Question 1:
(Sample Simulation – On the real exam for this type of question, you would receive 3-5
pictures and be asked to drag and drop them into place next to the correct term.)
A. SYN flood
B. Smurf attack
C. Ping flood
D. DDoS
Question 2:
Ted, a file server administrator, has noticed that a large number of sensitive files have been
transferred from a corporate workstation to an IP address outside of the local area network. Ted
looks up the IP address and determines that it is located in a foreign country. Ted contacts his
company’s security analyst, who verifies that the workstation’s anti-malware solution is up-to-date,
and the network’s firewall is properly configured. What type of attack most likely occurred to
allow the exfiltration of the files from the workstation?
A. Session hijacking
B. Zero-day
C. MAC spoofing
D. Impersonation
Question 3:
You are reviewing the IDS logs and notice the following log entry:
A. XML injection
B. SQL injection
C. Header manipulation
D. Cross-site scripting
Question 4:
Your intrusion detection system has produced an alert based on its review of a series of
network packets. After analysis, it is determined that the network packets did not contain
any malicious activity. How should you classify this alert?
A. True positive
B. True negative
C. False positive
D. False negative
Question 5:
You are conducting threat hunting on your organization's network. Every workstation on
the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of
RAM, and the Windows 10 Enterprise operating system. You know from previous
experience that most of the workstations only use 40 GB of space on the hard drives since
most users save their files on the file server instead of the local workstation. You discovered
one workstation that has over 250 GB of data stored on it. Which of the following is a likely
hypothesis of what is happening, and how would you verify it?
A. The host might be the victim of a remote access trojan -- you should reimage the machine
immediately
B. The host might be used as a staging area for data exfiltration -- you should conduct
volume-based trend analysis on the host's storage device
C. The host might be offline and conducted backups locally -- you should contact a system
administrator to have it analyzed
D. The host might be used as a command and control node for a botnet -- you should
immediately disconnect the host from the network
Question 6:
Fail to Pass Systems has just become the latest victim in a large scale data breach by an
APT. Your initial investigation confirms a massive exfiltration of customer data has
occurred. Which of the following actions do you recommend to the CEO of Fail to Pass
Systems in handling this data breach?
A. Provide a statement to the press that minimizes the scope of the breach
B. Conduct notification to all affected customers within 72 hours of the discovery of the
breach
C. Purchase a cyber insurance policy, alter the date of the incident in the log files, and file
an insurance claim
D. Conduct a ‘hack-back' of the attacker in order to retrieve the stolen information
Question 7:
Several users have contacted the help desk to report that they received an email from a well-known
bank stating that their accounts have been compromised and they need to "click here" to reset
their banking password. Some of these users are not even customers of this particular bank,
though. Which of the following social engineering principles is being utilized as a part of this
phishing campaign?
A. Intimidation
B. Familiarity
C. Consensus
D. Urgency
Question 8:
You are conducting a code review of a program and observe that the calculation
0xffffffff + 1 was attempted, but the result was returned as 0x00000000. Based on this, what
type of exploit could be created against this program?
A. SQL injection
B. Impersonation
C. Integer overflow attack
D. Password spraying
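The wrap in the question, 0xffffffff + 1 becoming 0, is what fixed-width unsigned arithmetic does silently, and it becomes exploitable when the wrapped result feeds a length or size check. The following is an added example (not code from the question bank): Python's int never overflows, so ctypes.c_uint32 is used to model a 32-bit register, and the allocation routine, its MAX_BUF limit and the record size are hypothetical.

```python
"""Added example: 32-bit unsigned wrap-around and a size check it bypasses.
Python ints are arbitrary precision, so ctypes.c_uint32 models the C behaviour."""
import ctypes

U32_MAX = 0xFFFFFFFF
MAX_BUF = 1 << 20  # hypothetical 1 MiB cap on a buffer the program allocates


def add_u32(a: int, b: int) -> int:
    """Unchecked 32-bit unsigned addition: 0xffffffff + 1 -> 0."""
    return ctypes.c_uint32(a + b).value


def mul_u32(a: int, b: int) -> int:
    """Unchecked 32-bit unsigned multiplication, truncated like a C uint32_t."""
    return ctypes.c_uint32(a * b).value


def checked_add_u32(a: int, b: int) -> int:
    """Same addition, but refuse to continue when the true sum needs more than 32 bits."""
    total = a + b
    if total > U32_MAX:
        raise OverflowError(f"0x{a:08x} + 0x{b:08x} does not fit in 32 bits")
    return total


def buffer_size_vulnerable(count: int, record_size: int) -> int:
    """Hypothetical allocator: computes count * record_size in 32-bit arithmetic
    and only then compares against MAX_BUF. An attacker-chosen count wraps the
    product to a tiny value, passes the check, and gets a buffer far smaller
    than the data that will later be copied into it."""
    size = mul_u32(count, record_size)
    if size > MAX_BUF:
        raise ValueError("request too large")
    return size


def buffer_size_fixed(count: int, record_size: int) -> int:
    """Bound the operands before multiplying, so the product can never wrap."""
    if record_size == 0 or count > MAX_BUF // record_size:
        raise ValueError("request too large")
    return count * record_size


if __name__ == "__main__":
    print(hex(add_u32(0xFFFFFFFF, 1)))              # 0x0
    evil_count = (1 << 28) + 1                      # evil_count * 16 == 2**32 + 16
    print(buffer_size_vulnerable(evil_count, 16))   # 16: the cap was bypassed
    try:
        buffer_size_fixed(evil_count, 16)
    except ValueError as exc:
        print("rejected:", exc)
```

The fixed version checks the operands rather than the product; checking the already-wrapped product, as the vulnerable version does, is the classic mistake behind heap overflows that start life as integer overflows.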
Question 9:
Which of the following methods should a cybersecurity analyst use to locate any instances
on the network where passwords are being sent in cleartext?
Question 10:
A cybersecurity analyst notices that an attacker is trying to crack the WPS PIN associated
with a wireless printer. The device logs show that the attacker tried 00000000, 00000001,
00000002, and continued to increment the value by 1 each time until they found the correct
PIN of 13252342. Which of the following types of password cracking was being performed
by the attacker?
A. Rainbow table
B. Dictionary
C. Hybrid
D. Brute-force
Question 11:
Several users have contacted the help desk to report that they received an email from a
well-known bank stating that their accounts have been compromised and they need to
"click here" to reset their banking password. Some of these users are not even customers of
this particular bank, though. Which of the following best describes this type of attack?
A. Phishing
B. Spear phishing
C. Whaling
D. Brute force
Question 12:
During your annual cybersecurity awareness training in your company, the instructor states that employees
should be careful about what information they post on social media. According to the instructor, if you post
too much personal information on social media, such as your name, birthday, hometown, and other personal
details, it is much easier for an attacker to conduct which type of attack to break your passwords?
A. Birthday attack
B. Brute force attack
C. Cognitive password attack
D. Rainbow table attack
Question 13:
You are creating a script to filter some logs so that you can detect any suspected malware
beaconing. Which of the following is NOT a typical means of identifying malware
beaconing behavior on the network?
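One of the typical means the question alludes to is interval analysis: an implant that calls home on a timer produces connections to the same destination at near-constant gaps, while human-driven traffic is bursty. The script below is an added example, not the one the question describes; the log format and the log lines are constructed, and the thresholds (five connections, coefficient of variation at most 0.15) are illustrative.

```python
"""Added example: flag (src, dst) pairs whose outbound connections recur at
regular intervals, a common beaconing signature. Log lines are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "ISO-timestamp src dst", one outbound connection per line.
SAMPLE_LOG = """\
2020-06-12T09:00:00 10.10.3.6 203.0.113.9
2020-06-12T09:00:07 10.10.3.6 198.51.100.20
2020-06-12T09:01:00 10.10.3.6 203.0.113.9
2020-06-12T09:02:01 10.10.3.6 203.0.113.9
2020-06-12T09:02:45 10.10.3.6 198.51.100.20
2020-06-12T09:02:59 10.10.3.6 203.0.113.9
2020-06-12T09:04:00 10.10.3.6 203.0.113.9
2020-06-12T09:05:02 10.10.3.6 203.0.113.9
2020-06-12T09:09:30 10.10.3.6 198.51.100.20
"""


def parse_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def find_beacons(text, min_connections=5, max_cv=0.15):
    """Return {(src, dst): (mean_gap_seconds, cv)} for pairs whose inter-connection
    gaps are regular. cv is stdev/mean: a timer with little jitter sits near 0,
    user-driven traffic scores much higher. Thresholds are illustrative."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        stamps_by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[pair] = (mean, cv)
    return beacons


if __name__ == "__main__":
    for (src, dst), (mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {mean:.0f}s (cv={cv:.2f})")
```

In the constructed data, 10.10.3.6 reaches 203.0.113.9 roughly every 60 seconds and is flagged; the three visits to 198.51.100.20 fall below the minimum count. Real implants add jitter to defeat exactly this check, which is why beacon hunting also looks at constant payload sizes, unusual user agents and long-lived low-volume sessions.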
Question 14:
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create
an alert to detect when an employee from one bank office logs into a workstation located at
an office in another state. What type of detection and analysis is Alexa configuring?
A. Trend
B. Anomaly
C. Heuristic
D. Behavior
Question 15:
Nick is participating in a security exercise as part of the network defense team for his
organization. Which team is Nick playing on?
A. Red team
B. White team
C. Blue team
D. Yellow team
Question 16:
Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which
went out of business due to a series of data breaches. As a cybersecurity analyst for
Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure.
During your analysis, you discover the following URL is used to access an application:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
https://www.whamiedyne.com/app/accountInfo?acct=12345
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
You change the URL to end with 12346 and notice that a different user's account
information is now displayed. Which of the following types of vulnerabilities or threats have
you discovered?
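The accountInfo?acct=N handler described above is an insecure direct object reference: the server trusts the identifier in the URL and never checks who owns the record. The following is an added example, not Whamiedyne's code, showing the vulnerable lookup next to one that enforces ownership; the account table, the session user name and the parameter parser are constructed for the illustration.

```python
"""Added example: the vulnerable direct-object lookup from the question and a
hardened version. Account data and session user are constructed sample values."""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Account:
    acct: int
    owner: str
    balance: int


# Constructed sample table; the real application would query a database.
ACCOUNTS = {
    12345: Account(12345, "alice", 1500),
    12346: Account(12346, "bob", 9800),
}


def parse_acct(query: str) -> int:
    """Pull the acct parameter out of a query string such as 'acct=12346' and
    accept only a single plain integer. Validation alone does not fix the IDOR:
    12346 is perfectly valid, it just belongs to someone else."""
    values = parse_qs(query, strict_parsing=True).get("acct", [])
    if len(values) != 1 or not values[0].isdigit():
        raise ValueError("acct must be a single integer")
    return int(values[0])


def account_info_vulnerable(acct: int) -> Account:
    """Trusts the identifier alone: any logged-in user who edits 12345 to 12346
    in the URL receives bob's record."""
    try:
        return ACCOUNTS[acct]
    except KeyError:
        raise LookupError("no such account") from None


def account_info_secure(session_user: str, acct: int) -> Account:
    """Same lookup, but the record is returned only if it belongs to the caller.
    The check is on the object's owner field, server-side; hiding or obfuscating
    the acct parameter would not be a fix."""
    record = ACCOUNTS.get(acct)
    # One error for both "missing" and "not yours", so the endpoint cannot be
    # used to enumerate which account numbers exist.
    if record is None or record.owner != session_user:
        raise PermissionError("account not found or not accessible")
    return record


if __name__ == "__main__":
    tampered = parse_acct("acct=12346")
    print(account_info_vulnerable(tampered).owner)        # bob
    try:
        account_info_secure("alice", tampered)
    except PermissionError as exc:
        print("refused:", exc)
```

A quick test for this class of bug during an assessment is exactly what the question describes: log in as one user, change the object identifier, and see whether another user's data comes back.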
Based on the report above, which of the following servers do you suspect has been
compromised and should be investigated further?
A. web01
B. webdev02
C. dbsvr01
D. marketing01
Question 19:
Which of the following methods is used to collect information during passive reconnaissance?
A. Social engineering
B. Network traffic sniffing
C. Man in the middle attacks
D. Publicly accessible sources
Question 20:
Dave's company utilizes Google's G Suite environment for file sharing and office
productivity, Slack for internal messaging, and AWS for hosting its web servers. Which
of the following types of cloud deployment models is being used?
A. Multi-cloud
B. Community
C. Private
D. Public
Question 21:
You want to create a new mobile application and develop it in the cloud. You just signed up
for a cloud-based service provider's offering to allow you to develop it using their
programming environment. Which of the following best describes which type of service you
have just purchased?
A. DaaS
B. PaaS
C. IaaS
D. SaaS
Question 22:
Which of the following biometric authentication factors relies on matching patterns on the
eye's surface using near-infrared imaging?
A. Retinal scan
B. Facial recognition
C. Iris scan
D. Pupil dilation
Question 23:
A. MD-5
B. SHA-1
C. RIPEMD
D. SHA-2
Question 24:
You are working as part of the server team for an online retail store. Due to the upcoming
holidays, your boss is worried that the current servers may not be able to handle the
increased demand during a big sale. Which of the following cloud computing concepts can
quickly allow services to scale upward during busy periods and scale down during slower
periods based on the changing user demand?
A. Resource pooling
B. On-demand
C. Rapid elasticity
D. Metered services
Question 25:
Which term is used in software development to refer to the method in which app and
platform updates are committed to a production environment rapidly?
A. Continuous delivery
B. Continuous integration
C. Continuous deployment
D. Continuous monitoring
Question 26:
You want to create a website for your new technical support business. You decide to
purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on
it to run your website. Which of the following best describes which type of service you have
just purchased?
A. DaaS
B. PaaS
C. IaaS
D. SaaS
Question 27:
Which of the following is the most important feature to consider when designing a system
on a chip?
Question 28:
You are developing a containment and remediation strategy to prevent the spread of an
APT within your network. Your plan suggests creating a mirror of the company’s
databases, routing all externally sourced network traffic to it, and gradually updating with
pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data.
Once the attacker has downloaded the corrupted database, your company would then
conduct remediation actions on the network and restore the correct database information
to the production system. Which of the following types of containment strategies does the
plan utilize?
Question 29:
Sarah is working at a startup that is focused on making secure banking apps for
smartphones. Her company needs to select an asymmetric encryption algorithm to encrypt
the data being used by the app. Due to the need for high security of the banking data, the
company needs to ensure that whatever encryption they use is considered strong, but also
need to minimize the processing power required since it will be running on a mobile device
with lower computing power. Which algorithm should Sarah choose to provide the same
level of high encryption strength with a lower overall key length?
A. Diffie-Hellman
B. RSA
C. ECC
D. Twofish
Question 30:
Frank and John have started a secret club together. They want to ensure that when they
send messages to each other, they are truly unbreakable. What encryption key would
provide the STRONGEST and MOST secure encryption?
Question 31:
You have recently been hired as a security analyst at Dion Training. On your first day,
your supervisor begins to explain the way their network is configured, showing you the
physical and logical placement of each firewall, IDS sensor, host-based IPS installations,
the networked spam filter, and the DMZ. What best describes how these various devices
are placed into the network for the highest level of security?
A. Network segmentation
B. Defense in depth
C. UTM
D. Load balancer
Question 32:
Which of the following vulnerabilities involves leveraging access from a single virtual
machine to other machines on a hypervisor?
A. VM escape
B. VM migration
C. VM sprawl
D. VM data remnant
Question 33:
Your company has just finished replacing all of its computers with brand new
workstations. Colleen, one of your coworkers, has asked the company's owner if she can
have the old computers that are about to be thrown away. Colleen would like to refurbish
the old computers by reinstalling a new operating system and donate them to a local
community center for disadvantaged children in the neighborhood. The owner thinks this
is a great idea but is concerned that the private and sensitive corporate data on the old
computer’s hard drives might be placed at risk of exposure. You have been asked to choose
the best solution to sanitize or destroy the data while ensuring the computers will still be
usable by the community center. What type of data destruction or sanitization method do
you recommend?
A. Degaussing
B. Wiping
C. Purging
D. Shredding
Question 34:
A. AES
B. RC4
C. DSA
D. DES
Question 35:
A. AES
B. RC4
C. Blowfish
D. DES
Question 36:
A. Configuration management
B. Vulnerability scanning
C. Scan and patch the device
D. Automatic updates
Question 37:
Dion Training wants to reduce the management and administrative costs of using multiple
digital certificates for all of their subdomains of diontraining.com. Which of the following
solutions would allow the company to use one digital certificate for all of its subdomains?
A. Wildcards
B. CRL
C. Key escrow
D. OCSP
Question 38:
(Sample Simulation – On the real exam for this type of question, you would have to
rearrange the steps into the proper order by dragging and dropping them into place.)
You are working as part of a cyber incident response team. An ongoing attack has been
identified on your webserver. Your company wants to take legal action against the
criminals who have hacked your server, so they have brought a forensic analyst from the
FBI to collect the evidence from the server. In what order should the digital evidence be
collected based on the order of volatility?
A. Hard Drive or USB Drive, Swap File, Random Access Memory, Processor Cache
B. Processor Cache, Swap File, Random Access Memory, Hard Drive or USB Drive
C. Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive
D. Swap File, Processor Cache, Random Access Memory, Hard Drive or USB Drive
Question 39:
A. The list of individuals who made contact with files leading to the investigation
B. The list of former owners/operators of the workstation involved in the investigation
C. Any individual who worked with evidence during the investigation
D. The law enforcement agent who was first on the scene
Question 40:
You are attending a cybersecurity conference and just watched a security researcher
demonstrating the exploitation of a web interface on a SCADA/ICS component. This
caused the device to malfunction and be destroyed. You recognize that the same component
is used throughout your company’s manufacturing plants. Which of the following
mitigation strategies would provide you with the most immediate protection against this
emergent threat?
A. Demand that the manufacturer of the component release a patch immediately and deploy
the patch as soon as possible
B. Logically or physically isolate the SCADA/ICS component from the enterprise network
C. Evaluate if the web interface must remain open for the system to function; if it isn’t
needed, block the web interface
D. Replace the affected SCADA/ICS components with more secure models from a different
manufacturer
Question 41:
A. A compensating control
B. An engineering tradeoff
C. A policy
D. Access requirements
Question 42:
A. HIPAA
B. FERPA
C. SOX
D. GLBA
Question 43:
You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the
following regulations would have the greatest impact on your bank's cybersecurity
program?
A. HIPAA
B. GLBA
C. FERPA
D. SOX
Question 44:
Dion Training has performed an assessment as part of their disaster recovery planning.
The assessment found that the organization's RAID takes, on average, about 8 hours to
repair when two drives within the RAID fail. Which of the following metrics would best
represent this time period?
A. RTO
B. RPO
C. MTTR
D. MTBF
Question 45:
Dion Training conducts weekly vulnerability scanning of their network and patches any
identified issues within 24 hours. Which of the following best describes the company's risk
response strategy?
A. Avoidance
B. Transference
C. Acceptance
D. Mitigation
Question 46:
Which of the following security policies could help detect fraudulent cases that occur even
when other security controls are already in place?
A. Separation of duties
B. Least privilege
C. Dual control
D. Mandatory vacations
Question 47:
After completing an assessment, you create a chart listing the associated risks based on the
vulnerabilities identified with your organization's privacy policy. The chart contains
listings such as high, medium, and low. It also utilizes red, yellow, and green colors based
on the likelihood and impact of a given incident. Which of the following types of
assessments did you just complete?
Question 49:
Every new employee at Dion Training must sign a document to show they understand the
proper rules for using the company's computers. This document states that the new
employee has read the policy that dictates what can and cannot be done from the corporate
workstations. Which of the following documents BEST describes this policy?
A. MOU
B. AUP
C. SOW
D. SLA
Question 50:
What process is used to conduct an inventory of critical systems, components, and devices
within an organization?
A. Change management
B. Patch management
C. Asset management
D. Vulnerability management
Question 51:
Which of the following categories would contain information about a French citizen's race
or ethnic origin?
A. PII
B. SPI
C. PHI
D. DLP
Question 52:
A. MD-5
B. SHA-1
C. NTLM
D. SHA-2
Question 53:
You are helping to set up a backup plan for your organization. The current plan states that
all of the organization's servers must have a daily backup conducted. These backups are
then saved to a local NAS device. You have been asked to recommend a method to ensure
the backups will work when needed for restoration. Which of the following should you
recommend?
Question 54:
To improve the Dion Training corporate network's security, a security administrator wants
to update the configuration of their wireless network to have IPSec built into the protocol
by default. Additionally, the security administrator would like for NAT to no longer be
required for extending the number of IP addresses available. What protocol should the
administrator implement on the wireless network to achieve their goals?
A. WEP
B. WPA2
C. IPv4
D. IPv6
Question 55:
Which of the following secure coding best practices ensures special characters like <, >, /,
and ‘ are not accepted from the user via a web form?
A. Session management
B. Output encoding
C. Error handling
D. Input validation
Question 56:
You suspect that your server has been the victim of a web-based attack. Which of the
following ports would most likely be seen in the logs to indicate the attack's target?
A. 389
B. 3389
C. 443
D. 21
Question 57:
You need to determine the best way to test operating system patches in a lab environment
before deploying them to your automated patch management system. Unfortunately, your
network has several different operating systems in use, but you only have one machine
available to test the patches on. What is the best environment to utilize to perform the
testing of the patches before deployment?
A. Sandboxing
B. Virtualization
C. Purchase additional workstations
D. Bypass testing and deploy patches directly into the production environment
Question 58:
You are conducting an incident response and have traced the attack source to some
compromised user credentials. After performing log analysis, you discover that the attack
was successfully authenticated from an unauthorized foreign country. Your management is
now asking for you to implement a solution to help mitigate this type of attack from
occurring again. Which of the following should you implement?
Question 59:
Michelle has just finished installing a new database application on her server. She then
proceeds to uninstall the sample configuration files, properly configures the application
settings, and updates the software to the latest version according to her company's policy.
What best describes the actions Michelle just took?
A. Patch management
B. Input validation
C. Application hardening
D. Vulnerability scanning
Question 60:
Which of the following protocols is commonly used to collect information about CPU
utilization and memory usage from network devices?
A. NetFlow
B. SMTP
C. MIB
D. SNMP
Question 61:
Which of the following does a User Agent request a resource from when conducting a
SAML transaction?
Question 63:
Which of the following ports should you block at the firewall if you want to prevent a
remote login to a server from occurring?
A. 23
B. 25
C. 110
D. 443
Question 64:
Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the
image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game
on the company’s computers. You have been asked to create a technical control to enforce the policy
(administrative control) that was recently published. What should you implement?
A. Application whitelist
B. Disable removable media
C. Application blacklist
D. Application hardening
Question 65:
Which of the following ports should you block at the firewall if you want to prevent a
remote login to a server from occurring?
A. 21
B. 22
C. 80
D. 143
Question 66:
Question 67:
A. OpenID Connect
B. LDAP
C. OAuth
D. Facebook Connect
Question 68:
Which operating system feature is designed to detect malware that is loaded early in the
system startup process or before the operating system can load itself?
A. Advanced anti-malware
B. Startup Control
C. Measured boot
D. Master Boot Record analytics
Question 69:
Which of the following password policies defines the number of previous passwords that
cannot be reused when resetting a user's password?
A. Password complexity
B. Password length
C. Password history
D. Password expiration
Question 70:
The management at Steven's work is concerned about rogue devices being attached to the
network. Which of the following solutions would quickly provide the most accurate
information that Steven could use to identify rogue devices on a wired network?
Question 71:
What control provides the best protection against both SQL injection and cross-site
scripting attacks?
A. Hypervisors
B. Network layer firewalls
C. CSRF
D. Input validation
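Input validation is the answer to both this question and the earlier one about rejecting characters such as <, >, / and ', but in practice it is the first layer, not the only one: a parameterised query stops SQL injection even when validation is bypassed, and output encoding stops cross-site scripting at the point the value is rendered. The following is an added example, not from the question bank; the username policy, the in-memory sqlite3 table and the greeting template are constructed for the illustration.

```python
"""Added example: allowlist validation, a parameterised query and HTML output
encoding side by side, with the string-built query they replace. The user
table is constructed in memory."""
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed username policy


def validate_username(value: str) -> str:
    """Allowlist validation: only the characters a username may contain get
    through, so <, >, ', / and friends are rejected before any other code runs."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_role_vulnerable(db, name: str) -> list:
    """String-built query: name = "x' OR '1'='1" returns every row."""
    rows = db.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def find_role_safe(db, name: str) -> list:
    """Parameterised query: the driver sends name as data, never as SQL text."""
    rows = db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def render_greeting(name: str) -> str:
    """Output encoding for the HTML body context. This complements validation;
    a value that is safe in SQL can still be dangerous when echoed into a page."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(find_role_vulnerable(db, payload))   # ['admin', 'user']: injection worked
    print(find_role_safe(db, payload))         # []: treated as a literal name
    try:
        validate_username(payload)
    except ValueError as exc:
        print("validation rejected it:", exc)
    print(render_greeting("<script>alert(1)</script>"))
```

Note the order of defences: validation runs first and is the exam's answer, but the parameterised query and the encoder are what keep the application safe for the inputs that validation must legitimately allow (a surname with an apostrophe, for instance).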
Question 72:
A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident activity
Question 73:
Which command on a macOS or Linux system is used to change the permissions of a file?
A. chmod
B. sudo
C. chown
D. pwd
Question 74:
You are in the recovery steps of an incident response. Your analysis revealed that the
attacker exploited an unpatched vulnerability on a public-facing web server as the initial
intrusion vector in this incident. Which of the following mitigations should be implemented
first during the recovery?
Question 75:
You have run a vulnerability scan and received the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
CVE-2011-3389
QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Question 76:
Your organization has recently been the target of a spearphishing campaign. You have
identified the website associated with the link in the spearphishing emails and want to
block it. Which of the following techniques would be the MOST effective in this situation?
A. Containment
B. Application blacklist
C. URL filter
D. Quarantine
Question 77:
An attacker is searching in Google for Cisco VPN configuration files by using the
filetype:pcf modifier. The attacker could locate several of these configuration files and now
wants to decode any connectivity passwords that they might contain. What tool should the
attacker use?
A. Nmap
B. Nessus
C. Cain and Abel
D. Netcat
Question 78:
You are in the recovery steps of an incident response. Throughout the incident, your team
never successfully determined the root cause of the network compromise. Which of the
following options would you LEAST likely perform as part of your recovery and
remediation actions?
Question 79:
You are notified by an external organization that an IP address associated with your
company's email server has been sending spam emails requesting funds as part of a lottery
collection scam. An investigation into the incident reveals that the email account used
belonged to Connor from the sales department and that Connor's email account was only used from
one workstation. You analyze Connor's workstation and discover several unknown
processes running, but netflow analysis reveals no attempted lateral movement to other
workstations on the network. Which containment strategy would be most effective to use in
this scenario?
A. Isolate the workstation computer by disabling the switch port and reset Connor's
username/password
B. Isolate the network segment Connor is on and conduct a forensic review of all
workstations in the sales department
C. Unplug the workstation's network cable and conduct a complete reimaging of the
workstation
D. Request disciplinary action for Connor for causing this incident
Question 80:
Consider the following snippet from a log file collected on the host with the IP address of
10.10.3.6.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
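The snippet shows one source walking through ports 20, 21, 22, 23, 25 and 80 on 10.10.3.6 two seconds apart, which is the pattern of a port scan rather than normal client traffic. The following is an added example (not part of the question) that parses the exact lines above and flags a source touching many distinct ports on one host inside a short window; the thresholds of five ports in sixty seconds are illustrative.

```python
"""Added example: parse the question's log lines and detect a port scan as
one source probing many distinct ports on one destination within a window."""
import re
from collections import defaultdict
from datetime import datetime

# The six lines shown in the question, reproduced as the sample input.
LOG = """\
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
"""

LINE_RE = re.compile(
    r"Time:\s*(?P<time>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"Port:\s*(?P<port>\d+)\s+Source:\s*(?P<src>[\d.]+)\s+"
    r"Destination:\s*(?P<dst>[\d.]+)\s+Protocol:\s*(?P<proto>\w+)"
)


def parse_line(line: str):
    """Return a dict with parsed fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%b %d, %Y %H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def detect_port_scans(text: str, min_ports: int = 5, window_s: int = 60) -> dict:
    """Return {(src, dst): sorted ports} for every pair where one source reached
    at least min_ports distinct ports on one destination within window_s seconds.
    Thresholds are illustrative; tune them to the network's normal traffic."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            events[(rec["src"], rec["dst"])].append((rec["time"], rec["port"]))
    scans = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):            # sliding window over time-ordered events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                scans[pair] = sorted({p for _, p in evs})
                break
    return scans


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(LOG).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

The same parser is a reasonable starting point for the follow-up questions an analyst would ask of this log: whether 10.10.3.2 went on to establish a session on any of those ports, and whether it probed other hosts on 10.10.3.0/24 in the same minute.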