Security701 Dumps

The document consists of a series of cybersecurity-related multiple-choice questions, covering topics such as risk assessment, incident response, and security controls. Each question presents a scenario or concept, followed by four answer options. The questions are designed to assess knowledge in various areas of cybersecurity, including GDPR compliance, network security, and threat detection.

Uploaded by: Sböniso Sboh
Copyright: © All Rights Reserved

Question 1 of 284

Which of the following is used to calculate the impact to an organization per cybersecurity incident?

A. SLE

B. ALE

C. ARO

D. SLA

Answer: ________

Question 2 of 284

Which of the following roles is most likely to be considered under GDPR legislation?

A. Data processor

B. Data controller

C. Data subject

D. Data custodian

Answer: ________

Question 3 of 284

An administrator needs to log all events that occur on a system. Which of the following logs does the
security administrator need to review?

A. Data loss prevention system

B. Core infrastructure

C. Enterprise

D. DNS resolution

Answer: ________

Question 4 of 284

A security analyst is reviewing the following logs about a suspicious activity alert for a user's VPN log-ins:

Date        Time      Result   Source IP        Location
2023-01-23  08:21:41  Success  207.414.201.19   Chicago-IL-USA
2023-01-24  08:23:41  Success  207.414.201.19   Chicago-IL-USA
2023-01-25  08:29:39  Success  207.414.201.19   Chicago-IL-USA
2023-01-26  08:27:44  Success  207.414.201.19   Chicago-IL-USA
2023-01-27  08:22:54  Success  207.414.201.19   Chicago-IL-USA
2023-01-27  08:45:35  Success  185.17.106.237   Rome-Italy
2023-01-27  09:17:55  Success  185.17.105.137   Rome-Italy
2023-01-27  09:55:36  Success  207.414.201.19   Chicago-IL-USA
2023-01-27  16:28:15  Success  207.414.201.19   Chicago-IL-USA

Which of the following malicious activity indicators triggered the alert?

A. Impossible travel

B. Account lockout

C. Blocked content

D. Concurrent session usage

Answer: ________

Question 5 of 284

Which of the following should be implemented to minimize risk between systems?

A. Policy enforcement

B. Authentication

C. Zero trust architecture

D. Confidentiality

Answer: ________

Question 6 of 284

[Original question text garbled by OCR; likely intended to be:]

"An accounting employee recently used software that was not approved by the company. Which of the following risks does this most likely represent?"

A. Unskilled attacker

B. Hacktivist

C. Shadow IT

D. Supply chain

Answer: ________

Question 7 of 284

Which of the following activities must be completed prior to closing the incident?

A. End-to-end encryption

B. Detection resource utilization

C. Evidence endpoint protection

D. Configuration enforcement

Answer: ________

Question 8 of 284

Which of the following is a primary advantage that network segmentation provides?

A. Increased user policy

B. Decreased bandwidth utilization

C. Enhanced endpoint protection

D. Cost optimization

Answer: ________

Question 9 of 284

Which of the following is the best way to prevent data from being leaked from a secure network that
does not need to communicate externally?

A. Air gap

B. Containerization

C. Virtualization

D. Decentralization

Answer: ________

Question 10 of 284

[Original question text garbled by OCR; likely intended to be:]

"After following a zero-day exploit, an attacker successfully exploits a hypervisor platform. Which of the following vulnerabilities was most likely exploited?"

A. Cross-site scripting

B. SQL injection

C. Buffer overflow

D. VM escape

Answer: ________

Question 11 of 284

A penetration tester is able to gain initial access to a hypervisor platform. Which of the following
best describes this type of threat actor?

A. Organized crime

B. Nation-state

C. Hacktivist

D. Unskilled attacker

Answer: ________

Question 12 of 284

An organization is working to reduce the likelihood of compromise in its systems during a
cyberattack. Which of the following could the company use to achieve this goal? (Choose two.)

A. Full disk encryption

B. Multi-factor authentication

C. Network segmentation

D. Virtual private network

E. Emergency key management

F. Digital signatures

Answer: ________

Question 13 of 284

An organization is following a process to evaluate apps daily to match requirements and is
implementing compensating controls to better protect its systems from external threats. Which of
the following would be most effective? (Choose two.)

A. Including the NIST and MITRE as part of the risk assessment

B. Tracking and documenting network risks using a risk register

C. Assigning a level of high, medium, or low to the risk rating

D. Using ALE and ARO to help determine whether a risk should be mitigated

Answer: ________

Question 14 of 284

While a user reviews their email, a host gets infected by malware that came from an external hard
drive plugged into the host. The malware steals all the user’s credentials stored in the browser.
Which of the following best describes this attack?

A. Operational security

B. Removable media and cables

C. Password management

D. Social engineering

Answer: ________

Question 15 of 284

An administrator needs to set up an internal network with multiple VLANs. Which of the following
would best allow the administrator to manage the network effectively?

A. Load balancers

B. Access zones

C. Virtual private networks

D. Proxy servers

Answer: ________

Question 16 of 284

A company recently purchased a new building that does not have an existing wireless or wired
infrastructure. A network engineer at the company needs to determine the placement of the access
points in the new building.

A. Heat map

B. Internal assessment

C. Corporate reconnaissance

D. Site survey

Answer: ________

Question 17 of 284

An organization wants to increase its application availability by configuring redundant web servers.
Which of the following should the systems administrator implement?

A. Containerized

B. Multitenant

C. Load balanced

D. Virtualized

Answer: ________

Question 18 of 284

A database server receives an email that includes a digital signature for verifying authenticity. Which
of the following can ensure the sender did not alter or distort the email?

A. Masking

B. Confidentiality

C. Tokenization

D. Hashing

Answer: ________

Question 19 of 284

An employee’s leadership team wants to react appropriately to a critical situation on a company’s
computer. When the employee clicks on a malicious link, the employee’s screen displays odd text
requesting payment in order to disconnect their computers from the internet and shut them down.
Which of the following describes this type of malware?

A. Trojan

B. Worm

C. Ransomware

D. Virus

Answer: ________

Question 20 of 284

An organization decides that most employees will work remotely. The existing VPN solution does not
have adequate bandwidth, and the content filtering proxy is on premises. Which of the following
strategies will enable remote workers to access the corporate network securely?

A. Integrate with an SASE platform, and deploy the agent to all laptops.

B. Purchase a larger internet circuit, and create a NAT policy for the proxy.

C. Purchase a SOAR solution to decrease response times for remote workers.

D. Install a secondary VPN and proxy at the disaster recovery site, and automate failover.

Answer: ________

Question 21 of 284

Which of the following is the most likely reason a security analyst would review SIEM logs?

A. To check for recent password reset attempts

B. To monitor for potential DDoS attacks

C. To assess the scope of a privacy breach

D. To see correlations across multiple hosts

Answer: ________

Question 22 of 284

Which of the following would best describe the state of a system in the event of a system failure?

A. System rebooting

B. Containment controls

C. Full backup

D. Log aggregation

Answer: ________

Question 23 of 284

During a vulnerability scan, a database administrator finds that the database has been compromised
by an attacker before the update completed in order to allow access to the system. Which of the
following best describes this scenario?

A. Patch management

B. Data exfiltration

C. File backup update

D. Disk imaging

Answer: ________

Question 24 of 284

A company’s accounts payable clerk receives a message from a vendor asking to change their bank
account before paying an invoice. The clerk makes the change and sends the payment to the new
account. Days later, the clerk discovers the original bank account. Which of the following has most
likely occurred?

A. Phishing campaign

B. Data exfiltration

C. Pretext calling

D. Business email compromise

Answer: ________

Question 25 of 284

The board of a company needs to take technical problems into account when defining the
company’s risk management policies. Which of the following risk management policies does the
board need to explain to the stakeholders?

A. The company’s risk assessment

B. The company’s risk acceptance

C. The company’s risk register

D. The company’s risk tolerance

Answer: ________

Question 26 of 284

A systems administrator is concerned with a specific technical problem and wants to define a plan to
resolve it. Which of the following reports should the administrator implement?

A. Mitigation procedure

B. Incident report

C. Change management

D. Risk tracking

Answer: ________

Question 27 of 284

A security analyst receives an alert from a front-end web server connected to a database back end.
The alert contains the following logs:

SELECT * FROM users WHERE UserID = 1=1
SELECT * FROM users WHERE username = 'admin'--' AND password = 'password'
IF 1=1 THEN dbms_lock.sleep(20) ELSE dbms_lock.sleep(0); END IF; END;

Which of the following attacks is occurring?

A. Buffer overflow

B. Brute-force

C. Injection

D. Replay

Answer: ________

Question 28 of 284

Which of the following controls are intended to restrict connectivity to a router’s web management
interface to protect it from being exploited by a vulnerability?

A. Data classified as public in other countries

B. Physically identifiable data while traveling

C. Patient data shared between doctors in other nations

D. Data stored outside of a country’s borders

Answer: ________

Question 29 of 284

[Original question text garbled by OCR; likely intended to be:]

"Which of the following techniques will provide assurance of the application’s integrity?"

A. Data classification

B. Physical identification

C. Static analysis

D. Code signing

Answer: ________

Question 30 of 284

A penetration test reveals that users can easily access internal VLANs from the company’s guest Wi-
Fi. Which of the following security principles would remediate this vulnerability by improving
network authentication?

A. VLAN ACLs

B. Captive portal

C. DNSSEC

D. 802.1X

Answer: ________

Question 31 of 284

A company recently set up a system for employees to access their files remotely. However, the IT
team has noticed that some employees are using personal devices to access the system. Which of
the following security controls should be implemented?

A. Multifactor Authentication

B. Conditional Access Policies

C. Cloud Access Security Broker

D. Data Loss Prevention

Answer: ________

Question 32 of 284

Which of the following security controls is a company implementing by deploying HIPS? (Choose
two.)

A. Directive

B. Preventive

C. Physical

D. Corrective

E. Compensating

F. Detective

Answer: ________

Question 33 of 284

Which of the following are the best physical security measures that discourage unauthorized
vehicles from entering a data center while still allowing foot traffic?

A. Full-size entry gates

B. Bollards

C. Video surveillance

D. Retractable bollards

Answer: ________

Question 34 of 284

Which of the following is the least ideal method for protecting against lost or compromised devices?

A. Access control

B. Data classification

C. Change management

D. Endpoint protection

Answer: ________

Question 35 of 284

A device cannot be reached. Which of the following logs would most likely help identify the root cause?

A. Firewall

B. IDS

C. Application

D. System

Answer: ________

Question 36 of 284

Which of the following methods is most appropriate to protect data in transit?

A. Encryption

B. Obfuscation

C. Permission restrictions

D. Hashing

Answer: ________

Question 37 of 284

Which of the following best describes a strategy to mitigate the risk of PHI being emailed or
downloaded to unapproved external media?

A. Deploying DLP software on servers and endpoints

B. Enforcing servers and endpoints to use a centralized web proxy

C. Implementing secure protocols on servers and endpoints

D. Installing EDR software on servers and endpoints

Answer: ________

Question 38 of 284

After a successful social engineering attack, an administrator receives a notification that
administrative passwords were changed. Which of the following should be used to prevent this
incident from occurring in the future?

A. Password management

B. Email retention policy

C. Password policy

D. Password vault

Answer: ________

Question 39 of 284

Which of the following would best prepare a security team for a specific incident response scenario?

A. Situational awareness training

B. Qualified risk analysis

C. Root cause analysis

D. Change management procedures

Answer: ________

Question 40 of 284

Several employees proactively patch their own workstations to mitigate a known vulnerability.
Which of the following should the SOC personnel do?

A. Replication allow list

B. Workstation hardening

C. Integration of unsigned code

D. Whitelist

Answer: ________

Question 41 of 284

Employees receive an urgent message from an unknown source instructing them to click a link to
avoid losing access to their email. The message appears to come from the Chief Executive Officer,
but it is later determined to be fraudulent. Which of the following types of attacks is this? (Choose
two.)

A. Impersonation

B. Smishing

C. Spoofing

D. Typosquatting

E. Pretexting

F. Phishing

Answer: ________

Question 42 of 284

An employee needs to patch an OS binary that impacts a large corporation’s laptops. Which of the
following risks is associated with this action?

A. Ownership

B. Inventory

C. Classification

D. Impersonation

E. Enumeration

F. Typo squatting

Answer: ________

Question 43 of 284

Which of the following is the best way to ensure that all corporate laptops are patched?

A. Quarterly

B. Streaming

C. Validation

D. Patching

Answer: ________

Question 44 of 284

Which of the following is most likely a security concern when installing and using low-cost IoT
devices in infrastructure environments?

A. Counterfeit products

B. Device responsiveness

C. Ease of deployment

D. Data remanence

Answer: ________

Question 45 of 284

All of the following are steps that a security analyst should take before allocating the risk of a
cyberattack. Which of the following should the analyst configure to help secure the enterprise
infrastructure? (Choose two.)

A. Notifying stakeholders

B. Hardening the system

C. Identifying the threat

D. NAC

E. Developing a recovery plan

F. Analyzing the incident

Answer: ________

Question 46 of 284

An attorney prints confidential documents to a copier in an office space near multiple workstations
and a reception desk. When the attorney goes to the copier to retrieve the documents, the
documents are missing. Which of the following is the best course of action?

A. Place the copier in the legal department.

B. Configure DLP on the attorney’s workstation.

C. Set up LDAP authentication on the printer.

D. Conduct a physical penetration test.

Answer: ________

Question 47 of 284

Which of the following actions is deployed in a data center to perform a post-compromise
mitigation?

A. Move the data center to an air-gapped environment.

B. Use the same log-in through Group Policy.

C. Copy the device into a sandbox.

D. Eliminate public access to the MDM platform.

Answer: ________

Question 48 of 284

A user logs into a deployed system and uses a pre-configured account to delete everything to them.
This is known as:

A. Right to be forgotten

B. Data breach acknowledgment

C. Self-destruction

D. Uninterruptible power supply

Answer: ________

Question 49 of 284

A cardholder verifies that only one user has access to their account, but the request displays all the
users’ credit cards. Which of the following most likely explains this issue?

A. Right to be forgotten

B. Misconfiguration and acknowledgement

C. Key extension

D. Information deletion

Answer: ________

Question 50 of 284

An analyst notices that multiple files have been tampered with, but the operating system has
completely ignored the modifications. Which of the following issues occurred?

A. Data misalignment

B. Side loading

C. Key overwrite

D. Jailbreaking

Answer: ________

Question 51 of 284

An employee receives a file that looks legitimate but contains a payload that allows the attacker to
access the gaming platform using administrative credentials. Which of the following issues occurred?

A. Data misalignment

B. Fileless processing

C. Malicious update

D. Jailbreaking

Answer: ________

Question 52 of 284

An employee executes text files that include sensitive data and updates the file. Which of the
following is the correct term for this action?

A. Data obfuscation

B. Fileless processing

C. Malicious update

D. Jailbreaking

Answer: ________

Question 53 of 284

In the following scenario, the engineer runs an IPS to monitor non-traffic-based attacks. Which of
the following should the engineer review to identify the command used by the threat actor?

A. SIEM data

B. Application log

C. WAF log

D. Syslog

Answer: ________

Question 54 of 284

A network architect is designing a global infrastructure and likely to be formed between two
companies. Which of the following infrastructure solutions is the best for this purpose?

A. SDM

B. MPLS

C. MPBG

D. SIGMA

Answer: ________

Question 55 of 284

A security team performs a project and identifies possible vulnerabilities. Which of the following
types of analysis should the security team configure?

A. GNSI

B. PKI

C. Penetration

D. Dynamic

Answer: ________

Question 56 of 284

In the following scenario, a tool is deployed to detect misconfigurations. The team is overwhelmed
by the number of misconfigurations the tool detects. Which of the following should the security
team configure?

A. Flagging

B. Identification

C. Hyperlinking

D. Monitoring

Answer: ________

Question 57 of 284

A company is in the process of cutting costs. The CIO believes that most of the current staff are likely
to be terminated. Which of the following would most likely help the security team mitigate the risk?

A. Standardize data classification

B. Communicate with the CISO

C. Configure DLP to monitor staff who will be terminated

D. Educate executives on social engineering techniques


Answer: ________

Question 58 of 284

A security analyst is performing vulnerability scanning and results in a risk-rated list. Which of the
following is the most efficient tool for the analyst to use?

A. Common impact testing

B. Vulnerability Scoring System

C. Risk delegation

D. Password rotation

Answer: ________

Question 59 of 284

A user receives an email with a malicious attachment. The user opens the attachment and the file is
encrypted. Which of the following is the most likely action performed by the penetration tester?

A. Encrypt all personally identifiable attributes

B. Decrypt all the person’s data

C. Share all of the person’s data

D. Obfuscate all of the person’s data

Answer: ________

Question 60 of 284

An administrator must authenticate users to systems using credentials already authenticated by a
business partner’s LDAP system. Which of the following should the administrator deploy to enable
this functionality?

A. Media access control

B. Interoperability

C. OAUTH

D. Federation

Answer: ________

Question 61 of 284

The chief information security officer determines that several systems are running slowly. Several
users report seeing virus detection alerts. Which of the following mitigation techniques should be
reviewed?

A. Hashing

B. Patching

C. Monitoring

D. Isolation

Answer: ________

Question 62 of 284

Which of the following actions would be part of the review of false positives that an analyst should
conduct?

A. Create playbooks as part of a SOAR platform.

B. Pausing the patch management process.

C. Replace an EDR tool with an XDR solution.

D. Disable AI heuristics scanning.

Answer: ________

Question 63 of 284

A government agency requires publicly traded organizations to report cyber breaches within a
designated time period. By law, these reports are made public. Which of the following could cause
loss of existing and future business?

A. Fines and penalties

B. Reputational damage

C. Board oversight

D. Conflicts of interest

Answer: ________

Question 64 of 284

Which of the following would a service provider supply as an assurance for a disposal service as part
of a disposal process?

A. Insurance

B. Certification

C. Classification

D. Retention

Answer: ________

Question 65 of 284

The security department is remediating vulnerabilities that were found during an audit of newly
deployed systems. Which of the following must be done to ensure compliance?

A. Confirm false positives.

B. Review the attack surface.

C. Conduct a rescan.

D. Report the remediations.

Answer: ________

Question 66 of 284

A company with a high-availability website is looking to harden its controls at any cost. The company
wants to ensure that the site is secure by finding any possible issues. Which of the following would
most likely achieve this goal?

A. Permission restrictions

B. Bug bounty program

C. Vulnerability scan

D. Reconnaissance

Answer: ________

Question 67 of 284

A government official visits a company and posts the content of the email to social media. Which of
the following policies will the HR employee most likely need to review after this incident?

A. Espionage

B. Operation security

C. Financial gain

D. Data loss prevention

E. Blackmail

F. Social engineering

Answer: ________

Question 68 of 284

A Chief Security Officer specifies a requirement to allow access to SSH and RDP ports to connect to a
single jump host. Which of the following best describes this configuration?

A. The company built a new file-sharing site.

B. The company requested a new jump host.

C. The security team is integrating with an SASE platform.

D. The security team created a honeynet.

Answer: ________

Question 69 of 284

Which of the following sites offers immediate service restoration following a disaster?

A. Cloud-based

B. Hot

C. Warm

D. Cold

Answer: ________

Question 70 of 284

Which of the following is an example of a certificate that is generated by an internal source?

A. Digital signature

B. Asymmetric key

C. Self-signed

D. Symmetric key

Answer: ________

Question 71 of 284

Which of the following is a benefit of an RTO when conducting a business impact analysis?

A. It determines the likelihood of an incident and its cost.

B. It determines the roles and responsibilities for incident responders.

C. It determines the state that systems should be restored to following an incident.

D. It determines how long an organization can tolerate downtime after an incident.

Answer: ________

Question 72 of 284

In the following scenario, a device is detected that can be used to send malicious emails from
external devices. The connections appear to be originating from surrounding buildings. Which of the
following would best help mitigate this issue?

A. Mobile device management

B. Encrypted keys

C. Hashing

D. Obfuscation

Answer: ________

Question 73 of 284

A user is trying to download a file to a remote desktop and receives an error indicating that no
empty directories are available. Which of the following was most likely the cause of this failure?

A. Capacity planning

B. Event planning

C. Backups

D. Platform diversity

Answer: ________

Question 74 of 284

An organization has services that involve a large number of computers. These services require a high
degree of control over the configuration of the on-premises web proxy. Which of the following
changes would best improve the security of the system?

A. Implementing access control

B. Configure the local gateway to point to the VPN

C. Create a public NAT to the on-premises proxy

D. Install a cloud-based content filtering solution.

Answer: ________

Question 75 of 284

A security analyst wants to automate a task that shares data between programs. Which of the
following is the best option for the analyst to use?

A. SOAR

B. API

C. SFTP

D. RDP

Answer: ________

Question 76 of 284

An auditor wants to focus on a specific area of an organization’s security posture. Which of the
following should the auditor recommend implementing?

A. Situational awareness

B. Operational security

C. Password management

D. Acceptable use policy

Answer: ________

Question 77 of 284

An auditor is reviewing a legacy web site that is available to a group of developers with
administrative credentials. Which of the following should the auditor recommend implementing?

A. Typo squatting

B. Credential stuffing

C. Data loss prevention

D. Encryption

Answer: ________

Question 78 of 284

Which of the following attacks is most likely to occur if a company is relying on a single sign-on
solution?

A. Typo squatting

B. Organizational change

C. Default password

D. Credential reuse

Answer: ________

Question 79 of 284

Which of the following is the best way to control access to a system in a banking environment?

A. Regularly reported to shareholders

B. Elegant alternative change

C. Critical gaps and required for remediation

D. The manual equipment is eliminated

Answer: ________

Question 80 of 284

A security analyst identifies an employee who added an unauthorized wireless router to an office
branch. After an investigation, the router is removed, and the employee is given mandatory
retraining. Which of the following best describes this scenario?

A. Unskilled attacker

B. Hacktivist

C. Nation-state

D. Shadow IT

Answer: ________

Question 81 of 284

Which of the following is the best safeguard to protect against an extended power failure?

A. Off-site backups

B. Batteries

C. Uninterruptible power supplies

D. Generators

Answer: ________

Question 82 of 284

There is a certificate mismatch, and the client receives a warning about the connection. Which of the
following is most likely to be one of those steps?

A. The server uses a wildcard certificate

B. The server uses a root certificate

C. The server uses no certificate at all

D. The server updates a self-signed certificate

Answer: ________

Question 83 of 284

Prior to implementing a change with an application, the team needs to ensure that it does not cause
any security issues. Which of the following is most likely to be one of those steps?

A. Managed reputation for the organization

B. Load testing

C. Maintenance notifications

D. Procedure updates

E. Quicker discovery of vulnerabilities

F. Improved patch management process

Answer: ________

Question 84 of 284

Which of the following best explains a concern with OS-based vulnerabilities?

A. An exploit would give an attacker access to system functions that span multiple applications

B. The OS vendor’s patch cycle is not frequent enough to mitigate the large number of threats

C. Most users trust the core operating system features and may not notice if the system has been
compromised

D. Exploitation of an operating system vulnerability is typically easier than any other vulnerability

Answer: ________

Question 85 of 284

During a penetration test in a hypervisor, the security engineer is able to use a script to inject a
malicious payload and access the host filesystem. Which of the following best describes this
vulnerability?

A. VM escape

B. Cross-site scripting

C. Malicious update

D. SQL injection

Answer: ________

Question 86 of 284

Which of the following security controls are a company implementing by deploying HIPS? (Choose
two.)

A. Directive

B. Preventive

C. Physical

D. Corrective

E. Compensating

F. Detective

Answer: ________

Question 87 of 284

Which of the following describes effective change management procedures?

A. Approving the change after a successful deployment

B. Having a backout plan when a patch fails

C. Using a spreadsheet for tracking changes

D. Using an automatic change control bypass for security updates

Answer: ________

Question 88 of 284

A company is experiencing a high number of users who are clicking on email-based attacks even
though those users have completed annual training. The company’s Chief Security Officer wants to
identify and reduce the risk. Which of the following is the best course of action?

A. Begin a semiannual in-person training course with mandatory attendance. The users would
perform exercises that simulate answering phone calls from attackers performing social engineering
attacks.

B. Deploy a product that would occasionally send users emails to simulate an attack. The product
would alert the security team whenever a user clicks links in the product’s emails.

C. Hire a security consultant to give a personalized seminar at the company. The consultant would
share stories of famous companies that had breaches and explain the ramifications of those events.

D. Require an MFA when signing in to the email client. Users would need to authenticate once a
week at a minimum and daily when working remotely.

Answer: ________

Question 89 of 284

Which of the following is most likely to be implemented to mitigate the risk of exposing sensitive
company data?

A. Filtered ports/protocols

B. Application allow list

C. Audit password changes

D. Access control permissions

Answer: ________

Question 90 of 284

A company decides to purchase an insurance policy. Which of the following risk management
strategies is this company implementing?

A. Mitigate

B. Accept

C. Avoid

D. Transfer

Answer: ________

Question 91 of 284

Which of the following principles requires that a company must keep files or records for a prescribed
period of time before it disposes of those files or records?

A. Data verification

B. Data backups

C. Data archiving

D. Data retention

Answer: ________

Question 92 of 284

A security analyst is monitoring logs from the organization’s SIEM and identifies logs related to one
of their salespeople:

Time   Source IP    Location  ID     Service  Result
14:02  72.45.38.27  Atlanta   25687  VPN      Success
14:04  72.45.38.27  Atlanta   25687  Email    Failure
14:07  58.67.47.48  Beijing   25687  VPN      Success
14:15  72.45.38.27  Atlanta   25687  Teams    Success

Which of the following is being displayed in the logs?

A. Impossible travel

B. SMTP replay

C. Directory traversal

D. Cross-site request forgery

Answer: ________

Question 93 of 284

A company wants to update its disaster recovery plan to include a dedicated location for immediate
continued operations if a catastrophic event occurs. Which of the following options is best to include
in the disaster recovery plan?

A. Hot site

B. Warm site

C. Geolocation

D. Cold site

Answer: ________

Question 94 of 284

Which of the following attacks exploits a potential vulnerability as a result of direct access to a
system using weak cryptographic algorithms?

A. Password cracking

B. On-path

C. Digital signing

D. Side-channel

Answer: ________

Question 95 of 284

HOTSPOT

An organization has learned that its data is being exchanged on the dark web. The CIO has requested
that you investigate and implement the most secure solution to protect employee accounts.
INSTRUCTIONS

Review the data to identify weak security practices and provide the most appropriate security
solution to meet the CIO’s requirements.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.

[Image of UI with “Directory contents” and “Compensation report” icons]

Answer: ________

Question 96 of 284

Which of the following describes the reason for using an MDM solution to prevent jailbreaking?

A. To secure end-of-life devices from incompatible firmware updates

B. To avoid hypervisor attacks through VM escape

C. To eliminate buffer overflows at the application layer

D. To prevent users from changing the OS of mobile devices

Answer: ________

Question 97 of 284

Which of the following is the best mitigation for a zero-day vulnerability found in mission-critical
production servers that must be highly available?

A. Virtualizing and migrating to a containerized instance

B. Removing and sandboxing to an isolated network

C. Monitoring and implementing compensating controls

D. Patching and redeploying to production as quickly as possible

Answer: ________

Question 98 of 284

An activity director has reported high latency and availability issues on the right side of the
network. Following the investigation, the switch is configured to allow VLAN 20 to be active. Which
of the following is the most likely cause of the issue?

A. Buffer overflow

B. ICMP amplification attack

C. VLAN

D. MAC flooding attack

Answer: ________

Question 99 of 284

A computer network architect is modeling networks that include guest Wi-Fi. Working with a
security analyst, the team needs to provide a solution that will allow users to securely access the
corporate internal resources.

A. Segmentation

B. Virtualized

C. Perimeter network

D. Wireless

Answer: ________

Question 100 of 284

In the following scenario, the organization has designed a new architecture that is isolated from the
open-source software. Which of the following should the team configure first within the
infrastructure?

A. Alignment policies

B. Virtualized inspection

C. Integrated reporting

D. Firewall rules

Answer: ________

Question 101 of 284

A security analyst is analyzing an organization’s success rate for detecting and preventing specific
cyberattacks. Which of the following degrees will help the team identify the root cause of the
attack?

A. MFA

B. SIEM

C. NAC

D. IDS

Answer: ________

Question 102 of 284

A security analyst needs to protect internal company assets from being accessed by unauthorized
users. Which of the following should the administrator implement?

A. Mitigation

B. Segmentation

C. ACE/W

D. HIPAA

Answer: ________

Question 103 of 284

Which of the following is used to protect internal company assets from being accessed by
unauthorized users regardless of where they are working?

A. NetFlow

B. Segmentation

C. Development network

D. HIPS

Answer: ________

Question 104 of 284

A remote employee navigates to a shopping website on their company-owned computer. The
employee clicks a link that contains a malicious file. Which of the following would prevent this file
from downloading?

A. DLP

B. FIM

C. NAC

D. EDR

Answer: ________

Question 105 of 284

A security analyst is reviewing the security of a SaaS application that the company intends to
purchase. Which of the following documentations should the security analyst request from the SaaS
application vendor?

A. Service-level agreement

B. Third-party audit

C. Statement of work

D. Data privacy agreement

Answer: ________

Question 106 of 284

A security administrator protects passwords by using hashing. Which of the following best describes
what the administrator is doing?

A. Adding extra characters at the end to increase password length

B. Generating a token to make the passwords temporary

C. Using mathematical algorithms to make passwords unique

D. Creating a rainbow table to protect passwords in a list

Answer: ________

Question 107 of 284

A customer changes the underlying file structure of a new mobile phone to install a keylogger with
administrator permissions. Which of the following does this best describe?

A. Resource reuse

B. Bloatware installation

C. Side loading

D. Jailbreaking

Answer: ________

Question 108 of 284

Which of the following digital forensics activities would a security team perform when responding to
legal requests in a pending investigation?

A. E-discovery

B. User provisioning

C. Firewall log export

D. Root cause analysis

Answer: ________

Question 109 of 284

A security analyst is reviewing the security of a SaaS application that the company intends to
purchase. Which of the following documentations should the security analyst request from the SaaS
application vendor?

A. Service-level agreement

B. Third-party audit

C. Statement of work

D. Data privacy agreement

Answer: ________

Question 110 of 284

Which of the following is the best way to mitigate the risk of a DNS poisoning attack occurring on the
network and then terminates access for the affected applications?

A. Disable Telnet

B. Sharing HIPS

C. Credential stuffing

D. DMARC failure

E. Reconfigure the DNS

F. Delete the public certificate.

Answer: ________

Question 111 of 284

Which of the following are the best practices for managing security patches in a production
environment? (Choose two.)

A. To track the status of patch installations

B. To analyze the impact of patching on cloud deployments

C. To continuously monitor hardware inventory

D. To hunt for active attackers in the network

Answer: ________

Question 112 of 284

A security patch is applied to a server. Which of the following will validate this remediation?

A. Rescanning

B. Dynamic analysis

C. Reporting

D. Static analysis

Answer: ________

Question 113 of 284

The internal security team is investigating a suspicious attachment and wants to perform a behavior
analysis in an isolated environment. Which of the following will the security team most likely use?

A. Sandbox

B. Jump server

C. Work computer

D. Container

Answer: ________

Question 114 of 284

A company is required to use certified hardware when building networks. Which of the following
best addresses the risks associated with procuring counterfeit hardware?

A. A thorough analysis of the supply chain

B. A legally enforceable corporate acquisition policy

C. A right to audit clause in vendor contracts and SOWs

D. An in-depth penetration test of all suppliers and vendors

Answer: ________

Question 115 of 284

An analyst discovers a suspicious item in the SQL server logs. Which of the following could be
evidence of an attempted SQL injection?

A. cat /etc/shadow

B. dig 25.36.99.11

C. cd ../../..

D. UserId = 10 OR 1=1

Answer: ________

Question 116 of 284

A company identified the potential for malicious insiders to harm the organization. Which of the
following measures should the organization implement to reduce this risk?

A. Unified threat management

B. Web application firewall

C. User behavior analytics

D. Intrusion detection system

Answer: ________

Question 117 of 284

After completing onboarding at a company and reviewing the company’s handbooks and AUP, an
employee downloads an unapproved application on a company desktop. Which of the following is
the best course of action?

A. Educate the employee’s manager.

B. Silently uninstall the software.

C. Ensure the employee completes focused training.

D. Terminate the employee.

Answer: ________

Question 118 of 284

An organization has published a list of domains that a non-authorized user can access. Which of the
following options can best prevent future access to unauthorized domains?

A. Privileged access management

B. Account lockout

C. Reuse policy

D. Deploy an allow list.

E. Complexity requirements

F. Update the proxy filters.

Answer: ________

Question 119 of 284

Users report that certain applications are not working properly. The company’s IT department
investigates and finds that the applications are communicating with unauthorized websites. Which
of the following is the best way to isolate the ongoing issue?

A. Penetration testing

B. Load balancer

C. Packet capture

D. Vulnerability scan

E. Firewall

F. Firewall rules analysis

Answer: ________

Question 120 of 284

A company is experiencing incidents of employees sending sensitive company data to their personal
email. An employee states that the data was placed in a single encrypted file before the file was sent
to their personal email. The security department wants to prevent this from happening again. Which
of the following types of employee training would most likely reduce the occurrence of this type of
issue? (Choose two.)

A. Privacy legislation

B. Social engineering

C. Perform a factory reset.

D. Risk management

E. Terminate the social media account.

F. Remote work

Answer: ________

Question 121 of 284

A Chief Information Security Officer (CISO) of an enterprise environment wants to ensure that users
cannot navigate to known malicious domains. The CISO also wants web traffic on the network
inspected for malicious content. Which of the following is the best course of action?

A. Place the intrusion system into IPS mode to block incoming malicious domains, and ensure secure
protocol selection is enforced on all network segments.

B. Deploy EDR software on all company systems, and perform user behavior analytics to detect users
going to anomalous domains.

C. Ensure the company’s name servers use DNS filtering, and configure systems to use a centralized
TLS proxy to inspect all HTTP and HTTPS traffic.

D. Set up a NAC on all segments of the company network, and set the network firewall to block
known malicious port numbers at the perimeter.

Answer: ________

Question 122 of 284

A user receives a malicious text message that routes to a fake bank login. Which of the following
attack types does this scenario describe?

A. Impersonation

B. Phishing

C. Vishing

D. Smishing

Answer: ________

Question 123 of 284

A group of people is working together to run multiple ransomware attacks against targets that the
group selected to yield the most financial gain. Which of the following best describes this type of
activity?

A. Organized crime

B. Nation-state actor

C. Shadow IT

D. Hacktivism

Answer: ________

Question 124 of 284

A security officer observes that a software development team is not complying with its corporate
security policy on encrypting confidential data. Which of the following categories refers to this type
of non-compliance?

A. External

B. Standard

C. Regulation

D. Internal

Answer: ________

Question 125 of 284

Which of the following data types best describes an AI tool developed by a company to automate
the ticketing system under a specific contract?

A. Classified

B. Regulated information

C. Open source

D. Intellectual property

Answer: ________

Question 126 of 284

Which of the following would best allow a company to prevent access to systems from the internet?

A. Containerization

B. Virtualization

C. SD-WAN

D. Air-gapped

Answer: ________

Question 127 of 284

While conducting a business continuity tabletop exercise, the security team becomes concerned by
potential impacts if a generator were to develop a fault during an extended outage. Which of the
following is the team most likely to consider when conducting and planning infrastructure
maintenance activities?

A. RPO

B. ARO

C. MTBF

D. MTTR

Answer: ________

Question 128 of 284

Which of the following methods provides the strongest level of assurance that an application has not
been tampered with?

A. Flag conditions

B. Checksum verification

C. Buffer overflow

D. Side loading

Answer: ________

Question 129 of 284

In the following scenario, the security team is investigating a potential insider threat. The team
discovers that an employee has been accessing sensitive company data and moving it to a personal
cloud storage account. Which of the following would best improve the company’s security posture?

A. Change management

B. Playbooks

C. Incident response

D. Acceptable use policy

Answer: ________

Question 130 of 284

A user receives a phone call from a government agency stating that their tax return is ready. The
caller asks where the user works, what division the user works in, and for additional personal
information. Which of the following types of attacks is this?

A. Challenge/response

B. Phishing

C. Social engineering

D. Acceptable use policy

Answer: ________

Question 131 of 284

A security analyst is investigating a potential insider threat. The analyst discovers that the user has
been accessing sensitive company data and moving it to a personal cloud storage account. Which of
the following tools should the incident response team deploy?

A. Insider threat

B. IPS

C. Social engineering

D. SIEM

E. Risky

F. EDR

Answer: ________

Question 132 of 284

Which of the following is a component of a risk register?

A. Key risk indicators

B. Continuous risk assessment

C. Risk appetite

D. Risk culture

Answer: ________

Question 133 of 284

Which of the following most securely protects data at rest?

A. TLS 1.2

B. AES-256

C. Masking

D. Salting

Answer: ________

Question 134 of 284

Which of the following is a vulnerability concern for end-of-life hardware?

A. Failure to follow hardware disposal procedures could result in unintended data release.

B. The supply chain may not have replacement hardware.

C. Newly released software may require computing resources not available on legacy hardware.

D. The vendor may stop providing patches and updates.

Answer: ________

Question 135 of 284

A company’s security team is reviewing its business continuity plan and must determine the amount
of time needed for operations to resume after a disaster. Which of the following describes the time
frame the security team is determining?

A. Recovery time objective

B. Recovery point objective

C. Mean time between failures

D. Mean time to repair

Answer: ________

Question 136 of 284

Which of the following is a risk for a company using end-of-life applications on its network?

A. Default credentials

B. Open service ports

C. Vulnerable software

D. Insecure networks

Answer: ________

Question 137 of 284

Which of the following makes IaC a preferred security architecture over traditional infrastructure
models?

A. Common attacks are less likely to be effective.

B. Configuration can be better managed and replicated.

C. Outsourcing to a third party with more expertise in network defense is possible.

D. Optimization can occur across a number of computing instances.

Answer: ________

Question 138 of 284

Which of the following is an advantage of a microservice-based architecture over traditional
software architectures?

A. Updates can be done one or more times per day if security issues arise.

B. Managing communication between microservices is more streamlined.

C. The internal structure of the code is hidden from users, making exploits more difficult to write.

D. The services are written by a single team and can be debugged more quickly.

Answer: ________

Question 139 of 284

A company is evaluating the risk of a software application that is being used internally. The security
team discovers that advertising data from the software is unexpectedly reporting back to the
overseas company. Which of the following best describes this risk?

A. Espionage

B. Supply chain

C. Nation-state

D. EWSR threat

Answer: ________

Question 140 of 284

An audit finds that an employee is able to access the company’s internal network via a phone to use
a new account. Which of the following would most likely prevent this activity in the future?

A. Standardizing security incident reporting

B. Establishing regular phishing campaigns

C. Implementing insider threat detection measures

D. Updating processes for sending wire transfers

Answer: ________

Question 141 of 284

A private equity firm has been the target of protests. The firm discovers its public website has been
defaced. Which of the following is most likely the threat actor?

A. Nation-state

B. Unskilled attacker

C. Organized crime

D. Hacktivist

Answer: ________

Question 142 of 284

During a penetration test, a tester is targeting a web application with confidential data. However,
the tester does not have access to the source code. Which of the following describes the type of test
being performed?

A. Fully known

B. Unknown

C. White box

D. Obfuscated

Answer: ________

Question 143 of 284

A security analyst performs a penetration test on a web application hosted on a server. The analyst
discovers that the web application is vulnerable to a cross-site scripting attack. Which of the
following is the most likely cause of this vulnerability?

A. Partially known

B. Unknown

C. Firewall

D. Obfuscated

Answer: ________

Question 144 of 284

In the following scenario, the analyst is investigating a suspicious file on an IoT device exploit. The
analyst needs to review logs to identify the time of initial exploit. Which of the following logs should
the analyst review?

A. File transfer access point

B. Switching

C. Privilege escalation

D. Code signing

Answer: ________

Question 145 of 284

A security administrator must use a strategy to protect the company’s data. The security
administrator decides to deploy FDE on the end user devices and TLS for all web connections. Which
of the following concepts best describes this strategy?

A. Data segmentation

B. Data in transit

C. Data sovereignty

D. Data in use

E. Data at rest

F. Data redundancy

Answer: ________

Question 146 of 284

An administrator is preparing to migrate an application from on-premises to the cloud. With which
of the following technologies would the admin improve security while reducing maintenance
overhead?

A. Migrating load balancing and HA

B. Migration from on premises to cloud

C. Purchase cybersecurity insurance

D. Decommission end-of-life hardware

Answer: ________

Question 147 of 284

A store is setting up wireless access for their employees. Management wants to limit the number of
access points while ensuring all areas of the store are covered. Which of the following tools will help
management determine the optimal placement of access points?

A. Signal locator

B. WPA3

C. Heat map

D. Site survey

Answer: ________

Question 148 of 284

A security engineer has received an authorization to analyze all email correspondence within a
specific date range. Which of the following actions should be taken to preserve the integrity of the
data?

A. Search logs to hold notifications to identify affected data.

B. Execute a restore to determine root cause analysis.

C. Physical chain of custody

D. Determine the type of preservation needed for evidence.

Answer: ________

Question 149 of 284

In the following scenario, a user is attempting to access a system while disconnected from the
corporate network. Which of the following should the user be allowed to do?

A. Enable replication

B. System to patch

C. Physical penetration test

D. NACFW reconnaissance

Answer: ________

Question 150 of 284

In much of the world, organizations are obligated to notify their clients of a data breach. During the
meeting, the team discusses the metrics that the organization must track in order to better respond
to future incidents. Which of the following metrics is the team discussing?

A. Endpoint protection

B. Analysis patching

C. Lessons learned

D. ESGR investment

Answer: ________

Question 151 of 284

A database engineer needs sample customer data for testing purposes. Which of the following
techniques can be used to remove sensitive information from database records while still providing
sufficient data to perform testing?

A. Obfuscation

B. RBAC

C. Tokenization

D. Filtering

Answer: ________

Question 152 of 284

Which of the following encryption methods protects data if a user loses their laptop?

A. Volume

B. Full disk

C. Partition

D. File

Answer: ________

Question 153 of 284

In the following scenario, an analyst is reviewing suspicious files that were downloaded to a user’s
machine. Which of the following techniques should the analyst use to evaluate the suspicious files
and report back as to whether they are malicious?

A. Sandboxing

B. Sandbox

C. Static analysis

D. Elimination

Answer: ________

Question 154 of 284

An organization is updating its incident response plan to include a simulation and assesses their
performance afterward. Which of the following best describes this activity?

A. Lessons learned

B. Root cause analysis

C. Disaster recovery planning

D. Tabletop exercise

Answer: ________

Question 155 of 284

Which of the following is a reason to perform a one-time risk assessment?

A. Quantifying an annual loss expectancy

B. Updating the risk register periodically

C. Complying with a regulation

D. Decommissioning an application

Answer: ________

Question 156 of 284

An employee from the accounting department logs in to the website used for processing the
company’s payments. After logging in, a new desktop application automatically downloads on the
employee’s computer and installs itself. Which of the following best describes this attack?

A. XSS

B. Watering hole

C. Typosquatting

D. Buffer overflow

Answer: ________

Question 157 of 284

An EDR solution recognizes that a specific workstation has outbound traffic to a malicious IP. Which
of the following would be the best action to take to contain the threat?

A. Change the passwords for all users accessing that workstation.

B. Isolate the workstation as part of immediate response.

C. Patch the workstation because it is likely vulnerable.

D. Review the hardening and policies affecting that workstation.

Answer: ________

Question 158 of 284

Which of the following is most likely to protect an organization from a loss of life, business-critical
system?

A. Financial gain

B. Safety disruption

C. Philosophical beliefs

D. Corporate espionage

Answer: ________

Question 159 of 284

Which of the following is the best way to protect a vehicle from damage?

A. Security guard

B. Sensor

C. Flight path

D. Objects

Answer: ________

Question 160 of 284

In the following scenario, the developer creates a new application that is deployed to a cloud
environment. Which of the following describes this capability?

A. Security guard

B. Balancing

C. Logging

D. Bastion

Answer: ________

Question 161 of 284

In the following scenario, the developer creates a new application that is deployed to a cloud
environment. Which of the following describes this capability?

A. IaaS

B. Microservices

C. Containers

D. IaaS

Answer: ________

Question 162 of 284

Which of the following data recovery strategies will result in a quick recovery at low cost?

A. Hot

B. Cold

C. Manual

D. Warm

Answer: ________

Question 163 of 284

An MSSP manages firewalls for hundreds of clients. Which of the following tools would be most
helpful to create a standard configuration template in order to improve the efficiency of firewall
changes?

A. SNMP

B. Benchmarks

C. NetFlow

D. SCAP

Answer: ________

Question 164 of 284

After multiple phishing simulations, the Chief Security Officer announces a new program that
incentivizes employees to not click phishing links in the upcoming quarter. Which of the following
security awareness execution methods is this?

A. Computer-based training

B. Insider threat awareness

C. SOAR playbook

D. Gamification

Answer: ________

Question 165 of 284

In the following scenario, the analyst is investigating a potential insider threat. The analyst discovers
that an employee has been accessing sensitive company data and moving it to a personal cloud
storage account. Which of the following vulnerability types will the analyst most likely find on the
workstations?

A. Misconfiguration

B. Zero-day

C. Object-oriented group

D. Rapid strain

Answer: ________

Question 166 of 284

Which of the following is a threat actor that is most likely to target an organization’s internal
applications?

A. Nation-state actors

B. Phished attacks

C. Organized crime groups

D. Blackmailing

Answer: ________

Question 167 of 284

In the following scenario, a company is evaluating the risk of a software application that is being
used internally. The security team discovers that advertising data from the software is unexpectedly
reporting back to the overseas company. Which of the following best describes this risk?

A. Software outbreaks

B. Financial attacks

C. Unapproved applications

D. Data mining

Answer: ________

Question 168 of 284

A company is experiencing issues with employees leaving the company for a competitor and taking
customer contact information with them. Which of the following tools will help prevent this from
recurring?

A. FIM

B. NAC

C. IDS

D. UBA

Answer: ________

Question 169 of 284

A company is experiencing issues with employees leaving the company for a competitor and taking
customer contact information with them. Which of the following tools will help prevent this from
recurring?

A. Moving each environment to a separate VPC in the company cloud account

B. Deploying firewalls in the company cloud account

C. Migrating the development environment to an on-premises environment

D. Implementing security groups restricting access between environments

Answer: ________

Question 170 of 284

Which of the following security concepts is being followed when applying encryption to sensitive
data?

A. Confidentiality

B. Non-repudiation

C. Availability

D. Integrity

Answer: ________

Question 171 of 284

Which of the following cryptographic solutions would allow an organization to recover encrypted
data after a key becomes corrupted or is deleted?

A. Self-signed certificates

B. Escrow

C. Tokenization

D. Trusted Platform Module

Answer: ________

Question 172 of 284

An organization is evaluating the cost of licensing a new solution to prevent ransomware. Which of
the following is the most helpful in making this decision?

A. ALE

B. SLE

C. RTO

D. ARO

Answer: ________

Question 173 of 284

Which of the following should be used to ensure that a device is inaccessible to a network-
connected resource?

A. Disablement of unused services

B. Web application firewall

C. Host isolation

D. Network-based IDS

Answer: ________

Question 174 of 284

An analyst is investigating a potential insider threat. The analyst discovers that an employee has
been accessing sensitive company data and moving it to a personal cloud storage account. Which of
the following logs should the analyst retrieve?

A. Notification

B. Replication

C. Classification

D. Eventuality

Answer: ________

Question 175 of 284

In the following scenario, a company is evaluating the risk of a software application that is being
used internally. The security team discovers that advertising data from the software is unexpectedly
reporting back to the overseas company. Which of the following best describes this risk?

A. Event notification

B. Change approval

C. Risk analysis

D. Backup plan

Answer: ________

Question 176 of 284

A company is evaluating the risk of a software application that is being used internally. The security
team discovers that advertising data from the software is unexpectedly reporting back to the
overseas company. Which of the following best describes this risk?

A. Chain of custody

B. Legal hold

C. Forensic-style execution

D. Passive preservation

Answer: ________

Question 177 of 284

While reviewing a recent compromise, a forensics team discovers that there are hard-coded
credentials in the database connection strings. Which of the following assessment types should be
performed during software development to prevent this issue?

A. Vulnerability scan

B. Penetration test

C. Static analysis

D. Quality assurance

Answer: ________

Question 178 of 284

In the following scenario, the analyst is investigating a potential insider threat. The analyst discovers
that an employee has been accessing sensitive company data and moving it to a personal cloud
storage account. Which of the following is the most likely reason for the malicious email’s continued
delivery?

A. Employees are flagging legitimate emails as spam.

B. Information from reported emails is not being used to tune email filtering tools.

C. Employees are using shadow IT solutions for email.

D. Employees are forwarding personal emails to company addresses.

Answer: ________

Question 179 of 284

An administrator needs to secure several SCADA devices in an industrial environment. Which of the
following should the administrator do to best secure these devices?

A. Segment the SCADA devices to their own subnet

B. Add the SCADA devices to a network monitoring tool

C. Apply security patches to the SCADA devices

D. Block internet access to the SCADA devices

Answer: ________

Question 180 of 284

An administrator is evaluating the risk of a software application that is being used internally. The
security team discovers that advertising data from the software is unexpectedly reporting back to
the overseas company. Which of the following best describes this risk?

A. Risking

B. Stalking

C. Tailgating

D. Encryption

Answer: ________

Question 181 of 284

Which of the following strategies most effectively protects sensitive data at rest in a database?

A. Hashing

B. Masking

C. Tokenization

D. Obfuscation

Answer: ________

Question 182 of 284

Which of the following would an organization most likely use to minimize the loss of data on a file
server in the event that data needs to be restored due to loss of the primary server?

A. Monitoring

B. Journaling

C. Obfuscation

D. Tokenization

Answer: ________

Question 183 of 284

Which of the following would help reduce the impact of a zero-day vulnerability in NAS installed on a
large office network?

A. Encryption

B. Patching

C. Segmentation

D. Filtering

Answer: ________

Question 184 of 284

Which of the following should a security analyst use to prioritize the remediation of a vulnerability?

A. OSINT

B. CVE

C. IoC

D. CVSS

Answer: ________

Question 185 of 284

An IT team rolls out a new management application that uses a randomly generated MFA token that
is sent to the administrator’s phone. Despite this new MFA precaution, there is a security breach of
the same software. Which of the following best describes the attack?

A. Smishing

B. Typosquatting

C. Espionage

D. Pretexting

Answer: ________

Question 186 of 284

A company is evaluating the risk of a software application that is being used internally. The security
team discovers that advertising data from the software is unexpectedly reporting back to the
overseas company. Which of the following best describes this risk?

A. WAF

B. IPS

C. NAC

D. VPN

Answer: ________

Question 187 of 284

A Chief Security Officer discovers that an application is vulnerable to a cross-site scripting attack.
Which of the following should be implemented to mitigate this vulnerability?

A. SIEM

B. PREACS+

C. WAF

D. VPUS

Answer: ________

Question 188 of 284

An administrator is creating domain profiles for each employee within the company. The
administrator wants to make the process more efficient by assigning permissions based on user roles
and departments. Which of the following is the best way to achieve this?

A. Resource provisioning

B. User provisioning

C. Security groups

D. Enforcing baselines

Answer: ________

Question 189 of 284

A systems administrator needs to update systems without disrupting operations. Which of the
following should the systems administrator and company leadership agree on?

A. Maintenance window

B. Backout plan

C. Standard operating procedure

D. Impact analysis

Answer: ________

Question 190 of 284

A security analyst is investigating a potential insider threat. The analyst discovers that an employee
has been accessing sensitive company data and moving it to a personal cloud storage account.
Which of the following should the company deploy to achieve this goal?

A. Enforcement

B. Detection

C. SIEM/EDR

D. Recovery

Answer: ________

Question 191 of 284

A security analyst is investigating a potential insider threat. The analyst discovers that an employee
has been accessing sensitive company data and moving it to a personal cloud storage account.
Which of the following best describes this risk?

A. Post-incident

B. Detection

C. Vulnerability scan

D. Recovery

Answer: ________

Question 192 of 284

A security analyst is investigating a potential insider threat. The analyst discovers that an employee
has been accessing sensitive company data and moving it to a personal cloud storage account.
Which of the following best describes this risk?

A. Specialized support

B. Dedicated workforce

C. Vulnerability scan

D. Technical debt

Answer: ________

Question 193 of 284

Which of the following control types describes an alert from a SIEM tool?

A. Preventive

B. Corrective

C. Compensating

D. Detective

Answer: ________

Question 194 of 284

An analyst is reviewing a report that indicates a potential vulnerability in a web application. The
report recommends implementing controls related to database input validation. Which of the
following best identifies the type of vulnerability that was likely discovered during the assessment?

A. XSS

B. Command injection

C. Buffer overflow

D. RCE

Answer: ________

Question 195 of 284

Which of the following activities is most likely to be involved in an incident response plan?

A. Lessons learned

B. Digital forensics

C. Contingency plan

D. Root cause analysis

Answer: ________

Question 196 of 284

Which of the following technologies can achieve microsegmentation?

A. Next-generation firewalls

B. Software-defined networking

C. Embedded systems

D. Air-gapped

Answer: ________

Question 197 of 284

In the following scenario, the analyst is investigating a potential insider threat. The analyst discovers
that an employee has been accessing sensitive company data and moving it to a personal cloud
storage account. Which of the following best describes this risk?

A. Secure storage

B. Code analysis

C. Input validation

D. Code signing

Answer: ________

Question 198 of 284

After completing an internal penetration test, the company’s security team recommends the
following security practices:

Decommission two unused web servers currently exposed to the internet.

Close all open and unused ports found on their existing production web servers.

Remove company email addresses and contact info from public domain registration records.

Which of the following security practices best describes these recommendations?

A. Attack surface reduction

B. Vulnerability assessment

C. Tabletop exercise

D. Business impact analysis

Answer: ________

Question 199 of 284

Which of the following receives logs from various devices and services, and then presents alerts?

A. SIEM

B. SCADA

C. SNMP

D. SCAP

Answer: ________

Question 200 of 284

In the following scenario, the analyst is investigating a potential insider threat. The analyst discovers
that an employee has been accessing sensitive company data and moving it to a personal cloud
storage account. Which of the following best describes this risk?

A. Logic bomb

B. SIGABA

C. Spyware

D. RANSOMER

Answer: ________

Question 201 of 284

Which of the following describes a situation where a user is authorized before being authenticated?

A. Privilege escalation

B. Race condition

C. Tailgating

D. Impersonation

Answer: ________

Question 202 of 284

An employee is promoted to a higher position within an organization. The employee is now
authorized to access more systems and data. Which of the following threats does the employee now
represent?

A. Privilege escalation

B. Race condition

C. Tailgating

D. Impersonation

Answer: ________

Question 203 of 284

An employee is promoted to a higher position within an organization. The employee is now
authorized to access more systems and data. Which of the following threats does the employee now
represent?

A. Insider threat

B. Nation-state

C. Disgruntled

D. Malicious

Answer: ________

Question 204 of 284

An administrator is estimating the cost associated with an attack that could result in the
replacement of a physical server. Which of the following processes is the administrator performing?

A. Quantitative risk analysis

B. Disaster recovery test

C. Physical security controls

D. Threat modeling

Answer: ________

Question 205 of 284

A user’s system became infected when malware was downloaded and extracted. The malware is
now active in the computer’s volatile storage. Which of the following best describes the technique
leveraged by the malware?

A. Race condition

B. Zero-day exploit

C. Buffer overflow

D. Memory injection

Answer: ________

Question 206 of 284

An administrator receives a message that is causing a large volume of messages to be sent to
multiple users. Which of the following best describes this attack?

A. Watering hole

B. Typosquatting

C. Privilege escalation

D. Logic bomb

Answer: ________

Question 207 of 284

In the following scenario, the analyst is investigating a potential insider threat. The analyst discovers
that an employee has been accessing sensitive company data and moving it to a personal cloud
storage account. Which of the following best describes this risk?

A. CSIRT

B. SIEM

C. Rule of trust

D. eDiscovery

Answer: ________

Question 208 of 284

A company is experiencing issues with employees leaving the company for a competitor and taking
customer contact information with them. Which of the following tools will help prevent this from
recurring?

A. Red team

B. Blue team

C. Purple team

D. Yellow team

Answer: ________

Question 209 of 284

Which of the following best describes the practice of researching laws and regulations related to
information security operations within a specific industry?

A. Compliance reporting

B. GDPR

C. Due diligence

D. Attestation

Answer: ________

Question 210 of 284

Which of the following should a technician perform to verify the integrity of a file transferred from
one device to another?

A. Authentication

B. Obfuscation

C. Hashing

D. Encryption

Answer: ________

Question 211 of 284

During an investigation, a security analyst discovers traffic going out to a command-and-control
server. The analyst must find out if any data exfiltration has occurred. Which of the following would
best help the analyst determine this?

A. Application log

B. Metadata

C. Network log

D. Packet capture

Answer: ________

Question 212 of 284

A company is evaluating the risk of a software application that is being used internally. The security
team discovers that advertising data from the software is unexpectedly reporting back to the
overseas company. Which of the following best describes this risk?

A. Misconfiguration in the endpoint protection software

B. Zero-day vulnerability in the file

C. Supply chain attack on the endpoint protection vendor

D. Data exfiltration permissions

Answer: ________

Question 213 of 284

In the following scenario, the analyst is investigating a potential insider threat. The analyst discovers
that an employee has been accessing sensitive company data and moving it to a personal cloud
storage account. Which of the following best describes this risk?

A. Service-level agreement

B. Responsibility matrix

C. Memorandum of understanding

D. Nondisclosure agreement

Answer: ________

Question 214 of 284

An attacker used XSS to compromise a web server. Which of the following solutions could have been
used to prevent this attack?

A. NGFW

B. UTM

C. WAF

D. NAC

Answer: ________

Question 215 of 284


SIMULATION

A recent black-box penetration test of http://example.com discovered that external website
vulnerabilities exist, such as directory traversals, cross-site scripting, cross-site request forgery, and
insecure protocols. You are tasked with implementing a secure and resilient web architecture.

Part 1

Use the drop-down menus to select the appropriate technologies for each location to implement a
secure and resilient web architecture. Not all technologies will be used, and technologies may be
used multiple times.

Part 2

Use the drop-down menus to select the appropriate command snippets from the drop-down menus.
Each command section must be filled.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.

[Image of simulation interface with dropdowns for Router, Web server, Switch, Firewall, WAF, PKI
certificate]

Answer: ________

Question 216 of 284

A few weeks after deploying additional email servers, a company begins to receive complaints from
employees that messages they send are going into their recipients’ spam folders. Which of the
following needs to be configured to resolve this issue?

A. CNAME

B. SMTP

C. DLP

D. SPF

Answer: ________
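
The following is an added example, not part of the original question set. It shows why mail from
newly deployed servers lands in spam when the domain's SPF record is not updated: a receiving server
checks the connecting IP against the published record and treats an unlisted sender as a failure. The
record, IP addresses and the CIDR added for the new servers are constructed for the example, and the
evaluator is deliberately simplified to ip4/ip6/all mechanisms (include, a, mx and redirect are not
handled here).

```python
import ipaddress

# Constructed sample: the SPF record published before the additional mail
# servers were deployed. Assumption: only ip4/ip6 and the terminal "all"
# mechanism appear; include/a/mx/redirect are out of scope for this check.
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def evaluate_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral for sender_ip. Mechanisms are tested in
    order and the first match decides; unknown mechanisms are skipped."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def add_ip4(record, cidr):
    """Authorize a new server range by inserting an ip4 mechanism ahead of the
    terminal 'all' term. Assumes the record ends with an 'all' mechanism."""
    terms = record.split()
    return " ".join(terms[:-1] + [f"ip4:{cidr}", terms[-1]])


if __name__ == "__main__":
    print(evaluate_spf(EXAMPLE_SPF, "203.0.113.10"))   # existing server
    print(evaluate_spf(EXAMPLE_SPF, "198.51.100.7"))   # new server, not yet listed
    fixed = add_ip4(EXAMPLE_SPF, "198.51.100.0/29")
    print(evaluate_spf(fixed, "198.51.100.7"))         # after the record is updated
```

A "-all" record makes an unlisted server a hard fail, which is exactly the situation in the question;
changing "-all" to "~all" would only soften the verdict, while adding the new servers' addresses (or
their mechanism) is the actual fix.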

Question 217 of 284

A company uses a cloud-based platform for file storage and wants to ensure the security of its data
in transit. Which of the following should the company verify are in place to secure this type of
communication? (Choose two.)

A. TLS certificates

B. WPA2 encryption

C. HTTPS

D. Virtual private network

E. Encryption key management

F. Digital signatures

Answer: ________

Question 220 of 284

A security administrator is configuring a new wireless network for guest access. Which of the
following is the most secure way to isolate guest traffic from internal corporate resources?

A. Enable WPA3-Personal

B. Place guests on a separate VLAN with firewall rules

C. Use MAC address filtering

D. Disable SSID broadcasting

Answer: ________

Question 221 of 284

Which of the following best describes the purpose of a certificate revocation list (CRL)?

A. To list all trusted root certificates

B. To identify certificates that are no longer valid before expiration

C. To store public keys for encryption

D. To verify the identity of a certificate authority

Answer: ________

Question 222 of 284

An organization wants to ensure that only company-managed devices can access its internal
resources. Which of the following should be implemented?

A. BYOD policy

B. Containerization

C. Device compliance policy

D. Full disk encryption

Answer: ________

Question 223 of 284

Which of the following is a key benefit of using OAuth for authentication?

A. It encrypts user passwords during transmission

B. It allows users to authenticate without sharing credentials with the application

C. It provides end-to-end encryption for email

D. It enforces password complexity requirements

Answer: ________

Question 224 of 284

A security analyst notices unusual outbound traffic from a workstation at 3 a.m. Which of the
following tools would best help determine if this is malicious?

A. Antivirus scan

B. NetFlow analysis

C. Patch management report

D. Asset inventory

Answer: ________

Question 225 of 284

Which of the following is the primary purpose of a honeypot?

A. To block malicious traffic

B. To detect and analyze attacker behavior

C. To encrypt sensitive data

D. To authenticate remote users

Answer: ________

Question 226 of 284

After a ransomware attack, a company restored systems from backups but later found that the
backups were also encrypted. Which of the following would have best prevented this?

A. Air-gapped backups

B. Full disk encryption

C. Cloud-based backups

D. Incremental backups

Answer: ________

Question 227 of 284

Which of the following best describes the concept of "least privilege"?

A. Users are granted only the permissions needed to perform their job

B. All users have the same access level

C. Administrators must use two-factor authentication

D. Systems are patched within 30 days

Answer: ________

Question 228 of 284

A developer is implementing input validation to prevent injection attacks. Which of the following
techniques is most effective?

A. Whitelisting allowed characters

B. Blacklisting special characters

C. Using CAPTCHA

D. Enabling SSL/TLS

Answer: ________
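
The following is an added example, not part of the original question set. It contrasts the two
validation approaches in the question: an allowlist that accepts only characters known to be safe for
the field, and a blocklist that strips known-bad tokens. The sample inputs, the username format and
the blocked-token list are constructed for the example; the third input is crafted so that removing
"<script>" once reassembles the tag, which is the classic blocklist bypass.

```python
import re

# Allowlist: a username is 1 to 32 characters drawn only from letters, digits
# and underscore. Anything outside that set is rejected, not "cleaned".
USERNAME_ALLOWED = re.compile(r"\A[A-Za-z0-9_]{1,32}\Z")


def validate_username_allowlist(value):
    """Return True only if the whole value matches the allowed pattern."""
    return USERNAME_ALLOWED.fullmatch(value) is not None


# Blocklist for comparison (constructed): tokens the developer knows are bad.
BLOCKED = ["<script>", "'", "--", ";"]


def sanitize_blocklist(value):
    """Strip each blocked token in a single pass over the input. Removing a
    token can create a new occurrence that is never rescanned, which is why
    this approach is weaker than the allowlist above."""
    for token in BLOCKED:
        value = value.replace(token, "")
    return value


def classify_inputs(samples):
    """Run both checks over a list of inputs and return the results so the
    difference between rejecting and sanitizing is visible side by side."""
    return [
        {
            "input": s,
            "allowlist_accepts": validate_username_allowlist(s),
            "after_blocklist": sanitize_blocklist(s),
        }
        for s in samples
    ]


if __name__ == "__main__":
    # Constructed inputs: legitimate, SQL-injection style, and a split tag
    # that survives blocklist filtering as a complete <script> element.
    for row in classify_inputs([
        "alice_01",
        "alice' OR 1=1--",
        "<scr<script>ipt>alert(1)</script>",
    ]):
        print(row)
```

The allowlist rejects both attack strings without knowing anything about SQL or HTML; the blocklist
turns the second input into a harmless-looking string and leaves the third as a working script tag.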

Question 229 of 284

Which of the following is a common indicator of a phishing email?

A. Correct spelling and grammar

B. Generic greetings like "Dear Customer"

C. HTTPS in the URL

D. Digital signature from sender

Answer: ________

Question 230 of 284

An organization is migrating to a cloud provider and wants to ensure data remains within a specific
geographic region. Which of the following should be addressed in the contract?

A. Data sovereignty

B. Data obfuscation

C. Data masking

D. Data deduplication

Answer: ________

Question 231 of 284

Which of the following protocols is most secure for transferring files?

A. FTP

B. TFTP

C. SFTP

D. HTTP

Answer: ________

Question 232 of 284

A security team is implementing a new policy requiring all mobile devices to use biometric
authentication. Which of the following concepts does this support?

A. Confidentiality

B. Integrity

C. Availability

D. Non-repudiation

Answer: ________

Question 233 of 284

Which of the following is the best defense against credential stuffing attacks?

A. Password complexity requirements

B. Account lockout after failed attempts

C. Multi-factor authentication

D. Regular password expiration

Answer: ________

Question 234 of 284

During an incident response, which of the following is the first step?

A. Eradication

B. Identification

C. Containment

D. Recovery

Answer: ________

Question 235 of 284

Which of the following best describes a "cold site" in disaster recovery?

A. Fully operational with real-time data sync

B. Partially configured with backup power

C. Empty facility with no equipment

D. Cloud-based failover environment

Answer: ________

Question 236 of 284

An attacker intercepts unencrypted communication between two parties. Which of the following
attacks is this?

A. On-path (Man-in-the-Middle)

B. Replay

C. Spoofing

D. Smurf

Answer: ________

Question 237 of 284

Which of the following is used to verify that a message has not been altered in transit?

A. Digital signature

B. Encryption

C. Hashing

D. Steganography

Answer: ________

Question 238 of 284

A company wants to reduce the risk of insider threats. Which of the following is most effective?

A. Mandatory vacations

B. Full disk encryption

C. Network segmentation

D. Antivirus software

Answer: ________

Question 239 of 284

Which of the following is a characteristic of symmetric encryption?

A. Uses a public and private key pair

B. Faster than asymmetric encryption

C. Used for digital signatures

D. Requires PKI

Answer: ________

Question 240 of 284

An employee reports that their laptop was stolen while traveling. Which of the following would best
protect the data?

A. BIOS password

B. Full disk encryption

C. Strong login password

D. Remote wipe capability

Answer: ________

Question 241 of 284

Which of the following is the primary purpose of a risk assessment?

A. To eliminate all threats

B. To identify and evaluate potential risks

C. To implement firewalls

D. To train employees

Answer: ________

Question 242 of 284

A web application allows users to upload profile pictures. Attackers upload a script file disguised as
an image. Which of the following would prevent this?

A. File type validation and sandboxing

B. SSL/TLS encryption

C. Input length limits

D. Session timeouts

Answer: ________
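
The following is an added example, not part of the original question set. It shows the file type
validation half of the answer: the upload handler ignores the client-supplied extension as a source of
truth, identifies the content by its magic bytes, requires the two to agree, and stores the file under
a server-generated name. The signatures table, size limit and sample uploads (a real PNG header and a
PHP script renamed to .jpg) are constructed for the example; serving uploads from a separate origin or
re-encoding images (the sandboxing half) is outside this snippet.

```python
import os
import secrets

# Magic-byte signatures for the image types the profile-picture feature accepts.
IMAGE_SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Extensions the feature allows and the content type each one declares.
ALLOWED_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def detect_image_type(data):
    """Identify the file by its header bytes, or return None if no known
    signature matches. The client-supplied name is never consulted here."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(filename, data, max_bytes=2_000_000):
    """Accept the upload only if the size is within bounds and the extension
    and the actual content agree on an allowed image type.
    Returns (accepted, reason, stored_name)."""
    if len(data) > max_bytes:
        return False, "too large", None
    ext = os.path.splitext(filename)[1].lower()   # "shell.php.jpg" -> ".jpg"
    declared = ALLOWED_EXTENSIONS.get(ext)
    if declared is None:
        return False, f"extension {ext!r} not allowed", None
    actual = detect_image_type(data)
    if actual is None:
        return False, "content is not a recognised image", None
    if actual != declared:
        return False, f"extension says {declared}, content is {actual}", None
    # Store under a random server-chosen name so the original filename (and
    # any embedded path or double extension) never reaches the filesystem.
    stored_name = secrets.token_hex(16) + "." + actual
    return True, "ok", stored_name


# Constructed samples: a minimal PNG header padded with zeros, and a PHP web
# shell that an attacker would upload with an image extension.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PHP_BYTES = b"<?php system($_GET['cmd']); ?>"

if __name__ == "__main__":
    print(validate_upload("avatar.png", PNG_BYTES))
    print(validate_upload("shell.php.jpg", PHP_BYTES))
    print(validate_upload("shell.php", PHP_BYTES))
    print(validate_upload("cat.jpg", PNG_BYTES))
```

Checking magic bytes alone is not sufficient for formats that tolerate trailing data (a valid GIF header
followed by script content is still a GIF to this check), which is why the stored file should also be
served with a fixed image Content-Type from a location where nothing is executed.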

Question 243 of 284

Which of the following best describes "tailgating"?

A. Sending fraudulent emails

B. Following an authorized person into a secure area

C. Installing keyloggers

D. Brute-forcing passwords

Answer: ________

Question 244 of 284

Which of the following is a benefit of using a SIEM system?

A. Automatic patch deployment

B. Centralized log collection and correlation

C. Endpoint encryption

D. Network bandwidth optimization

Answer: ________

Question 245 of 284

An organization requires all employees to acknowledge a policy before accessing systems. Which of
the following is this?

A. AUP (Acceptable Use Policy)

B. SLA

C. BPA

D. MOU

Answer: ________

Question 246 of 284

Which of the following is the most secure way to store passwords in a database?

A. Plain text

B. Encrypted with AES

C. Hashed with salt

D. Base64 encoded

Answer: ________
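
The following is an added example, not part of the original question set. It shows what "hashed with
salt" means in practice using PBKDF2-HMAC-SHA256 from the standard library: a random per-user salt
means two users with the same password get different stored values, and verification recomputes the
hash with the stored salt and compares in constant time. The storage format, iteration count and
sample passwords are constructed for the example; the iteration count is an assumption to tune to the
hardware, not a recommendation from the page.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for the example; raise ITERATIONS until a hash takes a
# noticeable fraction of a second on the authentication servers.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable string 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.
    A fresh random salt per user means identical passwords do not produce
    identical stored values, which defeats precomputed (rainbow) tables."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_sha256(password):
    """The weak alternative for comparison: the same password always yields the
    same value, so one cracked hash exposes every user who chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print(first != second)                                   # different salts
    print(verify_password("correct horse battery staple", first))
    print(verify_password("wrong password", first))
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))  # linkable
```

Encrypting passwords with AES (option B) is reversible by anyone who obtains the key, and Base64 is not
protection at all; a slow salted hash is the only option that gives the defender something an attacker
must brute-force one account at a time.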

Question 247 of 284

A security analyst sees the following in logs: ../../../etc/passwd. What type of attack is this?

A. SQL injection

B. Cross-site scripting

C. Directory traversal

D. Buffer overflow

Answer: ________
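
The following is an added example, not part of the original question set. It runs the check an analyst
would apply to web access logs to find directory traversal attempts like the one in the question,
including URL-encoded and double-encoded variants that a naive search for "../" misses, and reports
which attempts the server actually answered with 200. The log lines, web root and request format are
constructed for the example; the path-normalization test is the same one a hardened file handler
should apply before opening anything.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"

# Constructed access-log lines in Common Log Format. Line 2 is the plain
# traversal from the question; line 3 is URL-encoded; line 4 is double-encoded
# so that a single decode still looks harmless.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2024:03:12:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
198.51.100.23 - - [10/Oct/2024:03:12:07 +0000] "GET /download?file=../../../etc/passwd HTTP/1.1" 200 1847
198.51.100.23 - - [10/Oct/2024:03:12:09 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 220
198.51.100.23 - - [10/Oct/2024:03:12:11 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 220
203.0.113.9 - - [10/Oct/2024:03:15:44 +0000] "GET /static/app.css HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded) so that
    double-encoded sequences such as %252e are unwrapped to '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolves_outside_root(requested, root=WEB_ROOT):
    """Join the decoded value onto the web root, normalize away '..' segments,
    and report whether the result escapes the root directory."""
    decoded = fully_decode(requested).replace("\\", "/")
    target = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    return not (target == root or target.startswith(root + "/"))


def traversal_candidates(target):
    """Yield the URL path and every query-string value of a request target,
    since the traversal may sit in either place."""
    path, _, query = target.partition("?")
    yield path
    for pair in query.split("&"):
        if pair:
            yield pair.partition("=")[2]


def find_traversal(log_text):
    """Return (client_ip, status, decoded_value) for each request whose path
    or parameter would resolve outside the web root. A 200 status means the
    server served the file and the host should be treated as compromised."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        ip, _method, target, status = match.groups()
        for value in traversal_candidates(target):
            if resolves_outside_root(value):
                hits.append((ip, int(status), fully_decode(value)))
                break
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

Normalizing the path instead of grepping for "../" also catches variants such as "..\\" and
"....//" after the server's own canonicalization, and it is the check the application itself should
perform: reject any resolved path that is not under the intended directory.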

Question 248 of 284

Which of the following is used to ensure non-repudiation?

A. Hashing

B. Digital signatures

C. Symmetric encryption

D. Tokenization

Answer: ________

Question 249 of 284

Which of the following is a key principle of zero trust architecture?

A. Trust but verify

B. Never trust, always verify

C. Encrypt all data at rest

D. Segment the network perimeter

Answer: ________

Question 250 of 284

An attacker sends a large number of ICMP packets to a server, causing it to become unresponsive.
What type of attack is this?

A. Smurf

B. Fraggle

C. Ping flood

D. SYN flood

Answer: ________

Question 251 of 284

Which of the following is the best way to secure a legacy system that cannot be patched?

A. Replace it immediately

B. Isolate it on a separate network segment

C. Disable all user accounts

D. Install antivirus software

Answer: ________

Question 252 of 284

Which of the following is a common use of steganography?

A. Encrypting email

B. Hiding data within an image file

C. Blocking malicious websites

D. Authenticating users

Answer: ________

Question 253 of 284

A company wants to test its employees' susceptibility to social engineering. Which of the following is
the best approach?

A. Conduct phishing simulations

B. Install EDR on all endpoints

C. Require annual password changes

D. Deploy a WAF

Answer: ________

Question 254 of 284

Which of the following best describes a "warm site"?

A. Fully operational with live data

B. Ready to go with hardware but no data

C. No infrastructure in place

D. Cloud-based with auto-scaling

Answer: ________

Question 255 of 284

Which of the following protocols uses port 443 by default?

A. HTTP

B. HTTPS

C. FTPS

D. SSH

Answer: ________

Question 256 of 284

An organization is required to retain emails for seven years. Which policy governs this?

A. Data retention

B. Data classification

C. Data disposal

D. Data encryption

Answer: ________

Question 257 of 284

Which of the following is the most effective way to prevent USB-based malware infections?

A. Disable USB ports via GPO

B. Install antivirus software

C. Educate users

D. Use USB encryption

Answer: ________

Question 258 of 284

Which of the following is a characteristic of a logic bomb?

A. Activates when a condition is met

B. Spreads automatically

C. Encrypts files for ransom

D. Logs keystrokes

Answer: ________

Question 259 of 284

Which of the following is used to verify the integrity of a downloaded software package?

A. Digital certificate

B. Hash value (e.g., SHA-256)

C. License key

D. Version number

Answer: ________
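
The following is an added example, not part of the original question set, covering both the file
transfer check in Question 210 and the downloaded-package check in Question 259. It hashes the data
in chunks (so a large file never has to fit in memory), compares the result with the published digest
in constant time, and parses a sha256sum-style checksum file. The package bytes and the "published"
digest are constructed here so the example runs offline; in practice the expected value comes from the
vendor over a separate, trusted channel.

```python
import hashlib
import hmac
import io

# Constructed sample: the bytes of a small install script and the digest a
# vendor would publish beside it (computed here only so the example is offline).
PACKAGE_BYTES = b"#!/bin/sh\necho install\n" * 1000
PUBLISHED_SHA256 = hashlib.sha256(PACKAGE_BYTES).hexdigest()


def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in fixed-size chunks."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_download(stream, expected_hex):
    """True when the computed digest equals the published one. The comparison
    is constant-time and tolerates upper-case hex in the published value."""
    actual = sha256_stream(stream)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_bytes(data, expected_hex):
    """Convenience wrapper for data already held in memory."""
    return verify_download(io.BytesIO(data), expected_hex)


def parse_checksum_file(text):
    """Parse 'sha256sum' output lines ('<hex>  <name>' or '<hex> *<name>')
    into {name: hex}; lines that are not 64-hex-char entries are ignored."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and len(parts[0]) == 64:
            sums[parts[-1].lstrip("*")] = parts[0].lower()
    return sums


if __name__ == "__main__":
    print(verify_bytes(PACKAGE_BYTES, PUBLISHED_SHA256))        # intact copy
    tampered = bytearray(PACKAGE_BYTES)
    tampered[100] ^= 0x01                                        # one bit flipped in transit
    print(verify_bytes(bytes(tampered), PUBLISHED_SHA256))
    sums = parse_checksum_file(f"{PUBLISHED_SHA256}  installer.sh\n")
    print(verify_bytes(PACKAGE_BYTES, sums["installer.sh"]))
```

A matching digest proves the bytes are the ones the publisher hashed, not that the publisher is who
they claim to be; if the checksum file is fetched from the same server as the package, an attacker who
can replace one can replace both, which is why vendors sign the checksum file (Question 248).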

Question 260 of 284

A security team wants to detect anomalies in user behavior. Which technology should they
implement?

A. UBA (User Behavior Analytics)

B. DLP

C. NAC

D. HIDS

Answer: ________

Question 261 of 284

Which of the following best describes "shoulder surfing"?

A. Intercepting wireless signals

B. Watching someone enter a password

C. Phishing via phone calls

D. Installing spyware

Answer: ________

Question 262 of 284

Which of the following is a key component of an incident response plan?

A. Asset inventory

B. Communication plan

C. Firewall rules

D. Password policy

Answer: ________

Question 263 of 284

An attacker exploits a vulnerability in a web server to execute commands on the host. What type of
attack is this?

A. XSS

B. SQLi

C. RCE (Remote Code Execution)

D. CSRF

Answer: ________

Question 264 of 284

Which of the following is the purpose of a business impact analysis (BIA)?

A. Identify critical systems and recovery priorities

B. Train employees on security policies

C. Patch vulnerabilities

D. Encrypt sensitive data

Answer: ________

Question 265 of 284

Which of the following is the best example of multifactor authentication?

A. Password and PIN

B. Fingerprint and smart card

C. Username and password

D. Security question and email

Answer: ________

Question 266 of 284

A company discovers that an employee has been copying customer data to a personal USB drive.
Which of the following would best prevent this?

A. DLP (Data Loss Prevention)

B. Antivirus

C. Firewall

D. IDS

Answer: ________

Question 267 of 284

Which of the following is a common use of blockchain in security?

A. Encrypting email

B. Ensuring data integrity and immutability

C. Blocking malware

D. Authenticating users

Answer: ________

Question 268 of 284

Which of the following is the most secure wireless encryption standard?

A. WEP

B. WPA

C. WPA2

D. WPA3

Answer: ________

Question 269 of 284

An organization wants to ensure that only authorized applications run on endpoints. Which of the
following should be implemented?

A. Antivirus

B. Application allowlisting

C. Patch management

D. Full disk encryption

Answer: ________

Question 270 of 284

Which of the following is a key benefit of using containers?

A. Stronger encryption

B. Isolation of applications

C. Faster internet speeds

D. Reduced need for firewalls

Answer: ________

Question 271 of 284

Which of the following best describes "vishing"?

A. Phishing via email

B. Phishing via text message

C. Phishing via phone call

D. Phishing via social media

Answer: ________

Question 272 of 284

A security analyst needs to securely erase data from a decommissioned hard drive. Which method is
most effective?

A. Reformatting

B. Degaussing

C. Deleting files

D. Overwriting once

Answer: ________

Question 273 of 284

Which of the following is the primary purpose of a firewall?

A. Encrypt data

B. Filter network traffic based on rules

C. Detect malware

D. Authenticate users

Answer: ________

Question 274 of 284

Which of the following is a common sign of a compromised system?

A. Increased disk space

B. Unusual outbound network traffic

C. Faster boot times

D. Updated software

Answer: ________

Question 275 of 284

An organization is implementing a new authentication system that uses something you know,
something you have, and something you are. What is this called?

A. Single sign-on

B. Three-factor authentication

C. Federated identity

D. Kerberos

Answer: ________

Question 276 of 284

Which of the following is the best defense against DNS spoofing?

A. DNSSEC

B. DHCP snooping

C. MAC filtering

D. VLANs

Answer: ________

Question 277 of 284

Which of the following is used to prevent replay attacks?

A. Digital certificates

B. Nonces or timestamps

C. Hashing

D. Salting

Answer: ________
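
The following is an added example, not part of the original question set. It shows both halves of the
answer working together: the client stamps each request with a timestamp and a fresh nonce and MACs
all of it, and the server rejects messages whose timestamp is outside the acceptance window and any
nonce it has already accepted within that window. The shared key, window size and request body are
constructed for the example; the MAC uses HMAC-SHA256 from the standard library. The guard purges
old nonces by the message timestamp rather than the arrival time, so a nonce stays remembered for the
whole period in which it could still pass the timestamp check.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for the example: the pre-shared key and acceptance window.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_SKEW_SECONDS = 30


def _mac(key, ts, nonce, body):
    """MAC over timestamp, nonce and body together, so none of them can be
    altered independently on a captured message."""
    return hmac.new(key, f"{ts}|{nonce}|".encode() + body, hashlib.sha256).hexdigest()


def sign_request(key, body, now=None, nonce=None):
    """Client side: stamp the message with the current time and a fresh nonce."""
    ts = str(int(time.time() if now is None else now))
    nonce = nonce or secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "body": body, "mac": _mac(key, ts, nonce, body)}


class ReplayGuard:
    """Server side: verify the MAC, reject stale timestamps, and reject a nonce
    that has already been accepted within the window."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp carried by the accepted message

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        ts = int(msg["ts"])
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        # Forget nonces whose timestamp has left the window: a replay of them
        # fails the timestamp check above, so they no longer need storage.
        cutoff = now - self.max_skew
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = ts
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard(SHARED_KEY)
    t0 = 1_700_000_000
    msg = sign_request(SHARED_KEY, b"transfer 100 to acct 42", now=t0)
    print(guard.accept(msg, now=t0 + 1))       # original request
    print(guard.accept(msg, now=t0 + 2))       # captured and resent immediately
    print(guard.accept(msg, now=t0 + 120))     # resent much later
    forged = dict(msg, ts=str(t0 + 119))       # attacker freshens the timestamp
    print(guard.accept(forged, now=t0 + 120))
```

A timestamp alone leaves a window of MAX_SKEW_SECONDS in which a capture can be replayed; a nonce
alone requires the server to remember every nonce forever. Using both bounds the memory to the
window while closing the replay gap, and binding them into the MAC stops an attacker from simply
editing the captured values.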

Question 278 of 284

A company wants to outsource its email security. Which service model is this?

A. IaaS

B. PaaS

C. SaaS

D. SECaaS

Answer: ________

Question 279 of 284

Which of the following is a key feature of EDR (Endpoint Detection and Response)?

A. Automatic patching

B. Real-time monitoring and response

C. Data encryption

D. Network segmentation

Answer: ________

Question 280 of 284

Which of the following best describes "fuzzing"?

A. Sending random data to an application to find vulnerabilities

B. Encrypting network traffic

C. Blocking IP addresses

D. Phishing users

Answer: ________

Question 281 of 284

An attacker uses a fake Wi-Fi hotspot to capture user credentials. What is this called?

A. Evil twin

B. Rogue AP

C. Both A and B

D. None of the above

Answer: ________

Question 282 of 284

Which of the following is the most important factor when determining data classification levels?

A. Data storage cost

B. Sensitivity of the data

C. Age of the data

D. File format

Answer: ________

Question 283 of 284

Which of the following is a key principle of secure software development?

A. Security through obscurity

B. Security as an afterthought

C. Secure by design

D. Minimal testing

Answer: ________

Question 284 of 284

After a security incident, the team conducts a meeting to discuss what happened and how to
improve. What is this called?

A. Root cause analysis

B. Lessons learned

C. Tabletop exercise

D. Risk assessment

Answer: ________
