220-1102 domain

Security

Use this page to practise 220-1102 Security practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

247 questions


What the exam tests

What to know about Security

Security questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Question index

All Security questions (247)


1

A helpdesk technician receives a call from a user who reports that their antivirus software is disabled and cannot be re-enabled. Additionally, the user's files have been renamed with a '.encrypted' extension. Which type of malware is most likely responsible?

2

A small business owner calls a technician after discovering that all files on their Windows 10 workstation have been renamed with a '.crypt' extension. A ransom note demands payment in Bitcoin within 72 hours or the files will be permanently lost. The business has no recent backups. Which action should the technician take FIRST?

3

A user receives an email that appears to be from their bank, stating that their account has been compromised and they must click a link to verify their identity. The user notices the sender's email address does not match the bank's official domain. What is the BEST immediate action for the user to take?

4

A security administrator notices that a user's workstation is sending outbound traffic to a known malicious IP address at regular intervals. The user reports no unusual activity. The technician has already run a full antivirus scan with no detections. Which of the following should the technician do NEXT to investigate the persistent network connection?

5

A user reports that their Windows 10 workstation suddenly cannot access any network resources. A technician remotely views the system and notices a popup that mimics a Windows Security alert, stating the system is infected. The technician checks the IP configuration and sees the workstation has an APIPA address (169.254.x.x). The network adapter shows no physical link issues. Which of the following is the MOST likely cause of the issue?

6

A security audit reveals that a legacy application running on a Windows 10 workstation transmits sensitive data over an unencrypted protocol. The application is critical for business operations and cannot be updated or replaced. The workstation is located in a secured server room with restricted physical access. Which of the following would BEST mitigate the risk of data interception for this legacy application?

7

A security analyst discovers that an employee's workstation is infected with a rootkit. The technician has attempted to remove the rootkit using standard antivirus and anti-malware tools, but the rootkit persists after each reboot. Which of the following is the MOST effective next step to eradicate the rootkit?

8

A help desk technician receives a call from an employee who says they just received a phone call from someone claiming to be from the company's IT department. The caller stated there was a security breach and needed the employee's password to 'verify their account.' The employee did not provide the password but is now concerned. Which of the following BEST describes this type of social engineering attack, and what should the technician advise the employee to do NEXT?

9

A technician removes a ransomware popup from a user's Windows 10 workstation by booting into Safe Mode with Networking and running a malware scan. After a successful removal and reboot, the popup is gone, but the user's browser homepage has changed and several unwanted browser extensions are present. Which of the following should the technician do NEXT?

10

A help desk technician receives a call from a user who received an email with an attachment labeled 'Invoice_2024.exe'. The user opened the attachment, but nothing appeared to happen. The email appeared to come from a known vendor, but the sender's email address contains misspellings. Which of the following BEST describes this type of attack, and what should the technician advise the user to do NEXT?

11

A company's file server was infected with ransomware, and all files were encrypted. The IT team has daily backups stored on a separate network-attached storage (NAS) appliance. However, the backups were also encrypted because the backup service account had full write permissions to the NAS share. The backup account was a domain administrator account. Which of the following should the organization implement to BEST prevent this scenario from recurring?

12

A security technician has reimaged a user's Windows 10 workstation twice using a standard company image, but the machine continues to exhibit symptoms of a rootkit infection after each reimage. The technician has verified that the removable media used to deploy the image is clean and that the network boot server is not compromised. Which of the following is the MOST likely reason the rootkit persists?

13

An employee finds a USB flash drive in the company parking lot and inserts it into their workstation out of curiosity. Immediately, the system begins exhibiting unusual behavior, including pop-ups and slowdowns. Which type of social engineering attack is this an example of?

14

A company wants to implement multi-factor authentication (MFA) for remote access to its VPN. Which of the following combinations represents a valid MFA setup?

15

A security analyst discovers that a user's workstation has been infected with a keylogger delivered via a phishing email. The keylogger has captured the user's login credentials for several corporate systems. According to incident response best practices, which of the following should the analyst do FIRST?

16

A technician observes an individual closely following an employee through a secured door that requires a badge swipe. The individual does not use a badge and enters behind the employee. Which social engineering technique is being exhibited?

17

The IT director wants to ensure that all HR workstations are consistently configured with the same security settings, such as password policies and firewall rules. The workstations are all running Windows 10 Pro and are part of an Active Directory domain. Which method should the technician use to enforce these settings automatically?

18

A user receives an email that appears to be from their bank, warning about a fraudulent transaction. The email contains an attachment named 'Statement.docm'. When the user attempts to open the attachment, Windows Defender detects and quarantines a Trojan. Which of the following BEST describes the attack vector that was prevented?

19

A company wants to enforce stronger password policies on all domain-joined Windows 10 workstations. The IT administrator configures a Group Policy Object (GPO) in Active Directory that requires a minimum password length of 12 characters and a password history of 10. After applying the GPO, several users report they can still set passwords with only 8 characters. Which of the following is the MOST likely cause?

20

A security analyst reviews logs after a ransomware incident. The infection started on a user's workstation and spread to network shares using the user's credentials. The user had been granted local administrator rights on their workstation six months ago for a software installation, and the rights were never removed. Which security principle was most directly violated?

21

A user's web browser frequently redirects to unfamiliar search engines and displays persistent pop-up ads. The technician runs a full antivirus scan, which removes several threats, but the behavior continues. Upon inspection, the technician finds that the browser's proxy settings have been altered. Which type of malware is most likely responsible?

22

A company's receptionist receives a phone call from someone claiming to be from the IT help desk. The caller states there is a critical security issue with the receptionist's computer and requests the receptionist's username and password to fix it remotely. Which type of social engineering attack is this?

23

A user receives a phone call from an individual claiming to be from the company's IT security team. The caller states there is a breach and asks the user to verify their account by providing their username and password. Which social engineering technique is being used?

24

A company policy requires that all mobile devices used for work be managed via Microsoft Intune. An employee loses a company-issued smartphone. The IT administrator needs to remotely wipe the device to prevent data loss. Which prerequisite must have been completed on the device for this action to be possible?

25

An employee receives an email that appears to be from the company's HR department, requesting that they click a link to verify their login credentials for a new payroll system. The link leads to a fraudulent website that captures the employee's username and password. Which type of social engineering attack is this?

26

A company has a data retention policy that requires all security logs to be retained for 90 days. A security incident occurred 60 days ago, but when the incident response team tries to retrieve logs from that period, they find that the logs have been overwritten due to insufficient storage capacity. Which security principle has been most directly compromised?

27

An employee is walking into the office building holding a coffee and their phone. A person in a uniform, carrying a clipboard, approaches and says they are from the HVAC company and need to check the thermostat on the third floor. The employee holds the door open and lets them in. This is an example of which type of social engineering attack?

28

A security analyst is reviewing logs after a malware infection on a user's workstation. The logs show that the malware attempted to contact multiple external IP addresses on port 445 (SMB) and also made several attempts to write to files with extensions like .docx, .xlsx, .pdf. The antivirus prevented the malware from executing but the analyst wants to contain the threat. According to incident response best practices, what should the analyst do FIRST?

29

A security analyst is reviewing logs from a user's workstation that show regular outbound connections to a known malicious IP address on port 443. Antivirus scans on the workstation report no threats. Which type of malware is most likely present?

30

A user receives an email from their bank stating that there has been suspicious activity on their account and they must click a link to verify their identity. The email address looks slightly off, and the user is suspicious. Which type of social engineering attack is this?

31

A security analyst suspects that a user's workstation is infected with a rootkit that has compromised the kernel. The workstation is still operational, and the analyst needs to capture forensic evidence. Which of the following actions should the analyst take FIRST to preserve the integrity of the evidence?

32

A company is decommissioning several old workstations that contain sensitive client data. The hard drives will be disposed of. The company's data security policy requires that data be rendered unrecoverable. Which of the following methods would BEST achieve this goal?

33

A user receives a text message on their company-issued smartphone. The message appears to be from the IT department and states that the user's email account will be deactivated unless they click a link to verify their credentials. The user clicks the link and enters their username and password. Which type of social engineering attack is this?

34

A security analyst notices that the CFO of the company received an email that appears to be from the company's external legal counsel. The email requests that the CFO click a link to review an urgent contract. The email address is spoofed to look similar to the real one. Which type of social engineering attack is this?

35

A security analyst suspects that a workstation is infected with a kernel-level rootkit. The workstation is currently running and the analyst needs to preserve evidence for forensic analysis. Which of the following actions should the analyst take FIRST?

36

A user has forgotten the BitLocker recovery key for their Windows 10 laptop and is unable to boot after a BIOS update. The laptop is protected by BitLocker Drive Encryption. The user stored the recovery key in a safe, but the safe is inaccessible during a disaster. What is the BEST first step for the technician to attempt?

37

A help desk technician receives a phone call from an individual who claims to be a representative from the company's primary software vendor. The caller states there is a critical security vulnerability in the software and requests the technician's administrative username and password to install an emergency patch immediately. The technician suspects social engineering. Which type of social engineering attack is being attempted?

38

A company uses a policy of least privilege. A user needs to install a software application that requires administrative privileges. The technician has verified the software is approved and safe. What is the BEST way to provide the necessary access?

39

A security analyst is investigating a compromised workstation that is suspected of having a kernel-level rootkit. The workstation is currently running and the analyst needs to preserve evidence for forensic analysis. Which of the following actions should the analyst take FIRST?

40

A user receives a phone call from an individual claiming to be a help desk technician. The caller says the user's computer is infected with a virus and asks the user to download remote access software so the caller can fix it. The user complies and grants access. Which type of social engineering attack is this?

41

A company's security policy mandates that all mobile devices be encrypted. A technician enables full-disk encryption on a user's company-issued Android smartphone. Later, the user reports that the phone now prompts for a password before booting and wants to remove this requirement without compromising security. What should the technician explain?

42

An employee holds the door for a person who claims to have forgotten their badge. The person does not present any identification but is allowed into the secure area. Later, it is discovered that the person was an unauthorized individual. Which type of social engineering attack occurred?

43

A user finds a USB drive labeled 'Employee Bonus Info' in the parking lot and plugs it into their workstation to view the contents. The workstation is immediately infected with malware that encrypts files and displays a ransom note. Which type of social engineering attack was this?

44

A user receives an email that appears to be from the company's Human Resources department. The email states that the user must click a link and log in to view an updated benefits package. The link leads to a website that closely resembles the company's internal portal but is actually a fake page. When the user enters their credentials, the information is captured by an attacker. Which type of social engineering attack is this?

45

A user receives an email from an unknown sender with an attachment labeled 'Invoice_2024.zip'. The user opens the attachment, which contains an executable file. The user runs the executable, and the workstation starts encrypting files. Which type of social engineering attack is this?

46

A technician detects that an attacker has gained unauthorized access to a file server using a stolen user account. The technician can see active connections from the attacker in the server logs. According to incident response best practices, which action should the technician take FIRST?

47

A user receives an email that appears to be from their bank, warning of a security breach and asking them to click a link to verify their account. The link directs to a website that looks identical to the bank's login page but is a fraudulent site. The user enters their credentials, which are then stolen. Which type of social engineering attack is this?

48

A security analyst discovers that an attacker has exploited a vulnerability to gain remote access to a file server. The analyst has identified active shell connections from the attacker's IP address. The server contains critical business data that cannot be lost, and there is a verified backup from the previous night. According to incident response best practices, what should the analyst do FIRST?

49

A user receives a text message on their company-issued smartphone that appears to be from the IT department. The message states that the user's email account will be suspended unless they click a link and enter their credentials to verify the account. The user clicks the link, enters their username and password, and later discovers that their account has been compromised. Which type of social engineering attack is this?

50

A technician is configuring a new Windows 10 Pro workstation that is not part of a domain. The company's security policy requires that user passwords must be at least 8 characters and expire every 90 days. Which built-in tool should the technician use to enforce these requirements on this local workstation?

51

A user reports that their workstation is displaying pop-up messages claiming to be from a federal law enforcement agency, stating that the computer has been locked due to illegal activity and demanding payment of a fine. The user cannot close the pop-up or access any programs. Which type of malware is this?

52

A user receives a phone call from someone claiming to be from the IT help desk. The caller states that they are conducting a security audit and need the user's domain password to verify the account. The caller sounds professional and uses the user's name and department. The user provides the password. Later, the user's account is used to access sensitive data. Which type of social engineering attack occurred?

53

A user receives a phone call from someone claiming to be from the IT help desk. The caller asks for the user's domain password to perform a security audit. The user provides the password. Later, the user's account is used to access sensitive data. Which type of social engineering attack occurred?

54

A technician discovers an unknown user account with administrative privileges on a Windows 10 workstation during a routine security audit. The account was created two days ago, but no one in the IT department authorized its creation. According to incident response best practices, what should the technician do FIRST?

55

A user receives an email with an attachment named 'Invoice_2024.pdf.exe'. When the user opens the attachment, it downloads and installs additional malicious software on the system without the user's knowledge. Which type of malware is this?

56

A user notices an unknown person following closely behind them through a secured door that requires a badge. The person does not badge in but gains entry. Which type of social engineering attack is this?

57

A user reports that their Windows 10 workstation is displaying a full-screen message claiming to be from the Federal Bureau of Investigation (FBI), stating that the computer has been locked due to illegal activity and demanding a $500 fine paid via cryptocurrency. The user cannot close the message or access any programs. Which type of malware is this?

58

A technician finds a USB flash drive in the company parking lot with a label reading '2025 Bonus Information'. The technician plugs the drive into a workstation to view the contents. Immediately, the workstation begins to behave erratically, and security software alerts to a malware infection. Which type of social engineering attack does this describe?

59

A security administrator is tasked with implementing application whitelisting on a fleet of Windows 10 Pro workstations that are not joined to a domain. The goal is to allow only approved applications to run and block all others. The administrator needs a solution that is built into Windows 10 Pro and can be configured locally. Which feature should the administrator use?

60

A user reports receiving an email that appears to be from the company's HR department, asking employees to click a link to verify their login credentials for a new benefits portal. The email contains the company logo and the user's full name. The user clicked the link and entered their username and password. Which type of social engineering attack has occurred?

61

A technician discovers that a user's workstation is infected with ransomware. Following the incident response plan, the technician isolates the system from the network. What should the technician do NEXT?

62

A user reports that their Windows 10 workstation has been displaying a warning message stating that all files have been encrypted by the IT department due to a security breach. The message instructs the user to call a premium-rate phone number to receive the decryption key. The user reports that they cannot open any documents, and file extensions have been changed to .encrypted. Which type of malware is this?

63

A user reports receiving a phone call from someone claiming to be from the IT department. The caller asks the user to install a remote access tool to help fix a network issue. The user complies. Later, the technician discovers that the remote access tool was used to install malware. Which type of social engineering attack is this?

64

A security administrator needs to securely erase data from an SSD before repurposing it in another department. The company policy requires that data be completely unrecoverable. Which method should the administrator use?

65

A user receives a text message on their company-issued smartphone claiming they won a gift card and must click a link to claim it. The link leads to a fake login page that harvests credentials. Which type of social engineering attack is this?

66

A user reports receiving multiple emails that appear to be from a colleague asking the user to wire money urgently for a business deal. The emails have slight spelling errors, and the sender's email address is subtly different from the colleague's real address. Which type of social engineering attack is this?

67

A security administrator notices that multiple user workstations are infected with the same strain of ransomware. The administrator isolates the infected systems from the network. Which of the following should the administrator do NEXT according to incident response procedures?

68

A company policy requires that all company-issued smartphones can be remotely wiped in case of loss or theft. Which of the following should a technician enable on the devices to meet this requirement?

69

A user reports that their workstation is displaying a pop-up message claiming to be from 'Microsoft Support' stating that the computer is infected and to call a toll-free number. The user called the number and allowed remote access, after which the computer began acting erratically. The technician has run an antivirus scan which removed some PUPs but the issue persists. Which additional step should the technician take to secure the system?

70

A security incident has occurred. A malware infection was detected on a server that stores encrypted customer PII. The server was immediately isolated from the network. According to the incident response plan, which step should the technician take NEXT after preserving evidence?

71

A user reports receiving a phone call from someone claiming to be from the company's help desk. The caller stated that there was a critical security issue and asked the user to provide their domain password to perform an emergency reset. The user complied. Which type of social engineering attack is this?

72

A user receives an email that appears to come from the company's CEO, asking the user to purchase several gift cards for a client appreciation event and to reply with the activation codes. The email address is similar to the CEO's but has an extra character. Which type of social engineering attack is this?

73

A security technician observes that a user's workstation is making numerous outbound connections to a known malicious IP address. The technician confirms the system is infected with a trojan. According to the incident response process, after isolating the system from the network, what should the technician do NEXT?

74

A user reports that they received a phishing email and clicked a link that downloaded a file. The user ran the file and now the computer is sluggish and displaying pop-up ads. The technician has already disconnected the network cable from the workstation. According to the incident response procedure, what should the technician do NEXT after containing the incident?

75

A technician receives a phone call from someone who claims to be from the company's IT security team. The caller states that there is an urgent audit and asks the technician to provide their domain password to verify their identity. The technician provides the password. Which type of social engineering attack is this?

76

A security technician confirms that a user's workstation is infected with malware that is making outbound connections to a known command-and-control server. The technician has already isolated the workstation from the network. According to standard incident response procedures, what should the technician do NEXT?

77

A technician receives an email that appears to come from the company's HR department, stating that all employees must update their direct deposit information immediately by clicking a link and authenticating with their corporate credentials. The sender's email address is 'hr@cornpany.com' (note the 'rn' instead of 'm'). The technician suspects a phishing attack. What should the technician do FIRST?

78

A technician discovers that a user's workstation is infected with a Trojan that is logging keystrokes and capturing login credentials. The technician has already disconnected the computer from the network. According to standard incident response procedures, what should the technician do NEXT?

79

A technician receives an email at work that appears to come from the company's payroll department. The email states that the recipient must verify their direct deposit information by clicking a link and logging in with their corporate credentials. The technician notices the sender's email address is 'payroll@cornpany.com' instead of 'payroll@company.com'. What is the BEST first action for the technician to take?

80

A user receives an email that appears to be from the company's payroll department. The email states that all employees must click a link and log in with their corporate credentials to verify their direct deposit information. The technician notices the sender's email address is 'payroll@cornpany.com' (with 'rn' instead of 'm'). Which type of social engineering attack is this?

81

A security analyst confirms that a user's workstation is infected with a rootkit that is actively hiding malicious processes and network connections. The analyst has already isolated the system by disconnecting it from the network and has created a forensic image of the hard drive for evidence. According to industry best practices for incident response, what should the analyst do NEXT?

82

A help desk technician receives a call from a user who says their computer is acting strangely. The user reports that they received a pop-up message from 'Windows Security' stating that their computer is infected and to call a number for support. The user called the number and gave the 'technician' remote access. Now the computer is asking for a payment to unlock files. Which type of social engineering attack is this, and what is the BEST immediate action for the technician to take?

83

A user reports that they are unable to access a shared folder on the network. The technician verifies that the user's account has been locked out due to multiple failed login attempts. The technician unlocks the account and advises the user to change their password. The user changes the password successfully. Which of the following additional steps should the technician take to prevent future lockouts?

84

A user receives an email that appears to be from the company's CEO, requesting that the user purchase several gift cards for a client and reply with the codes. The email address is 'ceo@cornpany.com' (note the 'rn') instead of the legitimate 'ceo@company.com'. The user follows the request and sends the gift card codes. Which type of social engineering attack has occurred?

85

A security analyst is investigating a workstation that is suspected of being compromised. The analyst has disconnected the network cable and created a forensic image of the hard drive using a write-blocker. Which of the following should the analyst do NEXT to preserve evidence integrity?

86

A user reports receiving several emails from an external vendor with malicious attachments. The technician has already removed the offending emails from the user's mailbox and performed a full antivirus scan on the workstation with no detections. Which of the following should the technician do NEXT to prevent future incidents of this nature?

87

A user receives a text message on their company-issued smartphone. The message appears to be from the IT department and states that the user's email password will expire in 24 hours and they must click a link to renew it. The link leads to a website that looks identical to the company's login page. The user is suspicious and reports it. Which type of social engineering attack is this?

88

A user receives an email that appears to be from the company's HR department, asking the user to click a link and enter their login credentials to view a new benefits document. The technician notices the sender's domain is 'hr@cornpany.com' (with 'rn' instead of 'm'). The user did not click the link. According to best practices, what should the technician do FIRST?

89

A user reports that their computer is running very slowly and a security pop-up claims the system is infected. The technician runs an antivirus scan which detects a Trojan. The technician quarantines the Trojan. What is the NEXT step in the malware removal process?

90

A user reports that their email account is sending spam to contacts. The technician identifies that the user's credentials were phished. What is the FIRST step the technician should take?

91

A user reports receiving an email that appears to be from their bank asking them to verify their account by clicking a link. The user did not click the link. The technician investigates and confirms the email is a phishing attempt. According to incident response best practices, what should the technician do FIRST?

92

A user receives a text message on their company-issued smartphone that appears to be from the CEO, asking the user to purchase gift cards and reply with the codes. The user notices the number is not the CEO's known number and reports it. Which type of social engineering attack is this?

93

A user receives a phone call from someone claiming to be from the company's IT support desk. The caller states there is a critical security issue with the user's account and requests the user's login credentials and a verification code sent to their phone. The user provides the information. Which type of social engineering attack has occurred?

94

A user receives an email that appears to be from a regular vendor, containing an invoice attachment. The user opens the attachment, but nothing seems to happen. The user reports the incident to the help desk. The technician confirms the email is a phishing attempt and that the attachment likely contained malware. No immediate signs of infection are visible. According to incident response best practices, what should the technician do FIRST?

95

A security analyst is investigating a potential data breach. The analyst has identified that an employee's workstation was infected with a keylogger that captured credentials. The analyst has already isolated the workstation from the network and created a forensic image. The analyst needs to determine exactly what data was exfiltrated. Which of the following is the BEST next step?

96

A user receives a phone call from someone claiming to be from the company's IT help desk. The caller states that the user's account has been compromised and they need the user to install a remote desktop application to perform emergency repairs. The user complies and grants the caller access. Which type of social engineering attack has occurred?

97

A company policy requires that all laptops be encrypted to protect data in case of theft. A technician enables BitLocker Drive Encryption on a Windows 10 Pro laptop equipped with a TPM 2.0 chip. After encryption completes, which of the following is the MOST secure method to protect the BitLocker recovery key?

98

A user reports that they received a phone call from someone claiming to be from the company's IT help desk. The caller stated there was a security issue and requested the user's login credentials and a multi-factor authentication (MFA) code. The user provided the information. Which of the following should the technician do FIRST as part of the incident response?

99

A company has a policy requiring that all employees use multi-factor authentication (MFA) when accessing the corporate VPN. An employee is setting up MFA on their smartphone and is presented with several options. Which of the following MFA methods provides the HIGHEST level of security?

100

A workstation in a corporate environment has been infected with ransomware. The user reports that files are being encrypted and a ransom note is displayed. The technician arrives at the workstation. Which of the following is the FIRST action the technician should take to minimize further damage?

101

A technician sees a person wearing a visitor badge wandering alone in a secure server room. According to security best practices, which of the following should the technician do first?

102

A user reports receiving an email that appears to be from a well-known shipping company. The email states that a package delivery could not be completed and asks the user to click a link to reschedule. The user clicks the link, which opens a webpage that looks like the shipping company's login page, and enters their email address and password. Which type of social engineering attack has occurred?

103

A technician needs to enforce a strong password policy on a standalone Windows 10 Pro workstation. The policy must require passwords to be at least 12 characters long and include uppercase letters, lowercase letters, numbers, and special characters. Which built-in tool should the technician use?

104

A technician is cleaning a workstation that was infected with a rootkit. The technician has booted into a trusted recovery environment and run anti-malware scans. After removing the rootkit, the technician wants to ensure no remnants remain. Which of the following is the BEST next step?

105

An employee receives an email that appears to be from the company's CEO, asking the employee to urgently purchase gift cards for a client and reply with the redemption codes. The email address is slightly misspelled (e.g., ceo@cornpany.com instead of ceo@company.com). The employee complies. Which type of social engineering attack is this?

106

A user reports that their web browser frequently redirects to unwanted advertisement pages and pop-ups appear even when browsing trusted websites. The technician runs antivirus and anti-malware scans, removing several potentially unwanted programs (PUPs). After a reboot, the redirects continue. Which of the following should the technician check NEXT?

107

A user receives a phone call from someone claiming to be from the company's IT help desk. The caller states there is a security breach and asks the user to confirm their login password and read back a multi-factor authentication code from their phone. The user complies. Which type of social engineering attack has occurred?

108

A technician is walking through the office and sees a person without a visible ID badge following closely behind an employee who just swiped their badge to enter a secured area. The person does not have a badge and is not recognized by the employee. Which type of social engineering attack is likely occurring?

109

A technician is decommissioning a server that contained customer financial records. The server's hard drives will be recycled. Which of the following is the MOST secure method to ensure data is unrecoverable?

110

A company enforces BitLocker full disk encryption on all laptops. A user forgets their BitLocker password and is unable to provide the recovery key. The laptop is domain-joined and the user has administrative credentials. Which of the following is the BEST action for the technician to take to regain access to the data?

111

A user calls the help desk, very agitated, stating that a full-screen popup on their workstation says 'SYSTEM LOCKED' and demands $500 in Bitcoin to unlock. The user cannot perform any other actions because the popup covers the screen. The technician remotely views the screen and confirms it is a ransomware warning. The technician has already instructed the user to disconnect the network cable. According to best practices, what should the technician do NEXT?

112

A user receives an email that appears to be from the company's IT department, stating that their email password will expire in 24 hours and asking them to click a link to renew it. The link goes to a page that looks exactly like the company's login portal, but the URL is slightly different. The user enters their credentials and submits. Later, the user receives another email from their bank asking to confirm a large transaction. Which TWO types of attacks have occurred in this scenario? (Choose two.)

113

A user receives a phone call from someone claiming to be from the company's help desk. The caller states that the user's computer has been sending suspicious network traffic and that the user must immediately install remote access software to allow the technician to fix it. The user complies. Which type of social engineering attack is this?

114

A technician receives an unexpected email from the company's Human Resources department with an attachment named 'Employee_Salary_Review.xlsx'. The technician did not request this information and was not expecting any HR communications. According to security best practices, which of the following is the MOST appropriate action for the technician to take?

115

A user receives an email that appears to be from the company's IT department, stating that their email password will expire in 24 hours and asking them to click a link to renew it. The link goes to a page that looks exactly like the company's login portal, but the URL is slightly different. The user enters their credentials. Which type of social engineering attack has occurred?

116

A user receives an email that appears to be from the company's CEO. The email states that the CEO is in a meeting and urgently needs the user to purchase several gift cards and email the redemption codes to the CEO. The email address is slightly different from the CEO's actual email address (e.g., ceo@cornpany.com instead of ceo@company.com). The user suspects this is a social engineering attack. Which type of social engineering attack is this?

117

A user reports that a legitimate business application is being blocked by Windows Security (Windows Defender). The technician needs to add an exception for the application's executable file. Which section in Windows Security should the technician navigate to?

118

A user receives an unsolicited phone call from a person claiming to be from a software vendor. The caller says the user's computer is infected and requests remote access to fix it. The user provides remote access. Which type of social engineering attack is this?

119

A technician suspects that a malware infection on a Windows 10 workstation is communicating with a remote command-and-control server. The technician needs to identify which process is making outbound connections. Which built-in Windows tool is best suited for this task?

120

A technician is entering a secured server room using their badge. They notice an unfamiliar person slip in behind them before the door closes, without using any credentials. The person is wearing a lanyard with a generic company logo but no visible photo ID. Which of the following actions should the technician take FIRST?

121

A user reports that while working on a spreadsheet, the Windows 10 workstation suddenly displays a User Account Control (UAC) prompt requesting permission for an application named 'svch0st.exe' to make changes. The user did not launch any application. Which of the following is the MOST likely scenario?

122

A user receives an email from an unknown external sender with an attachment named 'Invoice_0934.pdf'. The user is not expecting any invoices. The user reports this to the help desk technician. According to security best practices, what should the technician instruct the user to do?

123

A user receives a phone call from someone claiming to be from the IT security team. The caller states that the user's account has been compromised and asks the user to verify their password to confirm identity. The user provides the password. Which type of social engineering attack is this?

124

A user receives an email that appears to come from the company's payroll department. The email states that the user's salary has been updated and includes an attachment named 'Salary_Review_Q1.xlsx'. The user was not expecting this email and notices that the sender's email address is 'payroll@cornpany.com' instead of 'payroll@company.com'. The email content addresses the user by their full name and references the user's correct job title. Which type of social engineering attack is this?

125

A remote user's Windows 10 laptop is encrypted with BitLocker and joined to Azure Active Directory (Azure AD). The laptop fails to boot and displays the BitLocker recovery screen, asking for the recovery key. The user does not have the recovery key and is not available to check email. The technician has access to the Azure AD portal with Global Administrator privileges. Which of the following is the MOST appropriate method to retrieve the BitLocker recovery key?

126

A technician is removing malware from a Windows 10 workstation. After isolating the system from the network, what is the next recommended step in the malware removal process?

127

An employee receives a phone call from someone claiming to be from the IT department. The caller states there has been a security breach and asks the employee to provide their domain password to verify the account. What type of social engineering attack is this?

128

Which of the following passwords is considered the strongest according to standard security best practices?

129

Which of the following scenarios best describes a tailgating attack?

130

Which encryption standard is used by BitLocker To Go to protect data on removable drives such as USB flash drives?

131

A security analyst detects that an attacker is attempting to gain unauthorized access to a system by systematically trying every possible password for a user account. Which type of attack is this?

132

A company wants to ensure that sensitive data on laptops is protected in case the laptop is lost or stolen. Which technology provides full-disk encryption for Windows 10?

133

An HR manager receives an email that appears to be from the CEO requesting that all employee W-2 forms be emailed directly to the sender. The email address is ce0@company.com (using a zero instead of the letter 'o'). Which type of social engineering attack is this?

134

A security audit reveals that an employee's laptop is infected with a rootkit that has been logging keystrokes for the past month. According to standard malware removal best practices, what should the technician do FIRST?

135

An organization requires full disk encryption on all laptops. One laptop does not have a TPM chip installed. Which method can still be used to encrypt the entire hard drive on Windows 10 Pro?

136

A user receives a phone call from someone claiming to be from the company's IT help desk. The caller says they are performing a security audit and need the user's login credentials to verify their account access. Which type of social engineering attack is this?

137

A company wants to prevent unauthorized personnel from entering a secured server room. Which of the following physical security controls is the MOST effective at preventing unauthorized access?

138

A user reports that their Windows 10 computer shows a ransomware message demanding payment to decrypt files. According to standard incident response procedures, what should the technician do FIRST?

139

An organization requires that all laptops have full-disk encryption to protect data in case of theft. Which Windows 10 feature should be used to meet this requirement?

140

A technician is configuring Windows Defender Firewall on a Windows 10 workstation. The technician needs to allow inbound Remote Desktop (RDP) connections only from a specific IP address, 192.168.1.100. All other inbound connections should be blocked. How should the technician configure the rules?

141

A company's security policy requires that data on all decommissioned hard drives be completely destroyed to prevent any possibility of future data recovery. Which method is the MOST secure for destroying data on magnetic hard drives?

142

A technician needs to ensure that a laptop's data is protected in case the laptop is stolen. The laptop has a TPM 2.0 chip and runs Windows 10 Pro. Which Windows feature should be configured to provide full-disk encryption?

143

A user receives a text message claiming to be from their bank, asking them to click a link to verify their account due to suspicious activity. Which type of social engineering attack is this?

144

A company policy requires that all laptops be configured to lock and require a password after 15 minutes of inactivity. Which Windows feature should the technician configure to enforce this policy?

145

A technician receives an email that appears to be from the company's Chief Financial Officer (CFO), requesting an urgent wire transfer to a new vendor. The email includes the CFO's correct name and signature, but the reply-to address is different. Which type of social engineering attack best describes this scenario?

146

A technician receives an email that appears to be from the company's CEO. The email asks for the social security numbers of all employees, claiming it is needed for a compliance audit. The recipient knows the CEO is currently on vacation. Which type of social engineering attack is this?

147

An employee receives a phone call from someone claiming to be a vendor's technical support representative. The caller says they need the employee's domain administrator password to 'apply a critical security patch'. The employee recognizes the vendor's name but is suspicious. Which type of social engineering attack is this?

148

A user reports that a former employee's account can still access the company's cloud storage. Which security practice has been violated?

149

A company's security policy requires that all data stored in the cloud be encrypted before upload to ensure the cloud provider cannot read it. Which encryption method satisfies this requirement?

150

A user receives an email with an attachment titled 'Invoice_4352.zip'. The sender's email address is 'support@amaz0n-billing.com', but the user recognizes this is not the legitimate Amazon domain. The email urges the user to open the attachment to view the invoice. Which type of social engineering attack does this describe?

151

A company wants to protect the data on its fleet of laptops. The security policy requires that if a laptop is stolen, the data on the internal hard drive must be unreadable even if the drive is removed and placed into another computer. Which technology, available on Windows 10 Pro, meets this requirement?

152

An annual security audit reveals that multiple user accounts belonging to former employees who left the company over a year ago are still active. This oversight could allow unauthorized access. Which process failure is most directly responsible for this security risk?

153

A security auditor finds that a user's workstation has a scheduled task that runs a PowerShell script every hour. The script connects to an external IP address and downloads a file. The user claims no knowledge of the task. Which of the following is the most likely cause?

154

A user receives an email that appears to be from the IT department asking them to verify their account by clicking a link and entering their password. The email has a sense of urgency, stating the account will be disabled within 24 hours. Which type of social engineering attack is this?

155

A user reports that they received a pop-up warning that their computer is infected with a virus and to call a number for assistance. The pop-up will not close. Which type of malware is this?

156

A security auditor discovers that a user's workstation has a scheduled task that runs a PowerShell script every hour connecting to an external IP and downloading a file. The user denies knowledge. Which is the most likely cause?

157

A company policy requires that all data on laptops be encrypted so that if a laptop is stolen, the data cannot be read even if the hard drive is removed. Which Windows 10 feature provides this?

158

A user receives a phone call from an individual claiming to be from the company's IT help desk. The caller states that there is a critical security update and asks the user for their login credentials to apply the update. Which type of social engineering attack is this?

159

A security administrator needs to enforce a policy that prevents users from running unauthorized applications on their Windows 10 workstations. Which of the following is the most effective method?

160

A company implements a policy requiring employees to use a smart card and a PIN to log into their workstations. This security measure is an example of which of the following?

161

A security audit reveals that several workstations have unauthorized applications installed. The users claim they did not install the software. Which security control would have been MOST effective in preventing this situation?

162

A security administrator notices that several employees have plugged in USB drives they received in the mail into their work computers, resulting in malware infections. The USB drives were labeled "Employee Bonus Information." What type of social engineering attack does this describe?

163

A company wants to prevent unauthorized individuals from entering the server room by following closely behind an authorized employee. Which of the following physical security controls would be MOST effective at preventing this type of breach?

164

A user receives an email that appears to be from a known vendor, requesting payment for an invoice. The email includes a Microsoft Word document attachment. When the user opens the document, a macro runs and installs a backdoor on the system. Which type of malware is this?

165

A company security policy prohibits users from connecting unauthorized USB storage devices to their workstations. Which Group Policy setting should the administrator configure to enforce this policy?

166

The company firewall logs show repeated connection attempts from a single external IP address to TCP port 3389 on several internal workstations over the past hour. The workstations all have Remote Desktop enabled for administrative purposes. Which of the following is the MOST effective immediate action to mitigate this threat?

167

A company's security policy requires that all laptops have full-disk encryption. A technician has enabled BitLocker on a Windows 10 laptop. To ensure the recovery key is accessible if the user forgets their PIN, which action should the technician take?

168

A security audit reveals that several employees have been using weak passwords that can be easily guessed. The company wants to enforce stronger password policies on all Windows 10 domain-joined computers. Which tool should the administrator use to configure and enforce password complexity requirements?

169

A user receives a phone call from someone claiming to be from the IT department. The caller asks the user to provide their login credentials so a security update can be applied immediately. The user complies. Which type of social engineering attack has occurred?

170

A company has a policy that requires all workstations to have antivirus software installed and keep it up to date. A technician finds that several computers have disabled their antivirus services. Which security control would have MOST effectively prevented users from disabling the antivirus?

171

A security administrator wants to prevent users from running unauthorized portable applications (e.g., a portable web browser on a USB drive) on their Windows 10 workstations. Which security policy implementation would be MOST effective?

172

A user receives an email that appears to be from their bank, asking them to verify their account by clicking a link that leads to a fake login page. The user enters their credentials, which are then stolen. What type of attack is this?

173

A company's security policy requires that all data on laptops be encrypted. A technician has enabled BitLocker on a laptop and saved the recovery key to the user's Microsoft account. After a motherboard failure, the laptop is replaced and the technician tries to access the old drive via a USB enclosure. The recovery key is not available because the user's Microsoft account was deleted. What could have been done to prevent this situation?

174

A user receives a phone call from someone claiming to be from the company's help desk, stating that their account has been compromised and they need to reset their password immediately. The caller asks for the user's current password to verify their identity. Which type of social engineering attack is this?

175

A security auditor reports that several company laptops are missing critical security patches. The laptops are not connected to the corporate network for long periods. Which technology should the administrator use to ensure these laptops receive updates even when offline?

176

A company's security policy requires that all mobile devices be encrypted and capable of being wiped remotely if lost or stolen. Which mobile management solution should the organization implement?

177

A user receives an email that appears to be from the company's CEO, requesting an urgent wire transfer. The email address is slightly different from the CEO's actual address. Which type of social engineering attack is this?

178

A security audit reveals that many user passwords are being cracked using offline brute-force attacks. The current password policy requires a minimum of 8 characters with uppercase, lowercase, and numbers. Which configuration change would MOST significantly increase resistance to brute-force password cracking?

179

After reinstalling Windows 10, a user reports that they cannot open several files that were previously accessible. The files are stored on the local drive and appear with a yellow lock icon. What is the most likely cause?

180

A user receives an email that appears to be from their bank, asking them to click a link and verify their account information due to suspicious activity. The email address is slightly misspelled (e.g., 'support@bankk.com' instead of 'support@bank.com'). Which type of social engineering attack is this?

181

A user receives a phone call from someone claiming to be from the IT help desk. The caller says there is a security problem with the user's account and asks the user to provide their password to resolve the issue. Which type of social engineering attack does this describe?

182

A company's security policy requires that all laptops used by field employees have the entire operating system drive encrypted to protect data in case of theft. Which Windows feature should be enabled to meet this requirement?

183

A user calls the help desk stating that a pop-up message has appeared claiming all files on the computer have been encrypted and that a payment is required to unlock them. The user admits to opening an email attachment from an unknown sender earlier. What is the FIRST action the technician should take?

184

A company's security policy requires that all laptop hard drives be encrypted to protect data in case of theft. Which Windows 10 feature should a technician enable to meet this requirement?

185

A company's password policy requires a minimum length of 14 characters with complexity (uppercase, lowercase, numbers, and special characters). Users find these passwords difficult to remember and frequently reset them. Which alternative approach would BEST enhance security while reducing the user burden?

186

A user receives a phone call from an individual claiming to be a member of the company's IT support team. The caller states that the user's email account has been compromised and requests the user's password to 'verify the account.' Which type of social engineering attack does this describe?

187

A company's multifactor authentication policy requires two different factors. Which of the following combinations satisfies this requirement?

188

A company's security audit reveals that several employees are using weak passwords that can be easily guessed. The current password policy requires a minimum of 8 characters but does not enforce complexity. Which change to the password policy would be MOST effective in increasing security against brute-force attacks?

189

A company's current password policy requires a minimum of 14 characters with complexity (uppercase, lowercase, numbers, and special characters). Users frequently forget these complex passwords and submit help desk reset requests. Which alternative approach would BEST enhance security while reducing the burden on users?

190

A company wants to allow employees to securely access internal resources from home via the internet. Which method provides the highest level of security for remote desktop connections?

191

A security administrator is evaluating authentication methods. Which of the following is NOT an example of multifactor authentication?

192

A user receives an email that appears to be from the company's HR department asking the user to click a link and enter their login credentials to view an updated benefits statement. The user suspects this is a phishing attempt. Which characteristic of the email most strongly indicates a phishing attack?

193

A company's security policy requires all employees to use multi-factor authentication (MFA) when accessing the corporate VPN. An employee uses a smart card (something you have) and a PIN (something you know). Which of the following is true about this MFA implementation?

194

A technician suspects a computer is infected with ransomware that has encrypted files and displays a ransom note. Which step should the technician take FIRST according to best practices for malware removal?

195

A user is able to access a shared folder containing financial reports that are not required for their job role. Which security principle is being violated?

196

A company's security policy requires that no unauthorized removable storage devices be connected to company workstations. Which method should be used to enforce this policy on all Windows 10 computers?

197

A user's Windows 10 computer prompts for a BitLocker recovery key after a firmware update. The user does not remember the recovery key. The user's Microsoft account is linked to the device. What is the best action for the technician to take?

198

A company's password policy requires complex passwords changed every 30 days. Users frequently write their passwords on sticky notes. Which security enhancement would BEST reduce the risk of password compromise?

199

A technician receives a phone call from someone claiming to be from the company's help desk. The caller states there is a problem with the technician's account and asks for the technician's username and password to 'run a test'. Which type of social engineering attack is this?

200

A company's security policy requires that all laptops with sensitive data use full disk encryption. Which technology is built into Windows 10 Pro to meet this requirement?

201

A user reports that they cannot access a shared folder. The user is a member of the 'Sales' group. The NTFS permissions allow 'Sales' group 'Read', and the share permissions allow 'Everyone' 'Full Control'. What is the user's effective access?

202

A user receives a phone call from someone claiming to be from the IT department. The caller says there is a security breach and asks the user to provide their username and password immediately. Which type of social engineering attack is this?

203

A company's security policy requires that all USB storage devices be automatically blocked from being used on Windows 10 workstations. Which tool should an administrator use to enforce this setting across multiple computers?

204

A user reports that their computer displays a pop-up claiming their files are encrypted and demanding payment in Bitcoin to decrypt them. The user did not click on any suspicious links. The technician suspects ransomware. What is the FIRST step the technician should take?

205

A company implements a policy requiring employees to use smart cards for authentication. Which security principle does this primarily address?

206

A company's security policy mandates that all workstations must have full disk encryption. Which Windows feature provides full disk encryption?

207

A company wants to ensure that users must provide two different types of authentication factors when accessing sensitive data. Which term describes this requirement?

208

A security audit reveals that an employee's workstation has software installed that was not approved. The employee claims they downloaded it from the internet. Which principle of least privilege or security policy should prevent unauthorized software installation?

209

A user reports receiving multiple phishing emails that appear to come from the company's CEO. The emails ask the user to wire money to an account for a business acquisition. Which type of social engineering attack is this?

210

An employee is working at their desk when a person wearing a visitor badge and carrying boxes asks the employee to hold the door open so they can enter the secured office area. The employee complies. Which type of security breach has occurred?

211

A company's IT policy mandates that all employee smartphones used for work must be capable of being completely erased if the device is lost or stolen. The company uses a Mobile Device Management (MDM) solution. Which MDM feature should the administrator use to satisfy this requirement?

212

A user cannot log into their Windows 10 computer because they forgot their password. The computer is not part of a domain. Which method allows the technician to regain access without reinstalling the operating system?

213

A company requires employees to present both a smart card and a PIN to log into their workstations. Which authentication principle is being implemented?

214

A security audit reveals that multiple workstations have unauthorized software installed despite a policy allowing only approved software. Users have local administrative rights. Which security control would best prevent this in the future?

215

A company security policy requires that all laptops have full-disk encryption. A technician is configuring a laptop that has a TPM chip enabled. Which Windows feature should the technician use to meet this requirement?

216

A user receives an email that appears to be from the company's IT department, requesting that the user click a link to verify their account password due to a security breach. The user notices the email address is from "it-support@company-update.com". Which type of social engineering attack is this?

217

A security analyst discovers that a malicious actor has been exfiltrating data from a company's internal network by encoding the stolen data into DNS queries sent to an external domain. Which type of attack is this?

218

A company policy requires that all sensitive data stored on laptops must be encrypted. A technician enables BitLocker on a laptop, but after a reboot, the system prompts for a recovery key. The technician suspects the TPM is not being recognized. Which pre-operating system security feature should the technician check in the BIOS/UEFI?

219

A user receives an email claiming there is a suspicious login attempt on their account. The email asks the user to click a link immediately to verify their identity. The link leads to a website that looks identical to the company's login page but has a slightly different URL. Which type of social engineering attack is this?

220

A user reports that their workstation displays a message demanding payment in Bitcoin to unlock files. The technician boots the computer into Safe Mode with Networking, but the ransom message still appears. What should the technician do next?

221

A security audit reveals that sensitive customer data was emailed to a third-party vendor without encryption. The company policy mandates that all sensitive data must be encrypted at rest and in transit. Which security control should be implemented to prevent such incidents in the future?

222

A technician finds a USB flash drive in the company parking lot. Out of curiosity, the technician plugs it into a workstation. Immediately, a program runs automatically and installs malware. Which security configuration could have prevented the automatic execution of the malware?

223

A company policy requires that all printed documents containing sensitive customer data must be collected immediately from the printer. A technician observes that an employee printed a report containing customer Personally Identifiable Information (PII) and left it in the printer tray for over an hour. Which security principle has been violated?

224

During a security review, it is discovered that an employee's credentials were used to log into the company's webmail system from an unrecognized IP address. The employee insists they did not log in from that location. The help desk finds that the employee had recently clicked a link in an email that led to a fake login page. Which security control would have best mitigated the impact of this credential theft?

225

A technician is configuring a Windows 10 workstation for a remote worker who will handle sensitive data. The company requires device encryption. The technician enables BitLocker, but it fails, stating 'The system cannot find the file specified.' The technician verifies the TPM is enabled and initialized. What is the most likely cause?

226

A technician is securing a small office network. The technician wants to ensure that only authorized devices can connect to the wired network ports. Which security control should the technician implement?

227

A technician observes that an employee printed a report containing customer Personally Identifiable Information (PII) and left it in the printer tray for over an hour. Which security principle has been violated?

228

A security auditor discovers that an unauthorized individual gained access to a secure area by tailgating through a mantrap that requires two-factor authentication. The individual entered by closely following an authorized employee who scanned their badge and entered a PIN. Which additional security control would most effectively prevent this attack?

229

A security analyst reviews logs and discovers that a user's account was used to log into the corporate VPN from a foreign country at 3 AM, even though the user was at home in the US and claims they were asleep. Which security control is best designed to detect and alert on this type of anomalous activity?

230

A technician needs to protect a laptop's data so that it is unreadable if the laptop is stolen. The laptop has a TPM 2.0 chip. Which technology should the technician use to encrypt the entire operating system drive?

231

A user receives an email that appears to be from a well-known shipping company, asking them to download an invoice attachment. The attachment contains a macro-enabled Word document. What type of malware is most likely being delivered?

232

A company wants to prevent unauthorized devices from connecting to the wired network. The network switches support 802.1X. What additional component is required to implement 802.1X authentication?

233

A company's security policy requires that all laptops have full disk encryption. A technician is configuring BitLocker on a Windows 10 Pro laptop. The laptop does not have a TPM chip. Which additional step must the technician take to enable BitLocker?

234

A security auditor discovers that a Windows 10 workstation has the Guest account enabled and is a member of the Administrators group. Which security principle has been violated?

235

A technician is working on a reception PC and needs to respond to a possible MFA fatigue attack. Which two actions are appropriate? (Choose two.)

236

A technician is supporting a finance laptop. The immediate goal is to store unique complex passwords securely. Which tool, control, or procedure is the best fit?

237

A technician is supporting a field engineer tablet. The immediate goal is to grant users only the access needed for their job. Which tool, control, or procedure is the best fit?

238

A technician is supporting a shared training-room workstation. The immediate goal is to slow repeated password guessing. Which tool, control, or procedure is the best fit?

239

A technician is supporting a warehouse desktop. The immediate goal is to protect unattended workstations. Which tool, control, or procedure is the best fit?

240

A technician is supporting a remote worker laptop. The immediate goal is to handle suspicious email without clicking links. Which tool, control, or procedure is the best fit?

241

A technician is supporting a service-desk jump box. The immediate goal is to respond to browser hijacking or suspected infection. Which tool, control, or procedure is the best fit?

242

A technician is supporting a clinic workstation. The immediate goal is to unlock an encrypted Windows drive after a security-state change. Which tool, control, or procedure is the best fit?

243

A technician is working on a reception PC and needs to troubleshoot a certificate warning for an internal site. Which two actions are appropriate? (Choose two.)

244

A technician is supporting a field engineer tablet. The immediate goal is to respond to a possible MFA fatigue attack. Which tool, control, or procedure is the best fit?

245

A technician is supporting a shared training-room workstation. The immediate goal is to store unique complex passwords securely. Which tool, control, or procedure is the best fit?

246

A technician is supporting a warehouse desktop. The immediate goal is to grant users only the access needed for their job. Which tool, control, or procedure is the best fit?

247

A technician is supporting a remote worker laptop. The immediate goal is to slow repeated password guessing. Which tool, control, or procedure is the best fit?

Watch out for

Common Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Frequently asked questions

What does the Security domain cover on the 220-1102 exam?
Security questions test whether you can apply the concept in context, not just recognise a definition.
How many questions are in this domain?
This page lists all 247 Security questions in the 220-1102 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
What is the best way to practise this domain?
Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
Can I practise only Security questions?
Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.