284 terms

Comprehensive Bank!


1. A bank is planning to implement a third factor to protect customer ATM transactions. Which of the following could the bank implement?

a. SMS
b. Fingerprint
c. Chip and PIN
d. OTP
b. Fingerprint
2. A company discovers an unauthorized device accessing network resources through one of many network drops in a common area used by visitors. The company decides that it wants to quickly prevent unauthorized devices from accessing the network, but policy prevents the company from making changes on every connecting client. Which of the following should the company implement?

a. Port security
b. WPA2
c. Mandatory Access Control
d. Network Intrusion Prevention
a. Port security
3. A company has a proprietary device that requires access to the network be disabled. Only authorized users should have access to the device. To further protect the device from unauthorized access, which of the following would also need to be implemented?

a. Install NIPS within the company to protect all assets
b. Block ports 80 and 443 on the firewall
c. Install a cable lock to prevent theft of the device
d. Install software to encrypt access to the hard drive
d. Install software to encrypt access to the hard drive
4. A company has an email server dedicated to only outbound email; inbound email retrieval to this server must be blocked. Which of the following ports must be set to explicit deny?

a. 25
b. 53
c. 110
d. 123
e. 139
f. 143
c. 110
f. 143
5. A company has classified the following database records:

Object           Confidentiality   Integrity   Availability
First Name       LOW               MED         LOW
Last Name        LOW               MED         LOW
Address          MED               HIGH        LOW
Bank Acct Nr     HIGH              HIGH        MED
Credit Card Nr   HIGH              HIGH        MED

Which of the following is a management control the company can implement to increase the security of the above information with respect to confidentiality?

a. Implement a client-based software filter to prevent some employees from viewing confidential information
b. Use a privacy screen on all computers handling and displaying sensitive information
c. Encrypt the records that have a classification of HIGH in the confidentiality column
d. Disseminate the data classification table to all employees and provide training on data disclosure
d. Disseminate the data classification table to all employees and provide training on data disclosure
6. A company has hired an ex-employee to perform a penetration test of the company's proprietary application. Although the ex-employee used to be part of the development team, the application has gone through some changes since the employee left. Which of the following can the ex-employee perform if the company is not willing to release any information on the software to the ex-employee?

a. Black-box testing
b. Regression testing
c. White-box testing
d. Grey-box testing
d. Grey-box testing
7. A company has implemented full-disk encryption. Clients must authenticate with a username and password at a pre-boot level to unlock the disk, and again with a username and password at the network login. Which of the following are being used? (Select TWO)

a. Multifactor authentication
b. Single-factor authentication
c. Something a user is
d. Something a user has
e. Single sign-on
f. Something a user knows
b. Single-factor authentication
f. Something a user knows
8. A company hosts sites for multiple vendors and provides information to users globally. Which of the following is a critical security consideration in this environment?

a. Proxy servers to enforce a single access mechanism to the data warehouse
b. Firewalls to ensure that the data warehouse is not accessible to the internet
c. Access controls to prevent users from accessing the entire data warehouse
d. Query protocols should use non-standard ports to protect user result-sets
c. Access controls to prevent users from accessing the entire data warehouse
9. A company implemented a public-facing authentication system that uses PKI and extended attributes to allow third-party, web-based application integration. This is an example of which of the following? (Select THREE)

a. Federation
b. Two-factor authentication
c. Transitive trust
d. Trusted OS
e. Single sign-on
f. TOTP
g. MAC
a. Federation
b. Two-factor authentication
e. Single sign-on
10. A company is exploring the option of letting employees use their personal laptops on the internal network. Which of the following would be the MOST common security concern in this scenario?

a. Credential management
b. Support ownership
c. Device access control
d. Antivirus management
d. Antivirus management
11. A company is exploring the possibility to integrate some of its internal processes with an external cloud service provider. Which of the following should be implemented if the company wants to preserve its internal authentication and authorization process and credentials?

a. Single sign-on
b. Dual-factor authentication
c. Federation
d. TOTP
a. Single sign-on
12. A company is hosting both sensitive and public information at a cloud provider. Prior to the company going out of business, the administrator will decommission all virtual servers hosted in the cloud. When wiping the virtual hard drive, which of the following should be removed?

a. Hardware specifications
b. Encrypted files
c. Data remnants
d. Encrypted keys
c. Data remnants
13. A company is planning to encrypt the files in several sensitive directories of a file server with a symmetric key. Which of the following could be used?

a. RSA
b. TwoFish
c. Diffie-Hellman
d. NTLMv2
e. RIPEMD
b. TwoFish
14. A company is providing mobile devices to all employees. The system administrator has been tasked with providing input for the company's mobile device policy. Which of the following are valid security concepts that the system administrator should include when offering feedback to management? (Select TWO)

a. Transitive trust
b. Asset tracking
c. Remote wiping
d. HSM
e. Key management
b. Asset tracking
c. Remote wiping
15. A company just purchased a new digital thermostat that will automatically update to a new firmware version when needed. Upon connecting it to the network, a system administrator notices that he cannot get access to the thermostat but can get access to all other network devices. Which of the following is the MOST likely reason the thermostat is not connecting to the internet?

a. The company implements a captive portal
b. The thermostat is using the incorrect encryption algorithm
c. The WPA2 shared key is incorrect
d. The company's DHCP server scope is full
a. The company implements a captive portal
16. A company needs to ensure that employees that are on vacation or leave cannot access network resources, while still retaining the ability to receive emails in their inboxes. Which of the following will allow the company to achieve this goal?

a. Set up an email alias
b. Remove user privileges
c. Install an SMTP proxy server
d. Reset user passwords
d. Reset user passwords
17. A company provides wireless access for employees and a guest wireless network for visitors. The employee wireless network is encrypted and requires a password. The guest wireless network does not use an encrypted connection and does not require a password. An administrator walks by a visitor's laptop and notices the following command line output:

reaver -I mon -b 7A:E5:9A:42:2C:C1 -vv
Starting...
[+] Trying pin 12345678
[+] 93.41% complete @ 2016-04-16 11:25:15 (15 seconds)
[+] WARNING: 10 failed connections in a row
[+] Trying pin 12345688

Which of the following should the administrator implement and why?

a. Initiate employee password changes because the visitor has captured passwords and is attempting offline cracking of those passwords
b. Implement two-factor wireless authentication because the visitor will eventually brute-force the network key
c. Apply WPA or WPA2 encryption because the visitor is trying to crack the employee network that is encrypted with WEP
d. Disable WPS because the visitor is trying to crack the employee network
e. Apply MAC filtering because the visitor already has the network password
d. Disable WPS because the visitor is trying to crack the employee network
18. A company uses digital signatures to sign contracts. The company requires external entities to create an account with a third-party digital signature provider and to sign an agreement stating that they will protect the account from unauthorized access. Which of the following security goals is the company trying to address in the given scenario?

a. Availability
b. Non-repudiation
c. Authentication
d. Confidentiality
e. Due diligence
b. Non-repudiation
19. A company uses PKI certificates stored on a smart chip-enabled badge. The badge is used for a small number of devices that connect to a wireless network. A user reported that her badge was stolen. Which of the following could the security administrator implement to prevent the stolen badge from being used to compromise the wireless network?

a. Asset tracking
b. Honeynet
c. Strong PSK
d. MAC filtering
c. Strong PSK
20. A company wants to ensure that all software executing on a corporate server has been authorized to do so by a central control point. Which of the following can be implemented to enable such control?

a. Digital signatures
b. Role-Based access control
c. Session keys
d. Non-repudiation
a. Digital signatures
21. A company was recently the victim of a major attack which resulted in significant reputational loss. Joe, a member of the company incident response team, is currently reviewing Standard Operating Procedures for the team in the wake of the attack. Which of the following best identifies the stage of incident response that Joe is in?

a. Reporting
b. Lessons learned
c. Mitigation steps
d. Preparation
b. Lessons learned
22. A company would like to protect its e-commerce site from SQL injection and cross-site scripting (XSS). The company should consider deploying which of the following technologies?

a. IDS
b. Web application firewall
c. Proxy
d. Sandbox
b. Web application firewall
23. A company's security analyst is investigating the suspected compromise of the company's intranet web server. The compromise occurred at a time when no users were logged into the domain. Which of the following is MOST likely to have prevented the attack from a new machine introduced to the corporate network?

a. Domain log review
b. 802.1x
c. NIDS
d. Rogue detection
d. Rogue detection
24. A company's BYOD policy requires the installation of a company-provided mobile agent on their personally owned devices, which would allow auditing when an employee wants to connect a device to the corporate email system. Which of the following concerns will MOST affect the decision to use a personal device to receive company email?

a. Personal privacy
b. Email support
c. Data ownership
d. Service availability
a. Personal privacy
25. A data breach is suspected on a currently unidentified server in a datacenter. Which of the following is the BEST method of determining which server was breached?

a. Network traffic logs
b. System image capture
c. Asset inventory review
d. RAM analysis
a. Network traffic logs
26. A datacenter has suffered repeated burglaries that led to equipment theft and arson. In the past, the thieves have demonstrated a determination to bypass any installed safeguards. After mantraps had been installed to prevent tailgating, the thieves crashed through the wall of the datacenter with a vehicle after normal business hours. Which of the following options could further improve the physical safety and security of the datacenter? (Select TWO)

a. Cipher locks
b. CCTV
c. Escape routes
d. K-rated fencing
e. FM200 Fire suppression
d. K-rated fencing
e. FM200 Fire suppression
27. A datacenter manager has been asked to prioritize critical system recovery priorities. Which of the following is the MOST critical for immediate recovery?

a. Remote-assistance software
b. Operating system software
c. Weekly summary reports to management
d. Financial and production software
d. Financial and production software
28. A developer is programming an SSO module to assist an organization's internal users with password management. As part of the implementation plan, each user will be required to sign in with existing credentials and submit a new password for the SSO system due to increased security requirements. The developer has been tasked by the security lead to harden the application against automated attacks using the existing credentials. Which of the following will provide an additional security layer against unauthorized access?

a. Log analysis
b. CAPTCHA
c. Web application firewall
d. Security tokens
e. Role-based access control lists
f. One-time pad
d. Security tokens
f. One-time pad
29. A fiber company has acquired permission to bury a fiber cable through a farmer's land. Which of the following should be in the agreement with the farmer to protect the availability of the network?

a. No farm animals will graze near the burial site of the cable
b. No digging will occur near the burial site of the cable
c. No buildings or structures will be placed on top of the cable
d. No crops will be planted on top of the cable
b. No digging will occur near the burial site of the cable
30. A finance manager is responsible for approving wire transfers and processing the transfers using the software provided by the company's bank. A number of discrepancies have been found related to the wires in a recent financial audit and the wires appear to be fraudulent. Which of the following controls should be implemented to reduce the likelihood of fraud related to the use of wire transfers?

a. Separation of duties
b. Least Privilege
c. Qualitative auditing
d. Acceptable-use policy
a. Separation of duties
31. A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the proper direction. Which of the following types of controls is being used?

a. Detective
b. Deterrent
c. Corrective
d. Preventive
c. Corrective
32. A forensics investigator needs to be able to prove that digital evidence was not tampered with after being taken into custody. Which of the following is useful in this scenario?

a. Encryption
b. Non-repudiation
c. Hashing
d. Perfect forward secrecy
e. Steganography
c. Hashing
33. A global gaming console manufacturer is launching a new gaming platform to its customers. Which of the following controls reduces the risk created by malicious gaming customers attempting to circumvent controls by way of modifying consoles? (Select TWO)

a. Firmware version control
b. Manual software upgrades
c. Vulnerability scanning
d. Automatic updates
e. Network segmentation
f. Application firewalls
a. Firmware version control
e. Network segmentation
34. A government agency wants to ensure that the systems that have been deployed are as secure as possible. Which of the following technologies will enforce protections on these systems to prevent files and services from operating outside of a strict rule set?

a. Host-based Intrusion
b. Host-based firewall
c. Trusted OS
d. Antivirus
b. Host-based firewall
35. A healthcare organization is in the process of building and deploying a new web server in the DMZ that will enable public internet users to securely send and receive messages from their primary care physicians. Which of the following should the security administrator consider?

a. An in-band method for key exchange and an out-of-band method for the session
b. An out-of-band method for key exchange and an in-band method for the session
c. A symmetric algorithm for key exchange and an asymmetric algorithm for the session
d. An asymmetric algorithm for key exchange and a symmetric algorithm for the session
d. An asymmetric algorithm for key exchange and a symmetric algorithm for the session
36. A help desk technician receives a request for information from a user regarding a new policy a department issued. The policy states that all emails with embedded URLs or images must be digitally signed. Which of the following represent possible motivators for this new policy? (Select TWO)

a. Service availability
b. Non-repudiation
c. User authentication
d. Confidentiality
e. Anti-malware
f. Message integrity
b. Non-repudiation
f. Message integrity
37. A high-traffic website is experiencing numerous brute-force attacks against its user base. The attackers are using a very large botnet to carry out the attack. As a result, many users' passwords are being compromised. Which of the following actions is appropriate for the website administrators to take in order to reduce the threat from this type of attack in the future?

a. Temporarily ban each IP address after five failed login attempts
b. Prevent users from using dictionary words in their passwords
c. Prevent users from using passwords that they have used before
d. Require user passwords to be at least ten characters in length
a. Temporarily ban each IP address after five failed login attempts
38. A large retail vendor provides access to a heating, ventilation, and air conditioning vendor for the purpose of issuing billing statements and receiving payments. A security administrator wants to prevent attackers from using compromised credentials to access the billing system, moving laterally to the point-of-sale system, and installing malware to skim credit card data. Which of the following is the MOST important security architecture consideration the retail vendor should impose?

a. Data encryption
b. Network segregation
c. Virtual private networking
d. Application firewalls
b. Network segregation
39. A local coffee shop provides guests with wireless access but disabled the SSID broadcast for security purposes. When guests make a purchase, they are provided with the SSID to the router. A new customer's laptop shows the coffee shop's SSID appears to be broadcasting despite the fact that the wireless router configuration shows the broadcast is disabled. Which of the following situations is likely occurring?

a. The coffee shop is using WEP instead of WPA or WPA2 encryption
b. A user has set up an evil twin access point near the coffee shop
c. WiFi Protected Setup has been hacked and the SSID is being covertly broadcast
d. Once connected to the router it will appear that the SSID is being broadcast
b. A user has set up an evil twin access point near the coffee shop
40. A manager is reviewing bids for internet service in support of a new corporate office location. The location will provide 24-hour service to the organization's global user population. In which of the following documents would the manager MOST likely find quantitative data regarding latency levels and MTTR?

a. ISA
b. SLA
c. MOU
d. BPA
b. SLA
41. A media company would like to securely stream live video feeds over the internet to clients. The security administrator suggests that the video feeds be encrypted in transport and configures the web server to prefer ciphers suited for the live video feeds. Which of the following cipher suites should the administrator implement on the web server to minimize the computational and performance overhead of delivering the live feeds?

a. ECDHE-RSA-RC4-SHA
b. DHE-DSA-DES-CBC-SHA
c. ECDHE-RSA-AES-CBC-SHA
d. ECDHE-RSA-AES256-CBC-SHA
a. ECDHE-RSA-RC4-SHA
42. A network administrator discovers that telnet was enabled on the company's human resources payroll server and that someone outside of the HR subnet has been attempting to log into the server. The network administrator has disabled telnet on the payroll server. Which of the following is a method of tracking attempts to log onto telnet without exposing important company data?

a. Banner grabbing
b. Active port numbers
c. Honeypot
d. Passive IPS
c. Honeypot
43. A network administrator is configuring a web server to ensure the use of only strong ciphers. Which of the following stream ciphers should the administrator configure?

a. RC4
b. MD5
c. AES-CBC
d. 3DES
a. RC4
44. A network administrator is in the process of developing a new network security infrastructure. One of the requirements for the new system is the ability to perform advanced authentication, authorization, and accounting services. Which of the following technologies BEST meets the stated requirement?

a. Kerberos
b. SAML
c. TACACS+
d. LDAPS
c. TACACS+
45. A network has been impacted by downtime resulting from unauthorized devices connecting directly to the wired network. The network administrator has been tasked to research and evaluate technical controls that would effectively mitigate risks associated with such devices. Which of the following capabilities would be MOST suitable for implementation in this scenario?

a. Host hardening
b. NIDS
c. HIDS
d. Loop protection
e. Port Security
e. Port Security
46. A network security administrator is trying to determine how an attacker gained access to the corporate wireless network. The network is configured with SSID broadcast disabled. The senior network administrator explains that this configuration setting would only have deterred an unsophisticated attacker because of which of the following?

a. The SSID can be obtained with a wireless packet analyzer
b. The required information can be brute-forced over time
c. Disabling the SSID only hides the network from other WAPs
d. The network name could be obtained through a social engineering campaign
a. The SSID can be obtained with a wireless packet analyzer
47. Joe, a network technician at a company, is working on a network device. He creates a rule to prevent users from connecting to a toy website during the holiday shopping season. This website is blacklisted and is known to have SQL injections and malware. Which of the following has been implemented?

a. Mandatory access
b. Network separation
c. Firewall rules
d. Implicit Deny
c. Firewall rules
48. A network technician needs to pass traffic from the company's external IP address to a front-end mail server in the DMZ without exposing the IP address of the mail server to the external network. Which of the following should the network technician use?

a. NAT
b. SMTP
c. NAC
d. SSH
e. TLS
a. NAT
49. A network was down for several hours due to a contractor entering the premises and plugging both ends of a network cable into adjacent network jacks. Which of the following would have prevented the network outage?

a. Port security
b. Loop protection
c. Implicit deny
d. Log analysis
e. MAC filtering
f. Trunk port
a. Port security
b. Loop protection
50. A new help desk employee at a cloud services provider receives a call from a customer. The customer is unable to log into the provider's web application. The help desk employee is unable to find the customer's user account in the directory services console, but sees the customer's information in the application database. The application does not appear to have any fields for a password. The customer then remembers the password and is able to log in. The help desk employee still does not see the user account in directory services. Which of the following is the MOST likely explanation?

a. A bug has been discovered in the application
b. The application uses a weak encryption cipher
c. A federated authentication model is being used
d. The application uses single sign-on
c. A federated authentication model is being used
51. A penetration tester is attempting to determine the operating system of a remote host. Which of the following methods will provide this information?

a. Protocol analyzer
b. Honeypot
c. Fuzzer
d. Banner grabbing
d. Banner grabbing
52. A PKI architect is implementing a corporate enterprise solution. The solution will incorporate key escrow and recovery agents, as well as a tiered architecture. Which of the following is required in order to implement the architecture correctly?

a. Certificate revocation list
b. Strong ciphers
c. Intermediate authorities
d. IPsec between CAs
c. Intermediate authorities
53. A plant security officer is continually losing connection to two IP cameras that monitor several critical high-voltage motors. Which of the following should the network administrator do to BEST ensure the availability of the IP camera connections?

a. Use a wireless bridge instead of network cables
b. Replace patch cables with shielded cables
c. Change existing cables with optical cables
d. Add new conduit runs for the network cables
c. Change existing cables with optical cables
54. A recent counter-threat intelligence notification states that companies should review indicators of compromise on all systems. The notification stated that the presence of a win_32.dll was an identifier of a compromised system. A scan of the network reveals that all systems have this file. Which of the following should the security analyst perform FIRST to determine if the files collected are part of the threat intelligence?

a. Quarantine the file on each machine
b. Take a full system image of each machine
c. Take hashes of the files found for verification
d. Verify the time and date of the files found
d. Verify the time and date of the files found
55. A recent network audit revealed several devices on the internal network were not running antivirus or HIPS. Upon further investigation, it was discovered that these devices were new laptops that were deployed without installing the end-point protection suite used by the company. Which of the following could be used to mitigate the risk of authorized devices that are unprotected residing on the network?

a. Host-based firewall
b. Network-based IPS
c. Centralized end-point management
d. MAC filtering
d. MAC filtering
56. A recent policy change at an organization requires that all remote access connections to and from file servers at remote locations must be encrypted. Which of the following protocols would accomplish this new objective? (Select TWO)

a. TFTP
b. SSH
c. FTP
d. RDP
e. HTTP
b. SSH
d. RDP
57. A recent regulatory audit discovers a large number of former employees with active accounts. Terminated users are removed from the HR system but not from Active Directory. Which of the following processes would close the gap identified?

a. Send a recurring email to managers with a link to IT security policies
b. Perform routine audits against the HR system and Active Directory
c. Set an account expiration date for all Active Directory accounts to expire annually
d. Conduct permissions reviews in Active Directory for group membership
b. Perform routine audits against the HR system and Active Directory
58. A research user needs to transfer multiple terabytes of data across a network. The data is not confidential, so, for performance reasons, it does not need to be encrypted. However, the authentication process must be confidential. Which of the following is the BEST solution to satisfy these requirements?

a. Secured LDAP
b. Kerberized FTP
c. SCP
d. SAML 2.0
b. Kerberized FTP
59. A risk assessment team is concerned about hosting data with a cloud service provider. Which of the following findings would justify this concern?

a. The CSP utilizes encryption for data at rest and in motion
b. The CSP takes into account multinational privacy concerns
c. The financial review indicates the company is a startup
d. SLAs state service tickets will be resolved in less than mins
b. The CSP takes into account multinational privacy concerns
60. A security administrator creates separate VLANs for employee devices and HVAC equipment that is network-attached. Which of the following are security reasons for this design? (Select THREE)

a. IDS often requires network segmentation of HVAC endpoints for better reporting
b. Broadcasts from HVAC equipment will be confined to their own network segment
c. HVAC equipment can be isolated from compromised employee workstations
d. VLANs are providing loop protection for the HVAC devices
e. Access to and from the HVAC equipment can be more easily controlled
f. Employee devices often interfere with proper functioning of HVAC devices
b. Broadcasts from HVAC equipment will be confined to their own network segment
c. HVAC equipment can be isolated from compromised employee workstations
e. Access to and from the HVAC equipment can be more easily controlled
61. A security administrator determined that the time required to brute-force 90% of the company's password hashes is below the acceptable threshold. Which of the following, if implemented, has the GREATEST impact in bringing this time above the acceptable threshold?

a. Use a shadow password file
b. Increase the number of PBKDF2 iterations
c. Change the algorithm used to salt all passwords
d. Use a stronger hashing algorithm for password storage
b. Increase the number of PBKDF2 iterations
62. A security administrator has been tasked with hardening operating system security on tablets that will be deployed for use by floor salespeople at retail outlets. Which of the following could the administrator implement to reduce the likelihood that unauthorized users will be able to access information on the tablets?

a. GPS device tracking
b. Remote wiping
c. Cable locks
d. Password protection
d. Password protection
63. A security administrator has implemented a series of computers to research possible intrusions into the organizational network, and to determine the motives as well as the tools used by the malicious entities. Which of the following has the security administrator implemented?

a. Honeypot
b. DMZ
c. Honeynet
d. VLANs
c. Honeynet
64. A security administrator is having continued issues with malware variants infecting systems and encrypting several types of files. The malware uses a document macro to create a randomly named executable that downloads the encrypting payload of the malware. Once downloaded, the malware searches all drives, creates an HTML file with decryption instructions in the directory, and then proceeds to encrypt the target files. Which of the following actions would BEST interrupt the malware before it encrypts the other files while minimizing adverse impacts to the users?

a. Block execution of documents with macros
b. Block addition of documents with macros
c. Block the creation of the HTML document on the local system
d. Block running external files from within documents
a. Block execution of documents with macros
65. A security administrator is performing a vulnerability scan and discovers that ports 21 and 22 are open to support FTPS. Which of the following is this an example of?

a. False positive
b. Input validation
c. Banner grabbing
d. Common misconfiguration
d. Common misconfiguration
66. A security administrator is responsible for the deployment of a new two-factor authentication solution. The administrator has been informed that the solution will use soft tokens. Which of the following are valid token password schemes for the two-factor solution being deployed? (Select TWO)

a. CHAP
b. PAP
c. NTLMv2
d. HMAC
e. Smart card
f. Time-based
d. HMAC
67. A security administrator is reviewing the password security configuration of a company's directory service domain. The administrator recognizes that the domain controller has been configured to store LM hashes. Which of the following explains why the domain controller might be configured like this? (Select TWO)

a. Default configuration
b. File system synchronization
c. Mobile device support
d. NTLMv2 support
e. Backward compatibility
a. Default configuration
e. Backward compatibility
68. A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resources. There cannot be a possibility of any equipment being damaged in the test. Which of the following has the administrator been tasked to perform?

a. Risk transference
b. Penetration test
c. Threat assessment
d. Vulnerability assessment
d. Vulnerability assessment
69. A security administrator is trying to determine the source of a suspected denial-of-service attack that is consistently disconnecting most systems from the wireless network. Hourly checks verify that there are no rogue wireless access points, unauthorized wireless clients, or de-authentication attacks occurring. Which of the following should the administrator use to BEST identify the reason for the outage?

a. Perform a packet capture
b. Deploy a wireless IDS
c. Use a spectrum analyzer
d. Conduct a wireless site survey
c. Use a spectrum analyzer
70. A security administrator receives a hard drive that must be imaged for forensics analysis. The paperwork that comes with the hard drive shows: 10:00 Technician A - hard drive removed; 10:30 Technician A - hard drive delivered to Manager A; 11:00 IT Director - hard drive delivered to the security administrator. Which of the following should the security administrator do?

a. Image the hard drive and sign the chain-of-custody log
b. Hash the chain-of-custody log
c. Report a problem with the chain-of-custody log
d. Sign the chain-of-custody log
c. Report a problem with the chain-of-custody log
71. A security administrator receives an IDS alert that a single internal IP address is connecting to several known malicious command-and-control domains. The administrator connects to the switch and adds a MAC filter to Port 18 to block the system from the network.

BEFORE                           AFTER
MAC Address     VLAN  Port       MAC Address     VLAN  Port
67A7.353B.5064  101   4          67A7.353B.5064  101   4
7055.4961.1F33  100   9          7055.4961.1F33  100   9
0046.6416.5809  101   21         0046.6416.5809  101   21
7037.0108.31B5  100   16         7037.0108.31B5  100   16
5243.6353.7720  101   6          5243.6353.7720  101   6
1484.A471.6542  100   2          1484.A471.6542  100   2
80C7.8669.5845  101   7          80C7.8669.5845  101   7
7513.77B9.4130  101   18         0046.6419.5809  101   18
5A77.1816.3859  101   19         5A77.1816.3859  101   19
8294.7E31.3270  100   8          8294.7E31.3270  100   8

A few minutes later, the same malicious traffic starts again from a different IP. Which of the following is the MOST likely reason that the system was able to bypass the administrator's MAC filter?

a. The system is now ARP spoofing a device on the switch
b. The system is now VLAN hopping to bypass the switch port MAC filter
c. The system is now spoofing a MAC address
d. The system is now connecting to the switch
c. The system is now spoofing a MAC address
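Only one row changed between the two snapshots: port 18 went from 7513.77B9.4130 to 0046.6419.5809, which is one hex digit away from the legitimate host on port 21 (0046.6416.5809). That is what MAC spoofing looks like in the table, and it is why a MAC filter is a weak control: the address is chosen by the client. Added example, not part of the original question set: parse both snapshots, report ports whose learned MAC changed, and flag MACs that are within one hex digit of another entry. The table text is transcribed from the question; the parser assumes Cisco-style dotted-hex MACs.

```python
import re

# Switch MAC table before and after the filter was added (transcribed from the question).
BEFORE = """
67A7.353B.5064 101 4
7055.4961.1F33 100 9
0046.6416.5809 101 21
7037.0108.31B5 100 16
5243.6353.7720 101 6
1484.A471.6542 100 2
80C7.8669.5845 101 7
7513.77B9.4130 101 18
5A77.1816.3859 101 19
8294.7E31.3270 100 8
"""

AFTER = """
67A7.353B.5064 101 4
7055.4961.1F33 100 9
0046.6416.5809 101 21
7037.0108.31B5 100 16
5243.6353.7720 101 6
1484.A471.6542 100 2
80C7.8669.5845 101 7
0046.6419.5809 101 18
5A77.1816.3859 101 19
8294.7E31.3270 100 8
"""

ROW = re.compile(r"^\s*([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+(\d+)\s+(\d+)\s*$")


def parse_table(text: str) -> dict:
    """Map port -> (mac, vlan); MACs are normalised to upper case."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, vlan, port = m.groups()
            table[int(port)] = (mac.upper(), int(vlan))
    return table


def changed_ports(before: dict, after: dict) -> list:
    """(port, old_mac, new_mac) for every port whose learned MAC differs."""
    return [(port, before[port][0], after[port][0])
            for port in sorted(set(before) & set(after))
            if before[port][0] != after[port][0]]


def hex_distance(mac_a: str, mac_b: str) -> int:
    """Number of differing hex digits between two MACs (dots ignored)."""
    a, b = mac_a.replace(".", ""), mac_b.replace(".", "")
    return sum(x != y for x, y in zip(a, b))


def near_duplicates(table: dict, max_distance: int = 1) -> list:
    """(port_a, port_b, distance) for MAC pairs within max_distance hex digits.
    A spoofer who tweaks a neighbour's address to dodge a filter shows up here."""
    ports = sorted(table)
    return [(p, q, hex_distance(table[p][0], table[q][0]))
            for i, p in enumerate(ports) for q in ports[i + 1:]
            if hex_distance(table[p][0], table[q][0]) <= max_distance]


if __name__ == "__main__":
    print(changed_ports(parse_table(BEFORE), parse_table(AFTER)))  # port 18 changed
    print(near_duplicates(parse_table(AFTER)))                      # (18, 21, 1)
```

The durable fix is to shut the port (or move it to a quarantine VLAN) rather than filter a MAC, and to use 802.1X or port security with sticky MACs so the switch, not the host, decides what may attach.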
72. A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrator's NEXT steps in the investigation? (Select TWO)

a. Reinstall the procps package in case system utilities were modified
b. Look for recently modified files in user and tmp directories
c. Switch SELinux to enforcing mode and reboot
d. Monitor perimeter firewall for suspicious traffic from the system
e. Check running processes and kernel modules
f. Remove unnecessary accounts and services
b. Look for recently modified files in user and tmp directories
e. Check running processes and kernel modules
73. A security administrator recently implemented IPSec for remote users. Which of the following ports must be allowed through the firewall in order for remote access to be successful if the tunneling protocol is PPTP?

a. UDP 500
b. UDP 1723
c. TCP 1723
d. TCP 4500
c. TCP 1723
74. A security administrator runs a port scan against a server and determines that the following ports are open: TCP 22, TCP 25, TCP 80, TCP 631, and TCP 995. Which of the following MOST likely describes the server?

a. The server is an email server that requires secure email transmittal
b. The server is a web server that requires secure communication
c. The server is a print server that requires secure authentication
d. The server is an email server that requires secure email retrieval
d. The server is an email server that requires secure email retrieval
75. A security administrator suspects that a server has been compromised with zero-day malware, and that it is now being used to host various copyrighted material, which is being shared through an IRC network. Which of the following should the system administrator use to determine if the server has been compromised?

a. Patch report
b. OS backup
c. Antivirus logs
d. Baseline
d. Baseline
76. A security administrator wants to implement a system that will allow the organization to quickly and securely recover from a computer breach. The security administrator notices that the majority of malware infections are caused by zero-day armored viruses and rootkits. Which of the following solutions should the system administrator implement?

a. Install an antivirus solution that provides HIPS capabilities
b. Implement a thick-client model with local snapshots
c. Deploy an enterprise patch management system
d. Enable the host-based firewall and remove users' administrative rights
a. Install an antivirus solution that provides HIPS capabilities
77. A security administrator wishes to implement a method of generating encryption keys from user passwords to enhance account security. Which of the following would accomplish this task?

a. NTLMv2
b. Blowfish
c. Diffie-Hellman
d. PBKDF2
d. PBKDF2
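PBKDF2 turns a password plus a per-user salt into a fixed-length key by iterating HMAC, so every guess costs the attacker the full iteration count and precomputed tables are useless across users. Added example, not part of the original question set: key derivation and verification with hashlib.pbkdf2_hmac, plus the RFC 6070 known-answer test so the implementation can be checked. The 600,000 iteration count is an assumed work factor for PBKDF2-HMAC-SHA256; tune it to your hardware.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS,
               length: int = 32) -> bytes:
    """Stretch a password and salt into `length` bytes usable as a symmetric key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=length)


def new_record(password: str) -> dict:
    """What the directory stores: random salt, work factor and derived key.
    The password itself is never stored."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "key": derive_key(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    candidate = derive_key(password, record["salt"], record["iterations"],
                           len(record["key"]))
    return hmac.compare_digest(candidate, record["key"])


def rfc6070_vector1() -> str:
    """RFC 6070 test vector 1: PBKDF2-HMAC-SHA1("password", "salt", c=1, dkLen=20)."""
    return hashlib.pbkdf2_hmac("sha1", b"password", b"salt", 1, 20).hex()


if __name__ == "__main__":
    rec = new_record("correct horse battery staple")
    print(verify("correct horse battery staple", rec))  # True
    print(verify("Tr0ub4dor&3", rec))                   # False
    print(rfc6070_vector1())  # 0c60c80f961f0e71f3a9b524af6012062fe037a6
```

Store the salt and iteration count beside the derived key so the work factor can be raised later without a password reset. For new designs prefer a memory-hard KDF such as scrypt or Argon2 where available; the structure of the record and the constant-time check stay the same.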
78. A security administrator wishes to perform authentication, authorization, and accounting, but does not wish to use a proprietary protocol. Which of the following services would fulfill these requirements?

a. SAML
b. RADIUS
c. TACACS+
d. Kerberos
b. RADIUS
79. A security administrator wishes to set up a site-to-site IPSec VPN tunnel between two locations. Which of the following IPSec encryptions and hashing algorithms would be chosen for the least performance impact?

a. 3DES/SHA
b. AES/SHA
c. RSA/MD5
d. DES/MD5
d. DES/MD5
80. A security administrator would like to write an access rule to block the three IP addresses given below. Which of the following combinations should be used to include all of the given IP addresses?

192.168.12.255
192.168.12.227
192.168.12.229

a. 192.168.12.0/25
b. 192.168.12.128/28
c. 192.168.12.224/29
d. 192.168.12.225/30
c. 192.168.12.224/29
(192.168.12.224/29 spans .224 through .231, so it holds .227 and .229 but not .255, and no offered option holds .255; that address is almost certainly a typo for 192.168.12.225. The smallest single block that contains .227, .229 and .255 as written is 192.168.12.224/27.)
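Working this kind of question out by hand is error-prone, and a firewall rule written with a non-aligned address (option d, 192.168.12.225/30) is either rejected or silently masked to a different block. Added example, not part of the original question set: check each candidate rule against the listed addresses with the standard ipaddress module, and compute the smallest block that truly covers a set of addresses. The option and address lists are transcribed from the question; the code is IPv4-only.

```python
import ipaddress

# Addresses and candidate rules as listed in the question.
PAGE_ADDRESSES = ["192.168.12.255", "192.168.12.227", "192.168.12.229"]
OPTIONS = ["192.168.12.0/25", "192.168.12.128/28",
           "192.168.12.224/29", "192.168.12.225/30"]


def is_valid_block(cidr: str) -> bool:
    """True only if the address part is the block's network address.
    strict=True rejects host addresses such as 192.168.12.225/30."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def covers(cidr: str, addresses) -> bool:
    """Does the block contain every address? Non-aligned input is masked
    to its block, which is how many tools silently interpret it."""
    net = ipaddress.ip_network(cidr, strict=False)
    return all(ipaddress.ip_address(a) in net for a in addresses)


def smallest_covering_block(addresses) -> str:
    """Smallest single IPv4 CIDR block containing every address:
    start at /32 on the first address and widen until all fit."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{addrs[0]}/{prefix}", strict=False)
        if all(a in net for a in addrs):
            return str(net)
    raise AssertionError("unreachable: /0 contains every address")


def evaluate(options, addresses) -> dict:
    """option -> (well-formed block?, contains all addresses?)"""
    return {o: (is_valid_block(o), covers(o, addresses)) for o in options}


if __name__ == "__main__":
    for option, (valid, ok) in evaluate(OPTIONS, PAGE_ADDRESSES).items():
        print(f"{option:22} aligned={valid!s:5} covers_all={ok}")
    print(smallest_covering_block(PAGE_ADDRESSES))   # 192.168.12.224/27
```

If the block rule is too broad for policy, the alternative is one /32 entry per address; a covering block is only the right answer when everything else inside it may also be blocked.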
81. A security administrator, believing it to be a security risk, disables IGMP snooping on a switch. This breaks a video application. The application is MOST likely using:

a. RTP
b. Multicast
c. Anycast
d. VoIP
b. Multicast
82. A security analyst at a nuclear power plant needs to secure network traffic from the legacy SCADA systems. Which of the following methods could the analyst use to secure network traffic in this static environment?

a. Implement a firewall
b. Implement a HIDS
c. Implement a NIDS
d. Implement a rootjail
a. Implement a firewall
83. A security analyst has been asked to perform penetration testing against a web application being deployed for the first time. When performing the test the application stops responding and returns an error referring to failed database connections. Upon further investigation, the analyst finds the database server was inundated with commits which exhausted available space on the volume. Which of the following attacks has been performed against the database server?

a. DoS
b. SQL injection
c. SYN flood
d. DDoS
e. Cross-site scripting
a. DoS
84. A security analyst needs to ensure all external traffic is able to access the company's front-end servers but protect all access to internal resources. Which of the following network design elements would MOST likely be recommended?

a. DMZ
b. Cloud Computing
c. VLAN
d. Virtualization
a. DMZ
85. A security architect is choosing a cryptographic suite for the TLS 1.2 configuration for a new web-based financial management application that will be used heavily by mobile devices. Which of the following would be the architect's MOST secure selection for both key exchange and the session key algorithms? (Select TWO)

a. 3DES
b. AES-GCM
c. TKIP
d. SHA256
e. SHA1
f. ECDHE
b. AES-GCM
f. ECDHE
86. A security architect is supporting a project team responsible for a new extranet application. As part of their activities, the team is identifying roles within the system and documenting possible conflicts between roles that could lead to collusion between users. Which of the following principles of risk mitigation is the team implementing?

a. Dual control
b. Least privilege
c. Separation of duties
d. Job rotation
c. Separation of duties
87. A security engineer discovers that during certain times of day, the corporate wireless network is dropping enough packets to significantly degrade service. Which of the following should be the engineer's FIRST step in troubleshooting the issues?

a. Configure stronger encryption
b. Increase the power level
c. Change to a higher gain antenna
d. Perform a site survey
d. Perform a site survey
88. A security engineer is monitoring suspicious traffic from an internal endpoint to a malicious landing page of an external entity. The internal endpoint is configured using a limited account, is fully patched to current standards, and has current antivirus signatures. No alerts have been received involving this endpoint. The security engineer finds malicious code on the endpoint during a forensics analysis. Which of the following MOST likely explains this occurrence?

a. The external entity breached the IDS
b. The antivirus engine was evaded
c. The DLP did not detect the malicious code
d. The endpoint was running on a hypervisor
b. The antivirus engine was evaded
89. A security engineer wants to communicate securely with a third party via email using PGP. Which of following should the engineer send to the third party to enable the third party to securely encrypt email replies?

a. Public key
b. Private key
c. Key escrow
d. Recovery key
a. Public key
90. A security manager has noticed several unrecognized devices connecting to the company's internal wireless network. Only company-issued devices should be connected to the network. Which of the following controls should be implemented to prevent the unauthorized devices from connecting to the wireless network? (Select TWO)

a. MAC filtering
b. Create a separate wireless VLAN
c. Implement 802.11n
d. Enable WPA2
e. Configure DHCP reservations
a. MAC filtering
d. Enable WPA2
91. A security manager needs to implement a backup solution as part of the disaster recovery plan. The system owners have indicated that the business cannot afford to lose more than a day of transactions following an event where data would have been restored. The security manager should set a value of 24 hours for the:

a. Recovery time objective
b. Service level agreement
c. Recovery point objective
d. System backup window
e. Disaster recovery plan
c. Recovery point objective
92. A security specialist has implemented antivirus software and whitelisting controls to prevent malware and unauthorized application installation on the company systems. The combination of these two technologies is an example of which of the following?

a. Defense-in-depth
b. Vulnerability scanning
c. Application hardening
d. Anti-malware
a. Defense-in-depth
93. A security technician notices that several successful attacks are being carried out on the network. The Chief information Security Officer tells the technician to deploy countermeasures that will help actively stop these ongoing attacks. Which of the following technologies will accomplish this task?

a. A network-based IPS with advanced heuristic capability
b. A honeypot that generates alerts when a new attack is discovered
c. Host-based IDS that uses anomaly and behavior-based detection
d. An automated security log analyzer that reports system breaches
a. A network-based IPS with advanced heuristic capability
94. A security technician would like an application to use random salts to generate short-lived encryption keys during the secure communication handshake process to increase communication security. Which of the following concepts would BEST meet this goal?

a. Ephemeral keys
b. Symmetric Encryption Keys
c. AES Encryption Keys
d. Key Escrow
a. Ephemeral keys
95. A security technician would like to use ciphers that generate ephemeral keys for secure communication. Which of the following algorithms supports ephemeral modes? (Select TWO)

a. Diffie-Hellman
b. RC4
c. RIPEMD
d. NTLMv2
e. PAP
f. RSA
a. Diffie-Hellman
f. RSA
96. A server administrator is investigating a breach and determines that an attacker modified the application log to obfuscate the attack vector. During the lessons learned activity the facilitator asks for a mitigation response to protect the integrity of the logs should a similar attack occur. Which of the following mitigations would be MOST appropriate to fulfill the requirement?

a. Host-based IDS
b. Automated log analysis
c. Enterprise SIEM
d. Real-time event correlation
c. Enterprise SIEM
97. A single server hosts a sensitive SQL-based database and a web service containing static content. A few of the database fields need to be encrypted due to regulatory requirements. Which of the following would provide the BEST encryption solution for this particular server?

a. Individual file
b. Database
c. Full-disk
d. Record-based
b. Database
98. A software company sends their offsite backup tapes to a third-party storage facility. To meet confidentiality the tapes should be:

a. Labeled
b. Hashed
c. Encrypted
d. Duplicated
c. Encrypted
99. A software development manager needs to create several different environments for application development, testing, and quality control. Controls are being put in place to manage how software is moved into the production environment. Which of the following should the software development manager request be put in place to implement the three new environments?

a. Application firewalls
b. Network segmentation
c. Trusted computing
d. Network address translation
b. Network segmentation
100. A system administrator decided to perform maintenance on a production server servicing retail store operations. The system rebooted in the middle of the day due to the installations of monthly operating system patches. The downtime results in lost revenue due to the system being unavailable. Which of the following would reduce the likelihood of this issue occurring again?

a. Routine system auditing
b. Change management controls
c. Business continuity planning
d. Data loss prevention implementation
b. Change management controls
101. A system administrator has concerns regarding their users accessing systems and secured areas using others' credentials. Which of the following can BEST address this concern?

a. Create conduct policies prohibiting sharing credentials.
b. Enforce a policy shortening the credential expiration timeframe.
c. Implement biometric readers on laptops and restricted areas.
d. Install security cameras in areas containing sensitive systems.
c. Implement biometric readers on laptops and restricted areas.
102. A system administrator has received several service desk tickets relating to users receiving rejection notices from third-party destination email servers. The users in question were previously able to send emails to the recipients mentioned in the ticket. Which of the following items should the system administrator review to determine a possible cause for the issue?

a. DNS blacklists
b. Spam filter configuration
c. Local hosts file
d. SMTP queue
a. DNS blacklists
103. A system administrator is configuring a site-to-site IPSec VPN tunnel. Which of the following should be configured on the VPN concentrator for payload encryption?

a. ECDHE
b. SHA256
c. HTTPS
d. 3DES
d. 3DES
104. A system administrator is part of the organization's contingency and business continuity planning process. The system administrator and relevant team participate in the analysis of a contingency situation intended to elicit constructive discussion. Which of the following types of activity is MOST accurately described in this scenario?

a. Business impact analysis
b. Full-interruption exercise
c. Tabletop exercise
d. Lessons learned
e. Parallel simulation
c. Tabletop exercise
105. A system administrator runs a network inventory scan every Friday at 11:00 am to track the progress of a large organization's operating system upgrade of all laptops. The system administrator discovers that some laptops are now only being reported as IP addresses. Which of the following is MOST likely the cause of this issue?

a. HIDS
b. Host-based firewall rules
c. All the laptops are currently turned off
d. DNS replication
b. Host-based firewall rules
106. A system requires administrators to be logged in as the "root" in order to make administrator changes. Which of the following controls BEST mitigates the risk associated with this scenario?

a. Require that all administrators keep a log book of times and justification for accessing root
b. Encrypt all users home directories using file-level encryption
c. Implement a more restrictive password rotation policy for the shared root account
d. Force administrator to log in with individual accounts and switch to root
e. Add the administrator to the local group
d. Force administrator to log in with individual accounts and switch to root
107. A technician has raised concern over employees on the manufacturing floor moving computers between work areas. The technician is concerned that the activity is making it more difficult to track down rogue devices on the network and provide timely support. Which of the following would prevent this from occurring?

a. 802.1X
b. Video surveillance
c. Full-disk encryption
d. Cable locks
d. Cable locks
108. A technician is about to perform a major upgrade to the operating system of a critical system. This system is currently in a virtualization environment. Which of the following actions would result in the LEAST amount of downtime if the upgrade were to fail?

a. Enabling live migration in the VM settings on the virtual server
b. Clustering the storage for the server to add redundancy
c. Performing a full backup of the virtual machine
d. Taking an initial snapshot of the system
d. Taking an initial snapshot of the system
109. A technician is troubleshooting an issue with an employee's new mobile device that is not associating to the wireless network. The technician verifies the mobile device is in the company's approved and supported list. The appropriate configuration was entered on the device. All other mobile devices are connecting to the wireless network. Which of the following is the MOST likely cause of the issue?

a. Non-broadcasting SSID
b. MAC address filtering
c. Wrong encryption
d. Full DHCP scope
b. MAC address filtering
110. A third party has been contracted to perform a remote penetration test of the DMZ network. The company has only provided the third party with the billing department contact information for final payment and a technical point of contact who will receive the penetration test results. Which of the following tests will be performed?

a. Gray box
b. White box
c. Black box
d. False positive
c. Black box
111. A university police department is housed on the first floor of a student dormitory. Which of the following would prevent students from using ARP spoofing attacks against computers at the police department?

a. Private network addresses
b. Disable SSID broadcast
c. Separate Layer-2 VLANs
d. Enable proxy arp on router
c. Separate Layer-2 VLANs
112. A UNIX server recently had restricted directories deleted as the result of an insider threat. The root account was used to delete the directories while logged on at the server console. There are five administrators that know the root password. Which of the following could BEST identify the administrator that removed the restricted directories?

a. DHCP logs
b. CCTV review
c. DNS Logs
d. Network traffic
b. CCTV review
113. A user has been working on a project to implement controls for data storage. Which of the following policies defines how long specific data should remain on company equipment?

a. Data retention policy
b. Data wiping policy
c. Data classification policy
d. Data disposal policy
a. Data retention policy
114. A user is able to access shares that store confidential information that is not related to the user's current job duties. Which of the following should be implemented to prevent this from occurring?

a. Authorization
b. Authentication
c. Federation
d. Identification
a. Authorization
115. A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the following attacks?

a. SQL injection
b. Header manipulation
c. Cross-site scripting
d. Flash cookie exploitation
c. Cross-site scripting
116. A web server at an organization has been the target of distributed denial-of-service attacks. Which of the following, if correctly configured, would BEST mitigate these and future attacks?

a. SYN cookies
b. Implicit deny
c. Blacklisting
d. URL filter
a. SYN cookies
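A SYN flood works because the server allocates connection state for every half-open handshake. SYN cookies remove that state: the server encodes everything it needs into the initial sequence number it sends back, and only allocates when a valid ACK returns. Added example, not part of the original question set: a simplified cookie scheme (5 bits of coarse time counter, 3 bits of encoded MSS, 24-bit keyed tag), not the exact Linux layout, with both the generation and the stateless validation side. The secret, MSS table and counter tick are assumptions for the example.

```python
import hashlib
import hmac
import socket
import struct
import time

# Client MSS values the cookie can encode in its 3-bit field (assumed table).
MSS_TABLE = (536, 1300, 1440, 1460)


def _mss_index(client_mss: int) -> int:
    """Largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def current_count(now=None) -> int:
    """Coarse time counter (64 s ticks); old cookies stop validating."""
    return int(now if now is not None else time.time()) // 64


def _tag(secret, saddr, daddr, sport, dport, count, mss_idx) -> int:
    """24-bit keyed tag over the 4-tuple, counter and MSS index."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack(">HHIB", sport, dport, count, mss_idx))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_mss, count) -> int:
    """ISN for the SYN-ACK: 5 bits counter | 3 bits MSS index | 24-bit tag.
    No per-connection state is stored when this is sent."""
    mss_idx = _mss_index(client_mss)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _tag(
        secret, saddr, daddr, sport, dport, count, mss_idx)


def check_cookie(secret, ack, saddr, daddr, sport, dport, now_count, max_age=2):
    """Validate the client's ACK. Returns the negotiated MSS, or None.
    The cookie is ack-1; the counter is recovered by trying the last few ticks."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    tag = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if mss_idx >= len(MSS_TABLE):      # forged/corrupt field, never encoded by us
        return None
    for age in range(max_age + 1):
        count = now_count - age
        if (count & 0x1F) != count_bits:
            continue
        expected = _tag(secret, saddr, daddr, sport, dport, count, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), tag):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    secret = b"\x01" * 32           # assumed server secret; rotate periodically
    isn = make_cookie(secret, "203.0.113.7", "192.0.2.10", 40000, 80, 1460, current_count())
    print(check_cookie(secret, isn + 1, "203.0.113.7", "192.0.2.10", 40000, 80, current_count()))
```

The cost of statelessness is visible in the code: TCP options other than MSS are lost, and a 24-bit tag means a blind guess succeeds once in about 16 million, which is why real stacks enable cookies only once the SYN backlog overflows.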
117. A web startup wants to implement single sign-on where its customers can log on to the site by using their personal and existing corporate email credentials regardless of which company they work for. Is this directly supported by SAML?

a. No, not without extensive partnering and API integration with all required email providers
b. Yes, SAML is a web-based single sign-on implementation exactly for this purpose
c. No, a better approach would be to use required email providers LDAP or RADIUS repositories
d. Yes, SAML can use oauth2 to provide this functionality out-of-the-box
a. No, not without extensive partnering and API integration with all required email providers
118. After a company has standardized to a single operating system, not all servers are immune to a well-known OS vulnerability. Which of the following solutions would mitigate this issue?

a. Host-based firewall
b. Initial baseline configurations
c. Discretionary access control
d. Patch management system
d. Patch management system
119. After a few users report problems with the wireless network, a system administrator notices that a new wireless access point has been powered up in the cafeteria. The access point has the same SSID as the corporate network and is set to the same channel as nearby access points. However, the AP has not been connected to the Ethernet network. Which of the following is the MOST likely cause of the user's wireless problems?

a. AP channel bonding
b. An evil twin attack
c. Wireless interference
d. A rogue access point
b. An evil twin attack
120. After a private key has been compromised, an administrator realized that downloading a CRL once-per-day was not effective. The administrator wants to immediately revoke certificates. Which of the following should the administrator investigate?

a. CSR
b. PKI
c. IDP
d. OCSP
d. OCSP
121. After a wireless security breach, the network administrator discovers the tool used to break into the network. Using a brute-force attack, the tool is able to obtain the wireless password in less than 11,000 attempts. Which of the following should be disabled to prevent this type of attack in the future?

a. WPS
b. WEP
c. WIPS
d. WPA2-PSK
a. WPS
122. After Ann arrives at the company's co-location facility, she determines that she is unable to access the cage that holds the company's equipment after a co-worker updated the key card server the night before. This is an example of failure of which of the following?

a. Testing controls
b. Access signatures
c. Fault tolerance
d. Non-repudiation
a. Testing controls
123. After Ann, a user, left a crowded elevator, she discovered her smartphone browser was open to a malicious website that exploited the phone. Which of the following is the MOST likely reason this occurred?

a. The user was the victim of a CSRF attack
b. The user was the victim of an NFC attack
c. The user was the victim of an IV attack
d. The user was the victim of a bluesnarfing attack
b. The user was the victim of an NFC attack
124. After disabling SSID broadcast, a network administrator still sees the wireless network listed in available networks on a client laptop. Which of the following attacks may be occurring ?

a. Evil Twin
b. ARP spoofing
c. Disassociation flooding
d. Rogue access point
e. TKIP compromise
a. Evil Twin
125. After installing new digital certificates on a company web server, the network administrator wants to securely store the keys so that no one individual is able to use the keys on any other system. Which of the following would allow the network administrator to achieve this goal?

a. Key hashing
b. Key exchange
c. Key escrow
d. Ephemeral key
c. Key escrow
126. An administrator has to determine host operating systems on the network and has deployed a transparent proxy. Which of the following fingerprint types would this solution use?

a. Packet
b. Active
c. Port
d. Passive
d. Passive
127. An administrator is investigating a system that may potentially be compromised, and sees the following log entries on the router.

*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets.
*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets.

Which of the following BEST describes the compromised system?

a. It is running a rogue web server
b. It is being used in a man-in-the-middle attack
c. It is participating in a botnet
d. It is an ARP poisoning attack
c. It is participating in a botnet
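The tell in the log is the destination port: 6667 is the standard IRC port, and IRC was the classic botnet command-and-control channel. Added example, not part of the original question set: a parser for the router's ACL log format shown above that aggregates packets per flow and flags flows to ports no internal server should be serving. The three log lines are the ones from the question; the fourth (HTTPS) line is constructed as a benign contrast, and the suspect-port list is an assumption.

```python
import re
from collections import defaultdict

# Three lines from the question plus one constructed benign line (port 443) for contrast.
LOG = """
*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets.
*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets.
*Jul 15 14:48:02.113:%Router1: list 101 permitted tcp 192.10.3.204(57301) (FastEthernet 0/3) -> 10.10.1.5 (443), 12 packets.
"""

ENTRY = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ [\d:.]+):%(?P<router>\w+): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) \((?P<iface>[^)]+)\) -> "
    r"(?P<dst>[\d.]+) \((?P<dport>\d+)\), (?P<packets>\d+) packets?\.$"
)

# Assumed watch list: ports an internal host has no business serving.
SUSPECT_PORTS = {6667: "IRC", 6697: "IRC over TLS", 4444: "common reverse-shell listener"}


def parse(text: str) -> list:
    """One dict per well-formed log line; unparseable lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "packets"):
                d[k] = int(d[k])
            entries.append(d)
    return entries


def flows(entries: list) -> dict:
    """Packets per (src, dst, dport). Each log line reports the matches seen in
    one logging interval, so summing gives the total across intervals."""
    totals = defaultdict(int)
    for e in entries:
        totals[(e["src"], e["dst"], e["dport"])] += e["packets"]
    return dict(totals)


def suspicious(entries: list) -> list:
    """Flows whose destination port is on the watch list."""
    return sorted(
        (src, dst, dport, SUSPECT_PORTS[dport])
        for (src, dst, dport) in flows(entries)
        if dport in SUSPECT_PORTS
    )


if __name__ == "__main__":
    parsed = parse(LOG)
    print(flows(parsed))
    print(suspicious(parsed))   # [('192.10.3.204', '10.10.1.5', 6667, 'IRC')]
```

Note what the direction tells you: the external host is connecting inbound to 10.10.1.5 on 6667, so the compromised machine is serving the IRC channel, not just joining one. That changes containment: the ACL that permitted the flow should be reviewed along with the host.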
128. An administrator is reviewing the logs for a content management system that supports the organization's public-facing websites. The administrator is concerned about the number of attempted login failures from other countries for administrator accounts. Which of the following capabilities is BEST to implement if the administrator wants the system to dynamically react to such attacks?

a. Netflow-based rate timing
b. Disable generic administrative accounts
c. Automated log analysis
d. Intrusion prevention system
d. Intrusion prevention system
129. An administrator needs to allow a third-party service to authenticate users, but does not want to give the third-party access to user credentials. Which of the following allows this type of authentication?

a. LDAP
b. SAML
c. RADIUS
d. TACACS
b. SAML
130. An administrator needs to allow both secure and regular web traffic into a network. Which of the following ports should be configured? (Select TWO)

a. 25
b. 53
c. 80
d. 110
e. 143
f. 443
c. 80
f. 443
131. An administrator wants to restrict traffic between two VLANs. The network devices connecting the two VLANs are layer-3 switches. Which of the following should the admin configure?

a. IDS rule
b. Subnet mask
c. ACL
d. Firewall
c. ACL
132. An administrator was tasked with reducing the malware infection rate of PC applications. To accomplish this, the administrator restricted the locations from which programs can be launched. After this was complete, the administrator noticed that malware continued to run from locations on the disk and infected the hosts. Which of the following did the administrator forget to do?

a. Restrict write access to the allowed executable paths
b. Install the host-based intrusion detection system
c. Configure browser sandboxing
d. Disable unnecessary services
a. Restrict write access to the allowed executable paths
134. An application developer is working with the server administrator to configure storage of data that the application produces, including any temporary files. Which of the following will securely store the files outside of the application?

a. Database encryption
b. Transparent encryption
c. Full-disk encryption
d. Transit encryption
c. Full-disk encryption
135. An application is performing slowly. Management asks the security team to determine if a security compromise is the underlying cause. The security team finds two processes with high resource utilization. Which of the following actions should the team take NEXT?

a. Monitor the IDS/IPS for incidents
b. Perform a vulnerability assessment
c. Initiate a source code review
d. Conduct a baseline comparison
d. Conduct a baseline comparison
136. An application service provider has notified customers of a breach resulting from improper configuration changes. In the incident, a server intended for internal access only was made accessible to external parties. Which of the following configurations were likely to have been improperly modified resulting in the breach?

a. IDS
b. CRL
c. VPN
d. NAT
d. NAT
137. An assessment team is conducting a vulnerability scan of an organization's database servers. During the configuration of the vulnerability scanner, the lead assessor only configures the parameter of the database servers' IP range, and then runs the vulnerability scanner. Which of the following scan types is being run on the database servers?

a. Intrusive
b. Ping sweep
c. Non-credentialed
d. Offline
c. Non-credentialed
138. An attacker drives past a company, captures the name of the WiFi network, and locates a coffee shop near the company. The attacker creates a mobile hotspot with the same name as the company's WiFi. Which of the following BEST describes this wireless attack?

a. War-driving
b. Rogue access point
c. Near-field communication
d. Evil twin
d. Evil twin
139. An attacker has breached multiple lines of information security defense. Which of the following BEST describes why delayed containment would be dangerous?

a. The attacker could be blocked by the NIPS before enough forensic data can be collected.
b. The attacker could erase all evidence of how they compromised the network
c. The attacker could cease all attack activities making forensics more difficult
d. The attacker could escalate unauthorized access or compromise other systems
d. The attacker could escalate unauthorized access or compromise other systems
140. An attacker is attempting to determine the patch-level version a web server is running on its open ports. Which of the following is an active technique that will MOST efficiently determine the information the attacker is seeking?

a. Banner grabbing
b. Vulnerability scanning
c. Port scanning
d. Protocol analysis
a. Banner grabbing
141. An attacker wants to exfiltrate confidential data from an organization. The attacker decides to implement steganography as the method of exfiltration. Which of the following techniques should the attacker use?

a. Encrypt an existing image file
b. Add information to a sound file
c. Hash a known document
d. Use a substitution cipher
b. Add information to a sound file
142. An auditing organization frequently deploys field employees to customer sites worldwide. While at the customer sites, the field employees often need to connect to the local network to access documents and data. Management is concerned that the field employee laptops might become infected with malware while on the customer networks. Which of the following could be deployed to decrease the amount of risk incurred by the field employees?

a. HIPS
b. HOTP
c. HIDS
d. HSM
a. HIPS
143. An auditor is reviewing the following logs from the company's proxy server that is used to store both sensitive and public documents. The documents are edited via a client web interface, and all processing is performed on the server side:

Http://www.documents-portal.com/editdoc.php?document1=this%20is%the %content%20of%20document1
Http://www.documents-portal.com/editdoc.php?document1=this%20is%the %content%20of%20document2
Http://www.documents-portal.com/editdoc.php?document1=this%20is%the %content%20of%20document3

Which of the following should the auditor recommend be implemented?

a. Two-factor authentication should be implemented for sensitive documents
b. Sensitive documents should be signed using enterprise PKI
c. Encryption should be implemented at the transport level
d. Document hashing should be done to preserve document integrity
c. Encryption should be implemented at the transport level
144. An employee connects a wireless access point to the only jack in the conference room to provide internet access during a meeting. The access point is configured to secure its users with WPA2-TKIP. A malicious user is able to intercept clear-text HTTP communication between the meeting attendees and the internet. Which of the following is the reason the malicious user is able to intercept and see the clear-text communications?

a. The malicious user is running a wireless sniffer
b. The wireless access point is broadcasting the SSID
c. The malicious user is able to capture the wired communication
d. The meeting attendees are using unencrypted hard drives
c. The malicious user is able to capture the wired communication
145. An employee connects to a public wireless hotspot during a business trip. The employee attempts to go to a secure website but instead connects to an attacker who is performing a MITM attack. Which of the following should the employee do to mitigate the vulnerability described in the scenario?

a. Connect to a VPN when using public wireless networks
b. Connect only to WPA2 networks regardless of whether the network is public or private
c. Ensure a host-based firewall is installed and running when using public wireless networks
d. Check the address in the web browser before entering credentials
a. Connect to a VPN when using public wireless networks
146. An employee has been terminated due to inappropriate internet use. A computer forensics technician at the organization acquired an image of the hard drive and hashed it using MD5. The former employee has filed a lawsuit. The former employee's attorney requests a copy of the image so it can be independently reviewed by the legal team. Upon receiving the image, the attorney's technician also generates an MD5 hash of the image and comes up with a different output than what was provided. Which of the following MOST likely occurred?

a. The wrong preshared key was used
b. The hashes were produced using different algorithms
c. The hashes were produced on two different operating systems
d. Files on the image have been altered
d. Files on the image have been altered
147. An employee is conducting a presentation at an out-of-town conference center using a laptop. The wireless access point at the employee's office has an SSID of OFFICE. The laptop was set to remember wireless access points. Upon arriving at the conference, the employee powered on the laptop and noticed that it was connected to the OFFICE access point. Which of the following MOST likely occurred?

a. The laptop connected to a legitimate WAP
b. The laptop connected as a result of an IV attack
c. The laptop connected to an evil twin WAP
d. The laptop connected as a result of near field communication
c. The laptop connected to an evil twin WAP
148. An employee is using company time and assets to use a third-party tool to share downloadable media with other users around the world. Sharing downloadable media is not expressly forbidden in the company security policy or acceptable-use policy. Which of the following BEST describes what the security staff should consider adding to these policies?

a. P2P
b. Data handling
c. Social networking
d. Mobile Device Management
a. P2P
149. An engineer is designing a system that needs the fastest encryption possible due to system requirements. Which of the following should the engineer use?

a. Symmetric key
b. RSA-1024
c. Rainbow tables
d. SHA-256
e. Public key encryption
b. RSA-1024
150. An enterprise needs to be able to receive files that contain PII from many customers at different times. The data must remain encrypted during transport and while at rest. Which of the following encryption solutions would meet both of these requirements?

a. PGP
b. SCP
c. SSL
d. TLS
a. PGP
151. An increase in the number of wireless users on the 192.168.6.0/24 subnet has caused the DHCP pool to run out of addresses, which prevents users from accessing important network resources. Which of the following should the administrator do to correct this problem?

a. Decrease the subnet mask network bits
b. Increase the dynamic ARP timeout
c. Switch to static IP address assignment
d. Increase the DHCP lease time
a. Decrease the subnet mask network bits
152. An old 802.11b wireless bridge must be configured to provide confidentiality of data in transit to include the MAC addresses of communicating endpoints. Which of the following can be implemented to meet this requirement?

a. MSCHAPv2
b. WPA2
c. WEP
d. IPsec
b. WPA2
153. An organization decides to implement a BYOD policy but wants to ensure they address requirements associated with any legal investigations and controls needed to comply with the analysis and recreation of an incident. This concern is also known as which of the following?

a. Data ownership
b. Forensics
c. Chain of custody
d. Acceptable use
c. Chain of custody
154. An organization is developing a plan to ensure an earthquake at a datacenter does not disrupt business. The organization has identified all the critical applications within the datacenter, determining the financial loss of an outage of different duration for each application. This effort is known as a:

a. Tabletop exercise
b. High availability
c. Disaster recovery
d. Business impact analysis
e. Risk assessment
d. Business impact analysis
155. An organization received a subpoena requesting access to data that resides on an employee's computer. The organization uses PKI. Which of the following is the BEST way to comply with the request?

a. Certificate authority
b. Public key
c. Key escrow
d. Registration authority
e. Key recovery agent
e. Key recovery agent
156. An organization that uses a cloud infrastructure to present a payment portal is using:

a. Software as a service
b. Platform as a service
c. Monitoring as a service
d. Infrastructure as a service
a. Software as a service
157. An organization uses security tokens as part of two-factor authentication. If the seed values for the tokens are suspected to have been compromised, which of the following actions will mitigate the risk and be the MOST cost-effective?

a. Replace the tokens
b. Issue smartcards
c. Change the token algorithms
d. Have users change their passwords
c. Change the token algorithms
158. An organization's security policy requires secure file transfers to and from internal hosts. An employee is attempting to upload a file using an unsecured method to a Linux-based dedicated file server and fails. Which of the following should the employee use to transfer the file?

a. FTP
b. HTTPS
c. SSL
d. SCP
e. TLS
d. SCP
159. An outside testing company performing black-box testing against a new application determines that it is possible to enter any characters into the application's web-based form. Which of the following controls should the application developers use to prevent this from occurring?

a. CSRF prevention
b. Sandboxing
c. Fuzzing
d. Input validation
d. Input validation
160. Analysis of a recent security breach at an organization revealed that the attack leveraged a telnet server that had not been used in some time. Below are partial results of an audit that occurred a week before the breach was detected.

OPEN PORTS---TCP 23, TCP 80, TCP 443
OS PATCH LEVEL---CURRENT
PASSWORD AUDIT---PASS, STRONG
FILE INTEGRITY---PASS

Which of the following could have mitigated or deterred this breach?

a. Routine patch management on the server
b. Greater frequency of auditing the server logs
c. Password protection on the telnet server
d. Disabling unnecessary services
d. Disabling unnecessary services
161. Ann is attempting to send a digitally signed message to Joe. Which of the following should Ann do?

a. Encrypt a hash of the message with her private key
b. Encrypt a certificate signing request with her private key
c. Encrypt a hash of the message with Joe's public key
d. Encrypt a certificate signing request with Joe's public key
b. Encrypt a certificate signing request with her private key
162. Ann, a security administrator, is hardening the user password policies. She currently has the following in place: passwords expire every 60 days, password length is at least eight characters, and passwords must contain at least one capital letter and one numeric character. She learns that several employees are still using their original passwords after the 60-day forced change. Which of the following can she implement to BEST mitigate this?

a. Lower the password expire time to every 30 days instead of 60 days
b. Require that the password contains at least one capital letter, one numeric character and one special character
c. Change the re-usage time from eight to 16 changes before a password can be repeated
d. Create a rule that users can only change their passwords once every two weeks
d. Create a rule that users can only change their passwords once every two weeks
163. Ann, a security administrator, needs to implement a transport encryption solution that will enable her to detect attempts to sniff packets. Which of the following could be implemented?

a. Elliptical curve algorithms
b. Ephemeral keys
c. Quantum cryptography
d. Steganography
c. Quantum cryptography
164. Ann, the network administrator, is receiving reports regarding a particular wireless network in the building. The network was implemented for specific machines issued to the developer department, but the developers are stating that they are having connection issues as well as slow bandwidth. Reviewing the wireless router's logs, she sees that devices not belonging to the developers are connecting to the access point. Which of the following would BEST alleviate the developers' reports?

a. Configure the router so that wireless access is based upon the connecting device's hardware address.
b. Modify the connection's encryption method so that it is using WEP instead of WPA2.
c. Implement connections via secure tunnel with additional software on the developers' computers.
d. Configure the router so that its name is not visible to devices scanning for wireless networks
a. Configure the router so that wireless access is based upon the connecting device's hardware address.
165. Ann, the software security engineer, works for a major software vendor. Which of the following practices should be implemented to help prevent race conditions, buffer overflows, and other similar vulnerabilities prior to each production release?

a. Product baseline report
b. Input validation
c. Patch regression testing
d. Code review
d. Code review
166. As their data set rapidly grows and changes, a company is experiencing availability problems with their database. The security manager recommends switching to a more scalable system with dynamic schemas. Which of the following would meet the security manager's requirements?

a. SSDs
b. NoSQL
c. MariaDB
d. RDBMS
b. NoSQL
167. Based on a review of the existing access policies the network administrator determines that changes are needed to meet current regulatory requirements of the organization's access control process. To initiate changes in the process, the network administrator should FIRST:

a. Update the affected policies and inform the user community of the changes
b. Distribute a memo stating that all new accounts must follow current regulatory requirements
c. Inform senior management that changes are needed to existing policies
d. Notify the user community that non-compliant accounts will be required to use the new process
c. Inform senior management that changes are needed to existing policies
168. Company policy states that when a virus or malware alert is received, the suspected host is immediately removed from the company network. Which of the following BEST describes this component of incident response?

a. Mitigation
b. Isolation
c. Recovery
d. Reporting
e. Remediation
b. Isolation
169. A security auditor has full knowledge of company configuration and equipment. The auditor performed a test on the network, resulting in an exploitation of a zero-day vulnerability. Which of the following did the security auditor perform?

a. Gray-box test
b. Vulnerability scan
c. Black-box test
d. Penetration test
d. Penetration test
170. Due to hardware limitations, a technician must implement a wireless encryption algorithm that uses the RC4 protocol. Which of the following is a wireless encryption solution that the technician should implement while ensuring the STRONGEST level of security?

a. WPA2-AES
b. 802.11ac
c. WPA-TKIP
d. WEP
c. WPA-TKIP
171. Due to the commonality of Content Management System (CMS) platforms, a website administrator is concerned about security for the organization's new CMS application. Which of the following practices should the administrator implement FIRST to mitigate risks associated with CMS platform implementations?

a. Deploy CAPTCHA features
b. Modify the default account's password
c. Implement two-factor authentication
d. Configure DNS blacklisting
e. Configure password complexity requirements
b. Modify the default account's password
172. During a recent audit, it was discovered that the employee who deploys patches also approves the patches. The audit found there is no documentation supporting the patch management process, and there is no formal vetting of installed patches. Which of the following controls should be implemented to mitigate this risk? (Select TWO)

a. IT contingency planning
b. Change management policy
c. Least privilege
d. Separation of duties
e. Dual control
f. Mandatory job rotation
b. Change management policy
d. Separation of duties
173. During a recent network audit, it was found that several devices on the internal network were not running antivirus or HIPS. Upon further investigation, it was discovered that these devices were new laptops that were deployed without having the end-point protection suite used by the company installed. Which of the following could be used to mitigate the risk of authorized devices that are unprotected residing on the network?

a. Host-based firewall
b. Network-based IPS
c. Centralized end-point management
d. MAC filtering
d. MAC filtering
174. During a recent vulnerability assessment, the pen testers were able to successfully crack a large number of employee passwords. The company technology use agreement clearly states that passwords used on the company network must be at least eight characters long and contain at least one uppercase letter and special character. What can they do to standardize and enforce these rules across the entire organization to resolve this issue?

a. LDAP
b. Group Policy
c. User policy
d. Kerberos
b. Group Policy
175. During a trial for possession of illegal content, a defense attorney argues that several of the files on the forensic image may have been tampered with. How can a technician BEST disprove this argument?

a. Trace the chain-of-custody from the time of arrest until the time of trial
b. Have a forensic investigator undergo a polygraph examination
c. Take hashes from the suspect source drive, and compare them to hashes on the forensics image
d. Access the system logs on the forensic image, and see if any logins occurred after the suspect's arrest
c. Take hashes from the suspect source drive, and compare them to hashes on the forensics image
176. During an audit of a software development organization, an auditor finds the organization did not properly follow industry best practices, including peer review and board approval, prior to moving applications into the production environment. The auditor recommends adopting a formal process incorporating these steps. To remediate the finding, the organization implements:

a. Incident management
b. A configuration management board
c. Asset management
d. Change management
d. Change management
177. Environmental control measures include which of the following?

a. Access list
b. Lighting
c. Motion detection
d. EMI shielding
d. EMI shielding
178. Following a site survey for an upcoming 5GHz wireless network implementation, the project manager determines that several areas of the facility receive inadequate coverage due to the use of vertical antennas on all access points. Which of the following activities would be MOST likely to remediate the issue without changing the current access point layout in the facility?

a. Convert all access points to models operating at 2.4GHz
b. Install antennas with lower front-to-back ratios to narrow the focus of coverage as needed
c. Reorient the existing antennas in horizontal configuration
d. Install unidirectional antennas to focus coverage where needed
d. Install unidirectional antennas to focus coverage where needed
179. A forensics analyst is asked to identify identical files on a hard drive. Due to the large number of files to be compared, the analyst must use an algorithm that is known to have the lowest collision rate. Which of the following should be selected?

a. MD4
b. MD5
c. SHA-128
d. AES-256
c. SHA-128
180. From a network security point of view, the primary reason to implement VLANs is to:

a. Provide Quality of Service
b. Provide load balancing across the network
c. Provide network segmentation
d. Ensure separation of duties
c. Provide network segmentation
181. In order to comply with new auditing standards, a security administrator must be able to compare system security alert logs directly with the employee who triggers the alert. Which of the following should the security administrator implement in order to meet this requirement?

a. Access control lists on the servers
b. Elimination of shared accounts
c. Group-based privileges for accounts
d. Periodic user account access reviews
b. Elimination of shared accounts
182. In order to establish a connection to a server using secure LDAP, which of the following MUST be installed on the client?

a. Server public key
b. Subject alternative name certificate
c. CA anchor of trust
d. Certificate signing request
c. CA anchor of trust
183. In the course of troubleshooting wireless issues from users, a technician discovers that users are connecting to their home SSIDs while at work. The technician scans but detects none of those SSIDs. The technician eventually discovers a rogue access point that spoofs any SSID that a client requests. Which of the following allows wireless use while mitigating this type of attack?

a. Configure the device to verify access point MAC addresses
b. Disable automatic connection to unknown SSIDs
c. Only connect to trusted wireless networks
d. Enable MAC filtering on the wireless access point
d. Enable MAC filtering on the wireless access point
184. Jane, a security analyst, is monitoring the IDS console and notices multiple connections from an internal host to a suspicious call-back domain. Which of the following tools would aid her to decipher the network traffic?

a. Vulnerability scanner
b. Nmap
c. Netstat
d. Packet analyzer
d. Packet analyzer
185. Joe, a system architect, wants to implement appropriate solutions to secure the company's distributed database. Which of the following concepts should be considered to help ensure data security? (Select TWO)

a. Data at rest
b. Data in use
c. Replication
d. Wiping
e. Retention
f. Cloud Storage
a. Data at rest
e. Retention
186. Joe, a user, upon arriving at work on Monday morning, notices several files were deleted from the system. There were no records of any scheduled network outages or upgrades to the system. Joe notifies the security department of the anomaly found and removes the system from the network. Which of the following is the NEXT action that Joe should perform?

a. Screenshots of systems
b. Call the local police
c. Perform a backup
d. Capture system image
a. Screenshots of systems
187. Joe has been in the same IT position for the last 27 years and has developed a lot of the homegrown applications that the company utilizes. The company is concerned that Joe is the only one who can administer these applications. The company should enforce which of the following best security practices to avoid Joe being a single point of failure?

a. Separation of duties
b. Least privilege
c. Job rotation
d. Mandatory vacations
c. Job rotation
188. Joe is a helpdesk specialist. During a routine audit, a company discovered that his credentials were used while he was on vacation. The investigation further confirmed that Joe still has his badge and it was last used to exit the facility. Which of the following access control methods is MOST appropriate for preventing such occurrences in the future?

a. Access control where the credentials cannot be used except when the associated badge is in the facility
b. Access control where system administrators may limit which users can access their systems
c. Access control where employees' access permissions are based on the job title
d. Access control system where badges are only issued to cleared personnel
a. Access control where the credentials cannot be used except when the associated badge is in the facility
189. Joe just installed a new environmental control system (ECS) for a room that is critical to the company's operation and needs the ability to manage and monitor the system from any part of the network. Which of the following should the security administrator utilize to minimize the attack surface and still allow the needed access?

a. Create an encrypted connection between the ECS and the engineer's computer
b. Configure the ECS host-based firewall to block non-ECS application traffic
c. Implement an ACL that permits the necessary management and monitoring traffic
d. Install a firewall that only allows traffic to the ECS from a single management and monitoring network
c. Implement an ACL that permits the necessary management and monitoring traffic
190. Joe must send Ann a message and provide Ann with assurance that he was the actual sender. Which of the following will Joe need to use to BEST accomplish the objective?

a. A pre-shared private key
b. His private key
c. Ann's public key
d. His public key
b. His private key
191. Joe, a security administrator, recently configured a method of secure access for remote administration of network devices. When he attempts to connect to an access layer switch in the organization from outside the network he is unable to successfully connect. Which of the following ports should be open on the firewall for Joe to successfully connect to the switch?

a. TCP 110
b. TCP 161
c. UDP 161
d. UDP 500
b. TCP 161
192. Joe, a system administrator, configured a device to block network traffic from entering the network. The configuration consisted of zero-day exploit awareness at the application layer of the OSI model. The exploit signatures have been seen on the internet daily. Which of the following does this describe?

a. NIDS
b. HIPS
c. HIDS
d. NIPS
d. NIPS
194. Joe, a user, wants to configure his workstation to make certain that the certificate he receives when connecting to websites is still valid. Which of the following should Joe enable on his workstation to achieve this?

a. Certificate revocation
b. Key escrow
c. Registration authority
d. Digital signatures
a. Certificate revocation
195. Joe, an administrator, has been in the same IT position for the past 27 years and has developed a lot of the homegrown applications the company utilizes. The company is concerned that Joe is the only one who can administer these applications. Which of the following best security practices should the company enforce to prevent Joe from being a single point of failure?

a. Separation of duties
b. Least privilege
c. Job rotation
d. Mandatory vacations
c. Job rotation
196. John wants to secure an 802.11n network. Which of the following encryption methods would provide the highest level of protection?

a. WPA
b. WEP
c. WPA2 with AES
d. WPA2 with TKIP
c. WPA2 with AES
197. Log file analysis on a router reveals several unsuccessful telnet attempts to the virtual terminal (VTY) lines. Which of the following represents the BEST configuration used in order to prevent unauthorized remote access while maintaining secure availability for legitimate users?

a. Disable telnet access to the VTY lines, enable SSH access to the VTY lines with RSA encryption
b. Disable both telnet and SSH access to the VTY lines, requiring users to log in using HTTP
c. Disable telnet access to the VTY lines, enable SSH access to the VTY lines with PSK encryption
d. Disable telnet access to the VTY lines, enable SSL access to the VTY lines with RSA encryption
c. Disable telnet access to the VTY lines, enable SSH access to the VTY lines with PSK encryption
198. Many employees are receiving email messages similar to the one shown below:

From: IT Department
To: Employee
Subject: Email quota exceeded

Please check on the following link Http://www.getatme.infoemail.php?quota=Gb and provide your username and password to increase your email quota

Upon reviewing other similar emails, the security administrator realizes that all the phishing URLs have the following common elements: they all use HTTP, they all come from info domains, and they all contain the same URL. Which of the following should the security administrator configure on the corporate content filter to prevent users from accessing the phishing URL, while at the same time minimizing false positives?

a. Block http//www"info"
b. Drop http//"getatme.info/email"php
c. Redirect
d. DENY http://"infoemail.php"quota=Gb
d. DENY http://"infoemail.php"quota=Gb
199. Multi-function devices are being deployed in various departments. All departments will be able to copy, print, and scan to file. Some departments will be authorized to use their devices to fax and email while other departments will not be authorized to use those functions on their devices. Which of the following is the MOST important mitigation technique to avoid an incident?

a. Disabling unnecessary accounts
b. Password protection
c. Monitoring access logs
d. Disabling unnecessary services
d. Disabling unnecessary services
200. Numerous users within an organization are unable to log into the web-based financial application. The network team places a sniffer on the segment where the application resides and sees the following log entries:

05:31:14.312254 10.10.10.25.3389 192.168.2.100.80: SYN
05:31:14:312255 10.10.10.25.3389 192.168.2.100.80: SYN
05:31:14:312256 10.10.10.25.3389 192.168.2.100.80: SYN

Which of the following is MOST likely occurring?

a. DOS attack
b. Ping flood attack
c. Smurf attack
d. Replay attack
e. Xmas attack
a. DOS attack
201. On a campus network, users frequently remove the network cable from desktop NICs and plug personal laptops into the school network. Which of the following could be used to reduce the likelihood of unauthorized laptops on the campus network?

a. Port security
b. Loop protection
c. Flood guards
d. VLANs
a. Port security
202. One of the driving factors towards moving an application to a cloud infrastructure is increased application availability. In the case where a company creates a private cloud, the risk of application downtime is being:

a. Transferred
b. Avoided
c. Mitigated
d. Accepted
b. Avoided
203. Recently, the desktop support group has been performing a hardware refresh and has replaced numerous computers. An auditor discovered that a number of the new computers did not have the company's antivirus software installed on them. Which of the following could be utilized to notify the network support group when computers without the antivirus software are added to the network?

a. Network port protection
b. NAC
c. NIDS
d. MAC filtering
b. NAC
204. Several computers in an organization are running below the normal performance baseline. A security administrator inspects the computers and finds the following pieces of information:

Several users have uninstalled the antivirus software
Some users have installed unauthorized software
Several users have installed pirated software
Some computers have had automatic updating disabled after being deployed
Users have experienced slow responsiveness when using the Internet browser
Users have complete control over critical system properties

Which of the following solutions would have prevented these issues from occurring? (Select TWO)

a. Using snapshots to revert unwanted user changes
b. Using an IPS instead of an antivirus
c. Placing users in appropriate security groups
d. Disabling unnecessary services
e. Utilizing an application whitelist
f. Utilizing an application blacklist
c. Placing users in appropriate security groups
e. Utilizing an application whitelist
205. Several customers received an email from an employee that advertised better rates at a different company. Shortly after the email was sent, Ann, the employee who sent the email, resigned and joined the other company. When confronted, Ann claimed that she did not send the email; it was another person spoofing her email address. Which of the following would eliminate Ann's excuse in the future?

a. Sender policy framework
b. Non-repudiation
c. Encrypted email
d. Outgoing mail filters
b. Non-repudiation
206. Several users require administrative access for software compatibility reasons. Over time, these users have made several changes to important system settings. Which of the following is the BEST course of action to ensure the system settings are properly enforced?

a. Require users to run under a standard user account
b. Use centralized group policy to configure the systems
c. Conduct user access reviews to determine appropriate privileges
d. Implement an application whitelist throughout the company
c. Conduct user access reviews to determine appropriate privileges
207. The administrator set up a new WPA2 Enterprise wireless network using EAP-TLS for authentication. The administrator configured the RADIUS servers with certificates that are trusted by the endpoint devices and rules to authenticate a particular group of users. The administrator is part of the group that is authorized to connect but is unable to connect successfully during the first test of the network. Which of the following is the MOST likely cause of the issue?

a. A rogue access point is intercepting the connection
b. Administrator accounts are not allowed to connect to the network
c. The client NIC does not support AES hardware encryption
d. The DHCP scope is full
e. Client certificates were not deployed
e. Client certificates were not deployed
208. The Chief Information Security Officer wants to move the web server from the public network because it has been breached a number of times in the past month. The CISO does not want to place it in the private network since many external users access the web server to fill out their orders. The company policy does not allow any non-secure protocols into the internal network. Given the circumstances, which of the following would be the BEST course of action?

a. Create an external DMZ network
b. Use NAT on the web server
c. Implement a remote access server
d. Configure a new internal subnet
b. Use NAT on the web server
209. The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to upgrade the entire corporate IT infrastructure. The architecture consists of a centralized cloud environment hosting the majority of data, small server clusters at each corporate location to handle the majority of customer transaction processing, ATMs, and a new mobile banking application accessible from smartphones, tablets, and the Internet via HTTP. The corporation does business in countries having varying data retention and privacy laws. Which of the following technical modifications to the architecture and corresponding security controls should be implemented to provide the MOST complete protection of data?

a. Revoke exiting root certificates, re-issue new customer certificates, and ensure all transactions are digitally signed to minimize fraud, implement encryption for data in-transit between data centers
b. Ensure all data is encryption according to the most stringent regulatory guidance applicable, implement encryption for data in-transit between data centers, increase data availability by replicating all data, transaction data, logs between each corporate location
c. Store customer data based on national borders, ensure end-to end encryption between ATMs, end users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations
d. Install redundant servers to handle corporate customer processing, encrypt all customer data to ease the transfer from one country to another, implement end-to-end encryption between mobile applications and the cloud.
c. Store customer data based on national borders, ensure end-to end encryption between ATMs, end users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations
210. The content of a document that is routinely used by several employees and contains confidential information has been changed. While investigating the issue, it is discovered that payment information for all of the company's clients has been removed from the document. Which of the following could be used to determine who changed the information?

a. Audit logs
b. Server baseline
c. Document hashing
d. Change management
a. Audit logs
211. The CSO is concerned with unauthorized access at the company's off-site datacenter. The CSO would like to enhance the security posture of the datacenter. Which of the following would BEST prevent unauthorized individuals from gaining access to the datacenter?

a. Security guard
b. Video monitoring
c. Magnetic entry cards
d. Fencing
a. Security guard
212. The firewall administrator is installing a VPN application and must allow GRE through the firewall. Which of the following MUST the administrator allow through the firewall?

a. IPSec
b. IP protocol 47
c. IP protocol 50
d. IP protocol 51
b. IP protocol 47
213. The first responder to an incident has been asked to provide an after-action report. This supports which of the following Incident Response procedures?

a. Incident identification
b. Mitigation
c. Lessons learned
d. Escalation/Notification
c. Lessons learned
214. The network administrator for a small business is configuring a wireless network for 20 users. Which of the following explains why the administrator would choose WPA2-Personal over WPA2-Enterprise?

a. It does not require a RADIUS server
b. It uses 3DES encryption
c. It has 14 channels available
d. It allows a separate password for each device
a. It does not require a RADIUS server
215. The network administrator is installing RS-485 terminal servers to provide card readers to vending machines. Which of the following should be performed to protect the terminal servers?

a. Flood guard
b. 802.1X
c. Network separation
d. Port security
c. Network separation
216. The network administrator wants to assign VLANs based on which user is logging into the network. Which of the following should the administrator use to accomplish this? (Select TWO)

a. MAC filtering
b. RADIUS
c. 802.1af
d. 802.11ac
e. 802.1x
f. 802.3q
a. MAC filtering
e. 802.1x
217. The network engineer for an organization intends to use certificate-based 802.1X authentication on a network. The engineer's organization has an existing PKI that is used to issue server and user certificates. The PKI is currently not configured to support the issuance of 802.1X certificates. Which of the following represents an item the engineer MUST configure?

a. OCSP responder
b. Web enrollment portal
c. Symmetric cryptography
d. Certificate extension
d. Certificate extension
218. The network administrator sees a "%CAM-TABLE-FULL" message on a network switch. Upon investigation, the administrator notices thousands of MAC addresses associated with a single untagged port. Which of the following should be implemented to prevent this type of attack?

a. Port security
b. BPDU guard
c. 802.1x
d. TACACS+
b. BPDU guard
219. The operations manager for a sales group wants to ensure that sales personnel are able to use their laptops and other portable devices throughout a building using both wireless and wired connectivity. Which of the following technologies would be MOST effective at increasing security of the network while still maintaining the level of accessibility the operations manager requested?

a. 802.1x
b. 802.11n
c. WPA2 authentication
d. VLAN isolation
e. Authenticated web proxy
a. 802.1x
220. The remote branch of an organization has been assigned two public IP addresses by an ISP. The organization has ten workstations and a wireless router. Which of the following should be deployed to ensure that all devices have internet access?

a. VLAN
b. PAT
c. NAC
d. DMZ
b. PAT
221. The sales force in an organization frequently travels to remote sites and requires secure access to an internal server with an IP address of 192.168.0.220. Assuming services are using default ports, which of the following firewall rules would accomplish this objective? (Select TWO)

a. Permit TCP 20 any 192.168.0.200
b. Permit TCP 21 any 192.168.0.200
c. Permit TCP 22 any 192.168.0.200
d. Permit TCP 110 any 192.168.0.200
e. Permit TCP 139 any 192.168.0.200
f. Permit TCP 3389 any 192.168.0.200
c. Permit TCP 22 any 192.168.0.200
f. Permit TCP 3389 any 192.168.0.200
222. The security administrator for a growing company is concerned about the increasing prevalence of personal devices connected to the corporate WLAN. Which of the following actions should the administrator take FIRST to address this concern?

a. Implement RADIUS to centrally manage access to the corporate network over Wi-Fi
b. Request that senior management support the development of a policy that addresses personal devices
c. Establish a guest-access wireless network and request that employees use the guest network
d. Distribute a memo addressing the security risks associated with the use of personally-owned devices on the corporate WLAN
b. Request that senior management support the development of a policy that addresses personal devices
223. The security administrator generates a key pair and sends one key inside a request file to a third party. The third party sends back a signed file. In this scenario the file sent by the administrator is a:

a. CA
b. CRL
c. KEK
d. PKI
e. CSR
e. CSR
224. The security administrator is analyzing a user's history file on a Unix server to determine if the user was attempting to break out of a rootjail. Which of the following lines in the user's history log shows evidence that the user attempted to escape the rootjail?

a. cd ../../../../bin/bash
b. whoami
c. ls /root
d. sudo -u root
a. cd ../../../../bin/bash
225. The security administrator receives a service ticket saying a host-based firewall is interfering with the operation of a new application that is being tested in development. The administrator asks for clarification on which ports need to be open. The software vendor replies that it could use up to 20 ports and many customers have disabled the host-based firewall. After examining the system, the administrator sees several ports that are open for database and application servers that are only used locally. The vendor continues to recommend disabling the host-based firewall. Which of the following is the BEST course of action for the administrator to take?

a. Allow ports used by the application through the network firewall
b. Allow ports used externally through the host firewall
c. Follow the vendor's recommendation and disable the host firewall
d. Allow ports used locally through the host firewall
c. Follow the vendor's recommendation and disable the host firewall
226. The security director has a mantrap installed for the company's data center. This control is installed to mitigate:

a. Transitive access
b. Tailgating
c. Shoulder surfing
d. Impersonation
b. Tailgating
227. The security manager has learned a user inadvertently sent encrypted PII to an incorrect distribution group. The manager has instructed the user to immediately recall the message. Recipients are instructed to delete the email from all queues and devices. This is an example of which of the following incident response procedures?

a. Reporting
b. Escalation
c. Mitigation
d. Isolation
c. Mitigation
228. The SSID broadcast for a wireless router has been disabled, but a network administrator notices that unauthorized users are accessing the wireless network. The administrator has determined that attackers are still able to detect the presence of the wireless network despite the fact that the SSID has been disabled. Which of the following would further obscure the presence of the wireless network?

a. Upgrade the encryption to WPA or WPA2
b. Create a non-zero length SSID for the wireless router
c. Reroute wireless users to a honeynet
d. Disable responses to a broadcast probe request
d. Disable responses to a broadcast probe request
229. The user of a news service accidentally accesses another user's browsing history. From this the user can tell what competitors are reading, querying, and researching. The news service has failed to properly implement which of the following?

a. Application white listing
b. In-transit protection
c. Access controls
d. Full-disk encryption
c. Access controls
230. Two companies are partnering to bid on a contract. Normally these companies are fierce competitors, but for this procurement they have determined that a partnership is the only way they can win the job. Each company is concerned about unauthorized data sharing and wants to ensure other divisions within each company will not have access to proprietary data. To best protect against unauthorized data sharing they should each sign a(n):

a. NDA
b. SLA
c. MOU
d. BPA
d. BPA
231. Virtualization that allows an operating system kernel to run multiple isolated instances of a guest OS is:

a. Process segregation
b. Software defined network
c. Containers
d. Emulation
c. Containers
232. Virtualization would provide an ROI when implemented under which of the following situations?

a. Numerous servers with no fail-over requirement
b. Multiple existing 100% utilized physical servers
c. Numerous clients with a requirement for fast processors
d. Multiple existing but underutilized physical servers
d. Multiple existing but underutilized physical servers
233. What can be implemented to address the findings that revealed a company is lacking deterrent security controls?

a. Rogue machine detection
b. Continuous security monitoring
c. Security cameras
d. IDS
c. Security cameras
234. What is the name for an attack that can be used to guess the PIN of an access point for the purpose of connecting to the wireless network?

a. IV attack
b. Rainbow table attack
c. Replay attack
d. WPS attack
d. WPS attack
235. What technology would you use to ensure that the systems your organization uses are deployed as securely as possible and to prevent files and services from operating outside of a strict rule set?

a. Host-based intrusion detection
b. Host-based firewall
c. Trusted OS
d. Antivirus
b. Host-based firewall
236. When generating a request for a new x.509 certificate for securing a website, which of the following is the MOST appropriate hashing algorithm?

a. RC4
b. MD5
c. RIPEMD
d. SHA
d. SHA
237. When implementing a mobile security strategy for an organization, which of the following is the MOST influential concern that contributes to that organization's ability to extend enterprise policies to mobile devices?

a. Support for mobile OS
b. Support of mobile apps
c. Availability of mobile browsers
d. Public key management
a. Support for mobile OS
238. When implementing a new system, a system administrator works with the information system owner to identify and document the responsibilities of various positions within the organization. Once responsibilities are identified, groups are created within the system to accommodate the various responsibilities of each position type, with users being placed in these groups. Which of the following principles of authorization is being developed?

a. Rule-based access control
b. Least privilege
c. Separation of duties
d. Access control lists
e. Role-Based access control
e. Role-Based access control
240. When implementing a Public Key Infrastructure, which of the following should the sender use to digitally sign a document?

a. A CSR
b. A private key
c. A certificate authority
d. A public key
b. A private key
241. When performing a risk analysis, which of the following is considered a threat?

a. The potential exploitation of a vulnerability
b. The presence of a risk in the environment
c. The transference of risk to another party
d. The lack of mitigation for vulnerabilities
a. The potential exploitation of a vulnerability
242. Which of the following allows an application to securely authenticate a user by receiving credentials from a remote web domain?

a. TACACS+
b. RADIUS
c. Kerberos
d. SAML
b. RADIUS
243. Which of the following are BEST used in the process of hardening a public facing web server? (Select TWO)

a. Vulnerability scanner
b. Protocol analyzer
c. Honeynet
d. Port scanner
e. Honeypot
a. Vulnerability scanner
b. Protocol analyzer
244. Which of the following attack types is MOST likely to cause damage or data loss for an organization and be difficult to investigate?

a. Man-in-the-middle
b. Spoofing
c. DDoS
d. Malicious insider
c. DDoS
245. Which of the following attacks is generally initiated from a botnet?

a. Cross-site scripting attack
b. HTTP header injection
c. Distributed denial-of-service
d. A war-driving attack
c. Distributed denial-of-service
246. Which of the following authentication services is BEST suited for an environment that requires the TCP protocol with a clear-text payload?

a. LDAP
b. TACACS+
c. SAML
d. RADIUS
b. TACACS+
247. Which of the following authentication services uses a default TCP of 389?

a. SAML
b. TACACS+
c. Kerberos
d. LDAP
d. LDAP
248. Which of the following authentication services utilizes UDP for communication between client and server?

a. Kerberos
b. TACACS+
c. LDAP
d. RADIUS
d. RADIUS
249. Which of the following BEST describes the benefits of using Extended Validation?

a. Does not use standard x.509 V3 certificates
b. Enhances SSL session key exchange preventing man-in-the-middle attacks
c. The website provider demonstrates an additional level of trust
d. Provides stronger enforcement of SSL encryption algorithms
c. The website provider demonstrates an additional level of trust
250. Which of the following BEST represents a security challenge faced primarily by organizations employing a mobility BYOD strategy?

a. Balancing between the security of personal information and the company's information sharing requirements
b. Balancing between the assurance of individual privacy rights and the security of corporate data
c. Balancing between device configuration enforcement and the management of cryptographic keys
d. Balancing between the financial security of the company and the financial security of the user
b. Balancing between the assurance of individual privacy rights and the security of corporate data
251. Which of the following can be used by PPP for authentication?

a. CHAP
b. RSA
c. PGP
d. HMAC
a. CHAP
252. Which of the following can be used to maintain a higher level of security in a SAN by allowing isolation of mis-configurations or faults?

a. VLAN
b. Protocol security
c. Port security
d. VSAN
d. VSAN
253. Which of the following could a security administrator implement to mitigate the risk of tailgating for a large organization?

a. Train employees on correct data disposal techniques and enforce policies.
b. Only allow employees to enter or leave through one door at specified times of the day.
c. Only allow employees to go on break one at a time and post security guards 24/7 at each entrance.
d. Train employees on risks associated with social engineering attacks and enforce policies.
d. Train employees on risks associated with social engineering attacks and enforce policies.
254. Which of the following is a contract with a service provider that typically includes performance parameters like MTBF and MTTR?

a. SLA
b. NDA
c. ISA
d. MOU
e. ALE
a. SLA
255. Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing data in use?

a. Email scanning
b. Content discovery
c. Database fingerprinting
d. Endpoint protection
d. Endpoint protection
256. Which of the following is a security advantage of using NoSQL vs. SQL databases in a three-tier environment?

a. NoSQL databases are not vulnerable to XSRF attacks from the application server.
b. NoSQL databases are not vulnerable to SQL injection attacks.
c. NoSQL databases encrypt sensitive information by default.
d. NoSQL databases perform faster than SQL databases on the same hardware
b. NoSQL databases are not vulnerable to SQL injection attacks.
257. Which of the following is a security weakness associated with software-based disk encryption?

a. Employed encryption algorithms are generally weaker when implemented in software
b. A dedicated processor is used by the cryptomodule
c. The key can be physically extracted from the encrypted medium
d. Cryptographic operations can be far slower than with hardware-based encryption
d. Cryptographic operations can be far slower than with hardware-based encryption
258. Which of the following is a suitable method of checking for revoked certificates in a client/server environment with connectivity to the issuing PKI?

a. HSM
b. CRL
c. OCSP
d. CSR
b. CRL
259. Which of the following is an administrative control used to reduce tailgating?

a. Delivering security training
b. Erecting a fence
c. Implementing magnetic locks and doors
d. Installing a mantrap
a. Delivering security training
260. Which of the following is considered the MOST effective practice when securing printers or scanners in an enterprise environment?

a. Routine vulnerability scanning of peripherals
b. Install in a hardened network segment
c. Turn off the power to the peripherals at night
d. Enable print sharing only from workstations
a. Routine vulnerability scanning of peripherals
261. Which of the following is important to reduce risk?

a. Separation of duties
b. Risk acceptance
c. Risk transference
d. Threat modeling
c. Risk transference
262. Which of the following is susceptible to an attack that can obtain the wireless password by brute-forcing a 4-digit PIN followed by a 3-digit PIN?

a. WPA
b. WPS
c. WEP
d. WPA2
b. WPS
263. Which of the following is the FASTEST method to disclose one-way hashed passwords?

a. Rainbow tables
b. Private key disclosure
c. Dictionary attack
d. Brute Force
a. Rainbow tables
264. Which of the following is the MAIN purpose for incorporating a DMZ into the design of a network?

a. Incorporate a secure place to house print servers and other networking equipment
b. Have Rod come out and secure the network even if he knows nothing about it
c. Facilitate the creation of resources accessed by internal users in a secure manner
d. Provide an isolated location for servers accessed from the intra and inter networks
d. Provide an isolated location for servers accessed from the intra and inter networks
265. Which of the following is the MOST influential concern that contributes to an organization's ability to extend enterprise policies to mobile devices?

a. Support of mobile OS
b. Availability of mobile browsers
c. Support of mobile apps
d. Public key management
a. Support of mobile OS
266. Which of the following MUST be implemented to ensure accountability?

a. Employ access control lists
b. Configure password complexity
c. Disable shared accounts
d. Change default passwords
c. Disable shared accounts
267. Which of the following network configurations provides security analysts with the MOST information regarding threats, while minimizing the risk to internal corporate assets?

a. Configuring the wireless access point to be unencrypted
b. Increasing the logging level of internal corporate devices
c. Allowing inbound traffic to a honeypot on the corporate LAN
d. Placing a NIDS between the corporate firewall and ISP
c. Allowing inbound traffic to a honeypot on the corporate LAN
268. Which of the following network design components would assist in separating network traffic based on the logical location of users?

a. IPSec
b. NAC
c. VLAN
d. DMZ
c. VLAN
269. Which of the following network design elements allows for many internal devices to share one public IP address?

a. DNAT
b. PAT
c. DNS
d. DMZ
b. PAT
270. Which of the following ports will be used for logging into secure websites?

a. 80
b. 110
c. 142
d. 443
d. 443
271. Which of the following provides a safe, contained environment in which to enforce physical security?

a. Hot site
b. Mantrap
c. Virtualized sandbox
d. Bollards
c. Virtualized sandbox
272. Which of the following remote authentication methods uses a reliable transport layer protocol for communication?

a. RADIUS
b. LDAP
c. TACACS+
d. SAML
c. TACACS+
273. Which of the following should be implemented to enforce the corporate policy requiring up-to-date OS patches on all computers connecting to the network via VPN?

a. VLAN
b. NAT
c. NAC
d. DMZ
c. NAC
274. Which of the following should be used to implement voice encryption?

a. SSLv3
b. VDSL
c. SRTP
d. VoIP
c. SRTP
275. Which of the following should be used to secure data-in-use?

a. Whole-memory encryption
b. Whole-disk encryption
c. SSL/TLS
d. PGP
a. Whole-memory encryption
276. Which of the following should mobile devices use in order to protect against data theft in an offline attack?

a. Application controls
b. Full-device encryption
c. Storage segmentation
d. Whitelisting
e. Remote wiping
b. Full-device encryption
277. Which of the following should you implement if you want to preserve your internal authentication and authorization process and credentials if you are going to a cloud service provider?

a. Dual-factor authentication
b. Federation
c. Single sign-on
d. TOTP
c. Single sign-on
278. Which of the following social engineering attacks would describe a situation where an attacker calls an employee while impersonating a corporate executive?

a. Vishing
b. Pharming
c. Whaling
d. Pharrming
a. Vishing
279. Which of the following types of attacks are MOST likely to be successful when using fuzzing against an executable program? (Select TWO)

a. SQL injection
b. Session hijacking
c. Integer overflow
d. Buffer overflow
e. Header manipulation
c. Integer overflow
d. Buffer overflow
280. Which of the following types of attacks uses email to specifically target high-level officials within an organization?

a. Spim
b. Spear Phishing
c. Pharming
d. Spoofing
b. Spear Phishing
281. Which of the following would enhance the security of accessing data stored in the cloud? (Select TWO)

a. Block-level encryption
b. SAML authentication
c. Transport encryption
d. Multifactor authentication
e. Predefined challenge questions
f. Hashing
d. Multifactor authentication
e. Predefined challenge questions
282. Which of the following would provide you with a measure of the frequency at which critical business systems experience breakdowns?

a. MTTR
b. MTBF
c. MTTF
d. MTU
b. MTBF
283. While performing surveillance activities, an attacker determined that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security controls?

a. MAC spoofing
b. Pharming
c. Xmas attack
d. ARP Poisoning
a. MAC spoofing
284. While responding to an incident on a new Windows server, the administrator needs to disable unused services. Which of the following commands can be used to see processes that are listening on a TCP port?

a. Ipconfig
b. Netstat
c. Psinfo
d. Net session
b. Netstat
285. While testing a new host-based firewall configuration a security administrator inadvertently blocks access to localhost which causes problems with applications running on the host. Which of the following addresses refer to localhost?

a. ::0
b. 127.0.0.0
c. 127.0.0.1
d. 127.0.0/8
e. 127::0.1
c. 127.0.0.1
286. You want to communicate securely with a third party via email using PGP. Which of the following should you send to the third party to enable the third party to securely encrypt email replies?

a. Private key
b. Key escrow
c. Public key
d. Recovery key
c. Public key
287. You want to create several different environments for application development, testing, and quality control. Controls are being put into place to manage how software is moved into the production environment. Which of the following should the software development manager request to be put into place to implement the three new environments?

a. Application firewalls
b. Network segmentation
c. Trusted computing
d. NAT
b. Network segmentation