Q1: Which of the following is the most common data loss path for an

air-gapped network?

A. Bastion host
B. Unsecured Bluetooth
C. Unpatched OS
D. Removable devices

Answer1: D

Q2: A software development manager wants to ensure the

authenticity of the code created by the company. Which of the
following options is the most appropriate?

A. Testing input validation on the user input fields

B. Performing static code analysis on the software
C. Ensuring secure cookies are used
D. Performing code signing on company-developed software

Answer2: D

Q3: Which of the following should a systems administrator use to

ensure an easy deployment of resources within the cloud provider?

A. Infrastructure as code
B. Software as a service
C. Software-defined networking
D. Internet of Things

Answer3: C

1
Q4: Security controls in a data center are being reviewed to ensure
data is properly protected and that human life considerations are
included. Which of the following best describes how the controls
should be set up?

A. Safety controls should fail open

B. Logging controls should fail open
C. Remote access points should fail closed
D. Logical Security controls should fail closed

Answer4: D

Q5: A technician notices an HTTP log-in page on a vulnerability scan

report. Upon accessing the log-in page, the technician uses "admin"
as both the username and the password to log in and access a security
camera feed. Which of the following best describes the attack vector?

A. Open service ports

B. Default credentials
C. Typosquatting
D. Impersonation

Answer5: B

Q6: Which of the following would be the best resource for a software
developer who is looking to improve secure coding practices for web
applications?

A. NIST CSF
B. Third-party libraries
C. OWASP
D. Vulnerability scan results

Answer6: C

2
Q7: A website visitor is required to provide property formatted
information in a specific field on a website form. Which of the
following security measures is most likely used for this mandate?

A. Code signing
B. Form submission
C. Input validation
D. SQL injection

Answer7: C

Q8: A systems technician is setting up a public-facing web server that

needs to ensure. Which of the following steps should the systems
technician take to begin the process?

A. Wildcard creation
B. DNS filtering
C. CSR generation
D. Domain validation

Answer8: C

Q9: A company is developing a business continuity strategy and

needs to determine how many staff members would be required to
sustain the business in the case of a disruption. Which of the
following best describes this step?

A. Capacity planning
B. Redundancy
C. Geographic dispersion
D. Tabletop Exercise

Answer9: A

3
Q10: An applications security engineer is working to address issues
stemming from situations where necessary approvals and testing
were not done before code was introduced unto the production
environment. Which of the following would be the most appropriate
for the engineer to configure

A. Impact analysis B not C

B. Change control Board
C. Regression testing
D. Branch protection

Answer10: D

Q11: Which of the following is the best risk management decision

when the cost to mitigate a risk is greater than the value added?

A. Avoid
B. Accept
C. Remediate
D. Transfer

Answer12: B

4
Q12: A company wants to deploy PKI on its Internet-facing website.
The applications that are currently deployed are:

www.company.com (main website)

contactus.company.com (for locating a nearby location)

quotes.company.com (for requesting a price quote)

The company wants to purchase one SSL certificate that will work
for all the existing applications and any future applications that
follow the same naming conventions, such as store company.com.
Which of the following certificate types would BEST meet the
requirements?

A. Extended validation
B. Wildcard
C. SAN
D. Self-signed

Answer12: B

Q13: A company needs to centralize its logs to create a baseline and

have visibility on its security events. Which of the following
technologies will accomplish this objective?

A. Security information and event management

B. A vulnerability Scanner
C. A next-generation firewall
D. A web application firewall

Answer13: A

5
Q14: Which of the following cloud models provides clients with
servers, storage, and networks but nothing else?

A. SaaS
B. PaaS
C. DaaS
D. laaS

Answer14: D

Q15: A security analyst discovers that a company username and

password database was posted on an internet forum. The username
and password are stored in plain text. Which of the following would
mitigate the damage done by this type of data exfiltration in the
future?

A. Configure the web content filter to block access to forum

B. Implement Salting and Hashing
C. Increase password complexity requirements
D. Create DLP controls that prevent documents from leaving the
network

Answer15: B

Q16: The Following is an administrative control that would be

MOST effective to reduce the occurrence of malware execution?

A. Security awareness training

B. EDR reporting cycle
C. Frequency of NIDS Updates
D. Change control procedures

Answer16: A

6
Q17: A network engineer is troubleshooting wireless network
connectivity issues that were reported by users. The issues are
occurring only in the sections of the building that is closest to the
parking lot. Users are intermittently experiencing slow speeds when
accessing websites and are unable to connect to network drives. The
issues appear to increase when laptop users return desks after using
their devices in other areas of the building. There have also been
reports of users being required to enter their credentials on web
pages in order to gain access for them.

Which of the following is the MOST likely cause of this issue?

A. An External Access point is engaging in an evil-twin attack.

B. The certificates have expired on the devices and need to be
reinstalled.
C. The users in that section of the building are on a VLAN that is
being blocked by the firewall.
D. The Signal on the WAP needs to be increased in that section of the
building.

Answer17: A

Q18: Which of the following will provide the BEST physical security
countermeasures to stop intruders? (Select TWO)

A. Sensors
B. Mantraps
C. Signage
D. Lighting
E. Alarms
F. Fencing

Answer18: BF

7
Q19: Which of the following types of controls is a turnstile?

A. Corrective
B. Detective
C. Technical
D. Physical

Answer19: D

Q20: A security analyst needs to implement an MDM solution for

BYOD users that will allow the company to retain control over
company emails residing on the devices and limit data exfiltration
that might occur if the devices are lost or stolen

Which of the following would BEST meet these requirements? (Select

TWO)

A. Geafencing
B. Full0device encryption
C. Network usage rules
D. Remote control
E. Containerization
F. Application whitelisting

Answer20: BC

8
Q21: A security analyst is reviewing logs on a server and observes the
following output:

Which of the following is the security analyst observing?

A. A dictionary attack
B. A password-spraying attack
C. A rainbow table attack
D. A keylogger attack

Answer21: A

Q22: To reduce costs and overhead, an organization wants to move

from an on-premises email solution to cloud-based email solution. At
this time, no other services will be moving.

Which of the following cloud models would BEST meet the needs of
the organization?

A. laaS
B. MaaS
C. SaaS
D. PaaS

Answer22: C

9
Q23: A user enters a password to log in to a workstation and is then
prompted to enter an authentication code. Which of the following
MFA factors or attributes are being utilized in the authentication
process? (Select TWO)

A. Something you have

B. Somewhere you are
C. Someone you are
D. Something you are
E. Something you know
F. Something you can do

Answer23: AE

Q24: An organization's Chief Security Officer (CSO) wants to

validate the business's involvement in the incident response plan to
ensure its validity and thoroughness. Which of the following will the
CSO MOST likely use?

A. A bug bounty program

B. A red-team engagement
C. A tabletop exercise
D. An external security assessment

Answer24: C

10
Q25: A user reports constant lag and performance issues with the
wireless network when working at a local coffee shop. A security
analyst walks the user through an installation of wireshark and get a
five-minute pcap to analyze. The analyst observes the following
output:

Which of the Following attacks does the analyst MOST likely see in
this packet capture?

A. Session replay
B. Evil twin
C. ARP poisoning
D. Bluejacking

Answer25: B

Q26: A critical file server is being upgraded and the systems

administrator must determine which RAID level the new server will
need to achieve and handle two simultaneous disk failures. Which of
the Following RAID levels meets this requirements?

A. RAID 5
B. RAID 2
C. RAID 0+1
D. Raid 6

Answer26: A

11
Q27: An enterprise has hired an outside security firm to conduct
penetration testing on its network and application. The firm has only
been given the documentation to the customers of the applications.
Which of the Following BEST represents the type of testing that will
occur?

A. Bug Bounty
B. Black-box
C. White-box
D. Gray-box

Answer27: C

Q28: The IT department's on-site developer has been with the team
for many years. Each time an application is released, the security
team is able to identify multiple vulnerabilities . Which of the
Following Would BEST help the team ensure the application is ready
to be released to production?

A. Obfuscate the source code

B. Prevent data exposure queries
C. Submit the application to QA before releasing it
D. Limit the use of third-party libraries

Answer28: C

12
Q29: A retail executive recently accepted a job with a major
competitor. The following week, a security analyst reviews the
security logs and identifies successful logon attempts to access the
departed executive's accounts . Which of the Following security
practices would have addressed the issue?

A. A non-disclosure agreement
B. Least privilege
C. An Acceptable use policy
D. Ofboarding

Answer29: D

Q30: A cybersecurity analyst reviews the log files from a web server
and sees a series of files that indicates a directory-traversal attack
has occurred. Which of the Following is the analyst MOST likely
Seeing?

Answer30: A

13
Q31: An organization is concerned that is hosted web servers are not
running the most updated version of the software. Which of the
following would work BEST to help identify potential
vulnerabilities?

A. Nslookup –port=80 comtia org

B. Nc -1 –v comptia, org –p 80
C. Hping3 –s comptia, org –p 80
D. Nmp comptia, org –p 80 -aV

Answer31: D

Q32: An organization routes all of its traffic through a VPN Most

users are remote and connect into a corporate datacenter that houses
confidential information. There is firewall at the internet border
followed by a DIP appliance, the VPN server and the datacenter
itself.

Which of the Following is the WEAKEST design element?

A. The DLP Appliance should be integrated into a NGFW.

B. Encrypted VPN traffic will not be inspected when entering or
leaving the network.
C. Split-tunnel connections can negatively impact the DLP appliance's
performance.
D. Adding two hops in the VPN tunnel may slow down remote
connections.

Answer32: B

14
Q33: A Chief Information Security Officer (CISO) needs to create a
policy set the meets international standards for data privacy and
sharing. Which of the Following should the CISO read and
understand before writing the policies?

A. PCI DSS
B. NIST
C. ISO 31000
D. GDPR

Answer33: D

Q34: A large industrial system's smart generator monitors the

system status and sends alerts to third-party maintenance personnel
when critical failures occur. While reviewing the network logs the
company's security manager notices the generator's IP is sending
packets to an internal files server's IP. Which of the Following
mitigations would be BEST for the security manager to implement
while alerting capabilities?

A. isolation
B. Firewall whitelisting
C. Containment
D. Segmentation

Answer34: D

15
 severity

Q35: A security analyst is looking for a solution to help communicate

to the leadership team the seventy levels of the organization's
vulnerabilities. Which of the Following would BEST meet this need?

A. CVSS
B. CVE
C. SIEM
D. SOAR

Answer35: A

Q36: A network administrator has been alerted that web pages are
experiencing long load times. After determining it is not a routing or
DNS issue, the administrator logs in to the router, runs a command ,
and receives the following output:

CPU 0 percent busy, from 300 sec ago

1 sec ave: 99 percent busy

5 sec ave: 97 percent busy

1min ave: 83 percent busy

Which of the Following is the router experiencing?

A. Resource exhaustion
B. Memory leak
C. Buffer overflow
D. DDoS attack

Answer36: A

16
Q37: A company is implementing MFA for all applications that store
data. The IT manager wants MFA to be non-disruptive and user
friendly. Which of the Following technologies should the IT manager
use implementing MFA?

A. Email Tokens
B. Hardware authentications
C. Push notifications
D. One-time passwords

Answer37: C

Q38: A security analyst is investigating an incident to determine

what an attacker was able to do on a compromised laptop. The
analyst reviews the following SIEM log:

Which of the Following describes the method that was used to

compromise the laptop?

17
 A. An attacker was able to bypass application whitelisting by emailing
a spreadsheet attachment with an embedded PowerShell in the file
B. An attacker was able to install malware to the CAasdf234 folder
and use it to gam administrator nights and launch Outlook
C. An attacker was able to move laterally from PC1 to PC2 using a
pass-the-hash attack
D. An attacker was able to phish user credentials successfully from an
Outlook user profile

Answer38: C

Q39: A malicious actor recently penetration a company's network

and moved laterally to the datacenter. Upon investigation, a forensics
firm wants to know was in the memory on the compromised server.
Which of the Following files should be given to the forensics firm?

A. Security
B. Application
C. Syslog
D. Dump

Answer39: D

Q40: A cybersecurity administrator is using iptables as an enterprise

firewall. The administrator created some rules, but the network now
seems to be unresponsive All connections are being dropped by the
firewall. Which of the Following would be the BEST option to
remove the rules?

A. # iptables –t mangle -X
B. # iptables -Z
C. # iptables –P INPUT –j DROP
D. # iptables -F

Answer40: C

18
Q41: Which of the following is MOST likely to contain ranked and
ordered information the likelihood and potential impact of
catastrophic events that may affect business processes and systems,
while also highlighting the residual risk that need to be managed
after migrating controls have been implemented?

A. A business impact analysis

B. An asset value register
C. A risk register
D. An RTO report
E. A disaster recovery plan

Answer41: C

Q42: A company uses specially configured workstations for any work

that requires administrator privileges to its tier 0 and tier 1 systems.
The company follows a strict process to harden systems immediately
upon delivery. Even with these strict security measures in place, an
incident occurred from one of the workstations. The rool cause
appears to be that the SoC was tampered with or replaced. Which of
the following MOST Likely occurred?

A. A supply-chain attack
B. Misconfigured BIOS
C. A downgrade attack
D. A logic bomb
E. Fileless malware

Answer42: A

19
Q43: A manufacturing company has several one-off legacy
information systems that cannot be migrated to newer OS due to
software compatibility issues. The Oss are still supported by the
vendor, but the industrial software is no longer supported. The Chief
Information Security Officer (CISO) has created a resiliency plan for
these that will allow OS patches to be installed in a non-production
environment, while also creating backups of the systems for recovery.

Which of the following resiliency techniques will provide these

capabilities?

A. RAID 1+5
B. Virtual machines
C. Redundancy
D. Full backups

Answer43: D

Q44: A worldwide manufacturing company has been experiencing

email account compromises. In one incident, a user logged in from
the corporate office in France, but then seconds later, the same user
account attempted a login from Brazil. Which of the following
account policies would BEST prevent this type of attack?

A. Geofencing
B. Geolocation
C. Impossible travel time
D. Network location

Answer44: A

20
Q45: An analyst is trying to identify insecure services that are
running on the internal network After performing a port scan, the
analyst identifies that a server has some insecure services enabled on
default ports. Which of the following BEST describes the services
that are currently running and the secure alternatives for replacing
them? (Select THREE)

A. SNMPv1, SNMPv2
B. Telnet, SSH
C. Login, rlogin
D. HTTP, HTTPS
E. SNMPv2, SNMPV3
F. TLS, SSL
G. POP, IMAP
H. TFTP, FTP
I. SFTP, FTPS

Answer45: BDE

Q46: A user received an SMS on a mobile phone that asked for bank
details. Which of the following social-engineering techniques was
used in this case?

A. Smishing
B. SPIM
C. Spear phishing
D. Vishing

Answer46: A

21
Q47: While reviewing pcap data, a network security analyst is able to
locate plaintext username and passwords being sent from
workstations to network switches . Which of the following is the
security analyst MOST likely observing?

A. An SSH connection
B. A Telnet session
C. SNMP traps
D. SFTP traffic

Answer47: B

Q48: A security analyst is hardening a network infrastructure. The

analyst is given the following requirements:

Preserve the use of public IP addresses assigned to equipment on the

core router.

Enable "in transport: encryption protection to the web server with

strongest ciphers.

Which of the following should the analyst implement to meet these

requirements? (Select TWO)

A. Enable TLSv2 encryption on the web server.

B. Configure NAT on the core router.
C. Configure BGP on the core router.
D. Enable 3DES encryption on the web server.
E. Configure VLANS on the core router.
F. Enable AES encryption on the web server.

Answer48: DE

22
Q49: A company wants to modify its current backup strategy to
minimize the number of backups that would need to be restored in
case of data loss. Which of the following would be the BEST backup
strategy to implement?

A. Incremental backups followed by differential backups

B. Incremental backups followed by delta backups
C. Full backups followed by differential backups
D. Full backups followed by incremental backups
E. Delta backups followed by differential backups

Answer49: D

Q50: During a security assessment, a security analyst finds a file with

overly permissive permissions. Which of the following tools allow the
analyst to reduce the permissions for the existing users and groups
and remove the set-user-ID bit from the file?

A. chflage
B. chmod
C. ls
D. setuid
E. lsof

Answer50: B

23
Q51: A security administrator needs to inspect in-transit files on the
enterprise network to search for Pll, Credit Card data, and
classification words. Which of the following would be the BEST to
use?

A. EDR Solution
B. IDS Solution
C. Network DLP solution
D. HIPS software solution

Answer51: C

Q52: The concept of connecting a user account across the systems of

multiple enterprises is BEST known as:

A. Multifactor authentication.
B. A remote access policy.
C. federation
D. single sign-on

Answer52: C

Q53: An organization would like to remediate the risk associated

with its cloud service provider not meeting its advertised 99 999%
availability metrics. Which of the following should the organization
consult for the exact requirements for the cloud provider?

A. BPA
B. SLA
C. MOU
D. NDA

Answer53: B

24
Q54: Ann, a customer, received a notification from her mortgage
company stating her Pll may be shared with partners, affiliates, and
associates to maintain day-today business operations. Which of the
following documents did the Ann receive?

A. An annual privacy notice

B. A non-disclosure agreement
C. A memorandum of understanding
D. A privileged-user agreement

Answer54: C

Q55: A customer called a company's security team to report that all

invoices the customer has received over the last five days from the
company appear to have fraudulent banking details. An
investigations into the matter reveals the following:

- The manager of the accounts payable department is using the

same password across multiple external websites and the
corporate account.
- One of the websites the manager used recently experienced a
data breach.
- The manager's corporate email account was successfully
accessed in the last five days by an IP address located in a
foreign country.

Which of the following attacks has MOST likely been used to

compromise the manager's corporate account?

A. Brute-force
B. Credential stuffing
C. Remote access Trojan
D. Dictionary
E. Password spraying

Answer55: B

25
Q56: Which of the following terms should ne included in a contract
to help a company monitor the ongoing security maturity of a new
vendor?

A. Integration of threat intelligence in the company's AV

B. Requirements for event logs to be kept for a minimum of 30 days
C. A data breach clause requiring disclosure of significant data loss
D. A night-to-audit clause allowing for annual security audits

Answer56: D

Q57: A security analyst is concerned about traffic initiated to the

dark web from the corporate LAN Which of the following networks
should the analyst monitor?

A. AIS
B. Tor
C. IoC
D. SFTP

Answer57: B

Q58: Which of the following is the BEST method for ensuring non-
repudiation?

A. Digital certificate
B. SSH key
C. SSO
D. Token

Answer58: A

26
Q59: A large financial services firm recently released information
regarding a security breach within its corporate network that began
several years before. During the time frame in which the breach
occurred, indicators show an attacker gained administrative access to
the network through a file downloaded from a social media site and
subsequently installed it without the user's knowledge. Since the
compromise, the attacker was able to take command and control of
the computer systems anonymously while obtaining sensitive
corporate and personal employee information. Which of the
following methods did the attacker MOST likely use to gain Access?

A. A fileless virus
B. A logic bomb
C. A bot
D. A RAT

Answer59: C

Q60: An organization is concerned about intellectual property theft

by employees who leave the organization. Which of the following will
the organization MOST likely implement?

A. CBT
B. AUP
C. NDA
D. MOU

Answer60: C

27
Q61: Recent changes to a company's BYOD policy require all
personal mobile devices to use a two-factor authentication method
that is not something you know or have . which of the following will
meet this requirement?

A. PKI certificate
B. Smart card
C. Six-digit PIN
D. Facial recognition

Answer61: C

Q62: After segmenting the network, the network manager wants to

control the traffic between the segments . Which the following should
the manager use to control the network traffic?

A. An ACL
B. A VLAN
C. A DMZ
D. A VPN

Answer62: A

Q63: A security engineer obtained the following output from a threat

intelligence source that recently performed an attack on the
company’s server

GET index.php?page=..2f..2..2f..2f..2f..2f..2f..2f..2fpasswd

GET index.php?page=..2f..2f..2f..2f..2f..2..2f..2f..2..2fetc2fpasswd

GET index.php?page=..2f..2..2f..2f..2f..2f..2f..2..2f..2f..2fetc2fpasswd

Which of the following BEST describes this kind of attack?

28
 A. API
B. Request forgery
C. SQL injection
D. Directory traversal

Answer63: B

Q64: An organization’s corporate offices were destroyed due to a

natural disaster , so the organization is now setting up offices in a
temporary work space Which of the following will the organization
MOST likely consult?

A. The disaster recovery plan

B. The business continuity plan
C. The communications plan
D. The incident response plan

Answer64: B

Q65: A company’s help desk received several AV alerts indicating

Mimikatz attempted to fun on the remote systems. Several users also
reported that the new company flash drives they picked up in the
break room only have 512KB of storage . Which of the following is
MOST likely the cause?

A. The new flash drives are incorrectly partitioned and the systems are
automatically trying to use an unapproved application to repartition
the drives
B. The new flash drives need a driver that is being blocked by the AV
software because the flash drives are not on the application’s allow
list , temporarily restricting the drives to 512KB of storage

29
 C. The GPO prevents the use of flash drives, which triggers a false
positive AV indication and restricts the drives to only 512KB
storage.
D. The GPO blocking the flash drives is being bypassed by a
malicious flash drive that is attempting to harvest plaintext
credentials from memory

Answer65: D

Q66: A network manager is concerned that business may be

negatively impacted if the firewall in its datacenter goes offline. The
manager would like to implement a high availability pair to :

A. Reduce the recovery time objective.

B. Cut down the mean time to repair.
C. Decrease the mean time between failures
D. Remove the single point of failure

Answer66: D

Q67: An organization is having difficulty corelating events from its

individual AV , EDR , DLP , SWG , WIAF , NDMA HIPS and CASB
systems .

Which of the following is the BEST way to improve the situation?

A. Utilize a SIEM to centralize logs and dashboards

B. Remove expensive systems that generate few alerts
C. Implement a new syslog/NetFlow appliance.
D. Modify the systems to alert only on critical issues

Answer67: A

30
Q68: An information security officer at a credit card transaction
company is conducting a framework-mapping exercise with the
internal controls The company recently established a new office in
Europe. To which of the following frameworks should the security
officer map the existing controls? (Select TWO)

A. PCI DSS
B. ISO
C. SOC
D. GDPR
E. NIST
F. CSA

Answer68: AD

Q69: A backdoor was detected on the containerized application

environment The investigation detected that a zero-day vulnerability
was introduced when the latest container image version was
downloaded from a public registry. Which of the following is the
BEST solution to prevent this type of incident occurring again?

A. Define a vulnerability scan to access container images before being

introduced on the environment
B. Deploy an IPS solution capable of detecting signatures of attacks
targeting containers
C. Enforce the use of a controlled trusted source of container images
D. Create a dedicated VPC for the containerized environment

Answer69: C

31
Q70: A external forensics investigator has been hired to investigate a
data breach at a large enterprise with numerous assets. It is known
that the breach started in the DMZ and moved to the sensitive
information generating multiple logs as the attacker traversed
through the network. Which of the following will BEST assist with
this investigation?

A. Perform a vulnerability scan to identify the weak spots.

B. Require access to the routers to view current sessions.
C. Use a packet analyzer to investigate NetFlow traffic.
D. Check the SIEM to review the correlated logs.

Answer70: C

Q71: A security analyst reports a company policy violation in a case

in which a large amount of sensitive data is being downloaded after
hours from various mobile devices to an external site. Upon futher
investigation , the analyst notices that successful login attempts are
being conducted with impossible travel times during the same time
periods when the unauthorized downloads are occurring. The analyst
also discovers a couple of WAPs are using the same SSID , but they
have non-standard DHCP configurations and an overlapping
channel. Which of the following attacks being conducted?

A. DNS poisoning
B. jamming
C. bluesnarfing
D. DDoS
E. Evil twin

Answer71: E

32
Q72: Which of the following is an example of risk avoidance ?

A. Buying insurance to prepare for financial loss associated with

exploits
B. Not installing new software to prevent compatibility errors
C. Installing security updates directly in production to expedite
vulnerability fixes
D. Not taking preventive measures to stop the theft of equipment

Answer72: B

Q73: A engineer needs to deploy a security measure to identify and

prevent data tampering within the enterprise. Which of the following
will accomplish this goal?

A. FTP
B. FIM
C. IPS
D. Antivirus

Answer73: B

Q74: A developer is building a new portal to deliver single-pane-of-

glass management capabilities to customers with multiple firewalls.
To improve the use experience, the developer wants to implements an
authentication and authentication standard that uses security tokens
that contain assertions to pass information between nodes. Which of
the following roles should the developer configure to meet these
requirements ? (Select TWO )

A. Identity provider
B. Notarized requestor
C. Service provider
D. Tokenized resource
E. Identity processor

Answer74: AD

33
Q75: Which of the following would be used to find the MOST
common web-application vulnerabilities?

A. MITRE ATT&CK
B. Cyber Kill Chain
C. OWASP
D. SDLC

Answer75: C

Q76: The compliance team requires an annual recertification of

privileged and non-privileged user access. However, multiple users
who left the company six months ago still have access Which of the
following would have prevented this compliance violation?

A. Password reuse
B. SSO
C. Account audits
D. AUP

Answer76: C

Q77: Developers are writing code and merging it into shared

repositories several times a day, where it is tested automatically.
Which of the following concepts does this BEST represent ?

A. Elasticity
B. Stored procedures
C. Continuous integration
D. Functional testing

Answer77: C

34
Q78: A company wants to deploy decoy system alongside production
system in order to entice threat actors and to learn more about
attackers. Which of the following BEST describes these systems?

A. Neural network
B. Virtual machines
C. Honeypots
D. DNS sinkholes

Answer78: C

Q79: A new plug and-play storage device was installed on a PC in the

corporate environment Which of the following Safeguards will BEST
help to protect the PC from malicious files on the storage device?

A. Encrypt the disk on the storage device

B. Change the default settings on the PC
C. Define the PC firewall rules to limit access
D. Plug the storage device in to the UPS

Answer79: A

Q80: Which of the following BEST helps to demonstrate integrity

during a forensic investigation?

A. Hashing
B. Snapshots
C. Event logs
D. Encryption

Answer80: A

35
Q81: law enforcement officials sent a company a notification that
states electronically stored information and paper documents can't
be destroyed which of the following explains this process?

A. Accountability
B. Data breach notification
C. Legal hold
D. Chain of custody

Answer81: D

Q82: During an internal penetration a security analyst identified a

network device that had accepted cleartext authentication and was
configured with a default credential which of the following
recommendations should the security analyst make to secure this
device?

A. Configure SNMPv3
B. Configure SNMPv1
C. Configure the default community string
D. Configure SNMPv2c

Answer82: A

Q83: two organizations are discussing a possible merger Both

organization' Chief financial of officers would like to safely share
payroll data with each other to determine if the pay scale for
different roles and similar at both organizations. which of the
following techniques would be best to protect employee data while
allowing the companies to successfully share this informations ?

A. Encryption
B. Pseudo-anonymization
C. Data masking
D. Tokenization

Answer83: B

36
Q83: two organizations are discussing a possible merger Both
organization' Chief financial of officers would like to safely share
payroll data with each other to determine if the pay scale for
different roles and similar at both organizations. which of the
following techniques would be best to protect employee data while
allowing the companies to successfully share this informations ?

A. Encryption
B. Pseudo-anonymization
C. Data masking
D. Tokenization

Answer83: B

Q84: A security analyst is taking part in an evaluation process that

analyzes and categorizes therat actors of real-world events in order
to improve the incident response team’s process. Which of the
following is the analyst Most likely participating?

A. Walk-through
B. Purple team
C. Read team
D. TAXII
E. MITER ATT&CK

Answer84: C

37
Q85: Which of the following would MOST be identified by a
credentialed scan but would be missed by an uncredentialed scan?

A. Critical infrastructure vulnerabilities on non-IP protocols.

B. Missing patches for third-party software on Windows workstations
and servers.
C. Vulnerabilities with a CVSS score greater than 6.9 .
D. CVEs related to non-Microsoft systems such as printers and
switches.

Answer85: B

Q86: A security is investigating a malware incident at a company.

The malware is accessing a command -and-control website at
www.comptia.com. All outbound internet traffic is logged to a syslog
server and stored in /logfiles/ messages. Which of the following
commands would be BEST for the analyst to use on the syslog server
to search for recent traffic to the command-and-control website?

A. cat/logfiles/messages|tail-500 www.comptia.com
B. grep -500 /logfiles/messages | cat www.comptia.com
C. head – 500 www.comptia.com
D. tail -500/logfiles/messages | grep ww.comptia.com

Answer86: D

38
Q87: The Chief information Security Officer directed a risk
reduction in Shadow IT and created a policy requiring all
unsanctioned high-risk SaaS applications to be blocked from user
access. Which of the following is the BEST security solution to reduce
this risk?

A. CASB
B. VPN concentrator
C. MFA
D. VPC endpoint

Answer87: A

Q88: An organization is concerned about hackers potentially

entering a facility and plugging in a remotely accessible Kali Linux
box. Which of the following should be the first line of defense against
such an attack? (Select TWO)

A. Guards
B. Access control vestibules
C. MAC filtering
D. Zero Trust segmentation
E. Network access control
F. Bollards

Answer88: DE

39
Q89: Which of the following is the GREATEST security concern
when outsourcing code development to third-party contractors for an
internet-facing application?

A. Quality assurance
B. Elevated privileges
C. Unknown backdoor
D. Intellectual property theft

Answer89: C

40
Q90: An organization has hired a red team to simulate attacks on its
security posture. Which of the following will the blue team do after
detecting an IoC?

A. Contact forensics on the compromised system.

B. Conduct passive reconnaissance to gather information.
C. Reimage the impacted workstations.
D. Activate runbooks for incident response.

Answer90: D

Q91: A web server has been compromised due to a ransomware attack.

Further investigation reveals the ransomware has been in the server for
the past 72 hour. The systems administrator needs to get the services back
up as soon as possible. Which of the following should the administrator
use to restore services to a secure state?

A. The last full backup that was conducted seven days ago
B. The baseline OS configuration
C. The last known-good configuration stored by the operating system
D. The last incremental backup that was conducted 72 hours ago

Answer91: C

Q92: Which of the following are common VoIP-associated

vulnerabilities? (Select TWO)

A. Tailgating
B. Credential harvesting
F - B NOT C
C. SPIM
D. Hopping
E. Phishing
F. Vishing

Answer92: CF

41
Q93: Which of the following components can be used to consolidate and
forward inbound internet traffic to multiple cloud environments though a
single firewall?

A. DNS sinkhole
B. Edge computing
C. Cloud hot site
D. Transit gateway

Answer93: D

Q94: Which of the following organizations sets frameworks and controls

for optimal security configuration on systems?

A. PCI DSS
B. ISO
C. GDPR
D. NIST

Answer94: D

Q95: A security analyst receives an alert from the company's SIEM that
anomalous activity is coming from a local Source IP address of
192.168.34.26. The Chief Information Security Officer asks the analyst to
block the originating source. Several days later, another employee opens
an internal ticket stating that vulnerability scans are no longer being
performed properly. The IP address the employee provides is
192.168.4.26. Which of the following describes this type of alert?

A. True positive
B. False positive
C. True negative
D. False negative

Answer95: B

42
Q96: A company has installed badge readers for building access but is
finding unauthorized individuals roaming the hallways. Which of the
following is the MOST likely cause?

A. Phishing
B. Identity fraud
C. Tailgating
D. Shoulder surfing

Answer96: C

Q97: Which of the following will increase cryptographic security?

A. Hashing
B. High data entropy
C. Longer key longevity
D. Algorithms that require less computing power

Answer97: B

Q98: A large retail store’s network was breached recently, and this news
was made public. The store did not lose any intellectual property, and no
customer information was stolen. Although no fines were incurred as a
result, the store lost revenue after breach. Which of the following is the
MOST likely reason for this issue?

A. Reputation damage
B. Leadership changes
C. Employee training
D. Identity theft

Answer98: A

43
Q99: A security analyst wants to fingerprint a web server. Which of the
following tools will the security analyst MOST likely use to accomplish
this task?

A. ping 192.168.0.10
B. curl –head http://192.168.0.10
C. nmap –pl-65535 192.168.0.10
D. dig 192.168.0.10

Answer99: B

Q100: After multiple on premises security solutions were migrated to the

cloud, the incident response time increased. The analysts are spending a
long time trying to trace information on different cloud consoles and
correlating data in different formats. Which of the following can be used
to optimize the incident response time?

A. CASB
B. CMS
C. VPC
D. SWG

Answer100: A

44
Q101: Security analysts notice a server login from a user who has been
on vacation for two weeks. The Analysts confirm that the user did not log
in to the system while on vacation. After reviewing packet capture logs,
the analysts notice the following:

Username: ….smithJA….

Password: 944d3697d8880ed40lb5ba2e77811

Which of the following occurred?

A. An insider threat with username smithJA logged in to the account

B. An attacker used a pass-the-hash attack to gain access
C. The user's account was compromised, and an attacker changed the
login credentials
D. A buffer overflow was exploited to gain unauthorized access

Answer101: B

Q102: A company wants the ability to restrict web access and monitor the
websites that employees visit. Which of the following would BEST meet
these requirements?

A. Internet proxy
B. WAF
C. VPN
D. Firewall

Answer102: A

45
Q103: An administrator is configuring a firewall rule set for a subnet to
only access DHCP, web pages, and SFTP, and to specifically block FTP.
Which of the following would BEST accomplish this goal?

A. [Permission Source Destination Port]

Allow: Any Any 80
Allow: Any Any 443
Deny: Any Any 67
Deny: Any Any 68
Deny: Any Any 21
Deny: Any Any

B. [Permission Source Destination Port]

Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Deny: Any Any 22
Allow: Any Any 21
Deny: Any Any

C. [Permission Source Destination Port]

Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Allow: Any Any 22
Deny: Any Any 21
Deny: Any Any

46
 D. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Deny: Any Any 67
Allow: Any Any 68
Allow: Any Any 22
Allow: Any Any 21
Allow: Any Any

Answer103: C

Q104: An organization is planning to roll out a new mobile device policy

and issue each employee a new laptop. These laptops would access the
users' corporate operating system remotely and allow them to use the
laptops for purposes outside of their job roles. Which of the following
deployment models is being utilized?

A. MDM and applications management

B. COPE and VDI
C. CYOD and VMs
D. BYOD and containers

Answer104: B

Q105: A security engineer is concerned about using an agent on devices

that relies completely on defined known-bad signatures. The security
engineer wants to implement a tool with multiple components including
the ability to track, analyze, and monitor devices without reliance on
definitions alone. Which of the following solutions BEST fits this use
case?

47
 A. EDR
B. NGFW
C. DLP
D. HIPS

Answer105: A

Q106: Server administrators want to configure a cloud solution so that

computing memory and processor usage is maximized most efficiently
across a number of virtual servers. They also need to avoid potential
denial-of-service situations caused by availability. Which of the
following should administrators configure to maximize system
availability while efficiently utilizing available computing power?

A. High availability
B. Dynamic resource allocation
C. Segmentation
D. Container security

Answer106: B

Q107: An attacker replaces a digitally signed document with another

version that goes unnoticed. Upon reviewing the document's contents, the
author notices some additional verbiage that was not originally in the
document but cannot validate an integrity issue. Which of the following
attacks was used?

A. Collision
B. Prepending
C. Cryptornalware
D. Phishing

Answer107: A

48
Q108: A company wants to build a new website to sell products online.
The website will host a storefront application that will allow visitors to
add products to a shopping cart and pay for the products using a credit
card. Which of the following protocols would be the MOST secure to
implement?

A. SNMP
B. SFTP
C. SSL
D. TLS

Answer108: D

Q109: A company has a flat network that is deployed in the cloud.

Security policy states that all production and development servers must
be segmented. Which of the following should be used to design the
network to meet the security requirements?

A. Screened subnet
B. VLAN
C. VPN
D. WAF

Answer109: B

49
Q110: A security analyst is evaluating the risks of authorizing multiple
security solutions to collect data from the company's cloud environment.
Which of the following is an immediate consequence of these
integrations?

A. Mandatory deployment of a SIEM solution

B. Loss of the vendor's interoperability support
C. Increase in the attack surface
D. Non-compliance with data sovereignty rules

Answer110: C

Q111: A company recently decided to allow its employees to use their

personally owned devices for tasks like checking email and messaging
via mobile applications. The company would like to use MDM, but
employees are concerned about the loss of personal data. Which of the
following should the IT department implement to BEST protect the
company against company data loss while still addressing the employees’
concerns?

A. Configure MDM for FDE without enabling the lock screen.

B. Perform a factory reset on the phone before installing the
company's applications.
C. Configure the MDM software to enforce the use of PINs to access
the phone.
D. Enable the remote-wiping option in the MDM software in case the
phone is stolen.

Answer111: D

50
Q112: A large bank with two geographically dispersed data centers is
concerned about major power disruptions at both locations. Every day
each location experiences very brief outages that last for a few seconds.
However, during the summer a high risk of intentional brownouts that last
up to an hour exists, particularly at one of the locations near an industrial
smelter. Which of the following is the BEST solution to reduce the risk of
data loss?

A. Generator
B. Dual supply
C. PDU
D. Daily backups

Answer112: A

Q113: An annual information security assessment has revealed that

several OS-level configurations are not in compliance due to outdated
hardening standards the company is using. Which of the following would
be BEST to use to update and reconfigure the OS-level security
configurations?

A. GDPR guidance
B. CIS benchmarks
C. ISO 27001 standards
D. Regional regulations

Answer113: B

51
Q114: As part of the building process for a web application, the
compliance team requires that all PKI certificates are rotated annually and
can only contain wildcards at the secondary subdomain level. Which of
the following certificate properties will meet these requirements?

A. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April

8 12:00:00 2022
B. HTTPS://* .app1.comptia.org, Valid from April 10 00:00:00 2021-
April 8 12:00:00 2022
C. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April
8 12:00:00
D. HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021-
April 8 12:00:00 2022

Answer114: D

Q115: A user is attempting to navigate to a website from inside the

company network using a desktop. When the user types in the URL,
https://www.site.com, the user is presented with a certificate mismatch
warning from the browser. The user does not receive a warning when
visiting http://www.anothersite.com. Which of the following describes
this attack?

A. Domain hijacking
B. DNS poisoning
C. On-path
D. Evil twin

Answer115: B

52
Q116: An organization is repairing the damage after an incident. Which
of the following controls is being implemented?

A. Detective
B. Corrective
C. Compensating
D. Preventive

Answer116: B

Q117: To reduce and limit software and infrastructure costs, the Chief
Information Officer has requested to move email services to the cloud.
The cloud provider and the organization must have security controls to
protect sensitive data. Which of the following cloud services would
BEST accommodate the request?

A. PaaS
B. SaaS
C. DaaS
D. laaS

Answer117: B

Q118: A vulnerability has been discovered and a known patch to address

the vulnerability does not exist. Which of the following controls works
BEST until a proper fix is released?

A. Corrective
B. Detective
C. Deterrent
D. Compensating

Answer118: C

53
Q119: The new Chief Information Security Officer at a company has
asked the security team to implement stronger user account policies. The
new policies require:
Users to choose a password unique to their last ten passwords
Users to not log in from certain high-risk countries

Which of the following should the security team implement? (Select

TWO)

A. Geotagging
B. Geolocation
C. Password reuse
D. Password complexity
E. Password history
F. Geofencing

Answer119: EF

Q120: A security analyst has been reading about a newly discovered

cyberattack from a known threat actor. Which of the following would
BEST support the analyst's review of the tactics, techniques, and
protocols the threat actor was observed using in previous campaigns?

A. The MITRE ATT&CK framework

B. The Diamond Model of Intrusion Analysis
C. Security research publications
D. The Cyber Kill Chain

Answer120: A

54
Q121: Which of the following supplies non-repudiation during a
forensics investigation?

A. Duplicating a drive with dd

B. Logging everyone in contact with evidence
C. Encrypted sensitive data
D. Dumping volatile memory contents first
E. Using a SHA-2 signature of a drive image

Answer121: E

Q122: The help desk has received calls from users in multiple locations
who are unable to access core network services. The network team has
identified and turned off the network switches using remote commands.
Which of the following actions should the network team take NEXT?

A. Send response teams to the network switch locations to perform

updates.
B. Turn on all the network switches by using the centralized
management software.
C. Disconnect all external network connections from the firewall.
D. Initiate the organization's incident response plan.

Answer122: D

55
Q123: A research company discovered that an unauthorized piece of
software has been detected on a small number of machines in its lab. The
researchers collaborate with other machines using port 445 and, on the
Internet, using port 443. The unauthorized software is starting to be seen
on additional machines outside of the lab and is making outbound
communications using HTTPS and SMB. The security team has been
instructed to resolve the problem as issue as possible while causing
minimal disruption to the researchers. Which of the following contains
the BEST course of action in this scenario?

A. Place the unauthorized application in a blocklist.

B. Update the host firewalls to block outbound SMB.
C. Implement a content filter to block the unauthorized software
communication.
D. Place the machines with the unapproved software in containment.

Answer123: C

Q124: An audit identified PII being utilized in the development

environment of a critical application. The Chief Privacy Officer (CPO) is
adamant that this data must be removed; however, the developers are
concerned that without real data they cannot perform functionality tests
and search for specific data. Which of the following should a security
professional implement to BEST satisfy both the CPO's and the
development team's requirements?

A. Data tokenization
B. Data masking
C. Data purge
D. Data encryption

Answer124: A

56
Q125: The local administrator account for a company's VPN appliance
was unexpectedly used to log in to the remote management interface.
Which of the following would have prevented this from happening?

A. Implementing multifactor authentication

B. Changing the default password
C. Using least privilege
D. Assigning individual user IDs

Answer125: B

Q126: A company performed an assessment of its security posture and

found a lack of controls to adequately protect from exploitation legacy
systems at manufacturing sites. Which of the following controls should
be set up for this type of environment? (Select two)

A. Antivirus
B. Segmentation
C. Application allow list
D. Patching
E. IDS
F. Jump server

Answer126: BD

57
Q127: A company's help desk has received calls about the wireless
network being down and users being unable to connect to it. The network
administrator says all access points are up and running. One of the help
desk technicians notices the affected users are working in a building near
the parking lot. Which of the following is the most likely reason for the
outage?

A. The APs in the affected area have been unplugged from the
network.
B. A user has set up a rogue access point near the building.
C. Someone near the building is jamming the signal.
D. Someone set up an evil twin access point in the affected area.

Answer127: C

Q128: A user's login credentials were recently compromised. During the

investigation, the security analyst determined the user input credentials
into a pop-up window when prompted to confirm the username and
password. However the trusted website does not use a pop-up for entering
user credentials. Which of the following attacks occurred?

A. SQL injection
B. Cross-site scripting
C. DNS poisoning
D. Certificate forgery

Answer128: B

58
Q129: A security assessment found that several embedded systems are
running unsecure protocols. These Systems were purchased two years ago
and the company that developed them is no longer in business Which of
the following constraints BEST describes the reason the findings cannot
be remediated?

A. Unavailable patch
B. Inability to authenticate
C. Lack of computing power
D. Implied trust

Answer129: A

Q130: Several users have opened tickets with the help desk. The help
desk has reassigned the tickets to a security analyst for further review.
The security analyst reviews the following metrics:

Which of the following is MOST likely the result of the security analyst's
review?

A. An on-path attack is taking place between PCs and the router.

B. The ISP is dropping outbound connections.
C. The user of the Sales-PC fell for a phishing attack.
D. Corporate PCs have been turned into a botnet.

Answer130: A

59
Q131: A company is adopting a BYOD policy and is looking for a
comprehensive solution to protect company information on user devices.
Which of the following solutions would BEST support the policy?

A. Full device encryption

B. Biometrics
C. Remote wipe
D. Mobile device management

Answer131: D

Q132: A government organization is developing an advanced AI defense

system. Developers are using information collected from third-party
providers. Analysts are noticing inconsistencies in the expected progress
of the AI learning and attribute the outcome to a recent attack on one of
the suppliers. Which of the following is the most likely reason for the
inaccuracy of the system?

A. Fileless virus
B. Tainted training data
C. Improper algorithms security
D. Cyptomalware

Answer132: B

Q133: Which of the following describes effective change management

procedures?

A. Using an automatic change control bypass for security updates

B. Approving the change after successful deployment
C. Having a backout plan when a patch fails
D. Using a ticket system for tracking changes

Answer133: D

60
Q134: An employee receives a text message that appears to have been
sent by the payroll department and is asking for credential verification.
Which of the following social engineering techniques are being
attempted? (Select Two).

A. Typosquatting
B. Misinformation
C. Impersonation
D. Phishing
E. Smishing
F. Vishing

Answer134: DE

Q135: An enterprise has been experiencing attacks on exploiting

vulnerabilities in older browser versions with well-known exploits.
Which of the following security solutions should be configured to best
provide the ability to monitor and block these known signature-based
attacks?

A. DIP
B. IDS
C. IPS
D. ACL

Answer135: C

61
Q136: A company performed an assessment of its security posture and
found a lack of controls to adequately protect from exploitation legacy
systems at manufacturing sites. Which of the following controls should
be set up for this type of environment? (Select two)

A. Jump server
B. Antivirus
C. IDS
D. Segmentation
E. Patching
F. Application allow list

Answer136: DE

Q137: A company's help desk has received calls about the wireless
network being down and users being unable to connect to it. The network
administrator says all access points are up and running. One of the help
desk technicians notices the affected users are working in a building near
the parking lot. Which of the following is the most likely reason for the
outage?

A. Someone near the building is jamming the signal.

B. The APs in the affected area have been unplugged from the
network.
C. A user has set up a rogue access point near the building.
D. Someone set up an evil twin access point in the affected area.

Answer137: A

62
Q138: A user's login credentials were recently compromised During the
investigation, the security analyst determined the user input credentials
into a pop-up window when prompted to confirm the username and
password. However the trusted website does not use a pop-up for entering
user credentials. Which of the following attacks occurred?

A. DNS poisoning
B. Certificate forgery
C. SQL injection
D. Cross-site scripting

Answer138: D

Q139: One of a company's vendors sent an analyst a security bulletin that

recommends a BIOS update. Which of the following vulnerability types
is being addressed by the patch?

A. Firmware
B. Virtualization
C. Operating system
D. Application

Answer139: A

Q140: All security analysts' workstations at a company have network

access to a critical server VLAN. The information security manager
wants to further enhance the controls by requiring that all access to the
secure VLAN be authorized only from a given single location. Which of
the following will the information security manager MOST likely
implement?

A. A jump server
B. A stateful firewall server
C. A reverse proxy server
D. A forward proxy server

Answer140: A

63
Q141: A company is discarding a classified storage array and hires an
outside vendor to complete the disposal. Which of the following should
the company request from the vendor?

A. Inventory list
B. Proof of ownership
C. Certification
D. Classification

Answer141: C

Q142: An analyst is evaluating the implementation of zero trust principles

within the data plane. Which of the following would be most relevant for
the analyst to evaluate?

A. Threat scope reduction

B. Secured zones
C. Subject role
D. Adaptive identity

Answer142: B

Q143: A cloud architect is working to address the management team's

concerns about cloud diversity. Which of the following is the most
appropriate aspect of the organization's usage for the architect to
consider?

A. Multiple providers to promote resilience

B. Microservices to promote availability
C. Containerization and autoscaling to promote availability
D. Load balancers to promote resilience

Answer143: A

64
Q144: Which of the following risk management strategies should an
enterprise adopt first if a legacy application is critical to operations?

A. Mitigate
B. Transfer
C. Avoid
D. Accept

Answer144: D

Q145: Which of the following provides a catalog of security and privacy

controls related to the United States federal information systems?

A. ISO 27000
B. GDPR
C. PCIDSS
D. NIST 800-53

Answer145: D

Q146: which of the following would be MOST effective to contain a

rapidly spreading attack that is affecting a large number of organizations?

A. Honeypot
B. Blocklist
C. Machine learning
D. DNS sinkhole

Answer146: A

65
Q147: An engineer is setting up a VDI environment for a factory
location, and the business wants to deploy a low-cost solution to enable
users on the shop floor to log in the VDI environment directly. Which of
the following should the engineer select to meet these requirements?

A. Containers
B. Laptops
C. Workstations
D. Thin clients

Answer147: D

Q148: An organization with a low tolerance for user inconvenience wants

to protect laptop hard drives against loss or data theft. Which of the
following would be the MOST acceptable?

A. DLP
B. SED
C. TPM
D. HSM

Answer148: B

Q149: A security analyst receives a SIEM alert that someone logged in to

the appadmin test account, which is only used for the early detection of
attacks. The security analyst then reviews the following application log:

Which of the following can the security analyst conclude?

66
 A. A replay attack is being conducted against the application.
B. A credentialed vulnerability scanner attack is testing several CVEs
against the application.
C. A service account password may have been changed, resulting in
continuous failed logins within the application.
D. An injection attack is being conducted against a user authentication
system.

Answer149: C

Q150: Which of the following holds staff accountable while escorting

unauthorized personnel?

A. Cameras
B. Visitor logs
C. Badges
D. Locks

Answer150: C

Q151: An organization has expanded its operations by opening a remote

office. The new office is fully furnished with office resources to support
up to 50 employees working on any given day. Which of the following
VPN solutions would BEST support the new office?

A. Site-to-site
B. Full tunnel
C. Always On
D. Remote access

Answer151: A

67
Q152: An application owner reports suspicious activity on an internal
financial application from various internal users within the past 14 days.
- Financial transactions were occurring during irregular time frames and
outside of business hours by unauthorized users.
- Internal users in question were changing their passwords frequently
during that time period.
- A jump box that several domain administrator users use to connect to
remote devices was recently compromised.
- The authentication method used in the environment is NTLM.
Which of the following types of attacks is MOST likely being used to
gain unauthorized access?

A. Directory traversal
B. Pass-the-hash
C. Brute-force
D. Replay

Answer152: D

Q153: Several universities are participating in a collaborative research

project and need to share compute and storage resources. Which of the
following cloud deployment strategies would BEST meet this need?

A. Community
B. Private
C. Hybrid
D. Public

Answer153: A

68
Q154: A security engineer needs to recommend a solution to defend
against malicious actors misusing protocols and being allowed through
network defenses. Which of the following will the engineer MOST likely
recommend?

A. An IDS
B. A content filter
C. A WAF
D. A next-generation firewall

Answer154: D

Q155: A security analyst needs to implement security features across

smartphones, laptops, and tablets. Which of the following be the MOST
effective across heterogeneous platforms?

A. Enforcing encryption
B. Applying MDM software
C. Removing administrative permissions
D. Deploying GPOs

Answer155: B

Q156: The Chief Executive Officer (CEO) of an organization would like

staff members to have the flexibility to work from home anytime during
business hours, incident during a pandemic or crisis. However, the CEO
is concerned that some staff members may take advantage of the
flexibility and work from high-risk countries while on holiday work to a
third-party organization in another country. The Chief Information
Officer (CIO) believes the company can implement some basic controls
to mitigate the majority of the risk. Which of the following would be
BEST to mitigate the CEO's concern? (Select TWO)

69
 A. Geolocation
B. Geotagging
C. Time-of-day restrictions
D. Tokens
E. Certificates
F. Role-based access controls

Answer156: AB

Q157: When implementing automation with IoT devices, which of the

following should be considered FIRST to keep the network secure?

A. Communication protocols
B. Z-Wave compatibility
C. Network range
D. Zigbee configuration

Answer157: A

Q158: An attacker is attempting to harvest user credentials on a client's

website. A security analyst notices multiple attempts of random
usernames and passwords. When the analyst types in a random username
and password, the logon screen displays the following message:
The username you entered does not exist.
Which of the following should the analyst recommend be enabled?

A. Input validation
B. Obfuscation
C. Error handling
D. Username lockout

Answer158: B

70
Q159: A company recently suffered a breach in which an attacker was
able to access the internal mail servers and directly access several user
inboxes. A large number of email messages were later posted online.
Which of the following would BEST prevent email contents from being
released should another breach occur?

A. Implement S/MIME to encrypt the emails at rest

B. Configure web traffic to only use TLS-enabled channels
C. Enable full disk encryption on the mail servers.
D. Use digital certificates when accessing email via the web

Answer159: A

Q160: A security analyst discovers that one of the web APIs is being
abused by an unknown third party. Logs indicate that the third party is
attempting to manipulate the parameters being passed to the API
endpoint. Which of the following solutions would BEST help to protect
against the attack?

A. NIDS
B. SIEM
C. DLP
D. WAF

Answer160: D

71
Q161: A security analyst was asked to evaluate a potential attack that
occurred on a publicly accessible section of the company's website. The
malicious actor posted an entry in an attempt to trick users into clicking
the following:

https://www.cOmptla.com/contact-
us/3Fname%3D%3Cscript%3Ealert(document. cookie)
%3C%2Fscript%3E

Which of the following was MOST likely observed?

A. SOLi
B. Session replay
C. XSS
D. DLL injection

Answer161: C

Q162: A company's Chief Information Security Officer (CISO) recently

warned the security manager that the company's Chief Executive Officer
(CEO) is planning to publish a controversial opinion article in a national
newspaper, which may result in new cyberattacks.

Which of the following would be BEST for the security manager to use in
a threat model?

A. Hacktivists
B. White-hat hackers
C. Script kiddies
D. Insider threats

Answer162: A

72
Q163: An organization is outlining data stewardship roles and
responsibilities. Which of the following employee roles would determine
the purpose of data and how to process it?

A. Data controller
B. Data custodian
C. Data protection officer
D. Data processor

Answer163: A

Q164: A grocery store is expressing security and reliability concerns

regarding the on-site backup strategy currently being performed by
locally attached disks. The main concerns are the physical security of the
backup media and its durability of the data stored on these devices.
Which of the following is a cost-effective approach to address these
concerns?

A. Migrate to a cloud backup solution.

B. Move data to a tape library and store the tapes off site.
C. Enhance resiliency by adding a hardware RAID.
D. Install a local network-attached storage.

Answer164: B

Q165: A global pandemic is forcing a private organization to close some

business units and reduce staffing at others. Which of the following
would be BEST to help the organization's executives determine their next
course of action?

A. A disaster recovery plan

B. An incident response plan
C. A communications plan
D. A business continuity plan

Answer165: D

73
Q166: A company prevented direct access from the database
administrators' workstations to the network segment that contains
database servers. Which of the following should a database administrator
use to access the database servers?

A. HSM
B. Load balancer
C. Jump server
D. RADIUS

Answer166: C

Q167: Which of the following would help ensure a security analyst is

able to accurately measure the overall risk to an organization when a new
vulnerability is disclosed?

A. A full inventory of all hardware and software

B. A list of system owners and their departments
C. Documentation of system classifications
D. Third-party risk assessment documentation

Answer167: C

Q168: a business development team reports that files are missing from
the database system and the server log-in screens are showing a lock
symbol that requires users to contact an email address to access the
system and data. Which of the following attacks is the company facing?

A. Rootkit
B. Spyware
C. Bloatware
D. Ransomware

Answer168: D

74
Q169: An organization is building a new backup data center with cost-
benefit as the primary requirement and RTO and RPO values around two
days. Which of the following types of sites is the best for this scenario?

A. Warm
B. Real-time recovery
C. Hot
D. Cold

Answer169: B

Q170: A user would like to install software and features that are not
available with a mobile device's default software. Which of the following
would all the user to install unauthorized software and enable new
features?

A. Jailbreaking
B. Side loading
C. Cross-site scripting
D. SQLi

Answer170: A

Q171: which of the following roles according to the shared responsibility

model, is responsible for securing the company's database in an laaS
model for a cloud environment?

A. Cloud provider
B. Client
C. DBA
D. Third-party vendor

Answer171: B

75
Q172: Which of the following is the BEST reason to maintain a
functional and effective asset management policy that aids in ensuring the
security of an organization?

A. To standardize by selecting one laptop model for all users in the

organization
B. To only allow approved, organization-owned devices onto the
business network
C. To provide data to quantify risk based on the organization's
systems
D. To keep all software and hardware fully patched for known
vulnerabilities

Answer172: D

Q173: An analyst is concerned about data leaks and wants to restrict

access to Internet services to authorized users only. The analyst also
wants to control the actions each user can perform on each service.
Which of the following would be the BEST technology for the analyst to
consider implementing?

A. DLP
B. VPC
C. CASB
D. ACL

Answer173: A

76
Q174: During an incident, an EDR system detects an increase in the
number of encrypted outbound connections from multiple hosts. A
firewall is also reporting an increase in outbound connections that use
random high ports. An analyst plans to review the correlated logs to find
the source of the incident. Which of the following tools will BEST assist
the analyst?

A. A NGFW
B. A SIEM
C. The Windows Event Viewer
D. A vulnerability scanner

Answer174: B

Q175: An incident response technician collected a mobile device during

an investigation. Which of the following should the technician do to
maintain chain of custody?

A. Lock the device in a safe or other secure location to prevent theft or

alteration.
B. Record the collection in a blockchain-protected public ledger.
C. Place the device in a Faraday cage to prevent corruption of the
data.
D. Document the collection and require a sign-off when possession
changes.

Answer175: D

77
Q176: Which of the following BEST reduces the security risks introduced
when running systems that have expired vendor support and lack an
immediate replacement?

A. Classify the system as shadow IT

B. Initiate a bug bounty program.
C. Implement proper network access restrictions.
D. Increase the frequency of vulnerability scans.

Answer176: A

Q177: A company recently experienced a data breach and the source was
determined to be an executive who was charging a phone in a public area.
Which of the following would MOST likely have prevented this breach?

A. A device pin
B. A USB data blocker
C. A firewall
D. Biometrics

Answer177: B

Q178: An attacker was eavesdropping on a user who was shopping

online. The attacker was able to spoof the IP address associated with the
shopping site. Later, the user received an email regarding the credit card
statement with unusual purchases. Which of the following attacks took
place?

A. Domain hijacking
B. On-path attack
C. Protocol poisoning
D. Bluejacking

Answer178: C

78
Q179: A company is auditing the manner in which its European
customers’ personal information is handled. Which of the following
should the company consult?

A. NIST
B. ISO
C. PCI DSS
D. GDPR

Answer179: D

Q180: A new vulnerability in the SMB protocol on the Windows systems

was recently discovered, but no patches are currently available to resolve
the issue. The security administrator is concerned that servers in the
company's DMZ will be vulnerable to external attack; however, the
administrator cannot disable the service on the servers, as SMB is used by
a number of internal systems and applications on the LAN. Which of the
following TCP ports should be blocked for all external inbound
connections to the DMZ as a workaround to protect the servers? (Select
TWO)

A. 445
B. 135
C. 143
D. 161
E. 443
F. 139

Answer180: AF

79
Q181: A dynamic application vulnerability scan identified code injection
could be performed using a web form. Which of the following will be
BEST remediation to prevent this vulnerability?

A. Implement input validations

B. Utilize a WAF
C. Deploy MFA
D. Configure HIPS

Answer181: A

Q182: A financial institution would like to store its customer data in a

cloud but still allow the data to be accessed and manipulated while
encrypted. Doing so would prevent the cloud service provider from being
able to decipher the data due to its sensitivity. The financial institution is
not concerned about computational overheads and slow speeds. Which of
the following cryptographic techniques would BEST meet the
requirement?

A. Homomorphic
B. Symmetric
C. Asymmetric
D. Ephemeral

Answer182: A

Q183: A security engineer is building a file transfer solution to send files

to a business partner. The users would like to drop off the files in a
specific directory and have the server send the file to the business partner.
The connection to the business partner is over the internet and needs to be
secure. Which of the following can be used?

80
 A. LDAPS
B. S/MIME
C. SRTP
D. SSH

Answer183: A

Q184: A security architect is required to deploy to conference rooms

some workstations that will allow sensitive data to be displayed on large
screens. Due to the nature of the data, it cannot be stored in the
conference rooms. The file share is located in a local data center. Which
of the following should the security architect recommend to BEST meet
the requirement?

A. Full drive encryption and thick clients

B. Private cloud and DLP
C. Fog computing and KVIMs
D. VDI and thin clients

Answer184: D

Q185: The manager who is responsible for a data set has asked a security
engineer to apply encryption to the data on a hard disk. The security
engineer is an example of a:

A. Data custodian
B. Data owner
C. Data processor
D. Data controller

Answer185: A

81
Q186: Which of the following technologies is used to actively monitor
for specific file types being transmitted on the network?

A. Honeynets
B. Data loss prevention
C. Tcpreplay
D. File integrity monitoring

Answer186: D

Q187: A company recently experienced a significant data loss when

proprietary information was leaked to a competitor. The company took
special precautions by using proper labels; however, email filter logs do
not have any record of the incident. An investigation confirmed the
corporate network was not breached, but documents were downloaded
from an employee's COPE tablet and passed to the competitor via cloud
storage. Which of the following is the BEST remediation for this data
leak?

A. MDM
B. User training
C. CASB
D. EDR

Answer187: D

82
Q188: An analyst is working on an email security incident in which the
target opened an attachment containing a worm. The analyst wants to
implement mitigation techniques to prevent further spread. Which of the
following is the BEST course of action for the analyst to take?

A. Isolate the infected attachment

B. Utilize email content filtering
C. Apply a DLP solution.
D. Implement network segmentation

Answer188: A

Q189: A company is required to continue using legacy software to

support a critical service. Which of the following BEST explains a risk of
this practice?

A. Default system configuration

B. Unsecure protocols
C. Weak encryption
D. Lack of vendor support

Answer189: D

Q190: A company recently experienced a major breach. An investigation

concludes that customer credit card data was stolen and exfiltrated
through a dedicated business partner connection to a vendor, who is not
held to the same security control standards. Which of the following is the
MOST likely source of the breach?

A. Supply chain
B. Cryptographer downgrade
C. Side channel
D. Malware

Answer190: D

83
Q191: Which of the following environments utilizes dummy data and is
MOST likely to be installed locally on a system that allows code to be
assessed directly and modified easily with each build?

A. Development
B. Staging
C. Production
D. Test

Answer191: D

Q192: Which of the following specifically describes the exploitation of

an interactive process to gain access to restricted areas ?

A. Privilege escalation
B. Buffer overflow
C. Pharming
D. Persistence

Answer192: A

Q193: A local server recently crashed, and the team is attempting to

restore the server from a backup. During the restore process, the team
notices the file size of each daily backup is large and will run out of space
at the current rate. The current solution appears to do a full backup every
right. Which of the following would use the LEAST amount of storage
space for backups?

A. A weekly, full backup with daily differential backups

B. A weekly, full backup with daily with daily snapshot backups
C. A weekly, incremental backup with daily differential backups
D. A weekly, full backup with daily incremental backups

Answer193: D

84
Q194: If a current private key is compromised, which of the following
would ensure it cannot be used to decrypt all historical data?

A. Perfect forward secrecy

B. Key stretching
C. Elliptic-curve cryptography
D. Homomorphic encryption

Answer194: A

Q195: An organization relies on third-party video conferencing to

conduct daily business. Recent security changes now require all remote
workers to utilize a VPN to corporate resources. Which of the following
would BEST maintain high-quality video conferencing while minimizing
latency when connected to the VPN?

A. Using geographic diversity to have VPN terminations closer to end

users
B. Configuring QoS properly on the VPN accelerators
C. Utilizing split tunneling so only traffic for corporate resources is
encrypted
D. Purchasing higher-bandwidth connections to meet the increased
demand

Answer195: B

Q196: An attacker is trying to gain access by installing malware on a

website that is known to be visited by the target victims. Which of the
following is the attacker MOST likely attempting?

A. Typo squatting
B. A watering-hole attack
C. A spear-phishing attack
D. A phishing attack

Answer196: B

85
Q197: A security analyst discovers several .jpg photos from a cellular
phone during a forensics investigation involving a compromised system.
The analyst runs a forensics tool to gather file metadata. Which of the
following would be part of the images if all the metadata is still intact?

A. The number of copies made

B. The GPS location
C. The total number of print jobs
D. When the file was deleted

Answer197: B

Q198: An employee receives an email stating he won the lottery. The

email includes a link that requests a name, mobile phone number,
address, and date of birth be provided to confirm employee 's identity
before sending him the prize. Which of the following BEST describes this
type of email?

A. Phishing
B. Whaling
C. Vishing
D. Spear phishing

Answer198: A

86
Q199: A well-known organization has been experiencing attacks from
APIs. The organization is concerned that custom malware is being
created and emailed into the company or installed on USB sticks that are
dropped in parking lots. Which of the following is the BEST defense
against this scenario?

A. Configuring signature-based antivirus io update every 30 minutes

B. Enforcing S/MIME for email and automatically encrypting USB
drives upon insertion.
C. Implementing application execution in a sandbox for unknown
software.
D. Fuzzing new files for vulnerabilities if they are not digitally signed

Answer199: C

Q200: A company would like to provide flexibility for employees on

device preference. However, the company is concerned about supporting
too many different types of hardware. Which of the following
deployment models will provide the needed flexibility with the
GREATEST amount of control and security over company data and
infrastructure?

A. COPE
B. CYOD
C. BYOD
D. VDI

Answer200: C

87
Q201: A security administrator is trying to determine whether a server is
vulnerable to a range of attacks. After using a tool, the administrator
obtains the following output:

Which of the following attacks was successfully implemented based on

the output?

A. Memory leak
B. SQL injection
C. Directory traversal
D. Race conditions

Answer201: C

Q202: An organization recently ac quired an ISO 27001 certification.

which of the following would MOST likely by considered a benefit of
this certification ?

A. It certifies the organization can work with foreign entities that

require a security clearance.
B. It allows for the sharing of digital forensics data across
organizations
C. It provides Insurance in case of a data breach
D. It assures customers that the organization meets security
standards.
E. It provides complimentary training and certification resources to
IT security staff

Answer202: D

88
Q203: A financial analyst is expecting an email containing sensitive
information from a client when the email arrives the analyst receives an
error and is unable to open the encrypted message. which of the following
is the MOST likely causes of the issue?

A. Secure IMAP was not implemented

B. The SMME plug-in is not enabled
C. pop3s is not supported
D. The SLL certificate has expired

Answer203: B

Q204: During a recent security assessment a vulnerability was found in a

common OS The OS vendor was unaware the issue and Promised to
release a patch within the next quarter. Which of the following BEST
describes this type of vulnerability ?

A. Zero day
B. Legacy operating system
C. Supply chain
D. Weak configuration

Answer204: A

Q205: which of the following threat actors is MOST likely to be

motivated by ideology ?

A. Script kiddie
B. Hacktivist
C. Business competitor
D. Criminal syndicate
E. Disgruntled employee

Answer205: B

89
Q206: which of the following is the correct order of volatility from
MOST to LEAST volatile?

A. Memory, disk, temporary filesystems, cache, archival media

B. Cache, disk, temporary filesystems, network storage, archival
media
C. Memory, temporary filesystems, routing tables, disk, network
storage
D. Cache, memory, temporary filesystems, disk archival media

Answer206: D

Q207: A security professional want to enhance the protection of a critical

environment that is used to store and mange a company's encryption
keys, The selected technology should be Tamper resistant. Which of the
following should the security professional Implement to achieve the
goal?

A. FIM
B. HSM
C. CA
D. DLP

Answer207: A

Q208: A report delivered to the chief information security Officer (CISO)

shows that some user credentials could be exfiltrated. The report also
indicates that users tend to choose the same credentials on different
systems and applications. Which of the following policies should the
CISO use to prevent someone from using the exfiltrated credentials

A. MFA
B. Password history
C. Time-based logins
D. Lockout

Answer208: B

90
Q209: A user downloaded an extension for a browser and the user's
device later become infected the analyst who is investigating the incident
saw various logs where the attacker was hiding activity by deleting data
the following was observed running

New-partition -diskNumber 2 -UseMaximumsize -AssignDriveLetter CI

Forma t-volume -DriveLetter C -FileSystemLabel “New” -Filesysatem
NTFS – Full – Force – Confirm:$false

which of the following is the malware using to execute the attack?

A. Python
B. Macros
C. Bash
D. PowerShell

Answer209: D

Q201: which of the following is a hardware-specific vulnerability?

A. Buffer overflow
B. Firmware version
C. SQL injection
D. Cross-site scripting

Answer012: B

Q211: Which of the following threat Vectors Would appear to be the

most legitimate when used by a malicious actor to impersonate a
company?

A. Phone call
B. Email
C. Text message
D. Instant message

Answer211: B

91
Q212: Which of the following examples would be best mitigated by input
sanitization?

A. Email messages: “Click this link to get your free gift card.”
B. Browser messages: “your connection is not private.”
C. nmap -p- 10.11.1.130
D. <script> alert(“Warning!”); </script>

Answer212: B

Q213: A security analyst locates a potentially Malicious video file on a

server and needs to Identify both the creation dates and the file's creator.
Which of the following actions with most likely give the security analyst
the information required ?

A. Check endpoint logs.

B. Obtain the file’s SHA-256 hash.
C. Query the file’s metadata
D. Use hexdump on the file’s contents

Answer213: C

Q214: A company's legal department drafted sensitive documents in SaaS

application and wants to ensure the documents can't be accessed by
individuals in high-risk countries. Which of the following is the most
effective way to limit this access?

A. Encryption
B. Data masking
C. Geolocation policy
D. Data sovereignty regulation

Answer214: C

92
Q215: A security analyst is scanning a company's public network and
discovers a host is running a remote desktop that can be used to access
the production Network. Which of the following changes should the
security analyst recommend?

A. Setting up a VPN placing the jump server inside the firewall

B. Using a proxy for web connections from the remote desktop server
C. Changing the remote desktop port to a non-standard number
D. Connecting the remote server to the domain and increasing the
password length

Answer215: A

Q216: An IT manager informs the entire help disk stuff that only the IT
manager and the help desk lead will have access to the administrator
Console of the help desk software which of the following security
techniques in the IT manager setting up?

A. Configuration enforcement
B. Employee monitonng
C. Hardening
D. Least privilege

Answer216: D

Q217: Malware Spread across a company's Network after an employee

visited a compromised industry blog. Which of the following best
describes this type of attack?

A. Smishing
B. disinformation
C. impersonation
D. Watering-hole

Answer217: D

93
Q218: Which of the following strategies shifts risks that are not covered
in an organization's risk strategy?

A. Risk acceptance
B. Risk mitigation
C. Risk avoidance
D. Risk transference

Answer218: A

Q219: An organization purchased and configured spare devices for all

critical network infrastructure. Which of the following nest describes the
organization's reason for these actions?

A. Decentralization
B. Software-defined networking
C. Scalability
D. High availability

Answer219: D

Q220: An administrator reviewed the log files after a recent ransomware

attack on a company's system and discovered vulnerabilities that resulted
in the loss of a database server. The administrator applied a patch to the
server to resolve the CVE score. Which of the following controls did the
administrator use?

A. Deterrent
B. Compensating
C. Directive
D. Corrective

Answer220: D

94
Q221: A company is planning to install a guest wireless network so
visitors will be able to access the Internet. The stakeholders want the
network to be easy to connect to so time is not wasted during meetings.
The WAPs are configured so that power levels and antennas cover only
the conference rooms where visitors will attend meetings. Which of the
following would BEST protect the company's Internal wireless network
against visitors accessing company resources?

A. Decrease the power levels of the access points for the guest
wireless network.
B. Change the password for the guest wireless network every month.
C. Enable WPA2 using 802.1X for logging on to the guest wireless
network.
D. Configure the guest wireless network to be on a separate VLAN
from the company's internal wireless network.

Answer221: D

Q222: A junior security analyst is reviewing web server logs and

identifies the following pattern in the log file:
http://comptia.org/../../../etc/passwd

Which of the following types of attacks is being attempted and how can it
be mitigated?

A. CSRF; implement an IPS

B. SQL injection; implement an IDS
C. Directory traversal; implement a WAF
D. XSS; implement a SIEM

Answer222: C

95
Q223: Which of the following threat vectors would appear to be the most
legitimate when used by a malicious actor to impersonate a company?

A. Phone call
B. Text message
C. Instant message
D. Email

Answer223: D

Q224: Which of the following scenarios BEST describes a risk reduction

technique?

A. A security control objective cannot be met through a technical

change, so the Chief Information Officer decides to sign off on the
risk.
B. A security control objective cannot be met through a technical
change, so the company performs regular audits to determine if
violations have occurred.
C. A security control objective cannot be met through a technical
change, so the company implements a policy to train users on a
more secure method of operation.
D. A security control objective cannot be met through a technical
change, so the company purchases insurance and is no longer
concerned about losses from data breaches.

Answer224: C

Q225: A system administrator set up an automated process that checks

for vulnerabilities across the entire environment every morning. Which of
the following activities is the systems administrator conducting?

A. Reporting
B. Alerting
C. Scanning
D. Archiving

Answer225: C

96
Q226: A security administrator is setting up a SIEM to help monitor for
notable events across the enterprise. Which of the following control types
does this BEST represent?

A. Detective
B. Compensating
C. Corrective
D. Preventive

Answer226: A

Q227: A help desk technician receives a phone call from someone

claiming to be a part of the organization's cybersecurity incident response
team. The caller asks the technician to verify the network's internal
firewall IP Address. Which of the following is the technician's BEST
course of action?

A. Ask for the caller's name, verify the person's identity in the email
directory, and provide the requested information over the phone.
B. Direct the caller to stop by the help desk in person and hang up
declining any further requests from the caller.
C. Request the caller send an email for identity verification and
provide the requested information via email to the caller.
D. Write down the phone number of the caller if possible, the name of
the person requesting the information, hang up, and notify the
organization's cybersecurity officer.

Answer227: D

97
Q228: A host was infected with malware. During the incident response,
Joe, a user, reported that he did not receive any emails with links, but he
had been browsing the Internet all day. Which of the following would
MOST likely show where the malware originated?

A. The SNMP logs

B. The web server logs
C. The SIP traffic logs
D. The DNS logs

Answer228: D

Q229: A network administrator added a new router to the network. Which

of the following should the administrator do first when configuring the
router?

A. Remove unnecessary software

B. Change the default passwords
C. Apply patches
D. Isolate the router

Answer229: B

Q230: A bakery has a secret recipe that it wants to protect. Which of the
following objectives should be added to the company's security
awareness training?

A. Phishing awareness
B. Risk analysis
C. Insider threat detection
D. Business continuity planning

Answer230: C

98
Q231: Which of the following teams combines both offensive and
defensive testing techniques to protect an organization's critical systems?

A. Yellow
B. Red
C. Purple
D. Blue

Answer231: C

Q232: A technician wants to improve the situational and environmental

awareness of existing users as they transition from remote to in-office
work. Which of the following is the best option?

A. Send out periodic security reminders.

B. Implement a phishing campaign.
C. Update the content of new hire documentation.
D. Modify the content of recumng training.

Answer232: B

Q233: Which of the following security concepts should an e-commerce

organization apply for protection against erroneous purchases?

A. Privacy
B. Availability
C. Integrity
D. Confidentiality

Answer233: C

99
Q234: An endpoint protection application contains critical elements that
are used to protect a system from infection. Which of the following must
be updated before completing a weekly endpoint check?

A. Policy engine
B. Policy updates
C. Policy definitions
D. Policy signatures

Answer234: D

Q235: A security administrator would like to protect data on employees'

laptops. Which of the following encryption techniques should the security
administrator use?

A. Database
B. Partition
C. Full disk
D. Asymmetric

Answer235: C

Q236: Which of the following describes the reason root cause analysis
should be conducted as part of incident response?

A. To discover which systems have been affected

B. To prevent future incidents of the same nature
C. To eradicate any trace of malware on the network
D. To gather IoCs for the investigation

Answer236: B

100
Q237: During onboarding process, an employee needs to create a
password for an intranet account. The password must include ten
characters, numbers, and letters, and two special characters. Once the
passwords is created, the company will grant the employee access to
other company-owned websites based on the interanet profile. Which of
the following access management concepts is the company most likely
using to safeguard intranet accounts and grant access to multiple sites
based on a user's intranet account? (Select TWO)

A. Identity proofing
B. Default password changes
C. Federation
D. Password manager
E. Open authentication
F. Password complexity

Answer237: ACD

Q238: Which of the following must be considered when designing a

high-availability network? (Select TWO)

A. Ease of recovery
B. Ability to patch
C. Extensible authentication
D. Physical isolation
E. Attack surface
F. Responsiveness

Answer238: ADF

101
Q239: An audit report indicates multiple suspicious attempts to access
company resources were made. These attempts were not detected by the
company. Which of the following would be the best solution to
implement on the company's network?

A. Jump server
B. Intrusion prevention system
C. Proxy server
D. Security zones

Answer239: D

Q240: An attacker tricks a user into providing confidential information.

Which of the following describes this form of malicious reconnaissance?

A. Phishing
B. Typosquatting
C. Smishing
D. Social engineering

Answer240: A

Q241: An organization is building a new headquarters and has placed

fake camera around the building in an attempt to discourage potential
intruders. Which of the following kinds of controls describes this security
method?

A. Directive
B. Corrective
C. Detective
D. Deterrent

Answer241: C

102
Q242: An attacker posing as the Chief Executive Officer calls an
employee and instructs the employee to buy gift cards. Which of the
following techniques is attacker using?

A. Impersonating
B. Phishing
C. Smishing
D. Vishing

Answer242: A

Q243: A new plug-and-play storage device was installed on a PC in the

corporate environment. Which of the following safeguards will best help
to protect the PC from malicious files on the storage device?

A. Encrypt the disk on the storage device.

B. Change the default settings on the PC.
C. Define the PC firewall rules limit access.
D. Plug the storage device in to the UPS.

Answer243: A

Q244: A company located in an area prone to humcanes is developing a

disaster recovery plan and looking at site considerations that allow the
company to quickly continue operations. Which of the following is the
best type of site for this company?

A. Tertiary
B. Cold
C. Hot
D. Warm

Answer244: C

103
Q245: A threat actor used a sophisticated attack to breach a well-know
ride-sharing company. The threat actor posted media that this action was
in response to the company's treatment of its drivers. Which of the
following best describes this type of threat actor?

A. Nation-state
B. Organized crime
C. Hacktivist
D. Shadow IT

Answer245: C

Q246: An organization is concerned that its hosted web servers are not
running the most updated version of the software. Which of the following
would work best to help identify potential vulnerabilities?

A. nmap comptia org –p 80 -sV

B. hping3 -9 comptia org –p 80
C. nc -1 –v comptia org –p 80
D. nslookup port=80 comptia org

Answer246: A

Q247: A company hired a consultant to perform an offensive security

assessment covering penetration testing and social engineering. Which of
the following teams will conduct this assessment activity?

A. Red
B. Blue
C. Purple
D. White

Answer247: B

104
Q248: Which of the following requirements apply to a CYOD policy?
(Select Two)

A. The end users can supply their own personal devices.

B. Employee-owned devices must run antivirus.
C. The company should support only one model of phone.
D. The user can request to customize the device.
E. Personal applications cannot be loaded on the phone.
F. The company retains ownership of the phone.

Answer248: DF

105
Q249: Select the appropriate attack and remediation from each drop-
down list to label the corresponding attack with its remediation.
INSTRUCTIONS
Not all attacks and remediation actions will be used.
If at any time you would like to bring back the initial state of the
simulation, please click the Reset All button.

106
Answer249:

107
Q250: A systems administrator needs to install a new wireless network
for authenticated guest access. The wireless network should support
802.1X using the most secure encryption and protocol available.

INSTRUCTIONS
Perform the following steps:
1. Configure the RADIUS server.
2. Configure the WiFi controller.
3. Preconfigure the client for an incoming guest.

The guest AD credentials are:

User: guest01
Password: guestpass

108
Answer250:

109
Q251: Leveraging the information supplied below, complete the CSR for
the server to set up TLS (HTTPS)
• Hostname: ws01
• Domain: comptia.org
• IPv4: 10.1.9.50
• IPV4: 10.2.10.50
• Root: home.aspx
• DNS CNAME: homesite

INSTRUCTIONS
Drag the various data points to the correct locations within the CSR.
Extension criteria belong in the left-hand column and values belong in the
corresponding row in the right-hand column.

110
Answer251:

Q252: A newly purchased corporate WAP needs to be configured in the

MOST secure manner possible.

INSTRUCTIONS
Please click on the below items on the network diagram and configure
them accordingly:
- WAP
- DHCP Server
- AAA Server
- Wireless Controller
- LDAP Server
If at any time you would like to bring back the initial state of the
simulation, please click the Reset All button.

111
112
Answer252:

113
Q253: An attack has occurred against a company.
INSTRUCTIONS
You have been tasked to do the following:
- Identify the type of attack that is occurring on the network by clicking
on the attacker's tablet and reviewing the output.
- Identify which compensating controls a developer should implement
on the assets, in order to reduce the effectiveness of future attacks by
dragging them to the correct server.
All objects will be used, but not all placeholders may be filled. Objects
may only be used once.
If at any time you would like to bring back the initial state of the
simulation, please click the Reset All button.

114
Answer253:

Q254: A company recently added a DR site and is redesigning the

network. Users at the DR site are having issues browsing websites.

INSTRUCTIONS
Click on each firewall to do the following:
1. Deny cleartext web traffic.
2. Ensure secure management protocols are used.
3. Resolve issues at the DR site.
The ruleset order cannot be modified due to outside constraints.
If at any time you would like to bring back the initial state of the
simulation, please click the Reset All button.

115
116
117
118
119
Answer254:

Q255: An incident has occurred in the production environment.

Analyze the command outputs and identify the type of compromise.

If at any time you would like to bring back the initial state of the
simulation, please click the Reset All button.

A. RAT
B. SQL injection
C. Backdoor
D. Logic bomb
E. Rootkit

Answer255: D

120
Q256: An incident has occurred in the production environment.

Analyze the command outputs and identify the type of compromise.

If at any time you would like to bring back the initial state of the
simulation, please click the Reset All button.

A. Rootkit
B. RAT
C. Logic bomb
D. SQL injection
E. Backdoor

Answer256: A

Q257: You received the output of a recent vulnerability assessment.

Review the assessment and scan output and determine the appropriate
remediation(s) for each device. Remediation options may be selected
multiple times, and some devices may require more than one
remediation. If at any time you would like to bring bake the initial state
of the simulation, please dick me Reset All button.

121
122
123
124
125
126
127
Answer257:

128
Q258: A data owner has been tasked with assigning proper data
classifications and destruction methods for various types of data
contained within the environment.

Answer258:

129
Q259: A security engineer is setting up passwordless authentication for
the first time.

Use the minimum set of commands to set this up and verify that it
works. Commands cannot be reused.
If at any time you would like to bring back the initial state of the
simulation, please click the Reset All button.

Answer259:

130
Q260: You are a security administrator investigating a potential infection
on a network.

INSTRUCTIONS

Click on each host and firewall. Review all logs to determine which host
originated the infection and then identify if each remaining host is clean
or infected. If at any time you would like to bring back the initial state of
the simulation, please click the Reset All button.

131
132
133
Answer260:

134