Chapter 7
Systems and Application Security (Domain 7)

THIS CHAPTER COVERS THE FOLLOWING SSCP EXAM OBJECTIVES:

  • 7.1 Identify and analyze malicious code and activity
    • Malware (e.g., rootkits, spyware, scareware, ransomware, trojans, virus, worms, trapdoors, backdoors, and remote access trojans)
    • Malicious code countermeasures (e.g., scanners, anti-malware, code signing, sandboxing)
    • Malicious activity (e.g., insider threat, data theft, DDoS, botnet)
    • Malicious activity countermeasures (e.g., user awareness, system hardening, patching, sandboxing, isolation)
  • 7.2 Implement and operate endpoint device security
    • HIDS
    • Host-based firewalls
    • Application white listing
    • Endpoint encryption
    • Trusted Platform Module (TPM)
    • Mobile Device Management (MDM) (e.g., COPE, BYOD)
    • Secure browsing (e.g., sandbox)
  • 7.3 Operate and configure cloud security
    • Deployment models (e.g., public, private, hybrid, community)
    • Service models (e.g., IaaS, PaaS, and SaaS)
    • Virtualization (e.g., hypervisor)
    • Legal and regulatory concerns (e.g., privacy, surveillance, data ownership, jurisdiction, eDiscovery)
    • Data storage and transmission (e.g., archiving, recovery, resilience)
    • Third party/outsourcing requirements (e.g., SLA, data portability, data destruction, auditing)
    • Shared responsibility model
  • 7.4 Operate and secure virtual environments
    • Software-defined networking
    • Hypervisor
    • Virtual appliances
    • Continuity and resilience
    • Attacks and countermeasures
    • Shared storage

  1. Lauren’s multinational company is planning a new cloud deployment and wants to ensure compliance with the EU GDPR. Which principle states that the individual should have the right to receive personal information concerning himself or herself and share it with another data controller?

    1. Onward transfer
    2. Data integrity
    3. Enforcement
    4. Data portability
  2. Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely available tool to check the system for security issues. Which of the following tools will provide the most detail about specific patches installed or missing from her machine?

    1. Nmap
    2. Nessus
    3. MBSA
    4. Metasploit
  3. Maria wants to deploy an anti-malware tool to detect zero-day malware. What type of detection method should she look for in her selected tool?

    1. Signature-based
    2. Heuristic-based
    3. Trend-based
    4. Availability-based
  4. Cameron is configuring his organization’s Internet router and would like to enable anti-spoofing technology. Which one of the following source IP addresses on an inbound packet should trigger anti-spoofing controls?

    1. 192.168.163.109
    2. 13.5.102.5
    3. 124.70.14.100
    4. 222.222.222.222
  5. As part of her malware analysis process, Caitlyn diagrams the high-level functions and processes that the malware uses to accomplish its goals. What is this process known as?

    1. Static analysis
    2. Composition
    3. Dynamic analysis
    4. Decomposition
  6. The company that Lauren works for is making significant investments in infrastructure as a service hosting to replace its traditional data center. Members of her organization’s management have expressed concerns about data remanence when Lauren’s team moves from one virtual host to another in their cloud service provider’s environment. What should she instruct her team to do to avoid this concern?

    1. Zero-wipe drives before moving systems.
    2. Use full disk encryption.
    3. Use data masking.
    4. Span multiple virtual disks to fragment data.
  7. Lucca wants to prevent workstations on his network from attacking each other. If Lucca’s corporate network looks like the network shown here, what technology should he select to prevent laptop A from being able to attack workstation B?

    Flow diagram shows two computers labeled A and B are connected to server, which leads to firewall, border router, and Internet.

    1. IPS
    2. IDS
    3. HIPS
    4. HIDS
  8. The company that Dan works for has recently migrated to a Software as a Service provider for its enterprise resource planning (ERP) software. In its traditional on-site ERP environment, Dan conducted regular port scans to help with security validation for the systems. What will Dan most likely have to do in this new environment?

    1. Use a different scanning tool.
    2. Rely on vendor testing and audits.
    3. Engage a third-party tester.
    4. Use a VPN to scan inside the vendor’s security perimeter.
  9. While investigating a malware infection, Lauren discovers that the hosts file for the system she is reviewing contains multiple entries as shown here:

    0.0.0.0 symantec.com
    0.0.0.0 mcafee.com
    0.0.0.0 microsoft.com
    0.0.0.0 kapersky.com

    Why would the malware make this change?

    1. To redirect 0.0.0.0 to known sites
    2. To prevent antivirus updates
    3. To prevent other attackers from compromising the system
    4. To enable remote access to the system
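An analyst can check for the hosts-file tampering described in question 9 with a short audit script. This is an added example, not code from the book; the watch-list of vendor domains and the sample hosts file are constructed for illustration.

```python
"""Audit a hosts file for entries that blackhole security-vendor domains.

Added example (not from the book): malware sometimes maps antivirus and OS
update domains to 0.0.0.0 or 127.0.0.1 so the host can no longer fetch
signatures or patches. This flags such entries for an analyst to review.
"""

# Unroutable / loopback targets commonly used to "blackhole" a name.
BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed watch-list of security / update domains; extend as needed.
SECURITY_DOMAINS = {
    "symantec.com", "mcafee.com", "microsoft.com", "kaspersky.com",
    "windowsupdate.com", "virustotal.com",
}

# Constructed sample hosts file, mirroring the entries in the question
# (the misspelled "kapersky.com" is kept exactly as it appeared there).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 symantec.com
0.0.0.0 mcafee.com
0.0.0.0 microsoft.com
0.0.0.0 kapersky.com
10.0.0.5        intranet.example.local   # legitimate internal entry
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def _matches_watchlist(hostname):
    """True if hostname is a watch-listed domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def find_blackholed(text):
    """Return (ip, hostname, reason) for suspicious entries.

    'vendor'    : a known security/update domain is blackholed.
    'blackhole' : any other non-localhost name points at a blackhole address,
                  which catches typo-squatted or unlisted vendor names.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if ip not in BLACKHOLE_ADDRS or name in ("localhost", "localhost.localdomain"):
            continue
        reason = "vendor" if _matches_watchlist(name) else "blackhole"
        findings.append((ip, name, reason))
    return findings


if __name__ == "__main__":
    # On a real Windows host, read C:\Windows\System32\drivers\etc\hosts instead.
    for ip, name, reason in find_blackholed(SAMPLE_HOSTS):
        print(f"{reason:9} {ip:<10} {name}")
```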
  10. Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?

    1. Enable host firewalls.
    2. Install patches for those services.
    3. Turn off the services for each appliance.
    4. Place a network firewall between the devices and the rest of the network.
  11. Tim needs to lock down a Windows workstation that has recently been scanned using nmap with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system’s firewall for externally initiated connections?

    Window shows commands such as host is up (0.00023s latency), not shown: 65524 filtered ports, et cetera, and table shows columns for port, state, and service and rows for 80/tcp, 135/tcp, 139/tcp, et cetera.

    1. He should allow ports 80, 135, 139, and 445.
    2. He should allow ports 80, 445, and 3389.
    3. He should allow ports 135, 139, and 445.
    4. No ports should be open.
  12. What major issue would Charles face if he relied on hashing malware packages to identify malware packages?

    1. Hashing can be spoofed.
    2. Collisions can result in false positives.
    3. Hashing cannot identify unknown malware.
    4. Hashing relies on unencrypted malware samples.
  13. As part of her system hardening process for a Windows 10 workstation, Lauren runs the Microsoft Baseline Security Analyzer. She sees the following result after MBSA runs. What can she determine from this scan?

    Window shows Microsoft Baseline Security Analyzer with columns for score, share, directory, share ACL, and directory ACL.

    1. The system has been compromised, and shares allow all users to read and execute administrative files.
    2. The system has default administrative shares enabled.
    3. The system is part of a domain that uses administrative shares to manage systems.
    4. The shares are properly secured and pose no threat to the system.
  14. Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?

    1. Submit cmd.exe to VirusTotal.
    2. Compare the hash of cmd.exe to a known good version.
    3. Check the file using the National Software Reference Library.
    4. Run cmd.exe to make sure its behavior is normal.
  15. Chris wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Chris accomplish this for Windows 10 Pro workstations?

    1. Using application whitelisting to prevent all unallowed programs from running
    2. Using Windows Defender and adding the game to the blacklist file
    3. By listing in the Blocked Programs list via secpol.msc
    4. You cannot blacklist applications in Windows 10 without a third-party application.
  16. Ian’s company has an internal policy requiring that it perform regular port scans of all of its servers. Ian has been part of a recent effort to move his organization’s servers to an infrastructure as a service provider. What change will Ian most likely need to make to his scanning efforts?

    1. Change scanning software.
    2. Follow the service provider’s scan policies.
    3. Sign a security contract with the provider.
    4. Discontinue port scanning.
  17. Isaac wants to prevent hosts from connecting to known malware distribution domains. What type of solution can he use to do this without deploying endpoint protection software or an IPS?

    1. Route poisoning
    2. Anti-malware router filters
    3. Subdomain whitelisting
    4. DNS blackholing
  18. Senior management in Adam’s company recently read a number of articles about massive ransomware attacks that successfully targeted organizations like the one that Adam is part of. Adam’s organization already uses layered security solutions including a border IPS, firewalls between network zones, local host firewalls, antivirus software, and a configuration management system that applies recommended operating system best practice settings to their workstations. What should Adam recommend to minimize the impact of a similar ransomware outbreak at his organization?

    1. Honeypots
    2. Backups
    3. Anti-malware software
    4. A next-generation firewall appliance
  19. Lauren’s screenshot shows behavioral analysis of the executed code. From this, we can determine that the tool she used is a dynamic analysis sandbox that runs the malware sample to determine what it does while also analyzing the file.

    Diagram shows title labeled signatures and six blocks labeled process attempted to delay analysis task, file has been identified by at least one AntiVirus on VirusTotal as malicious, binary likely contains encrypted or compressed data, creates Alternate Data Stream (ADS), et cetera.

    1. A reverse engineering tool
    2. A static analysis sandbox
    3. A dynamic analysis sandbox
    4. A decompiler sandbox

    Questions 20 through 22 refer to the bare-metal virtualization environment shown here.

    Diagram shows rectangular box with six boxes labeled A, A, A, A, B, and C.
  20. What component is identified by A in the image?

    1. Hypervisor
    2. Host operating system
    3. Guest operating system
    4. Physical hardware
  21. What component is identified by B in the image?

    1. Hypervisor
    2. Host operating system
    3. Guest operating system
    4. Physical hardware
  22. What component is identified by C in the image?

    1. Hypervisor
    2. Host operating system
    3. Guest operating system
    4. Physical hardware
  23. Frank discovers a missing Windows security patch during a vulnerability scan of a server in his organization’s data center. Upon further investigation, he discovers that the system is virtualized. Where should he apply the patch?

    1. To the virtualized system
    2. The patch is not necessary.
    3. To the domain controller
    4. To the virtualization platform
  24. Mike runs a vulnerability scan against his company’s virtualization environment and finds the vulnerability shown here in several of the virtual hosts. What action should Mike take?

    image

    1. No action is necessary because this is an informational report.
    2. Mike should disable HTTP on the affected devices.
    3. Mike should upgrade the version of OpenSSL on the affected devices.
    4. Mike should immediately upgrade the hypervisor.
  25. During a recent vulnerability scan, Ed discovered that a web server running on his network has access to a database server that should be restricted. Both servers are running on his organization’s VMware virtualization platform. Where should Ed look first to configure a security control to restrict this access?

    1. VMware
    2. Data center firewall
    3. Perimeter (Internet) firewall
    4. Intrusion prevention system
  26. Which one of the following protocols might be used within a virtualization platform for monitoring and managing the network?

    1. SNMP
    2. SMTP
    3. BGP
    4. EIGRP
  27. Don completed a vulnerability scan of his organization’s virtualization platform from an external host and discovered the vulnerability shown here. How should Don react?

    Window shows remote management service accepting unencrypted credentials detected with options for first detected (09/04/2015 at 18:04:22 (GMT-0400)), QID:45242, category: information gathering, et cetera.

    1. This is a critical issue that requires immediate adjustment of firewall rules.
    2. This issue has a very low severity and does not require remediation.
    3. This issue should be corrected as time permits.
    4. This is a critical issue, and Don should shut down the platform until it is corrected.
  28. While conducting a vulnerability scan of her organization’s data center, Renee discovers that the management interface for the organization’s virtualization platform is exposed to the scanner. In typical operating circumstances, what is the proper exposure for this interface?

    1. Internet
    2. Internal networks
    3. No exposure
    4. Management network
  29. Angela wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click on files as needed. What type of analysis has Angela performed?

    1. Manual code reversing
    2. Interactive behavior analysis
    3. Static property analysis
    4. Dynamic code analysis
  30. Derek sets up a series of virtual machines that are automatically created in a completely isolated environment. Once created, the systems are used to run potentially malicious software and files. The actions taken by those files and programs are recorded and then reported. What technique is Derek using?

    1. Sandboxing
    2. Reverse engineering
    3. Malware disassembly
    4. Darknet analysis
  31. Ian is reviewing the security architecture shown here. This architecture is designed to connect his local data center with an IaaS service provider that his company is using to provide overflow services. What component can be used at the points marked by question marks to provide a secure encrypted network connection?

    Diagram shows two boxes labeled local data center (internal physical and virtual servers, internal network, internal database servers) on left and IaaS service provider (virtual servers, IaaS provider network, virtual databases) on right where Internet is placed in center between two brick walls.

    1. Firewall
    2. VPN
    3. IPS
    4. DLP
  32. Which one of the following statements is true about virtualized operating systems?

    1. In bare-metal virtualization, all guest operating systems must be the same version.
    2. In bare-metal virtualization, all guest operating systems must be the same platform (e.g., Windows, RedHat, CentOS).
    3. In bare-metal virtualization, the host operating system and guest operating system platforms must be consistent.
    4. None of these statements is correct.
  33. While reviewing output from netstat, John sees the following output. What should his next action be?

    [minesweeper.exe] TCP 127.0.0.1:62522 dynamo:0 LISTENING
    [minesweeper.exe] TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
    
    1. To capture traffic to 151.101.2.69 using Wireshark
    2. To initiate the organization’s incident response plan
    3. To check to see whether 151.101.2.69 is a valid Microsoft address
    4. To ignore it; this is a false positive.
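The netstat output in question 33 can be triaged automatically: flag ESTABLISHED connections to routable addresses made by processes that have no business talking to the Internet. This is an added example, not from the book; the flattened "[process] PROTO LOCAL REMOTE STATE" line layout follows the listing above, and the expected-process baseline and extra sample lines are constructed assumptions.

```python
"""Triage flattened netstat -b style lines for unexpected outbound connections.

Added example (not from the book). Lines follow the "[process] PROTO LOCAL
REMOTE STATE" layout shown in the question; bracketed IPv6 endpoints are not
handled. A game binary with an ESTABLISHED HTTPS session to an external
address is exactly the kind of finding that warrants a closer look.
"""
import ipaddress

# Constructed sample, including the two lines from the question.
SAMPLE_NETSTAT = """\
[minesweeper.exe] TCP 127.0.0.1:62522 dynamo:0 LISTENING
[minesweeper.exe] TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
[chrome.exe] TCP 192.168.1.100:51022 142.250.80.46:https ESTABLISHED
[svchost.exe] TCP 192.168.1.100:49700 192.168.1.10:445 ESTABLISHED
"""

# Processes for which outbound Internet connections are expected (assumed baseline).
EXPECTED_OUTBOUND = {"chrome.exe", "firefox.exe", "outlook.exe", "svchost.exe"}

# Named ports as printed by netstat without -n (assumed subset).
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53, "microsoft-ds": 445}


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port or None); accepts named ports."""
    addr, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None  # local address printed without a port
    if port.isdigit():
        return addr, int(port)
    return addr, SERVICE_PORTS.get(port)


def parse_netstat(text):
    """Yield one dict per well-formed '[proc] PROTO LOCAL REMOTE STATE' line."""
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 5 or not parts[0].startswith("["):
            continue
        proc = parts[0].strip("[]").lower()
        raddr, rport = split_endpoint(parts[3])
        yield {"proc": proc, "proto": parts[1], "local": parts[2],
               "remote_addr": raddr, "remote_port": rport, "state": parts[4]}


def is_external(addr):
    """True if addr is a routable (non-private, non-loopback) IP address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname such as 'dynamo'; cannot classify without resolving
    return ip.is_global


def find_unexpected_outbound(text):
    """Return (proc, remote_addr, remote_port) for ESTABLISHED connections to
    external addresses made by processes outside the expected baseline."""
    hits = []
    for c in parse_netstat(text):
        if c["state"] != "ESTABLISHED" or not is_external(c["remote_addr"]):
            continue
        if c["proc"] not in EXPECTED_OUTBOUND:
            hits.append((c["proc"], c["remote_addr"], c["remote_port"]))
    return hits


if __name__ == "__main__":
    for proc, addr, port in find_unexpected_outbound(SAMPLE_NETSTAT):
        print(f"review: {proc} -> {addr}:{port}")
```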
  34. As Lauren prepares her organization’s security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness?

    1. Attrition
    2. Impersonation
    3. Improper usage
    4. Web
  35. Which one of the following mobile device strategies is most likely to result in the introduction of vulnerable devices to a network?

    1. COPE
    2. TLS
    3. BYOD
    4. MDM
  36. Jarett needs to protect an application server against resource exhaustion attacks. Which of the following techniques is best suited to surviving a large-scale DDoS attack?

    1. Enable application sharding.
    2. Review each query and implement query optimization.
    3. Implement aggressive aging at the organization’s firewall.
    4. Employ a CDN.
  37. Jennifer is an Active Directory domain administrator for her company and knows that a quickly spreading botnet relies on a series of domain names for command and control and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off-site Windows users from connecting to botnet command-and-control systems?

    1. Force a BGP update.
    2. Set up a DNS sinkhole.
    3. Modify the hosts file.
    4. Install an anti-malware application.
  38. Several employees will need to travel with sensitive information on their laptops. Martin is concerned that one of those laptops may be lost or stolen. Which one of the following controls would best protect the data on stolen devices?

    1. FDE
    2. Strong passwords
    3. Cable lock
    4. IPS

    For questions 39–41, please refer to the following scenario.

    Ben is an information security professional at an organization that is replacing its physical servers with virtual machines. As the organization builds its virtual environment, it is decreasing the number of physical servers it uses while purchasing more powerful servers to act as the virtualization platforms.

  39. The IDS Ben is responsible for is used to monitor communications in the data center using a mirrored port on the data center switch. What traffic will Ben see once the majority of servers in the data center have been virtualized?

    1. The same traffic he currently sees
    2. All inter-VM traffic
    3. Only traffic sent outside the VM environment
    4. All inter-hypervisor traffic
  40. The VM administrators recommend enabling cut and paste between virtual machines. What security concern should Ben raise about this practice?

    1. It can cause a denial-of-service condition.
    2. It can serve as a covert channel.
    3. It can allow viruses to spread.
    4. It can bypass authentication controls.
  41. Ben is concerned about exploits that allow VM escape. What option should Ben suggest to help limit the impact of VM escape exploits?

    1. Separate virtual machines onto separate physical hardware based on task or data types.
    2. Use VM escape detection tools on the underlying hypervisor.
    3. Restore machines to their original snapshots on a regular basis.
    4. Use a utility like Tripwire to look for changes in the virtual machines.
  42. Michael is responsible for forensic investigations and is investigating a medium-severity security incident that involved the defacement of a corporate website. The web server in question ran on a virtualization platform, and the marketing team would like to get the website up and running as quickly as possible. What would be the most reasonable next step for Michael to take?

    1. Keep the website offline until the investigation is complete.
    2. Take the virtualization platform offline as evidence.
    3. Take a snapshot of the compromised system and use that for the investigation.
    4. Ignore the incident and focus on quickly restoring the website.
  43. Sonia recently removed an encrypted hard drive from a laptop and moved it to a new device because of a hardware failure. She is having difficulty accessing encrypted content on the drive even though she knows the user’s password. What hardware security feature is likely causing this problem?

    1. TCB
    2. TPM
    3. NIACAP
    4. RSA
  44. In an infrastructure as a service (IaaS) environment where a vendor supplies a customer with access to storage services, who is normally responsible for removing sensitive data from drives that are taken out of service?

    1. Customer’s security team
    2. Customer’s storage team
    3. Customer’s vendor management team
    4. Vendor
  45. Gary is concerned about applying consistent security settings to the many mobile devices used throughout his organization. What technology would best assist with this challenge?

    1. MDM
    2. IPS
    3. IDS
    4. SIEM
  46. In a software as a service cloud computing environment, who is normally responsible for ensuring that appropriate firewall controls are in place to protect the application?

    1. Customer’s security team
    2. Vendor
    3. Customer’s networking team
    4. Customer’s infrastructure management team
  47. Grace would like to implement application control technology in her organization. Users often need to install new applications for research and testing purposes, and she does not want to interfere with that process. At the same time, she would like to block the use of known malicious software. What type of application control would be appropriate in this situation?

    1. Blacklisting
    2. Graylisting
    3. Whitelisting
    4. Bluelisting
  48. In a virtualized computing environment, what component is responsible for enforcing separation between guest machines?

    1. Guest operating system
    2. Hypervisor
    3. Kernel
    4. Protection manager
  49. During a third-party vulnerability scan and security test, Danielle’s employer recently discovered that the embedded systems that were installed to manage her company’s new buildings have a severe remote access vulnerability. The manufacturer has gone out of business, and there is no patch or update for the devices. What should Danielle recommend that her employer do about the hundreds of devices that are vulnerable?

    1. Identify a replacement device model and replace every device
    2. Turn off all the devices
    3. Move the devices to a secured network segment
    4. Reverse engineer the devices and build an in-house patch
  50. Lauren’s networking team has been asked to identify a technology that will allow them to dynamically change the organization’s network by treating the network like code. What type of architecture should she recommend?

    1. A network that follows the 5-4-3 rule
    2. A converged network
    3. A software-defined network
    4. A hypervisor-based network
  51. Ben’s organization has had an issue with unauthorized access to applications and workstations during the lunch hour when employees aren’t at their desks. What are the best types of session management solutions for Ben to recommend to help prevent this type of access?

    1. Use session IDs for all access and verify system IP addresses of all workstations.
    2. Set session timeouts for applications and use password-protected screensavers with inactivity timeouts on workstations.
    3. Use session IDs for all applications and use password-protected screensavers with inactivity timeouts on workstations.
    4. Set session timeouts for applications and verify system IP addresses of all workstations.
  52. Harold recently added an input validation routine to a web application that is designed to remove any instances of the <SCRIPT> tag in user input. What type of attack is Harold attempting to mitigate?

    1. SQL injection
    2. CSRF
    3. XSS
    4. Man-in-the-middle
  53. Under what virtualization model does the virtualization platform separate the network control plane from the data plane and replace complex network devices with simpler devices that simply receive instructions from the controller?

    1. Virtual machines
    2. VSAN
    3. VLAN
    4. SDN
  54. Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?

    1. Hotfix
    2. Update
    3. Security fix
    4. Service pack
  55. Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own data center but also leverages an IaaS provider for hosting its web services and an SaaS email system. What term best describes the type of cloud environment this organization uses?

    1. Public cloud
    2. Dedicated cloud
    3. Private cloud
    4. Hybrid cloud
  56. Mark is considering replacing his organization’s customer relationship management (CRM) solution with a new product that is available in the cloud. This new solution is completely managed by the vendor, and Mark’s company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?

    1. IaaS
    2. CaaS
    3. PaaS
    4. SaaS
  57. Which one of the following statements best describes a zero-day vulnerability?

    1. An attacker who is new to the world of hacking
    2. A database attack that places the date 00/00/0000 in data tables in an attempt to exploit flaws in business logic
    3. An attack previously unknown to the security community
    4. An attack that sets the operating system date and time to 00/00/0000 and 00:00:00
  58. Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident?

    1. NIDS
    2. Firewall
    3. HIDS
    4. DLP
  59. Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place?

    1. Denial-of-service
    2. Privilege escalation
    3. Reconnaissance
    4. Brute force
  60. Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger’s firm?

    1. Configuring the network firewall
    2. Applying hypervisor updates
    3. Patching operating systems
    4. Wiping drives prior to disposal
  61. Renee is a software developer who writes code in Node.js for her organization. The company is considering moving from a self-hosted Node.js environment to one where Renee will run her code on application servers managed by a cloud vendor. What type of cloud solution is Renee’s company considering?

    1. IaaS
    2. CaaS
    3. PaaS
    4. SaaS
  62. Lauren wants to ensure that her users run only the software that her organization has approved. What technology should she deploy?

    1. Blacklisting
    2. Configuration management
    3. Whitelisting
    4. Graylisting
  63. Which one of the following files is most likely to contain a macro virus?

    1. projections.doc
    2. command.com
    3. command.exe
    4. loopmaster.exe
  64. What type of malware is characterized by spreading from system to system under its own power by exploiting vulnerabilities that do not require user intervention?

    1. Trojan horse
    2. Virus
    3. Logic bomb
    4. Worm
  65. Martin is inspecting a system where the user reported unusual activity, including disk activity when the system is idle, and abnormal CPU and network usage. He suspects that the machine is infected by a virus but scans come up clean. What malware technique might be in use here that would explain the clean scan results?

    1. File infector virus
    2. MBR virus
    3. Service injection virus
    4. Stealth virus
  66. TJ is inspecting a system where the user reported a strange error message and the inability to access files. He sees the window shown here. What type of malware should TJ suspect?

    Window shows dialog box of CryptoLocker with heading which reads your personal files are encrypted and description box filled with other information with button labeled next on bottom.

    1. Service injection
    2. Encrypted virus
    3. SQL injection
    4. Ransomware