CompTIA Security+ SY0-701 Full-Length Practice Exam 2

https://www.udemy.com/course/comptia-security-sy0-701-comprehensive-practice-exams-2024/learn/quiz/6338552/result/1550483111#overview

CompTIA Security+ SY0-701 Full-Length Practice Exam 2 (90 questions) – Results


Question 1

An organization is dealing with a malware outbreak and promptly isolates the impacted systems. Which phase of incident response does this represent?

Preparation

Explanation

The Preparation phase in incident response involves activities such as creating incident response plans, training staff, and implementing security controls to prevent and mitigate security incidents. Isolating affected systems during a malware outbreak is not part of the Preparation phase.

Recovery

Explanation

The Recovery phase in incident response focuses on restoring systems and services to normal operation after an incident. Isolating affected systems is typically done in the Containment phase before moving on to the Recovery phase.

Correct answer

Containment

Explanation

The Containment phase in incident response involves isolating and limiting the impact of a security incident to prevent further spread. Isolating affected systems during a malware outbreak is a key step in the Containment phase.

Eradication

Explanation

The Eradication phase in incident response involves removing the root cause of the security incident and ensuring that all systems are clean and secure. Isolating affected systems is typically done before moving on to the Eradication phase.

Question 2

A network administrator is setting up the organization’s wireless network. While analyzing real-time network traffic with a packet capture tool, the administrator observes AES-256 being used. Which of the following BEST describes the network traffic? (Choose two.)

Public

Explanation

Public traffic refers to data that is accessible to anyone on the network without encryption. AES-256 being used indicates that the network traffic is encrypted, so it is not considered public.

Data at rest

Explanation

Data at rest refers to data that is stored on a device or server. Since the network traffic is being analyzed in real time with a packet capture tool, it is not data at rest.

Correct selection

Encrypted

Explanation

The use of AES-256 indicates that the network traffic is encrypted. Encrypted data is protected from unauthorized access, making it a secure method for transmitting data over the network.

Correct selection

Data in transit

Explanation

AES-256 encryption is commonly used to protect data while it is in transit over a network. Data in transit refers to data being actively transmitted between devices, making this choice the best description of the network traffic.

Data in use

Explanation

Data in use refers to data that is actively being processed by a system or application. Since the network traffic is being transmitted and encrypted, it is not considered data in use.

Data sovereignty

Explanation

Data sovereignty refers to the legal concept that data is subject to the laws of the country in which it is located. The use of AES-256 encryption does not directly relate to data sovereignty, so it is not the best description of the network traffic.

Question 3

A penetration tester is performing a vulnerability scan to detect open ports and protocols. The tester compares the scan results to a known vulnerability database. Which of the following BEST describes CVSS?

Provides recommendations for vulnerability remediations

Explanation

CVSS does not provide recommendations for vulnerability remediations. It is a scoring system used to rate the severity of vulnerabilities based on specific criteria.

Correct answer

Rates the severity of vulnerabilities based on a standardized scoring system

Explanation

This choice is correct because CVSS (Common Vulnerability Scoring System) rates the severity of vulnerabilities based on a standardized scoring system. This scoring system helps organizations prioritize and address security vulnerabilities effectively.

Lists known exploits and attack vectors associated with vulnerabilities

Explanation

CVSS does not list known exploits and attack vectors associated with vulnerabilities. It focuses on assessing the severity of vulnerabilities based on specific metrics rather than detailing specific attack vectors.

Identifies vulnerabilities by comparing system configurations to baseline security standards

Explanation

CVSS does not identify vulnerabilities by comparing system configurations to baseline security standards. It is specifically designed to provide a standardized method for rating the severity of vulnerabilities based on specific criteria, not for comparing system configurations.

Question 4

A disgruntled former employee has sent an email stating that at exactly 1 A.M., all files from the marketing department will be erased. Which type of attack is being described?

Correct answer

Logic bomb

Explanation

A logic bomb is a type of malicious code that is set to execute at a specific time or when certain conditions are met. In this scenario, the disgruntled former employee has set up a logic bomb to erase all files from the marketing department at 1 A.M., making this choice the correct answer.

Impersonation

Explanation

Impersonation involves pretending to be someone else in order to gain unauthorized access to systems or information. While impersonation can be used in various types of attacks, it is not the specific type of attack described in the scenario where files are set to be erased at a specific time.

Pretexting

Explanation

Pretexting is a social engineering technique where an attacker creates a false scenario to manipulate individuals into providing sensitive information. While pretexting can be used in various types of attacks, it is not the specific type of attack described in the scenario where files are set to be erased at a specific time.

Ransomware

Explanation

Ransomware is a type of malware that encrypts files or locks users out of their systems until a ransom is paid. While ransomware can cause data loss or destruction, it does not involve setting up a specific time for files to be erased, making this choice incorrect in the context of the scenario described.

Question 5

A systems administrator is adding new hardware to an organization and wants to use a cryptographic processor to secure sensitive information like biometrics and retina scans. Which of the following is the administrator most likely implementing?

TPM

Explanation

TPM (Trusted Platform Module) is a hardware-based security solution that provides a secure area for storing cryptographic keys and sensitive data. While TPM can be used for securing information, it is more commonly used for securing the boot process and ensuring the integrity of the system.

HSM

Explanation

HSM (Hardware Security Module) is a physical device that provides secure storage and management of cryptographic keys. While HSMs are commonly used for securing sensitive information, they are typically used for key management and encryption rather than securing specific types of data like biometrics and retina scans.

Parallel processing

Explanation

Parallel processing refers to the simultaneous execution of multiple tasks using multiple processors or cores. While parallel processing can improve performance and efficiency, it is not specifically related to securing sensitive information like biometrics and retina scans.

Correct answer

Secure enclave

Explanation

Secure enclave is a hardware-based security feature that provides a secure and isolated environment for storing and processing sensitive information. Secure enclaves are commonly used to protect biometric data, cryptographic keys, and other sensitive information from unauthorized access or tampering.

Question 6

A penetration tester uses a network tool to detect clear-text credentials. Upon investigation, the tester finds that these credentials originated from a web server on port 80. Which of the following actions is the tester most likely performing? (Choose two.)

Correct selection

Packet capture

Explanation

Packet capture is the process of capturing and analyzing data packets as they travel across a network. By using a network utility to identify credentials in clear text originating from a web server on port 80, the penetration tester is likely performing a packet capture to intercept and analyze the network traffic.

Vulnerability scan

Explanation

Vulnerability scanning is the process of identifying security vulnerabilities in a system or network. While the penetration tester may have identified credentials in clear text, the act of performing a vulnerability scan is not directly related to this specific scenario of identifying credentials from a web server on port 80.

Correct selection

Penetration test

Explanation

Penetration testing involves simulating cyber attacks to identify security weaknesses in a system or network. By using a network utility to identify credentials in clear text originating from a web server on port 80, the penetration tester is likely performing a penetration test to assess the security posture of the system.

Incident response

Explanation

Incident response is the process of responding to and managing security incidents. While the identification of credentials in clear text may be an incident, the act of performing a packet capture from a web server on port 80 is more indicative of a penetration testing activity rather than an incident response.

Bug bounty

Explanation

Bug bounty programs involve rewarding individuals for discovering and reporting security vulnerabilities in a system or network. While the penetration tester may have identified credentials in clear text, the act of performing a packet capture from a web server on port 80 is more aligned with penetration testing rather than participating in a bug bounty program.

Threat hunting

Explanation

Threat hunting is the proactive process of searching for indicators of compromise within a system or network. While the identification of credentials in clear text may be indicative of a security threat, the act of performing a packet capture from a web server on port 80 is more aligned with penetration testing activities rather than threat hunting.

Question 7

A company recently suffered a data breach that exposed individuals’ usernames. Upon reviewing the web server logs, an administrator identifies how the attacker gained access to the resource. Which type of attack MOST likely occurred?

SQL injection

Explanation

SQL injection is a type of attack that targets databases by inserting malicious SQL code into input fields. It is not related to accessing resources on a web server through directory traversal as described in the scenario.

Cross-site scripting

Explanation

Cross-site scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. It is not related to accessing resources on a web server through directory traversal as described in the scenario.

Pass the hash

Explanation

Pass the hash is a technique used to authenticate to a system using the hash of a user’s password instead of the actual password. It is not related to accessing resources on a web server through directory traversal as described in the scenario.

Correct answer

Directory traversal

Explanation

Directory traversal is an attack that allows an attacker to access files and directories outside of the web server’s root directory. In this scenario, the attacker accessed the resource by manipulating the URL to traverse directories, making this the correct choice for the type of attack that took place.

Question 8

An administrator is utilizing Microsoft Intune as a Mobile Device Management (MDM) solution to block the installation of unauthorized apps on mobile devices. Which of the following BEST describes this process?

Mobile device hardening

Explanation

Mobile device hardening typically refers to the process of securing mobile devices by implementing security measures such as encryption, password protection, and remote wipe capabilities. While blocking the installation of unauthorized apps is a security measure, it is more specifically related to application control rather than device hardening.

Application deny list

Explanation

An application deny list is a list of specific applications that are explicitly blocked or denied from being installed or run on a device. In this case, the administrator is looking to block the installation of unauthorized apps, which aligns more closely with the concept of an application deny list.

Web Application Firewall

Explanation

A Web Application Firewall (WAF) is a security solution designed to protect web applications from various types of attacks, such as SQL injection, cross-site scripting, and DDoS attacks. While a WAF is an important security tool, it is not directly related to the process of blocking the installation of unauthorized apps on mobile devices.

Correct answer

Application allow list

Explanation

An application allow list, also known as an application whitelist, is a list of approved applications that are allowed to be installed and run on a device. By utilizing Microsoft Intune to block the installation of unauthorized apps, the administrator is essentially creating an application allow list to ensure that only approved apps can be installed on the mobile devices. All applications except those authorized by the administrator are implicitly blocked.

Question 9

A hacker is conducting a scan on an organization’s subnet to identify vulnerable devices, services, and open ports. In which of the following is exploiting the discovered vulnerabilities permitted?

Zero-day

Explanation

Zero-day vulnerabilities are previously unknown vulnerabilities that have not been patched or fixed by the software vendor. Exploiting zero-day vulnerabilities without authorization is illegal and unethical, as it can lead to significant security breaches and damage to the organization’s systems.

Correct answer

Penetration test

Explanation

Penetration tests are authorized simulated attacks on a system or network to identify security vulnerabilities and assess the effectiveness of existing security measures. Exploiting vulnerabilities discovered during a penetration test is permitted within the scope of the test and with proper authorization from the organization.

Vulnerability scan

Explanation

Vulnerability scans are automated processes that identify known security weaknesses in systems, networks, and applications. Exploiting vulnerabilities discovered during a vulnerability scan without authorization is considered unauthorized access and is illegal.

Bug bounty

Explanation

Bug bounty programs are initiatives offered by organizations to incentivize security researchers and ethical hackers to responsibly disclose security vulnerabilities in exchange for monetary rewards. Exploiting vulnerabilities discovered through a bug bounty program without following the program’s guidelines and rules is not permitted and may result in disqualification from the program.

Question 10

The security team is working to recover systems after a ransomware infection that spread across the network. They are gradually bringing systems back online. Which incident response phase is the team currently in?

Eradication

Explanation

Eradication is the step in incident response where the security team identifies and removes the root cause of the security incident. This step aims to eliminate the threat actor’s access to the network and prevent further damage.

Lessons learned

Explanation

Lessons learned is the step in incident response where the security team reviews the incident, identifies what went wrong, and determines how to improve future incident response processes. It involves documenting the incident response process and implementing changes based on the lessons learned.

Correct answer

Recovery

Explanation

Recovery is the step in incident response where the security team focuses on restoring systems and data to normal operation after a security incident. This step involves bringing systems back online, ensuring data integrity, and verifying that the network is secure before resuming normal operations.

Identification

Explanation

Identification is the step in incident response where the security team detects and confirms the security incident. This step involves understanding the nature and scope of the incident, determining the affected systems, and initiating the incident response process.

Question 11

A company has recently experienced a data breach and wants a way to rapidly identify revoked certificates. Which of the following would BEST meet this requirement?

CRL

Explanation

A CRL (Certificate Revocation List) is a list of certificates that have been revoked by the certificate authority before their expiration date. While it can help identify revoked certificates, it may not be the fastest or most efficient method for rapidly identifying revoked certificates in real-time.

RA

Explanation

RA (Registration Authority) is responsible for verifying the identity of individuals requesting digital certificates and forwarding the requests to the CA (Certificate Authority) for issuance. It does not directly deal with identifying revoked certificates, so it is not the best option for rapidly identifying revoked certificates.

Correct answer

OCSP

Explanation

OCSP (Online Certificate Status Protocol) is a protocol used to check the revocation status of a digital certificate in real time. It provides a more efficient and timely way to identify revoked certificates compared to CRLs. Therefore, it is the best choice for rapidly identifying revoked certificates in this scenario.

PKI

Explanation

PKI (Public Key Infrastructure) is a framework that includes policies, processes, and technologies to manage digital certificates and public-private key pairs. While PKI is essential for managing certificates, it is not a direct solution for rapidly identifying revoked certificates.

Question 12

A user installed an app from a suspicious website on their Windows virtual machine to test its functionality. After executing the app, an attacker moves between VMs and eventually escapes the hypervisor, gaining remote code execution (RCE) on the host system. Which of the following BEST describes the attack method used by the hacker?

Malware outbreak

Explanation

A malware outbreak refers to the rapid spread of malicious software across multiple systems. While the scenario involves the installation of a suspicious app, the issue here is not a widespread outbreak of malware, but rather a targeted attack on the virtual machines.

Insufficient hash integrity check

Explanation

Insufficient hash integrity check typically refers to a security measure that validates the integrity of files by comparing their hash values. While this is an important security practice, it is not directly related to how the attacker escaped the VMs in this scenario.

Lack of firewall rules

Explanation

Lack of firewall rules could potentially allow unauthorized network traffic to pass through, but in this scenario, the attacker’s method of escaping the VMs and gaining RCE on the host computer is more likely related to a different security vulnerability.

Correct answer

Unpatched systems

Explanation

Unpatched systems are vulnerable to known security flaws that attackers can exploit to gain unauthorized access. In this case, the attacker likely exploited a vulnerability in the virtualization software or the host operating system due to unpatched systems, allowing them to escape the VMs and execute remote code on the host computer.

Question 13

A Security Operations Center (SOC) is monitoring a system within the network and receives the below notification from Windows Defender. Which of the following BEST describes the actions taken by the system and the identified threat? (Choose three.)

Sandboxing

Explanation

Sandboxing is a security mechanism that isolates applications from critical system resources and other applications. While sandboxing can be used to contain and analyze potentially malicious code, in this scenario, the threat was already identified as a Trojan and quarantined, not sandboxed.

Correct selection

Malicious code

Explanation

The term "Malicious code" refers to any code designed to cause harm or exploit vulnerabilities in a system. In this case, the threat detected by Windows Defender is identified as a Trojan, which falls under the category of malicious code.

Zero-day

Explanation

Zero-day refers to a vulnerability that is unknown to the software vendor or the public. In this scenario, the threat detected is not related to a zero-day vulnerability, but rather a specific type of known malware known as a Trojan.

Correct selection

Quarantine

Explanation

Quarantine is the action taken by security software to isolate and contain a detected threat to prevent it from causing harm to the system. In this case, the Windows Defender notification indicates that the identified threat, a Trojan, has been successfully quarantined.

Correct selection

Trojan

Explanation

A Trojan is a type of malware that disguises itself as a legitimate file or program to trick users into downloading and executing it. The threat detected by Windows Defender is specifically identified as a Trojan, named Trojan:Win32/Wacatac.B!ml.

Virus

Explanation

A virus is a type of malware that can replicate itself and spread to other files or systems. While viruses are a common type of malware, the threat detected in this scenario is specifically identified as a Trojan, not a virus.

Question 14

A company wants to enhance the availability of its most critical cloud-based applications and ensure that multiple servers are able to absorb DDoS attacks and remain online. Which of the following BEST describes the technology to achieve this?

Implementing an intrusion prevention system

Explanation

Implementing an intrusion prevention system (IPS) is focused on identifying and blocking malicious activities within the network. While an IPS can help with security measures, it does not directly address the need for enhancing availability and distributing traffic across multiple servers to absorb DDoS attacks.

Installing a web application firewall

Explanation

Installing a web application firewall (WAF) is designed to protect web applications from various attacks, such as SQL injection and cross-site scripting. While a WAF can enhance security for cloud-based applications, it does not specifically address the need for load balancing to improve availability and absorb DDoS attacks.

Correct answer

Deploying a load balancer

Explanation

Deploying a load balancer is the best option for enhancing availability of critical cloud-based applications and ensuring that multiple servers can absorb DDoS attacks. A load balancer distributes incoming traffic across multiple servers, helping to prevent server overload and ensuring that applications remain online even during high traffic or attack scenarios.

Secure access service edge

Explanation

Secure access service edge (SASE) is a security framework that combines network security functions with wide-area networking capabilities. While SASE can provide security for cloud-based applications, it does not directly address the need for load balancing to improve availability and absorb DDoS attacks.

Question 15

A company allows employees to bring their devices to work. Which of the following security considerations is MOST important when implementing BYOD programs?

Standardizing on a single mobile device operating system

Explanation

Standardizing on a single mobile device operating system may help simplify management and security measures, but it is not the most important consideration for BYOD programs. It may limit employee choice and flexibility, which can impact productivity and user satisfaction.

Correct answer

Implementing mobile device management (MDM) to enforce security policies

Explanation

Implementing mobile device management (MDM) to enforce security policies is the most important consideration for BYOD programs. MDM solutions allow organizations to remotely manage and secure employee-owned devices by enforcing security policies, monitoring device usage, and remotely wiping data if necessary.

Requiring employees to use strong passwords for their personal devices

Explanation

Requiring employees to use strong passwords for their personal devices is a good security practice, but it is not the most important consideration for BYOD programs. Strong passwords are just one aspect of overall device security, and MDM solutions can provide more comprehensive security measures.

Providing company-issued mobile devices to all employees

Explanation

Providing company-issued mobile devices to all employees may seem like a secure option, but it is not the most important consideration for BYOD programs. BYOD programs aim to allow employees to use their own devices for work, and providing company-issued devices may not be cost-effective or practical for all organizations.

Question 16

A company is deploying a flexible, versatile system. Which type of device would be most effective for inspecting and filtering traffic at the application layer?

Unified threat management

Explanation

Unified threat management (UTM) devices are all-in-one security appliances that typically combine features such as firewall, antivirus, intrusion detection, and content filtering. While they provide comprehensive security capabilities, they may not be as effective at inspecting and filtering traffic at the application layer compared to other specialized devices.

Intrusion prevention system

Explanation

Intrusion prevention systems (IPS) are designed to monitor network traffic for malicious activity and take action to prevent potential threats. While they are effective at detecting and blocking suspicious behavior, they may not have the same level of granularity and control over application-layer traffic as other devices specifically designed for that purpose.

Correct answer

Next-generation firewall

Explanation

Next-generation firewalls (NGFW) are advanced security devices that can inspect and filter traffic at the application layer based on application-specific rules and policies. They offer more granular control over network traffic, allowing for better protection against application-layer threats and vulnerabilities.

Web application firewall

Explanation

Web application firewalls (WAF) are specifically designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. While they are effective at securing web applications, they may not provide the same level of comprehensive protection for all types of application-layer traffic as a next-generation firewall (NGFW) would.

Question 17

An organization has alerted the incident response team after discovering a worm that has infected several systems and is spreading uncontrollably. Which phase of the incident response process is currently underway?

Identification

Explanation

The Identification phase involves recognizing and confirming the presence of an incident. In this scenario, the organization has already identified the worm infection and alerted the incident response team, so this phase has been completed.

Eradication

Explanation

The Eradication phase focuses on removing the root cause of the incident and preventing it from spreading further. In this case, the organization is still in the process of containing the worm, so the Eradication phase has not yet begun.

Recovery

Explanation

The Recovery phase involves restoring affected systems to normal operation after an incident. Since the organization is still actively dealing with the worm infection and preventing its spread, the Recovery phase has not yet started.

Correct answer

Containment

Explanation

The Containment phase aims to prevent the incident from spreading further and causing more damage. In this scenario, the incident response team is working to contain the worm infection and stop its uncontrollable spread, making the Containment phase the current focus of the incident response process.

Question 18

A security team is investigating a possible security incident on a server and has detected unusual outbound network traffic. Which of the following tools would be MOST effective in analyzing the network traffic for signs of malicious activity? (Choose two.)

Vulnerability scanner

Explanation

A vulnerability scanner is used to identify weaknesses in a system or network that could be exploited by attackers. While it can help in identifying potential security vulnerabilities, it is not the most helpful tool for analyzing network traffic for malicious activity.

Correct selection

NetFlow

Explanation

NetFlow is a network protocol that collects and monitors network traffic data. It can provide valuable insights into the flow of traffic, including source and destination IP addresses, ports, protocols, and more. Analyzing NetFlow data can help in identifying suspicious outbound network traffic and potential malicious activity.

Data loss prevention solution

Explanation

Data loss prevention (DLP) solutions are designed to prevent unauthorized access and exfiltration of sensitive data. While important for protecting data, DLP solutions are not specifically designed for analyzing network traffic for malicious activity.

SCAP

Explanation

SCAP (Security Content Automation Protocol) is a set of standards for automating vulnerability management, measurement, and policy compliance evaluation. It is not primarily used for analyzing network traffic for malicious activity.

Dark web

Explanation

The dark web is a part of the internet that is not indexed by traditional search engines and is often associated with illegal activities. While monitoring the dark web can provide intelligence on potential threats, it is not a tool for analyzing network traffic for malicious activity.

Correct selection

Packet capture tool

Explanation

A packet capture tool, such as Wireshark, is essential for capturing and analyzing network traffic in real time. It allows security teams to inspect individual packets, identify suspicious patterns, and detect potential malicious activity on the network. This tool is crucial for investigating security incidents related to network traffic.

Question 19

An employee within an organization has been covertly collecting information for several months. The employee received an email from a ransomware group offering a large sum of money in exchange for gathering specific details. Which of the following best describes this threat?

Unskilled attacker

Explanation

An unskilled attacker typically lacks the knowledge and expertise to carry out sophisticated attacks such as covertly collecting information over an extended period of time within an organization. This choice does not accurately describe the situation presented in the question.

Correct answer

Insider threat

Explanation

An insider threat refers to a current or former employee, contractor, or business partner who has access to an organization’s internal systems and data and poses a security risk. In this scenario, the employee who has been covertly collecting information and receives an email from a ransomware group fits the definition of an insider threat.

APT

Explanation

Advanced Persistent Threat (APT) actors are typically nation-state sponsored groups or highly skilled cybercriminals who conduct prolonged and targeted attacks against specific organizations. While the situation described in the question involves a prolonged collection of information, the involvement of a ransomware group offering money does not align with the typical motives of APT actors.

Organized crime

Explanation

Organized crime groups often engage in cybercriminal activities such as ransomware attacks, data theft, and extortion for financial gain. While the ransomware group mentioned in the email could be associated with organized crime, the key aspect of this situation is the insider threat posed by the employee within the organization.

Question 20 (Skipped)

An attacker has breached physical security measures and set up an evil twin access point. The attacker is using a packet capture tool to intercept and analyze raw data packets on the network. Which of the following attacks is MOST likely taking place?

Rogue access point

Explanation

A rogue access point is a wireless access point that has been installed on a secure network without authorization. While this could be a potential threat in this scenario, the attacker has intentionally set up an evil twin access point, which is a specific type of rogue access point used for malicious purposes.

Tailgating

Explanation

Tailgating is a physical security breach where an unauthorized person follows an authorized individual into a secure area. While physical security measures have been breached in this scenario, the attacker is using a packet capture tool to intercept and analyze raw data packets on the network, indicating a different type of attack is taking place. The exact technique used to breach the area was not mentioned in the question.

Bluesnarfing

Explanation

Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection. While this could be a potential threat in certain scenarios, the attacker in this situation is using a packet capture tool to intercept and analyze raw data packets on the network, suggesting a different type of attack is occurring.

Correct answer

On-path

Explanation

The on-path attack involves an attacker intercepting and analyzing network traffic by placing themselves in the communication path between two parties. In this scenario, the attacker has set up an evil twin access point and is using a packet capture tool to intercept and analyze raw data packets on the network, indicating that an on-path attack is the most likely type of attack taking place.

Question 21 (Skipped)

An organization is configuring user accounts in batches using automation. Which principle of least privilege is MOST important to consider when creating new accounts?

Grant users access to all resources they might need

Explanation

Granting users access to all resources they might need goes against the principle of least privilege. This principle states that users should only have access to the minimum level of permissions required to perform their job function, reducing the risk of unauthorized access or misuse of resources.

Correct answer

Assign users the minimum level of permissions required for their job function

Explanation

Assigning users the minimum level of permissions required for their job function is the most important aspect of the principle of least privilege. This ensures that users only have access to the resources necessary to perform their specific tasks, limiting the potential damage that could occur in case of a security breach.

Allow users to share their credentials with colleagues

Explanation

Allowing users to share their credentials with colleagues violates the principle of least privilege. Each user should have their own unique credentials and access permissions based on their individual job roles and responsibilities to maintain security and accountability.

Regularly review and update user access privileges

Explanation

Regularly reviewing and updating user access privileges is important for maintaining the principle of least privilege over time. This helps ensure that users continue to have only the necessary level of access required for their job function, reducing the risk of unauthorized access as job roles and responsibilities change.

Question 22 (Skipped)

A web application developer is focused on securing user-submitted data in web forms. Which security control would be the most effective in preventing SQL injection attacks during the development of the application?

Firewalls

Explanation

Firewalls are network security devices that monitor and control incoming and outgoing network traffic based on predetermined security rules. While firewalls are essential for protecting network infrastructure, they are not specifically designed to prevent SQL injection attacks in web applications.

Correct answer

Input validation

Explanation

Input validation is the most effective security control for preventing SQL injection attacks during the development of web applications. By validating and sanitizing user input, developers can ensure that malicious SQL queries are not executed on the database. This control helps to mitigate the risk of SQL injection vulnerabilities in the application.

Data encryption

Explanation

Data encryption is a security control that protects data by converting it into a code that can only be read with the correct decryption key. While data encryption is important for protecting sensitive information, it does not directly prevent SQL injection attacks in web applications.

Intrusion detection systems

Explanation

Intrusion detection systems (IDS) are security tools that monitor network or system activities for malicious activities or policy violations. While IDS can help detect and respond to security incidents, they are not specifically designed to prevent SQL injection attacks in web applications during the development phase.

Question 23 (Skipped)

A security analyst is investigating multiple failed login attempts on a critical server. The attacker knows some valid usernames but is unable to guess the passwords. Which security controls would be MOST effective in preventing this brute-force attack? (Choose two.)

Enforcing just-in-time permissions on the server

Explanation

Enforcing just-in-time (JIT) permissions on the server can help in limiting the exposure of permissions by providing temporary access only when needed. However, it may not directly prevent brute-force attacks as it focuses more on access control and privilege management.

Correct selection

Implementing multi-factor authentication (MFA)

Explanation

Implementing multi-factor authentication (MFA) is an effective security control in preventing brute-force attacks. By requiring users to provide multiple forms of verification, such as a password and a one-time code sent to their phone, it significantly increases the security of the authentication process.

Correct selection

Locking accounts after a set number of failed login attempts

Explanation

Locking accounts after a set number of failed login attempts is a crucial security control to prevent brute-force attacks. By locking out an account after multiple unsuccessful login attempts, it can thwart automated password guessing attempts by attackers.

Deploying an IPS on the server to detect login attempt attacks

Explanation

Deploying an IPS on the server to detect login attempt attacks can help in identifying and blocking malicious login attempts. However, while it can provide additional visibility into potential attacks, it may not be as effective as implementing measures like MFA or account lockouts in preventing brute-force attacks.

Question 24 (Skipped)

An organization evaluates its risk posture by identifying all critical regulations. Customer data is stored across multiple continents. Which types of data are influenced by regulations? (Choose two.)

Correct selection

PII

Explanation

Personally Identifiable Information (PII) is data that can be used to identify or contact an individual. It is often subject to regulations such as GDPR, HIPAA, and CCPA, making it a critical data type affected by regulations when stored globally.

PCI

Explanation

Payment Card Industry (PCI) data includes credit card information and is subject to regulations such as PCI DSS. Storing PCI data across different continents requires compliance with various data protection laws and regulations.

Correct selection

PHI

Explanation

Protected Health Information (PHI) includes medical records, treatment information, and other health-related data. PHI is regulated by laws such as HIPAA in the United States, making it a critical data type affected by regulations when stored globally.

OSINT

Explanation

Open Source Intelligence (OSINT) refers to publicly available information that can be used for intelligence purposes. While important for security assessments, OSINT is not typically subject to the same regulations as PII, PCI, or PHI data.

IP

Explanation

Intellectual Property (IP) refers to creations of the mind, such as inventions, literary and artistic works, designs, and symbols. While valuable to an organization, IP is not typically subject to the same data protection regulations as PII, PCI, or PHI data.

Question 25 (Skipped)

A user recently restored a keygen for a video-editing program that was quarantined by Windows Defender, hoping it was a false positive. A few days after running the keygen, the user received an email from their ISP stating the device’s IP address and the type of malware infection, and warning that leaving the malware unchecked violates their internet usage policy. What type of malware was likely installed?

Correct answer

Botnet DDoS

Explanation

Botnet DDoS malware is likely installed because the user’s device is being used as part of a botnet to launch distributed denial-of-service attacks. Running the keygen may have installed this malware on the user’s device, causing it to participate in malicious activities without the user’s knowledge.

On-path

Explanation

On-path malware typically intercepts and modifies network traffic, but it does not usually result in the user receiving warnings from their ISP about malware infections. The behavior described in the scenario is more indicative of a different type of malware.

Virus

Explanation

While viruses can cause significant harm to a system, they do not typically result in the user’s device being flagged by the ISP for malware infection. The warning received by the user indicates a more severe form of malware, making a generic virus less likely in this situation.

Phishing

Explanation

Phishing attacks involve tricking users into providing sensitive information, such as passwords or credit card details, but they do not typically result in the installation of malware on the user’s device. The warning from the ISP suggests that the user’s device is actively involved in malicious activities, making phishing less likely as the type of malware installed.

Question 26 (Skipped)

A system administrator is using an IMAP email client, storing emails on the server. They need a method to specify which mail servers are permitted to send emails on their behalf. Which of the following technologies would BEST meet this requirement?

DMARC

Explanation

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a technology used to prevent email spoofing and phishing attacks by providing a way for email senders to specify how their messages should be handled if they fail authentication checks. While DMARC is important for email security, it is not specifically designed to specify which mail servers are permitted to send emails on behalf of a domain.

DKIM

Explanation

DKIM (DomainKeys Identified Mail) is a technology used to verify the authenticity of email messages by adding a digital signature to the message header. While DKIM helps prevent email spoofing and ensures message integrity, it does not specifically address the requirement of specifying which mail servers are permitted to send emails on behalf of a domain.

Correct answer

SPF

Explanation

SPF (Sender Policy Framework) is a technology used to prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on behalf of their domain. SPF records are published in the domain’s DNS settings and help email servers verify the authenticity of incoming messages. This technology aligns with the system administrator’s requirement to specify permitted mail servers.

SELinux

Explanation

SELinux (Security-Enhanced Linux) is a security feature in Linux operating systems that provides mandatory access control policies. While SELinux is important for securing the operating system, it is not directly related to specifying which mail servers are permitted to send emails on behalf of a domain in an email client using IMAP.

Question 27 (Skipped)

A security team is performing a tabletop exercise to simulate a ransomware attack. Which of the following BEST describes the purpose of a tabletop exercise?

Testing the effectiveness of the company’s security tools

Explanation

Testing the effectiveness of the company’s security tools is not the primary purpose of a tabletop exercise. While the exercise may reveal weaknesses in security tools, the main focus is on preparedness, communication, and response strategies during a simulated incident.

Identifying and patching vulnerabilities in the network

Explanation

Identifying and patching vulnerabilities in the network is not the main goal of a tabletop exercise. While vulnerabilities may be identified during the exercise, the primary purpose is to assess and improve the organization’s incident response procedures and communication strategies.

Correct answer

Assessing the communication and coordination during an incident

Explanation

Assessing the communication and coordination during an incident is the main purpose of a tabletop exercise. It allows the security team to practice how they would respond to a real-life ransomware attack, test communication channels, and evaluate the effectiveness of coordination between different teams within the organization.

Training employees on how to use specific security software

Explanation

Training employees on how to use specific security software is not the primary objective of a tabletop exercise. While employees may gain familiarity with security tools during the exercise, the main focus is on testing incident response procedures and enhancing overall preparedness for cybersecurity incidents.

Question 28 (Skipped)

IT technicians at a hardware company are implementing the change management process and are creating a plan to roll back updates in case of compatibility issues. Which of the following BEST describes this step?

Approval process

Explanation

The approval process refers to the step where changes are reviewed and authorized before implementation. It does not specifically address the plan to roll back updates in case of compatibility issues.

Maintenance window

Explanation

The maintenance window is the designated time frame during which system updates or changes are implemented. While it is important for scheduling changes, it does not specifically address the plan to roll back updates in case of compatibility issues.

Correct answer

Backout plan

Explanation

The backout plan is the correct choice as it refers to the strategy or procedure put in place to revert changes or updates in case of issues or failures. It is crucial for ensuring system stability and minimizing downtime.

Impact analysis

Explanation

Impact analysis involves assessing the potential effects or consequences of a proposed change on the system or organization. While important for understanding the implications of changes, it does not specifically address the plan to roll back updates in case of compatibility issues.

Question 29 (Skipped)

A security administrator wants to implement a device that can proactively block web-based attacks in real-time. Which of the following should the administrator implement to accomplish this goal?

Host-based firewall

Explanation

A host-based firewall is designed to protect a single device or host from unauthorized access and malicious activity. While it can help enhance the security of the device itself, it is not specifically designed to proactively block web-based attacks in real-time.

SWG

Explanation

SWG (Secure Web Gateway) is a security solution that filters and monitors web traffic to protect users from internet threats. While SWGs are effective in filtering web content and protecting against web-based threats, they are not specifically designed to proactively block web-based attacks in real-time.

UTM

Explanation

UTM (Unified Threat Management) is a comprehensive security solution that combines multiple security features such as firewall, intrusion detection/prevention, antivirus, and content filtering. While UTMs offer a wide range of security capabilities, they may not be specifically tailored to proactively block web-based attacks in real-time.

Correct answer

WAF

Explanation

WAF (Web Application Firewall) is specifically designed to protect web applications from a variety of attacks, including SQL injection, cross-site scripting (XSS), and other web-based threats. A WAF can proactively block web-based attacks in real-time by inspecting and filtering HTTP traffic to and from a web application.

Question 30 (Skipped)

An authorized hacker is targeting a company website and enters the following URL into the search bar: companywebsitename.com../../../../../../../etc/shadow. Which type of attack is being carried out?

DLL injection

Explanation

DLL injection involves inserting malicious code into a Dynamic Link Library (DLL) to execute arbitrary code in the context of another process. It is not related to the URL manipulation seen in the given scenario.

Pass the hash

Explanation

Pass the hash is a technique used to authenticate to a remote server or service by using the hash of the user’s password instead of the actual password. It is not related to the URL manipulation seen in the given scenario.

SQL injection

Explanation

SQL injection is a type of attack that allows an attacker to execute malicious SQL statements to control a database server. It is not related to the URL manipulation seen in the given scenario.

Correct answer

Directory traversal

Explanation

Directory traversal, also known as path traversal, is a web security vulnerability that allows an attacker to access files and directories that are outside the web root directory. In the given scenario, the attacker is attempting to navigate to sensitive system files by manipulating the URL with excessive "../" sequences. This behavior indicates a directory traversal attack.

Question 31 (Skipped)

An organization is monitoring its Internet-facing IoT devices. Shortly after, an attacker compromised the company’s systems and obtained administrator access to a webpage. Which vulnerability was MOST likely exploited to carry out the attack?

Vulnerable software

Explanation

Vulnerable software could be a potential attack vector for an attacker to exploit, but in this scenario, the attacker obtained administrator access to a webpage. This indicates that the attack was more likely carried out through a different vulnerability.

Correct answer

Default credentials

Explanation

Default credentials are a common security issue in many systems, especially IoT devices. If the attacker was able to compromise the company’s systems and obtain administrator access to a webpage, it is highly likely that default credentials were exploited to carry out the attack.

Open service ports

Explanation

Open service ports could also be a potential attack vector for an attacker, but in this scenario, the attacker obtained administrator access to a webpage. While open service ports can be exploited for attacks, the given scenario points more towards default credentials being the vulnerability exploited.

Supply chain

Explanation

Supply chain attacks involve compromising the software supply chain to introduce malicious code into the organization’s systems. While this is a valid concern for security, the scenario described in the question, where the attacker obtained administrator access to a webpage, is more indicative of default credentials being the vulnerability exploited.

Question 32 (Skipped)

A security analyst examines firewall logs and notices an unusual increase in failed login attempts from a particular IP address. Which action would be the MOST appropriate response in this situation?

Ignore the failed login attempts as they were unsuccessful.

Explanation

Ignoring the failed login attempts, even if they were unsuccessful, is not a recommended course of action. It is important to investigate and take preventive measures to mitigate potential security risks.

Correct answer

Block the IP address at the firewall to prevent further attempts.

Explanation

Blocking the IP address at the firewall is the most appropriate action in this scenario. By blocking the source of the unusual spike in failed login attempts, the security analyst can prevent further unauthorized access attempts from that specific IP address.

Reset the passwords for all user accounts on the network.

Explanation

Resetting the passwords for all user accounts on the network may be an excessive and unnecessary response to the identified spike in failed login attempts from a specific IP address. It is more effective to target the specific source of the suspicious activity.

Send a warning email to the owner of the IP address.

Explanation

Sending a warning email to the owner of the IP address may not be sufficient to address the security issue at hand. Blocking the IP address at the firewall would be a more proactive and effective measure to prevent further unauthorized access attempts.

Question 33 (Skipped)

A user accidentally downloaded a suspicious file from an unknown email attachment onto their device. Which of the following would be MOST critical in preventing a malware infection in this scenario?

Data loss prevention

Explanation

Data loss prevention focuses on protecting sensitive data from unauthorized access, exfiltration, or deletion. While important for overall security, it may not directly prevent malware infections caused by downloading suspicious files.

Correct answer

Application allow list

Explanation

An application allow list is the most important functionality for preventing malware infections on user devices. By allowing only approved applications to run and blocking all others, application allow listing can effectively prevent the execution of malicious software and unauthorized applications.

Host-based intrusion prevention system

Explanation

Host-based intrusion prevention systems monitor and analyze network traffic for signs of malicious activity or known threats. While they can help detect and prevent malware infections, they may not be as effective in preventing the initial execution of a suspicious file downloaded by a user.

Web filtering

Explanation

Web filtering controls and restricts access to websites based on predefined criteria. While it can help prevent users from accessing known malicious websites and downloading harmful files, it may not be as effective in preventing malware infections from files that have already been downloaded onto the device.

Question 34 (Skipped)

A company adopts a network segmentation strategy using Virtual Local Area Networks. What advantages do VLANs provide over traditional flat networks?

Increased network bandwidth for all devices

Explanation

VLANs do not inherently increase network bandwidth for all devices. While they can help segregate network traffic and improve network performance in specific scenarios, their primary benefit is not related to increasing network bandwidth for all devices.

Correct answer

Improved broadcast control and traffic isolation

Explanation

VLANs offer improved broadcast control and traffic isolation compared to traditional flat networks. By segmenting the network into separate VLANs, broadcast traffic is contained within each VLAN, reducing the overall network congestion and improving network performance. Additionally, VLANs provide traffic isolation, ensuring that data flows only between devices within the same VLAN, enhancing network security.

Simplified network management

Explanation

While VLANs can help organize and segment network traffic, they do not necessarily simplify network management. In fact, managing VLAN configurations, ensuring proper VLAN tagging, and troubleshooting VLAN-related issues can add complexity to network management tasks. Therefore, VLANs may not offer a simplified network management experience compared to traditional flat networks.

Enhanced encryption for data in transit

Explanation

VLANs do not directly enhance encryption for data in transit. While VLANs can help segregate and isolate network traffic, they do not provide encryption mechanisms for data transmission between devices within the same VLAN. Encryption for data in transit typically requires additional security measures such as VPNs, SSL/TLS protocols, or other encryption technologies.

Question 35 (Skipped)

A digital forensics investigator analyzes hidden details within photos on a mobile device to determine when the photo was taken, the operating system used, and other technical data. Which of the following technologies is being described?

Log file

Explanation

Log files are records of events that occur within an operating system, application, or device. They typically contain information about system activities, errors, and user actions, but they do not store details about when a photo was taken or the technical data related to the photo.

Correct answer

Metadata

Explanation

Metadata is data that provides information about other data. In the context of digital photos, metadata includes details such as the date and time the photo was taken, the camera settings used, the location where the photo was taken, and other technical information. This makes metadata a crucial source of information for digital forensics investigators analyzing photos on a mobile device.

Honeyfile

Explanation

Honeyfiles are decoy files or systems designed to attract and deceive attackers, allowing organizations to monitor and analyze their behavior. While honeyfiles can be used in cybersecurity defense strategies, they are not directly related to the analysis of hidden details within photos on a mobile device to determine technical data such as the operating system used or the date the photo was taken.

Geolocation

Explanation

Geolocation refers to the process of identifying the geographic location of a device or user. While geolocation data can be embedded in the metadata of a photo to indicate where the photo was taken, it does not encompass all the technical details that a digital forensics investigator would analyze when examining hidden details within photos on a mobile device.

Question 36 (Skipped)

A cybersecurity company is seeking a backup solution to ensure data accessibility in the event of a natural disaster. Which of the following options would BEST enable users to access data from any location?

Geographical dispersion

Explanation

Geographical dispersion involves spreading data across multiple physical locations to ensure redundancy and availability in case of a natural disaster. While this can help with data accessibility, it may not be the best option for ensuring access regardless of a user’s location.

Hot site

Explanation

A hot site is a fully equipped data center that can be activated in a short period of time to resume operations after a disaster. While it can provide high availability, it may not be the best option for ensuring data accessibility regardless of a user’s location.

Correct answer

Cloud

Explanation

Cloud storage allows data to be stored and accessed over the internet from anywhere, providing seamless access regardless of the user’s location. This option is the best choice for ensuring data accessibility in the case of a natural disaster.

NAS

Explanation

Network-Attached Storage (NAS) is a storage device connected to a network that allows multiple users and devices to access data. While NAS can provide centralized storage, it may not be the best option for ensuring data accessibility regardless of a user’s location in the event of a natural disaster.

Question 37 (Skipped)

A company is evaluating a Mobile Device Management (MDM) solution. Which of the following features represents the MOST significant advantage of MDM in an organization?

Enforcing strong password policies for mobile devices

Explanation

Enforcing strong password policies for mobile devices is an important security measure, but it may not be the most significant advantage of MDM. While strong passwords enhance device security, the ability to remotely wipe lost or stolen devices is a more critical feature in protecting sensitive data in case of device loss or theft. Strong passwords can be set on mobile devices without requiring additional software such as an MDM.

Correct answer

Remotely wiping lost or stolen devices to protect sensitive data

Explanation

Remotely wiping lost or stolen devices to protect sensitive data is the most significant advantage of MDM in an organization. This feature ensures that if a mobile device is lost or stolen, sensitive data can be securely erased to prevent unauthorized access, minimizing the risk of data breaches and maintaining data security.

Enabling employees to download productivity applications from a corporate app store

Explanation

Enabling employees to download productivity applications from a corporate app store is a useful feature for managing application access and ensuring compliance with organizational policies. However, it may not be the most significant advantage of MDM compared to the ability to remotely wipe lost or stolen devices to protect sensitive data.

Providing a centralized location for software updates and patches for mobile devices

Explanation

Providing a centralized location for software updates and patches for mobile devices is essential for maintaining device security and ensuring that devices are up to date with the latest security patches. While this feature is important for overall device security, it may not be as significant as the ability to remotely wipe lost or stolen devices to protect sensitive data.

Question 38 (Skipped)

A company is targeted by a phishing campaign where emails appear to be from a legitimate source, such as the IT department. Which type of social engineering attack is this MOST likely to be?

Smishing

Explanation

Smishing is a type of social engineering attack that involves using SMS or text messages to deceive individuals into providing sensitive information. Since the scenario in the question involves emails, smishing is not the most likely type of attack in this case.

Correct answer

Pretexting

Explanation

Pretexting is a social engineering attack where the attacker creates a fabricated scenario to gain the trust of the target and extract sensitive information. In the given scenario where emails appear to be from a legitimate source like the IT department, pretexting is the most likely type of attack.

Baiting

Explanation

Baiting is a social engineering attack that involves offering something enticing to the target to trick them into providing sensitive information. While baiting can be used in phishing campaigns, the scenario in the question specifically mentions emails from a legitimate source, making pretexting a more likely type of attack.

Tailgating

Explanation

Tailgating is a physical security breach where an unauthorized person follows an authorized individual into a restricted area. Since the scenario in the question involves emails and not physical access, tailgating is not the most likely type of attack in this case.

Question 39 (Skipped)

An administrator is introducing randomization to hashed passwords to ensure that identical inputs yield unique outputs. Which of the following BEST describes this process?

Correct answer

Salting

Explanation

Salting is the process of adding random data to hashed passwords before storing them in a database. This randomization ensures that even identical passwords will have unique hash values, making it more difficult for attackers to use precomputed hash tables or rainbow tables to crack passwords.

Hashing

Explanation

Hashing is the process of converting plain text passwords into a fixed-length string of characters using a mathematical algorithm. While hashing is an essential part of password security, it does not inherently include the concept of salting to prevent identical inputs from yielding the same output.

Key stretching

Explanation

Key stretching is a technique used to increase the computational cost of generating a key from a password. It involves repeatedly applying a cryptographic hash function to the password, making it more time-consuming for attackers to brute force the password. While key stretching enhances password security, it is not directly related to the concept of salting for randomization.

IPSec

Explanation

IPSec (Internet Protocol Security) is a set of protocols used to secure internet communications by authenticating and encrypting data packets. While IPSec is crucial for network security, it is not directly related to the process of salting passwords to introduce randomization and prevent identical inputs from producing the same output.
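The difference between plain hashing, salting and key stretching described above, as an added example that is not part of the practice exam. It uses only the Python standard library; the iteration count and the `pbkdf2_sha256$iterations$salt$digest` record format are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Added example: the same password stored three ways, to show what salting
# and key stretching each contribute. Work factor is an assumed demo value.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Plain hash: identical passwords give identical digests (rainbow-table friendly)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def new_salt(length: int = 16) -> bytes:
    """Random per-user salt from the OS CSPRNG."""
    return os.urandom(length)


def salted_hash(password: str, salt: bytes) -> str:
    """Salt mixed in before hashing: identical passwords give different digests."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def stretched_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salting plus key stretching: PBKDF2 repeats HMAC-SHA256 `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> str:
    """Build a storable record (assumed format) carrying algorithm, iterations and salt."""
    salt = new_salt()
    digest = stretched_hash(password, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = stretched_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Two users who chose the same password; returns what each scheme reveals."""
    pw = "correct horse battery staple"  # constructed sample password
    plain_a, plain_b = unsalted_hash(pw), unsalted_hash(pw)
    salted_a, salted_b = salted_hash(pw, new_salt()), salted_hash(pw, new_salt())
    record_a, record_b = store_password(pw), store_password(pw)
    return {
        "unsalted_identical": plain_a == plain_b,        # True: same input, same digest
        "salted_identical": salted_a == salted_b,         # False: salts differ
        "stretched_identical": record_a == record_b,      # False: salts differ here too
        "verify_ok": verify_password(pw, record_a),       # True
        "verify_wrong": verify_password("wrong", record_a),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```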

Question 40Skipped

A bug bounty hunter is practicing their skills on the HackerOne platform. They are provided with a list of permitted attacks. Which of the following BEST describes the purpose of a bug bounty program?

Correct answer

Identifying and reporting vulnerabilities through responsible disclosure

Explanation

A bug bounty program is primarily designed to encourage ethical hackers to identify and report vulnerabilities in an organization’s systems through responsible disclosure. This helps the organization identify and fix security issues before they can be exploited by malicious actors.

Conducting penetration testing on an organization’s systems

Explanation

Conducting penetration testing on an organization’s systems is a separate activity from a bug bounty program. While both involve testing for vulnerabilities, a bug bounty program specifically relies on external researchers to identify and report issues.

Providing vulnerability remediation services

Explanation

Providing vulnerability remediation services is not the primary purpose of a bug bounty program. The main goal of a bug bounty program is to crowdsource security testing and incentivize researchers to find and report vulnerabilities.

Implementing security awareness training for employees

Explanation

Implementing security awareness training for employees is important for overall security posture, but it is not the primary purpose of a bug bounty program. Bug bounty programs focus on leveraging external expertise to identify and report vulnerabilities in systems.

Question 41Skipped

A company relies on a cloud-based storage solution to store sensitive financial data. Which security control is MOST critical to ensure the safe storage of this information in case of a breach?

Data masking to hide specific data elements

Explanation

Data masking is a technique used to hide specific data elements within a dataset. While it can help protect sensitive information from unauthorized access, it is not the most critical security control for ensuring the safe storage of sensitive financial data in case of a breach.

User access controls to restrict who can access the data

Explanation

User access controls are essential for restricting who can access sensitive financial data stored in a cloud-based storage solution. While user access controls play a crucial role in data security, they are not the most critical security control for ensuring the safe storage of this information in case of a breach.

Regular backups to ensure data recovery in case of a disaster

Explanation

Regular backups are important for ensuring data recovery in case of a disaster or data loss. While backups are a key component of a comprehensive data protection strategy, they are not the most critical security control for ensuring the safe storage of sensitive financial data in case of a breach.

Correct answer

Encryption to scramble the data at rest

Explanation

Encryption is the most critical security control for ensuring the safe storage of sensitive financial data in case of a breach. Encryption scrambles the data at rest, making it unreadable without the appropriate decryption key. This helps protect the data from unauthorized access and ensures that even if the data is breached, it remains secure and confidential.

Question 42Skipped

A company implements a security architecture that utilizes a layered approach. Which of the following security controls represents the outermost layer of defense in a typical network security model?

Intrusion detection and prevention systems

Explanation

Intrusion detection and prevention systems are typically placed within the network to monitor and analyze traffic for signs of malicious activity. While important for detecting and preventing intrusions, they are not considered the outermost layer of defense in a typical network security model.

Correct answer

Firewalls

Explanation

Firewalls are considered the outermost layer of defense in a typical network security model. They act as a barrier between a trusted internal network and untrusted external networks, controlling incoming and outgoing traffic based on a set of security rules.

Data loss prevention

Explanation

Data loss prevention (DLP) solutions are designed to prevent unauthorized access and transmission of sensitive data. While important for protecting data, they are not typically considered the outermost layer of defense in a network security model.

Endpoint security software

Explanation

Endpoint security software is designed to protect individual devices, such as laptops, desktops, and mobile devices, from security threats. While important for securing endpoints, it is not typically considered the outermost layer of defense in a network security model.

Question 43Skipped

A security team is deploying a Data Loss Prevention solution to protect sensitive information from being exfiltrated. Which DLP feature would be MOST effective in detecting attempts to send sensitive data through email attachments?

Correct answer

Content inspection based on keywords or data patterns

Explanation

Content inspection based on keywords or data patterns is the most effective DLP feature for detecting attempts to send sensitive data through email attachments. By scanning the content of email attachments for specific keywords or patterns that match sensitive information, the DLP solution can accurately identify and prevent the exfiltration of sensitive data.

Network traffic monitoring for suspicious file types

Explanation

Network traffic monitoring for suspicious file types may help in detecting potential threats, but it may not be as effective as content inspection based on keywords or data patterns when it comes to detecting attempts to send sensitive data through email attachments. This feature focuses more on file types rather than the actual content of the files.

Deep packet inspection to analyze all data transferred over the network

Explanation

Deep packet inspection to analyze all data transferred over the network is a comprehensive approach to network security, but it may not be the most effective feature for detecting attempts to send sensitive data through email attachments specifically. This feature examines all network traffic, not just email attachments, and may not be as targeted towards email data exfiltration.

User activity monitoring to identify suspicious behavior

Explanation

User activity monitoring to identify suspicious behavior is important for overall security monitoring, but it may not be as effective as content inspection based on keywords or data patterns in detecting attempts to send sensitive data through email attachments. This feature focuses on user behavior rather than the content of email attachments.
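Content inspection versus file-type monitoring, as an added example that is not part of the practice exam: a minimal DLP check over constructed outbound attachments, with keyword and pattern rules (SSN and card-number formats, Luhn-checked) chosen for the demo.

```python
import re
from dataclasses import dataclass

# Added example: minimal DLP content inspection of email attachments,
# compared with flagging by file type alone. Rules and samples are constructed.


@dataclass
class Attachment:
    filename: str
    content: bytes


KEYWORDS = ("CONFIDENTIAL", "INTERNAL ONLY", "SSN")
PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
SUSPICIOUS_TYPES = (".exe", ".zip", ".7z")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to drop card-number false positives."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_content(att: Attachment) -> list[str]:
    """Content inspection: keyword and data-pattern matching over the decoded text."""
    text = att.content.decode("utf-8", errors="ignore")
    findings = []
    for kw in KEYWORDS:
        if kw.lower() in text.lower():
            findings.append(f"keyword:{kw}")
    for m in PATTERNS["us_ssn"].finditer(text):
        findings.append(f"pattern:us_ssn:{m.group()}")
    for m in PATTERNS["card_number"].finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            findings.append(f"pattern:card_number:****{digits[-4:]}")  # never log the full PAN
    return findings


def inspect_file_type(att: Attachment) -> list[str]:
    """The alternative the question lists: flag by extension only, never by content."""
    if att.filename.lower().endswith(SUSPICIOUS_TYPES):
        return [f"filetype:{att.filename}"]
    return []


def evaluate(attachments: list[Attachment]) -> dict[str, dict[str, list[str]]]:
    """Run both checks so the two approaches can be compared per attachment."""
    return {
        a.filename: {"content": inspect_content(a), "filetype": inspect_file_type(a)}
        for a in attachments
    }


# Constructed sample attachments (not real data)
SAMPLE = [
    Attachment("q3-report.csv", b"name,ssn\nJane Doe,123-45-6789\n"),
    Attachment("notes.txt", b"INTERNAL ONLY - card on file 4111 1111 1111 1111\n"),
    Attachment("installer.exe", b"MZ\x90\x00..."),
    Attachment("lunch.txt", b"Order id 1234-5678-9012 is not a card\n"),
]

if __name__ == "__main__":
    for name, result in evaluate(SAMPLE).items():
        print(name, result)
```

The plain-text and CSV attachments carrying sensitive data are only caught by the content rules; the extension check sees just the executable.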

Question 44Skipped

A company is adopting a risk management framework to identify, assess, and prioritize security risks. Which of the following risk assessment methodologies is MOST likely to assign a numerical value to the potential impact of a security risk?

Qualitative risk assessment

Explanation

Qualitative risk assessment involves assessing risks based on subjective criteria such as high, medium, or low impact, likelihood, or severity. It does not involve assigning numerical values to the potential impact of security risks.

Correct answer

Quantitative risk assessment

Explanation

Quantitative risk assessment involves assigning numerical values to the potential impact of security risks. This methodology allows for a more precise and measurable analysis of risks based on financial impact, potential loss, or other quantitative factors.

RPO

Explanation

RPO (Recovery Point Objective) and RTO (Recovery Time Objective) are not risk assessment methodologies but rather metrics used in business continuity planning to determine how much data loss and downtime a company can tolerate.

RTO

Explanation

RTO (Recovery Time Objective) is a metric used in business continuity planning to determine the maximum acceptable downtime for systems or services. It is not a risk assessment methodology that involves assigning numerical values to the potential impact of security risks.

Question 45Skipped

A company is implementing a solution to ensure that all critical functions of the organization can continue without disruption in the event of a disaster. Which of the following is being described?

Correct answer

Continuity of operations

Explanation

Continuity of operations (COOP) refers to the process of ensuring that critical functions of an organization can continue without disruption in the event of a disaster. It involves developing plans, procedures, and policies to maintain essential services and operations during and after a disaster or emergency situation.

Incident response team

Explanation

An incident response team is a group of individuals within an organization responsible for responding to and managing security incidents. While they play a crucial role in handling security incidents, they are not specifically focused on ensuring continuity of operations in the event of a disaster.

Stakeholder management

Explanation

Stakeholder management involves identifying, communicating with, and engaging stakeholders who have an interest in or are impacted by the organization’s activities. While stakeholder management is important for overall organizational success, it is not directly related to ensuring continuity of operations in the event of a disaster.

Cyber Kill Chain

Explanation

The Cyber Kill Chain is a concept used in cybersecurity to describe the stages of a cyber attack, from initial reconnaissance to data exfiltration. While understanding the Cyber Kill Chain is important for incident response and threat mitigation, it is not directly related to ensuring continuity of operations in the event of a disaster.

Question 46Skipped

A security analyst identifies a zero-day exploit affecting a critical system in the network, with no patch available from the vendor. Which of the following BEST describes the analyst’s next step?

Update antivirus signatures on all endpoint devices

Explanation

Updating antivirus signatures on all endpoint devices may help in detecting known malware and threats, but it may not be effective in mitigating a zero-day exploit for which no patch is available yet.

Implement additional access controls for the system

Explanation

Implementing additional access controls for the system may enhance security, but it may not directly address the immediate risk posed by the zero-day exploit targeting the critical system.

Increase the password complexity requirements for all user accounts

Explanation

Increasing password complexity requirements for all user accounts is a good security practice, but it may not be the most appropriate initial action to take in response to a zero-day exploit targeting a critical system.

Correct answer

Isolate the critical system from the network

Explanation

Isolating the critical system from the network is the most appropriate initial action to take to mitigate the risk posed by the zero-day exploit. By isolating the system, the impact of the exploit can be minimized, and further spread of the exploit can be prevented until a patch becomes available.

Question 47Skipped

A company is designing a new cloud-based infrastructure. Which security principle should take the HIGHEST priority during the design of the cloud environment?

Minimizing the number of security tools used

Explanation

Minimizing the number of security tools used may seem like a cost-effective approach, but it can lead to gaps in security coverage and make the cloud environment more vulnerable to attacks. Using a variety of security tools can provide defense in depth and enhance overall security posture.

Correct answer

Implementing strong access controls and authentication

Explanation

Implementing strong access controls and authentication is crucial in a cloud environment to prevent unauthorized access to sensitive data and resources. Strong access controls help ensure that only authorized users can access the cloud infrastructure, reducing the risk of data breaches and unauthorized activities.

Prioritizing cost savings over security features

Explanation

Prioritizing cost savings over security features can compromise the security of the cloud environment. While cost considerations are important, security should always be a top priority in cloud design to protect sensitive data, maintain compliance, and mitigate cybersecurity risks.

Centralizing all security management on-premises

Explanation

Centralizing all security management on-premises may not be the most effective approach for securing a cloud-based infrastructure. Cloud environments require specialized security measures and tools that are designed to protect cloud resources and data. Centralizing security management on-premises may limit the ability to effectively monitor and secure cloud assets.

Question 48Skipped

A user is currently authenticating with a PIN and an RFID badge. The organization wants to add more authentication factors. Which of the following would provide the MOST secure additional authentication?

Something you know

Explanation

"Something you know" typically refers to passwords, PINs, or security questions. While adding another knowledge-based factor can enhance security, it may not be as secure as other factors that are more difficult to compromise.

Somewhere you are

Explanation

"Somewhere you are" refers to location-based authentication, such as geofencing or IP address verification. While this factor can add an extra layer of security, it may not be as secure as other factors that directly authenticate the user’s identity.

Something you have

Explanation

"Something you have" refers to physical tokens, smart cards, or mobile devices used for authentication. While this factor can provide a higher level of security compared to knowledge-based factors, it may still be susceptible to theft or duplication.

Correct answer

Something you are

Explanation

"Something you are" refers to biometric authentication factors such as fingerprint scans, facial recognition, or iris scans. Biometric authentication is considered one of the most secure methods as it directly verifies the user’s unique biological characteristics, making it difficult for unauthorized users to replicate or bypass.

Question 49Skipped

An up-and-coming AI company is adopting SOAR systems to lower overall operational costs. Which of the following are key benefits of automation and orchestration in security operations? (Choose two).

Correct selection

Efficiency/time saving

Explanation

Efficiency and time-saving are key benefits of automation and orchestration in security operations. By automating repetitive tasks and orchestrating workflows, security teams can streamline processes, reduce manual effort, and respond to incidents more quickly and effectively.

Single point of failure

Explanation

Single point of failure is not a key benefit of automation and orchestration in security operations. In fact, one of the goals of automation and orchestration is to reduce the risk of single points of failure by distributing tasks and responsibilities across systems and processes.

Technical debt

Explanation

Technical debt is not a key benefit of automation and orchestration in security operations. Technical debt refers to the extra work that accumulates when shortcuts are taken during the software development process, and it is not directly related to the benefits of automation and orchestration in security operations.

Correct selection

Reaction time

Explanation

Reaction time is a key benefit of automation and orchestration in security operations. By automating incident response processes and orchestrating workflows, security teams can reduce the time it takes to detect, analyze, and respond to security incidents, ultimately improving the organization’s overall security posture.

Question 50Skipped

A company enters into a Master Service Agreement (MSA) with a vendor for ongoing IT support services. Later, the company requires the vendor to complete a specific project. Which supplementary agreement should be used to outline the project’s scope, timeline, and cost?

Service-level agreement

Explanation

A Service-Level Agreement (SLA) typically outlines the agreed-upon levels of service that the vendor will provide, such as response times, uptime guarantees, and performance metrics. It does not typically detail the specific scope, timeline, and cost of a project, making it less suitable for outlining the requirements of a specific project within the MSA.

Memorandum of understanding

Explanation

A Memorandum of Understanding (MOU) is a non-binding agreement that outlines the intentions of parties to collaborate or work together on a project. While it may provide a high-level overview of the project, it does not typically include detailed information on the project’s scope, timeline, and cost, which are essential for the specific project requirements within the MSA.

Correct answer

Statement of work (SOW)

Explanation

A Statement of Work (SOW) is the correct choice for outlining the specific project’s scope, timeline, and cost within the context of the MSA. It provides detailed information on the project deliverables, milestones, resources, timelines, and costs, ensuring that both parties have a clear understanding of the project requirements.

Business partners agreement (BPA)

Explanation

A Business Partners Agreement (BPA) typically outlines the terms and conditions of a partnership between two businesses, including profit-sharing, decision-making processes, and responsibilities. While it may touch on project-related aspects, it is not specifically designed to detail the scope, timeline, and cost of a specific project within the MSA.

Question 51Skipped

A penetration tester is using CVSS to assess vulnerabilities on an AWS-hosted web server. Which of the following CVSS metrics reflects the potential impact of a vulnerability on a system?

Exploitability score

Explanation

The exploitability score in CVSS reflects how easy it is for an attacker to exploit a vulnerability, rather than the potential impact of the vulnerability on a system. It assesses the likelihood of successful exploitation, not the severity of the consequences.

Scope

Explanation

The scope in CVSS refers to the extent of the impact a vulnerability can have on a system, such as whether it affects only the local system or has broader implications. While scope is an important metric, it does not directly reflect the potential impact of a vulnerability on a system.

Correct answer

Severity

Explanation

The severity metric in CVSS is specifically designed to reflect the potential impact of a vulnerability on a system. It takes into account factors such as the potential damage that could be caused, the level of access an attacker could gain, and the overall risk to the system. This metric helps prioritize vulnerabilities based on their potential impact.

Authentication required

Explanation

The authentication required metric in CVSS indicates whether an attacker needs to authenticate before exploiting a vulnerability. While authentication requirements can impact the exploitability of a vulnerability, they do not directly reflect the potential impact of the vulnerability on a system.

Question 52Skipped

An attacker found a cross-site scripting vulnerability on a newly registered website that is gaining popularity. The attacker exploits this vulnerability, causing a message to appear whenever users visit the site. Which of the following BEST describes the attacker’s actions?

Race condition

Explanation

Race condition refers to a situation where the outcome of a process depends on the timing of other uncontrollable events. It is not related to the scenario described in the question where an attacker exploits a cross-site scripting vulnerability to display a message on a website.

Correct answer

Watering hole

Explanation

A watering hole attack involves compromising a website that the targeted group of users frequently visits, with the intention of infecting the users’ devices. In this case, the attacker exploits a cross-site scripting vulnerability on a popular website to display a message, which aligns with the description provided in the question.

Structured Query Language injection

Explanation

Structured Query Language (SQL) injection is a type of attack where malicious SQL statements are inserted into an entry field for execution. It is not relevant to the scenario where an attacker exploits a cross-site scripting vulnerability to display a message on a website.

Memory injection

Explanation

Memory injection involves injecting code into a running process to alter its behavior. This type of attack is not applicable to the scenario described in the question, where the attacker exploits a cross-site scripting vulnerability to display a message on a website.

Question 53Skipped

A cybersecurity company is finalizing a contract with an internet service provider, which specifies a guaranteed minimum internet speed of 300 Mbps. Which of the following BEST describes this type of agreement?

SOW

Explanation

SOW (Statement of Work) is a document that defines the work activities, deliverables, and timeline for a specific project. It does not typically include details about internet speed guarantees or service level agreements.

RPO

Explanation

RPO (Recovery Point Objective) refers to the maximum acceptable amount of data loss in a disaster recovery scenario. It is not related to internet speed guarantees or service level agreements.

Correct answer

SLA

Explanation

SLA (Service Level Agreement) is a contract between a service provider and a customer that outlines the level of service expected, including metrics such as uptime, response times, and in this case, internet speed guarantees.

RTO

Explanation

RTO (Recovery Time Objective) refers to the maximum acceptable downtime for recovering systems after a disaster. It is not related to internet speed guarantees or service level agreements.

Question 54Skipped

An analyst is reviewing system logs and observes that a regular user executed a suspicious script, resulting in the account being upgraded to NT Authority. Which of the following is the MOST likely explanation?

Account takeover

Explanation

Account takeover refers to unauthorized access to a user’s account by an attacker. In this scenario, the regular user executing a suspicious script does not necessarily indicate that the user’s account was taken over by an external entity.

Correct answer

Privilege escalation

Explanation

Privilege escalation occurs when a user gains higher levels of access or permissions than originally intended. In this case, the regular user executing a suspicious script resulting in the account being upgraded to NT Authority suggests that the user exploited a vulnerability to elevate their privileges.

Single-factor authentication

Explanation

Single-factor authentication is a method of authentication that requires only one form of verification, such as a password. While the use of single-factor authentication may contribute to security vulnerabilities, it is not directly related to the scenario described in the question.

VM escape

Explanation

VM escape refers to a security vulnerability that allows an attacker to break out of a virtual machine (VM) and access the host system. The scenario described in the question does not involve a VM environment, making VM escape an unlikely explanation for the observed behavior.

Question 55Skipped

A criminal organization has recently targeted multiple companies, including cybersecurity firms. What is the MOST likely motivation for organized crime in this scenario?

Philosophical/political beliefs

Explanation

Philosophical/political beliefs are not typically the primary motivator for organized crime groups targeting organizations. While some cyber attacks may have ideological motivations, organized crime groups are more likely to be driven by financial gain rather than philosophical or political beliefs.

Espionage

Explanation

Espionage is more commonly associated with state-sponsored cyber attacks or intelligence agencies rather than organized crime groups. While espionage may involve targeting organizations for information gathering, organized crime groups are more likely motivated by financial gain through activities such as ransomware attacks or data theft.

Blackmail

Explanation

Blackmail is a possible motivator for cyber attacks, but it is not the most likely motivator for organized crime groups targeting organizations. Blackmail typically involves threatening to reveal sensitive information unless a demand is met, which may not align with the primary goals of organized crime groups focused on financial gain.

Correct answer

Financial gain

Explanation

Financial gain is the most likely motivator for organized crime groups targeting organizations. These groups often engage in cyber attacks to extort money through ransomware, steal valuable data for sale on the dark web, or engage in other activities that generate profit. Financial gain is a common driving force behind cybercrime activities conducted by organized crime groups.

Question 56Skipped

A company is deploying a cybersecurity solution for a client who requires all network traffic to be correlated, monitored, and analyzed in a centralized location. Which technology would BEST fulfill these requirements?

NetFlow

Explanation

NetFlow is a network protocol used for monitoring network traffic flow. While it can provide visibility into network traffic patterns, it does not offer centralized correlation and analysis capabilities required for this scenario.

LDAP

Explanation

LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and maintaining directory services. It is not designed for network traffic monitoring, correlation, and analysis, which are the primary requirements in this case.

Correct answer

SIEM

Explanation

SIEM (Security Information and Event Management) is a technology that combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by network hardware and applications. It can centrally correlate, monitor, and analyze network traffic, making it the best option for fulfilling the client’s requirements.

Air-gap

Explanation

Air-gap is a security measure that physically isolates a secure network from unsecured networks, typically by using an air gap or physical barrier. While air-gapping can enhance security by preventing unauthorized access, it does not provide the centralized monitoring and analysis capabilities needed for this scenario.

Question 57Skipped

Which of the following BEST describes the functionality of a risk register in cybersecurity?

Correct answer

Documenting and tracking identified risks

Explanation

A risk register is used to document and track identified risks throughout the risk management process. It helps in maintaining a centralized repository of all potential risks, including their likelihood, impact, and mitigation plans.

Perform risk assessments

Explanation

While risk assessments are an important part of risk management, the primary purpose of a risk register is not to perform risk assessments. Risk assessments involve evaluating the likelihood and impact of risks, which are then documented in the risk register.

Implement risk mitigation strategies

Explanation

Implementing risk mitigation strategies is a crucial step in managing risks, but the risk register itself is not responsible for implementing these strategies. The risk register is used to document risks, track their status, and monitor the effectiveness of mitigation efforts.

Calculate risk exposure and impact

Explanation

While calculating risk exposure and impact is essential in risk management, the risk register is not specifically designed for this purpose. The risk register focuses on documenting and tracking identified risks, while risk exposure and impact calculations may be part of the risk assessment process.

Question 58Skipped

A helpdesk technician accesses a university’s network and is prompted to sign an agreement outlining the permitted activities while using the WiFi. The agreement specifies restrictions, such as prohibiting software torrenting or accessing malicious websites. Which of the following BEST describes this type of agreement?

SLA

Explanation

SLA (Service Level Agreement) is a contract between a service provider and a customer that outlines the level of service expected from the provider. It typically includes details such as uptime guarantees, response times, and support availability. It is not related to user agreements outlining permitted activities on a network.

SLE

Explanation

SLE (Service Level Expectation) is a metric used to measure the performance of a service provider against the agreed-upon service levels in an SLA. It is not related to user agreements outlining permitted activities on a network.

Correct answer

AUP

Explanation

AUP (Acceptable Use Policy) is a document that outlines the permitted and prohibited activities for users accessing a network or system. It typically includes restrictions on activities such as downloading copyrighted material, accessing inappropriate content, or engaging in illegal activities. In this scenario, the agreement outlining restrictions on software torrenting and accessing malicious websites aligns with the concept of an AUP.

ALE

Explanation

ALE (Annualized Loss Expectancy) is a calculation used in risk management to estimate the potential financial loss from a security incident over a one-year period. It is not related to user agreements outlining permitted activities on a network.

Question 59Skipped

A user has received the message mentioned above.

Which of the following would BEST explain this threat?

File-based

Explanation

File-based threats typically involve malicious files or attachments that can harm a user’s system when opened or executed. In this scenario, the threat is not related to any file or attachment, so it is not a file-based threat.

Correct answer

Message-based

Explanation

Message-based threats involve malicious messages or communication that aim to deceive or manipulate users into taking harmful actions. In this case, the user received a message from someone claiming to be from Indeed, which could potentially be a form of social engineering or phishing attack, making it a message-based threat.

Image-based

Explanation

Image-based threats usually involve malicious images or graphics that can exploit vulnerabilities in image processing software. Since the threat in this scenario is related to a message from someone claiming to be from Indeed, it is not an image-based threat.

Unskilled attacker

Explanation

An unskilled attacker refers to an individual who lacks the technical expertise or knowledge to carry out sophisticated cyber attacks. In this case, the threat appears to be more focused on social engineering or phishing tactics rather than technical skills, so it is not necessarily indicative of an unskilled attacker.

Question 60Skipped

A user has just spilled water onto their laptop and has called the helpdesk. A technician arrives on the scene and explains that it will take a few hours before the computer becomes available again. Which of the following BEST describes this scenario?

RPO

Explanation

RPO (Recovery Point Objective) refers to the maximum amount of data loss that an organization is willing to accept. It is not relevant to the scenario described, as it does not involve data loss considerations.

MTBF

Explanation

MTBF (Mean Time Between Failures) is the average time between failures of a system or component. It is not applicable in this scenario as it does not involve the time between failures.

Correct answer

MTTR

Explanation

MTTR (Mean Time to Recovery) is the time it takes to restore a failed system or component to normal operation. In this scenario, the technician’s explanation of needing a few hours before the laptop becomes available again aligns with the concept of MTTR.

RTO

Explanation

RTO (Recovery Time Objective) is the maximum amount of time allowed to recover a system after a disruption. While related to the concept of recovery, the scenario does not specify a target time frame for recovery, making it less relevant in this context.

Question 61Skipped

A company implements a security architecture that utilizes a zero-trust security model. Which of the following BEST describes the zero-trust security model?

Every system is air-gapped to increase security

Explanation

Air-gapping systems may provide a high level of security by physically isolating them from other networks, but it is not the core principle of a zero-trust security model. Zero-trust focuses on continuous verification of access requests regardless of the user or device, rather than relying solely on physical isolation. Not every system would be air-gapped.

Correct answer

All access requests are continuously verified regardless of user or device

Explanation

The core principle of a zero-trust security model is to continuously verify all access requests, regardless of the user or device making the request. This approach ensures that trust is never assumed, and access is granted based on specific conditions and policies, rather than relying on traditional perimeter-based security measures.

Security controls are only applied to external users and devices

Explanation

Applying security controls only to external users and devices does not align with the core principle of a zero-trust security model. Zero-trust emphasizes the need to verify all access requests, regardless of whether they originate from internal or external sources, to prevent unauthorized access and reduce the risk of security breaches from insider threats.

The network perimeter is the only line of defense

Explanation

Relying solely on the network perimeter as the line of defense is contrary to the core principle of a zero-trust security model. Zero-trust advocates for a more granular approach to security, where access is continuously verified and controlled based on specific policies and conditions, rather than relying on perimeter-based defenses.

Question 62Skipped

A hacker scanned the Internet and successfully logged into a vulnerable machine using "admin" for both the username and password. Which of the following vulnerabilities was MOST likely exploited?

Vulnerable software

Explanation

Vulnerable software refers to software that has known security flaws or weaknesses that can be exploited by attackers. While this could be a potential vulnerability, in this scenario, the hacker successfully logged in using default credentials, not by exploiting a software vulnerability.

Cryptographic

Explanation

Cryptographic vulnerabilities involve weaknesses in encryption algorithms, key management, or cryptographic protocols that can be exploited by attackers to gain unauthorized access. In this case, the hacker logged in using default credentials, not by exploiting a cryptographic vulnerability.

Open service ports

Explanation

Open service ports can expose a system to potential attacks if the services running on those ports have security vulnerabilities. However, in this scenario, the hacker successfully logged in using default credentials, not by exploiting open service ports.

Correct answer

Default credentials

Explanation

Default credentials are pre-configured usernames and passwords that are often set by manufacturers or users and are commonly known. Using default credentials is a common attack vector for hackers as many users fail to change the default login information, making it easy for attackers to gain unauthorized access. In this case, the hacker successfully logged in using default credentials, making it the most likely vulnerability exploited.

Question 63Skipped

An organization is developing a disaster recovery plan and plans to establish a remote site that will serve as a fully duplicated replica of its current systems. Which of the following BEST describes this type of remote site?

Warm

Explanation

A warm site is a remote facility that is partially equipped with hardware and software but does not have live data. It requires some setup and configuration before it can be fully operational in the event of a disaster.

Correct answer

Hot

Explanation

A hot site is a remote facility that is fully equipped with hardware, software, and live data that mirrors the primary site. It is ready to take over operations immediately in the event of a disaster, providing minimal downtime and maximum continuity.

RAID

Explanation

RAID (Redundant Array of Independent Disks) is a data storage technology that combines multiple disk drives into a single logical unit to improve data redundancy, performance, or both. While RAID can be used as part of a disaster recovery plan, it is not specifically related to the establishment of a fully duplicated replica remote site.

Cold

Explanation

A cold site is a remote facility that is not equipped with hardware, software, or live data. It requires significant setup and configuration in the event of a disaster, resulting in longer downtime compared to hot sites.

Question 64Skipped

A company is setting up a new wireless network in their office building. A technician needs to determine the best placement for access points to ensure full Wi-Fi coverage. Which of the following should the technician complete FIRST?

Configuring the security settings on the wireless routers

Explanation

Configuring the security settings on the wireless routers is an important step in setting up a secure wireless network, but it is not directly related to determining the optimal placement of access points for adequate Wi-Fi coverage. This step comes after the access points have been strategically placed.

Upgrading the internet bandwidth to support more devices

Explanation

Upgrading the internet bandwidth to support more devices is crucial for ensuring a fast and reliable internet connection for all users, but it does not directly impact the placement of access points for optimal Wi-Fi coverage. This step is more related to network capacity rather than coverage.

Correct answer

Conducting a site survey to assess the building layout and potential interference

Explanation

Conducting a site survey to assess the building layout and potential interference is the most important step in determining the optimal placement of access points for adequate Wi-Fi coverage. This survey helps identify areas with weak signal strength, potential sources of interference, and the best locations for access points to ensure comprehensive coverage throughout the building.

Downloading a Wi-Fi analyzer app for employees to use

Explanation

Downloading a Wi-Fi analyzer app for employees to use can be helpful for troubleshooting Wi-Fi connectivity issues and monitoring network performance, but it is not the most important step in determining the optimal placement of access points. This step comes after the access points have been strategically placed based on the site survey results.

Question 65Skipped

A digital forensics investigator is notified that all sensitive information must be preserved during pending litigation. The investigator is prohibited from deleting any sensitive information under any circumstances. Which of the following is being described?

Chain of custody

Explanation

Chain of custody refers to the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence. It ensures the integrity and admissibility of evidence in a legal proceeding but does not specifically address the preservation of sensitive information during pending litigation.

Correct answer

Legal hold

Explanation

Legal hold is the correct choice as it refers to the process of preserving all relevant information related to pending or anticipated litigation. It prohibits the deletion or alteration of any sensitive information that may be relevant to the legal case, ensuring that all data is retained in its original state for potential use as evidence.

Tabletop exercise

Explanation

A tabletop exercise is a simulated scenario in which key personnel discuss and practice their roles and responsibilities in response to a hypothetical situation, such as a cybersecurity incident. It does not relate to the preservation of sensitive information during pending litigation.

E-discovery

Explanation

E-discovery refers to the process of identifying, collecting, and producing electronically stored information (ESI) in response to a legal request or investigation. While e-discovery may involve the preservation of sensitive information, it is not specifically focused on the prohibition of deleting such information during pending litigation.

Question 66Skipped

A malware analyst seeks a method to permanently disable Windows Defender on a computer to avoid triggering alerts from false positives. Which of the following would BEST achieve this?

Correct answer

Group policy

Explanation

Group Policy is the best option to permanently disable Windows Defender on a computer. Group Policy allows administrators to manage settings for groups of users and computers in an Active Directory environment, including disabling Windows Defender to prevent false positive alerts.

Network access control

Explanation

Network access control is not the best option to permanently disable Windows Defender on a computer. Network access control is used to restrict access to network resources based on certain policies and security requirements, but it does not directly disable Windows Defender.

SAML

Explanation

SAML (Security Assertion Markup Language) is not the best option to permanently disable Windows Defender on a computer. SAML is an XML-based open standard for exchanging authentication and authorization data between parties, typically used for single sign-on, and is not related to disabling security software like Windows Defender.

Extended detection and response

Explanation

Extended Detection and Response (XDR) is not the best option to permanently disable Windows Defender on a computer. XDR is a security solution that correlates data across multiple security layers to provide more comprehensive threat detection and response capabilities, but it does not involve disabling specific security software like Windows Defender.

Question 67Skipped

An administrator notices a physical device attached to the keyboard while managing a computer. The administrator unplugged the device and notified the security team immediately. Which of the following BEST describes the attack vector used?

Rootkit

Explanation

A rootkit is a type of malicious software that is designed to gain unauthorized access to a computer system. It is typically installed by an attacker after they have already compromised the system, rather than being physically attached to a device like in this scenario.

Supply chain

Explanation

The supply chain attack vector involves targeting the software or hardware supply chain to introduce vulnerabilities or malicious components into the system. This attack vector is not applicable in this scenario where a physical device was attached to the computer.

Correct answer

Removable device

Explanation

The removable device attack vector involves using external devices such as USB drives or external hard drives to introduce malware or gain unauthorized access to a system. In this scenario, the physical device attached to the keyboard falls under this category.

USB

Explanation

USB is a type of connection interface used to connect external devices to a computer. While the physical device attached to the keyboard may have used a USB connection, the attack vector in this scenario is more accurately described as a removable device attack.

Question 68Skipped

An organization’s blue team has implemented a system designed to entice the red team into revealing their techniques. When the opposing team engaged, the system captured attempted username and password logins. Which of the following technologies BEST describes this solution?

On-path attack

Explanation

On-path attacks involve intercepting and manipulating network traffic between two parties. In this scenario, the system is not actively intercepting or manipulating network traffic, but rather enticing the red team into revealing their techniques through a different method.

MITRE ATT&CK

Explanation

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. While it is a valuable resource for understanding and categorizing cyber threats, it is not directly related to the system described in the question that captures attempted username and password logins.

Correct answer

Honeypot

Explanation

A honeypot is a security mechanism designed to lure attackers into interacting with a decoy system, such as by attempting to log in with usernames and passwords. The captured information can then be used to study the attackers’ techniques and improve overall security defenses.

DNS sinkhole

Explanation

A DNS sinkhole is a DNS server that resolves domain names to incorrect or non-existent IP addresses. While it can be used to block malicious traffic, it is not directly related to the system described in the question that captures attempted username and password logins.

Question 69Skipped

An organization is developing a disaster recovery plan. Which component of the plan is MOST crucial for ensuring a successful recovery? (Choose two).

Correct selection

Clearly defined roles and responsibilities for recovery personnel

Explanation

Clearly defined roles and responsibilities for recovery personnel are crucial in a disaster recovery plan as they ensure that everyone knows their tasks and responsibilities during a recovery situation. This clarity helps in efficient and effective execution of the recovery plan, minimizing confusion and errors.

Implementation of a secondary data center for redundancy

Explanation

Implementation of a secondary data center for redundancy is important for ensuring business continuity and minimizing downtime in case of a disaster. While this is a crucial component of a disaster recovery plan, having clearly defined roles and responsibilities for recovery personnel is considered the most crucial for successful recovery as it focuses on the human aspect of executing the plan.

A comprehensive list of external vendors and service providers

Explanation

While having a comprehensive list of external vendors and service providers can be beneficial in a disaster recovery situation, it is not the most crucial component for ensuring a successful recovery. External vendors and service providers can be helpful, but the internal roles and responsibilities of recovery personnel play a more critical role in executing the recovery plan.

Correct selection

Regular testing and validation of backup systems

Explanation

Regular testing and validation of backup systems are important in a disaster recovery plan to ensure that the backups are reliable and can be successfully restored in case of a disaster. This practice helps in identifying any issues or gaps in the backup systems before an actual disaster occurs.

Question 70Skipped

An organization is classifying its customers’ PII and PHI documents. Which of the following BEST defines these documents?

Critical

Explanation

Critical typically refers to information that is essential for the organization’s operations and may have severe consequences if compromised. While PII and PHI documents are important, they may not necessarily fall under the category of critical information.

Private

Explanation

Private information is typically related to personal details that are not meant to be shared publicly. While PII and PHI documents are private in nature, the term "private" may not fully capture the sensitivity and regulatory requirements associated with these documents.

Confidential

Explanation

Confidential information is usually restricted to a certain group of individuals within the organization. While PII and PHI documents are indeed confidential, the term "confidential" may not fully encompass the legal and privacy implications of handling such sensitive information.

Correct answer

Sensitive

Explanation

Sensitive accurately describes PII (Personally Identifiable Information) and PHI (Protected Health Information) documents, as they contain personal and health-related data that require special protection due to privacy regulations and potential risks if exposed. This term best reflects the nature of these documents in terms of security and privacy considerations.

Question 71Skipped

The board of directors is assessing the risks to their organization and wants to understand the remaining risks after all security measures are implemented. Which of the following best describes this risk?

Correct answer

Residual

Explanation

The organization is describing the concept of residual risk, which refers to the level of risk that remains after security measures have been applied. It represents the risk that the organization is willing to accept or retain.

Appetite

Explanation

Risk appetite refers to the amount and type of risk that an organization is willing to take on in pursuit of its objectives. It is not directly related to quantifying existing risks after security measures are applied.

Inherent

Explanation

Inherent risk is the level of risk that exists before any controls or security measures are implemented. It represents the risk that is inherent in the organization’s operations and environment.

Risk register

Explanation

A risk register is a document used to record and track risks within an organization. It typically includes information such as the risk description, likelihood, impact, and mitigation strategies. It is not specifically related to quantifying existing risks after security measures are applied.

Question 72Skipped

An organization is looking to enhance its disaster recovery capabilities. Which of the following is the BEST way to evaluate the effectiveness of its disaster recovery plan?

Conduct regular penetration testing

Explanation

Conducting regular penetration testing is important for identifying vulnerabilities in the organization’s systems and networks. However, it may not directly evaluate the effectiveness of the disaster recovery plan, as penetration testing focuses more on identifying weaknesses that could be exploited by attackers rather than testing the organization’s ability to recover from a disaster.

Correct answer

Perform tabletop exercises

Explanation

Performing tabletop exercises is the best way to evaluate the effectiveness of a disaster recovery plan. Tabletop exercises involve simulating various disaster scenarios and walking through the steps the organization would take to respond and recover. This allows the organization to identify gaps in the plan, test communication and coordination among team members, and improve overall readiness for a real disaster.

Implement vulnerability scanning tools

Explanation

Implementing vulnerability scanning tools is essential for identifying and addressing security vulnerabilities in the organization’s systems. While vulnerability scanning is an important aspect of overall security, it may not directly evaluate the effectiveness of the disaster recovery plan, as it focuses more on identifying weaknesses that could be exploited by attackers rather than testing the organization’s ability to recover from a disaster.

Review security policies and procedures

Explanation

Reviewing security policies and procedures is important for ensuring that the organization has appropriate security measures in place. While reviewing security policies and procedures is a good practice, it may not directly evaluate the effectiveness of the disaster recovery plan. The focus of security policy review is on ensuring compliance and adherence to security standards rather than testing the organization’s ability to recover from a disaster.

Question 73Skipped

An attacker intercepted a user account hash using on-path techniques and attempted to brute-force it offline. Which of the following is the MOST likely cause of the attack?

Correct answer

Downgrade

Explanation

Downgrade attacks involve manipulating the communication between a client and a server to force the use of weaker security protocols or algorithms. In this scenario, the attacker may have downgraded the security protocol used for hashing the user account, making it easier to brute-force offline.

WPA2

Explanation

WPA2 is a Wi-Fi security protocol and is not directly related to the interception and brute-forcing of user account hashes. While WPA2 may be vulnerable to other types of attacks, it is not the most likely cause of the described attack scenario.

Spyware

Explanation

Spyware is malicious software designed to spy on a user’s activities, gather sensitive information, and send it to a third party. While spyware can be used to intercept user credentials, it is not the most likely cause of the attack described in the scenario, which involves intercepting and brute-forcing a user account hash.

Collision

Explanation

Collision attacks involve creating two different inputs that produce the same hash output, which is not the case in the described scenario. Collision attacks are not typically used to intercept user account hashes and brute-force them offline.

Question 74Skipped

A company has decided to include a "right-to-audit" clause in its vendor agreements as part of its ongoing risk management strategy. Which of the following BEST describes this clause?

Correct answer

Verifying the vendor meets agreed-upon service levels

Explanation

The "right-to-audit" clause allows the company to verify that the vendor is meeting the agreed-upon service levels. This helps ensure that the vendor is delivering the services as promised and helps the company monitor the vendor’s performance.

Ensuring the vendor offers competitive pricing

Explanation

Ensuring competitive pricing is not the primary purpose of a "right-to-audit" clause. While cost-effectiveness is important, this clause is more focused on verifying service levels and performance.

Conducting independent security assessments of the vendor

Explanation

Conducting independent security assessments of the vendor is a separate process from the "right-to-audit" clause. While security assessments are crucial for ensuring the vendor’s security posture, they are not directly related to the verification of service levels.

Auditing the vendor’s financial records for accuracy

Explanation

Auditing the vendor’s financial records for accuracy is not the main purpose of a "right-to-audit" clause. This clause is typically focused on verifying service levels and performance rather than financial records.

Question 75Skipped

A company is implementing new data privacy policies to comply with global regulations. Which of the following rights allows individuals to request the removal of their personal data?

Playbook

Explanation

A playbook is a document that contains strategies, procedures, and guidelines for handling specific situations or tasks within an organization. It is not related to data privacy rights or the removal of personal data.

Correct answer

Right to be forgotten

Explanation

The right to be forgotten allows individuals to request the removal of their personal data from an organization’s databases and systems. This right is essential for data privacy compliance and gives individuals control over their personal information.

Acceptable use policy

Explanation

An Acceptable Use Policy outlines the acceptable ways in which employees or users can utilize company resources, systems, and data. It does not grant individuals the right to request the removal of their personal data.

Responsible disclosure program

Explanation

A Responsible Disclosure Program is a process through which individuals can report security vulnerabilities or issues to an organization in a responsible manner. It is not related to the right to request the removal of personal data.

Question 76Skipped

A company is highlighting the importance of security awareness training for its employees. Which primary benefit of this training is MOST relevant in mitigating social engineering attacks?

Teaches employees how to configure firewalls and intrusion detection systems

Explanation

While knowing how to configure firewalls and intrusion detection systems is important for overall security, it is not directly related to mitigating social engineering attacks. Social engineering attacks rely on manipulating individuals rather than bypassing technical security measures.

Encourages employees to follow security policies and procedures

Explanation

Encouraging employees to follow security policies and procedures is essential for maintaining a secure environment, but it may not directly address the specific tactics used in social engineering attacks. Social engineering attacks often exploit human behavior rather than policy violations.

Reinforces the concept of least privilege for user accounts

Explanation

Reinforcing the concept of least privilege for user accounts is crucial for limiting access and reducing the impact of potential security incidents. However, it may not directly help employees recognize and respond to social engineering tactics, which rely on manipulation rather than unauthorized access.

Correct answer

Equips employees to identify and report suspicious activity

Explanation

Equipping employees to identify and report suspicious activity is the most relevant benefit of security awareness training in mitigating social engineering attacks. Social engineering attacks often rely on tricking individuals into revealing sensitive information or taking harmful actions, and training employees to recognize and report suspicious behavior can help prevent successful attacks.

Question 77Skipped

An organization is looking for a solution to quickly identify revoked certificates using a responder. The solution should also be capable of verifying online certificates. Which technology does this describe?

Self-signed

Explanation

Self-signed certificates are certificates that are signed by the same entity that issued them, without the need for a Certificate Authority (CA). They are not directly related to quickly identifying revoked certificates using a responder or verifying online certificates.

Correct answer

OCSP

Explanation

OCSP (Online Certificate Status Protocol) is a technology used to quickly identify revoked certificates by checking the status of a certificate with the issuing CA in real-time. It allows for the verification of online certificates by providing immediate responses regarding the validity of a certificate.

CRL

Explanation

CRL (Certificate Revocation List) is a technology used to identify revoked certificates by maintaining a list of revoked certificates that can be checked periodically. While it can help identify revoked certificates, it may not provide as quick a response as OCSP for verifying online certificates.

Wildcard

Explanation

Wildcard certificates are SSL certificates that secure a domain and all its subdomains with a single certificate. They are not directly related to identifying revoked certificates using a responder or verifying online certificates.

Question 78Skipped

An attacker is conducting research on a company using publicly available tools, collecting details like the company name, IP address, and email addresses. What type of reconnaissance is this?

Scanning

Explanation

Scanning typically involves actively probing a target system or network to gather information about its vulnerabilities, services, and configurations. It usually goes beyond just collecting basic information like company name, IP address, and email address.

Correct answer

Passive

Explanation

Passive reconnaissance involves gathering information about a target without directly interacting with the target system or network. This type of reconnaissance is typically done using open-source tools and publicly available information, such as company name, IP address, and email address.

Active

Explanation

Active reconnaissance involves actively engaging with the target system or network to gather information. This can include scanning, probing, and interacting with the target to collect data. It goes beyond just passively collecting basic information.

Penetration tester

Explanation

A penetration tester is an individual or team hired by a company to simulate real-world cyber attacks on their systems to identify vulnerabilities and weaknesses. They typically have permission to actively test the security of the systems, unlike an attacker performing reconnaissance without authorization.

Question 79Skipped

Cybersecurity professionals in an organization gather to discuss the incident response plan. They each focus on their own role, clarifying specific responsibilities such as identifying the attack vector and isolating compromised systems. Which of the following BEST describes this process?

Simulation

Explanation

Simulation typically involves creating a realistic scenario to test the effectiveness of the incident response plan in a controlled environment. It often includes active participation and hands-on activities to simulate a real attack or incident. In this scenario, the participants are only discussing how the incident would play out.

Correct answer

Tabletop exercise

Explanation

A tabletop exercise is a type of discussion-based exercise where key stakeholders gather to review and discuss the incident response plan. Each participant focuses on their role and responsibilities, clarifying specific actions to take in the event of a security incident.

Preparation

Explanation

Preparation refers to the activities and processes undertaken to ensure that the organization is ready to respond effectively to security incidents. This may include developing and testing incident response plans, training staff, and implementing security controls.

MTTR

Explanation

MTTR stands for Mean Time to Respond, which is a metric used to measure the average time it takes for an organization to respond to a security incident. It is not directly related to the process of reviewing and clarifying roles and responsibilities in an incident response plan.

Question 80Skipped

A security administrator would like a way to segment a network from the rest of the organization. This separate network will be used solely for VoIP traffic. Which of the following would provide this functionality?

Screened subnet

Explanation

A screened subnet, also known as a demilitarized zone (DMZ), is a network segment that sits between an internal network and an external network, such as the internet. It is typically used to host services that need to be accessible from both networks, rather than segmenting a network for a specific purpose like VoIP traffic.

Air-gap

Explanation

An air-gap refers to physically isolating a network from other networks, typically by keeping them disconnected from each other. While this provides a high level of security, it is not a practical solution for segmenting a network for VoIP traffic within an organization.

Zero trust

Explanation

Zero trust is a security model that assumes no trust in any user or device, even if they are inside the network perimeter. While zero-trust principles are important for network security, they do not specifically address the need to segment a network for VoIP traffic.

Correct answer

VLAN

Explanation

VLANs (Virtual Local Area Networks) allow network administrators to segment a single physical network into multiple logical networks. By assigning VoIP devices to a specific VLAN, the network traffic can be isolated and prioritized, providing the functionality needed to segment a network for VoIP traffic.

Question 81Skipped

An incident responder receives an alert from their file integrity monitoring software regarding unauthorized access to a file. Which forensic principle is MOST important to consider when investigating this incident?

Minimize impact on ongoing operations.

Explanation

Minimizing the impact on ongoing operations is an important principle in incident response to ensure that the investigation does not disrupt critical business functions. However, preserving evidence for potential legal action is the most crucial aspect when investigating unauthorized access to a file as it can be used in legal proceedings.

Correct answer

Preserve evidence for potential legal action.

Explanation

Preserving evidence for potential legal action is the most important forensic principle to consider when investigating unauthorized access to a file. This principle ensures that the integrity of the evidence is maintained, allowing for a thorough investigation and potential legal action against the perpetrator of the unauthorized access.

Document all actions taken during the investigation.

Explanation

While documenting all actions taken during the investigation is important for maintaining a clear record of the incident response process, preserving evidence for potential legal action takes precedence in cases of unauthorized access to files. Documentation is essential for transparency and accountability, but evidence preservation is critical for legal proceedings.

Identify and remediate the vulnerability that allowed the access.

Explanation

Identifying and remediating the vulnerability that allowed the unauthorized access is an important step in the incident response process. However, preserving evidence for potential legal action is the most crucial forensic principle to consider when investigating unauthorized access to a file. Remediation can come after evidence preservation to prevent future incidents.

Question 82Skipped

A company has implemented a data inventory system to keep track of all its data assets. Which of the following is the MOST significant advantage of maintaining an up-to-date and accurate data inventory?

Reducing storage costs by identifying and deleting unused data.

Explanation

While maintaining an up-to-date and accurate data inventory can help identify unused data and potentially reduce storage costs, this is not the MOST significant advantage. The primary focus of a data inventory system in terms of security is to identify and mitigate security risks associated with sensitive data.

Simplifying software license management for various applications.

Explanation

Simplifying software license management for various applications is an important benefit of maintaining a data inventory system, but it is not the MOST significant advantage. The primary focus of a data inventory system in terms of security is to identify and mitigate security risks associated with sensitive data.

Enhancing the efficiency of data backup and recovery processes.

Explanation

Enhancing the efficiency of data backup and recovery processes is a valuable outcome of maintaining an up-to-date and accurate data inventory, but it is not the MOST significant advantage. The primary focus of a data inventory system in terms of security is to identify and mitigate security risks associated with sensitive data.

Correct answer

Identifying and mitigating security risks associated with sensitive data.

Explanation

Identifying and mitigating security risks associated with sensitive data is the MOST significant advantage of maintaining an up-to-date and accurate data inventory. By knowing what data assets exist, where they are located, and how they are being used, organizations can proactively address security vulnerabilities and protect sensitive information from unauthorized access or breaches.

Question 83Skipped

A medical device manufacturer is designing a device that requires precise timing and immediate responsiveness to critical events. The system must ensure consistent performance with minimal latency. Which of the following would BEST meet this requirement?

Correct answer

RTOS

Explanation

A real-time operating system (RTOS) is designed to provide precise timing and immediate responsiveness to critical events. It ensures consistent performance with minimal latency, making it the best choice for the medical device manufacturer’s requirements.

DLP

Explanation

Data Loss Prevention (DLP) solutions focus on preventing unauthorized access and data leakage, but they do not directly address the need for precise timing and immediate responsiveness required by the medical device manufacturer.

SIEM

Explanation

Security Information and Event Management (SIEM) systems are used for monitoring, detecting, and responding to security events, but they do not specifically address the need for precise timing and immediate responsiveness in critical event handling.

ICS/SCADA

Explanation

Industrial Control Systems/Supervisory Control and Data Acquisition (ICS/SCADA) systems are used for controlling and monitoring industrial processes, but they do not provide the real-time capabilities required for precise timing and immediate responsiveness in critical event handling for the medical device manufacturer’s device.

Question 84Skipped

A company is replacing an old server that stores customer financial data. Before physically disposing of the server, which action is MOST critical to ensure the security of the data?

Formatting the hard drive of the old server

Explanation

Formatting the hard drive of the old server may not completely erase the data stored on it. Data can still be recovered using data recovery tools, posing a security risk. It is not the most critical action to ensure the security of the data.

Decommissioning the server according to a documented procedure

Explanation

Decommissioning the server according to a documented procedure is important for proper disposal but may not guarantee the security of the data stored on the server. It is a necessary step but not the most critical one for data security.

Correct answer

Wiping the hard drive of the old server using a secure data sanitization method

Explanation

Wiping the hard drive of the old server using a secure data sanitization method is the most critical action to ensure the security of the data. This method ensures that data is securely erased and cannot be recovered, protecting sensitive customer financial information from unauthorized access.

Selling the old server to a third-party vendor for data recovery purposes

Explanation

Selling the old server to a third-party vendor for data recovery purposes is a significant security risk as it exposes the customer financial data to potential unauthorized access. It is not a recommended action for ensuring the security of the data during server disposal.

Question 85Skipped

A company acquires a new customer database through a merger. What is the MOST important security action after acquiring this new data asset?

Integrating the new data into existing systems as quickly as possible

Explanation

Integrating the new data into existing systems as quickly as possible may introduce security risks if proper security assessments and measures are not implemented during the integration process. Rushing the integration without considering security implications can lead to data breaches and unauthorized access.

Correct answer

Classifying the data in the new customer database according to its sensitivity

Explanation

Classifying the data in the new customer database according to its sensitivity is crucial for determining the appropriate level of protection and access controls needed to safeguard the information. By understanding the sensitivity of the data, the company can implement tailored security measures to mitigate risks effectively.

Granting all employees access to the new customer data

Explanation

Granting all employees access to the new customer data without proper authorization and access controls can result in data exposure and potential misuse. It is essential to follow the principle of least privilege and restrict access to only those employees who require the data to perform their job responsibilities.

Deleting any duplicate customer records identified during integration

Explanation

Deleting any duplicate customer records identified during integration is a data management task that focuses on data accuracy and efficiency. While data cleanup is important, the most critical security action after acquiring the new data asset is to prioritize the protection of the data through proper classification and security measures.

Question 86Skipped

A software company is disposing of hard drives that previously stored sensitive information and needs a method to confirm that the drives have been destroyed and their data is unrecoverable. Which of the following BEST fulfills this requirement?

Digital forensics

Explanation

Digital forensics is the process of collecting, preserving, analyzing, and presenting digital evidence in a legal context. While digital forensics can be used to investigate data breaches and cybercrimes, it is not the best method for confirming the destruction of data on hard drives.

Destruction

Explanation

Destruction refers to physically destroying the hard drives, such as shredding or crushing them, to ensure that the data is unrecoverable. While destruction is a valid method for confirming data destruction, it does not provide a formal confirmation or certification of the process.

Sanitization

Explanation

Sanitization involves securely wiping or overwriting the data on the hard drives to ensure that it cannot be recovered. While sanitization is a common method for data disposal, it may not provide the level of formal confirmation required by the software company to ensure data destruction.

Correct answer

Certification

Explanation

Certification involves obtaining a formal document or statement from a reputable third party that confirms the destruction of the hard drives and the unrecoverability of the data. Certification provides a clear and documented confirmation of the data destruction process, making it the best option for fulfilling the software company’s requirement.

Question 87Skipped

An application developer is using the same key for both encrypting and decrypting data to improve data transfer speeds. Which of the following BEST describes this type of encryption?

Correct answer

Symmetric

Explanation

Symmetric encryption uses the same key for both encryption and decryption processes. It is a faster and more efficient encryption method compared to asymmetric encryption, making it suitable for encrypting large amounts of data.

Asymmetric

Explanation

Asymmetric encryption uses different keys for encryption and decryption processes, providing a higher level of security compared to symmetric encryption. Using the same key for both processes is not characteristic of asymmetric encryption.

Key length

Explanation

Key length refers to the size of the encryption key used in the encryption process. While key length is an important factor in encryption security, using the same key for both encryption and decryption processes is not related to key length.

Hashing

Explanation

Hashing is a process that generates a fixed-size string of bytes from input data, typically used for data integrity verification. It is not used for encryption and does not involve the use of keys for encryption and decryption processes.

Question 88Skipped

A cybersecurity analyst is using specialized software to investigate a marketplace where illegal goods and services, such as stolen credit card information and ransomware kits, are being bought and sold anonymously. Which of the following BEST describes this marketplace?

Threat feed

Explanation

A threat feed is a source of threat intelligence that provides information on current cybersecurity threats, such as malware signatures, IP addresses, and domain names associated with malicious activity. It is not specifically related to investigating illegal goods and services on the dark web.

Shadow IT

Explanation

Shadow IT refers to the use of unauthorized software, applications, or services within an organization without the knowledge or approval of the IT department. It is not related to investigating illegal activities on the dark web.

Correct answer

Dark web

Explanation

The dark web is a part of the internet that is not indexed by traditional search engines and requires special software, such as Tor, to access. It is known for hosting illegal activities, such as the buying and selling of stolen data and malware kits, making it the best description for the marketplace in question.

SCAP

Explanation

SCAP (Security Content Automation Protocol) is a standardized method for exchanging security-related information, such as vulnerability assessments and security configuration checks. It is not directly related to investigating illegal activities on the dark web.

Question 89Skipped

A mobile app developer unknowingly installs a malicious application by bypassing the official app store and downloading it from an unverified third-party website. Which of the following BEST describes this method of application installation?

Watering hole

Explanation

Watering hole refers to a technique where attackers compromise a legitimate website frequented by their target audience to distribute malware. It does not involve the direct installation of malicious applications by bypassing official app stores.

Correct answer

Side loading

Explanation

Side loading is the process of installing applications on a device from a source other than the official app store, such as downloading from a website or transferring from a computer. This method can expose users to security risks as the apps may not undergo the same level of scrutiny and validation as those from official stores.

Trojan

Explanation

A Trojan is a type of malware that disguises itself as a legitimate file or software to trick users into downloading and installing it. While the malicious application in this scenario may indeed be a Trojan, the method of installation described is more accurately categorized as side loading.

Jailbreaking

Explanation

Jailbreaking refers to the process of removing software restrictions imposed by the device manufacturer or operating system to gain access to unauthorized apps and features. While jailbreaking can lead to the installation of malicious apps, the act of side loading from unverified sources is a separate method of installing applications.

Question 90Skipped

An organization has recently conducted an employee offboarding process. As part of the process, they are removing access to internal systems and deactivating user accounts to ensure that former employees can no longer access sensitive data. Which of the following BEST describes this action?

Password expiration

Explanation

Password expiration refers to the practice of setting a time limit on the validity of a user’s password. This is typically done to enforce regular password changes and enhance security. However, in the scenario described, the organization is not simply expiring passwords but actively removing access to internal systems and deactivating user accounts.

Account lockout

Explanation

Account lockout is a security feature that automatically locks a user’s account after a certain number of failed login attempts. While this can help prevent unauthorized access, it is not the same as actively deactivating user accounts and removing access to internal systems during an offboarding process.

Correct answer

De-provisioning user accounts

Explanation

De-provisioning user accounts involves the process of removing access to internal systems and deactivating user accounts when an employee leaves the organization. This is the best description of the action taken during an employee offboarding process to ensure that former employees can no longer access sensitive data.

Identity proofing

Explanation

Identity proofing is the process of verifying the identity of an individual before granting access to systems or resources. While important for security, it is not directly related to the action of deactivating user accounts and removing access during an offboarding process.