CAS-004 Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the CAS-004 certification? Take your preparation to the next level with our CAS-004 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a free CAS-004 practice exam is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below, you will find 50 realistic free CAS-004 practice exam questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
A security analyst is reviewing the following vulnerability assessment report: Which of the following should be patched FIRST to minimize attacks against Internet-facing hosts?
A. Server1
B. Server2
C. Server3
D. Server4
A BIA of a popular online retailer identified several mission-essential functions that would take more than seven days to recover in the event of an outage. Which of the following should be considered when setting priorities for the restoration of these functions?
A. Supply chain issues
B. Revenue generation
C. Warm-site operations
D. Scheduled impacts to future projects
An organization's senior security architect would like to develop cyberdefensive strategies based on standardized adversary techniques, tactics, and procedures commonly observed. Which of the following would BEST support this objective?
A. OSINT analysis
B. The Diamond Model of Intrusion Analysis
C. MITRE ATT&CK
D. Deepfake generation
E. Closed-source intelligence reporting
An organization is in frequent litigation and has a large number of legal holds. Which of the following types of functionality should the organization's new email system provide?
A. DLP
B. Encryption
C. E-discovery
D. Privacy-level agreements
In a shared responsibility model for PaaS, which of the following is a customer's responsibility?
A. Network security
B. Physical security
C. OS security
D. Host infrastructure
A SaaS startup is maturing its DevSecOps program and wants to identify weaknesses earlier in the development process in order to reduce the average time to identify serverless application vulnerabilities and the costs associated with remediation. The startup began its early security testing efforts with DAST to cover public-facing application components and recently implemented a bug bounty program. Which of the following will BEST accomplish the company’s objectives?
A. RASP
B. SAST
C. WAF
D. CMS
A company is migrating from company-owned phones to a BYOD strategy for mobile devices. The pilot program will start with the executive management team and be rolled out to the rest of the staff in phases. The company's Chief Financial Officer loses a phone multiple times a year. Which of the following will MOST likely secure the data on the lost device?
A. Require a VPN to be active to access company data.
B. Set up different profiles based on the person’s risk.
C. Remotely wipe the device.
D. Require MFA to access company applications.
Signed applications reduce risks by:
A. encrypting the application’s data on the device.
B. requiring the developer to use code-level hardening techniques.
C. providing assurance that the application is using unmodified source code.
D. costing the developer money to publish, which reduces the likelihood of malicious intent.
A security analyst is using data provided from a recent penetration test to calculate CVSS scores to prioritize remediation. Which of the following metric groups would the analyst need to determine to get the overall scores? (Choose three.)
A. Temporal
B. Availability
C. Integrity
D. Confidentiality
E. Base
F. Environmental
G. Impact
H. Attack vector
A security engineer is reviewing a record of events after a recent data breach incident that involved the following:
- A hacker conducted reconnaissance and developed a footprint of the company's Internet-facing web application assets.
- A vulnerability in a third-party library was exploited by the hacker, resulting in the compromise of a local account.
- The hacker took advantage of the account's excessive privileges to access a data store and exfiltrate the data without detection.
Which of the following is the BEST solution to help prevent this type of attack from being successful in the future?
A. Dynamic analysis
B. Secure web gateway
C. Software composition analysis
D. User behavior analysis
E. Web application firewall
A disaster recovery team learned of several mistakes that were made during the last disaster recovery parallel test. Computational resources ran out at 70% of restoration of critical services. Which of the following should be modified to prevent the issue from reoccurring?
A. Recovery point objective
B. Recovery time objective
C. Mission-essential functions
D. Recovery service level
An attack team performed a penetration test on a new smart card system. The team demonstrated that by subjecting the smart card to high temperatures, the secret key could be revealed. Which of the following side-channel attacks did the team use?
A. Differential power analysis
B. Differential fault analysis
C. Differential temperature analysis
D. Differential timing analysis
A systems administrator was given the following IOC to detect the presence of a malicious piece of software communicating with its command-and-control server:
POST /malicious.php
User-Agent: Malicious Tool V 1.0
Host: www.malicious.com
The IOC documentation suggests the URL is the only part that could change. Which of the following regular expressions would allow the systems administrator to determine if any of the company hosts are compromised, while reducing false positives?
A. User-Agent: Malicious Tool.*
B. www.malicious.com/malicious.php
C. Post /malicious.php
D. Host: [a-z]*.malicious.com
E. malicious.*
The general counsel at an organization has received written notice of upcoming litigation. The general counsel has issued a legal records hold. Which of the following actions should the organization take to comply with the request?
A. Preserve all communication matching the requested search terms.
B. Block communication with the customer while litigation is ongoing.
C. Require employees to be trained on legal record holds.
D. Request that all users do not delete any files.
A corporation discovered its internet connection is saturated with traffic originating from multiple IP addresses across the internet. A security analyst needs to find a solution to address future occurrences of this type of attack. Which of the following would be the BEST solution to meet this goal?
A. Implementing cloud-scrubbing services
B. Upgrading the internet link
C. Deploying a web application firewall
D. Provisioning a reverse proxy
In preparation for the holiday season, a company redesigned the system that manages retail sales and moved it to a cloud service provider. The new infrastructure did not meet the company's availability requirements. During a postmortem analysis, the following issues were highlighted:
1. International users reported latency when images on the web page were initially loading.
2. During times of report processing, users reported issues with inventory when attempting to place orders.
3. Despite the fact that ten new API servers were added, the load across servers was heavy at peak times.
Which of the following infrastructure design changes would be BEST for the organization to implement to avoid these issues in the future?
A. Serve static content via distributed CDNs, create a read replica of the central database and pull reports from there, and auto-scale API servers based on performance.
B. Increase the bandwidth for the server that delivers images, use a CDN, change the database to a non-relational database, and split the ten API servers across two load balancers.
C. Serve images from an object storage bucket with infrequent read times, replicate the database across different regions, and dynamically create API servers based on load.
D. Serve static-content object storage across different regions, increase the instance size on the managed relational database, and distribute the ten API servers across multiple regions.
A security assessor identified an internet-facing web service API provider that was deemed vulnerable. Execution of testssl provided the following insight: Which of the following configuration changes would BEST mitigate chosen ciphertext attacks?
A. Enable 3DES ciphers IDEA.
B. Enable export ciphers.
C. Enable PFS ciphers.
D. Enable AEAD.
A company created an external application for its customers. A security researcher now reports that the application has a serious LDAP injection vulnerability that could be leveraged to bypass authentication and authorization. Which of the following actions would BEST resolve the issue? (Choose two.)
A. Conduct input sanitization.
B. Deploy a SIEM.
C. Use containers.
D. Patch the OS.
E. Deploy a WAF.
F. Deploy a reverse proxy.
G. Deploy an IDS.
A security manager wants to transition the organization to a zero trust architecture. To meet this requirement, the security manager has instructed administrators to remove trusted zones, role-based access, and one-time authentication. Which of the following will need to be implemented to achieve this objective? (Choose three.)
A. Least privilege
B. VPN
C. Policy automation
D. PKI
E. Firewall
F. Continuous validation
G. Continuous integration
H. IaaS
A home automation company just purchased and installed tools for its SOC to enable incident identification and response on software the company develops. The company would like to prioritize defenses against the following attack scenarios:
- Unauthorized insertions into application development environments
- Authorized insiders making unauthorized changes to environment configurations
Which of the following actions will enable the data feeds needed to detect these types of attacks on development environments? (Choose two.)
A. Perform static code analysis of committed code and generate summary reports.
B. Implement an XML gateway and monitor for policy violations.
C. Monitor dependency management tools and report on susceptible third-party libraries.
D. Install an IDS on the development subnet and passively monitor for vulnerable services.
E. Model user behavior and monitor for deviations from normal.
F. Continuously monitor code commits to repositories and generate summary logs.
An executive has decided to move a company's customer-facing application to the cloud after experiencing a lengthy power outage at a locally managed service provider's data center. The executive would like a solution that can be implemented as soon as possible. Which of the following will BEST prevent similar issues when the service is running in the cloud? (Choose two.)
A. Placing the application instances in different availability zones
B. Restoring the snapshot and starting the new application instance from a different zone
C. Enabling autoscaling based on application instance usage
D. Having several application instances running in different VPCs
E. Using the combination of block storage and multiple CDNs in each application instance
F. Setting up application instances in multiple regions
A small bank is evaluating different methods to address and resolve the following requirements:
- Must be able to store credit card data using the smallest amount of data possible.
- Must be compliant with PCI DSS.
- Must maintain confidentiality if one piece of the layer is compromised.
Which of the following is the BEST solution for the bank?
A. Scrubbing
B. Tokenization
C. Masking
D. Homomorphic encryption
A security analyst receives an alert from the SIEM regarding unusual activity on an authorized public SSH jump server. To further investigate, the analyst pulls the event logs directly from /var/log/auth.log. Which of the following actions would BEST address the potential risks posed by the activity in the logs?
A. Altering the misconfigured service account password
B. Modifying the AllowUsers configuration directive
C. Restricting external port 22 access
D. Implementing host-key preferences
A cyberanalyst has been tasked with recovering PDF files from a provided image file. Which of the following is the BEST file-carving tool for PDF recovery?
A. objdump
B. Strings
C. dd
D. Foremost
When managing and mitigating SaaS cloud vendor risk, which of the following responsibilities belongs to the client?
A. Data
B. Storage
C. Physical security
D. Network
Due to locality and budget constraints, an organization's satellite office has a lower bandwidth allocation than other offices in the organization. As a result, the local security infrastructure staff is assessing architectural options that will help preserve network bandwidth and increase speed to both internal and external resources while not sacrificing threat visibility. Which of the following would be the BEST option to implement?
A. Distributed connection allocation
B. Local caching
C. Content delivery network
D. SD-WAN vertical heterogeneity
A security researcher has been given an executable that was captured by a honeypot. Which of the following should the security researcher implement to test the executable?
A. OSINT
B. SAST
C. DAST
D. OWASP
A digital forensics expert has obtained an ARM binary suspected of including malicious behavior. The expert would like to trace and analyze the ARM binary’s execution. Which of the following tools would BEST support this effort?
A. objdump
B. OllyDbg
C. FTK Imager
D. Ghidra
A security consultant needs to set up wireless security for a small office that does not have Active Directory. Despite the lack of central account management, the office manager wants to ensure a high level of defense to prevent brute-force attacks against wireless authentication. Which of the following technologies would BEST meet this need?
A. Faraday cage
B. WPA2 PSK
C. WPA3 SAE
D. WEP 128 bit
An organization had been leveraging RC4 to protect the confidentiality of a continuous, high-throughput 4K video stream but must upgrade to a more modern cipher. The new cipher must maximize speed, particularly on endpoints without crypto instruction sets or coprocessors. Which of the following is MOST likely to meet the organization's requirements?
A. ChaCha20
B. ECDSA
C. Blowfish
D. AES-GCM
E. AES-CBC
A security engineer is assessing a legacy server and needs to determine if FTP is running and on which port. The service cannot be turned off, as it would impact a critical application's ability to function. Which of the following commands would provide the information necessary to create a firewall rule to prevent that service from being exploited?
A. service --status-all | grep ftpd
B. chkconfig --list
C. netstat -tulpn
D. systemctl list-unit-file --type service ftpd
E. service ftpd status
The Chief Executive Officer (CEO) of a small wholesaler with low margins is concerned about the use of a newly developed artificial intelligence algorithm being used in the organization's marketing tool. The tool can make automated purchasing approval decisions based on data provided by customers and collected from the Internet. Which of the following is MOST likely the concern? (Choose two.)
A. Required computing power
B. Cost to maintain
C. Customer privacy
D. Adversarial attacks
E. Information bias
F. Customer approval speed
Given the following log snippet from a web server: Which of the following BEST describes this type of attack?
A. SQL injection
B. Cross-site scripting
C. Brute-force
D. Cross-site request forgery
A systems administrator is preparing to run a vulnerability scan on a set of information systems in the organization. The systems administrator wants to ensure that the targeted systems produce accurate information especially regarding configuration settings. Which of the following scan types will provide the systems administrator with the MOST accurate information?
A. A passive, credentialed scan
B. A passive, non-credentialed scan
C. An active, non-credentialed scan
D. An active, credentialed scan
An organization wants to perform a scan of all its systems against best practice security configurations. Which of the following SCAP standards, when combined, will enable the organization to view each of the configuration checks in a machine-readable checklist format for full automation? (Choose two.)
A. ARF
B. XCCDF
C. CPE
D. CVE
E. CVSS
F. OVAL
An organization does not have visibility into when company-owned assets are off network or not connected via a VPN. The lack of visibility prevents the organization from meeting security and operational objectives. Which of the following cloud-hosted solutions should the organization implement to help mitigate the risk?
A. Antivirus
B. UEBA
C. EDR
D. HIDS
A bank hired a security architect to improve its security measures against the latest threats. The solution must meet the following requirements:
- Recognize and block fake websites.
- Decrypt and scan encrypted traffic on standard and non-standard ports.
- Use multiple engines for detection and prevention.
- Have central reporting.
Which of the following is the BEST solution the security architect can propose?
A. CASB
B. Web filtering
C. NGFW
D. EDR
A company invested a total of $10 million for a new storage solution installed across five on-site datacenters. Fifty percent of the cost of this investment was for solid-state storage. Due to the high rate of wear on this storage, the company is estimating that 5% will need to be replaced per year. Which of the following is the ALE due to storage replacement?
A. $50,000
B. $125,000
C. $250,000
D. $500,000
E. $1,000,000
A pharmaceutical company was recently compromised by ransomware. Given the following EDR output from the process investigation: On which of the following devices and processes did the ransomware originate?
A. cpt-ws018, powershell.exe
B. cpt-ws026, DearCry.exe
C. cpt-ws002, NO-AV.exe
D. cpt-ws026, NO-AV.exe
E. cpt-ws002, DearCry.exe
A multinational organization was hacked, and the incident response team’s timely action prevented a major disaster. Following the event, the team created an after-action report. Which of the following is the primary goal of an after-action review?
A. To gather evidence for subsequent legal action
B. To determine the identity of the attacker
C. To identify ways to improve the response process
D. To create a plan of action and milestones
A bank has multiple subsidiaries that have independent infrastructures. The bank's support teams manage all these environments and want to use a single set of credentials. Which of the following is the BEST way to achieve this goal?
A. SSO
B. Federation
C. Cross-domain
D. Shared credentials
A partner organization is requesting that a security administrator exchange S/MIME certificates for email between the two organizations. The partner organization is most likely trying to:
A. utilize digital signatures to ensure data integrity.
B. reduce the amount of impersonation spam the organization receives.
C. enable a more decentralized IT infrastructure.
D. eliminate the organization’s business email compromise risks.
A security analyst is performing a review of a web application. During testing as a standard user, the following error log appears: Which of the following BEST describes the analyst's findings and a potential mitigation technique?
A. The findings indicate unsecure references. All potential user input needs to be properly sanitized.
B. The findings indicate unsecure protocols. All cookies should be marked as HttpOnly.
C. The findings indicate information disclosure. The displayed error message should be modified.
D. The findings indicate a SQL injection. The database needs to be upgraded.
A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack. Which of the following is the NEXT step of the incident response plan?
A. Remediation
B. Containment
C. Response
D. Recovery
A systems administrator confirms that the company's remote server is providing the following list of preferred ciphers:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
- TLS_RSA_WITH_RC4_128_SHA (0x5)
- TLS_RSA_WITH_RC4_128_MD5 (0x4)
Nevertheless, when the systems administrator's browser connects to the server, it negotiates TLS_RSA_WITH_RC4_128_MD5 (0x4), while all other employees' browsers negotiate TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030). Which of the following describes a potential attack to the systems administrator's browser?
A. A cipher mismatch
B. Key rotation
C. A downgrade attack
D. A compromised key
E. Rekeying
An internal security assessor identified large gaps in a company’s IT asset inventory system during a monthly asset review. The assessor is aware of an external audit that is underway. In an effort to avoid external findings, the assessor chooses not to report the gaps in the inventory system. Which of the following legal considerations is the assessor directly violating?
A. Due care
B. Due diligence
C. Due process
D. Due notice
The Chief Information Security Officer (CISO) is working with a new company and needs a legal document to ensure all parties understand their roles during an assessment. Which of the following should the CISO have each party sign?
A. SLA
B. ISA
C. Permissions and access
D. Rules of engagement
Ransomware encrypted the entire human resources fileshare for a large financial institution. Security operations personnel were unaware of the activity until it was too late to stop it. The restoration will take approximately four hours, and the last backup occurred 48 hours ago. The management team has indicated that the RPO for a disaster recovery event for this data classification is 24 hours. Based on RPO requirements, which of the following recommendations should the management team make?
A. Leave the current backup schedule intact and pay the ransom to decrypt the data.
B. Leave the current backup schedule intact and make the human resources fileshare read-only.
C. Increase the frequency of backups and create SIEM alerts for IOCs.
D. Decrease the frequency of backups and pay the ransom to decrypt the data.
A security analyst detected a malicious PowerShell attack on a single server. The malware used the Invoke-Expression function to execute an external malicious script. The security analyst scanned the disk with an antivirus application and did not find any IOCs. The security analyst now needs to deploy a protection solution against this type of malware. Which of the following BEST describes the type of malware the solution should protect against?
A. Worm
B. Logic bomb
C. Fileless
D. Rootkit
A security analyst has been tasked with assessing a new API. The analyst needs to be able to test for a variety of different inputs, both malicious and benign, in order to close any vulnerabilities. Which of the following should the analyst use to achieve this goal?
A. Static analysis
B. Input validation
C. Fuzz testing
D. Post-exploitation