CAS-004 Practice Test Free – 50 Real Exam Questions to Boost Your Confidence
Preparing for the CAS-004 exam? Start with our CAS-004 Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.
Taking a CAS-004 practice test free is one of the smartest ways to:
- Get familiar with the real exam format and question types
- Evaluate your strengths and spot knowledge gaps
- Gain the confidence you need to succeed on exam day
Below, you will find 50 free CAS-004 practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
Ransomware encrypted the entire human resources fileshare for a large financial institution. Security operations personnel were unaware of the activity until it was too late to stop it. The restoration will take approximately four hours, and the last backup occurred 48 hours ago. The management team has indicated that the RPO for a disaster recovery event for this data classification is 24 hours. Based on RPO requirements, which of the following recommendations should the management team make?
A. Leave the current backup schedule intact and pay the ransom to decrypt the data.
B. Leave the current backup schedule intact and make the human resources fileshare read-only.
C. Increase the frequency of backups and create SIEM alerts for IOCs.
D. Decrease the frequency of backups and pay the ransom to decrypt the data.
A vulnerability analyst identified a zero-day vulnerability in a company's internally developed software. Since the current vulnerability management system does not have any checks for this vulnerability, an engineer has been asked to create one. Which of the following would be BEST suited to meet these requirements?
A. ARF
B. ISACs
C. Node.js
D. OVAL
A cyberanalyst has been tasked with recovering PDF files from a provided image file. Which of the following is the BEST file-carving tool for PDF recovery?
A. objdump
B. Strings
C. dd
D. Foremost
Which of the following industrial protocols is most likely to be found in public utility applications, such as water or electric?
A. CIP
B. Zigbee
C. Modbus
D. DNP3
A security analyst is investigating unapproved cloud services that are being used in the organization. Which of the following would best allow for discovery of shadow IT?
A. Monitoring for sign-up emails of cloud services
B. Centralizing WAF deployment in the data center
C. Setting up a reverse proxy and web filtering software
D. Performing attack surface analysis
A DevOps team has deployed databases, event-driven services, and an API gateway as a PaaS solution that will support a new billing system. Which of the following security responsibilities will the DevOps team need to perform?
A. Securely configure the authentication mechanisms.
B. Patch the infrastructure at the operating system.
C. Execute port scanning against the services.
D. Upgrade the service as part of life-cycle management.
A systems administrator was given the following IOC to detect the presence of a malicious piece of software communicating with its command-and-control server:
POST /malicious.php
User-Agent: Malicious Tool V 1.0
Host: www.malicious.com
The IOC documentation suggests the URL is the only part that could change. Which of the following regular expressions would allow the systems administrator to determine if any of the company hosts are compromised, while reducing false positives?
A. User-Agent: Malicious Tool.*
B. www.malicious.com/malicious.php
C. Post /malicious.php
D. Host: [a-z]*.malicious.com
E. malicious.*
Users are reporting intermittent access issues with a new cloud application that was recently added to the network. Upon investigation, the security administrator notices the human resources department is able to run required queries with the new application, but the marketing department is unable to pull any needed reports on various resources using the new application. Which of the following MOST likely needs to be done to avoid this in the future?
A. Modify the ACLs.
B. Review the Active Directory.
C. Update the marketing department’s browser.
D. Reconfigure the WAF.
A vulnerability scanner detected an obsolete version of an open-source file-sharing application on one of a company's Linux servers. While the software version is no longer supported by the OSS community, the company's Linux vendor backported fixes, applied them for all current vulnerabilities, and agrees to support the software in the future. Based on this agreement, this finding is BEST categorized as a:
A. true positive.
B. true negative.
C. false positive.
D. false negative.
A security compliance requirement states that specific environments that handle sensitive data must be protected by need-to-know restrictions and can only connect to authorized endpoints. The requirement also states that a DLP solution within the environment must be used to control the data from leaving the environment. Which of the following should be implemented for privileged users so they can support the environment from their workstations while remaining compliant?
A. NAC to control authorized endpoints
B. FIM on the servers storing the data
C. A jump box in the screened subnet
D. A general VPN solution to the primary network
An organization needs to disable TLS 1.0 on a retail website. Which of the following best explains the reason for this action?
A. Payment card industry compliance requires the change.
B. Digital certificates are dependent on a newer protocol.
C. Most browser manufacturers are ending legacy support.
D. The application software no longer supports TLS 1.0.
Which of the following is the best reason for obtaining file hashes from a confiscated laptop?
A. To prevent metadata tampering on each file
B. To later validate the integrity of each file
C. To generate unique identifiers for each file
D. To preserve the chain of custody of files
A security analyst received a report that a suspicious flash drive was picked up in the office's waiting area, located beyond the secured door. The analyst investigated the drive and found malware designed to harvest and transmit credentials. Security cameras in the area where the flash drive was discovered showed a vendor representative dropping the drive. Which of the following should the analyst recommend as an additional way to identify anyone who enters the building, in the event the camera system fails?
A. Employee badge logs
B. Phone call logs
C. Vehicle registration logs
D. Visitor logs
A network administrator for a completely air-gapped and closed system has noticed that anomalous external files have been uploaded to one of the critical servers. The administrator has reviewed logs in the SIEM that were collected from security appliances, network infrastructure devices, and endpoints. Which of the following processes, if executed, would be MOST likely to expose an attacker?
A. Reviewing video from IP cameras within the facility
B. Reconfiguring the SIEM connectors to collect data from the perimeter network hosts
C. Implementing integrity checks on endpoint computing devices
D. Looking for privileged credential reuse on the network
A security researcher identified the following messages while testing a web application:
/file/admin/myprofile.php ERROR file does not exist.
/file/admin/userinfo.php ERROR file does not exist.
/file/admin/adminprofile.php ERROR file does not exist.
/file/admin/admininfo.php ERROR file does not exist.
/file/admin/universalprofile.php ERROR file does not exist.
/file/admin/universalinfo.php ERROR file does not exist.
/file/admin/restrictedprofile.php ACCESS is denied.
/file/admin/restrictedinfo.php ERROR file does not exist.
Which of the following should the researcher recommend to remediate the issue?
A. Software composition analysis
B. Packet inspection
C. Proper error handling
D. Elimination of the use of unsafe functions
A local government that is investigating a data exfiltration claim was asked to review the fingerprint of the malicious user's actions. An investigator took a forensic image of the VM and downloaded the image to a secured USB drive to share with the government. Which of the following should be taken into consideration during the process of releasing the drive to the government?
A. Encryption in transit
B. Legal issues
C. Chain of custody
D. Order of volatility
E. Key exchange
After the latest risk assessment, the Chief Information Security Officer (CISO) decides to meet with the development and security teams to find a way to reduce the security task workload. The CISO would like to:
- Have a solution that uses an API to communicate with other security tools.
- Use the latest technology possible.
- Have the highest controls possible on the solution.
Which of the following is the BEST option to meet these requirements?
A. EDR
B. CSP
C. SOAR
D. CASB
A BIA of a popular online retailer identified several mission-essential functions that would take more than seven days to recover in the event of an outage. Which of the following should be considered when setting priorities for the restoration of these functions?
A. Supply chain issues
B. Revenue generation
C. Warm-site operations
D. Scheduled impacts to future projects
A developer wants to maintain integrity to each module of a program and ensure the code cannot be altered by malicious users. Which of the following would be BEST for the developer to perform? (Choose two.)
A. Utilize code signing by a trusted third party.
B. Implement certificate-based authentication.
C. Verify MD5 hashes.
D. Compress the program with a password.
E. Encrypt with 3DES.
F. Make the DACL read-only.
A bank hired a security architect to improve its security measures against the latest threats. The solution must meet the following requirements:
- Recognize and block fake websites.
- Decrypt and scan encrypted traffic on standard and non-standard ports.
- Use multiple engines for detection and prevention.
- Have central reporting.
Which of the following is the BEST solution the security architect can propose?
A. CASB
B. Web filtering
C. NGFW
D. EDR
The results of an internal audit indicate several employees reused passwords that were previously included in a published list of compromised passwords. The company has the following employee password policy: Which of the following should be implemented to best address the password reuse issue? (Choose two.)
A. Increase the minimum age to two days.
B. Increase the history to 20.
C. Increase the character length to 12.
D. Add case-sensitive requirements to character class.
E. Decrease the maximum age to 30 days.
F. Remove the complexity requirements.
G. Increase the maximum age to 120 days.
A small company recently developed prototype technology for a military program. The company's security engineer is concerned about potential theft of the newly developed, proprietary information. Which of the following should the security engineer do to BEST manage the threats proactively?
A. Join an information-sharing community that is relevant to the company.
B. Leverage the MITRE ATT&CK framework to map the TTP.
C. Use OSINT techniques to evaluate and analyze the threats.
D. Update security awareness training to address new threats, such as best practices for data security.
An internal security audit determines that Telnet is currently being used within the environment to manage network switches. Which of the following tools should be utilized to identify credentials in plaintext that are used to log in to these devices?
A. Fuzzer
B. Network traffic analyzer
C. HTTP interceptor
D. Port scanner
E. Password cracker
A cloud security architect has been tasked with finding a solution for hardening VMs. The solution must meet the following requirements:
- Data needs to be stored outside of the VMs.
- No unauthorized modifications to the VMs are allowed.
- If a change needs to be done, a new VM needs to be deployed.
Which of the following is the best solution?
A. Immutable system
B. Data loss prevention
C. Storage area network
D. Baseline template
A security architect is reviewing the following proposed corporate firewall architecture and configuration: Both firewalls are stateful and provide Layer 7 filtering and routing. The company has the following requirements:
- Web servers must receive all updates via HTTP/S from the corporate network. Web servers should not initiate communication with the Internet.
- Web servers should only connect to preapproved corporate database servers.
- Employees' computing devices should only connect to web services over ports 80 and 443.
Which of the following should the architect recommend to ensure all requirements are met in the MOST secure manner? (Choose two.)
A. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP 80,443
B. Add the following to Firewall_A: 15 PERMIT FROM 192.168.1.0/24 TO 0.0.0.0 TCP 80,443
C. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP/UDP 0-65535
D. Add the following to Firewall_B: 15 PERMIT FROM 0.0.0.0/0 TO 10.0.0.0/16 TCP/UDP 0-65535
E. Add the following to Firewall_B: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0 TCP/UDP 0-65535
F. Add the following to Firewall_B: 15 PERMIT FROM 192.168.1.0/24 TO 10.0.2.10/32 TCP 80,443
A software development company needs to mitigate third-party risks to its software supply chain. Which of the following techniques should the company use in the development environment to best meet this objective?
A. Performing software composition analysis
B. Requiring multifactor authentication
C. Establishing coding standards and monitoring for compliance
D. Implementing a robust unit and regression-testing scheme
A cloud security architect has been tasked with selecting the appropriate solution given the following:
- The solution must allow the lowest RTO possible.
- The solution must have the least shared responsibility possible.
- Patching should be a responsibility of the CSP.
Which of the following solutions can BEST fulfil the requirements?
A. PaaS
B. IaaS
C. Private
D. SaaS
A company's Chief Information Security Officer is concerned that the company's proposed move to the cloud could lead to a lack of visibility into network traffic flow logs within the VPC. Which of the following compensating controls would be BEST to implement in this situation?
A. EDR
B. SIEM
C. HIDS
D. UEBA
A managed security provider (MSP) is engaging with a customer who was working through a complete digital transformation. Part of this transformation involves a move to cloud servers to ensure a scalable, high-performance, online user experience. The current architecture includes:
- Directory servers
- Web servers
- Database servers
- Load balancers
- Cloud-native VPN concentrator
- Remote access server
The MSP must secure this environment similarly to the infrastructure on premises. Which of the following should the MSP put in place to BEST meet this objective? (Choose three.)
A. Content delivery network
B. Virtual next-generation firewall
C. Web application firewall
D. Software-defined WAN
E. External vulnerability scans
F. Containers
The following messages are displayed when a VPN client is attempting to connect to an OpenVPN server:
OpenSSL: error: 140760FC:SSL routines: SSL23_GET_CLIENT_HELLO: unknown protocol
TLS_ERROR: BIO read tls_read_plaintext error
TLS_ERROR: TLS object->incoming plaintext read error
TLS_ERROR: TLS handshake failed
SIGUSR1 [soft, tls_error] received, client_instance restarting
Which of the following best explains the cause of these messages?
A. The client is attempting to establish an unencrypted connection with the server.
B. The server is unreachable to the client and a connection cannot be established.
C. The client is using LibreSSL libraries while the server is using OpenSSL libraries.
D. A TLS version mismatch exists between the client and the server.
A corporation discovered its internet connection is saturated with traffic originating from multiple IP addresses across the internet. A security analyst needs to find a solution to address future occurrences of this type of attack. Which of the following would be the BEST solution to meet this goal?
A. Implementing cloud-scrubbing services
B. Upgrading the internet link
C. Deploying a web application firewall
D. Provisioning a reverse proxy
A networking team was asked to provide secure remote access to all company employees. The team decided to use client-to-site VPN as a solution. During a discussion, the Chief Information Security Officer raised a security concern and asked the networking team to route the Internet traffic of remote users through the main office infrastructure. Doing this would prevent remote users from accessing the Internet through their local networks while connected to the VPN. Which of the following solutions does this describe?
A. Full tunneling
B. Asymmetric routing
C. SSH tunneling
D. Split tunneling
A company processes sensitive cardholder information that is stored in an internal production database and accessed by internet-facing web servers. The company's Chief Information Security Officer (CISO) is concerned with the risks related to sensitive data exposure and wants to implement tokenization of sensitive information at the record level. The company implements a one-to-many mapping of primary credit card numbers to temporary credit card numbers. Which of the following should the CISO consider in a tokenization system?
A. Data field watermarking
B. Field tagging
C. Single-use translation
D. Salted hashing
Company A acquired Company B. During an initial assessment, the companies discover they are using the same SSO system. To help users with the transition, Company A is requiring the following:
- Before the merger is complete, users from both companies should use a single set of usernames and passwords.
- Users in the same departments should have the same set of rights and privileges, but they should have different sets of rights and privileges if they have different IPs.
- Users from Company B should be able to access Company A's available resources.
Which of the following are the BEST solutions? (Choose two.)
A. Installing new Group Policy Object policies
B. Establishing one-way trust from Company B to Company A
C. Enabling SAML
D. Implementing attribute-based access control
E. Installing Company A’s Kerberos systems in Company B’s network
F. Updating login scripts
When a remote employee traveled overseas, the employee’s laptop and several mobile devices with proprietary tools were stolen. The security team requires technical controls be in place to ensure no electronic data is compromised or changed. Which of the following BEST meets this requirement?
A. Mobile device management with remote wipe capabilities
B. Passwordless smart card authorization with biometrics
C. Next-generation endpoint detection and response agent
D. Full disk encryption with centralized key management
A security engineer is implementing a server-side TLS configuration that provides forward secrecy and authenticated encryption with associated data. Which of the following algorithms, when combined into a cipher suite, will meet these requirements? (Choose three.)
A. EDE
B. CBC
C. GCM
D. AES
E. RSA
F. RC4
G. ECDSA
H. DH
A security analyst for a managed service provider wants to implement the most up-to-date and effective security methodologies to provide clients with the best offerings. Which of the following resources would the analyst MOST likely adopt?
A. OSINT
B. ISO
C. MITRE ATT&CK
D. OWASP
A security operations center analyst is investigating anomalous activity between a database server and an unknown external IP address and gathered the following data:
- dbadmin last logged in at 7:30 a.m. and logged out at 8:05 a.m.
- A persistent TCP/6667 connection to the external address was established at 7:55 a.m. The connection is still active.
- Other than bytes transferred to keep the connection alive, only a few kilobytes of data transfer every hour since the start of the connection.
- A sample outbound request payload from PCAP showed the ASCII content: "JOIN #community".
Which of the following is the MOST likely root cause?
A. A SQL injection was used to exfiltrate data from the database server.
B. The system has been hijacked for cryptocurrency mining.
C. A botnet Trojan is installed on the database server.
D. The dbadmin user is consulting the community for help via Internet Relay Chat.
An organization recently completed a security controls assessment. The results highlighted the following vulnerabilities:
- Out-of-date definitions
- Misconfigured operating systems
- An inability to detect active attacks
- Unimpeded access to critical servers' USB ports
Which of the following will most likely reduce the risks that were identified by the assessment team?
A. Install EDR on endpoints, configure group policy, lock server room doors, and install a camera system with guards watching 24/7.
B. Create an information security program that addresses user training, perform weekly audits of user workstations, and utilize a centralized configuration management program.
C. Update antivirus definitions, install NGFW with logging enabled, use USB port lockers, and run SCAP scans weekly.
D. Implement a vulnerability management program and a SIEM tool with alerting, install a badge system with zones, and restrict privileged access.
A user experiences an HTTPS connection error when trying to access an Internet banking website from a corporate laptop. The user then opens a browser on a mobile phone and is able to access the same Internet banking website without issue. Which of the following security configurations is MOST likely the cause of the error?
A. HSTS
B. TLS 1.2
C. Certificate pinning
D. Client authentication
In comparison with traditional on-premises infrastructure configurations, defining ACLs in a CSP relies on:
A. cloud-native applications.
B. containerization.
C. serverless configurations.
D. software-defined networking.
E. secure access service edge.
A mobile application developer is creating a global, highly scalable, secure chat application. The developer would like to ensure the application is not susceptible to on-path attacks while the user is traveling in potentially hostile regions. Which of the following would BEST achieve that goal?
A. Utilize the SAN certificate to enable a single certificate for all regions.
B. Deploy client certificates to all devices in the network.
C. Configure certificate pinning inside the application.
D. Enable HSTS on the application’s server side for all communication.
An organization needs to classify its systems and data in accordance with external requirements. Which of the following roles is best qualified to perform this task?
A. Systems administrator
B. Data owner
C. Data processor
D. Data custodian
E. Data steward
A penetration tester obtained root access on a Windows server and, according to the rules of engagement, is permitted to perform post-exploitation for persistence. Which of the following techniques would BEST support this?
A. Configuring systemd services to run automatically at startup
B. Creating a backdoor
C. Exploiting an arbitrary code execution exploit
D. Moving laterally to a more authoritative server/service
A security team received a regulatory notice asking for information regarding collusion and pricing from staff members who are no longer with the organization. The legal department provided the security team with a list of search terms to investigate. This is an example of:
A. due diligence.
B. e-discovery.
C. due care.
D. legal hold.
An organization is looking to establish more robust security measures by implementing PKI. Which of the following should the security analyst implement when considering mutual authentication?
A. Perfect forward secrecy on both endpoints
B. Shared secret for both endpoints
C. Public keys on both endpoints
D. A common public key on each endpoint
E. A common private key on each endpoint
A security assessor identified an internet-facing web service API provider that was deemed vulnerable. Execution of testssl provided the following insight: Which of the following configuration changes would BEST mitigate chosen ciphertext attacks?
A. Enable 3DES ciphers IDEA.
B. Enable export ciphers.
C. Enable PFS ciphers.
D. Enable AEAD.
A security architect must mitigate the risks from what is suspected to be an exposed, private cryptographic key. Which of the following is the BEST step to take?
A. Revoke the certificate.
B. Inform all the users of the certificate.
C. Contact the company’s Chief Information Security Officer.
D. Disable the website using the suspected certificate.
E. Alert the root CA.
A company wants to improve the security of its web applications that are running on in-house servers. A risk assessment has been performed, and the following capabilities are desired:
- Terminate SSL connections at a central location
- Manage both authentication and authorization for incoming and outgoing web service calls
- Advertise the web service API
- Implement DLP and anti-malware features
Which of the following technologies will be the BEST option?
A. WAF
B. XML gateway
C. ESB gateway
D. API gateway
When implementing serverless computing, an organization must still account for:
A. the underlying computing network infrastructure.
B. hardware compatibility.
C. the security of its data.
D. patching the service.
We regularly update this page with new practice questions, so be sure to check back frequently.
Good luck with your CAS-004 certification journey!