Updated CompTIA Security+ SY0-501 Exam Questions

1. During an incident, a company’s CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC.

Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?

2. An organization has a policy in place that states the person who approves firewall controls/changes cannot be the one implementing the changes.

Which of the following is this an example of?

3. An organization just experienced a major cyberattack incident. The attack was well coordinated, sophisticated, and highly skilled.

Which of the following targeted the organization?

4. HOTSPOT

The security administration has installed a new firewall which implements an implicit DENY policy by default.



INSTRUCTIONS

Click on the firewall and configure it to allow ONLY the following communication:

- The Accounting workstation can ONLY access the web server on the public network over the default HTTPS port. The accounting workstation should not access other networks.

- The HR workstation should be restricted to communicate with the Financial server ONLY, over the default SCP port.

- The Admin workstation should ONLY be able to access the server on the secure network over the default TFTP port.

The firewall will process the rules in a top-down manner in order as a first match. The port number must be typed in and only one port number can be entered per rule. Type ANY for all ports.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

5. An organization has decided to host its web application and database in the cloud.

Which of the following BEST describes the security concerns for this decision?

6. Which of the following describes the ability of code to target a hypervisor from inside a guest OS?

7. An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments.

Which of the following BEST explains the appliance’s vulnerable state?

8. Which of the following BEST describes a security exploit for which a vendor patch is not readily available?

9. A systems administrator needs to install the same X.509 certificate on multiple servers.

Which of the following should the administrator use?

10. A network administrator has been alerted that web pages are experiencing long load times.

After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output:





Which of the following is the router experiencing?

11. The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to work from home anytime during business hours, including during a pandemic or crisis. However, the CEO is concerned that some staff members may take advantage of the flexibility and work from high-risk countries while on holiday or outsource work to a third-party organization in another country. The Chief Information Officer (CIO) believes the company can implement some basic controls to mitigate the majority of the risk.

Which of the following would be BEST to mitigate the CEO’s concerns? (Choose two.)

12. Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack?

13. While reviewing the wireless router, the systems administrator of a small business determines someone is spoofing the MAC address of an authorized device.

Given the table below:





Which of the following should be the administrator’s NEXT step to detect if there is a rogue system without impacting availability?

14. A university is opening a facility in a location where there is an elevated risk of theft. The university wants to protect the desktops in its classrooms and labs.

Which of the following should the university use to BEST protect these assets deployed in the facility?

15. Which of the following is the primary reason for implementing layered security measures in a cybersecurity architecture?

16. Which of the following attacks can be used to exploit a vulnerability that was created by untrained users?

17. A company uses an enterprise desktop imaging solution to manage deployment of its desktop computers. Desktop computer users are only permitted to use software that is part of the baseline image.

Which of the following technical solutions was MOST likely deployed by the company to ensure only known-good software can be installed on corporate desktops?

18. A company recently experienced a security incident in which its domain controllers were the target of a DoS attack.

In which of the following steps should technicians connect domain controllers to the network and begin authenticating users again?

19. Which of the following explains why a vulnerability scan might return a false positive?

20. An organization has implemented a two-step verification process to protect user access to data that is stored in the cloud. Each employee now uses an email address or mobile number to receive a code to access the data.

Which of the following authentication methods did the organization implement?

21. Which of the following policies would help an organization identify and mitigate potential single points of failure in the company’s IT/security operations?

22. Which of the following may indicate a configuration item has reached end-of-life?

23. Using an ROT13 cipher to protect confidential information for unauthorized access is known as:

24. A company is implementing a tool to mask all PII when moving data from a production server to a testing server.

Which of the following security techniques is the company applying?

25. A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior.

After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output:





Which of the following BEST describes the attack the company is experiencing?

26. A technician needs to document which application versions are listening on open ports.

Which of the following is MOST likely to return the information the technician needs?

27. A government contracting company issues smartphones to employees to enable access to corporate resources. Several employees will need to travel to a foreign country for business purposes and will require access to their phones. However, the company recently received intelligence that its intellectual property is highly desired by the same country’s government.

Which of the following MDM configurations would BEST reduce the disk of compromise while on foreign soil?

28. A security analyst is performing a manual audit of captured data from a packet analyzer. The analyst looks for Base64 encoded strings and applies the filter http.authbasic.

Which of the following BEST describes what the analyst is looking for?

29. Which of the following impacts are associated with vulnerabilities in embedded systems? (Choose two.)

30. Given the output:





Which of the following account management practices should the security engineer use to mitigate the identified risk?

31. An organization wants to separate permissions for individuals who perform system changes from individuals who perform auditing of those system changes.

Which of the following access control approaches is BEST suited for this?

32. Which of the following concepts ensure ACL rules on a directory are functioning as expected? (Choose two.)

33. A datacenter engineer wants to ensure an organization’s servers have high speed and high redundancy and can sustain the loss of two physical disks in an array.

Which of the following RAID configurations should the engineer implement to deliver this functionality?

34. An organization requires secure configuration baselines for all platforms and technologies that are used. If any system cannot conform to the secure baseline, the organization must process a risk acceptance and receive approval before the system is placed into production. It may have non-conforming systems in its lower environments (development and staging) without risk acceptance, but must receive risk approval before the system is placed in production. Weekly scan reports identify systems that do not conform to any secure baseline.

The application team receives a report with the following results:





There are currently no risk acceptances for baseline deviations. This is a mission-critical application, and the organization cannot operate if the application is not running. The application fully functions in the development and staging environments.

Which of the following actions should the application team take?

35. A company is having issues with intellectual property being sent to a competitor from its system. The information being sent is not random but has an identifiable pattern.

Which of the following should be implemented in the system to stop the content from being sent?

36. A network technician needs to monitor and view the websites that are visited by an employee. The employee is connected to a network switch.

Which of the following would allow the technician to monitor the employee’s web traffic?

37. A security administrator is adding a NAC requirement for all VPN users to ensure the connecting devices are compliant with company policy.

Which of the following items provides the HIGHEST assurance to meet this requirement?

38. A company wants to configure its wireless network to require username and password authentication.

Which of the following should the systems administrator implement?

39. An organization is struggling to differentiate threats from normal traffic and access to systems. A security engineer has been asked to recommend a system that will aggregate data and provide metrics that will assist in identifying malicious actors or other anomalous activity throughout the environment.

Which of the following solutions should the engineer recommend?

40. The concept of connecting a user account across the systems of multiple enterprises is BEST known as:

41. A junior systems administrator noticed that one of two hard drives in a server room had a red error notification. The administrator removed the hard drive to replace it but was unaware that the server was configured in an array.

Which of the following configurations would ensure no data is lost?

42. Joe, a user at a company, clicked an email link that led to a website that infected his workstation. Joe was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and it has continued to evade detection.

Which of the following should a security administrator implement to protect the environment from this malware?

43. A systems administrator wants to implement a secure wireless network requiring wireless clients to pre-register with the company and install a PKI client certificate prior to being able to connect to the wireless network.

Which of the following should the systems administrator configure?

44. A systems administrator wants to replace the process of using a CRL to verify certificate validity. Frequent downloads are becoming problematic.

Which of the following would BEST suit the administrator’s needs?

45. Which of the following attacks can be mitigated by proper data retention policies?

46. Resolve issues at the DR site.

The ruleset order cannot be modified due to outside constraints.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

47. DRAG DROP

A security engineer is setting up passwordless authentication for the first time.



INSTRUCTIONS

Use the minimum set of commands to set this up and verify that it works. Commands cannot be reused.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

48. A security analyst discovers that a company’s username and password database was posted on an Internet forum. The username and passwords are stored in plain text.

Which of the following would mitigate the damage done by this type of data exfiltration in the future?

49. While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior.

Which of the following is MOST likely occurring?

50. A consultant is configuring a vulnerability scanner for a large, global organization in multiple countries. The consultant will be using a service account to scan systems with administrative privileges on a weekly basis, but there is a concern that hackers could gain access to the account and pivot throughout the global network.

Which of the following would be BEST to help mitigate this concern?

51. The IT department’s on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities.

Which of the following would BEST help the team ensure the application is ready to be released to production?

52. In a lessons-learned report, it is suspected that a well-organized, well-funded, and extremely sophisticated group of attackers may have been responsible for a breach at a nuclear facility.

Which of the following describes the type of actors that may have been implicated?

53. The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve security in the environment and protect patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed.

Which of the following is the MOST likely cause of the CRO’s concerns?

54. Which of the following control types are alerts sent from a SIEM fulfilling based on vulnerability signatures?

55. An attacker is attempting to harvest user credentials on a client’s website. A security analyst notices multiple attempts of random usernames and passwords.

When the analyst types in a random username and password, the logon screen displays the following message:





Which of the following should the analyst recommend be enabled?

56. A root cause analysis reveals that a web application outage was caused by one of the company’s developers uploading a newer version of the third-party libraries that were shared among several applications.

Which of the following implementations would be BEST to prevent this issue from reoccurring?

57. A systems administrator is implementing a remote access method for the system that will utilize GUI.

Which of the following protocols would be BEST suited for this?

58. A systems administrator wants to configure an enterprise wireless solution that supports authentication over HTTPS and wireless encryption using AES.

Which of the following should the administrator configure to support these requirements? (Choose two.)

59. During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts.

With which of the following is the auditor MOST likely concerned?

60. When a malicious user is able to retrieve sensitive information from RAM, the programmer has failed to implement:

61. A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers.

Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:

62. After patching computers with the latest application security patches/updates; users are unable to open certain applications.

Which of the following will correct the issue?

63. A company that processes sensitive information has implemented a BYOD policy and an MDM solution to secure sensitive data that is processed by corporate and personally owned mobile devices.

Which of the following should the company implement to prevent sensitive data from being stored on mobile devices?

64. A security analyst needs to be proactive in understanding the types of attacks that could potentially target the company’s executives.

Which of the following intelligence sources should the security analyst review?

65. A threat actor motivated by political goals that is active for a short period of time but has virtually unlimited resources is BEST categorized as a:

66. Which of the following vulnerabilities can lead to unexpected system behavior, including the bypassing of security controls, due to differences between the time of commitment and the time of execution?

67. A coffee company has hired an IT consultant to set up a WiFi network that will provide Internet access to customers who visit the company’s chain of cafés. The coffee company has provided no requirements other than that customers should be granted access after registering via a web form and accepting the terms of service.

Which of the following is the MINIMUM acceptable configuration to meet this single requirement?

68. An analyst has determined that a server was not patched and an external actor exfiltrated data on port 139.

Which of the following sources should the analyst review to BEST ascertain how the incident could have been prevented?

69. A technician has been asked to document which services are running on each of a collection of 200 servers.

Which of the following tools BEST meets this need while minimizing the work required?

70. A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard.

Which of the following types of controls should be used to reduce the risk created by this scenario?

71. A security analyst runs a monthly file integrity check on the main web server.

When analyzing the logs, the analyst observed the following entry:





No OS patches were applied to this server during this period. Considering the log output, which of the following is the BEST conclusion?

72. A security technician is configuring a new firewall appliance for a production environment. The firewall must support secure web services for client workstations on the 10.10.10.0/24 network. The same client workstations are configured to contact a server at 192.168.1.15/24 for domain name resolution.

Which of the following rules should the technician add to the firewall to allow this connectivity for the client workstations? (Choose two.)

73. A small enterprise decides to implement a warm site to be available for business continuity in case of a disaster.

Which of the following BEST meets its requirements?

74. Which of the following algorithms would be used to provide non-repudiation of a file transmission?

75. A cybersecurity analyst needs to implement secure authentication to third-party websites without users’ passwords.

Which of the following would be the BEST way to achieve this objective?

76. A user receives a security alert pop-up from the host-based IDS, and a few minutes later notices a document on the desktop has disappeared and in its place is an odd filename with no icon image. When clicking on this icon, the user receives a system notification that it cannot find the correct program to use to open this file.

Which of the following types of malware has MOST likely targeted this workstation?

77. A security engineer at a manufacturing company is implementing a third-party cloud application. Rather than creating users manually in the application, the engineer decides to use the SAML protocol.

Which of the following is being used for this implementation?

78. Which of the following are the BEST selection criteria to use when assessing hard drive suitability for time-sensitive applications that deal with large amounts of critical information? (Choose two.)

79. A security analyst needs to generate a server certificate to be used for 802.1X and secure RDP connections. The analyst is unsure what is required to perform the task and solicits help from a senior colleague.

Which of the following is the FIRST step the senior colleague will most likely tell the analyst to perform to accomplish this task?

80. A company has just experienced a malware attack affecting a large number of desktop users. The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as ‘Troj.Generic’ . Once the security team found a solution to remove the malware, they were able to remove the malware files successfully, and the HIDS stopped alerting. The next morning, however, the HIDS once again started alerting on the same desktops, and the security team discovered the files were back.

Which of the following BEST describes the type of malware infecting this company’s network?

81. An accountant is attempting to log in to the internal accounting system and receives a message that the website’s certificate is fraudulent. The accountant finds instructions for manually installing the new trusted root onto the local machine.

Which of the following would be the company’s BEST option for this situation in the future?

82. A hospital has received reports from multiple patients that their PHI was stolen after completing forms on the hospital’s website. Upon investigation, the hospital finds a packet analyzer was used to steal data.

Which of the following protocols would prevent this attack from reoccurring?

83. A security consultant was asked to revise the security baselines that are utilized by a large organization. Although the company provides different platforms for its staff, including desktops, laptops, and mobile devices, the applications do not vary by platform.

Which of the following should the consultant recommend? (Choose two.)

84. Which of the following types of attack is being used when an attacker responds by sending the MAC address of the attacking machine to resolve the MAC to IP address of a valid server?

85. A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims.

Which of the following is the researcher MOST likely using?

86. A system in the network is used to store proprietary secrets and needs the highest level of security possible.

Which of the following should a security administrator implement to ensure the system cannot be reached from the Internet?

87. Which of the following implements two-factor authentication on a VPN?

88. Which of the following is a component of multifactor authentication?

89. A technician is auditing network security by connecting a laptop to open hardwired jacks within the facility to verify they cannot connect.

Which of the following is being tested?

90. A network technician discovered the usernames and passwords used for network device configuration have been compromised by a user with a packet sniffer.

Which of the following would secure the credentials from sniffing?

91. A company is looking for an all-in-one solution to provide identification, authentication, authorization, and accounting services.

Which of the following technologies should the company use?

92. An organization has the following password policies:

- Passwords must be at least 16 characters long.

- A password cannot be the same as any previous 20 passwords.

- Three failed login attempts will lock the account for five minutes.

- Passwords must have one uppercase letter, one lowercase letter, and one non-alphanumeric symbol.

A database server was recently breached, and the incident response team suspects the passwords were

compromised. Users with permission on that database server were forced to change their passwords for

that server. Unauthorized and suspicious logins are now being detected on a completely separate server.

Which of the following is MOST likely the issue and the best solution?

93. Ann, a user, reports she is receiving emails that appear to be from organizations to which she belongs, but the emails contain links to websites that do not belong to those organizations.

Which of the following security scenarios does this describe?

94. An application developer is working on a new calendar and scheduling application. The developer wants to test new functionality that is time/date dependent and set the local system time to one year in the future. The application also has a feature that uses SHA-256 hashing and AES encryption for data exchange. The application attempts to connect to a separate remote server using SSL, but the connection fails.

Which of the following is the MOST likely cause and next step?

95. A network administrator is trying to provide the most resilient hard drive configuration in a server. With five hard drives, which of the following is the MOST fault-tolerant configuration?

96. A company is deploying a wireless network. It is a requirement that client devices must use X.509 certifications to mutually authenticate before connecting to the wireless network.

Which of the following protocols would be required to accomplish this?

97. A security analyst is implementing mobile device security for a company. To save money, management has decided on a BYOD model. The company is most concerned with ensuring company data will not be exposed if a phone is lost or stolen.

Which of the following techniques BEST accomplish this goal? (Choose two.)

98. Which of the following is an algorithm family that was developed for use cases in which power consumption and lower computing power are constraints?

99. An organization has created a review process to determine how to best handle data with different sensitivity levels.

The process includes the following requirements:

- Soft copy PII must be encrypted.

- Hard copy PII must be placed in a locked container.

- Soft copy PHI must be encrypted and audited monthly.

- Hard copy PHI must be placed in a locked container and inventoried monthly.

Locked containers must be approved and designated for document storage. Any violations must be reported to the Chief Security Officer (CSO).

While searching for coffee in the kitchen, an employee unlocks a cabinet and discovers a list of customer names and phone numbers.

Which of the following actions should the employee take?

100. The Chief Information Officer (CIO) has decided to add two-factor authentication along with the use of passwords when logging on to the network.

Which of the following should be implemented to BEST accomplish this requirement?

101. A Chief Executive Officer (CEO) is staying at a hotel during a business trip. The hotel’s wireless network does not show a lock symbol.

Which of the following precautions should the CEO take? (Choose two.)

102. A company occupies the third floor of a leased building that has other tenants. The path from the demarcation point to the company’s controlled space runs through unsecured areas managed by other companies.

Which of the following could be used to protect the company’s cabling as it passes through uncontrolled spaces?

103. An organization discovers that unauthorized applications have been installed on company-provided mobile phones. The organization issues these devices, but some users have managed to bypass the security controls.

Which of the following is the MOST likely issue, and how can the organization BEST prevent this from happening?

104. A user is unable to obtain an IP address from the corporate DHCP server.

Which of the following is MOST likely the cause?

105. A security engineer is concerned about susceptibility to HTTP downgrade attacks because the current customer portal redirects users from port 80 to the secure site on port 443.

Which of the following would be MOST appropriate to mitigate the attack?

106. A help desk technician is trying to determine the reason why several high-level officials’ account passwords need to be reset shortly after implementing a self-service password reset process.

Which of the following would BEST explain the issue?

107. Which of the following controls is implemented in lieu of the primary security controls?

108. A transitive trust:

109. An email systems administrator is configuring the mail server to prevent spear phishing attacks through email messages.

Which of the following refers to what the administrator is doing?

110. Which of the following BEST explains why a development environment should have the same database server secure baseline that exists in production even if there is no PII in the database?

111. After running an online password cracking tool, an attacker recovers the following password:

gh ;j SKSTOi;618&

Based on the above information, which of the following technical controls have been implemented? (Choose two.)

112. A company notices that at 10 a.m. every Thursday, three users’ computers become inoperable. The security analyst team discovers a file called where.pdf.exe that runs on system startup.

The contents of where.pdf.exe are shown below:

@echo off

if [c:file.txt] deltree C:

Based on the above information, which of the following types of malware was discovered?

113. A network administrator was provided the following output from a vulnerability scan:





The network administrator has been instructed to prioritize remediation efforts based on overall risk to the enterprise.

Which of the following plugin IDs should be remediated FIRST?

114. A security administrator wants to better prepare the incident response team for possible security events. The IRP has been updated and distributed to incident response team members.

Which of the following is the BEST option to fulfill the administrator’s objective?

115. A company hired a firm to test the security posture of its database servers and determine if any vulnerabilities can be exploited. The company provided limited information pertaining to the infrastructure and database server.

Which of the following forms of testing does this BEST describe?

116. Which of the following is the purpose of an industry-standard framework?

117. Which of the following physical security controls is MOST effective when trying to prevent tailgating?

118. A penetration tester has successfully accessed a web server using an exploit in the user-agent string for Apache Struts. The tester then brute forces a credential that provides access to the back-end database server in a different subnet. This is an example of:

119. A software development company needs to augment staff by hiring consultants for a high-stakes project.

The project has the following requirements:

- Consultants will have access to highly confidential, proprietary data.

- Consultants will not be provided with company-owned assets.

- Work needs to start immediately.

- Consultants will be provided with internal email addresses for communications.

Which of the following solutions is the BEST method for controlling data exfiltration during this project?

120. In which of the following ways does phishing and smishing differ?

121. A security analyst is determining the point of compromise after a company was hacked. The analyst checks the server logs and sees that a user account was logged in at night, and several large compressed files were exfiltrated. The analyst then discovers the user last logged in four years ago and was terminated.

Which of the following should the security analyst recommend to prevent this type of attack in the future?

(Choose two.)

122. An analysis of a threat actor, which has been active for several years, reveals the threat actor has high levels of funding, motivation, and sophistication.

Which of the following types of threat actors does this BEST describe?

123. Given the following output:





Which of the following BEST describes the scanned environment?

124. When an initialization vector is added to each encryption cycle, it is using the:

125. During a routine check, a security analyst discovered the script responsible for the backup of the corporate file server has been changed to the following:





Which of the following BEST describes the type of malware the analyst discovered?

126. An organization requires three separate factors for authentication to sensitive systems.

Which of the following would BEST satisfy the requirement?

127. A security analyst has been asked to implement secure protocols to prevent cleartext credentials from being transmitted over the internal network.

Which of the following protocols is the security analyst MOST likely to implement? (Choose two.)

128. Buffer overflow can be avoided using proper:

129. Which of the following systems, if compromised, may cause great danger to the integrity of water supplies and their chemical levels?

130. An organization has the following written policies:

- Users must request approval for non-standard software installation.

- Administrators will perform all software installations.

- Software must be installed from a trusted repository.

A recent security audit identified crypto-currency software installed on one user’s machine. There are no indications of compromise on this machine.

Which of the following is the MOST likely cause of this policy violation and the BEST remediation to prevent a reoccurrence?

131. Penetration testing is distinct from vulnerability scanning primarily because penetration testing:

132. Employees receive a benefits enrollment email from the company’s human resources department at the beginning of each year. Several users have reported receiving the email but are unable to log in to the website with their usernames and passwords. Users who enter the URL for the human resources website can log in without issue.

Which of the following security issues is occurring?

133. An engineer is configuring a wireless network using PEAP for the authentication protocol.

Which of the following is required?

134. An organization is setting up a satellite office and wishes to extend the corporate network to the new site.

Which of the following is the BEST solution to allow the users to access corporate resources while focusing on usability and security?

135. A NIPS administrator needs to install a new signature to observe the behavior of a worm that may be spreading over SMB.

Which of the following signatures should be installed on the NIPS?

136. An organization uses an antivirus scanner from Company A on its firewall, an email system antivirus scanner from Company B, and an endpoint antivirus scanner from Company C. This is an example of:

137. Exploitation of a system using widely known credentials and network addresses that results in DoS is an example of:

138. Which of the following is an example of the second A in the AAA model?

139. Which of the following threat actors is motivated primarily by a desire for personal recognition and a sense of accomplishment?

140. An attacker has gained control of several systems on the Internet and is using them to attack a website, causing it to stop responding to legitimate traffic.

Which of the following BEST describes the attack?

141. A company has users and printers in multiple geographic locations, and the printers are located in common areas of the offices. To preserve the confidentiality of PII, a security administrator needs to implement the appropriate controls.

Which of the following would BEST meet the confidentiality requirements of the data?

142. The website of a bank that an organization does business with is being reported as untrusted by the organization’s web browser. A security analyst has been assigned to investigate. The analyst discovers the bank recently merged with another local bank and combined names. Additionally, the user’s bookmark automatically redirects to the website of the newly named bank.

Which of the following is the MOST likely cause of the issue?

143. A Chief Information Officer (CIO) wants to eliminate the number of calls the help desk is receiving for password resets when users log on to internal portals.

Which of the following is the BEST solution?

144. A company recently experienced a security breach. The security staff determined that the intrusion was due to an out-of-date proprietary software program running on a non-compliant server. The server was imaged and copied onto a hardened VM, with the previous connections re-established.

Which of the following is the NEXT step in the incident response process?

145. Which of the following types of vulnerability scans typically returns more detailed and thorough insights into actual system vulnerabilities?

146. A security team received reports of increased latency on a highly utilized e-commerce server. This led to eventual service unavailability as a result of internal scanning activity.

The following web-server log was shared with the team to support this claim:





Which of the following actions would BEST address the service impact caused by scanning?

147. A developer has just finished coding a custom web application and would like to test it for bugs by automatically injecting mailformed data into it.

Which of the following is the developer looking to perform?

148. Which of the following is the BEST example of a reputation impact identified during a risk assessment?

149. An auditor requiring an organization to perform real-time validation of SSL certificates.

Which of the following should the organization implement?

150. Which of the following is a resiliency strategy that allows a system to automatically adapt to workload changes?

151. A penetration tester was able to connect to a company’s internal network and perform scans and staged attacks for the duration of the testing period without being noticed. The SIEM did not alert the security team to the presence of the penetration tester’s devices on the network.

Which of the following would provide the security team with notification in a timely manner?

152. Which of the following involves the use of targeted and highly crafted custom attacks against a population of users who may have access to a particular service or program?

153. When building a hosted datacenter, which of the following is the MOST important consideration for physical security within the datacenter?

154. An organization would like to set up a more robust network access system. The network administrator suggests the organization move to a certificate-based authentication setup in which a client-side certificate is used while connecting.

Which of the following EAP types should be used to meet these criteria?

155. Which of the following is MOST likely the security impact of continuing to operate end-of-life systems?

156. After downloading third-party software, a user begins receiving continuous pop-up messages stating the Windows antivirus is outdated. The user is unable to access any files or programs until the subscription is renewed with Bitcoin.

Which of the following types of attacks is being executed?

157. As a security measure, an organization has disabled all external media from accessing the network. Since some users may have data that needs to be transferred to the network, which of the following would BEST assist a security administrator with transferring the data while keeping the internal network secure?

158. A technician is implementing 802.1X with dynamic VLAN assignment based on a user Active Directory group membership.

Which of the following configurations supports the VLAN definitions?

159. Which of the following agreement types is a non-contractual agreement between two or more parties and outlines each party’s requirements and responsibilities?

160. A technician wants to implement PKI-based authentication on an enterprise wireless network.

Which of the following should the technician configure to enforce the use of client-side certificates?

161. A company has forbidden the use of external media within its headquarters location. A security analyst is working on adding additional repositories to a server in the environment when the analyst notices some odd processes running on the system.

The analyst runs a command and sees the following:





Given this output, which of the following security issues has been discovered?

162. During certain vulnerability scanning scenarios, it is possible for the target system to react in unexpected ways.

This type of scenario is MOST commonly known as:

163. An organization prefers to apply account permissions to groups and not individual users, but allows for exceptions that are justified. Some systems require a machine-to-machine data exchange and an associated account to perform this data exchange. One particular system has data in a folder that must be modified by another system. No user requires access to this folder; only the other system needs access to this folder.

Which of the following is the BEST account management practice?

164. A user attempts to send an email to an external domain and quickly receives a bounce-back message. The user then contacts the help desk stating the message is important and needs to be delivered immediately.

While digging through the email logs, a systems administrator finds the email and bounce-back details:

Your email has been rejected because it appears to contain SSN information. Sending SSN information via email to external recipients violates company policy.

Which of the following technologies successfully stopped the email from being sent?

165. Which of the following controls does a mantrap BEST represent?

166. A security administrator has created a new group policy object that utilizes the trusted platform module to compute a hash of system files and compare the value to a known-good value.

Which of the following security concepts is this an example of?

167. A network administrator wants to gather information on the security of the network servers in the DMZ.

The administrator runs the following command:

Telnet www.example.com 80

Which of the following actions is the administrator performing?

168. Which of the following should be implemented to stop an attacker from interacting with the hypervisor through another guest?

169. An internal intranet site is required to authenticate users and restrict access to content to only those who are authorized to view it. The site administrator previously encountered issues with credential spoofing when using the default NTLM setting and wants to move to a system that will be more resilient to replay attacks.

Which of the following should the administrator implement?

170. A security consultant is analyzing data from a recent compromise.

The following data points are documented:

- Access to data on share drives and certain networked hosts was lost after an employee logged in to an interactive session as a privileged user.

- The data was unreadable by any known commercial software.

- The issue spread through the enterprise via SMB only when certain users accessed data.

- Removal instructions were not available from any major antivirus vendor.

Which of the following types of malware is this an example of?

171. An organization handling highly confidential information needs to update its systems.

Which of the following is the BEST method to prevent data compromise?

172. A security administrator is working with the human resources department to classify data held by the company. The administrator has determined the data contains a variety of data types, including health information, employee names and addresses, trade secrets, and confidential customer information.

Which of the following should the security administrator do NEXT?

173. A security administrator has been conducting an account permissions review that has identified several users who belong to functional groups and groups responsible for auditing the functional groups’ actions. Several recent outages have not been able to be traced to any user.

Which of the following should the security administrator recommend to preserve future audit log integrity?

174. Joe, a new employee, discovered a thumb drive with the company’s logo on it while walking in the parking lot. Joe was curious as to the contents of the drive and placed it into his work computer. Shortly after accessing the contents, he noticed the machine was running slower, started to reboot, and displayed new icons on the screen.

Which of the following types of attacks occurred?

175. In the event of a security incident, which of the following should be captured FIRST?

176. A security analyst receives the following output:





Which of the following MOST likely occurred to produce this output?

177. Which of the following BEST explains “likelihood of occurrence”?

178. When choosing a hashing algorithm for storing passwords in a web database, which of the following is the BEST explanation for choosing HMAC-MD5 over simple MD5?

179. Given the following:





Which of the following concepts of cryptography is shown?

180. A law firm wants to protect its customers’ individual information, which is stored at a remote facility, from inadvertently being compromised through a violation of the security objectives.

Which of the following BEST describes the customer information that is being stored at this facility?

181. A technician wants to configure a wireless router at a small office that manages a family-owned dry cleaning business. The router will support five laptops, personal smartphones, a wireless printer, and occasional guests.

Which of the following wireless configurations is BEST implemented in this scenario?

182. A systems administrator just issued the ssh-keygen Ct rsa command on a Linux terminal.

Which of the following BEST describes what the rsa portion of the command represents?

183. A newly hired Chief Security Officer (CSO) is reviewing the company’s IRP and notices the procedures for zero-day malware attacks are being poorly executed, resulting in the CSIRT failing to address and coordinate malware removal from the system.

Which of the following phases would BEST address these shortcomings?

184. A security analyst has identified malware that is propagating automatically to multiple systems on the network.

Which of the following types of malware is MOST likely impacting the network?

185. An organization allows the use of open-source software as long as users perform a file integrity check on the executables and verify the file against hashes of known malware.

A user downloads the following files from an open-source website:





After submitting the hashes to the malware registry, the user is alerted that 2f40 3221 33ad 8f34 1032 1adc 13ef 51a4 matches a known malware signature. The organization has been running all of the above software with no known issues.

Which of the following actions should the user take and why?

186. An administrator needs to protect five websites with SSL certificates. Three of the websites have different domain names, and two of the websites share the domain name but have different subdomain prefixes.

Which of the following SSL certificates should the administrator purchase to protect all the websites and be able to administer them easily at a later time?

187. A security administrator begins assessing a network with software that checks for available exploits against a known database, using both credentials and external scripts. A report will be compiled and used to confirm patching levels.

This is an example of:

188. While testing a new application, a developer discovers that the inclusion of an apostrophe in a username causes the application to crash.

Which of the following secure coding techniques would be MOST useful to avoid this problem?

189. A company recently contracted a penetration testing firm to conduct an assessment. During the assessment, the penetration testers were able to capture unencrypted communication between directory servers. The penetration testers recommended encrypting this communication to fix the vulnerability.

Which of the following protocols should the company implement to close this finding?

190. Which of the following are disadvantages of full backups? (Choose three.)

191. A security analyst performs a vulnerability scan on the local network. Several items are flagged on the report as being critical issues. The security analyst researches each of the vulnerabilities and discovers that one of the critical issues on the report was mitigated in a previous scan.

Which of the following MOST likely happened?

192. A coffee company, which operates a chain of stores across a large geographical area, is deploying tablets to use as point-of-sale devices.

A security consultant has been given the following requirements:

- The cashiers must be able to log in to the devices quickly.

- The devices must be compliant with applicable regulations for credit card usage.

- The risk of loss or theft of the devices must be minimized.

- If devices are lost or stolen, all data must be removed from the device.

- The devices must be capable of being managed from a centralized location.

Which of the following should the security consultant configure in the MDM polices for the tablets? (Choose two.)

193. Which of the following should a company require prior to performing a penetration test?

194. An employee on the Internet-facing part of a company’s website submits a 20-character phrase in a small textbox on a web form. The website returns a message back to the browser stating

Error: Table ‘advprofile’ entry into column ‘lname’ has exceeded number of allowed characters. Error saving database information.

Of which of the following is this an example?

195. Which of the following cloud models is used to share resources and information with business partners and like businesses without allowing everyone else access?

196. A security team has completed the installation of a new server. The OS and applications have been patched and tested, and the server is ready to be deployed.

Which of the following actions should be taken before deploying the new server?

197. A red team initiated a DoS attack on the management interface of a switch using a known vulnerability. The monitoring solution then raised an alert, prompting a network engineer to log in to the switch to diagnose the issue. When the engineer logged in, the red team was able to capture the credentials and subsequently log in to the switch.

Which of the following actions should the network team take to prevent this type of breach from reoccurring?

198. A security engineer deploys a certificate from a commercial CA to the RADIUS server for use with the EAP-TLS wireless network.

Authentication is failing, so the engineer examines the certificate's properties:

Issuer: (A commercial CA)

Valid from: (yesterday's date)

Valid to: (one year from yesterday's date)

Subject: CN=smithco.com

Public key: RSA (2048 bits)

Enhanced key usage: Client authentication (1.3.6.1.5.5.7.3.2)

Key usage: Digital signature, key encipherment (a0)

Which of the following is the MOST likely cause of the failure?

199. A security analyst is investigating a report from an employee in the human resources (HR) department who is having sporadic issues with Internet access.

When the security analyst pulls the UTM logs for the IP addresses in the HR group, the following activity is shown:





Which of the following actions should the security analyst take?

200. Which of the following provides the ability to attest to the integrity of a system from the initiation of an incident to the time the incident is litigated?

201. Exercising various programming responses for the purpose of gaining insight into a system's security posture without exploiting the system is BEST described as:

202. A company is implementing a remote access portal so employees can work remotely from home. The company wants to implement a solution that would securely integrate with a third party.

Which of the following is the BEST solution?

203. A network administrator is configuring a honeypot in a company's DMZ. To provide a method for hackers to access the system easily, the company needs to configure a plaintext authentication method that will send only the username and password to a service in the honeypot.

Which of the following protocols should the company use?

204. During the penetration testing of an organization, the tester was provided with the names of a few key servers, along with their IP address.

Which of the following is the organization conducting?

205. A company would like to transition its directory service from an Open LDAP solution to Active Directory. The main goal for this project is security. All authentications to the domain controllers must be as secure as possible.

Which of the following should the company use to achieve this goal?

206. A security administrator is reviewing the following information from a file that was found on a compromised host:

cat suspiciousfile.txt

www.CompTIA.orgnjohnmiloveyoun$200nWorking LatenJohnnI%20will%20be%20in% 20the%20office%20till%206pm%20to%20finish%20the%20reportn

Which of the following types of malware is MOST likely installed on the compromised host?

207. Which of the following can be used to increase the time needed to brute force a hashed password?

208. Ann, a security analyst from a large organization, has been instructed to use another, more effective scanning tool. After installing the tool on her desktop, she started a full vulnerability scan. After running the scan for eight hours. Ann finds that there were no vulnerabilities identified.

Which of the following is the MOST likely cause of not receiving any vulnerabilities on the network?

209. A network administrator needs to prevent users from accessing the accounting department records. All users are connected to the same Layer 2 device and access the Internet through the same router.

Which of the following should be implemented to segment the accounting department from the rest of the users?

210. Proprietary information was sent by an employee to a distribution list that included external email addresses.

Which of the following BEST describes the incident that occurred and the threat actor in this scenario?

211. A company recently changed its security policy to allow access to only pre-approved websites and setup to occur without any end-user configuration.

Which of the follow is the BEST configuration for implementing the new security policy?

212. Which of the following models is considered an iterative approach with frequent testing?

213. A company wants to provide a guest wireless system for its visitors. The system should have a captive portal for guest self-registration and protect guest devices from spreading malware to other connected devices.

Which of the following should be done on the wireless network to satisfy these requirements? (Choose two.)

214. After a breach, a company has decided to implement a solution to better understand the technique used by the attackers.

Which of the following is the BEST solution to be deployed?

215. A security analyst is investigating a security breach involving the loss of sensitive data. A user passed the information through social media as vacation photos.

Which of the following methods was used to encode the data?

216. When conducting a penetration test, a pivot is used to describe a scenario in which

217. A network administrator needs to restrict the users of the company's WAPs to the sales department. The network administrator changes and hides the SSID and then discovers several employees had connected their personal devices to the wireless network.

Which of the following would limit access to the wireless network to only organization-owned devices in the sales department?

218. A security engineer wants to further secure a sensitive VLAN on the network by introducing MFA.

Which of the following is the BEST example of this?

219. A malicious actor compromises a legitimate website, configuring it to deliver malware to visitors of the website.

Which of the following attacks does this describe?

220. Which of the following BEST describes why an air gap is a useful security control?

221. A security analyst is asked to check the configuration of the company's DNS service on the server.

Which of the following command line tools should the analyst use to perform the initial assessment?

222. A company help desk has received several reports that employees have experienced identity theft and compromised accounts. This occurred several days after receiving an email asking them to update their personal bank information.

Which of the following is a vulnerability that has been exploited?

223. A systems administrator wants to enforce the use of HTTPS on a new website.

Which of the following should the systems administrator do NEXT after generating the CSR?

224. A penetration tester has been hired to scan a company's network for potentially active hosts. The company's IPS system blocks the ICMP echo reply and echo request packets.

Which of the following can be used to scan the network?

225. A company uses WPA2-PSK, and it appears there are multiple unauthorized devices connected to the wireless network. A technician suspects this is because the wireless password has been shared with unauthorized individuals.

Which of the following should the technician implement to BEST reduce the risk of this happening in the future?

226. A new PKI is being built at a company, but the network administrator has concerns about spikes of traffic occurring twice a day due to clients checking the status of the certificates.

Which of the following should be implemented to reduce the spikes in traffic?

227. A security analyst received an after-hours alert indicating that a large number of accounts with the suffix "admin" were locked out. The accounts were all locked out after five unsuccessful login attempts, and no other accounts on the network triggered the same alert.

Which of the following is the BEST explanation for these alerts?

228. A developer is creating a new web application on a public cloud platform and wants to ensure the application can respond to increases in load while minimizing costs during periods of low usage.

Which of the following strategies is MOST relevant to the use-case?

229. A tester was able to leverage a pass-the-hash attack during a recent penetration test. The tester gained a foothold and moved laterally through the network.

Which of the following would prevent this type of attack from reoccurring?

230. A critical enterprise component whose loss or destruction would significantly impede business operations or have an outsized impact on corporate revenue is known as:

231. A pass-the-hash attack is commonly used to:

232. Which of the following enables a corporation to extend local security policies to corporate resources hosted in a CSP’s infrastructure?

233. Which of the following is the main difference between symmetric and asymmetric cryptographic algorithms?

234. An organization with very high security needs wants to implement a biometric system. It is required to minimize unauthorized access by ensuring authorized personnel are not denied access.

Which of the following solutions will work?

235. Which of the following has the potential to create a DoS attack on a system?

236. Which of the following generates reports that show the number of systems that are associated with POODLE, 3DES, and SMBv1 listings?

237. An organization's Chief Information Officer (CIO) read an article that identified leading hacker trends and attacks, one of which is the alteration of URLs to IP addresses resulting in users being redirected to malicious websites.

To reduce the chances of this happening in the organization, which of the following secure protocols should be implemented?

238. The phones at a business are being replaced with VoIP phones that get plugged in-line between the switch and PC. The voice and data networks still need to be kept separate.

Which of the following would allow for this?

239. A security analyst recommends implementing SSL for an existing web service. A technician installs the SSL certificate and successfully tests the connection on the server. Soon after, the help desk begins receiving calls from users who are unable to log in. After further investigation, it becomes clear that no users have successfully connected to the web server since the certificate installation.

Which of the following is MOST likely the issue?

240. Which of the following impacts MOST likely results from poor exception handling?

241. After deploying an antivirus solution on some network-isolated industrial computers, the service desk team received a trouble ticket about the following message being displayed on the computers’ screens:

Your AV protection has blocked an unknown application while performing suspicious activities. The application was put in quarantine.

Which of the following would be the SAFEST next step to address the issue?

242. During incident response procedures, technicians capture a unique identifier for a piece of malware running in memory.

This captured information is referred to as:

243. A user's laptop is experiencing general slowness following the user's return from an extended time out of the office. After a week, the security team looks at the laptop, but nothing appears out of order. The only noticeable issue is that svchost.exe keeps launching even after the security team kills the process. After running netstat , the team notes svchost.exe is listening on port 443.

Using an IoC creation tool, a security analyst does the following:

OR--

File MD5 contains adf321122abce28873aad3e12f262a12c

AND

PROCESS name contains svchost.exe

PROCESS arguments does not contain -k

AND

FILENAME contains svchost.exe

FILE DIRECTORY is not %system32%

Based on the IoCs created and the netstat output, which of the following types of malware is present?

244. An analyst is reviewing the following web-server log after receiving an alert from the DLP system about multiple PII records being transmitted in cleartext:





Which of the following IP addresses is MOST likely involved in the data leakage attempt?

245. A security analyst needs a solution that can execute potential malware in a restricted and isolated environment for analysis.

In which of the following technologies is the analyst interested?

246. A penetration tester is testing passively for vulnerabilities on a company's network.

Which of the following tools should the penetration tester use? (Choose two.)

247. A security analyst wants to prevent current employees who previously worked in different departments from accessing resources that are no longer necessary for their present job roles.

Which of the following policies would meet this objective?

248. A company is determining where to host a hot site, and one of the locations being considered is in another country.

Which of the following should be considered when evaluating this option?

249. DRAG DROP

A data owner has been tasked with assigning proper data classifications and destruction methods for various types of data contained within the environment.



INSTRUCTIONS

From the options below, drag each item to its appropriate classification as well as the MOST appropriate form of disposal.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

250. DRAG DROP

Leveraging the information supplied below, complete the CSR for the server to set up TLS (HTTPS).

- Hostname: ws01

- Domain: comptia.org

- IPv4: 10.1.9.50

- IPv4: 10.2.10.50

- Root: home.aspx

- DNS CNAME: homesite



INSTRUCTIONS

Drag the various data points to the correct locations within the CSR. Extension criteria belong in the left-hand column and values belong in the corresponding row in the right-hand column.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

251. DRAG DROP

A security administrator wants to implement strong security on the company smart phones and terminal servers located in the data center.



INSTRUCTIONS

Drag and drop the applicable controls to each asset type.

Controls can be used multiple times and not all placeholders need to be filled.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

252. HOTSPOT

Select the appropriate attack from each drop down list to label the corresponding illustrated attack.

Instructions:

Attacks may only be used once, and will disappear from drop down list if selected.

When you have completed the simulation, please select the Done button to submit.

253. DRAG DROP

You have been tasked with designing a security plan for your company.



INSTRUCTIONS

Drag and drop the appropriate security controls on the floor plan.

All objects must be used and all place holders must be filled. Order does not matter.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.