CASP+ 5
A company recently implemented a new cloud storage solution and installed the required synchronization client on all company devices. A few months later, a breach of sensitive data was discovered. Root cause analysis shows the data breach happened from a lost personal mobile device. Which of the following controls can the organization implement to reduce the risk of similar breaches? A. Biometric authentication B. Cloud storage encryption C. Application containerization D. Hardware anti-tamper
Biometric authentication
A company uses an application in its warehouse that works with several commercially available tablets and can only be accessed inside the warehouse. The support department would like the selection of tablets to be limited to three models to provide better support and ensure spares are on hand. Users often keep the tablets after they leave the department, as many of them store personal media items. Which of the following should the security engineer recommend to meet these requirements? A. COPE with geofencing B. BYOD with containerization C. MDM with remote wipe D. CYOD with VPN
COPE with geofencing
An organization wants to arm its cybersecurity defensive suite automatically with intelligence on zero-day threats shortly after they emerge. Acquiring tools and services that support which of the following data standards would BEST enable the organization to meet this objective? A. XCCDF B. OVAL C. STIX D. CWE E. CVE
CVE
An enterprise is trying to secure a specific web-based application by forcing the use of multifactor authentication. Currently, the enterprise cannot change the application's sign-in page to include an extra field. However, the web-based application supports SAML. Which of the following would BEST secure the application? A. Using an SSO application that supports mutlifactor authentication B. Enabling the web application to support LDAP integration C. Forcing higher-complexity passwords and frequent changes D. Deploying Shibboleth to all web-based applications in the enterprise
Deploying Shibboleth to all web-based applications in the enterprise
While conducting online research about a company to prepare for an upcoming penetration test, a security analyst discovers detailed financial information on an investor website the company did not make public. The analyst shares this information with the Chief Financial Officer (CFO), who confirms the information is accurate, as it was recently discussed at a board of directors meeting. Many of the details are verbatim discussion comments captured by the board secretary for purposes of transcription on a mobile device. Which of the following would MOST likely prevent a similar breach in the future? A. Remote wipe B. FDE C. Geolocation D. eFuse E. VPN
FDE
A penetration testing manager is contributing to an RFP for the purchase of a new platform. The manager has provided the following requirements: - Must be able to MITM web-based protocols - Must be able to find common misconfigurations and security holes Which of the following types of testing should be included in the testing platform? (Choose two.) A. Reverse engineering tool B. HTTP intercepting proxy C. Vulnerability scanner D. File integrity monitor E. Password cracker F. Fuzzer
HTTP intercepting proxy Vulnerability scanner
A developer emails the following output to a security administrator for review:** Which of the following tools might the security administrator use to perform further security assessment of this issue? A. Port scanner B. Vulnerability scanner C. Fuzzer D. HTTP interceptor
HTTP interceptor
Following a recent outage, a systems administrator is conducting a study to determine a suitable bench stock on server hard drives. Which of the following metrics is MOST valuable to the administrator in determining how many hard drives to keep-on hand? A. TTR B. ALE C. MTBF D. SLE E. RPO
MTBF
A vulnerability was recently announced that allows a malicious user to gain root privileges on other virtual machines running within the same hardware cluster. Customers of which of the following cloud-based solutions should be MOST concerned about this vulnerability? A. Single-tenant private cloud B. Multitenant SaaS cloud C. Single-tenant hybrid cloud D. Multitenant IaaS cloud E. Multitenant PaaS cloud F. Single-tenant public cloud
Multitenant PaaS cloud
Ann, a retiring employee, cleaned out her desk. The next day, Ann's manager notices company equipment that was supposed to remain at her desk is now missing. Which of the following would reduce the risk of this occurring in the future? A. Regular auditing of the clean desk policy B. Employee awareness and training policies C. Proper employee separation procedures D. Implementation of an acceptable use policy
Proper employee separation procedures
Following a recent and very large corporate merger, the number of log files an SOC needs to review has approximately tripled. The Chief Information Security Officer (CISO) has not been allowed to hire any more staff for the SOC, but is looking for other ways to automate the log review process so the SOC receives less noise. Which of the following would BEST reduce log noise for the SOC? A. SIEM filtering B. Machine learning C. Outsourcing D. Centralized IPS
SIEM filtering
A security administrator is updating corporate policies to respond to an incident involving collusion between two systems administrators that went undetected for more than six months. Which of the following policies would have MOST likely uncovered the collusion sooner? (Choose two.) A. Mandatory vacation B. Separation of duties C. Continuous monitoring D. Incident response E. Time-of-day restrictions F. Job rotation
Separation of duties Job rotation
A software development company lost customers recently because of a large number of software issues. These issues were related to integrity and availability defects, including buffer overflows, pointer dereferences, and others. Which of the following should the company implement to improve code quality? (Choose two.) A. Development environment access controls B. Continuous integration C. Code comments and documentation D. Static analysis tools E. Application containerization F. Code obfuscation
Static analysis tools Code obfuscation
A systems administrator has deployed the latest patches for Windows-based machines. However, the users on the network are experiencing exploits from various threat actors, which the patches should have corrected. Which of the following is the MOST likely scenario? A. The machines were infected with malware. B. The users did not reboot the computer after the patches were deployed. C. The systems administrator used invalid credentials to deploy the patches. D. The patches were deployed on non-Windows-based machines.
The users did not reboot the computer after the patches were deployed.
A company relies on an ICS to perform equipment monitoring functions that are federally mandated for operation of the facility. Fines for non-compliance could be costly. The ICS has known vulnerabilities and can no longer be patched or updated. Cyber-liability insurance cannot be obtained because insurance companies will not insure this equipment. Which of the following would be the BEST option to manage this risk to the company's production environment? A. Avoid the risk by removing the ICS from production B. Transfer the risk associated with the ICS vulnerabilities C. Mitigate the risk by restricting access to the ICS D. Accept the risk and upgrade the ICS when possible
Transfer the risk associated with the ICS vulnerabilities
A security analyst works for a defense contractor that produces classified research on drones. The contractor faces nearly constant attacks from sophisticated nation-state actors and other APIs. Which of the following would help protect the confidentiality of the research data? A. Use diverse components in layers throughout the architecture B. Implement non-heterogeneous components at the network perimeter C. Purge all data remnants from client devices' volatile memory at regularly scheduled intervals D. Use only in-house developed applications that adhere to strict SDLC security requirements
Use diverse components in layers throughout the architecture
A security architect is reviewing the code for a company's financial website. The architect suggests adding the following HTML element, along with a server-side function, to generate a random number on the page used to initiate a funds transfer: <input type="hidden" name="token" value=generateRandomNumber()> Which of the following attacks is the security architect attempting to prevent? A. SQL injection B. XSRF C. XSS D. Clickjacking
XSRF
An organization is evaluating options related to moving organizational assets to a cloud-based environment using an IaaS provider. One engineer has suggested connecting a second cloud environment within the organization's existing facilities to capitalize on available datacenter space and resources. Other project team members are concerned about such a commitment of organizational assets, and ask the Chief Security Officer (CSO) for input. The CSO explains that the project team should work with the engineer to evaluate the risks associated with using the datacenter to implement: A. a hybrid cloud. B. an on-premises private cloud. C. a hosted hybrid cloud. D. a private cloud.
a hosted hybrid cloud.
A security engineer is assessing the controls that are in place to secure the corporate-Internet-facing DNS server. The engineer notices that security ACLs exist but are not being used properly. The DNS server should respond to any source but only provide information about domains it has authority over. Additionally, the DNS administrator have identified some problematic IP addresses that should not be able to make DNS requests. Given the ACLs below:** Which of the following should the security administrator configure to meet the DNS security needs?
zone "company.com" in { type "master"; file "company.host"; allow-query {any; !blacklist-ips; }; allow-transfer { secondary-dns; }; } ;
A new security policy states all wireless and wired authentication must include the use of certificates when connecting to internal resources within the enterprise LAN by all employees. Which of the following should be configured to comply with the new security policy? (Choose two.) A. SSO B. New pre-shared key C. 802.1X D. OAuth E. Push-based authentication F. PKI
802.1X PKI
An organization's network security administrator has been using an SSH connection to manage switches and routers for several years. After attempting to connect to a router, an alert appears on the terminal emulation software, warning that the SSH key has changed. After confirming the administrator is using the typical workstation and the router has not been replaced, which of the following are the MOST likely explanations for the warning message? (Choose two.) A. The SSH keys were given to another department. B. A MITM attack is being performed by an APT. C. The terminal emulator does not support SHA-256. D. An incorrect username or password was entered. E. A key rotation has occurred as a result of an incident. F. The workstation is not syncing with the correct NTP server.
A MITM attack is being performed by an APT. A key rotation has occurred as a result of an incident.
As part of the asset management life cycle, a company engages a certified equipment disposal vendor to appropriately recycle and destroy company assets that are no longer in use. As part of the company's vendor due diligence, which of the following would be MOST important to obtain from the vendor? A. A copy of the vendor's information security policies. B. A copy of the current audit reports and certifications held by the vendor. C. A signed NDA that covers all the data contained on the corporate systems. D. A copy of the procedures used to demonstrate compliance with certification requirements.
A copy of the procedures used to demonstrate compliance with certification requirements.
An enterprise's Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) are meeting to discuss ongoing capacity and resource planning issues. The enterprise has experienced rapid, massive growth over the last 12 months, and the technology department is stretched thin for resources. A new accounting service is required to support the enterprise's growth, but the only available compute resources that meet the accounting service requirements are on the virtual platform, which is hosting the enterprise's website. Which of the following should the CISO be MOST concerned about? A. Poor capacity planning could cause an oversubscribed host, leading to poor performance on the company's website. B. A security vulnerability that is exploited on the website could expose the accounting service. C. Transferring as many services as possible to a CSP could free up resources. D. The CTO does not have the budget available to purchase required resources and manage growth.
A security vulnerability that is exploited on the website could expose the accounting service.
An online bank has contracted with a consultant to perform a security assessment of the bank's web portal. The consultant notices the login page is linked from the main page with HTTPS, but when the URL is changed to HTTP, the browser is automatically redirected back to the HTTPS site. Which of the following is a concern for the consultant, and how can it be mitigated? A. XSS could be used to inject code into the login page during the redirect to the HTTPS site. The consultant should implement a WAF to prevent this. B. The consultant is concerned the site is using an older version of the SSL 3.0 protocol that is vulnerable to a variety of attacks. Upgrading the site to TLS 1.0 would mitigate this issue. C. The HTTP traffic is vulnerable to network sniffing, which could disclose usernames and passwords to an attacker. The consultant should recommend disabling HTTP on the web server. D. A successful MITM attack Could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.
A successful MITM attack Could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.
A core router was manipulated by a credentialed bypass to send all network traffic through a secondary router under the control of an unauthorized user connected to the network by WiFi. Which of the following would BEST reduce the risk of this attack type occurring? A. Implement a strong, complex password policy for user accounts that have access to the core router. B. Deploy 802.1X as the NAC system for the WiFi infrastructure. C. Add additional port security settings for the switching environment connected to the core router. D. Allow access to the core router management interface only through an out-of-band channel.
Allow access to the core router management interface only through an out-of-band channel.
An organization is deploying IoT locks, sensors, and cameras, which operate over 802.11, to replace legacy building access control systems. These devices are capable of triggering physical access changes, including locking and unlocking doors and gates. Unfortunately, the devices have known vulnerabilities for which the vendor has yet to provide firmware updates. Which of the following would BEST mitigate this risk? A. Direct wire the IoT devices into physical switches and place them on an exclusive VLAN. B. Require sensors to sign all transmitted unlock control messages digitally. C. Associate the devices with an isolated wireless network configured for WPA2 and EAP-TLS. D. Implement an out-of-band monitoring solution to detect message injections and attempts.
Associate the devices with an isolated wireless network configured for WPA2 and EAP-TLS.
A firewall specialist has been newly assigned to participate in red team exercises and needs to ensure the skills represent real-world threats. Which of the following would be the BEST choice to help the new team member learn bleeding-edge techniques? A. Attend hacking conventions. B. Research methods while using Tor. C. Interview current red team members. D. Attend web-based training.
Attend hacking conventions.
A large, public university has recently been experiencing an increase in ransomware attacks against computers connected to its network. Security engineers have discovered various staff members receiving seemingly innocuous files in their email that are being run. Which of the following would BEST mitigate this attack method? A. Improving organizations email filtering B. Conducting user awareness training C. Upgrading endpoint anti-malware software D. Enabling application whitelisting
Conducting user awareness training
Following a complete outage of the electronic medical record system for more than 18 hours, the hospital's Chief Executive Officer (CEO) has requested that the Chief Information Security Officer (CISO) perform an investigation into the possibility of a disgruntled employee causing the outage maliciously. To begin the investigation, the CISO pulls all event logs and device configurations from the time of the outage. The CISO immediately notices the configuration of a top-of-rack switch from one day prior to the outage does not match the configuration that was in place at the time of the outage. However, none of the event logs show who changed the switch configuration, and seven people have the ability to change it. Because of this, the investigation is inconclusive. Which of the following processes should be implemented to ensure this information is available for future investigations? A. Asset inventory management B. Incident response plan C. Test and evaluation D. Configuration and change management
Configuration and change management
A technician is reviewing the following log:** Which of the following tools should the organization implement to reduce the highest risk identified in this log? A. NIPS B. DLP C. NGFW D. SIEM
DLP
An organization is currently working with a client to migrate data between a legacy ERP system and a cloud-based ERP tool using a global PaaS provider. As part of the engagement, the organization is performing data deduplication and sanitization of client data to ensure compliance with regulatory requirements. Which of the following is the MOST likely reason for the need to sanitize the client data? (Choose two.) A. Data aggregation B. Data sovereignty C. Data isolation D. Data volume E. Data analytics F. Data precision
Data sovereignty Data precision
An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS. Which of the following technical approaches would be the MOST feasible way to accomplish this capture? A. Run the memdump utility with the -k flag. B. Use a loadable kernel module capture utility, such as LiME. C. Run dd on/dev/mem. D. Employ a stand-alone utility, such as FTK Imager.
Employ a stand-alone utility, such as FTK Imager.
A security administrator wants to implement controls to harden company-owned mobile devices. Company policy specifies the following requirements: - Mandatory access control must be enforced by the OS. - Devices must only use the mobile carrier data transport. Which of the following controls should the security administrator implement? (Choose three.) A. Enable DLP B. Enable SEAndroid C. Enable EDR D. Enable secure boot E. Enable remote wipe F. Disable Bluetooth G. Disable 802.11 H. Disable geotagging
Enable SEAndroid Disable Bluetooth Disable 802.11
A security engineer is working to secure an organization's VMs. While reviewing the workflow for creating VMs on demand, the engineer raises a concern about the integrity of the secure boot process of the VM guest. Which of the following would BEST address this concern? A. Configure file integrity monitoring of the guest OS. B. Enable the vTPM on a Type 2 hypervisor. C. Only deploy servers that are based on a hardened image. D. Protect the memory allocation of a Type 1 hypervisor.
Enable the vTPM on a Type 2 hypervisor.
A company's user community is being adversely affected by various types of emails whose authenticity cannot be trusted. The Chief Information Security Officer (CISO) must address the problem. Which of the following solutions would BEST support trustworthy communication solutions? A. Enabling spam filtering and DMARC. B. Using MFA when logging into email clients and the domain. C. Enforcing HTTPS everywhere so web traffic, including email, is secure. D. Enabling SPF and DKIM on company servers. E. Enforcing data classification labels before an email is sent to an outside party.
Enabling spam filtering and DMARC.
After significant vulnerabilities and misconfigurations were found in numerous production web applications, a security manager identified the need to implement better development controls. Which of the following controls should be verified? (Choose two.) A. Input validation routines are enforced on the server side. B. Operating systems do not permit null sessions. C. Systems administrators receive application security training. D. VPN connections are terminated after a defined period of time. E. Error-handling logic fails securely. F. OCSP calls are handled effectively.
Input validation routines are enforced on the server side. Error-handling logic fails securely.
A new database application was added to a company's hosted VM environment. Firewall ACLs were modified to allow database users to access the server remotely. The company's cloud security broker then identified abnormal from a database user on-site. Upon further investigation, the security team noticed the user ran code on a VM that provided access to the hypervisor directly and access to other sensitive data. Which of the following should the security team do to help mitigate future attacks within the VM environment? (Choose two.) A. Install the appropriate patches. B. Install perimeter NGFW. C. Configure VM isolation. D. Deprovision database VM. E. Change the user's access privileges. F. Update virus definitions on all endpoints.
Install the appropriate patches. Install perimeter NGFW.
Ann, a security administrator, is conducting an assessment on a new firewall, which was placed at the perimeter of a network containing PII. Ann runs the following commands on a server (10.0.1.19) behind the firewall:** From her own workstation (192.168.2.45) outside the firewall, Ann then runs a port scan against the server and records the following packet capture of the port scan:** Connectivity to the server from outside the firewall worked as expected prior to executing these commands. Which of the following can be said about the new firewall? A. It is correctly dropping all packets destined for the server. B. It is not blocking or filtering any traffic to the server. C. Iptables needs to be restarted. D. The IDS functionality of the firewall is currently disabled.
It is correctly dropping all packets destined for the server.
An organization is implementing a virtualized thin-client solution for normal user computing and access. During a review of the architecture, concerns were raised that an attacker could gain access to multiple user environments by simply gaining a foothold on a single one with malware. Which of the following reasons BEST explains this? A. Malware on one virtual environment could enable pivoting to others by leveraging vulnerabilities in the hypervisor. B. A worm on one virtual environment could spread to others by taking advantage of guest OS networking services vulnerabilities. C. One virtual environment may have one or more application-layer vulnerabilities, which could allow an attacker to escape that environment. D. Malware on one virtual user environment could be copied to all others by the attached network storage controller.
Malware on one virtual environment could enable pivoting to others by leveraging vulnerabilities in the hypervisor.
A vendor develops a mobile application for global customers. The mobile application supports advanced encryption of data between the source (the mobile device) and the destination (the organization's ERP system). As part of the vendor's compliance program, which of the following would be important to take into account? A. Mobile tokenization B. Export controls C. Device containerization D. Privacy policies
Mobile tokenization
A request has been approved for a vendor to access a new internal server using only HTTPS and SSH to manage the back-end system for the portal. Internal users just need HTTP and HTTPS access to all internal web servers. All other external access to the new server and its subnet is not allowed. The security manager must ensure proper access is configured.** Below is a snippet from the firewall related to that server (access is provided in a top-down model):** Which of the following lines should be configured to allow the proper access? (Choose two.) A. Move line 3 below line 4 and change port 80 to 443 on line 4. B. Move line 3 below line 4 and add port 443 to line. C. Move line 4 below line 5 and add port 80 to 8080 on line 2. D. Add port 22 to line 2. E. Add port 22 to line 5. F. Add port 443 to line 2. G. Add port 443 to line 5.
Move line 3 below line 4 and add port 443 to line. Add port 443 to line 2.
Due to a recent acquisition, the security team must find a way to secure several legacy applications. During a review of the applications, the following issues are documented: - The applications are considered mission-critical. - The applications are written in code languages not currently supported by the development staff. - Security updates and patches will not be made available for the applications. - Username and passwords do not meet corporate standards. - The data contained within the applications includes both PII and PHI. - The applications communicate using TLS 1.0. - Only internal users access the applications. Which of the following should be utilized to reduce the risk associated with these applications and their current architecture? A. Update the company policies to reflect the current state of the applications so they are not out of compliance. B. Create a group policy to enforce password complexity and username requirements. C. Use network segmentation to isolate the applications and control access. D. Move the applications to virtual servers that meet the password and account standards.
Move the applications to virtual servers that meet the password and account standards.
A security consultant was hired to audit a company's password are account policy. The company implements the following controls: - Minimum password length: 16 - Maximum password age: 0 - Minimum password age: 0 - Password complexity: disabled - Store passwords in plain text: disabled - Failed attempts lockout: 3 - Lockout timeout: 1 hour The password database uses salted hashes and PBKDF2. Which of the following is MOST likely to yield the greatest number of plain text passwords in the shortest amount of time? A. Offline hybrid dictionary attack B. Offline brute-force attack C. Online hybrid dictionary password spraying attack D. Rainbow table attack E. Online brute-force attack F. Pass-the-hash attack
Online hybrid dictionary password spraying attack
An analyst is investigating anomalous behavior on a corporate-owned, corporate-managed mobile device with application whitelisting enabled, based on a name string. The employee to whom the device is assigned reports the approved email client is displaying warning messages that can launch browser windows and is adding unrecognized email addresses to the "compose" window. Which of the following would provide the analyst the BEST chance of understanding and characterizing the malicious behavior? A. Reverse engineer the application binary. B. Perform static code analysis on the source code. C. Analyze the device firmware via the JTAG interface. D. Change to a whitelist that uses cryptographic hashing. E. Penetration test the mobile application.
Perform static code analysis on the source code.
A laptop is recovered a few days after it was stolen. Which of the following should be verified during incident response activities to determine the possible impact of the incident? A. Full disk encryption status B. TPM PCR values C. File system integrity D. Presence of UEFI vulnerabilities
Presence of UEFI vulnerabilities
A security analyst for a bank received an anonymous tip on the external banking website showing the following: Protocols supported - TLS 1.0 - SSL 3 - SSL 2 Cipher suites supported - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA-ECDH p256r1 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA-DH 1024bit - TLS_RSA_WITH_RC4_128_SHA TLS_FALLBACK_SCSV non supported POODLE Weak PFS OCSP stapling supported Which of the following should the analyst use to reproduce these findings comprehensively? A. Query the OCSP responder and review revocation information for the user certificates. B. Review CA-supported ciphers and inspect the connection through an HTTP proxy. C. Perform a POODLE (SSLv3) attack using an exploitations framework and inspect the output. D. Inspect the server certificate and simulate SSL/TLS handshakes for enumeration.
Query the OCSP responder and review revocation information for the user certificates.
An external red team member conducts a penetration test, attempting to gain physical access to a large organization's server room in a branch office. During reconnaissance, the red team member sees a clearly marked door to the server room, located next to the lobby, with a tumbler lock. Which of the following is BEST for the red team member to bring on site to open the locked door as quickly as possible without causing significant damage? A. Screwdriver set B. Bump key C. RFID duplicator D. Rake picking
Rake picking
During a sprint, developers are responsible for ensuring the expected outcome of a change is thoroughly evaluated for any security impacts. Any impacts must be reported to the team lead. Before changes are made to the source code, which of the following MUST be performed to provide the required information to the team lead? A. Risk assessment B. Regression testing C. User story development D. Data abstraction E. Business impact assessment
Regression testing
A cybersecurity consulting company supports a diverse customer base. Which of the following types of constraints is MOST important for the consultancy to consider when advising a regional healthcare provider versus a global conglomerate? A. Return on investment B. Regulatory standards C. Pre-existing service agreements D. Insider threats
Regulatory standards
A school contracts with a vendor to devise a solution that will enable the school library to lend out tablet computers to students while on site. The tablets must adhere to string security and privacy practices. The school's key requirements are to: - Maintain privacy of students in case of loss - Have a theft detection control in place - Be compliant with defined disability requirements - Have a four-hour minimum battery life Which of the following should be configured to BEST meet the requirements? (Choose two.) A. Remote wiping B. Geofencing C. Antivirus software D. TPM E. FDE F. Tokenization
Remote wiping TPM
An organization wants to allow its employees to receive corporate email on their own smartphones. A security analyst is reviewing the following information contained within the file system of an employee's smartphone: FamilyPix.jpg Taxreturn.tax paystub.pdf employeesinfo.xls SoccerSchedule.doc RecruitmentPlan.xls Based on the above findings, which of the following should the organization implement to prevent further exposure? (Choose two.) A. Remote wiping B. Side loading C. VPN D. Containerization E. Rooting F. Geofencing G. Jailbreaking
Remote wiping VPN
An infrastructure team within an energy organization is at the end of a procurement process and has selected a vendor's SaaS platform to deliver services. As part of the legal negotiation, there are a number of outstanding risks, including: 1. There are clauses that confirm a data retention period in line with what is in the energy organization's security policy. 2. The data will be hosted and managed outside of the energy organization's geographical location. The number of users accessing the system will be small, and no sensitive data will be hosted in the SaaS platform. Which of the following should the project's security consultant recommend as the NEXT step? A. Develop a security exemption, as the solution does not meet the security policies of the energy organization. B. Require a solution owner within the energy organization to accept the identified risks and consequences. C. Mititgate the risks by asking the vendor to accept the in-country privacy principles and modify the retention period. D. Review the procurement process to determine the lessons learned in relation to discovering risks toward the end of the process.
Require a solution owner within the energy organization to accept the identified risks and consequences.
An infrastructure team is at the end of a procurement process and has selected a vendor. As part of the final negotiation, there are a number of outstanding issues, including: 1. Indemnity clauses have identified the maximum liability. 2. The data will be hosted and managed outside of the company's geographical location. The number of users accessing the system will be small, and no sensitive data will be hosted in the solution. As the security consultant of the project, which of the following should the project's security consultant recommend as the NEXT step? A. Develop a security exemption, as it does not meet the security policies. B. Require the solution owner to accept the identified risks and consequences. C. Mitigate the risk by asking the vendor to accept the in-country privacy principles. D. Review the procurement process to determine the lessons learned.
Require the solution owner to accept the identified risks and consequences.
After an employee was terminated, the company discovered the employee still had access to emails and attached content that should have been destroyed during the off-boarding. The employee's laptop and cell phone were confiscated and accounts were disabled promptly. Forensic investigation suggests the company's DLP was effective, and the content in question was not sent outside of work or transferred to removable media. Personality owned devices are not permitted to access company systems or information. Which of the following would be the MOST efficient control to prevent this from occurring in the future? A. Install application whitelist on mobile devices. B. Disallow side loading of applications on mobile devices. C. Restrict access to company systems to expected times of day and geographic locations. D. Prevent backup of mobile devices to personally owned computers. E. Perform unannounced insider threat testing on high-risk employees.
Restrict access to company systems to expected times of day and geographic locations.
A project manager is working with a software development group to collect and evaluate user scenarios related to the organization's internally designed data analytics tool. While reviewing stakeholder input, the project manager would like to formally document the needs of the various stakeholders and the associated organizational compliance objectives supported by the project. Which of the following would be MOST appropriate to use? A. Roles matrix B. Peer review C. BIA D. SRTM
SRTM
A penetration tester is trying to gain access to a remote system. The tester is able to see the secure login page and knows one user account and email address, but has not yet discovered a password. Which of the following would be the EASIEST method of obtaining a password for the known account? A. Man-in-the-middle B. Reverse engineering C. Social engineering D. Hash cracking
Social engineering
The audit team was only provided the physical and logical addresses of the network without any type of access credentials. Which of the following methods should the audit team use to gain initial access during the security assessment? (Choose two.) A. Tabletop exercise B. Social engineering C. Runtime debugging D. Reconnaissance E. Code review F. Remote access tool
Social engineering Remote access tool
A regional transportation and logistics company recently hired its first Chief Information Security Officer (CISO). The CISO's first project after onboarding involved performing a vulnerability assessment against the company's public facing network. The completed scan found a legacy collaboration platform application with a critically rated vulnerability. While discussing this issue with the line of business, the CISO learns the vulnerable application cannot be updated without the company incurring significant losses due to downtime or new software purchases. Which of the following BEST addresses these concerns? A. The company should plan future maintenance windows such legacy application can be updated as needed. B. The CISO must accept the risk of the legacy application, as the cost of replacing the application greatly exceeds the risk to the company. C. The company should implement a WAF in front of the vulnerable application to filter out any traffic attempting to exploit the vulnerability. D. The company should build a parallel system and perform a cutover from the old application to the new application, with less downtime than an upgrade.
The company should implement a WAF in front of the vulnerable application to filter out any traffic attempting to exploit the vulnerability.
A company is moving all of its web applications to an SSO configuration using SAML. Some employees report that when signing in to an application, they get an error message on the login screen after entering their username and password, and are denied access. When they access another system that has been converted to the new SSO authentication model, they are able to authenticate successfully without being prompted for login. Which of the following is MOST likely the issue? A. The employees are using an old link that does not use the new SAML authentication. B. The XACML for the problematic application is not in the proper format or may be using an older schema. C. The web services methods and properties are missing the required WSDL to complete the request after displaying the login page. D. A threat actor is implementing an MITM attack to harvest credentials.
The employees are using an old link that does not use the new SAML authentication.
During a recent incident, sensitive data was disclosed and subsequently destroyed through a properly secured, cloud-based storage platform. An incident response technician is working with management to develop an after action report that conveys critical metrics regarding the incident. Which of the following would be MOST important to senior leadership to determine the impact of the breach? A. The likely per-record cost of the breach to the organization B. The legal or regulatory exposure that exists due to the breach C. The amount of downtime required to restore the data D. The number of records compromised
The legal or regulatory exposure that exists due to the breach
Company leadership believes employees are experiencing an increased number of cyber attacks; however, the metrics do not show this. Currently, the company uses "Number of successful phishing attacks" as a KRI, but it does not show an increase. Which of the following additional information should be the Chief Information Security Officer (CISO) include in the report? A. The ratio of phishing emails to non-phishing emails B. The number of phishing attacks per employee C. The number of unsuccessful phishing attacks D. The percent of successful phishing attacks
The percent of successful phishing attacks
A security appliance vendor is reviewing an RFP that is requesting solutions for the defense of a set of web-based applications. This RFP is from a financial institution with very strict performance requirements. The vendor would like to respond with its solutions. Before responding, which of the following factors is MOST likely to have an adverse effect on the vendor's qualifications? A. The solution employs threat information-sharing capabilities using a proprietary data model. B. The RFP is issued by a financial institution that is headquartered outside of the vendor's own country. C. The overall solution proposed by the vendor comes in less that the TCO parameter in the RFP. D. The vendor's proposed solution operates below the KPPs indicated in the RFP.
The vendor's proposed solution operates below the KPPs indicated in the RFP.
A financial institution's information security officer is working with the risk management officer to determine what to do with the institution's residual risk after all security controls have been implemented. Considering the institution's very low risk tolerance, which of the following strategies would be BEST? A. Transfer the risk. B. Avoid the risk C. Mitigate the risk. D. Accept the risk.
Transfer the risk.
A company recently implemented a variety of security services to detect various types of traffic that pose a threat to the company. The following services were enabled within the network: • Scan of specific subsets for vulnerabilities • Categorizing and logging of website traffic • Enabling specific ACLs based on application traffic • Sending suspicious files to a third-party site for validation A report was sent to the security team that identified multiple incidents of users sharing large amounts of data from an on-premise server to a public site. A small percentage of that data also contained malware and spyware Which of the following services MOST likely identified the behavior and sent the report? A. Content filter B. User behavioral analytics C. Application sandbox D. Web application firewall E. Endpoint protection F. Cloud security broker
User behavioral analytics
A product manager is concerned about the unintentional sharing of the company's intellectual property through employees' use of social media. Which of the following would BEST mitigate this risk? A. Virtual desktop environment B. Network segmentation C. Web application firewall D. Web content filter
Web content filter
A Chief Information Security Officer (CISO) is creating a security committee involving multiple business units of the corporation. Which of the following is the BEST justification to ensure collaboration across business units? A. A risk to one business unit is a risk avoided by all business units, and liberal BYOD policies create new and unexpected avenues for attackers to exploit enterprises. B. A single point of coordination is required to ensure cybersecurity issues are addressed in protected, compartmentalized groups. C. Without business unit collaboration, risks introduced by one unit that affect another unit may go without compensating controls. D. The CISO is uniquely positioned to control the flow of vulnerability information between business units.
Without business unit collaboration, risks introduced by one unit that affect another unit may go without compensating controls.
When implementing a penetration testing program, the Chief Information Security Officer (CISO) designates different organizational groups within the organization as having different responsibilities, attack vectors, and rules of engagement. First, the CISO designates a team to operate from within the corporate environment. This team is commonly referred to as: A. the blue team. B. the white team. C. the operations team. D. the read team. E. the development team.
the white team.
