EMT Practice Test

1. Question Content...


Question List

Question1: Digital signatures use asymmetric encryption. This means the message is encrypted with:

Question2: A user recent an SMS on a mobile phone that asked for bank delays.
Which of the following social-engineering techniques was used in this case?

Question3: Which of the following environments minimizes end-user disruption and is MOST likely to be used to assess the impacts of any database migrations or major system changes by using the final version of the code?

Question4: Which of the following holds staff accountable while escorting unauthorized personnel?

Question5: During a security assessment, a security analyst finds a file with overly permissive permissions.
Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID bit from the file?

Question6: A network manager is concerned that business may be negatively impacted if the firewall in its datacenter goes offline. The manager would like to Implement a high availability pair to:

Question7: Which of the following is the BEST use of a WAF?

Question8: A transitive trust:

Question9: Customers reported their antivirus software flagged one of the company's primary software products as suspicious. The company's Chief Information Security Officer has tasked the developer with determining a method to create a trust model between the software and the customer's antivirus software. Which of the following would be the BEST solution?

Question10: A security analyst needs to produce a document that details how a security incident occurred, the steps that were taken for recovery, and how future incidents can be avoided. During which of the following stages of the response process will this activity take place?

Question11: A company is experiencing an increasing number of systems that are locking up on Windows startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat.
@echo off
:asdhbawdhbasdhbawdhb
start notepad.exe
start notepad.exe
start calculator.exe
start calculator.exe
goto asdhbawdhbasdhbawdhb
Given the file contents and the system's issues, which of the following types of malware is present?

Question12: A major clothing company recently lost a large amount of proprietary information The security officer must find a solution to ensure this never happens again.
Which of the following is the BEST technical implementation to prevent this from happening again?

Question13: A security operations analyst is using the company's SIEM solution to correlate alerts. Which of the following stages of the incident response process is this an example of?

Question14: A systems administrator needs to install the same X.509 certificate on multiple servers. Which of the following should the administrator use?

Question15: When planning to build a virtual environment, an administrator need to achieve the following:
- Establish polices in Limit who can create new VMs
- Allocate resources according to actual utilization`
- Require justification for requests outside of the standard
requirements.
- Create standardized categories based on size and resource
requirements
Which of the following is the administrator MOST likely trying to do?

Question16: In which of the following situations would it be BEST to use a detective control type for mitigation?

Question17: Given the following logs:

Which of the following BEST describes the type of attack that is occurring?

Question18: During an investigation, a security manager receives notification from local authorities mat company proprietary data was found on a former employees home computer. The former employee's corporate workstation has since been repurposed, and the data on the hard drive has been overwritten.
Which of the following would BEST provide the security manager with enough details to determine when the data was removed from the company network?

Question19: Which of the following would detect intrusions at the perimeter of an airport?

Question20: A security forensics analyst is examining a virtual server. The analyst wants to preserve the present state of the virtual server, including memory contents.
Which of the following backup types should be used?

Question21: An organization's policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevents users from using any of their previous 12 passwords. The quantization does not use single sign- on, nor does it centralize storage of passwords.
The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected fc that separate system. Account login has been detected for users who are on vacation.
Which of the following BEST describes what is happening?

Question22: A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis.
Which of the following tools will the other team member MOST likely use to open this file?

Question23: A company reduced the area utilized in its datacenter by creating virtual networking through automation and by creating provisioning routes and rules through scripting. Which of the following does this example describe?

Question24: A company has decided to move its operations to the cloud. It wants to utilize technology that will prevent users from downloading company applications for personal use, restrict data that is uploaded, and have visibility into which applications are being used across the company.
Which of the following solutions will BEST meet these requirements?

Question25: An enterprise needs to keep cryptographic keys in a safe manner. Which of the following network appliances can achieve this goal?

Question26: A security manager needs to assess the security posture of one of the organization's vendors.
The contract with the vendor does not allow for auditing of the vendor's security controls.
Which of (he following should the manager request to complete the assessment?

Question27: A financial analyst has been accused of violating the company's AUP and there is forensic evidence to substantiate the allegation. Which of the following would dispute the analyst's claim of innocence?

Question28: A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users' interaction. The SIEM have multiple login entries with the following text:

Which of the following is the MOST likely attack conducted on the environment?

Question29: The IT department at a university is concerned about professors placing servers on the university network in an attempt to bypass security controls. Which of the following BEST represents this type of threat?

Question30: An organization maintains several environments in which patches are developed and tested before deployed to an operation status. Which of the following is the environment in which patches will be deployed just prior to being put into an operational status?

Question31: A cloud service provider has created an environment where customers can connect existing local networks to the cloud lor additional computing resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used?

Question32: A security administrator checks the table of a network switch, which shows the following output:

Which of the following is happening to this switch?

Question33: A security analyst Is hardening a Linux workstation and must ensure It has public keys forwarded to remote systems for secure login.
Which of the following steps should the analyst perform to meet these requirements? (Select TWO).

Question34: An employee received a word processing file that was delivered as an email attachment. The subject line and email content enticed the employee to open the attachment.
Which of the following attack vectors BEST matches this malware?

Question35: A security administrator has received multiple calls from the help desk about customers who are unable to access the organization's web server. Upon reviewing the log files. the security administrator determines multiple open requests have been made from multiple IP addresses, which is consuming system resources. Which of the following attack types does this BEST describe?

Question36: Developers are about to release a financial application, but the number of fields on the forms that could be abused by an attacker is troubling.
Which of the following techniques should be used to address this vulnerability?

Question37: A network engineer notices the VPN concentrator overloaded and crashes on days when there are a lot of remote workers. Senior management has placed greater importance on the availability of VPN resources for the remote workers than the security of the end users' traffic.
Which of the following would be BEST to solve this issue?

Question38: A consultant is configuring a vulnerability scanner for a large, global organization in multiple countries. The consultant will be using a service account to scan systems with administrative privileges on a weekly basis, but there is a concern that hackers could gain access to account to the account and pivot through the global network. Which of the following would be BEST to help mitigate this concern?

Question39: A security analyst needs to be able to search and correlate logs from multiple sources in a single tool. Which of the following would BEST allow a security analyst to have this ability?

Question40: While investigating a data leakage incident a security analyst reviews access control to cloud - hosted data. The following information was presented in a security posture report:
Policy to control external application integration: Admin authorized
only
- 47 active integration to third-party applications
- 2 applications authorized by admin
- 45 applications authorized by users
- 32 OAuth apps authorize to access data
Based on the report, which of the following was the MOST likely attack vector used against the company?

Question41: An engineer wants to access sensitive data from a corporate-owned mobile device. Personal data is not allowed on the device. Which of the following MDM configurations must be considered when the engineer travels for business?

Question42: When selecting a technical solution for identity management, an architect chooses to go from an in-house to a third-party SaaS provider. Which of the following risk management strategies is this an example of?

Question43: An attacked is attempting to exploit users by creating a fake website with the URL www.validwebsite.com. The attacker s intent is to imitate the look and feel of a legitimate website to obtain personal information from unsuspecting users.
Which of the following social-engineering attacks does this describe?

Question44: A security analyst has been asked to investigate a situation after the SOC started to receive alerts from the SIEM. The analyst first looks at the domain controller and finds the following events:

To better understand what is going on, the analyst runs a command and receives the following output:

Based on the analyst's findings, which of the following attacks is being executed?

Question45: A security analyst reviews the datacenter access logs for a fingerprint scanner and notices an abundance of errors that correlate with users' reports of issues accessing the facility.
Which of the following MOST likely the cause of the cause of the access issues?

Question46: A company Is planning to install a guest wireless network so visitors will be able to access the Internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would BEST protect the company's Internal wireless network against visitors accessing company resources?

Question47: A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing. Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented?

Question48: A company has been experiencing very brief power outages from its utility company over the last few months. These outages only last for one second each time. The utility company is aware of the issue and is working to replace a faulty transformer. Which of the following BEST describes what the company should purchase to ensure its critical servers and network devices stay online?

Question49: The website http://companywebsite.com requires users to provide personal Information, Including security question responses, for registration.
Which of the following would MOST likely cause a data breach?

Question50: Local guidelines require that all information systems meet a minimum-security baseline to be compliant. Which of the following can security administrators use to assess their system configurations against the baseline?

Question51: An IT security manager requests a report on company information that is publicly available. The managers concern is that malicious actors will be able to access the data without in active reconnaissance. Which of the following is the most efficient approach to perform the analysis?

Question52: n organization plans to transition the intrusion detection and prevention techniques on a critical subnet to an anomaly-based system. Which of the following does the organization need to determine for this to be successful?

Question53: An analyst is generating a security report for the management team. Security guidelines recommend disabling all listening unencrypted services. Given this output from Nmap.

Which of the following should the analyst recommend to disable?

Question54: Which of the following scenarios BEST describes a risk reduction technique?

Question55: A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization's executives determine the next course of action?

Question56: A security analyst is reviewing information regarding recent vulnerabilities. Which of the following will the analyst MOST likely consult to validate which platforms have been affected?

Question57: A company's cybersecurity department is looking for a new solution to maintain high availability.
Which of the following can be utilized to build a solution? (Select Two)

Question58: A security analyst was deploying a new website and found a connection attempting to authenticate on the site's portal.
While Investigating the incident, the analyst identified the following Input in the username field:


Which of the following BEST explains this type of attack?

Question59: A Chief Executive Officer (CEO) is dissatisfied with the level of service from the company's new service provider. The service provider is preventing the CEO. from sending email from a work account to a personal account. Which of the following types of service providers is being used?

Question60: Moving laterally within a network once an initial exploit is used to gain persistent access for the purpose of establishing further control of a system is known as:

Question61: A security analyst is concerned about critical vulnerabilities that have been detected on some applications running inside containers. Which of the following is the BEST remediation strategy?

Question62: A security engineer needs to create a network segment that can be used for servers that require connections from untrusted networks. When of the following should the engineer implement?

Question63: After a ransomware attack a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction?

Question64: A company needs to validate its updated incident response plan using a real-world scenario that will test decision points and relevant incident response actions without interrupting daily operations. Which of the following would BEST meet the company's requirements?

Question65: Following a prolonged datacenter outage that affected web-based sales a company has decided to move its operations to a private cloud solution. The security team has received the following requirements:
- There must be visibility into how teams are using cloud-based
services.
- The company must be able to identify when data related to payment
cards is being sent to the cloud.
- Data must be available regardless of the end user's geographic
location
- Administrators need a single pane-of-glass view into traffic and
trends.
Which of the following should the security analyst recommend?

Question66: After a WiFi scan of a local office was conducted, an unknown wireless signal was identified Upon investigation, an unknown Raspberry Pi device was found connected to an Ethernet port using a single connection. Which of the following BEST describes the purpose of this device?

Question67: Which of the following disaster recovery tests is The LEAST time-consuming for the disaster recovery team?

Question68: An analyst has determined that a server was not patched and an external actor exfiltrated data on port 139.
Which of the following sources should the analyst review to BEST ascertain how the Incident could have been prevented?

Question69: Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?

Question70: A Chief Security Office's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives?

Question71: The lessons-learned analysis from a recent incident reveals that an administrative office worker received a call from someone claiming to be from technical support. The caller convinced the office worker to visit a website, and then download and install a program masquerading as an antivirus package. The program was actually a backdoor that an attacker could later use to remote control the worker's PC. Which of the following would be BEST to help prevent this type of attack in the future?

Question72: An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:
- Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
- Internal users in question were changing their passwords frequently during that time period.
- A jump box that several domain administrator users use to connect to remote devices was recently compromised.
- The authentication method used in the environment is NTLM.
Which of the following types of attacks is MOST likely being used to gain unauthorized access?

Question73: After entering a username and password, and administrator must gesture on a touch screen.
Which of the following demonstrates what the administrator is providing?

Question74: A cybersecurity administrator is using iptables as an enterprise firew ll. The administrator created some rules, but the network now seems to be unresponsive All connections are being dropped by the firewall. Which of the following would be the BEST option to remove the rules?

Question75: The concept of connecting a user account across the systems of multiple enterprises is BEST known as:

Question76: A bank detects fraudulent activity on user's account. The user confirms transactions completed yesterday on the bank's website at https://www.company.com. A security analyst then examines the user's Internet usage logs and observes the following output:

Which of the following has MOST likely occurred?

Question77: A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA?

Question78: Which of the following ISO standards is certified for privacy?

Question79: Which of the following is a difference between a DRP and a BCP?

Question80: A security researcher has alerted an organization that its sensitive user data was found for sale on a website. Which of the following should the organization use to inform the affected parties?

Question81: Which of the following is a benefit of including a risk management framework into an organizations security approach?

Question82: A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator finds the following output:
Time: 12/25 0300
From Zone: Untrust
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
When examining the PCAP associated with the event, the security administrator finds the following information:
<script> alert ("Click here for important information regarding your
account! http://externalip.com/account.php"); </script>
Which of the following actions should the security administrator take?

Question83: An organization has various applications that contain sensitive data hosted in the cloud. The company's leaders are concerned about lateral movement across applications of different trust levels. Which of the following solutions should the organization implement to address the concern?

Question84: Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?

Question85: A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies?

Question86: Which of the following is a risk that is specifically associated with hosting applications in the public cloud?

Question87: Which of the following BEST describes the MFA attribute that requires a callback on a predefined landline?

Question88: A company is implementing a new SIEM to log and send alerts whenever malicious activity is blocked by its antivirus and web content filters.
Which of the following is the primary use case for this scenario?

Question89: A Chief Security Officer (CSO) has asked a technician to devise a solution that can detect unauthorized execution privileges from the OS in both executable and data files, and can work in conjunction with proxies or UTM.
Which of the following would BEST meet the CSO's requirements?

Question90: Which of the following allows for functional test data to be used in new systems for testing and training purposes to protect the read data?

Question91: A security analyst needs to find real-time data on the latest malware and IoCs. Which of the following would BEST describes the solution the analyst should pursue?

Question92: A external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the DMZ and moved to the sensitive information, generating multiple logs as the attacker traversed through the network.
Which of the following will BEST assist with this investigation?

Question93: A company is under investigation for possible fraud. As part of the investigation the authorities need to renew all emails and ensure data is not deleted. Which of the following company implement to assist in the investigation?

Question94: Which of the following BEST describes a security exploit for which a vendor patch is not readily available?

Question95: A database administrator wants to grant access to an application that will be reading and writing data to a database. The database is shared by other applications also used by the finance department.
Which of the following account types Is MOST appropriate for this purpose?

Question96: Several employees return to work the day after attending an industry trade show. That same day, the security manager notices several malware alerts coming from each of the employee's workstations. The security manager investigates but finds no signs of an attack on the perimeter firewall or the NIDS. Which of the following is MOST likely causing the malware alerts?

Question97: An organization suffered an outage and a critical system took 90 minutes to come back online.
Though there was no data loss during the outage, the expectation was that the critical system would be available again within 60 minutes.
Which of the following is the 60- minute expectation an example of:

Question98: A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds.
Which of the following cryptographic techniques would BEST meet the requirement?

Question99: A healthcare company is revamping its IT strategy in light of recent regulations. The company is concerned about compliance and wants to use a pay-per-use model.
Which of the following is the BEST solution?

Question100: A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better.

Question101: An organization's corporate offices were destroyed due to a natural disaster, so the organization is now setting up offices in a temporary work space. Which of the following will the organization MOST likely consult?

Question102: A company network is currently under attack. Although security controls are in place to stop the attack, the security administrator needs more information about the types of attacks being used.
Which of the following network types would BEST help the administrator gather this information?

Question103: Which of the following would be BEST to establish between organizations to define the responsibilities of each party outline the key deliverables and include monetary penalties for breaches to manage third-party risk?

Question104: Which of the following is an example of risk avoidance?

Question105: A user downloaded an extension for a browser, and the uses device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data The following was observed running:

Which of the following is the malware using to execute the attack?

Question106: To mitigate the impact of a single VM being compromised by another VM on the same hypervisor, an administrator would like to utilize a technical control to further segregate the traffic.
Which of the following solutions would BEST accomplish this objective?

Question107: Which of the following is the MOST likely reason for securing an air-gapped laboratory HVAC system?

Question108: A user recently attended an exposition and received some digital promotional materials.
The user later noticed blue boxes popping up and disappearing on the computer, and reported receiving several spam emails, which the user did not open.
Which of the following is MOST likely the cause of the reported issue?

Question109: An organization just experienced a major cyberattack modem. The attack was well coordinated sophisticated and highly skilled. Which of the following targeted the organization?

Question110: A company recently moved into a new annex of the building. Following the move, the help desk received reports of week Wi-Fi signals from users in that part of the building. Which of the following is the MOST likely cause of this issue?

Question111: A network analyst is setting up a wireless access point for a home office in a remote, rural location. The requirement is that users need to connect to the access point securely but do not want to have to remember passwords.
Which of the following should the network analyst enable to meet the requirement?

Question112: A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows:
- Must be able to differentiate between users connected to WiFi
- The encryption keys need to change routinely without interrupting the users or forcing reauthentication
- Must be able to integrate with RADIUS
- Must not have any open SSIDs
Which of the following options BEST accommodates these requirements?

Question113: A user is concerned that a web application will not be able to handle unexpected or random input without crashing.
Which of the following BEST describes the type of testing the user should perform?

Question114: A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use?

Question115: The IT department's on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production?

Question116: A Chief Executive Officer's (CEO) personal information was stolen in a social engineering attack.
Which of the following sources would reveal if the CEO's personal information is for sale?

Question117: A company labeled some documents with the public sensitivity classification. This means the documents can be accessed by?

Question118: In which of the following risk management strategies would cybersecurity insurance be used?

Question119: An organization has decided to host its web application and database in the cloud.
Which of the following BEST describes the security concerns for this decision?

Question120: Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build?

Question121: A security analyst is reviewing the following output from a system:

Which of the following is MOST likely being observed?

Question122: A security analyst is preparing a threat for an upcoming internal penetration test. The analyst needs to identify a method for determining the tactics, techniques, and procedures of a threat against the organization's network. Which of the following will the analyst MOST likely use to accomplish the objective?

Question123: Remote workers in an organization use company-provided laptops with locally installed applications and locally stored data Users can store data on a remote server using an encrypted connection. The organization discovered data stored on a laptop had been made available to the public. Which of the following security solutions would mitigate the risk of future data disclosures?

Question124: A security incident has been resolved. Which of the following BEST described the importance of the final phase of the incident response plan?

Question125: Which of the following is a reason why an organization would define an AUP?

Question126: A company recently moved sensitive videos between on-premises. Company-owned websites.
The company then learned the videos had been uploaded and shared to the internet. Which of the following would MOST likely allow the company to find the cause?

Question127: A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal?

Question128: A company's Chief Information Office (CIO) is meeting with the Chief Information Security Officer (CISO) to plan some activities to enhance the skill levels of the company's developers. Which of the following would be MOST suitable for training the developers'?

Question129: A security analyst needs to determine how an attacker was able to use User3 to gain a foothold within a company's network. The company's lockout policy requires that an account be locked out for a minimum of 15 minutes after three unsuccessful attempts.
While reviewing the log files, the analyst discovers the following:

Which of the following attacks MOST likely occurred?

Question130: A security analyst has been reading about a newly discovered cyber attack from a known threat actor. Which of the following would BEST support the analyst's review of the tactics, techniques, and protocols the threat actor was observed using in previous campaigns?

Question131: A security analyst is receiving numerous alerts reporting that the response time of an internet- facing application has been degraded. However, the internal network performance has degraded.
Which of the following MOST likely explains this behavior?

Question132: After multiple on premises security solutions were migrated to the cloud, the incident response time increased. The analyst are spending a long time to trace information on different cloud consoles and correlating data in different formats.
Which of the following can be used to optimize the incident response time?

Question133: A company was recently breached Part of the company's new cybersecurity strategy is to centralize the logs from all security devices.
Which of the following components forwards the logs to a central source?

Question134: The new Chief Executive Officer (CEO) of a large company has announced a partnership with a vendor that will provide multiple collaboration applications t make remote work easier. The company has a geographically dispersed staff located in numerous remote offices in different countries. The company's IT administrators are concerned about network traffic and load if all users simultaneously download the application.
Which of the following would work BEST to allow each geographic region to download the software without negatively impacting the corporate network?

Question135: An incident, which is affecting dozens of systems, involves malware that reaches out to an Internet service for rules and updates. The IP addresses for the Internet host appear to be different in each case. The organization would like to determine a common IoC to support response and recovery actions.
Which of the following sources of information would BEST support this solution?

Question136: A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert?

Question137: A development team employs a practice of bringing all the code changes from multiple team members into the same development project through automation. A tool is utilized to validate the code and track source code through version control. Which of the following BEST describes this process?

Question138: A company recently experienced an attack during which its main website was directed to the attacker's web server, allowing the attacker to harvest credentials from unsuspecting customers.
Which of the following should the company implement to prevent this type of attack occurring in the future?

Question139: Which of the following provides the BEST protection for sensitive information and data stored in cloud-based services but still allows for full functionality and searchability of data within the cloud- based services?

Question140: An attack relies on an end user visiting a website the end user would typically visit, however, the site is compromised and uses vulnerabilities in the end users browser to deploy malicious software. Which of the blowing types of attack does this describe?

Question141: An analyst is generating a security report for the management team. Security guidelines recommend disabling all listening unencrypted services. Given this output from Nmap:

Which of the following should the analyst recommend to disable?

Question142: Which of the following employee roles is responsible for protecting an organization's collected personal information?

Question143: Security analyst must enforce policies to harden an MOM infrastructure. The requirements are as follows:
- Ensure mobile devices can be traded and wiped.
- Confirm mobile devices are encrypted.
Which of the following should the analyst enable on all the devices to meet these requirements?

Question144: After consulting with the Chief Risk Officer (CRO). A manager decides to acquire cybersecurity insurance for the company.
Which of the following risk management strategies is the manager adopting?

Question145: During a security audit of a company's network, unsecure protocols were found to be in use.
A network administrator wants to ensure browser-based access to company switches is using the most secure protocol. Which of the following protocols should be implemented?

Question146: Users at organization have been installing programs from the internet on their workstations without first proper authorization. The organization maintains a portal from which users can install standardized programs. However, some users have administrative access on their workstations to enable legacy programs to function property. Which of the following should the security administrator consider implementing to address this issue?

Question147: An organization would like to remediate the risk associated with its cloud service provider not meeting its advertised 99.999% availability metrics.
Which of the following should the organization consult for the exact requirements for the cloud provider?

Question148: A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicates a directory-traversal attack has occurred. Which of the following is the analyst MOST likely seeing?

Question149: A security analyst is looking for a solution to help communicate to the leadership team the seventy levels of the organization's vulnerabilities. Which of the following would BEST meet this need?

Question150: A routine audit of medical billing claims revealed that several claims were submitted without the subscriber's knowledge. A review of the audit logs for the medical billing company's system indicated a company employee downloaded customer records and adjusted the direct deposit information to a personal bank account. Which of the following does this action describe?

Question151: An application developer accidentally uploaded a company's code-signing certificate private key to a public web server. The company is concerned about malicious use of its certificate.
Which of the following should the company do FIRST?

Question152: A security analyst is concerned about traffic initiated to the dark web form the corporate LAN.
Which of the following networks should the analyst monitor?

Question153: Which of the following is the purpose of a risk register?

Question154: Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable media retention policy?

Question155: The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve in the environment patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have been provided to frontline staff, and a risk analysis has not been performed.
Which of the following is the MOST likely cause of the CRO's concerns?

Question156: A network administrator has been asked to design a solution to improve a company's security posture The administrator is given the following, requirements?
- The solution must be inline in the network
- The solution must be able to block known malicious traffic
- The solution must be able to stop network-based attacks
Which of the following should the network administrator implement to BEST meet these requirements?

Question157: Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:
- All users share workstations throughout the day.
- Endpoint protection was disabled on several workstations throughout
the network.
- Travel times on logins from the affected users are impossible.
- Sensitive data is being uploaded to external sites.
- All user account passwords were forced to be reset and the issue
continued.
Which of the following attacks is being used to compromise the user accounts?

Question158: The security team received a report of copyright infringement from the IP space of lire corporate network. The report provided a precise time stamp for the incident as well as the name of the copyrighted file. The analyst has been tasked with determining the infringing source machine and instructed to implement measures to prevent such incidents from occurring again.
Which of the following is MOST capable of accomplishing both tasks?

Question159: A company provides mobile devices to its users to permit access to email and enterprise applications. The company recently started allowing users to select from several different vendors and device models. When configuring the MDM, which of the following is a key security implication of this heterogeneous device approach?

Question160: Which biometric error would allow an unauthorized user to access a system?

Question161: To further secure a company's email system, an administrator is adding public keys to DNS records in the company's domain Which of the following is being used?

Question162: An organization is concerned about video emissions from users' desktops. Which of the following is the BEST solution to implement?

Question163: An organization recently discovered that a purchasing officer approved an invoice for an amount that was different than the original purchase order. After further investigation a security analyst determines that the digital signature for the fraudulent invoice is exactly the same as the digital signature for the correct invoice that had been approved Which of the following attacks MOST likely explains the behavior?

Question164: An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message reveals that a payment card number was found in the file, and the file upload was blocked.
Which of the following controls is most likely causing this issue and should be checked FIRST?

Question165: A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring?

Question166: Which of the following describes the continuous delivery software development methodology?

Question167: Which of the following serves to warn users against downloading and installing pirated software on company devices?

Question168: An attacker was easily able to log in to a company's security camera by performing a basic online search for a setup guide for that particular camera brand and model.
Which of the following BEST describes the configurations the attacker exploited?

Question169: Due to unexpected circumstances, an IT company must vacate its main office, forcing all operations to alternate, off-site locations.
Which of the following will the company MOST likely reference for guidance during this change?

Question170: An organization's help desk is flooded with phone calls from users stating they can no longer access certain websites. The help desk escalates the issue to the security team, as these websites were accessible the previous day. The security analysts run the following command:
ipconfig /flushdns, but the issue persists. Finally, an analyst changes the DNS server for an impacted machine, and the issue goes away. Which of the following attacks MOST likely occurred on the original DNS server?

Question171: A cloud administrator is configuring five compute instances under the same subnet in a VPC.
Three instances are required to communicate with one another, and the other two must he logically isolated from all other instances in the VPC.
Which of the following must the administrator configure to meet this requirement?

Question172: A major political party experienced a server breach. The hacker then publicly posted stolen internal communications concerning campaign strategies to give the opposition party an advantage. Which of the following BEST describes these threat actors?

Question173: Which of the following encryption algorithms require one encryption key? (Select TWO).

Question174: Which of the following distributes data among nodes, making it more difficult to manipulate the data while also minimizing downtime?

Question175: Which of the following is the correct order of volatility from MOST to LEAST volatile?

Question176: The Chief Technology Officer of a local college would like visitors to utilize the school's WiFi but must be able to associate potential malicious activity to a specific person.
Which of the following would BEST allow this objective to be met?

Question177: Which of the following would be MOST effective to contain a rapidly attack that is affecting a large number of organizations?

Question178: An organization has hired a security analyst to perform a penetration test. The analyst captures
1Gb worth of inbound network traffic to the server and transfer the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap?

Question179: Which of the following BEST describes the method a security analyst would use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted using a verified checksum?

Question180: A security analyst needs to make a recommendation for restricting access to certain segments of the network using only data-link layer security.
Which of the following controls will the analyst MOST likely recommend?

Question181: A financial organization has adopted a new secure, encrypted document-sharing application to help with its customer loan process. Some important PII needs to be shared across this new platform, but it is getting blocked by the DLP systems. Which of the following actions will BEST allow the PII to be shared with the secure application without compromising the organization's security posture?

Question182: A Chief Information Officer receives an email stating a database will be encrypted within 24 hours unless a payment of $20,000 is credited to the account mentioned In the email. This BEST describes a scenario related to:

Question183: An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable?

Question184: An organization has implemented a policy requiring the use of conductive metal lockboxes for personal electronic devices outside of a secure research lab. Which of the following did the organization determine to be the GREATEST risk to intellectual property when creating this policy?

Question185: A security analyst is investigating a phishing email that contains a malicious document directed to the company's Chief Executive Officer (CEO). Which of the following should the analyst perform to understand the threat and retrieve possible IoCs?

Question186: A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers the company is unable to upgrade the encryption standard.
Which of the following types of controls should be used to reduce the risk created by this scenario?

Question187: A systems administrator needs to install a new wireless network for authenticated guest access.
The wireless network should support 802.1X using the most secure encryption and protocol available.
Perform the following slops:
1. Configure the RADIUS server.
2. Configure the WiFi controller.
3. Preconfigure the client for an incoming guest.
The guest AD credentials are:
User: guest01
Password: guestpass



Question188: Which of the following should a data owner require all personnel to sign to legally protect intellectual property?

Question189: The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company's Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social- engineering techniques is the attacker using?

Question190: An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit of this certification?

Question191: An end user reports a computer has been acting slower than normal for a few weeks, During an investigation, an analyst determines the system 3 sending the users email address and a ten-digit number ta an IP address once a day. The only resent log entry regarding the user's computer is the following:

Which of the following is the MOST likely cause of the issue?

Question192: An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has only been given the documentation available to the customers of the applications. Which of the following BEST represents the type of testing that will occur?

Question193: A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which is only used for the early detection of attacks. The security analyst then reviews the following application log:

Which of the following can the security analyst conclude?

Question194: A network engineer needs to create a plan for upgrading the wireless infrastructure in a large office Priority must be given to areas that are currently experiencing latency and connection issues. Which of the following would be the BEST resource for determining the order of priority?

Question195: A network technician is installing a guest wireless network at a coffee shop. When a customer purchases an Item, the password for the wireless network is printed on the recent so the customer can log in.
Which of the following will the technician MOST likely configure to provide the highest level of security with the least amount of overhead?

Question196: Which of the following represents a multifactor authentication system?

Question197: A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The terminal is beyond end-of-life support and cannot be upgraded, so it is placed on a projected network segment.
Which of the following would be MOST effective to implement to further mitigate the reported vulnerability?

Question198: An analyst visits an internet forum looking for information about a tool. The analyst finds a threat that appears to contain relevant information. One of the posts says the following:

Which of the following BEST describes the attack that was attempted against the forum readers?

Question199: Joe, an employee, is transferring departments and is providing copies of his files to a network share folder for his previous team to access. Joe is granting read-write-execute permissions to his manager but giving read-only access to the rest of the team. Which of the following access controls is Joe using?

Question200: A security analyst is reviewing a penetration-testing report from a third-party contractor. The penetration testers used the organization's new API to bypass a driver to perform privilege escalation on the organization's web servers. Upon looking at the API, the security analyst realizes the particular API call was to a legacy system running an outdated OS.
Which of the following is the MOST likely attack type?

Question201: Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations.
Which of the following documents did Ann receive?

Question202: A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site Upon investigation, a security analyst the identifies the following:
- The legitimate websites IP address is 10.1.1.20 and eRecruit local
resolves to the IP
- The forged website's IP address appears to be 10.2.12.99. based on
NetFtow records
- AH three at the organization's DNS servers show the website correctly resolves to the legitimate IP
- DNS query logs show one of the three DNS servers returned a result of
10.2.12.99 (cached) at the approximate time of the suspected
compromise.
Which of the following MOST likely occurred?

Question203: A workwide manufacturing company has been experiencing email account compromised. In one incident, a user logged in from the corporate office in France, but then seconds later, the same user account attempted a login from Brazil. Which of the following account policies would BEST prevent this type of attack?

Question204: Several employees have noticed other bystanders can clearly observe a terminal where passcodes are being entered.
Which of the following can be eliminated with the use of a privacy screen?

Question205: A company moved into a new building next to a sugar mill. Cracks have been discovered in the walls of the server room, which is located on the same side as the sugar mill loading docks. The cracks are believed to have been caused by heavy trucks. Moisture has begun to seep into the server room, causing extreme humidification problems and equipment failure. Which of the following BEST describes the type of threat the organization faces?

Question206: Which of the following would cause a Chief Information Security Officer (CISO) the MOST concern regarding newly installed Internet-accessible 4K surveillance cameras?

Question207: While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring?

Question208: A company has limited storage available and online presence that cannot for more than four hours. Which of the following backup methodologies should the company implement to allow for the FASTEST database restore time In the event of a failure, which being maindful of the limited available storage space?

Question209: Which of the following would MOST likely be a result of improperly configured user accounts?

Question210: DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuation in a cost- effective way. Which of the following options BEST fulfils the architect's requirements?

Question211: An employee has been charged with fraud and is suspected of using corporate assets. As authorities collect evidence, and to preserve the admissibility of the evidence, which of the following forensic techniques should be used?

Question212: A security monitoring company offers a service that alerts ifs customers if their credit cards have been stolen. Which of the following is the MOST likely source of this information?

Question213: A user contacts the help desk to report the following:
- Two days ago, a pop-up browser window prompted the user for a name
and password after connecting to the corporate wireless SSID. This had
never happened before, but the user entered the information as
requested.
- The user was able to access the Internet but had trouble accessing
the department share until the next day.
- The user is now getting notifications from the bank about
unauthorized transactions.
Which of the following attack vectors was MOST likely used in this scenario?

Question214: Which of the following policies would help an organization identify and mitigate potential single points of failure in the company's IT/security operations?

Question215: A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site.
Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel. Which of the following attacks is being conducted?

Question216: A privileged user at a company stole several proprietary documents from a server. The user also went into the log files and deleted all records of the incident. The systems administrator has Just informed investigators that other log files are available for review.
Which of the following did the administrator MOST likely configure that will assist the investigators?

Question217: An organization is building backup sever moms in geographically diverse locations. The Chief information Security Officer implemented a requirement on the project that states the new hardware cannot be susceptible to the same vulnerabilities in the existing sewer room.
Which of the following should the systems engineer consider'?

Question218: Which of the following would satisfy three-factor authentication?

Question219: Security analysts are conducting an investigation of an attack that occurred inside the organization's network. An attacker was able to connect network traffic between workstation throughout the network. The analysts review the following logs:

The layer 2 address table has hundred of entries similar to the ones above.
Which of the following attacks has MOST likely occurred?

Question220: A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective?

Question221: A systems administrator is considering different backup solutions for the IT infrastructure. The company is looking for a solution that offers the fastest recovery time while also saving the most amount of storage used to maintain the backups. Which of the following recovery solutions would be the BEST option to meet these requirements?

Question222: Several universities are participating in a collaborative research project and need to share compute and storage resources. Which of the following cloud deployment strategies would BEST meet this need?

Question223: The process of passively gathering information poor to launching a cyberattack is called:

Question224: An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the IP address associated with the shopping site. Later, the user received an email regarding the credit card statement with unusual purchases.
Which of the following attacks took place?

Question225: Accompany deployed a WiFi access point in a public area and wants to harden the configuration to make it more secure. After performing an assessment, an analyst identifies that the access point is configured to use WPA3, AES, WPS, and RADIUS. Which of the following should the analyst disable to enhance the access point security?

Question226: Entering a secure area requires passing through two doors, both of which require someone who is already inside to initiate access. Which of the following types of physical security controls does this describe?

Question227: A security architect at a large, multinational organization is concerned about the complexities and overhead of managing multiple encryption keys securely in a multicloud provider environment.
The security architect is looking for a solution with reduced latency to allow the incorporation of the organization's existing keys and to maintain consistent, centralized control and management regardless of the data location.
Which of the following would BEST meet the architect's objectives?

Question228: The president of a company that specializes in military contracts receives a request for an interview. During the interview, the reporter seems more interested in discussing the president's family life and personal history than the details of a recent company success. Which of the following security concerns is this MOST likely an example of?

Question229: A document that appears to be malicious has been discovered in an email that was sent to a company's Chief Financial Officer (CFO).
Which of the following would be BEST to allow a security analyst to gather information and confirm it is a malicious document without executing any code it may contain?

Question230: A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output was found on the naming server of the organization:

Which of the following attacks has taken place?

Question231: Which of the following types of controls is a CCTV camera that is not being monitored?