CAS-003 Practice Test Free – 50 Real Exam Questions to Boost Your Confidence
Preparing for the CAS-003 exam? Start with our CAS-003 Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.
Taking a CAS-003 practice test free is one of the smartest ways to:
- Get familiar with the real exam format and question types
- Evaluate your strengths and spot knowledge gaps
- Gain the confidence you need to succeed on exam day
Below, you will find 50 free CAS-003 practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
As part of an organization's compliance program, administrators must complete a hardening checklist and note any potential improvements. The process of noting improvements in the checklist is MOST likely driven by:
A. the collection of data as part of the continuous monitoring program.
B. adherence to policies associated with incident response.
C. the organization’s software development life cycle.
D. changes in operating systems or industry trends.
During the deployment of a new system, the implementation team determines that APIs used to integrate the new system with a legacy system are not functioning properly. Further investigation shows there is a misconfigured encryption algorithm used to secure data transfers between systems. Which of the following should the project manager use to determine the source of the defined algorithm in use?
A. Code repositories
B. Security requirements traceability matrix
C. Software development lifecycle
D. Roles matrix
E. Implementation guide
A security architect is implementing security measures in response to an external audit that found vulnerabilities in the corporate collaboration tool suite. The report identified the lack of any mechanism to provide confidentiality for electronic correspondence between users and between users and group mailboxes. Which of the following controls would BEST mitigate the identified vulnerability?
A. Issue digital certificates to all users, including owners of group mailboxes, and require S/MIME with AES-256.
B. Federate with an existing PKI provider, and reject all non-signed emails
C. Implement two-factor email authentication, and require users to hash all email messages upon receipt
D. Provide digital certificates to all systems, and eliminate the user group or shared mailboxes
An organization is currently performing a market scan for managed security services and EDR capability. Which of the following business documents should be released to the prospective vendors in the first step of the process? (Choose two.)
A. MSA
B. RFP
C. NDA
D. RFI
E. MOU
F. RFQ
A security manager wants to implement a policy that will provide management with the ability to monitor employees' activities with minimum impact to productivity. Which of the following policies is BEST suited for this scenario?
A. Separation of duties
B. Mandatory vacations
C. Least privilege
D. Incident response
A server (10.0.0.2) on the corporate network is experiencing a DoS from a number of marketing desktops that have been compromised and are connected to a separate network segment. The security engineer implements the following configuration on the management router (configuration exhibit not shown): Which of the following is the engineer implementing?
A. Remotely triggered black hole
B. Route protection
C. Port security
D. Transport security
E. Address space layout randomization
To meet an SLA, which of the following documents should be drafted to define the company's internal interdependent unit responsibilities and delivery timelines?
A. BPA
B. OLA
C. MSA
D. MOU
An infrastructure team within an energy organization is at the end of a procurement process and has selected a vendor's SaaS platform to deliver services. As part of the legal negotiation, there are a number of outstanding risks, including: 1. There are clauses that confirm a data retention period in line with what is in the energy organization's security policy. 2. The data will be hosted and managed outside of the energy organization's geographical location. The number of users accessing the system will be small, and no sensitive data will be hosted in the SaaS platform. Which of the following should the project's security consultant recommend as the NEXT step?
A. Develop a security exemption, as the solution does not meet the security policies of the energy organization.
B. Require a solution owner within the energy organization to accept the identified risks and consequences.
C. Mitigate the risks by asking the vendor to accept the in-country privacy principles and modify the retention period.
D. Review the procurement process to determine the lessons learned in relation to discovering risks toward the end of the process.
A technician is validating compliance with organizational policies. The user and machine accounts in the AD are not set to expire, which is non-compliant. Which of the following network tools would provide this type of information?
A. SIEM server
B. IDS appliance
C. SCAP scanner
D. HTTP interceptor
A hospital is deploying new imaging software that requires a web server for access to images for both local and remote users. The web server allows user authentication via secure LDAP. The information security officer wants to ensure the server does not allow unencrypted access to the imaging server by using Nmap to gather additional information. Given the following: ✑ The imaging server IP is 192.168.101.24. ✑ The domain controller IP is 192.168.100.1. ✑ The client machine IP is 192.168.200.37. Which of the following should be used to confirm this is the only open port on the web server?
A. nmap -p 80,443 192.168.101.24
B. nmap -p 80,443,389,636 192.168.100.1
C. nmap -p 80,389 192.168.200.37
D. nmap -p- 192.168.101.24
A healthcare company wants to increase the value of the data it collects on its patients by making the data available to third-party researchers for a fee. Which of the following BEST mitigates the risk to the company?
A. Log all access to the data and correlate with the researcher.
B. Anonymize identifiable information using keyed strings.
C. Ensure all data is encrypted in transit to the researcher.
D. Ensure all researchers sign and abide by non-disclosure agreements.
E. Sanitize date and time stamp information in the records.
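The "keyed strings" in option B refer to keyed pseudonymization: replacing each direct identifier with an HMAC under a secret key the company keeps, so the researcher can still link one patient's records together but cannot reverse the reference. The following is an added example, not part of the exam or this page; the records, the candidate SSN list and the key are constructed for illustration, and the field names are assumptions.

```python
import hashlib
import hmac

# Constructed sample records; these are not real patients or SSNs.
RECORDS = [
    {"ssn": "123-45-6789", "zip": "02139", "diagnosis": "J45.20"},
    {"ssn": "987-65-4321", "zip": "98101", "diagnosis": "E11.9"},
    {"ssn": "123-45-6789", "zip": "02139", "diagnosis": "J45.909"},
]

# Fields that identify a person directly and must never leave the company.
DIRECT_IDENTIFIERS = ("ssn",)

# Constructed 32-byte key for the example only. In production, generate it
# with secrets.token_bytes(32), keep it in a KMS/HSM, and never give it to
# the researcher: the key is what makes the pseudonym irreversible to them.
KEY = bytes.fromhex("6b3f7c1d9e2a4b5c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c")


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed string: HMAC-SHA256 of the identifier."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(value: str) -> str:
    """The weak alternative: a plain hash that anyone can recompute."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def release_dataset(records: list, key: bytes) -> list:
    """Strip direct identifiers and add a keyed patient reference.

    The same SSN always maps to the same reference, so a researcher can
    still link one patient's records together without learning who it is.
    """
    released = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["patient_ref"] = keyed_pseudonym(rec["ssn"], key)
        released.append(row)
    return released


def dictionary_attack(pseudonym: str, candidates: list, key: bytes = None) -> str:
    """What someone holding the released file could try: hash every candidate
    identifier and look for a match. Without the key they can only compute
    unkeyed hashes, which never match the HMAC output."""
    for cand in candidates:
        guess = keyed_pseudonym(cand, key) if key else unkeyed_pseudonym(cand)
        if hmac.compare_digest(guess, pseudonym):
            return cand
    return None


# Constructed list of identifiers an attacker might enumerate or buy.
CANDIDATE_SSNS = ["111-11-1111", "123-45-6789", "987-65-4321"]

if __name__ == "__main__":
    for row in release_dataset(RECORDS, KEY):
        print(row)
```

The dictionary attack is the reason the key matters: the SSN space is small enough to enumerate, so an unkeyed SHA-256 of an SSN is reversible by anyone with the file, while the HMAC is reversible only by whoever holds KEY. Note that pseudonymizing the direct identifier alone does not make the data anonymous; quasi-identifiers such as ZIP code and dates can still re-identify people and need their own treatment.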
A penetration tester is conducting an assessment on Comptia.org and runs the following command from a coffee shop while connected to the public Internet (command and output exhibit not shown): Which of the following should the penetration tester conclude about the command output?
A. The public/private views on the Comptia.org DNS servers are misconfigured
B. Comptia.org is running an older mail server, which may be vulnerable to exploits
C. The DNS SPF records have not been updated for Comptia.org
D. 192.168.102.67 is a backup mail server that may be more vulnerable to attack
The code snippet below controls all electronic door locks to a secure facility in which the doors should only fail open in an emergency. In the code, `criticalValue` indicates if an emergency is underway (code exhibit not shown). Which of the following is the BEST course of action for a security analyst to recommend to the software developer?
A. Rewrite the software to implement fine-grained, conditions-based testing
B. Add additional exception handling logic to the main program to prevent doors from being opened
C. Apply for a life-safety-based risk exception allowing secure doors to fail open
D. Rewrite the software’s exception handling routine to fail in a secure state
A company's chief cybersecurity architect wants to configure mutual authentication to access an internal payroll website. The architect has asked the administration team to determine the configuration that would provide the best defense against MITM attacks. Which of the following implementation approaches would BEST support the architect's goals?
A. Utilize a challenge-response prompt as required input at username/password entry.
B. Implement TLS and require the client to use its own certificate during handshake.
C. Configure a web application proxy and institute monitoring of HTTPS transactions.
D. Install a reverse proxy in the corporate DMZ configured to decrypt TLS sessions.
An internal staff member logs into an ERP platform and clicks on a record. The browser URL changes to: URL: http://192.168.0.100/ERP/accountId=5&action=SELECT Which of the following is the MOST likely vulnerability in this ERP platform?
A. Brute forcing of account credentials
B. Plain-text credentials transmitted over the Internet
C. Insecure direct object reference
D. SQL injection of ERP back end
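The URL in this question carries the record's database ID directly, and the question is whether the server checks that the logged-in user may read that ID. The following added example, not part of the exam or this page, shows the vulnerable lookup next to one with an object-level authorization check; the account table, user names and `is_denied` helper are constructed for illustration.

```python
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the ERP account table; real data would come from
# the database, keyed by the same integer IDs the URL exposes.
ACCOUNTS = {
    5: {"owner": "alice", "balance": 1200},
    6: {"owner": "bob", "balance": 98000},
}

# Only the actions the front end is supposed to issue; anything else is
# rejected before it reaches the back end.
ALLOWED_ACTIONS = {"SELECT"}


class AccessDenied(Exception):
    """Raised for both 'not yours' and 'does not exist' so the caller cannot
    enumerate valid IDs by comparing error messages."""


def parse_request(url: str):
    """Extract accountId and action from the ERP URL.

    The URL in the question has no '?', so the parameters sit in the last
    path segment; handle both that form and a normal query string.
    """
    parsed = urlparse(url)
    raw = parsed.query or parsed.path.rsplit("/", 1)[-1]
    params = parse_qs(raw)
    try:
        account_id = int(params["accountId"][0])
    except (KeyError, ValueError):
        raise ValueError("accountId missing or not an integer")
    action = params.get("action", [""])[0]
    if action not in ALLOWED_ACTIONS:
        raise ValueError("action not permitted: %r" % action)
    return account_id, action


def lookup_insecure(url: str, session_user: str) -> dict:
    """Insecure direct object reference: trusts the ID in the URL and never
    asks whether session_user is allowed to see that object."""
    account_id, _ = parse_request(url)
    return ACCOUNTS[account_id]


def lookup_secure(url: str, session_user: str) -> dict:
    """Same lookup with an object-level authorization check bound to the
    authenticated session, not to anything the client sent."""
    account_id, _ = parse_request(url)
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        raise AccessDenied("account %d is not accessible to %s" % (account_id, session_user))
    return dict(account)


def is_denied(url: str, session_user: str) -> bool:
    """Helper so callers can probe the secure path without catching exceptions."""
    try:
        lookup_secure(url, session_user)
    except AccessDenied:
        return True
    return False
```

With the insecure lookup, alice changes `accountId=5` to `accountId=6` and receives bob's record; with the secure one she gets the same AccessDenied for bob's account as for an ID that does not exist. Note that the page's URL is plain `http://` to a private address, so the parameters are also readable on the wire, but that is a separate finding from the object reference check.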
A security architect is determining the best solution for a new project. The project is developing a new intranet with advanced authentication capabilities, SSO for users, and automated provisioning to streamline Day 1 access to systems. The security architect has identified the following requirements: 1. Information should be sourced from the trusted master data source. 2. There must be future requirements for identity proofing of devices and users. 3. A generic identity connector that can be reused must be developed. 4. The current project scope is for internally hosted applications only. Which of the following solution building blocks should the security architect use to BEST meet the requirements?
A. LDAP, multifactor authentication, OAuth, XACML
B. AD, certificate-based authentication, Kerberos, SPML
C. SAML, context-aware authentication, OAuth, WAYF
D. NAC, RADIUS, 802.1X, centralized Active Directory
A product manager is concerned about the unintentional sharing of the company's intellectual property through employees' use of social media. Which of the following would BEST mitigate this risk?
A. Virtual desktop environment
B. Network segmentation
C. Web application firewall
D. Web content filter
A security engineer is attempting to convey the importance of including job rotation in a company's standard security policies. Which of the following would be the BEST justification?
A. Making employees rotate through jobs ensures succession plans can be implemented and prevents single points of failure.
B. Forcing different people to perform the same job minimizes the amount of time malicious actions go undetected by forcing malicious actors to attempt collusion between two or more people.
C. Administrators and engineers who perform multiple job functions throughout the day benefit from being cross-trained in new job areas.
D. It eliminates the need to share administrative account passwords because employees gain administrative rights as they rotate into a new job area.
A corporate forensic investigator has been asked to acquire five forensic images of an employee database application. There are three images to capture in the United States, one in the United Kingdom, and one in Germany. Upon completing the work, the forensics investigator saves the images to a local workstation. Which of the following types of concerns should the forensic investigator have about this work assignment?
A. Environmental
B. Privacy
C. Ethical
D. Criminal
A new employee is plugged into the network on a BYOD machine but cannot access the network. Which of the following must be configured so the employee can connect to the network?
A. Port security
B. Firewall
C. Remote access
D. VPN
A medical device company is implementing a new COTS antivirus solution in its manufacturing plant. All validated machines and instruments must be retested for interoperability with the new software. Which of the following would BEST ensure the software and instruments are working as designed?
A. System design documentation
B. User acceptance testing
C. Peer review
D. Static code analysis testing
E. Change control documentation
An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS. Which of the following technical approaches would be the MOST feasible way to accomplish this capture?
A. Run the memdump utility with the -k flag.
B. Use a loadable kernel module capture utility, such as LiME.
C. Run dd on /dev/mem.
D. Employ a stand-alone utility, such as FTK Imager.
A recent CRM upgrade at a branch office was completed after the desired deadline. Several technical issues were found during the upgrade and need to be discussed in depth before the next branch office is upgraded. Which of the following should be used to identify weak processes and other vulnerabilities?
A. Gap analysis
B. Benchmarks and baseline results
C. Risk assessment
D. Lessons learned report
An organization is improving its web services to enable better customer engagement and self-service. The organization has a native mobile application and a rewards portal provided by a third party. The business wants to provide customers with the ability to log in once and have SSO between each of the applications. The integrity of the identity is important so it can be propagated through to back-end systems to maintain a consistent audit trail. Which of the following authentication and authorization types BEST meet the requirements? (Choose two.)
A. SAML
B. Social login
C. OpenID Connect
D. XACML
E. SPML
F. OAuth
An organization's Chief Financial Officer (CFO) was the target of several different social engineering attacks recently. The CFO has subsequently worked closely with the Chief Information Security Officer (CISO) to increase awareness of what attacks may look like. An unexpected email arrives in the CFO's inbox from a familiar name with an attachment. Which of the following should the CISO task a security analyst with to determine whether or not the attachment is safe?
A. Place it in a malware sandbox.
B. Perform a code review of the attachment.
C. Conduct a memory dump of the CFO’s PC.
D. Run a vulnerability scan on the email server.
A security administrator is advocating for enforcement of a new policy that would require employees with privileged access accounts to undergo periodic inspections and review of certain job performance data. To which of the following policies is the security administrator MOST likely referring?
A. Background investigation
B. Mandatory vacation
C. Least privilege
D. Separation of duties
A company wants to secure a newly developed application that is used to access sensitive information and data from corporate resources. The application was developed by a third-party organization, and it is now being used heavily, despite lacking the following controls: ✑ Certificate pinning ✑ Tokenization ✑ Biometric authentication The company has already implemented the following controls: ✑ Full device encryption ✑ Screen lock ✑ Device password ✑ Remote wipe The company wants to defend against interception of data attacks. Which of the following compensating controls should the company implement NEXT?
A. Enforce the use of a VPN when using the newly developed application
B. Implement a geofencing solution that disables the application according to company requirements
C. Implement an out-of-band second factor to authenticate authorized users
D. Install the application in a secure container requiring additional authentication controls
An organization that develops military technology is considering expansion into a foreign country. The organization's owners want to understand the risks associated with such an expansion, and the organization does not want to fund an intensive assessment. Which of the following approaches should be taken?
A. Penetration test
B. Tabletop assessment
C. Compliance assessment
D. Configuration security test
A network service on a production system keeps crashing at random times. The systems administrator suspects a bug in the listener is causing the service to crash, resulting in a DoS. When the service crashes, a core dump is left in the /tmp directory. Which of the following tools can the systems administrator use to reproduce these symptoms?
A. Fuzzer
B. Vulnerability scanner
C. Core dump analyzer
D. Debugger
An analyst is investigating anomalous behavior on a corporate-owned, corporate-managed mobile device with application whitelisting enabled, based on a name string. The employee to whom the device is assigned reports the approved email client is displaying warning messages that can launch browser windows and is adding unrecognized email addresses to the `compose` window. Which of the following would provide the analyst the BEST chance of understanding and characterizing the malicious behavior?
A. Reverse engineer the application binary.
B. Perform static code analysis on the source code.
C. Analyze the device firmware via the JTAG interface.
D. Change to a whitelist that uses cryptographic hashing.
E. Penetration test the mobile application.
An organization just merged with an organization in another legal jurisdiction and must improve its network security posture in ways that do not require additional resources to implement data isolation. One recommendation is to block communication between endpoint PCs. Which of the following would be the BEST solution?
A. Installing HIDS
B. Configuring a host-based firewall
C. Configuring EDR
D. Implementing network segmentation
An organization has established the following controls matrix (matrix exhibit not shown). The following control sets have been defined by the organization and are applied in aggregate fashion: ✑ Systems containing PII are protected with the minimum control set. ✑ Systems containing medical data are protected at the moderate level. ✑ Systems containing cardholder data are protected at the high level. The organization is preparing to deploy a system that protects the confidentiality of a database containing PII and medical data from clients. Based on the controls classification, which of the following controls would BEST meet these requirements?
A. Proximity card access to the server room, context-based authentication, UPS, and full-disk encryption for the database server.
B. Cipher lock on the server room door, FDE, surge protector, and static analysis of all application code.
C. Peer review of all application changes, static analysis of application code, UPS, and penetration testing of the complete system.
D. Intrusion detection capabilities, network-based IPS, generator, and context-based authentication.
A recent assessment identified that several users' mobile devices are running outdated versions of endpoint security software that do not meet the company's security policy. Which of the following should be performed to ensure the users can access the network and meet the company's security requirements?
A. Vulnerability assessment
B. Risk assessment
C. Patch management
D. Device quarantine
E. Incident management
An engineer is assisting with the design of a new virtualized environment that will house critical company services and reduce the datacenter's physical footprint. The company has expressed concern about the integrity of operating systems and wants to ensure a vulnerability exploited in one datacenter segment would not lead to the compromise of all others. Which of the following design objectives should the engineer complete to BEST mitigate the company's concerns? (Choose two.)
A. Deploy virtual desktop infrastructure with an OOB management network
B. Employ the use of vTPM with boot attestation
C. Leverage separate physical hardware for sensitive services and data
D. Use a community CSP with independently managed security services
E. Deploy to a private cloud with hosted hypervisors on each physical machine
A security architect has designated that a server segment of an enterprise network will require each server to have secure and measured boot capabilities. The architect now wishes to ensure service consumers and peers can verify the integrity of hosted services. Which of the following capabilities must the architect consider for enabling the verification?
A. Centralized attestation server
B. Enterprise HSM
C. vTPM
D. SIEM
A user workstation was infected with a new malware variant as a result of a drive-by download. The security administrator reviews key controls on the infected workstation and discovers the following (exhibit not shown): Which of the following would BEST prevent the problem from reoccurring in the future? (Choose two.)
A. Install HIPS
B. Enable DLP
C. Install EDR
D. Install HIDS
E. Enable application blacklisting
F. Improve patch management processes
A security engineer has implemented an internal user access review tool so service teams can baseline user accounts and group memberships. The tool is functional and popular among its initial set of onboarded teams. However, the tool has not been built to cater to a broader set of internal teams yet. The engineer has sought feedback from internal stakeholders, and a list of summarized requirements is as follows: ✑ The tool needs to be responsive so service teams can query it, and then perform an automated response action. ✑ The tool needs to be resilient to outages so service teams can perform the user access review at any point in time and meet their own SLAs. ✑ The tool will become the system-of-record for approval, reapproval, and removal life cycles of group memberships and must allow for data retrieval after failure. Which of the following need specific attention to meet the requirements listed above? (Choose three.)
A. Scalability
B. Latency
C. Availability
D. Usability
E. Recoverability
F. Maintainability
A technician is reviewing the following log (log exhibit not shown): Which of the following tools should the organization implement to reduce the highest risk identified in this log?
A. NIPS
B. DLP
C. NGFW
D. SIEM
Users have reported that an internally developed web application is acting erratically, and the response output is inconsistent. The issue began after a web application dependency patch was applied to improve security. Which of the following would be the MOST appropriate tool to help identify the issue?
A. Fuzzer
B. SCAP scanner
C. Vulnerability scanner
D. HTTP interceptor
A security administrator wants to implement controls to harden company-owned mobile devices. Company policy specifies the following requirements: ✑ Mandatory access control must be enforced by the OS. ✑ Devices must only use the mobile carrier data transport. Which of the following controls should the security administrator implement? (Choose three.)
A. Enable DLP
B. Enable SEAndroid
C. Enable EDR
D. Enable secure boot
E. Enable remote wipe
F. Disable Bluetooth
G. Disable 802.11
H. Disable geotagging
Ann, a security administrator, is conducting an assessment on a new firewall, which was placed at the perimeter of a network containing PII. Ann runs the following commands on a server (10.0.1.19) behind the firewall (command exhibit not shown). From her own workstation (192.168.2.45) outside the firewall, Ann then runs a port scan against the server and records the following packet capture of the port scan (capture exhibit not shown):
Connectivity to the server from outside the firewall worked as expected prior to executing these commands. Which of the following can be said about the new firewall?
A. It is correctly dropping all packets destined for the server.
B. It is not blocking or filtering any traffic to the server.
C. Iptables needs to be restarted.
D. The IDS functionality of the firewall is currently disabled.
Given the following code snippet (code exhibit not shown): Which of the following failure modes would the code exhibit?
A. Open
B. Secure
C. Halt
D. Exception
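This question and the earlier door-lock question (the one that mentions `criticalValue`) both turn on what a program does when the thing it depends on fails. The following added example, not part of the exam or this page, models a door-lock controller whose emergency sensor can fault, writes one handler for each of the four failure modes listed in the options, and classifies a handler by driving it with a faulty sensor. The sensor, controller and state names are assumptions; `critical_value` stands in for the question's `criticalValue`.

```python
import sys


class SensorFault(Exception):
    """Raised when the emergency sensor cannot be read."""


def faulty_sensor() -> bool:
    """Constructed sensor that always fails, used to exercise the handlers."""
    raise SensorFault("sensor bus timeout")


def healthy_sensor(emergency: bool):
    """Return a sensor that reports the given critical_value."""
    return lambda: emergency


def door_state(critical_value: bool) -> str:
    """Normal logic: doors open only while an emergency is underway."""
    return "UNLOCKED" if critical_value else "LOCKED"


def controller_fail_open(sensor) -> str:
    """Catch-all that unlocks: any error, even a cable fault, opens the facility."""
    try:
        return door_state(sensor())
    except Exception:
        return "UNLOCKED"


def controller_fail_secure(sensor) -> str:
    """Fails to a secure state: doors stay locked and the fault is surfaced
    to operators instead of silently opening the facility."""
    try:
        return door_state(sensor())
    except SensorFault as exc:
        print("ALERT: emergency sensor unavailable, holding doors locked: %s" % exc,
              file=sys.stderr)
        return "LOCKED"


def controller_halt(sensor) -> str:
    """Fail halt: the process stops, leaving the doors in whatever state they were."""
    try:
        return door_state(sensor())
    except SensorFault:
        sys.exit(1)


def controller_unhandled(sensor) -> str:
    """No handler: the exception propagates and the outcome depends on the caller."""
    return door_state(sensor())


def classify_failure_mode(controller) -> str:
    """Drive a controller with a faulty sensor and name the failure mode it exhibits."""
    try:
        state = controller(faulty_sensor)
    except SystemExit:
        return "halt"
    except Exception:
        return "exception"
    return "open" if state == "UNLOCKED" else "secure"


if __name__ == "__main__":
    for ctl in (controller_fail_open, controller_fail_secure,
                controller_halt, controller_unhandled):
        print(ctl.__name__, "->", classify_failure_mode(ctl))
```

The point of the secure handler is that only a genuine emergency reading unlocks the doors; an inability to read the sensor is not an emergency and should raise an alert rather than open the facility. For physical access control the secure state must still satisfy life-safety requirements, which is why fail-secure lock hardware normally blocks entry while still allowing free egress from inside.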
A security consultant is improving the physical security of a sensitive site and takes pictures of the unbranded building to include in the report. Two weeks later, the security consultant misplaces the phone, which only has one hour of charge left on it. The person who finds the phone removes the MicroSD card in an attempt to discover the owner to return it. The person extracts the following data from the phone and EXIF data from some files: DCIM Images folder - Audio books folder - Torrentz - My TAX.xls - Consultancy HR Manual.doc - Camera: SM-G950F - Exposure time: 1/60s - Location: 3500 Lacey Road USA - Which of the following BEST describes the security problem?
A. MicroSD is not encrypted and also contains personal data.
B. MicroSD contains a mixture of personal and work data.
C. MicroSD is not encrypted and contains geotagging information.
D. MicroSD contains pirated software and is not encrypted.
A company has entered into a business agreement with a business partner for managed human resources services. The Chief Information Security Officer (CISO) has been asked to provide documentation that is required to set up a business-to-business VPN between the two organizations. Which of the following is required in this scenario?
A. ISA
B. BIA
C. SLA
D. RA
A company's user community is being adversely affected by various types of emails whose authenticity cannot be trusted. The Chief Information Security Officer (CISO) must address the problem. Which of the following solutions would BEST support trustworthy communication solutions?
A. Enabling spam filtering and DMARC.
B. Using MFA when logging into email clients and the domain.
C. Enforcing HTTPS everywhere so web traffic, including email, is secure.
D. Enabling SPF and DKIM on company servers.
E. Enforcing data classification labels before an email is sent to an outside party.
A company's employees are not permitted to access company systems while traveling internationally. The company email system is configured to block logins based on geographic location, but some employees report their mobile phones continue to sync email while traveling. Which of the following is the MOST likely explanation? (Choose two.)
A. Outdated geographic IP information
B. Privilege escalation attack
C. VPN on the mobile device
D. Unrestricted email administrator accounts
E. Client use of UDP protocols
F. Disabled GPS on mobile devices
A government entity is developing requirements for an RFP to acquire a biometric authentication system. When developing these requirements, which of the following considerations is MOST critical to the verification and validation of the SRTM?
A. Local and national laws and regulations
B. Secure software development requirements
C. Environmental constraint requirements
D. Testability of requirements
A security analyst has requested network engineers integrate sFlow into the SOC's overall monitoring picture. For this to be a useful addition to the monitoring capabilities, which of the following must be considered by the engineering team?
A. Effective deployment of network taps
B. Overall bandwidth available at Internet PoP
C. Optimal placement of log aggregators
D. Availability of application layer visualizers
A penetration test is being scoped for a set of web services with API endpoints. The APIs will be hosted on existing web application servers. Some of the new APIs will be available to unauthenticated users, but some will only be available to authenticated users. Which of the following tools or activities would the penetration tester MOST likely use or do during the engagement? (Choose two.)
A. Static code analyzer
B. Intercepting proxy
C. Port scanner
D. Reverse engineering
E. Reconnaissance gathering
F. User acceptance testing
A network engineer is upgrading the network perimeter and installing a new firewall, IDS, and external edge router. The IDS is reporting elevated UDP traffic, and the internal routers are reporting high utilization. Which of the following is the BEST solution?
A. Reconfigure the firewall to block external UDP traffic.
B. Establish a security baseline on the IDS.
C. Block echo reply traffic at the firewall.
D. Modify the edge router to not forward broadcast traffic.
Free Access Full CAS-003 Practice Test Free Questions
We regularly update this page with new practice questions, so be sure to check back frequently.
Good luck with your CAS-003 certification journey!