CASP 5 – Flashcard
Unlock all answers in this set
Unlock answersquestion
A security company is developing a new cloud-based log analytics platform. Its purpose is to allow: Customers to upload their log files to the "big data" platform Customers to perform remote log search Customers to integrate into the platform using an API so that third party business intelligence tools can be used for the purpose of trending, insights, and/or discovery Which of the following are the BEST security considerations to protect data from one customer being disclosed to other customers? (Select THREE). A. Secure storage and transmission of API keys B. Secure protocols for transmission of log files and search results C. At least two years retention of log files in case of e-discovery requests D. Multi-tenancy with RBAC support E. Sanitizing filters to prevent upload of sensitive log file contents F. Encrypted storage of all customer log files
answer
A. Secure storage and transmission of API keys B. Secure protocols for transmission of log files and search results D. Multi-tenancy with RBAC support
question
A penetration tester is assessing a mobile banking application. Man-in-the-middle attempts via a HTTP intercepting proxy are failing with SSL errors. Which of the following controls has likely been implemented by the developers? A. SSL certificate revocation B. SSL certificate pinning C. Mobile device root-kit detection D. Extended Validation certificates
answer
B. SSL certificate pinning
question
During a software development project review, the cryptographic engineer advises the project manager that security can be greatly improved by significantly slowing down the runtime of a hashing algorithm and increasing the entropy by passing the input and salt back during each iteration. Which of the following BEST describes what the engineer is trying to achieve? A. Monoalphabetic cipher B. Confusion C. Root of trust D. Key stretching E. Diffusion
answer
D. Key stretching
question
The threat abatement program manager tasked the software engineer with identifying the fastest implementation of a hash function to protect passwords with the least number of collisions. Which of the following should the software engineer implement to best meet the requirements? A. hash = sha512(password + salt); for (k = 0; k < 4000; k++) { hash = sha512 (hash); } B. hash = md5(password + salt); for (k = 0; k < 5000; k++) { hash = md5 (hash); } C. hash = sha512(password + salt); for (k = 0; k < 3000; k++) { hash = sha512 (hash + password + salt);} D. hash1 = sha1(password + salt); hash = sha1 (hash1);
answer
C. hash = sha512(password + salt); for (k = 0; k < 3000; k++) { hash = sha512 (hash + password + salt);}
question
A security engineer at a bank has detected a Zeus variant, which relies on covert communication channels to receive new instructions and updates from the malware developers. As a result, NIPS and AV systems did not detect the configuration files received by staff in emails that appeared as normal files. Which of the following BEST describes the technique used by the malware developers? A. Perfect forward secrecy B. Stenography C. Diffusion D. Confusion E. Transport encryption
answer
B. Stenography
question
A security engineer wants to implement forward secrecy but still wants to ensure the number of requests handled by the web server is not drastically reduced due to the larger computational overheads. Browser compatibility is not a concern; however system performance is. Which of the following, when implemented, would BEST meet the engineer's requirements? A. DHE B. ECDHE C. AES128-SHA D. DH
answer
B. ECDHE
question
An IT administrator has been tasked by the Chief Executive Officer with implementing security using a single device based on the following requirements: 1. Selective sandboxing of suspicious code to determine malicious intent. 2. VoIP handling for SIP and H.323 connections. 3. Block potentially unwanted applications. Which of the following devices would BEST meet all of these requirements? A. UTM B. HIDS C. NIDS D. WAF E. HSM
answer
A. UTM
question
The Chief Executive Officer (CEO) has asked the IT administrator to protect the externally facing web server from SQL injection attacks and ensure the backend database server is monitored for unusual behavior while enforcing rules to terminate unusual behavior. Which of the following would BEST meet the CEO's requirements? A. WAF and DAM B. UTM and NIDS C. DAM and SIEM D. UTM and HSM E. WAF and SIEM
answer
A. WAF and DAM
question
The risk manager has requested a security solution that is centrally managed, can easily beupdated, and protects end users' workstations from both known and unknown malicious attacks when connected to either the office or home network. Which of the following would BEST meet this requirement? A. HIPS B. UTM C. Antivirus D. NIPS E. DLP
answer
A. HIPS
question
An IT administrator has been tasked with implementing an appliance-based web proxy server to control external content accessed by internal staff. Concerned with the threat of corporate data leakage via web-based email, the IT administrator wants to decrypt all outbound HTTPS sessions and pass the decrypted content to an ICAP server for inspection by the corporate DLP software. Which of the following is BEST at protecting the internal certificates used in the decryption process? A. NIPS B. HSM C. UTM D. HIDS E. WAF F. SIEM
answer
B. HSM
question
A security manager is concerned about performance and patch management, and, as a result, wants to implement a virtualization strategy to avoid potential future OS vulnerabilities in the host system. The IT manager wants a strategy that would provide the hypervisor with direct communications with the underlying physical hardware allowing the hardware resources to be paravirtualized and delivered to the guest machines. Which of the following recommendations from the server administrator BEST meets the IT and security managers' requirements? (Select TWO). A. Nested virtualized hypervisors B. Type 1 hypervisor C. Hosted hypervisor with a three layer software stack D. Type 2 hypervisor E. Bare metal hypervisor with a software stack of two layers
answer
B. Type 1 hypervisor E. Bare metal hypervisor with a software stack of two layers
question
Joe, a hacker, has discovered he can specifically craft a webpage that when viewed in a browser crashes the browser and then allows him to gain remote code execution in the context of the victim's privilege level. The browser crashes due to an exception error when a heap memory that is unused is accessed. Which of the following BEST describes the application issue? A. Integer overflow B. Click-jacking C. Race condition D. SQL injection E. Use after free F. Input validation
answer
E. Use after free
question
A large hospital has implemented BYOD to allow doctors and specialists the ability to access patient medical records on their tablets. The doctors and specialists access patient records over the hospital's guest WiFi network which is isolated from the internal network with appropriate security controls. The patient records management system can be accessed from the guest network and requires two factor authentication. Using a remote desktop type interface, the doctors and specialists can interact with the hospital's system. Cut and paste and printing functions are disabled to prevent the copying of data to BYOD devices. Which of the following are of MOST concern? (Select TWO). A. Privacy could be compromised as patient records can be viewed in uncontrolled areas. B. Device encryption has not been enabled and will result in a greater likelihood of data loss. C. The guest WiFi may be exploited allowing non-authorized individuals access to confidential patient data. D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes. E. Remote wiping of devices should be enabled to ensure any lost device is rendered inoperable.
answer
A. Privacy could be compromised as patient records can be viewed in uncontrolled areas. D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes.
question
A high-tech company dealing with sensitive data seized the mobile device of an employee suspected of leaking company secrets to a competitive organization. Which of the following is the BEST order for mobile phone evidence extraction? A. Device isolation, evidence intake, device identification, data processing, verification of data accuracy, documentation, reporting, presentation and archival. B. Evidence intake, device identification, preparation to identify the necessary tools, device isolation, data processing, verification of data accuracy, documentation, reporting, presentation and archival. C. Evidence log, device isolation ,device identification, preparation to identify the necessary tools, data processing, verification of data accuracy, presentation and archival. D. Device identification, evidence log, preparation to identify the necessary tools, data processing, verification of data accuracy, device isolation, documentation, reporting, presentation and archival.
answer
B. Evidence intake, device identification, preparation to identify the necessary tools, device isolation, data processing, verification of data accuracy, documentation, reporting, presentation and archival.
question
A company is in the process of implementing a new front end user interface for its customers, the goal is to provide them with more self service functionality. The application has been written by developers over the last six months and the project is currently in the test phase. Which of the following security activities should be implemented as part of the SDL in order to provide the MOST security coverage over the solution? (Select TWO). A. Perform unit testing of the binary code B. Perform code review over a sampling of the front end source code C. Perform black box penetration testing over the solution D. Perform grey box penetration testing over the solution E. Perform static code review over the front end source code
answer
D. Perform grey box penetration testing over the solution E. Perform static code review over the front end source code
question
A company is in the process of outsourcing its customer relationship management system to a cloud provider. It will host the entire organization's customer database. The database will be accessed by both the company's users and its customers. The procurement department has asked what security activities must be performed for the deal to proceed. Which of the following are the MOST appropriate security activities to be performed as part of due diligence? (Select TWO). A. Physical penetration test of the datacenter to ensure there are appropriate controls. B. Penetration testing of the solution to ensure that the customer data is well protected. C. Security clauses are implemented into the contract such as the right to audit. D. Review of the organizations security policies, procedures and relevant hosting certifications. E. Code review of the solution to ensure that there are no back doors located in the software.
answer
C. Security clauses are implemented into the contract such as the right to audit. D. Review of the organizations security policies, procedures and relevant hosting certifications.
question
A developer is determining the best way to improve security within the code being developed. The developer is focusing on input fields where customers enter their credit card details. Which of the following techniques, if implemented in the code, would be the MOST effective in protecting the fields from malformed input? A. Client side input validation B. Stored procedure C. Encrypting credit card details D. Regular expression matching
answer
D. Regular expression matching
question
The audit department at a company requires proof of exploitation when conducting internal network penetration tests. Which of the following provides the MOST conclusive proof of compromise without further compromising the integrity of the system? A. Provide a list of grabbed service banners. B. Modify a file on the system and include the path in the test's report. C. Take a packet capture of the test activity. D. Add a new test user account on the system.
answer
C. Take a packet capture of the test activity.
question
A security administrator was doing a packet capture and noticed a system communicating with an address within the 2001::/32 prefix. The network administrator confirms there is no IPv6 routing into or out of the network. Which of the following is the BEST course of action? A. Investigate the network traffic and block UDP port 3544 at the firewall B. Remove the system from the network and disable IPv6 at the router C. Locate and remove the unauthorized 6to4 relay from the network D. Disable the switch port and block the 2001::/32 traffic at the firewall
answer
A. Investigate the network traffic and block UDP port 3544 at the firewall
question
An organization is finalizing a contract with a managed security services provider (MSSP) that is responsible for primary support of all security technologies. Which of the following should the organization require as part of the contract to ensure the protection of the organization's technology? A. An operational level agreement B. An interconnection security agreement C. A non-disclosure agreement D. A service level agreement
answer
B. An interconnection security agreemen
question
An administrator is trying to categorize the security impact of a database server in the case of a security event. There are three databases on the server. Current Financial Data = High level of damage if data is disclosed. Moderate damage if the system goes offline Archived Financial Data = No need for the database to be online. Low damage for integrity loss Public Website Data = Low damage if the site goes down. Moderate damage if the data is corrupted Given these security categorizations of each database, which of the following is the aggregate security categorization of the database server? A. Database server = {(Confidentiality HIGH),(Integrity High),(Availability High)} B. Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Moderate)} C. Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Low)} D. Database server = {(Confidentiality Moderate),(Integrity Moderate),(Availability Moderate)}
answer
B. Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Moderate)}
question
Every year, the accounts payable employee, Ann, takes a week off work for a vacation. She typically completes her responsibilities remotely during this week. Which of the following policies, when implemented, would allow the company to audit this employee's work and potentially discover improprieties? A. Job rotation B. Mandatory vacations C. Least privilege D. Separation of duties
answer
A. Job rotation
question
A new web based application has been developed and deployed in production. A security engineer decides to use an HTTP interceptor for testing the application. Which of the following problems would MOST likely be uncovered by this tool? A. The tool could show that input validation was only enabled on the client side B. The tool could enumerate backend SQL database table and column names C. The tool could force HTTP methods such as DELETE that the server has denied D. The tool could fuzz the application to determine where memory leaks occur
answer
A. The tool could show that input validation was only enabled on the client side
question
A security consultant is investigating acts of corporate espionage within an organization. Each time the organization releases confidential information to high-ranking engineers, the information is soon leaked to competing companies. Which of the following techniques should the consultant use to discover the source of the information leaks? A. Digital watermarking B. Steganography C. Enforce non-disclosure agreements D. Digital rights management
answer
A. Digital watermarking
question
A security administrator is investigating the compromise of a SCADA network that is not physically connected to any other network. Which of the following is the MOST likely cause of the compromise? A. Outdated antivirus definitions B. Insecure wireless C. Infected USB device D. SQL injection
answer
C. Infected USB device
question
The Chief Information Security Officer (CISO) at a company knows that many users store business documents on public cloud-based storage; and realizes this is a risk to the company. In response, the CISO implements a mandatory training course in which all employees are instructed on the proper use of cloud-based storage. Which of the following risk strategies did the CISO implement? A. Avoid B. Accept C. Mitigate D. Transfer
answer
C. Mitigate
question
A security administrator is investigating the compromise of a software distribution website. Forensic analysis shows that several popular files are infected with malicious code. However, comparing a hash of the infected files with the original, non-infected files which were restored from backup, shows that the hash is the same. Which of the following explains this? A. The infected files were using obfuscation techniques to evade detection by antivirus software. B. The infected files were specially crafted to exploit a collision in the hash function. C. The infected files were using heuristic techniques to evade detection by antivirus software. D. The infected files were specially crafted to exploit diffusion in the hash function.
answer
B. The infected files were specially crafted to exploit a collision in the hash function.
question
A court order has ruled that your company must surrender all the email sent and received by a certain employee for the past five years. After reviewing the backup systems, the IT administrator concludes that email backups are not kept that long. Which of the following policies MUST be reviewed to address future compliance? A. Tape backup policies B. Offsite backup policies C. Data retention policies D. Data loss prevention policies
answer
C. Data retention policies
question
A system administrator needs to meet the maximum amount of security goals for a new DNS infrastructure. The administrator deploys DNSSEC extensions to the domain names and infrastructure. Which of the following security goals does this meet? (Select TWO). A. Availability B. Authentication C. Integrity D. Confidentiality E. Encryption
answer
B. Authentication C. Integrity
question
The risk manager is reviewing a report which identifies a requirement to keep a business critical legacy system operational for the next two years. The legacy system is out of support because the vendor and security patches are no longer released. Additionally, this is a proprietary embedded system and little is documented and known about it. Which of the following should the Information Technology department implement to reduce the security risk from a compromise of this system? A. Virtualize the system and migrate it to a cloud provider. B. Segment the device on its own secure network. C. Install an antivirus and HIDS on the system. D. Hire developers to reduce vulnerabilities in the code.
answer
B. Segment the device on its own secure network.
question
Two separate companies are in the process of integrating their authentication infrastructure into a unified single sign-on system. Currently, both companies use an AD backend and two factor authentication using TOTP. The system administrators have configured a trust relationship between the authentication backend to ensure proper process flow. How should the employees request access to shared resources before the authentication integration is complete? A. They should logon to the system using the username concatenated with the 6-digit code and their original password. B. They should logon to the system using the newly assigned global username: first.lastname#### where #### is the second factor code. C. They should use the username format: LANfirst.lastname together with their original password and the next 6-digit code displayed when the token button is depressed. D. They should use the username format: [email protected], together with a password and their 6-digit code.
answer
D. They should use the username format: [email protected], together with a password and their 6-digit code.
question
The Chief Risk Officer (CRO) has requested that the MTD, RTO and RPO for key business applications be identified and documented. Which of the following business documents would MOST likely contain the required values? A. MOU B. BPA C. RA D. SLA E. BIA
answer
E. BIA
question
An organization is selecting a SaaS provider to replace its legacy, in house Customer Resource Management (CRM) application. Which of the following ensures the organization mitigates the risk of managing separate user credentials? A. Ensure the SaaS provider supports dual factor authentication. B. Ensure the SaaS provider supports encrypted password transmission and storage. C. Ensure the SaaS provider supports secure hash file exchange. D. Ensure the SaaS provider supports role-based access control. E. Ensure the SaaS provider supports directory services federation.
answer
E. Ensure the SaaS provider supports directory services federation.
question
A forensic analyst receives a hard drive containing malware quarantined by the antivirus application. After creating an image and determining the directory location of the malware file, which of the following helps to determine when the system became infected? A. The malware file's modify, access, change time properties. B. The timeline analysis of the file system. C. The time stamp of the malware in the swap file. D. The date/time stamp of the malware detection in the antivirus logs.
answer
B. The timeline analysis of the file system.
question
After a security incident, an administrator would like to implement policies that would help reduce fraud and the potential for collusion between employees. Which of the following would help meet these goals by having co-workers occasionally audit another worker's position? A. Least privilege B. Job rotation C. Mandatory vacation D. Separation of duties
answer
B. Job rotation
question
A security engineer at a software development company has identified several vulnerabilities in a product late in the development cycle. This causes a huge delay for the release of the product. Which of the following should the administrator do to prevent these issues from occurring in the future? A. Recommend switching to an SDLC methodology and perform security testing during eachmaintenance iteration B. Recommend switching to a spiral software development model and perform security testing during the requirements gathering C. Recommend switching to a waterfall development methodology and perform security testing during the testing phase D. Recommend switching to an agile development methodology and perform security testing during iterations
answer
D. Recommend switching to an agile development methodology and perform security testing during iterations
question
Company XYZ is building a new customer facing website which must access some corporate resources. The company already has an internal facing web server and a separate server supporting an extranet to which suppliers have access. The extranet web server is located in a network DMZ. The internal website is hosted on a laptop on the internal corporate network. The internal network does not restrict traffic between any internal hosts. Which of the following locations will BEST secure both the intranet and the customer facing website? A. The existing internal network segment B. Dedicated DMZ network segments C. The existing extranet network segment D. A third-party web hosting company
answer
B. Dedicated DMZ network segments
question
A security architect is locked into a given cryptographic design based on the allowable software at the company. The key length for applications is already fixed as is the cipher and algorithm in use. The security architect advocates for the use of well-randomized keys as a mitigation to brute force and rainbow attacks. Which of the following is the security architect trying to increase in the design? A. Key stretching B. Availability C. Entropy D. Root of trust E. Integrity
answer
C. Entropy
question
Noticing latency issues at its connection to the Internet, a company suspects that it is being targeted in a Distributed Denial of Service attack. A security analyst discovers numerous inbound monlist requests coming to the company's NTP servers. Which of the following mitigates this activity with the LEAST impact to existing operations? A. Block in-bound connections to the company's NTP servers. B. Block IPs making monlist requests. C. Disable the company's NTP servers. D. Disable monlist on the company's NTP servers.
answer
D. Disable monlist on the company's NTP servers.
question
The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the company's contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which of the following should the ISP implement? (Select TWO). A. Block traffic from the ISP's networks destined for blacklisted IPs. B. Prevent the ISP's customers from querying DNS servers other than those hosted by the ISP. C. Block traffic with a source IP not allocated to the ISP from exiting the ISP's network. D. Scan the ISP's customer networks using an up-to-date vulnerability scanner. E. Notify customers when services they run are involved in an attack.
answer
C. Block traffic with a source IP not allocated to the ISP from exiting the ISP's network. E. Notify customers when services they run are involved in an attack.
question
For companies seeking to move to cloud services, variances in regulation between jurisdictions can be addressed in which of the following ways? A. Ensuring the cloud service provides high availability spanning multiple regions. B. Using an international private cloud model as opposed to public IaaS. C. Encrypting all data moved to or processed in a cloud-based service. D. Tagging VMs to ensure they are only run in certain geographic regions.
answer
D. Tagging VMs to ensure they are only run in certain geographic regions.
question
A large organization that builds and configures every data center against distinct requirements loses efficiency, which results in slow response time to resolve issues. However, total uniformity presents other problems. Which of the following presents the GREATEST risk when consolidating to a single vendor or design solution? A. Competitors gain an advantage by increasing their service offerings. B. Vendor lock in may prevent negotiation of lower rates or prices. C. Design constraints violate the principle of open design. D. Lack of diversity increases the impact of specific events or attacks.
answer
D. Lack of diversity increases the impact of specific events or attacks.
question
The Chief Executive Officer (CEO) of a company that allows telecommuting has challenged the Chief Security Officer's (CSO) request to harden the corporate network's perimeter. The CEO argues that the company cannot protect its employees at home, so the risk at work is no different. Which of the following BEST explains why this company should proceed with protecting its corporate network boundary? A. The corporate network is the only network that is audited by regulators and customers. B. The aggregation of employees on a corporate network makes it a more valuable target for attackers. C. Home networks are unknown to attackers and less likely to be targeted directly. D. Employees are more likely to be using personal computers for general web browsing when they are at home.
answer
B. The aggregation of employees on a corporate network makes it a more valuable target for attackers.
question
An industry organization has implemented a system to allow trusted authentication between all of its partners. The system consists of a web of trusted RADIUS servers communicating over the Internet. An attacker was able to set up a malicious server and conduct a successful man-in-themiddle attack. Which of the following controls should be implemented to mitigate the attack in the future? A. Use PAP for secondary authentication on each RADIUS server B. Disable unused EAP methods on each RADIUS server C. Enforce TLS connections between RADIUS servers D. Use a shared secret for each pair of RADIUS servers
answer
C. Enforce TLS connections between RADIUS servers
question
An organization would like to allow employees to use their network username and password to access a third-party service. The company is using Active Directory Federated Services for their directory service. Which of the following should the company ensure is supported by the thirdparty? (Select TWO). A. LDAP/S B. SAML C. NTLM D. OAUTH E. Kerberos
answer
B. SAML E. Kerberos
question
An extensible commercial software system was upgraded to the next minor release version to patch a security vulnerability. After the upgrade, an unauthorized intrusion into the system was detected. The software vendor is called in to troubleshoot the issue and reports that all core components were updated properly. Which of the following has been overlooked in securing the system? (Select TWO). A. The company's IDS signatures were not updated. B. The company's custom code was not patched. C. The patch caused the system to revert to http. D. The software patch was not cryptographically signed. E. The wrong version of the patch was used. F. Third-party plug-ins were not patched.
answer
B. The company's custom code was not patched. F. Third-party plug-ins were not patched.
question
A security officer is leading a lessons learned meeting. Which of the following should be components of that meeting? (Select TWO). A. Demonstration of IPS system B. Review vendor selection process C. Calculate the ALE for the event D. Discussion of event timeline E. Assigning of follow up items
answer
D. Discussion of event timeline E. Assigning of follow up items
question
A network administrator with a company's NSP has received a CERT alert for targeted adversarial behavior at the company. In addition to the company's physical security, which of the following can the network administrator use to scan and detect the presence of a malicious actor physically accessing the company's network or information systems from within? (Select TWO). A. RAS B. Vulnerability scanner C. HTTP intercept D. HIDS E. Port scanner F. Protocol analyzer
answer
D. HIDS E. Port scanner
question
An administrator's company has recently had to reduce the number of Tier 3 help desk technicians available to support enterprise service requests. As a result, configuration standards have declined as administrators develop scripts to troubleshoot and fix customer issues. The administrator has observed that several default configurations have not been fixed through applied group policy or configured in the baseline. Which of the following are controls the administrator should recommend to the organization's security manager to prevent an authorized user from conducting internal reconnaissance on the organization's network? (Select THREE). A. Network file system B. Disable command execution C. Port security D. TLS E. Search engine reconnaissance F. NIDS G. BIOS security H. HIDS I. IdM
answer
B. Disable command execution G. BIOS security I. IdM
question
A mature organization with legacy information systems has incorporated numerous new processes and dependencies to manage security as its networks and infrastructure are modernized. The Chief Information Office has become increasingly frustrated with frequent releases, stating that the organization needs everything to work completely, and the vendor should already have those desires built into the software product. The vendor has been in constant communication with personnel and groups within the organization to understand its business process and capture new software requirements from users. Which of the following methods of software development is this organization's configuration management process using? A. Agile B. SDL C. Waterfall D. Joint application development
answer
A. Agile
question
Joe, the Chief Executive Officer (CEO), was an Information security professor and a Subject Matter Expert for over 20 years. He has designed a network defense method which he says is significantly better than prominent international standards. He has recommended that the company use his cryptographic method. Which of the following methodologies should be adopted? A. The company should develop an in-house solution and keep the algorithm a secret. B. The company should use the CEO's encryption scheme. C. The company should use a mixture of both systems to meet minimum standards. D. The company should use the method recommended by other respected information security organizations.
answer
D. The company should use the method recommended by other respected information security organizations.
question
The security engineer receives an incident ticket from the helpdesk stating that DNS lookup requests are no longer working from the office. The network team has ensured that Layer 2 and Layer 3 connectivity are working. Which of the following tools would a security engineer use to make sure the DNS server is listening on port 53? A. PING B. NESSUS C. NSLOOKUP D. NMAP
answer
D. NMAP
question
A large organization has recently suffered a massive credit card breach. During the months of Incident Response, there were multiple attempts to assign blame as to whose fault it was that the incident occurred. In which part of the incident response phase would this be addressed in a controlled and productive manner? A. During the Identification Phase B. During the Lessons Learned phase C. During the Containment Phase D. During the Preparation Phase
answer
B. During the Lessons Learned phase
question
A security administrator needs to deploy a remote access solution for both staff and contractors. Management favors remote desktop due to ease of use. The current risk assessment suggests protecting Windows as much as possible from direct ingress traffic exposure. Which of the following solutions should be selected? A. Deploy a remote desktop server on your internal LAN, and require an active directory integrated SSL connection for access. B. Change remote desktop to a non-standard port, and implement password complexity for the entire active directory domain. C. Distribute new IPSec VPN client software to applicable parties. Virtualize remote desktop services functionality. D. Place the remote desktop server(s) on a screened subnet, and implement two-factor authentication.
answer
D. Place the remote desktop server(s) on a screened subnet, and implement two-factor authentication.
question
Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security Officer (CISO) has asked that it be done under a black box methodology. Which of the following would be the advantage of conducting this kind of penetration test? A. The risk of unplanned server outages is reduced. B. Using documentation provided to them, the pen-test organization can quickly determine areas to focus on. C. The results will show an in-depth view of the network and should help pin-point areas of internal weakness. D. The results should reflect what attackers may be able to learn about the company.
answer
D. The results should reflect what attackers may be able to learn about the company.
question
The IT manager is evaluating IPS products to determine which would be most effective at stopping network traffic that contains anomalous content on networks that carry very specific types of traffic. Based on the IT manager's requirements, which of the following types of IPS products would be BEST suited for use in this situation? A. Signature-based B. Rate-based C. Anomaly-based D. Host-based
answer
A. Signature-based
question
A software project manager has been provided with a requirement from the customer to place limits on the types of transactions a given user can initiate without external interaction from another user with elevated privileges. This requirement is BEST described as an implementation of: A. An administrative control B. Dual control C. Separation of duties D. Least privilege E. Collusion
answer
C. Separation of duties
question
Which of the following is the information owner responsible for? A. Developing policies, standards, and baselines. B. Determining the proper classification levels for data within the system. C. Integrating security considerations into application and system purchasing decisions. D. Implementing and evaluating security controls by validating the integrity of the data.
answer
B. Determining the proper classification levels for data within the system.
question
A Chief Information Security Officer (CISO) is approached by a business unit manager who heard a report on the radio this morning about an employee at a competing firm who shipped a VPN token overseas so a fake employee could log into the corporate VPN. The CISO asks what can be done to mitigate the risk of such an incident occurring within the organization. Which of the following is the MOST cost effective way to mitigate such a risk? A. Require hardware tokens to be replaced on a yearly basis. B. Implement a biometric factor into the token response process. C. Force passwords to be changed every 90 days. D. Use PKI certificates as part of the VPN authentication process.
answer
B. Implement a biometric factor into the token response process.
question
Two universities are making their 802.11n wireless networks available to the other university's students. The infrastructure will pass the student's credentials back to the home school for authentication via the Internet. The requirements are: Mutual authentication of clients and authentication server The design should not limit connection speeds Authentication must be delegated to the home school No passwords should be sent unencrypted The following design was implemented: WPA2 Enterprise using EAP-PEAP-MSCHAPv2 will be used for wireless security RADIUS proxy servers will be used to forward authentication requests to the home school The RADIUS servers will have certificates from a common public certificate authority A strong shared secret will be used for RADIUS server authentication Which of the following security considerations should be added to the design? A. The transport layer between the RADIUS servers should be secured B. WPA Enterprise should be used to decrease the network overhead C. The RADIUS servers should have local accounts for the visiting students D. Students should be given certificates to use for authentication to the network
answer
A. The transport layer between the RADIUS servers should be secured
question
A company has decided to move to an agile software development methodology. The company gives all of its developers security training. After a year of agile, a management review finds that the number of items on a vulnerability scan has actually increased since the methodology change. Which of the following best practices has MOST likely been overlooked in the agile implementation? A. Penetration tests should be performed after each sprint. B. A security engineer should be paired with a developer during each cycle. C. The security requirements should be introduced during the implementation phase. D. The security requirements definition phase should be added to each sprint.
answer
D. The security requirements definition phase should be added to each sprint.
question
A system administrator has a responsibility to maintain the security of the video teleconferencing system. During a self-audit of the video teleconferencing room, the administrator notices that speakers and microphones are hard-wired and wireless enabled. Which of the following security concerns should the system administrator have about the existing technology in the room? A. Wired transmissions could be intercepted by remote users. B. Bluetooth speakers could cause RF emanation concerns. C. Bluetooth is an unsecure communication channel. D. Wireless transmission causes interference with the video signal.
answer
C. Bluetooth is an unsecure communication channel.
question
A security engineer is a new member to a configuration board at the request of management. The company has two new major IT projects starting this year and wants to plan security into the application deployment. The board is primarily concerned with the applications' compliance with federal assessment and authorization standards. The security engineer asks for a timeline to determine when a security assessment of both applications should occur and does not attend subsequent configuration board meetings. If the security engineer is only going to perform a security assessment, which of the following steps in system authorization has the security engineer omitted? (Select TWO). A. Establish the security control baseline to be assessed B. Build the application according to software development security standards C. Write the systems functionality requirements into the security requirements traceability matrix D. Review the results of user acceptance testing E. Categorize the applications according to use F. Consult with the stakeholders to determine which standards can be omitted
answer
A. Establish the security control baseline to be assessed E. Categorize the applications according to use
question
A security manager is collecting RFQ, RFP, and RFI publications to help identify the technology trends which a government will be moving towards in the future. This information is available to the public. By consolidating the information, the security manager will be able to combine several perspectives into a broader view of technology trends. This is an example of which of the following? (Select TWO). A. Supervisory control and data acquisition B. Espionage C. Hacktivism D. Data aggregation E. Universal description discovery and integration F. Open source intelligence gathering
answer
D. Data aggregation F. Open source intelligence gathering
question
As a cost saving measure, a company has instructed the security engineering team to allow all consumer devices to be able to access the network. They have asked for recommendations on what is needed to secure the enterprise, yet offer the most flexibility in terms of controlling applications, and stolen devices. Which of the following is BEST suited for the requirements? A. MEAP with Enterprise Appstore B. Enterprise Appstore with client-side VPN software C. MEAP with TLS D. MEAP with MDM
answer
D. MEAP with MDM
question
A company uses a custom Line of Business (LOB) application to facilitate all back-end manufacturing control. Upon investigation, it has been determined that the database used by the LOB application uses a proprietary data format. The risk management group has flagged this as a potential weakness in the company's operational robustness. Which of the following would be the GREATEST concern when analyzing the manufacturing control application? A. Difficulty backing up the custom database B. Difficulty migrating to new hardware C. Difficulty training new admin personnel D. Difficulty extracting data from the database
answer
D. Difficulty extracting data from the database
question
An asset manager is struggling with the best way to reduce the time required to perform asset location activities in a large warehouse. A project manager indicated that RFID might be a valid solution if the asset manager's requirements were supported by current RFID capabilities. Which of the following requirements would be MOST difficult for the asset manager to implement? A. The ability to encrypt RFID data in transmission B. The ability to integrate environmental sensors into the RFID tag C. The ability to track assets in real time as they move throughout the facility D. The ability to assign RFID tags a unique identifier
answer
A. The ability to encrypt RFID data in transmission
question
Ann, a systems engineer, is working to identify an unknown node on the corporate network. To begin her investigative work, she runs the following nmap command string: user@hostname:~$ sudo nmap -O 192.168.1.54 Based on the output, nmap is unable to identify the OS running on the node, but the following ports are open on the device: TCP/22 TCP/111 TCP/512-514 TCP/2049 TCP/32778 Based on this information, which of the following operating systems is MOST likely running on the unknown node? A. Linux B. Windows C. Solaris D. OSX
answer
C. Solaris
question
A security analyst is tasked to create an executive briefing, which explains the activity and motivation of a cyber adversary. Which of the following is the MOST important content for the brief for management personnel to understand? A. Threat actor types, threat actor motivation, and attack tools B. Unsophisticated agents, organized groups, and nation states C. Threat actor types, attack sophistication, and the anatomy of an attack D. Threat actor types, threat actor motivation, and the attack impact
answer
D. Threat actor types, threat actor motivation, and the attack impact
question
A security engineer has inherited an authentication project which integrates 1024-bit PKI certificates into the company infrastructure and now has a new requirement to integrate 2048-bit PKI certificates so that the entire company will be interoperable with its vendors when the project is completed. The project is now 25% complete, with 15% of the company staff being issued 1024- bit certificates. The provisioning of network based accounts has not occurred yet due to other project delays. The project is now expected to be over budget and behind its original schedule. Termination of the existing project and beginning a new project is a consideration because of the change in scope. Which of the following is the security engineer's MOST serious concern with implementing this solution? A. Succession planning B. Performance C. Maintainability D. Availability
answer
C. Maintainability
question
A company has migrated its data and application hosting to a cloud service provider (CSP). To meet its future needs, the company considers an IdP. Why might the company want to select an IdP that is separate from its CSP? (Select TWO). A. A circle of trust can be formed with all domains authorized to delegate trust to an IdP B. Identity verification can occur outside the circle of trust if specified or delegated C. Replication of data occurs between the CSP and IdP before a verification occurs D. Greater security can be provided if the circle of trust is formed within multiple CSP domains E. Faster connections can occur between the CSP and IdP without the use of SAML
answer
A. A circle of trust can be formed with all domains authorized to delegate trust to an IdP D. Greater security can be provided if the circle of trust is formed within multiple CSP domains
question
An internal committee comprised of the facilities manager, the physical security manager, the network administrator, and a member of the executive team has been formed to address a recent breach at a company's data center. It was discovered that during the breach, an HVAC specialist had gained entry to an area that contained server farms holding sensitive financial data. Although the HVAC specialist was there to fix a legitimate issue, the investigation concluded security be provided for the two entry and exit points for the server farm. Which of the following should be implemented to accomplish the recommendations of the investigation? A. Implement a policy that all non-employees should be escorted in the data center. B. Place a mantrap at the points with biometric security. C. Hire an HVAC person for the company, eliminating the need for external HVAC people. D. Implement CCTV cameras at both points.
answer
B. Place a mantrap at the points with biometric security.
question
During a recent audit of servers, a company discovered that a network administrator, who required remote access, had deployed an unauthorized remote access application that communicated over common ports already allowed through the firewall. A network scan showed that this remote access application had already been installed on one third of the servers in the company. Which of the following is the MOST appropriate action that the company should take to provide a more appropriate solution? A. Implement an IPS to block the application on the network B. Implement the remote application out to the rest of the servers C. Implement SSL VPN with SAML standards for federation D. Implement an ACL on the firewall with NAT for remote access
answer
C. Implement SSL VPN with SAML standards for federation
question
A company wishes to purchase a new security appliance. A security administrator has extensively researched the appliances, and after presenting security choices to the company's management team, they approve of the proposed solution. Which of the following documents should be constructed to acquire the security appliance? A. SLA B. RFQ C. RFP D. RFI
answer
B. RFQ
question
A small retail company recently deployed a new point of sale (POS) system to all 67 stores. The core of the POS is an extranet site, accessible only from retail stores and the corporate office over a split-tunnel VPN. An additional split-tunnel VPN provides bi-directional connectivity back to the main office, which provides voice connectivity for store VoIP phones. Each store offers guest wireless functionality, as well as employee wireless. Only the staff wireless network has access to the POS VPN. Recently, stores are reporting poor response times when accessing the POS application from store computers as well as degraded voice quality when making phone calls. Upon investigation, it is determined that three store PCs are hosting malware, which is generating excessive network traffic. After malware removal, the information security department is asked to review the configuration and suggest changes to prevent this from happening again. Which of the following denotes the BEST way to mitigate future malware risk? A. Deploy new perimeter firewalls at all stores with UTM functionality. B. Change antivirus vendors at the store and the corporate office. C. Move to a VDI solution that runs offsite from the same data center that hosts the new POS solution. D. Deploy a proxy server with content filtering at the corporate office and route all traffic through it.
answer
A. Deploy new perimeter firewalls at all stores with UTM functionality.
question
Executive management is asking for a new manufacturing control and workflow automation solution. This application will facilitate management of proprietary information and closely guarded corporate trade secrets. The information security team has been a part of the department meetings and come away with the following notes: -Human resources would like complete access to employee data stored in the application. They would like automated data interchange with the employee management application, a cloud-based SaaS application. -Sales is asking for easy order tracking to facilitate feedback to customers. -Legal is asking for adequate safeguards to protect trade secrets. They are also concerned with data ownership questions and legal jurisdiction. -Manufacturing is asking for ease of use. Employees working the assembly line cannot be bothered with additional steps or overhead. System interaction needs to be quick and easy. -Quality assurance is concerned about managing the end product and tracking overall performance of the product being produced. They would like read-only access to the entire workflow process for monitoring and baselining. The favored solution is a user friendly software application that would be hosted onsite. It has extensive ACL functionality, but also has readily available APIs for extensibility. It supports readonly access, kiosk automation, custom fields, and data encryption. Which of the following departments' request is in contrast to the favored solution? A. Manufacturing B. Legal C. Sales D. Quality assurance E. Human resources
answer
E. Human resources
question
News outlets are beginning to report on a number of retail establishments that are experiencing payment card data breaches. The data exfiltration is enabled by malware on a compromised computer. After the initial exploit network mapping and fingerprinting occurs in preparation for further exploitation. Which of the following is the MOST effective solution to protect against unrecognized malware infections, reduce detection time, and minimize any damage that might be done? A. Remove local admin permissions from all users and change anti-virus to a cloud aware, push technology. B. Implement an application whitelist at all levels of the organization. C. Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for more effective monitoring. D. Update router configuration to pass all network traffic through a new proxy server with advanced malware detection.
answer
B. Implement an application whitelist at all levels of the organization.
question
The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats? A. Cloud-based antivirus solution, running as local admin, with push technology for definition updates. B. Implementation of an offsite data center hosting all company data, as well as deployment of VDI for all client computing needs. C. Host based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs. D. Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.
answer
D. Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.
question
A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture with regard to targeted attacks. Which of the following should the CSO conduct FIRST? A. Survey threat feeds from analysts inside the same industry. B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic. C. Conduct an internal audit against industry best practices to perform a gap analysis. D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.
answer
A. Survey threat feeds from analysts inside the same industry.
question
The sales team is considering the deployment of a new CRM solution within the enterprise. The IT and Security teams are members of the project; however, neither team has expertise or experience with the proposed system. Which of the following activities should be performed FIRST? A. Visit a company who already has the technology, sign an NDA, and read their latest risk assessment. B. Contact the top vendor, assign IT and Security to work together to implement a demo and pen test the system. C. Work with Finance to do a second ROI calculation before continuing further with the project. D. Research the market, select the top vendors and solicit RFPs from those vendors.
answer
D. Research the market, select the top vendors and solicit RFPs from those vendors.
question
A security administrator notices a recent increase in workstations becoming compromised by malware. Often, the malware is delivered via drive-by downloads, from malware hosting websites, and is not being detected by the corporate antivirus. Which of the following solutions would provide the BEST protection for the company? A. Increase the frequency of antivirus downloads and install updates to all workstations. B. Deploy a cloud-based content filter and enable the appropriate category to prevent further infections. C. Deploy a NIPS to inspect and block all web traffic which may contain malware and exploits. D. Deploy a web based gateway antivirus server to intercept viruses before they enter the network.
answer
B. Deploy a cloud-based content filter and enable the appropriate category to prevent further infections.
question
The helpdesk manager wants to find a solution that will enable the helpdesk staff to better serve company employees who call with computer-related problems. The helpdesk staff is currently unable to perform effective troubleshooting and relies on callers to describe their technology problems. Given that the helpdesk staff is located within the company headquarters and 90% of the callers are telecommuters, which of the following tools should the helpdesk manager use to make the staff more effective at troubleshooting while at the same time reducing company costs? (Select TWO). A. Web cameras B. Email C. Instant messaging D. BYOD E. Desktop sharing F. Presence
answer
C. Instant messaging E. Desktop sharing
question
A security manager has started a new job and has identified that a key application for a new client does not have an accreditation status and is currently not meeting the compliance requirement for the contract's SOW. The security manager has competing priorities and wants to resolve this issue quickly with a system determination and risk assessment. Which of the following approaches presents the MOST risk to the security assessment? A. The security manager reviews the system description for the previous accreditation, but does not review application change records. B. The security manager decides to use the previous SRTM without reviewing the system description. C. The security manager hires an administrator from the previous contract to complete the assessment. D. The security manager does not interview the vendor to determine if the system description is accurate.
answer
B. The security manager decides to use the previous SRTM without reviewing the system description.
question
A security administrator was recently hired in a start-up company to represent the interest of security and to assist the network team in improving security in the company. The sales team is continuously contacting the security administrator to answer security questions posed by potential customers/clients. Which of the following is the BEST strategy to minimize the frequency of these requests? A. Request the major stakeholder hire a security liaison to assist the sales team with securityrelated questions. B. Train the sales team about basic security, and make them aware of the security policies and procedures of the company. C. The job description of the security administrator is to assist the sales team; thus the process should not be changed. D. Compile a list of the questions, develop an FAQ on the website, and train the sales team about basic security concepts.
answer
D. Compile a list of the questions, develop an FAQ on the website, and train the sales team about basic security concepts.
question
An organization has decided to reduce labor costs by outsourcing back office processing of credit applications to a provider located in another country. Data sovereignty and privacy concerns raised by the security team resulted in the third-party provider only accessing and processing the data via remote desktop sessions. To facilitate communications and improve productivity, staff at the third party has been provided with corporate email accounts that are only accessible via the remote desktop sessions. Email forwarding is blocked and staff at the third party can only communicate with staff within the organization. Which of the following additional controls should be implemented to prevent data loss? (Select THREE). A. Implement hashing of data in transit B. Session recording and capture C. Disable cross session cut and paste D. Monitor approved credit accounts E. User access audit reviews F. Source IP whitelisting
answer
C. Disable cross session cut and paste E. User access audit reviews F. Source IP whitelisting
question
A company has received the contract to begin developing a new suite of software tools to replace an aging collaboration solution. The original collaboration solution has been in place for nine years, contains over a million lines of code, and took over two years to develop originally. The SDLC has broken the primary delivery stages into eight different deliverables, with each section requiring an in-depth risk analysis before moving on to the next phase. Which of the following software development methods is MOST applicable? A. Spiral model B. Incremental model C. Waterfall model D. Agile model
answer
D. Agile model
question
The manager of the firewall team is getting complaints from various IT teams that firewall changes are causing issues. Which of the following should the manager recommend to BEST address these issues? A. Set up a weekly review for relevant teams to discuss upcoming changes likely to have a broad impact. B. Update the change request form so that requesting teams can provide additional details about the requested changes. C. Require every new firewall rule go through a secondary firewall administrator for review before pushing the firewall policy. D. Require the firewall team to verify the change with the requesting team before pushing the updated firewall policy.
answer
A. Set up a weekly review for relevant teams to discuss upcoming changes likely to have a broad impact.
question
An intruder was recently discovered inside the data center, a highly sensitive area. To gain access, the intruder circumvented numerous layers of physical and electronic security measures. Company leadership has asked for a thorough review of physical security controls to prevent this from happening again. Which of the following departments are the MOST heavily invested in rectifying the problem? (Select THREE). A. Facilities management B. Human resources C. Research and development D. Programming E. Data center operations F. Marketing G. Information technology
answer
A. Facilities management E. Data center operations G. Information technology
question
The helpdesk department desires to roll out a remote support application for internal use on all company computers. This tool should allow remote desktop sharing, system log gathering, chat, hardware logging, inventory management, and remote registry access. The risk management team has been asked to review vendor responses to the RFQ. Which of the following questions is the MOST important? A. What are the protections against MITM? B. What accountability is built into the remote support application? C. What encryption standards are used in tracking database? D. What snapshot or "undo" features are present in the application? E. What encryption standards are used in remote desktop and file transfer functionality?
answer
B. What accountability is built into the remote support application?
question
A software development manager is taking over an existing software development project. The team currently suffers from poor communication, and this gap is resulting in an above average number of security-related bugs making it into production. Which of the following development methodologies involves daily stand-ups designed to improve communication? A. Spiral B. Agile C. Waterfall D. Rapid
answer
B. Agile
question
A software development manager is taking over an existing software development project. The team currently suffers from poor communication due to a long delay between requirements documentation and feature delivery. This gap is resulting in an above average number of securityrelated bugs making it into production. Which of the following development methodologies is the team MOST likely using now? A. Agile B. Waterfall C. Scrum D. Spiral
answer
B. Waterfall
question
A security manager has received the following email from the Chief Financial Officer (CFO): "While I am concerned about the security of the proprietary financial data in our ERP application, we have had a lot of turnover in the accounting group and I am having a difficult time meeting our monthly performance targets. As things currently stand, we do not allow employees to work from home but this is something I am willing to allow so we can get back on track. What should we do first to securely enable this capability for my group?" Based on the information provided, which of the following would be the MOST appropriate response to the CFO? A. Remote access to the ERP tool introduces additional security vulnerabilities and should not be allowed. B. Allow VNC access to corporate desktops from personal computers for the users working from home. C. Allow terminal services access from personal computers after the CFO provides a list of the users working from home. D. Work with the executive management team to revise policies before allowing any remote access.
answer
D. Work with the executive management team to revise policies before allowing any remote access.