A security review of the architecture for an application migration was recently completed. The following observations were made:
• External inbound access is blocked.
• A large amount of storage is available.
• Memory and CPU usage are low.
• The load balancer has only a single server assigned.
• Multiple APIs are integrated.
Which of the following needs to be addressed?

A. Scalability

B. Automation

C. Availability

D. Performance

Which of the following communication protocols is used to create PANs with small, low-power digital radios and supports a large number of nodes?

A. Zigbee

B. Wi-Fi

C. CAN

D. Modbus

E. DNP3

A company has moved its sensitive workloads to the cloud and needs to ensure high availability and resiliency of its web-based application. The cloud architecture team was given the following requirements:
•	The application must run at 70% capacity at all times
•	The application must sustain DoS and DDoS attacks.
•	Services must recover automatically.
Which of the following should the cloud architecture team implement? (Choose three.)

A. Read-only replicas

B. BCP

C. Autoscaling

D. WAF

E. CDN

F. Encryption

G. Continuous snapshots

H. Containerization

An attack team performed a penetration test on a new smart card system. The team demonstrated that by subjecting the smart card to high temperatures, the secret key could be revealed.
Which of the following side-channel attacks did the team use?

A. Differential power analysis

B. Differential fault analysis

C. Differential temperature analysis

D. Differential timing analysis

A security administrator needs to implement an X.509 solution for multiple sites within the human resources department. This solution would need to secure all subdomains associated with the domain name of the main human resources web server. Which of the following would need to be implemented to properly secure the sites and provide easier private key management?

A. Certificate revocation list

B. Digital signature

C. Wildcard certificate

D. Registration authority

E. Certificate pinning

An organization requires a contractual document that includes:
✑ An overview of what is covered
✑ Goals and objectives
✑ Performance metrics for each party
✑ A review of how the agreement is managed by all parties
Which of the following BEST describes this type of contractual document?

A. SLA

B. BAA

C. NDA

D. ISA

A security administrator needs to implement a security solution that will:
•	Limit the attack surface in case of an incident.
•	Improve access control for external and internal network security.
•	Improve performance with less congestion on network traffic.
Which of the following should the security administrator do?

A. Integrate threat intelligence feeds into the FIM.

B. Update firewall rules to match new IP addresses in use.

C. Configure SIEM dashboards to provide alerts and visualizations.

D. Deploy DLP rules based on updated PII formatting.

A security architect must mitigate the risks from what is suspected to be an exposed, private cryptographic key. Which of the following is the BEST step to take?

A. Revoke the certificate.

B. Inform all the users of the certificate.

C. Contact the company’s Chief Information Security Officer.

D. Disable the website using the suspected certificate.

E. Alert the root CA.

A company implements the following access control methodology based on the following data classifications:
 
The Chief Information Security Officer (CISO) wants to implement an additional layer of access control based on the geographic location of the underlying system that processes and stores data. The additional layer will be added to the existing access control system. Which of the following components must be implemented to achieve these goals? (Choose two.)

A. Tagging

B. Attribute-based access control

C. Role-based access control

D. Groups

E. Tokenization

F. Digital rights management

A company has identified a number of vulnerable, end-of-support systems with limited defensive capabilities. Which of the following would be the first step in reducing the attack surface in this environment?

A. Utilizing hardening recommendations

B. Deploying IPS/IDS throughout the environment

C. Installing and updating antivirus

D. Installing all available patches

A security analyst is researching containerization concepts for an organization. The analyst is concerned about potential resource exhaustion scenarios on the
Docker host due to a single application that is overconsuming available resources.
Which of the following core Linux concepts BEST reflects the ability to limit resource allocation to containers?

A. Union filesystem overlay

B. Cgroups

C. Linux namespaces

D. Device mapper

A security analyst is reviewing a new IOC in which data is injected into an online process. The IOC shows the data injection could happen in the following ways:
•	Five numerical digits followed by a dash, followed by four numerical digits; or
•	Five numerical digits
When one of these IOCs is identified. the online process stops working. Which of the following regular expressions should be implemented in the NIPS?

A. ^d{4}(-d{5})?$

B. ^d{5}(-d{4})?$

C. ^d{5-4}$

D. ^d{9}$

A company has instituted a new policy in which all outbound traffic must go over TCP ports 80 and 443 for all its managed mobile devices. No other IP traffic is allowed to be initiated from a device. Which of the following should the organization consider implementing to ensure internet access continues without interruption?

A. CYOD

B. MDM

C. WPA3

D. DoH

An e-commerce company is running a web server on premises, and the resource utilization is usually less than 30%. During the last two holiday seasons, the server experienced performance issues because of too many connections, and several customers were not able to finalize purchase orders. The company is looking to change the server configuration to avoid this kind of performance issue.
Which of the following is the MOST cost-effective solution?

A. Move the server to a cloud provider.

B. Change the operating system.

C. Buy a new server and create an active-active cluster.

D. Upgrade the server with a new one.

A cybersecurity analyst discovered a private key that could have been exposed.
Which of the following is the BEST way for the analyst to determine if the key has been compromised?

A. HSTS

B. CRL

C. CSRs

D. OCSP

A security consultant is designing an infrastructure security solution for a client company that has provided the following requirements:
•	Access to critical web services at the edge must be redundant and highly available.
•	Secure access services must be resilient to a proprietary zero-day vulnerability in a single component.
•	Automated transition of secure access solutions must be able to be triggered by defined events or manually by security operations staff.
Which of the following solutions BEST meets these requirements?

A. Implementation of multiple IPSec VPN solutions with diverse endpoint configurations enabling user optionality in the selection of a remote access provider.

B. Remote access services deployed using vendor-diverse redundancy with event response driven by playbooks.

C. Two separate secure access solutions orchestrated by SOAR with components provided by the same vendor for compatibility.

D. Reverse TLS proxy configuration using OpenVPN/OpenSSL with scripted failover functionality that connects critical web services out to endpoint computers.

A security architect was asked to modify an existing internal network design to accommodate the following requirements for RDP:
✑ Enforce MFA for RDP.
✑ Ensure RDP connections are only allowed with secure ciphers.
The existing network is extremely complex and not well segmented. Because of these limitations, the company has requested that the connections not be restricted by network-level firewalls or ACLs.
Which of the following should the security architect recommend to meet these requirements?

A. Implement a reverse proxy for remote desktop with a secure cipher configuration enforced.

B. Implement a bastion host with a secure cipher configuration enforced.

C. Implement a remote desktop gateway server, enforce secure ciphers, and configure to use OTP.

D. Implement a GPO that enforces TLS cipher suites and limits remote desktop access to only VPN users.

A company has hired a third party to develop software as part of its strategy to be quicker to market. The company's policy outlines the following requirements:
✑ The credentials used to publish production software to the container registry should be stored in a secure location.
✑ Access should be restricted to the pipeline service account, without the ability for the third-party developer to read the credentials directly.
Which of the following would be the BEST recommendation for storing and monitoring access to these shared credentials?

A. TPM

B. Local secure password file

C. MFA

D. Key vault

A Chief Information Security Officer (CISO) is concerned that a company's current data disposal procedures could result in data remanence. The company uses only SSDs. Which of the following would be the MOST secure way to dispose of the SSDs given the CISO's concern?

A. Degaussing

B. Overwriting

C. Shredding

D. Formatting

E. Incinerating

A security engineer was auditing an organization's current software development practice and discovered that multiple open-source libraries were Integrated into the organization's software. The organization currently performs SAST and DAST on the software it develops.
Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?

A. Perform additional SAST/DAST on the open-source libraries.

B. Implement the SDLC security guidelines.

C. Track the library versions and monitor the CVE website for related vulnerabilities.

D. Perform unit testing of the open-source libraries.

A company would like to move its payment card data to a cloud provider. Which of the following solutions will best protect account numbers from unauthorized disclosure?

A. Storing the data in an encoded file

B. Implementing database encryption at rest

C. Only storing tokenized card data

D. Implementing data field masking

The Chief Security Officer (CSO) requested the security team implement technical controls that meet the following requirements:
•	Monitors traffic to and from both local NAS and cloud-based file repositories
•	Prevents on-site staff who are accessing sensitive customer PII documents on file repositories from accidentally or deliberately sharing sensitive documents on personal SaaS solutions
•	Uses document attributes to reduce false positives
•	Is agentless and not installed on staff desktops or laptops
Which of the following when installed and configured would BEST meet the CSO’s requirements? (Choose two.)

A. DLP

B. NGFW

C. UTM

D. UEBA

E. CASB

F. HIPS

A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack.
Which of the following is the NEXT step of the incident response plan?

A. Remediation

B. Containment

C. Response

D. Recovery

Which of the following BEST describes a common use case for homomorphic encryption?

A. Processing data on a server after decrypting in order to prevent unauthorized access in transit

B. Maintaining the confidentiality of data both at rest and in transit to and from a CSP for processing

C. Transmitting confidential data to a CSP for processing on a large number of resources without revealing information

D. Storing proprietary data across multiple nodes in a private cloud to prevent access by unauthenticated users

Some end users of an e-commerce website are reporting a delay when browsing pages. The website uses TLS 1.2. A security architect for the website troubleshoots by connecting from home to the website and capturing traffic via Wireshark. The security architect finds that the issue is the time required to validate the certificate. Which of the following solutions should the security architect recommend?

A. Adding more nodes to the web server clusters

B. Changing the cipher algorithm used on the web server

C. Implementing OCSP stapling on the server

D. Upgrading to TLS 1.3

Due to internal resource constraints, the management team has asked the principal security architect to recommend a solution that shifts most of the responsibility for application-level controls to the cloud provider. In the shared responsibility model, which of the following levels of service meets this requirement?

A. IaaS

B. SaaS

C. FaaS

D. PaaS

Which of the following indicates when a company might not be viable after a disaster?

A. Maximum tolerable downtime

B. Recovery time objective

C. Mean time to recovery

D. Annual loss expectancy

A corporation discovered its internet connection is saturated with traffic originating from multiple IP addresses across the internet. A security analyst needs to find a solution to address future occurrences of this type of attack.
Which of the following would be the BEST solution to meet this goal?

A. Implementing cloud-scrubbing services

B. Upgrading the internet link

C. Deploying a web application firewall

D. Provisioning a reverse proxy

A security engineer needs to implement a cost-effective authentication scheme for a new web-based application that requires:
•	Rapid authentication
•	Flexible authorization
•	Ease of deployment
•	Low cost but high functionality
Which of the following approaches best meets these objectives?

A. Kerberos

B. EAP

C. SAML

D. OAuth

E. TACACS+

A company was recently infected by malware. During the root cause analysis, the company determined that several users were installing their own applications.
To prevent further compromises, the company has decided it will only allow authorized applications to run on its systems. Which of the following should the company implement?

A. Signing

B. Access control

C. HIPS

D. Permit listing

Technicians have determined that the current server hardware is outdated, so they have decided to throw it out.
Prior to disposal, which of the following is the BEST method to use to ensure no data remnants can be recovered?

A. Drive wiping

B. Degaussing

C. Purging

D. Physical destruction

A software developer created an application for a large, multinational company. The company is concerned the program code could be reverse engineered by a foreign entity and intellectual property would be lost. Which of the following techniques should be used to prevent this situation?

A. Obfuscation

B. Code signing

C. Watermarking

D. Digital certificates

A cloud security architect has been tasked with selecting the appropriate solution given the following:
•	The solution must allow the lowest RTO possible.
•	The solution must have the least shared responsibility possible.
•	Patching should be a responsibility of the CSP.
Which of the following solutions can BEST fulfil the requirements?

A. PaaS

B. IaaS

C. Private

D. SaaS

A company's SOC has received threat intelligence about an active campaign utilizing a specific vulnerability. The company would like to determine whether it is vulnerable to this active campaign.
Which of the following should the company use to make this determination?

A. Threat hunting

B. A system penetration test

C. Log analysis within the SIEM tool

D. The Cyber Kill Chain

A company is looking at sending historical backups containing customer PII to a cloud service provider to save on storage costs. Which of the following is the MOST important consideration before making this decision?

A. Availability

B. Data sovereignty

C. Geography

D. Vendor lock-in

A network administrator for a completely air-gapped and closed system has noticed that anomalous external files have been uploaded to one of the critical servers. The administrator has reviewed logs in the SIEM that were collected from security appliances, network infrastructure devices, and endpoints. Which of the following processes, if executed, would be MOST likely to expose an attacker?

A. Reviewing video from IP cameras within the facility

B. Reconfiguring the SIEM connectors to collect data from the perimeter network hosts

C. Implementing integrity checks on endpoint computing devices

D. Looking for privileged credential reuse on the network

In order to authenticate employees who, call in remotely, a company's help desk staff must be able to view partial information about employees because the full information may be considered sensitive. Which of the following solutions should be implemented to authenticate employees?

A. Data scrubbing

B. Field masking

C. Encryption in transit

D. Metadata

After installing an unapproved application on a personal device, a Chief Executive Officer reported an incident to a security analyst. This device is not controlled by the MDM solution, as stated in the BVOD policy. However, the device contained critical confidential information. The cyber incident response team performed the analysis on the device and found the following log:
Wed 12 Dec 2020 10:00:03 Unknown sources is now enabled on this device.
Which of the following is the MOST likely reason for the successful attack?

A. Lack of MDM controls

B. Auto-join hotspots enabled

C. Sideloading

D. Lack of application segmentation

SIMULATION
-
An organization is planning for disaster recovery and continuity of operations.
INSTRUCTIONS
-
Review the following scenarios and instructions. Match each relevant finding to the affected host.
After associating scenario 3 with the appropriate host(s), click the host to select the appropriate corrective action for that finding.
Each finding may only be used once.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
 
 

A company launched a new service and created a landing page within its website network for users to access the service. Per company policy, all websites must utilize encryption for any authentication pages. A junior network administrator proceeded to use an outdated procedure to order new certificates. Afterward, customers are reporting the following error when accessing a new web page: NET:ERR_CERT_COMMON_NAME_INVALID. Which of the following BEST describes what the administrator should do NEXT?

A. Request a new certificate with the correct subject alternative name that includes the new websites.

B. Request a new certificate with the correct organizational unit for the company’s website.

C. Request a new certificate with a stronger encryption strength and the latest cipher suite.

D. Request a new certificate with the same information but including the old certificate on the CRL.

A forensic expert working on a fraud investigation for a US-based company collected a few disk images as evidence.
Which of the following offers an authoritative decision about whether the evidence was obtained legally?

A. Lawyers

B. Court

C. Upper management team

D. Police

A systems administrator confirms that the company's remote server is providing the following list of preferred ciphers:
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
• TLS_RSA_WITH_RC4_128_SHA (0x5)
• TLS_RSA_WITH_RC4_128_MD5 (0x4)
Nevertheless, when the systems administrator's browser connects to the server, it negotiates TLS_RSA_WITH_RC4_128_MD5 (0x4), while all other employees' browsers negotiate TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030). Which of the following describes a potential attack to the systems administrator's browser?

A. A cipher mismatch

B. Key rotation

C. A downgrade attack

D. A compromised key

E. Rekeying

ACSP, which wants to compete in the market, has been approaching companies in an attempt to gain business, The CSP is able to provide the same uptime as other CSPs at a markedly reduced cost. Which of the following would be the MOST significant business risk to a company that signs a contract with this CSP?

A. Resource exhaustion

B. Geographic location

C. Control plane breach

D. Vendor lock-in

When a remote employee traveled overseas, the employee’s laptop and several mobile devices with proprietary tools were stolen. The security team requires technical controls be in place to ensure no electronic data is compromised or changed. Which of the following BEST meets this requirement?

A. Mobile device management with remote wipe capabilities

B. Passwordless smart card authorization with biometrics

C. Next-generation endpoint detection and response agent

D. Full disk encryption with centralized key management

A company wants to protect its intellectual property from theft. The company has already applied ACLs and DACs.
Which of the following should the company use to prevent data theft?

A. Watermarking

B. DRM

C. NDA

D. Access logging

An organization collects personal data from its global customers. The organization determines how that data is going to be used, why it is going to be used, and how it is manipulated for business processes. Which of the following will the organization need in order to comply with GDPR? (Choose two.)

A. Data processor

B. Data custodian

C. Data owner

D. Data steward

E. Data controller

F. Data manager

A help desk technician is troubleshooting an issue with an employee's laptop that will not boot into its operating system. The employee reported the laptop had been stolen but then found it one day later. The employee has asked the technician for help recovering important data. The technician has identified the following:
• The laptop operating system was not configured with BitLocker.
• The hard drive has no hardware failures.
• Data is present and readable on the hard drive, although it appears to be illegible.
Which if the following is the MOST likely reason the technician is unable to retrieve legible data from the hard drive?

A. The employee’s password was changed, and the new password needs to be used.

B. The PKI certificate was revoked, and a new one must be installed.

C. The hard drive experienced crypto-shredding.

D. The technician is using the incorrect cipher to read the data.

An organization decided to begin issuing corporate mobile device users microSD HSMs that must be installed in the mobile devices in order to access corporate resources remotely. Which of the following features of these devices MOST likely led to this decision? (Choose two.)

A. Software-backed keystore

B. Embedded cryptoprocessor

C. Hardware-backed public key storage

D. Support for stream ciphers

E. Decentralized key management

F. TPM 2.0 attestation services

A security analyst has been provided the following partial Snort IDS rule to review and add into the company's Snort IDS to identify a CVE:
alert tcp any any -> SHOME_NET 3389 (flow:to_server,established; content:"MS_T120|00|"; fasc_pattern:only)
Which of the following should the analyst recommend to mitigate this type of vulnerability?

A. IPSec rules

B. OS patching

C. Two-factor authentication

D. TCP wrappers

A company's Chief Information Security Officer is concerned that the company's proposed move to the cloud could lead to a lack of visibility into network traffic flow logs within the VPC.
Which of the following compensating controls would be BEST to implement in this situation?

A. EDR

B. SIEM

C. HIDS

D. UEBA