EMT Practice Test

1. Question Content...


Question List

Question1: The IT department at a university is concerned about professors placing servers on the university network in an attempt to bypass security controls. Which of the following BEST represents this type of threat?

Question2: During a security assessment, a security analyst finds a file with overly permissive permissions.
Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID bit from the file?

Question3: The human resources department of a large online retailer has received multiple customer complaints about the rudeness of the automated chatbots It uses to interface and assist online shoppers. The system, which continuously learns and adapts, was working fine when it was installed a few months ago. Which of the following BEST describes the method being used to exploit the system?

Question4: Which of the following would MOST likely support the integrity of a voting machine?

Question5: The security team received a report of copyright infringement from the IP space of lire corporate network. The report provided a precise time stamp for the incident as well as the name of the copyrighted file. The analyst has been tasked with determining the infringing source machine and instructed to implement measures to prevent such incidents from occurring again.
Which of the following is MOST capable of accomplishing both tasks?

Question6: Which of the following is the MOST likely motivation for a script kiddie threat actor?

Question7: A security analyst has been asked by the Chief Information Security Officer to:
- develop a secure method of providing centralized management of
infrastructure
- reduce the need to constantly replace aging end user machines
- provide a consistent user desktop experience
Which of the following BEST meets these requirements?

Question8: An analyst needs to set up a method for securely transferring files between systems. One of the requirements is to authenticate the IP header and the payload. Which of the following services would BEST meet the criteria?

Question9: A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would BEST prevent email contents from being released should another breach occur?

Question10: A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better.

Question11: Moving laterally within a network once an initial exploit is used to gain persistent access for the purpose of establishing further control of a system is known as:

Question12: A company is adopting a BYOD policy and is looking for a comprehensive solution to protect company information on user devices. Which of the following solutions would BEST support the policy?

Question13: A security analyst is investigation an incident that was first reported as an issue connecting to network shares and the internet, While reviewing logs and tool output, the analyst sees the following:

Which of the following attacks has occurred?

Question14: An organization has implemented a two-step verification process to protect user access to data that 6 stored in the could. Each employee now uses an email address of mobile number a code to access the data.
Which of the following authentication methods did the organization implement?

Question15: A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do NEXT?

Question16: DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuation in a cost- effective way. Which of the following options BEST fulfils the architect's requirements?

Question17: Which of the following BEST describes the MFA attribute that requires a callback on a predefined landline?

Question18: The lessons-learned analysis from a recent incident reveals that an administrative office worker received a call from someone claiming to be from technical support. The caller convinced the office worker to visit a website, and then download and install a program masquerading as an antivirus package. The program was actually a backdoor that an attacker could later use to remote control the worker's PC. Which of the following would be BEST to help prevent this type of attack in the future?

Question19: A news article states that a popular web browser deployed on all corporate PCs is vulnerable a zero-day attack. Which of the following MOST concern the Chief Information Security Officer about the information in the new article?

Question20: A security analyst needs to determine how an attacker was able to use User3 to gain a foothold within a company's network. The company's lockout policy requires that an account be locked out for a minimum of 15 minutes after three unsuccessful attempts.
While reviewing the log files, the analyst discovers the following:

Which of the following attacks MOST likely occurred?

Question21: A Chief Security Officer (CSO) has asked a technician to devise a solution that can detect unauthorized execution privileges from the OS in both executable and data files, and can work in conjunction with proxies or UTM.
Which of the following would BEST meet the CSO's requirements?

Question22: Administrators have allowed employee to access their company email from personal computers.
However, the administrators are concerned that these computes are another attach surface and can result in user accounts being breached by foreign actors.
Which of the following actions would provide the MOST secure solution?

Question23: A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique?

Question24: A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output was found on the naming server of the organization:

Which of the following attacks has taken place?

Question25: A systems analyst determines the source of a high number of connections to a web server that were initiated by ten different IP addresses that belong to a network block in a specific country.
Which of the following techniques will the systems analyst MOST likely implement to address this issue?

Question26: A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users' interaction. The SIEM have multiple login entries with the following text:

Which of the following is the MOST likely attack conducted on the environment?

Question27: A company needs to validate its updated incident response plan using a real-world scenario that will test decision points and relevant incident response actions without interrupting daily operations. Which of the following would BEST meet the company's requirements?

Question28: A cybersecurity department purchased o new PAM solution. The team is planning to randomize the service account credentials of the Windows server first.
Which of the following would be the BEST method to increase the security on the Linux server?

Question29: A security analyst is looking for a solution to help communicate to the leadership team the seventy levels of the organization's vulnerabilities. Which of the following would BEST meet this need?

Question30: An engineer wants to access sensitive data from a corporate-owned mobile device. Personal data is not allowed on the device. Which of the following MDM configurations must be considered when the engineer travels for business?

Question31: Which of the following would a European company interested in implementing a technical, hands- on set of security standards MOST likely choose?

Question32: Which of the following refers to applications and systems that are used within an organization without consent or approval?

Question33: A security analyst discovers that a company username and password database was posted on an internet forum. The username and passwords are stored in plan text.
Which of the following would mitigate the damage done by this type of data exfiltration in the future?

Question34: A company Is planning to install a guest wireless network so visitors will be able to access the Internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would BEST protect the company's Internal wireless network against visitors accessing company resources?

Question35: An employee opens a web browser and types a URL into the address bar. Instead of reaching the requested site, the browser opens a completely different site. Which of the following types of attacks have MOST likely occurred? (Select TWO).

Question36: An organization has hired a red team to simulate attacks on its security posture.
Which of the following will the blue team do after detecting an loC?

Question37: An attack relies on an end user visiting a website the end user would typically visit, however, the site is compromised and uses vulnerabilities in the end users browser to deploy malicious software. Which of the blowing types of attack does this describe?

Question38: In which of the following common use cases would steganography be employed?

Question39: A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output:

Which of the following is the router experiencing?

Question40: An analyst visits an internet forum looking for information about a tool. The analyst finds a threat that appears to contain relevant information. One of the posts says the following:

Which of the following BEST describes the attack that was attempted against the forum readers?

Question41: After a ransomware attack a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction?

Question42: A company recently moved sensitive videos between on-premises. Company-owned websites.
The company then learned the videos had been uploaded and shared to the internet. Which of the following would MOST likely allow the company to find the cause?

Question43: As part of a company's ongoing SOC maturation process, the company wants to implement a method to share cyberthreat intelligence data with outside security partners. Which of the following will the company MOST likely implement?

Question44: A routine audit of medical billing claims revealed that several claims were submitted without the subscriber's knowledge. A review of the audit logs for the medical billing company's system indicated a company employee downloaded customer records and adjusted the direct deposit information to a personal bank account. Which of the following does this action describe?

Question45: An application developer accidentally uploaded a company's code-signing certificate private key to a public web server. The company is concerned about malicious use of its certificate.
Which of the following should the company do FIRST?

Question46: Following a prolonged datacenter outage that affected web-based sales a company has decided to move its operations to a private cloud solution. The security team has received the following requirements:
- There must be visibility into how teams are using cloud-based
services.
- The company must be able to identify when data related to payment
cards is being sent to the cloud.
- Data must be available regardless of the end user's geographic
location
- Administrators need a single pane-of-glass view into traffic and
trends.
Which of the following should the security analyst recommend?

Question47: A financial analyst has been accused of violating the company's AUP and there is forensic evidence to substantiate the allegation. Which of the following would dispute the analyst's claim of innocence?

Question48: To further secure a company's email system, an administrator is adding public keys to DNS records in the company's domain Which of the following is being used?

Question49: A company recently experienced an attack in which a malicious actor was able to exfiltrate data by cracking stolen passwords, using a rainbow table the sensitive data.
Which of the following should a security engineer do to prevent such an attack in the future?

Question50: A customer called a company's security team to report that all invoices the customer has received over the last five days from the company appear to have fraudulent banking details. An investigation into the matter reveals the following:
- The manager of the accounts payable department is using the same password across multiple external websites and the corporate account.
- One of the websites the manager used recently experienced a data breach.
- The manager's corporate email account was successfully accessed in the last five days by an IP address located in a foreign country Which of the following attacks has MOST likely been used to compromise the manager's corporate account?

Question51: An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state?

Question52: The new Chief Executive Officer (CEO) of a large company has announced a partnership with a vendor that will provide multiple collaboration applications t make remote work easier. The company has a geographically dispersed staff located in numerous remote offices in different countries. The company's IT administrators are concerned about network traffic and load if all users simultaneously download the application.
Which of the following would work BEST to allow each geographic region to download the software without negatively impacting the corporate network?

Question53:

Question54: A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicates a directory-traversal attack has occurred. Which of the following is the analyst MOST likely seeing?

Question55: Which of the following BEST describes the method a security analyst would use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted using a verified checksum?

Question56: Customers reported their antivirus software flagged one of the company's primary software products as suspicious. The company's Chief Information Security Officer has tasked the developer with determining a method to create a trust model between the software and the customer's antivirus software. Which of the following would be the BEST solution?

Question57: An organization is building backup sever moms in geographically diverse locations. The Chief information Security Officer implemented a requirement on the project that states the new hardware cannot be susceptible to the same vulnerabilities in the existing sewer room.
Which of the following should the systems engineer consider'?

Question58: An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit of this certification?

Question59: A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing. Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented?

Question60: After reading a security bulletin, a network security manager is concerned that a malicious actor may have breached the network using the same software flaw. The exploit code is publicly available and has been reported as being used against other industries in the same vertical.
Which of the following should the network security manager consult FIRST to determine a priority list for forensic review?

Question61: A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the following SIEM log:

Which of the following describes the method that was used to compromise the laptop?

Question62: Which of the following distributes data among nodes, making it more difficult to manipulate the data while also minimizing downtime?

Question63: A security analyst is preparing a threat for an upcoming internal penetration test. The analyst needs to identify a method for determining the tactics, techniques, and procedures of a threat against the organization's network. Which of the following will the analyst MOST likely use to accomplish the objective?

Question64: A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the users PCs. Which of the following is the MOST likely cause of this issue?

Question65: Which of the following is the correct order of volatility from MOST to LEAST volatile?

Question66: Which of the following would satisfy three-factor authentication?

Question67: A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers. Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:

Question68: A security architect at a large, multinational organization is concerned about the complexities and overhead of managing multiple encryption keys securely in a multicloud provider environment.
The security architect is looking for a solution with reduced latency to allow the incorporation of the organization's existing keys and to maintain consistent, centralized control and management regardless of the data location.
Which of the following would BEST meet the architect's objectives?

Question69: Which of the following would cause a Chief Information Security Officer (CISO) the MOST concern regarding newly installed Internet-accessible 4K surveillance cameras?

Question70: Which two features are available only in next-generation firewalls? (Choose two )

Question71: A security manager needs to assess the security posture of one of the organization's vendors.
The contract with the vendor does not allow for auditing of the vendor's security controls.
Which of (he following should the manager request to complete the assessment?

Question72: A user must introduce a password and a USB key to authenticate against a secure computer, and authentication is limited to the state in which the company resides. Which of the following authentication concepts are in use?

Question73: An attacker was easily able to log in to a company's security camera by performing a baste online search for a setup guide for that particular camera brand and model.
Which of the following BEST describes the configurations the attacker exploited?

Question74: Which of the following employee roles is responsible for protecting an organization's collected personal information?

Question75: Which of the following environments typically hosts the current version configurations and code, compares user-story responses and workflow, and uses a modified version of actual data for testing?

Question76:

Question77: A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective?

Question78: Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed.
Which of the following explains this process?

Question79: A security researcher has alerted an organization that its sensitive user data was found for sale on a website. Which of the following should the organization use to inform the affected parties?

Question80: A network technician is installing a guest wireless network at a coffee shop. When a customer purchases an Item, the password for the wireless network is printed on the recent so the customer can log in.
Which of the following will the technician MOST likely configure to provide the highest level of security with the least amount of overhead?

Question81: Which of the following environments would MOST likely be used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance characteristics?

Question82: Which of the following BEST explains the difference between a data owner and a data custodian?

Question83: Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement?

Question84: An information security incident recently occurred at an organization, and the organization was required to report the incident to authorities and notify the affected parties. When the organization's customers became of aware of the incident, some reduced their orders or stopped placing orders entirely. Which of the following is the organization experiencing?

Question85: A security analyst is reviewing the following attack log output:

Which of the following types of attacks does this MOST likely represent?

Question86: A network engineer needs to build a solution that will allow guests at the company's headquarters to access the Internet via WiFi. This solution should not allow access to the internal corporate network, but it should require guests to sign off on the acceptable use policy before accessing the Internet. Which of the following should the engineer employ to meet these requirements?

Question87: Which of the following describes the continuous delivery software development methodology?

Question88: After entering a username and password, and administrator must gesture on a touch screen.
Which of the following demonstrates what the administrator is providing?

Question89: A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert?

Question90: A network administrator at a large organization Is reviewing methods to improve the security of the wired LAN Any security improvement must be centrally managed and allow corporate-owned devices to have access to the intranet but limit others to Internet access only. Which of the following should the administrator recommend?

Question91: A company is looking to migrate some servers to the cloud to minimize its technology footprint.
The company has 100 databases that are on premises. Which of the following solutions will require the LEAST management and support from the company?

Question92: A security administrator has discovered that workstations on the LAN are becoming infected with malware. The cause of the infections appears to be users receiving phishing emails that are bypassing the current email-filtering technology. As a result, users are being tricked into clicking on malicious URLs, as no internal controls currently exist in the environment to evaluate their safety. Which of the following would be BEST to implement to address the issue?

Question93: When planning to build a virtual environment, an administrator need to achieve the following:
- Establish polices in Limit who can create new VMs
- Allocate resources according to actual utilization`
- Require justification for requests outside of the standard
requirements.
- Create standardized categories based on size and resource
requirements
Which of the following is the administrator MOST likely trying to do?

Question94: A dynamic application vulnerability scan identified code injection could be performed using a web form. Which of the following will be BEST remediation to prevent this vulnerability?

Question95: An organization's policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevents users from using any of their previous 12 passwords. The quantization does not use single sign- on, nor does it centralize storage of passwords.
The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected fc that separate system. Account login has been detected for users who are on vacation.
Which of the following BEST describes what is happening?

Question96: Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server?

Question97: A company is implementing a new SIEM to log and send alerts whenever malicious activity is blocked by its antivirus and web content filters.
Which of the following is the primary use case for this scenario?

Question98: A security assessment determines DES and 3DES at still being used on recently deployed production servers. Which of the following did the assessment identify?

Question99: Which of the following is the MOST secure but LEAST expensive data destruction method for data that is stored on hard drives?

Question100: A user recent an SMS on a mobile phone that asked for bank delays.
Which of the following social-engineering techniques was used in this case?

Question101: A consultant is configuring a vulnerability scanner for a large, global organization in multiple countries. The consultant will be using a service account to scan systems with administrative privileges on a weekly basis, but there is a concern that hackers could gain access to account to the account and pivot through the global network. Which of the following would be BEST to help mitigate this concern?

Question102: The president of a company that specializes in military contracts receives a request for an interview. During the interview, the reporter seems more interested in discussing the president's family life and personal history than the details of a recent company success. Which of the following security concerns is this MOST likely an example of?

Question103: A manufacturer creates designs for very high security products that are required to be protected and controlled by the government regulations. These designs are not accessible by corporate networks or the Internet. Which of the following is the BEST solution to protect these designs?

Question104: After gaining access to a dual-homed (i.e.. wired and wireless) multifunction device by exploiting a vulnerability in the device's firmware, a penetration tester then gains shell access on another networked asset. This technique is an example of:

Question105: A security analyst has been asked to investigate a situation after the SOC started to receive alerts from the SIEM. The analyst first looks at the domain controller and finds the following events:

To better understand what is going on, the analyst runs a command and receives the following output:

Based on the analyst's findings, which of the following attacks is being executed?

Question106: A university is opening a facility in a location where there is an elevated risk of theft The university wants to protect the desktops in its classrooms and labs.
Which of the following should the university use to BEST protect these assets deployed in the facility?

Question107: A security analyst notices several attacks are being blocked by the NIPS but does not see anything on the boundary firewall logs. The attack seems to have been thwarted. Which of the following resiliency techniques was applied to the network to prevent this attack?

Question108: Hackers recently attacked a company's network and obtained several unfavorable pictures from the Chief Executive Officer's workstation. The hackers are threatening to send the images to the press if a ransom is not paid. Which of the following is impacted the MOST?

Question109: Which of the following holds staff accountable while escorting unauthorized personnel?

Question110: After a phishing scam for a user's credentials, the red team was able to craft a payload to deploy on a server. The attack allowed the installation of malicious software that initiates a new remote session.
Which of the following types of attacks has occurred?

Question111: A web server administrator has redundant servers and needs to ensure failover to the secondary server when the primary server goes down. Which of the following should the administrator implement to avoid disruption?

Question112: A security analyst is investigating multiple hosts that are communicating to external IP addresses during the hours of 2:00 a.m - 4:00 am. The malware has evaded detection by traditional antivirus software. Which of the following types of malware is MOST likely infecting the hosts?

Question113: When implementing automation with loT devices, which of the following should be considered FIRST to keep the network secure?

Question114: A company has three technicians who share the same credentials for troubleshooting system.
Every time credentials are changed, the new ones are sent by email to all three technicians. The security administrator has become aware of this situation and wants to implement a solution to mitigate the risk. Which of the following is the BEST solution for company to implement?

Question115: A SOC is implementing an in sider-threat-detection program. The primary concern is that users may be accessing confidential data without authorization. Which of the following should be deployed to detect a potential insider threat?

Question116: Which of the following encryption algorithms require one encryption key? (Select TWO).

Question117: A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization's executives determine the next course of action?

Question118: An incident response technician collected a mobile device during an investigation. Which of the following should the technician do to maintain chain of custody?

Question119: A user downloaded an extension for a browser, and the uses device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data The following was observed running:

Which of the following is the malware using to execute the attack?

Question120: During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute- force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations. Which of the following data sources would be BEST to use to assess the accounts impacted by this attack?

Question121: An engineer needs to deploy a security measure to identify and prevent data tampering within the enterprise.
Which of the following will accomplish this goal?

Question122: A malicious actor recently penetration a company's network and moved laterally to the datacenter. Upon investigation, a forensics firm wants to know was in the memory on the compromised server. Which of the following files should be given to the forensics firm?

Question123: The process of passively gathering information poor to launching a cyberattack is called:

Question124: A security monitoring company offers a service that alerts ifs customers if their credit cards have been stolen. Which of the following is the MOST likely source of this information?

Question125: Employees are having issues accessing the company's website. Some employees report very slow performance, while others cannot the website at all. The web and security administrators search the logs and find millions of half-open connections to port 443 on the web server. Further analysis reveals thousands of different source IPs initiating this traffic. Which of the following attacks is MOST likely occurring?

Question126: A systems administrator reports degraded performance on a virtual server. The administrator increases the virtual memory allocation, which improves conditions, but performance degrades again after a few days. The administrator runs an analysis tool and sees the following output:

The administrator terminates the timeAttend.exe, observes system performance over the next few days and notices that the system performance does not degrade.
Which of the following issues is MOST likely occurring?

Question127: An attacked is attempting to exploit users by creating a fake website with the URL www.validwebsite.com. The attacker s intent is to imitate the look and feel of a legitimate website to obtain personal information from unsuspecting users.
Which of the following social-engineering attacks does this describe?

Question128: An analyst is generating a security report for the management team. Security guidelines recommend disabling all listening unencrypted services. Given this output from Nmap.

Which of the following should the analyst recommend to disable?

Question129: A bank detects fraudulent activity on user's account. The user confirms transactions completed yesterday on the bank's website at https://www.company.com. A security analyst then examines the user's Internet usage logs and observes the following output:

Which of the following has MOST likely occurred?

Question130: A security engineer needs to build a solution to satisfy regulatory requirements that state certain critical servers must be accessed using MFA. However, the critical servers are older and are unable to support the addition of MFA.
Which of the following will the engineer MOST likely use to achieve this objective?

Question131: Which of the following should be put in place when negotiating with a new vendor about the timeliness of the response to a significant outage or incident?

Question132: A security analyst has been reading about a newly discovered cyber attack from a known threat actor. Which of the following would BEST support the analyst's review of the tactics, techniques, and protocols the threat actor was observed using in previous campaigns?

Question133: A company uses specially configured workstations tor any work that requires administrator privileges to its Tier 0 and Tier 1 systems. The company follows a strict process to harden systems immediately upon delivery. Even with these strict security measures in place, an incident occurred from one of the workstations. The root cause appears to be that the SoC was tampered with or replaced. Which of the following MOST likely occurred?

Question134: The following is an administrative control that would be MOST effective to reduce the occurrence of malware execution?

Question135:

Question136: The concept of connecting a user account across the systems of multiple enterprises is BEST known as:

Question137: The IT department's on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production?

Question138: An organization just experienced a major cyberattack modem. The attack was well coordinated sophisticated and highly skilled. Which of the following targeted the organization?

Question139: A security administrator checks the table of a network switch, which shows the following output:

Which of the following is happening to this switch?

Question140: An analyst has determined that a server was not patched and an external actor exfiltrated data on port 139.
Which of the following sources should the analyst review to BEST ascertain how the Incident could have been prevented?

Question141: A Chief Security Officer (CSO) is concerned about the amount of PII that is stored locally on each salesperson's laptop. The sales department has a higher-than-average rate of lost equipment.
Which of the following recommendations would BEST address the CSO's concern?

Question142: An organization recently discovered that a purchasing officer approved an invoice for an amount that was different than the original purchase order. After further investigation a security analyst determines that the digital signature for the fraudulent invoice is exactly the same as the digital signature for the correct invoice that had been approved Which of the following attacks MOST likely explains the behavior?

Question143: A company reduced the area utilized in its datacenter by creating virtual networking through automation and by creating provisioning routes and rules through scripting. Which of the following does this example describe?

Question144: A Chief Executive Officer's (CEO) personal information was stolen in a social engineering attack.
Which of the following sources would reveal if the CEO's personal information is for sale?

Question145: A security analyst needs to find real-time data on the latest malware and IoCs. Which of the following would BEST describes the solution the analyst should pursue?

Question146: A security operations analyst is using the company's SIEM solution to correlate alerts. Which of the following stages of the incident response process is this an example of?

Question147: A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP connections. The analyst is unsure what is required to perform the task and solicits help from a senior colleague.
Which of the following is the FIRST step the senior colleague will most likely tell the analyst to perform to accomplish this task?

Question148: A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis.
Which of the following tools will the other team member MOST likely use to open this file?

Question149: A Chief Information Security Officer (CISO) is concerned about the organization's ability to continue business operation in the event of a prolonged DDoS attack on its local datacenter that consumes database resources. Which of the following will the CISO MOST likely recommend to mitigate this risk?

Question150: A company processes highly sensitive data and senior management wants to protect the sensitive data by utilizing classification labels. Which of the following access control schemes would be BEST for the company to implement?

Question151: An organization's Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities?

Question152: A company recently implemented a new security system. In the course of configuration, the security administrator adds the following entry:
#Whitelist
USB\VID13FE&PID_4127&REV_0100
Which of the following security technologies is MOST likely being configured?

Question153: A company Is concerned about is security after a red-team exercise. The report shows the team was able to reach the critical servers due to the SMB being exposed to the Internet and running NTLMV1, Which of the following BEST explains the findings?

Question154: As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous incident is happening again. Which of the following would allow the security analyst to alert the SOC if an event is reoccurring?

Question155: Phishing and spear-phishing attacks have been occurring more frequently against a company's staff. Which of the following would MOST likely help mitigate this issue?

Question156: Which of the following incident response steps involves actions to protect critical systems while maintaining business operations?

Question157: A company just developed a new web application for a government agency. The application must be assessed and authorized prior to being deployed. Which of the following is required to assess the vulnerabilities resident in the application?

Question158: A preventive control differs from a compensating control in that a preventive control is:

Question159: A security auditor is reviewing vulnerability scan data provided by an internal security team.
Which of the following BEST indicates that valid credentials were used?

Question160: A systems administrator is troubleshooting a server's connection to an internal web server. The administrator needs to determine the correct ports to use. Which of the following tools BEST shows which ports on the web server are in a listening state?

Question161: The SIEM at an organization has detected suspicious traffic coming a workstation in its internal network. An analyst in the SOC the workstation and discovers malware that is associated with a botnet is installed on the device A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator. To which of the following groups should the analyst report this real-world event?

Question162: A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use?

Question163: A Chief Information Security Officer (CISO) is concerned about the organization's ability to continue business operation in the event of a prolonged DDoS attack on its local datacenter that consumes database resources. Which of the following will the CISO MOST likely recommend to mitigate this risk?

Question164: Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations.
Which of the following documents did Ann receive?

Question165: To secure an application after a large data breach, an e-commerce site will be resetting all users' credentials. Which of the following will BEST ensure the site's users are not compromised after the reset?

Question166: Which of the following ISO standards is certified for privacy?

Question167: Which of the following threat actors is MOST likely to be motivated by ideology?

Question168: Which of the following components can be used to consolidate and forward inbound Interne!
traffic to multiple cloud environments though a single firewall?

Question169: A penetration tester gains access to the network by exploiting a vulnerability on a public-facing web server. Which of the following techniques will the tester most likely perform NEXT?

Question170: Which of the following allows for functional test data to be used in new systems for testing and training purposes to protect the read data?

Question171: A company uses wireless tor all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring?

Question172: A external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the DMZ and moved to the sensitive information, generating multiple logs as the attacker traversed through the network.
Which of the following will BEST assist with this investigation?

Question173: A critical file server is being upgraded and the systems administrator must determine which RAID level the new server will need to achieve parity and handle two simultaneous disk failures.
Which of the following RAID levels meets this requirements?

Question174: A security modern may have occurred on the desktop PC of an organization's Chief Executive Officer (CEO) A duplicate copy of the CEO's hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?

Question175: Which of the following will Increase cryptographic security?

Question176: A company's Chief Information Security Officer (CISO) recently warned the security manager that the company's Chief Executive Officer (CEO) is planning to publish a controversial opinion article in a national newspaper, which may result in new cyberattacks.
Which of the following would be BEST for the security manager to use in a threat model?

Question177: A security analyst is concerned about critical vulnerabilities that have been detected on some applications running inside containers. Which of the following is the BEST remediation strategy?

Question178: A development team employs a practice of bringing all the code changes from multiple team members into the same development project through automation. A tool is utilized to validate the code and track source code through version control. Which of the following BEST describes this process?

Question179: A remote user recently took a two-week vacation abroad and brought along a corporate-owned laptop. Upon returning to work, the user has been unable to connect the laptop to the VPN.
Which of the following is the MOST likely reason for the user's inability to connect the laptop to the VPN?

Question180: A hospital's administration is concerned about a potential loss of patient data that is stored on tablets. A security administrator needs to implement controls to alert the SOC any time the devices are near exits. Which of the following would BEST achieve this objective?

Question181: An organization has decided to host its web application and database in the cloud.
Which of the following BEST describes the security concerns for this decision?

Question182: Which of the following should be monitored by threat intelligence researchers who search for leaked credentials?

Question183: An organization has implemented a policy requiring the use of conductive metal lockboxes for personal electronic devices outside of a secure research lab. Which of the following did the organization determine to be the GREATEST risk to intellectual property when creating this policy?

Question184: A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility issues. The Oss are still supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer (CISO) has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating backups of the systems for recovery.
Which of the following resiliency techniques will provide these capabilities?

Question185: Which of the following would BEST identify and remediate a data-loss event in an enterprise using third-party, web-based services and file-sharing platforms?

Question186: Which of the following serves to warn users against downloading and installing pirated software on company devices?

Question187: A Chief Security Officer (CSO) was notified that a customer was able to access confidential internal company files on a commonly used file-sharing service. The file-sharing service is the same one used by company staff as one of its approved third-party applications. After further investigation, the security team determines the sharing of confidential files was accidental and not malicious. However, the CSO wants to implement changes to minimize this type of incident from reoccurring but does not want to impact existing business processes. Which of the following would BEST meet the CSO's objectives?

Question188: A cloud administrator is configuring five compute instances under the same subnet in a VPC.
Three instances are required to communicate with one another, and the other two must he logically isolated from all other instances in the VPC.
Which of the following must the administrator configure to meet this requirement?

Question189: A company has limited storage available and online presence that cannot for more than four hours. Which of the following backup methodologies should the company implement to allow for the FASTEST database restore time In the event of a failure, which being maindful of the limited available storage space?

Question190: A researcher has been analyzing large data sets for the last ten months. The researcher works with colleagues from other institutions and typically connects via SSH to retrieve additional data.
Historically, this setup has worked without issue, but the researcher recently started getting the following message:

Which of the following network attacks is the researcher MOST likely experiencing?

Question191: A systems administrator wants to disable the use of usernames and passwords for SSH authentication and enforce key-based authentication. Which of the following should the administrator do NEXT to enforce this new configuration?

Question192: After multiple on premises security solutions were migrated to the cloud, the incident response time increased. The analyst are spending a long time to trace information on different cloud consoles and correlating data in different formats.
Which of the following can be used to optimize the incident response time?

Question193: Accompany deployed a WiFi access point in a public area and wants to harden the configuration to make it more secure. After performing an assessment, an analyst identifies that the access point is configured to use WPA3, AES, WPS, and RADIUS. Which of the following should the analyst disable to enhance the access point security?

Question194: A workwide manufacturing company has been experiencing email account compromised. In one incident, a user logged in from the corporate office in France, but then seconds later, the same user account attempted a login from Brazil. Which of the following account policies would BEST prevent this type of attack?

Question195: When used at the design stage, which of the following improves the efficiency, accuracy, and speed of a database?

Question196: The website http://companywebsite.com requires users to provide personal Information, Including security question responses, for registration.
Which of the following would MOST likely cause a data breach?

Question197: All security analysts workstations at a company have network access to a critical server VLAN.
The information security manager wants to further enhance the controls by requiring that all access to the secure VLAN be authorized only from a given single location. Which of the following will the information security manager MOST likely implement?

Question198: A recently discovered zero-day exploit utilizes an unknown vulnerability in the SMB network protocol to rapidly infect computers. Once infected, computers are encrypted and held for ransom. Which of the following would BEST prevent this attack from reoccurring?

Question199: A user reports trouble using a corporate laptop. The laptop freezes and responds slowly when writing documents and the mouse pointer occasional disappears.
The task list shows the following results

Which of the following is MOST likely the issue?

Question200: An enterprise has hired an outside security firm to facilitate penetration testing on its network and applications. The firm has agreed to pay for each vulnerability that is discovered. Which of the following BEST represents the type of testing that is being used?

Question201: An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the IP address associated with the shopping site. Later, the user received an email regarding the credit card statement with unusual purchases.
Which of the following attacks took place?

Question202: An organization blocks user access to command-line interpreters but hackers still managed to invoke the interpreters using native administrative tools.
Which of the following should the security team do to prevent this from Happening in the future?

Question203: A user's PC was recently infected by malware. The user has a legacy printer without vendor support, and the user's OS is fully patched. The user downloaded a driver package from the internet. No threats were found on the downloaded file, but during file installation, a malicious runtime threat was detected. Which of the following is MOST likely cause of the infection?

Question204: Under GDPR, which of the following is MOST responsible for the protection of privacy and website user rights?

Question205: A security analyst needs to perform periodic vulnerably scans on production systems. Which of the following scan types would produce the BEST vulnerability scan report?

Question206: A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content.
Which of the following is the BEST way for the company to mitigate this attack?

Question207: A cybersecurity manager has scheduled biannual meetings with the IT team and department leaders to discuss how they would respond to hypothetical cyberattacks. During these meetings, the manager presents a scenario and injects additional information throughout the session to replicate what might occur in a dynamic cybersecurity event involving the company, its facilities, its data, and its staff. Which of the following describes what the manager is doing?

Question208: A cybersecurity administrator has a reduced team and needs to operate an on-premises network and security infrastructure efficiently. To help with the situation, the administrator decides to hire a service provider. Which of the following should the administrator use?

Question209: An organization is concerned that is hosted web servers are not running the most updated version of the software. Which of the following would work BEST to help identify potential vulnerabilities?

Question210: The Chief Information Security Officer (CISO) has decided to reorganize security staff to concentrate on incident response and to outsource outbound Internet URL categorization and filtering to an outside company. Additionally, the CISO would like this solution to provide the same protections even when a company laptop or mobile device is away from a home office. Which of the following should the CISO choose?

Question211: A backdoor was detected on the containerized application environment. The investigation detected that a zero-day vulnerability was introduced when the latest container image version was downloaded from a public registry. Which of the following is the BEST solution to prevent this type of incident from occurring again?

Question212: A company needs to centralize its logs to create a baseline and have visibility on its security events. Which of the following technologies will accomplish this objective?

Question213: Drag and Drop Question
Leveraging the information supplied below, complete the CSR for the server to set up TLS (HTTPS).
- Hostnam : ws01
- Domain: comptia.org
- IPv4: 10.1.9.50
- IPV4: 10.2.10.50
- Root: home.aspx
- DNS CNAME:homesite.
INSTRUCTIONS
Drag the various data points to the correct locations within the CSR. Extension criteria belong in the left-hand column and values belong in the corresponding row in the right-hand column.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question214: A recent security assessment revealed that an actor exploited a vulnerable workstation within an organization and has persisted on the network for several months.
The organization realizes the need to reassess its security strategy for mitigating risks within the perimeter.
Which of the following solutions would BEST support the organization's strategy?

Question215: A security analyst has received an alert about being sent via email. The analyst's Chief information Security Officer (CISO) has made it clear that PII must be handle with extreme care From which of the following did the alert MOST likely originate?

Question216: Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:
- All users share workstations throughout the day.
- Endpoint protection was disabled on several workstations throughout
the network.
- Travel times on logins from the affected users are impossible.
- Sensitive data is being uploaded to external sites.
- All user account passwords were forced to be reset and the issue
continued.
Which of the following attacks is being used to compromise the user accounts?

Question217: A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring?

Question218: A retail company that is launching a new website to showcase the company's product line and other information for online shoppers registered the following URLs:
* www.companysite.com
* shop.companysite.com
* about-us.companysite.com
* contact-us.companysite.com
* secure-logon.companysite.com
Which of the following should the company use to secure its website if the company is concerned with convenience and cost?

Question219: An organization is moving away from the use of client-side and server-side certificates for EAR The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements?