https://www.udemy.com/course/comptia-security-sy0-701-comprehensive-practice-exams-2024/learn/quiz/6350080#overview
CompTIA Security+ SY0-701 Full-Length Practice Exam 1 (90 questions) – Results
Question 1 (Skipped)
A company has established an email client on the network using POP3. The company wants a way to digitally sign all emails leaving the organization to uphold its worldwide reputation. Which of the following BEST describes this process?
SPF
Explanation
SPF (Sender Policy Framework) is a protocol used to prevent email spoofing by verifying that the sender’s email server is authorized to send emails on behalf of a specific domain. While SPF helps with email authentication, it does not provide the digital signing of emails that DKIM does.
DMARC
Explanation
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that builds on SPF and DKIM to provide additional email authentication and reporting capabilities. While DMARC helps prevent email spoofing and phishing attacks, it does not directly handle the digital signing of emails like DKIM does.
Correct answer
DKIM
Explanation
DKIM (DomainKeys Identified Mail) is a method used to digitally sign outgoing emails to verify the authenticity of the sender and ensure the integrity of the message. By adding a digital signature to each outgoing email, DKIM helps prevent email tampering and forgeries, making it the best choice for digitally signing emails leaving the organization.
RADIUS
Explanation
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol used for centralized authentication, authorization, and accounting for network access. While RADIUS is essential for network security and access control, it is not related to digitally signing emails for authentication and integrity purposes like DKIM.
Domain
1.0 General Security Concepts
Question 2 (Skipped)
A shipping company is using Active Directory as a means to manage their internal devices. The company needs to push out a feature to all Windows-based tablets in the organization. Which of the following would BEST permit this?
SASE
Explanation
SASE (Secure Access Service Edge) is a cloud-based security service that combines network security functions with wide-area networking capabilities to support the dynamic secure access needs of organizations. While SASE can provide secure access to resources, it is not specifically designed for pushing out features to Windows-based tablets in an Active Directory environment.
Correct answer
Group policy
Explanation
Group Policy is a feature of Microsoft Windows that provides centralized management and configuration of operating systems, applications, and user settings. It is commonly used in Active Directory environments to push out settings, configurations, and features to devices within the network. Group Policy would be the best option for pushing out a feature to all Windows-based tablets in the organization.
EAP
Explanation
EAP (Extensible Authentication Protocol) is an authentication framework frequently used in wireless networks and point-to-point connections. While EAP plays a role in network authentication, it is not directly related to pushing out features to Windows-based tablets in an Active Directory environment.
RADIUS
Explanation
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting management for network access. While RADIUS can be used for authentication purposes, it is not the most suitable option for pushing out features to Windows-based tablets in an Active Directory environment.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 3 (Skipped)
A company CEO wants to detect any movement occurring in large-distance areas. Which of the following technologies would BEST meet these requirements?
Pressure sensor
Explanation
Pressure sensors are typically used to detect changes in pressure, such as on doors and windows. They are not designed to detect movement in large-distance areas, making them not the best option for the organization’s requirements.
Correct answer
Microwave sensor
Explanation
Microwave sensors are ideal for detecting movement in large-distance areas. They emit microwave signals and measure the reflections to detect any changes in movement. This technology is commonly used in security systems for its effectiveness in detecting motion over a wide area.
Ultrasonic sensor
Explanation
Ultrasonic sensors use sound waves to detect objects or movement within a certain range. While they can be effective in specific applications, they are not the best choice for detecting movement in large-distance areas as they have limitations in range and coverage.
Infrared sensor
Explanation
Infrared sensors detect heat signatures and are commonly used for motion detection in security systems. However, they may not be the best option for detecting movement in large-distance areas as their range and coverage may be limited compared to microwave sensors.
Domain
3.0 Security Architecture
Question 4 (Skipped)
A cybersecurity firm is having its systems tested by a penetration tester. The penetration tester discovers SMBv1 running as a vulnerable service across all Windows devices. Which of the following is the organization MOST vulnerable to?
Rootkit
Explanation
A rootkit is a type of malicious software that is designed to hide its presence or control over a system by concealing its activities from the user or administrator. While SMBv1 running as a vulnerable service can potentially be exploited by a rootkit, it is not the most likely vulnerability in this scenario.
Correct answer
Worm
Explanation
A worm is a type of malware that can self-replicate and spread across a network without requiring user interaction. If SMBv1 is running as a vulnerable service on all Windows devices in the organization, it can be exploited by various worms such as the infamous WannaCry worm to rapidly propagate and infect other devices, making the organization most vulnerable to a worm attack.
Logic bomb
Explanation
A logic bomb is a type of malware that is triggered by a specific event or condition, such as a particular date or time. While SMBv1 running as a vulnerable service can potentially be exploited by a logic bomb, it is not the most likely vulnerability in this scenario.
Virus
Explanation
A virus is a type of malware that can replicate itself by attaching to other programs or files. While SMBv1 running as a vulnerable service can potentially be exploited by a virus, it is not the most likely vulnerability in this scenario compared to a worm that can spread rapidly across the network.
Domain
4.0 Security Operations
Question 5 (Skipped)
A system administrator is noticing several malware outbreaks with competitors from an infamous ransomware infecting the network. There is no patch readily available to the public. Which of the following describes the BEST course of action for the administrator to take to prevent further infection?
Antivirus updated on all endpoints
Explanation
Updating the antivirus on all endpoints is a good practice to protect against known malware and viruses. However, in this scenario where a new and unknown ransomware is infecting the network with no public patch available, relying solely on antivirus updates may not be sufficient to prevent further infection.
Correct answer
Isolation
Explanation
Isolation is the best course of action in this scenario to prevent further infection. By isolating the infected systems or segments of the network, the spread of the ransomware can be contained, limiting its impact on the rest of the network until a solution or patch becomes available.
Disable ports and services
Explanation
Disabling ports and services can help reduce the attack surface and limit the potential entry points for malware. While this can be a good security practice, it may not be as effective in preventing further infection in a scenario where a new and unknown ransomware is already spreading through the network.
Offline backups
Explanation
Having offline backups is essential for data recovery in case of a ransomware attack. While offline backups are crucial for restoring data after an infection, they do not directly prevent further infection or stop the spread of the ransomware within the network.
Domain
5.0 Security Program Management and Oversight
Question 6 (Skipped)
A group of selected individuals has been tasked to complete a function and present the results afterwards. Which of the following is being described?
Correct answer
Committees
Explanation
Committees are groups of selected individuals who are tasked with completing a specific function or project. They work together to achieve a common goal and present the results of their work afterwards. This aligns with the description provided in the question.
Board
Explanation
Boards typically refer to a group of individuals who oversee the operations of an organization or company. While they may have specific functions and responsibilities, they are not typically tasked with completing a function and presenting results afterwards.
Government entities
Explanation
Government entities are organizations or agencies within the government that have specific roles and responsibilities. While they may work on functions and projects, they are not typically referred to as groups of selected individuals tasked with completing a function and presenting results afterwards.
Tabletop
Explanation
Tabletop exercises are simulations or discussions that are used to practice and evaluate a specific scenario or response plan. They are not typically groups of selected individuals tasked with completing a function and presenting results afterwards.
Domain
5.0 Security Program Management and Oversight
Question 7 (Skipped)
A network administrator is describing the process of creating systems and processes suboptimally which require changes later down the road, leading to the fear that systems will stop working at any moment. Which of the following BEST describes this process?
Guard rails
Explanation
Guard rails refer to the practices and tools put in place to ensure that automated processes and systems operate within defined parameters and guidelines. It is not directly related to the scenario described in the question.
SCAP
Explanation
SCAP (Security Content Automation Protocol) is a standardized method for expressing and assessing security-related information in standardized ways. It is not directly related to the scenario described in the question.
Key stretching
Explanation
Key stretching is a technique used to make cryptographic keys more secure by increasing the time it takes to brute force them. It is not directly related to the scenario described in the question.
Correct answer
Technical debt
Explanation
Technical debt refers to the consequences of choosing an easy solution now instead of a better solution that would take longer. It often leads to suboptimal systems and processes that require changes later, causing fear that systems may stop working at any moment. This best describes the process described in the question.
Domain
4.0 Security Operations
Question 8 (Skipped)
A data owner is handling specific data types and encounters data that states it needs to abide by government law and industry standards. Which of the following BEST meets this requirement?
Restricted
Explanation
Restricted data typically refers to data that has limitations on who can access it within an organization. While restricted data may have certain access controls, it does not necessarily imply compliance with government laws or regulations.
Private
Explanation
Private data is data that is intended to be kept confidential and only accessed by authorized individuals. While privacy is important, it does not specifically address the requirement to abide by government laws or regulations.
Correct answer
Regulated
Explanation
Regulated data refers to data that is subject to specific government laws, regulations, or industry standards. In this case, the data owner must ensure that the handling of this data complies with the relevant regulations to avoid legal consequences.
Sensitive
Explanation
Sensitive data is data that requires special protection due to its importance or potential impact if compromised. While sensitive data should be handled carefully, it does not explicitly address the requirement to abide by government laws or regulations.
Domain
3.0 Security Architecture
Question 9 (Skipped)
Please fill the blank field(s) in the statement with the right words.
The solution to preventing injection-based attacks in almost every scenario is to implement input __
Correct answer
validation
Explanation
The solution to preventing injection-based attacks such as SQL injection in almost every scenario is input validation or sanitization.
Domain
4.0 Security Operations
Question 10 (Skipped)
An organization is monitoring the logs of all endpoint devices through sensors and collectors. The administrator receives an alert that a user who had logged in 40 minutes ago from the US had recently logged in from Chile. Which of the following BEST describes this process?
Out-of-cycle logging
Explanation
Out-of-cycle logging typically refers to logging events that occur outside of the regular logging cycle or schedule. It does not specifically describe the scenario where a user logs in from two different locations within a short period of time.
Concurrent session usage
Explanation
Concurrent session usage refers to the ability of a user to have multiple active sessions or logins at the same time. While this choice is related to multiple logins, it does not accurately describe the scenario where a user logs in from geographically distant locations within a short time frame.
Correct answer
Impossible travel
Explanation
Impossible travel is the most appropriate term to describe the scenario where a user logs in from two locations that are geographically distant within a short period of time. This term highlights the potential security risk of unauthorized access or compromised credentials.
Account lockout
Explanation
Account lockout refers to a security measure that locks a user account after a certain number of failed login attempts to prevent unauthorized access. It is not directly related to the scenario where a user logs in from different locations within a short time frame.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 11 (Skipped)
Which of the following BEST describes the prime motivator for hacktivists?
Correct answer
Philosophical/political
Explanation
Hacktivists are primarily motivated by political or philosophical beliefs. They aim to use their hacking skills to promote a specific cause or ideology, often targeting organizations or individuals that they perceive as going against their beliefs.
Data exfiltration
Explanation
Data exfiltration is not the primary motivator for hacktivists. While they may engage in activities that involve stealing or leaking data, their main goal is usually to make a political or ideological statement rather than to profit from the stolen information.
Disruption/chaos
Explanation
Disruption and chaos can be a tactic used by hacktivists to achieve their goals, but it is not their primary motivator. Hacktivists typically seek to disrupt systems or services as a means of drawing attention to their cause or sending a message.
Financial gain
Explanation
Financial gain is not a common motivator for hacktivists. Unlike cybercriminals who are motivated by monetary rewards, hacktivists are driven by political or ideological reasons and do not typically seek financial benefits from their activities.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 12 (Skipped)
A network administrator wants to implement network segmentation to prevent malware from spreading to all systems in the event of an outbreak. Which of the following BEST describes this approach?
Correct answer
Screened subnet
Explanation
A screened subnet, also known as a demilitarized zone (DMZ), is a network segment that sits between an internal network and an external network, such as the internet. It provides an additional layer of security by isolating certain systems from the rest of the network, making it an effective solution for network segmentation during a malware outbreak to prevent widespread infection.
VPN
Explanation
A VPN (Virtual Private Network) is used to create a secure, encrypted connection between two networks over the internet. While VPNs are essential for secure remote access, they do not provide network segmentation within the internal network to contain a malware outbreak. Therefore, it is not the most suitable option for this specific requirement.
XDR
Explanation
XDR (Extended Detection and Response) is a security solution that integrates multiple security tools to provide centralized visibility and automated response to threats across different security layers. While XDR is valuable for threat detection and response, it does not inherently provide network segmentation to contain a malware outbreak within a specific network segment.
VLAN
Explanation
A VLAN (Virtual Local Area Network) is a logical segmentation of a network that allows devices to be grouped together based on factors such as department, function, or security requirements. While VLANs can help with network segmentation, they do not provide the same level of isolation and security as a screened subnet (DMZ) would during a malware outbreak scenario.
Domain
4.0 Security Operations
Question 13 (Skipped)
A malware analyst is analyzing the behavior of a well-known malware variant. The analyst observes the following upon executing a file:

Which of the following BEST describes this malware?
Logic bomb
Explanation
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. It is not typically associated with the behavior described in the question, which involves encrypting files and demanding a ransom.
Trojan
Explanation
A Trojan is a type of malware that disguises itself as a legitimate file or software to trick users into downloading and executing it. While Trojans can have various malicious functions, the behavior described in the question, such as encrypting files and demanding a ransom, is more commonly associated with ransomware.
Worm
Explanation
A worm is a type of malware that can self-replicate and spread independently to other computers over a network. While worms can have destructive capabilities, the behavior described in the question, such as encrypting files and demanding a ransom, is more characteristic of ransomware.
Correct answer
Ransomware
Explanation
Ransomware is a type of malware that encrypts a victim’s files and demands payment, usually in cryptocurrency, in exchange for the decryption key. The behavior described in the question, such as encrypting files and demanding a ransom, aligns with the characteristics of ransomware.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 14 (Skipped)
Individuals from the marketing department in an organization have disabled the antivirus as they stated it slows down computers when enabled. Shortly after, a hacker installed ransomware on a system and pivoted to other devices on the network. Which of the following BEST describes the process taken by the department?
Malicious code
Explanation
Malicious code refers to any code or software that is designed to cause harm, such as ransomware. While the hacker installed ransomware on the system, the disabling of the antivirus by the marketing department does not directly relate to the creation or distribution of the malicious code itself.
Insider threat
Explanation
An insider threat typically refers to a current or former employee, contractor, or business partner who has access to an organization’s network and intentionally misuses that access to cause harm. In this scenario, the marketing department disabling the antivirus does not align with the typical motivations or actions of an insider threat.
Unskilled attacker
Explanation
An unskilled attacker may lack the technical knowledge or expertise to successfully carry out a cyber attack. However, in this case, the hacker was able to install ransomware on a system and pivot to other devices on the network, indicating a level of skill and knowledge beyond that of an unskilled attacker.
Correct answer
Shadow IT
Explanation
Shadow IT refers to the use of unauthorized or unapproved software, applications, or devices within an organization. In this scenario, the marketing department disabling the antivirus without proper authorization can be considered an example of Shadow IT, as it bypasses established security protocols and puts the organization at risk.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 15 (Skipped)
A natural disaster recently impacted an organization, causing most systems to go offline. The company quickly transitioned to a secondary location, hoping to resume operations. While racks and power are available, no other systems are currently set up at this site. Which of the following BEST describes this site?
Correct answer
Cold
Explanation
A cold site is a secondary location that provides only the basic physical infrastructure, such as power and racks, but does not have any pre-configured systems or data in place. It is typically the least expensive option for disaster recovery but requires more time and effort to bring systems back online.
Warm
Explanation
A warm site is a secondary location that has some pre-configured systems and data in place, but not all. It is a middle-ground option between a cold site and a hot site in terms of cost and recovery time. In this scenario, where only racks and power are available, it does not fit the description of a warm site.
Hot
Explanation
A hot site is a secondary location that is fully equipped with pre-configured systems, data, and infrastructure to quickly resume operations in the event of a disaster. It is the most expensive option for disaster recovery but offers the quickest recovery time. The scenario described does not match the characteristics of a hot site.
Geographic dispersion
Explanation
Geographic dispersion refers to the practice of spreading critical systems and data across multiple locations to ensure redundancy and availability in the event of a disaster. While geographic dispersion is a good practice for resilience, the scenario described focuses on a single secondary location with basic infrastructure, rather than multiple dispersed locations.
Domain
3.0 Security Architecture
Question 16 (Skipped)
A startup company is creating a document outlining the steps to recover from a malware infection, detailing who will respond, the actions to take, and which systems to disconnect. Which of the following BEST describes this document?
Policy enforcement point
Explanation
A policy enforcement point (PEP) is a network device or software that controls access to resources based on policies. It is not the best description for a document outlining steps to recover from a malware infection.
Correct answer
Playbook
Explanation
A playbook is a document that outlines the steps to be taken in response to specific incidents or events. In this case, a playbook detailing the steps to recover from a malware infection, including who will respond, actions to take, and systems to disconnect, is the most appropriate description.
Acceptable use policy
Explanation
An acceptable use policy (AUP) is a document that outlines the acceptable use of technology resources within an organization. It is not the best description for a document detailing steps to recover from a malware infection.
Diagram
Explanation
A diagram is a visual representation of information, typically showing relationships between different components or systems. While a diagram could be included in a document outlining steps to recover from a malware infection, it does not best describe the overall purpose of the document.
Domain
5.0 Security Program Management and Oversight
Question 17 (Skipped)
A company is implementing a plan in advance which contains information regarding relocating to an external, mirrored site to get back up and running. Which of the following BEST describes this plan?
Incident response
Explanation
Incident response plans focus on addressing and managing security incidents, such as breaches or cyberattacks, to minimize damage and restore normal operations as quickly as possible. They do not specifically address the relocation to an external mirrored site for business continuity purposes.
Threat hunting
Explanation
Threat hunting involves proactively searching for and identifying potential security threats within an organization’s network or systems. It is not directly related to the process of relocating to an external mirrored site for disaster recovery or business continuity purposes.
Correct answer
Disaster recovery
Explanation
Disaster recovery plans outline the procedures and strategies for recovering and restoring IT systems and data after a disaster or disruptive event. Relocating to an external mirrored site is a common component of disaster recovery plans to ensure business continuity in the event of a major incident.
Business continuity plan
Explanation
Business continuity plans focus on maintaining essential business functions and operations during and after a disaster or disruptive event. The plan includes strategies for ensuring the organization can continue operating, which may involve relocating to an external mirrored site as part of the continuity strategy, but the focus of the question is on a disaster recovery site.
Domain
5.0 Security Program Management and Oversight
Question 18 (Skipped)
A penetration tester discovers login credentials in a file named "KeepSecret.txt" on a user’s desktop. After using the credentials to access the user’s Google account, the tester logs out all existing devices and receives the OTP on their own mobile device. Which of the following authentication methods is being described?
Something you are
Explanation
"Something you are" authentication methods typically involve biometric factors such as fingerprint or facial recognition. In this scenario, the authentication method used involves a physical object (mobile device) rather than a biometric factor.
Correct answer
Something you have
Explanation
"Something you have" authentication methods involve physical objects such as smart cards, tokens, or mobile devices. In this case, the penetration tester used the OTP received on their own mobile device as part of the authentication process.
Somewhere you are
Explanation
"Somewhere you are" authentication methods typically involve geolocation or IP address verification to determine the user’s physical location. The scenario described does not involve any location-based authentication factors.
Something you know
Explanation
"Something you know" authentication methods involve knowledge-based factors such as passwords or PINs. While the penetration tester did initially use login credentials found in a file, the additional step of receiving an OTP on their own mobile device shifts the authentication method to "Something you have" since a phone is required to use the OTP.
Domain
4.0 Security Operations
Question 19 (Skipped)
A user has signed up for a new web hosting service, and when creating a password for the first time, the service requested it contain at least two special characters and two lowercase characters. Which of the following BEST describes this password requirement?
Length
Explanation
This password requirement does not specifically mention the length of the password, but rather focuses on the complexity of the characters included in the password, such as special characters and lowercase letters.
Age
Explanation
The password requirement does not relate to the age of the user or any time-related factor, but rather emphasizes the complexity of the password to enhance security.
Password manager
Explanation
While a password manager can help users create and store complex passwords securely, the requirement for two special characters and two lowercase characters in the password does not directly relate to the use of a password manager.
Correct answer
Complexity
Explanation
The password requirement of including at least two special characters and two lowercase characters emphasizes the complexity of the password, making it more secure against potential attacks. This requirement aligns with the concept of password complexity in enhancing security measures.
Domain
4.0 Security Operations
Question 20 (Skipped)
A Red Hat Linux Systems Administrator is using ephemeral, just-in-time permissions to log into a password vault. Which of the following BEST describes this process?
Correct answer
Privileged access management
Explanation
Privileged access management involves controlling and monitoring access to sensitive systems and data by granting temporary, just-in-time permissions to users. This process ensures that users have the necessary access only when needed, reducing the risk of unauthorized access and potential security breaches.
Single sign-on
Explanation
Single sign-on (SSO) is a method that allows users to access multiple applications with a single set of login credentials. While SSO simplifies the login process, it is not directly related to the concept of ephemeral, just-in-time permissions for accessing a password vault.
OAuth
Explanation
OAuth is an open standard for access delegation that is commonly used for authorization between services. While OAuth can be used for granting permissions and access control, it is not specifically designed for managing temporary, just-in-time permissions for accessing a password vault.
XDR
Explanation
XDR (Extended Detection and Response) is a security technology that integrates and correlates data from multiple security products to provide enhanced threat detection and response capabilities. While XDR is important for overall security posture, it is not directly related to the process of using ephemeral, just-in-time permissions to access a password vault.
Domain
4.0 Security Operations
Question 21 (Skipped)
A digital forensics investigator is using the Tor network for anonymity purposes. The investigator found sensitive information and is obligated to not tamper with it and to keep it safe until a hearing is commenced. Which of the following BEST describes the network used and the obligation required? (Choose two.)
Responsible disclosure program
Explanation
A responsible disclosure program is a process through which individuals can report vulnerabilities or security issues they have discovered in a responsible and coordinated manner to the organization or vendor responsible for the software or system. It is not directly related to using the Tor network for anonymity or the obligation to keep sensitive information safe.
Correct selection
Dark web
Explanation
The Dark web is a part of the internet that is not indexed by traditional search engines and is often used for illicit activities. Using the Tor network for anonymity purposes is commonly associated with accessing the Dark web. The obligation to keep sensitive information safe until a hearing is commenced aligns with the need for security and confidentiality often associated with the Dark web.
OSINT
Explanation
OSINT (Open Source Intelligence) refers to the collection and analysis of information from publicly available sources to gather intelligence. While the investigator may use OSINT techniques to gather information, it is not directly related to the use of the Tor network for anonymity or the obligation to keep sensitive data safe.
E-discovery
Explanation
E-discovery refers to the process of identifying, collecting, and producing electronically stored information (ESI) for legal purposes. While the investigator may need to preserve and present digital evidence in a legal setting, it is not directly related to using the Tor network for anonymity or the obligation to keep sensitive data safe.
Correct selection
Legal hold
Explanation
A legal hold (litigation hold) is the obligation to preserve all potentially relevant information, unaltered, once litigation or a hearing is reasonably anticipated; it overrides normal retention and deletion schedules. The investigator's duty not to tamper with the sensitive information and to keep it safe until the hearing is exactly this obligation.
Chain of custody
Explanation
Chain of custody is the documented, chronological record of who collected, handled, transferred, analyzed and stored a piece of evidence, and when. It is how an investigator later proves the evidence was not tampered with, so it supports the obligation described, but it is the documentation process rather than the preservation obligation itself, and it says nothing about the network used. Legal hold is the better match for the second selection.
Domain
4.0 Security Operations
Question 22Skipped
An organization wants to implement additional authentication factors as the number of break-ins has drastically increased. The organization is currently using the following authentication:
Users authenticate with a fingerprint and iris scanner
Users use tokens to open doors
Users use GPS to determine the location
Which of the following would provide an additional authentication factor?
Something you are
Explanation
"Something you are" refers to biometric authentication methods such as fingerprint and iris scanners. Since the organization already uses these methods, adding another biometric factor would not provide an additional authentication factor.
Something you have
Explanation
"Something you have" refers to physical tokens or devices used for authentication, such as the tokens used to open doors in the organization. Since this method is already in use, adding another physical token would not provide an additional authentication factor.
Somewhere you are
Explanation
"Somewhere you are" refers to location-based authentication methods such as GPS. Since the organization already uses GPS to determine location as part of the authentication process, adding another location-based factor would not provide an additional authentication factor.
Correct answer
Something you know
Explanation
"Something you know" refers to knowledge-based authentication methods such as passwords or PINs. Since the organization currently does not use this type of authentication factor, adding a knowledge-based factor such as a password would provide an additional layer of security and authentication.
Domain
4.0 Security Operations
Question 23Skipped
An application development team is focused on quickly deploying an application into production. They execute the application to observe its behavior in a controlled test environment. Which of the following BEST describes this type of environment?
Correct answer
Sandboxing
Explanation
Sandboxing is the correct choice as it refers to isolating an application or process in a controlled environment for testing or development purposes. It allows the team to observe how the application behaves without affecting the production environment.
SDLC
Explanation
SDLC (Software Development Life Cycle) is not the best description for the scenario provided. SDLC refers to the process of planning, creating, testing, and deploying software applications, while the question specifically mentions testing the application in a controlled environment.
Tabletop
Explanation
Tabletop exercises are used for scenario-based discussions and planning for potential security incidents or disaster recovery situations. It is not directly related to testing applications in a controlled environment like sandboxing.
Simulation
Explanation
Simulation involves creating a model or representation of a system or process to analyze its behavior or performance. While testing an application in a controlled environment may involve some simulation, the term "sandboxing" more accurately describes the specific scenario mentioned in the question.
Domain
4.0 Security Operations
Question 24Skipped
A well-known APT group has gained media attention as an emerging threat to organizations handling medical data. In response, cybersecurity companies aim to identify active network threats manually rather than relying exclusively on automated systems. Which of the following techniques is being described?
Packet capture
Explanation
Packet capture involves capturing and analyzing network traffic to inspect packets for suspicious activity. While it can be a useful tool in network security monitoring, it is not specifically related to manually identifying active network threats as described in the question.
Correct answer
Threat hunting
Explanation
Threat hunting is the process of proactively searching for and identifying potential security threats within an organization’s network. This technique involves manual investigation and analysis to uncover hidden threats that may not be detected by automated systems. In the context of the question, cybersecurity companies are opting to perform threat hunting to identify active network threats posed by the APT group.
Antivirus signatures
Explanation
Antivirus signatures refer to the patterns or definitions used by antivirus software to detect and block known malware and threats. While antivirus software plays a crucial role in automated threat detection and prevention, it is not the technique being described in the question, which specifically mentions manual identification of active network threats.
Web application firewall
Explanation
Web application firewall (WAF) is a security solution designed to protect web applications from various online threats such as SQL injection, cross-site scripting, and other attacks. While WAFs are important for securing web applications, they are not directly related to the manual identification of active network threats as described in the question.
Domain
4.0 Security Operations
Question 25Skipped
The CISO of a well-known cybersecurity company in Florida has identified that natural disasters such as hurricanes occur multiple times annually. Which of the following BEST describes this type of risk?
Avoidance
Explanation
Avoidance refers to the strategy of completely avoiding the risk by not engaging in the activities that could lead to the risk. In this scenario, the cybersecurity company in Florida cannot completely avoid the risk of natural disasters like hurricanes occurring multiple times annually.
Mitigation
Explanation
Mitigation means applying controls that reduce the likelihood or impact of a risk, such as hardened facilities, backup power or a tested disaster recovery plan. The scenario describes no such control; it describes the CISO recognizing a recurring hazard that cannot be prevented, which is a risk being accepted rather than mitigated.
Correct answer
Acceptance
Explanation
Acceptance means acknowledging a risk and tolerating it without further action, typically because it cannot be avoided or the cost of treating it outweighs the benefit. Hurricanes in Florida cannot be prevented; the CISO's recognition that they will occur several times a year is the acceptance of an inherent environmental risk, which is what the question is asking for. In practice acceptance of the hazard is combined with mitigation (business continuity and disaster recovery planning) and transference (insurance), but the question is about how the risk itself is classified.
Transference
Explanation
Transference involves shifting the risk to another party, typically through insurance or outsourcing. While the company may have insurance coverage for natural disasters, simply transferring the risk does not fully address the ongoing nature of the risk of hurricanes in Florida.
Domain
5.0 Security Program Management and Oversight
Question 26Skipped
A systems administrator configures user account permissions in Group Policy and only assigns users the permissions needed to perform their jobs. Which of the following processes is the administrator following?
Due care
Explanation
Due care refers to the responsibility of an organization to take reasonable steps to protect the confidentiality, integrity, and availability of its information assets. While configuring user account permissions in Group Policy is a part of due care, it does not specifically relate to assigning users the least amount of privileges needed to perform their jobs.
Correct answer
Least privilege
Explanation
The administrator is following the principle of least privilege by only assigning users the permissions needed to perform their jobs. This principle ensures that users have the minimum level of access required to complete their tasks, reducing the risk of unauthorized access and potential security breaches.
Due diligence
Explanation
Due diligence involves conducting thorough research and investigation before making decisions or taking actions. While configuring user account permissions in Group Policy may require some level of due diligence to ensure the correct permissions are assigned, it is not the primary process being followed in this scenario.
Right-to-audit clause
Explanation
A right-to-audit clause is a contractual provision that grants one party the right to audit the activities of another party to ensure compliance with the terms of the agreement. While auditing user account permissions may be a part of this clause, it is not the process being followed by the administrator in this scenario.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 27Skipped
A security analyst wants to implement a method of authenticating users to a network before allowing them access to any resources. Which of the following would BEST meet this requirement?
Correct answer
NAC
Explanation
Network Access Control (NAC) is a security solution that enforces security policies on devices seeking to access a network. It authenticates users and their devices before granting access to network resources, making it the best choice for implementing user authentication before accessing any resources.
EDR
Explanation
Endpoint Detection and Response (EDR) is a security solution focused on detecting and responding to security incidents on endpoints. While important for endpoint security, EDR does not directly address user authentication for network access.
XDR
Explanation
Extended Detection and Response (XDR) is a security solution that correlates security data across multiple security layers, such as endpoint, network, and cloud environments. While XDR enhances threat detection and response capabilities, it does not specifically address user authentication for network access.
Adaptive identity
Explanation
Adaptive Identity solutions focus on providing flexible and context-aware authentication methods based on user behavior and risk factors. While adaptive identity solutions enhance authentication security, they may not directly address the requirement of authenticating users to a network before accessing resources.
Domain
4.0 Security Operations
Question 28Skipped
When a user runs an application downloaded from the Internet, they receive a User Account Control (UAC) prompt indicating it has been signed by an official corporation. Which of the following BEST describes this type of signature?
Secure cookies
Explanation
Secure cookies are used to store user-specific information securely in a web browser. They are not related to the process of signing an application for security purposes.
Sandboxing
Explanation
Sandboxing is a security mechanism that isolates applications from each other and the operating system to prevent malicious actions. While sandboxing is important for security, it is not directly related to the process of signing an application.
Input validation
Explanation
Input validation is a security practice that ensures user input is safe and meets certain criteria to prevent attacks like SQL injection or cross-site scripting. It is not related to the process of signing an application for security purposes.
Correct answer
Code signing
Explanation
Code signing is the digital signing of software so that its origin and integrity can be verified: the publisher signs a hash of the executable with its private key, and the operating system checks the signature against the certificate chain before running it. On Windows this is an Authenticode signature; the UAC prompt reads the publisher name from the signing certificate and reports an unknown publisher for unsigned binaries. That is exactly what the user sees here, making code signing the best description.
Domain
4.0 Security Operations
Question 29Skipped
A company CEO describes flowcharts of the development process of an application, using terms such as "Agile", "Waterfall", and "Spiral" to explain the development approach. Which of the following BEST describes this process?
SCAP
Explanation
SCAP (Security Content Automation Protocol) is a standard that provides a way to express and share security-related information in a standardized format. It is not directly related to the development process terms such as "Agile", "Waterfall", and "Spiral" mentioned by the CEO.
Correct answer
SDLC
Explanation
SDLC (Software Development Life Cycle) is the process of planning, creating, testing, and deploying software applications. The terms "Agile", "Waterfall", and "Spiral" are all different methodologies within the SDLC framework, making this choice the most appropriate in describing the development process mentioned by the CEO.
DMARC
Explanation
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol used to prevent email spoofing and phishing attacks. It is not related to the software development process methodologies mentioned by the CEO.
MTBF
Explanation
MTBF (Mean Time Between Failures) is a metric used to measure the reliability of a system by calculating the average time between failures. It is not relevant to the terms "Agile", "Waterfall", and "Spiral" used to describe the development process by the CEO.
Domain
5.0 Security Program Management and Oversight
Question 30Skipped
A housing company seeks to implement cybersecurity insurance to reduce the impact of ransomware attacks. Which of the following BEST describes this type of risk?
Risk acceptance
Explanation
Risk acceptance refers to the decision to acknowledge the potential risks and their consequences without taking any action to mitigate or transfer them. It involves consciously deciding to bear the potential losses that may result from a ransomware attack without any additional protection measures in place.
Correct answer
Risk transference
Explanation
Risk transference involves shifting the financial burden of potential losses from a ransomware attack to a third party, such as an insurance company. By implementing cybersecurity insurance, the housing company is transferring the risk of financial losses resulting from ransomware attacks to the insurance provider.
Risk mitigation
Explanation
Risk mitigation involves taking proactive measures to reduce the likelihood or impact of a ransomware attack. This can include implementing security controls, conducting regular security assessments, and training employees on cybersecurity best practices. While important, cybersecurity insurance does not directly fall under risk mitigation.
Risk avoidance
Explanation
Risk avoidance refers to the strategy of completely eliminating the possibility of a ransomware attack by avoiding activities or situations that could lead to such an event. This could include not storing sensitive data online or not engaging in high-risk online activities. Implementing cybersecurity insurance does not align with the concept of risk avoidance.
Domain
5.0 Security Program Management and Oversight
Question 31Skipped
Please fill the blank field(s) in the statement with the right words.
A web application firewall (WAF) operates at layer __ of the OSI model.
Correct answer
7
Explanation
A web application firewall (WAF) operates at layer 7 of the OSI model, the application layer. Web application firewalls are also referred to as layer 7 firewalls.
Domain
3.0 Security Architecture
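To show what "layer 7" buys a WAF in practice, here is an added Python example (not part of the course material) that parses raw HTTP requests and runs a small signature set over the decoded path, query, form body and selected headers, then contrasts that with a layer-3/4 packet filter that can only see addresses and ports. The requests and the two regex signatures are constructed for the example; a production WAF such as one running the OWASP Core Rule Set uses far more rules and normalizations.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Deliberately small signature set (constructed for the example).
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)"),
}


def parse_http_request(raw: bytes) -> Dict:
    """Minimal HTTP/1.1 request parser: request line, headers, body (the structure a packet filter never sees)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path,
            "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
            "headers": headers, "body": body.decode("latin-1")}


def inspect(req: Dict) -> List[Tuple[str, str]]:
    """Run the signatures over every user-controlled field; returns (location, rule) findings."""
    fields = [("path", req["path"])]
    fields += [(f"query:{k}", v) for k, v in req["query"].items()]
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields += [(f"body:{k}", v) for k, v in parse_qsl(req["body"], keep_blank_values=True)]
    fields += [(f"header:{h}", req["headers"][h]) for h in ("user-agent", "referer", "cookie") if h in req["headers"]]
    findings = []
    for loc, value in fields:
        normalized = unquote_plus(unquote_plus(value))   # parse_qsl decoded once; also undo double-encoding
        for rule, rx in SIGNATURES.items():
            if rx.search(normalized):
                findings.append((loc, rule))
    return findings


def layer4_decision(dst_port: int) -> str:
    """A packet filter sees only addresses and ports: HTTPS to the web tier is simply 'allow'."""
    return "allow" if dst_port in (80, 443) else "deny"


def layer7_decision(raw: bytes) -> str:
    return "block" if inspect(parse_http_request(raw)) else "allow"


def compare(raw: bytes, dst_port: int = 443) -> Tuple[str, str]:
    """(packet-filter verdict, WAF verdict) for the same request."""
    return layer4_decision(dst_port), layer7_decision(raw)


# Constructed sample requests (not real traffic).
BENIGN = b"GET /search?q=security+plus HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI = b"GET /login?user=admin%27%20OR%20%271%27%3D%271&pw=x HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS_BODY = b"text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
XSS = (b"POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
       b"Content-Type: application/x-www-form-urlencoded\r\n"
       b"Content-Length: " + str(len(XSS_BODY)).encode() + b"\r\n\r\n" + XSS_BODY)

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("sqli", SQLI), ("xss", XSS)):
        print(name, compare(raw), inspect(parse_http_request(raw)))
```

The packet filter returns "allow" for all three requests because at layer 4 they are identical: TCP to port 443. Only after the request is decoded (and, in a real deployment, after TLS is terminated in front of the WAF) can the injection in the query string or form body be seen, which is why the WAF has to operate at layer 7.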
Question 32Skipped
A network administrator is configuring a router and wants to gather real-time statistics on the device. The admin also wants to receive alerts when the CPU usage rises above a certain threshold. Which of the following would BEST meet these requirements?
IDS
Explanation
An IDS (Intrusion Detection System) is used to monitor network traffic for suspicious activity and potential security threats. While it can provide some statistics on network activity, it is not designed to gather real-time statistics on device performance like CPU usage or send alerts based on CPU thresholds.
NetFlow
Explanation
NetFlow is a network protocol used for collecting IP traffic information and monitoring network traffic flow. While it can provide insights into network traffic patterns, it is not specifically designed to gather real-time statistics on device performance like CPU usage or send alerts based on CPU thresholds.
Correct answer
SNMP trap
Explanation
An SNMP trap (Simple Network Management Protocol trap) is an unsolicited notification that the SNMP agent on a device sends to the management station (UDP port 162) when a defined event occurs, such as CPU utilization crossing a configured threshold. The same SNMP deployment lets the management station poll the agent (GET/GETNEXT) for real-time statistics, so SNMP covers both requirements; the trap is the part that delivers the alert, which makes it the best answer.
SIEM
Explanation
SIEM (Security Information and Event Management) is a system that provides real-time analysis of security alerts generated by applications and network hardware. While it can provide alerts for security-related events, it is not specifically designed to gather real-time statistics on device performance like CPU usage or send alerts based on CPU thresholds.
Domain
4.0 Security Operations
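To show what a trap actually is on the wire, here is an added Python example (not part of the course material) that BER-encodes an SNMPv2c Trap message by hand and wraps it in a threshold rule with hysteresis, so a router-style agent raises one trap when CPU crosses the limit and one clear trap when it drops back. The sysUpTime and snmpTrapOID varbinds are the mandatory ones from RFC 3416; the CPU utilization and trap OIDs under enterprise 99999 are hypothetical placeholders, and the CPU readings are constructed for the demo.

```python
import socket
from typing import List, Optional, Tuple

# ASN.1/BER tags used by SNMP messages (RFC 3416 PDU syntax, RFC 2578 types)
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_TIMETICKS = 0x43            # [APPLICATION 3]
TAG_SNMPV2_TRAP_PDU = 0xA7      # [CONTEXT 7] SNMPv2-Trap-PDU

SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"        # sysUpTime.0, mandatory first varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"     # snmpTrapOID.0, mandatory second varbind
# Hypothetical enterprise OIDs for this example; a real agent uses the vendor's MIB (assumption).
CPU_UTIL_OID = "1.3.6.1.4.1.99999.1.1.0"
HIGH_CPU_TRAP_OID = "1.3.6.1.4.1.99999.2.1"
CPU_CLEAR_TRAP_OID = "1.3.6.1.4.1.99999.2.2"


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def encode_integer(tag: int, v: int) -> bytes:
    """Minimal two's-complement encoding (BER rule); also used for TimeTicks with its application tag."""
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(tag, v.to_bytes(n, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def varbind(oid: str, value: bytes) -> bytes:
    return tlv(TAG_SEQUENCE, encode_oid(oid) + value)


def build_v2c_trap(community: str, request_id: int, uptime_ticks: int, trap_oid: str,
                   extra: List[Tuple[str, bytes]]) -> bytes:
    """SNMPv2c Trap: SEQUENCE { version INTEGER(1), community OCTET STRING, SNMPv2-Trap-PDU }."""
    vbl = varbind(SYS_UPTIME_OID, encode_integer(TAG_TIMETICKS, uptime_ticks))
    vbl += varbind(SNMP_TRAP_OID, encode_oid(trap_oid))
    for oid, val in extra:
        vbl += varbind(oid, val)
    pdu = (encode_integer(TAG_INTEGER, request_id)
           + encode_integer(TAG_INTEGER, 0)      # error-status
           + encode_integer(TAG_INTEGER, 0)      # error-index
           + tlv(TAG_SEQUENCE, vbl))             # variable-bindings
    return tlv(TAG_SEQUENCE, encode_integer(TAG_INTEGER, 1)
               + tlv(TAG_OCTET_STRING, community.encode())
               + tlv(TAG_SNMPV2_TRAP_PDU, pdu))


class CpuThresholdWatcher:
    """Agent-side alerting rule with hysteresis: one trap when CPU crosses the threshold,
    one clear trap when it falls back to (threshold - hysteresis), and nothing in between."""

    def __init__(self, threshold: int, hysteresis: int = 10, community: str = "public"):
        self.threshold, self.hysteresis, self.community = threshold, hysteresis, community
        self.alarmed, self.request_id = False, 0

    def observe(self, cpu_percent: int, uptime_ticks: int) -> Optional[bytes]:
        self.request_id += 1
        cpu_vb = [(CPU_UTIL_OID, encode_integer(TAG_INTEGER, cpu_percent))]
        if not self.alarmed and cpu_percent >= self.threshold:
            self.alarmed = True
            return build_v2c_trap(self.community, self.request_id, uptime_ticks, HIGH_CPU_TRAP_OID, cpu_vb)
        if self.alarmed and cpu_percent <= self.threshold - self.hysteresis:
            self.alarmed = False
            return build_v2c_trap(self.community, self.request_id, uptime_ticks, CPU_CLEAR_TRAP_OID, cpu_vb)
        return None


def send_trap(message: bytes, manager: str, port: int = 162) -> None:
    """A trap is one UDP datagram to the manager's port 162 (not called in the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (manager, port))


def run_samples(samples: List[int], threshold: int = 80) -> List[bytes]:
    """Feed constructed CPU readings through the watcher; returns the traps that would have been sent."""
    watcher = CpuThresholdWatcher(threshold)
    traps = []
    for i, cpu in enumerate(samples):
        trap = watcher.observe(cpu, uptime_ticks=100 * i)
        if trap is not None:
            traps.append(trap)
    return traps


if __name__ == "__main__":
    for t in run_samples([50, 85, 90, 82, 70]):  # constructed readings: raise at 85, clear at 70
        print(t.hex())
```

The hysteresis is the detail worth copying: a watcher that fires on every poll above the threshold floods the management station, while the raise/clear pair gives the operator one actionable alert per incident. Community strings travel in cleartext; on a real router prefer SNMPv3 with authentication and privacy, and restrict trap sources on the receiver.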
Question 33Skipped
A penetration tester is sending data over a network using TLS. Upon performing a simple packet capture using Wireshark, the tester notices that all data is encrypted with AES-256 encryption. Which of the following BEST describes this data?
Correct answer
In transit
Explanation
The capture shows TLS records crossing the network, and the cipher suite negotiated in the handshake (for example TLS_AES_256_GCM_SHA384) tells the tester that the application data is protected with AES-256. Data being moved between two endpoints over a network is, by definition, data in transit; TLS is the control that protects it in that state, which makes this the correct answer.
At rest
Explanation
Data at rest is data stored on disk, in a database or in a backup. AES-256 is the usual choice for that state too (full-disk encryption and database encryption products use it), so the algorithm does not distinguish the two states. What does is that the tester captured the data on the wire while it was being transmitted, which is in transit, not at rest.
WPA3
Explanation
WPA3 is a security protocol used for securing Wi-Fi networks and is not directly related to the encryption of data being transmitted over a network using TLS. While WPA3 may provide encryption for wireless communication, it is not the best description for data that is encrypted with AES-256 during transmission.
In use
Explanation
In-use typically refers to data that is actively being accessed or processed by applications or users. AES-256 encryption of data during transmission does not specifically relate to data that is currently being used or accessed, making this choice incorrect in the context of the encryption scenario described in the question.
Domain
3.0 Security Architecture
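To make concrete what the tester can and cannot learn from the Wireshark capture, here is an added Python example (not part of the course material) that parses a constructed TLS byte stream: the ServerHello in the handshake is plaintext and reveals the negotiated cipher suite, while the application-data records are opaque ciphertext. The sample bytes and the subset of the IANA cipher-suite table are constructed for the example.

```python
import struct
from typing import Iterator, Optional, Tuple

# Subset of the IANA TLS cipher-suite registry (codes are the registered values).
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

RECORD_HANDSHAKE = 0x16
RECORD_APPLICATION_DATA = 0x17
HANDSHAKE_SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B


def build_server_hello(cipher_suite: int, random_bytes: bytes, session_id: bytes) -> bytes:
    """Constructed sample: one TLS record carrying a ServerHello that selects TLS 1.3 and the given suite."""
    ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, 2) + b"\x03\x04"
    body = (b"\x03\x03" + random_bytes + bytes([len(session_id)]) + session_id
            + struct.pack(">H", cipher_suite) + b"\x00"            # suite, compression = null
            + struct.pack(">H", len(ext)) + ext)
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE, 0x03, 0x03]) + struct.pack(">H", len(handshake)) + handshake


def iter_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Split a TCP byte stream into (content_type, payload) TLS records; the 5-byte header is never encrypted."""
    off = 0
    while off + 5 <= len(stream):
        ctype = stream[off]
        length = struct.unpack(">H", stream[off + 3:off + 5])[0]
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record")
        yield ctype, payload
        off += 5 + length


def parse_server_hello(payload: bytes) -> Optional[dict]:
    """Walk the ServerHello fields to the chosen cipher suite and the supported_versions extension."""
    if payload[0] != HANDSHAKE_SERVER_HELLO:
        return None
    body_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + body_len]
    off = 2 + 32                                  # legacy_version + random
    sid_len = body[off]
    off += 1 + sid_len
    suite = struct.unpack(">H", body[off:off + 2])[0]
    off += 2 + 1                                  # cipher suite + compression method
    version = "TLS 1.2 (or lower)"
    if off + 2 <= len(body):
        ext_len = struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack(">HH", body[off:off + 4])
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype == EXT_SUPPORTED_VERSIONS and edata == b"\x03\x04":
                version = "TLS 1.3"
    return {"version": version, "cipher_suite": CIPHER_SUITES.get(suite, f"unknown (0x{suite:04x})")}


def summarize_capture(stream: bytes) -> dict:
    """What the analyst learns: negotiated version and suite, and how many application bytes stay opaque."""
    summary = {"cipher_suite": None, "version": None, "opaque_app_bytes": 0}
    for ctype, payload in iter_records(stream):
        if ctype == RECORD_HANDSHAKE:
            hello = parse_server_hello(payload)
            if hello:
                summary.update(hello)
        elif ctype == RECORD_APPLICATION_DATA:
            summary["opaque_app_bytes"] += len(payload)   # ciphertext: no fields to parse
    return summary


# Constructed sample capture: ServerHello selecting AES-256-GCM, then one encrypted application-data record.
SAMPLE_STREAM = (
    build_server_hello(0x1302, bytes(range(32)), b"\xaa" * 8)
    + bytes([RECORD_APPLICATION_DATA, 0x03, 0x03]) + struct.pack(">H", 40) + b"\x5c" * 40
)

if __name__ == "__main__":
    print(summarize_capture(SAMPLE_STREAM))
```

This is also why "AES-256" alone does not tell you the state of the data: the same algorithm protects a BitLocker volume at rest. The capture location (on the wire, between two hosts) is what makes it data in transit.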
Question 34Skipped
A recent malware infestation has resulted in temporary downtime for an organization. The network administrator calls the incident response team to handle the issue. Which of the following BEST describes this phase?
Recovery
Explanation
The Recovery phase typically involves restoring systems and services to normal operation after an incident has been resolved. It focuses on recovering data, applications, and infrastructure to minimize the impact of the incident and ensure business continuity.
Correct answer
Containment
Explanation
The Containment phase is the immediate response to an incident to prevent it from spreading further within the organization’s network. It involves isolating affected systems, limiting access, and stopping the malware from causing additional damage.
Preparation
Explanation
The Preparation phase involves proactively planning and preparing for potential security incidents before they occur. This includes developing incident response plans, conducting training and drills, and implementing security controls to mitigate risks.
Identification
Explanation
The Identification phase is the initial stage of incident response where the incident is detected and identified. It involves recognizing the signs of a security breach, investigating the scope and impact of the incident, and determining the source of the malware infestation.
Domain
4.0 Security Operations
Question 35Skipped
A company plans to introduce a new policy allowing employees to bring their own devices to work. Which of the following BEST describe the risks associated with BYOD? (Choose three).
Correct selection
Malicious code
Explanation
Malicious code is a significant risk associated with BYOD as personal devices may introduce malware, viruses, or other malicious software into the company’s network, potentially compromising sensitive data and systems.
Agentless system
Explanation
Agentless systems are not directly related to the risks associated with BYOD. The focus is on the potential security vulnerabilities and threats that personal devices may introduce to the corporate network.
Correct selection
End-of-life devices
Explanation
End-of-life devices pose a risk in a BYOD environment as older devices may no longer receive security updates or patches, making them more vulnerable to security breaches and attacks.
In the clear credentials
Explanation
In the clear credentials refer to the transmission of sensitive information in an unencrypted format, which can be intercepted by malicious actors. While this is a security concern, it is not specifically related to the risks associated with BYOD.
Correct selection
Vulnerable software
Explanation
Vulnerable software on personal devices can create security vulnerabilities that can be exploited by attackers to gain unauthorized access to the company’s network or sensitive data. Ensuring that all software on BYOD devices is up-to-date and secure is crucial in mitigating this risk.
Side loading
Explanation
Side loading, the practice of installing applications from unofficial sources, can introduce malware and other security risks to personal devices. While this is a concern for device security, it is not directly related to the risks associated with BYOD in a corporate environment. The organization would typically use a mobile device management (MDM) system to ensure only authorized apps are allowed on the mobile device.
Domain
4.0 Security Operations
Question 36Skipped
A user is about to enter their login information for the PayPal website and notices a set of numbers in the URL, indicating a temporary substitution of login information. Which of the following BEST describes this temporary substitution?
Masking
Explanation
Masking typically involves hiding sensitive information by replacing it with other characters or symbols. It is commonly used to protect data from unauthorized access, but it does not involve the temporary substitution of login information in a URL like the scenario described in the question.
Correct answer
Tokenization
Explanation
Tokenization replaces a sensitive value with a surrogate (token) that has no mathematical relationship to the original; the mapping between token and value is held in a separate, protected token vault, and only the token is passed around. In the scenario, the string of numbers in the URL stands in for the actual login data for the duration of the session, which is the temporary substitution the question describes, making tokenization the best answer.
Obfuscation
Explanation
Obfuscation involves making data difficult to understand or interpret, often to protect it from unauthorized access. While obfuscation can be used to enhance security, it does not specifically refer to the temporary substitution of login information in a URL as described in the question.
Encryption
Explanation
Encryption is the process of converting data into a coded form to prevent unauthorized access. While encryption is commonly used to secure sensitive information, it does not directly relate to the temporary substitution of login information with a set of numbers in a URL as described in the scenario.
Domain
1.0 General Security Concepts
Question 37Skipped
A penetration tester creates a document outlining details such as the scope of permitted attacks, the CIDR network range to be tested, and contact information in case of issues. Which of the following BEST describes this document?
Correct answer
Rules of engagement
Explanation
Rules of engagement is the correct choice because this document outlines the rules, scope, and limitations of the penetration testing engagement. It specifies what the penetration tester is allowed to do, the network range to be tested, and contact information for reporting issues, ensuring that the testing is conducted within agreed-upon boundaries.
Statement of work
Explanation
Statement of Work typically outlines the project objectives, deliverables, timeline, and costs of a specific project. While it may include details about the scope of work, it does not specifically address the rules and limitations of a penetration testing engagement like the Rules of Engagement document does.
Non-disclosure agreement
Explanation
Non-disclosure Agreement (NDA) is a legal document that protects confidential information shared between parties. While an NDA may be required for a penetration testing engagement to protect sensitive data, it does not describe the scope of permitted attacks or network range to be tested like the Rules of Engagement document does.
Service-level agreement
Explanation
Service-level Agreement (SLA) is a contract that defines the level of service expected from a service provider. It typically includes details such as uptime guarantees, response times, and performance metrics, but it does not outline the rules and scope of a penetration testing engagement like the Rules of Engagement document does.
Domain
5.0 Security Program Management and Oversight
Question 38Skipped
An organization is using biometrics as the only authentication factor for its users. Which of the following BEST describes this authentication? (Choose three).
Somewhere you are
Explanation
"Somewhere you are" does not accurately describe the use of biometrics as the single authentication factor. This phrase typically refers to location-based authentication methods, not biometric authentication.
Correct selection
Single-factor
Explanation
Selecting "Single-factor" is the correct choice when biometrics are the only authentication method used. In this scenario, users rely solely on their biometric data for authentication purposes.
Multi-factor (MFA)
Explanation
"Multi-factor (MFA)" is not applicable in this context as using biometrics alone does not constitute multi-factor authentication, which requires the use of at least two different authentication factors.
Federation
Explanation
"Federation" is not a relevant description for the use of biometrics as the sole authentication factor. Federation involves linking user identities across multiple systems or organizations, which is not directly related to biometric authentication.
Correct selection
Retina
Explanation
Choosing "Retina" is a valid option as it represents a specific type of biometric authentication that uses unique patterns in the blood vessels of the retina to verify a user’s identity.
Correct selection
Something you are
Explanation
Opting for "Something you are" accurately characterizes biometric authentication, as it involves verifying a user’s identity based on unique physical characteristics like fingerprints, retina patterns, or facial features.
Domain
4.0 Security Operations
Question 39Skipped
Please fill the blank field(s) in the statement with the right words.
CSR refers to a certificate signing __
Correct answer
request
Explanation
A CSR (Certificate Signing Request) is the message an applicant sends to a certificate authority (CA) to request a digital certificate. It contains the applicant's public key and identifying information (the subject) and is signed with the applicant's private key, which proves to the CA that the applicant holds the key matching the public key being certified.
Domain
1.0 General Security Concepts
Question 40Skipped
An unauthorized hacker installed specialized malware on a company’s system. An analyst observes the code in a sandbox environment to test its capabilities and notices that the code is scrambled, making it difficult to understand what functions the code is performing. Which of the following techniques is being described?
Tokenization
Explanation
Tokenization is a process of replacing sensitive data with unique identifiers called tokens. It is not related to scrambling code to make it unreadable, as described in the scenario.
Hashing
Explanation
Hashing is a process of converting input data into a fixed-size string of characters, typically for data integrity verification. It is not related to scrambling code to make it unreadable, as described in the scenario.
Encryption
Explanation
Encryption is a process of converting plaintext data into ciphertext using algorithms and keys. While encryption can make data unreadable, it is not the technique described in the scenario where the code is scrambled to obfuscate its functions.
Correct answer
Obfuscation
Explanation
Obfuscation is the deliberate scrambling of code to make it hard to read or reverse-engineer: renaming variables and functions to meaningless names, encoding strings, inserting junk instructions, or packing the binary so the real code is only unpacked at run time. Legitimate vendors use it to protect intellectual property; malware authors use the same techniques to slow down analysts and evade signature-based detection, which is what the analyst is seeing in the sandbox.
Domain
3.0 Security Architecture
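Questions 36 and 40 both turn on telling tokenization, masking, hashing and obfuscation apart, so here is one added Python example (not part of the course material) that applies each to the same value and records whether, and with what, it can be reversed. The token vault, the sample card number 4111111111111111 (a standard test number) and the XOR key are constructed for the example; the string-XOR obfuscation is the same trick malware uses to hide its strings from an analyst, which is the point of question 40. Encryption is left out because it needs a proper cipher library; the difference from obfuscation is that encryption's reversibility depends on a managed secret key rather than on the script itself.

```python
import base64
import hashlib
import secrets
from typing import Dict


class TokenVault:
    """Tokenization: the sensitive value is replaced by a random surrogate with no mathematical relation to it.
    Only the vault (kept in the protected zone) can map token -> value; the token itself is safe to put in a URL."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str, digits: int = 16) -> str:
        if value in self._by_value:                      # same value -> same token, so lookups still work
            return self._by_value[value]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(digits))
            if token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]                     # KeyError for an unknown token: nothing to recover


def mask(value: str, visible_last: int = 4, char: str = "*") -> str:
    """Masking: irreversible partial hiding for display (last four digits of a card number)."""
    return char * max(0, len(value) - visible_last) + value[-visible_last:]


def hash_value(value: str, salt: bytes) -> str:
    """Hashing: one-way, fixed-length digest; salted so the same value hashed elsewhere differs."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def obfuscate(value: str, key: bytes = b"k3y") -> str:
    """Obfuscation: XOR with a key that ships inside the program, then base64. Anyone holding the code
    can undo it, so it hides from a glance but is not a security control."""
    data = value.encode()
    return base64.b64encode(bytes(b ^ key[i % len(key)] for i, b in enumerate(data))).decode()


def deobfuscate(blob: str, key: bytes = b"k3y") -> str:
    raw = base64.b64decode(blob)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw)).decode()


def transform_all(value: str, vault: TokenVault, salt: bytes) -> Dict[str, Dict[str, object]]:
    """Apply each technique to one value and record whether, and with what, it can be reversed."""
    return {
        "tokenization": {"output": vault.tokenize(value), "reversible": True, "needs": "vault lookup"},
        "masking": {"output": mask(value), "reversible": False, "needs": None},
        "hashing": {"output": hash_value(value, salt), "reversible": False, "needs": None},
        "obfuscation": {"output": obfuscate(value), "reversible": True, "needs": "the script itself (no secret)"},
    }


if __name__ == "__main__":
    vault = TokenVault()
    for name, r in transform_all("4111111111111111", vault, salt=b"demo-salt").items():  # constructed sample PAN
        print(f"{name:13} {r['output']}  reversible={r['reversible']}  needs={r['needs']}")
```

The table the script prints is the exam distinction in one screen: a token is reversible only through the vault, a mask and a hash are not reversible at all, and obfuscation is reversible by anyone who reads the code.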
Question 41Skipped
A computer technician quickly provisions a batch of virtual machines using automation systems. The technician is concerned that one of the VMs may be unpatched and takes a point-in-time copy of the system. Which of the following technologies is being described?
Correct answer
Snapshot
Explanation
A snapshot is a point-in-time copy of a virtual machine that captures the VM’s state, including its disk, memory, and settings. It allows the technician to revert the VM to that specific state if needed, making it a suitable technology for capturing an unpatched VM for later analysis or comparison.
Virtualization resource reuse
Explanation
Virtualization resource reuse refers to the practice of efficiently utilizing virtual machine resources to maximize performance and minimize waste. It is not directly related to taking a point-in-time copy of an unpatched VM for analysis or comparison.
Offline backup
Explanation
Offline backup involves creating a backup of a system while it is offline or not actively running. While offline backups can be used to capture a system’s state, they are not typically used for rapidly provisioning and capturing point-in-time copies of virtual machines like snapshots.
Virtual machine escape
Explanation
Virtual machine escape refers to a security vulnerability where a malicious actor gains unauthorized access to the host system from within a virtual machine. It is not related to the process of taking a point-in-time copy of a virtual machine for analysis or comparison purposes.
Domain
3.0 Security Architecture
Question 42Skipped
A company CISO has configured the network to allow all traffic in the event of a system failure to maintain uptime for its customers. Which of the following BEST describes this configuration?
Fail-closed
Explanation
Fail-closed configuration typically refers to a security mechanism that blocks all traffic when a system failure occurs to prevent unauthorized access or potential security breaches. Allowing all traffic in the event of a system failure would not align with a fail-closed configuration.
Jump server
Explanation
A jump server is a secure intermediary server that allows access to other servers in a network. It is not directly related to the scenario described in the question where all traffic is allowed in the event of a system failure.
Correct answer
Fail-open
Explanation
Fail-open means that when the control fails, traffic is allowed through so the service stays up. This configuration prioritizes availability over security: it is a deliberate trade-off that can be acceptable for some in-line components, but it means a failed (or deliberately crashed) firewall or IPS stops enforcing policy, so the failure itself must be monitored and alerted on.
UPS
Explanation
A UPS (Uninterruptible Power Supply) is a device that provides emergency power to a load when the input power source fails. While a UPS can help maintain uptime during power outages, it is not directly related to the network configuration described in the question.
Domain
3.0 Security Architecture
Question 43Skipped
A computer technician is configuring a firewall to allow certain traffic as follows:

Which of the following BEST describes this access control type?
Mandatory
Explanation
Mandatory Access Control (MAC) is a security model that restricts access based on predefined security policies set by the system administrator. It enforces access control based on labels assigned to subjects and objects, rather than rules defined by the administrator. This choice does not align with the scenario described in the question where the firewall is configured to deny certain traffic based on rules.
Correct answer
Rule-based
Explanation
Rule-based access control is a type of access control that enforces access restrictions based on rules defined by the system administrator. In the context of firewall configuration, rule-based access control involves setting up rules to allow or deny specific types of traffic based on criteria such as source IP address, destination IP address, port number, and protocol. This choice accurately describes the scenario where the technician is configuring the firewall to deny certain traffic based on rules.
Discretionary
Explanation
Discretionary Access Control (DAC) is a security model where the owner of an object has the discretion to control access to that object. It allows the owner to determine who can access the object and what level of access they have. This choice does not apply to the scenario described in the question, where the focus is on configuring a firewall to deny certain traffic based on specific rules.
Role-based
Explanation
Role-based access control is a security model that assigns permissions to users based on their roles within an organization. Users are granted access based on their roles, rather than individual identities. While role-based access control is a valuable security measure in an organization’s overall access control strategy, it is not directly related to the scenario of configuring a firewall to deny certain traffic based on rules.
Domain
4.0 Security Operations
Question 44Skipped
An organization is implementing a new set of automation and orchestration tools to streamline repetitive processes. Which of the following describes some of the limitations of automation? (Choose three).
Workforce multiplier
Explanation
A workforce multiplier is a benefit of automation, not a limitation. It refers to the ability of automation to increase productivity and efficiency by allowing a smaller workforce to accomplish more tasks.
Correct selection
Technical debt
Explanation
Technical debt is a limitation of automation as it refers to the accumulated cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer. Automation can sometimes lead to technical debt if not implemented properly.
Correct selection
Ongoing supportability
Explanation
Ongoing supportability is a limitation of automation as it requires continuous maintenance, updates, and support to ensure that the automated processes remain effective and efficient over time. Neglecting ongoing support can lead to system failures and inefficiencies.
Efficiency/time saving
Explanation
Efficiency/time saving is a benefit of automation, not a limitation. Automation is designed to save time and improve efficiency by reducing manual tasks and streamlining processes.
Resource provisioning
Explanation
Resource provisioning is not a limitation of automation. It refers to the process of allocating and configuring resources such as servers, storage, and networks to support automated processes.
Correct selection
Cost
Explanation
Cost is a limitation of automation as it involves initial investment in tools, training, and implementation. While automation can lead to cost savings in the long run, the upfront costs can be a barrier for some organizations.
Domain
4.0 Security Operations
Question 45Skipped
A user connected to the corporate VPN accesses the internal zone of an organization’s network without needing further identity verification. Which of the following BEST describes this security zone?
Policy enforcement point
Explanation
A policy enforcement point (PEP) is a network security device or software that is responsible for enforcing access control policies. It is not directly related to describing a security zone within a network environment.
Policy engine
Explanation
A policy engine is a component that evaluates and enforces policies within a network. While it plays a role in defining and enforcing security policies, it is not specifically related to describing a security zone within a network environment.
Correct answer
Implicit trust zone
Explanation
An implicit trust zone refers to a security zone where there is an inherent level of trust between the connected devices or users. In this scenario, the user connected to the corporate VPN is accessing the internal zone of the organization’s network, indicating a level of implicit trust between the user and the internal network resources.
Untrusted zone
Explanation
An untrusted zone typically refers to a security zone where there is a lack of trust between the connected devices or users. In this scenario, the user connected to the corporate VPN is accessing the internal zone of the organization’s network, which does not align with the characteristics of an untrusted zone.
Domain
1.0 General Security Concepts
Question 46Skipped
An attacker has injected malicious JavaScript into an image on a vulnerable web page. Every time a user visits the site, the user receives an alert stating the website was hacked. Which of the following BEST describes this attack? (Choose two).
File-based
Explanation
File-based attacks typically involve malicious files being executed on a system to compromise its security. In this scenario, the attack is not based on a file being executed, but rather on malicious JavaScript embedded within an image on a web page.
Watering hole
Explanation
Watering hole attacks involve compromising a website that is frequently visited by a specific target group to infect the visitors with malware. In this case, the attack is not targeting a specific group of users but rather injecting malicious JavaScript into an image on a vulnerable web page.
Correct selection
Image-based
Explanation
The attack described in the scenario is image-based because the malicious JavaScript is embedded within an image on the web page. When users visit the site, the JavaScript is executed, resulting in an alert message being displayed.
Downgrade
Explanation
Downgrade attacks involve forcing a system to use older, less secure protocols or versions of software. The scenario described does not involve downgrading any systems but rather injecting malicious JavaScript into an image on a web page.
Correct selection
XSS
Explanation
XSS (Cross-Site Scripting) attacks involve injecting malicious scripts into web pages viewed by other users. In this case, the attacker has injected malicious JavaScript into an image on a web page, which triggers an alert message when users visit the site, making it a form of XSS attack.
Forgery attack
Explanation
Forgery attacks involve creating fake or unauthorized versions of legitimate websites or content to deceive users. While the scenario involves deception by displaying a message stating the website was hacked, it is not a forgery attack. Instead, it is an attack where malicious JavaScript is injected into an image on a vulnerable web page.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 47Skipped
Please fill the blank field(s) in the statement with the right words.
UPS refers to an uninterruptible power __
Correct answer
supply
Explanation
UPS stands for uninterruptible power supply. A UPS provides backup power to electronic devices in case of a power outage.
Domain
3.0 Security Architecture
Question 48Skipped
An attacker has successfully installed malware on a company’s systems. The attacker then ran the following commands:
sudo systemctl stop rsyslog
shred -f .bash_history
history -c
sudo systemctl start rsyslog
Which of the following is MOST likely the result of these commands?
Resource inaccessibility
Explanation
The commands executed by the attacker do not directly result in resource inaccessibility. The commands are focused on stopping the logging service, deleting command history, and starting the logging service again, which may impact the visibility of the attacker’s actions, but do not necessarily lead to resource inaccessibility.
Correct answer
Missing logs
Explanation
The commands executed by the attacker, specifically stopping the logging service, shredding the command history, and clearing the history, are likely to result in missing logs. By stopping the logging service and deleting the command history, the attacker is attempting to cover their tracks and prevent their actions from being recorded in the logs. Please note that you do not need to know what the provided commands do for your Security+; it’s just to help you visualize how some of these processes actually work in cyber security.
Out-of-cycle logging
Explanation
Out-of-cycle logging is not the most likely result of the commands executed by the attacker. The commands focus on stopping and starting the logging service, as well as deleting the command history, which would typically result in missing logs rather than out-of-cycle logging.
Account lockout
Explanation
The commands executed by the attacker do not directly result in the account being locked out. The focus of the commands is on manipulating the logging service and command history to cover the attacker’s tracks, rather than locking out user accounts.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 49Skipped
A company is reviewing the laws and regulations for saving cloud-based data in another location. Which of the following BEST describes this process?
Hot site
Explanation
A hot site refers to a fully operational backup facility that can immediately take over the primary site’s functions in case of a disaster. It is not directly related to the process of saving cloud-based data in another location due to laws and regulations.
Geographic dispersion
Explanation
Geographic dispersion involves spreading data across multiple physical locations to ensure redundancy and availability. While this concept is related to data storage and backup, it does not specifically address the legal and regulatory aspects of saving cloud-based data in another location.
Cloud responsibility matrix
Explanation
A cloud responsibility matrix outlines the roles and responsibilities of different parties involved in cloud services, including providers and customers. While important for understanding accountability in cloud environments, it does not directly relate to the process of complying with laws and regulations for saving data in another location.
Correct answer
Data sovereignty
Explanation
Data sovereignty refers to the legal concept that data is subject to the laws and regulations of the country in which it is located. When saving cloud-based data in another location, compliance with data sovereignty laws ensures that data is stored and managed in accordance with the legal requirements of that specific jurisdiction.
Domain
3.0 Security Architecture
Question 50Skipped
The incident response team is deliberating and documenting successful actions and improvement areas to enhance future incident remediation efficiency. Which of the following phases is being described?
Recovery
Explanation
The recovery phase focuses on restoring systems and services to normal operation after an incident has been contained and eradicated. It involves actions such as data recovery, system restoration, and service reactivation.
Containment
Explanation
The containment phase involves isolating and limiting the impact of an incident to prevent further damage or spread. It includes actions such as quarantining affected systems, blocking malicious traffic, and securing compromised accounts.
Correct answer
Lessons learned
Explanation
The lessons learned phase involves reflecting on the incident response process, identifying successful actions and improvement areas, and documenting key takeaways to enhance future incident remediation efficiency. It helps organizations learn from past incidents and improve their incident response capabilities.
Analysis
Explanation
The analysis phase involves investigating and analyzing the root cause of an incident, identifying the vulnerabilities or weaknesses that were exploited, and determining the extent of the impact. It helps organizations understand how the incident occurred and how to prevent similar incidents in the future.
Domain
4.0 Security Operations
Question 51Skipped
A SOC analyst observes the log files in a SIEM sent from a web server in real time. The analyst views the following attack in the logs:
www.markdemoras.com../../../../../../../etc/passwd
Which of the following attacks is MOST likely occurring?
XSS
Explanation
Cross-site scripting (XSS) attacks involve injecting malicious scripts into web pages viewed by other users. The attack observed in the log files does not indicate any script injection, so it is not likely to be an XSS attack.
SQLi
Explanation
SQL injection (SQLi) attacks involve inserting malicious SQL queries into input fields to manipulate a database. The attack observed in the log files does not show any SQL queries being executed, so it is not likely to be an SQLi attack.
Correct answer
Directory traversal
Explanation
Directory traversal attacks involve attempting to access files and directories that are outside the web server’s root directory. The attack observed in the log files with the use of multiple "../" indicates an attempt to traverse directories, making it highly likely to be a directory traversal attack.
Replay attack
Explanation
A replay attack involves capturing network traffic and replaying it to gain unauthorized access. The attack observed in the log files does not show any indication of captured network traffic being replayed, so it is not likely to be a replay attack.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 52Skipped
While touring a data center, a helpdesk technician observed the following warning:

Which of the following security controls BEST describes this warning?
Directive
Explanation
Directive security controls provide specific guidance or instructions to users or personnel on what actions are allowed or prohibited. While the warning sign does provide instructions to unauthorized personnel to keep out, it is more focused on deterring individuals from entering the area rather than providing specific directives on what actions to take.
Corrective
Explanation
Corrective security controls are implemented to mitigate the impact of security incidents that have already occurred. The warning in the scenario is aimed at preventing unauthorized access rather than correcting any issues that may arise, making it more in line with a deterrent control.
Preventive
Explanation
Preventive security controls are put in place to stop security incidents from happening in the first place. The warning in the scenario is focused on preventing unauthorized access by deterring individuals from entering the area, making it more closely related to a deterrent control.
Correct answer
Deterrent
Explanation
A deterrent security control is designed to discourage individuals from attempting unauthorized access by warning them of potential risks or consequences. The warning in the scenario serves as a deterrent by alerting unauthorized personnel of the high voltage and the danger associated with entering the area, making it the best description for the security control in this context.
Domain
1.0 General Security Concepts
Question 53Skipped
Please fill the blank field(s) in the statement with the right words.
The process of adding random bits of data to plaintext to obscure the output is known as __
Correct answer
salting
Explanation
The process of adding random bits of data to an existing set of strings to randomize the output is known as salting. This causes two identical pieces of plaintext to produce completely different outputs, making it more time-consuming for an attacker to brute-force the hash.
Domain
1.0 General Security Concepts
Question 54Skipped
A network administrator uses virtual local area networks (VLANs) to isolate traffic between several departments, including the marketing and shipping departments. Which of the following BEST describes this isolation?
Gap analysis
Explanation
Gap analysis is a method used to assess the differences between current and desired security postures, focusing on identifying vulnerabilities and risks. It is not directly related to the isolation of traffic between departments using VLANs.
Air gap
Explanation
Air gap refers to physically isolating a system or network from other systems or networks to prevent unauthorized access. While VLANs provide logical isolation, air gapping involves physical separation, making it different from VLAN-based isolation.
Correct answer
Logical segmentation
Explanation
Logical segmentation is the best way to describe the isolation achieved by using VLANs to separate traffic between departments. VLANs create virtual networks within a physical network, allowing for the segregation of traffic based on logical criteria.
Access control list
Explanation
Access control lists (ACLs) are used to control network traffic by filtering packets based on defined criteria. While ACLs can be used in conjunction with VLANs to further control traffic flow, they are not the primary method for isolating traffic between departments using VLANs.
Domain
3.0 Security Architecture
Question 55Skipped
A security engineer at a large corporation plans to purchase a device capable of storing multiple cryptographic keys from various devices while complying with the FIPS standard. Which of the following devices is being described?
Correct answer
HSM
Explanation
HSM (Hardware Security Module) is the correct choice as it is a physical device that securely stores and manages cryptographic keys. HSMs are designed to meet strict security standards, such as FIPS, and are commonly used in large organizations to protect sensitive data and ensure secure encryption processes.
TPM
Explanation
TPM (Trusted Platform Module) is not the correct choice in this scenario. While TPMs also store cryptographic keys, they are typically integrated into devices like computers or servers to provide secure boot and encryption capabilities, rather than storing keys from various devices in a centralized manner.
Key management system
Explanation
Key management systems are software-based solutions that help organizations manage and control cryptographic keys. While they play a crucial role in key lifecycle management, they are not physical devices like HSMs that comply with FIPS standards for secure key storage.
Secure enclave
Explanation
Secure enclave refers to a secure area within a device’s hardware or software that is isolated from the rest of the system to protect sensitive data. While secure enclaves provide a secure environment for processing data, they are not specifically designed to store and manage cryptographic keys from multiple devices while complying with FIPS standards like HSMs.
Domain
1.0 General Security Concepts
Question 56Skipped
A managed service provider has curated a document stating the amount of acceptable downtime per month for internet service, ensuring 99.9% uptime at all times of the month. Which of the following BEST describes this agreement?
RTO
Explanation
RTO (Recovery Time Objective) refers to the maximum acceptable downtime for a system or service after a disruption. It is the time within which a system or service must be restored after an incident to meet business requirements. This is not the best description for the agreement mentioned in the question.
Correct answer
SLA
Explanation
SLA (Service Level Agreement) is a contract between a service provider and a customer that outlines the level of service expected. It defines the metrics, responsibilities, and guarantees for the service provided. In this case, the document stating the acceptable downtime per month for internet service aligns with the concept of an SLA.
RPO
Explanation
RPO (Recovery Point Objective) refers to the maximum amount of data loss that is acceptable after a disruption. It defines the point in time to which data must be recovered after an incident. This is not the best description for the agreement mentioned in the question.
MTBF
Explanation
MTBF (Mean Time Between Failures) is a measure of the average time between failures of a system or component. It is used to predict the reliability and availability of a system. While uptime is related to reliability, MTBF specifically focuses on the frequency of failures rather than acceptable downtime per month as outlined in the agreement.
Domain
5.0 Security Program Management and Oversight
Question 57Skipped
Please fill the blank field(s) in the statement with the right words.
In penetration testing, pentesters focus on the __ aspect.
Correct answer
offensive
Explanation
In penetration testing, pentesters focus on the offensive side while blue teamers work on the defensive side to defend against intrusions and exploits from the red team.
Domain
5.0 Security Program Management and Oversight
Question 58Skipped
A nation-state threat actor conducts a vulnerability scan on a competitor’s website to identify potential weaknesses. Which of the following BEST describes this action?
Correct answer
Active reconnaissance
Explanation
Active reconnaissance involves directly interacting with the target system to gather information, such as conducting vulnerability scans or probing for weaknesses. In this scenario, the nation-state threat actor is actively scanning the competitor’s website to identify vulnerabilities, making it the best description of the action.
Passive reconnaissance
Explanation
Passive reconnaissance involves gathering information about a target without directly interacting with it, such as monitoring network traffic or social media profiles. Since the nation-state threat actor is actively scanning the competitor’s website, this action does not align with passive reconnaissance.
CVE
Explanation
CVE (Common Vulnerabilities and Exposures) is a list of publicly known cybersecurity vulnerabilities and exposures. While the nation-state threat actor may use information from CVE to identify vulnerabilities during the scan, the act of conducting the vulnerability scan itself is not accurately described as CVE.
Zero-day vulnerability
Explanation
A zero-day vulnerability refers to a previously unknown security vulnerability that is exploited by attackers before a patch or fix is available. In this scenario, the nation-state threat actor is conducting a vulnerability scan to identify weaknesses, rather than exploiting a zero-day vulnerability.
Domain
5.0 Security Program Management and Oversight
Question 59Skipped
A company is developing a plan outlining how systems will operate during an outage. The plan also details how employees will continue working remotely without relying on a secondary data center. Which of the following BEST describes this process?
Incident response planning
Explanation
Incident response planning focuses on how to address and manage security incidents and breaches when they occur. It involves steps such as detection, response, and recovery from security events, rather than planning for system outages or remote work scenarios.
Disaster recovery planning
Explanation
Disaster recovery planning involves preparing for and recovering from major disasters that could impact the organization’s IT infrastructure. It typically focuses on restoring systems, data, and services after events like natural disasters, cyber attacks, or equipment failures, rather than addressing remote work arrangements or system usage during outages.
Correct answer
Business continuity planning
Explanation
Business continuity planning focuses on ensuring that critical business functions can continue operating during and after disruptions. It includes plans for remote work, alternate work locations, and maintaining essential operations in the event of system outages or other disruptions, making it the best description for the scenario provided.
Mean time to repair
Explanation
Mean time to repair (MTTR) is a metric used to measure the average time it takes to repair a system or service after a failure. While MTTR is important for assessing system reliability and downtime, it does not encompass the comprehensive planning and strategies needed for remote work arrangements and business continuity during outages.
Domain
5.0 Security Program Management and Oversight
Question 60Skipped
A cyber threat intelligence (CTI) analyst is investigating a recent ransomware data breach that affected millions of users. The analyst wants to be alerted whenever a log file is modified on a SIEM solution. Which of the following technologies would allow this?
DLP
Explanation
Data Loss Prevention (DLP) technology focuses on preventing unauthorized access to sensitive data and monitoring data transfers. While it is important for data protection, it is not directly related to monitoring log file modifications on a SIEM solution.
Correct answer
FIM
Explanation
File Integrity Monitoring (FIM) technology is specifically designed to monitor and detect changes to files, including log files. It can be configured to alert the analyst whenever a log file is modified, making it the correct choice for this scenario.
EDR
Explanation
Endpoint Detection and Response (EDR) technology focuses on detecting and responding to security incidents on endpoints. While it is crucial for endpoint security, it is not primarily used for monitoring log file modifications on a SIEM solution.
NAC
Explanation
Network Access Control (NAC) technology is used to control access to a network based on security policies. While it is important for network security, it is not directly related to monitoring log file modifications on a SIEM solution.
Domain
4.0 Security Operations
Question 61Skipped
A recent Telegram remote code execution (RCE) vulnerability has emerged, and manufacturers have quickly released a patch. A penetration tester performed a vulnerability scan against a system running the Telegram app, but the vulnerability was not detected. Which of the following BEST describes this detection?
Correct answer
False negative
Explanation
A false negative occurs when a vulnerability or issue is present, but it is not detected by the security tool or scanner. In this case, the vulnerability scan did not detect the Telegram RCE vulnerability, which is a false negative as the vulnerability is actually present.
False positive
Explanation
A false positive would occur if the vulnerability scan incorrectly identifies a vulnerability that is not actually present in the system. Since the vulnerability was not detected in this case, it does not fall under the category of a false positive.
CVSS
Explanation
CVSS (Common Vulnerability Scoring System) is a framework used to assess and prioritize vulnerabilities based on their severity. While CVSS scores can be used to evaluate the impact of vulnerabilities, it is not directly related to the issue of the vulnerability not being detected in this scenario.
Vulnerability scanner
Explanation
A vulnerability scanner is a tool used to identify security vulnerabilities in systems or applications. In this case, the vulnerability scanner failed to detect the Telegram RCE vulnerability, leading to a false negative result.
Domain
4.0 Security Operations
Question 62Skipped
Please fill the blank field(s) in the statement with the right words.
Fake and deceptive technology designed to lure attackers and gather insights into their techniques is known as a __
Correct answer
honeypot
Explanation
A piece of fake, deceptive technology designed to lure attackers in and gather additional threat intelligence about their tactics, techniques, and procedures (TTPs) is known as a honeypot.
Domain
1.0 General Security Concepts
Question 63Skipped
Employees of an organization were instructed to familiarize themselves with the latest phishing scams by attending lunch-and-learns and by reviewing internal training documentation. Which of the following control types is being implemented?
Managerial
Explanation
Managerial controls involve the use of policies, procedures, and guidelines to manage and control security within an organization. While training and awareness programs may be part of managerial controls, in this scenario, the focus is on familiarizing employees with specific phishing scams, which falls more under operational controls.
Correct answer
Operational
Explanation
Operational controls are put in place to ensure that day-to-day operations are conducted securely and efficiently. In this case, the organization is implementing operational controls by providing training sessions and documentation to help employees recognize and respond to phishing scams effectively.
Corrective
Explanation
Corrective controls are designed to address and correct security incidents or weaknesses after they have occurred. In this scenario, the organization is taking proactive measures to prevent phishing attacks by educating employees, which aligns more with operational controls rather than corrective controls.
Compensating
Explanation
Compensating controls are alternative measures put in place to compensate for the lack of effectiveness in other controls. In this case, the organization is not implementing compensating controls but rather operational controls to educate employees about phishing scams.
Domain
1.0 General Security Concepts
Question 64Skipped
A company’s security administrator implements technical and preventive controls, including firewalls, IPS, UTM, and XDR solutions. Which of the following BEST describes the administrator’s technical actions?
Threat scope reduction
Explanation
Threat scope reduction refers to limiting the potential attack surface by implementing security measures such as network segmentation, access controls, and vulnerability management. While firewalls, IPS, UTM, and XDR solutions can help reduce the threat scope, it is not the best description of the administrator’s technical actions in this scenario.
Decommissioning
Explanation
Decommissioning involves removing or shutting down systems, services, or applications that are no longer needed or pose a security risk. While this can be a part of security measures, it is not the best description of the administrator’s technical actions in this scenario where the focus is on implementing security controls like firewalls, IPS, UTM, and XDR solutions.
Installation of endpoint protection
Explanation
Installation of endpoint protection typically refers to deploying security software on individual devices to protect against malware, unauthorized access, and other threats. While endpoint protection is an important security measure, it is not the best description of the administrator’s technical actions in this scenario where the emphasis is on implementing network-based security controls like firewalls, IPS, UTM, and XDR solutions.
Correct answer
Hardening
Explanation
Hardening involves securing systems by reducing their attack surface, eliminating unnecessary services, applying security patches, and configuring settings to enhance security. In this scenario, implementing firewalls, IPS, UTM, and XDR solutions aligns with the concept of hardening as it strengthens the organization’s overall security posture by fortifying its defenses against various threats.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 65Skipped
A hospital handles PHI and PII information from its patients. The hospital consults a cybersecurity engineer to determine the appropriate data classification. Which of the following BEST describes this data?
Confidential
Explanation
Confidential data typically refers to information that requires a high level of protection due to its sensitivity. While PHI and PII information are important and should be protected, the term "confidential" may not fully capture the specific requirements for handling this type of data in a healthcare setting.
Correct answer
Sensitive
Explanation
Sensitive data is the most appropriate classification for PHI and PII information in a hospital setting. This type of data requires special handling and protection to prevent unauthorized access or disclosure. It is crucial to classify this data as sensitive to ensure proper security measures are in place.
Private
Explanation
Private data typically refers to information that is personal or individual in nature but may not carry the same level of sensitivity as PHI and PII data. While protecting private data is important, the classification of "sensitive" is more suitable for healthcare-related information like PHI and PII.
Restricted
Explanation
Restricted data usually refers to information that has strict access controls and limited distribution. While PHI and PII data should have restricted access, the term "restricted" may not fully capture the specific requirements and implications of handling this type of sensitive information in a healthcare environment.
Domain
3.0 Security Architecture
Question 66Skipped
A cybersecurity organization is using RAID to duplicate data for redundancy among multiple drives. Which of the following BEST describes the duplication of this data?
Correct answer
Replication
Explanation
Replication is the process of duplicating data across multiple drives or systems for redundancy and fault tolerance. In RAID, mirrored levels such as RAID 1 write every block to a second drive as well, which is replication at the disk level, making it the best description of the duplication of data in this scenario. Note that RAID protects only against drive failure: a deletion, corruption or ransomware encryption is mirrored faithfully, so RAID is not a substitute for backups.
Snapshots
Explanation
Snapshots are point-in-time copies of data that capture the state of a system at a specific moment. While snapshots can be used for data backup and recovery, they are not the primary method for duplicating data for redundancy in RAID configurations.
Load balancing
Explanation
Load balancing involves distributing network traffic or workload across multiple resources to optimize resource utilization, maximize throughput, minimize response time, and avoid overload. It is not directly related to duplicating data for redundancy in RAID configurations.
Clustering
Explanation
Clustering is the process of grouping multiple servers together to act as a single entity to provide high availability, load balancing, and failover capabilities. While clustering can enhance system reliability, it is not specifically focused on duplicating data for redundancy in RAID setups.
Domain
3.0 Security Architecture
Question 67Skipped
Which of the following roles is responsible for managing the purposes and means by which data is processed?
Correct answer
Data controller
Explanation
A data controller is responsible for managing the purposes and means by which data is processed. They determine the reasons for processing data and the methods used to do so, ensuring compliance with data protection regulations and privacy laws.
Data processor
Explanation
A data processor, on the other hand, is responsible for processing data on behalf of the data controller. They act on the instructions of the data controller and must ensure the security and confidentiality of the data they process.
Data owner
Explanation
A data owner is the individual or entity that has ownership rights over the data. While they may have some control over how the data is processed, their primary role is to assert ownership rights and ensure data is used in accordance with their wishes.
Data steward
Explanation
A data steward is responsible for overseeing the management and governance of data within an organization. They ensure that data is handled responsibly, ethically, and in compliance with regulations, but they do not have the authority to determine the purposes and means of data processing.
Domain
5.0 Security Program Management and Oversight
Question 68Skipped
Which of the following domains would not be covered by a certificate issued to the domain *.markdemoras.com?
markdemoras.com
Explanation
A wildcard certificate for *.markdemoras.com covers the single-label subdomains of markdemoras.com. Strictly, the wildcard label does not match the bare apex: RFC 6125 section 6.4.3 gives the example that *.example.com matches foo.example.com but not example.com. CAs therefore normally add the apex as a separate Subject Alternative Name on the same certificate, and this question assumes that common practice, so markdemoras.com is treated as covered.
www.markdemoras.com
Explanation
Subdomains such as www.markdemoras.com would be covered by a wildcard certificate issued to *.markdemoras.com. The wildcard character (*) stands in for exactly one DNS label, so it covers any direct subdomain of markdemoras.com.
mail.markdemoras.com
Explanation
Subdomains like mail.markdemoras.com would also be covered by a wildcard certificate issued to *.markdemoras.com, because the wildcard character (*) matches any single label directly under markdemoras.com.
Correct answer
mail.test.markdemoras.com
Explanation
The domain mail.test.markdemoras.com is not a direct subdomain of markdemoras.com. The wildcard stands in for exactly one DNS label (RFC 6125), so *.markdemoras.com matches test.markdemoras.com but not mail.test.markdemoras.com. Covering that name would require a certificate for *.test.markdemoras.com or an explicit SAN entry for it.
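The matching rule described above can be checked with a short function. This is an added example, not part of the quiz: it implements the RFC 6125 rule that a wildcard is only valid as the whole left-most label and matches exactly one label, and the `covered` helper and the sample SAN list it is run against are constructed for illustration.

```python
# Wildcard certificate name matching per RFC 6125 section 6.4.3:
# "*" is only valid as the whole left-most label and matches exactly one label.
# Added example; the certificate names used below are constructed.

def _labels(name: str) -> list:
    """Split a hostname into lower-case labels, ignoring a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")

def matches_wildcard(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h                      # plain dNSName: exact match only
    # The wildcard must be the entire left-most label ("*.example.com"),
    # must not appear anywhere else, and must be followed by at least two
    # labels so that "*.com" can never be matched.
    if p[0] != "*" or any("*" in x for x in p[1:]) or len(p) < 3:
        return False
    # Same number of labels, a non-empty left-most label, identical suffix.
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]

def covered(cert_names, hostname: str) -> bool:
    """True if any Subject Alternative Name on the certificate covers the host."""
    return any(matches_wildcard(n, hostname) for n in cert_names)

if __name__ == "__main__":
    san = ["*.markdemoras.com", "markdemoras.com"]   # constructed SAN list
    for host in ["markdemoras.com", "www.markdemoras.com",
                 "mail.markdemoras.com", "mail.test.markdemoras.com"]:
        print(f"{host:28} wildcard only: {matches_wildcard(san[0], host)!s:5} "
              f"with apex SAN: {covered(san, host)}")
```

Run it and the only host that stays uncovered even with the apex SAN is mail.test.markdemoras.com; the apex itself is covered only because it was listed as its own SAN entry, which is the point the explanation above relies on.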
Domain
1.0 General Security Concepts
Question 69Skipped
A SOC analyst is observing real-time logs on a SIEM and notices the following IPS logs:
66.120.6.8 –> 120.9.5.12
Status: Quarantined
File affected: C:\Microsoft\ztztrqaM.exe
4/29/2024 11:15
Which of the following BEST describes this log entry? (Choose two).
Correct selection
The attack originated from 66.120.6.8 and targeted 120.9.5.12.
Explanation
The log indicates that the attack originated from 66.120.6.8 and targeted 120.9.5.12. The status of the attack is listed as "Quarantined," and the file affected is identified as C:\Microsoft\ztztrqaM.exe. This information suggests that the attack was initiated from the source IP address 66.120.6.8 towards the destination IP address 120.9.5.12.
The attack originated from 120.9.5.12 and targeted 66.120.6.8.
Explanation
The log states that the attack originated from 66.120.6.8 and targeted 120.9.5.12. The status of the attack is listed as "Quarantined," indicating that the attack was blocked or contained. The file affected is identified as C:\Microsoft\ztztrqaM.exe, further confirming that the attack originated from 66.120.6.8 towards 120.9.5.12.
The attack originating from 120.9.5.12 was quarantined.
Explanation
The log does not provide any information indicating that the attack originated from 120.9.5.12. Instead, it clearly states that the attack originated from 66.120.6.8 and targeted 120.9.5.12. The status of the attack is listed as "Quarantined," suggesting that the attack was blocked or contained before reaching its target.
Correct selection
The attack originating from 66.120.6.8 was quarantined.
Explanation
The log states that the attack originated from 66.120.6.8 and targeted 120.9.5.12. The status of the attack is listed as "Quarantined," indicating that the attack was blocked or contained. The file affected is identified as C:\Microsoft\ztztrqaM.exe, further confirming that the attack originating from 66.120.6.8 was successfully quarantined.
Domain
4.0 Security Operations
Question 70Skipped
A penetration tester is conducting an assessment against a well-known software company and observes the following in a database file:
[database file excerpt not captured in this page; the explanations below refer to the displayed value Mark****2190]
Which of the following BEST describes the technology in use?
Tokenization
Explanation
Tokenization replaces a sensitive value with a surrogate token that has no mathematical relationship to the original; the real value is kept in a separate token vault and can only be recovered by looking the token up there. It does not match the scenario, where part of the original value is still readable and the rest has been replaced with asterisks.
Hashing
Explanation
Hashing converts input data into a fixed-size digest using a one-way function such as SHA-256; the output reveals none of the original characters and cannot be reversed. It does not match the scenario, where the data is partially obscured with asterisks.
Correct answer
Masking
Explanation
Masking is a technique used to partially obscure sensitive data by replacing certain characters with placeholders like asterisks. In the scenario described in the question, the data "Mark****2190" is an example of masking where part of the data is hidden to protect its confidentiality.
Encryption
Explanation
Encryption is the process of converting plaintext data into ciphertext to secure it from unauthorized access. It is not related to the scenario described in the question where the data is partially obscured with asterisks.
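The four options differ in what a stolen database row reveals, which is easiest to see by running one value through each. This is an added example, not the quiz's own material: the sample value "Mark12342190" is constructed so that masking it with the first and last four characters kept yields the "Mark****2190" shown in the explanations, the HMAC key is a constructed demo key, and encryption is left out only because the Python standard library ships no AES.

```python
# Masking, hashing and tokenization of the same stored value, side by side.
# Added example; the sample value "Mark12342190" and the HMAC key are constructed.
import hashlib
import hmac
import secrets

def mask(value: str, keep_prefix: int = 4, keep_suffix: int = 4, fill: str = "*") -> str:
    """Masking: hide the middle of a value but keep the ends readable.
    Irreversible, but the kept characters still leak partial information."""
    n = len(value)
    if n <= keep_prefix + keep_suffix:
        return fill * n                      # too short to keep anything safely
    hidden = n - keep_prefix - keep_suffix
    return value[:keep_prefix] + fill * hidden + value[n - keep_suffix:]

def hash_value(value: str, key: bytes = None) -> str:
    """Hashing: fixed-length one-way digest. With a secret key (HMAC) an
    attacker who steals the table cannot brute-force low-entropy inputs."""
    if key is None:
        return hashlib.sha256(value.encode()).hexdigest()
    return hmac.new(key, value.encode(), "sha256").hexdigest()

class TokenVault:
    """Tokenization: a random surrogate with no mathematical link to the value.
    The real value lives only in the vault and is recovered by lookup."""
    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]

def demo(sample: str = "Mark12342190") -> dict:
    """Return the same sample under each technique. Encryption is omitted
    because the standard library ships no AES; its output would be
    key-reversible ciphertext with no readable characters at all."""
    vault = TokenVault()
    token = vault.tokenize(sample)
    return {
        "masked": mask(sample),
        "sha256": hash_value(sample),
        "hmac": hash_value(sample, key=b"constructed-demo-key"),
        "token": token,
        "detokenized": vault.detokenize(token),
    }

if __name__ == "__main__":
    for name, shown in demo().items():
        print(f"{name:12} {shown}")
```

Only the masked form keeps recognisable fragments of the input, which is why "Mark****2190" identifies masking; a digest or a token would show no characters of the original, and the plain SHA-256 column shows why a keyed hash is preferable for identifiers an attacker could enumerate.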
Domain
3.0 Security Architecture
Question 71Skipped
Which of the following data types are regulated by law? (Choose two).
OSINT
Explanation
OSINT (Open Source Intelligence) refers to information collected from publicly available sources. While it is important for security purposes, it is not specifically regulated by law in the context of data types.
Proprietary
Explanation
Proprietary data refers to information that is owned by a specific entity and is protected from disclosure. While it is important for business confidentiality, it is not a data type that is regulated by law.
Intellectual property (IP)
Explanation
Intellectual property (IP) refers to creations of the mind, such as inventions, literary and artistic works, designs, symbols, names, and images used in commerce. While IP is protected by laws, it is not a data type that is specifically regulated.
Trade secrets
Explanation
Trade secrets are confidential information that gives a business a competitive advantage. While trade secrets are protected by laws, they are not considered a data type that is regulated in the same way as personally identifiable information (PII) and protected health information (PHI).
Correct selection
PII
Explanation
Personally identifiable information (PII) refers to data that can be used to identify an individual, such as names, social security numbers, addresses, and biometric records. PII is heavily regulated by privacy laws such as the GDPR (as "personal data") and by sector-specific statutes such as HIPAA when it appears in health records, to protect individuals’ privacy and security.
Correct selection
PHI
Explanation
Protected health information (PHI) refers to information related to an individual’s health status, healthcare services received, or payment for healthcare services. PHI is regulated by laws such as HIPAA to ensure the privacy and security of individuals’ health information.
Domain
3.0 Security Architecture
Question 72Skipped
An administrator opens a terminal, runs a command, and observes the following output:
[terminal output not captured in this page; per the explanations below, the command run was sudo su && whoami and the output was root]
Which of the following BEST describes this output?
Malicious code
Explanation
The output does not indicate the presence of malicious code. The command "sudo su && whoami" is a standard command to switch to the root user and display the current user, which in this case is "root".
Cross-site scripting
Explanation
Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications, where malicious scripts are injected into trusted websites. The output provided in the question does not relate to XSS as it involves a command line operation, not web scripting.
TOCTOU
Explanation
Time of Check to Time of Use (TOCTOU) is a type of race condition vulnerability where a resource is checked for a specific condition at one point in time, but the condition may change before the resource is used. The output in the question does not indicate a TOCTOU vulnerability.
Correct answer
Privilege escalation
Explanation
The observed output indicates privilege escalation. The command "sudo su" is used to switch to the root user, and the subsequent "whoami" command shows that the user has escalated privileges to the root user, which is a common indicator of privilege escalation.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 73Skipped
A company is looking to reduce their current risk posture. The company purchases additional antivirus, host-based intrusion detection systems (HIDS) and web application firewalls (WAFs). Which of the following is the company practicing?
Correct answer
Risk mitigation
Explanation
By purchasing additional antivirus, host-based intrusion detection systems (HIDS), and web application firewalls (WAFs), the company is actively taking steps to reduce their current risk posture. This aligns with the practice of risk mitigation, which involves implementing controls and measures to reduce the impact and likelihood of risks.
Risk transference
Explanation
Risk transference involves shifting the responsibility for managing a risk to another party, such as through insurance or outsourcing. Purchasing additional security tools like antivirus, HIDS, and WAFs does not involve transferring the risk to another party, but rather directly addressing and mitigating the risks within the company.
Risk appetite
Explanation
Risk appetite refers to the level of risk that an organization is willing to accept in pursuit of its objectives. Purchasing additional security tools to reduce risk posture does not directly relate to defining or adjusting the company’s risk appetite, but rather focuses on actively reducing risks through security measures.
Risk avoidance
Explanation
Risk avoidance involves taking actions to completely eliminate the possibility of a risk occurring. By purchasing additional antivirus, HIDS, and WAFs, the company is not avoiding risks entirely but rather working to mitigate and reduce the impact and likelihood of security incidents.
Domain
5.0 Security Program Management and Oversight
Question 74Skipped
A user intending to visit MarkdeMoras.com accidentally types in MarkMoras.com. Which of the following BEST describes this attack type?
Pretexting
Explanation
Pretexting involves creating a false scenario to obtain sensitive information from individuals. In this case, the user’s mistyped domain name does not involve deception or manipulation to gather information, so it is not considered pretexting.
Watering hole
Explanation
Watering hole attacks involve compromising websites that a target group frequently visits to infect them with malware. The scenario described in the question does not involve compromising a website to target a specific group, so it is not a watering hole attack.
Correct answer
Typosquatting
Explanation
Typosquatting is a type of cybersquatting where attackers register domain names similar to popular websites with the intention of capturing traffic from users who mistype the URL. This aligns with the situation where the user mistakenly typed MarkMoras.com instead of MarkdeMoras.com.
Impersonation
Explanation
Impersonation involves pretending to be someone else to deceive individuals. While mistyping a domain name could potentially lead to a website impersonating another, the act of mistyping itself does not constitute impersonation.
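Defenders look for typosquats by generating the variants an attacker would register and by measuring edit distance to the brand's name. The following is an added example, not part of the quiz: the two domains are the question's own, the second-level label is approximated as the label left of the TLD (no public-suffix list, so names like example.co.uk would be mishandled), and the variant generator is limited to the four typo classes named in its comments.

```python
# Typosquat candidate check: does an observed domain look like a typo of a
# brand's domain? Added example; the registrable label is approximated as the
# second-level label (an assumption that breaks for suffixes like co.uk).

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def _split(domain: str):
    """(second-level label, TLD) of a domain, lower-cased."""
    parts = domain.strip().lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]

def typo_candidates(domain: str) -> set:
    """Variants an attacker typically registers: one char dropped, two adjacent
    chars dropped (the "de" in markdemoras), adjacent chars swapped, a char doubled."""
    label, tld = _split(domain)
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                       # omission
        out.add(label[:i] + label[i] + label[i:])                # doubling
        if i + 2 <= len(label):
            out.add(label[:i] + label[i + 2:])                   # double omission
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.discard(label)
    return {f"{v}.{tld}" for v in out if v}

def looks_like_typosquat(observed: str, brand: str, max_distance: int = 2) -> bool:
    """True if `observed` is a generated typo of `brand` or within
    `max_distance` edits of its second-level label (and is not the brand itself)."""
    seen = observed.strip().lower().rstrip(".")
    if seen == brand.strip().lower().rstrip("."):
        return False
    if seen in typo_candidates(brand):
        return True
    return edit_distance(_split(seen)[0], _split(brand)[0]) <= max_distance

if __name__ == "__main__":
    brand = "MarkdeMoras.com"
    for seen in ["MarkMoras.com", "markdemoras.com", "markdemorsa.com", "example.com"]:
        print(f"{seen:20} typosquat of {brand}? {looks_like_typosquat(seen, brand)}")
```

MarkMoras.com is flagged both ways: it is the "de" double-omission variant and it sits two edits from the brand label. In practice the generated set is fed to a domain-registration monitor so that newly registered look-alikes are caught before users mistype their way to them.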
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 75Skipped
A system administrator uses multifactor authentication (MFA) and receives a one-time SMS code on their phone that expires after 30 seconds. Which of the following BEST describes this one-time code?
Something you know
Explanation
"Something you know" refers to information that the user possesses, such as a password or PIN. In this case, the one-time SMS code is not something the user already knew, but rather something they receive on their phone.
Something you are
Explanation
"Something you are" refers to biometric factors, such as fingerprint or facial recognition. The one-time SMS code is not a biometric factor, but rather a temporary code sent to the user’s phone.
Correct answer
Something you have
Explanation
"Something you have" refers to physical items that the user possesses, such as a smart card or a mobile device. In this scenario, the one-time SMS code sent to the user’s phone falls under the category of something the user has.
Somewhere you are
Explanation
"Somewhere you are" refers to location-based factors, such as geolocation services. The one-time SMS code is not related to the user’s physical location, but rather to their possession of a specific device to receive the code.
Domain
4.0 Security Operations
Question 76Skipped
A user wants to install a website certificate but needs an organization to digitally verify its legitimacy. The user requests the certificate to be installed on their website as soon as possible. Which of the following actions is the user performing?
CA
Explanation
CA stands for Certificate Authority, which is an entity that digitally signs and verifies the authenticity of website certificates. The user is not performing the action of a CA in this scenario, but rather requesting a certificate to be installed.
Correct answer
CSR
Explanation
CSR stands for Certificate Signing Request. The requester generates a key pair, keeps the private key, and submits the CSR, which contains the public key and subject information such as the domain name and is signed with that private key, to a Certificate Authority (CA). After the CA validates the request it returns a signed certificate for installation on the web server. In this scenario the user wants an organization (the CA) to verify the certificate’s legitimacy, and that process starts with generating a CSR.
OCSP
Explanation
OCSP stands for Online Certificate Status Protocol, which is used to check the validity of a certificate in real-time. The user in this scenario is not performing the action of OCSP, but rather requesting a certificate to be installed on their website.
Self-signed
Explanation
Self-signed certificates are certificates that are signed by the entity themselves rather than a trusted Certificate Authority. The user in this scenario is not generating a self-signed certificate, but rather requesting a certificate to be installed on their website and verified by an organization.
Domain
1.0 General Security Concepts
Question 77Skipped
A well-known cybersecurity training company seeks a way to scale services on demand while evenly distributing resource usage. Additionally, the company wants to track each user’s resource consumption using affinity. Which of the following technologies would BEST fulfill this requirement?
Multi-cloud systems
Explanation
Multi-cloud systems involve using multiple cloud service providers to distribute workloads and resources across different platforms. While this can help with scalability and resource distribution, it may not provide the level of affinity tracking required for monitoring individual user resource consumption.
Clustering
Explanation
Clustering involves grouping multiple servers together to work as a single system, providing high availability and scalability. While clustering can help with resource distribution, it may not offer the level of affinity tracking needed to monitor individual user resource consumption.
Continuity of operations
Explanation
Continuity of operations focuses on maintaining essential functions during and after a disaster or disruption. While important for business continuity, COOP does not directly address the scalability and resource tracking requirements mentioned in the question.
Correct answer
Load balancing solution
Explanation
A load balancing solution distributes incoming traffic across multiple servers to optimize performance, provide high availability and prevent overload, and backends can be added behind it on demand to scale. Affinity (also called persistence or sticky sessions) pins each client to the same backend for the life of its session, typically by source IP or a cookie, which is what lets the company attribute resource consumption to each user on a specific node. This makes load balancing the technology that best fulfills the requirement.
Domain
3.0 Security Architecture
Question 78Skipped
A cybersecurity firm has hired a penetration tester to infiltrate the data center of a Microsoft building. Which type of penetration testing is being described?
Offensive
Explanation
Offensive penetration testing involves simulating real-world cyber attacks to identify vulnerabilities and weaknesses in an organization’s security defenses. It focuses on exploiting these vulnerabilities to gain unauthorized access to systems and data, rather than physical access to a building or facility.
Correct answer
Physical
Explanation
Physical penetration testing specifically involves testing the physical security measures of a building or facility. In this scenario, the penetration tester is attempting to gain access to the data center of a Microsoft building, which falls under the category of physical penetration testing.
Defensive
Explanation
Defensive penetration testing focuses on assessing and improving an organization’s defensive security measures, such as firewalls, intrusion detection systems, and security policies. It does not involve attempting to physically breach a building’s security measures.
Integrated
Explanation
Integrated penetration testing combines various types of testing, including network, application, and physical security assessments, to provide a comprehensive evaluation of an organization’s overall security posture. While physical penetration testing may be included in an integrated approach, it is not the primary focus in this scenario.
Domain
5.0 Security Program Management and Oversight
Question 79Skipped
Please fill the blank field(s) in the statement with the right words.
The person responsible for managing specific types of data, such as the data from the sharing department, is referred to as the data __
Correct answer
owner
Explanation
The person responsible for managing specific types of data, such as the data from the sharing department, is referred to as the data owner.
Domain
5.0 Security Program Management and Oversight
Question 80Skipped
An administrator is implementing a technology that automatically blocks the transmission of social security numbers and credit card information leaving the organization to ensure data confidentiality. Which of the following BEST describes this technology?
IDS monitoring and detection
Explanation
IDS monitoring and detection focuses on identifying and alerting on potential security incidents or policy violations within a network. While it can detect sensitive data transmission, it does not automatically block the transmission of specific data types like social security numbers and credit card information.
Data in transit encryption
Explanation
Data in transit encryption is a method of securing data as it moves between devices or across networks by encrypting the data to prevent unauthorized access. While it helps ensure data confidentiality, it does not automatically block the transmission of specific data types like social security numbers and credit card information.
Security Content Automation Protocol (SCAP)
Explanation
Security Content Automation Protocol (SCAP) is a standardized method for sharing security-related information, such as security policies, configuration checklists, and vulnerability information. It is not specifically designed to automatically block the transmission of sensitive data leaving the organization.
Correct answer
Endpoint-based DLP
Explanation
Endpoint-based DLP (Data Loss Prevention) solution is designed to monitor and control data transfers on endpoints, such as laptops, desktops, and mobile devices, to prevent the unauthorized transmission of sensitive information like social security numbers and credit card information. It automatically blocks the transmission of specific data types to ensure data confidentiality.
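A DLP rule for "social security numbers and credit card information" is more than a regular expression; without validity checks it blocks invoice numbers and phone numbers and users learn to route around it. The following is an added example, not the quiz's material or any vendor's engine: the messages it inspects are constructed, and 4111 1111 1111 1111 is the standard non-issued test card number.

```python
# Content inspection of the kind an egress DLP policy applies: detect US SSNs
# and payment card numbers, with validity checks so that ordinary numbers do
# not trip the rule. Added example; the messages below are constructed.
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> list:
    """Return [(kind, matched_text), ...] for every validated hit."""
    hits = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("pan", m.group(0)))
    return hits

def egress_decision(text: str):
    """Policy: block the transfer if any validated SSN or PAN is present."""
    hits = find_sensitive(text)
    return ("block" if hits else "allow"), hits

if __name__ == "__main__":
    samples = [                                           # constructed messages
        "Invoice 1234 5678 9012 3456 is attached.",        # 16 digits, fails Luhn
        "Please charge 4111 1111 1111 1111, exp 12/26.",   # valid test PAN
        "Applicant SSN 123-45-6789, DOB on file.",
        "Call 555-123-4567 (not an SSN shape).",
    ]
    for s in samples:
        print(egress_decision(s)[0], "<-", s)
```

The Luhn and SSA-range checks are what separate a usable rule from a noisy one: the 16-digit invoice number is allowed because it fails Luhn, while the test card number and the well-formed SSN are blocked. A production deployment would add context keywords, cap the matches per message, and log the hit for review rather than silently dropping the transfer.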
Domain
4.0 Security Operations
Question 81Skipped
Please fill the blank field(s) in the statement with the right words.
A system created to perform a single, dedicated function is called an __ system.
Correct answer
embedded
Explanation
A system created to perform a single, dedicated function is called an embedded system.
Domain
4.0 Security Operations
Question 82Skipped
A security engineer is utilizing orchestration to automate the deployment of multiple virtual machines (VMs). Among them is an Internet-accessible 32-bit Linux distribution running version 2.2. Which of the following represents the GREATEST threat to this VM?
VM escape
Explanation
VM escape is a significant threat to virtual machines as it allows an attacker to break out of the virtualized environment and gain access to the underlying host system. However, in this scenario, the focus is on the threat specifically targeting the 32-bit Linux distribution running version 2.2, rather than the virtualization layer itself.
Resource reuse
Explanation
Resource reuse in a virtualized or cloud environment refers to memory, storage or other resources released by one VM or tenant and reallocated to another without being wiped, so that remnants of the previous occupant’s data can leak. It is a genuine concern on shared infrastructure, but it is not the greatest threat to the specific 32-bit Linux distribution running version 2.2 in this context.
Correct answer
Inability to patch
Explanation
Inability to patch is the greatest threat to the 32-bit Linux distribution running version 2.2. A release that old is long out of support, so no vendor fixes exist for the vulnerabilities published since, and an Internet-accessible host running it is exposed to every public exploit for that code base. Without the ability to apply patches and updates, the VM is at risk of being compromised by attackers exploiting known weaknesses in the system.
Credential replay
Explanation
Credential replay involves an attacker intercepting and reusing credentials to gain unauthorized access to systems or resources. While credential replay is a serious security concern, it is not the greatest threat to the specific 32-bit Linux distribution running version 2.2 in this scenario. The inability to patch poses a more immediate risk to the VM’s security posture.
Domain
3.0 Security Architecture
Question 83Skipped
Please fill the blank field(s) in the statement with the right words.
The concept of concealing hidden data in images, audio, or video is known as __
Correct answer
steganography
Explanation
Steganography is the practice of concealing information inside an innocuous carrier such as an image, audio or video file so that the existence of the hidden data is not apparent. It is distinct from cryptography, which protects the content of a message rather than its existence; the two are often combined by encrypting the payload before embedding it.
Domain
1.0 General Security Concepts
Question 84Skipped
An attacker exploited a vulnerability in a cloud-based network appliance and gained root access to the system. The exploited vulnerability allowed certain memory areas to leak into others, leading to a system takeover if manipulated. Which of the following BEST describes this vulnerability?
Correct answer
Buffer overflow
Explanation
A buffer overflow vulnerability occurs when a program writes more data to a buffer than it can hold, leading to the excess data overflowing into adjacent memory areas. If an attacker can manipulate this overflow, they can potentially gain unauthorized access to the system, as described in the scenario.
On-path
Explanation
On-path attacks involve intercepting and manipulating network traffic between two parties, but they do not typically involve memory manipulation or leakage. This type of attack is not the best description of the vulnerability described in the scenario.
Downgrade
Explanation
Downgrade attacks involve forcing a system to use older, less secure versions of protocols or software, but they do not typically involve memory manipulation or leakage leading to a system takeover. This type of attack is not the best description of the vulnerability described in the scenario.
Privilege escalation
Explanation
Privilege escalation involves an attacker gaining higher levels of access or permissions on a system than they were originally authorized for. While privilege escalation can be a result of exploiting vulnerabilities, it does not specifically involve memory manipulation or leakage as described in the scenario. This type of attack is not the best description of the vulnerability described in the scenario.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 85Skipped
A network administrator observes unusual outbound traffic patterns originating from a server. Further investigation reveals unauthorized processes running on the server and unauthorized access to critical core files. Which type of malware is MOST likely causing this behavior?
Logic bomb
Explanation
A logic bomb is a type of malware that is designed to execute a malicious action when specific conditions are met, such as a certain date or time. It is not typically associated with unauthorized processes running on a server or unauthorized access to critical core files.
Correct answer
Rootkit
Explanation
A rootkit is a type of malware that is specifically designed to provide unauthorized access to a computer or server while hiding its presence from the user and security software. Rootkits are commonly used to run unauthorized processes and gain access to critical system files, making it the most likely type of malware causing the observed behavior.
Ransomware
Explanation
Ransomware is a type of malware that encrypts files on a system and demands payment in exchange for the decryption key. While ransomware can cause unauthorized access to files, it is not typically associated with running unauthorized processes on a server.
Spyware
Explanation
Spyware is a type of malware that is designed to spy on a user’s activities without their knowledge or consent. While spyware can monitor outbound traffic and access files, it is not typically associated with running unauthorized processes on a server or gaining unauthorized access to critical core files.
Domain
2.0 Threats, Vulnerabilities, and Mitigations
Question 86Skipped
Which of the following are potential consequences of non-compliance? (Select all that apply).
Ongoing supportability
Explanation
Ongoing supportability is not typically a consequence of non-compliance. It refers to the ability to provide support for a product or service over time, which may be impacted by compliance issues but is not a direct consequence of non-compliance.
Correct selection
Fines
Explanation
Fines are a common consequence of non-compliance with regulations, standards, or laws. Organizations may face financial penalties for failing to meet compliance requirements.
Technical debt
Explanation
Technical debt is not directly related to non-compliance. It refers to the additional work that arises from choosing an easy solution now instead of using a better approach that would take longer.
Correct selection
Sanctions
Explanation
Sanctions, such as legal or regulatory penalties, are often imposed on organizations that fail to comply with applicable laws, regulations, or standards.
Correct selection
Reputational damage
Explanation
Reputational damage is a significant consequence of non-compliance. Failing to meet compliance requirements can harm an organization’s reputation and credibility in the eyes of customers, partners, and stakeholders.
Complexity
Explanation
Complexity is not a direct consequence of non-compliance. While non-compliance can lead to additional complexities in managing legal or regulatory issues, complexity itself is not a consequence of non-compliance.
Domain
5.0 Security Program Management and Oversight
Question 87Skipped
After running a vulnerability scan against a system which contains known vulnerabilities, a penetration tester observes the following information:

Which of the following BEST describes the results of this scan?
False positive
Explanation
A false positive occurs when the vulnerability scanner incorrectly identifies a vulnerability that does not actually exist in the system. In this case, the information provided does not indicate a false positive as the vulnerabilities are known to exist in the system.
Correct answer
CVSS
Explanation
CVSS stands for Common Vulnerability Scoring System, which is a framework used to assess the severity of vulnerabilities based on various factors. The information provided by the penetration tester is likely related to the CVSS scores of the vulnerabilities found during the scan.
CVE
Explanation
CVE stands for Common Vulnerabilities and Exposures, which is a list of publicly known cybersecurity vulnerabilities. While the information provided by the penetration tester may include CVE identifiers for the vulnerabilities found, it does not solely describe the CVE system itself.
False negative
Explanation
A false negative occurs when the vulnerability scanner fails to detect a vulnerability that actually exists in the system. The information provided by the penetration tester does not indicate a false negative, as vulnerabilities were indeed identified during the scan.
Domain
4.0 Security Operations
Question 88Skipped
Which of the following defines the maximum amount of downtime an organization can endure without facing severe consequences?
RPO
Explanation
RPO (Recovery Point Objective) refers to the maximum amount of data loss that an organization can tolerate. It is not directly related to the amount of tolerable downtime an organization can sustain.
Correct answer
RTO
Explanation
RTO (Recovery Time Objective) describes the amount of tolerable downtime an organization can sustain to avoid grave consequences. It is crucial for determining how quickly systems and services need to be restored after a disruption.
MTTR
Explanation
MTTR (Mean Time to Repair) refers to the average time it takes to repair a system or service after a failure. While important for measuring system reliability, it does not specifically address the amount of tolerable downtime an organization can sustain.
MTBF
Explanation
MTBF (Mean Time Between Failures) is the average time elapsed between two failures of a system. It is used to measure system reliability but does not directly relate to the amount of tolerable downtime an organization can sustain.
Domain
5.0 Security Program Management and Oversight
Question 89Skipped
A cybersecurity team is meeting around a table to discuss the incident response procedure, ensuring effective time management during an actual incident. Which of the following BEST describes this discussion?
Committees
Explanation
Committees are groups of individuals assigned specific tasks or responsibilities within an organization. While committees may be involved in incident response planning and execution, they do not specifically describe a meeting around a table to discuss incident response procedures and time management.
Simulation
Explanation
Simulation refers to the imitation of a real-world process or system in order to understand and predict outcomes. While simulations can be valuable in incident response training, they do not specifically describe a meeting around a table to discuss incident response procedures and time management.
Board
Explanation
A board typically refers to a group of individuals responsible for making decisions and providing oversight within an organization. While a board may be involved in incident response planning and decision-making, it does not specifically describe a meeting around a table to discuss incident response procedures and time management.
Correct answer
Tabletop exercise
Explanation
A tabletop exercise involves a group of individuals gathering around a table to discuss and walk through an incident response scenario. This allows the cybersecurity team to step through the response procedure, identify gaps, and ensure effective time management during an actual incident.
Domain
3.0 Security Architecture
Question 90Skipped
A new zero-day exploit has recently taken advantage of a Microsoft Windows operating system vulnerability. The system administrator of the MarkdeMoras company wants to maximize security to provide protection against this exploit. Which of the following should the administrator implement to BEST meet this requirement? (Choose two.)
Install host-based IDS systems on all endpoints
Explanation
Installing host-based IDS systems on all endpoints can help detect and prevent malicious activity on individual devices. While this is a good security practice, it may not directly address the specific vulnerability exploited by the zero-day exploit targeting the Microsoft Windows operating system.
Correct selection
Update OS and disable unused ports
Explanation
Updating the operating system and disabling unused ports are crucial steps in mitigating vulnerabilities and reducing the attack surface. By keeping the OS up to date with the latest security patches and closing off unnecessary ports, the system administrator can effectively protect against known vulnerabilities, potentially including the one exploited by the zero-day exploit.
Correct selection
Disable default application password and implement network segmentation
Explanation
Disabling default application passwords and implementing network segmentation are important security measures to prevent unauthorized access and limit the impact of potential security breaches. By removing default passwords and segmenting the network, the administrator can enhance security posture and reduce the risk of exploitation, including the zero-day exploit targeting the Windows OS.
Patch systems from vulnerability
Explanation
Patching systems against known vulnerabilities is a critical security practice to address known weaknesses and protect against potential exploits. While patching is essential for overall security, it cannot by itself address the zero-day exploit targeting the Microsoft Windows operating system, because no patch is yet available for it. Additional measures, such as keeping the OS current and implementing network segmentation, are needed to provide comprehensive protection against the exploit. The best the company can do is to run the most up-to-date operating system and ensure maximum security in every other way while awaiting a patch from the operating system vendor.
Domain
4.0 Security Operations