authorized test. The device must bypass all firewalls and NIDS in place, as well as allow for the upload of commands from a centralized command and control server. The total cost of the device must be kept to a minimum in case the device is discovered during an assessment. Which of the following tools should the engineer load onto the device being designed?
A. Custom firmware with rotating key generation
B. Automatic MITM proxy
C. TCP beacon broadcast software
D. Reverse shell endpoint listener
A security researcher is gathering information about a recent spike in the number of targeted attacks against multinational banks. The spike is on top of already sustained attacks against the banks. Some of the previous attacks have resulted in the loss of sensitive data, but as of yet the attackers have not successfully stolen any funds. Based on the information available to the researcher, which of the following is the MOST likely threat profile?
A. Nation-state-sponsored attackers conducting espionage for strategic gain.
B. Insiders seeking to gain access to funds for illicit purposes.
C. Opportunists seeking notoriety and fame for personal gain.
D. Hacktivists rolling out a marketing campaign to change landing pages.
A security analyst works for a defense contractor that produces classified research on drones. The contractor faces nearly constant attacks from sophisticated nation-state actors and other APTs. Which of the following would help protect the confidentiality of the research data?
A. Use diverse components in layers throughout the architecture
B. Implement non-heterogeneous components at the network perimeter
C. Purge all data remnants from client devices’ volatile memory at regularly scheduled intervals
D. Use only in-house developed applications that adhere to strict SDLC security requirements
A security administrator is hardening a TrustedSolaris server that processes sensitive data. The data owner has established the following security requirements:
- The data is for internal consumption only and shall not be distributed to outside individuals
- The systems administrator should not have access to the data processed by the server
- The integrity of the kernel image is maintained
Which of the following host-based security controls BEST enforce the data owner's requirements? (Choose three.)
A. SELinux
B. DLP
C. HIDS
D. Host-based firewall
E. Measured boot
F. Data encryption
G. Watermarking
Company leadership believes employees are experiencing an increased number of cyber attacks; however, the metrics do not show this. Currently, the company uses `Number of successful phishing attacks` as a KRI, but it does not show an increase. Which of the following additional information should the Chief Information Security Officer (CISO) include in the report?
A. The ratio of phishing emails to non-phishing emails
B. The number of phishing attacks per employee
C. The number of unsuccessful phishing attacks
D. The percent of successful phishing attacks
An employee decides to log into an authorized system. The system does not prompt the employee for authentication prior to granting access to the console, and it cannot authenticate the network resources. Which of the following attack types can this lead to if it is not mitigated?
A. Memory leak
B. Race condition
C. Smurf
D. Deadlock
A security consultant is conducting a penetration test against a customer enterprise that comprises local hosts and cloud-based servers. The hosting service employs a multitenancy model with elastic provisioning to meet customer demand. The customer runs multiple virtualized servers on each provisioned cloud host. The security consultant is able to obtain multiple sets of administrator credentials without penetrating the customer network. Which of the following is the MOST likely risk the tester exploited?
A. Data-at-rest encryption misconfiguration and repeated key usage
B. Offline attacks against the cloud security broker service
C. The ability to scrape data remnants in a multitenancy environment
D. VM escape attacks against the customer network hypervisors
As part of an organization's compliance program, administrators must complete a hardening checklist and note any potential improvements. The process of noting improvements in the checklist is MOST likely driven by:
A. the collection of data as part of the continuous monitoring program.
B. adherence to policies associated with incident response.
C. the organization’s software development life cycle.
D. changes in operating systems or industry trends.
An organization that develops military technology is considering expansion into a foreign country. The organization's owners want to understand the risks associated with such an expansion, and the organization does not want to fund an intensive assessment. Which of the following approaches should be taken?
A. Penetration test
B. Tabletop assessment
C. Compliance assessment
D. Configuration security test
A systems administrator recently joined an organization and has been asked to perform a security assessment of controls on the organization's file servers, which contain client data from a number of sensitive systems. The administrator needs to compare documented access requirements to the access implemented within the file system. Which of the following is MOST likely to be reviewed during the assessment? (Choose two.)
A. Access control list
B. Security requirements traceability matrix
C. Data owner matrix
D. Roles matrix
E. Data design document
F. Data access policies
An information security officer is responsible for one secure network and one office network. Recent intelligence suggests there is an opportunity for attackers to gain access to the secure network due to similar login credentials across networks. To determine the users who should change their information, the information security officer uses a tool to scan a file with hashed values on both networks and receives the following data: Which of the following tools was used to gather this information from the hashed values in the file?
A. Vulnerability scanner
B. Fuzzer
C. MD5 generator
D. Password cracker
E. Protocol analyzer
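Added example, not part of the original question set: how a reviewer actually gets from two files of hashed values to a list of users who must change their passwords. With unsalted hashes (the constructed dumps below use MD5, computed from known plaintexts so the example is reproducible), an identical digest on both networks already proves reuse, and a dictionary attack additionally shows which of those passwords are weak. With salted hashes the direct comparison no longer works and each hash has to be cracked before the plaintexts can be compared, which is the job of a password cracker rather than a hash generator.

```python
import hashlib


def md5hex(password):
    return hashlib.md5(password.encode()).hexdigest()


# Constructed dumps for this example (not from the page): user -> unsalted MD5 digest.
SECURE_NET = {"alice": md5hex("password"), "bob": md5hex("123456"), "carol": md5hex("hunter2")}
OFFICE_NET = {"alice": md5hex("password"), "bob": md5hex("12345678"), "carol": md5hex("hunter2")}

# Small constructed wordlist standing in for a real dictionary.
WORDLIST = ["letmein", "password", "123456", "12345678", "qwerty"]


def shared_hashes(dump_a, dump_b):
    """Users whose stored hash is identical on both networks. Unsalted, an identical
    digest means an identical password, so reuse is flagged without cracking anything."""
    return {u for u in dump_a if u in dump_b and dump_a[u] == dump_b[u]}


def dictionary_attack(dump, wordlist, hash_fn=md5hex):
    """Unsalted case: hash every candidate once and look it up against every user."""
    lookup = {hash_fn(w): w for w in wordlist}
    return {u: lookup[h] for u, h in dump.items() if h in lookup}


# Salted variant: the same password hashes differently per user, so hash equality
# no longer reveals reuse and every entry must be cracked with its own salt.
def salted_hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()


SECURE_SALTED = {"alice": (b"s-a1", salted_hash("password", b"s-a1")),
                 "bob": (b"s-b2", salted_hash("123456", b"s-b2"))}
OFFICE_SALTED = {"alice": (b"o-a1", salted_hash("password", b"o-a1")),
                 "bob": (b"o-b2", salted_hash("12345678", b"o-b2"))}


def dictionary_attack_salted(dump, wordlist):
    """Per-user cracking: each candidate is rehashed with that user's salt."""
    cracked = {}
    for user, (salt, digest) in dump.items():
        for word in wordlist:
            if salted_hash(word, salt) == digest:
                cracked[user] = word
                break
    return cracked


def reused_plaintexts(cracked_a, cracked_b):
    """Users whose recovered password is the same on both networks."""
    return {u for u in cracked_a if cracked_b.get(u) == cracked_a[u]}


def users_to_notify_salted(dump_a, dump_b, wordlist):
    return reused_plaintexts(dictionary_attack_salted(dump_a, wordlist),
                             dictionary_attack_salted(dump_b, wordlist))


if __name__ == "__main__":
    print("reused (unsalted, by hash):", sorted(shared_hashes(SECURE_NET, OFFICE_NET)))
    print("weak on secure net:", dictionary_attack(SECURE_NET, WORDLIST))
    print("reused (salted, after cracking):", sorted(users_to_notify_salted(SECURE_SALTED, OFFICE_SALTED, WORDLIST)))
```

Note the asymmetry the salted case introduces: carol's reused password is caught by hash comparison in the unsalted dumps even though it is not in the wordlist, but with per-user salts a reused password that the cracker cannot recover is invisible to this method, so the finding is a lower bound on reuse, not a complete list.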
A penetration tester is on an active engagement and has access to a remote system. The penetration tester wants to bypass the DLP, which is blocking emails that are encrypted or contain sensitive company information. Which of the following cryptographic techniques should the penetration tester use?
A. GNU Privacy Guard
B. UUencoding
C. DNSCrypt
D. Steganography
A company is purchasing an application that will be used to manage all IT assets as well as provide an incident and problem management solution for IT activity. The company narrows the search to two products, Application A and Application B, which meet all of its requirements. Application A is the most cost-effective product, but it is also the riskiest, so the company purchases Application B. Which of the following types of strategies did the company use when determining risk appetite?
A. Mitigation
B. Acceptance
C. Avoidance
D. Transfer
A network service on a production system keeps crashing at random times. The systems administrator suspects a bug in the listener is causing the service to crash, resulting in a DoS. When the service crashes, a core dump is left in the /tmp directory. Which of the following tools can the systems administrator use to reproduce these symptoms?
A. Fuzzer
B. Vulnerability scanner
C. Core dump analyzer
D. Debugger
A company contracts a security engineer to perform a penetration test of its client-facing web portal. Which of the following activities would be MOST appropriate?
A. Use a protocol analyzer against the site to see if data input can be replayed from the browser
B. Scan the website through an interception proxy and identify areas for the code injection
C. Scan the site with a port scanner to identify vulnerable services running on the web server
D. Use network enumeration tools to identify if the server is running behind a load balancer
While attending a meeting with the human resources department, an organization's information security officer sees an employee using a username and password written on a memo pad to log into a specific service. When the information security officer inquires further as to why passwords are being written down, the response is that there are too many passwords to remember for all the different services the human resources department is required to use. Additionally, each password has specific complexity requirements and different expiration time frames. Which of the following would be the BEST solution for the information security officer to recommend?
A. Utilizing MFA
B. Implementing SSO
C. Deploying 802.1X
D. Pushing SAML adoption
E. Implementing TACACS
A security appliance vendor is reviewing an RFP that is requesting solutions for the defense of a set of web-based applications. This RFP is from a financial institution with very strict performance requirements. The vendor would like to respond with its solutions. Before responding, which of the following factors is MOST likely to have an adverse effect on the vendor's qualifications?
A. The solution employs threat information-sharing capabilities using a proprietary data model.
B. The RFP is issued by a financial institution that is headquartered outside of the vendor’s own country.
C. The overall solution proposed by the vendor comes in less than the TCO parameter in the RFP.
D. The vendor’s proposed solution operates below the KPPs indicated in the RFP.
Free Access Full CAS-003 Practice Exam Free
Looking for additional practice? Click here to access a full set of CAS-003 practice exam free questions and continue building your skills across all exam domains.
Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!
Good luck with your CAS-003 certification journey!