Question 1:

(Sample Simulation – On the real exam for this type of question, you would receive 3-5
pictures and be asked to drag and drop them into place next to the correct term.)

Based on the image provided, what type of attack is occurring?

A. SYN flood
B. Smurf attack
C. Ping flood
D. DDoS

Question 2:

Ted, a file server administrator, has noticed that a large number of sensitive files have been
transferred from a corporate workstation to an IP address outside of the local area network. Ted
looks up the IP address and determines that it is located in a foreign country. Ted contacts his
company’s security analyst, who verifies that the workstation’s anti-malware solution is up-to-date,
and the network’s firewall is properly configured. What type of attack most likely occurred to
allow the exfiltration of the files from the workstation?

A. Session hijacking
B. Zero-day
C. MAC spoofing
D. Impersonation

Question 3:

You are reviewing the IDS logs and notice the following log entry:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

(where email=support@diontraining.com and password=' or 7==7')

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of attack is being performed?

A. XML injection
B. SQL injection
C. Header manipulation
D. Cross-site scripting

Question 4:

Your intrusion detection system has produced an alert based on its review of a series of
network packets. After analysis, it is determined that the network packets did not contain
any malicious activity. How should you classify this alert?

A. True positive
B. True negative
C. False positive
D. False negative

Question 5:

You are conducting threat hunting on your organization's network. Every workstation on
the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of
RAM, and the Windows 10 Enterprise operating system. You know from previous
experience that most of the workstations only use 40 GB of space on the hard drives since
most users save their files on the file server instead of the local workstation. You discovered
one workstation that has over 250 GB of data stored on it. Which of the following is a likely
hypothesis of what is happening, and how would you verify it?

A. The host might be the victim of a remote access trojan -- you should reimage the machine
immediately
B. The host might be used as a staging area for data exfiltration -- you should conduct
volume-based trend analysis on the host's storage device
C. The host might be offline and conducted backups locally -- you should contact a system
administrator to have it analyzed
D. The host might be used as a command and control node for a botnet -- you should
immediately disconnect the host from the network

Question 6:

Fail to Pass Systems has just become the latest victim in a large scale data breach by an
APT. Your initial investigation confirms a massive exfiltration of customer data has
occurred. Which of the following actions do you recommend to the CEO of Fail to Pass
Systems in handling this data breach?

A. Provide a statement to the press that minimizes the scope of the breach
B. Conduct notification to all affected customers within 72 hours of the discovery of the
breach
C. Purchase a cyber insurance policy, alter the date of the incident in the log files, and file
an insurance claim
D. Conduct a 'hack-back' of the attacker in order to retrieve the stolen information

Question 7:

Several users have contacted the help desk to report that they received an email from a well-known
bank stating that their accounts have been compromised and they need to "click here" to reset
their banking password. Some of these users are not even customers of this particular bank,
though. Which of the following social engineering principles is being utilized as a part of this
phishing campaign?

A. Intimidation
B. Familiarity
C. Consensus
D. Urgency

Question 8:

You are conducting a code review of a program and observe that the following calculation
was attempted: 0xffffffff + 1. The result was returned as 0x0000000. Based on this, what
type of exploit could be created against this program?

A. SQL injection
B. Impersonation
C. Integer overflow attack
D. Password spraying

Question 9:

Which of the following methods should a cybersecurity analyst use to locate any instances
on the network where passwords are being sent in cleartext?

A. Full packet capture
B. Net flow capture
C. SIEM event log monitoring
D. Software design documentation review

Question 10:

A cybersecurity analyst notices that an attacker is trying to crack the WPS PIN associated
with a wireless printer. The device logs show that the attacker tried 00000000, 00000001,
00000002, and continued to increment by 1 each time until they found the correct
PIN of 13252342. Which of the following types of password cracking was being performed
by the attacker?

A. Rainbow table
B. Dictionary
C. Hybrid
D. Brute-force

Question 11:

Several users have contacted the help desk to report that they received an email from a
well-known bank stating that their accounts have been compromised and they need to
"click here" to reset their banking password. Some of these users are not even customers of
this particular bank, though. Which of the following best describes this type of attack?

A. Phishing
B. Spear phishing
C. Whaling
D. Brute force

Question 12:

During your annual cybersecurity awareness training in your company, the instructor states that employees
should be careful about what information they post on social media. According to the instructor, if you post
too much personal information on social media, such as your name, birthday, hometown, and other personal
details, it is much easier for an attacker to conduct which type of attack to break your passwords?

A. Birthday attack
B. Brute force attack
C. Cognitive password attack
D. Rainbow table attack

Question 13:

You are creating a script to filter some logs so that you can detect any suspected malware
beaconing. Which of the following is NOT a typical means of identifying a malware
beacon's behavior on the network?

A. The beacon's persistence
B. The beacon's protocol
C. The beaconing interval
D. The removal of known traffic

Question 14:

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create
an alert to detect when an employee from one bank office logs into a workstation located at
an office in another state. What type of detection and analysis is Alexa configuring?

A. Trend
B. Anomaly
C. Heuristic
D. Behavior

Question 15:

Nick is participating in a security exercise as part of the network defense team for his
organization. Which team is Nick playing on?

A. Red team
B. White team
C. Blue team
D. Yellow team

Question 16:

Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which
went out of business due to a series of data breaches. As a cybersecurity analyst for
Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure.
During your analysis, you discover the following URL is used to access an application:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

https://www.whamiedyne.com/app/accountInfo?acct=12345

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

You change the URL to end with 12346 and notice that a different user's account
information is now displayed. Which of the following types of vulnerabilities or threats have
you discovered?

A. Insecure direct object reference
B. XML injection
C. Race condition
D. SQL injection

Question 17:

You walked up behind a penetration tester in your organization and saw the following
output on their Kali Linux terminal:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[ATTEMPT] target 192.168.1.142 - login "root" - pass "abcde" 1 of 10

[ATTEMPT] target 192.168.1.142 - login "root" - pass "efghi" 2 of 10

[ATTEMPT] target 192.168.1.142 - login "root" - pass "12345" 3 of 10

[ATTEMPT] target 192.168.1.142 - login "root" - pass "67890" 4 of 10

[ATTEMPT] target 192.168.1.142 - login "root" - pass "a1b2c" 5 of 10

[ATTEMPT] target 192.168.1.142 - login "user" - pass "abcde" 6 of 10

[ATTEMPT] target 192.168.1.142 - login "user" - pass "efghi" 7 of 10

[ATTEMPT] target 192.168.1.142 - login "user" - pass "12345" 8 of 10

[ATTEMPT] target 192.168.1.142 - login "user" - pass "67890" 9 of 10

[ATTEMPT] target 192.168.1.142 - login "user" - pass "a1b2c" 10 of 10

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of test is the penetration tester currently conducting?

A. Conducting a port scan of 192.168.1.142
B. Conducting a brute force login attempt of a remote service on 192.168.1.142
C. Conducting a ping sweep of 192.168.1.142/24
D. Conducting a Denial of Service attack on 192.168.1.142

Question 18:

You are analyzing the following network utilization report because you suspect one of the
servers has been compromised.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

IP Address      Name          Uptime             Historical   Current
192.168.20.2    web01         7D 12H 32M 06S     42.6 GB      44.1 GB
192.168.20.3    webdev02      4D 07H 12M 45S     1.95 GB      2.13 GB
192.168.20.4    dbsvr01       12D 02H 46M 14S    3.15 GB      24.6 GB
192.168.20.5    marketing01   2D 17H 18M 41S     5.2 GB       4.9 GB

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on the report above, which of the following servers do you suspect has been
compromised and should be investigated further?

A. web01
B. webdev02
C. dbsvr01
D. marketing01

Question 19:

Which type of method is used to collect information during passive reconnaissance?

A. Social engineering
B. Network traffic sniffing
C. Man in the middle attacks
D. Publicly accessible sources

Question 20:

Dave's company utilizes Google's G-Suite environment for file sharing and office
productivity, Slack for internal messaging, and AWS for hosting their web servers. Which
of the following types of cloud deployment models is being used?

A. Multi-cloud
B. Community
C. Private
D. Public

Question 21:

You want to create a new mobile application and develop it in the cloud. You just signed up
for a cloud-based service provider's offering to allow you to develop it using their
programming environment. Which of the following best describes which type of service you
have just purchased?

A. DaaS
B. PaaS
C. IaaS
D. SaaS

Question 22:

Which of the following biometric authentication factors relies on matching patterns on the
eye's surface using near-infrared imaging?

A. Retinal scan
B. Facial recognition
C. Iris scan
D. Pupil dilation

Question 23:

Which of the following hashing algorithms results in a 128-bit fixed output?

A. MD-5
B. SHA-1
C. RIPEMD
D. SHA-2

Question 24:

You are working as part of the server team for an online retail store. Due to the upcoming
holidays, your boss is worried that the current servers may not be able to handle the
increased demand during a big sale. Which of the following cloud computing concepts can
quickly allow services to scale upward during busy periods and scale down during slower
periods based on the changing user demand?

A. Resource pooling
B. On-demand
C. Rapid elasticity
D. Metered services

Question 25:

Which term is used in software development to refer to the method in which app and
platform updates are committed to a production environment rapidly?

A. Continuous delivery
B. Continuous integration
C. Continuous deployment
D. Continuous monitoring

Question 26:

You want to create a website for your new technical support business. You decide to
purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on
it to run your website. Which of the following best describes which type of service you have
just purchased?

A. DaaS
B. PaaS
C. IaaS
D. SaaS

Question 27:

Which of the following is the most important feature to consider when designing a system
on a chip?

A. Type of real-time operating system in use
B. Space and power savings
C. Ability to interface with industrial control systems
D. Ability to be reconfigured after manufacture

Question 28:

You are developing a containment and remediation strategy to prevent the spread of an
APT within your network. Your plan suggests creating a mirror of the company’s
databases, routing all externally sourced network traffic to it, and gradually updating with
pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data.
Once the attacker has downloaded the corrupted database, your company would then
conduct remediation actions on the network and restore the correct database information
to the production system. Which of the following types of containment strategies does the
plan utilize?

A. Segmentation-based containment disrupts the APT by using a hack-back approach
B. Isolation-based containment by removing the affected database from production
C. Segmentation-based containment that deceives the attacker into believing their attack was
successful
D. Isolation-based containment by disconnecting the APT from the affected network

Question 29:

Sarah is working at a startup that is focused on making secure banking apps for
smartphones. Her company needs to select an asymmetric encryption algorithm to encrypt
the data being used by the app. Due to the need for high security of the banking data, the
company needs to ensure that whatever encryption they use is considered strong, but also
needs to minimize the processing power required since it will be running on a mobile device
with lower computing power. Which algorithm should Sarah choose to provide the same
level of high encryption strength with a lower overall key length?

A. Diffie-Hellman
B. RSA
C. ECC
D. Twofish

Question 30:

Frank and John have started a secret club together. They want to ensure that when they
send messages to each other, they are truly unbreakable. What encryption key would
provide the STRONGEST and MOST secure encryption?

A. DES with a 56-bit key
B. AES with a 256-bit key
C. ECC with a 256-bit key
D. Randomized one-time use pad

Question 31:

You have recently been hired as a security analyst at Dion Training. On your first day,
your supervisor begins to explain the way their network is configured, showing you the
physical and logical placement of each firewall, IDS sensor, host-based IPS installations,
the networked spam filter, and the DMZ. What best describes how these various devices
are placed into the network for the highest level of security?

A. Network segmentation
B. Defense in depth
C. UTM
D. Load balancer

Question 32:

Which of the following vulnerabilities involves leveraging access from a single virtual
machine to other machines on a hypervisor?

A. VM escape
B. VM migration
C. VM sprawl
D. VM data remnant

Question 33:

Your company has just finished replacing all of its computers with brand new
workstations. Colleen, one of your coworkers, has asked the company's owner if she can
have the old computers that are about to be thrown away. Colleen would like to refurbish
the old computers by reinstalling a new operating system and donate them to a local
community center for disadvantaged children in the neighborhood. The owner thinks this
is a great idea but is concerned that the private and sensitive corporate data on the old
computer’s hard drives might be placed at risk of exposure. You have been asked to choose
the best solution to sanitize or destroy the data while ensuring the computers will still be
usable by the community center. What type of data destruction or sanitization method do
you recommend?

A. Degaussing
B. Wiping
C. Purging
D. Shredding

Question 34:

Which of the following cryptographic algorithms is classified as asymmetric?

A. AES
B. RC4
C. DSA
D. DES

Question 35:

Which of the following cryptographic algorithms is classified as a stream cipher?

A. AES
B. RC4
C. Blowfish
D. DES

Question 36:

A new security appliance was installed on a network as part of a managed service
deployment. The vendor controls the appliance, and the IT team cannot log in or configure
it. The IT team is concerned about the appliance receiving the necessary updates. Which of
the following mitigations should be performed to minimize the concern for the appliance
and updates?

A. Configuration management
B. Vulnerability scanning
C. Scan and patch the device
D. Automatic updates

Question 37:

Dion Training wants to reduce the management and administrative costs of using multiple
digital certificates for all of their subdomains of diontraining.com. Which of the following
solutions would allow the company to use one digital certificate for all of its subdomains?

A. Wildcards
B. CRL
C. Key escrow
D. OCSP

Question 38:

(Sample Simulation – On the real exam for this type of question, you would have to
rearrange the steps into the proper order by dragging and dropping them into place.)

You are working as part of a cyber incident response team. An ongoing attack has been
identified on your webserver. Your company wants to take legal action against the
criminals who have hacked your server, so they have brought a forensic analyst from the
FBI to collect the evidence from the server. In what order should the digital evidence be
collected based on the order of volatility?

A. Hard Drive or USB Drive, Swap File, Random Access Memory, Processor Cache
B. Processor Cache, Swap File, Random Access Memory, Hard Drive or USB Drive
C. Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive
D. Swap File, Processor Cache, Random Access Memory, Hard Drive or USB Drive

Question 39:

What information should be recorded on a chain of custody form during a forensic
investigation?

A. The list of individuals who made contact with files leading to the investigation
B. The list of former owners/operators of the workstation involved in the investigation
C. Any individual who worked with evidence during the investigation
D. The law enforcement agent who was first on the scene

Question 40:

You are attending a cybersecurity conference and just watched a security researcher
demonstrating the exploitation of a web interface on a SCADA/ICS component. This
caused the device to malfunction and be destroyed. You recognize that the same component
is used throughout your company’s manufacturing plants. Which of the following
mitigation strategies would provide you with the most immediate protection against this
emergent threat?

A. Demand that the manufacturer of the component release a patch immediately and deploy
the patch as soon as possible
B. Logically or physically isolate the SCADA/ICS component from the enterprise network
C. Evaluate if the web interface must remain open for the system to function; if it isn’t
needed, block the web interface
D. Replace the affected SCADA/ICS components with more secure models from a different
manufacturer

Question 41:

If an administrator cannot fully remediate a vulnerability, which of the following should
they implement?

A. A compensating control
B. An engineering tradeoff
C. A policy
D. Access requirements

Question 42:

What regulation protects the privacy of student educational records?

A. HIPAA
B. FERPA
C. SOX
D. GLBA

Question 43:

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the
following regulations would have the greatest impact on your bank's cybersecurity
program?

A. HIPAA
B. GLBA
C. FERPA
D. SOX

Question 44:

Dion Training has performed an assessment as part of their disaster recovery planning.
The assessment found that the organization's RAID takes, on average, about 8 hours to
repair when two drives within the RAID fail. Which of the following metrics would best
represent this time period?

A. RTO
B. RPO
C. MTTR
D. MTBF

Question 45:

Dion Training conducts weekly vulnerability scanning of their network and patches any
identified issues within 24 hours. Which of the following best describes the company's risk
response strategy?

A. Avoidance
B. Transference
C. Acceptance
D. Mitigation

Question 46:

Which of the following security policies could help detect fraudulent cases that occur even
when other security controls are already in place?

A. Separation of duties
B. Least privilege
C. Dual control
D. Mandatory vacations

Question 47:

After completing an assessment, you create a chart listing the associated risks based on the
vulnerabilities identified with your organization's privacy policy. The chart contains
listings such as high, medium, and low. It also utilizes red, yellow, and green colors based
on the likelihood and impact of a given incident. Which of the following types of
assessments did you just complete?

A. Quantitative risk assessment
B. Privacy assessment
C. Supply chain assessment
D. Qualitative risk assessment

Question 48:

A competitor recently bought Dion Training's ITIL 4 Foundation training course,
transcribed the video captions into a document, re-recorded the course exactly word for
word as an audiobook, then published this newly recorded audiobook for sale on Audible.
How would you classify this situation as a risk to Dion Training? Which of the following
terms would you use?

A. Mission essential function
B. IP theft
C. Data breach
D. Identity theft

Question 49:

Every new employee at Dion Training must sign a document to show they understand the
proper rules for using the company's computers. This document states that the new
employee has read the policy that dictates what can and cannot be done from the corporate
workstations. Which of the following documents BEST describes this policy?

A. MOU
B. AUP
C. SOW
D. SLA

Question 50:

What process is used to conduct an inventory of critical systems, components, and devices
within an organization?

A. Change management
B. Patch management
C. Asset management
D. Vulnerability management

Question 51:

Which of the following categories would contain information about a French citizen's race
or ethnic origin?

A. PII
B. SPI
C. PHI
D. DLP

Question 52:

Which of the following hashing algorithms results in a 160-bit fixed output?

A. MD-5
B. SHA-1
C. NTLM
D. SHA-2

Question 53:

You are helping to set up a backup plan for your organization. The current plan states that
all of the organization's servers must have a daily backup conducted. These backups are
then saved to a local NAS device. You have been asked to recommend a method to ensure
the backups will work when needed for restoration. Which of the following should you
recommend?

A. Create an additional copy of the backups in an off-site datacenter
B. Set up scripts to automatically reattempt any failed backup jobs
C. Frequently restore the server from backup files to test them
D. Attempt to restore to a test server from one of the backup files to verify them

Question 54:

To improve the Dion Training corporate network's security, a security administrator wants
to update the configuration of their wireless network to have IPSec built into the protocol
by default. Additionally, the security administrator would like for NAT to no longer be
required for extending the number of IP addresses available. What protocol should the
administrator implement on the wireless network to achieve their goals?

A. WEP
B. WPA2
C. IPv4
D. IPv6

Question 55:

Which of the following secure coding best practices ensures special characters like <, >, /,
and ' are not accepted from the user via a web form?

A. Session management
B. Output encoding
C. Error handling
D. Input validation

Question 56:

You suspect that your server has been the victim of a web-based attack. Which of the
following ports would most likely be seen in the logs to indicate the attack's target?

A. 389
B. 3389
C. 443
D. 21

Question 57:

You need to determine the best way to test operating system patches in a lab environment
before deploying them to your automated patch management system. Unfortunately, your
network has several different operating systems in use, but you only have one machine
available to test the patches on. What is the best environment to utilize to perform the
testing of the patches before deployment?

A. Sandboxing
B. Virtualization
C. Purchase additional workstations
D. Bypass testing and deploy patches directly into the production environment

Question 58:

You are conducting an incident response and have traced the attack source to some
compromised user credentials. After performing log analysis, you discover that the attacker
successfully authenticated from an unauthorized foreign country. Your management is
now asking you to implement a solution to help mitigate this type of attack from
occurring again. Which of the following should you implement?

A. Self-service password reset
B. Single sign-on
C. Context-based authentication
D. Password complexity

Question 59:

Michelle has just finished installing a new database application on her server. She then
proceeds to uninstall the sample configuration files, properly configures the application
settings, and updates the software to the latest version according to her company's policy.
What best describes the actions Michelle just took?

A. Patch management
B. Input validation
C. Application hardening
D. Vulnerability scanning

Question 60:

Which of the following protocols is commonly used to collect information about CPU
utilization and memory usage from network devices?

A. NetFlow
B. SMTP
C. MIB
D. SNMP

Question 61:

A supplier needs to connect several laptops to an organization’s network as part of their
service agreement. These laptops will be operated and maintained by the supplier. Victor, a
cybersecurity analyst for the organization, is concerned that these laptops could contain
some vulnerabilities that could weaken the network's security posture. What can Victor do
to mitigate the risk to other devices on the network without having direct administrative
access to the supplier’s laptops?

A. Scan the laptops for vulnerabilities and patch them
B. Increase the encryption level of VPN used by the laptops
C. Implement a jumpbox system
D. Require 2FA (two-factor authentication) on the laptops

Question 62:

Which of the following does a User Agent request a resource from when conducting a
SAML transaction?

A. Relying party (RP)
B. Identity provider (IdP)
C. Service provider (SP)
D. Single sign-on (SSO)

Question 63:

Which of the following ports should you block at the firewall if you want to prevent a
remote login to a server from occurring?

A. 23
B. 25
C. 110
D. 443

Question 64:

Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the
image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game
on the company’s computers. You have been asked to create a technical control to enforce the policy
(administrative control) that was recently published. What should you implement?

A. Application whitelist
B. Disable removable media
C. Application blacklist
D. Application hardening

Question 65:

Which of the following ports should you block at the firewall if you want to prevent a
remote login to a server from occurring?

A. 21
B. 22
C. 80
D. 143

Question 66:

A firewall administrator has configured a new DMZ to allow public systems to be
segmented from the organization's internal network. The firewall now has three security
zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted
(Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote
desktop access from a fixed IP on the remote network to a remote desktop server in the
DMZ for the Chief Security Officer to work from his home office after hours. The CSO's
home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a
public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?

A. Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389
B. Permit 143.27.43.32 161.212.71.14 RDP 3389
C. Permit 143.27.43.32 161.212.71.0/24 RDP 3389
D. Permit 143.27.43.0/24 161.212.71.14 RDP 3389

Question 67:

Which of the following technologies is NOT a shared authentication protocol?

A. OpenID Connect
B. LDAP
C. OAuth
D. Facebook Connect

Question 68:

Which operating system feature is designed to detect malware that is loaded early in the
system startup process or before the operating system can load itself?

A. Advanced anti-malware
B. Startup Control
C. Measured boot
D. Master Boot Record analytics

Question 69:

Which of the following password policies defines the number of previous passwords that
cannot be reused when resetting a user's password?

A. Password complexity
B. Password length
C. Password history
D. Password expiration

Question 70:

The management at Steven’s work is concerned about rogue devices being attached to the
network. Which of the following solutions would quickly provide the most accurate
information that Steve could use to identify rogue devices on a wired network?

A. A discovery scan using a port scanner
B. Router and switch-based MAC address reporting
C. A physical survey
D. Reviewing a central administration tool like a SCCM

Question 71:

What control provides the best protection against both SQL injection and cross-site
scripting attacks?

A. Hypervisors
B. Network layer firewalls
C. CSRF
D. Input validation

Question 72:

During which incident response phase is the preservation of evidence performed?

A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident activity

Question 73:

Which command on a macOS or Linux system is used to change the permissions of a file?

A. chmod
B. sudo
C. chown
D. pwd

Question 74:

You are in the recovery steps of an incident response. Your analysis revealed that the
attacker exploited an unpatched vulnerability on a public-facing web server as the initial
intrusion vector in this incident. Which of the following mitigations should be implemented
first during the recovery?

A. Disable unused user accounts and reset the administrator credentials
B. Restrict shell commands per user or per host for least privilege purposes
C. Scan the network for additional instances of this vulnerability and patch the affected
assets
D. Restrict host access to peripheral protocols like USB and Bluetooth

Question 75:

You have run a vulnerability scan and received the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

CVE-2011-3389

QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability

Check with: openssl s_client -connect login.diontraining.com:443 -tls1 -cipher "AES:CAMELLIA:SEED:3DES:DES"

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following categories should this be classified as?

A. PKI transfer vulnerability
B. Active Directory encryption vulnerability
C. Web application cryptography vulnerability
D. VPN tunnel vulnerability

Question 76:

Your organization has recently been the target of a spearphishing campaign. You have
identified the website associated with the link in the spearphishing emails and want to
block it. Which of the following techniques would be the MOST effective in this situation?

A. Containment
B. Application blacklist
C. URL filter
D. Quarantine

Question 77:

An attacker is searching in Google for Cisco VPN configuration files by using the
filetype:pcf modifier. The attacker could locate several of these configuration files and now
wants to decode any connectivity passwords that they might contain. What tool should the
attacker use?

A. Nmap
B. Nessus
C. Cain and Abel
D. Netcat

Question 78:

You are in the recovery steps of an incident response. Throughout the incident, your team
never successfully determined the root cause of the network compromise. Which of the
following options would you LEAST likely perform as part of your recovery and
remediation actions?

A. Disable unused user accounts
B. Review and enhance patch management policies
C. Proactively sanitize and reimage all of your routers and switches
D. Restrict host access to peripheral protocols like USB or Bluetooth

Question 79:

You are notified by an external organization that an IP address associated with your
company's email server has been sending spam emails requesting funds as part of a lottery
collection scam. An investigation into the incident reveals that the email account used
belonged to Connor from the sales department and that Connor's email account was only
used from one workstation. You analyze Connor's workstation and discover several unknown
processes running, but netflow analysis reveals no attempted lateral movement to other
workstations on the network. Which containment strategy would be most effective to use in
this scenario?

A. Isolate the workstation computer by disabling the switch port and reset Connor's
username/password
B. Isolate the network segment Connor is on and conduct a forensic review of all
workstations in the sales department
C. Unplug the workstation's network cable and conduct a complete reimaging of the
workstation
D. Request disciplinary action for Connor for causing this incident

Question 80:

Consider the following snippet from a log file collected on the host with the IP address of
10.10.3.6.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP

Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP

Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP

Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP

Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP

Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP

Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP

Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP

Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of activity occurred based on the output above?

A. Port scan targeting 10.10.3.2
B. Fragmentation attack targeting 10.10.3.6
C. Denial of service attack targeting 10.10.3.6
D. Port scan targeting 10.10.3.6