SY0-701 V14.35.pdf
Document Details
Uploaded by SensibleCyclops
CompTIA
Tags
Full Transcript
IT Certification Guaranteed, The Easy Way! Exam : SY0-701 Title : CompTIA Security+ Certification Exam Vendor : CompTIA Version : V14.35 1 IT C...
IT Certification Guaranteed, The Easy Way! Exam : SY0-701 Title : CompTIA Security+ Certification Exam Vendor : CompTIA Version : V14.35 1 IT Certification Guaranteed, The Easy Way! NO.1 Which of the following must be considered when designing a high-availability network? (Select two). A. Ease of recovery B. Ability to patch C. Physical isolation D. Responsiveness E. Attack surface F. Extensible authentication Answer: A E Explanation: A high-availability network is a network that is designed to minimize downtime and ensure continuous operation of critical services and applications. To achieve this goal, a high-availability network must consider two important factors: ease of recovery and attack surface. Ease of recovery refers to the ability of a network to quickly restore normal functionality after a failure, disruption, or disaster. A high-availability network should have mechanisms such as redundancy, failover, backup, and restore to ensure that any single point of failure does not cause a complete network outage. A high-availability network should also have procedures and policies for incident response, disaster recovery, and business continuity to minimize the impact of any network issue on the organization's operations and reputation. Attack surface refers to the exposure of a network to potential threats and vulnerabilities. A high- availability network should have measures such as encryption, authentication, authorization, firewall, intrusion detection and prevention, and patch management to protect the network from unauthorized access, data breaches, malware, denial-of-service attacks, and other cyberattacks. A high-availability network should also have processes and tools for risk assessment, threat intelligence, vulnerability scanning, and penetration testing to identify and mitigate any weaknesses or gaps in the network security. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4: Architecture and Design, pages 164-1651. CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 4: Architecture and Design, pages 164-1652. NO.2 A company needs to provide administrative access to internal resources while minimizing the traffic allowed through the security boundary. Which of the following methods is most secure? A. Implementing a bastion host B. Deploying a perimeter network C. Installing a WAF D. Utilizing single sign-on Answer: A Explanation: A bastion host is a special-purpose server that is designed to withstand attacks and provide secure access to internal resources. A bastion host is usually placed on the edge of a network, acting as a gateway or proxy to the internal network. A bastion host can be configured to allow only certain types of traffic, such as SSH or HTTP, and block all other traffic. A bastion host can also run security software such as firewalls, intrusion detection systems, and antivirus programs to monitor and filter incoming and outgoing traffic. A bastion host can provide administrative access to internal resources by requiring strong authentication and encryption, and by logging all activities for auditing 2 IT Certification Guaranteed, The Easy Way! purposes12. A bastion host is the most secure method among the given options because it minimizes the traffic allowed through the security boundary and provides a single point of control and defense. A bastion host can also isolate the internal network from direct exposure to the internet or other untrusted networks, reducing the attack surface and the risk of compromise3. NO.3 A company is discarding a classified storage array and hires an outside vendor to complete the disposal. Which of the following should the company request from the vendor? A. Certification B. Inventory list C. Classification D. Proof of ownership Answer: A Explanation: The company should request a certification from the vendor that confirms the storage array has been disposed of securely and in compliance with the company's policies and standards. A certification provides evidence that the vendor has followed the proper procedures and methods to destroy the classified data and prevent unauthorized access or recovery. A certification may also include details such as the date, time, location, and method of disposal, as well as the names and signatures of the personnel involved. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3, page 1441 3 IT Certification Guaranteed, The Easy Way! NO.4 A systems administrator works for a local hospital and needs to ensure patient data is protected and secure. Which of the following data classifications should be used to secure patient data? A. Private B. Critical C. Sensitive D. Public Answer: C Explanation: Patient data in a hospital setting typically falls under the category of sensitive data. Sensitive data classifications are used to indicate information that requires a higher level of protection due to its confidentiality, integrity, and/or availability concerns. Patient data, including medical records, diagnoses, treatments, and personal information, is considered sensitive and should be treated as such to ensure compliance with privacy regulations like HIPAA (Health Insurance Portability and Accountability Act) in the United States or similar regulations in other countries. NO.5 Which of the following is used to protect a computer from viruses, malware, and Trojans being installed and moving laterally across the network? A. IDS B. ACL C. EDR D. NAC Answer: C Explanation: Endpoint detection and response (EDR) is a technology that monitors and analyzes the activity and behavior of endpoints, such as computers, laptops, mobile devices, and servers. EDR can help to detect and prevent malicious software, such as viruses, malware, and Trojans, from infecting the 4 IT Certification Guaranteed, The Easy Way! endpoints and spreading across the network. EDR can also provide visibility and response capabilities to contain and remediate threats. EDR is different from IDS, which is a network-based technology that monitors and alerts on network traffic anomalies. EDR is also different from ACL, which is a list of rules that control the access to network resources. EDR is also different from NAC, which is a technology that enforces policies on the network access of devices based on their identity and compliance status. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 2561 NO.6 During a security incident, the security operations team identified sustained network traffic from a malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization's network. Which of the following fulfills this request? A. access-list inbound deny ig source 0.0.0.0/0 destination 10.1.4.9/32 B. access-list inbound deny ig source 10.1.4.9/32 destination 0.0.0.0/0 C. access-list inbound permit ig source 10.1.4.9/32 destination 0.0.0.0/0 D. access-list inbound permit ig source 0.0.0.0/0 destination 10.1.4.9/32 Answer: B Explanation: --"access-list inbound" indicates that this rule is being applied to an inbound access list. --"deny" specifies that the traffic matching this rule should be denied. --"ig" (which might represent an interface group or interface) is not explicitly defined in the question but is likely referring to the interface where the inbound traffic is being filtered. --"source 10.1.4.9/32" specifies the source IP address that the rule applies to. The /32 subnet mask indicates a single IP address. --"destination 0.0.0.0/0" indicates that the rule applies to traffic destined for any IP address. NO.7 During an investigation, an incident response team attempts to understand the source of an incident. Which of the following incident response activities describes this process? A. Analysis B. Lessons learned C. Detection 5 IT Certification Guaranteed, The Easy Way! D. Containment Answer: A Explanation: Analysis is the incident response activity that describes the process of understanding the source of an incident. Analysis involves collecting and examining evidence, identifying the root cause, determining the scope and impact, and assessing the threat actor's motives and capabilities. Analysis helps the incident response team to formulate an appropriate response strategy, as well as to prevent or mitigate future incidents. Analysis is usually performed after detection and before containment, eradication, recovery, and lessons learned. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 6, page 223. CompTIA Security+ SY0-701 Exam Objectives, Domain 4.2, page 13. NO.8 A network manager wants to protect the company's VPN by implementing multifactor authentication that uses:. Something you know. Something you have. Something you are Which of the following would accomplish the manager's goal? A. Domain name, PKI, GeolP lookup B. VPN IP address, company ID, facial structure C. Password, authentication token, thumbprint D. Company URL, TLS certificate, home address Answer: C Explanation: The correct answer is C. Password, authentication token, thumbprint. This combination of authentication factors satisfies the manager's goal of implementing multifactor authentication that uses something you know, something you have, and something you are. * Something you know is a type of authentication factor that relies on the user's knowledge of a secret or personal information, such as a password, a PIN, or a security question. A password is a common example of something you know that can be used to access a VPN12 * Something you have is a type of authentication factor that relies on the user's possession of a physical object or device, such as a smart card, a token, or a smartphone. An authentication token is a common example of something you have that can be used to generate a one-time password (OTP) or a code that can be used to access a VPN12 * Something you are is a type of authentication factor that relies on the user's biometric characteristics, such as a fingerprint, a face, or an iris. A thumbprint is a common example of something you are that can be used to scan and verify the user's identity to access a VPN12 References: NO.9 Which of the following is the best way to consistently determine on a daily basis whether security settings on servers have been modified? 6 IT Certification Guaranteed, The Easy Way! A. Automation B. Compliance checklist C. Attestation D. Manual audit Answer: A Explanation: Automation is the best way to consistently determine on a daily basis whether security settings on servers have been modified. Automation is the process of using software, hardware, or other tools to perform tasks that would otherwise require human intervention or manual effort. Automation can help to improve the efficiency, accuracy, and consistency of security operations, as well as reduce human errors and costs. Automation can be used to monitor, audit, and enforce security settings on servers, such as firewall rules, encryption keys, access controls, patch levels, and configuration files. Automation can also alert security personnel of any changes or anomalies that may indicate a security breach or compromise12. The other options are not the best ways to consistently determine on a daily basis whether security settings on servers have been modified: * Compliance checklist: This is a document that lists the security requirements, standards, or best practices that an organization must follow or adhere to. A compliance checklist can help to ensure that the security settings on servers are aligned with the organizational policies and regulations, but it does not automatically detect or report any changes or modifications that may occur on a daily basis3. * Attestation: This is a process of verifying or confirming the validity or accuracy of a statement, claim, or fact. Attestation can be used to provide assurance or evidence that the security settings on servers are correct and authorized, but it does not continuously monitor or audit any changes or modifications that may occur on a daily basis4. * Manual audit: This is a process of examining or reviewing the security settings on servers by human inspectors or auditors. A manual audit can help to identify and correct any security issues or discrepancies on servers, but it is time-consuming, labor-intensive, and prone to human errors. A manual audit may not be feasible or practical to perform on a daily basis. NO.10 A company has begun labeling all laptops with asset inventory stickers and associating them with employee IDs. Which of the following security benefits do these actions provide? (Choose two.) A. If a security incident occurs on the device, the correct employee can be notified. B. The security team will be able to send user awareness training to the appropriate device. C. Users can be mapped to their devices when configuring software MFA tokens. D. User-based firewall policies can be correctly targeted to the appropriate laptops. E. When conducting penetration testing, the security team will be able to target the desired laptops. F. Company data can be accounted for when the employee leaves the organization. Answer: A F 7 IT Certification Guaranteed, The Easy Way! Explanation: Labeling all laptops with asset inventory stickers and associating them with employee IDs can provide several security benefits for a company. Two of these benefits are: * A: If a security incident occurs on the device, the correct employee can be notified. An asset inventory sticker is a label that contains a unique identifier for a laptop, such as a serial number, a barcode, or a QR code. By associating this identifier with an employee ID, the security team can easily track and locate the owner of the laptop in case of a security incident, such as a malware infection, a data breach, or a theft. This way, the security team can notify the correct employee about the incident, and provide them with the necessary instructions or actions to take, such as changing passwords, scanning for viruses, or reporting the loss. This can help to contain the incident, minimize the damage, and prevent further escalation. * F: Company data can be accounted for when the employee leaves the organization. When an employee leaves the organization, the company needs to ensure that all the company data and assets are returned or deleted from the employee's laptop. By labeling the laptop with an asset inventory sticker and associating it with an employee ID, the company can easily identify and verify the laptop that belongs to the departing employee, and perform the appropriate data backup, wipe, or transfer procedures. This can help to protect the company data from unauthorized access, disclosure, or misuse by the former employee or any other party. The other options are not correct because they are not related to the security benefits of labeling laptops with asset inventory stickers and associating them with employee IDs. NO.11 A user is attempting to patch a critical system, but the patch fails to transfer. Which of the following access controls is most likely inhibiting the transfer? A. Attribute-based B. Time of day 8 IT Certification Guaranteed, The Easy Way! C. Role-based D. Least privilege Answer: D Explanation: The least privilege principle states that users and processes should only have the minimum level of access required to perform their tasks. This helps to prevent unauthorized or unnecessary actions that could compromise security. In this case, the patch transfer might be failing because the user or process does not have the appropriate permissions to access the critical system or the network resources needed for the transfer. Applying the least privilege principle can help to avoid this issue by granting the user or process the necessary access rights for the patching activity. NO.12 An organization's internet-facing website was compromised when an attacker exploited a buffer overflow. Which of the following should the organization deploy to best protect against similar attacks in the future? A. NGFW B. WAF C. TLS D. SD-WAN Answer: B Explanation: A buffer overflow is a type of software vulnerability that occurs when an application writes more data to a memory buffer than it can hold, causing the excess data to overwrite adjacent memory locations. This can lead to unexpected behavior, such as crashes, errors, or code execution. A buffer overflow can be exploited by an attacker to inject malicious code or commands into the application, which can compromise the security and functionality of the system. An organization's internet-facing website was compromised when an attacker exploited a buffer overflow. To best protect against similar attacks in the future, the organization should deploy a web application firewall (WAF). A WAF is a type of firewall that monitors and filters the traffic between a web application and the internet. A WAF can detect and block common web attacks, such as buffer overflows, SQL injections, cross-site scripting (XSS), and more. A WAF can also enforce security policies and rules, such as input validation, output encoding, and encryption. A WAF can provide a layer of protection for the web application, preventing attackers from exploiting its vulnerabilities and compromising its data. References = Buffer Overflows - CompTIA Security+ SY0-701 - 2.3, Web Application Firewalls - CompTIA Securit y+ SY0-701 - 2.4, [CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0 -701, 9th Edition] NO.13 A Chief Information Security Officer wants to monitor the company's servers for SQLi attacks and allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow traffic monitoring. Which of the following strategies would best accomplish this goal? A. Logging all NetFlow traffic into a SIEM B. Deploying network traffic sensors on the same subnet as the servers C. Logging endpoint and OS-specific security logs D. Enabling full packet capture for traffic entering and exiting the servers 9 IT Certification Guaranteed, The Easy Way! Answer: D Explanation: Full packet capture is a technique that records all network traffic passing through a device, such as a router or firewall. It allows for detailed analysis and investigation of network events, such as SQLi attacks, by providing the complete content and context of the packets. Full packet capture can help identify the source, destination, payload, and timing of an SQLi attack, as well as the impact on the server and database. Logging NetFlow traffic, network traffic sensors, and endpoint and OS-specific security logs can provide some information about network activity, but they do not capture the full content of the packets, which may limit the scope and depth of the investigation. References: NO.14 A systems administrator is working on a solution with the following requirements: * Provide a secure zone. * Enforce a company-wide access control policy. * Reduce the scope of threats. Which of the following is the systems administrator setting up? A. Zero Trust B. AAA C. Non-repudiation D. CIA Answer: A Explanation: Zero Trust is a security concept based on the idea that organizations should not automatically trust anything inside or outside their perimeters and must verify anything and everything trying to connect to its systems before granting access. It emphasizes strict access controls and verification processes, effectively creating secure zones within the network while reducing the scope of potential threats. NO.15 An administrator notices that several users are logging in from suspicious IP addresses. After speaking with the users, the administrator determines that the employees were not logging in from those IP addresses and resets the affected users' passwords. Which of the following should the administrator implement to prevent this type of attack from succeeding in the future? A. Multifactor authentication B. Permissions assignment C. Access management D. Password complexity Answer: A Explanation: 10 IT Certification Guaranteed, The Easy Way! The correct answer is A because multifactor authentication (MFA) is a method of verifying a user's identity by requiring more than one factor, such as something the user knows (e.g., password), something the user has (e.g., token), or something the user is (e.g., biometric). MFA can prevent unauthorized access even if the user's password is compromised, as the attacker would need to provide another factor to log in. The other options are incorrect because they do not address the root cause of the attack, which is weak authentication. NO.16 An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal? A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53 Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53 B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53 C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53 D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53 Answer: D Explanation: A firewall ACL (access control list) is a set of rules that determines which traffic is allowed or denied by the firewall. The rules are processed in order, from top to bottom, until a match is found. The syntax of a firewall ACL rule is: Access list To limit outbound DNS traffic originating from the internal network, the firewall ACL should allow only the device with the IP address 10.50.10.25 to send DNS requests to any destination on port 53, and deny all other outbound traffic on port 53. The correct firewall ACL is: Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53 The first rule permits outbound traffic from the source address 10.50.10.25/32 (a single host) to any destination address (0.0.0.0/0) on port 53 (DNS). The second rule denies all other outbound traffic on port 532. 11 IT Certification Guaranteed, The Easy Way! NO.17 Employees in the research and development business unit receive extensive training to ensure they understand how to best protect company data. Which of the following is the type of data these employees are most likely to use in day-to-day work activities? A. Encrypted B. Intellectual property C. Critical D. Data in transit Answer: B Explanation: Employees in the research and development (R&D) business unit are likely to work with intellectual property data on a day-to-day basis. Intellectual property refers to creations of the mind, such as inventions, designs, processes, or information, which can be legally protected. In an R&D environment, employees are often involved in creating, refining, and managing intellectual property, making it crucial for them to understand how to best protect such data. NO.18 A technician is opening ports on a firewall for a new system being deployed and supported by a SaaS provider. Which of the following is a risk in the new system? A. Default credentials B. Non-segmented network C. Supply chain vendor D. Vulnerable software Answer: C Explanation: A supply chain vendor is a third-party entity that provides goods or services to an organization, such as a SaaS provider. A supply chain vendor can pose a risk to the new system if the vendor has poor security practices, breaches, or compromises that could affect the confidentiality, integrity, or availability of the system or its data. The organization should perform due diligence and establish a service level agreement with the vendor to mitigate this risk. The other options are not specific to the scenario of using a SaaS provider, but rather general risks that could apply to any system. NO.19 An organization is struggling with scaling issues on its VPN concentrator and internet circuit due to remote work. The organization is looking for a software solution that will allow it to reduce traffic on the VPN and internet circuit, while still providing encrypted tunnel access to the data center and monitoring of remote employee internet traffic. Which of the following will help achieve these objectives? A. Deploying a SASE solution to remote employees B. Building a load-balanced VPN solution with redundant internet C. Purchasing a low-cost SD-WAN solution for VPN traffic D. Using a cloud provider to create additional VPN concentrators 12 IT Certification Guaranteed, The Easy Way! Answer: A Explanation: SASE stands for Secure Access Service Edge. It is a cloud-based service that combines network and security functions into a single integrated solution. SASE can help reduce traffic on the VPN and internet circuit by providing secure and optimized access to the data center and cloud applications for remote employees. SASE can also monitor and enforce security policies on the remote employee internet traffic, regardless of their location or device. SASE can offer benefits such as lower costs, improved performance, scalability, and flexibility compared to traditional VPN solutions. NO.20 An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a "page not found" error message. Which of the following types of social engineering attacks occurred? A. Brand impersonation B. Pretexting C. Typosquatting D. Phishing Answer: D Explanation: Phishing is a type of social engineering attack that involves sending fraudulent emails that appear to be from legitimate sources, such as payment websites, banks, or other trusted entities. The goal of phishing is to trick the recipients into clicking on malicious links, opening malicious attachments, or providing sensitive information, such as log-in credentials, personal data, or financial details. In this scenario, the employee received an email from a payment website that asked the employee to update contact information. The email contained a link that directed the employee to a fake website that mimicked the appearance of the real one. The employee entered the log-in information, but received a "page not found" error message. This indicates that the employee fell victim to a phishing attack, and the attacker may have captured the employee's credentials for the payment website.. NO.21 Which of the following vulnerabilities is associated with installing software outside of a manufacturer's approved software repository? A. Jailbreaking B. Memory injection C. Resource reuse D. Side loading Answer: D Explanation: Side loading is the process of installing software outside of a manufacturer's approved software repository. This can expose the device to potential vulnerabilities, such as malware, spyware, or unauthorized 13 IT Certification Guaranteed, The Easy Way! access. Side loading can also bypass security controls and policies that are enforced by the manufacturer or the organization. Side loading is often done by users who want to access applications or features that are not available or allowed on their devices. NO.22 A company is concerned about weather events causing damage to the server room and downtime. Which of the following should the company consider? A. Clustering servers B. Geographic dispersion C. Load balancers D. Off-site backups Answer: B Explanation: Geographic dispersion is a strategy that involves distributing the servers or data centers across different geographic locations. Geographic dispersion can help the company to mitigate the risk of weather events causing damage to the server room and downtime, as well as improve the availability, performance, and resilience of the network. Geographic dispersion can also enhance the disaster recovery and business continuity capabilities of the company, as it can provide backup and failover options in case of a regional outage or disruption NO.23 After an audit, an administrator discovers all users have access to confidential data on a file server. Which of the following should the administrator use to restrict access to the data quickly? A. Group Policy B. Content filtering C. Data loss prevention D. Access control lists 14 IT Certification Guaranteed, The Easy Way! Answer: D Explanation: Access control lists (ACLs) are rules that specify which users or groups can access which resources on a file server. They can help restrict access to confidential data by granting or denying permissions based on the identity or role of the user. In this case, the administrator can use ACLs to quickly modify the access rights of the users and prevent them from accessing the data they are not authorized to see. References: NO.24 A company is working with a vendor to perform a penetration test Which of the following includes an estimate about the number of hours required to complete the engagement? A. SOW B. BPA C. SLA D. NDA Answer: A Explanation: A statement of work (SOW) is a document that defines the scope, objectives, deliverables, timeline, and costs of a project or service. It typically includes an estimate of the number of hours required to complete the engagement, as well as the roles and responsibilities of the parties involved. A SOW is often used for penetration testing projects to ensure that both the client and the vendor have a clear and mutual understanding of what is expected and how the work will be performed. NO.25 A systems administrator receives the following alert from a file integrity monitoring tool: The hash of the cmd.exe file has changed. The systems administrator checks the OS logs and notices that no patches were applied in the last two months. Which of the following most likely occurred? A. The end user changed the file permissions. B. A cryptographic collision was detected. C. A snapshot of the file system was taken. D. A rootkit was deployed. Answer: D Explanation: A rootkit is a type of malware that modifies or replaces system files or processes to hide its presence and activity. A rootkit can change the hash of the cmd.exe file, which is a command-line interpreter for Windows systems, to avoid detection by antivirus or file integrity monitoring tools. A rootkit can also grant the attacker remote access and control over the infected system, as well as perform malicious actions such as stealing data, installing backdoors, or launching attacks on other systems. A rootkit is one of the most difficult types of malware to remove, as it can persist even after rebooting 15 IT Certification Guaranteed, The Easy Way! or reinstalling the OS. NO.26 Which of the following has been implemented when a host-based firewall on a legacy Linux system allows connections from only specific internal IP addresses? A. Compensating control B. Network segmentation C. Transfer of risk D. SNMP traps Answer: A Explanation: A compensating control is a security measure that is implemented to mitigate the risk of a vulnerability or a weakness that cannot be resolved by the primary control. A compensating control does not prevent or eliminate the vulnerability or weakness, but it can reduce the likelihood or impact of an attack. A host-based firewall on a legacy Linux system that allows connections from only specific internal IP addresses is an example of a compensating control, as it can limit the exposure of the system to potential threats from external or unauthorized sources. A host-based firewall is a software application that monitors and filters the incoming and outgoing network traffic on a single host, based on a set of rules or policies. A legacy Linux system is an older version of the Linux operating system that may not be compatible with the latest security updates or patches, and may have known vulnerabilities or weaknesses that could be exploited by attackers. NO.27 Which of the following is required for an organization to properly manage its restore process in the event of system failure? A. IRP B. DRP C. RPO D. SDLC Answer: B Explanation: A disaster recovery plan (DRP) is a set of policies and procedures that aim to restore the normal operations of an organization in the event of a system failure, natural disaster, or other emergency. 16 IT Certification Guaranteed, The Easy Way! NO.28 A security analyst receives alerts about an internal system sending a large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours. Which of the following is most likely occurring? A. A worm is propagating across the network. B. Data is being exfiltrated. C. A logic bomb is deleting data. D. Ransomware is encrypting files. Answer: B Explanation: Data exfiltration is a technique that attackers use to steal sensitive data from a target system or network by transmitting it through DNS queries and responses. This method is often used in advanced persistent threat (APT) attacks, in which attackers seek to persistently evade detection in the target environment. A large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours is a strong indicator of data exfiltration. NO.29 Which of the following security concepts is the best reason for permissions on a human resources fileshare to follow the principle of least privilege? A. Integrity B. Availability C. Confidentiality D. Non-repudiation Answer: C Explanation: Confidentiality is the security concept that ensures data is protected from unauthorized access or disclosure. 17 IT Certification Guaranteed, The Easy Way! NO.30 A security analyst is investigating an application server and discovers that software on the server is behaving abnormally. The software normally runs batch jobs locally and does not generate traffic, but the process is now generating outbound traffic over random high ports. Which of the following vulnerabilities has likely been exploited in this software? A. Memory injection B. Race condition C. Side loading D. SQL injection Answer: A Explanation: Memory injection vulnerabilities allow unauthorized code or commands to be executed within a software program, leading to abnormal behavior such as generating outbound traffic over random high ports. This issue often arises from software not properly validating or encoding input, which can be exploited by attackers to inject malicious code. NO.31 Which of the following factors are the most important to address when formulating a training curriculum plan for a security awareness program? (Select two). A. Channels by which the organization communicates with customers B. The reporting mechanisms for ethics violations C. Threat vectors based on the industry in which the organization operates D. Secure software development training for all personnel E. Cadence and duration of training events F. Retraining requirements for individuals who fail phishing simulations Answer: C E Explanation: A training curriculum plan for a security awareness program should address the following factors: * The threat vectors based on the industry in which the organization operates. This will help the employees to understand the specific risks and challenges that their organization faces, and how to protect themselves and the organization from cyberattacks. For example, a healthcare organization may face different threat vectors than a financial organization, such as ransomware, data breaches, or medical device hacking1. * The cadence and duration of training events. This will help the employees to retain the information and skills they learn, and to keep up with the changing security landscape. The training events should be frequent enough to reinforce the key concepts and behaviors, but not too long or too short to lose the attention or interest of the employees. For example, a security awareness program may include monthly newsletters, quarterly webinars, annual workshops, or periodic quizzes2. 18 IT Certification Guaranteed, The Easy Way! NO.32 Which of the following is the most likely to be used to document risks, responsible parties, and thresholds? A. Risk tolerance B. Risk transfer C. Risk register D. Risk analysis Answer: C Explanation: A risk register is a document that records and tracks the risks associated with a project, system, or organization. A risk register typically includes information such as the risk description, the risk owner, the risk probability, the risk impact, the risk level, the risk response strategy, and the risk status. A risk register can help identify, assess, prioritize, monitor, and control risks, as well as communicate them to relevant stakeholders. A risk register can also help document the risk tolerance and thresholds of an organization, which are the acceptable levels of risk exposure and the criteria for escalating or mitigating risks. NO.33 A cyber operations team informs a security analyst about a new tactic malicious actors are using to compromise networks. SIEM alerts have not yet been configured. Which of the following best describes what the security analyst should do to identify this behavior? A. [Digital forensics B. E-discovery C. Incident response D. Threat hunting Answer: D Explanation: Threat hunting is the process of proactively searching for signs of malicious activity or compromise in a network, rather than waiting for alerts or indicators of compromise (IOCs) to appear. Threat hunting can help identify new tactics, techniques, and procedures (TTPs) used by malicious actors, as well as uncover hidden or stealthy threats that may have evaded detection by security tools. Threat hunting requires a combination of skills, tools, and methodologies, such as hypothesis generation, data collection and analysis, threat intelligence, and incident response.. 19 IT Certification Guaranteed, The Easy Way! Answer: 21 IT Certification Guaranteed, The Easy Way! 22 IT Certification Guaranteed, The Easy Way! NO.35 A newly appointed board member with cybersecurity knowledge wants the board of directors to receive a quarterly report detailing the number of incidents that impacted the organization. The systems administrator is creating a way to present the data to the board of directors. Which of the following should the systems administrator use? A. Packet captures B. Vulnerability scans C. Metadata D. Dashboard Answer: D Explanation: A dashboard is a graphical user interface that provides a visual representation of key performance indicators, metrics, and trends related to security events and incidents. A dashboard can help the board of directors to understand the number and impact of incidents that affected the organization in a given period, as well as the status and effectiveness of the security controls and processes. A dashboard can also allow the board of directors to drill down into specific details or filter the data by various criteria 23 IT Certification Guaranteed, The Easy Way! NO.36 A systems administrator wants to prevent users from being able to access data based on their responsibilities. The administrator also wants to apply the required access structure via a simplified format. Which of the following should the administrator apply to the site recovery resource group? A. RBAC B. ACL C. SAML D. GPO Answer: A Explanation: RBAC stands for Role-Based Access Control, which is a method of restricting access to data and resources based on the roles or responsibilities of users. Job / Task / Function NO.37 Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries? A. Hacktivist B. Whistleblower C. Organized crime D. Unskilled attacker Answer: C Explanation: Organized crime is a type of threat actor that is motivated by financial gain and often operates across national borders. Organized crime groups may be hired by foreign governments to conduct cyberattacks on critical systems located in other countries, such as power grids, military networks, or financial institutions. Should be APTs NO.38 Which of the following is a primary security concern for a company setting up a BYOD program? A. End of life B. Buffer overflow 24 IT Certification Guaranteed, The Easy Way! C. VM escape D. Jailbreaking Answer: D Explanation: Jailbreaking is a primary security concern for a company setting up a BYOD (Bring Your Own Device) program. Jailbreaking is the process of removing the manufacturer's or the carrier's restrictions on a device, such as a smartphone or a tablet, to gain root access and install unauthorized or custom software. Jailbreaking can compromise the security of the device and the data stored on it, as well as expose it to malware, viruses, or hacking. Jailbreaking can also violate the warranty and the terms of service of the device, and make it incompatible with the company's security policies and standards. Therefore, a company setting up a BYOD program should prohibit jailbreaking and enforce device compliance and encryption. NO.39 A security analyst locates a potentially malicious video file on a server and needs to identify both the creation date and the file's creator. Which of the following actions would most likely give the security analyst the information required? A. Obtain the file's SHA-256 hash. B. Use hexdump on the file's contents. C. Check endpoint logs. D. Query the file's metadata. Answer: D Explanation: Metadata is data that describes other data, such as its format, origin, creation date, author, and other attributes. NO.40 A security administrator would like to protect data on employees' laptops. Which of the following encryption techniques should the security administrator use? A. Partition 25 IT Certification Guaranteed, The Easy Way! B. Asymmetric C. Full disk D. Database Answer: C Explanation: Full disk encryption (FDE) is a technique that encrypts all the data on a hard drive, including the operating system, applications, and files. FDE protects the data from unauthorized access in case the laptop is lost, stolen, or disposed of without proper sanitization. NO.41 Which of the following must be considered when designing a high-availability network? (Choose two). A. Ease of recovery B. Ability to patch C. Physical isolation D. Responsiveness E. Attack surface F. Extensible authentication Answer: A E Explanation: 26 IT Certification Guaranteed, The Easy Way! A. Ease of recovery: High-availability networks should be designed with redundancy and failover mechanisms to minimize downtime in the event of failures. Ease of recovery refers to how quickly and efficiently the network can be restored to normal operation following a failure. E. Attack surface: High-availability networks should be designed to minimize the attack surface, which is the sum of all possible points where an attacker can try to enter or extract data from a system. By reducing the attack surface, the network becomes more resilient to potential security threats and less susceptible to downtime caused by malicious activities. NO.42 Which of the following can best protect against an employee inadvertently installing malware on a company system? A. Host-based firewall B. System isolation C. Least privilege D. Application allow list Answer: D Explanation: An application allow list is a security technique that specifies which applications are authorized to run on a system and blocks all other applications. An application allow list can best protect against an employee inadvertently installing malware on a company system because it prevents the execution of any unauthorized or malicious software, such as viruses, worms, trojans, ransomware, or spyware. An application allow list can also reduce the attack surface and improve the performance of the system. NO.43 A company is expanding its threat surface program and allowing individuals to security test the company's internet-facing application. The company will compensate researchers based on the vulnerabilities discovered. Which of the following best describes the program the company is setting up? 27 IT Certification Guaranteed, The Easy Way! A. Open-source intelligence B. Bug bounty C. Red team D. Penetration testing Answer: B Explanation: A bug bounty is a program that rewards security researchers for finding and reporting vulnerabilities in an application or system. Bug bounties are often used by companies to improve their security posture and incentivize ethical hacking. A bug bounty program typically defines the scope, rules, and compensation for the researchers. NO.44 An employee receives a text message from an unknown number claiming to be the company's Chief Executive Officer and asking the employee to purchase several gift cards. Which of the following types of attacks does this describe? A. Vishing B. Smishing C. Pretexting D. Phishing Answer: B Explanation: Smishing is a type of phishing attack that uses text messages or common messaging apps to trick victims into clicking on malicious links or providing personal information. NO.45 The marketing department set up its own project management software without telling the appropriate departments. Which of the following describes this scenario? A. Shadow IT B. Insider threat C. Data exfiltration D. Service disruption Answer: A Explanation: Shadow IT is the term used to describe the use of unauthorized or unapproved IT resources within an organization. The marketing department set up its own project management software without telling the appropriate departments, such as IT, security, or compliance. This could pose a risk to the organization's security posture, data integrity, and regulatory compliance1. 28 IT Certification Guaranteed, The Easy Way! NO.46 A security analyst scans a company's public network and discovers a host is running a remote desktop that can be used to access the production network. Which of the following changes should the security analyst recommend? A. Changing the remote desktop port to a non-standard number B. Setting up a VPN and placing the jump server inside the firewall C. Using a proxy for web connections from the remote desktop server D. Connecting the remote server to the domain and increasing the password length Answer: B Explanation: A VPN is a virtual private network that creates a secure tunnel between two or more devices over a public network. A VPN can encrypt and authenticate the data, as well as hide the IP addresses and locations of the devices. A jump server is a server that acts as an intermediary between a user and a target server, such as a production server. A jump server can provide an additional layer of security and access control, as well as logging and auditing capabilities. NO.47 An administrator finds that all user workstations and servers are displaying a message that is associated with files containing an extension of.ryk. Which of the following types of infections is present on the systems? A. Virus B. Trojan C. Spyware D. Ransomware Answer: D Explanation: Ransomware is a type of malware that encrypts the victim's files and demands a ransom for the decryption key. The ransomware usually displays a message on the infected system with instructions on how to pay the ransom and recover the files. The.ryk extension is associated with a ransomware variant called Ryuk, which targets large organizations and demands high ransoms NO.48 A security operations center determines that the malicious activity detected on a server is normal. Which of the following activities describes the act of ignoring detected activity in the future? A. Tuning B. Aggregating C. Quarantining D. Archiving 29 IT Certification Guaranteed, The Easy Way! Answer: A Explanation: Tuning is the activity of adjusting the configuration or parameters of a security tool or system to optimize its performance and reduce false positives or false negatives. Tuning can help to filter out the normal or benign activity that is detected by the security tool or system, and focus on the malicious or anomalous activity that requires further investigation or response. Tuning can also help to improve the efficiency and effectiveness of the security operations center by reducing the workload and alert fatigue of the analysts NO.49 A security engineer is implementing FDE for all laptops in an organization. Which of the following are the most important for the engineer to consider as part of the planning process? (Select two). A. Key escrow B. TPM presence C. Digital signatures D. Data tokenization E. Public key management F. Certificate authority linking Answer: E B * B. TPM presence: Trusted Platform Module (TPM) is a hardware-based security feature that provides a secure foundation for encryption keys. It ensures that encryption keys are stored securely and are not accessible to unauthorized users, thereby enhancing the security of FDE implementations. * E. Public key management: Public key management is crucial for securely encrypting and decrypting data in FDE systems. It involves managing the public keys used for encryption and ensuring that authorized users have access to the appropriate keys to decrypt data when needed. NO.50 During the onboarding process, an employee needs to create a password for an intranet account. The password must include ten characters, numbers, and letters, and two special characters. Once the password is created, the company will grant the employee access to other company-owned websites based on the intranet profile. Which of the following access management concepts is the company most likely using to safeguard 30 IT Certification Guaranteed, The Easy Way! intranet accounts and grant access to multiple sites based on a user's intranet account? (Select two). A. Federation B. Identity proofing C. Password complexity D. Default password changes E. Password manager F. Open authentication Answer: A C Explanation: Federation is an access management concept that allows users to authenticate once and access multiple resources or services across different domains or organizations. Federation relies on a trusted third party that stores the user's credentials and provides them to the requested resources or services without exposing them. Password complexity is a security measure that requires users to create passwords that meet certain criteria, such as length, character types, and uniqueness. Password complexity can help prevent brute-force attacks, password guessing, and credential stuffing by making passwords harder to crack or guess. NO.51 Which of the following roles, according to the shared responsibility model, is responsible for securing the company's database in an IaaS model for a cloud environment? A. Client B. Third-party vendor C. Cloud provider D. DBA Answer: A Explanation: According to the shared responsibility model, the client and the cloud provider have different roles and responsibilities for securing the cloud environment, depending on the service model. In an IaaS (Infrastructure as a Service) model, the cloud provider is responsible for securing the physical infrastructure, such as the servers, storage, and network devices, while the client is responsible for securing the operating systems, applications, and data that run on the cloud infrastructure. Therefore, the client is responsible for securing the company's database in an IaaS model for a cloud environment, as the database is an application that stores data. NO.52 Which of the following describes the process of concealing code or text inside a graphical image? A. Symmetric encryption B. Hashing 31 IT Certification Guaranteed, The Easy Way! C. Data masking D. Steganography Answer: D Explanation: Steganography is the process of hiding information within another medium, such as an image, audio, video, or text file. The hidden information is not visible or noticeable to the casual observer, and can only be extracted by using a specific technique or key. Steganography can be used for various purposes, such as concealing secret messages, watermarking, or evading detection by antivirus NO.53 An organization recently updated its security policy to include the following statement: Regular expressions are included in source code to remove special characters such as $, |, ;. &, `, and ? from variables set by forms in a web application. Which of the following best explains the security technique the organization adopted by making this addition to the policy? A. Identify embedded keys B. Code debugging C. Input validation D. Static code analysis Answer: C Explanation: Input validation is a security technique that checks the user input for any malicious or unexpected data before processing it by the application. Input validation can prevent various types of attacks, 's 32 IT Certification Guaranteed, The Easy Way! NO.54 A company's legal department drafted sensitive documents in a SaaS application and wants to ensure the documents cannot be accessed by individuals in high-risk countries. Which of the following is the most effective way to limit this access? A. Data masking B. Encryption C. Geolocation policy D. Data sovereignty regulation Answer: C Explanation: A geolocation policy is a policy that restricts or allows access to data or resources based on the geographic location of the user or device. A geolocation policy can be implemented using various methods, such as IP address filtering, GPS tracking, or geofencing. NO.55 A bank insists all of its vendors must prevent data loss on stolen laptops. Which of the following strategies is the bank requiring? A. Encryption at rest B. Masking C. Data classification D. Permission restrictions Answer: A Explanation: Encryption at rest is a strategy that protects data stored on a device, such as a laptop, by converting it into an unreadable format that can only be accessed with a decryption key or password. 33 IT Certification Guaranteed, The Easy Way! NO.56 A security consultant needs secure, remote access to a client environment. Which of the following should the security consultant most likely use to gain access? A. EAP B. DHCP C. IPSec D. NAT Answer: C Explanation: IPSec is a protocol suite that provides secure communication over IP networks. IPSec can be used to create virtual private networks (VPNs) that encrypt and authenticate the data exchanged between two or more parties. IPSec can also provide data integrity, confidentiality, replay protection, and access control. NO.57 A technician needs to apply a high-priority patch to a production system. Which of the following steps should be taken first? A. Air gap the system. B. Move the system to a different network segment. C. Create a change control request. D. Apply the patch to the system. Answer: C Explanation: = A change control request is a document that describes the proposed change to a system, the reason for the change, the expected impact, the approval process, the testing plan, the implementation plan, the rollback plan, and the communication plan. A change control request is a best practice for applying any patch to a production system, especially a high-priority one, as it ensures that the change is authorized, documented, tested, and communicated. 34 IT Certification Guaranteed, The Easy Way! NO.58 An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period. Which of the following data policies is the administrator carrying out? A. Compromise B. Retention C. Analysis D. Transfer E. Inventory Answer: B Explanation: A data retention policy is a set of rules that defines how long data should be stored and when it should be deleted or archived. NO.59 A hacker gained access to a system via a phishing attempt that was a direct result of a user clicking a suspicious link. The link laterally deployed ransomware, which laid dormant for multiple weeks, across the network. Which of the following would have mitigated the spread? A. IPS B. IDS C. WAF D. UAT Answer: A Explanation: IPS stands for intrusion prevention system, which is a network security device that monitors and blocks malicious traffic in real time.. I NO.60 A systems administrator is creating a script that would save time and prevent human error when performing account creation for a large number of end users. Which of the following would be a good use case for this task? A. Off-the-shelf software B. Orchestration C. Baseline D. Policy enforcement Answer: B Explanation: 35 IT Certification Guaranteed, The Easy Way! Orchestration is the process of automating multiple tasks across different systems and applications. It can help save time and reduce human error by executing predefined workflows and scripts. NO.61 Visitors to a secured facility are required to check in with a photo ID and enter the facility through an access control vestibule Which of the following but describes this form of security control? A. Physical B. Managerial C. Technical D. Operational Answer: A Explanation: A physical security control is a device or mechanism that prevents unauthorized access to a physical location or asset. An access control vestibule, also known as a mantrap, is a physical security control that consists of a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. NO.62 An administrator discovers that some files on a database server were recently encrypted. The administrator sees from the security logs that the data was last accessed by a domain user. Which of the following best describes the type of attack that occurred? A. Insider threat B. Social engineering C. Watering-hole D. Unauthorized attacker Answer: A Explanation: An insider threat is a type of attack that originates from someone who has legitimate access to an organization's network, systems, or data. In this case, the domain user who encrypted the files on the database server is an example of an insider threat, as they abused their access privileges to cause harm to the organization. Insider threats can be motivated by various factors, such as financial gain, revenge, espionage, or sabotage. NO.63 An organization disabled unneeded services and placed a firewall in front of a business- critical legacy system. 36 IT Certification Guaranteed, The Easy Way! Which of the following best describes the actions taken by the organization? A. Risk transfer B. Exception C. Compensating controls D. Segmentation Answer: C NO.64 A technician wants to improve the situational and environmental awareness of existing users as they transition from remote to in-office work. Which of the following is the best option? A. Send out periodic security reminders. B. Update the content of new hire documentation. C. Modify the content of recurring training. D Implement a phishing campaign Answer: C Explanation: Recurring training is a type of security awareness training that is conducted periodically to refresh and update the knowledge and skills of the users. Recurring training can help improve the situational and environmental awareness of existing users as they transition from remote to in-office work, as it can cover the latest threats, best practices, and policies that are relevant to their work environment. NO.65 A company prevented direct access from the database administrators' workstations to the network segment that contains database servers. Which of the following should a database administrator use to access the database servers? A. Jump server B. RADIUS C. HSM D. Load balancer Answer: A Explanation: A jump server is a device or virtual machine that acts as an intermediary between a user's workstation and a remote network segment. A jump server can be used to securely access servers or devices that are not directly reachable from the user's workstation, such as database servers. A jump server can also provide audit logs and access control for the remote connections. A jump server is also known as a jump box or a jump host 37 IT Certification Guaranteed, The Easy Way! NO.66 A healthcare organization wants to provide a web application that allows individuals to digitally report health emergencies. Which of the following is the most important consideration during development? A. Scalability B. Availability C. Cost D. Ease of deployment Answer: B Explanation: Availability is the ability of a system or service to be accessible and usable when needed. For a web application that allows individuals to digitally report health emergencies, availability is the most important consideration during development, because any downtime or delay could have serious consequences for the health and safety of the users. The web application should be designed to handle high traffic, prevent denial-of-service attacks, and have backup and recovery plans in case of failures NO.67 Which of the following would be the best way to block unknown programs from executing? A. Access control list B. Application allow list. C. Host-based firewall D. DLP solution Answer: B Explanation: An application allow list is a security technique that specifies which applications are permitted to run on a system or a network. An application allow list can block unknown programs from executing by only allowing the execution of programs that are explicitly authorized and verified. An application allow list can prevent malware, unauthorized software, or unwanted applications from running and compromising the security of the system or the network12. 38 IT Certification Guaranteed, The Easy Way! * NO.68 A newly identified network access vulnerability has been found in the OS of legacy loT devices. Which of the following would best mitigate this vulnerability quickly? A. Insurance B. Patching C. Segmentation D. Replacement Answer: C Explanation: Segmentation is a technique that divides a network into smaller subnetworks or segments, each with its own security policies and controls. Segmentation can help mitigate network access vulnerabilities in legacy loT devices by isolating them from other devices and systems, reducing their attack surface and limiting the potential impact of a breach. NO.69 Which of the following describes the maximum allowance of accepted risk? A. Risk indicator B. Risk level C. Risk score D. Risk threshold Answer: D Explanation: Risk threshold is the maximum amount of risk that an organization is willing to accept for a given 39 IT Certification Guaranteed, The Easy Way! NO.70 An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of the following would be most relevant for the analyst to evaluate? A. Secured zones B. Subject role C. Adaptive identity D. Threat scope reduction Answer: A Explanation: Secured zones are a key component of the Zero Trust data plane, which is the layer where data is stored, processed, and transmitted. Secured zones are logical or physical segments of the network that isolate data and resources based on their sensitivity and risk. Secured zones enforce granular policies and controls to prevent unauthorized access and lateral movement within the network. NO.71 A security analyst reviews domain activity logs and notices the following: Which of the following is the best explanation for what the security analyst has discovered? A. The user jsmith's account has been locked out. B. A keylogger is installed on [smith's workstation C. An attacker is attempting to brute force ismith's account. D. Ransomware has been deployed in the domain. Answer: C Explanation: Brute force is a type of attack that tries to guess the password or other credentials of a user account by using a large number of possible combinations. An attacker can use automated tools or scripts to perform a brute force attack and gain unauthorized access to the account. 40 IT Certification Guaranteed, The Easy Way! NO.72 Which of the following automation use cases would best enhance the security posture of an organization by rapidly updating permissions when employees leave a company? A. Provisioning resources B. Disabling access C. Reviewing change approvals D. Escalating permission requests Answer: B Explanation: Disabling access is an automation use case that would best enhance the security posture of an organization by rapidly updating permissions when employees leave a company. Disabling access is the process of revoking or suspending the access rights of a user account, such as login credentials, email, VPN, cloud services, etc. Disabling access can prevent unauthorized or malicious use of the account by former employees or attackers who may have compromised the account. NO.73 A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of ransomware-as-a-service in a report to the management team. Which of the following best describes the threat actor in the CISO's report? A. Insider threat B. Hacktivist C. Nation-state D. Organized crime Answer: D Explanation: Ransomware-as-a-service is a type of cybercrime where hackers sell or rent ransomware tools or services to other criminals who use them to launch attacks and extort money from victims. This is a typical example of organized crime, which is a group of criminals who work together to conduct illegal activities for profit. O NO.74 Which of the following vulnerabilities is exploited when an attacker overwrites a register with a malicious address? A. VM escape B. SQL injection C. Buffer overflow 41 IT Certification Guaranteed, The Easy Way! D. Race condition Answer: C Explanation: A buffer overflow is a vulnerability that occurs when an application writes more data to a memory buffer than it can hold, causing the excess data to overwrite adjacent memory locations. A register is a small storage area in the CPU that holds temporary data or instructions. An attacker can exploit a buffer overflow to overwrite a register with a malicious address that points to a shellcode, which is a piece of code that gives the attacker control over the system. NO.75 A company's end users are reporting that they are unable to reach external websites. After reviewing the performance data for the DNS severs, the analyst discovers that the CPU, disk, and memory usage are minimal, but the network interface is flooded with inbound traffic. Network logs show only a small number of DNS queries sent to this server. Which of the following best describes what the security analyst is seeing? A. Concurrent session usage B. Secure DNS cryptographic downgrade C. On-path resource consumption D. Reflected denial of service Answer: D Explanation: A reflected denial of service (RDoS) attack is a type of DDoS attack that uses spoofed source IP addresses to send requests to a third-party server, which then sends responses to the victim server. The attacker exploits the difference in size between the request and the response, which can amplify the amount of traffic sent to the victim server. The attacker also hides their identity by using the victim's IP address as the source. A RDoS attack can target DNS servers by sending forged DNS queries that generate large DNS responses. This can flood the network interface of the DNS server and prevent it from serving legitimate requests from end users. NO.76 A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic coming from an employee's corporate laptop. The security analyst has determined that additional data about the executable running on the machine is necessary to continue the investigation. Which of the following logs should the analyst use as a data source? A. Application B. IPS/IDS C. Network D. Endpoint Answer: D Explanation: An endpoint log is a file that contains information about the activities and events that occur on an end-user device, such as a laptop, desktop, tablet, or smartphone. Endpoint logs can provide valuable 42 IT Certification Guaranteed, The Easy Way! data for security analysts, such as the processes running on the device, the network connections established, the files accessed or modified, the user actions performed, and the applications installed or updated. Endpoint logs can also record the details of any executable files running on the device, such as the name, path, size, hash, signature, and permissions of the executable. NO.77 Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked. Which of the following changes would allow users to access the site? A. Creating a firewall rule to allow HTTPS traffic B. Configuring the IPS to allow shopping C. Tuning the DLP rule that detects credit card data D. Updating the categorization in the content filter Answer: D Explanation: A content filter is a device or software that blocks or allows access to web content based on predefined rules or categories. In this case, the new retail website is mistakenly categorized as gambling by the content filter, which prevents users from accessing it. To resolve this issue, the content filter's categorization needs to be updated to reflect the correct category of the website, such as shopping or retail. This will allow the content filter to allow access to the website instead of blocking it. NO.78 A company's web filter is configured to scan the URL for strings and deny access when 43 IT Certification Guaranteed, The Easy Way! matches are found. Which of the following search strings should an analyst employ to prohibit access to non-encrypted websites? A. encryption=off\ B. http:// C. www.*.com D. :443 Answer: B Explanation: A web filter is a device or software that can monitor, block, or allow web traffic based on predefined rules or policies. One of the common methods of web filtering is to scan the URL for strings and deny access when matches are found. The port is an optional number that identifies the specific service or application running on the web server, such as 80 for HTTP or 443 for HTTPS. 44 IT Certification Guaranteed, The Easy Way! NO.79 An organization wants a third-party vendor to do a penetration test that targets a specific device. The organization has provided basic information about the device. Which of the following best describes this kind of penetration test? A. Partially known environment B. Unknown environment C. Integrated D. Known environment Answer: A Explanation: A partially known environment is a type of penetration test where the tester has some information about the target, such as the IP address, the operating system, or the device type. This can help the tester focus on specific vulnerabilities and reduce the scope of the test. NO.80 An organization is leveraging a VPN between its headquarters and a branch location. Which of the following is the VPN protecting? A. Data in use B. Data in transit C. Geographic restrictions D. Data sovereignty Answer: B Explanation: Data in transit is data that is moving from one location to another, such as over a network or through the air. NO.81 A U.S.-based cloud-hosting provider wants to expand its data centers to new international locations. Which of the following should the hosting provider consider first? A. Local data protection regulations B. Risks from hackers residing in other countries C. Impacts to existing contractual obligations D. Time zone differences in log correlation Answer: A Explanation: Local data protection regulations are the first thing that a cloud-hosting provider should consider before expanding its data centers to new international locations. Data protection regulations are laws or standards that govern how personal or sensitive data is collected, stored, processed, and transferred across borders. 45 IT Certification Guaranteed, The Easy Way! NO.82 A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent? A. Accept B. Transfer C. Mitigate D. Avoid Answer: B Explanation: Cyber insurance is a type of insurance that covers the financial losses and liabilities that result from cyberattacks, NO.83 Which of the following exercises should an organization use to improve its incident response process? A. Tabletop B. Replication 46 IT Certification Guaranteed, The Easy Way! C. Failover D. Recovery Answer: A Explanation: A tabletop exercise is a simulated scenario that tests the organization's incident response plan and procedures. It involves key stakeholders and decision-makers who discuss their roles and actions in response to a hypothetical incident. It can help identify gaps, weaknesses, and improvement areas in the incident response process. NO.84 Which of the following agreement types defines the time frame in which a vendor needs to respond? A. SOW B. SLA C. MOA D. MOU Answer: B Explanation: A service level agreement (SLA) is a type of agreement that defines the expectations and responsibilities between a service provider and a customer. It usually includes the quality, availability, and performance metrics of the service, as well as the time frame in which the provider needs to respond to service requests, incidents, or complaints. NO.85 Which of the following security control types does an acceptable use policy best represent? A. Detective B. Compensating C. Corrective D. Preventive Answer: D Explanation: An acceptable use policy (AUP) is a set of rules that govern how users can access and use a corporate network or the internet. The AUP helps companies minimize their exposure to cyber security threats and limit other risks. The AUP also serves as a notice to users about what they are not allowed to do and protects the company against misuse of their network. Users usually have to acknowledge that they understand and agree to the rules before accessing the network 47 IT Certification Guaranteed, The Easy Way! NO.86 A security team is reviewing the findings in a report that was delivered after a third party performed a penetration test. One of the findings indicated that a web application form field is vulnerable to cross-site scripting. Which of the following application security techniques should the security analyst recommend the developer implement to prevent this vulnerability? A. Secure cookies B. Version control C. Input validation D. Code signing Answer: C Explanation: Input validation is a technique that checks the user input for any malicious or unexpected data before processing it by the web application. Input validation can prevent cross-site scripting (XSS) attacks, which exploit the vulnerability of a web application to execute malicious scripts in the browser of a victim. 48 IT Certification Guaranteed, The Easy Way! NO.87 In order to strengthen a password and prevent a hacker from cracking it, a random string of 36 characters was added to the password. Which of the following best describes this technique? A. Key stretching B. Tokenization C. Data masking D. Salting Answer: D Explanation: Adding a random string of characters, known as a "salt," to a password before hashing it is known as salting. This technique strengthens passwords by ensuring that even if two users have the same password, their hashes will be different due to the unique salt, making it much harder for attackers to crack passwords using rainbow tables.References: NO.88 Which of the following is the most likely outcome if a large bank fails an internal PCI DSS compliance assessment? A. Fines B. Audit findings C. Sanctions D. Reputation damage Answer: A Explanation: PCI DSS is the Payment Card Industry Data Security Standard, which is a set of security requirements for organizations that store, process, or transmit cardholder data. PCI DSS aims to protect the confidentiality, integrity, and availability of cardholder data and prevent fraud, identity theft, and data breaches. PCI DSS is enforced by the payment card brands, s If a large bank fails an internal PCI DSS compliance assessment, the most likely outcome is that the bank will face fines from the payment card brands. 49 IT Certification Guaranteed, The Easy Way! NO.89 A company is planning a disaster recovery site and needs to ensure that a single natural disaster would not result in the complete loss of regulated backup data. Which of the following should the company consider? A. Geographic dispersion B. Platform diversity C. Hot site 50 IT Certification Guaranteed, The Easy Way! D. Load balancing Answer: A Explanation: Geographic dispersion is the practice of having backup data stored in different locations that are far enough apart to minimize the risk of a single natural disaster affecting both sites. This ensures that the company can recover its regulated data in case of a disaster at the primary site. NO.90 Which of the following enables the use of an input field to run commands that can view or manipulate data? A. Cross-site scripting B. Side loading C. Buffer overflow D. SQL injection Answer: D Explanation: = SQL injection is a type of attack that enables the use of an input field to run commands that can view or manipulate data in a database. SQL stands for Structured Query Language NO.91 Which of the following describes a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system? A. SIEM B. DLP C. IDS D. SNMP Answer: A Explanation: SIEM stands for Security Information and Event Management. It is a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system. SIEM can analyze the collected data, correlate events, generate alerts, and provide reports and dashboards. 51 IT Certification Guaranteed, The Easy Way! NO.92 Which of the following risk management strategies should an enterprise adopt first if a legacy application is critical to business operations and there are preventative controls that are not yet implemented? A. Mitigate B. Accept C. Transfer D. Avoid Answer: A Explanation: Mitigate is the risk management strategy that involves reducing the likelihood or impact of a risk. If a legacy application is critical to business operations and there are preventative controls that are not yet implemented, the enterprise should adopt the mitigate strategy first to address the existing vulnerabilities and gaps in the application. NO.93 Which of the following would be best suited for constantly changing environments? A. RTOS B. Containers C. Embedded systems D. SCADA Answer: B Explanation: Containers are a method of virtualization that allows applications to run in isolated environments with their own dependencies, libraries, and configurations. Containers are best suited for constantly changing environments because they are lightweight, portable, scalable, and easy to deploy and update. Containers can also support microservices architectures, which enable faster and more frequent delivery of software features. NO.94 Which of the following would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed? A. A full inventory of all hardware and software B. Documentation of system classifications C. A list of system owners and their departments 52 IT Certification Guaranteed, The Easy Way! D. Third-party risk assessment documentation Answer: A Explanation: A full inventory of all hardware and software is essential for measuring the overall risk to an organization when a new vulnerability is disclosed, because it allows the security analyst to identify which systems are affected by the vulnerability and prioritize the remediation efforts. Without a full inventory, the security analyst may miss some vulnerable systems or waste time and resources on irrelevant ones. NO.95 A software development manager wants to ensure the authenticity of the code created by the company. Which of the following options is the most appropriate? A. Testing input validation on the user input fields B. Performing code signing on company-developed software C. Performing static code analysis on the software D. Ensuring secure cookies are use Answer: B Explanation: Code signing is a technique that uses cryptography to verify the authenticity and integrity of the code created by the company. Code signing involves applying a digital signature to the code using a private key that only the company possesses. The digital signature can be verified by anyone who has the corresponding public key, which can be distributed through a trusted certificate authority. NO.96 The local administrator account for a company's VPN appliance was unexpectedly used to log in to the remote management interface. Which of the following would have most likely prevented this from happening'? A. Using least privilege B. Changing the default password C. Assigning individual user IDs D. Reviewing logs more frequently Answer: B Explanation: Changing the default password for the local administrator account on a VPN appliance is a basic security measure that would have most likely prevented the unexpected login to the remote management interface. Default passwords are often easy to guess or publicly available, and attackers can use them to gain unauthorized access to devices and systems. 53 IT Certification Guaranteed, The Easy Way! NO.97 A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly basis. Which of the following types of controls is the company setting up? A. Corrective B. Preventive C. Detective D. Deterrent Answer: C Explanation: A detective control is a type of control that monitors and analyzes the events and activities in a system or a network, and alerts or reports when an incident or a violation occurs. A SIEM (Security Information and Event Management) system is a tool that collects, correlates, and analyzes the logs from various sources, such as firewalls, routers, servers, or applications, and provides a centralized view of the security status and incidents. NO.98 A systems administrator is looking for a low-cost application-hosting solution that is cloud- based. Which of the following meets these requirements? A. Serverless framework B. Type 1 hvpervisor C. SD-WAN D. SDN Answer: A Explanation: A serverless framework is a cloud-based application-hosting solution that meets the requirements of low-cost and cloud-based. A serverless framework is a type of cloud computing service that allows developers to run applications without managing or provisioning any servers. The cloud provider handles the server-side infrastructure, such as scaling, load balancing, security, and maintenance, and charges the developer only for the resources consumed by the application. A serverless framework enables developers to focus on the application logic and functionality, and reduces the operational costs and complexity of hosting applications. 54 IT Certification Guaranteed, The Easy Way! NO.99 An attacker posing as the Chief Executive Officer calls an employee and instructs the employee to buy gift cards. Which of the following techniques is the attacker using? A. Smishing B. Disinformation C. Impersonating D. Whaling Answer: C Explanation: Whaling is a type of phishing attack that targets high-profile individuals, such as executives, celebrities, or politicians. The attacker impersonates someone with authority or influence and tries to trick the victim into performing an action, such as transferring money, revealing sensitive information, or clicking on a malicious link. NO.100 A security administrator needs a method to secure data in an environment that includes some form of checks so that the administrator can track any changes. Which of the following should the administrator set up to achieve this goal? A. SPF B. GPO C. NAC 55 IT Certification Guaranteed, The Easy Way! D. FIM Answer: D Explanation: FIM stands for File Integrity Monitoring, which is a method to secure data by detecting any changes or modifications to files, directories, or registry keys. FIM can help a security administrator track any unauthorized or malicious changes to the data, as well as verify the integrity and compliance of the data. FIM can also alert the administrator of any potential breaches or incidents involving the data. Some of the benefits of FIM are: NO.101 A security manager created new documentation to use in response to various types of security incidents. Which of the following is the next step the manager should take? A. Set the maximum data retention policy. B. Securely store the documents on an air-gapped network. C. Review the documents' data classification policy. D. Conduct a tabletop exercise with the team. Answer: D Explanation: A tabletop exercise is a simulated scenario that tests the effectiveness of a security incident response plan. NO.102 While troubleshooting a firewall configuration, a technician determines that a "deny any" policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable. Which of the following actions would prevent this issue? A. Documenting the new policy in a change request and submitting the request to change 56 IT Certification Guaranteed, The Easy Way! management B. Testing the policy in a non-production environment before enabling the policy in the production network C. Disabling any intrusion prevention signatures on the 'deny any* policy prior to enabling the new policy D. Including an 'allow any1 policy above the 'deny any* policy Answer: B Explanation: A firewall policy is a set of rules that defines what traffic is allowed or denied on a network. A firewall policy should be carefully designed and tested before being implemented, as a misconfigured policy can cause network disruptions or security breaches. NO.103 Which of the following incident response activities ensures evidence is properly handied? A. E-discovery B. Chain of custody C. Legal hold D. Preservation Answer: B Explanation: 57 IT Certification Guaranteed, The Easy Way! Chain of custody is the process of documenting and preserving the integrity of evidence collected during an incident response. It involves recording the details of each person who handled the evidence, the time and date of each transfer, and the location where the evidence was stored. Chain of custody ensures that the evidence is admissible in legal proceedings and can be traced back to its source. NO.104 Security controls in a data center are being reviewed to ensure data is properly protected and that human life considerations are included. Which of the following best describes how the controls should be set up? A. Remote access points should fail closed. B. Logging controls should fail open. C. Safety controls should fail open. D. Logical security controls should fail closed. Answer: C Explanation: Safety controls are security controls that are designed to protect human life and physical assets from harm or damage. NO.105 After reviewing the following vulnerability scanning report: Server:192.168.14.6 58 IT Certification Guaranteed, The Easy Way! Service: Telnet Port: 23 Protocol: TCP Status: Open Severity: High Vulnerability: Use of an insecure network protocol A security analyst performs the following test: nmap -p 23 192.168.14.6 -script telnet-encryption PORT STATE SERVICE REASON 23/tcp open telnet syn-ack I telnet encryption: | _ Telnet server supports encryption Which of the following would the security analyst conclude for this reported vulnerability? A. It is a false positive. B. A rescan is required. C. It is considered noise. D. Compensating controls exist. Answer: A Explanation: A false positive is a result that indicates a vulnerability or a problem when there is none. In this case, the vulnerability scanning report shows that the telnet service on port 23 is open and uses an insecure network protocol. However, the security analyst performs a test using nmap and a script that checks for telnet encryption support. The result shows that the telnet server supports encryption, which means that the data transmitted between the client and the server can be protected from eavesdropping. Therefore, the reported vulnerability is a false positive and does not reflect the actual security posture of the server. NO.106 Which of the following scenarios describes a possible business email compromise attack? A. An employee receives a gift card request in an email that has an executive's name in the display field of the email. B. Employees who open an email attachment receive messages demanding payment in order to access files. C. A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account. D. An employee receives an email with a link to a phishing site that is designed to look like the company's email portal. Answer: A Explanation: A business email compromise (BEC) attack is a type of phishing attack that targets employees who have access to company funds or sensitive information. The attacker impersonates a trusted person, such as an executive, a vendor, or a client, and requests a fraudulent payment, a wire transfer, or confidential data. The attacker often uses social engineering techniques, such as urgency, pressure, or familiarity, to convince the victim to comply with the request12. In this scenario, option A describes a possible BEC attack, where an employee receives a gift card request in an email that has an executive's name in the display field of the email. The email may look 59 IT Certification Guaranteed, The Easy Way! like it is coming from the executive, but the actual email address may be spoofed or compromised. The attacker may claim that the gift cards are needed for a business purpose, such as rewarding employees or clients, and ask the employee to purchase them and send the codes. This is a common tactic used by BEC attackers to steal money from unsuspecting victims NO.107 A company is developing a business continuity strategy and needs to determine how many staff members would be required to sustain the business in the case of a disruption. Which of the following best describes this step? A. Capacity planning B. Redundancy C. Geographic dispersion D. Tablet exercise Answer: A Explanation: Capacity planning is the process of determining the resources needed to meet the current and future demands of an organization. Capacity planning can help a company develop a business continuity strategy by estimating how many staff members would be required to sustain the business in the case of a disruption, NO.108 Several employees received a fraudulent text message from someone claiming to be the Chief Executive Officer (CEO). The message stated: "I'm in an airport right now with no access to email. I need you to buy gift cards for employee recognition awards. Please send the gift cards to following email address." Which of the following are the best responses to this situation? (Choose two). A. Cancel current employee recognition gift cards. B. Add a smishing exercise to the annual company training. C. Issue a general email warning to the company. D. Have the CEO change phone numbers. E. Conduct a forensic investigation on the CEO's phone. F. Implement mobile device management. Answer: B C Explanation: 60 IT Certification Guaranteed, The Easy Way! This situation is an example of smishing, which is a type of phishing that uses text messages (SMS) to entice individuals into providing personal or sensitive information to cybercriminals. The best responses to this situation are to add a smishing exercise to the annual company training and to issue a general email warning to the company. A smishing exercise can help raise awareness and educate employees on how to recognize and avoid smishing attacks. An email warning can alert employees to the fraudulent text message and remind them to verify the identity and legitimacy of any requests for information or money. NO.109 A security analyst is reviewing the following logs: Which of the following attacks is most likely occurring? A. Password spraying B. Account forgery C. Pass-t he-hash D. Brute-force Answer: A Explanation: Password spraying is a type of brute force attack that tries common passwords across several accounts to find a match. 61 IT Certification Guaranteed, The Easy Way! NO.110 Which of the following threat actors is the most likely to use large financial resources to attack critic