Summary

This document is a multiple-choice practice exam for a security course. It contains questions about different aspects of information security, such as passive reconnaissance, threat actors, and security controls.

Full Transcript

Practice Exam A Multiple Choice Questions

A6. A company has hired a third-party to gather information about the company’s servers and data. This third-party will not have direct access to the company's internal network, but they can gather information from any other source. Which of the following would BEST describe this approach?
❍ A. Vulnerability scanning
❍ B. Passive reconnaissance
❍ C. Supply chain analysis
❍ D. Regulatory audit
Quick Answer: 33 / The Details: 43

A7. A company's email server has received an email from a third-party, but the origination server does not match the list of authorized devices. Which of the following would determine the disposition of this message?
❍ A. SPF
❍ B. NAC
❍ C. DMARC
❍ D. DKIM
Quick Answer: 33 / The Details: 44

A8. Which of these threat actors would be MOST likely to attack systems for direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Shadow IT
Quick Answer: 33 / The Details: 45

A9. A security administrator has examined a server recently compromised by an attacker, and has determined the system was exploited due to a known operating system vulnerability. Which of the following would BEST describe this finding?
❍ A. Root cause analysis
❍ B. E-discovery
❍ C. Risk appetite
❍ D. Data subject
Quick Answer: 33 / The Details: 46

Practice Exam A - Questions 5

A10. A city is building an ambulance service network for emergency medical dispatching. Which of the following should have the highest priority?
❍ A. Integration costs
❍ B. Patch availability
❍ C. System availability
❍ D. Power usage
Quick Answer: 33 / The Details: 47

A11. A system administrator receives a text alert when access rights are changed on a database containing private customer information. Which of the following would describe this alert?
❍ A. Maintenance window
❍ B. Attestation and acknowledgment
❍ C. Automation
❍ D. External audit
Quick Answer: 33 / The Details: 48

A12. A security administrator is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to block the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM
Quick Answer: 33 / The Details: 49

A13. A company creates a standard set of government reports each calendar quarter. Which of the following would describe this type of data?
❍ A. Data in use
❍ B. Obfuscated
❍ C. Trade secrets
❍ D. Regulated
Quick Answer: 33 / The Details: 50

A14. An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies:
- Access records from all devices must be saved and archived
- Any data access outside of normal working hours must be immediately reported
- Data access must only occur inside of the country
- Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server
Quick Answer: 33 / The Details: 51

A15. A security engineer is viewing this record from the firewall logs:
    UTC 04/05/2023 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim's IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not
Quick Answer: 33 / The Details: 53

A16. A user connects to a third-party website and receives this message:
    Your connection is not private. NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Deauthentication
Quick Answer: 33 / The Details: 54

A17. Which of the following would be the BEST way to provide a website login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. EAP
❍ D. SSO
Quick Answer: 33 / The Details: 55

A18. A system administrator is working on a contract that will specify a minimum required uptime for a set of Internet-facing firewalls. The administrator needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. RPO
Quick Answer: 33 / The Details: 56

A19. An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. What kind of attack would BEST describe this phone call?
❍ A. Social engineering
❍ B. Supply chain
❍ C. Watering hole
❍ D. On-path
Quick Answer: 33 / The Details: 57

A20. Two companies have been working together for a number of months, and they would now like to qualify their partnership with a broad formal agreement between both organizations. Which of the following would describe this agreement?
❍ A. SLA
❍ B. SOW
❍ C. MOA
❍ D. NDA
Quick Answer: 33 / The Details: 58

A21. Which of the following would explain why a company would automatically add a digital signature to each outgoing email message?
❍ A. Confidentiality
❍ B. Integrity
❍ C. Authentication
❍ D. Availability
Quick Answer: 33 / The Details: 59

A22. The embedded OS in a company’s time clock appliance is configured to reset the file system and reboot when a file system error occurs. On one of the time clocks, this file system error occurs during the startup process and causes the system to constantly reboot. Which of the following BEST describes this issue?
❍ A. Memory injection
❍ B. Resource consumption
❍ C. Race condition
❍ D. Malicious update
Quick Answer: 33 / The Details: 60

A23. A recent audit has found that existing password policies do not include any restrictions on password attempts, and users are not required to periodically change their passwords. Which of the following would correct these policy issues? (Select TWO)
❍ A. Password complexity
❍ B. Password expiration
❍ C. Password reuse
❍ D. Account lockout
❍ E. Password managers
Quick Answer: 33 / The Details: 61

A24. What kind of security control is associated with a login banner?
❍ A. Preventive
❍ B. Deterrent
❍ C. Corrective
❍ D. Detective
❍ E. Compensating
❍ F. Directive
Quick Answer: 33 / The Details: 62

A25. An internal audit has discovered four servers that have not been updated in over a year, and it will take two weeks to test and deploy the latest patches. Which of the following would be the best way to quickly respond to this situation in the meantime?
❍ A. Purchase cybersecurity insurance
❍ B. Implement an exception for all data center services
❍ C. Move the servers to a protected segment
❍ D. Hire a third-party to perform an extensive audit
Quick Answer: 33 / The Details: 63

A26. A business manager is documenting a set of steps for processing orders if the primary Internet connection fails. Which of these would BEST describe these steps?
❍ A. Platform diversity
❍ B. Continuity of operations
❍ C. Cold site recovery
❍ D. Tabletop exercise
Quick Answer: 33 / The Details: 64

A27. A company would like to examine the credentials of each individual entering the data center building. Which of the following would BEST facilitate this requirement?
❍ A. Access control vestibule
❍ B. Video surveillance
❍ C. Pressure sensors
❍ D. Bollards
Quick Answer: 33 / The Details: 65

A28. A company stores some employee information in encrypted form, but other public details are stored as plaintext. Which of the following would BEST describe this encryption strategy?
❍ A. Full-disk
❍ B. Record
❍ C. Asymmetric
❍ D. Key escrow
Quick Answer: 33 / The Details: 66

A29. A company would like to minimize database corruption if power is lost to a server. Which of the following would be the BEST strategy to follow?
❍ A. Encryption
❍ B. Off-site backups
❍ C. Journaling
❍ D. Replication
Quick Answer: 33 / The Details: 67

A30. A company is creating a security policy for corporate mobile devices:
- All mobile devices must be automatically locked after a predefined time period.
- The location of each device needs to be traceable.
- All of the user’s information should be completely separate from company data.
Which of the following would be the BEST way to establish these security policy rules?
❍ A. Segmentation
❍ B. Biometrics
❍ C. COPE
❍ D. MDM
Quick Answer: 33 / The Details: 68

A31. A security engineer runs a monthly vulnerability scan. The scan doesn’t list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. Which of the following best describes this result?
❍ A. Exploit
❍ B. Compensating controls
❍ C. Zero-day attack
❍ D. False negative
Quick Answer: 33 / The Details: 69

A32. An IT help desk is using automation to improve the response time for security events. Which of the following use cases would apply to this process?
❍ A. Escalation
❍ B. Guard rails
❍ C. Continuous integration
❍ D. Resource provisioning
Quick Answer: 33 / The Details: 70

A33. A network administrator would like each user to authenticate with their corporate username and password when connecting to the company's wireless network. Which of the following should the network administrator configure on the wireless access points?
❍ A. WPA3
❍ B. 802.1X
❍ C. PSK
❍ D. MFA
Quick Answer: 33 / The Details: 71

A34. A company's VPN service performs a posture assessment during the login process. Which of the following mitigation techniques would this describe?
❍ A. Encryption
❍ B. Decommissioning
❍ C. Least privilege
❍ D. Configuration enforcement
Quick Answer: 33 / The Details: 72

A35. A user has assigned individual rights and permissions to a file on their network drive. The user adds three additional individuals to have read-only access to the file. Which of the following would describe this access control model?
❍ A. Discretionary
❍ B. Mandatory
❍ C. Attribute-based
❍ D. Role-based
Quick Answer: 33 / The Details: 73

A36. A remote user has received a text message with a link to log in and confirm their upcoming work schedule. Which of the following would BEST describe this attack?
❍ A. Brute force
❍ B. Watering hole
❍ C. Typosquatting
❍ D. Smishing
Quick Answer: 33 / The Details: 74

A37. A company is formalizing the design and deployment process used by their application programmers. Which of the following policies would apply?
❍ A. Business continuity
❍ B. Acceptable use policy
❍ C. Incident response
❍ D. Development lifecycle
Quick Answer: 33 / The Details: 75

A38. A security administrator has copied a suspected malware executable from a user's computer and is running the program in a sandbox. Which of the following would describe this part of the incident response process?
❍ A. Eradication
❍ B. Preparation
❍ C. Recovery
❍ D. Containment
Quick Answer: 33 / The Details: 76

A39. A server administrator at a bank has noticed a decrease in the number of visitors to the bank's website. Additional research shows that users are being directed to a different IP address than the bank's web server. Which of the following would MOST likely describe this attack?
❍ A. Deauthentication
❍ B. DDoS
❍ C. Buffer overflow
❍ D. DNS poisoning
Quick Answer: 33 / The Details: 77

A40. Which of the following considerations are MOST commonly associated with a hybrid cloud model?
❍ A. Microservice outages
❍ B. IoT support
❍ C. Network protection mismatches
❍ D. Containerization backups
Quick Answer: 33 / The Details: 78

A41. A company hires a large number of seasonal employees, and their system access should normally be disabled when the employee leaves the company. The security administrator would like to verify that their systems cannot be accessed by any of the former employees. Which of the following would be the BEST way to provide this verification?
❍ A. Confirm that no unauthorized accounts have administrator access
❍ B. Validate the account lockout policy
❍ C. Validate the offboarding processes and procedures
❍ D. Create a report that shows all authentications for a 24-hour period
Quick Answer: 33 / The Details: 79

A42. Which of the following is used to describe how cautious an organization might be about taking a specific risk?
❍ A. Risk appetite
❍ B. Risk register
❍ C. Risk transfer
❍ D. Risk reporting
Quick Answer: 33 / The Details: 80

A43. A technician is applying a series of patches to fifty web servers during a scheduled maintenance window. After patching and rebooting the first server, the web service fails with a critical error. Which of the following should the technician do NEXT?
❍ A. Contact the stakeholders regarding the outage
❍ B. Follow the steps listed in the backout plan
❍ C. Test the upgrade process in the lab
❍ D. Evaluate the impact analysis associated with the change
Quick Answer: 33 / The Details: 81

A44. An attacker has discovered a way to disable a server by sending specially crafted packets from many remote devices to the operating system. When the packet is received, the system crashes and must be rebooted to restore normal operations. Which of the following would BEST describe this attack?
❍ A. Privilege escalation
❍ B. SQL injection
❍ C. Replay attack
❍ D. DDoS
Quick Answer: 33 / The Details: 82

A45. A data breach has occurred in a large insurance company. A security administrator is building new servers and security systems to get all of the financial systems back online. Which part of the incident response process would BEST describe these actions?
❍ A. Lessons learned
❍ B. Containment
❍ C. Recovery
❍ D. Analysis
Quick Answer: 33 / The Details: 83

A46. A network team has installed new access points to support an application launch. In less than 24 hours, the wireless network was attacked and private company information was accessed. Which of the following would be the MOST likely reason for this breach?
❍ A. Race condition
❍ B. Jailbreaking
❍ C. Impersonation
❍ D. Misconfiguration
Quick Answer: 33 / The Details: 84

A47. An organization has identified a significant vulnerability in an Internet-facing firewall. The firewall company has stated the firewall is no longer available for sale and there are no plans to create a patch for this vulnerability. Which of the following would BEST describe this issue?
❍ A. End-of-life
❍ B. Improper input handling
❍ C. Improper key management
❍ D. Incompatible OS
Quick Answer: 33 / The Details: 85

A48. A company has decided to perform a disaster recovery exercise during an annual meeting with the IT directors and senior directors. A simulated disaster will be presented, and the participants will discuss the logistics and processes required to resolve the disaster. Which of the following would BEST describe this exercise?
❍ A. Capacity planning
❍ B. Business impact analysis
❍ C. Continuity of operations
❍ D. Tabletop exercise
Quick Answer: 33 / The Details: 86

A49. A security administrator needs to block users from visiting websites hosting malicious software. Which of the following would be the BEST way to control this access?
❍ A. Honeynet
❍ B. Data masking
❍ C. DNS filtering
❍ D. Data loss prevention
Quick Answer: 33 / The Details: 87

A50. A system administrator has been called to a system with a malware infection. As part of the incident response process, the administrator has imaged the operating system to a known-good version. Which of these incident response steps is the administrator following?
❍ A. Lessons learned
❍ B. Recovery
❍ C. Detection
❍ D. Containment
Quick Answer: 33 / The Details: 88

A51. A company has placed a SCADA system on a segmented network with limited access from the rest of the corporate network. Which of the following would describe this process?
❍ A. Load balancing
❍ B. Least privilege
❍ C. Data retention
❍ D. Hardening
Quick Answer: 33 / The Details: 89

A52. An administrator is viewing the following security log:
    Dec 30 08:40:03 web01 Failed password for root from 10.101.88.230 port 26244 ssh2
    Dec 30 08:40:05 web01 Failed password for root from 10.101.88.230 port 26244 ssh2
    Dec 30 08:40:09 web01 445 more authentication failures; rhost=10.101.88.230 user=root
Which of the following would describe this attack?
❍ A. Spraying
❍ B. Downgrade
❍ C. Brute force
❍ D. DDoS
Quick Answer: 33 / The Details: 90

A53. During a morning login process, a user's laptop was moved to a private VLAN and a series of updates were automatically installed. Which of the following would describe this process?
❍ A. Account lockout
❍ B. Configuration enforcement
❍ C. Decommissioning
❍ D. Sideloading
Quick Answer: 33 / The Details: 91

A54. Which of the following describes two-factor authentication?
❍ A. A printer uses a password and a PIN
❍ B. The door to a building requires a fingerprint scan
❍ C. An application requires a pseudo-random code
❍ D. A Windows Domain requires a password and smart card
Quick Answer: 33 / The Details: 92

A55. A company is deploying a new application to all employees in the field. Some of the problems associated with this rollout include:
- The company does not have a way to manage the devices in the field
- Team members have many different kinds of mobile devices
- The same device needs to be used for both corporate and private use
Which of the following deployment models would address these concerns?
❍ A. CYOD
❍ B. SSO
❍ C. COPE
❍ D. BYOD
Quick Answer: 33 / The Details: 93

A56. An organization is installing a UPS for their new data center. Which of the following would BEST describe this control type?
❍ A. Compensating
❍ B. Directive
❍ C. Deterrent
❍ D. Detective
Quick Answer: 33 / The Details: 94

A57. A manufacturing company would like to track the progress of parts used on an assembly line. Which of the following technologies would be the BEST choice for this task?
❍ A. Secure enclave
❍ B. Blockchain
❍ C. Hashing
❍ D. Asymmetric encryption
Quick Answer: 33 / The Details: 95

A58. A company's website has been compromised and the website content has been replaced with a political message. Which of the following threat actors would be the MOST likely culprit?
❍ A. Insider
❍ B. Organized crime
❍ C. Shadow IT
❍ D. Hacktivist
Quick Answer: 33 / The Details: 96

A59. A Linux administrator is downloading an updated version of her Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Which of these would describe the use of this hash value?
❍ A. Verifies that the file was not corrupted during the file transfer
❍ B. Provides a key for decrypting the ISO after download
❍ C. Authenticates the site as an official ISO distribution site
❍ D. Confirms that the file does not contain any malware
Quick Answer: 33 / The Details: 97

A60. A company's security policy requires that login access should only be available if a person is physically within the same building as the server. Which of the following would be the BEST way to provide this requirement?
❍ A. USB security key
❍ B. Biometric scanner
❍ C. PIN
❍ D. SMS
Quick Answer: 33 / The Details: 98

A61. A development team has installed a new application and database to a cloud service. After running a vulnerability scanner on the application instance, a security administrator finds the database is available for anyone to query without providing any authentication. Which of these vulnerabilities is MOST associated with this issue?
❍ A. Legacy software
❍ B. Open permissions
❍ C. Race condition
❍ D. Malicious update
Quick Answer: 33 / The Details: 99

A62. Employees of an organization have received an email with a link offering a cash bonus for completing an internal training course. Which of the following would BEST describe this email?
❍ A. Watering hole attack
❍ B. Cross-site scripting
❍ C. Zero-day
❍ D. Phishing campaign
Quick Answer: 33 / The Details: 100

A63. Which of the following risk management strategies would include the purchase and installation of an NGFW?
❍ A. Transfer
❍ B. Mitigate
❍ C. Accept
❍ D. Avoid
Quick Answer: 33 / The Details: 101

A64. An organization is implementing a security model where all application requests must be validated at a policy enforcement point. Which of the following would BEST describe this model?
❍ A. Public key infrastructure
❍ B. Zero trust
❍ C. Discretionary access control
❍ D. Federation
Quick Answer: 33 / The Details: 102

A65. A company is installing a new application in a public cloud. Which of the following determines the assignment of data security in this cloud infrastructure?
❍ A. Playbook
❍ B. Audit committee
❍ C. Responsibility matrix
❍ D. Right-to-audit clause
Quick Answer: 33 / The Details: 103

A66. When decommissioning a device, a company documents the type and size of storage drive, the amount of RAM, and any installed adapter cards. Which of the following describes this process?
❍ A. Destruction
❍ B. Sanitization
❍ C. Certification
❍ D. Enumeration
Quick Answer: 33 / The Details: 104

A67. An attacker has sent more information than expected in a single API call, and this has allowed the execution of arbitrary code. Which of the following would BEST describe this attack?
❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Cross-site scripting
❍ D. DDoS
Quick Answer: 33 / The Details: 105

A68. A company encourages users to encrypt all of their confidential materials on a central server. The organization would like to enable key escrow as a backup option. Which of these keys should the organization place into escrow?
❍ A. Private
❍ B. CA
❍ C. Session
❍ D. Public
Quick Answer: 33 / The Details: 106

A69. A company is in the process of configuring and enabling host-based firewalls on all user devices. Which of the following threats is the company addressing?
❍ A. Default credentials
❍ B. Vishing
❍ C. Instant messaging
❍ D. On-path
Quick Answer: 33 / The Details: 107

A70. A manufacturing company would like to use an existing router to separate a corporate network from a manufacturing floor. Both networks use the same physical switch, and the company does not want to install any additional hardware. Which of the following would be the BEST choice for this segmentation?
❍ A. Connect the corporate network and the manufacturing floor with a VPN
❍ B. Build an air-gapped manufacturing floor network
❍ C. Use host-based firewalls on each device
❍ D. Create separate VLANs for the corporate network and the manufacturing floor
Quick Answer: 33 / The Details: 108

A71. An organization needs to provide a remote access solution for a newly deployed cloud-based application. This application is designed to be used by mobile field service technicians. Which of the following would be the best option for this requirement?
❍ A. RTOS
❍ B. CRL
❍ C. Zero-trust
❍ D. SASE
Quick Answer: 33 / The Details: 109

A72. A company is implementing a quarterly security awareness campaign. Which of the following would MOST likely be part of this campaign?
❍ A. Suspicious message reports from users
❍ B. An itemized statement of work
❍ C. An IaC configuration file
❍ D. An acceptable use policy document
Quick Answer: 33 / The Details: 110

A73. A recent report shows the return of a vulnerability that was previously patched four months ago. After researching this issue, the security team has found a recent patch has reintroduced this vulnerability on the servers. Which of the following should the security administrator implement to prevent this issue from occurring in the future?
❍ A. Containerization
❍ B. Data masking
❍ C. 802.1X
❍ D. Change management
Quick Answer: 33 / The Details: 111

A74. A security manager would like to ensure that unique hashes are used with an application login process. Which of the following would be the BEST way to add random data when generating a set of stored password hashes?
❍ A. Salting
❍ B. Obfuscation
❍ C. Key stretching
❍ D. Digital signature
Quick Answer: 33 / The Details: 112

A75. Which cryptographic method is used to add trust to a digital certificate?
❍ A. Steganography
❍ B. Hash
❍ C. Symmetric encryption
❍ D. Digital signature
Quick Answer: 33 / The Details: 113

A76. A company is using SCAP as part of their security monitoring processes. Which of the following would BEST describe this implementation?
❍ A. Train the user community to better identify phishing attempts
❍ B. Present the results of an internal audit to the board
❍ C. Automate the validation and patching of security issues
❍ D. Identify and document authorized data center visitors
Quick Answer: 33 / The Details: 114

A77. An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data?
❍ A. Data processor
❍ B. Data owner
❍ C. Data subject
❍ D. Data custodian
Quick Answer: 33 / The Details: 115

A78. An organization’s content management system currently labels files and documents as “Public” and “Restricted.” On a recent update, a new classification type of “Private” was added. Which of the following would be the MOST likely reason for this addition?
❍ A. Minimized attack surface
❍ B. Simplified categorization
❍ C. Expanded privacy compliance
❍ D. Decreased search time
Quick Answer: 33 / The Details: 116

A79. A corporate security team would like to consolidate and protect the private keys across all of their web servers. Which of these would be the BEST way to securely store these keys?
❍ A. Integrate an HSM
❍ B. Implement full disk encryption on the web servers
❍ C. Use a TPM
❍ D. Upgrade the web servers to use a UEFI BIOS
Quick Answer: 33 / The Details: 117

A80. A security technician is reviewing this security log from an IPS:
    ALERT 2023-06-01 13:07:29 [163bcf65118-179b547b] Cross-Site Scripting in JSON Data 222.43.112.74:3332 -> 64.235.145.35:80 URL/index.html - Method POST - Query String "-" User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3 NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7 Detail: token="" key="key7" value="alert(2)"
Which of the following can be determined from this log information? (Select TWO)
❍ A. The alert was generated from a malformed User Agent header
❍ B. The alert was generated from an embedded script
❍ C. The attacker’s IP address is 222.43.112.74
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid client port number
Quick Answer: 33 / The Details: 118

A81. Which of the following describes a monetary loss if one event occurs?
❍ A. ALE
❍ B. SLE
❍ C. RTO
❍ D. ARO
Quick Answer: 33 / The Details: 119

A82. A user with restricted access has typed this text in a search field of an internal web-based application:
    USER77' OR '1'='1
After submitting this search request, all database records are displayed on the screen. Which of the following would BEST describe this search?
❍ A. Cross-site scripting
❍ B. Buffer overflow
❍ C. SQL injection
❍ D. SSL stripping
Quick Answer: 33 / The Details: 120

A83. A user has opened a helpdesk ticket complaining of poor system performance, excessive pop-up messages, and the cursor moving without anyone touching the mouse. This issue began after they opened a spreadsheet from a vendor containing part numbers and pricing information. Which of the following is MOST likely the cause of this user's issues?
❍ A. On-path
❍ B. Worm
❍ C. Trojan horse
❍ D. Logic bomb
Quick Answer: 33 / The Details: 121

A84. A web-based manufacturing company processes monthly charges to credit card information saved in the customer's profile. All of the customer information is encrypted and protected with additional authentication factors. Which of the following would be the justification for these security controls?
❍ A. Chain of custody
❍ B. Password vaulting
❍ C. Compliance reporting
❍ D. Sandboxing
Quick Answer: 33 / The Details: 122

A85. A security manager has created a report showing intermittent network communication from certain workstations on the internal network to one external IP address. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns?
❍ A. On-path attack
❍ B. Keylogger
❍ C. Replay attack
❍ D. Brute force
Quick Answer: 33 / The Details: 123

A86. The security policies in a manufacturing company prohibit the transmission of customer information. However, a security administrator has received an alert that credit card numbers were transmitted as an email attachment. Which of the following was the MOST likely source of this alert message?
❍ A. IPS
❍ B. DLP
❍ C. RADIUS
❍ D. IPsec
Quick Answer: 33 / The Details: 124

A87. A security administrator has configured a virtual machine in a screened subnet with a guest login account and no password. Which of the following would be the MOST likely reason for this configuration?
❍ A. The server is a honeypot for attracting potential attackers
❍ B. The server is a cloud storage service for remote users
❍ C. The server will be used as a VPN concentrator
❍ D. The server is a development sandbox for third-party programming projects
Quick Answer: 33 / The Details: 125

A88. A security administrator is configuring a DNS server with an SPF record. Which of the following would be the reason for this configuration?
❍ A. Transmit all outgoing email over an encrypted tunnel
❍ B. List all servers authorized to send emails
❍ C. Digitally sign all outgoing email messages
❍ D. Obtain disposition instructions for emails marked as spam
Quick Answer: 33 / The Details: 126

A89. A company would like to securely deploy applications without the overhead of installing a virtual machine for each system. Which of the following would be the BEST way to deploy these applications?
❍ A. Containerization
❍ B. IoT
❍ C. Proxy
❍ D. RTOS
Quick Answer: 33 / The Details: 127

A90. A company has just purchased a new application server, and the security director wants to determine if the system is secure. The system is currently installed in a test environment and will not be available to users until the rollout to production next week. Which of the following would be the BEST way to determine if any part of the system can be exploited?
❍ A. Tabletop exercise
❍ B. Vulnerability scanner
❍ C. DDoS
❍ D. Penetration test
Quick Answer: 33 / The Details: 128

Practice Exam B Multiple Choice Questions

B6. A security administrator has performed an audit of the organization’s production web servers, and the results have identified default configurations, web services running from a privileged account, and inconsistencies with SSL certificates. Which of the following would be the BEST way to resolve these issues?
❍ A. Server hardening
❍ B. Multi-factor authentication
❍ C. Enable HTTPS
❍ D. Run operating system updates
Quick Answer: 161 / The Details: 168

B7. A shipping company stores information in small regional warehouses around the country. The company maintains an IPS at each warehouse to watch for suspicious traffic patterns. Which of the following would BEST describe the security control used at the warehouse?
❍ A. Deterrent
❍ B. Compensating
❍ C. Directive
❍ D. Detective
Quick Answer: 161 / The Details: 169

B8. The Vice President of Sales has asked the IT team to create daily backups of the sales data. The Vice President is an example of a:
❍ A. Data owner
❍ B. Data controller
❍ C. Data steward
❍ D. Data processor
Quick Answer: 161 / The Details: 170

Practice Exam B - Questions 135

B9. A security engineer is preparing to conduct a penetration test of a third-party website. Part of the preparation involves reading through social media posts for information about this site. Which of the following describes this practice?
❍ A. Partially known environment
❍ B. OSINT
❍ C. Exfiltration
❍ D. Active reconnaissance
Quick Answer: 161 / The Details: 171

B10. A company would like to orchestrate the response when a virus is detected on company devices. Which of the following would be the BEST way to implement this function?
❍ A. Active reconnaissance
❍ B. Log aggregation
❍ C. Vulnerability scan
❍ D. Escalation scripting
Quick Answer: 161 / The Details: 172

B11. A user in the accounting department has received a text message from the CEO. The message requests payment by cryptocurrency for a recently purchased tablet. Which of the following would BEST describe this attack?
❍ A. Brand impersonation
❍ B. Watering hole attack
❍ C. Smishing
❍ D. Typosquatting
Quick Answer: 161 / The Details: 173

B12. A company has been informed of a hypervisor vulnerability that could allow users on one virtual machine to access resources on another virtual machine. Which of the following would BEST describe this vulnerability?
❍ A. Containerization
❍ B. Jailbreaking
❍ C. SDN
❍ D. Escape
Quick Answer: 161 / The Details: 174

B13. While working from home, users are attending a project meeting over a web conference. When typing in the meeting link, the browser is unexpectedly directed to a different website than the web conference. Users in the office do not have any issues accessing the conference site. Which of the following would be the MOST likely reason for this issue?
❍ A. Buffer overflow
❍ B. Wireless disassociation
❍ C. Amplified DDoS
❍ D. DNS poisoning
Quick Answer: 161 / The Details: 175

B14. A company is launching a new internal application that will not start until a username and password are entered and a smart card is plugged into the computer. Which of the following BEST describes this process?
❍ A. Federation
❍ B. Accounting
❍ C. Authentication
❍ D. Authorization
Quick Answer: 161 / The Details: 176

B15. An online retailer is planning a penetration test as part of their PCI DSS validation. A third-party organization will be performing the test, and the online retailer has provided the Internet-facing IP addresses for their public web servers. No other details were provided. What penetration testing methodology is the online retailer using?
❍ A. Known environment
❍ B. Passive reconnaissance
❍ C. Partially known environment
❍ D. Benchmarks
Quick Answer: 161 / The Details: 177

B16. A manufacturing company produces radar used by commercial and military organizations. A recently proposed policy change would allow the use of mobile devices inside the facility. Which of the following would be the MOST significant threat vector issue associated with this change in policy?
❍ A. Unauthorized software on rooted devices
❍ B. Remote access clients on the mobile devices
❍ C. Out-of-date mobile operating systems
❍ D. Loss of intellectual property
Quick Answer: 161 / The Details: 178

B17. Which of the following would be the BEST way for an organization to verify the digital signature provided by an external email server?
❍ A. Perform a vulnerability scan
❍ B. View the server's device certificate
❍ C. Authenticate to a RADIUS server
❍ D. Check the DKIM record
Quick Answer: 161 / The Details: 179

B18. A company is using older operating systems for their web servers and is concerned about their stability during periods of high use. Which of the following should the company use to maximize the uptime and availability of this service?
❍ A. Cold site
❍ B. UPS
❍ C. Redundant routers
❍ D. Load balancer
Quick Answer: 161 / The Details: 180

B19. A user in the accounting department would like to email a spreadsheet with sensitive information to a list of third-party vendors. Which of the following would be the BEST way to protect the data in this email?
❍ A. Full disk encryption
❍ B. Key exchange algorithm
❍ C. Salted hash
❍ D. Asymmetric encryption
Quick Answer: 161 / The Details: 181

B20. A system administrator would like to segment the network to give the marketing, accounting, and manufacturing departments their own private network. The network communication between departments would be restricted for additional security. Which of the following should be configured on this network?
❍ A. VPN
❍ B. RBAC
❍ C.
VLAN The Details: 182 ❍ D. SDN B21. A technician at an MSP has been asked to manage devices on third-party private network. The technician needs command line access to internal routers, switches, and firewalls. Which of the following would provide the necessary access? Quick ❍ A. HSM Answer: 161 ❍ B. Jump server The Details: 183 ❍ C. NAC ❍ D. Air gap B22. A transportation company is installing new wireless access points in their corporate office. The manufacturer estimates the access points will operate an average of 100,000 hours before a hardware-related outage. Which of the following describes this estimate? ❍ A. MTTR Quick Answer: 161 ❍ B. RPO ❍ C. RTO The Details: 184 ❍ D. MTBF Practice Exam B - Questions 139 B23. A security administrator is creating a policy to prevent the disclosure of credit card numbers in a customer support application. Users of the application would only be able to view the last four digits of a credit card number. Which of the following would provide this functionality? ❍ A. Hashing Quick Answer: 161 ❍ B. Tokenization ❍ C. Masking The Details: 185 ❍ D. Salting B24. A user is authenticating through the use of a PIN and a fingerprint. Which of the following would describe these authentication factors? ❍ A. Something you know, something you are Quick Answer: 161 ❍ B. Something you are, somewhere you are ❍ C. Something you have, something you know The Details: 186 ❍ D. Somewhere you are, something you are B25. A security administrator is configuring the authentication process used by technicians when logging into wireless access points and switches. Instead of using local accounts, the administrator would like to pass all login requests to a centralized database. Which of the following would be the BEST way to implement this requirement? ❍ A. COPE Quick Answer: 161 ❍ B. AAA ❍ C. IPsec The Details: 187 ❍ D. SIEM 140 Practice Exam B - Questions B26. 
A recent audit has determined that many IT department accounts have been granted Administrator access. The audit recommends replacing these permissions with limited access rights. Which of the following would describe this policy? ❍ A. Password vaulting Quick Answer: 161 ❍ B. Offboarding ❍ C. Least privilege The Details: 188 ❍ D. Discretionary access control B27. A recent security audit has discovered email addresses and passwords located in a packet capture. Which of the following did the audit identify? ❍ A. Weak encryption Quick Answer: 161 ❍ B. Improper patch management ❍ C. Insecure protocols The Details: 189 ❍ D. Open ports B28. Before deploying a new application, a company is performing an internal audit to ensure all of their servers are configured with the appropriate security features. Which of the following would BEST describe this process? ❍ A. Due care Quick Answer: 161 ❍ B. Active reconnaissance ❍ C. Data retention The Details: 190 ❍ D. Statement of work B29. An organization has previously purchased insurance to cover a ransomware attack, but the costs of maintaining the policy have increased above the acceptable budget. The company has now decided to cancel the insurance policies and address potential ransomware issues internally. Which of the following would best describe this action? ❍ A. Mitigation Quick Answer: 161 ❍ B. Acceptance ❍ C. Transference The Details: 191 ❍ D. Risk-avoidance Practice Exam B - Questions 141 B30. Which of these threat actors would be MOST likely to install a company's internal application on a public cloud provider? ❍ A. Organized crime Quick Answer: 161 ❍ B. Nation state ❍ C. Shadow IT The Details: 192 ❍ D. Hacktivist B31. An IPS report shows a series of exploit attempts were made against externally facing web servers. The system administrator of the web servers has identified a number of unusual log entries on each system. Which of the following would be the NEXT step in the incident response process? ❍ A. 
Check the IPS logs for any other potential attacks ❍ B. Create a plan for removing malware from the Quick web servers Answer: 161 ❍ C. Disable any breached user accounts The Details: 193 ❍ D. Disconnect the web servers from the network B32. A security administrator is viewing the logs on a laptop in the shipping and receiving department and identifies these events: 8:55:30 AM | D:\Downloads\ChangeLog-5.0.4.scr | Quarantine Success 9:22:54 AM | C:\Program Files\Photo Viewer\ViewerBase.dll | Quarantine Failure 9:44:05 AM | C:\Sales\Sample32.dat | Quarantine Success Which of the following would BEST describe the circumstances surrounding these events? ❍ A. The antivirus application identified three viruses and quarantined two viruses ❍ B. The host-based firewall blocked two traffic flows ❍ C. A host-based allow list has blocked two Quick applications from executing Answer: 161 ❍ D. A network-based IPS has identified two The Details: 194 known vulnerabilities 142 Practice Exam B - Questions B33. In the past, an organization has relied on the curated Apple App Store to avoid issues associated with malware and insecure applications. However, the IT department has discovered an iPhone in the shipping department with applications not available on the Apple App Store. How did the shipping department user install these apps on their mobile device? ❍ A. Side loading Quick Answer: 161 ❍ B. Malicious update ❍ C. VM escape The Details: 196 ❍ D. Cross-site scripting B34. A company has noticed an increase in support calls from attackers. These attackers are using social engineering to gain unauthorized access to customer data. Which of the following would be the BEST way to prevent these attacks? ❍ A. User training Quick Answer: 161 ❍ B. Next-generation firewall ❍ C. Internal audit The Details: 197 ❍ D. Penetration testing B35. As part of an internal audit, each department of a company has been asked to compile a list of all devices, operating systems, and applications in use. 
Which of the following would BEST describe this audit? ❍ A. Attestation Quick Answer: 161 ❍ B. Self-assessment ❍ C. Regulatory compliance The Details: 198 ❍ D. Vendor monitoring B36. A company is concerned about security issues at their remote sites. Which of the following would provide the IT team with more information of potential shortcomings? Quick ❍ A. Gap analysis Answer: 161 ❍ B. Policy administrator ❍ C. Change management The Details: 199 ❍ D. Dependency list Practice Exam B - Questions 143 B37. An attacker has identified a number of devices on a corporate network with the username of “admin” and the password of “admin.” Which of the following describes this situation? ❍ A. Open service ports Quick Answer: 161 ❍ B. Default credentials ❍ C. Unsupported systems The Details: 200 ❍ D. Phishing B38. A security administrator attends an annual industry convention with other security professionals from around the world. Which of the following attacks would be MOST likely in this situation? ❍ A. Smishing Quick Answer: 161 ❍ B. Supply chain ❍ C. SQL injection The Details: 201 ❍ D. Watering hole B39. A transportation company headquarters is located in an area with frequent power surges and outages. The security administrator is concerned about the potential for downtime and hardware failures. Which of the following would provide the most protection against these issues? Select TWO. ❍ A. UPS Quick Answer: 161 ❍ B. Parallel processing ❍ C. Snapshots The Details: 202 ❍ D. Multi-cloud system ❍ E. Load balancing ❍ F. Generator 144 Practice Exam B - Questions B40. An organization has developed an in-house mobile device app for order processing. The developers would like the app to identify revoked server certificates without sending any traffic over the corporate Internet connection. Which of the following must be configured to allow this functionality? Quick ❍ A. CSR generation Answer: 161 ❍ B. OCSP stapling The Details: 203 ❍ C. Key escrow ❍ D. Wildcard B41. 
A security administrator has been asked to build a network link to secure all communication between two remote locations. Which of the following would be the best choice for this task? ❍ A. SCAP Quick Answer: 161 ❍ B. Screened subnet ❍ C. IPsec The Details: 204 ❍ D. Network access control B42. A Linux administrator has received a ticket complaining of response issues with a database server. After connecting to the server, the administrator views this information: Filesystem Size Used Avail Use% Mounted on /dev/xvda1 158G 158G 0 100% / Which of the following would BEST describe this information? ❍ A. Buffer overflow Quick Answer: 161 ❍ B. Resource consumption ❍ C. SQL injection The Details: 205 ❍ D. Race condition Practice Exam B - Questions 145 B43. Which of the following can be used for credit card transactions from a mobile device without sending the actual credit card number across the network? ❍ A. Tokenization Quick Answer: 161 ❍ B. Hashing ❍ C. Steganography The Details: 206 ❍ D. Masking B44. A security administrator receives a report each week showing a Linux vulnerability associated with a Windows server. Which of the following would prevent this information from appearing in the report? ❍ A. Alert tuning Quick Answer: 161 ❍ B. Application benchmarking ❍ C. SIEM aggregation The Details: 207 ❍ D. Data archiving B45. Which of the following would a company use to calculate the loss of a business activity if a vulnerability is exploited? ❍ A. Risk tolerance Quick Answer: 161 ❍ B. Vulnerability classification ❍ C. Environmental variables The Details: 208 ❍ D. Exposure factor B46. An administrator is designing a network to be compliant with a security standard for storing credit card numbers. Which of the following would be the BEST choice to provide this compliance? ❍ A. Implement RAID for all storage systems Quick Answer: 161 ❍ B. Connect a UPS to all servers ❍ C. DNS should be available on redundant servers The Details: 209 ❍ D. 
Perform regular audits and vulnerability scans 146 Practice Exam B - Questions B47. A company is accepting proposals for an upcoming project, and one of the responses is from a business owned by a board member. Which of the following would describe this situation? ❍ A. Due diligence Quick Answer: 161 ❍ B. Vendor monitoring ❍ C. Conflict of interest The Details: 210 ❍ D. Right-to-audit B48. A company has rolled out a new application that requires the use of a hardware-based token generator. Which of the following would be the BEST description of this access feature? ❍ A. Something you know Quick Answer: 161 ❍ B. Somewhere you are ❍ C. Something you are The Details: 211 ❍ D. Something you have B49. A company has signed an SLA with an Internet service provider. Which of the following would BEST describe the requirements of this SLA? ❍ A. The customer will connect to remote sites over Quick an IPsec tunnel Answer: 161 ❍ B. The service provider will provide 99.99% uptime The Details: 212 ❍ C. The customer applications use HTTPS over tcp/443 ❍ D. Customer application use will be busiest on the 15th of each month B50. An attacker has created multiple social media accounts and is posting information in an attempt to get the attention of the media. Which of the following would BEST describe this attack? ❍ A. On-path Quick Answer: 161 ❍ B. Watering hole ❍ C. Misinformation campaign The Details: 213 ❍ D. Phishing Practice Exam B - Questions 147 B51. Which of the following would be the BEST way to protect credit card account information when performing real-time purchase authorizations? ❍ A. Masking Quick Answer: 161 ❍ B. DLP ❍ C. Tokenization The Details: 214 ❍ D. NGFW B52. A company must comply with legal requirements for storing customer data in the same country as the customer's mailing address. Which of the following would describe this requirement? ❍ A. Geographic dispersion Quick Answer: 161 ❍ B. Least privilege ❍ C. Data sovereignty The Details: 215 ❍ D. 
Exfiltration B53. A company is installing access points in all of their remote sites. Which of the following would provide confidentiality for all wireless data? ❍ A. 802.1X Quick Answer: 161 ❍ B. WPA3 ❍ C. RADIUS The Details: 216 ❍ D. MDM B54. A security administrator has found a keylogger installed in an update of the company's accounting software. Which of the following would prevent the transmission of the collected logs? ❍ A. Prevent the installation of all software Quick Answer: 161 ❍ B. Block all unknown outbound network traffic at the Internet firewall The Details: 217 ❍ C. Install host-based anti-virus software ❍ D. Scan all incoming email attachments at the email gateway 148 Practice Exam B - Questions B55. A user in the marketing department is unable to connect to the wireless network. After authenticating with a username and password, the user receives this message: -- -- -- The connection attempt could not be completed. The Credentials provided by the server could not be validated. Radius Server: radius.example.com Root CA: Example.com Internal CA Root Certificate -- -- -- The AP is configured with WPA3 encryption and 802.1X authentication. Which of the following is the MOST likely reason for this login issue? Quick Answer: 161 ❍ A. The user’s computer is in the incorrect VLAN ❍ B. The RADIUS server is not responding The Details: 218 ❍ C. The user’s computer does not support WPA3 encryption ❍ D. The user is in a location with an insufficient wireless signal ❍ E. The client computer does not have the proper certificate installed B56. A security administrator has created a new policy prohibiting the use of MD5 hashes due to collision problems. Which of the following describes the reason for this new policy? Quick ❍ A. Two different messages have different hashes Answer: 161 ❍ B. The original message can be derived from the hash The Details: 220 ❍ C. Two identical messages have the same hash ❍ D. 
Two different messages share the same hash Practice Exam B - Questions 149 B57. A security administrator has been tasked with hardening all internal web servers to control access from certain IP address ranges and ensure all transferred data remains confidential. Which of the following should the administrator include in his project plan? (Select TWO) ❍ A. Change the administrator password Quick Answer: 161 ❍ B. Use HTTPS for all server communication ❍ C. Uninstall all unused software The Details: 221 ❍ D. Enable a host-based firewall ❍ E. Install the latest operating system update B58. A security administrator has identified the installation of ransomware on a database server and has quarantined the system. Which of the following should be followed to ensure that the integrity of the evidence is maintained? ❍ A. E-discovery Quick ❍ B. Non-repudiation Answer: 161 ❍ C. Chain of custody The Details: 222 ❍ D. Legal hold B59. Which of the following would be the BEST option for application testing in an environment completely separated from the production network? ❍ A. Virtualization Quick Answer: 161 ❍ B. VLANs ❍ C. Cloud computing The Details: 223 ❍ D. Air gap B60. A security engineer is planning the installation of a new IPS. The network must remain operational if the IPS is turned off or disabled. Which of the following would describe this configuration? ❍ A. Containerization Quick Answer: 161 ❍ B. Load balancing ❍ C. Fail open The Details: 224 ❍ D. Tunneling 150 Practice Exam B - Questions B61. Which of the following describes the process of hiding data from others by embedding the data inside of a different media type? ❍ A. Hashing Quick Answer: 161 ❍ B. Obfuscation ❍ C. Encryption The Details: 225 ❍ D. Masking B62. Which of the following vulnerabilities would be the MOST significant security concern when protecting against a hacktivist? ❍ A. Data center access with only one Quick authentication factor Answer: 161 ❍ B. 
Spoofing of internal IP addresses when The Details: 226 accessing an intranet server ❍ C. Employee VPN access uses a weak encryption cipher ❍ D. Lack of patch updates on an Internet-facing database server B63. A company is installing a security appliance to protect the organization's web-based applications from attacks such as SQL injections and unexpected input. Which of the following would BEST describe this appliance? ❍ A. WAF Quick Answer: 161 ❍ B. VPN concentrator ❍ C. UTM The Details: 227 ❍ D. SASE B64. Which of the following would be the BEST way to determine if files have been modified after the forensics data acquisition process has occurred? Quick ❍ A. Use a tamper seal on all storage devices Answer: 161 ❍ B. Create a hash of the data The Details: 228 ❍ C. Image each storage device for future comparison ❍ D. Take screenshots of file directories with file sizes Practice Exam B - Questions 151 B65. A system administrator is implementing a password policy that would require letters, numbers, and special characters to be included in every password. Which of the following controls MUST be in place to enforce this password policy? Quick ❍ A. Length Answer: 161 ❍ B. Expiration The Details: 229 ❍ C. Reuse ❍ D. Complexity B66. Which of the following would a company follow to deploy a weekly operating system patch? ❍ A. Tabletop exercise Quick Answer: 161 ❍ B. Penetration testing ❍ C. Change management The Details: 230 ❍ D. Internal audit B67. Which of the following would be the MOST likely result of plaintext application communication? ❍ A. Buffer overflow Quick Answer: 161 ❍ B. Replay attack ❍ C. Resource consumption The Details: 231 ❍ D. Directory traversal B68. A system administrator believes that certain configuration files on a Linux server have been modified from their original state. The administrator has reverted the configurations to their original state, but he would like to be notified if they are changed again. 
Which of the following would be the BEST way to provide this functionality? Quick ❍ A. HIPS Answer: 161 ❍ B. File integrity monitoring The Details: 232 ❍ C. Application allow list ❍ D. WAF 152 Practice Exam B - Questions B69. A security administrator is updating the network infrastructure to support 802.1X. Which of the following would be the BEST choice for this configuration? ❍ A. LDAP Quick Answer: 161 ❍ B. SIEM ❍ C. SNMP traps The Details: 233 ❍ D. SPF B70. A company owns a time clock appliance, but the time clock doesn’t provide any access to the operating system and it doesn't provide a method to upgrade the firmware. Which of the following describes this appliance? ❍ A. End-of-life Quick Answer: 161 ❍ B. ICS ❍ C. SDN The Details: 234 ❍ D. Embedded system B71. A company has deployed laptops to all employees, and each laptop is enumerated during each login. Which of the following is supported with this configuration? ❍ A. If the laptop hardware is modified, the security team is alerted Quick ❍ B. Any malware identified on the system is Answer: 161 automatically deleted ❍ C. Users are required to use at least two factors The Details: 235 of authentication ❍ D. The laptop is added to a private VLAN after the login process Practice Exam B - Questions 153 B72. A security manager believes that an employee is using their laptop to circumvent the corporate Internet security controls through the use of a cellular hotspot. Which of the following could be used to validate this belief ? (Select TWO) Quick ❍ A. HIPS Answer: 161 ❍ B. UTM logs ❍ C. Web application firewall events The Details: 236 ❍ D. Host-based firewall logs ❍ E. Next-generation firewall logs B73. An application developer is creating a mobile device app that will require a true random number generator real-time memory encryption. Which of the following technologies would be the BEST choice for this app? ❍ A. HSM Quick Answer: 161 ❍ B. Secure enclave ❍ C. NGFW The Details: 237 ❍ D. 
Self-signed certificates B74. Which of the following would be a common result of a successful vulnerability scan? ❍ A. Usernames and password hashes from a server Quick Answer: 161 ❍ B. A list of missing software patches ❍ C. A copy of image files from a private file share The Details: 238 ❍ D. The BIOS configuration of a server B75. When connected to the wireless network, users at a remote site receive an IP address which is not part of the corporate address scheme. Communication over this network is also slower than the wireless connections elsewhere in the building. Which of the following would be the MOST likely reason for these issues? ❍ A. Rogue access point Quick Answer: 161 ❍ B. Domain hijack ❍ C. DDoS The Details: 239 ❍ D. Encryption is enabled 154 Practice Exam B - Questions B76. A company has identified a compromised server, and the security team would like to know if an attacker has used this device to move between systems. Which of the following would be the BEST way to provide this information? ❍ A. DNS server logs Quick Answer: 161 ❍ B. Penetration test ❍ C. NetFlow logs The Details: 240 ❍ D. Email metadata B77. A system administrator has protected a set of system backups with an encryption key. The system administrator used the same key when restoring files from this backup. Which of the following would BEST describe this encryption type? ❍ A. Asymmetric Quick Answer: 161 ❍ B. Key escrow ❍ C. Symmetric The Details: 241 ❍ D. Out-of-band key exchange B78. A new malware variant takes advantage of a vulnerability in a popular email client. Once installed, the malware forwards all email attachments containing credit card information to an external email address. Which of the following would limit the scope of this attack? ❍ A. Enable MFA on the email client Quick Answer: 161 ❍ B. Scan outgoing traffic with DLP ❍ C. Require users to enable the VPN when The Details: 242 using email ❍ D. 
Update the list of malicious URLs in the firewall Practice Exam B - Questions 155 B79. An organization has identified a security breach and has removed the affected servers from the network. Which of the following is the NEXT step in the incident response process? ❍ A. Eradication Quick Answer: 161 ❍ B. Preparation ❍ C. Recovery The Details: 243 ❍ D. Detection ❍ E. Containment B80. A security administrator has been tasked with storing and protecting customer payment and shipping information for a three-year period. Which of the following would describe the source of this data? ❍ A. Controller Quick ❍ B. Owner Answer: 161 ❍ C. Data subject The Details: 244 ❍ D. Processor B81. Which of the following would be the main reasons why a system administrator would use a TPM when configuring full disk encryption? (Select TWO) ❍ A. Allows the encryption of multiple volumes Quick ❍ B. Uses burned-in cryptographic keys Answer: 161 ❍ C. Stores certificates in a hardware security module The Details: 245 ❍ D. Maintains a copy of the CRL ❍ E. Includes built-in protections against brute-force attacks 156 Practice Exam B - Questions B82. A security administrator is using an access control where each file or folder is assigned a security clearance level, such as “confidential” or “secret.” The security administrator then assigns a maximum security level to each user. What type of access control is used in this network? ❍ A. Mandatory Quick Answer: 161 ❍ B. Rule-based ❍ C. Discretionary The Details: 246 ❍ D. Role-based B83. Cameron, a security administrator, is reviewing a report that shows a number of devices on internal networks attempting to connect with servers in the data center network. Which of the following security controls should Cameron add to prevent internal systems from accessing data center devices? ❍ A. VPN ❍ B. IPS Quick Answer: 161 ❍ C. SIEM ❍ D. ACL The Details: 247 B84. 
A financial services company is headquartered in an area with a high occurrence of tropical storms and hurricanes. Which of the following would be MOST important when restoring services disabled by a storm? ❍ A. Disaster recovery plan Quick ❍ B. Stakeholder management Answer: 161 ❍ C. Change management The Details: 248 ❍ D. Retention policies Practice Exam B - Questions 157 B85. A user in the mail room has reported an overall slowdown of his shipping management software. An anti-virus scan did not identify any issues, but a more thorough malware scan identified a kernel driver which is not part of the original operating system installation. Which of the following malware was installed on this system? ❍ A. Rootkit Quick Answer: 161 ❍ B. Logic bomb ❍ C. Bloatware The Details: 249 ❍ D. Ransomware ❍ E. Keylogger B86. A virus scanner has identified a macro virus in a word processing file attached to an email. Which of the following information could be obtained from the metadata of this file? ❍ A. IPS signature name and number Quick Answer: 161 ❍ B. Operating system version ❍ C. Date and time when the file was created The Details: 250 ❍ D. Alert disposition B87. When a person enters a data center facility, they must check-in before they are allowed to move further into the building. People who are leaving must be formally checked-out before they are able to exit the building. Which of the following would BEST facilitate this process? ❍ A. Access control vestibule Quick Answer: 161 ❍ B. Air gap ❍ C. Pressure sensors The Details: 251 ❍ D. Bollards 158 Practice Exam B - Questions B88. A security administrator has discovered an employee exfiltrating confidential company information by embedding data within image files and emailing the images to a third-party. Which of the following would best describe this activity? ❍ A. Digital signatures Quick Answer: 161 ❍ B. Steganography ❍ C. Salting The Details: 252 ❍ D. Data masking B89. 
A third-party has been contracted to perform a penetration test on a company's public web servers. The testing company has been provided with the external IP addresses of the servers. Which of the following would describe this scenario? ❍ A. Defensive Quick Answer: 161 ❍ B. Active reconnaissance ❍ C. Partially known environment The Details: 253 ❍ D. Regulatory B90. Which of the following would be the best way to describe the estimated number of laptops that might be stolen in a fiscal year? Quick Answer: 161 ❍ A. ALE ❍ B. SLE The Details: 254 ❍ C. ARO ❍ D. MTTR Practice Exam B - Questions 159 Practice Exam C Multiple Choice Questions C6. A finance company is legally required to maintain seven years of tax records for all of their customers. Which of the following would be the BEST way to implement this requirement? ❍ A. Automate a script to remove all tax information Quick more than seven years old Answer: 289 ❍ B. Print and store all tax records in a seven-year cycle The Details: 297 ❍ C. Allow users to download tax records from their account login ❍ D. Create a separate daily backup archive for all applicable tax records C7. A system administrator is designing a data center for an insurance company’s new public cloud and would like to automatically rotate encryption keys on a regular basis. Which of the following would provide this functionality?
