EMT Practice Test

1. Question Content...


Question List

Question1: A company is looking to migrate some servers to the cloud to minimize its technology footprint.
The company has a customer relationship management system on premises. Which of the following solutions will require the LEAST infrastructure and application support from the company?

Question2: A company needs to centralize its logs to create a baseline and have visibility on its security events. Which of the following technologies will accomplish this objective?

Question3: An organization is building a single virtual environment that will host customer applications and data that require availability at all times. The data center that is hosting the environment will provide generator power and ISP services. Which of the following is the best solution to support the organization's requirement?

Question4: A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional brownouts that last up to an hour exists, particularly at one of the locations near an industrial smelter. Which of the following is the BEST solution to reduce the risk of data loss?

Question5: Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed.
Which of the following explains this process?

Question6: An incident has occurred in the production environment.
Analyze the command outputs and identify the type of compromise. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question7: While assessing the security of a web application, a security analyst was able to introduce unsecure strings through the application input fields by bypassing client-side controls. Which of the following solutions should the analyst recommend?

Question8: The Chief Information Security Officer wants to pilot a new adaptive, user-based authentication method. The concept Includes granting logical access based on physical location and proximity.
Which of the following Is the BEST solution for the pilot?

Question9: A network analyst is investigating compromised corporate information. The analyst leads to a theory that network traffic was intercepted before being transmitted to the internet. The following output was captured on an internal host:
IPv4 Address ............ 10.0.0.87
Subnet Mask ............. 255.255.255.0
Default Gateway ......... 10.0.0.1
Internet Address Physical Address
10.10.255.255 ff-ff-ff-ff-ff-ff
10.0.0.1 aa-aa-aa-aa-aa-aa
10.0.0.254 aa-aa-aa-aa-aa-aa
244.0.0.2 01-00-5e-00-00-02
Based on the IoCs, which of the following was the most likely attack used to compromise the network communication?

Question10: A spoofed identity was detected for a digital certificate. Which of the following are the type of unidentified key and the certificate that could be in use on the company domain?

Question11: Which of the following is most likely associated with introducing vulnerabilities on a corporate network by the deployment of unapproved software?

Question12: A company recently moved sensitive videos between on-premises, company-owned websites.
The company then learned the videos had been uploaded and shared to the Internet. Which of the following would MOST likely allow the company to find the cause?

Question13: A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the fastest check with the least delay to determine if the certificate has been revoked.
Which of the following would BEST these requirement?

Question14: To further secure a company's email system, an administrator is adding public keys to DNS records in the company's domain Which of the following is being used?

Question15: During an internal penetration test, a security analyst identified a network device that had accepted cleartext authentication and was configured with a default credential. Which of the following recommendations should the security analyst make to secure this device?

Question16: A network engineer and a security engineer are discussing ways to monitor network operations.
Which of the following is the BEST method?

Question17: A financial organization has adopted a new secure, encrypted document-sharing application to help with its customer loan process. Some important PII needs to be shared across this new platform, but it is getting blocked by the DLP systems. Which of the following actions will BEST allow the PII to be shared with the secure application without compromising the organization's security posture?

Question18: A security analyst needs to perform periodic vulnerably scans on production systems. Which of the following scan types would produce the BEST vulnerability scan report?

Question19: An attacker was easily able to log in to a company's security camera by performing a baste online search for a setup guide for that particular camera brand and model.
Which of the following BEST describes the configurations the attacker exploited?

Question20: A company wants to deploy decoy systems alongside production systems in order to entice threat actors and to learn more about attackers. Which of the following best describes these systems?

Question21: A security administrator installed a new web server. The administrator did this to increase the capacity for an application due to resource exhaustion on another server. Which of the following algorithms should the administrator use to split the number of the connections on each server in half?

Question22: An organization's policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevents users from using any of their previous 12 passwords. The quantization does not use single sign- on, nor does it centralize storage of passwords.
The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation.
Which of the following BEST describes what is happening?

Question23: As part of the building process for a web application, the compliance team requires that all PKI certificates are rotated annually and can only contain wildcards at the secondary subdomain level. Which of the following certificate properties will meet these requirements?

Question24: A well-known organization has been experiencing attacks from APIs. The organization is concerned that custom malware is being created and emailed into the company or installed on USB sticks that are dropped in parking lots. Which of the following is the BEST defense against this scenario?

Question25: A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage. Which of the following is the best mitigation strategy to prevent this from happening in the future?

Question26: Which of the following methods is the most effective for reducing vulnerabilities?

Question27: During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will BEST assist the analyst?

Question28: A security analyst is reviewing a secure website that is generating TLS certificate errors. The analyst determines that the browser is unable to receive a response from the OCSP for the certificate. Which of the following actions would most likely resolve the issue?

Question29: A software company adopted the following processes before releasing software to production:
- Peer review
- Static code scanning
- Signing
A considerable number of vulnerabilities are still being detected when code is executed on production.
Which of the following security tools can improve vulnerability detection on this environment?

Question30: An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state?

Question31: Historically, a company has had issues with users plugging in personally owned removable media devices into corporate computers. As a result, the threat of malware incidents is almost constant.
Which of the following would BEST help prevent the malware from being installed on the computers?

Question32: The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve in the environment patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have been provided to frontline staff, and a risk analysis has not been performed.
Which of the following is the MOST likely cause of the CRO's concerns?

Question33: A company needs to keep the fewest records possible, meet compliance needs, and ensure destruction of records that are no longer needed. Which of the following best describes the policy that meets these requirements?

Question34: To mitigate the impact of a single VM being compromised by another VM on the same hypervisor, an administrator would like to utilize a technical control to further segregate the traffic.
Which of the following solutions would BEST accomplish this objective?

Question35: An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an IoC?

Question36: Which of the following provides a calculated value for known vulnerabilities so organizations can prioritize mitigation steps?

Question37: An attacker is attempting to exploit users by creating a fake website with the URL users. Which of the following social-engineering attacks does this describe?

Question38: A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicates a directory-traversal attack has occurred. Which of the following is the analyst MOST likely seeing?

Question39: Several employees return to work the day after attending an industry trade show. That same day, the security manager notices several malware alerts coming from each of the employee's workstations. The security manager investigates but finds no signs of an attack on the perimeter firewall or the NIDS. Which of the following is MOST likely causing the malware alerts?

Question40: A security analyst was deploying a new website and found a connection attempting to authenticate on the site's portal.
While Investigating the incident, the analyst identified the following Input in the username field:

Which of the following BEST explains this type of attack?

Question41: Which of the following is the MOST effective control against zero-day vulnerabilities?

Question42: Which of the following is a cryptographic concept that operates on a fixed length of bits?

Question43: Which of the following typically uses a combination of human and artificial intelligence to analyze event data and take action without intervention?

Question44: A security analyst needs to produce a document that details how a security incident occurred, the steps that were taken for recovery, and how future incidents can be avoided. During which of the following stages of the response process will this activity take place?

Question45: A junior security analyst is reviewing web server logs and identifies the following pattern in the log file:

Which of the following types of attacks is being attempted and how can it be mitigated?

Question46: A company wants to ensure that all employees in a given department are trained on each job role to help with employee burnout and continuity of business operations in the event an employee leaves the company. Which of the following should the company implement?

Question47: Stakeholders at an organization must be kept aware of any incidents and receive updates on status changes as they occur. Which of the following plans would fulfill this requirement?

Question48: Which of the following controls is used to make an organization initially aware of a data compromise?

Question49: A security researcher has alerted an organization that its sensitive user data was found for sale on a website. Which of the following should the organization use to inform the affected parties?

Question50: Which of the following rales is responsible for defining the protection type and classification type for a given set of files?

Question51: Which of the following examples would be best mitigated by input sanitization?

Question52: A SOC is implementing an in sider-threat-detection program. The primary concern is that users may be accessing confidential data without authorization. Which of the following should be deployed to detect a potential insider threat?

Question53: A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution. In order to restrict PHI documents, which of the following should be performed FIRST?

Question54: Which of the following would a European company interested in implementing a technical, hands- on set of security standards MOST likely choose?

Question55: Against the recommendation of the IT security analyst, a company set all user passwords on a server as `P@55w0rD`. Upon review of the /etc/passwd file, an attacker found the following:
alice:a8df3b6c4fd75f0617431fd248f35191df8d237f
bob:2d250c5b2976b03d757f324ebd59340df96aa05e
chris:ea981ec3285421d014108089f3f3f997ce0f4150
Which of the following BEST explains why the encrypted passwords do not match?

Question56: After a recent external audit, the compliance team provided a list of several non-compliant, in- scope hosts that were not encrypting cardholder data at rest. Which of the following compliance frameworks would address the compliance team's GREATEST concern?

Question57: A forensics investigator is examining a number of unauthorized payments that were reported on the company's website. Some unusual log entries show users received an email for an unwanted mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be:
<a
href="https://www.company.com/payto.do?routing=00001111&acct=22223334&a mount=250">Click here to unsubscribe</a> Which of the following will the forensics investigator MOST likely determine has occurred?

Question58: A company network is currently under attack. Although security controls are in place to stop the attack, the security administrator needs more information about the types of attacks being used.
Which of the following network types would BEST help the administrator gather this information?

Question59: A company wants to improve end users' experiences when they log in to a trusted partner website. The company does not want the users to be issued separate credentials for the partner website. Which of the following should be implemented to allow users to authenticate using their own credentials to log in to the trusted partner's website?

Question60: Which of the following is a detective and deterrent control against physical intrusions?

Question61: An attacker is trying to gain access by installing malware on a website that is known to be visited by the target victims. Which of the following is the attacker MOST likely attempting?

Question62: A user reports trouble using a corporate laptop. The laptop freezes and responds slowly when writing documents and the mouse pointer occasional disappears.
The task list shows the following results

Which of the following is MOST likely the issue?

Question63: A security analyst is responding to a malware incident at a company. The malware connects to a command-and-control server on the internet in order to function. Which of the following should the security analyst implement first?

Question64: A security analyst needs to implement security features across smartphones, laptops, and tablets. Which of the following would be the MOST effective across heterogeneous platforms?

Question65: An organization discovered a disgruntled employee exfiltrated a large amount of PII data by uploading files Which of the following controls should the organization consider to mitigate this risk?

Question66: A systems engineer thinks a business system has been compromised and is being used to exfiltrate data to a competitor. The engineer contacts the CSIRT. The CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else. Which of the following is the most likely reason for this request?

Question67: The SOC is reviewing process and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. The allowed the malware to spread to additional hosts before it was contained.
Which of the following would be BEST to improve the incident response process?

Question68: A web server has been compromised due to a ransomware attack. Further investigation reveals the ransomware has been in the server for the past 72 hours. The systems administrator needs to get the services back up as soon as possible. Which of the following should the administrator use to restore services to a secure state?

Question69: A junior security analyst is reviewing web server logs and identifies the following pattern in the log file:
http://comptia.org/../../../etc/passwd
Which of the following types of attacks is being attempted and how can it be mitigated?

Question70: Which of the following can a security director use to prioritize vulnerability patching within a company's IT environment?

Question71: Which of the following actions would be recommended to improve an incident response process?

Question72: Hotspot Question
A newly purchased corporate WAP needs to be configured in the MOST secure manner possible.
INSTRUCTIONS
Please click on the below items on the network diagram and configure them accordingly:
WAP

DHCP Server

AAA Server

Wireless Controller

LDAP Server

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question73: The SIEM at an organization has detected suspicious traffic coming from a workstation in its internal network. An analyst in the SOC investigates the workstation and discovers malware that is associated with a botnet is installed on the device. A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator. To which of the following groups should the analyst report this real-world event?

Question74: Security analysts are conducting an investigation of an attack that occurred inside the organization's network. An attacker was able to connect network traffic between workstation throughout the network. The analysts review the following logs:

The layer 2 address table has hundred of entries similar to the ones above.
Which of the following attacks has MOST likely occurred?

Question75: A security manager needs to assess the security posture of one of the organization's vendors.
The contract with the vendor does not allow for auditing of the vendor's security controls.
Which of the following should the manager request to complete the assessment?

Question76: A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users' interaction. The SIEM have multiple login entries with the following text:

Which of the following is the MOST likely attack conducted on the environment?

Question77: Which of the following incident response steps occurs before containment?

Question78: A company has drafted an insider-threat policy that prohibits the use of external storage devices.
Which of the following would BEST protect the company from data exfiltration via removable media?

Question79: An organization's help desk is flooded with phone calls from users stating they can no longer access certain websites. The help desk escalates the issue to the security team, as these websites were accessible the previous day. The security analysts run the following command:
ipconfig /flushdns, but the issue persists. Finally, an analyst changes the DNS server for an impacted machine, and the issue goes away. Which of the following attacks MOST likely occurred on the original DNS server?

Question80: A network engineer is troubleshooting wireless network connectivity issues that were reported by users. The issues are occurring only in the section of the building that is closest to the parking lot.
Users are intermittently experiencing slow speeds when accessing websites and are unable to connect to network drives. The issues appear to increase when laptop users return desks after using their devices in other areas of the building. There have also been reports of users being required to enter their credentials on web pages in order to gain access to them. Which of the following is the MOST likely cause of this issue?

Question81: A forensic analyst needs to prove that data has not been tampered with since it was collected.
Which of the following methods will the analyst MOST likely use?

Question82: Which of the following would BEST identify and remediate a data-loss event in an enterprise using third-party, web-based services and file-sharing platforms?

Question83: A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers the company is unable to upgrade the encryption standard.
Which of the following types of controls should be used to reduce the risk created by this scenario?

Question84: A company wants to pragmatically grant access to users who have the same job. Which of the following access controls should the company most likely use?

Question85: Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?

Question86: A user's account is constantly being locked out. Upon further review, a security analyst found the following in the SIEM:

Which of the following describes what is occurring?

Question87: An employee finds a USB flash drive labeled "Salary Info" in an office parking lot. The employee picks up the USB flash drive, goes into the office, and plugs it into a laptop. Later, a technician inspects the laptop and realizes it has been compromised by malware. Which of the following types of social engineering attacks has occurred?

Question88: A security team discovered a large number of company-issued devices with non-work-related software installed. Which of the following policies would MOST likely contain language that would prohibit this activity?

Question89: An attacker has determined the best way to impact operations is to infiltrate third-party software vendors. Which of the following vectors is being exploited?

Question90: A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility issues. The Oss are still supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer (CISO) has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating backups of the systems for recovery.
Which of the following resiliency techniques will provide these capabilities?

Question91: An information security policy stales that separation of duties is required for all highly sensitive database changes that involve customers' financial data. Which of the following will this be BEST to prevent?

Question92: Which of the following provides a catalog of security and privacy controls related to the United States federal information systems?

Question93: An organization would like to remediate the risk associated with its cloud service provider not meeting its advertised 99.999% availability metrics.
Which of the following should the organization consult for the exact requirements for the cloud provider?

Question94: Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyber intrusions, phishing, and other malicious cyber activity?

Question95: Which of the following processes will eliminate data using a method that will allow the storage device to be reused after the process is complete?

Question96: A software developer needs to perform code-execution testing, black-box testing, and non- functional testing on a new product before its general release. Which of the following BEST describes the tasks the developer is conducting?

Question97: During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute- force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations. Which of the following data sources would be BEST to use to assess the accounts impacted by this attack?

Question98: Which of the following authentication methods sends out a unique password to be used within a specific number of seconds?

Question99: A network manager wants to protect the company's VPN by multifactor authentication that uses:
- Something you know
- Something you have
- Somewhere you are
Which of the following would accomplish the manager's goal?

Question100: A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file downloaded from a social media site and subsequently installed it without the user's knowledge.
Since the compromise, the attacker was able to take command and control the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker MOST likely use to gain access?

Question101: A security analyst is reviewing computer logs because a host was compromised by malware.
After the computer was infected it displayed an error screen and shut down. Which of the following should the analyst review first to determine more information?

Question102: Which of the following job roles would sponsor data quality and data entry initiatives that ensure business and regulatory requirements are met?

Question103: Which of the following roles, according to the shared responsibility model, is responsible for securing the company's database in an IaaS model for a cloud environment?

Question104: Which of the following is a reason to publish files' hashes?

Question105: Employees are having issues accessing the company's website. Some employees report very slow performance, while others cannot the website at all. The web and security administrators search the logs and find millions of half-open connections to port 443 on the web server. Further analysis reveals thousands of different source IPs initiating this traffic. Which of the following attacks is MOST likely occurring?

Question106: A company is adopting a BYOD policy and is looking for a comprehensive solution to protect company information on user devices. Which of the following solutions would BEST support the policy?

Question107: Administrators have allowed employee to access their company email from personal computers.
However, the administrators are concerned that these computes are another attach surface and can result in user accounts being breached by foreign actors.
Which of the following actions would provide the MOST secure solution?

Question108: A recent security breach exploited software vulnerabilities in the firewall and within the network management solution. Which of the following will MOST likely be used to identify when the breach occurred through each device?

Question109: An organization wants to minimize the recovery time from backups in case of a disaster. Backups must be retained for one month, while minimizing the storage space used for backups. Which of the following is the best approach for a backup strategy?

Question110: Drag and Drop Question
A security engineer is setting up passwordless authentication for the first time.
INSTRUCTIONS
Use the minimum set of commands to set this up and verify that it works. Commands cannot be reused.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question111: Multiple beaconing activities to a malicious domain have been observed. The malicious domain is hosting malware from various endpoints on the network. Which of the following technologies would be BEST to correlate the activities between the different endpoints?

Question112: Which of the following tools is effective in preventing a user from accessing unauthorized removable media?

Question113: Which of the following BEST describes a social-engineering attack that relies on an executive at a small business visiting a fake banking website where credit card and account details are harvested?

Question114: Which of the following serves to warn users against downloading and installing pirated software on company devices?

Question115: Following a prolonged datacenter outage that affected web-based sales a company has decided to move its operations to a private cloud solution. The security team has received the following requirements:
- There must be visibility into how teams are using cloud-based
services.
- The company must be able to identify when data related to payment
cards is being sent to the cloud.
- Data must be available regardless of the end user's geographic
location
- Administrators need a single pane-of-glass view into traffic and
trends.
Which of the following should the security analyst recommend?

Question116: An analyst is generating a security report for the management team. Security guidelines recommend disabling all listening unencrypted services. Given this output from Nmap:

Which of the following should the analyst recommend to disable?

Question117: During a security incident, the security operations team identified sustained network traffic from a malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization's network. Which of the following fulfills this request?

Question118: An analyst just discovered an ongoing attack on a host that is on the network. The analyst observes the below taking place:
- The computer performance is slow
- Ads are appearing from various pop-up windows
- Operating system files are modified
- The computer is receiving AV alerts for execution of malicious
processes
Which of the following steps should the analyst consider FIRST?

Question119: A company is implementing a new SIEM to log and send alerts whenever malicious activity is blocked by its antivirus and web content filters.
Which of the following is the primary use case for this scenario?

Question120: A security engineer obtained the following output from a threat intelligence source that recently performed an attack on the company's server:

Which of the following BEST describes this kind of attack?

Question121: A user enters a username and a password at the login screen for a web portal. A few seconds later the following message appears on the screen: Please use a combination of numbers, special characters, and letters in the password field.
Which of the following concepts does this message describe?

Question122: A company is moving to new location. The systems administrator has provided the following server room requirements to the facilities staff:
- Consistent power levels in case of brownouts or voltage spikes
- A minimum of 30 minutes runtime following a power outage
- Ability to trigger graceful shutdowns of critical systems
Which of the following would BEST meet the requirements?

Question123: A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the Internet all day. Which of the following would MOST likely show where the malware originated?

Question124: A security analyst notices an unusual amount of traffic hitting the edge of the network. Upon examining the logs, the analyst identifies a source IP address and blocks that address from communicating with the network. Even though the analyst is blocking this address, the attack is still ongoing and coming from a large number of different source IP addresses. Which of the following describes this type of attack?

Question125: A business operations manager is concerned that a PC that is critical to business operations will have a costly hardware failure soon. The manager is looking for options to continue business operations without incurring large costs. Which of the following would mitigate the managers concerns?

Question126: A security architect at a large, multinational organization is concerned about the complexities and overhead of managing multiple encryption keys securely in a multicloud provider environment.
The security architect is looking for a solution with reduced latency to allow the incorporation of the organization's existing keys and to maintain consistent, centralized control and management regardless of the data location.
Which of the following would BEST meet the architect's objectives?

Question127: A growing company would like to enhance the ability of its security operations center to detect threats but reduce the amount of manual work required for the security analysts. Which of the following would best enable the reduction in manual work?

Question128: After a hardware incident, an unplanned emergency maintenance activity was conducted to rectify the issue. Multiple alerts were generated on the SIEM during this period of time.
Which of the following BEST explains what happened?

Question129: Which of the following is a difference between a DRP and a BCP?

Question130: Which of the following incident response phases should the proper collection of the detected IoCs and establishment of a chain of custody be performed before?

Question131: Which of the following, if compromised, can indirectly impact systems' availability by imposing inadequate environmental conditions for the hardware to operate properly?

Question132: A critical file server is being upgraded and the systems administrator must determine which RAID level the new server will need to achieve parity and handle two simultaneous disk failures.
Which of the following RAID levels meets this requirements?

Question133: A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers. Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:

Question134: A local server recently crashed and the team is attempting to restore the server from a backup.
During the restore process, the team notices the file size of each daily backup is large and will run out of space at the current rate. The current solution appears to do a full backup every night.
Which of the following would use the least amount of storage space for backups?

Question135: A security analyst needs to harden access to a network. One of the requirements is to authenticate users with smart cards. Which of the following should the analyst enable to best meet this requirement?

Question136: An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate data center that houses confidential information. There is a firewall at the internet border, followed by a DLP appliance, the VPN server, and the data center itself. Which of the following is the weakest design element?

Question137: An organization has decided to host its web application and database in the cloud.
Which of the following BEST describes the security concerns for this decision?

Question138: Which of the following is assured when a user signs an email using a private key?

Question139: A security administrator has discovered that workstations on the LAN are becoming infected with malware. The cause of the infections appears to be users receiving phishing emails that are bypassing the current email-filtering technology. As a result, users are being tricked into clicking on malicious URLs, as no internal controls currently exist in the environment to evaluate their safety. Which of the following would be BEST to implement to address the issue?

Question140: A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which is only used for the early detection of attacks. The security analyst then reviews the following application log:

Which of the following can the security analyst conclude?

Question141: During a recent security incident at a multinational corporation a security analyst found the following logs for an account called user:

Which Of the following account policies would BEST prevent attackers from logging in as user?

Question142: A company wants the ability to restrict web access and monitor the websites that employees visit.
Which of the following would BEST meet these requirements?

Question143: The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead to:

Question144: Which of the following concepts BEST describes tracking and documenting changes to software and managing access to files and systems?

Question145: A dynamic application vulnerability scan identified that code injection could be performed using a web form. Which of the following will be the best remediation to prevent this vulnerability?

Question146: A network engineer needs to create a plan for upgrading the wireless infrastructure in a large office Priority must be given to areas that are currently experiencing latency and connection issues. Which of the following would be the BEST resource for determining the order of priority?

Question147: An organization wants to enable built-in FDE on all laptops. Which of the following should the organization ensure is installed on all laptops?

Question148: Which of the following control Types would be BEST to use in an accounting department to reduce losses from fraudulent transactions?

Question149: After a recent ransomware attack on a company's system, an administrator reviewed the log files.
Which of the following control types did the administrator use?

Question150: After reading a security bulletin, a network security manager is concerned that a malicious actor may have breached the network using the same software flaw. The exploit code is publicly available and has been reported as being used against other industries in the same vertical.
Which of the following should the network security manager consult FIRST to determine a priority list for forensic review?

Question151: A company has a flat network in the cloud. The company needs to implement a solution to segment its production and non-production servers without migrating servers to a new network.
Which of the following solutions should the company implement?

Question152: Which of the following can work as an authentication method and as an alerting mechanism for unauthorized access attempts?

Question153: A Chief Information Officer is concerned about employees using company-issued laptops lo steal data when accessing network shares. Which of the following should the company Implement?

Question154: An incident response technician collected a mobile device during an investigation. Which of the following should the technician do to maintain chain of custody?

Question155: An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages, and SFTP, and to specifically block FTP.
Which of the following would BEST accomplish this goal?

Question156: A marketing coordinator is trying to access a social media application on a company laptop but is getting blocked. The coordinator opens a help desk ticket to report the issue. Which of the following documents should a security analyst review to determine whether accessing social media applications on a company device is permitted?

Question157: A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional under-voltage events that could last up to an hour exists, particularly at one of the locations near an industrial smelter.
Which of the following is the best solution to reduce the risk of data loss?

Question158: While investigating a data leakage incident a security analyst reviews access control to cloud - hosted data. The following information was presented in a security posture report:
Policy to control external application integration: Admin authorized
only
- 47 active integration to third-party applications
- 2 applications authorized by admin
- 45 applications authorized by users
- 32 OAuth apps authorize to access data
Based on the report, which of the following was the MOST likely attack vector used against the company?

Question159: A security analyst reviews web server logs and notices the following line:
Which of the following vulnerabilities is the attacker trying to exploit?

Question160: An employee received a word processing file that was delivered as an email attachment. The subject line and email content enticed the employee to open the attachment.
Which of the following attack vectors BEST matches this malware?

Question161: A security analyst was asked to evaluate a potential attack that occurred on a publicly accessible section of the company's website. The malicious actor posted an entry in an attempt to trick users into clicking the following:
https://www.comptia.com/contact-
us/%3Fname%3D%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
Which of the following was most likely observed?

Question162: A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal behavior is detected.
Which of the following is the security analyst MOST likely implementing?

Question163: Which of the following best describes an environment where a business owns the application and operating system but requires the resources to host them in the cloud?

Question164: A security analyst is working with a vendor to get a new SaaS application deployed to an enterprise. The analyst wants to ensure role-based security policies are correctly applied as users access the application. Which of the following is most likely to solve the issue?

Question165: A university is opening a facility in a location where there is an elevated risk of theft The university wants to protect the desktops in its classrooms and labs.
Which of the following should the university use to BEST protect these assets deployed in the facility?

Question166: A manufacturing organization wants to control and monitor access from the internal business network to the segregated production network, while ensuring minimal exposure of the production network to devices. Which of the following solutions would best accomplish this goal?

Question167: An enterprise has hired an outside security firm to facilitate penetration testing on its network and applications. The firm has agreed to pay for each vulnerability that is discovered. Which of the following BEST represents the type of testing that is being used?

Question168: A business is looking for a cloud service provider that offers a la carte services, including cloud backups, VM elasticity, and secure networking. Which of the following cloud service provider types should the business engage?

Question169: A company recently experienced a major breach. An investigation concludes that customer credit card data was stolen and exfiltrated through a dedicated business partner connection to a vendor, who is not held to the same security control standards. Which of the following is the most likely source of the breach?

Question170: During a Chief Information Security Officer (CISO) convention to discuss security awareness, the attendees are provided with a network connection to use as a resource. As the convention progresses, one of the attendees starts to notice delays in the connection, and the HTTPS site requests are reverting to HTTP. Which of the following BEST describes what is happening?

Question171: Several users have opened tickets with the help desk. The help desk has reassigned the tickets to a security analyst for further review. The security analyst reviews the following metrics:

Which of the following is most likely the result of the security analyst's review?

Question172: A Chief Security Officer (CSO) was notified that a customer was able to access confidential internal company files on a commonly used file-sharing service. The file-sharing service is the same one used by company staff as one of its approved third-party applications. After further investigation, the security team determines the sharing of confidential files was accidental and not malicious. However, the CSO wants to implement changes to minimize this type of incident from reoccurring but does not want to impact existing business processes. Which of the following would BEST meet the CSO's objectives?

Question173: A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content.
Which of the following is the BEST way for the company to mitigate this attack?

Question174: An organization implemented a process that compares the settings currently configured on systems against secure configuration guidelines in order to identify any gaps.
Which of the following control types has the organization implemented?

Question175: An organization blocks user access to command-line interpreters but hackers still managed to invoke the interpreters using native administrative tools.
Which of the following should the security team do to prevent this from Happening in the future?

Question176: A network administrator at a large organization Is reviewing methods to improve the security of the wired LAN Any security improvement must be centrally managed and allow corporate-owned devices to have access to the intranet but limit others to Internet access only. Which of the following should the administrator recommend?

Question177: A cloud administrator is configuring five compute instances under the same subnet in a VPC.
Three instances are required to communicate with one another, and the other two must he logically isolated from all other instances in the VPC.
Which of the following must the administrator configure to meet this requirement?

Question178: Which of the following authentication methods is considered to be the LEAST secure?

Question179: The help desk has received calls from users in multiple locations who are unable to access core network services The network team has identified and turned off the network switches using remote commands. Which of the following actions should the network team take NEXT?

Question180: A Chief Security Officer (CSO) has asked a technician to devise a solution that can detect unauthorized execution privileges from the OS in both executable and data files, and can work in conjunction with proxies or UTM.
Which of the following would BEST meet the CSO's requirements?

Question181: A network technician is installing a guest wireless network at a coffee shop. When a customer purchases an Item, the password for the wireless network is printed on the recent so the customer can log in.
Which of the following will the technician MOST likely configure to provide the highest level of security with the least amount of overhead?

Question182: An attacker is attempting, to harvest user credentials on a client's website. A security analyst notices multiple attempts of random usernames and passwords. When the analyst types in a random username and password, the logon screen displays the following message:

Which of the following should the analyst recommend be enabled?

Question183: Which of the following best represents an application that does not have an on-premises requirement and is accessible from anywhere?

Question184: In a rush to meet an end-of-year business goal, the IT department was told to implement a new business application. The security engineer reviews the attributes of the application and decides the time needed to perform due diligence is insufficient from a cybersecurity perspective. Which of the following BEST describes the security engineer's response?

Question185: A cybersecurity department purchased o new PAM solution. The team is planning to randomize the service account credentials of the Windows server first.
Which of the following would be the BEST method to increase the security on the Linux server?

Question186: A network engineer notices the VPN concentrator overloaded and crashes on days when there are a lot of remote workers. Senior management has placed greater importance on the availability of VPN resources for the remote workers than the security of the end users' traffic.
Which of the following would be BEST to solve this issue?

Question187: An attacker was easily able to log in to a company's security camera by performing a basic online search for a setup guide for that particular camera brand and model.
Which of the following BEST describes the configurations the attacker exploited?

Question188: Drag and Drop Question
A security engineer is setting up passwordless authentication for the first time.
INSTRUCTIONS
Drag and drop the MINIMUM set of commands to set this up and verify that it works. Commands may only be used once, and not all will be used.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question189: A technician needs to apply a high-priority patch to a production system. Which of the following steps should be taken first?

Question190: A systems administrator works for a local hospital and needs to ensure patient data is protected and secure. Which of the following data classifications should be used to secure patient data?

Question191: Which of the following is a known security risk associated with data archives that contain financial information?

Question192: Which of the following best describes why the SMS OTP authentication method is more risky to implement than the TOTP method?

Question193: A manufacturer creates designs for very high security products that are required to be protected and controlled by the government regulations. These designs are not accessible by corporate networks or the Internet. Which of the following is the BEST solution to protect these designs?

Question194: A systems administrator set up an automated process that checks for vulnerabilities across the entire environment every morning. Which of the following activities is the systems administrator conducting?

Question195: A software company adopted the following processes before releasing software to production:
- Peer review
- Static code scanning
- Signing
A considerable number of vulnerabilities are still being detected when code is executed on production. Which of the following security tools can improve vulnerability detection on this environment?

Question196: A large retail store's network was breached recently, and this news was made public. The store did not lose any intellectual property, and no customer information was stolen. Although no fines were incurred as a result, the store lost revenue after the breach. Which of the following is the most likely reason for this issue?

Question197: A company is implementing a vendor's security tool in the cloud. The security director does not want to manage users and passwords specific to this tool but would rather utilize the company's standard user directory. Which of the following should the company implement?

Question198: An analyst visits an internet forum looking for information about a tool. The analyst finds a threat that appears to contain relevant information. One of the posts says the following:

Which of the following BEST describes the attack that was attempted against the forum readers?

Question199: A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate device using PKI. Which of the following should the administrator configure?

Question200: A Chief Executive Officer (CEO) is dissatisfied with the level of service from the company's new service provider. The service provider is preventing the CEO. from sending email from a work account to a personal account. Which of the following types of service providers is being used?

Question201: A company uses a SaaS vendor to host its customer database. The company would like to reduce the risk of customer data exposure if the systems are breached. Which of the following risks should the company focus on to achieve this objective?

Question202: A security analyst is designing the appropriate controls to limit unauthorized access to a physical site. The analyst has a directive to utilize the lowest possible budget. Which of the following would BEST meet the requirements?

Question203: A user s laptop constantly disconnects from the Wi-Fi network. Once the laptop reconnects, the user can reach the internet but cannot access shared folders or other network resources. Which of the following types of attacks is the user most likely experiencing?

Question204: A company is auditing the manner in which its European customers' personal information is handled.
Which of the following should the company consult?

Question205: A security administrator checks the table of a network switch, which shows the following output:

Which of the following is happening to this switch?

Question206: A workwide manufacturing company has been experiencing email account compromised. In one incident, a user logged in from the corporate office in France, but then seconds later, the same user account attempted a login from Brazil. Which of the following account policies would BEST prevent this type of attack?

Question207: While reviewing the wireless router, the systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below:

Which of the following should be the administrator's NEXT step to detect if there is a rogue system without impacting availability?

Question208: An organization is developing a plan in the event of a complete loss of critical systems and data.
Which of the following plans is the organization MOST likely developing?

Question209: A security analyst notices several attacks are being blocked by the NIPS but does not see anything on the boundary firewall logs. The attack seems to have been thwarted. Which of the following resiliency techniques was applied to the network to prevent this attack?

Question210: An annual information security assessment has revealed that several OS-level configurations are not in compliance due to outdated hardening standards the company is using. Which of the following would be BEST to use to update and reconfigure the OS-level security configurations?

Question211: A systems administrator reports degraded performance on a virtual server. The administrator increases the virtual memory allocation which improves conditions, but performance degrades again after a few days. The administrator runs an analysis tool and sees the following output:
==3214== timeAttend.exe analyzed
==3214== ERROR SUMMARY:
==3214== malloc/free: in use at exit: 4608 bytes in 18 blocks.
==3214== checked 82116 bytes
==3214== definitely lost: 4608 bytes in 18 blocks.
The administrator terminates the timeAttend.exe observes system performance over the next few days, and notices that the system performance does not degrade.
Which of the following issues is MOST likely occurring?

Question212: A threat actor was able to use a username and password to log in to a stolen company mobile device. Which of the following provides the best solution to increase mobile data security on all employees' company mobile devices?

Question213: An IT security manager requests a report on company information that is publicly available. The managers concern is that malicious actors will be able to access the data without in active reconnaissance. Which of the following is the most efficient approach to perform the analysis?

Question214: A user must introduce a password and a USB key to authenticate against a secure computer, and authentication is limited to the state in which the company resides. Which of the following authentication concepts are in use?

Question215: A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output was found on the naming server of the organization:

Which of the following attacks has taken place?

Question216: Which of the following can be used to detect a hacker who is stealing company data over port
80?

Question217: A security analyst has been tasked with ensuring all programs that are deployed into the enterprise have been assessed in a runtime environment. Any critical issues found in the program must be sent back to the developer for verification and remediation. Which of the following BEST describes the type of assessment taking place?

Question218: A system that requires an operation availability of 99.99% and has an annual maintenance window available to patching and fixes will require the HIGHEST:

Question219: A company recently experienced a data breach and the source was determined to be an executive who was charging a phone in a public area. Which of the following would MOST likely have prevented this breach?

Question220: The security team received a report of copyright infringement from the IP space of the corporate network. The report provided a precise time stamp for the incident as well as the name of the copyrighted file. The analyst has been tasked with determining the infringing source machine and instructed to implement measures to prevent such incidents from occurring again.
Which of the following is MOST capable of accomplishing both tasks?

Question221: A security analyst discovers several .jpg photos from a cellular phone during a forensics investigation involving a compromised system. The analyst runs a forensics tool to gather file metadata. Which of the following would be part of the images if all the metadata is still intact?

Question222: A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows:
- Must be able to differentiate between users connected to WiFi
- The encryption keys need to change routinely without interrupting the users or forcing reauthentication
- Must be able to integrate with RADIUS
- Must not have any open SSIDs
Which of the following options BEST accommodates these requirements?

Question223: Various stakeholders are meeting to discuss their hypothetical roles and responsibilities in a specific situation, such as a security incident or major disaster. Which of the following best describes this meeting?

Question224: An organization discovers that unauthorized applications have been installed on company- provided mobile phones. The organization issues these devices, but some users have managed to bypass the security controls. Which of the following is the MOST likely issue, and how can the organization BEST prevent this from happening?

Question225: To reduce and overhead, an organization wants to move from an on-premises email solution to a cloud-based email solution. At this time, no other services will be moving. Which of the following cloud models would BEST meet the needs of the organization?

Question226: After returning from a conference, a user's laptop has been operating slower than normal and overheating, and the fans have been running constantly. During the diagnosis process, an unknown piece of hardware is found connected to the laptop's motherboard.
Which of the following attack vectors was exploited to install the hardware?

Question227: Which of the following is the most important security concern when using legacy systems to provide production service?

Question228: A government organization is developing an advanced Al defense system. Developers are using information collected from third-party providers. Analysts are noticing inconsistencies in the expected progress of the Al learning and attribute the outcome to a recent attack on one of the suppliers. Which of the following is the most likely reason for the inaccuracy of the system?

Question229: A company recently implemented a patch management policy; however, vulnerability scanners have still been flagging several hosts, even after the completion of the patch process. Which of the following is the MOST likely cause of the issue?

Question230: Which of the following measures the average time that equipment will operate before it breaks?

Question231: Which of the following is a common source of unintentional corporate credential leakage in cloud environments?

Question232: A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms?

Question233: Which of the following agreements defines response time, escalation points, and performance metrics?

Question234: A backdoor was detected on the containerized application environment. The investigation detected that a zero-day vulnerability was introduced when the latest container image version was downloaded from a public registry. Which of the following is the BEST solution to prevent this type of incident from occurring again?

Question235: Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable media restriction policy?

Question236: Which of the following can be used to calculate the total loss expected per year due to a threat targeting an asset?

Question237: An attacker browses a company's online job board attempting to find any relevant information regarding the technologies the company uses. Which of the following BEST describes this social engineering technique?

Question238: A user recent an SMS on a mobile phone that asked for bank delays.
Which of the following social-engineering techniques was used in this case?

Question239: An organization has implemented a two-step verification process to protect user access to data that 6 stored in the could. Each employee now uses an email address of mobile number a code to access the data.
Which of the following authentication methods did the organization implement?

Question240: During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which of the following BEST explains this reasoning?

Question241: A website visitor is required to provide properly formatted information in a specific field on a website form. Which of the following security measures is most likely used for this mandate?

Question242: A security architect is implementing a new email architecture for a company. Due to security concerns, the Chief Information Security Officer would like the new architecture to support email encryption, as well as provide for digital signatures. Which of the following should the architect implement?

Question243: An organization wants to quickly assess how effectively the IT team hardened new laptops.
Which of the following would be the best solution to perform this assessment?

Question244: An organization maintains several environments in which patches are developed and tested before deployed to an operation status. Which of the following is the environment in which patches will be deployed just prior to being put into an operational status?

Question245: A company wants to modify its current backup strategy to minimize the number of backups that would need to be restored in case of data loss. Which of the following would be the BEST backup strategy to implement?

Question246: A user wanted to catch up on some work over the weekend but had issues logging in to the corporate network using a VPN. On Monday, the user opened a ticket for this issue but was able to log in successfully. Which of the following BEST describes the policy that is being implemented?

Question247: A database administrator wants to grant access to an application that will be reading and writing data to a database. The database is shared by other applications also used by the finance department.
Which of the following account types Is MOST appropriate for this purpose?

Question248: Which of the following is a reason why an organization would define an AUP?

Question249: A systems administrator wants to implement a backup solution. The solution needs to allow recovery of the entire system, including the operating system, in case of a disaster. Which of the following backup types should the administrator consider?

Question250: A security administrator has received multiple calls from the help desk about customers who are unable to access the organization's web server. Upon reviewing the log files. the security administrator determines multiple open requests have been made from multiple IP addresses, which is consuming system resources. Which of the following attack types does this BEST describe?

Question251: A company recently decided to allow its employees to use their personally owned devices for tasks like checking email and messaging via mobile applications. The company would like to use MDM, but employees are concerned about the loss of personal data. Which of the following should the IT department implement to BEST protect the company against company data loss while still addressing the employees' concerns?

Question252: n organization plans to transition the intrusion detection and prevention techniques on a critical subnet to an anomaly-based system. Which of the following does the organization need to determine for this to be successful?

Question253: Which of the following would BEST provide a systems administrator with the ability to more efficiently identify systems and manage permissions and policies based on location, role, and service level?

Question254: Several users have opened tickets with the help desk. The help desk has reassigned the tickets to a security analyst for further review.
The security analyst reviews the following metrics:

Which of the following is MOST likely the result of the security analyst's review?

Question255: An internet company has created a new collaboration application. To expand the user base, the company wants to implement an option that allows users to log in to the application with the credentials of other popular websites. Which of the following should the company implement?

Question256: An organization is concerned about intellectual property theft by employee who leave the organization. Which of the following will be organization MOST likely implement?

Question257: A desktop support technician recently installed a new document-scanning software program on a computer However, when the end user tried to launch the program, it did not respond.
Which of the following is MOST likely the cause?

Question258: An organization wants to implement a biometric system with the highest likelihood that an unauthorized user will be denied access.
Which of the following should the organization use to compare biometric solutions?

Question259: A user downloaded an extension for a browser, and the uses device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data The following was observed running:

Which of the following is the malware using to execute the attack?

Question260: A security engineer needs to create a network segment that can be used for servers that require connections from untrusted networks. When of the following should the engineer implement?

Question261: A security administrator is reviewing reports about suspicious network activity occurring on a subnet. Users on the network report that connectivity to various websites is intermittent. The administrator logs in to a workstation and reviews the following command output:

Which of the following best describes what is occurring on the network?

Question262: A financial analyst is expecting an email containing sensitive information from a client. When the email arrives the analyst receives an error and is unable to open the encrypted message. Which of the following is the most likely cause of the issue?

Question263: A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which of the following technologies meets the requirement?

Question264: A user reset the password for a laptop but has been unable to log in to it since then. In addition, several unauthorized emails were sent on the user's behalf recently. The security team investigates the issue and identifies the following findings:
- Firewall logs show excessive traffic from the laptop to an external
site.
- Unknown processes were running on the laptop.
- RDP connections that appeared to be authorized were made to other
network devices from the laptop.
- High bandwidth utilization alerts from that user's username.
Which of the following is most likely installed on the laptop?

Question265: A company just implemented a new telework policy that allows employees to use personal devices for official email and file sharing while working from home. Some of the requirements are:
- Employees must provide an alternate work location (i.e., a home address)
- Employees must install software on the device that will prevent the loss of proprietary data but will not restrict any other software from being installed.
Which of the following BEST describes the MDM options the company is using?

Question266: A Chief Information Security Officer (CISO) wants to implement a new solution that can protect against certain categories of websites whether the employee is in the office or away. Which of the following solutions should the CISO implement?

Question267: Which of the following policies establishes rules to measure third-party work tasks and ensure deliverables are provided within a specific time line?

Question268: Since a recent upgrade to a WLAN infrastructure, several mobile users have been unable to access the internet from the lobby. The networking team performs a heat map survey of the building and finds several WAPs in the area. The WAPs are using similar frequencies with high power settings. Which of the following installation considerations should the security team evaluate next?

Question269: A security analyst discovers that one of the web APIs is being abused by an unknown third party.
Logs indicate that the third party is attempting to manipulate the parameters being passed to the API endpoint. Which of the following solutions would best help to protect against the attack?

Question270: A security analyst is investigating a malware incident at a company. The malware is accessing a command-and-control website at www.comptia.com. All outbound Internet traffic is logged to a syslog server and stored in /logfiles/messages. Which of the following commands would be best for the analyst to use on the syslog server to search for recent traffic to the command-and-control website?

Question271: An organization's RPO for a critical system is two hours. The system is used Monday through Friday, from 9:00 am to 5:00 pm. Currently, the organization performs a full backup every Saturday that takes four hours to complete. Which of the following additional backup implementations would be the BEST way for the analyst to meet the business requirements?

Question272: A security administrator examines the ARP table of an access switch and sees the following output:

Question273: A security analyst has received an alert about PII being sent via email. The analyst's Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care.
From which of the following did the alert MOST likely originate?

Question274: On the way into a secure building, an unknown individual strikes up a conversation with an employee. The employee scans the required badge at the door while the unknown individual holds the door open, seemingly out of courtesy, for the employee. Which of the following social engineering techniques is being utilized?

Question275: A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator finds the following output:
Time: 12/25 0300
From Zone: Untrust
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
When examining the PCAP associated with the event, the security administrator finds the following information:
<script> alert ("Click here for important information regarding your
account! http://externalip.com/account.php"); </script>
Which of the following actions should the security administrator take?

Question276: Joe, an employee, receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and date of birth be provided to confirm Joe's identity before sending him the prize. Which of the following BEST describes this type of email?

Question277: Which of the following prevents an employee from seeing a colleague who is visiting an inappropriate website?

Question278: While troubleshooting a firewall configuration, a technician determines that a "deny any" policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable. Which of the following actions would prevent this issue?

Question279: A systems analyst determines the source of a high number of connections to a web server that were initiated by ten different IP addresses that belong to a network block in a specific country.
Which of the following techniques will the systems analyst MOST likely implement to address this issue?

Question280: A security analyst needs to determine how an attacker was able to use User3 to gain a foothold within a company's network. The company's lockout policy requires that an account be locked out for a minimum of 15 minutes after three unsuccessful attempts.
While reviewing the log files, the analyst discovers the following:

Which of the following attacks MOST likely occurred?

Question281: A security analyst is reviewing the vulnerability scan report for a web server following an incident.
The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST likely cause?

Question282: Following a recent security breach, an analyst discovered that user permissions were added when joining another part of the organization but were not removed from existing groups. Which of the following policies would help to correct these issues in the future?

Question283: A company Is planning to install a guest wireless network so visitors will be able to access the Internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would BEST protect the company's Internal wireless network against visitors accessing company resources?

Question284: A security administrator needs to inspect in-transit files on the enterprise network to search for Pll, credit card data, and classification words. Which of the following would be the BEST to use?

Question285: A company is launching a website in a different country in order to capture user information that a marketing business can use. The company itself will not be using the information. Which of the following roles is the company assuming?

Question286: A SOC operator is analyzing a log file that contains the following entries:

Question287: A network administrator has been asked to design a solution to improve a company's security posture The administrator is given the following, requirements?
- The solution must be inline in the network
- The solution must be able to block known malicious traffic
- The solution must be able to stop network-based attacks
Which of the following should the network administrator implement to BEST meet these requirements?

Question288: Which of the following BEST describes a technique that compensates researchers for finding vulnerabilities?

Question289: A company's public-facing website, https://www.organization.com, has an IP address of
166.18.75.6. However, over the past hour the SOC has received reports of the site's homepage displaying incorrect information. A quick nslookup search shows https://www.organization.com is pointing to 151.191.122.115. Which of the following is occurring?

Question290: A large industrial system's smart generator monitors the system status and sends alerts to third- party maintenance personnel when critical failures occur. While reviewing the network logs the company's security manager notices the generator's IP is sending packets to an internal file server's IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities?

Question291: An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has been given all the developer's documentation about the internal architecture. Which of the following BEST represents the type of testing that will occur?

Question292: A systems engineer is building a new system for production. Which of the following is the FINAL step to be performed prior to promoting to production?

Question293: A security analyst is performing a forensic investigation compromised account credentials.
Using the Event Viewer, the analyst able to detect the following message:
"Special privileges assigned to new login."
Several of these messages did not have a valid logon associated with the user before these privileges were assigned.
Which of the following attacks is MOST likely being detected?

Question294: A security team suspects that the cause of recent power consumption overloads is the unauthorized use of empty power outlets in the network rack.
Which of the following options will mitigate this issue without compromising the number of outlets available?

Question295: A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use?

Question296: A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications.
Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?

Question297: Which of the following should a technician use to protect a cellular phone that is needed for an investigation, to ensure the data will not be removed remotely?

Question298: Which of the following tools can assist with detecting an employee who has accidentally emailed a file containing a customer's PII?

Question299: Which of the following types of disaster recovery plan exercises requires the least interruption to IT operations?

Question300: An employee who is using a mobile device for work, is required to use a fingerprint to unlock the device. Which of the following is this an example of?

Question301: Which of the following would a security analyst use to determine if other companies in the same sector have seen similar malicious activity against their systems?

Question302: Which of the following is the final step of the incident response process?

Question303: The local administrator account for a company's VPN appliance was unexpectedly used to log in to the remote management interface. Which of the following would have prevented this from happening?

Question304: A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?

Question305: An analyst needs to set up a method for securely transferring files between systems. One of the requirements is to authenticate the IP header and the payload. Which of the following services would BEST meet the criteria?

Question306: As part of a company's ongoing SOC maturation process, the company wants to implement a method to share cyberthreat intelligence data with outside security partners. Which of the following will the company MOST likely implement?

Question307: Which of the following refers to applications and systems that are used within an organization without consent or approval?

Question308: Which two features are available only in next-generation firewalls? (Choose two)

Question309: A security analyst is using a recently released security advisory to review historical logs, looking for the specific activity that was outlined in the advisory. Which of the following is the analyst doing?

Question310: An information security incident recently occurred at an organization, and the organization was required to report the incident to authorities and notify the affected parties. When the organization's customers became of aware of the incident, some reduced their orders or stopped placing orders entirely. Which of the following is the organization experiencing?

Question311: A new company wants to avoid channel interference when building a WLAN. The company needs to know the radio frequency behavior, identify dead zones, and determine the best place for access points. Which of the following should be done FIRST?

Question312: Which of the following BEST describes the team that acts as a referee during a penetration- testing exercise?

Question313: A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring?

Question314: The following are the logs of a successful attack.

Which of the following controls would be BEST to use to prevent such a breach in the future?

Question315: An engineer recently deployed a group of 100 web servers in a cloud environment.
Per the security policy, all web-server ports except 443 should be disabled.
Which of the following can be used to accomplish this task?

Question316: Which of the following would be indicative of a hidden audio file found inside of a piece of source code?

Question317: A company is launching a new internet platform for its clients. The company does not want to implement its own authorization solution but instead wants to rely on the authorization provided by another platform.
Which of the following is the BEST approach to implement the desired solution?

Question318: A privileged user at a company stole several proprietary documents from a server. The user also went into the log files and deleted all records of the incident. The systems administrator has Just informed investigators that other log files are available for review.
Which of the following did the administrator MOST likely configure that will assist the investigators?

Question319: A company is experiencing an increasing number of systems that are locking up on Windows startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat.
@echo off
:asdhbawdhbasdhbawdhb
start notepad.exe
start notepad.exe
start calculator.exe
start calculator.exe
goto asdhbawdhbasdhbawdhb
Given the file contents and the system's issues, which of the following types of malware is present?

Question320: An information security manager for an organization is completing a PCI DSS self-assessment for the first time. Which of the is following MOST likely reason for this type of assessment?

Question321: Which of the following terms should be included in a contract to help a company monitor the ongoing security maturity of a new vendor?

Question322: Which of the following is a valid multifactor authentication combination?

Question323: A security professional wants to enhance the protection of a critical environment that is used to store and manage a company's encryption keys. The selected technology should be tamper resistant. Which of the following should the security professional implement to achieve the goal?

Question324: A new plug-and-play storage device was installed on a PC in the corporate environment.
Which of the following safeguards will BEST help to protect the PC from malicious files on the storage device?

Question325: Several employees have noticed other bystanders can clearly observe a terminal where passcodes are being entered.
Which of the following can be eliminated with the use of a privacy screen?

Question326: Security analysts notice a server login from a user who has been on vacation for two weeks. The analysts confirm that the user did not log in to the system while on vacation. After reviewing packet capture logs, the analysts notice the following:

Which of the following occurred?

Question327: A security team created a document that details the order in which critical systems should be brought back online after a major outage. Which of the following documents did the team create?

Question328: A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?

Question329: A company has had several malware incidents that have been traced back to users accessing personal SaaS applications on the internet from the company network. The company has a policy that states users can only access business-related cloud applications from within the company network. Which of the following technical solutions should be used to enforce the policy?

Question330: Which of the following techniques eliminates the use of rainbow tables for password cracking?

Question331: A systems administrator is troubleshooting a server's connection to an internal web server. The administrator needs to determine the correct ports to use. Which of the following tools BEST shows which ports on the web server are in a listening state?

Question332: A company just developed a new web application for a government agency. The application must be assessed and authorized prior to being deployed. Which of the following is required to assess the vulnerabilities resident in the application?

Question333: A company wants to implement MFA. Which of the following enables the additional factor while using a smart card?

Question334: Which of the following would be BEST for a technician to review to determine the total risk an organization can bear when assessing a "cloud-first" adoption strategy?

Question335: The marketing department at a retail company wants to publish an internal website to the internet so it is reachable by a limited number of specific, external service providers in a secure manner.
Which of the following configurations would be BEST to fulfil this requirement?

Question336: A security administrator needs to publish multiple application URLs that will run on different internal web servers but use only one external IP address. Which of the following is the best way for the administrator to achieve this goal?

Question337: A security administrator is analyzing the corporate wireless network. The network only has two access points running on channels 1 and 11. While using airodump-ng, the administrator notices other access points are running with the same corporate ESSID on all available channels and with the same BSSID of one of the legitimate access points. Which of the following attacks is happening on the corporate network?

Question338: When implementing automation with loT devices, which of the following should be considered FIRST to keep the network secure?

Question339: A security analyst needs to propose a remediation plan for each item in a risk register. The item with the highest priority requires employees to have separate logins for SaaS solutions and different password complexity requirements for each solution. Which of the following implementation plans will most likely resolve this security issue?

Question340: An organization has a growing workforce that is mostly driven by additions to the sales department. Each newly hired salesperson relies on a mobile device to conduct business. The Chief Information Officer (CIO) is wondering it the organization may need to scale down just as quickly as it scaled up. The ClO is also concerned about the organization's security and customer privacy. Which of the following would be BEST to address the ClO's concerns?

Question341: Which of the following BEST describes when an organization utilizes a ready-to-use application from a cloud provider?

Question342: A security analyst is reviewing the following logs:

Which of the following attacks is most likely occurring?

Question343: An organization is having difficulty correlating events from its individual AV. EDR. DLP. SWG.
WAF. MOM. HIPS, and CASB systems. Which of the following is the BEST way to improve the situation?

Question344: A network administrator deployed a DNS logging tool that logs suspicious websites that are visited and then sends a daily report based on various weighted metrics. Which of the following best describes the type of control the administrator put in place?

Question345: A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective?

Question346: A recent vulnerability scan revealed multiple servers have non-standard ports open for applications that are no longer in use. The security team is working to ensure all devices are patched and hardened. Which of the following would the security team perform to ensure the task is completed with minimal impact to production?

Question347: A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement?

Question348: A company discovered that terabytes of data have been exfiltrated over the past year after an employee clicked on an email link. The threat continued to evolve and remain undetected until a security analyst noticed an abnormal amount of external connections when the employee was not working. Which of the following is the MOST likely threat actor?

Question349: A network engineer created two subnets that will be used for production and development servers. Per security policy, production and development servers must each have a dedicated network that cannot communicate with one another directly.
Which of the following should be deployed so that server administrators can access these devices?

Question350: An organization suffered an outage and a critical system took 90 minutes to come back online.
Though there was no data loss during the outage, the expectation was that the critical system would be available again within 60 minutes.
Which of the following is the 60- minute expectation an example of:

Question351: Which of the following provides guidelines for the management and reduction of information security risk?

Question352: An external vendor recently visited a company's headquarters for a presentation. Following the visit, a member of the hosting team found a file that the external vendor left behind on a server.
The file contained detailed architecture information and code snippets. Which of the following data types best describes this file?

Question353: An analyst is working on an email security incident in which the target opened an attachment containing a worm. The analyst wants to implement mitigation techniques to prevent further spread. Which of the following is the best course of action for the analyst to take?

Question354: Which of the following control types fixes a previously identified issue and mitigates a risk?

Question355: An organization's Chief Security Officer (CSO) wants to validate the business's involvement in the incident response plan to ensure its validity and thoroughness. Which of the following will the CSO MOST likely use?

Question356: An employee has been charged with fraud and is suspected of using corporate assets. As authorities collect evidence, and to preserve the admissibility of the evidence, which of the following forensic techniques should be used?

Question357: Which of the following types of attacks is specific to the individual it targets?

Question358: A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP connections. The analyst is unsure what is required to perform the task and solicits help from a senior colleague.
Which of the following is the FIRST step the senior colleague will most likely tell the analyst to perform to accomplish this task?

Question359: A security analyst is reviewing the following system command history on a computer that was recently utilized in a larger attack on the corporate infrastructure:

Which of the following best describes what the analyst has discovered?

Question360: Two hospitals merged into a single organization. The privacy officer requested a review of all records to ensure encryption was used during record storage, in compliance with regulations.
During the review, the officer discovered thai medical diagnosis codes and patient names were left unsecured. Which of the following types of data does this combination BEST represent?

Question361: A security analyst wants to fingerprint a web server. Which of the following tools will the security analyst MOST likely use to accomplish this task?

Question362: A security analyst finds a rogue device during a monthly audit of current endpoint assets that are connected to the network. The corporate network utilizes 802.1 X for access control. To be allowed on the network, a device must have a known hardware address, and a valid username and password must be entered in a captive portal. The following is the audit report:

Which of the following is the most likely way a rogue device was allowed to connect?

Question363: An organization's corporate offices were destroyed due to a natural disaster, so the organization is now setting up offices in a temporary work space. Which of the following will the organization MOST likely consult?

Question364: Given the following logs:

Which of the following BEST describes the type of attack that is occurring?

Question365: A malicious actor recently penetration a company's network and moved laterally to the datacenter. Upon investigation, a forensics firm wants to know was in the memory on the compromised server. Which of the following files should be given to the forensics firm?

Question366: Which of the following can be used to identify potential attacker activities without affecting production servers?

Question367: A security analyst is reviewing SIEM logs during an ongoing attack and notices the following:

Which of the following best describes the type of attack?

Question368: Which of the following security controls can be used to prevent multiple people from using a unique card swipe and being admitted to a secure entrance?

Question369: Which of the following scenarios BEST describes a risk reduction technique?

Question370: A data administrator is configuring authentication for a SaaS application and would like to reduce the number of credentials employees need to maintain. The company prefers to use domain credentials to access new SaaS applications. Which of the following methods would allow this functionality?

Question371: Which of the following roles would MOST likely have direct access to the senior management team?

Question372: A user downloaded an extension for a browser and the user's device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data. The following was observed running:
New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter C| Format-Volume - DriveLetter C - FileSystemLabel "New"-FileSystem NTFS - Full -Force -Confirm:$false | Which of the following is the malware using to execute the attack?

Question373: An organization has activated an incident response plan due to a malware outbreak on its network. The organization has brought in a forensics team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be BEST to prevent reinfection from the infection vector?

Question374: The Chief Information Security Officer of an organization needs to ensure recovery from ransomware would likely occur within the organization's agreed-upon RPOs and RTOs. Which of the following backup scenarios would best ensure recovery?

Question375: A newly identified network access vulnerability has been found in the OS of legacy IoT devices.
Which of the following would best mitigate this vulnerability quickly?

Question376: A small business uses kiosks on the sales floor to display product information for customers. A security team discovers the kiosks use end-of-life operating systems. Which of the following is the security team most likely to document as a security implication of the current architecture?

Question377: A company's security team received notice of a critical vulnerability affecting a high-profile device within the web infrastructure. The vendor patch was just made available online but has not yet been regression tested in development environments. In the interim, firewall rules were implemented to reduce the access to the interface affected by the vulnerability. Which of the following controls does this scenario describe?

Question378: An audit report indicates multiple suspicious attempts to access company resources were made.
These attempts were not detected by the company. Which of the following would be the best solution to implement on the company's network?

Question379: An organization relies on third-party videoconferencing to conduct daily business. Recent security changes now require all remote workers to utilize a VPN to corporate resources. Which of the following would best maintain high-quality videoconferencing while minimizing latency when connected to the VPN?

Question380: A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization's executives determine the next course of action?

Question381: Server administrators want to configure a cloud solution so that computing memory and processor usage is maximized most efficiently across a number or virtual servers.
They also need to avoid potential denial-of-service situations caused by availability.
Which of the following should administrators configure to maximize system availability while efficiently utilizing available computing power?

Question382: Hotspot Question
The security administration has installed a new firewall which implements an implicit DENY policy by default.
INSTRUCTIONS
Click on the firewall and configure it to allow ONLY the following communication:
The Accounting workstation can ONLY access the web server on the public network over the

default HTTPS port. The accounting workstation should not access other networks.
The HR workstation should be restricted to communicate with the Financial server ONLY, over

the default SCP port.
The Admin workstation should ONLY be able to access the servers on the secure network over

the default TFTP port.
The firewall will process the rules in a top-down manner in order as a first match. The port number must be typed in and only one port number can be entered per rule. Type ANY for all ports.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question383: Remote workers in an organization use company-provided laptops with locally installed applications and locally stored data Users can store data on a remote server using an encrypted connection. The organization discovered data stored on a laptop had been made available to the public. Which of the following security solutions would mitigate the risk of future data disclosures?

Question384: A Chief Security Office's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives?

Question385: A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique?

Question386: A company has installed badge readers for building access but is finding unauthorized individuals roaming the hallways. Which of the following is the most likely cause?

Question387: Which biometric error would allow an unauthorized user to access a system?

Question388: A security analyst is configuring a large number of new company-issued laptops. The analyst received the following requirements:
- The devices will be used internationally by staff who travel
extensively.
- Occasional personal use is acceptable due to the travel requirements.
- Users must be able to install and configure sanctioned programs and
productivity suites.
- The devices must be encrypted
- The devices must be capable of operating in low-bandwidth
environments.
Which of the following would provide the GREATEST benefit to the security posture of the devices?

Question389: A security engineer is reviewing the logs from a SAML application that is configured to use MFA, during this review the engineer notices a high volume of successful logins that did not require MFA from users who were traveling internationally. The application, which can be accessed without a VPB, has a policy that allows time-based tokens to be generated. Users who changed locations should be required to reauthenticate but have been Which of the following statements BEST explains the issue?

Question390: The concept of connecting a user account across the systems of multiple enterprises is BEST known as:

Question391: A security analyst is assisting a team of developers with best practices for coding. The security analyst would like to defend against the use of SQL injection attacks. Which of the following should the security analyst recommend first?

Question392: A security analyst is reviewing logs on a server and observes the following output:

Which of the following is the security analyst observing?

Question393: A security analyst is reviewing web-application logs and finds the following log:
https://www.comptia.org/contact-us/%3Ffile%3D..%2F.A2F.A2Fescgs2Fpasswd Which of the following attacks is being observed?

Question394: A network architect wants a server to have the ability to retain network availability even if one of the network switches it is connected to goes down. Which of the following should the architect implement on the server to achieve this goal?

Question395: Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?

Question396: Which of the following terms describes a broad range of information that is sensitive to a specific organization?

Question397: A news article states hackers have been selling access to IoT camera feeds.
Which of the following is the Most likely reason for this issue?

Question398: A cryptomining company recently deployed a new antivirus application to all of its mining systems. The installation of the antivirus application was tested on many personal devices, and no issues were observed. Once the antivirus application was rolled out to the servers, constant issues were reported. As a result, the company decided to remove the mining software. The antivirus application was MOST likely classifying the software as:

Question399: A security analyst discovers that a company username and password database was posted on an internet forum. The username and passwords are stored in plan text.
Which of the following would mitigate the damage done by this type of data exfiltration in the future?

Question400: A company employee recently retired, and there was a schedule delay because no one was capable of filling the employee's position. Which of the following practices would BEST help to prevent this situation in the future?

Question401: After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices?

Question402: A new vulnerability enables a type of malware that allows the unauthorized movement of data from a system. Which of the following would detect this behavior?

Question403: A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the following SIEM log:

Which of the following describes the method that was used to compromise the laptop?

Question404: A hospital's administration is concerned about a potential loss of patient data that is stored on tablets. A security administrator needs to implement controls to alert the SOC any time the devices are near exits. Which of the following would BEST achieve this objective?

Question405: A retail company that is launching a new website to showcase the company's product line and other information for online shoppers registered the following URLs:
www.companysite.com

shop.companysite.com

about-us.companysite.com

contact-us.companysite.com

secure-logon.companysite.com

Which of the following should the company use to secure its website if the company is concerned with convenience and cost?

Question406: A company that provides an online streaming service made its customers' personal data, including names and email addresses, publicly available in a cloud storage service. As a result, the company experienced an increase in the number of requests to delete user accounts. Which of the following BEST describes the consequence of this data disclosure?

Question407: An enterprise needs to keep cryptographic keys in a safe manner. Which of the following network appliances can achieve this goal?

Question408: Which of the following security controls is used to isolate a section of the network and its externally available resources from the internal corporate network in order to reduce the number of possible attacks?

Question409: A user forwarded a suspicious email to the security team, Upon investigation, a malicious URL was discovered. Which of the following should be done FIRST to prevent other users from accessing the malicious URL?

Question410: Which of the following would be the BEST resource for a software developer who is looking to improve secure coding practices for web applications?

Question411: A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources. Which of the following risks would this training help to prevent?

Question412: Which of the following BEST describes the MFA attribute that requires a callback on a predefined landline?

Question413: Which of the following uses six initial steps that provide basic control over system security by including hardware and software inventory, vulnerability management, and continuous monitoring to minimize risk in all network environments?

Question414: Which of the following is the MOST relevant security check to be performed before embedding third-parry libraries in developed code?

Question415: A user reports that a bank's website no longer displays a padlock symbol. A security analyst views the user's screen and notices the connection is using HTTP instead of HTTPS. Which of the following attacks is most likely occurring?

Question416: A security incident has been resolved. Which of the following BEST described the importance of the final phase of the incident response plan?

Question417: A systems administrator is redesigning how devices will perform network authentication. The following requirements need to be met:
- An existing internal certificate must be used.
- Wired and wireless networks must be supported.
- Any unapproved device should be isolated in a quarantine subnet.
- Approved devices should be updated before accessing resources.
Which of the following would best meet the requirements?

Question418: A nuclear plant was the victim of a recent attack, and all the networks were air gapped. A subsequent investigation revealed a worm as the source of the issue. Which of the following BEST explains what happened?

Question419: In which of the following situations would it be BEST to use a detective control type for mitigation?

Question420: A security analyst needs an overview of vulnerabilities for a host on the network.
Which of the following is the BEST type of scan for the analyst to run to discover which vulnerable services are running?

Question421: Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack?

Question422: A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis.
Which of the following tools will the other team member MOST likely use to open this file?

Question423: An employee recently resigned from a company. The employee was responsible for managing and supporting weekly batch jobs over the past five years. A few weeks after the employee resigned, one of the batch jobs failed and caused a major disruption. Which of the following would work best to prevent this type of incident from reoccurring?

Question424: Which of the following describes the exploitation of an interactive process to gain access to restricted areas?

Question425: Which of the following best describes a legal hold?

Question426: An organization is tuning SIEM rules based off of threat intelligence reports. Which of the following phases of the incident response process does this scenario represent?

Question427: An amusement park is implementing a biometric system that validates customers' fingerprints to ensure they are not sharing tickets. The park's owner values customers above all and would prefer customers' convenience over security. For this reason, which of the following features should the security team prioritize FIRST?

Question428: Several universities are participating in a collaborative research project and need to share compute and storage resources. Which of the following cloud deployment strategies would BEST meet this need?

Question429: A SOC is currently being outsourced. Which of the following is being used?

Question430: A company posts a sign indicating its server room is under video surveillance. Which of the following control types is represented?

Question431: A business uses Wi-Fi with content filtering enabled. An employee noticed a coworker accessed a blocked site from a work computer and reported the issue. While investigating the issue, a security administrator found another device providing internet access to certain employees.
Which of the following best describes the security risk?

Question432: An organization has developed an application that needs a patch to fix a critical vulnerability.
In which of the following environments should the patch be deployed LAST?

Question433: Which of the follow ng disaster recovery sites is the most cost effective to operate?

Question434: Which of the following is the BEST use of a WAF?

Question435: A security modern may have occurred on the desktop PC of an organization's Chief Executive Officer (CEO) A duplicate copy of the CEO's hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?

Question436: A user attempts to load a web-based application, but the expected login screen does not appear.
A help desk analyst troubleshoots the issue by running the following command and reviewing the output on the user's PC:
user> nalookup software-solution.com
Server: rogue.comptia.com
Address: 172.16.1.250
Non-authoritative answer:
Name: software-solution.com Address: 10.20.10.10
The help desk analyst then runs the same command on the local PC:
helpdesk> nslookup software-solution.com
Server: dns.comptia.com Address: 172.16.1.1
Non-authoritative answer:
Name: software-solution.com Address: 172.16.1.10
Which of the following BEST describes the attack that is being detected?

Question437: A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output:

Which of the following is the router experiencing?

Question438: A penetration-testing firm is working with a local community bank to create a proposal that best fits the needs of the bank. The bank's information security manager would like the penetration test to resemble a real attack scenario, but it cannot afford the hours required by the penetration- testing firm. Which of the following would best address the bank's desired scenario and budget?

Question439: Users reported several suspicious activities within the last two weeks that resulted in several unauthorized transactions. Upon investigation, the security analyst found the following:
- Multiple reports of breached credentials within that time period
- Traffic being redirected in certain parts of the network
- Fraudulent emails being sent by various internal users without their
consent
Which of the following types of attacks was MOST likely used?

Question440: A company is working on mobile device security after a report revealed that users granted non- verified software access to corporate data. Which of the following is the most enforced security control to mitigate this risk?

Question441: A security analyst is investigating what appears to be unauthorized access to a corporate web application. The security analyst reviews the web server logs and finds the flowing entries:

Which of the following password attacks is taking place?

Question442: A security analyst needs to find real-time data on the latest malware and IoCs. Which of the following would BEST describes the solution the analyst should pursue?

Question443: A security analyst is concerned about traffic initiated to the dark web form the corporate LAN.
Which of the following networks should the analyst monitor?

Question444: A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA?

Question445: A technician enables full disk encryption on a laptop that will be taken on a business trip. Which of the following does this process BEST protect?

Question446: The Chief Executive Officer announced a new partnership with a strategic vendor and asked the Chief Information Security Officer to federate user digital identities using SAML-based protocols.
Which of the following will this enable?

Question447: A transitive trust:

Question448: Which of the following is used to ensure that evidence is admissible in legal proceedings when it is collected and provided to the authorities?

Question449: Which of the following would be MOST effective to contain a rapidly attack that is affecting a large number of organizations?

Question450: The manager who is responsible for a data set has asked a security engineer to apply encryption to the data on a hard disk. The security engineer is an example of a:

Question451: A financial analyst is expecting an email containing sensitive information from a client. When the email arrives, the analyst receives an error and is unable to open the encrypted message. Which of the following is the MOST likely cause of the issue?

Question452: The most recent vulnerability scan flagged the domain controller with a critical vulnerability. The systems administrator researched the vulnerability and discovered the domain controller does not run the associated application with the vulnerability. Which of the following steps should the administrator take next?

Question453: An analyst is reviewing an incident in which a user clicked on a link in a phishing email. Which of the following log sources would the analyst utilize to determine whether the connection was successful?

Question454: A company would like to provide flexibility for employees on device preference. However, the company is concerned about supporting too many different types of hardware. Which of the following deployment models will provide the needed flexibility with the greatest amount of control and security over company data and infrastructure?

Question455: Which of the following describes the exploitation of an interactive process to gain access to restricted areas?

Question456: An attacker is attempting to harvest user credentials on a client's website. A security analyst notices multiple attempts of random usernames and passwords. When the analyst types in a random username and password, the logon screen displays the following message:
The username you entered does not exist.
Which of the following should the analyst recommend be enabled?

Question457: A global company is experiencing unauthorized logging due to credential theft and account lockouts caused by brute-force attacks. The company is considering implementing a third-party identity provider to help mitigate these attacks. Which of the following would be the BEST control for the company to require from prospective vendors'?

Question458: A company recently transitioned to a strictly BYOD culture due to the cost of replacing lost or damaged corporate-owned mobile devices. Which of the following technologies would be BEST to balance the BYOD culture while also protecting the company's data?

Question459: A security administrator needs to inspect in-transit files on the enterprise network to search for PII, credit card data, and classification words. Which of the following would be the BEST to use?

Question460: Which of the following should a data owner require all personnel to sign to legally protect intellectual property?

Question461: During an engagement, penetration testers left USB keys that contained specially crafted malware in the company's parking lot. A couple days later, the malware contacted the command- and-control server, giving the penetration testers unauthorized access to the company endpoints.
Which of the following will most likely be a recommendation in the engagement report?

Question462: An attacker has successfully exfiltrated several non-salted password hashes from an online system.
Given the logs below:

Which of the following BEST describes the type of password attack the attacker is performing?

Question463: A vulnerability scan returned the following results:
- 2 Critical
- 5 High
- 15 Medium
- 98 Low
Which of the following would the information security team most likely use to decide if all discovered vulnerabilities must be addressed and the order in which they should be addressed?

Question464: A security analyst is responding to an alert from the SIEM. The alert states that malware was discovered on a host and was not automatically deleted. Which of the following would be BEST for the analyst to perform?

Question465: A security manager for a retailer needs to reduce the scope of a project to comply with PCI DSS.
The PCI data is located in different offices than where credit cards are accepted. All the offices are connected via MPLS back to the primary datacenter. Which of the following should the security manager implement to achieve the objective?

Question466: A customer has reported that an organization's website displayed an image of a smiley (ace rather than the expected web page for a short time two days earlier.
A security analyst reviews log tries and sees the following around the lime of the incident:

Which of the following is MOST likely occurring?

Question467: During an incident response process involving a laptop, a host was identified as the entry point for malware. The management team would like to have the laptop restored and given back to the user. The cybersecurity analyst would like to continue investigating the intrusion on the host.
Which of the following would allow the analyst to continue the investigation and also return the laptop to the user as soon as possible?

Question468: A security administrator manages five on-site APs. Each AP uses different channels on a 5GHz network. The administrator notices that another access point with the same corporate SSID on an overlapping channel was created. Which of the following attacks most likely occurred?

Question469: The spread of misinformation surrounding the outbreak of a novel virus on election day led to eligible voters choosing not to take the risk of going the polls. This is an example of:

Question470: An IT manager is estimating the mobile device budget for the upcoming year.
Over the last five years, the number of devices that were replaced due to loss damage or theft steadily increased by 10%.
Which of the following would BEST describe the estimated number of devices to be replaced next year?

Question471: During a security incident investigation, an analyst consults the company's SIEM and sees an event concerning high traffic to a known, malicious command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue.
Which of the following can provide the information?

Question472: Which of the following best describes why a company would erase a newly purchased device and install its own image with an operating system and applications?

Question473: A security engineer needs to enhance MFA access to sensitive areas in a building. A key card and fingerprint scan are already in use.
Which of the following would add another factor of authentication?

Question474: A retail executive recently accepted a job with a major competitor. The following week, a security analyst reviews the security logs and identifies successful logon attempts to access the departed executive's accounts. Which of the following security practices would have addressed the issue?

Question475: Two companies are in the process of merging. The companies need to decide how to standardize their information security programs. Which of the following would best align the security programs?

Question476: Which of the following threat actors is MOST likely to be motivated by ideology?

Question477: A security analyst has identified malware spreading through the corporate network and has activated the CSIRT Which of the following should the analyst do NEXT?

Question478: A company was recently breached Part of the company's new cybersecurity strategy is to centralize the logs from all security devices.
Which of the following components forwards the logs to a central source?

Question479: The Chief information Security Officer has directed the security and networking team to retire the use of shared passwords on routers and switches.
Which of the following choices BEST meets the requirements?

Question480: A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions?

Question481: An organization is building backup server rooms in geographically diverse locations. The Chief Information Security Officer implemented a requirement on the project that states the new hardware cannot be susceptible to the same vulnerabilities in the existing server room. Which of the following should the systems engineer consider?

Question482: Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:
- All users share workstations throughout the day.
- Endpoint protection was disabled on several workstations throughout
the network.
- Travel times on logins from the affected users are impossible.
- Sensitive data is being uploaded to external sites.
- All user account passwords were forced to be reset and the issue
continued.
Which of the following attacks is being used to compromise the user accounts?

Question483: Which of the following describes a maintenance metric that measures the average time required to troubleshoot and restore failed equipment?

Question484: A security analyst discovers that a large number of employee credentials had been stolen and were being sold on the dark web. The analyst investigates and discovers that some hourly employee credentials were compromised, but salaried employee credentials were not affected.
Most employees clocked in and out while they were inside the building using one of the kiosks connected to the network. However, some clocked out and recorded their time after leaving to go home. Only those who clocked in and out while inside the building had credentials stolen. Each of the kiosks are on different floors, and there are multiple routers, since the business segments environments for certain business functions.
Hourly employees are required to use a website called acmetimekeeping.com to clock in and out.
This website is accessible from the internet. Which of the following is the most likely reason for this compromise?

Question485: A Chief Security Officer (CSO) is concerned about the volume and integrity of sensitive information that is exchanged between the organization and a third party through email. The CSO is particularly concerned about an unauthorized party who is intercepting information that is in transit between the two organizations. Which of the following would address the CSO's concerns?

Question486: A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies?

Question487: A software development manager wants to ensure the authenticity of the code created by the company. Which of the following options is the most appropriate?

Question488: Which of the following would be the BEST way to analyze diskless malware that has infected a VDI?

Question489: Which of the following describes the ability of code to target a hypervisor from inside a guest OS?

Question490: Which of the following would cause a Chief Information Security Officer (CISO) the MOST concern regarding newly installed Internet-accessible 4K surveillance cameras?

Question491: A user reports constant lag and performance issues with the wireless network when working at a local coffee shop.
A security analyst walks the user through an installation of Wireshark and get a five-minute pcap to analyze. The analyst observes the following output:

Which of the following attacks does the analyst MOST likely see in this packet capture?

Question492: A security analyst is investigating suspicious traffic on the web server located at IP address
10.10.1.1. A search of the WAF logs reveals the following output:

Which of the following is MOST likely occurring?

Question493: A company wants to get alerts when others are researching and doing reconnaissance on the company. One approach would be to host a part of the infrastructure online with known vulnerabilities that would appear to be company assets. Which of the following describes this approach?

Question494: In which of the following scenarios is tokenization the best privacy technique to use?

Question495: A security analyst is reviewing application logs to determine the source of a breach and locates the following log:

Which Of the following has been observed?

Question496: Hotspot Question
You are a security administrator investigating a potential infection on a network.
INSTRUCTIONS
Click on each host and firewall. Review all logs to determine which host originated the infection and then identify if each remaining host is clean or infected.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.






Question497: Phishing and spear-phishing attacks have been occurring more frequently against a company's staff. Which of the following would MOST likely help mitigate this issue?

Question498: An organization has expanded its operations by opening a remote office. The new office is fully furnished with office resources to support up to 50 employees working on any given day.
Which of the following VPN solutions would BEST support the new office?

Question499: Hackers recently attacked a company's network and obtained several unfavorable pictures from the Chief Executive Officer's workstation. The hackers are threatening to send the images to the press if a ransom is not paid. Which of the following is impacted the MOST?

Question500: A company wants to deploy systems alongside production systems in order to entice threat actors and to learn more about attackers. Which of the following BEST describe these systems?

Question501: A small company that does not have security staff wants to improve its security posture. Which of the following would BEST assist the company?

Question502: Under GDPR, which of the following is MOST responsible for the protection of privacy and website user rights?

Question503: Audit logs indicate an administrative account that belongs to a security engineer has been locked out multiple times during the day. The security engineer has been on vacation for a few days.
Which of the following attacks can the account lockout be attributed to?

Question504: A cyber threat intelligence analyst is gathering data about a specific adversary using OSINT techniques.
Which of the following should the analyst use?

Question505: A company recently decided to allow employees to work remotely. The company wants to protect its data without using a VPN. Which of the following technologies should the company implement?

Question506: The chief compliance officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST likely protecting against?

Question507: A security analyst has been reading about a newly discovered cyber attack from a known threat actor. Which of the following would BEST support the analyst's review of the tactics, techniques, and protocols the threat actor was observed using in previous campaigns?

Question508: A network administrator is concerned about users being exposed to malicious content when accessing company cloud applications. The administrator wants to be able to block access to sites based on the AUP. The users must also be protected because many of them work from home or at remote locations, providing on-site customer support.
Which of the following should the administrator employ to meet these criteria?

Question509: A security operations center wants to implement a solution that can execute files to test for malicious activity. The solution should provide a report of the files' activity against known threats.
Which of the following should the security operations center implement?

Question510: A security analyst is receiving several alerts per user and is trying to determine If various logins are malicious. The security analyst would like to create a baseline of normal operations and reduce noise. Which of the following actions should the security analyst perform?

Question511: A security analyst is reviewing the following output from a system:

Which of the following is MOST likely being observed?

Question512: Which of the following would provide guidelines on how to label new network devices as part of the initial configuration?

Question513: Which of the following best describes a threat actor who is attempting to use commands found on a public code repository?

Question514: Which of the following should customers who are involved with UI developer agreements be concerned with when considering the use of these products on highly sensitive projects?

Question515: A large financial services firm recently released information regarding a security bfeach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file download from a social media site and subsequently installed it without the user's knowledge.
Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information.
Which of the following methods did the attacker MOST likely use to gam access?

Question516: A security analyst is tasked with classifying data to be stored on company servers. Which of the following should be classified as proprietary?

Question517: A grocery store is expressing security and reliability concerns regarding the on-site backup strategy currently being performed by locally attached disks. The main concerns are the physical security of the backup media and the durability of the data stored on these devices.
Which of the following is a cost-effective approach to address these concerns?

Question518: An organization is concerned about hackers bypassing MFA through social engineering of phone carriers. Which of the following would most likely protect against such an attack?

Question519: Which of the following is an algorithm performed to verify that data has not been modified?

Question520: An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable?

Question521: An organization routes all of its traffic through a VPN Most users are remote and connect into a corporate datacenter that houses confidential information There is a firewall at the Internet border followed by a DIP appliance, the VPN server and the datacenter itself.
Which of the following is the WEAKEST design element?

Question522: A recent phishing campaign resulted in several compromised user accounts. The security incident response team has been tasked with reducing the manual labor of filtering through all the phishing emails as they arrive and blocking the sender's email address, along with other time consuming mitigation actions. Which of the following can be configured to streamline those tasks?

Question523: The board of doctors at a company contracted with an insurance firm to limit the organization's liability. Which of the following risk management practices does the BEST describe?

Question524: An attacker replaces a digitally signed document with another version that goes unnoticed. Upon reviewing the document's contents, the author notices some additional verbiage that was not originally in the document but cannot validate an integrity issue. Which of the following attacks was used?

Question525: After entering a username and password, an administrator must draw a gesture on a touch screen. Which of the following demonstrates what the administrator is providing?

Question526: During a forensic investigation, an analyst uses software to create a checksum of the affected subject's email file. Which of the following is the analyst practicing?

Question527: A company's end users are reporting that they are unable to reach external websites. After reviewing the performance data for the DNS severs, the analyst discovers that the CPU, disk, and memory usage are minimal, but the network interface is flooded with inbound traffic. Network logs show only a small number of DNS queries sent to this server. Which of the following best describes what the security analyst is seeing?

Question528: Adding a value to the end of a password to create a different password hash is called:

Question529: An engineer is setting up a VDI environment for a factory location, and the business wants to deploy a low-cost solution to enable users on the shop floor to log in to the VDI environment directly. Which of the following should the engineer select to meet these requirements?

Question530: Which of the following best describes a penetration test that resembles an actual external attack?

Question531: A security administrator currently spends a large amount of time on common security tasks, such aa report generation, phishing investigations, and user provisioning and deprovisioning This prevents the administrator from spending time on other security projects. The business does not have the budget to add more staff members. Which of the following should the administrator implement?

Question532: Physical access to the organization's servers in the data center requires entry and exit through multiple access points: a lobby, an access control vestibule, three doors leading to the server floor, a door to the server floor itself, and eventually to a caged area solely for the organization's hardware. Which of the following controls is described in this scenario?

Question533: A security manager runs Nessus scans of the network after every maintenance window. Which of the following is the security manger MOST likely trying to accomplish?

Question534: The chief information security officer (CISO) has requested that a third-party vendor provide supporting documents that show proper controls are in place to protect customer data which of the following would be BEST for the third-party vendor to provide the CISO?

Question535: A web application for a bank displays the following output when showing details about a customer's bank account:

Which of the following techniques is most likely implemented in this web application?

Question536: An organization wants to ensure it can track changes between software deployments. Which of the following concepts should the organization implement?

Question537: A security engineer is working to address the growing risks that shadow IT services are introducing to the organization. The organization has taken a cloud-first approach and does not have an on-premises IT infrastructure. Which of the following would best secure the organization?

Question538: During a recent incident an external attacker was able to exploit an SMB vulnerability over the internet.
Which of the following action items should a security analyst perform FIRST to prevent this from occurring again?

Question539: A security forensics analyst is examining a virtual server. The analyst wants to preserve the present state of the virtual server, including memory contents.
Which of the following backup types should be used?

Question540: A security analyst wants to fingerprint a web server. Which of the following tools will the security analyst MOST likely use to accomplish this task?

Question541: While investigating a recent security breach, an analyst finds that an attacker gained access by SQL injection through a company website. Which of the following should the analyst recommend to the website developers to prevent this from reoccurring?

Question542: A systems administrator is looking for a solution that will help prevent OAuth applications from being leveraged by hackers to trick users into authorizing the use of their corporate credentials.
Which of the following BEST describes this solution?

Question543: An organization would like to give remote workers the ability to use applications hosted inside the corporate network. Users will be allowed to use their personal computers or they will be provided organization assets. Either way no data or applications will be installed locally on any user systems. Which of the following mobile solutions would accomplish these goals?

Question544: A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file downloaded from a social media site and subsequently installed it without the user's knowledge.
Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information.
Which of the following methods did the attacker most likely use to gain access?

Question545: An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has only been given the documentation available to the customers of the applications. Which of the following BEST represents the type of testing that will occur?

Question546: A help desk technician receives a phone call from someone claiming to be a part of the organizations cybersecurity incident response team. The caller asks the technician to verify networks internal firewall IP address. Which of the following is the technicians BEST course of action?

Question547: Customers reported their antivirus software flagged one of the company's primary software products as suspicious. The company's Chief Information Security Officer has tasked the developer with determining a method to create a trust model between the software and the customer's antivirus software. Which of the following would be the BEST solution?

Question548: Which of the following is an example of transference of risk?

Question549: A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would BEST prevent email contents from being released should another breach occur?

Question550: Which of the following employee roles is responsible for protecting an organization's collected personal information?

Question551: Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a stronger preventative access control. Which of the following would BEST complete the engineer's assignment?

Question552: A Chief Information Officer receives an email stating a database will be encrypted within 24 hours unless a payment of $20,000 is credited to the account mentioned In the email. This BEST describes a scenario related to:

Question553: A cybersecurity analyst at Company A is working to establish a secure communication channel with a counterpart at Company B, which is 3,000 miles (4,828 kilometers) away. Which of the following concepts would help the analyst meet this goal in a secure manner?

Question554: While troubleshooting service disruption on a mission-critical server, a technician discovered the user account that was configured to run automated processes was disabled because the user s password failed to meet password complexity requirements. Which of the following would be the best solution to securely prevent future issues?

Question555: An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:
- Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
- Internal users in question were changing their passwords frequently during that time period.
- A jump box that several domain administrator users use to connect to remote devices was recently compromised.
- The authentication method used in the environment is NTLM.
Which of the following types of attacks is MOST likely being used to gain unauthorized access?

Question556: A user's login credentials were recently compromised During the investigation, the security analyst determined the user input credentials into a pop-up window when prompted to confirm the username and password. However the trusted website does not use a pop-up for entering user credentials. Which of the following attacks occurred?

Question557: An IT security team is concerned about the confidentiality of documents left unattended in MFPs.
Which of the following should the security team do to mitigate the situation?

Question558: An administrator identifies some locations on the third floor of the building that have a poor wireless signal Multiple users confirm the incident and report it is not an isolated event. Which of the following should the administrator use to find the areas with a poor or non-existent wireless signal?

Question559: Which of the following attacks MOST likely occurred on the user's internal network?
Name: Wikipedia.org
Address: 208.80.154.224

Question560: A company has been experiencing very brief power outages from its utility company over the last few months. These outages only last for one second each time. The utility company is aware of the issue and is working to replace a faulty transformer. Which of the following BEST describes what the company should purchase to ensure its critical servers and network devices stay online?

Question561: Drag and Drop Question
Leveraging the information supplied below, complete the CSR for the server to set up TLS (HTTPS).
- Hostnam : ws01
- Domain: comptia.org
- IPv4: 10.1.9.50
- IPV4: 10.2.10.50
- Root: home.aspx
- DNS CNAME:homesite.
INSTRUCTIONS
Drag the various data points to the correct locations within the CSR. Extension criteria belong in the left-hand column and values belong in the corresponding row in the right-hand column.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question562: A security analyst is using OSINT to gather information to verify whether company data is available publicly. Which of the following is the best application for the analyst to use?

Question563: A company uses wireless tor all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring?

Question564: During an investigation, events from two affected servers in the same subnetwork occurred at the same time:
Server 1: 192.168.10.1 [01/Apr/2021:06:00:00 PST] SAN access denied for user 'admin' Server 2: 192.168.10.6 [01/Apr/2021:06:01:01 CST] SAN access successful for user 'admin' Which of the following should be consistently configured to prevent the issue seen in the logs?

Question565: Which of the following allows for functional test data to be used in new systems for testing and training purposes to protect the read data?

Question566: An application developer accidentally uploaded a company's code-signing certificate private key to a public web server. The company is concerned about malicious use of its certificate.
Which of the following should the company do FIRST?

Question567: The president of a company that specializes in military contracts receives a request for an interview. During the interview, the reporter seems more interested in discussing the president's family life and personal history than the details of a recent company success. Which of the following security concerns is this MOST likely an example of?

Question568: As part of annual audit requirements, the security team performed a review of exceptions to the company policy that allows specific users the ability to use USB storage devices on their laptops.
The review yielded the following results:
- The exception process and policy have been correctly followed by the
majority of users.
- A small number of users did not create tickets for the requests but
were granted access.
- All access had been approved by supervisors.
- Valid requests for the access sporadically occurred across multiple
departments.
- Access, in most cases, had not been removed when it was no longer
needed.
Which of the following should the company do to ensure that appropriate access is not disrupted but unneeded access is removed in a reasonable time frame?

Question569: The compliance team requires an annual recertification of privileged and non-privileged user access. However, multiple users who left the company six months ago still have access. Which of the following would have prevented this compliance violation?

Question570: A security administrator is integrating several segments onto a single network. One of the segments, which includes legacy devices, presents a significant amount of risk to the network.
Which of the following would allow users to access to the legacy devices without compromising the security of the entire network?