Q121.Which of the following identifies the point in time when an organization will recover data in the event of an outage?
A. ALE
B. RPO
C. MTBF
D. ARO
Q122.A police department is using the cloud to share information with city officials. Which of the following cloud models describes this scenario?
A. Hybrid
B. Private
C. Public
D. Community
Q123.A user reports that a bank’s website no longer displays a padlock symbol. A security analyst views the user’s screen and notices the connection is using HTTP instead of HTTPS. Which of the following attacks is most likely occurring?
A. Memory leak
B. SSL stripping
C. API
D. Pass the hash
Q124.A data center has experienced an increase in under-voltage events following electrical grid maintenance outside the facility. These events are leading to occasional losses of system availability. Which of the following would be the most cost-effective solution for the data center to implement?
A. Uninterruptible power supplies with battery backup
B. Managed power distribution units to track these events
C. A generator to ensure consistent, normalized power delivery
D. Dual power supplies to distribute the load more evenly
Q125.Cloud security engineers are planning to allow and deny access to specific features in order to increase data security. Which of the following cloud features is the most appropriate to ensure access is granted properly?
A. API integrations
B. Auditing
C. Resource policies
D. Virtual networks
Q126.A security operations technician is searching the log named /var/messages for any events that were associated with a workstation with the IP address 10.1.1.1. Which of the following would provide this information?
A. cat /var/messages | grep 10.1.1.1
B. grep 10.1.1.1 | cat /var/messages
C. grep /var/messages | cat 10.1.1.1
D. cat 10.1.1.1 | grep /var/messages
Q127.Which of the following can be used to detect a hacker who is stealing company data over port 80?
A. Web application scan
B. Threat intelligence
C. Log aggregation
D. Packet capture
Q128.An organization has been experiencing outages during holiday sales and needs to ensure availability of its point-of-sale systems. The IT administrator has been asked to improve both server-data fault tolerance and site availability under high consumer load. Which of the following are the best options to accomplish this objective? (Choose two.)
A. Load balancing
B. Incremental backups
C. UPS
D. RAID
E. Dual power supply
F. VLAN
Q129.A company that provides an online streaming service made its customers’ personal data, including names and email addresses, publicly available in a cloud storage service. As a result, the company experienced an increase in the number of requests to delete user accounts. Which of the following BEST describes the consequence of this data disclosure?
A. Regulatory fines
B. Reputation damage
C. Increased insurance costs
D. Financial loss
Q130.A security analyst is investigating a report from a penetration test. During the penetration test, consultants were able to download sensitive data from a back-end server. The back-end server was exposing an API that should have only been available from the company’s mobile application. After reviewing the back-end server logs, the security analyst finds the following entries:
Which of the following is the most likely cause of the security control bypass?
A. IP address allow list
B. User-agent spoofing
C. WAF bypass
D. Referrer manipulation
Q131.A user reset the password for a laptop but has been unable to log in to it since then. In addition, several unauthorized emails were sent on the user’s behalf recently. The security team investigates the issue and identifies the following findings:
• Firewall logs show excessive traffic from the laptop to an external site.
• Unknown processes were running on the laptop.
• RDP connections that appeared to be authorized were made to other network devices from the laptop.
• High bandwidth utilization alerts from that user’s username.
Which of the following is most likely installed on the laptop?
A. Worm
B. Keylogger
C. Trojan
D. Logic bomb
Q132.A user is trying to upload a tax document which the corporate finance department requested but a security program is prohibiting the upload. A security analyst determines the file contains PII. Which of the following steps can the analyst take to correct this issue?
A. Create a URL filter with an exception for the destination website
B. Add a firewall rule to the outbound proxy to allow file uploads
C. Issue a new device certificate to the user’s workstation
D. Modify the exception list on the DLP to allow the upload
Q133.A Chief Security Officer (CSO) is concerned that cloud-based services are not adequately protected from advanced threats and malware. The CSO believes there is a high risk that a data breach could occur in the near future due to the lack of detective and preventive controls. Which of the following should be implemented to BEST address the CSO’s concerns? (Choose two.)
A. A WAF
B. A CASB
C. An NG-SWG
D. Segmentation
E. Encryption
F. Containerization
Q134.Which of the following types of controls is a CCTV camera that is not being monitored?
A. Detective
B. Deterrent
C. Physical
D. Preventive
Q135.A security analyst reviews web server logs and notices the following line:
Which of the following vulnerabilities is the attacker trying to exploit?
A. SSRF
B. CSRF
C. XSS
D. SQLi
Q136.A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do NEXT?
A. Review how the malware was introduced to the network.
B. Attempt to quarantine all infected hosts to limit further spread.
C. Create help desk tickets to get infected systems reimaged.
D. Update all endpoint antivirus solutions with the latest updates.
Q137.A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal behavior is detected. Which of the following is the security analyst MOST likely implementing?
A. Vulnerability scans
B. User behavior analysis
C. Security orchestration, automation, and response
D. Threat hunting
Q138.An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an IoC?
A. Reimage the impacted workstations.
B. Activate runbooks for incident response.
C. Conduct forensics on the compromised system.
D. Conduct passive reconnaissance to gather information.
Q139.A systems engineer thinks a business system has been compromised and is being used to exfiltrate data to a competitor. The engineer contacts the CSIRT. The CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else. Which of the following is the most likely reason for this request?
A. The CSIRT thinks an insider threat is attacking the network.
B. Outages of business-critical systems cost too much money.
C. The CSIRT does not consider the systems engineer to be trustworthy.
D. Memory contents, including fileless malware, are lost when the power is turned off.
Q140.A security analyst needs to determine how an attacker was able to use User3 to gain a foothold within a company’s network. The company’s lockout policy requires that an account be locked out for a minimum of 15 minutes after three unsuccessful attempts. While reviewing the log files, the analyst discovers the following:
Which of the following attacks MOST likely occurred?
A. Dictionary
B. Credential-stuffing
C. Password-spraying
D. Brute-force
Q141.SIMULATION
An attack has occurred against a company.
INSTRUCTIONS
You have been tasked to do the following:
• Identify the type of attack that is occurring on the network by clicking on the attacker’s tablet and reviewing the output.
• Identify which compensating controls a developer should implement on the assets, in order to reduce the effectiveness of future attacks, by dragging them to the correct server.
All objects will be used, but not all placeholders may be filled. Objects may only be used once.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Q142.Which of the following best describes a technique that compensates researchers for finding vulnerabilities?
A. Penetration testing
B. Code review
C. Wardriving
D. Bug bounty
Q143.An engineer recently deployed a group of 100 web servers in a cloud environment. Per the security policy, all web-server ports except 443 should be disabled.
Which of the following can be used to accomplish this task?
A. Application allow list
B. SWG
C. Host-based firewall
D. VPN
Q144.Which of the following biometric authentication methods is the most accurate?
A. Gait
B. Retina
C. Signature
D. Voice
Q145.A security architect is working on an email solution that will send sensitive data. However, funds are not currently available in the budget for building additional infrastructure. Which of the following should the architect choose?
A. POP
B. IPSec
C. IMAP
D. PGP
Q146.Which of the following types of controls is a turnstile?
A. Physical
B. Detective
C. Corrective
D. Technical
Q147.A major manufacturing company updated its internal infrastructure and just recently started to allow OAuth applications to access corporate data. Data leakage is now being reported. Which of the following MOST likely caused the issue?
A. Privilege creep
B. Unmodified default settings
C. TLS protocol vulnerabilities
D. Improper patch management
Q148.A security analyst is investigating what appears to be unauthorized access to a corporate web application. The security analyst reviews the web server logs and finds the following entries:
Which of the following password attacks is taking place?
A. Dictionary
B. Brute-force
C. Rainbow table
D. Spraying
Q149.Which of the following would provide guidelines on how to label new network devices as part of the initial configuration?
A. IP schema
B. Application baseline configuration
C. Standard naming convention policy
D. Wireless LAN and network perimeter diagram
Q150.Which of the following best describes the situation where a successfully onboarded employee who is using a fingerprint reader is denied access at the company’s main gate?
A. Crossover error rate
B. False match rate
C. False rejection
D. False positive
Q151.A cybersecurity analyst at Company A is working to establish a secure communication channel with a counterpart at Company B, which is 3,000 miles (4,828 kilometers) away. Which of the following concepts would help the analyst meet this goal in a secure manner?
A. Digital signatures
B. Key exchange
C. Salting
D. PPTP
Q152.A company recently enhanced mobile device configuration by implementing a set of security controls: biometrics, context-aware authentication, and full device encryption. Even with these settings in place, an unattended phone was used by a malicious actor to access corporate data. Which of the following additional controls should be put in place first?
A. GPS tagging
B. Remote wipe
C. Screen lock timer
D. SEAndroid
Q153.Which of the following should customers who are involved with UI developer agreements be concerned with when considering the use of these products on highly sensitive projects?
A. Weak configurations
B. Integration activities
C. Unsecure user accounts
D. Outsourced code development
Q154.A security analyst is hardening a network infrastructure. The analyst is given the following requirements:
• Preserve the use of public IP addresses assigned to equipment on the core router.
• Enable “in transport” encryption protection to the web server with the strongest ciphers.
Which of the following should the analyst implement to meet these requirements? (Choose two.)
A. Configure VLANs on the core router.
B. Configure NAT on the core router.
C. Configure BGP on the core router.
D. Enable AES encryption on the web server.
E. Enable 3DES encryption on the web server.
F. Enable TLSv2 encryption on the web server.
Q155.A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the following SIEM log:
Which of the following describes the method that was used to compromise the laptop?
A. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack.
B. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.
C. An attacker was able to install malware to the C:\asdf234 folder and use it to gain administrator rights and launch Outlook.
D. An attacker was able to phish user credentials successfully from an Outlook user profile.
Q156.A security analyst is assisting a team of developers with best practices for coding. The security analyst would like to defend against the use of SQL injection attacks. Which of the following should the security analyst recommend first?
A. Tokenization
B. Input validation
C. Code signing
D. Secure cookies
Q157.A security architect is designing a remote access solution for a business partner. The business partner needs to access one Linux server at the company. The business partner wants to avoid managing a password for authentication and additional software installation. Which of the following should the architect recommend?
A. Soft token
B. Smart card
C. CSR
D. SSH key
Q158.A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Choose two.)
A. The order of volatility
B. A forensics NDA
C. The provenance of the artifacts
D. The vendor’s name
E. The date and time
F. A warning banner
Q159.A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources. Which of the following risks would this training help to prevent?
A. Hoaxes
B. SPIMs
C. Identity fraud
D. Credential harvesting
Q160.A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output was found on the naming server of the organization:
Which of the following attacks has taken place?
A. Domain reputation
B. Domain hijacking
C. Disassociation
D. DNS poisoning
Q161.A security analyst reviews web server logs and notices the following lines:
Which of the following vulnerabilities has the attacker exploited? (Choose two.)
A. Race condition
B. LFI
C. Pass the hash
D. XSS
E. RFI
F. Directory traversal
Q162.During a security incident investigation, an analyst consults the company’s SIEM and sees an event concerning high traffic to a known, malicious command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue. Which of the following can provide this information?
A. WAF logs
B. DNS logs
C. System logs
D. Application logs
Q163.Which of the following processes would most likely help an organization that has conducted an incident response exercise to improve performance and identify challenges?
A. Lessons learned
B. Identification
C. Simulation
D. Containment
Q164.After multiple on-premises security solutions were migrated to the cloud, the incident response time increased. The analysts are spending a long time trying to trace information on different cloud consoles and correlating data in different formats. Which of the following can be used to optimize the incident response time?
A. CASB
B. VPC
C. SWG
D. CMS
Q165.An organization is planning to open other data centers to sustain operations in the event of a natural disaster. Which of the following considerations would BEST support the organization’s resiliency?
A. Geographic dispersal
B. Generator power
C. Fire suppression
D. Facility automation
Q166.Which of the following describes the exploitation of an interactive process to gain access to restricted areas?
A. Persistence
B. Buffer overflow
C. Privilege escalation
D. Pharming
Q167.Digital signatures use asymmetric encryption. This means the message is encrypted with:
A. the sender’s private key and decrypted with the sender’s public key.
B. the sender’s public key and decrypted with the sender’s private key.
C. the sender’s private key and decrypted with the recipient’s public key.
D. the sender’s public key and decrypted with the recipient’s private key.
Q168.A social media company based in North America is looking to expand into new global markets and needs to maintain compliance with international standards.
With which of the following is the company’s data protection officer MOST likely concerned?
A. NIST Framework
B. ISO 27001
C. GDPR
D. PCI-DSS
Q169.SIMULATION
A systems administrator needs to install a new wireless network for authenticated guest access. The wireless network should support 802.1X using the most secure encryption and protocol available.
INSTRUCTIONS
Perform the following steps:
4. Configure the RADIUS server.
5. Configure the WiFi controller.
6. Preconfigure the client for an incoming guest. The guest AD credentials are:
User: guest01
Password: guestpass
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hint answer:
Q170.A security analyst is reviewing the vulnerability scan report for a web server following an incident. The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST likely cause?
A. Security patches were uninstalled due to user impact.
B. An adversary altered the vulnerability scan reports.
C. A zero-day vulnerability was used to exploit the web server.
D. The scan reported a false negative for the vulnerability.
Q171.A new plug-and-play storage device was installed on a PC in the corporate environment. Which of the following safeguards will BEST help to protect the PC from malicious files on the storage device?
A. Change the default settings on the PC.
B. Define the PC firewall rules to limit access.
C. Encrypt the disk on the storage device.
D. Plug the storage device into the UPS.
Q172.The president of a regional bank likes to frequently provide SOC tours to potential investors. Which of the following policies BEST reduces the risk of malicious activity occurring after a tour?
A. Password complexity
B. Acceptable use
C. Access control
D. Clean desk
Q173.A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?
A. HIPS
B. FIM
C. TPM
D. DLP
Q174.Which of the following is the MOST likely reason for securing an air-gapped laboratory HVAC system?
A. To avoid data leakage
B. To protect surveillance logs
C. To ensure availability
D. To facilitate third-party access
Q175.Which of the following prevents an employee from seeing a colleague who is visiting an inappropriate website?
A. Job rotation policy
B. NDA
C. AUP
D. Separation of duties policy
Q176.A well-known organization has been experiencing attacks from APTs. The organization is concerned that custom malware is being created and emailed into the company or installed on USB sticks that are dropped in parking lots. Which of the following is the BEST defense against this scenario?
A. Configuring signature-based antivirus to update every 30 minutes
B. Enforcing S/MIME for email and automatically encrypting USB drives upon insertion
C. Implementing application execution in a sandbox for unknown software
D. Fuzzing new files for vulnerabilities if they are not digitally signed
Q177.Which of the following documents provides guidance regarding the recommended deployment of network security systems from the manufacturer?
A. Cloud control matrix
B. Reference architecture
C. NIST RMF
D. CIS Top 20
Q178.A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional brownouts that last up to an hour exists, particularly at one of the locations near an industrial smelter. Which of the following is the BEST solution to reduce the risk of data loss?
A. Dual supply
B. Generator
C. UPS
D. POU
E. Daily backups
Q179.An organization implemented a process that compares the settings currently configured on systems against secure configuration guidelines in order to identify any gaps. Which of the following control types has the organization implemented?
A. Compensating
B. Corrective
C. Preventive
D. Detective
Q180.A systems administrator is required to enforce MFA for corporate email account access, relying on the possession factor. Which of the following authentication methods should the systems administrator choose? (Choose two.)
A. Passphrase
B. Time-based one-time password
C. Facial recognition
D. Retina scan
E. Hardware token
F. Fingerprints