CompTIA Security+ SY0-601 – Question610

Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company's final software releases? (Choose two.)

A. Unsecure protocols
B. Use of penetration-testing utilities
C. Weak passwords
D. Included third-party libraries
E. Vendors/supply chain
F. Outdated anti-malware software

Correct Answer: DE

CompTIA Security+ SY0-601 – Question609

An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period. Which of the following data policies is the administrator carrying out?

A. Compromise
B. Retention
C. Analysis
D. Transfer
E. Inventory

Correct Answer: B

CompTIA Security+ SY0-601 – Question608

An organization experiences a cybersecurity incident involving a command-and-control server. Which of the following logs should be analyzed to identify the impacted host? (Choose two.)

A. Application
B. Authentication
C. Error
D. Network
E. Firewall
F. System

Correct Answer: DE

CompTIA Security+ SY0-601 – Question607

A company is expanding its threat surface program and allowing individuals to security test the company's internet-facing application. The company will compensate researchers based on the vulnerabilities discovered.
Which of the following best describes the program the company is setting up?

A. Open-source intelligence
B. Bug bounty
C. Red team
D. Penetration testing

Correct Answer: B

CompTIA Security+ SY0-601 – Question606

A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing?

A. Cross-site scripting
B. Buffer overflow
C. Jailbreaking
D. Side loading

Correct Answer: C

CompTIA Security+ SY0-601 – Question605

An organization would like to store customer data on a separate part of the network that is not accessible to users on the main corporate network. Which of the following should the administrator use to accomplish this goal?

A. Segmentation
B. Isolation
C. Patching
D. Encryption

Correct Answer: B

CompTIA Security+ SY0-601 – Question604

Which of the following examples would be best mitigated by input sanitization?

A. <script>alert("Warning!");</script>
B. nmap -p- 10.11.1.130
C. Email message: "Click this link to get your free gift card."
D. Browser message: "Your connection is not private."

Correct Answer: A

CompTIA Security+ SY0-601 – Question603

A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional under-voltage events that could last up to an hour exists, particularly at one of the locations near an industrial smelter. Which of the following is the best solution to reduce the risk of data loss?

A. Dual supply
B. Generator
C. PDU
D. Daily backups

Correct Answer: B

CompTIA Security+ SY0-601 – Question601

Which of the following has been implemented when a host-based firewall on a legacy Linux system allows connections from only specific internal IP addresses?

A. Compensating control
B. Network segmentation
C. Transfer of risk
D. SNMP traps

Correct Answer: B