EMT Practice Test

1. Question Content...


Question List

Question1: A company hosts a platform-as-a-service solution with a web-based front end, through which customer interact with data sets. A security administrator needs to deploy controls to prevent application-focused attacks. Which of the following most directly supports the administrator's objective'

Question2: Developers have been creating and managing cryptographic material on their personal laptops fix use in production environment. A security engineer needs to initiate a more secure process. Which of the following is the best strategy for the engineer to use?

Question3: During the course of normal SOC operations, three anomalous events occurred and were flagged as potential IoCs. Evidence for each of these potential IoCs is provided.
INSTRUCTIONS
Review each of the events and select the appropriate analysis and remediation options for each IoC.


Question4: An organization hires a security consultant to establish a SOC that includes a threat-modeling function.
During initial activities, the consultant works with system engineers to identify antipatterns within the environment. Which of the following is most critical for the engineers to disclose to the consultant during this phase?

Question5: A company'sSIEMis designed to associate the company'sasset inventorywith user events. Given the following report:

Which of the following should asecurity engineer investigate firstas part of alog audit?

Question6: An organization is researching the automation capabilities for systems within an OT network. A security analyst wants to assist with creating secure coding practices and would like to learn about the programming languages used on the PLCs. Which of the following programming languages is the most relevant for PLCs?

Question7:
Which of the following is the security engineer most likely doing?

Question8: An organization that performs real-time financial processing is implementing a new backup solution. Given the following business requirements:
* The backup solution must reduce the risk of potential backup compromise.
* The backup solution must be resilient to a ransomware attack.
* The time to restore from backups is less important than backup data integrity.
* Multiple copies of production data must be maintained.
Which of the following backup strategies best meets these requirements?

Question9: A systems engineer is configuring SSO for a business that will be using SaaS applications for its remote-only workforce. Privileged actions in SaaS applications must be allowed only from corporate mobile devices that meet minimum security requirements, but BYOD must also be permitted for other activity. Which of the following would best meet this objective?

Question10: A security analyst is reviewing suspicious log-in activity and sees the following data in the SICM:

Which of the following is the most appropriate action for the analyst to take?

Question11: Which of the following best explains the business requirement a healthcare provider fulfills by encrypting patient data at rest?

Question12: An organization is developing on Al-enabled digital worker to help employees complete common tasks such as template development, editing, research, and scheduling. As part of the Al workload the organization wants to Implement guardrails within the platform. Which of the following should the company do to secure the Al environment?

Question13: A security analyst is reviewing the following event timeline from an COR solution:

Which of the following most likely has occurred and needs to be fixed?

Question14: All organization is concerned about insider threats from employees who have individual access to encrypted material. Which of the following techniques best addresses this issue?

Question15: A security engineer needs 10 secure the OT environment based on me following requirements
* Isolate the OT network segment
* Restrict Internet access.
* Apply security updates two workstations
* Provide remote access to third-party vendors
Which of the following design strategies should the engineer implement to best meet these requirements?

Question16: A user submits a help desk ticket stating then account does not authenticate sometimes. An analyst reviews the following logs for the user:
Which of the following best explains the reason the user's access is being denied?

Question17: A security architect is mitigating a vulnerability that previously led to a web application data breach. An analysis into the root cause of the issue finds the following:
* An administrator's account was hijacked and used on several Autonomous System Numbers within 30 minutes.
* All administrators use named accounts that require multifactor authentication.
* Single sign-on is used for all company applications.Which of the following should the security architect do to mitigate the issue?

Question18: Audit findings indicate several user endpoints are not utilizing full disk encryption During me remediation process, a compliance analyst reviews the testing details for the endpoints and notes the endpoint device configuration does not support full disk encryption Which of the following is the most likely reason me device must be replaced'

Question19: An IPSec solution is being deployed. The configuration files for both the VPN concentrator and the AAA server are shown in the diagram.
Complete the configuration files to meet the following requirements:
* The EAP method must use mutual certificate-based authentication (With issued client certificates).
* The IKEv2 Cipher suite must be configured to the MOST secure
authenticated mode of operation,
* The secret must contain at least one uppercase character, one lowercase character, one numeric character, and one special character, and it must meet a minimum length requirement of eight characters, INSTRUCTIONS Click on the AAA server and VPN concentrator to complete the configuration.
Fill in the appropriate fields and make selections from the drop-down menus.

VPN Concentrator:

AAA Server:

Question20: Which of the following key management practices ensures that an encryption key is maintained within the organization?

Question21: A security analyst is reviewing the following vulnerability assessment report:
192.168.1.5, Host = Server1, CVSS 7.5, Web Server, Remotely Executable = Yes, Exploit = Yes
205.1.3.5, Host = Server2, CVSS 6.5, Bind Server, Remotely Executable = Yes, Exploit = POC
207.1.5.7, Host = Server3, CVSS 5.5, Email Server, Remotely Executable = Yes, Exploit = Yes
192.168.1.6, Host = Server4, CVSS 9.8, Domain Controller, Remotely Executable = Yes, Exploit = Yes Which of the following should be patched first to minimize attacks against internet-facing hosts?

Question22: During a vulnerability assessment, a scan reveals the following finding:
Windows Server 2016 Missing hotfix KB87728 - CVSS 3.1 Score: 8.1 [High] - Affected host 172.16.15.2 Later in the review process, the remediation team marks the finding as a false positive. Which of the following is the best way to avoid this issue on future scans?

Question23: An organization wants to implement a platform to better identify which specific assets are affected by a given vulnerability. Which of the following components provides the best foundation to achieve this goal?

Question24: A company recently experienced an incident in which an advanced threat actor was able to shim malicious code against the hardware static of a domain controller The forensic team cryptographically validated that com the underlying firmware of the box and the operating system had not been compromised. However, the attacker was able to exfiltrate information from the server using a steganographic technique within LOAP Which of the following is me best way to reduce the risk oi reoccurrence?

Question25: Users must accept the terms presented in a captive petal when connecting to a guest network. Recently, users have reported that they are unable to access the Internet after joining the network A network engineer observes the following:
* Users should be redirected to the captive portal.
* The Motive portal runs Tl. S 1 2
* Newer browser versions encounter security errors that cannot be bypassed
* Certain websites cause unexpected re directs
Which of the following mow likely explains this behavior?

Question26: A senior security engineer flags me following log file snippet as hawing likely facilitated an attacker's lateral movement in a recent breach:

Which of the following solutions, if implemented, would mitigate the nsk of this issue reoccurnnp?

Question27: A security officer received several complaints from users about excessive MPA push notifications at night The security team investigates and suspects malicious activities regardinguser account authentication Which of the following is the best way for the security officer to restrict MI~A notifications''

Question28: A security analyst Detected unusual network traffic related to program updating processes The analyst collected artifacts from compromised user workstations. The discovered artifacts were binary files with the same name as existing, valid binaries but. with different hashes which of the following solutions would most likely prevent this situation from reoccurring?

Question29: A company must build and deploy security standards for all servers in its on-premises and cloud environments based on hardening guidelines. Which of the following solutions most likely meets the requirements?

Question30: After an incident occurred, a team reported during the lessons-learned review that the team.
* Lost important Information for further analysis.
* Did not utilize the chain of communication
* Did not follow the right steps for a proper response
Which of the following solutions is the best way to address these findinds?

Question31: A compliance officer is reviewing the data sovereignty laws in several countries where the organization has no presence Which of the following is the most likely reason for reviewing these laws?

Question32: Which of the following best explains the business requirement a healthcare provider fulfills by encrypting patient data at rest?

Question33: An organization is implementing Zero Trust architecture A systems administrator must increase the effectiveness of the organization's context-aware access system. Which of the following is the best way to improve the effectiveness of the system?

Question34: An audit finding reveals that a legacy platform has not retained loos for more than 30 days The platform has been segmented due to its interoperability with newer technology. As a temporary solution, the IT department changed the log retention to 120 days. Which of the following should the security engineer do to ensure the logs are being properly retained?

Question35: You are tasked with integrating a new B2B client application with an existing OAuth workflow that must meet the following requirements:
. The application does not need to know the users' credentials.
. An approval interaction between the users and the HTTP service must be orchestrated.
. The application must have limited access to users' data.
INSTRUCTIONS
Use the drop-down menus to select the action items for the appropriate locations. All placeholders must be filled.

Question36: A security analyst discovered requests associated with IP addresses known for born legitimate 3nd bot-related traffic. Which of the following should the analyst use to determine whether the requests are malicious?

Question37: Users are willing passwords on paper because of the number of passwords needed in an environment. Which of the following solutions is the best way to manage this situation and decrease risks?

Question38: A company wants to implement hardware security key authentication for accessing sensitive information systems The goal is to prevent unauthorized users from gaining access with a stolen password Which of the following models should the company implement to best solve this issue?

Question39: A company wants to use loT devices to manage and monitor thermostats at all facilities The thermostats must receive vendor security updates and limit access to other devices within the organization Which of the following best addresses the company's requirements''

Question40: A security analyst is performing a review of a web application. During testing as a standard user, the following error log appears:
Error Message in Database Connection
Connection to host USA-WebApp-Database failed
Database "Prod-DB01" not found
Table "CustomerInfo" not found
Please retry your request later
Which of the following best describes the analyst's findings and a potential mitigation technique?

Question41: Employees use their badges to track the number of hours they work. The badge readers cannot be upgraded due to facility constraints. The software for the badge readers uses a legacy platform and requires connectivity to the enterprise resource planning solution. Which of the following is the best to ensure the security of the badge readers?

Question42: A company reduced its staff 60 days ago, and applications are now starting to fail. The security analyst is investigating to determine if there is malicious intent for the application failures. The security analyst reviews the following logs:
Mar 5 22:09:50 akj3 sshd[21502]: Success login for userOl from 192.168.2.5 Mar 5 22:10:00 akj3 sshd[21502]: Failed login for userID from 192.168.2.5 Which of the following is the most likely reason for the application failures?

Question43: An analyst reviews a SIEM and generates the following report:

OnlyHOST002is authorized for internet traffic. Which of the following statements is accurate?

Question44: A security analyst needs to ensure email domains that send phishing attempts without previous communications are not delivered to mailboxes The following email headers are being reviewed

Which of the following is the best action for the security analyst to take?

Question45:
An organization is planning for disaster recovery and continuity of operations.
INSTRUCTIONS
Review the following scenarios and instructions. Match each relevant finding to the affected host.
After associating scenario 3 with the appropriate host(s), click the host to select the appropriate corrective action for that finding.
Each finding may be used more than once.
If at any time you would like to bring back the initial state of the simul-ation, please click the Reset All button.

Question46: An organization is required to
* Respond to internal and external inquiries in a timely manner
* Provide transparency.
* Comply with regulatory requirements
The organization has not experienced any reportable breaches but wants to be prepared if a breach occurs in the future. Which of the following is the best way for the organization to prepare?

Question47: An analyst has prepared several possible solutions to a successful attack on the company. The solutions need to be implemented with the least amount of downtime. Which of the following should the analyst perform?

Question48: An external SaaS solution user reports a bug associated with the role-based access control module. This bug allows users to bypass system logic associated with client segmentation in the multitenant deployment model.
When assessing the bug report, the developer finds that the same bug was previously identified and addressed in an earlier release. The developer then determines the bug was reintroduced when an existing software component was integrated from a prior version of the platform. Which of the following is the best way to prevent this scenario?

Question49: Recent repents indicate that a software tool is being exploited Attackers were able to bypass user access controls and load a database. A security analyst needs to find the vulnerability and recommend a mitigation.
The analyst generates the following output:

Which of the following would the analyst most likely recommend?

Question50: An organization is looking for gaps in its detection capabilities based on the APTs that may target the industry Which of the following should the security analyst use to perform threat modeling?

Question51: Which of the following best explains the importance of determining organization risk appetite when operating with a constrained budget?

Question52: A security analyst received a report that an internal web page is down after a company-wide update to the web browser Given the following error message:

Which of the following is the best way to fix this issue?

Question53: After an incident response exercise, a security administrator reviews the following table:

Which of the following should the administrator do to beat support rapid incident response in the future?

Question54: Which of the following AI concerns is most adequately addressed by input sanitation?

Question55: A user reports application access issues to the help desk. The help desk reviews the logs for the user:

Which of the following is most likely the reason for the issue?

Question56: Within a SCADA a business needs access to the historian server in order together metric about the functionality of the environment. Which of the following actions should be taken to address this requirement?

Question57: A company that relies on an COL system must keep it operating until a new solution is available Which of the following is the most secure way to meet this goal?

Question58: An organization determines existing business continuity practices areinadequateto support critical internal process dependencies during a contingency event. Acompliance analystwants the Chief Information Officer (CIO) to identify the level ofresidual riskthat is acceptable to guide remediation activities. Which of the following does the CIO need to clarify?

Question59: A company recently experienced aransomware attack. Although the company performssystems and data backupon a schedule that aligns with itsRPO (Recovery Point Objective) requirements, thebackup administratorcould not recovercritical systems and datafrom its offline backups to meet the RPO.
Eventually, the systems and data were restored with information that wassix months outside of RPO requirements.
Which of the following actions should the company take to reduce the risk of a similar attack?

Question60: After some employees were caught uploading data to online personal storage accounts, a company becomes concerned about data leaks related to sensitive, internal documentation. Which of the following would the company most likely do to decrease this type of risk?

Question61: A company plans to implement a research facility with Intellectual property data that should be protected The following is the security diagram proposed by the security architect

Which of the following security architect models is illustrated by the diagram?

Question62: A developer makes a small change to a resource allocation module on a popular social media website and causes a memory leak. During a peak utilization period, several web servers crash, causing the website to go offline. Which of the following testing techniques is the most efficient way to prevent this from reoccurring?

Question63: An auditor is reviewing the logs from a web application to determine the source of an incident. The web application architecture includes an internet-accessible application load balancer, a number of web servers in a private subnet, application servers, and one database server in a tiered configuration. The application load balancer cannot store the logs. The following are sample log snippets:
Web server logs:
192.168.1.10 - - [24/Oct/2020 11:24:34 +05:00] "GET /bin/bash" HTTP/1.1" 200 453 Safari/536.36
192.168.1.10 - - [24/Oct/2020 11:24:35 +05:00] "GET / HTTP/1.1" 200 453 Safari/536.36 Application server logs:
24/Oct/2020 11:24:34 +05:00 - 192.168.2.11 - request does not match a known local user. Querying DB
24/Oct/2020 11:24:35 +05:00 - 192.168.2.12 - root path. Begin processing Database server logs:
24/Oct/2020 11:24:34 +05:00 [Warning] 'option read_buffer_size1 unassigned value 0 adjusted to 2048
24/Oct/2020 11:24:35 +05:00 [Warning] CA certificate ca.pem is self-signed.
Which of the following should the auditor recommend to ensure future incidents can be traced back to the sources?

Question64: A user reports application access issues to the help desk. The help desk reviews the logs for the user

Which of the following is most likely The reason for the issue?

Question65: A technician is reviewing the logs and notices a large number of files were transferred to remote sites over the course of three months. This activity then stopped. The files were transferred via TLS-protected HTTP sessions from systems that do not normally send traffic to those sites. The technician will define this threat as:

Question66: A company receives reports about misconfigurations and vulnerabilities in a third-party hardware device that is part of its released products. Which of the following solutions is the best way for the company to identify possible issues at an earlier stage?

Question67: A company's internal network is experiencing a security breach, and the threat actor is still active. Due to business requirements, users in this environment are allowed to utilize multiple machines at the same time.
Given the following log snippet:

Which of the following accounts should a security analyst disable to best contain the incident without impacting valid users?

Question68: A security engineer is implementing a code signing requirement for all code developed by the organization.
Currently, the PKI only generates website certificates. Which of the following steps should the engineer perform first?

Question69: During a periodic internal audit, a company identifies a few new, critical security controls that are missing.
The company has a mature risk management program in place, and the following requirements must be met:
* The stakeholders should be able to see all the risks.
* The risks need to have someone accountable for them.
Which of the following actions should the GRC analyst take next?

Question70: Company A and Company D ate merging Company A's compliance reports indicate branch protections are not in place A security analyst needs to ensure that potential threats to the software development life cycle are addressed. Which of the following should me analyst cons<der when completing this basic?

Question71: A security engineer must ensure that sensitive corporate information is not exposed if a company laptop is stolen. Which of the following actions best addresses this requirement?

Question72: A news organization wants to implement workflows that allow users to request that untruthful data be retraced and scrubbed from online publications to comply with the right to be forgotten Which of the following regulations is the organization most likely trying to address'

Question73: A company wants to invest in research capabilities with the goal to operationalize the research output. Which of the following is the best option for a security architect to recommend?

Question74: A company wants to protect against the most common attacks and rapidly integrate with different programming languages. Which of the following technologies is most likely to meet this need?

Question75: An organization has been using self-managed encryption keys rather than the free keys managed by the cloud provider. The Chief Information Security Officer (CISO) reviews the monthly bill and realizes the self- managed keys are more costly than anticipated. Which of the following should the CISO recommend to reduce costs while maintaining a strong security posture?

Question76: Which of the following is the main reason quantum computing advancements are leading companies and countries to deploy new encryption algorithms?

Question77: A threat hunter is identifying potentially malicious activity associated with an APT. When the threat hunter runs queries against the SIEM platform with a date range of 60 to 90 days ago, the involved account seems to be typically most active in the evenings. When the threat hunter reruns the same query with a date range of 5 to 30 days ago, the account appears to be most active in the early morning. Which of the following techniques is the threat hunter using to better understand the data?

Question78: A network engineer must ensure that always-on VPN access is enabled Curt restricted to company assets Which of the following best describes what the engineer needs to do''

Question79: A security analyst received a notification from a cloud service provider regarding an attack detected on a web server The cloud service provider shared the following information about the attack:
* The attack came from inside the network.
* The attacking source IP was from the internal vulnerability scanners.
* The scanner is not configured to target the cloud servers.
Which of the following actions should the security analyst take first?

Question80: A software company deployed a new application based on its internal code repository Several customers are reporting anti-malware alerts on workstations used to test the application Which of the following is the most likely cause of the alerts?

Question81: An organization is prioritizing efforts to remediate or mitigate risks identified during the latest assessment.
For one of the risks, a full remediation was not possible, but the organization was able to successfully apply mitigations to reduce the likelihood of the impact. Which of the following should the organization perform next?