EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following is the proper way to quantify the total monetary damage resulting from an exploited
vulnerability?

Question2: A system administrator wants to provide balance between the security of a wireless network and usability.
The administrator is concerned with wireless encryption compatibility of older devices used by some
employees. Which of the following would provide strong security and backward compatibility when
accessing the wireless network?

Question3: An organization wants to utilize a common, Internet-based third-party provider for authorization and
authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which
of the following technologies is the provider referring?

Question4: A network administrator needs to allocate a new network for the R&D group. The network must not be
accessible from the Internet regardless of the network firewall or other external misconfigurations. Which of
the following settings should the network administrator implement to accomplish this?

Question5: The availability of a system has been labeled as the highest priority. Which of the following should be
focused on the MOST to ensure the objective?

Question6: A new security administrator ran a vulnerability scanner for the first time and caused a system outage.
Which of the following types of scans MOST likely caused the outage?

Question7: A company is evaluating cloud providers to reduce the cost of its internal IT operations. The company's
aging systems are unable to keep up with customer demand. Which of the following cloud models will the
company MOST likely select?

Question8: While performing surveillance activities, an attacker determines that an organization is using 802.1X to
secure LAN access.
Which of the following attack mechanisms can the attacker utilize to bypass the identified network
security?

Question9: When considering a third-party cloud service provider, which of the following criteria would be the BEST to
include in the security assessment process? (Select two.)

Question10: Users report the following message appears when browsing to the company's secure site: This website
cannot be trusted.Which of the following actions should a security analyst take to resolve these
messages? (Select two.)

Question11: Which of the following attacks specifically impact data availability?

Question12: Legal authorities notify a company that its network has been compromised for the second time in two
years. The investigation shows the attackers were able to use the same vulnerability on different systems
in both attacks.
Which of the following would have allowed the security team to use historical information to protect against
the second attack?

Question13: An organization wishes to provide better security for its name resolution services. Which of the following
technologies BEST supports the deployment of DNSSEC at the organization?

Question14: After a routine audit, a company discovers that engineering documents have been leaving the network on
a particular port. The company must allow outbound traffic on this port, as it has a legitimate business use.
Blocking the port would cause an outage. Which of the following technology controls should the company
implement?

Question15: A member of a digital forensics team, Joe arrives at a crime scene and is preparing to collect system data.
Before powering the system off, Joe knows that he must collect the most volatile date first.
Which of the following is the correct order in which Joe should collect the data?

Question16: A security program manager wants to actively test the security posture of a system. The system is not yet
in production and has no uptime requirement or active user base.
Which of the following methods will produce a report which shows vulnerabilities that were actually
exploited?

Question17: Which of the following encryption methods does PKI typically use to securely protect keys?

Question18: As part of the SDLC, a third party is hired to perform a penetration test. The third party will have access to
the source code, integration tests, and network diagrams. Which of the following BEST describes the
assessment being performed?

Question19: A system administrator wants to provide for and enforce wireless access accountability during events
where external speakers are invited to make presentations to a mixed audience of employees and non-
employees. Which of the following should the administrator implement?

Question20: Company A agrees to provide perimeter protection, power, and environmental support with
measurable goals for Company B, but will not be responsible for user authentication or patching of
operating systems within the perimeter.
Which of the following is being described?

Question21: A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover
the domain controller, the systems administrator needs to provide the domain administrator credentials.
Which of the following account types is the systems administrator using?

Question22: An attacker wearing a building maintenance uniform approached a company's receptionist asking for
access to a secure area. The receptionist asks for identification, a building access badge and checks the
company's list approved maintenance personnel prior to granting physical access to the secure are.
The controls used by the receptionist are in place to prevent which of the following types of attacks?

Question23: Which of the following are used to increase the computing time it takes to brute force a password using an
offline attack? (Select TWO)

Question24: Which of the following are methods to implement HA in a web application server environment? (Select
two.)

Question25: A development team has adopted a new approach to projects in which feedback is iterative and multiple
iterations of deployments are provided within an application's full life cycle. Which of the following software
development methodologies is the development team using?

Question26: In determining when it may be necessary to perform a credentialed scan against a system instead of a
non-credentialed scan, which of the following requirements is MOST likely to influence this decision?

Question27: A security analyst is hardening a WiFi infrastructure.
The primary requirements are the following:
The infrastructure must allow staff to authenticate using the most secure method.

The infrastructure must allow guests to use an "open" WiFi network that logs valid email addresses

before granting access to the Internet.
Given these requirements, which of the following statements BEST represents what the analyst should
recommend and configure?

Question28: An in-house penetration tester is using a packet capture device to listen in on network communications.
This is an example of:

Question29: A company has a data classification system with definitions for "Private" and "Public". The company's
security policy outlines how data should be protected based on type. The company recently added the data
type "Proprietary".
Which of the following is the MOST likely reason the company added this data type?

Question30: A security administrator receives an alert from a third-party vendor that indicates a certificate that was
installed in the browser has been hijacked at the root of a small public CA. The security administrator
knows there are at least four different browsers in use on more than a thousand computers in the domain
worldwide.
Which of the following solutions would be BEST for the security administrator to implement to most
efficiently assist with this issue?

Question31: Which of the following would meet the requirements for multifactor authentication?

Question32: A new firewall has been places into service at an organization. However, a configuration has not been
entered on the firewall. Employees on the network segment covered by the new firewall report they are
unable to access the network. Which of the following steps should be completed to BEST resolve the
issue?

Question33: To help prevent one job role from having sufficient access to create, modify, and approve payroll data,
which of the following practices should be employed?

Question34: A security guard has informed the Chief Information Security Officer that a person with a tablet has been
walking around the building. The guard also noticed strange white markings in different areas of the
parking lot.
The person is attempting which of the following types of attacks?

Question35: A security administrator suspects that a DDoS attack is affecting the DNS server. The administrator
accesses a workstation with the hostname of workstation01 on the network and obtains the following
output from the ipconfig command:

The administrator successfully pings the DNS server from the workstation. Which of the following
commands should be issued from the workstation to verify the DDoS attack is no longer occuring?

Question36: Joe a website administrator believes he owns the intellectual property for a company invention and has
been replacing image files on the company's public facing website in the DMZ. Joe is using steganography
to hide stolen data.
Which of the following controls can be implemented to mitigate this type of inside threat?

Question37: A member of the admins group reports being unable to modify the "changes" file on a server.
The permissions on the file are as follows:
Permissions User Group File
-rwxrw-r--+ Admins Admins changes
Based on the output above, which of the following BEST explains why the user is unable to modify the
"changes" file?

Question38: A security analyst is investigating a suspected security breach and discovers the following in the logs of the
potentially compromised server:

Which of the following would be the BEST method for preventing this type of suspected attack in the
future?

Question39: A company recently replaced its unsecure email server with a cloud-based email and collaboration solution
that is managed and insured by a third party. Which of the following actions did the company take
regarding risks related to its email and collaboration services?

Question40: Which of the following threats has sufficient knowledge to cause the MOST danger to an organization?

Question41: An organization has implemented an IPSec VPN access for remote users.
Which of the following IPSec modes would be the MOST secure for this organization to implement?

Question42: A security administrator suspects that data on a server has been exhilarated as a result of un- authorized
remote access.
Which of the following would assist the administrator in con-firming the suspicions? (Select TWO)

Question43: A security engineer is faced with competing requirements from the networking group and database
administrators. The database administrators would like ten application servers on the same subnet for
ease of administration, whereas the networking group would like to segment all applications from one
another.
Which of the following should the security administrator do to rectify this issue?

Question44: Two users need to send each other emails over unsecured channels. The system should support the
principle of non-repudiation. Which of the following should be used to sign the user's certificates?

Question45: Which of the following AES modes of operation provide authentication? (Select two.)

Question46: Joe, a salesman, was assigned to a new project that requires him to travel to a client site. While waiting for
a flight, Joe, decides to connect to the airport wireless network without connecting to a VPN, and the sends
confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon
investigation, the company learns Joe's emails were intercepted. Which of the following MOST likely
caused the data breach?

Question47: During a third-party audit, it is determined that a member of the firewall team can request, approve, and
implement a new rule-set on the firewall.
Which of the following will the audit team most l likely recommend during the audit out brief?

Question48: A security analyst is hardening an authentication server. One of the primary requirements is to ensure
there is mutual authentication and delegation. Given these requirements, which of the following
technologies should the analyst recommend and configure?

Question49: A datacenter recently experienced a breach. When access was gained, an RF device was used to access
an air-gapped and locked server rack. Which of the following would BEST prevent this type of attack?

Question50: Refer to the following code:

Which of the following vulnerabilities would occur if this is executed?

Question51: A new hire wants to use a personally owned phone to access company resources. The new hire expresses
concern about what happens to the data on the phone when they leave the company.
Which of the following portions of the company's mobile device management configuration would allow the
company data to be removed from the device without touching the new hire's data?

Question52: To reduce disk consumption, an organization's legal department has recently approved a new policy
setting the data retention period for sent email at six months. Which of the following is the BEST way to
ensure this goal is met?

Question53: A security administrator is tasked with implementing centralized management of all network devices.
Network administrators will be required to logon to network devices using their LDAP credentials. All
command executed by network administrators on network devices must fall within a preset list of
authorized commands and must be logged to a central facility.
Which of the following configuration commands should be implemented to enforce this requirement?

Question54: A technician has installed new vulnerability scanner software on a server that is joined to the company
domain. The vulnerability scanner is able to provide visibility over the patch posture of all company's
clients.
Which of the following is being used?

Question55: A penetration tester is conducting an assessment on Comptia.org and runs the following command from a
coffee shop while connected to the public Internet: c:\nslookup -querytype=MX comptia.org
Server: Unknown
Address: 198.51.100.45
comptia.org MX preference=10, mail exchanger = 92.68.102.33 comptia.org MX preference=20, mail
exchanger = exchg1.comptia.org exchg1.comptia.org internet address = 192.168.102.67
Which of the following should the penetration tester conclude about the command output?

Question56: A company is developing a new system that will unlock a computer automatically when an authorized user
sits in front of it, and then lock the computer when the user leaves. The user does not have to perform any
action for this process to occur. Which of the following technologies provides this capability?

Question57: Which of the following techniques can be bypass a user or computer's web browser privacy settings?
(Select Two)

Question58: An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not
confidentiality protection.
Which of the following AES modes of operation would meet this integrity-only requirement?

Question59: During a routine vulnerability assessment, the following command was successful:
echo "vrfy 'perl -e 'print "hi" x 500 ' ' " | nc www.company.com 25
Which of the following vulnerabilities is being exploited?

Question60: An attack that is using interference as its main attack to impede network traffic is which of the following?

Question61: A network administrator wants to implement a method of securing internal routing. Which of the following
should the administrator implement?

Question62: A wireless network uses a RADIUS server that is connected to an authenticator, which in turn connects to
a supplicant. Which of the following represents the authentication architecture in use?

Question63: An incident responder receives a call from a user who reports a computer is exhibiting symptoms
consistent with a malware infection. Which of the following steps should the responder perform NEXT?

Question64: A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries
prior to transmission over untrusted media. Which of the following BEST describes the action performed by
this type of application?

Question65: Which of the following is the BEST explanation of why control diversity is important in a defense-in-depth
architecture?

Question66: A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a
requirement for this configuration?

Question67: Which of the following cryptographic algorithms is irreversible?

Question68: A workstation puts out a network request to locate another system. Joe, a hacker on the network,
responds before the real system does, and he tricks the workstation into communicating with him. Which of
the following BEST describes what occurred?

Question69: An organization uses SSO authentication for employee access to network resources. When an employee
resigns, as per the organization's security policy, the employee's access to all network resources is
terminated immediately. Two weeks later, the former employee sends an email to the help desk for a
password reset to access payroll information from the human resources server. Which of the following
represents the BEST course of action?

Question70: The IT department is deploying new computers. To ease the transition, users will be allowed to access
their old and new systems.
The help desk is receive reports that users are experiencing the following error when attempting to log in
to their previous system:
Logon Failure: Access Denied
Which of the following can cause this issue?

Question71: Which of the following implements two-factor authentication?

Question72: A Chief Information Officer (CIO) recently saw on the news that a significant security flaws exists with a
specific version of a technology the company uses to support many critical application. The CIO wants to
know if this reported vulnerability exists in the organization and, if so, to what extent the company could be
harmed.
Which of the following would BEST provide the needed information?

Question73: Which of the following is an asymmetric function that generates a new and separate key every time it runs?

Question74: Which of the following are MOST susceptible to birthday attacks?

Question75: Which of the following must be intact for evidence to be admissible in court?

Question76: A company researched the root cause of a recent vulnerability in its software. It was determined that the
vulnerability was the result of two updates made in the last release. Each update alone would not have
resulted in the vulnerability.
In order to prevent similar situations in the future, the company should improve which of the following?

Question77: An attacker compromises a public CA and issues unauthorized X.509 certificates for Company.com. In the
future, Company.com wants to mitigate the impact of similar incidents. Which of the following would assist
Company.com with its goal?

Question78: Which of the following specifically describes the exploitation of an interactive process to access otherwise
restricted areas of the OS?

Question79: A mobile device user is concerned about geographic positioning information being included in messages
sent between users on a popular social network platform. The user turns off the functionality in the
application, but wants to ensure the application cannot re-enable the setting without the knowledge of the
user.
Which of the following mobile device capabilities should the user disable to achieve the stated goal?

Question80: The Chief Executive Officer (CEO) of a major defense contracting company a traveling overseas for a
conference. The CEO will be taking a laptop.
Which of the following should the security administrator implement to ensure confidentiality of the data if
the laptop were to be stolen or lost during the trip?

Question81: A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions,
and registry values known to be associated with system vulnerabilities. Which of the following BEST
describes the type of scan being performed?

Question82: An information security analyst needs to work with an employee who can answer questions about how
data for a specific system is used in the business. The analyst should seek out an employee who has the
role of:

Question83: A security analyst wants to harden the company's VoIP PBX. The analyst is worried that credentials may
be intercepted and compromised when IP phones authenticate with the BPX. Which of the following would
best prevent this from occurring?

Question84: Which of the following refers to the term used to restore a system to its operational state?

Question85: An administrator thinks the UNIX systems may be compromised, but a review of system log files provides
no useful information. After discussing the situation with the security team, the administrator suspects that
the attacker may be altering the log files and removing evidence of intrusion activity.
Which of the following actions will help detect attacker attempts to further alter log files?

Question86: Which of the following should a security analyst perform FIRST to determine the vulnerabilities of a
legacy system?

Question87: Several workstations on a network are found to be on OS versions that are vulnerable to a specific attack.
Which of the following is considered to be a corrective action to combat this vulnerability?

Question88: A security administrator has found a hash in the environment known to belong to malware. The
administrator then finds this file to be in in the preupdate area of the OS, which indicates it was pushed
from the central patch system.
File: winx86_adobe_flash_upgrade.exe
Hash: 99ac28bede43ab869b853ba62c4ea243
The administrator pulls a report from the patch management system with the following output:

Given the above outputs, which of the following MOST likely happened?

Question89: Before an infection was detected, several of the infected devices attempted to access a URL that was
similar to the company name but with two letters transposed. Which of the following BEST describes the
attack vector used to infect the devices?

Question90: A web developer improves client access to the company's REST API. Authentication needs to be
tokenized but not expose the client's password.
Which of the following methods would BEST meet the developer's requirements?

Question91: A security administrator returning from a short vacation receives an account lock-out message when
attempting to log into the computer. After getting the account unlocked the security administrator
immediately notices a large amount of emails alerts pertaining to several different user accounts being
locked out during the past three days. The security administrator uses system logs to determine that the
lock-outs were due to a brute force attack on all accounts that has been previously logged into that
machine.
Which of the following can be implemented to reduce the likelihood of this attack going undetected?

Question92: A company stores highly sensitive data files used by the accounting system on a server file share.
The accounting system uses a service account named accounting-svc to access the file share.
The data is protected will a full disk encryption, and the permissions are set as follows:
File system permissions: Users = Read Only
Share permission: accounting-svc = Read Only
Given the listed protections are in place and unchanged, to which of the following risks is the data still
subject?

Question93: A software developer wants to ensure that the application is verifying that a key is valid before establishing
SSL connections with random remote hosts on the Internet.
Which of the following should be used in the code? (Select TWO.)

Question94: An attacker discovers a new vulnerability in an enterprise application. The attacker takes advantage of the
vulnerability by developing new malware. After installing the malware, the attacker is provided with access
to the infected machine.
Which of the following is being described?

Question95: An attacker uses a network sniffer to capture the packets of a transaction that adds $20 to a gift card. The
attacker then user a function of the sniffer to push those packets back onto the network again, adding
another $20 to the gift card. This can be done many times.
Which of the following describes this type of attack?

Question96: A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve
the company's security posture quickly with regard to targeted attacks.
Which of the following should the CSO conduct FIRST?

Question97: An analyst receives an alert from the SIEM showing an IP address that does not belong to the assigned
network can be seen sending packets to the wrong gateway.
Which of the following network devices is misconfigured and which of the following should be done to
remediate the issue?

Question98: A security analyst is working on a project that requires the implementation of a stream cipher. Which of the
following should the analyst use?

Question99: A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant
items.
Which of the following BEST describe why this has occurred? (Select TWO)

Question100: A vice president at a manufacturing organization is concerned about desktops being connected to the
network. Employees need to log onto the desktops' local account to verify that a product is being created
within specifications; otherwise, the desktops should be as isolated as possible. Which of the following is
the BEST way to accomplish this?

Question101: An organization is working with a cloud services provider to transition critical business applications to a
hybrid cloud environment. The organization retains sensitive customer data and wants to ensure the
provider has sufficient administrative and logical controls in place to protect its data.
In which of the following documents would this concern MOST likely be addressed?

Question102: A security analyst is inspecting the results of a recent internal vulnerability scan that was performed
against intranet services.
The scan reports include the following critical-rated vulnerability: Title: Remote Command Execution
vulnerability in web server Rating: Critical (CVSS 10.0)
Threat actor: any remote user of the web server
Confidence: certain
Recommendation: apply vendor patches
Which of the following actions should the security analyst perform FIRST?

Question103: In a corporation where compute utilization spikes several times a year, the Chief Information Officer (CIO)
has requested a cost-effective architecture to handle the variable capacity demand. Which of the following
characteristics BEST describes what the CIO has requested?

Question104: Two users must encrypt and transmit large amounts of data between them.
Which of the following should they use to encrypt and transmit the data?

Question105: After a user reports stow computer performance, a systems administrator detects a suspicious file, which
was installed as part of a freeware software package.
The systems administrator reviews the output below:

Based on the above information, which of the following types of malware was installed on the user's
computer?

Question106: To determine the ALE of a particular risk, which of the following must be calculated? (Select two.)

Question107: A user clicked an email link that led to a website than infected the workstation with a virus. The virus
encrypted all the network shares to which the user had access. The virus was not deleted or blocked by
the company's email filter, website filter, or antivirus. Which of the following describes what occurred?

Question108: An audit reported has identifies a weakness that could allow unauthorized personnel access to the facility
at its main entrance and from there gain access to the network. Which of the following would BEST resolve
the vulnerability?

Question109: Joe, a user, wants to send Ann, another user, a confidential document electronically. Which of the
following should Joe do to ensure the document is protected from eavesdropping?

Question110: A datacenter manager has been asked to prioritize critical system recovery priorities.
Which of the following is the MOST critical for immediate recovery?

Question111: A security analyst is hardening a server with the directory services role installed. The analyst must ensure
LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients. Which of the
following should the analyst implement to meet these requirements? (Select two.)

Question112: A home invasion occurred recently in which an intruder compromised a home network and accessed a
WiFI- enabled baby monitor while the baby's parents were sleeping.
Which of the following BEST describes how the intruder accessed the monitor?

Question113: An organization's file server has been virtualized to reduce costs. Which of the following types of backups
would be MOST appropriate for the particular file server?

Question114: An administrator discovers the following log entry on a server:
Nov 12 2013 00:23:45 httpd[2342]: GET
/app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow
Which of the following attacks is being attempted?

Question115: Which of the following attack types is being carried out where a target is being sent unsolicited messages
via Bluetooth?

Question116: New magnetic locks were ordered for an entire building. In accordance with company policy, employee
safety is the top priority.
In case of a fire where electricity is cut, which of the following should be taken into consideration when
installing the new locks?

Question117: Following the successful response to a data-leakage incident, the incident team lead facilitates an exercise
that focuses on continuous improvement of the organization's incident response capabilities. Which of the
following activities has the incident team lead executed?

Question118: Which of the following technologies would be MOST appropriate to utilize when testing a new software
patch before a company-wide deployment?

Question119: A user has attempted to access data at a higher classification level than the user's account is currently
authorized to access. Which of the following access control models has been applied to this user's
account?

Question120: Which of the following penetration testing concepts is being used when an attacker uses public Internet
databases to enumerate and learn more about a target?

Question121: Ann, a customer, is reporting that several important files are missing from her workstation. She recently
received communication from an unknown party who is requesting funds to restore the files. Which of the
following attacks has occurred?

Question122: Which of the following is used to validate the integrity of data?

Question123: Which of the following characteristics differentiate a rainbow table attack from a brute force attack? (Select
two.)

Question124: Many employees are receiving email messages similar to the one shown below:
From IT department
To employee
Subject email quota exceeded
Pease click on the following link http:www.website.info/email.php?quota=1Gb and provide your username
and password to increase your email quota. Upon reviewing other similar emails, the security administrator
realized that all the phishing URLs have the following common elements; they all use HTTP, they all come
from .info domains, and they all contain the same URI.
Which of the following should the security administrator configure on the corporate content filter to prevent
users from accessing the phishing URL, while at the same time minimizing false positives?

Question125: A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover
the domain controller, the systems administrator needs to provide the domain administrator credentials.
Which of the following account types is the systems administrator using?

Question126: A company hires a consulting firm to crawl its Active Directory network with a non-domain account looking
for unpatched systems. Actively taking control of systems is out of scope, as is the creation of new
administrator accounts. For which of the following is the company hiring the consulting firm?

Question127: A forensic investigator has run into difficulty recovering usable files from a SAN drive. Which of the
following SAN features might have caused the problem?

Question128: An organization recently moved its custom web applications to the cloud, and it is obtaining managed
services of the back-end environment as part of its subscription. Which of the following types of services is
this company now using?

Question129: Ann, a user, reports she is unable to access an application from her desktop. A security analyst verifies
Ann's access and checks the SIEM for any errors. The security analyst reviews the log file from Ann's
system and notices the following output:

Which of the following is MOST likely preventing Ann from accessing the application from the desktop?

Question130: Confidential emails from an organization were posted to a website without the organization's knowledge.
Upon investigation, it was determined that the emails were obtained from an internal actor who sniffed the
emails in plain text.
Which of the following protocols, if properly implemented, would have MOST likely prevented the emails
from being sniffed? (Select TWO)

Question131: An administrator is configuring access to information located on a network file server named "Bowman".
The files are located in a folder named "BalkFiles". The files are only for use by the "Matthews" division and
should be read-only. The security policy requires permissions for shares to be managed at the file system
layer and also requires those permissions to be set according to a least privilege model. Security policy for
this data type also dictates that administrator-level accounts on the system have full access to the files.
The administrator configures the file share according to the following table:

Which of the following rows has been misconfigured?

Question132: While troubleshooting a client application connecting to the network, the security administrator notices the
following error: Certificate is not valid.
Which of the following is the BEST way to check if the digital certificate is valid?

Question133: A system's administrator has finished configuring firewall ACL to allow access to a new web server.

The security administrator confirms form the following packet capture that there is network traffic from the
internet to the web server:

The company's internal auditor issues a security finding and requests that immediate action be taken. With
which of the following is the auditor MOST concerned?

Question134: Which of the following locations contain the MOST volatile data?

Question135: Due to regulatory requirements, a security analyst must implement full drive encryption on a Windows file
server.
Which of the following should the analyst implement on the system to BEST meet this requirement?
(Choose two.)

Question136: When generating a request for a new x.509 certificate for securing a website, which of the following is the
MOST appropriate hashing algorithm?

Question137: A server administrator needs to administer a server remotely using RDP, but the specified port is closed on
the outbound firewall on the network.
The access the server using RDP on a port other than the typical registered port for the RDP protocol?

Question138: An information security specialist is reviewing the following output from a Linux server.

Based on the above information, which of the following types of malware was installed on the server?

Question139: Systems administrator and key support staff come together to simulate a hypothetical interruption of
service. The team updates the disaster recovery processes and documentation after meeting. Which of the
following describes the team's efforts?

Question140: Which of the following types of penetration test will allow the tester to have access only to password
hashes prior to the penetration test?

Question141: An office manager found a folder that included documents with various types of data relating to corporate
clients. The office manager notified the data included dates of birth, addresses, and phone numbers for the
clients. The office manager then reported this finding to the security compliance officer. Which of the
following portions of the policy would the security officer need to consult to determine if a breach has
occurred?

Question142: Joe, a user, has been trying to send Ann, a different user, an encrypted document via email. Ann has not
received the attachment but is able to receive the header information.
Which of the following is MOST likely preventing Ann from receiving the encrypted file?

Question143: An attacker captures the encrypted communication between two parties for a week, but is unable to
decrypt the messages. The attacker then compromises the session key during one exchange and
successfully compromises a single message. The attacker plans to use this key to decrypt previously
captured and future communications, but is unable to.
This is because the encryption scheme in use adheres to:

Question144: Which of the following delineates why it is important to perform egress filtering and monitoring on Internet
connected security zones of interfaces on a firewall?

Question145: Which of the following can be provided to an AAA system for the identification phase?

Question146: A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all
employees must have their badges rekeyed at least annually. Which of the following controls BEST
describes this policy?

Question147: Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate- based
authentication with its users. The company uses SSL-inspecting IDS at its network boundary and is
concerned about the confidentiality of the mutual authentication.
Which of the following model prevents the IDS from capturing credentials used to authenticate users to the
new service or keys to decrypt that communication?

Question148: Company A has acquired Company B.
Company A has different domains spread globally, and typically
migrates its acquisitions infrastructure under its own domain infrastructure. Company B, however, cannot
be merged into Company A's domain infrastructure.
Which of the following methods would allow the two companies to access one another's resources?

Question149: A network administrator at a small office wants to simplify the configuration of mobile clients connecting to
an encrypted wireless network. Which of the following should be implemented in the administrator does not
want to provide the wireless password or he certificate to the employees?

Question150: A user receives an email from ISP indicating malicious traffic coming from the user's home network is
detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on
the news as being taken offline by an Internet attack. The only Linux device on the network is a home
surveillance camera system.
Which of the following BEST describes what is happening?

Question151: A company is developing a new secure technology and requires computers being used for development to
be isolated. Which of the following should be implemented to provide the MOST secure environment?

Question152: A security administrator needs to address the following audit recommendations for a public-facing
SFTP server:
Users should be restricted to upload and download files to their own home directories only.
Users should not be allowed to use interactive shell login.
Which of the following configuration parameters should be implemented? (Select TWO).

Question153: Joe, a technician, is working remotely with his company provided laptop at the coffee shop near his home.
Joe is concerned that another patron of the coffee shop may be trying to access his laptop.
Which of the following is an appropriate control to use to prevent the other patron from accessing Joe's
laptop directly?

Question154: A supervisor in your organization was demoted on Friday afternoon. The supervisor had the ability to
modify the contents of a confidential database, as well as other managerial permissions. On Monday
morning, the database administrator reported that log files indicated that several records were missing
from the database.
Which of the following risk mitigation strategies should have been implemented when the supervisor was
demoted?

Question155: The chief security officer (CS0) has issued a new policy that requires that all internal websites be
configured for HTTPS traffic only. The network administrator has been tasked to update all internal sites
without incurring additional costs.
Which of the following is the best solution for the network administrator to secure each internal website?

Question156: A security analyst is securing smartphones and laptops for a highly mobile workforce.
Priorities include:
Remote wipe capabilities

Geolocation services

Patch management and reporting

Mandatory screen locks

Ability to require passcodes and pins

Ability to require encryption

Which of the following would BEST meet these requirements?

Question157: Which of the following is the GREATEST risk to a company by allowing employees to physically bring their
personal smartphones to work?

Question158: An external auditor visits the human resources department and performs a physical security assessment.
The auditor observed documents on printers that are unclaimed. A closer look at these documents reveals
employee names, addresses, ages, and types of medical and dental coverage options each employee has
selected.
Which of the following is the MOST appropriate actions to take?

Question159: The help desk received a call after hours from an employee who was attempting to log into the payroll
server remotely. When the help desk returned the call the next morning, the employee was able to log into
the server remotely without incident. However, the incident occurred again the next evening.
Which of the following BEST describes the cause of the issue?

Question160: A web server, which is configured to use TLS with AES-GCM-256, SHA-384, and ECDSA, recently
suffered an information loss breach.
Which of the following is MOST likely the cause?

Question161: The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to upgrade the
entire corporate IT infrastructure. The architecture consists of a centralized cloud environment hosting the
majority of data, small server clusters at each corporate location to handle the majority of customer
transaction processing, ATMs, and a new mobile banking application accessible from smartphones,
tablets, and the Internet via HTTP. The corporation does business having varying data retention and
privacy laws.
Which of the following technical modifications to the architecture and corresponding security controls
should be implemented to provide the MOST complete protection of data?

Question162: Which of the following is the LEAST secure hashing algorithm?

Question163: After a merger, it was determined that several individuals could perform the tasks of a network
administrator in the merged organization. Which of the following should have been performed to ensure
that employees have proper access?

Question164: A security administrator has been tasked with improving the overall security posture related to desktop
machines on the network. An auditor has recently that several machines with confidential customer
information displayed in the screens are left unattended during the course of the day.
Which of the following could the security administrator implement to reduce the risk associated with the
finding?

Question165: Malware that changes its binary pattern on specific dates at specific times to avoid detection is known as a
(n):

Question166: A company's AUP requires:
Passwords must meet complexity requirements.

Passwords are changed at least once every six months.

Passwords must be at least eight characters long.

An auditor is reviewing the following report:

Which of the following controls should the auditor recommend to enforce the AUP?

Question167: Ann, a security administrator, has been instructed to perform fuzz-based testing on the company's
applications.
Which of the following best describes what she will do?

Question168: An analyst wants to implement a more secure wireless authentication for office access points. Which of the
following technologies allows for encrypted authentication of wireless clients over TLS?

Question169: When performing data acquisition on a workstation, which of the following should be captured based on
memory volatility? (Select two.)

Question170: The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The
CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory
fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless
functionality.
Which of the following equipment MUST be deployed to guard against unknown threats?

Question171: A company is terminating an employee for misbehavior. Which of the following steps is MOST important in
the process of disengagement from this employee?

Question172: When sending messages using symmetric encryption, which of the following must happen FIRST?

Question173: A bank uses a wireless network to transmit credit card purchases to a billing system.
Which of the following would be MOST appropriate to protect credit card information from being accessed
by unauthorized individuals outside of the premises?

Question174: A high-security defense installation recently begun utilizing large guard dogs that bark very loudly and
excitedly at the slightest provocation. Which of the following types of controls does this BEST describe?

Question175: Which of the following is an important step to take BEFORE moving any installation packages from a test
environment to production?

Question176: Which of the following is a deployment concept that can be used to ensure only the required OS
access is exposed to software applications?

Question177: A company hires a third-party firm to conduct an assessment of vulnerabilities exposed to the Internet. The
firm informs the company that an exploit exists for an FTP server that had a version installed from eight
years ago. The company has decided to keep the system online anyway, as no upgrade exists form the
vendor. Which of the following BEST describes the reason why the vulnerability exists?

Question178: Ann is the IS manager for several new systems in which the classification of the systems' data are being
decided. She is trying to determine the sensitivity level of the data being processed. Which of the following
people should she consult to determine the data classification?

Question179: Which of the following would provide additional security by adding another factor to a smart card?

Question180: The POODLE attack is an MITM exploit that affects:

Question181: A company is allowing a BYOD policy for its staff.
Which of the following is a best practice that can decrease the risk of users jailbreaking mobile devices?

Question182: A senior incident response manager receives a call about some external IPs communicating with internal
computers during off hours. Which of the following types of malware is MOST likely causing this issue?

Question183: An organization has hired a penetration tester to test the security of its ten web servers. The penetration
tester is able to gain root/administrative access in several servers by exploiting vulnerabilities associated
with the implementation of SMTP, POP, DNS, FTP, Telnet, and IMAP.
Which of the following recommendations should the penetration tester provide to the organization to better
protect their web servers in the future?

Question184: Which of the following authentication concepts is a gait analysis MOST closely associated?

Question185: After surfing the Internet, Joe, a user, woke up to find all his files were corrupted. His wallpaper was
replaced by a message stating the files were encrypted and he needed to transfer money to a foreign
country to recover them. Joe is a victim of:

Question186: Anne, the Chief Executive Officer (CEO), has reported that she is getting multiple telephone calls from
someone claiming to be from the helpdesk. The caller is asking to verify her network authentication
credentials because her computer is broadcasting across the network.
This is MOST likely which of the following types of attacks?

Question187: A security auditor is putting together a report for the Chief Executive Officer (CEO) on personnel security
and its impact on the security posture of the whole organization. Which of the following would be the
MOST important factor to consider when it comes to personnel security?

Question188: An organization requires users to provide their fingerprints to access an application. To improve security,
the application developers intend to implement multifactor authentication. Which of the following should be
implemented?

Question189: A security engineer is configuring a wireless network that must support mutual authentication of the
wireless client and the authentication server before users provide credentials. The wireless network must
also support authentication with usernames and passwords. Which of the following authentication
protocols MUST the security engineer select?

Question190: A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which
of the following is the FIRST step the forensic expert needs to take the chain of custody?

Question191: A Chief Executive Officer (CEO) suspects someone in the lab testing environment is stealing confidential
information after working hours when no one else is around. Which of the following actions can help to
prevent this specific threat?

Question192: A security administrator wants to implement a logon script that will prevent MITM attacks on the local LAN.
Which of the following commands should the security administrator implement within the script to
accomplish this task?

Question193: After attempting to harden a web server, a security analyst needs to determine if an application remains
vulnerable to SQL injection attacks.
Which of the following would BEST assist the analyst in making this determination?

Question194: A penetration testing is preparing for a client engagement in which the tester must provide data that proves
and validates the scanning tools' results.
Which of the following is the best method for collecting this information?

Question195: A company is planning to encrypt the files in several sensitive directories of a file server with a symmetric
key. Which of the following could be used?

Question196: A network administrator adds an ACL to allow only HTTPS connections form host 192.168.2.3 to web
server 192.168.5.2. After applying the rule, the host is unable to access the server. The network
administrator runs the output and notices the configuration below:

Which of the following rules would be BEST to resolve the issue?
A:

B:

C:

D:

Question197: A security administrator is trying to encrypt communication. For which of the following reasons should
administrator take advantage of the Subject Alternative Name (SAM) attribute of a certificate?

Question198: An organization plans to implement multifactor authentication techniques within the enterprise network
architecture. Each authentication factor is expected to be a unique control.
Which of the following BEST describes the proper employment of multifactor authentication?

Question199: A security administrator receives notice that a third-party certificate authority has been compromised, and
new certificates will need to be issued.
Which of the following should the administrator submit to receive a new certificate?

Question200: An organization's employees currently use three different sets of credentials to access multiple internal
resources. Management wants to make this process less complex. Which of the following would be the
BEST option to meet this goal?

Question201: A company wants to implement an access management solution that allows employees to use the same
usernames and passwords for multiple applications without having to keep multiple credentials
synchronized.
Which of the following solutions would BEST meet these requirements?

Question202: A security consultant discovers that an organization is using the PCL protocol to print documents, utilizing
the default driver and print settings. Which of the following is the MOST likely risk in this situation?

Question203: A security administrator installed a new network scanner that identifies new host systems on the network.
Which of the following did the security administrator install?

Question204: Which of the following differentiates a collision attack from a rainbow table attack?

Question205: A technician receives a device with the following anomalies:
Frequent pop-up ads
Show response-time switching between active programs Unresponsive peripherals
The technician reviews the following log file entries:
File Name Source MD5 Target MD5
Status
antivirus.exe F794F21CD33E4F57890DDEA5CF267ED2 F794F21CD33E4F57890DDEA5CF267ED2
Automatic iexplore.exe 7FAAF21CD33E4F57890DDEA5CF29CCEA
AA87F21CD33E4F57890DDEAEE2197333 Automatic service.exe
77FF390CD33E4F57890DDEA5CF28881F 77FF390CD33E4F57890DDEA5CF28881F Manual USB.exe
E289F21CD33E4F57890DDEA5CF28EDC0 E289F21CD33E4F57890DDEA5CF28EDC0 Stopped
Based on the above output, which of the following should be reviewed?

Question206: During a recent audit, it was discovered that many services and desktops were missing security patches.
Which of the following BEST describes the assessment that was performed to discover this issue?

Question207: A company wants to ensure confidential data from storage media is sanitized in such a way that the drive
cannot be reused. Which of the following method should the technician use?

Question208: Which of the following scenarios BEST describes an implementation of non-repudiation?

Question209: Technicians working with servers hosted at the company's datacenter are increasingly complaining of
electric shocks when touching metal items which have been linked to hard drive failures.
Which of the following should be implemented to correct this issue?

Question210: A copy of a highly confidential salary report was recently found on a printer in the IT department. The
human resources department does not have this specific printer mapped to its devices, and it is suspected
that an employee in the IT department browsed to the share where the report was located and printed it
without authorization. Which of the following technical controls would be the BEST choice to immediately
prevent this from happening again?

Question211: Which of the following describes the key difference between vishing and phishing attacks?

Question212: An auditor is reviewing the following output from a password-cracking tool:

Which of the following methods did the auditor MOST likely use?

Question213: A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions.
in addition, the perimeter router can only handle 1Gbps of traffic.
Which of the following should be implemented to prevent a DoS attacks in the future?

Question214: Which of the following can affect electrostatic discharge in a network operations center?

Question215: An administrator is replacing a wireless router. The configuration of the old wireless router was not
documented before it stopped functioning. The equipment connecting to the wireless network uses older
legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the
following configuration options should the administrator select for the new wireless router?

Question216: A user typically works remotely over the holidays using a web-based VPN to access corporate resources.
The user reports getting untrusted host errors and being unable to connect. Which of the following is
MOST likely the case?

Question217: An external attacker can modify the ARP cache of an internal computer.
Which of the following types of attacks is described?

Question218: A network operations manager has added a second row of server racks in the datacenter. These racks
face the opposite direction of the first row of racks.
Which of the following is the reason the manager installed the racks this way?

Question219: A security team wants to establish an Incident Response plan. The team has never experienced an
incident.
Which of the following would BEST help them establish plans and procedures?

Question220: A stock trading company had the budget for enhancing its secondary datacenter approved. Since the main
site is a hurricane-affected area and the disaster recovery site is 100 mi (161 km) away, the company
wants to ensure its business is always operational with the least amount of man hours needed. Which of
the following types of disaster recovery sites should the company implement?

Question221: The security administrator receives an email on a non-company account from a coworker stating that some
reports are not exporting correctly. Attached to the email was an example report file with several
customers' names and credit card numbers with the PIN.
Which of the following is the BEST technical controls that will help mitigate this risk of disclosing sensitive
data?

Question222: A company is deploying smartphones for its mobile salesforce. These devices are for personal and
business use but are owned by the company. Sales personnel will save new customer data via a custom
application developed for the company. This application will integrate with the contact information stored in
the smartphones and will populate new customer records onto it.
The customer application's data is encrypted at rest, and the application's connection to the back office
system is considered secure. The Chief Information Security Officer (CISO) has concerns that customer
contact information may be accidentally leaked due to the limited security capabilities of the devices and
the planned controls.
Which of the following will be the MOST efficient security control to implement to lower this risk?

Question223: A company determines that it is prohibitively expensive to become compliant with new credit card
regulations. Instead, the company decides to purchase insurance to cover the cost of any potential loss.
Which of the following is the company doing?

Question224: A security analyst has set up a network tap to monitor network traffic for vulnerabilities. Which of the
following techniques would BEST describe the approach the analyst has taken?

Question225: A security analyst has been asked to perform a review of an organization's software development lifecycle.
The analyst reports that the lifecycle does not contain a phase in which team members evaluate and
provide critical feedback of another developer's code.
Which of the following assessment techniques is BEST described in the analyst's report?

Question226: A portable data storage device has been determined to have malicious firmware.
Which of the following is the BEST course of action to ensure data confidentiality?

Question227: The Chief Technology Officer (CTO) of a company, Ann, is putting together a hardware budget for the next
10 years. She is asking for the average lifespan of each hardware device so that she is able to calculate
when she will have to replace each device.
Which of the following categories BEST describes what she is looking for?

Question228: After correctly configuring a new wireless enabled thermostat to control the temperature of the company's
meeting room, Joe, a network administrator determines that the thermostat is not connecting to the
internet-based control system. Joe verifies that the thermostat received the expected network parameters
and it is associated with the AP. Additionally, the other wireless mobile devices connected to the same
wireless network are functioning properly. The network administrator verified that the thermostat works
when tested at his residence.
Which of the following is the MOST likely reason the thermostat is not connecting to the internet?

Question229: Multiple employees receive an email with a malicious attachment that begins to encrypt their hard drives
and mapped shares on their devices when it is opened. The network and security teams perform the
following actions:
Shut down all network shares.

Run an email search identifying all employees who received the malicious message.

Reimage all devices belonging to users who opened the attachment.

Next, the teams want to re-enable the network shares. Which of the following BEST describes this phase
of the incident response process?

Question230: A company is using a mobile device deployment model in which employees use their personal devices for
work at their own discretion. Some of the problems the company is encountering include the following:
There is no standardization.

Employees ask for reimbursement for their devices.

Employees do not replace their devices often enough to keep them running efficiently.

The company does not have enough control over the devices.

Which of the following is a deployment model that would help the company overcome these problems?

Question231: A computer on a company network was infected with a zero-day exploit after an employee accidently
opened an email that contained malicious content. The employee recognized the email as malicious and
was attempting to delete it, but accidently opened it.
Which of the following should be done to prevent this scenario from occurring again in the future?

Question232: A security engineer is configuring a system that requires the X.509 certificate information to be pasted into
a form field in Base64 encoded format to import it into the system. Which of the following certificate formats
should the engineer use to obtain the information in the required format?

Question233: An employer requires that employees use a key-generating app on their smartphones to log into corporate
applications. In terms of authentication of an individual, this type of access policy is BEST defined as:

Question234: An in-house penetration tester has been asked to evade a new DLP system. The tester plans to exfiltrate
data through steganography.
Discovery of which of the following would help catch the tester in the act?

Question235: Which of the following BEST describes a network-based attack that can allow an attacker to take full
control of a vulnerable host?

Question236: A company wants to host a publicity available server that performs the following functions:
Evaluates MX record lookup

Can perform authenticated requests for A and AAA records

Uses RRSIG

Which of the following should the company use to fulfill the above requirements?

Question237: A systems administrator has isolated an infected system from the network and terminated the malicious
process from executing.
Which of the following should the administrator do NEXT according to the incident response process?

Question238: A security analyst is hardening a web server, which should allow a secure certificate-based session using
the organization's PKI infrastructure. The web server should also utilize the latest security techniques and
standards. Given this set of requirements, which of the following techniques should the analyst implement
to BEST meet these requirements? (Select two.)

Question239: An administrator is testing the collision resistance of different hashing algorithms.
Which of the following is the strongest collision resistance test?

Question240: A company's user lockout policy is enabled after five unsuccessful login attempts. The help desk notices a
user is repeatedly locked out over the course of a workweek. Upon contacting the user, the help desk
discovers the user is on vacation and does not have network access. Which of the following types of
attacks are MOST likely occurring? (Select two.)

Question241: The computer resource center issued smartphones to all first-level and above managers. The managers
have the ability to install mobile tools. Which of the following tools should be implemented to control the
types of tools the managers install?

Question242: A manager suspects that an IT employee with elevated database access may be knowingly modifying
financial transactions for the benefit of a competitor. Which of the following practices should the manager
implement to validate the concern?

Question243: A penetration tester harvests potential usernames from a social networking site. The penetration tester
then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to
shares on a network server.
Which of the following methods is the penetration tester MOST likely using?

Question244: A security technician would like to obscure sensitive data within a file so that it can be transferred without
causing suspicion.
Which of the following technologies would BEST be suited to accomplish this?

Question245: A botnet has hit a popular website with a massive number of GRE-encapsulated packets to perform a
DDoS attack. News outlets discover a certain type of refrigerator was exploited and used to send outbound
packets to the website that crashed. To which of the following categories does the refrigerator belong?

Question246: Which of the following would a security specialist be able to determine upon examination of a server's
certificate?

Question247: A systems administrator is deploying a new mission essential server into a virtual environment. Which of
the following is BEST mitigated by the environment's rapid elasticity characteristic?

Question248: A security administrator is developing training for corporate users on basic security principles for personal
email accounts.
Which of the following should be mentioned as the MOST secure way for password recovery?

Question249: A systems administrator is reviewing the following information from a compromised server:

Given the above information, which of the following processes was MOST likely exploited via a remote
buffer overflow attack?

Question250: An organization has several production-critical SCADA supervisory systems that cannot follow the normal
30- day patching policy.
Which of the following BEST maximizes the protection of these systems from malicious software?

Question251: A security analyst is reviewing patches on servers. One of the servers is reporting the following error
message in the WSUS management console:
The computer has not reported status in 30 days.
Given this scenario, which of the following statements BEST represents the issue with the output above?

Question252: A security administrator has been assigned to review the security posture of the standard corporate
system image for virtual machines. The security administrator conducts a thorough review of the system
logs, installation procedures, and network configuration of the VM image. Upon reviewing the access logs
and user accounts, the security administrator determines that several accounts will not be used in
production.
Which of the following would correct the deficiencies?

Question253: A security analyst is performing a quantitative risk analysis. The risk analysis should show the potential
monetary loss each time a threat or event occurs. Given this requirement, which of the following concepts
would assist the analyst in determining this value? (Select two.)

Question254: A web application is configured to target browsers and allow access to bank accounts to siphon money to
a foreign account.
This is an example of which of the following attacks?

Question255: Which of the following components of printers and MFDs are MOST likely to be used as vectors of
compromise if they are improperly configured?

Question256: An organization wants to conduct secure transactions of large data files. Before encrypting and
exchanging the data files, the organization wants to ensure a secure exchange of keys.
Which of the following algorithms is appropriate for securing the key exchange?

Question257: A consultant has been tasked to assess a client's network. The client reports frequent network outages.
Upon viewing the spanning tree configuration, the consultant notices that an old and law performing edge
switch on the network has been elected to be the root bridge.
Which of the following explains this scenario?

Question258: Joe, an employee, wants to show his colleagues how much he knows about smartphones. Joe
demonstrates a free movie application that he installed from a third party on his corporate smartphone.
Joe's colleagues were unable to find the application in the app stores. Which of the following allowed Joe
to install the application? (Select two.)

Question259: A security analyst is reviewing an assessment report that includes software versions, running services,
supported encryption algorithms, and permission settings. Which of the following produced the report?

Question260: A computer emergency response team is called at midnight to investigate a case in which a mail server
was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an
active connection.
Which of the following is the NEXT step the team should take?

Question261: A security analyst is reviewing the following output from an IPS:

Given this output, which of the following can be concluded? (Select two.)

Question262: While performing a penetration test, the technicians want their efforts to go unnoticed for as long as
possible while they gather useful data about the network they are assessing.
Which of the following would be the BEST choice for the technicians?

Question263: A website administrator has received an alert from an application designed to check the integrity of the
company's website. The alert indicated that the hash value for a particular MPEG file has changed. Upon
further investigation, the media appears to be the same as it was before the alert.
Which of the following methods has MOST likely been used?

Question264: A procedure differs from a policy in that it:

Question265: Ann, a user, states that her machine has been behaving erratically over the past week. She has
experienced slowness and input lag and found text files that appear to contain pieces of her emails or
online conversations with coworkers. The technician runs a standard virus scan but detects nothing.
Which of the following types of malware has infected the machine?