SY0-701 V14.35.pdf

Full Transcript

IT Certification Guaranteed, The Easy Way!

Exam : SY0-701

Title : CompTIA Security+
Certification Exam

Vendor : CompTIA

Version : V14.35

1
 IT Certification Guaranteed, The Easy Way!

NO.1 Which of the following must be considered when designing a high-availability network? (Select
two).
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication
Answer: A E
Explanation:
A high-availability network is a network that is designed to minimize downtime and ensure
continuous operation of critical services and applications. To achieve this goal, a high-availability
network must consider two important factors: ease of recovery and attack surface.
Ease of recovery refers to the ability of a network to quickly restore normal functionality after a
failure, disruption, or disaster. A high-availability network should have mechanisms such as
redundancy, failover, backup, and restore to ensure that any single point of failure does not cause a
complete network outage. A high-availability network should also have procedures and policies for
incident response, disaster recovery, and business continuity to minimize the impact of any network
issue on the organization's operations and reputation.
Attack surface refers to the exposure of a network to potential threats and vulnerabilities. A high-
availability network should have measures such as encryption, authentication, authorization, firewall,
intrusion detection and prevention, and patch management to protect the network from
unauthorized access, data breaches, malware, denial-of-service attacks, and other cyberattacks. A
high-availability network should also have processes and tools for risk assessment, threat
intelligence, vulnerability scanning, and penetration testing to identify and mitigate any weaknesses
or gaps in the network security.
References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4: Architecture and
Design, pages 164-1651. CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 4:
Architecture and Design, pages 164-1652.

NO.2 A company needs to provide administrative access to internal resources while minimizing the
traffic allowed through the security boundary. Which of the following methods is most secure?
A. Implementing a bastion host
B. Deploying a perimeter network
C. Installing a WAF
D. Utilizing single sign-on
Answer: A
Explanation:
A bastion host is a special-purpose server that is designed to withstand attacks and provide secure
access to internal resources. A bastion host is usually placed on the edge of a network, acting as a
gateway or proxy to the internal network. A bastion host can be configured to allow only certain
types of traffic, such as SSH or HTTP, and block all other traffic. A bastion host can also run security
software such as firewalls, intrusion detection systems, and antivirus programs to monitor and filter
incoming and outgoing traffic. A bastion host can provide administrative access to internal resources
by requiring strong authentication and encryption, and by logging all activities for auditing

2
 IT Certification Guaranteed, The Easy Way!

purposes12.
A bastion host is the most secure method among the given options because it minimizes the traffic
allowed through the security boundary and provides a single point of control and defense. A bastion
host can also isolate the internal network from direct exposure to the internet or other untrusted
networks, reducing the attack surface and the risk of compromise3.

NO.3 A company is discarding a classified storage array and hires an outside vendor to complete the
disposal.
Which of the following should the company request from the vendor?

A. Certification
B. Inventory list
C. Classification
D. Proof of ownership
Answer: A
Explanation:
The company should request a certification from the vendor that confirms the storage array has been
disposed of securely and in compliance with the company's policies and standards. A certification
provides evidence that the vendor has followed the proper procedures and methods to destroy the
classified data and prevent unauthorized access or recovery. A certification may also include details
such as the date, time, location, and method of disposal, as well as the names and signatures of the
personnel involved. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter
3, page 1441

3
 IT Certification Guaranteed, The Easy Way!

NO.4 A systems administrator works for a local hospital and needs to ensure patient data is
protected and secure.
Which of the following data classifications should be used to secure patient data?
A. Private
B. Critical
C. Sensitive
D. Public
Answer: C
Explanation:

Patient data in a hospital setting typically falls under the category of sensitive data. Sensitive data
classifications are used to indicate information that requires a higher level of protection due to its
confidentiality, integrity, and/or availability concerns. Patient data, including medical records,
diagnoses, treatments, and personal information, is considered sensitive and should be treated as
such to ensure compliance with privacy regulations like HIPAA (Health Insurance Portability and
Accountability Act) in the United States or similar regulations in other countries.

NO.5 Which of the following is used to protect a computer from viruses, malware, and Trojans being
installed and moving laterally across the network?
A. IDS
B. ACL
C. EDR
D. NAC
Answer: C
Explanation:
Endpoint detection and response (EDR) is a technology that monitors and analyzes the activity and
behavior of endpoints, such as computers, laptops, mobile devices, and servers. EDR can help to
detect and prevent malicious software, such as viruses, malware, and Trojans, from infecting the

4
 IT Certification Guaranteed, The Easy Way!

endpoints and spreading across the network. EDR can also provide visibility and response capabilities
to contain and remediate threats. EDR is different from IDS, which is a network-based technology
that monitors and alerts on network traffic anomalies. EDR is also different from ACL, which is a list of
rules that control the access to network resources. EDR is also different from NAC, which is a
technology that enforces policies on the network access of devices based on their identity and
compliance status. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page
2561

NO.6 During a security incident, the security operations team identified sustained network traffic
from a malicious IP address:
10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing
the organization's network. Which of the following fulfills this request?
A. access-list inbound deny ig source 0.0.0.0/0 destination 10.1.4.9/32
B. access-list inbound deny ig source 10.1.4.9/32 destination 0.0.0.0/0
C. access-list inbound permit ig source 10.1.4.9/32 destination 0.0.0.0/0
D. access-list inbound permit ig source 0.0.0.0/0 destination 10.1.4.9/32
Answer: B
Explanation:
--"access-list inbound" indicates that this rule is being applied to an inbound access list.
--"deny" specifies that the traffic matching this rule should be denied.
--"ig" (which might represent an interface group or interface) is not explicitly defined in the question
but is likely referring to the interface where the inbound traffic is being filtered.
--"source 10.1.4.9/32" specifies the source IP address that the rule applies to. The /32 subnet mask
indicates a single IP address.
--"destination 0.0.0.0/0" indicates that the rule applies to traffic destined for any IP address.

NO.7 During an investigation, an incident response team attempts to understand the source of an
incident. Which of the following incident response activities describes this process?
A. Analysis
B. Lessons learned
C. Detection

5
 IT Certification Guaranteed, The Easy Way!

D. Containment
Answer: A
Explanation:
Analysis is the incident response activity that describes the process of understanding the source of an
incident.
Analysis involves collecting and examining evidence, identifying the root cause, determining the
scope and impact, and assessing the threat actor's motives and capabilities. Analysis helps the
incident response team to formulate an appropriate response strategy, as well as to prevent or
mitigate future incidents. Analysis is usually performed after detection and before containment,
eradication, recovery, and lessons learned.
References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701,
9th Edition, Chapter 6, page 223. CompTIA Security+ SY0-701 Exam Objectives, Domain 4.2, page 13.

NO.8 A network manager wants to protect the company's VPN by implementing multifactor
authentication that uses:. Something you know. Something you have. Something you are
Which of the following would accomplish the manager's goal?
A. Domain name, PKI, GeolP lookup
B. VPN IP address, company ID, facial structure
C. Password, authentication token, thumbprint
D. Company URL, TLS certificate, home address
Answer: C
Explanation:
The correct answer is C. Password, authentication token, thumbprint. This combination of
authentication factors satisfies the manager's goal of implementing multifactor authentication that
uses something you know, something you have, and something you are.
* Something you know is a type of authentication factor that relies on the user's knowledge of a
secret or personal information, such as a password, a PIN, or a security question. A password is a
common example of something you know that can be used to access a VPN12
* Something you have is a type of authentication factor that relies on the user's possession of a
physical object or device, such as a smart card, a token, or a smartphone. An authentication token is
a common example of something you have that can be used to generate a one-time password (OTP)
or a code that can be used to access a VPN12
* Something you are is a type of authentication factor that relies on the user's biometric
characteristics, such as a fingerprint, a face, or an iris. A thumbprint is a common example of
something you are that can be used to scan and verify the user's identity to access a VPN12
References:

NO.9 Which of the following is the best way to consistently determine on a daily basis whether
security settings on servers have been modified?

6
 IT Certification Guaranteed, The Easy Way!

A. Automation
B. Compliance checklist
C. Attestation
D. Manual audit
Answer: A
Explanation:
Automation is the best way to consistently determine on a daily basis whether security settings on
servers have been modified. Automation is the process of using software, hardware, or other tools to
perform tasks that would otherwise require human intervention or manual effort. Automation can
help to improve the efficiency, accuracy, and consistency of security operations, as well as reduce
human errors and costs.
Automation can be used to monitor, audit, and enforce security settings on servers, such as firewall
rules, encryption keys, access controls, patch levels, and configuration files. Automation can also alert
security personnel of any changes or anomalies that may indicate a security breach or
compromise12.
The other options are not the best ways to consistently determine on a daily basis whether security
settings on servers have been modified:
* Compliance checklist: This is a document that lists the security requirements, standards, or best
practices that an organization must follow or adhere to. A compliance checklist can help to ensure
that the security settings on servers are aligned with the organizational policies and regulations, but
it does not automatically detect or report any changes or modifications that may occur on a daily
basis3.
* Attestation: This is a process of verifying or confirming the validity or accuracy of a statement,
claim, or fact. Attestation can be used to provide assurance or evidence that the security settings on
servers are correct and authorized, but it does not continuously monitor or audit any changes or
modifications that may occur on a daily basis4.
* Manual audit: This is a process of examining or reviewing the security settings on servers by human
inspectors or auditors. A manual audit can help to identify and correct any security issues or
discrepancies on servers, but it is time-consuming, labor-intensive, and prone to human errors. A
manual audit may not be feasible or practical to perform on a daily basis.

NO.10 A company has begun labeling all laptops with asset inventory stickers and associating them
with employee IDs. Which of the following security benefits do these actions provide? (Choose two.)
A. If a security incident occurs on the device, the correct employee can be notified.
B. The security team will be able to send user awareness training to the appropriate device.
C. Users can be mapped to their devices when configuring software MFA tokens.
D. User-based firewall policies can be correctly targeted to the appropriate laptops.
E. When conducting penetration testing, the security team will be able to target the desired laptops.
F. Company data can be accounted for when the employee leaves the organization.
Answer: A F

7
 IT Certification Guaranteed, The Easy Way!

Explanation:
Labeling all laptops with asset inventory stickers and associating them with employee IDs can provide
several security benefits for a company. Two of these benefits are:
* A: If a security incident occurs on the device, the correct employee can be notified. An asset
inventory sticker is a label that contains a unique identifier for a laptop, such as a serial number, a
barcode, or a QR code. By associating this identifier with an employee ID, the security team can easily
track and locate the owner of the laptop in case of a security incident, such as a malware infection, a
data breach, or a theft. This way, the security team can notify the correct employee about the
incident, and provide them with the necessary instructions or actions to take, such as changing
passwords, scanning for viruses, or reporting the loss. This can help to contain the incident, minimize
the damage, and prevent further escalation.
* F: Company data can be accounted for when the employee leaves the organization. When an
employee leaves the organization, the company needs to ensure that all the company data and assets
are returned or deleted from the employee's laptop. By labeling the laptop with an asset inventory
sticker and associating it with an employee ID, the company can easily identify and verify the laptop
that belongs to the departing employee, and perform the appropriate data backup, wipe, or transfer
procedures. This can help to protect the company data from unauthorized access, disclosure, or
misuse by the former employee or any other party.
The other options are not correct because they are not related to the security benefits of labeling
laptops with asset inventory stickers and associating them with employee IDs.

NO.11 A user is attempting to patch a critical system, but the patch fails to transfer. Which of the
following access controls is most likely inhibiting the transfer?
A. Attribute-based
B. Time of day

8
 IT Certification Guaranteed, The Easy Way!

C. Role-based
D. Least privilege
Answer: D
Explanation:
The least privilege principle states that users and processes should only have the minimum level of
access required to perform their tasks. This helps to prevent unauthorized or unnecessary actions
that could compromise security. In this case, the patch transfer might be failing because the user or
process does not have the appropriate permissions to access the critical system or the network
resources needed for the transfer. Applying the least privilege principle can help to avoid this issue by
granting the user or process the necessary access rights for the patching activity.

NO.12 An organization's internet-facing website was compromised when an attacker exploited a
buffer overflow.
Which of the following should the organization deploy to best protect against similar attacks in the
future?
A. NGFW
B. WAF
C. TLS
D. SD-WAN
Answer: B
Explanation:
A buffer overflow is a type of software vulnerability that occurs when an application writes more data
to a memory buffer than it can hold, causing the excess data to overwrite adjacent memory locations.
This can lead to unexpected behavior, such as crashes, errors, or code execution. A buffer overflow
can be exploited by an attacker to inject malicious code or commands into the application, which can
compromise the security and functionality of the system. An organization's internet-facing website
was compromised when an attacker exploited a buffer overflow. To best protect against similar
attacks in the future, the organization should deploy a web application firewall (WAF). A WAF is a
type of firewall that monitors and filters the traffic between a web application and the internet. A
WAF can detect and block common web attacks, such as buffer overflows, SQL injections, cross-site
scripting (XSS), and more. A WAF can also enforce security policies and rules, such as input validation,
output encoding, and encryption. A WAF can provide a layer of protection for the web application,
preventing attackers from exploiting its vulnerabilities and compromising its data. References =
Buffer Overflows - CompTIA Security+ SY0-701 - 2.3, Web Application Firewalls - CompTIA Securit
y+ SY0-701 - 2.4, [CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0
-701, 9th Edition]

NO.13 A Chief Information Security Officer wants to monitor the company's servers for SQLi attacks
and allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to
allow traffic monitoring. Which of the following strategies would best accomplish this goal?
A. Logging all NetFlow traffic into a SIEM
B. Deploying network traffic sensors on the same subnet as the servers
C. Logging endpoint and OS-specific security logs
D. Enabling full packet capture for traffic entering and exiting the servers

9
 IT Certification Guaranteed, The Easy Way!

Answer: D
Explanation:
Full packet capture is a technique that records all network traffic passing through a device, such as a
router or firewall. It allows for detailed analysis and investigation of network events, such as SQLi
attacks, by providing the complete content and context of the packets. Full packet capture can help
identify the source, destination, payload, and timing of an SQLi attack, as well as the impact on the
server and database. Logging NetFlow traffic, network traffic sensors, and endpoint and OS-specific
security logs can provide some information about network activity, but they do not capture the full
content of the packets, which may limit the scope and depth of the investigation. References:

NO.14 A systems administrator is working on a solution with the following requirements:
* Provide a secure zone.
* Enforce a company-wide access control policy.
* Reduce the scope of threats.
Which of the following is the systems administrator setting up?
A. Zero Trust
B. AAA
C. Non-repudiation
D. CIA
Answer: A
Explanation:
Zero Trust is a security concept based on the idea that organizations should not automatically trust
anything inside or outside their perimeters and must verify anything and everything trying to
connect to its systems before granting access. It emphasizes strict access controls and verification
processes, effectively creating secure zones within the network while reducing the scope of
potential threats.

NO.15 An administrator notices that several users are logging in from suspicious IP addresses. After
speaking with the users, the administrator determines that the employees were not logging in from
those IP addresses and resets the affected users' passwords. Which of the following should the
administrator implement to prevent this type of attack from succeeding in the future?
A. Multifactor authentication
B. Permissions assignment
C. Access management
D. Password complexity
Answer: A
Explanation:

10
 IT Certification Guaranteed, The Easy Way!

The correct answer is A because multifactor authentication (MFA) is a method of verifying a user's
identity by requiring more than one factor, such as something the user knows (e.g., password),
something the user has (e.g., token), or something the user is (e.g., biometric). MFA can prevent
unauthorized access even if the user's password is compromised, as the attacker would need to
provide another factor to log in. The other options are incorrect because they do not address the root
cause of the attack, which is weak authentication.

NO.16 An enterprise is trying to limit outbound DNS traffic originating from its internal network.
Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which
of the following firewall ACLs will accomplish this goal?
A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53
B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53
D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
Answer: D
Explanation:
A firewall ACL (access control list) is a set of rules that determines which traffic is allowed or denied
by the firewall. The rules are processed in order, from top to bottom, until a match is found. The
syntax of a firewall ACL rule is:
Access list To limit
outbound DNS traffic originating from the internal network, the firewall ACL should allow only the
device with the IP address 10.50.10.25 to send DNS requests to any destination on port 53, and deny
all other outbound traffic on port 53. The correct firewall ACL is:
Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0
0.0.0.0/0 port 53 The first rule permits outbound traffic from the source address 10.50.10.25/32 (a
single host) to any destination address (0.0.0.0/0) on port 53 (DNS). The second rule denies all other
outbound traffic on port 532.

11
 IT Certification Guaranteed, The Easy Way!

NO.17 Employees in the research and development business unit receive extensive training to
ensure they understand how to best protect company data. Which of the following is the type of data
these employees are most likely to use in day-to-day work activities?
A. Encrypted
B. Intellectual property
C. Critical
D. Data in transit
Answer: B
Explanation:
Employees in the research and development (R&D) business unit are likely to work with intellectual
property data on a day-to-day basis. Intellectual property refers to creations of the mind, such as
inventions, designs, processes, or information, which can be legally protected. In an R&D
environment, employees are often involved in creating, refining, and managing intellectual property,
making it crucial for them to understand how to best protect such data.

NO.18 A technician is opening ports on a firewall for a new system being deployed and supported by
a SaaS provider.
Which of the following is a risk in the new system?
A. Default credentials
B. Non-segmented network
C. Supply chain vendor
D. Vulnerable software
Answer: C
Explanation:
A supply chain vendor is a third-party entity that provides goods or services to an organization, such
as a SaaS provider. A supply chain vendor can pose a risk to the new system if the vendor has poor
security practices, breaches, or compromises that could affect the confidentiality, integrity, or
availability of the system or its data. The organization should perform due diligence and establish a
service level agreement with the vendor to mitigate this risk. The other options are not specific to the
scenario of using a SaaS provider, but rather general risks that could apply to any system.

NO.19 An organization is struggling with scaling issues on its VPN concentrator and internet circuit
due to remote work. The organization is looking for a software solution that will allow it to reduce
traffic on the VPN and internet circuit, while still providing encrypted tunnel access to the data center
and monitoring of remote employee internet traffic. Which of the following will help achieve these
objectives?
A. Deploying a SASE solution to remote employees
B. Building a load-balanced VPN solution with redundant internet
C. Purchasing a low-cost SD-WAN solution for VPN traffic
D. Using a cloud provider to create additional VPN concentrators

12
 IT Certification Guaranteed, The Easy Way!

Answer: A
Explanation:
SASE stands for Secure Access Service Edge. It is a cloud-based service that combines network and
security functions into a single integrated solution. SASE can help reduce traffic on the VPN and
internet circuit by providing secure and optimized access to the data center and cloud applications
for remote employees. SASE can also monitor and enforce security policies on the remote employee
internet traffic, regardless of their location or device. SASE can offer benefits such as lower costs,
improved performance, scalability, and flexibility compared to traditional VPN solutions.

NO.20 An employee clicked a link in an email from a payment website that asked the employee to
update contact information. The employee entered the log-in information but received a "page not
found" error message.
Which of the following types of social engineering attacks occurred?
A. Brand impersonation
B. Pretexting
C. Typosquatting
D. Phishing
Answer: D
Explanation:
Phishing is a type of social engineering attack that involves sending fraudulent emails that appear to
be from legitimate sources, such as payment websites, banks, or other trusted entities. The goal of
phishing is to trick the recipients into clicking on malicious links, opening malicious attachments, or
providing sensitive information, such as log-in credentials, personal data, or financial details. In this
scenario, the employee received an email from a payment website that asked the employee to
update contact information. The email contained a link that directed the employee to a fake website
that mimicked the appearance of the real one.
The employee entered the log-in information, but received a "page not found" error message. This
indicates that the employee fell victim to a phishing attack, and the attacker may have captured the
employee's credentials for the payment website..

NO.21 Which of the following vulnerabilities is associated with installing software outside of a
manufacturer's approved software repository?

A. Jailbreaking
B. Memory injection
C. Resource reuse
D. Side loading
Answer: D
Explanation:
Side loading is the process of installing software outside of a manufacturer's approved software
repository.
This can expose the device to potential vulnerabilities, such as malware, spyware, or unauthorized

13
 IT Certification Guaranteed, The Easy Way!

access. Side loading can also bypass security controls and policies that are enforced by the
manufacturer or the organization. Side loading is often done by users who want to access
applications or features that are not available or allowed on their devices.

NO.22 A company is concerned about weather events causing damage to the server room and
downtime. Which of the following should the company consider?

A. Clustering servers
B. Geographic dispersion
C. Load balancers
D. Off-site backups
Answer: B
Explanation:
Geographic dispersion is a strategy that involves distributing the servers or data centers across
different geographic locations. Geographic dispersion can help the company to mitigate the risk of
weather events causing damage to the server room and downtime, as well as improve the
availability, performance, and resilience of the network. Geographic dispersion can also enhance the
disaster recovery and business continuity capabilities of the company, as it can provide backup and
failover options in case of a regional outage or disruption

NO.23 After an audit, an administrator discovers all users have access to confidential data on a file
server. Which of the following should the administrator use to restrict access to the data quickly?
A. Group Policy
B. Content filtering
C. Data loss prevention
D. Access control lists

14
 IT Certification Guaranteed, The Easy Way!

Answer: D
Explanation:
Access control lists (ACLs) are rules that specify which users or groups can access which resources on
a file server. They can help restrict access to confidential data by granting or denying permissions
based on the identity or role of the user. In this case, the administrator can use ACLs to quickly
modify the access rights of the users and prevent them from accessing the data they are not
authorized to see. References:

NO.24 A company is working with a vendor to perform a penetration test Which of the following
includes an estimate about the number of hours required to complete the engagement?

A. SOW
B. BPA
C. SLA
D. NDA
Answer: A
Explanation:
A statement of work (SOW) is a document that defines the scope, objectives, deliverables, timeline,
and costs of a project or service. It typically includes an estimate of the number of hours required to
complete the engagement, as well as the roles and responsibilities of the parties involved. A SOW is
often used for penetration testing projects to ensure that both the client and the vendor have a clear
and mutual understanding of what is expected and how the work will be performed.

NO.25 A systems administrator receives the following alert from a file integrity monitoring tool:
The hash of the cmd.exe file has changed.
The systems administrator checks the OS logs and notices that no patches were applied in the last
two months.
Which of the following most likely occurred?
A. The end user changed the file permissions.
B. A cryptographic collision was detected.
C. A snapshot of the file system was taken.
D. A rootkit was deployed.
Answer: D
Explanation:
A rootkit is a type of malware that modifies or replaces system files or processes to hide its presence
and activity. A rootkit can change the hash of the cmd.exe file, which is a command-line interpreter
for Windows systems, to avoid detection by antivirus or file integrity monitoring tools. A rootkit can
also grant the attacker remote access and control over the infected system, as well as perform
malicious actions such as stealing data, installing backdoors, or launching attacks on other systems. A
rootkit is one of the most difficult types of malware to remove, as it can persist even after rebooting

15
 IT Certification Guaranteed, The Easy Way!

or reinstalling the OS.

NO.26 Which of the following has been implemented when a host-based firewall on a legacy Linux
system allows connections from only specific internal IP addresses?
A. Compensating control
B. Network segmentation
C. Transfer of risk
D. SNMP traps
Answer: A
Explanation:
A compensating control is a security measure that is implemented to mitigate the risk of a
vulnerability or a weakness that cannot be resolved by the primary control. A compensating control
does not prevent or eliminate the vulnerability or weakness, but it can reduce the likelihood or
impact of an attack. A host-based firewall on a legacy Linux system that allows connections from only
specific internal IP addresses is an example of a compensating control, as it can limit the exposure of
the system to potential threats from external or unauthorized sources. A host-based firewall is a
software application that monitors and filters the incoming and outgoing network traffic on a single
host, based on a set of rules or policies. A legacy Linux system is an older version of the Linux
operating system that may not be compatible with the latest security updates or patches, and may
have known vulnerabilities or weaknesses that could be exploited by attackers.

NO.27 Which of the following is required for an organization to properly manage its restore process
in the event of system failure?
A. IRP
B. DRP
C. RPO
D. SDLC
Answer: B
Explanation:
A disaster recovery plan (DRP) is a set of policies and procedures that aim to restore the normal
operations of an organization in the event of a system failure, natural disaster, or other emergency.

16
 IT Certification Guaranteed, The Easy Way!

NO.28 A security analyst receives alerts about an internal system sending a large amount of unusual
DNS queries to systems on the internet over short periods of time during non-business hours. Which
of the following is most likely occurring?

A. A worm is propagating across the network.
B. Data is being exfiltrated.
C. A logic bomb is deleting data.
D. Ransomware is encrypting files.
Answer: B
Explanation:
Data exfiltration is a technique that attackers use to steal sensitive data from a target system or
network by transmitting it through DNS queries and responses. This method is often used in advanced
persistent threat (APT) attacks, in which attackers seek to persistently evade detection in the target
environment. A large amount of unusual DNS queries to systems on the internet over short periods of
time during non-business hours is a strong indicator of data exfiltration.

NO.29 Which of the following security concepts is the best reason for permissions on a human
resources fileshare to follow the principle of least privilege?
A. Integrity
B. Availability
C. Confidentiality
D. Non-repudiation
Answer: C
Explanation:
Confidentiality is the security concept that ensures data is protected from unauthorized access or
disclosure.

17
 IT Certification Guaranteed, The Easy Way!

NO.30 A security analyst is investigating an application server and discovers that software on the
server is behaving abnormally. The software normally runs batch jobs locally and does not generate
traffic, but the process is now generating outbound traffic over random high ports. Which of the
following vulnerabilities has likely been exploited in this software?

A. Memory injection
B. Race condition
C. Side loading
D. SQL injection
Answer: A
Explanation:
Memory injection vulnerabilities allow unauthorized code or commands to be executed within a
software program, leading to abnormal behavior such as generating outbound traffic over random
high ports. This issue often arises from software not properly validating or encoding input, which can
be exploited by attackers to inject malicious code.

NO.31 Which of the following factors are the most important to address when formulating a training
curriculum plan for a security awareness program? (Select two).
A. Channels by which the organization communicates with customers
B. The reporting mechanisms for ethics violations
C. Threat vectors based on the industry in which the organization operates
D. Secure software development training for all personnel
E. Cadence and duration of training events
F. Retraining requirements for individuals who fail phishing simulations
Answer: C E
Explanation:
A training curriculum plan for a security awareness program should address the following factors:
* The threat vectors based on the industry in which the organization operates. This will help the
employees to understand the specific risks and challenges that their organization faces, and how to
protect themselves and the organization from cyberattacks. For example, a healthcare organization
may face different threat vectors than a financial organization, such as ransomware, data breaches,
or medical device hacking1.
* The cadence and duration of training events. This will help the employees to retain the information
and skills they learn, and to keep up with the changing security landscape. The training events should
be frequent enough to reinforce the key concepts and behaviors, but not too long or too short to lose
the attention or interest of the employees. For example, a security awareness program may include
monthly newsletters, quarterly webinars, annual workshops, or periodic quizzes2.

18
 IT Certification Guaranteed, The Easy Way!

NO.32 Which of the following is the most likely to be used to document risks, responsible parties,
and thresholds?
A. Risk tolerance
B. Risk transfer
C. Risk register
D. Risk analysis
Answer: C
Explanation:
A risk register is a document that records and tracks the risks associated with a project, system, or
organization. A risk register typically includes information such as the risk description, the risk owner,
the risk probability, the risk impact, the risk level, the risk response strategy, and the risk status. A risk
register can help identify, assess, prioritize, monitor, and control risks, as well as communicate them
to relevant stakeholders. A risk register can also help document the risk tolerance and thresholds of
an organization, which are the acceptable levels of risk exposure and the criteria for escalating or
mitigating risks.

NO.33 A cyber operations team informs a security analyst about a new tactic malicious actors are
using to compromise networks.
SIEM alerts have not yet been configured. Which of the following best describes what the security
analyst should do to identify this behavior?
A. [Digital forensics
B. E-discovery
C. Incident response
D. Threat hunting
Answer: D
Explanation:
Threat hunting is the process of proactively searching for signs of malicious activity or compromise in
a network, rather than waiting for alerts or indicators of compromise (IOCs) to appear. Threat
hunting can help identify new tactics, techniques, and procedures (TTPs) used by malicious actors, as
well as uncover hidden or stealthy threats that may have evaded detection by security tools. Threat
hunting requires a combination of skills, tools, and methodologies, such as hypothesis generation,
data collection and analysis, threat intelligence, and incident response..

19
 IT Certification Guaranteed, The Easy Way!

Answer:

21
 IT Certification Guaranteed, The Easy Way!

22
 IT Certification Guaranteed, The Easy Way!

NO.35 A newly appointed board member with cybersecurity knowledge wants the board of directors
to receive a quarterly report detailing the number of incidents that impacted the organization. The
systems administrator is creating a way to present the data to the board of directors. Which of the
following should the systems administrator use?
A. Packet captures
B. Vulnerability scans
C. Metadata
D. Dashboard
Answer: D
Explanation:
A dashboard is a graphical user interface that provides a visual representation of key performance
indicators, metrics, and trends related to security events and incidents. A dashboard can help the
board of directors to understand the number and impact of incidents that affected the organization
in a given period, as well as the status and effectiveness of the security controls and processes. A
dashboard can also allow the board of directors to drill down into specific details or filter the data by
various criteria

23
 IT Certification Guaranteed, The Easy Way!

NO.36 A systems administrator wants to prevent users from being able to access data based on their
responsibilities.
The administrator also wants to apply the required access structure via a simplified format. Which of
the following should the administrator apply to the site recovery resource group?

A. RBAC
B. ACL
C. SAML
D. GPO
Answer: A
Explanation:
RBAC stands for Role-Based Access Control, which is a method of restricting access to data and
resources based on the roles or responsibilities of users. Job / Task / Function

NO.37 Which of the following threat actors is the most likely to be hired by a foreign government to
attack critical systems located in other countries?
A. Hacktivist
B. Whistleblower
C. Organized crime
D. Unskilled attacker
Answer: C
Explanation:
Organized crime is a type of threat actor that is motivated by financial gain and often operates across
national borders. Organized crime groups may be hired by foreign governments to conduct
cyberattacks on critical systems located in other countries, such as power grids, military networks, or
financial institutions. Should be APTs

NO.38 Which of the following is a primary security concern for a company setting up a BYOD
program?
A. End of life
B. Buffer overflow

24
 IT Certification Guaranteed, The Easy Way!

C. VM escape
D. Jailbreaking
Answer: D
Explanation:
Jailbreaking is a primary security concern for a company setting up a BYOD (Bring Your Own Device)
program. Jailbreaking is the process of removing the manufacturer's or the carrier's restrictions on a
device, such as a smartphone or a tablet, to gain root access and install unauthorized or custom
software. Jailbreaking can compromise the security of the device and the data stored on it, as well as
expose it to malware, viruses, or hacking. Jailbreaking can also violate the warranty and the terms of
service of the device, and make it incompatible with the company's security policies and standards.
Therefore, a company setting up a BYOD program should prohibit jailbreaking and enforce device
compliance and encryption.

NO.39 A security analyst locates a potentially malicious video file on a server and needs to identify
both the creation date and the file's creator. Which of the following actions would most likely give
the security analyst the information required?
A. Obtain the file's SHA-256 hash.
B. Use hexdump on the file's contents.
C. Check endpoint logs.
D. Query the file's metadata.
Answer: D
Explanation:
Metadata is data that describes other data, such as its format, origin, creation date, author, and other
attributes.

NO.40 A security administrator would like to protect data on employees' laptops. Which of the
following encryption techniques should the security administrator use?
A. Partition

25
 IT Certification Guaranteed, The Easy Way!

B. Asymmetric
C. Full disk
D. Database
Answer: C
Explanation:
Full disk encryption (FDE) is a technique that encrypts all the data on a hard drive, including the
operating system, applications, and files. FDE protects the data from unauthorized access in case the
laptop is lost, stolen, or disposed of without proper sanitization.

NO.41 Which of the following must be considered when designing a high-availability network?
(Choose two).
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication
Answer: A E
Explanation:

26
 IT Certification Guaranteed, The Easy Way!

A. Ease of recovery: High-availability networks should be designed with redundancy and failover
mechanisms to minimize downtime in the event of failures. Ease of recovery refers to how quickly
and efficiently the network can be restored to normal operation following a failure.

E. Attack surface: High-availability networks should be designed to minimize the attack surface, which
is the sum of all possible points where an attacker can try to enter or extract data from a system. By
reducing the attack surface, the network becomes more resilient to potential security threats and less
susceptible to downtime caused by malicious activities.

NO.42 Which of the following can best protect against an employee inadvertently installing malware
on a company system?
A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list
Answer: D
Explanation:
An application allow list is a security technique that specifies which applications are authorized to run
on a system and blocks all other applications. An application allow list can best protect against an
employee inadvertently installing malware on a company system because it prevents the execution of
any unauthorized or malicious software, such as viruses, worms, trojans, ransomware, or spyware. An
application allow list can also reduce the attack surface and improve the performance of the system.

NO.43 A company is expanding its threat surface program and allowing individuals to security test
the company's internet-facing application. The company will compensate researchers based on the
vulnerabilities discovered.
Which of the following best describes the program the company is setting up?

27
 IT Certification Guaranteed, The Easy Way!

A. Open-source intelligence
B. Bug bounty
C. Red team
D. Penetration testing
Answer: B
Explanation:
A bug bounty is a program that rewards security researchers for finding and reporting vulnerabilities
in an application or system. Bug bounties are often used by companies to improve their security
posture and incentivize ethical hacking. A bug bounty program typically defines the scope, rules, and
compensation for the researchers.

NO.44 An employee receives a text message from an unknown number claiming to be the
company's Chief Executive Officer and asking the employee to purchase several gift cards. Which of
the following types of attacks does this describe?
A. Vishing
B. Smishing
C. Pretexting
D. Phishing
Answer: B
Explanation:
Smishing is a type of phishing attack that uses text messages or common messaging apps to trick
victims into clicking on malicious links or providing personal information.

NO.45 The marketing department set up its own project management software without telling the
appropriate departments. Which of the following describes this scenario?
A. Shadow IT
B. Insider threat
C. Data exfiltration
D. Service disruption
Answer: A
Explanation:
Shadow IT is the term used to describe the use of unauthorized or unapproved IT resources within an
organization. The marketing department set up its own project management software without telling
the appropriate departments, such as IT, security, or compliance. This could pose a risk to the
organization's security posture, data integrity, and regulatory compliance1.

28
 IT Certification Guaranteed, The Easy Way!

NO.46 A security analyst scans a company's public network and discovers a host is running a remote
desktop that can be used to access the production network. Which of the following changes should
the security analyst recommend?
A. Changing the remote desktop port to a non-standard number
B. Setting up a VPN and placing the jump server inside the firewall
C. Using a proxy for web connections from the remote desktop server
D. Connecting the remote server to the domain and increasing the password length
Answer: B
Explanation:
A VPN is a virtual private network that creates a secure tunnel between two or more devices over a
public network. A VPN can encrypt and authenticate the data, as well as hide the IP addresses and
locations of the devices. A jump server is a server that acts as an intermediary between a user and a
target server, such as a production server. A jump server can provide an additional layer of security
and access control, as well as logging and auditing capabilities.

NO.47 An administrator finds that all user workstations and servers are displaying a message that is
associated with files containing an extension of.ryk. Which of the following types of infections is
present on the systems?
A. Virus
B. Trojan
C. Spyware
D. Ransomware
Answer: D
Explanation:
Ransomware is a type of malware that encrypts the victim's files and demands a ransom for the
decryption key. The ransomware usually displays a message on the infected system with instructions
on how to pay the ransom and recover the files. The.ryk extension is associated with a ransomware
variant called Ryuk, which targets large organizations and demands high ransoms

NO.48 A security operations center determines that the malicious activity detected on a server is
normal. Which of the following activities describes the act of ignoring detected activity in the future?
A. Tuning
B. Aggregating
C. Quarantining
D. Archiving

29
 IT Certification Guaranteed, The Easy Way!

Answer: A
Explanation:
Tuning is the activity of adjusting the configuration or parameters of a security tool or system to
optimize its performance and reduce false positives or false negatives. Tuning can help to filter out
the normal or benign activity that is detected by the security tool or system, and focus on the
malicious or anomalous activity that requires further investigation or response. Tuning can also help
to improve the efficiency and effectiveness of the security operations center by reducing the
workload and alert fatigue of the analysts

NO.49 A security engineer is implementing FDE for all laptops in an organization. Which of the
following are the most important for the engineer to consider as part of the planning process? (Select
two).
A. Key escrow
B. TPM presence
C. Digital signatures
D. Data tokenization
E. Public key management
F. Certificate authority linking
Answer: E B
* B. TPM presence: Trusted Platform Module (TPM) is a hardware-based security feature that
provides a secure foundation for encryption keys. It ensures that encryption keys are stored securely
and are not accessible to unauthorized users, thereby enhancing the security of FDE
implementations.
* E. Public key management: Public key management is crucial for securely encrypting and decrypting
data in FDE systems. It involves managing the public keys used for encryption and ensuring that
authorized users have access to the appropriate keys to decrypt data when needed.

NO.50 During the onboarding process, an employee needs to create a password for an intranet
account. The password must include ten characters, numbers, and letters, and two special
characters. Once the password is created, the company will grant the employee access to other
company-owned websites based on the intranet profile.
Which of the following access management concepts is the company most likely using to safeguard

30
 IT Certification Guaranteed, The Easy Way!

intranet accounts and grant access to multiple sites based on a user's intranet account? (Select two).
A. Federation
B. Identity proofing
C. Password complexity
D. Default password changes
E. Password manager
F. Open authentication
Answer: A C
Explanation:
Federation is an access management concept that allows users to authenticate once and access
multiple resources or services across different domains or organizations. Federation relies on a
trusted third party that stores the user's credentials and provides them to the requested resources or
services without exposing them.
Password complexity is a security measure that requires users to create passwords that meet certain
criteria, such as length, character types, and uniqueness. Password complexity can help prevent
brute-force attacks, password guessing, and credential stuffing by making passwords harder to crack
or guess.

NO.51 Which of the following roles, according to the shared responsibility model, is responsible for
securing the company's database in an IaaS model for a cloud environment?
A. Client
B. Third-party vendor
C. Cloud provider
D. DBA
Answer: A
Explanation:
According to the shared responsibility model, the client and the cloud provider have different roles
and responsibilities for securing the cloud environment, depending on the service model. In an IaaS
(Infrastructure as a Service) model, the cloud provider is responsible for securing the physical
infrastructure, such as the servers, storage, and network devices, while the client is responsible for
securing the operating systems, applications, and data that run on the cloud infrastructure.
Therefore, the client is responsible for securing the company's database in an IaaS model for a cloud
environment, as the database is an application that stores data.

NO.52 Which of the following describes the process of concealing code or text inside a graphical
image?
A. Symmetric encryption
B. Hashing

31
 IT Certification Guaranteed, The Easy Way!

C. Data masking
D. Steganography
Answer: D
Explanation:
Steganography is the process of hiding information within another medium, such as an image, audio,
video, or text file. The hidden information is not visible or noticeable to the casual observer, and can
only be extracted by using a specific technique or key. Steganography can be used for various
purposes, such as concealing secret messages, watermarking, or evading detection by antivirus

NO.53 An organization recently updated its security policy to include the following statement:
Regular expressions are included in source code to remove special characters such as $, |, ;. &, `, and
? from variables set by forms in a web application.
Which of the following best explains the security technique the organization adopted by making this
addition to the policy?
A. Identify embedded keys
B. Code debugging
C. Input validation
D. Static code analysis
Answer: C
Explanation:
Input validation is a security technique that checks the user input for any malicious or unexpected
data before processing it by the application. Input validation can prevent various types of attacks, 's

32
 IT Certification Guaranteed, The Easy Way!

NO.54 A company's legal department drafted sensitive documents in a SaaS application and wants
to ensure the documents cannot be accessed by individuals in high-risk countries. Which of the
following is the most effective way to limit this access?

A. Data masking
B. Encryption
C. Geolocation policy
D. Data sovereignty regulation
Answer: C
Explanation:
A geolocation policy is a policy that restricts or allows access to data or resources based on the
geographic location of the user or device. A geolocation policy can be implemented using various
methods, such as IP address filtering, GPS tracking, or geofencing.

NO.55 A bank insists all of its vendors must prevent data loss on stolen laptops. Which of the
following strategies is the bank requiring?
A. Encryption at rest
B. Masking
C. Data classification
D. Permission restrictions
Answer: A
Explanation:
Encryption at rest is a strategy that protects data stored on a device, such as a laptop, by converting it
into an unreadable format that can only be accessed with a decryption key or password.

33
 IT Certification Guaranteed, The Easy Way!

NO.56 A security consultant needs secure, remote access to a client environment. Which of the
following should the security consultant most likely use to gain access?

A. EAP
B. DHCP
C. IPSec
D. NAT
Answer: C
Explanation:
IPSec is a protocol suite that provides secure communication over IP networks. IPSec can be used to
create virtual private networks (VPNs) that encrypt and authenticate the data exchanged between
two or more parties.
IPSec can also provide data integrity, confidentiality, replay protection, and access control.

NO.57 A technician needs to apply a high-priority patch to a production system. Which of the
following steps should be taken first?
A. Air gap the system.
B. Move the system to a different network segment.
C. Create a change control request.
D. Apply the patch to the system.
Answer: C
Explanation:
= A change control request is a document that describes the proposed change to a system, the
reason for the change, the expected impact, the approval process, the testing plan, the
implementation plan, the rollback plan, and the communication plan. A change control request is a
best practice for applying any patch to a production system, especially a high-priority one, as it
ensures that the change is authorized, documented, tested, and communicated.

34
 IT Certification Guaranteed, The Easy Way!

NO.58 An administrator assists the legal and compliance team with ensuring information about
customer transactions is archived for the proper time period. Which of the following data policies is
the administrator carrying out?
A. Compromise
B. Retention
C. Analysis
D. Transfer
E. Inventory
Answer: B
Explanation:
A data retention policy is a set of rules that defines how long data should be stored and when it
should be deleted or archived.

NO.59 A hacker gained access to a system via a phishing attempt that was a direct result of a user
clicking a suspicious link. The link laterally deployed ransomware, which laid dormant for multiple
weeks, across the network. Which of the following would have mitigated the spread?
A. IPS
B. IDS
C. WAF
D. UAT
Answer: A
Explanation:
IPS stands for intrusion prevention system, which is a network security device that monitors and
blocks malicious traffic in real time.. I

NO.60 A systems administrator is creating a script that would save time and prevent human error
when performing account creation for a large number of end users. Which of the following would be
a good use case for this task?
A. Off-the-shelf software
B. Orchestration
C. Baseline
D. Policy enforcement
Answer: B
Explanation:

35
 IT Certification Guaranteed, The Easy Way!

Orchestration is the process of automating multiple tasks across different systems and applications. It
can help save time and reduce human error by executing predefined workflows and scripts.

NO.61 Visitors to a secured facility are required to check in with a photo ID and enter the facility
through an access control vestibule Which of the following but describes this form of security
control?

A. Physical
B. Managerial
C. Technical
D. Operational
Answer: A
Explanation:
A physical security control is a device or mechanism that prevents unauthorized access to a physical
location or asset. An access control vestibule, also known as a mantrap, is a physical security control
that consists of a small space with two sets of interlocking doors, such that the first set of doors must
close before the second set opens.

NO.62 An administrator discovers that some files on a database server were recently encrypted. The
administrator sees from the security logs that the data was last accessed by a domain user. Which of
the following best describes the type of attack that occurred?
A. Insider threat
B. Social engineering
C. Watering-hole
D. Unauthorized attacker
Answer: A
Explanation:
An insider threat is a type of attack that originates from someone who has legitimate access to an
organization's network, systems, or data. In this case, the domain user who encrypted the files on the
database server is an example of an insider threat, as they abused their access privileges to cause
harm to the organization. Insider threats can be motivated by various factors, such as financial gain,
revenge, espionage, or sabotage.

NO.63 An organization disabled unneeded services and placed a firewall in front of a business-
critical legacy system.

36
 IT Certification Guaranteed, The Easy Way!

Which of the following best describes the actions taken by the organization?
A. Risk transfer
B. Exception
C. Compensating controls
D. Segmentation
Answer: C

NO.64 A technician wants to improve the situational and environmental awareness of existing users
as they transition from remote to in-office work. Which of the following is the best option?
A. Send out periodic security reminders.
B. Update the content of new hire documentation.
C. Modify the content of recurring training.
D Implement a phishing campaign
Answer: C
Explanation:
Recurring training is a type of security awareness training that is conducted periodically to refresh
and update the knowledge and skills of the users. Recurring training can help improve the situational
and environmental awareness of existing users as they transition from remote to in-office work, as it
can cover the latest threats, best practices, and policies that are relevant to their work environment.

NO.65 A company prevented direct access from the database administrators' workstations to the
network segment that contains database servers. Which of the following should a database
administrator use to access the database servers?
A. Jump server
B. RADIUS
C. HSM
D. Load balancer
Answer: A
Explanation:
A jump server is a device or virtual machine that acts as an intermediary between a user's
workstation and a remote network segment. A jump server can be used to securely access servers or
devices that are not directly reachable from the user's workstation, such as database servers. A jump
server can also provide audit logs and access control for the remote connections. A jump server is
also known as a jump box or a jump host

37
 IT Certification Guaranteed, The Easy Way!

NO.66 A healthcare organization wants to provide a web application that allows individuals to
digitally report health emergencies.
Which of the following is the most important consideration during development?
A. Scalability
B. Availability
C. Cost
D. Ease of deployment
Answer: B
Explanation:
Availability is the ability of a system or service to be accessible and usable when needed. For a web
application that allows individuals to digitally report health emergencies, availability is the most
important consideration during development, because any downtime or delay could have serious
consequences for the health and safety of the users. The web application should be designed to
handle high traffic, prevent denial-of-service attacks, and have backup and recovery plans in case of
failures

NO.67 Which of the following would be the best way to block unknown programs from executing?
A. Access control list
B. Application allow list.
C. Host-based firewall
D. DLP solution
Answer: B
Explanation:
An application allow list is a security technique that specifies which applications are permitted to run
on a system or a network. An application allow list can block unknown programs from executing by
only allowing the execution of programs that are explicitly authorized and verified. An application
allow list can prevent malware, unauthorized software, or unwanted applications from running and
compromising the security of the system or the network12.

38
 IT Certification Guaranteed, The Easy Way!

*

NO.68 A newly identified network access vulnerability has been found in the OS of legacy loT
devices. Which of the following would best mitigate this vulnerability quickly?

A. Insurance
B. Patching
C. Segmentation
D. Replacement
Answer: C
Explanation:
Segmentation is a technique that divides a network into smaller subnetworks or segments, each with
its own security policies and controls. Segmentation can help mitigate network access vulnerabilities
in legacy loT devices by isolating them from other devices and systems, reducing their attack surface
and limiting the potential impact of a breach.

NO.69 Which of the following describes the maximum allowance of accepted risk?

A. Risk indicator
B. Risk level
C. Risk score
D. Risk threshold
Answer: D
Explanation:
Risk threshold is the maximum amount of risk that an organization is willing to accept for a given

39
 IT Certification Guaranteed, The Easy Way!

NO.70 An analyst is evaluating the implementation of Zero Trust principles within the data plane.
Which of the following would be most relevant for the analyst to evaluate?

A. Secured zones
B. Subject role
C. Adaptive identity
D. Threat scope reduction
Answer: A
Explanation:
Secured zones are a key component of the Zero Trust data plane, which is the layer where data is
stored, processed, and transmitted. Secured zones are logical or physical segments of the network
that isolate data and resources based on their sensitivity and risk. Secured zones enforce granular
policies and controls to prevent unauthorized access and lateral movement within the network.

NO.71 A security analyst reviews domain activity logs and notices the following:

Which of the following is the best explanation for what the security analyst has discovered?
A. The user jsmith's account has been locked out.
B. A keylogger is installed on [smith's workstation
C. An attacker is attempting to brute force ismith's account.
D. Ransomware has been deployed in the domain.
Answer: C
Explanation:
Brute force is a type of attack that tries to guess the password or other credentials of a user account
by using a large number of possible combinations. An attacker can use automated tools or scripts to
perform a brute force attack and gain unauthorized access to the account.

40
 IT Certification Guaranteed, The Easy Way!

NO.72 Which of the following automation use cases would best enhance the security posture of an
organization by rapidly updating permissions when employees leave a company?
A. Provisioning resources
B. Disabling access
C. Reviewing change approvals
D. Escalating permission requests
Answer: B
Explanation:
Disabling access is an automation use case that would best enhance the security posture of an
organization by rapidly updating permissions when employees leave a company. Disabling access is
the process of revoking or suspending the access rights of a user account, such as login credentials,
email, VPN, cloud services, etc.
Disabling access can prevent unauthorized or malicious use of the account by former employees or
attackers who may have compromised the account.

NO.73 A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the
increase of ransomware-as-a-service in a report to the management team. Which of the following
best describes the threat actor in the CISO's report?
A. Insider threat
B. Hacktivist
C. Nation-state
D. Organized crime
Answer: D
Explanation:
Ransomware-as-a-service is a type of cybercrime where hackers sell or rent ransomware tools or
services to other criminals who use them to launch attacks and extort money from victims. This is a
typical example of organized crime, which is a group of criminals who work together to conduct
illegal activities for profit. O

NO.74 Which of the following vulnerabilities is exploited when an attacker overwrites a register with
a malicious address?
A. VM escape
B. SQL injection
C. Buffer overflow

41
 IT Certification Guaranteed, The Easy Way!

D. Race condition
Answer: C
Explanation:
A buffer overflow is a vulnerability that occurs when an application writes more data to a memory
buffer than it can hold, causing the excess data to overwrite adjacent memory locations. A register is
a small storage area in the CPU that holds temporary data or instructions. An attacker can exploit a
buffer overflow to overwrite a register with a malicious address that points to a shellcode, which is a
piece of code that gives the attacker control over the system.

NO.75 A company's end users are reporting that they are unable to reach external websites. After
reviewing the performance data for the DNS severs, the analyst discovers that the CPU, disk, and
memory usage are minimal, but the network interface is flooded with inbound traffic. Network logs
show only a small number of DNS queries sent to this server. Which of the following best describes
what the security analyst is seeing?
A. Concurrent session usage
B. Secure DNS cryptographic downgrade
C. On-path resource consumption
D. Reflected denial of service
Answer: D
Explanation:
A reflected denial of service (RDoS) attack is a type of DDoS attack that uses spoofed source IP
addresses to send requests to a third-party server, which then sends responses to the victim server.
The attacker exploits the difference in size between the request and the response, which can amplify
the amount of traffic sent to the victim server. The attacker also hides their identity by using the
victim's IP address as the source. A RDoS attack can target DNS servers by sending forged DNS queries
that generate large DNS responses. This can flood the network interface of the DNS server and
prevent it from serving legitimate requests from end users.

NO.76 A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic
coming from an employee's corporate laptop. The security analyst has determined that additional
data about the executable running on the machine is necessary to continue the investigation. Which
of the following logs should the analyst use as a data source?
A. Application
B. IPS/IDS
C. Network
D. Endpoint
Answer: D
Explanation:
An endpoint log is a file that contains information about the activities and events that occur on an
end-user device, such as a laptop, desktop, tablet, or smartphone. Endpoint logs can provide valuable

42
 IT Certification Guaranteed, The Easy Way!

data for security analysts, such as the processes running on the device, the network connections
established, the files accessed or modified, the user actions performed, and the applications installed
or updated. Endpoint logs can also record the details of any executable files running on the device,
such as the name, path, size, hash, signature, and permissions of the executable.

NO.77 Users at a company are reporting they are unable to access the URL for a new retail website
because it is flagged as gambling and is being blocked.
Which of the following changes would allow users to access the site?

A. Creating a firewall rule to allow HTTPS traffic
B. Configuring the IPS to allow shopping
C. Tuning the DLP rule that detects credit card data
D. Updating the categorization in the content filter
Answer: D
Explanation:
A content filter is a device or software that blocks or allows access to web content based on
predefined rules or categories. In this case, the new retail website is mistakenly categorized as
gambling by the content filter, which prevents users from accessing it. To resolve this issue, the
content filter's categorization needs to be updated to reflect the correct category of the website,
such as shopping or retail. This will allow the content filter to allow access to the website instead of
blocking it.

NO.78 A company's web filter is configured to scan the URL for strings and deny access when

43
 IT Certification Guaranteed, The Easy Way!

matches are found.
Which of the following search strings should an analyst employ to prohibit access to non-encrypted
websites?
A. encryption=off\
B. http://
C. www.*.com
D. :443
Answer: B
Explanation:
A web filter is a device or software that can monitor, block, or allow web traffic based on predefined
rules or policies. One of the common methods of web filtering is to scan the URL for strings and deny
access when matches are found. The port is an optional number that identifies the specific service or
application running on the web server, such as 80 for HTTP or 443 for HTTPS.

44
 IT Certification Guaranteed, The Easy Way!

NO.79 An organization wants a third-party vendor to do a penetration test that targets a specific
device. The organization has provided basic information about the device. Which of the following
best describes this kind of penetration test?
A. Partially known environment
B. Unknown environment
C. Integrated
D. Known environment
Answer: A
Explanation:
A partially known environment is a type of penetration test where the tester has some information
about the target, such as the IP address, the operating system, or the device type. This can help the
tester focus on specific vulnerabilities and reduce the scope of the test.

NO.80 An organization is leveraging a VPN between its headquarters and a branch location. Which
of the following is the VPN protecting?
A. Data in use
B. Data in transit
C. Geographic restrictions
D. Data sovereignty
Answer: B
Explanation:
Data in transit is data that is moving from one location to another, such as over a network or through
the air.

NO.81 A U.S.-based cloud-hosting provider wants to expand its data centers to new international
locations. Which of the following should the hosting provider consider first?
A. Local data protection regulations
B. Risks from hackers residing in other countries
C. Impacts to existing contractual obligations
D. Time zone differences in log correlation
Answer: A
Explanation:
Local data protection regulations are the first thing that a cloud-hosting provider should consider
before expanding its data centers to new international locations. Data protection regulations are laws
or standards that govern how personal or sensitive data is collected, stored, processed, and
transferred across borders.

45
 IT Certification Guaranteed, The Easy Way!

NO.82 A company purchased cyber insurance to address items listed on the risk register. Which of
the following strategies does this represent?

A. Accept
B. Transfer
C. Mitigate
D. Avoid
Answer: B
Explanation:
Cyber insurance is a type of insurance that covers the financial losses and liabilities that result from
cyberattacks,

NO.83 Which of the following exercises should an organization use to improve its incident response
process?
A. Tabletop
B. Replication

46
 IT Certification Guaranteed, The Easy Way!

C. Failover
D. Recovery
Answer: A
Explanation:
A tabletop exercise is a simulated scenario that tests the organization's incident response plan and
procedures.
It involves key stakeholders and decision-makers who discuss their roles and actions in response to a
hypothetical incident. It can help identify gaps, weaknesses, and improvement areas in the incident
response process.

NO.84 Which of the following agreement types defines the time frame in which a vendor needs to
respond?
A. SOW
B. SLA
C. MOA
D. MOU
Answer: B
Explanation:
A service level agreement (SLA) is a type of agreement that defines the expectations and
responsibilities between a service provider and a customer. It usually includes the quality, availability,
and performance metrics of the service, as well as the time frame in which the provider needs to
respond to service requests, incidents, or complaints.

NO.85 Which of the following security control types does an acceptable use policy best represent?
A. Detective
B. Compensating
C. Corrective
D. Preventive
Answer: D
Explanation:
An acceptable use policy (AUP) is a set of rules that govern how users can access and use a corporate
network or the internet. The AUP helps companies minimize their exposure to cyber security threats
and limit other risks. The AUP also serves as a notice to users about what they are not allowed to do
and protects the company against misuse of their network. Users usually have to acknowledge that
they understand and agree to the rules before accessing the network

47
 IT Certification Guaranteed, The Easy Way!

NO.86 A security team is reviewing the findings in a report that was delivered after a third party
performed a penetration test. One of the findings indicated that a web application form field is
vulnerable to cross-site scripting. Which of the following application security techniques should the
security analyst recommend the developer implement to prevent this vulnerability?
A. Secure cookies
B. Version control
C. Input validation
D. Code signing
Answer: C
Explanation:
Input validation is a technique that checks the user input for any malicious or unexpected data before
processing it by the web application. Input validation can prevent cross-site scripting (XSS) attacks,
which exploit the vulnerability of a web application to execute malicious scripts in the browser of a
victim.

48
 IT Certification Guaranteed, The Easy Way!

NO.87 In order to strengthen a password and prevent a hacker from cracking it, a random string of
36 characters was added to the password. Which of the following best describes this technique?

A. Key stretching
B. Tokenization
C. Data masking
D. Salting
Answer: D
Explanation:
Adding a random string of characters, known as a "salt," to a password before hashing it is known as
salting.
This technique strengthens passwords by ensuring that even if two users have the same password,
their hashes will be different due to the unique salt, making it much harder for attackers to crack
passwords using rainbow tables.References:

NO.88 Which of the following is the most likely outcome if a large bank fails an internal PCI DSS
compliance assessment?
A. Fines
B. Audit findings
C. Sanctions
D. Reputation damage
Answer: A
Explanation:
PCI DSS is the Payment Card Industry Data Security Standard, which is a set of security requirements
for organizations that store, process, or transmit cardholder data. PCI DSS aims to protect the
confidentiality, integrity, and availability of cardholder data and prevent fraud, identity theft, and
data breaches. PCI DSS is enforced by the payment card brands, s
If a large bank fails an internal PCI DSS compliance assessment, the most likely outcome is that the
bank will face fines from the payment card brands.

49
 IT Certification Guaranteed, The Easy Way!

NO.89 A company is planning a disaster recovery site and needs to ensure that a single natural
disaster would not result in the complete loss of regulated backup data. Which of the following
should the company consider?

A. Geographic dispersion
B. Platform diversity
C. Hot site

50
 IT Certification Guaranteed, The Easy Way!

D. Load balancing
Answer: A
Explanation:
Geographic dispersion is the practice of having backup data stored in different locations that are far
enough apart to minimize the risk of a single natural disaster affecting both sites. This ensures that
the company can recover its regulated data in case of a disaster at the primary site.

NO.90 Which of the following enables the use of an input field to run commands that can view or
manipulate data?

A. Cross-site scripting
B. Side loading
C. Buffer overflow
D. SQL injection
Answer: D
Explanation:
= SQL injection is a type of attack that enables the use of an input field to run commands that can
view or manipulate data in a database. SQL stands for Structured Query Language

NO.91 Which of the following describes a security alerting and monitoring tool that collects system,
application, and network logs from multiple sources in a centralized system?
A. SIEM
B. DLP
C. IDS
D. SNMP
Answer: A
Explanation:
SIEM stands for Security Information and Event Management. It is a security alerting and monitoring
tool that collects system, application, and network logs from multiple sources in a centralized system.
SIEM can analyze the collected data, correlate events, generate alerts, and provide reports and
dashboards.

51
 IT Certification Guaranteed, The Easy Way!

NO.92 Which of the following risk management strategies should an enterprise adopt first if a legacy
application is critical to business operations and there are preventative controls that are not yet
implemented?

A. Mitigate
B. Accept
C. Transfer
D. Avoid
Answer: A
Explanation:
Mitigate is the risk management strategy that involves reducing the likelihood or impact of a risk. If a
legacy application is critical to business operations and there are preventative controls that are not
yet implemented, the enterprise should adopt the mitigate strategy first to address the existing
vulnerabilities and gaps in the application.

NO.93 Which of the following would be best suited for constantly changing environments?
A. RTOS
B. Containers
C. Embedded systems
D. SCADA
Answer: B
Explanation:
Containers are a method of virtualization that allows applications to run in isolated environments
with their own dependencies, libraries, and configurations. Containers are best suited for constantly
changing environments because they are lightweight, portable, scalable, and easy to deploy and
update. Containers can also support microservices architectures, which enable faster and more
frequent delivery of software features.

NO.94 Which of the following would help ensure a security analyst is able to accurately measure the
overall risk to an organization when a new vulnerability is disclosed?
A. A full inventory of all hardware and software
B. Documentation of system classifications
C. A list of system owners and their departments

52
 IT Certification Guaranteed, The Easy Way!

D. Third-party risk assessment documentation
Answer: A
Explanation:
A full inventory of all hardware and software is essential for measuring the overall risk to an
organization when a new vulnerability is disclosed, because it allows the security analyst to identify
which systems are affected by the vulnerability and prioritize the remediation efforts. Without a full
inventory, the security analyst may miss some vulnerable systems or waste time and resources on
irrelevant ones.

NO.95 A software development manager wants to ensure the authenticity of the code created by
the company. Which of the following options is the most appropriate?

A. Testing input validation on the user input fields
B. Performing code signing on company-developed software
C. Performing static code analysis on the software
D. Ensuring secure cookies are use
Answer: B
Explanation:
Code signing is a technique that uses cryptography to verify the authenticity and integrity of the code
created by the company. Code signing involves applying a digital signature to the code using a private
key that only the company possesses. The digital signature can be verified by anyone who has the
corresponding public key, which can be distributed through a trusted certificate authority.

NO.96 The local administrator account for a company's VPN appliance was unexpectedly used to log
in to the remote management interface. Which of the following would have most likely prevented
this from happening'?
A. Using least privilege
B. Changing the default password
C. Assigning individual user IDs
D. Reviewing logs more frequently
Answer: B
Explanation:
Changing the default password for the local administrator account on a VPN appliance is a basic
security measure that would have most likely prevented the unexpected login to the remote
management interface.
Default passwords are often easy to guess or publicly available, and attackers can use them to gain
unauthorized access to devices and systems.

53
 IT Certification Guaranteed, The Easy Way!

NO.97 A company is planning to set up a SIEM system and assign an analyst to review the logs on a
weekly basis.
Which of the following types of controls is the company setting up?

A. Corrective
B. Preventive
C. Detective
D. Deterrent
Answer: C
Explanation:
A detective control is a type of control that monitors and analyzes the events and activities in a
system or a network, and alerts or reports when an incident or a violation occurs. A SIEM (Security
Information and Event Management) system is a tool that collects, correlates, and analyzes the logs
from various sources, such as firewalls, routers, servers, or applications, and provides a centralized
view of the security status and incidents.

NO.98 A systems administrator is looking for a low-cost application-hosting solution that is cloud-
based. Which of the following meets these requirements?
A. Serverless framework
B. Type 1 hvpervisor
C. SD-WAN
D. SDN
Answer: A
Explanation:
A serverless framework is a cloud-based application-hosting solution that meets the requirements of
low-cost and cloud-based. A serverless framework is a type of cloud computing service that allows
developers to run applications without managing or provisioning any servers. The cloud provider
handles the server-side infrastructure, such as scaling, load balancing, security, and maintenance, and
charges the developer only for the resources consumed by the application. A serverless framework
enables developers to focus on the application logic and functionality, and reduces the operational
costs and complexity of hosting applications.

54
 IT Certification Guaranteed, The Easy Way!

NO.99 An attacker posing as the Chief Executive Officer calls an employee and instructs the
employee to buy gift cards. Which of the following techniques is the attacker using?

A. Smishing
B. Disinformation
C. Impersonating
D. Whaling
Answer: C
Explanation:
Whaling is a type of phishing attack that targets high-profile individuals, such as executives,
celebrities, or politicians. The attacker impersonates someone with authority or influence and tries to
trick the victim into performing an action, such as transferring money, revealing sensitive
information, or clicking on a malicious link.

NO.100 A security administrator needs a method to secure data in an environment that includes
some form of checks so that the administrator can track any changes. Which of the following should
the administrator set up to achieve this goal?
A. SPF
B. GPO
C. NAC

55
 IT Certification Guaranteed, The Easy Way!

D. FIM
Answer: D
Explanation:
FIM stands for File Integrity Monitoring, which is a method to secure data by detecting any changes
or modifications to files, directories, or registry keys. FIM can help a security administrator track any
unauthorized or malicious changes to the data, as well as verify the integrity and compliance of the
data. FIM can also alert the administrator of any potential breaches or incidents involving the data.
Some of the benefits of FIM are:

NO.101 A security manager created new documentation to use in response to various types of
security incidents.
Which of the following is the next step the manager should take?
A. Set the maximum data retention policy.
B. Securely store the documents on an air-gapped network.
C. Review the documents' data classification policy.
D. Conduct a tabletop exercise with the team.
Answer: D
Explanation:
A tabletop exercise is a simulated scenario that tests the effectiveness of a security incident response
plan.

NO.102 While troubleshooting a firewall configuration, a technician determines that a "deny any"
policy should be added to the bottom of the ACL. The technician updates the policy, but the new
policy causes several company servers to become unreachable.
Which of the following actions would prevent this issue?
A. Documenting the new policy in a change request and submitting the request to change

56
 IT Certification Guaranteed, The Easy Way!

management
B. Testing the policy in a non-production environment before enabling the policy in the production
network
C. Disabling any intrusion prevention signatures on the 'deny any* policy prior to enabling the new
policy
D. Including an 'allow any1 policy above the 'deny any* policy
Answer: B
Explanation:
A firewall policy is a set of rules that defines what traffic is allowed or denied on a network. A firewall
policy should be carefully designed and tested before being implemented, as a misconfigured policy
can cause network disruptions or security breaches.

NO.103 Which of the following incident response activities ensures evidence is properly handied?
A. E-discovery
B. Chain of custody
C. Legal hold
D. Preservation
Answer: B
Explanation:

57
 IT Certification Guaranteed, The Easy Way!

Chain of custody is the process of documenting and preserving the integrity of evidence collected
during an incident response. It involves recording the details of each person who handled the
evidence, the time and date of each transfer, and the location where the evidence was stored. Chain
of custody ensures that the evidence is admissible in legal proceedings and can be traced back to its
source.

NO.104 Security controls in a data center are being reviewed to ensure data is properly protected
and that human life considerations are included. Which of the following best describes how the
controls should be set up?

A. Remote access points should fail closed.
B. Logging controls should fail open.
C. Safety controls should fail open.
D. Logical security controls should fail closed.
Answer: C
Explanation:
Safety controls are security controls that are designed to protect human life and physical assets from
harm or damage.

NO.105 After reviewing the following vulnerability scanning report:
Server:192.168.14.6

58
 IT Certification Guaranteed, The Easy Way!

Service: Telnet
Port: 23 Protocol: TCP
Status: Open Severity: High
Vulnerability: Use of an insecure network protocol
A security analyst performs the following test:
nmap -p 23 192.168.14.6 -script telnet-encryption
PORT STATE SERVICE REASON
23/tcp open telnet syn-ack
I telnet encryption:
| _ Telnet server supports encryption
Which of the following would the security analyst conclude for this reported vulnerability?
A. It is a false positive.
B. A rescan is required.
C. It is considered noise.
D. Compensating controls exist.
Answer: A
Explanation:
A false positive is a result that indicates a vulnerability or a problem when there is none. In this case,
the vulnerability scanning report shows that the telnet service on port 23 is open and uses an
insecure network protocol. However, the security analyst performs a test using nmap and a script
that checks for telnet encryption support. The result shows that the telnet server supports
encryption, which means that the data transmitted between the client and the server can be
protected from eavesdropping. Therefore, the reported vulnerability is a false positive and does not
reflect the actual security posture of the server.

NO.106 Which of the following scenarios describes a possible business email compromise attack?
A. An employee receives a gift card request in an email that has an executive's name in the display
field of the email.
B. Employees who open an email attachment receive messages demanding payment in order to
access files.
C. A service desk employee receives an email from the HR director asking for log-in credentials to a
cloud administrator account.
D. An employee receives an email with a link to a phishing site that is designed to look like the
company's email portal.
Answer: A
Explanation:
A business email compromise (BEC) attack is a type of phishing attack that targets employees who
have access to company funds or sensitive information. The attacker impersonates a trusted person,
such as an executive, a vendor, or a client, and requests a fraudulent payment, a wire transfer, or
confidential data. The attacker often uses social engineering techniques, such as urgency, pressure,
or familiarity, to convince the victim to comply with the request12.
In this scenario, option A describes a possible BEC attack, where an employee receives a gift card
request in an email that has an executive's name in the display field of the email. The email may look

59
 IT Certification Guaranteed, The Easy Way!

like it is coming from the executive, but the actual email address may be spoofed or compromised.
The attacker may claim that the gift cards are needed for a business purpose, such as rewarding
employees or clients, and ask the employee to purchase them and send the codes. This is a common
tactic used by BEC attackers to steal money from unsuspecting victims

NO.107 A company is developing a business continuity strategy and needs to determine how many
staff members would be required to sustain the business in the case of a disruption. Which of the
following best describes this step?

A. Capacity planning
B. Redundancy
C. Geographic dispersion
D. Tablet exercise
Answer: A
Explanation:
Capacity planning is the process of determining the resources needed to meet the current and future
demands of an organization. Capacity planning can help a company develop a business continuity
strategy by estimating how many staff members would be required to sustain the business in the
case of a disruption,

NO.108 Several employees received a fraudulent text message from someone claiming to be the
Chief Executive Officer (CEO). The message stated:
"I'm in an airport right now with no access to email. I need you to buy gift cards for employee
recognition awards. Please send the gift cards to following email address." Which of the following are
the best responses to this situation? (Choose two).
A. Cancel current employee recognition gift cards.
B. Add a smishing exercise to the annual company training.
C. Issue a general email warning to the company.
D. Have the CEO change phone numbers.
E. Conduct a forensic investigation on the CEO's phone.
F. Implement mobile device management.
Answer: B C
Explanation:

60
 IT Certification Guaranteed, The Easy Way!

This situation is an example of smishing, which is a type of phishing that uses text messages (SMS) to
entice individuals into providing personal or sensitive information to cybercriminals. The best
responses to this situation are to add a smishing exercise to the annual company training and to issue
a general email warning to the company. A smishing exercise can help raise awareness and educate
employees on how to recognize and avoid smishing attacks. An email warning can alert employees to
the fraudulent text message and remind them to verify the identity and legitimacy of any requests for
information or money.

NO.109 A security analyst is reviewing the following logs:

Which of the following attacks is most likely occurring?
A. Password spraying
B. Account forgery
C. Pass-t he-hash
D. Brute-force
Answer: A
Explanation:
Password spraying is a type of brute force attack that tries common passwords across several
accounts to find a match.

61
 IT Certification Guaranteed, The Easy Way!

NO.110 Which of the following threat actors is the most likely to use large financial resources to
attack critic