CAS-004 Questions

CAS-004 FAQs

Question #1  

An organization is referencing NIST best practices for BCP creation while reviewing current internal organizational processes for mission-essential items.

Which of the following phases establishes the identification and prioritization of critical systems and functions?

A. Review a recent gap analysis.

B. Perform a cost-benefit analysis.

C. Conduct a business impact analysis.

D. Develop an exposure factor matrix.

Correct Answer: C

Question #2  

During a remodel, a company’s computer equipment was moved to a secure storage room with cameras positioned on both sides of the door. The door is locked using a card reader issued by the security team, and only the security team and department managers have access to the room.

The company wants to be able to identify any unauthorized individuals who enter the storage room by following an authorized employee.

Which of the following processes would BEST satisfy this requirement?

A. Monitor camera footage corresponding to a valid access request.

B. Require both security and management to open the door.

C. Require department managers to review denied-access requests.

D. Issue new entry badges on a weekly basis.

Correct Answer: A

Question #3  

A disaster recovery team learned of several mistakes that were made during the last disaster recovery parallel test. Computational resources ran out at 70% of restoration of critical services.

Which of the following should be modified to prevent the issue from reoccurring?

A. Recovery point objective

B. Recovery time objective

C. Mission-essential functions

D. Recovery service level

Correct Answer: D

Question #4   

A security engineer has been asked to close all non-secure connections from the corporate network. The engineer is attempting to understand why the corporate UTM will not allow users to download email via IMAPS. The engineer formulates a theory and begins testing by creating firewall rule ID 58, after which users are able to download email correctly by using IMAP instead. The network comprises three VLANs:

The security engineer looks at the UTM firewall rules and finds the following:

Which of the following should the security engineer do to ensure IMAPS functions properly on the corporate user network?

A. Contact the email service provider and ask if the company IP is blocked.

B. Confirm the email server certificate is installed on the corporate computers.

C. Make sure the UTM certificate is imported on the corporate computers.

D. Create an IMAPS firewall rule to ensure email is allowed.

Correct Answer: B

Question #5  

A high-severity vulnerability was found on a web application and introduced to the enterprise. The vulnerability could allow an unauthorized user to utilize an open-source library to view privileged user information. The enterprise is unwilling to accept the risk, but the developers cannot fix the issue right away.

Which of the following should be implemented to reduce the risk to an acceptable level until the issue can be fixed?

A. Scan the code with a static code analyzer, change privileged user passwords, and provide security training.

B. Change privileged usernames, review the OS logs, and deploy hardware tokens.

C. Implement MFA, review the application logs, and deploy a WAF.

D. Deploy a VPN, configure an official open-source library repository, and perform a full application review for vulnerabilities.

Correct Answer: C

Question #6   

During a system penetration test, a security engineer successfully gained access to a shell on a Linux host as a standard user and wants to elevate the privilege levels.

Which of the following is a valid Linux post-exploitation method to use to accomplish this goal?

A. Spawn a shell using sudo and an escape string such as sudo vim -c '!sh'.

B. Perform ASIC password cracking on the host.

C. Read the /etc/passwd file to extract the usernames.

D. Initiate unquoted service path exploits.

E. Use the UNION operator to extract the database schema.

Correct Answer: A
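The escape in option A works because the editor runs as root under sudo and lets the user run a subprocess from inside it. The first thing a tester (or an auditor hardening sudoers) does is enumerate what sudo permits and match it against binaries with known shell escapes. The following is an added example, not part of the exam page: it parses constructed `sudo -l` output for a fictional user and flags rules whose binary has a well-known GTFOBins-style escape. The escape table is an assumption that covers only a few common binaries.

```python
"""Audit `sudo -l` output for binaries that allow a shell escape.

Added example (not from the exam page). SAMPLE_SUDO_L is constructed output for
a fictional user; SHELL_ESCAPES is a small, assumed table of well-known escapes.
"""
from __future__ import annotations

import re

# Well-known escapes (GTFOBins style): the command that yields a root shell
# when the binary itself is permitted to run as root via sudo.
SHELL_ESCAPES = {
    "vim": "sudo vim -c ':!sh'",
    "vi": "sudo vi -c ':!sh'",
    "less": "sudo less /etc/profile   (then type !sh at the prompt)",
    "more": "sudo more /etc/profile   (then type !sh at the prompt)",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
}

# Constructed `sudo -l` output, in the layout sudo prints it.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/find
    (ALL : ALL) /usr/sbin/service apache2 restart
    (root) NOPASSWD: /usr/bin/less /var/log/syslog
"""

# One sudoers rule line: "(runas) [TAG:]... /path/to/binary [args]"
_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$"
)


def parse_sudo_l(output: str) -> list[dict]:
    """Return one dict per command rule listed after the 'may run' line."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = _RULE.match(line)
        if m:
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "cmd": m.group("cmd"),
                "args": m.group("args").strip(),
            })
    return rules


def find_escapes(output: str) -> list[dict]:
    """Flag rules whose binary has a known escape to a root shell."""
    findings = []
    for rule in parse_sudo_l(output):
        binary = rule["cmd"].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            findings.append({**rule, "binary": binary, "escape": SHELL_ESCAPES[binary]})
    return findings


if __name__ == "__main__":
    for f in find_escapes(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"{f['cmd']} as ({f['runas']}, {tag}) -> {f['escape']}")
```

Note that restricting the arguments (as in the `less /var/log/syslog` rule) does not help: the escape happens after the program is already running as root. The fix on the defending side is to remove interactive editors and pagers from sudoers, or to apply sudo's `noexec` option so the program cannot spawn a child process.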

Question #7  

DRAG DROP –

An organization is planning for disaster recovery and continuity of operations.

INSTRUCTIONS –

Review the following scenarios and instructions. Match each relevant finding to the affected host.

After associating scenario 3 with the appropriate host(s), click the host to select the appropriate corrective action for that finding.

Each finding may be used more than once.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Select and Place:

Question 8  

A security analyst notices a number of SIEM events that show the following activity:

Which of the following response actions should the analyst take FIRST?

A. Disable powershell.exe on all Microsoft Windows endpoints.

B. Restart Microsoft Windows Defender.

C. Configure the forward proxy to block 40.90.23.154.

D. Disable local administrator privileges on the endpoints.

Correct Answer: C

Question 9  

A company is migrating from company-owned phones to a BYOD strategy for mobile devices. The pilot program will start with the executive management team and be rolled out to the rest of the staff in phases. The company’s Chief Financial Officer loses a phone multiple times a year.

Which of the following will MOST likely secure the data on the lost device?

A. Require a VPN to be active to access company data.

B. Set up different profiles based on the person’s risk.

C. Remotely wipe the device.

D. Require MFA to access company applications.

Correct Answer: C

Question 10   

A security engineer estimates the company’s popular web application experiences 100 attempted breaches per day. In the past four years, the company’s data has been breached two times.

Which of the following should the engineer report as the ARO for successful breaches?

A. 0.5

B. 8

C. 50

D. 36,500

Correct Answer: A

Question 11   

A junior developer is informed about the impact of new malware on an Advanced RISC Machine (ARM) CPU, and the code must be fixed accordingly. Based on the debug, the malware is able to insert itself in another process memory location.

Which of the following technologies can the developer enable on the ARM architecture to prevent this type of malware?

A. Execute never

B. No-execute

C. Total memory encryption

D. Virtual memory protection

Correct Answer: A

Question 12   

Due to locality and budget constraints, an organization’s satellite office has a lower bandwidth allocation than other offices in the organization. As a result, the local security infrastructure staff is assessing architectural options that will help preserve network bandwidth and increase speed to both internal and external resources while not sacrificing threat visibility.

Which of the following would be the BEST option to implement?

A. Distributed connection allocation

B. Local caching

C. Content delivery network

D. SD-WAN vertical heterogeneity

Correct Answer: B

Question 13  

A security architect is implementing a web application that uses a database back end. Prior to production, the architect is concerned about the possibility of XSS attacks and wants to identify security controls that could be put in place to prevent these attacks.

Which of the following sources could the architect consult to address this security concern?

A. SDLC

B. OVAL

C. IEEE

D. OWASP

Correct Answer: D

Question 14   

A company has decided to purchase a license for software that is used to operate a mission-critical process. The third-party developer is new to the industry but is delivering what the company needs at this time.

Which of the following BEST describes the reason why utilizing a source code escrow will reduce the operational risk to the company if the third party stops supporting the application?

A. The company will have access to the latest version to continue development.

B. The company will be able to force the third-party developer to continue support.

C. The company will be able to manage the third-party developer’s development process.

D. The company will be paid by the third-party developer to hire a new development team.

Correct Answer: A

Question 15   

An organization recently started processing, transmitting, and storing its customers’ credit card information. Within a week of doing so, the organization suffered a massive breach that resulted in the exposure of the customers’ information.

Which of the following provides the BEST guidance for protecting such information while it is at rest and in transit?

A. NIST

B. GDPR

C. PCI DSS

D. ISO

Correct Answer: C

Question 16   

A company has hired a security architect to address several service outages on the endpoints due to new malware. The Chief Executive Officer’s laptop was impacted while working from home. The goal is to prevent further endpoint disruption. The edge network is protected by a web proxy.

Which of the following solutions should the security architect recommend?

A. Replace the current antivirus with an EDR solution.

B. Remove the web proxy and install a UTM appliance.

C. Implement a deny list feature on the endpoints.

D. Add a firewall module on the current antivirus solution.

Correct Answer: A

Question 17   

An organization is designing a network architecture that must meet the following requirements:

✑ Users will only be able to access predefined services.

✑ Each user will have a unique allow list defined for access.

✑ The system will construct one-to-one subject/object access paths dynamically.

Which of the following architectural designs should the organization use to meet these requirements?

A. Peer-to-peer secure communications enabled by mobile applications

B. Proxied application data connections enabled by API gateways

C. Microsegmentation enabled by software-defined networking

D. VLANs enabled by network infrastructure devices

Correct Answer: C

Question 18  

A pharmaceutical company recently experienced a security breach within its customer-facing web portal. The attackers performed a SQL injection attack and exported tables from the company’s managed database, exposing customer information.

The company hosts the application with a CSP utilizing the IaaS model. Which of the following parties is ultimately responsible for the breach?

A. The pharmaceutical company

B. The cloud software provider

C. The web portal software vendor

D. The database software vendor

Correct Answer: A

Question 19   

A review of the past year’s attack patterns shows that attackers stopped reconnaissance after finding a susceptible system to compromise. The company would like to find a way to use this information to protect the environment while still gaining valuable attack information.

Which of the following would be BEST for the company to implement?

A. A WAF

B. An IDS

C. A SIEM

D. A honeypot

Correct Answer: D

Question 20   

A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack.

Which of the following is the NEXT step of the incident response plan?

A. Remediation

B. Containment

C. Response

D. Recovery

Correct Answer: B

Question 21   

An organization is developing a disaster recovery plan that requires data to be backed up and available at a moment’s notice.

Which of the following should the organization consider FIRST to address this requirement?

A. Implement a change management plan to ensure systems are using the appropriate versions.

B. Hire additional on-call staff to be deployed if an event occurs.

C. Design an appropriate warm site for business continuity.

D. Identify critical business processes and determine associated software and hardware requirements.

Correct Answer: D

Question 22  

A local government that is investigating a data exfiltration claim was asked to review the fingerprint of the malicious user’s actions. An investigator took a forensic image of the VM and downloaded the image to a secured USB drive to share with the government.

Which of the following should be taken into consideration during the process of releasing the drive to the government?

A. Encryption in transit

B. Legal issues

C. Chain of custody

D. Order of volatility

E. Key exchange

Correct Answer: C

Question 23  

A company’s Chief Information Officer wants to implement IDS software onto the current system’s architecture to provide an additional layer of security. The software must be able to monitor system activity, provide information on attempted attacks, and provide analysis of malicious activities to determine the processes or users involved.

Which of the following would provide this information?

A. HIPS

B. UEBA

C. HIDS

D. NIDS

Correct Answer: C

Question 24   

A security consultant needs to set up wireless security for a small office that does not have Active Directory. Despite the lack of central account management, the office manager wants to ensure a high level of defense to prevent brute-force attacks against wireless authentication.

Which of the following technologies would BEST meet this need?

A. Faraday cage

B. WPA2 PSK

C. WPA3 SAE

D. WEP 128 bit

Correct Answer: C

Question 25   

A security consultant needs to protect a network of electrical relays that are used for monitoring and controlling the energy used in a manufacturing facility.

Which of the following systems should the consultant review before making a recommendation?

A. CAN

B. ASIC

C. FPGA

D. SCADA

Correct Answer: D

Question 26  

A security architect for a large, multinational manufacturer needs to design and implement a security solution to monitor traffic.

When designing the solution, which of the following threats should the security architect focus on to prevent attacks against the OT network?

A. Packets that are the wrong size or length

B. Use of any non-DNP3 communication on a DNP3 port

C. Multiple solicited responses over time

D. Application of an unsupported encryption algorithm

Correct Answer: B

Question 27

A company’s Chief Information Security Officer is concerned that the company’s proposed move to the cloud could lead to a lack of visibility into network traffic flow logs within the VPC.

Which of the following compensating controls would be BEST to implement in this situation?

A. EDR

B. SIEM

C. HIDS

D. UEBA

Correct Answer: B

Question 28  

A company wants to quantify and communicate the effectiveness of its security controls but must establish measures. Which of the following is MOST likely to be included in an effective assessment roadmap for these controls?

A. Create a change management process.

B. Establish key performance indicators.

C. Create an integrated master schedule.

D. Develop a communication plan.

E. Perform a security control assessment.

Correct Answer: B

Question 29   

A security architect needs to implement a CASB solution for an organization with a highly distributed remote workforce. One of the requirements for the implementation includes the capability to discover SaaS applications and block access to those that are unapproved or identified as risky.

Which of the following would BEST achieve this objective?

A. Deploy endpoint agents that monitor local web traffic to enforce DLP and encryption policies.

B. Implement cloud infrastructure to proxy all user web traffic to enforce DLP and encryption policies.

C. Implement cloud infrastructure to proxy all user web traffic and control access according to centralized policy.

D. Deploy endpoint agents that monitor local web traffic and control access according to centralized policy.

Correct Answer: C

Question 30   

A company based in the United States holds insurance details of EU citizens. Which of the following must be adhered to when processing EU citizens’ personal, private, and confidential data?

A. The principle of lawful, fair, and transparent processing

B. The right to be forgotten principle of personal data erasure requests

C. The non-repudiation and deniability principle

D. The principle of encryption, obfuscation, and data masking

Correct Answer: A

Question 31   

A large number of emails have been reported, and a security analyst is reviewing the following information from the emails:

As part of the triage process, which of the following is the FIRST step the analyst should take?

A. Block the email address carl.b@comptia1.com, as it is sending spam to subject matter experts.

B. Validate the final "Received" header against the DNS entry of the domain.

C. Compare the "Return-Path" and "Received" fields.

D. Ignore the emails, as SPF validation is successful, and it is a false positive.

Correct Answer: B
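The reasoning behind B: the topmost Received header is the one your own MX wrote when the sending server connected, so it is the only hop whose claimed hostname and IP you can check against DNS. Everything below it, including an Authentication-Results line showing spf=pass, could have been injected by the sender. The following is an added example, not part of the exam page: it parses a constructed raw message (the sender address carl.b@comptia1.com is the one from the question; the hosts, IPs and DNS table are made up), checks the final hop against a stand-in resolver, and compares the Return-Path domain with the final hop's claimed name.

```python
"""Email header triage: check the final Received hop against DNS and compare
Return-Path with the Received chain.

Added example (not from the exam page). SAMPLE_RAW and FAKE_DNS are constructed;
replace `lookup` with a real resolver (e.g. socket.gethostbyname) for live mail.
"""
from __future__ import annotations

import email
import re

SAMPLE_RAW = """\
Return-Path: <carl.b@comptia1.com>
Received: from mail.comptia1.com (unknown [198.51.100.23])
\tby mx.example.org with ESMTP id 4Fz7Qk; Mon, 3 Jun 2024 10:14:02 +0000
Received: from webmail (localhost [127.0.0.1])
\tby mail.comptia1.com with ESMTP; Mon, 3 Jun 2024 10:13:59 +0000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=comptia1.com
From: Carl B <carl.b@comptia1.com>
To: sme@example.org
Subject: Urgent: updated invoice
Content-Type: text/plain

Please review the attached invoice.
"""

# Constructed stand-in for forward DNS lookups.
FAKE_DNS = {
    "mail.comptia1.com": "203.0.113.10",
    "mx.example.org": "192.0.2.25",
}

# "from <helo> (<rdns> [<ip>]) by <host>" as most MTAs write it.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def received_hops(raw: str) -> list[dict]:
    """Parse every Received header, topmost (final hop) first; folds are flattened."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())
        m = RECEIVED_FROM.search(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def return_path_domain(raw: str) -> str | None:
    """Envelope sender domain from Return-Path, lower-cased."""
    msg = email.message_from_string(raw)
    m = re.search(r"@([\w.-]+)", msg.get("Return-Path", ""))
    return m.group(1).lower() if m else None


def triage(raw: str, lookup) -> list[str]:
    """Return findings; an empty list means the headers are self-consistent.

    lookup(hostname) -> IP string or None.
    """
    findings = []
    hops = received_hops(raw)
    if not hops:
        return ["no parsable Received headers"]
    final = hops[0]  # written by our own MX: the only hop we can trust

    # Check 1 (option B): the name the connecting server announced must
    # resolve to the IP it actually connected from.
    resolved = lookup(final["helo"])
    if resolved != final["ip"]:
        findings.append(
            f"final hop claims {final['helo']} (resolves to {resolved}) "
            f"but connected from {final['ip']}"
        )

    # Check 2 (option C): envelope sender domain vs. the final hop's claimed
    # name. Uses the last two labels as the registrable domain, a
    # simplification that is wrong for names like example.co.uk.
    rp_dom = return_path_domain(raw)
    helo_dom = ".".join(final["helo"].lower().split(".")[-2:])
    if rp_dom and not rp_dom.endswith(helo_dom):
        findings.append(f"Return-Path domain {rp_dom} does not match final hop {final['helo']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RAW, FAKE_DNS.get) or ["no findings"]:
        print(line)
```

In the constructed message the sender announces itself as mail.comptia1.com but connects from an address that name does not resolve to, so check 1 fires even though an spf=pass line is present; that is exactly why option D (trusting the SPF result) is not the first step. The same message with a matching IP produces no findings.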

Question 32  

An organization requires a legacy system to incorporate reference data into a new system. The organization anticipates the legacy system will remain in operation for the next 18 to 24 months. Additionally, the legacy system has multiple critical vulnerabilities with no patches available to resolve them. Which of the following is the BEST design option to optimize security?

A. Limit access to the system using a jump box.

B. Place the new system and legacy system on separate VLANs.

C. Deploy the legacy application on an air-gapped system.

D. Implement MFA to access the legacy system.

Correct Answer: B

Question #33  

A healthcare system recently suffered from a ransomware incident. As a result, the board of directors decided to hire a security consultant to improve existing network security. The security consultant found that the healthcare network was completely flat, had no privileged access limits, and had open RDP access to servers with personal health information. As the consultant builds the remediation plan, which of the following solutions would BEST solve these challenges?

(Choose three.)

A. SD-WAN

B. PAM

C. Remote access VPN

D. MFA

E. Network segmentation

F. BGP

G. NAC

Correct Answer: BDE

Question 34   

An attacker infiltrated the code base of a hardware manufacturer and inserted malware before the code was compiled. The malicious code is now running at the hardware level across a number of industries and sectors. Which of the following categories BEST describes this type of vendor risk?

A. SDLC attack

B. Side-load attack

C. Remote code signing

D. Supply chain attack

Correct Answer: D

Question 35   

A software development company makes its software version available to customers from a web portal. On several occasions, hackers were able to access the software repository to change the package that is automatically published on the website. Which of the following would be the BEST technique to ensure the software the users download is the official software released by the company?

A. Distribute the software via a third-party repository.

B. Close the web repository and deliver the software via email.

C. Email the software link to all customers.

D. Display the SHA checksum on the website.

Correct Answer: D
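A published checksum only helps if the user actually verifies it, and it only detects a swapped package when the attacker could not also rewrite the page that shows the hash. The following is an added example, not part of the exam page: it implements the `sha256sum -c` style check a customer would run against a checksum listing in the format `<hex digest>  <filename>`. The package bytes and the listing are constructed.

```python
"""Verify a downloaded package against a published SHA-256 checksum listing.

Added example (not from the exam page). OFFICIAL_PACKAGE, TAMPERED_PACKAGE and
PUBLISHED_SUMS are constructed; the listing format mirrors what `sha256sum`
emits ("<hex>  <filename>", or "<hex> *<filename>" for binary mode).
"""
from __future__ import annotations

import hashlib
import hmac

PACKAGE_NAME = "app-1.4.2.tar.gz"

# Constructed stand-ins for the real release and for a package an attacker
# swapped in on the portal (same name, different content).
OFFICIAL_PACKAGE = b"\x1f\x8b\x08\x00" + b"official release contents" * 64
TAMPERED_PACKAGE = b"\x1f\x8b\x08\x00" + b"official release contents" * 64 + b"\x90\x90\xcc"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole byte string (stream in chunks for real files)."""
    return hashlib.sha256(data).hexdigest()


# What the vendor publishes next to the download link (generated from the
# official bytes here; in practice it is produced on the release host).
PUBLISHED_SUMS = (
    "# SHA256SUMS for release 1.4.2\n"
    f"{sha256_hex(OFFICIAL_PACKAGE)}  {PACKAGE_NAME}\n"
)


def parse_sums(listing: str) -> dict[str, str]:
    """Parse sha256sum-style lines into {filename: lowercase hex digest}."""
    sums: dict[str, str] = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify(name: str, data: bytes, listing: str) -> bool:
    """True only if `name` appears in the listing and its digest matches `data`."""
    expected = parse_sums(listing).get(name)
    if expected is None:
        return False
    # Constant-time comparison; not strictly needed for a public hash, but it
    # costs nothing and avoids a habit of == on digests.
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    print("official :", verify(PACKAGE_NAME, OFFICIAL_PACKAGE, PUBLISHED_SUMS))
    print("tampered :", verify(PACKAGE_NAME, TAMPERED_PACKAGE, PUBLISHED_SUMS))
```

The caveat a practitioner would add: because the attackers here already had write access to the repository that feeds the website, a checksum generated by that same pipeline can be replaced along with the package. The checksum answers the question as asked, but the durable control is a detached signature over the release (GPG or a transparency-log based signer) made with a key that the publishing pipeline does not hold, so that a swapped package fails verification even when the page is attacker-controlled.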

Question 36  

A security analyst is reviewing the following vulnerability assessment report:

Which of the following should be patched FIRST to minimize attacks against Internet-facing hosts?

A. Server1

B. Server2

C. Server3

D. Server4

Correct Answer: B

Question 37   

A company wants to improve its active protection capabilities against unknown and zero-day malware. Which of the following is the MOST secure solution?

A. NIDS

B. Application allow list

C. Sandbox detonation

D. Endpoint log collection

E. HIDS

Correct Answer: C

Question 38   

An organization collects personal data from its global customers. The organization determines how that data is going to be used, why it is going to be used, and how it is manipulated for business processes. Which of the following will the organization need in order to comply with GDPR?

(Choose two.)

A. Data processor

B. Data custodian

C. Data owner

D. Data steward

E. Data controller

F. Data manager

Correct Answer: AE

Question 39   

A developer wants to develop a secure, external-facing web application. The developer is looking for an online community that produces tools, methodologies, articles, and documentation in the field of web-application security. Which of the following is the BEST option?

A. ICANN

B. PCI DSS

C. OWASP

D. CSA

E. NIST

Correct Answer: C

Question 40   

Due to adverse events, a medium-sized corporation suffered a major operational disruption that caused its servers to crash and experience a major power outage. Which of the following should be created to prevent this type of issue in the future?

A. SLA

B. BIA

C. BCM

D. BCP

E. RTO

Correct Answer: D

Question 41  

A security analyst sees that a hacker has discovered some keys and they are being made available on a public website. The security analyst is then able to successfully decrypt that data using the keys from the website. Which of the following should the security analyst recommend to protect the affected data?

A. Key rotation

B. Key escrow

C. Zeroization

D. Cryptographic obfuscation

Correct Answer: A

Question 42  

A security administrator has been tasked with hardening a domain controller against lateral movement attacks. Below is an output of running services:

Which of the following configuration changes must be made to complete this task?

A. Stop the Print Spooler service and set the startup type to disabled.

B. Stop the DNS Server service and set the startup type to disabled.

C. Stop the Active Directory Web Services service and set the startup type to disabled.

D. Stop Credential Manager service and leave the startup type to disabled.

Correct Answer: A

Question 43   

A product manager at a new company needs to ensure the development team produces high-quality code on time. The manager has decided to implement an agile development approach instead of waterfall. Which of the following are reasons to choose an agile development approach?

(Choose two.)

A. The product manager gives the developers more autonomy to write quality code prior to deployment.

B. An agile approach incorporates greater application security in the development process than a waterfall approach does.

C. The scope of work is expected to evolve during the lifetime of project development.

D. The product manager prefers to have code iteratively tested throughout development.

E. The product manager would like to produce code in linear phases.

F. Budgeting and creating a timeline for the entire project is often more straightforward using an agile approach rather than waterfall.

Correct Answer: CD

Question 44   

An organization’s threat team is creating a model based on a number of incidents in which systems in an air-gapped location are compromised.

Physical access to the location and logical access to the systems are limited to administrators and select, approved, on-site company employees.

Which of the following is the BEST strategy to reduce the risks of data exposure?

A. NDAs

B. Mandatory access control

C. NIPS

D. Security awareness training

Correct Answer: B

Question 45   

A security analyst runs a vulnerability scan on a network administrator’s workstation. The network administrator has direct administrative access to the company’s SSO web portal. The vulnerability scan uncovers critical vulnerabilities with equally high CVSS scores for the user’s browser, OS, email client, and an offline password manager. Which of the following should the security analyst patch FIRST?

A. Email client

B. Password manager

C. Browser

D. OS

Correct Answer: B

Question 46   

A firewall administrator needs to ensure all traffic across the company network is inspected. The administrator gathers data and finds the following information regarding the typical traffic in the network:

Which of the following is the BEST solution to ensure the administrator can complete the assigned task?

A. A full-tunnel VPN

B. Web content filtering

C. An endpoint DLP solution

D. SSL/TLS decryption

Correct Answer: D

Question 47   

An organization is looking to establish more robust security measures by implementing PKI. Which of the following should the security analyst implement when considering mutual authentication?

A. Perfect forward secrecy on both endpoints

B. Shared secret for both endpoints

C. Public keys on both endpoints

D. A common public key on each endpoint

E. A common private key on each endpoint

Correct Answer: C

Question 48   

Which of the following is used to assess compliance with internal and external requirements?

A. RACI matrix

B. Audit report

C. After-action report

D. Business continuity plan

Correct Answer: B

Question 49   

A security analyst is using data provided from a recent penetration test to calculate CVSS scores to prioritize remediation. Which of the following metric groups would the analyst need to determine to get the overall scores? (Choose three.)

A. Temporal

B. Availability

C. Integrity

D. Confidentiality

E. Base

F. Environmental

G. Impact

H. Attack vector

Correct Answer: EGH

Question 50   

A company has received threat intelligence about bad routes being advertised. The company has also been receiving reports of degraded internet activity. When looking at the routing table on the edge router, a security engineer discovers the following:

Which of the following can the company implement to prevent receiving bad routes from peers, while still allowing dynamic updates?

A. OSPF prefix list

B. BGP prefix list

C. EIGRP prefix list

D. DNS

Correct Answer: B

Question 51   

Which of the following is the MOST important cloud-specific risk from the CSP’s viewpoint?

A. CI/CD deployment failure

B. Management plane breach

C. Insecure data deletion

D. Resource exhaustion

Correct Answer: D

Question 52  

A software assurance analyst reviews an SSH daemon’s source code and sees the following:

Based on this code snippet, which of the following attacks is MOST likely to succeed?

A. Race condition

B. Cross-site scripting

C. Integer overflow

D. Driver shimming

Correct Answer: C

Question 53   

A significant weather event caused all systems to fail over to the disaster recovery site successfully. However, successful data replication has not occurred in the last six months, which has resulted in the service being unavailable. Which of the following would BEST prevent this scenario from happening again?

A. Performing routine tabletop exercises

B. Implementing scheduled, full interruption tests

C. Backing up system log reviews

D. Performing department disaster recovery walk-throughs

Correct Answer: B

Question 54   

An architect is designing a security scheme for an organization that is concerned about APTs. Any proposed architecture must meet the following requirements:

• Services must be able to be reconstituted quickly from a known-good state.

• Network services must be designed to ensure multiple diverse layers of redundancy.

• Defensive and responsive actions must be automated to reduce human operator demands.

Which of the following designs must be considered to ensure the architect meets these requirements? (Choose three.)

A. Increased efficiency by embracing advanced caching capabilities

B. Geographic distribution of critical data and services

C. Hardened and verified container usage

D. Emulated hardware architecture usage

E. Establishment of warm and hot sites for continuity of operations

F. Heterogeneous architecture

G. Deployment of IPS services that can identify and block malicious traffic

H. Implementation and configuration of a SOAR

Correct Answer: EFH
