CAS-004 Mock Test Free – 50 Realistic Questions to Prepare with Confidence.
Getting ready for your CAS-004 certification exam? Start your preparation the smart way with our CAS-004 Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.
Using a free mock test for the CAS-004 exam is one of the best ways to:
- Familiarize yourself with the actual exam format and question style
- Identify areas where you need more review
- Strengthen your time management and test-taking strategy
Below, you will find 50 free questions from our CAS-004 Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.
A security analyst is reviewing the data portion acquired from the following command:
tcpdump -lnvi icmp and src net 192.168.1.0/24 and dst net 0.0.0.0/0 -w output.pcap
The data portion of the packet capture shows the following:
The analyst suspects that a data exfiltration attack is occurring using a pattern in which the last five digits are encoding sensitive information. Which of the following technologies and associated rules should the analyst implement to stop this specific attack? (Choose two.)
A. Intrusion prevention system
B. Data loss prevention
C. sed -e 's/a-z.*0-9.*//g'
D. reject icmp any any any any (msg:"alert"; regex [a-z]{26}[0-9]{5})
E. Second-generation firewall
F. drop icmp from 192.168.1.0/24 to 0.0.0.0/0
An architectural firm is working with its security team to ensure that any draft images that are leaked to the public can be traced back to a specific external party. Which of the following would BEST accomplish this goal?
A. Properly configure a secure file transfer system to ensure file integrity.
B. Have the external parties sign non-disclosure agreements before sending any images.
C. Only share images with external parties that have worked with the firm previously.
D. Utilize watermarks in the images that are specific to each external party.
Which of the following communication protocols is used to create PANs with small, low-power digital radios and supports a large number of nodes?
A. Zigbee
B. Wi-Fi
C. CAN
D. Modbus
E. DNP3
A systems administrator at a web-hosting provider has been tasked with renewing the public certificates of all customer sites. Which of the following would BEST support multiple domain names while minimizing the amount of certificates needed?
A. OCSP
B. CRL
C. SAN
D. CA
SIMULATION
An IPSec solution is being deployed. The configuration files for both the VPN concentrator and the AAA server are shown in the diagram. Complete the configuration files to meet the following requirements:
• The EAP method must use mutual certificate-based authentication (with issued client certificates).
• The IKEv2 cipher suite must be configured to the MOST secure authenticated mode of operation.
• The secret must contain at least one uppercase character, one lowercase character, one numeric character, and one special character, and it must meet a minimum length requirement of eight characters.
INSTRUCTIONS
Click on the AAA server and VPN concentrator to complete the configuration. Fill in the appropriate fields and make selections from the drop-down menus. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
A security architect is reviewing the following organizational specifications for a new application:
• Be sessionless and API-based
• Accept uploaded documents with PII, so all storage must be ephemeral
• Be able to scale on-demand across multiple nodes
• Restrict all network access except for the TLS port
Which of the following ways should the architect recommend the application be deployed in order to meet security and organizational infrastructure requirements?
A. Utilizing the cloud container service
B. On server instances with autoscaling groups
C. Using scripted delivery
D. With a content delivery network
A security administrator has been tasked with hardening a domain controller against lateral movement attacks. Below is an output of running services:
Which of the following configuration changes must be made to complete this task?
A. Stop the Print Spooler service and set the startup type to disabled.
B. Stop the DNS Server service and set the startup type to disabled.
C. Stop the Active Directory Web Services service and set the startup type to disabled.
D. Stop Credential Manager service and leave the startup type to disabled.
An organization that provides a SaaS solution recently experienced an incident involving customer data loss. The system has a level of self-healing that includes monitoring performance and available resources. When the system detects an issue, the self-healing process is supposed to restart parts of the software. During the incident, when the self-healing system attempted to restart the services, available disk space on the data drive to restart all the services was inadequate. The self-healing system did not detect that some services did not fully restart and declared the system as fully operational. Which of the following BEST describes the reason why the silent failure occurred?
A. The system logs rotated prematurely.
B. The disk utilization alarms are higher than what the service restarts require.
C. The number of nodes in the self-healing cluster was healthy.
D. Conditional checks prior to the service restart succeeded.
A company is rewriting a vulnerable application and adding the mprotect() system call in multiple parts of the application's code that was being leveraged by a recent exploitation tool. Which of the following should be enabled to ensure the application can leverage the new system call against similar attacks in the future?
A. TPM
B. Secure boot
C. NX bit
D. HSM
The primary advantage of an organization creating and maintaining a vendor risk registry is to:
A. define the risk assessment methodology.
B. study a variety of risks and review the threat landscape.
C. ensure that inventory of potential risk is maintained.
D. ensure that all assets have low residual risk.
A global financial firm wants to onboard a new vendor that sells a very specific SaaS application. The application is only hosted in the vendor's home country, and the firm cannot afford any significant downtime. Which of the following is the GREATEST risk to the firm, assuming the decision is made to work with the new vendor?
A. The application’s performance will be different in regional offices.
B. There are regulatory concerns with using SaaS applications.
C. The SaaS application will only be available to users in one country.
D. There is no geographical redundancy in case of network outages.
An administrator at a software development company would like to protect the integrity of the company's applications with digital signatures. The developers report that the signing process keeps failing on all applications. The same key pair used for signing, however, is working properly on the website, is valid, and is issued by a trusted CA. Which of the following is MOST likely the cause of the signature failing?
A. The NTP server is set incorrectly for the developers.
B. The CA has included the certificate in its CRL.
C. The certificate is set for the wrong key usage.
D. Each application is missing a SAN or wildcard entry on the certificate.
A local university that has a global footprint is undertaking a complete overhaul of its website and associated systems. Some of the requirements are:
• Handle an increase in customer demand of resources
• Provide quick and easy access to information
• Provide high-quality streaming media
• Create a user-friendly interface
Which of the following actions should be taken FIRST?
A. Deploy high-availability web servers.
B. Enhance network access controls.
C. Implement a content delivery network.
D. Migrate to a virtualized environment.
Users are claiming that a web server is not accessible. A security engineer is unable to view the Internet Services logs for the site. The engineer connects to the server and runs netstat -an and receives the following output:
Which of the following is MOST likely happening to the server?
A. Port scanning
B. ARP spoofing
C. Buffer overflow
D. Denial of service
A mobile administrator is reviewing the following mobile device DHCP logs to ensure the proper mobile settings are applied to managed devices:
Which of the following mobile configuration settings is the mobile administrator verifying?
A. Service set identifier authentication
B. Wireless network auto joining
C. 802.1X with mutual authentication
D. Association MAC address randomization
A security architect is reviewing the following proposed corporate firewall architecture and configuration:
Both firewalls are stateful and provide Layer 7 filtering and routing. The company has the following requirements:
• Web servers must receive all updates via HTTP/S from the corporate network. Web servers should not initiate communication with the Internet.
• Web servers should only connect to preapproved corporate database servers.
• Employees' computing devices should only connect to web services over ports 80 and 443.
Which of the following should the architect recommend to ensure all requirements are met in the MOST secure manner? (Choose two.)
A. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP 80,443
B. Add the following to Firewall_A: 15 PERMIT FROM 192.168.1.0/24 TO 0.0.0.0 TCP 80,443
C. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP/UDP 0-65535
D. Add the following to Firewall_B: 15 PERMIT FROM 0.0.0.0/0 TO 10.0.0.0/16 TCP/UDP 0-65535
E. Add the following to Firewall_B: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0 TCP/UDP 0-65535
F. Add the following to Firewall_B: 15 PERMIT FROM 192.168.1.0/24 TO 10.0.2.10/32 TCP 80,443
A company wants to securely manage the APIs that were developed for its in-house applications. Previous penetration tests revealed that developers were embedding unencrypted passwords in the code. Which of the following can the company do to address this finding? (Choose two.)
A. Implement complex, key-length API key management.
B. Implement user session logging.
C. Implement time-based API key management.
D. Use SOAP instead of restful services.
E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets.
F. Enforce MFA on the developers’ workstations and production systems.
A disaster recovery team learned of several mistakes that were made during the last disaster recovery parallel test. Computational resources ran out at 70% of restoration of critical services. Which of the following should be modified to prevent the issue from reoccurring?
A. Recovery point objective
B. Recovery time objective
C. Mission-essential functions
D. Recovery service level
An organization handles sensitive information that must be displayed on call center technicians’ screens to verify the identities of remote callers. The technicians use three randomly selected fields of information to complete the identity verification process. Some of the fields contain PII that are unique identifiers for the remote callers. Which of the following should be implemented to identify remote callers while also reducing the risk that technicians could improperly use the identification information?
A. Data masking
B. Encryption
C. Tokenization
D. Scrubbing
E. Substitution
An organization is referencing NIST best practices for BCP creation while reviewing current internal organizational processes for mission-essential items. Which of the following phases establishes the identification and prioritization of critical systems and functions?
A. Review a recent gap analysis.
B. Perform a cost-benefit analysis.
C. Conduct a business impact analysis.
D. Develop an exposure factor matrix.
A company wants to use a process to embed a sign of ownership covertly inside a proprietary document without adding any identifying attributes. Which of the following would be BEST to use as part of the process to support copyright protections of the document?
A. Steganography
B. E-signature
C. Watermarking
D. Cryptography
A security analyst discovered that the company's WAF was not properly configured. The main web server was breached, and the following payload was found in one of the malicious requests:
Which of the following would BEST mitigate this vulnerability?
A. CAPTCHA
B. Input validation
C. Data encoding
D. Network intrusion prevention
As part of its risk strategy, a company is considering buying insurance for cybersecurity incidents. Which of the following BEST describes this kind of risk response?
A. Risk rejection
B. Risk mitigation
C. Risk transference
D. Risk avoidance
A company wants to protect its intellectual property from theft. The company has already applied ACLs and DACs. Which of the following should the company use to prevent data theft?
A. Watermarking
B. DRM
C. NDA
D. Access logging
A security architect was asked to modify an existing internal network design to accommodate the following requirements for RDP:
• Enforce MFA for RDP.
• Ensure RDP connections are only allowed with secure ciphers.
The existing network is extremely complex and not well segmented. Because of these limitations, the company has requested that the connections not be restricted by network-level firewalls or ACLs. Which of the following should the security architect recommend to meet these requirements?
A. Implement a reverse proxy for remote desktop with a secure cipher configuration enforced.
B. Implement a bastion host with a secure cipher configuration enforced.
C. Implement a remote desktop gateway server, enforce secure ciphers, and configure to use OTP.
D. Implement a GPO that enforces TLS cipher suites and limits remote desktop access to only VPN users.
Which of the following represents the MOST significant benefit of implementing a passwordless authentication solution?
A. Biometric authenticators are immutable.
B. The likelihood of account compromise is reduced.
C. Zero trust is achieved.
D. Privacy risks are minimized.
An executive has decided to move a company's customer-facing application to the cloud after experiencing a lengthy power outage at a locally managed service provider's data center. The executive would like a solution that can be implemented as soon as possible. Which of the following will BEST prevent similar issues when the service is running in the cloud? (Choose two.)
A. Placing the application instances in different availability zones
B. Restoring the snapshot and starting the new application instance from a different zone
C. Enabling autoscaling based on application instance usage
D. Having several application instances running in different VPCs
E. Using the combination of block storage and multiple CDNs in each application instance
F. Setting up application instances in multiple regions
A security analyst is concerned that a malicious piece of code was downloaded on a Linux system. After some research, the analyst determines that the suspected piece of code is performing a lot of input/output (I/O) on the disk drive.
Based on the output above, from which of the following process IDs can the analyst begin an investigation?
A. 65
B. 77
C. 83
D. 87
A forensic investigator would use the foremost command for:
A. cloning disks.
B. analyzing network-captured packets.
C. recovering lost files.
D. extracting features such as email addresses.
A product manager at a new company needs to ensure the development team produces high-quality code on time. The manager has decided to implement an agile development approach instead of waterfall. Which of the following are reasons to choose an agile development approach? (Choose two.)
A. The product manager gives the developers more autonomy to write quality code prior to deployment.
B. An agile approach incorporates greater application security in the development process than a waterfall approach does.
C. The scope of work is expected to evolve during the lifetime of project development.
D. The product manager prefers to have code iteratively tested throughout development.
E. The product manager would like to produce code in linear phases.
F. Budgeting and creating a timeline for the entire project is often more straightforward using an agile approach rather than waterfall.
A Chief Information Security Officer (CISO) received a call from the Chief Executive Officer (CEO) about a data breach from the SOC lead around 9:00 a.m. At 10:00 a.m., the CEO informs the CISO that a breach of the firm is being reported on national news. Upon investigation, it is determined that a network administrator had reached out to a vendor prior to the breach for information on a security patch that failed to be installed. Which of the following should the CISO do to prevent this from happening again?
A. Properly triage events based on brand imaging and ensure the CEO is on the call roster.
B. Create an effective communication plan and socialize it with all employees.
C. Send out a press release denying the breach until more information can be obtained.
D. Implement a more robust vulnerability identification process.
An organization has just been breached, and the attacker is exfiltrating data from workstations. The security analyst validates this information with the firewall logs and must stop the activity immediately. Which of the following steps should the security analyst perform NEXT?
A. Determine what data is being stolen and change the folder permissions to read only.
B. Determine which users may have clicked on a malicious email link and suspend their accounts.
C. Determine where the data is being transmitted and create a block rule.
D. Determine if a user inadvertently installed malware from a USB drive and update antivirus definitions.
E. Determine if users have been notified to save their work and turn off their workstations.
A software developer was just informed by the security team that the company’s product has several vulnerabilities. Most of these vulnerabilities were traced to code the developer did not write. The developer does not recognize some of the code, as it was in the software before the developer started on the program and is not tracked for licensing purposes. Which of the following would the developer MOST likely do to mitigate the risks and prevent further issues like these from occurring?
A. Perform supply chain analysis and require third-party suppliers to implement vulnerability management programs.
B. Perform software composition analysis and remediate vulnerabilities found in the software.
C. Perform reverse engineering on the code and rewrite the code in a more secure manner.
D. Perform fuzz testing and implement DAST in the code repositories to find vulnerabilities prior to deployment.
A digital forensics expert has obtained an ARM binary suspected of including malicious behavior. The expert would like to trace and analyze the ARM binary’s execution. Which of the following tools would BEST support this effort?
A. objdump
B. OllyDbg
C. FTK Imager
D. Ghidra
Law enforcement officials informed an organization that an investigation has begun. Which of the following is the FIRST step the organization should take?
A. Initiate a legal hold.
B. Refer to the retention policy.
C. Perform e-discovery.
D. Review the subpoena.
A company is on a deadline to roll out an entire CRM platform to all users at one time. However, the company is behind schedule due to reliance on third-party vendors. Which of the following development approaches will allow the company to begin releases but also continue testing and development for future releases?
A. Implement iterative software releases.
B. Revise the scope of the project to use a waterfall approach.
C. Change the scope of the project to use the spiral development methodology.
D. Perform continuous integration.
In preparation for the holiday season, a company redesigned the system that manages retail sales and moved it to a cloud service provider. The new infrastructure did not meet the company's availability requirements. During a postmortem analysis, the following issues were highlighted:
1. International users reported latency when images on the web page were initially loading.
2. During times of report processing, users reported issues with inventory when attempting to place orders.
3. Despite the fact that ten new API servers were added, the load across servers was heavy at peak times.
Which of the following infrastructure design changes would be BEST for the organization to implement to avoid these issues in the future?
A. Serve static content via distributed CDNs, create a read replica of the central database and pull reports from there, and auto-scale API servers based on performance.
B. Increase the bandwidth for the server that delivers images, use a CDN, change the database to a non-relational database, and split the ten API servers across two load balancers.
C. Serve images from an object storage bucket with infrequent read times, replicate the database across different regions, and dynamically create API servers based on load.
D. Serve static-content object storage across different regions, increase the instance size on the managed relational database, and distribute the ten API servers across multiple regions.
A small company recently developed prototype technology for a military program. The company's security engineer is concerned about potential theft of the newly developed, proprietary information. Which of the following should the security engineer do to BEST manage the threats proactively?
A. Join an information-sharing community that is relevant to the company.
B. Leverage the MITRE ATT&CK framework to map the TTP.
C. Use OSINT techniques to evaluate and analyze the threats.
D. Update security awareness training to address new threats, such as best practices for data security.
A security engineer has been informed by the firewall team that a specific Windows workstation is part of a command-and-control network. The only information the security engineer is receiving is that the traffic is occurring on a non-standard port (TCP 40322). Which of the following commands should the security engineer use FIRST to find the malicious process?
A. tcpdump
B. netstat
C. tasklist
D. traceroute
E. ipconfig
A financial institution generates a list of newly created accounts and sensitive information on a daily basis. The financial institution then sends out a file containing thousands of lines of data. Which of the following would be the best way to reduce the risk of a malicious insider making changes to the file that could go undetected?
A. Write a SIEM rule that generates a critical alert when files are created on the application server.
B. Implement a FIM that automatically generates alerts when the file is accessed by IP addresses that are not associated with the application.
C. Create a script that compares the size of the file on an hourly basis and generates alerts when changes are identified.
D. Tune the rules on the host-based IDS for the application server to trigger automated alerts when the application server is accessed from the internet.
Which of the following technologies would benefit the most from the use of biometric readers, proximity badge entry systems, and the use of hardware security tokens to access various environments and data entry systems?
A. Deep learning
B. Machine learning
C. Nanotechnology
D. Passwordless authentication
E. Biometric impersonation
A security engineer is implementing a server-side TLS configuration that provides forward secrecy and authenticated encryption with associated data. Which of the following algorithms, when combined into a cipher suite, will meet these requirements? (Choose three.)
A. EDE
B. CBC
C. GCM
D. AES
E. RSA
F. RC4
G. ECDSA
H. DH
Which of the following should be established when configuring a mobile device to protect user internet privacy, to ensure the connection is encrypted, and to keep user activity hidden? (Choose two.)
A. Proxy
B. Tunneling
C. VDI
D. MDM
E. RDP
F. MAC address randomization
The Chief Executive Officer of an online retailer notices a sudden drop in sales. A security analyst at the retailer detects a redirection of unsecure web traffic to a competitor’s site. Which of the following would best prevent this type of attack?
A. Enabling HSTS
B. Configuring certificate pinning
C. Enforcing DNSSEC
D. Deploying certificate stapling
Which of the following processes involves searching and collecting evidence during an investigation or lawsuit?
A. E-discovery
B. Review analysis
C. Information governance
D. Chain of custody
The Chief Information Officer (CIO) wants to implement enterprise mobility throughout the organization. The goal is to allow employees access to company resources. However, the CIO wants the ability to enforce configuration settings, manage data, and manage both company-owned and personal devices. Which of the following should the CIO implement to achieve this goal?
A. BYOD
B. CYOD
C. COPE
D. MDM
A security administrator configured the account policies per security implementation guidelines. However, the accounts still appear to be susceptible to brute-force attacks. The following settings meet the existing compliance guidelines:
• Must have a minimum of 15 characters
• Must use one number
• Must use one capital letter
• Must not be one of the last 12 passwords used
Which of the following policies should be added to provide additional security?
A. Shared accounts
B. Password complexity
C. Account lockout
D. Password history
E. Time-based logins
A cybersecurity analyst discovered a private key that could have been exposed. Which of the following is the BEST way for the analyst to determine if the key has been compromised?
A. HSTS
B. CRL
C. CSRs
D. OCSP
A security architect must mitigate the risks from what is suspected to be an exposed, private cryptographic key. Which of the following is the BEST step to take?
A. Revoke the certificate.
B. Inform all the users of the certificate.
C. Contact the company’s Chief Information Security Officer.
D. Disable the website using the suspected certificate.
E. Alert the root CA.
An IT department is currently working to implement an enterprise DLP solution. Due diligence and best practices must be followed in regard to mitigating risk. Which of the following ensures that authorized modifications are well planned and executed?
A. Risk management
B. Network management
C. Configuration management
D. Change management