Pre-Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > CompTIA > CompTIA Security+ > SY0-701

SY0-701 CompTIA Security+ Exam 2026 Question and Answers

Question # 4

Which of the following would enable a data center to remain operational through a multiday power outage?

A.

Generator

B.

Uninterruptible power supply

C.

Replication

D.

Parallel processing

Full Access
Question # 5

An organization is evaluating the cost of licensing a new solution to prevent ransomware. Which of the following is the most helpful in making this decision?

A.

ALE

B.

SLE

C.

RTO

D.

ARO

Full Access
Question # 6

Which of the following most securely protects data at rest?

A.

TLS 1.2

B.

AES-256

C.

Masking

D.

Salting

Full Access
Question # 7

An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?

A.

Exception

B.

Segmentation

C.

Risk transfer

D.

Compensating controls

Full Access
Question # 8

A company wants to verify that the software the company is deploying came from the vendor the company purchased the software from. Which of the following is the best way for the company to confirm this information?

A.

Validate the code signature.

B.

Execute the code in a sandbox.

C.

Search the executable for ASCII strings.

D.

Generate a hash of the files.

Full Access
Question # 9

A company deploys a new server that a client must be able to access it at all times. Which of the following will support this availability requirement?

A.

Proxy server

B.

Jump server

C.

Geographic restrictions

D.

Load balancer

Full Access
Question # 10

Which of the following techniques would attract the attention of a malicious attacker in an insider threat scenario?

A.

Creating a false text file in /docs/salaries

B.

Setting weak passwords in /etc/shadow

C.

Scheduling vulnerable jobs in /etc/crontab

D.

Adding a fake account to /etc/passwd

Full Access
Question # 11

A security administrator is deploying a DLP solution to prevent the exfiltration of sensitive customer data. Which of the following should the administrator do first?

A.

Block access to cloud storage websites.

B.

Create a rule to block outgoing email attachments.

C.

Apply classifications to the data.

D.

Remove all user permissions from shares on the file server.

Full Access
Question # 12

A security team wants WAF policies to be automatically created when applications are deployed. Which concept describes this capability?

A.

IaC

B.

IoT

C.

IoC

D.

IaaS

Full Access
Question # 13

A security analyst receives an alert that an employee has clicked on a phishing email and exposed their credentials. Which of the following should the analyst do?

A.

Notify all employees about the phishing attack and instruct them to avoid suspicious emails.

B.

Wait for confirmation from the employee before making any changes to the account.

C.

Reimage the employee ' s workstation to ensure no malware is present.

D.

Lock the employee ' s account to prevent further unauthorized access.

Full Access
Question # 14

Which of the following describes the reason for using an MDM solution to prevent jailbreaking?

A.

To secure end-of-life devices from incompatible firmware updates

B.

To avoid hypervisor attacks through VM escape

C.

To eliminate buffer overflows at the application layer

D.

To prevent users from changing the OS of mobile devices

Full Access
Question # 15

Which of the following strategies should an organization use to efficiently manage and analyze multiple types of logs?

A.

Deploy a SIEM solution

B.

Create custom scripts to aggregate and analyze logs

C.

Implement EDR technology

D.

Install a unified threat management appliance

Full Access
Question # 16

Which of the following threat actors would most likely deface the website of a high-profile music group?

A.

Unskilled attacker

B.

Organized crime

C.

Nation-state

D.

Insider threat

Full Access
Question # 17

A network manager wants to protect the company ' s VPN by implementing multifactor authentication that uses:

. Something you know

. Something you have

. Something you are

Which of the following would accomplish the manager ' s goal?

A.

Domain name, PKI, GeolP lookup

B.

VPN IP address, company ID, facial structure

C.

Password, authentication token, thumbprint

D.

Company URL, TLS certificate, home address

Full Access
Question # 18

A legal department must maintain a backup from all devices that have been shredded and recycled by a third party. Which of the following best describes this requirement?

A.

Data retention

B.

Certification

C.

Sanitation

D.

Destruction

Full Access
Question # 19

A penetration tester must conduct a vulnerability assessment on a target network to identify potential security weaknesses. Which of the following tools will best achieve this goal?

A.

Metasploit

B.

Burp Suite

C.

Nessus

D.

Wireshark

Full Access
Question # 20

An analyst is reviewing an incident in which a user clicked on a link in a phishing email. Which of the following log sources would the analyst utilize to determine whether the connection was successful?

A.

Network

B.

System

C.

Application

D.

Authentication

Full Access
Question # 21

A company is changing its mobile device policy. The company has the following requirements:

Company-owned devices

Ability to harden the devices

Reduced security risk

Compatibility with company resources

Which of the following would best meet these requirements?

A.

BYOD

B.

CYOD

C.

COPE

D.

COBO

Full Access
Question # 22

Which of the following is the best safeguard to protect against an extended power failure?

A.

Off-site backups

B.

Batteries

C.

Uninterruptible power supplies

D.

Generators

Full Access
Question # 23

A security analyst is reviewing the source code of an application to identify misconfigurations and vulnerabilities. Which of the following kinds of analysis best describes this review?

A.

Dynamic

B.

Static

C.

Gap

D.

Impact

Full Access
Question # 24

An organization is adopting cloud services at a rapid pace and now has multiple SaaS applications in use. Each application has a separate log-in. so the security team wants to reduce the number of credentials each employee must maintain. Which of the following is the first step the security team should take?

A.

Enable SAML

B.

Create OAuth tokens.

C.

Use password vaulting.

D.

Select an IdP

Full Access
Question # 25

A security team must help secure a company site after attackers defaced it. The site must be available to a wide range of countries over a secure protocol, but access from known malicious networks should be blocked. Which of the following will best secure the site?

A.

Next-generation firewall

B.

Reverse proxy

C.

IPSec gateway

D.

Access control server

Full Access
Question # 26

A security analyst is prioritizing vulnerability scan results using a risk-based approach. Which of the following is the most efficient resource for the analyst to use?

A.

Business impact analysis

B.

Common Vulnerability Scoring System

C.

Risk register

D.

Exposure factor

Full Access
Question # 27

While investigating a possible incident, a security analyst discovers the following log entries:

67.118.34.157 ----- [28/Jul/2022:10:26:59 -0300] " GET /query.php?q-wireless%20headphones / HTTP/1.0 " 200 12737

132.18.222.103 ----[28/Jul/2022:10:27:10 -0300] " GET /query.php?q=123 INSERT INTO users VALUES( ' temp ' , ' pass123 ' )# / HTTP/1.0 " 200 935

12.45.101.121 ----- [28/Jul/2022:10:27:22 -0300] " GET /query.php?q=mp3%20players I HTTP/1.0 " 200 14650

Which of the following should the analyst do first?

A.

Implement a WAF

B.

Disable the query .php script

C.

Block brute-force attempts on temporary users

D.

Check the users table for new accounts

Full Access
Question # 28

Employees are missing features on company-provided tablets, affecting productivity. Management demands resolution in 48 hours. Which is the best solution?

A.

EDR

B.

COPE

C.

MDM

D.

FDE

Full Access
Question # 29

After an audit, an administrator discovers all users have access to confidential data on a file server. Which of the following should the administrator use to restrict access to the data quickly?

A.

Group Policy

B.

Content filtering

C.

Data loss prevention

D.

Access control lists

Full Access
Question # 30

Which of the following describes the difference between encryption and hashing?

A.

Encryption protects data in transit, while hashing protects data at rest.

B.

Encryption replaces cleartext with ciphertext, while hashing calculates a checksum.

C.

Encryption ensures data integrity, while hashing ensures data confidentiality.

D.

Encryption uses a public-key exchange, while hashing uses a private key.

Full Access
Question # 31

A business is expanding to a new country and must protect customers from accidental disclosure of specific national identity information. Which of the following should the security engineer update to best meet business requirements?

A.

SIEM

B.

SCAP

C.

DLP

D.

WAF

Full Access
Question # 32

An employee used a company ' s billing system to issue fraudulent checks. The administrator is looking for evidence of other occurrences of this activity. Which of the following should the administrator examine?

A.

Application logs

B.

Vulnerability scanner logs

C.

IDS/IPS logs

D.

Firewall logs

Full Access
Question # 33

Which of the following elements of digital forensics should a company use If It needs to ensure the integrity of evidence?

A.

Preservation

B.

E-discovery

C.

Acquisition

D.

Containment

Full Access
Question # 34

A user is attempting to patch a critical system, but the patch fails to transfer. Which of the following access controls is most likely inhibiting the transfer?

A.

Attribute-based

B.

Time of day

C.

Role-based

D.

Least privilege

Full Access
Question # 35

A growing organization, which hosts an externally accessible application, adds multiple virtual servers to improve application performance and decrease the resource usage on individual servers Which of the following solutions is the organization most likely to employ to further increase performance and availability?

A.

Load balancer

B.

Jump server

C.

Proxy server

D.

SD-WAN

Full Access
Question # 36

Which of the following is a type of vulnerability that involves inserting scripts into web-based applications in order to take control of the client ' s web browser?

A.

SQL injection

B.

Cross-site scripting

C.

Zero-day exploit

D.

On-path attack

Full Access
Question # 37

A company makes a change during the appropriate change window, but the unsuccessful change extends beyond the scheduled time and impacts customers. Which of the following would prevent this from reoccurring?

A.

User notification

B.

Change approval

C.

Risk analysis

D.

Backout plan

Full Access
Question # 38

Which of the following threat actors would most likely target an organization by using a logic bomb within an internally-developed application?

A.

Nation-state

B.

Trusted insider

C.

Organized crime group

D.

Hacktivist

Full Access
Question # 39

A security analyst needs to improve the company’s authentication policy following a password audit. Which of the following should be included in the policy? (Select two).

A.

Length

B.

Complexity

C.

Least privilege

D.

Something you have

E.

Security keys

F.

Biometrics

Full Access
Question # 40

An accounting clerk sent money to an attacker ' s bank account after receiving fraudulent instructions over the phone to use a new account. Which of the following would most likely prevent this activity in the future?

A.

Standardizing security incident reporting

B.

Executing regular phishing campaigns

C.

Implementing insider threat detection measures

D.

Updating processes for sending wire transfers

Full Access
Question # 41

A company is developing a critical system for the government and storing project information on a fileshare. Which of the following describes how this data will most likely be classified? (Select two).

A.

Private

B.

Confidential

C.

Public

D.

Operational

E.

Urgent

F.

Restricted

Full Access
Question # 42

The local administrator account for a company ' s VPN appliance was unexpectedly used to log in to the remote management interface. Which of the following would have most likely prevented this from happening ' ?

A.

Using least privilege

B.

Changing the default password

C.

Assigning individual user IDs

D.

Reviewing logs more frequently

Full Access
Question # 43

Which of the following types of identification methods can be performed on a deployed application during runtime?

A.

Dynamic analysis

B.

Code review

C.

Package monitoring

D.

Bug bounty

Full Access
Question # 44

A security manager created new documentation to use in response to various types of security incidents. Which of the following is the next step the manager should take?

A.

Set the maximum data retention policy.

B.

Securely store the documents on an air-gapped network.

C.

Review the documents ' data classification policy.

D.

Conduct a tabletop exercise with the team.

Full Access
Question # 45

An organization is required to provide assurance that its controls are properly designed and operating effectively. Which of the following reports will best achieve the objective?

A.

Red teaming

B.

Penetration testing

C.

Independent audit

D.

Vulnerability assessment

Full Access
Question # 46

An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a “page not found” error message. Which of the following types of social engineering attacks occurred?

A.

Brand impersonation

B.

Pretexting

C.

Typosquatting

D.

Phishing

Full Access
Question # 47

An organization has issues with deleted network share data and improper permissions. Which solution helps track and remediate these?

A.

DLP

B.

EDR

C.

FIM

D.

ACL

Full Access
Question # 48

A client demands at least 99.99% uptime from a service provider ' s hosted security services. Which of the following documents includes the information the service provider should return to the client?

A.

MOA

B.

SOW

C.

MOU

D.

SLA

Full Access
Question # 49

Which of the following security controls are a company implementing by deploying HIPS? (Select two).

A.

Directive

B.

Preventive

C.

Physical

D.

Corrective

E.

Compensating

F.

Detective

Full Access
Question # 50

A systems administrator discovers a system that is no longer receiving support from the vendor. However, this system and its environment are critical to running the business, cannot be modified, and must stay online. Which of the following risk treatments is the most appropriate in this situation?

A.

Refect

B.

Accept

C.

Transfer

D.

Avoid

Full Access
Question # 51

An organization issued new laptops to all employees and wants to provide web filtering both in and out of the office without configuring additional access to the network. Which of the following types of web filtering should a systems administrator configure?

A.

Agent-based

B.

Centralized proxy

C.

URL scanning

D.

Content categorization

Full Access
Question # 52

Which of the following best summarizes the reason for an AUP?

A.

To provide a framework for performing a security assessment

B.

To provide guidance regarding the permitted operations of a system

C.

To provide procedures for restoring a resource in the event of an incident

D.

To provide an agreement between a vendor and service provider

Full Access
Question # 53

Which of the following best represents how frequently an incident is expected to happen each year?

A.

RTO

B.

ALE

C.

SLE

D.

ARO

Full Access
Question # 54

Which of the following is an example of implementing Zero Trust architecture?

A.

Building strong network boundaries to prevent intrusion

B.

Verifying user identity once at the start of the session

C.

Granting resource access after continuous validation

D.

Prioritizing perimeter defense to block external threats

Full Access
Question # 55

An IT manager is increasing the security capabilities of an organization after a data classification initiative determined that sensitive data could be exfiltrated from the environment. Which of the following solutions would mitigate the risk?

A.

XDR

B.

SPF

C.

DLP

D.

DMARC

Full Access
Question # 56

Which of the following exercises should an organization use to improve its incident response process?

A.

Tabletop

B.

Replication

C.

Failover

D.

Recovery

Full Access
Question # 57

As part of new compliance audit requirements, multiple servers need to be segmented on different networks and should be reachable only from authorized internal systems. Which of the following would meet the requirements?

A.

Configure firewall rules to block external access to Internal resources.

B.

Set up a WAP to allow internal access from public networks.

C.

Implement a new IPSec tunnel from internal resources.

D.

Deploy an Internal Jump server to access resources.

Full Access
Question # 58

A company wants to use new Wi-Fi-enabled environmental sensors to automatically collect metrics. Which of the following will the security team most likely do?

A.

Add the sensor software to the risk register.

B.

Create a VLAN for the sensors.

C.

Physically air gap the sensors.

D.

Configure TLS 1.2 on all sensors.

Full Access
Question # 59

A cyber operations team informs a security analyst about a new tactic malicious actors are using to compromise networks.

SIEM alerts have not yet been configured. Which of the following best describes what the security analyst should do to identify this behavior?

A.

[Digital forensics

B.

E-discovery

C.

Incident response

D.

Threat hunting

Full Access
Question # 60

Which of the following explains why an attacker cannot easily decrypt passwords using a rainbow table attack?

A.

Digital signatures

B.

Salting

C.

Hashing

D.

Perfect forward secrecy

Full Access
Question # 61

In which of the following will unencrypted PLC management traffic most likely be found?

A.

SDN

B.

IoT

C.

VPN

D.

SCADA

Full Access
Question # 62

Which of the following cryptographic solutions protects data at rest?

A.

Digital signatures

B.

Full disk encryption

C.

Private key

D.

Steganography

Full Access
Question # 63

The management team wants to assess the cybersecurity team ' s readiness to respond to a threat scenario. Which of the following will adequately assess and formalize a response within a short time?

A.

Send a message to all IT managers and request formal action plans.

B.

Create a bug bounty program and assess the findings.

C.

Execute a tabletop exercise and document the performance results.

D.

Hire an external consultant to independently assess the cybersecurity processes.

Full Access
Question # 64

A security administrator needs to protect the integrity of a compromised laptop. The administrator turns off the laptop for a forensic investigation. Which of the following tasks should the administrator do first before analyzing the hard drive?

A.

Metadata review

B.

Snapshot

C.

Bit-level copy

D.

Memory dump

Full Access
Question # 65

After a security awareness training session, a user called the IT help desk and reported a suspicious call. The suspicious caller stated that the Chief Financial Officer wanted credit card information in order to close an invoice. Which of the following topics did the user recognize from the training?

A.

Insider threat

B.

Email phishing

C.

Social engineering

D.

Executive whaling

Full Access
Question # 66

Which of the following scenarios describes a possible business email compromise attack?

A.

An employee receives a gift card request in an email that has an executive ' s name in the display field of the email.

B.

Employees who open an email attachment receive messages demanding payment in order to access files.

C.

A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account.

D.

An employee receives an email with a link to a phishing site that is designed to look like the company ' s email portal.

Full Access
Question # 67

An analyst identifies that multiple users have the same passwords, but the hashes appear to be completely different. Which of the following most likely explains this issue?

A.

Data masking

B.

Salting

C.

Key escrow

D.

Tokenization

Full Access
Question # 68

A company is utilizing an offshore team to help support the finance department. The company wants to keep the data secure by keeping it on a company device but does not want to provide equipment to the offshore team. Which of the following should the company implement to meet this requirement?

A.

VDI

B.

MDM

C.

VPN

D.

VPC

Full Access
Question # 69

Which of the following activities are associated with vulnerability management? (Select two).

A.

Reporting

B.

Prioritization

C.

Exploiting

D.

Correlation

E.

Containment

F.

Tabletop exercise

Full Access
Question # 70

Which of the following would best explain why a security analyst is running daily vulnerability scans on all corporate endpoints?

A.

To track the status of patch installations

B.

To find shadow IT cloud deployments

C.

To continuously monitor hardware inventory

D.

To hunt for active attackers in the network

Full Access
Question # 71

A store is setting up wireless access for employees. Management wants to limit the number of access points while ensuring full coverage. Which tool will help determine how many access points are needed?

A.

Signal locator

B.

WPA3

C.

Heat map

D.

Site survey

Full Access
Question # 72

An organization is required to provide assurance that its controls are properly designed and operating effectively. Which of the following reports will best achieve this objective?

A.

Red teaming

B.

Penetration testing

C.

Independent audit

D.

Vulnerability assessment

Full Access
Question # 73

Which of the following prevents unauthorized modifications to internal processes, assets, and security controls?

A.

Change management

B.

Playbooks

C.

Incident response

D.

Acceptable use policy

Full Access
Question # 74

Which of the following can be best used to discover a company ' s publicly available breach information?

A.

OSINT

B.

SIEM

C.

CVE

D.

CVSS

Full Access
Question # 75

Which of the following should be deployed on an externally facing web server in order to establish an encrypted connection?

A.

Public key

B.

Private Key

C.

Asymmetric key

D.

Symmetric key

Full Access
Question # 76

An organization experiences a compromise in a cloud-hosted solution that contains customer information. Which of the following strategies will help determine the sensitivity level of the breach?

A.

Permission restrictions

B.

Tabletop exercise

C.

Data classification

D.

Asset inventory

Full Access
Question # 77

Which of the following actions would reduce the number of false positives for an analyst to manually review?

A.

Create playbooks as part of a SOAR platform

B.

Redefine the patch management process

C.

Replace an EDR tool with an XDR solution

D.

Disable AV heuristics scanning

Full Access
Question # 78

Which of the following is a type of vulnerability that refers to the unauthorized installation of applications on a device through means other than the official application store?

A.

Cross-site scripting

B.

Buffer overflow

C.

Jailbreaking

D.

Side loading

Full Access
Question # 79

An organization wants to deploy software in a container environment to increase security. Which of the following will limit the organization ' s ability to achieve this goal?

A.

Regulatory compliance

B.

Patch availability

C.

Kernel version

D.

Monolithic code

Full Access
Question # 80

A security analyst receives an alert from a web server that contains the following logs:

GET /image?filename=../../../etc/passwd

Host: AcmeInc.web.net

useragent: python-request/2.27.1

GET /image?filename=../../../etc/shadow

Host: AcmeInc.web.net

useragent: python-request/2.27.1

Which of the following attacks is being attempted?

A.

File injection

B.

Privilege escalation

C.

Directory traversal

D.

Cookie forgery

Full Access
Question # 81

Which of the following best describes a method for ongoing vendor monitoring in third-party risk management?

A.

Requiring a new MSA for each project

B.

Accepting vendor self-attestation without further verification

C.

Conducting assessments to verify compliance with security requirements

D.

Reviewing SLAs at the start of the contract

Full Access
Question # 82

During a penetration test in a hypervisor, the security engineer is able to inject a malicious payload and access the host filesystem. Which of the following best describes this vulnerability?

A.

VM escape

B.

Cross-site scripting

C.

Malicious update

D.

SQL injection

Full Access
Question # 83

Which of the following vulnerabilities is associated with installing software outside of a manufacturer’s approved software repository?

A.

Jailbreaking

B.

Memory injection

C.

Resource reuse

D.

Side loading

Full Access
Question # 84

A company wants to reduce the time and expense associated with code deployment. Which of the following technologies should the company utilize?

A.

Serverless architecture

B.

Thin clients

C.

Private cloud

D.

Virtual machines

Full Access
Question # 85

A systems administrator notices that one of the systems critical for processing customer transactions is running an end-of-life operating system. Which of the following techniques would increase enterprise security?

A.

Installing HIDS on the system

B.

Placing the system in an isolated VLAN

C.

Decommissioning the system

D.

Encrypting the system ' s hard drive

Full Access
Question # 86

A security analyst discovers that a large number of employee credentials had been stolen and were being sold on the dark web. The analyst investigates and discovers that some hourly employee credentials were compromised, but salaried employee credentials were not affected.

Most employees clocked in and out while they were Inside the building using one of the kiosks connected to the network. However, some clocked out and recorded their time after leaving to go home. Only those who clocked in and out while Inside the building had credentials stolen. Each of the kiosks are on different floors, and there are multiple routers, since the business segments environments for certain business functions.

Hourly employees are required to use a website called acmetimekeeping.com to clock in and out. This website is accessible from the internet. Which of the following Is the most likely reason for this compromise?

A.

A brute-force attack was used against the time-keeping website to scan for common passwords.

B.

A malicious actor compromised the time-keeping website with malicious code using an unpatched vulnerability on the site, stealing the credentials.

C.

The internal DNS servers were poisoned and were redirecting acmetimkeeping.com to malicious domain that intercepted the credentials and then passed them through to the real site

D.

ARP poisoning affected the machines in the building and caused the kiosks lo send a copy of all the submitted credentials to a machine.machine.

Full Access
Question # 87

Which of the following should a security operations center use to improve its incident response procedure?

A.

Playbooks

B.

Frameworks

C.

Baselines

D.

Benchmarks

Full Access
Question # 88

An administrator installs an SSL certificate on a new system. During testing, errors indicate that the certificate is not trusted. The administrator has verified with the issuing CA and has validated the private key. Which of the following should the administrator check for next?

A.

If the wildcard certificate is configured

B.

If the certificate signing request is valid

C.

If the root certificate is installed

D.

If the public key is configured

Full Access
Question # 89

A security officer is implementing a security awareness program and is placing security-themed posters around the building and is assigning online user training. Which of the following would the security officer most likely implement?

A.

Password policy

B.

Access badges

C.

Phishing campaign

D.

Risk assessment

Full Access
Question # 90

A company processes a large volume of business-to-business transactions and prioritizes data confidentiality over transaction availability. The company’s firewall administrator must configure a new hardware-based firewall to replace the current one. Which of the following should the administrator do to best align with the company requirements in case a security event occurs?

A.

Ensure the firewall data plane moves to fail-closed mode.

B.

Implement a deny-all rule as the last firewall ACL rule.

C.

Prioritize business-critical application traffic through the firewall.

D.

Configure rate limiting between the firewall interfaces.

Full Access
Question # 91

A nation-state attacker gains access to the email accounts of several journalists by compromising a website that the journalists frequently use. Which of the following types of attacks describes this example?

A.

On-path

B.

Watering-hole

C.

Typosquatting

D.

Brand impersonation

Full Access
Question # 92

Which of the following describes effective change management procedures?

A.

Approving the change after a successful deployment

B.

Having a backout plan when a patch fails

C.

Using a spreadsheet for tracking changes

D.

Using an automatic change control bypass for security updates

Full Access
Question # 93

Which of the following incident response activities ensures evidence is properly handied?

A.

E-discovery

B.

Chain of custody

C.

Legal hold

D.

Preservation

Full Access
Question # 94

Which of the following is a reason an organization should use different CSPs for a critical financial application?

A.

Application overhead can be better load balanced across multiple providers.

B.

Platform diversity reduces the likelihood of losing access to resources.

C.

Parallel processing allows continued operations while deploying time-critical security updates.

D.

Selection of a hot site minimizes downtime and helps the organization meet its RTO.

Full Access
Question # 95

Which of the following activities would involve members of the incident response team and other stakeholders simul-ating an event?

A.

Lessons learned

B.

Digital forensics

C.

Tabletop exercise

D.

Root cause analysis

Full Access
Question # 96

Which of the following is used to add extra complexity before using a one-way data transformation algorithm?

A.

Key stretching

B.

Data masking

C.

Steganography

D.

Salting

Full Access
Question # 97

When trying to access an internal website, an employee reports that a prompt displays, stating that the site is insecure. Which of the following certificate types is the site most likely using?

A.

Wildcard

B.

Root of trust

C.

Third-party

D.

Self-signed

Full Access
Question # 98

An organization experiences a cybersecurity incident involving a command-and-control server. Which of the following logs should be analyzed to identify the impacted host? (Select two).

A.

Application

B.

Authentication

C.

DHCP

D.

Network

E.

Firewall

F.

Database

Full Access
Question # 99

An organization conducts a self-evaluation with a phishing campaign that requests login credentials. The organization receives the following results:

• None of the staff were fooled by the attempt due to proper security awareness.

• Staff deleted the email without performing any additional actions.

Which of the following security practices would add the most value to the organization?

A.

Implement a strict password reset policy for all senior managers after a security event.

B.

Update user guidance to include suspicious incident reporting.

C.

Conduct end-user training regarding spear-phishing attempts to raise awareness.

D.

Require remote workers to use a VPN when connecting to the organization ' s networks.

Full Access
Question # 100

Which of the following is the final step of the modem response process?

A.

Lessons learned

B.

Eradication

C.

Containment

D.

Recovery

Full Access
Question # 101

A marketing team launches a new AI solution that trains on sensitive customer data to help provide recommendations on its next possible marketing campaign. This team requires granular access to the tool for different levels of sensitive data. Which of the following should a systems administrator prioritize when provisioning access?

A.

Emergency access

B.

Least-privilege accounts

C.

Just-in-time (JIT) access

D.

Group managed service accounts

Full Access
Question # 102

Which of the following is a benefit of launching a bug bounty program? (Select two)

A.

Transference of risk to a third party

B.

Reduction in the number of zero-day vulnerabilities

C.

Increased security awareness for the workforce

D.

Reduced cost of managing the program

E.

Quicker discovery of vulnerabilities

F.

Improved patch management process

Full Access
Question # 103

A security practitioner completes a vulnerability assessment on a company’s network and finds several vulnerabilities, which the operations team remediates. Which of the following should be done next?

A.

Conduct an audit.

B.

Initiate a penetration test.

C.

Rescan the network.

D.

Submit a report.

Full Access
Question # 104

The analyst wants to move data from production to the UAT server for testing the latest release. Which of the following strategies to protect data should the analyst use?

A.

Data masking

B.

Data tokenization

C.

Data obfuscation

D.

Data encryption

Full Access
Question # 105

A security analyst developed a script to automate a trivial and repeatable task. Which of the following best describes the benefits of ensuring other team members understand how the script works?

A.

To reduce implementation cost

B.

To identify complexity

C.

To remediate technical debt

D.

To prevent a single point of failure

Full Access
Question # 106

A security analyst scans a company ' s public network and discovers a host is running a remote desktop that can be used to access the production network. Which of the following changes should the security analyst recommend?

A.

Changing the remote desktop port to a non-standard number

B.

Setting up a VPN and placing the jump server inside the firewall

C.

Using a proxy for web connections from the remote desktop server

D.

Connecting the remote server to the domain and increasing the password length

Full Access
Question # 107

A security operations center determines that the malicious activity detected on a server is normal. Which of the following activities describes the act of ignoring detected activity in the future?

A.

Tuning

B.

Aggregating

C.

Quarantining

D.

Archiving

Full Access
Question # 108

The number of tickets the help desk has been receiving has increased recently due to numerous false-positive phishing reports. Which of the following would be best to help to reduce the false positives?

A.

Performing more phishing simulation campaigns

B.

Improving security awareness training

C.

Hiring more help desk staff

D.

Implementing an incident reporting web page

Full Access
Question # 109

A security analyst notices an increase in port scans on the edge of the corporate network. Which of the following logs should the analyst check to obtain the attacker ' s source IP address?

A.

Security

B.

Firewall

C.

Application

D.

Endpoint

Full Access
Question # 110

Which of the following best explains a core principle of a Zero Trust security model?

A.

Devices connected to the internal network are automatically trusted after initial authentication.

B.

Access to resources is granted only after strict identity verification and continuous monitoring.

C.

Security policies require multifactor authentication for remote access to sensitive data.

D.

Network access is limited by role, and access controls are reviewed on a regular schedule.

Full Access
Question # 111

The executive management team is mandating the company develop a disaster recovery plan. The cost must be kept to a minimum, and the money to fund additional internet connections is not available. Which of the following would be the best option?

A.

Hot site

B.

Cold site

C.

Failover site

D.

Warm site

Full Access
Question # 112

A company is working with a vendor to perform a penetration test Which of the following includes an estimate about the number of hours required to complete the engagement?

A.

SOW

B.

BPA

C.

SLA

D.

NDA

Full Access
Question # 113

A company discovered its data was advertised for sale on the dark web. During the initial investigation, the company determined the data was proprietary data. Which of the following is the next step the company should take?

A.

Identity the attacker sentry methods.

B.

Report the breach to the local authorities.

C.

Notify the applicable parties of the breach.

D.

Implement vulnerability scanning of the company ' s systems.

Full Access
Question # 114

A company hired a consultant to perform an offensive security assessment covering penetration testing and social engineering.

Which of the following teams will conduct this assessment activity?

A.

White

B.

Purple

C.

Blue

D.

Red

Full Access
Question # 115

An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of the following would be most relevant for the analyst to evaluate?

A.

Secured zones

B.

Subject role

C.

Adaptive identity

D.

Threat scope reduction

Full Access
Question # 116

A security officer observes that a software development team is not complying with its corporate security policy on encrypting confidential data. Which of the following categories refers to this type of non-compliance?

A.

External

B.

Standard

C.

Regulation

D.

Internal

Full Access
Question # 117

A company discovers suspicious transactions that were entered into the company ' s database and attached to a user account that was created as a trap for malicious activity. Which of the following is the user account an example of?

A.

Honeytoken

B.

Honeynet

C.

Honeypot

D.

Honeyfile

Full Access
Question # 118

A systems administrator is looking for a low-cost application-hosting solution that is cloud-based. Which of the following meets these requirements?

A.

Serverless framework

B.

Type 1 hvpervisor

C.

SD-WAN

D.

SDN

Full Access
Question # 119

Which of the following is a hardware-specific vulnerability?

A.

Firmware version

B.

Buffer overflow

C.

SQL injection

D.

Cross-site scripting

Full Access
Question # 120

A Chief Information Security Officer (CISO) implements a new policy that users can no longer access fantasy sports sites while at work. The CISO wants to implement a solution that can adapt to new sites coming online and not have to constantly determine which sites are related to fantasy sports. Which of the following is the best capability for the CISO to leverage?

A.

IPS

B.

URL scanning

C.

Content categorization

D.

Static denial list

E.

DLP

Full Access
Question # 121

Staff members at a company historically click on dangerous links. The leadership team wants to reduce that risk. Which of the following should a security engineer do to help reduce future incidents?

A.

Create and run a realistic email test and provide a refresher.

B.

Leverage plaintext emails to remove clickable links.

C.

Block all unsigned email attachments for all employees.

D.

Perform header analysis for sender reputation.

Full Access
Question # 122

A security consultant is working with a client that wants to physically isolate its secure systems. Which of the following best describes this architecture?

A.

SDN

B.

Air gapped

C.

Containerized

D.

Highly available

Full Access
Question # 123

Which of the following is an example of a false negative vulnerability detection in a scan report?

A.

A vulnerability that does not actually exist

B.

A vulnerability that has already been remediated

C.

A result that shows no known vulnerability

D.

A zero-day vulnerability with a known remediation

Full Access
Question # 124

Which of the following is the most likely motivation for a hacktivist?

A.

Financial gain

B.

Service disruption

C.

Philosophical beliefs

D.

Corporate espionage

Full Access
Question # 125

Which of the following activities should a systems administrator perform to quarantine a potentially infected system?

A.

Move the device into an air-gapped environment.

B.

Disable remote log-in through Group Policy.

C.

Convert the device into a sandbox.

D.

Remote wipe the device using the MDM platform.

Full Access
Question # 126

Which of the following mitigation techniques would a security analyst most likely use to avoid bloatware on devices?

A.

Disabled ports/protocols

B.

Application allow list

C.

Default password changes

D.

Access control permissions

Full Access
Question # 127

A company is in the process of migrating to cloud-based services. The company ' s IT department has limited resources for migration and ongoing support. Which of the following best meets the company ' s needs?

A.

IPS

B.

WAF

C.

SASE

D.

IAM

Full Access
Question # 128

A client asked a security company to provide a document outlining the project, the cost, and the completion time frame. Which of the following documents should the company provide to the client?

A.

MSA

B.

SLA

C.

BPA

D.

SOW

Full Access
Question # 129

Several customers want an organization to verify its security controls are operating effectively and have requested an independent opinion. Which of the following is the most efficient way to address these requests?

A.

Hire a vendor to perform a penetration test.

B.

Perform an annual self-assessment.

C.

Allow each client the right to audit.

D.

Provide a third-party attestation report.

Full Access
Question # 130

A Chief Information Security Officer wants to monitor the company ' s servers for SQLi attacks and allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow traffic monitoring. Which of the following strategies would best accomplish this goal?

A.

Logging all NetFlow traffic into a SIEM

B.

Deploying network traffic sensors on the same subnet as the servers

C.

Logging endpoint and OS-specific security logs

D.

Enabling full packet capture for traffic entering and exiting the servers

Full Access
Question # 131

A recent black-box penetration test of http://example.com discovered that external

website vulnerabilities exist, such as directory traversals, cross-site scripting, cross-site forgery, and insecure protocols.

You are tasked with reducing the attack space and enabling secure protocols.

INSTRUCTIONS

Part 1

Use the drop-down menus to select the appropriate technologies for each location to implement a secure and resilient web architecture. Not all technologies will be used, and technologies may be used multiple times.

Part 2

Use the drop-down menus to select the appropriate command snippets from the drop-down menus. Each command section must be filled.

Full Access
Question # 132

Which of the following phases of an incident response involves generating reports?

A.

Recovery

B.

Preparation

C.

Lessons learned

D.

Containment

Full Access
Question # 133

Which of the following should be used to prevent changes to system-level data?

A.

NIDS

B.

DLP

C.

NAC

D.

FIM

Full Access
Question # 134

A company wants to ensure that a mission-critical database can only be accessed from specific internal IP addresses. Which of the following should the company deploy to meet this requirement?

A.

Web application firewall

B.

Network tap

C.

Intrusion prevention system

D.

Jump server

Full Access
Question # 135

An administrator is reviewing a single server ' s security logs and discovers the following;

Which of the following best describes the action captured in this log file?

A.

Brute-force attack

B.

Privilege escalation

C.

Failed password audit

D.

Forgotten password by the user

Full Access
Question # 136

Which of the following is the most likely to be used to document risks, responsible parties, and thresholds?

A.

Risk tolerance

B.

Risk transfer

C.

Risk register

D.

Risk analysis

Full Access
Question # 137

A systems administrator just purchased multiple network devices. Which of the following should the systems administrator perform to prevent attackers from accessing the devices by using publicly available information?

A.

Install endpoint protection

B.

Disable ports/protocols

C.

Change default passwords

D.

Remove unnecessary software

Full Access
Question # 138

A security analyst identifies an incident in the network. Which of the following incident response activities would the security analyst perform next?

A.

Containment

B.

Detection

C.

Eradication

D.

Recovery

Full Access
Question # 139

An unknown source has attacked an organization’s network multiple times. The organization has a firewall but no other source of protection against these attacks. Which of the following is the best security item to add?

A.

SIEM

B.

Load balancer

C.

UTM

D.

IPS

Full Access
Question # 140

Which of the following would be the greatest concern for a company that is aware of the consequences of non-compliance with government regulations?

A.

Right to be forgotten

B.

Sanctions

C.

External compliance reporting

D.

Attestation

Full Access
Question # 141

A university employee logged on to the academic server and attempted to guess the system administrators ' log-in credentials. Which of the following security measures should the university have implemented to detect the employee ' s attempts to gain access to the administrators ' accounts?

A.

Two-factor authentication

B.

Firewall

C.

Intrusion prevention system

D.

User activity logs

Full Access
Question # 142

Which of the following topics would most likely be included within an organization ' s SDLC?

A.

Service-level agreements

B.

Information security policy

C.

Penetration testing methodology

D.

Branch protection requirements

Full Access
Question # 143

A security analyst receives an alert from a corporate endpoint used by employees to issue visitor badges. The alert contains the following details:

Which of the following best describes the indicator that triggered the alert?

A.

Blocked content

B.

Brute-force attack

C.

Concurrent session usage

D.

Account lockout

Full Access
Question # 144

Which of the following best explains how open service ports increase an organization ' s attack surface?

A.

They are commonly overlooked by endpoint antivirus tools during scans.

B.

They can make the company’s remote entry point available to the internet.

C.

They enable automatic application updates to reduce vulnerability windows.

D.

They can expose unnecessary services to unauthorized access if not properly restricted.

Full Access
Question # 145

An accountant is transferring information to a bank over FTP. Which of the following mitigations should the accountant use to protect the confidentiality of the data?

A.

Tokenization

B.

Data masking

C.

Encryption

D.

Obfuscation

Full Access
Question # 146

A spoofed identity was detected for a digital certificate. Which of the following are the type of unidentified key and the certificate mat could be in use on the company domain?

A.

Private key and root certificate

B.

Public key and expired certificate

C.

Private key and self-signed certificate

D.

Public key and wildcard certificate

Full Access
Question # 147

An organization has recently decided to implement SSO. The requirements are to leverage access tokens and focus on application authorization rather than user authentication. Which of the following solutions would the engineering team most likely configure?

A.

LDAP

B.

Federation

C.

SAML

D.

OAuth

Full Access
Question # 148

Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked.

Which of the following changes would allow users to access the site?

A.

Creating a firewall rule to allow HTTPS traffic

B.

Configuring the IPS to allow shopping

C.

Tuning the DLP rule that detects credit card data

D.

Updating the categorization in the content filter

Full Access
Question # 149

A security analyst reviews domain activity logs and notices the following:

Which of the following is the best explanation for what the security analyst has discovered?

A.

The user jsmith ' s account has been locked out.

B.

A keylogger is installed on [smith ' s workstation

C.

An attacker is attempting to brute force ismith ' s account.

D.

Ransomware has been deployed in the domain.

Full Access
Question # 150

A company is currently utilizing usernames and passwords, and it wants to integrate an MFA method that is seamless, can Integrate easily into a user ' s workflow, and can utilize employee-owned devices. Which of the following will meet these requirements?

A.

Push notifications

B.

Phone call

C.

Smart card

D.

Offline backup codes

Full Access
Question # 151

Which of the following roles, according to the shared responsibility model, is responsible for securing the company’s database in an IaaS model for a cloud environment?

A.

Client

B.

Third-party vendor

C.

Cloud provider

D.

DBA

Full Access
Question # 152

An employee from the accounting department logs in to a website. A desktop application automatically downloads on the employee ' s computer. Which of the following has occurred?

A.

XSS

B.

Watering hole

C.

Typosquatting

D.

Buffer overflow

Full Access
Question # 153

During a routine audit, an analyst discovers that a department at a high school uses a simul-ation program that was not properly vetted before deployment.

Which of the following threats is this an example of?

A.

Espionage

B.

Data exfiltration

C.

Shadow IT

D.

Zero-day

Full Access
Question # 154

An organization has learned that its data is being exchanged on the dark web. The CIO

has requested that you investigate and implement the most secure solution to protect employee accounts.

INSTRUCTIONS

Review the data to identify weak security practices and provide the most appropriate

security solution to meet the CIO ' s requirements.

Full Access
Question # 155

After multiple phishing simulations, the Chief Security Officer announces a new program that incentivizes employees to not click phishing links in the upcoming quarter. Which of the following security awareness execution techniques does this represent?

Full Access
Question # 156

Which of the following methods will most likely be used to identify legacy systems?

A.

Bug bounty program

B.

Vulnerability scan

C.

Package monitoring

D.

Dynamic analysis

Full Access
Question # 157

Which of the following cryptographic methods is preferred for securing communications with limited computing resources?

A.

Hashing algorithm

B.

Public key infrastructure

C.

Symmetric encryption

D.

Elliptic curve cryptography

Full Access
Question # 158

A company processes a large volume of business-to-business transactions and prioritizes data confidentiality over transaction availability. The company ' s firewall administrator must configure a new hardware-based firewall to replace the current one. Which of the following should the administrator do to best align with the company requirements in case a security event occurs?

A.

Ensure the firewall data plane moves to fail-closed mode.

B.

Implement a deny-all rule as the last firewall ACL rule.

C.

Prioritize business-critical application traffic through the firewall.

D.

Configure rate limiting between the firewall interfaces.

Full Access
Question # 159

Which of the following is used to protect a computer from viruses, malware, and Trojans being installed and moving laterally across the network?

A.

IDS

B.

ACL

C.

EDR

D.

NAC

Full Access
Question # 160

Which of the following risk analysis attributes measures the chance that a vulnerability will be exploited?

A.

Exposure factor

B.

Impact

C.

Severity

D.

Likelihood

Full Access
Question # 161

Which of the following digital forensics activities would a security team perform when responding to legal requests in a pending investigation?

A.

E-discovery

B.

User provisioning

C.

Firewall log export

D.

Root cause analysis

Full Access
Question # 162

Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries?

A.

Hacktivist

B.

Whistleblower

C.

Organized crime

D.

Unskilled attacker

Full Access
Question # 163

An unexpected and out-of-character email message from a Chief Executive Officer’s corporate account asked an employee to provide financial information and to change the recipient ' s contact number. Which of the following attack vectors is most likely being used?

A.

Business email compromise

B.

Phishing

C.

Brand impersonation

D.

Pretexting

Full Access
Question # 164

An organization needs to monitor its users ' activities to prevent insider threats. Which of the following solutions would help the organization achieve this goal?

A.

Behavioral analytics

B.

Access control lists

C.

Identity and access management

D.

Network intrusion detection system

Full Access
Question # 165

Various company stakeholders meet to discuss roles and responsibilities in the event of a security breach affecting offshore offices. Which of the following is this an example of?

A.

Tabletop exercise

B.

Penetration test

C.

Geographic dispersion

D.

Incident response

Full Access
Question # 166

Which of the following vulnerabilities will lead to a successful attack that injects < IMG src= ' http://attackersite.net/mycode.sh ' > into a web application?

A.

Directory traversal

B.

Buffer overflow

C.

SQLi

D.

XSS

Full Access
Question # 167

Which of the following would best ensure a controlled version release of a new software application?

A.

Business continuity planning

B.

Quantified risk analysis

C.

Static code analysis

D.

Change management procedures

Full Access
Question # 168

A company ' s marketing department collects, modifies, and stores sensitive customer data. The infrastructure team is responsible for securing the data while in transit and at rest. Which of the following data roles describes the customer?

A.

Processor

B.

Custodian

C.

Subject

D.

Owner

Full Access
Question # 169

Client files can only be accessed by employees who need to know the information and have specified roles in the company. Which of the following best describes this security concept?

A.

Availability

B.

Confidentiality

C.

Integrity

D.

Non-repudiation

Full Access
Question # 170

Which of the following is a security benefit of an effective IT asset tracking system?

A.

Helping identify unauthorized or unmanaged devices connected to the network

B.

Preventing prohibited data exfiltration from endpoints on the network

C.

Assisting with automated root cause analysis for all security incidents on the network

D.

Ensuring proper data backup and recovery procedures are in place

Full Access
Question # 171

After a recent ransomware attack on a company ' s system, an administrator reviewed the log files. Which of the following control types did the administrator use?

A.

Compensating

B.

Detective

C.

Preventive

D.

Corrective

Full Access
Question # 172

A site reliability engineer is designing a recovery strategy that requires quick failover to an identical site if the primary facility goes down. Which of the following types of sites should the engineer consider?

A.

Recovery site

B.

Hot site

C.

Cold site

D.

Warm site

Full Access
Question # 173

Which of the following should a technician perform to verify the integrity of a file transferred from one device to another?

A.

Authentication

B.

Obfuscation

C.

Hashing

D.

Encryption

Full Access
Question # 174

Which of the following activities is included in the post-incident review phase?

A.

Determining the root cause of the incident

B.

Developing steps to mitigate the risks of the incident

C.

Validating the accuracy of the evidence collected during the investigation

D.

Reestablishing the compromised system ' s configuration and settings

Full Access
Question # 175

A security analyst must identify abnormal behavior on the server. Which of the following does the analyst most likely need to do?

A.

Disable unnecessary ports.

B.

Patch the system.

C.

Establish baselines.

D.

Perform alert tuning.

Full Access
Question # 176

Which of the following examples would be best mitigated by input sanitization?

A.

< script > alert ( " Warning! " ) ,- < /script >

B.

nmap - 10.11.1.130

C.

Email message: " Click this link to get your free gift card. "

D.

Browser message: " Your connection is not private. "

Full Access
Question # 177

A company is concerned about weather events causing damage to the server room and downtime. Which of the following should the company consider?

A.

Clustering servers

B.

Geographic dispersion

C.

Load balancers

D.

Off-site backups

Full Access
Question # 178

Which of the following is the best way to consistently determine on a daily basis whether security settings on servers have been modified?

A.

Automation

B.

Compliance checklist

C.

Attestation

D.

Manual audit

Full Access
Question # 179

A store is setting up wireless access for their employees. Management wants to limit the number of access points while ensuring all areas of the store are covered. Which of the following tools will help management determine the number of access points needed?

A.

Signal locator

B.

WPA3

C.

Heat map

D.

Site survey

Full Access
Question # 180

Which of the following explains how regular patching helps mitigate risks when securing an enterprise environment?

A.

It improves server performance by reducing software bugs.

B.

It addresses known software vulnerabilities before they are exploited.

C.

It eliminates the need for firewalls and intrusion detection.

D.

It removes the need for antivirus tools.

Full Access
Question # 181

According to various privacy rules and regulations, users have the power to request that all data pertaining to them is deleted. This is known as:

A.

Right to be forgotten

B.

Attestation and acknowledgement

C.

Data retention

D.

Information deletion

Full Access
Question # 182

A company ' s antivirus solution is effective in blocking malware but often has false positives. The security team has spent a significant amount of time on investigations but cannot determine a root cause. The company is looking for a heuristic solution. Which of the following should replace the antivirus solution?

A.

SIEM

B.

EDR

C.

DLP

D.

IDS

Full Access
Question # 183

Which of the following methods would most likely be used to identify legacy systems?

A.

Bug bounty program

B.

Vulnerability scan

C.

Package monitoring

D.

Dynamic analysis

Full Access
Question # 184

An employee receives a text message from an unknown number claiming to be the company ' s Chief Executive Officer and asking the employee to purchase several gift cards. Which of the following types of attacks does this describe?

A.

Vishing

B.

Smishing

C.

Pretexting

D.

Phishing

Full Access
Question # 185

A security analyst has determined that a security breach would have a financial impact of $15,000 and is expected to occur twice within a three-year period. Which of the following is the ALE for this risk?

A.

$7,500

B.

$10,000

C.

$15,000

D.

$30,000

Full Access
Question # 186

Which of the following is the most likely motivation for a company administrator to look at an employee ' s personal information in a database?

A.

Ideological differences

B.

General curiosity

C.

Gain influence

D.

Intellectual property

Full Access
Question # 187

A security analyst is creating the first draft of a network diagram for the company ' s new customer-facing payment application that will be hosted by a third-party cloud service

provider.

Full Access
Question # 188

Which of the following architecture models ensures that critical systems are physically isolated from the network to prevent access from users with remote access privileges?

A.

Segmentation

B.

Virtualized

C.

Air-gapped

D.

Serverless

Full Access
Question # 189

A group of developers has a shared backup account to access the source code repository. Which of the following is the best way to secure the backup account if there is an SSO failure?

A.

RAS

B.

EAP

C.

SAML

D.

PAM

Full Access
Question # 190

A systems administrator is working on a solution with the following requirements:

Provide a secure zone.

Enforce a company-wide access control policy.

Reduce the scope of threats.

Which of the following is the systems administrator setting up?

A.

Zero Trust

B.

AAA

C.

Non-repudiation

D.

CIA

Full Access
Question # 191

After a security incident, a systems administrator asks the company to buy a NAC platform. Which of the following attack surfaces is the systems administrator trying to protect?

A.

Bluetooth

B.

Wired

C.

NFC

D.

SCADA

Full Access
Question # 192

A security analyst wants to automate a task that shares data between systems. Which of the following is the best option for the analyst to use?

A.

SOAR

B.

API

C.

SFTP

D.

RDP

Full Access
Question # 193

A security administrator wants to implement a security information and event management system. The administrator must first collect network traffic on the switch to gain visibility of the network. Which of the following is the most appropriate method?

A.

Syslog

B.

Port mirroring

C.

Port forwarding

D.

Load balancer logs

Full Access
Question # 194

Which of the following would be the best way to block unknown programs from executing?

A.

Access control list

B.

Application allow list.

C.

Host-based firewall

D.

DLP solution

Full Access
Question # 195

An engineer moved to another team and is unable to access the new team ' s shared folders while still being able to access the shared folders from the former team. After opening a ticket, the engineer discovers that the account was never moved to the new group. Which of the following access controls is most likely causing the lack of access? 1  

A.

Role-based

B.

Discretionary

C.

Time of day

D.

Least privilege

Full Access
Question # 196

An administrator learns that users are receiving large quantities of unsolicited messages. The administrator checks the content filter and sees hundreds of messages sent to multiple users. Which of the following best describes this kind of attack?

A.

Watering hole

B.

Typosquatting

C.

Business email compromise

D.

Phishing

Full Access
Question # 197

Which of the following actors attacking an organization is the most likely to be motivated by personal beliefs?

A.

Nation-state

B.

Organized crime

C.

Hacktvist

D.

Insider threat

Full Access
Question # 198

A security manager is implementing MFA and patch management. Which of the following would best describe the control type and category? (Select two).

A.

Physical

B.

Managerial

C.

Detective

D.

Administrator

E.

Preventative

F.

Technical

Full Access
Question # 199

For which of the following reasons would a systems administrator leverage a 3DES hash from an installer file that is posted on a vendor ' s website?

A.

To test the integrity of the file

B.

To validate the authenticity of the file

C.

To activate the license for the file

D.

To calculate the checksum of the file

Full Access
Question # 200

A company is using a legacy FTP server to transfer financial data to a third party. The legacy system does not support SFTP, so a compensating control is needed to protect the sensitive, financial data in transit. Which of the following would be the most appropriate for the company to use?

A.

Telnet connection

B.

SSH tunneling

C.

Patch installation

D.

Full disk encryption

Full Access
Question # 201

A security administrator wants to determine if the company ' s social engineering training is effective. Which of the following should the administrator do to complete this task?

A.

Set up a honeypot.

B.

Send out a survey.

C.

Set up a focus group.

D.

Conduct a phishing campaign.

Full Access
Question # 202

A company plans to secure its systems by:

Preventing users from sending sensitive data over corporate email

Restricting access to potentially harmful websites

Which of the following features should the company set up? (Select two).

A.

DLP software

B.

DNS filtering

C.

File integrity monitoring

D.

Stateful firewall

E.

Guardralls

F.

Antivirus signatures

Full Access
Question # 203

A company must ensure that log searches are conducted in the shortest time frame. Which of the following should the company do to maintain logs in live storage for 90 days?

A.

Conduct deduplication.

B.

Conduct archiving.

C.

Apply aggregation.

D.

Apply compression.

Full Access
Question # 204

A company is developing a business continuity strategy and needs to determine how many staff members would be required to sustain the business in the case of a disruption. Which of the following best describes this step?

A.

Capacity planning

B.

Redundancy

C.

Geographic dispersion

D.

Tablet exercise

Full Access
Question # 205

Which of the following is the best reason to complete an audit in a banking environment?

A.

Regulatory requirement

B.

Organizational change

C.

Self-assessment requirement

D.

Service-level requirement

Full Access
Question # 206

A security analyst is investigating an alert that was produced by endpoint protection software. The analyst determines this event was a false positive triggered by an employee who attempted to download a file. Which of the following is the most likely reason the download was blocked?

A.

A misconfiguration in the endpoint protection software

B.

A zero-day vulnerability in the file

C.

A supply chain attack on the endpoint protection vendor

D.

Incorrect file permissions

Full Access
Question # 207

A security engineer is implementing FDE for all laptops in an organization. Which of the following are the most important for the engineer to consider as part of the planning process? (Select two).

A.

Key escrow

B.

TPM presence

C.

Digital signatures

D.

Data tokenization

E.

Public key management

F.

Certificate authority linking

Full Access
Question # 208

A systems administrator wants to use a technical solution to explicitly define file permissions for the entire team. Which of the following should the administrator implement?

A.

ACL

B.

Monitoring

C.

Isolation

D.

HIPS

Full Access
Question # 209

An organization is evaluating new regulatory requirements associated with the implementation of corrective controls on a group of interconnected financial systems. Which of the following is the most likely reason for the new requirement?

A.

To defend against insider threats altering banking details

B.

To ensure that errors are not passed to other systems

C.

To allow for business insurance to be purchased

D.

To prevent unauthorized changes to financial data

Full Access
Question # 210

Which of the following are the best methods for hardening end user devices? (Select two)

A.

Full disk encryption

B.

Group-level permissions

C.

Account lockout

D.

Endpoint protection

E.

Proxy server

F.

Segmentation

Full Access
Question # 211

Which of the following objectives is best achieved by a tabletop exercise?

A.

Familiarizing participants with the incident response process

B.

Deciding red and blue team rules of engagement

C.

Quickly determining the impact of an actual security breach

D.

Conducting multiple security investigations in parallel

Full Access
Question # 212

You are security administrator investigating a potential infection on a network.

Click on each host and firewall. Review all logs to determine which host originated the Infecton and then deny each remaining hosts clean or infected.

Full Access
Question # 213

Which of the following is a type of vulnerability that may result from outdated algorithms or keys?

A.

Hash collision

B.

Cryptographic

C.

Buffer overflow

D.

Input validation

Full Access
Question # 214

Which of the following is a vulnerability concern for end-of-life hardware?

A.

Failure to follow hardware disposal procedures could result in unintended data release.

B.

The supply chain may not have replacement hardware.

C.

Newly released software may require computing resources not available on legacy hardware.

D.

The vendor may stop providing patches and updates.

Full Access
Question # 215

A remote employee navigates to a shopping website on their company-owned computer. The employee clicks a link that contains a malicious file. Which of the following would prevent this file from downloading?

A.

DLP

B.

FIM

C.

NAC

D.

EDR

Full Access
Question # 216

Which of the following threat actors is the most likely to use large financial resources to attack critical systems located in other countries?

A.

Insider

B.

Unskilled attacker

C.

Nation-state

D.

Hacktivist

Full Access
Question # 217

Which of the following can assist in recovering data if the decryption key is lost?

A.

CSR

B.

Salting

C.

Root of trust

D.

Escrow

Full Access
Question # 218

A security architect wants to prevent employees from receiving malicious attachments by email. Which of the following functions should the chosen solution do?

A.

Apply IP address reputation data.

B.

Tap and monitor the email feed.

C.

Scan email traffic inline.

D.

Check SPF records.

Full Access
Question # 219

A security analyst estimates that a small security incident will cost $10,000 and will occur twice per year. The analyst recommends a budget of $20,000 for next year. Which of the following does the $10,000 represent?

A.

ARO

B.

SLE

C.

ALE

D.

RPO

Full Access
Question # 220

A company wants to ensure employees are allowed to copy files from a virtual desktop during the workday but are restricted during non-working hours. Which of the following security measures should the company set up?

A.

Digital rights management

B.

Role-based access control

C.

Time-based access control

D.

Network access control

Full Access
Question # 221

A program manager wants to ensure contract employees can only use the company’s computers Monday through Friday from 9 a.m. to 5 p.m. Which of the following would best enforce this access control?

A.

Creating a GPO for all contract employees and setting time-of-day log-in restrictions

B.

Creating a discretionary access policy and setting rule-based access for contract employees

C.

Implementing an OAuth server and then setting least privilege for contract employees

D.

Implementing SAML with federation to the contract employees ' authentication server

Full Access
Question # 222

A security engineer needs to analyze the implications of moving proprietary company data from a local server to a public cloud storage service. Which of the following actions should the engineer take first?

A.

Create an architecture diagram of cloud storage solutions.

B.

Migrate sample data to the cloud to run security tests.

C.

Agree on data classification labels with stakeholders.

D.

Make a backup of the data on cloud-neutral storage.

Full Access
Question # 223

Which of the following outlines the configuration, maintenance, and security roles between a cloud service provider and the customer?

A.

Service-level agreement

B.

Responsibility matrix

C.

Memorandum of understanding

D.

Non-disclosure agreement

Full Access
Question # 224

The Chief Information Security Officer (CISO) requires that new servers include hardware-level memory encryption. Which of the following data states does the CISO want to protect?

A.

Data in use

B.

Data at rest

C.

Data in transit

D.

Data sovereignty

Full Access
Question # 225

A company processes and stores sensitive data on its own systems. Which of the following steps should the company take first to ensure compliance with privacy regulations?

A.

Implement access controls and encryption.

B.

Develop and provide training on data protection policies.

C.

Create incident response and disaster recovery plans.

D.

Purchase and install security software.

Full Access
Question # 226

Which of the following data recovery strategies will result in a quick recovery at low cost?

A.

Hot

B.

Cold

C.

Manual

D.

Warm

Full Access
Question # 227

A company has a website in a server cluster. One server is experiencing very high usage, while others are nearly unused. Which of the following should the company configure to help distribute traffic quickly?

A.

Server multiprocessing

B.

Warm site

C.

Load balancer

D.

Proxy server

Full Access
Question # 228

A Chief Information Officer wants to ensure that network devices cannot connect to the public internet or the local network to directly perform firmware updates. The IT team must manually perform the update process by using a portable device. Which of the following architecture types best fits this description?

A.

Microservices

B.

Air-gapped

C.

Software-defined networking

D.

Serverless

Full Access
Question # 229

Attackers created a new domain name that looks similar to a popular file-sharing website. Which of the following threat vectors is being used?

A.

Watering-hole attack

B.

Brand impersonation

C.

Phishing

D.

Typosquatting

Full Access
Question # 230

A security analyst is reviewing the following logs:

Which of the following attacks is most likely occurring?

A.

Password spraying

B.

Account forgery

C.

Pass-t he-hash

D.

Brute-force

Full Access
Question # 231

A growing company would like to enhance the ability of its security operations center to detect threats but reduce the amount of manual work required tor the security analysts. Which of the following would best enable the reduction in manual work?

A.

SOAR

B.

SIEM

C.

MDM

D.

DLP

Full Access
Question # 232

A company needs to determine whether authentication weaknesses in a customer-facing web application exist. Which of the following is the best technique to use?

A.

Static analysis

B.

Packet capture

C.

Agent-based scanning

D.

Dynamic analysis

E.

Network-based scanning

Full Access
Question # 233

Which of the following can best contribute to prioritizing patch applications?

A.

CVSS

B.

SCAP

C.

OSINT

D.

CVE

Full Access
Question # 234

During a penetration test, a vendor attempts to enter an unauthorized area using an access badge Which of the following types of tests does this represent?

A.

Defensive

B.

Passive

C.

Offensive

D.

Physical

Full Access
Question # 235

A company uses its backups to recover from a ransomware attack. Which of the following best guarantees that the backups are not infected?

A.

Immutability

B.

Destruction

C.

Sanitization

D.

Retention

Full Access
Question # 236

A company decides to purchase an insurance policy. Which of the following risk management strategies is this company implementing?

A.

Mitigate

B.

Accept

C.

Avoid

D.

Transfer

Full Access
Question # 237

Which of the following receives logs from various devices and services, and then presents alerts?

A.

SIEM

B.

SCADA

C.

SNMP

D.

SCAP

Full Access
Question # 238

Which of the following best describes why me SMS DIP authentication method is more risky to implement than the TOTP method?

A.

The SMS OTP method requires an end user to have an active mobile telephone service and SIM card.

B.

Generally. SMS OTP codes are valid for up to 15 minutes while the TOTP time frame is 30 to 60 seconds

C.

The SMS OTP is more likely to be intercepted and lead to unauthorized disclosure of the code than the TOTP method.

D.

The algorithm used to generate on SMS OTP code is weaker than the one used to generate a TOTP code

Full Access
Question # 239

While troubleshooting an internal resource ' s poor performance for an end user, a network engineer performs a traceroute on the end device and receives the following output:

C:\User > tracert 10.100.15.20

Tracing route to [internal.resource.org] 10.100.15.20

over a maximum of 30 hops:

1 200 ms 200 ms 200 ms 10.20.10.10

2 5 ms 3 ms 3 ms 10.20.10.1

3 20 ms 20 ms 10 ms 10.25.10.10

4 10 ms 8 ms 10 ms 10.30.110.1

5 5 ms 6 ms 3 ms 10.100.15.20

The engineer performs a traceroute from a device that is not experiencing poor performance but is connected to the same port. The engineer receives the following output:

C:\Engineer > tracert 10.100.15.20

Tracing route to [internal.resource.org] 10.100.15.20

over a maximum of 30 hops:

1 5 ms 3 ms 3 ms 10.20.10.1

2 20 ms 20 ms 10 ms 10.25.10.10

3 10 ms 8 ms 10 ms 10.30.110.1

4 5 ms 6 ms 3 ms 10.100.15.20

Which of the following is most likely occurring?

A.

ARP cache poisoning

B.

On-path attack

C.

Resource exhaustion

D.

DNS spoofing

Full Access
Question # 240

A technician is opening ports on a firewall for a new system being deployed and supported by a SaaS provider. Which of the following is a risk in the new system?

A.

Default credentials

B.

Non-segmented network

C.

Supply chain vendor

D.

Vulnerable software

Full Access
Question # 241

A security administrator is implementing encryption on all hard drives in an organization. Which of the following security concepts is the administrator applying?

A.

Integrity

B.

Authentication

C.

Zero Trust

D.

Confidentiality

Full Access
Question # 242

Which of the following describes the process of concealing code or text inside a graphical image?

A.

Symmetric encryption

B.

Hashing

C.

Data masking

D.

Steganography

Full Access
Question # 243

Which of the following is the primary purpose of a service that tracks log-ins and time spent using the service?

A.

Availability

B.

Accounting

C.

Authentication

D.

Authorization

Full Access
Question # 244

Which of the following best describes the purpose of using deception technologies in a security strategy?

A.

To prevent malware installation through endpoint protection tools

B.

To block all external traffic before it reaches critical information systems

C.

To lure attackers to controlled environments to collect threat intelligence

D.

To detect insider threats by monitoring privileged user accounts

Full Access
Question # 245

Which of the following should be used to ensure a device is inaccessible to a network-connected resource?

A.

Disablement of unused services

B.

Web application firewall

C.

Host isolation

D.

Network-based IDS

Full Access
Question # 246

An organization is developing a security program that conveys the responsibilities associated with the general operation of systems and software within the organization. Which of the following documents would most likely communicate these expectations?

A.

Business continuity plan

B.

Change management procedure

C.

Acceptable use policy

D.

Software development life cycle policy

Full Access
Question # 247

A software developer released a new application and is distributing the application files through the developer’s website. Which of the following should the developer post on the website to allow users to verify the integrity of the downloaded files?

A.

Hashes

B.

Certificates

C.

Algorithms

D.

Salting

Full Access
Question # 248

A new corporate policy requires all staff to use multifactor authentication to access company resources. Which of the following can be utilized to set up this form of identity and access management? (Select two)

A.

Authentication tokens

B.

Least privilege

C.

Biometrics

D.

LDAP

E.

Password vaulting

F.

SAML

Full Access
Question # 249

Which of the following would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed?

A.

A full inventory of all hardware and software

B.

Documentation of system classifications

C.

A list of system owners and their departments

D.

Third-party risk assessment documentation

Full Access
Question # 250

Which of the following is most likely to be used as a just-in-time reference document within a security operations center?

A.

Change management policy

B.

Risk profile

C.

Playbook

D.

SIEM profile

Full Access
Question # 251

A company is redesigning its infrastructure and wants to reduce the number of physical servers in use. Which of the following architectures is best suited for this goal?

A.

Isolation

B.

Segmentation

C.

Virtualization

D.

Redundancy

Full Access
Question # 252

A security analyst is reviewing logs and discovers the following:

Which of the following should be used lo best mitigate this type of attack?

A.

Input sanitization

B.

Secure cookies

C.

Static code analysis

D.

Sandboxing

Full Access
Question # 253

Which of the following best explains the benefit of using asymmetric encryption?

A.

It provides mutual authentication by using identical keys for both encryption and decryption.

B.

It uses a shared secret key to reduce the number of keys needed.

C.

It allows faster encryption and decryption than symmetric methods.

D.

It enables secure data exchanges without requiring both parties to share a private key.

Full Access
Question # 254

An administrator is estimating the cost associated with an attack that could result in the replacement of a physical server. Which of the following processes is the administrator performing?

A.

Quantitative risk analysis

B.

Disaster recovery test

C.

Physical security controls review

D.

Threat modeling

Full Access
Question # 255

An employee from the accounting department logs in to the website used for processing the company ' s payments. After logging in, a new desktop application automatically downloads on the employee ' s computer and causes the computer to restart. Which of the following attacks has occurred?

A.

XSS

B.

Watering hole

C.

Typosquatting

D.

Buffer overflow

Full Access
Question # 256

The physical security team at a company receives reports that employees are not displaying their badges. The team also observes employees tailgating at controlled entrances. Which of the following topics will the security team most likely emphasize in upcoming security training?

A.

Social engineering

B.

Situational awareness

C.

Phishing

D.

Acceptable use policy

Full Access
Question # 257

A security administrator ' s account accesses company IT systems from an airport. Shortly after, the administrator ' s manager asks about critical configuration changes made by the administrator ' s account. The administrator was not aware of these changes. Which of the following attack methods did the attacker most likely use?

A.

Rogue access point

B.

Shoulder surfing

C.

Skimming

D.

Keylogger

Full Access
Question # 258

An administrator has configured a quarantine subnet for all guest devices that connect to the network. Which of the following would be best for the security team to configure on the MDM before allowing access to corporate resources?

A.

Device fingerprinting

B.

Compliance attestation

C.

NAC

D.

802.1X

Full Access
Question # 259

To which of the following security categories does an EDR solution belong?

A.

Physical

B.

Operational

C.

Managerial

D.

Technical

Full Access
Question # 260

A security analyst is evaluating a SaaS application that the human resources department would like to implement. The analyst requests a SOC 2 report from the SaaS vendor. Which of the following processes is the analyst most likely conducting?

A.

Internal audit

B.

Penetration testing

C.

Attestation

D.

Due diligence

Full Access
Question # 261

Which of the following should be used to ensure an attacker is unable to read the contents of a mobile device ' s drive if the device is lost?

A.

TPM

B.

ECC

C.

FDE

D.

HSM

Full Access
Question # 262

Which of the following involves an attempt to take advantage of database misconfigurations?

A.

Buffer overflow

B.

SQL injection

C.

VM escape

D.

Memory injection

Full Access
Question # 263

Which of the following considerations is the most important for an organization to evaluate as it establishes and maintains a data privacy program?

A.

Reporting structure for the data privacy officer

B.

Request process for data subject access

C.

Role as controller or processor

D.

Physical location of the company

Full Access
Question # 264

During a penetration test in a hypervisor, the security engineer is able to use a script to inject a malicious payload and access the host filesystem. Which of the following best describes this vulnerability?

A.

VM escape

B.

Cross-site scripting

C.

Malicious update

D.

SQL injection

Full Access
Question # 265

A data administrator is configuring authentication for a SaaS application and would like to reduce the number of credentials employees need to maintain. The company prefers to use domain credentials to access new SaaS applications. Which of the following methods would allow this functionality?

A.

SSO

B.

LEAP

C.

MFA

D.

PEAP

Full Access
Question # 266

A company is concerned about the theft of client data from decommissioned laptops. Which of the following is the most cost-effective method to decrease this risk?

A.

Wiping

B.

Recycling

C.

Shredding

D.

Deletion

Full Access