
Question 1:

The Pass Certs Fast corporation has recently been embarrassed by several high-profile
data breaches. The CIO proposes improving the company's cybersecurity posture by
migrating images of all the current servers and infrastructure into a cloud-based
environment. What, if any, is the flaw in moving forward with this approach?

A. This approach assumes that the cloud will provide better security than is currently done
on-site
B. This approach only changes the location of the network and not the attack surface of it
C. The company has already paid for the physical servers and will not fully realize their ROI
on them due to the migration
D. This is a reasonable approach that will increase the security of the servers and
infrastructure

Question 2:

You are conducting a review of a VPN device's logs and find the following URL being
accessed:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

https://sslvpn/dana-na/../diontraining/html5acc/teach/../../../../../../etc/passwd?/diontraining/html5acc/teach/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based upon this log entry alone, which of the following most likely occurred?

A. The /etc/passwd file was downloaded using a directory traversal attack
B. An XML injection attack caused the VPN server to return the password file
C. The /etc/passwd file was downloaded using a directory traversal attack if input validation
of the URL was not conducted
D. An SQL injection attack caused the VPN server to return the password file

Question 3:
You are analyzing the SIEM for your company's e-commerce server when you notice the
following URL in the logs of your SIEM:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this line, what type of attack do you expect has been attempted?

A. SQL injection
B. Buffer overflow
C. XML injection
D. Session hijacking

Question 4:

Recently, you discovered an unauthorized device during a search of your corporate
network. The device allows nearby wireless hosts to access the corporate network's
resources. What type of attack is being utilized?

A. Bluesnarfing
B. Bluejacking
C. IV attack
D. Rogue access point

Question 5:

What kind of attack is an example of IP spoofing?

A. SQL injections
B. Man-in-the-middle
C. Cross-site scripting
D. ARP poisoning
Question 6:

A cybersecurity analyst is reviewing the logs of a proxy server and sees the following URLs:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

https://test.diontraining.com/profile.php?userid=1546

https://test.diontraining.com/profile.php?userid=5482

https://test.diontraining.com/profile.php?userid=3618

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of vulnerability does this website have?

A. Race condition
B. Insecure direct object reference
C. Improper error handling
D. Weak or default configurations

Question 7:

During a penetration test, you find a hash value related to malware associated with an
APT. What best describes what you have found?

A. Indicator of compromise
B. Botnet
C. SQL injection
D. XSRF

Question 8:

A cybersecurity analyst has received an alert that sensors continuously observe well-known
call home messages at their network boundary. Still, the organization's proxy firewall is
properly configured to successfully drop the messages before leaving the network. Which
of the following is MOST likely the cause of the call home messages being sent?

A. An attacker is performing reconnaissance of the organization's workstations
B. An infected workstation is attempting to reach a command and control server
C. A malicious insider is trying to exfiltrate information to a remote network
D. Malware is running on a company workstation or server

Question 9:

A user has reported that their workstation is running very slowly. A technician begins to
investigate the issue and notices a lot of unknown processes running in the background.
The technician determines that the user has recently downloaded a new application from
the internet and may have become infected with malware. Which of the following types of
infections does the workstation MOST likely have?

A. Rootkit
B. Keylogger
C. Trojan
D. Ransomware

Question 10:
(Sample Simulation – On the real exam for this type of question, you might receive a list of
attack vectors and targets. Based on these, you would select the type of attack that
occurred.)

(1) An attacker has been collecting credit card details by calling victims and using false
pretexts to trick them.

(2) An attacker sends an email to 100,000 random email addresses. The email claims that
“Your Bank of America account is locked out. Please click here to reset your password.”

What types of attacks have occurred in (1) and (2)?

A. (1) Vishing and (2) Phishing
B. (1) Spearphishing and (2) Pharming
C. (1) Hoax and (2) Spearphishing
D. (1) Pharming and (2) Phishing

Question 11:
You have just finished running a vulnerability scan of the network and are reviewing the
results. The first result in the report shows the following vulnerability:

You log into the MySQL server and verify that you are currently running version 3.5.3.
Based on the item shown on the image, what best describes how you should categorize this
finding?

A. True negative
B. True positive
C. False negative
D. False positive

Question 12:

A new smartphone supports users' ability to transfer a photograph by simply placing their
phones near each other and "tapping" the two phones together. What type of technology
does this most likely rely on?

A. NFC
B. RF
C. IR
D. BT

Question 13:

Jennifer decided that the licensing cost for a piece of video editing software was too
expensive. Instead, she decided to download a keygen program to generate her own license
key and install a pirated version of the editing software. After she runs the keygen, a license
key is created, but her system performance becomes very sluggish, and her antimalware
suite begins to display numerous alerts. Which type of malware might her computer be
infected with?

A. Worm
B. Trojan
C. Adware
D. Logic bomb

Question 14:

You have been asked to determine if Dion Training’s web server is vulnerable to a recently
discovered attack on an older version of SSH. Which technique should you use to
determine the current version of SSH running on their web server?

A. Vulnerability scan
B. Protocol analysis
C. Passive scan
D. Banner grabbing

Question 15:

Barbara received a phone call from a colleague asking why she sent him an email with lewd
and unusual content. Barbara doesn't remember sending the email to the colleague. What
is Barbara MOST likely the victim of?

A. Spear phishing
B. Ransomware
C. Phishing
D. Hijacked email

Question 16:

A cybersecurity analyst is working at a college that wants to increase its network's security
by implementing vulnerability scans of centrally managed workstations, student laptops,
and faculty laptops. Any proposed solution must scale up and down as new students and
faculty use the network. Additionally, the analyst wants to minimize the number of false
positives to ensure accuracy in their results. The chosen solution must also be centrally-
managed through an enterprise console. Which of the following scanning topologies would
be BEST able to meet these requirements?

A. Passive scanning engine located at the core of the network infrastructure
B. Combination of cloud-based and server-based scanning engines
C. Combination of server-based and agent-based scanning engines
D. Active scanning engine installed on the enterprise console

Question 17:

A penetration tester has been hired to conduct an assessment, but the company wants to
exclude social engineering from the list of authorized activities. Which of the following
documents would include this limitation?

A. Acceptable use policy
B. Service level agreement
C. Rules of engagement
D. Memorandum of understanding

Question 18:

While performing a vulnerability scan, Christina discovered an administrative interface to
a storage system is exposed to the internet. She looks through the firewall logs and attempts
to determine whether any access attempts have occurred from external sources. Which of
the following IP addresses in the firewall logs would indicate a connection attempt from an
external source?

A. 10.15.1.100
B. 192.186.1.100
C. 172.16.1.100
D. 192.168.1.100

Question 19:

Which of the following vulnerability scans would provide the best results if you want to
determine if the target's configuration settings are ?

A. Non-credentialed scan
B. Credentialed scan
C. External scan
D. Internal scan

Question 20:

Which of the following cryptographic algorithms is classified as symmetric?

A. ECC
B. Blowfish
C. PGP
D. RSA

Question 21:

You were conducting a forensic analysis of an iPad backup and discovered that only some
of the information is within the backup file. Which of the following best explains why some
of the data is missing?

A. The backup was interrupted
B. The backup is encrypted
C. The backup is a differential backup
D. The backup is stored in iCloud

Question 22:

Dion Training has just suffered a website defacement of its public-facing webserver. The
CEO believes the company’s biggest competitor may have done this act of vandalism. The
decision has been made to contact law enforcement so that evidence can be collected
properly for use in a potential court case. Laura is a digital forensics investigator assigned
to collect the evidence. She creates a bit-by-bit disk image of the web server’s hard drive as
part of her evidence collection. What technology should Laura use after creating the disk
image to verify the copy's data integrity matches that of the original web server’s hard
disk?

A. SHA-256
B. RSA
C. AES
D. 3DES

Question 23:

Which of the following types of threats did the Stuxnet attack rely on to cross an airgap
between a business and an industrial control system network?

A. Directory traversal
B. Cross-site scripting
C. Removable media
D. Session hijacking

Question 24:

Your company has decided to move all of its data into the cloud. Your company is small
and has decided to purchase some on-demand cloud storage resources from a commercial
provider (such as Google Drive) as its primary cloud storage solution. Which of the
following types of clouds is your company using?

A. Hybrid
B. Private
C. Public
D. Community

Question 25:

Which of the following cryptographic algorithms is classified as asymmetric?

A. ECC
B. RC4
C. Twofish
D. DES

Question 26:
(Sample Simulation – On the real exam for this type of question, you would be required to
drag and drop the authentication factor into the spot for the  category.)
How would you appropriately categorize the authentication method being displayed here?

A. Fingerprint, PIN, GPS Coordinates, Smart Card, Signature
B. PIN, Smart Card, Fingerprint, Signature, GPS Coordinates
C. Smart card, Signature, GPS Coordinates, PIN, Fingerprint
D. PIN, Signature, Fingerprint, Smart Card, GPS Coordinates

Question 27:
(Sample Simulation – On the real exam for this type of question, you would receive 3-5
pictures and be asked to drag and drop them into place next to the  term.)

How would you appropriately categorize the authentication method being displayed here?
(Note: the hardware token is being used by itself for authentication.)

A. Biometric authentication
B. One-time password authentication
C. Multifactor authentication
D. PAP authentication

Question 28:

Which of the following describes the overall accuracy of a biometric authentication system?

A. False acceptance rate
B. False positive rate
C. False rejection rate
D. Crossover error rate

Explanation

OBJ-2.4: The Crossover Error Rate (CER) describes the point where the False Reject Rate
(FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate
(EER). The Crossover Error Rate describes the overall accuracy of a biometric system.

Question 29:

Which of the following describes the security method used when users enter their username
and password only once and gain access to multiple applications?

A. SSO
B. Permission propagation
C. Inheritance
D. Multifactor authentication

Question 30:

You are working for a government contractor who requires all users to use a PIV device
when sending digitally signed and encrypted emails. Which of the following physical
security measures is being implemented?

A. Smart card
B. Key fob
C. Biometric reader
D. Cable lock

Question 31:

Which of the following cryptographic algorithms is classified as asymmetric?

A. AES
B. RC4
C. Diffie-Hellman
D. Blowfish

Question 32:

An electronics store was recently the victim of a robbery where an employee was injured,
and some property was stolen. The store's IT department hired an external supplier to
expand its network to include a physical access control system. The system has video
surveillance, intruder alarms, and remotely monitored locks using an appliance-based
system. Which of the following long-term cybersecurity risks might occur based on these
actions?

A. There are no new risks due to the install and the company has a stronger physical security
posture
B. These devices should be isolated from the rest of the enterprise network
C. These devices should be scanned for viruses before installation
D. These devices are insecure and should be isolated from the internet

Question 33:

Aymen is creating a procedure for the remediation of vulnerabilities discovered within his
organization. He wants to ensure that any vendor patches are tested before deploying them
into the production environment. What type of environment should his organization
establish?

A. Staging
B. Honeypot
C. Honeynet
D. Development

Question 34:

When conducting forensic analysis of a hard drive, what tool would BEST prevent
changing the hard drive contents during your analysis?

A. Forensic drive duplicator
B. Hardware write blocker
C. Software write blocker
D. Degausser

Question 35:

You have just completed identifying, analyzing, and containing an incident. You have
verified that the company uses self-encrypting drives as part of its default configuration.
As you begin the eradication and recovery phase, you must sanitize the storage devices'
data before restoring the data from known-good backups. Which of the following methods
would be the most efficient to use to sanitize the affected hard drives?

A. Incinerate and replace the storage devices
B. Conduct zero-fill on the storage devices
C. Use a secure erase (SE) utility on the storage devices
D. Perform a cryptographic erase (CE) on the storage devices

Question 36:

Which of the following policies should contain the requirements for removing a user's
access when an employee is terminated?

A. Data ownership policy
B. Data classification policy
C. Data retention policy
D. Account management policy

Question 37:

Which of the following types of data breaches would require that the US Department of
Health and Human Services and the media be notified if more than 500 individuals are
affected by a data breach?

A. Credit card information
B. Protected health information
C. Personally identifiable information
D. Trade secret information

Question 38:

(Sample Simulation – On the real exam for this type of question, you would have to
rearrange the steps into the proper order by dragging and dropping them into place.)
What is the  order of the Incident Response process?

A. Identification, Containment, Eradication, Preparation, Recovery, and Lessons Learned
B. Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
C. Containment, Eradication, Identification, Lessons learned, Preparation, and Recovery
D. Lessons Learned, Recovery, Preparation, Identification, Containment, and Eradication

Question 39:

Which analysis framework provides the most explicit detail regarding how to mitigate or
detect a given threat?

A. MITRE ATT&CK framework
B. Diamond Model of Intrusion Analysis
C. Lockheed Martin cyber kill chain
D. OpenIOC

Question 40:

You are working as a security administrator and need to respond to an ongoing
spearphishing campaign against your organization. Which of the following should be used
as a checklist of actions to perform to detect and respond to this particular incident?

A. Runbook
B. Incident response plan
C. Playbook
D. DRP

Question 41:
(Sample Simulation – On the real exam for this type of question, you would have access to
the log files to determine which server on a network might have been affected, and then
choose the appropriate actions.) 

A cybersecurity analyst has determined that an attack has occurred against your
company’s network. Fortunately, your company uses a good logging system with a
centralized Syslog server, so all the logs are available, collected, and stored properly.
According to the cybersecurity analyst, the logs indicate that the database server was the
only company server on the network that appears to have been attacked. The network is a
critical production network for your organization. Therefore, you have been asked to
choose the LEAST disruptive actions on the network while performing the appropriate
incident response actions. Which actions do you recommend as part of the response
efforts?

A. Capture network traffic using a sniffer, schedule a period of downtime to image and
remediate the affected server, and maintain the chain of custody
B. Isolate the affected server from the network immediately, format the database server,
reinstall from a known good backup
C. Immediately remove the database server from the network, create an image of its hard
disk, and maintain the chain of custody
D. Conduct a system restore of the database server, image the hard drive, and maintain the
chain of custody
Question 42:

Which of the following actions should be done FIRST after forensically imaging a hard
drive for evidence in an investigation?

A. Digitally sign the image file to provide non-repudiation of the collection
B. Encrypt the source drive to ensure an attacker cannot modify its contents
C. Create a hash digest of the source drive and the image file to ensure they match
D. Encrypt the image file to ensure it maintains data integrity

Question 43:

When you are managing a risk, what is considered an acceptable option?

A. Reject it
B. Deny it
C. Mitigate it
D. Initiate it

Question 44:

What should be done NEXT if the final set of security controls does not eliminate all of the
risks in a given system?

A. You should continue to apply additional controls until there is zero risk
B. You should ignore any remaining risk
C. You should accept the risk if the residual risk is low enough
D. You should remove the current controls since they are not completely effective

Question 45:

When you purchase an exam voucher at diontraining.com, the system only collects your
name, email, and credit card information. Which of the following privacy methods is being
used by Dion Training?

A. Data masking
B. Tokenization
C. Data minimization
D. Anonymization

Question 46:

Your organization is updating its incident response communications plan. A business
analyst in the working group recommends that if the company discovers they are the
victims of a data breach, they should only notify the affected parties to minimize media
attention and bad publicity. Which of the following recommendations do you provide in
response to the business analyst’s statement?

A. The first responder should contact law enforcement upon confirmation of a security
incident in order for a forensic team to preserve the chain of custody
B. Guidance from laws and regulations should be considered when deciding who must be
notified in order to avoid fines and judgments from non-compliance
C. An externally hosted website should be prepared in advance to ensure that when an
incident occurs, victims have timely access to notifications from a non-compromised
resource
D. The Human Resources department should have information security personnel who are
involved in the investigation of the incident sign non-disclosure agreements so the
company cannot be held liable for customer data that is viewed during an investigation
Question 47:

What is the term for the amount of risk that an organization is willing to accept or
tolerate?

A. Risk appetite
B. Risk avoidance
C. Risk deterrence
D. Risk transference

Question 48:

Christina is auditing the security procedures related to the use of a cloud-based online
payment service. She notices that the access permissions are set so that a single person can
not add funds to the account and transfer funds out of the account. What security principle
is most closely related to this scenario?

A. Least privilege
B. Security through obscurity
C. Separation of duties
D. Dual control authentication

Question 49:

You are applying for a job at a cybersecurity firm. The application requests that you enter
your social security number, date of birth, and email address to conduct a background
check as part of the hiring process. Which of the following types of information have you
been asked to provide?

A. PHI
B. IP
C. PII
D. CUI

Question 50:

Which of the following terms is used to describe the period of time following a disaster that
an individual IT system may remain offline?

A. RPO
B. MTTR
C. RTO
D. MTBF

Question 51:

Your organization is updating its Acceptable Use Policy (AUP) to implement a new
password standard that requires a guest's wireless devices to be sponsored before receiving
authentication. Which of the following should be added to the AUP to support this new
requirement?

A. Sponsored guest passwords must be at least 14 alphanumeric characters containing a
mixture of uppercase, lowercase, and special characters
B. Open authentication standards should be implemented on all wireless infrastructure
C. All guests must provide valid identification when registering their wireless devices for
use on the network
D. Network authentication of all guest users should occur using the 802.1x protocol as
authenticated by a RADIUS server

Question 52:

You are attempting to prioritize your vulnerability scans based on the data's criticality.
This will be determined by the asset value of the data contained in each system. Which of
the following would be the most appropriate metric to use in this prioritization?

A. Cost of acquisition of the system
B. Cost of hardware replacement of the system
C. Type of data processed by the system
D. Depreciated hardware cost of the system

Question 53:

Dion Training is concerned with the possibility of a data breach causing a financial loss to
the company. After performing a risk analysis, the COO decides to purchase data breach
insurance to protect the company in the event of an incident. Which of the following best
describes the company's risk response?

A. Avoidance
B. Transference
C. Acceptance
D. Mitigation

Question 54:

Which of the following is not considered an authentication factor?

A. Something you know
B. Something you are
C. Something you have
D. Something you want

Question 55:

Which type of threat actor can accidentally or inadvertently cause a security incident in
your organization?

A. Insider threat
B. Hacktivist
C. Organized Crime
D. APT

Question 56:

An analyst reviews the logs from the network and notices that there have been multiple
attempts from the open wireless network to access the networked HVAC control system.
The open wireless network must remain openly available so that visitors can access the
internet. How can this type of attack be prevented from occurring in the future?

A. Implement a VLAN to separate the HVAC control system from the open wireless
network
B. Install an IDS to protect the HVAC system
C. Enable NAC on the open wireless network
D. Enable WPA2 security on the open wireless network

Question 57:

The digital certificate on the Dion Training web server is about to expire. Which of the
following should Jason submit to the CA in order to renew the server's certificate?

A. OCSP
B. CSR
C. Key escrow
D. CRL

Question 58:

Which authentication mechanism does 802.1x usually rely upon?

A. HOTP
B. EAP
C. TOTP
D. RSA

Question 59:

Dion Training utilizes a wired network throughout the building to provide network
connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall
jack in the lobby and access the corporate network. What technology should be utilized to
prevent users from gaining access to network resources if they can plug their laptops into
the network?

A. UTM
B. NAC
C. DMZ
D. VPN

Question 60:

You are trying to select the best device to install to proactively stop outside attackers from
reaching your internal network. Which of the following devices would be the BEST for you
to select?

A. IDS
B. IPS
C. Proxy server
D. Syslog server

Question 61:

A cybersecurity analyst is working for a university that is conducting a big data medical
research project. The analyst is concerned about the possibility of an inadvertent release of
PHI data. Which of the following strategies should be used to prevent this?

A. Use DevSecOps to build the application that processes the PHI
B. Utilize formal methods of verification against the application processing the PHI
C. Utilize a SaaS model to process the PHI data instead of an on-premise solution
D. Conduct tokenization of the PHI data before ingesting it into the big data application

Question 62:

Jason has installed multiple virtual machines on a single physical server. He needs to
ensure that the traffic is logically separated between each virtual machine. How can Jason
best implement this requirement?

A. Configure a virtual switch on the physical server and create VLANs
B. Conduct system partitioning on the physical server to ensure the virtual disk images are
on different partitions
C. Create a virtual router and disable the spanning tree protocol
D. Install a virtual firewall and establish an access control list
Question 63:

A web developer wants to protect their new web application from a man-in-the-middle
attack. Which of the following controls would best prevent an attacker from stealing tokens
stored in cookies?

A. Forcing the use of TLS for the web application
B. Forcing the use of SSL for the web application
C. Setting the secure attribute on the cookie
D. Hashing the cookie value

Question 64:

A software assurance laboratory performs a dynamic assessment on an application by
automatically generating random data sets and inputting them in an attempt to cause an
error or failure condition. Which of the following is the laboratory performing?

A. Fuzzing
B. Stress testing
C. User acceptance testing
D. Security regression testing

Question 65:

David noticed that port 3389 was open on one of the POS terminals in a store during a
scheduled PCI compliance scan. Based on the scan results, what service should he expect to
find enabled on this terminal?

A. MySQL
B. RDP
C. LDAP
D. IMAP
Question 66:

Your company wants to provide a secure SSO solution for accessing both the corporate
wireless network and its network resources. Which of the following technologies should be
used?

A. WPA2
B. WEP
C. WPS
D. RADIUS

Question 67:

You are working as a network administrator for Dion Training. The company has decided
to allow employees to connect their devices to the corporate wireless network under a new
BYOD policy. You have been asked to separate the corporate network into an
administrative network (for corporate-owned devices) and an untrusted network (for
employee-owned devices). Which of the following technologies should you implement to
achieve this goal?

A. VPN
B. VLAN
C. WPA2
D. MAC filtering

Question 68:

A corporate workstation was recently infected with malware. The malware was able to
access the workstation's credential store and steal all the usernames and passwords from
the machine. Then, the malware began to infect other workstations on the network using
the usernames and passwords it stole from the first workstation. The IT Director has
directed its IT staff to develop a plan to prevent this issue from occurring again. Which of
the following would BEST prevent this from reoccurring?

A. Install a host-based intrusion detection system on all of the corporate workstations
B. Install an anti-virus or anti-malware solution that uses heuristic analysis
C. Install a Unified Threat Management system on the network to monitor for suspicious
traffic
D. Monitor all workstations for failed login attempts and forward them to a centralized
SYSLOG server

Question 69:

Windows file servers commonly hold sensitive files, databases, passwords, and more. What
common vulnerability is usually used against a Windows file server to expose sensitive files,
databases, and passwords?

A. Cross-site scripting
B. SQL injection
C. Missing patches
D. CRLF injection

Question 70:

You are configuring the ACL for the network perimeter firewall. You have just finished
adding all the proper allow and deny rules. What should you place at the end of your ACL
rules?

A. An implicit allow statement
B. An implicit deny statement
C. A time of day restriction
D. An SNMP deny string

Question 71:

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this
has begun to approach full utilization at various times of the day. If the security team does
not have additional money in their budget to purchase a more capable collector, which of
the following options could they use to collect useful data?

A. Enable QoS
B. Enable NetFlow compression
C. Enable sampling of the data
D. Enable full packet capture

Question 72:

Which of the following access control methods utilizes a set of organizational roles in which
users are assigned to gain permissions and access rights?

A. MAC
B. RBAC
C. DAC
D. ABAC

Question 73:

Ryan needs to verify the installation of a critical Windows patch on his organization's
workstations. Which method would be the most efficient to validate the current patch
status for all of the organization's Windows 10 workstations?

A. Check the Update History manually
B. Conduct a registry scan of each workstation to validate the patch was installed
C. Create and run a PowerShell script to search for the specific patch in question
D. Use SCCM to validate patch status for each machine on the domain

Question 74:

Which of the following authentication protocols was developed by Cisco to provide
authentication, authorization, and accounting services?

A. RADIUS
B. CHAP
C. TACACS+
D. Kerberos

Question 75:

Dion Training wants to ensure that none of its computers can run a peer-to-peer file-
sharing program on its office computers. Which of the following practices should be
implemented to achieve this?

A. Application whitelisting
B. Enable NAC
C. Application blacklisting
D. MAC filtering

Question 76:

What containment technique is the strongest possible response to an incident?

A. Segmentation
B. Isolating affected systems
C. Isolating the attacker
D. Enumeration

Question 77:

Which of the following utilizes a well-written set of carefully developed and tested scripts to
orchestrate runbooks and generate consistent server builds across an enterprise?

A. Software as a Service (SaaS)
B. Infrastructure as a Service (IaaS)
C. Infrastructure as Code (IaC)
D. Software Defined Networking (SDN)

Question 78:

Which of the following elements is LEAST likely to be included in an organization's data
retention policy?

A. Minimum retention period
B. Maximum retention period
C. Description of information that needs to be retained
D. Classification of information

Question 79:

Which of the following proprietary tools is used to create forensic disk images without
making changes to the original evidence?

A. FTK Imager
B. dd
C. Memdump
D. Autopsy

Question 80:

A cybersecurity analyst conducts an incident response at a government agency when she
discovers that attackers had exfiltrated PII. Which of the following types of breaches has
occurred?

A. Financial breach
B. Privacy breach
C. Proprietary breach
D. Integrity breach
