CASP+ STUDY SET #1
The OS on several servers crashed around the same time for an unknown reason. The servers were restored to working conditions and all file integrity was verified. Which of the following should the incident response team perform to understand the crash and prevent it in the future? A. Root cause analysis B. Continuity of operations plan C. After-action report D. Lessons learned
A. Root cause analysis
A security engineer discovers a PC may have been breached and accessed by an outside agent. The engineer wants to find out how this breach occurred before remediating the damage. Which of the following should the security engineer do FIRST to begin this investigation? A. Create an image of the hard drive B. Capture the incoming and outgoing network traffic C. Dump the contents of the RAM D. Parse the PC logs for information on the attacker
B. Capture the incoming and outgoing network traffic
Within change management, which of the following ensures functions are carried out by multiple employees? A. Least privilege B. Mandatory vacation C. Separation of duties D. Job rotation
A. Least privilege
A company's Chief Operating Officer is concerned about the potential for competitors to infer proprietary information gathered from employees' social media accounts. Which of the following methods should the company use to gauge its own social media threat level without targeting individual employees? A. Utilize insider threat consultants to provide expertise B. Require that employees divulge social media accounts C. Detect employee use of open-source intelligence reconnaissance tools D. Perform social engineering test to evaluate employee awareness
D. Perform social engineering test to evaluate employee awareness
An attacker wants to gain information about a company's database structure by probing thedatabase structure by probing the database listener. The attacker tries to manipulate the company's database to see if it has any vulnerabilities that can be exploited to help carry out an attack. To prevent this type of attack, which of the following should the company do to secure its database? A. Mask the database banner B. Tighten database authentication and limit table access C. Harden web and internet resources D. Implement challenge-based authentication
A. Mask the database banner
As part of a systems modernization program, the use of a weak encryption algorithm is identified in a web services API. The client using the API is unable to upgrade the system on its end, which would support the use of a secure algorithm set. As a temporary workaround, the client provides its IP space, and the network administrator limits access to the API via an ACL to only the IP space held by the client. Which of the following is the use of the ACL in this situation an example of? A. Avoidance B. Transference C. Mitigation D. Acceptance E. Assessment
C. Mitigation
The Chief Information Security Officer is preparing a requirements matrix scorecard for a new security tool the company plans to purchase. Feedback from which of the following documents will provide input for the requirements matrix scorecared during the vendor selection process? A. MSA B. RFQ C. RFI D. RFP
C. RFI
A company has implemented an exemption process to document variations from its policies and standards. Which of the following is the MOST critical aspect of the exemption process for managing organizational risk? A. Obtaining the signature of the approving authority B. Monitoring which business units obtain exemptions C. Regularly reviewing and assessing exemptions D. A plan of action for mitigating the exempted variation
C. Regularly reviewing and assessing exemptions
A Chief Information Security (CISO) is reviewing the security team's risk recommendations. The CISO agrees with all the recommendations to mitigate risks, with one exception. The security team proposes the purchase of a $10,000 security appliance to mitigate a potential impact that has an ALE of $260. Instead of mitigating the risk, which of the following risk decisions is the CISO MOST likely to take? A. Accept B. Avoid C. Exempt D. Remediate
A. Accept
The Chief Information Security Officer of a small, local bank has a compliance requirement that a third-party penetration test of the core banking application must be conducted annually. Which of the following services would fulfill the compliance requirement with the LOWEST resource usage? A. Black-box testing B. Gray-box testing C. Red-team hunting D. White-box testing E. Blue-team exercises
A. Black-box testing
An employee decides to log into an authorized system. The system does not prompt the employee for authentication prior to granting access to the console, and it cannot authenticate the network resources. Which of the following attack types can this lead to if it is not mitigated? A. Memory leak B. Race condition C. Smurf D. Resource exhaustion
A. Memory leak
An attacker has been compromising banking institution targets across a regional area. The Chief Information Security Officer at a local bank wants to detect and prevent an attack before the bank becomes a victim. Which of the following actions should the CISO take? A. Utilize cloud-based threat analytics to identify anomalous behavior in the company's B2B and vendor traffic B. Purchase a CASB solution to identify and control access to cloud-based applications and services and integrate them with on-premises legacy security monitoring C. Instruct a security engineer to configure the IDS to consume threat intelligence feeds from an information-sharing association in the banking sector D. Attend and present at the regional banking association lobbying group meetings each month and facilitate a discussion on the topic
A. Utilize cloud-based threat analytics to identify anomalous behavior in the company's B2B and vendor traffic
A security analyst receives an email from a peer that includes a sample of code from a piece of malware found in an application running in the organization's staging environment. During the incident response process, it is determined the code was introduced into the environment as a result of a compromised laptop being used to harvest credentials and access the organization's code repository. While the laptop itself was not used to access the code repository, an attacker was able to leverage the harvested credentials from another system in the development environment to bypass the ACLs limiting access to the repositories. Which of the following controls MOST likely would have interrupted the kill chain in this attack? A. IP whitelisting on the perimeter firewall B. MFA for developer access C. Dynamic analysis scans in the production environment D. Blue team engagement in peer review activities E. Time-based restrictions on developer access to code repositories
B. MFA for developer access
A developer has executed code for a website that allows users to search for employees' phone numbers by last numbers by last name. The query string sent by the browser is as follows: http://www.companywebsite.com/search.php?q=SMITH The developer has implemented a well-known JavaScript sanitization library and stored procedures, but a penetration test shows the website is vulnerable to XSS. Which of the following should the developer implement NEXT to prevent XSS? (Select TWO). A. Sanitization library B. Secure cookies C. TLS encryption D. Input serialization E. Output encoding F. PUT form submission
B. Secure cookies C. TLS encryption
A new security policy states all wireless and wired authentication must include the use of certificates when connecting to internal resources within the enterprise LAN by all employees. Which of the following should be configured to comply with the new security policy? (select TWO) A. SSO B. New pre-shared key C. 802.1x D. OAuth E. Push-based authentication F. PKI
C. 802.1x E. Push-based authentication
An organization's mobile device inventory recently provided notification that a zero-day vulnerability was identified in the code used to control the baseband of the devices. The device manufacturer is expediting a patch, but the rollout will take several months. Additionally, several mobile users recently returned from an overseas trip and report their phones now contain unknown applications, slowing device performance. Users have been unable to uninstall these applications, which persist after wiping the devices. Which of the following MOST likely occurred and provides mitigation until the patches are released? A. Unauthentic firmware was installed; disable OTA updates and carrier roaming via MDM B. Users opened a spear-phishing email; disable third-party application stores and validate all signed code prior to execution C. An attacker downloaded monitoring applications; perform a full factory reset of the affected devices D. Users received an improperly encoded emergency broadcast message, leading to an integrity loss condition; disable emergency broadcast messages
C. An attacker downloaded monitoring applications; perform a full factory reset of the affected devices
An organization implemented a secure boot on its most critical application servers, which produce content and capability for other consuming servers. A recent incident, however, led the organization to implement a centralized attestation service for these critical servers. Which of the following MOST likely explains the nature of the incident that caused the organization to implement this remediation? A. An attacker masqueraded as an internal DNS server B. An attacker leveraged a heap overflow vulnerability in the OS C. An attacker was able to overwrite an OS integrity measurement register D. An attacker circumvented IEEE 802.1x network-level authentication requirements
C. An attacker was able to overwrite an OS integrity measurement register
A company is updating its acceptable use and security policies to allow personal devices to be connected to the network as long as certain security parameters can be enforced. Which of the following describes this new policy change? A. COPE B. CYOD C. BYOD D. POTS
C. BYOD
During an audit, an information security analyst discovers accounts that are still assigned toemployees who no longer work for the company and new accounts that need to be verified against a list of authorized users. This type of auditing supports the development of : A. Information classification B. Continuous monitoring C. Employment and termination procedures D. Least privilege
C. Employment and termination procedures
A company is outsourcing to an MSSP that performs managed detection and response services. The MSSP requires a server to be placed inside the network as a log aggregator and shows remote access to MSSP analysts. Critical devices send logs to the log aggregator, where data is stored for 12 months locally being archived to a multitenant cloud. The data is then sent from the log aggregator to a public IP address in the MSSP's datacenter for analysis. A security engineer is concerned about the security of the solution and notes the following. The critical devices send cleartext logs to the aggregator The log aggregator utilizes full disk encryption The log aggregator sends to the analysis server via port 80 MSSP analysts utilize an SSL VPN with MFA to access the log aggregator remotely The data is compressed and encrypted prior to being archived in the cloud Which of the following should be the security engineer's GREATEST concern? A. Hardware vulnerabilities introduced by the log aggregator server B. Network bridging from a remote access VPN C. Encryption of data in transit D. Multitenancy and data remnants in the cloud
C. Encryption of data in transit
Which of the following is the BEST reason to implement a separation of duties policy? A. It minimizes the risk of DOS due to continuous monitoring B. It eliminates the need to enforce least privilege by logging all actions C. It increases the level of difficulty for a single employee to perpetrate fraud D. It removes barriers to collusion and collaboration between business units
C. It increases the level of difficulty for a single employee to perpetrate fraud
As a result of a recent breach, a systems administrator is asked to review the security controls in place for an organization's cloud-based environment. The organization runs numerous instances and maintains several separate accounts for managing cloud-based resources. As part of the review, the systems administrator finds MFA is enabled for production-level systems but not staging systems. Which of the following is the primary risk associated with this configuration? A. Pivoting between staging and production instances B. The use of staging to harvest production-level account credentials C. The loss of data integrity within the code repositories being migrated to staging D. The accidental disclosure of data in production due to the use of unsecure protocols
C. The loss of data integrity within the code repositories being migrated to staging
A systems administrator recently conducted a vulnerability scan of the intranet. Subsequently, the organization was successfully attacked by an adversary. Which of the following is the MOST likely explanation for why the organization's network was compromised? A. There was a false positive since the network was fully patched B. The systems administrator did not perform a full system scan C. The systems administrator performed a credentialed scan D. The vulnerability database was not updated
C. The systems administrator performed a credentialed scan
A penetration tester is trying to gain access to a building after hours as part of a physical assessment of an office complex. The tester notes that each employee touches a badge near a small black box outside the side door, and the door unlocks. The tester uses a software-defined radio tool to determine a 125khz signal is used during this process. Which of the following technical solutions would be BEST to help the penetration tester gain access to the building? A. Generate a 125khz tone B. Compromise the ICS/SCADA system C. Utilize an RFID duplicator D. Obtain a lock pick set
C. Utilize an RFID duplicator
A company's employees are not permitted to access company systems while traveling internationally. The company email system is configured to block logins based on geographic location, but some employees report their mobile phones continue to sync email while traveling. Which of the following is the most likely explanation? (Select TWO) A. Outdated geographic IP information B. Privilege escalation attack C. VPN on the mobile device D. Unrestricted email administrator accounts E. Client use of UDP protocols F. Disabled GPS on mobile devices
C. VPN on the mobile device F. Disabled GPS on mobile devices
A security administrator wants to implement an MDM solution to secure access to company email and files in a BYOD environment. The solution must support the following requirements: Company administrators should not have access to employees' personal information A rooted or jailbroken device should not have access to company sensitive information Which of the following BEST addresses the associated risks? A. Code signing B. VPN C. FDE D. Containerization
D. Containerization
A server was compromised recently and two unauthorized daemons were set up to listen for incoming connections. In addition, CPU cycles were being used by an additional unauthorized cron job. Which of the following would have prevented the breach if it was properly configured? A. Set up log forwarding and utilize a SIEM for centralized management and alerting B. Use a patch management system to close the vulnerabilities in a shorter time frame C. Implement a NIDS/NIPS D. Deploy SELinux using the system baseline as the starting point E. Configure the host firewall to block unauthorized inbound connections
D. Deploy SELinux using the system baseline as the starting point
An application development company implements object reuse to reduce life-cycle costs for the company and its clients. Despite the overall cost savings, which of the following BEST describes a security risk to customers inherent within this model? A. Configurations of applications will affect multiple products B. Reverse engineering of applications will lead to intellectual property loss C. Software patch deployment will occur less often D. Homogeneous vulnerabilities will occur across multiple products
D. Homogeneous vulnerabilities will occur across multiple products
A security administrator is opening connectivity on a firewall between Organization A and Organization B. Organization B just acquired Organization A. Which of the following risk mitigation strategies should the administrator implement to reduce the risk involved with this change? A. DLP on internal network nodes B. A network traffic analyzer for incoming traffic C. A proxy server to examine outgoing web traffic D. IPS/IDS monitoring on the new connection
D. IPS/IDS monitoring on the new connection
A small firm's newly created website has several design flaws. The developer created the website to be fully compatible with ActiveX scripts in order to use various digital certificates and trusting certificate authorities. However, vulnerability testing indicates sandboxes were enabled, which restricts the code's access to resources within the user's computer. Which of the following is the MOST likely cause of the error? A. The developer inadvertently used java applets B. The developer established a corporate account with a non-reputable certification authority C. The developer used fuzzy logic to determine how the web browser would respond once ports 80 and 443 were both open D. The developer did not consider that mobile code would be transmitted across the network
D. The developer did not consider that mobile code would be transmitted across the network
A major OS vendor implements and IDE-integrated tool that alerts developers on the use of insecure and deprecated C code functions. Using which of the following functions would yield an alert to the developer? A. char B. errno_t C. strcat_s D. strcpy
D. strcpy
While conducting online research about a company to prepare for an upcoming penetration test, a security analyst discovers detailed financial information on an investor website the company did not make public. The analyst shares this information with the Chief Financial Officer, who confirms the information is accurate, as it was recently discussed at a board of directors meeting. Many of the details are verbatim discussions comments captured by the board secretary for purposes of transcription on a mobile device. Which of the following would MOST likely prevent a similar breach in the future? A. Remote wipe B. FDE C. Geolocation D. eFuse E. VPN
E. VPN
A PaaS provider deployed a new product using a DevOps methodology. Because DevOps is used to support both development and production assets, inherent separation of duties is limited. To ensure compliance with security frameworks that require a specific set of controls relating to separation of duties, the organization must design and implement an appropriate compensating control. Which of the following would be MOST suitable in this scenario? A. Configuration of increased levels of logging, monitoring, and alerting on production access B. Configuration of MFA and context-based login restrictions for all DevOps personnel C. Development of standard code libraries and usage of the WS-security module on all web servers D. Implementation of peer review, static code analysis, and web application penetration testing against the staging environment
A. Configuration of increased levels of logging, monitoring, and alerting on production access
A creative services firm has a limited security budget and staff. Due to its business model, the company sends and receives a high volume of files every day through the preferred method defined by its customers. These include email, secure file transfers, and various cloud service providers. Which of the following would BEST reduce the risk of malware infection while meeting the company's resource requirements and maintaining its current workflow? A. Configure a network based intrusion prevention system B. Contract a cloud-based sandbox security service C. Enable customers to send and receive files via SFTP D. Implement appropriate DLP systems with strict policies
A. Configure a network based intrusion prevention system
Which of the following risks does expanding business into a foreign country carry? A. Data sovereignty laws could result in unexpected liability B. Export controls might decrease software costs C. Data ownership might revert to the regulatory entities in the new country D. Some security tools might be monitored by legal authorities
A. Data sovereignty laws could result in unexpected liability
A company wants to secure a newly developed application that is used to access sensitive information and data from corporate resources. The application was developed by a third-party organization, and it is now being used heavily, despite lacking the following controls. Certificate pinning Tokenization Biometric authentication The company has already implemented the following controls. Full device encryption Screen lock Device password Remote wipe The company wants to defend against interception of data attacks. Which of the following compensating controls should the company implement NEXT? A. Enforce the use of a VPN when using the newly developed application B. Implement a geofencing solution that disbles the application according to company requirements C. Implement an out-of-band second factor to authenticate authorized users D. Install the application in a secure container requiring additional authentication controls
A. Enforce the use of a VPN when using the newly developed application
During an audit, it was determined form a sample that four out of 20 former employees were sill accessing their email accounts. An information security analyst is reviewing the access to determine if the audit was valid. Which of the following would assist with the validation and provide the necessary documentation to audit? A. Examining the termination notification process from human resources and employee account access logs B. Checking social media platforms for disclosure of company sensitive and proprietary information C. Sending the test email to the former employees to document and undeliverable email and review the ERP access D. Reviewing the email global account list and the collaboration platform for recent activity
A. Examining the termination notification process from human resources and employee account access logs
A secure facility has a server room that currently is controlled by a simple lock and key, and several administrators have copies of the key. To maintain regulatory compliance, a second lock, which is controlled by an application on the administrators' smartphones, is purchased and installed. The application has various authentication methods that can be used. The criteria for choosing the most appropriate method are: It cannot be invasive to the end user It must be utilized as a second factor Information sharing must be avoided It must have a low false acceptance rate Which of the following BEST meets the criteria? A. Facial recognition B. Swipe pattern C. Fingerprint scanning D. Complex passcode E. Token Card
A. Facial recognition
A penetration tester is given an assignment to gain physical access to a secure facility with perimeter cameras. The secure facility does not accept visitors, and entry is available only through a door protected by an RFID key and a guard stationed inside the door. Which of the following would be BEST for the penetration tester to attempt? A. Gain entry into the building by posing as a contractor who is performing routine building maintenance B. Tailgate into the facility with an employee who has a valid RFID badge to enter C. Duplicate an employee's RFID badge and use an IR camera to see when the guard leaves the post D. Look for an open window that can be used to gain unauthorized entry into the facility
A. Gain entry into the building by posing as a contractor who is performing routine building maintenance
An enterprise is configuring an SSL client-based VPN for certificate authentication. The trusted root certificate from the CA is imported into the firewall, and the VPN configuration in the firewall is configured for certificate authentication. Signed certificates from the trusted CA are distributed to user devices. The CA certificate is set as trusted on the end-user devices, and the VPN client is configured on the end-user devices. When the end users attempt to connect, however, the firewall rejects the connection after a brief period. Which of the following is the MOST likely reason the firewall rejects the connection? A. In the firewall, compatible cipher suites must be enabled B. In the VPN client, the CA CRL address needs to be specified manually C. In the router, IPSec traffic needs to be allowed in bridged mode D. In the CA, the SAN field must be set for the root CA certificate, and then reissued
A. In the firewall, compatible cipher suites must be enabled
The Chief Information Officer (CIO) wants to establish a non binding agreement with a third party that outlines the objectives of the mutual arrangement dealing with data transfers between both organizations before establishing a formal partnership. Which of the following would MOST likely be used? A. MOU B. OLA C. NDA D. SLA
A. MOU
A new corporate policy requires that all employees have access to corporate resources on personal mobile devices. The information assurance manager is concerned about the potential for inadvertent and malicious data disclosure if a device is lost, while users are concerned about corporate overreach. Which of the following controls would address these concerns and should be reflected in the company's mobile device policy? A. Place corporate applications in a container B. Enable geolocation on all devices C. Install remote wiping capabilities D. Ensure all company communications use a VPN
A. Place corporate applications in a container
The latest security scan of a web application reported multiple reported multiple high vulnerabilities in session management. Which of the following is the BEST way to mitigate the problem? A. Prohibiting session hijacking of cookies B. Using secure cookie storage and transmission C. Performing state management on the server D. Using secure and HttpOnly settings on cookies
A. Prohibiting session hijacking of cookies
A security manager wants to implement a policy that will provide management with the ability to monitor employees' activities with minimum impact of productivity. Which of the following policies is BEST suited for this scenario? A. Separation of duties B. Mandatory vacations C. Least privilege D. Incident response
A. Separation of duties
A financial services company has proprietary trading algorithms, which were created and are maintained by a team of developers on their private source repository. If the details of this operation became known to competitors, the company's ability to profit from its trading would disappear immediately. Which of the following would the company MOST likely use to protect its trading algorithms? A. Single-tenancy cloud B. Managed security service providers C. Virtual desktop infrastructure D. Cloud security broker
A. Single-tenancy cloud
While the code is still in the development environment, a security architect is testing the code stored in the code repository to ensure the top ten OWASP secure coding practices are being followed. Which of the following code analyzers will produce the desired results? A. Static B. Dynamic C. Fuzzer D. Peer review
A. Static
A systems engineer is reviewing output from a web application vulnerability scan. The engineer has determined data is entering the application from an untrusted source and is being used to construct a query dynamically. Which of the following code snippets would BEST protect the application against an SQL injection attack? A. String input = request.getPrameter ("SeqNo") ; String characterPattern = " [0-9a-zA-z] "; If (! Input. Matches (characterPattern)) { out.printIn ("Invalid Input") ; } B. <input type="text" maxlength="30" bname="ecsChangePwdForm" size="40" redonly="true" Value=' <%=ESAPI.encoder () .encodeForHTML (request.getParameter("username") ) %>'/> C. catch (Exception e) { if(log.isDebugEnabled () ) log.debug (context, EVENTS.ADHOC, "Caught InvalidGSMException Exception -" + e.toString () ); } D. <asp:TextBox TabIndex="6" runat="server" Width="206px" MaxLength="11" TextMode="Password"></asp:TextBox>
A. String input = request.getPrameter ("SeqNo") ; String characterPattern = " [0-9a-zA-z] "; If (! Input. Matches (characterPattern)) { out.printIn ("Invalid Input") ; }
While traveling to another state, the Chief Financial Officer (CFO) forgot to submit payroll for the company. The CFO quickly gained access to the corporate network through the high speed wireless network provided by the hotel and completed the task. Upon returning from the business trip, the CFO was told no one received their weekly pay due to a malware attack on the system. Which of the following is the MOST likely cause of the security breach? A. The security manager did not enforce automatic VPN connection. B. The company's server did not have endpoint security enabled. C. The hotel did not require a wireless password to authenticate D. The laptop did not have the host-based firewall properly configured.
A. The security manager did not enforce automatic VPN connection.
A security analyst is reviewing weekly email reports and finds an average of 1,000 emails received daily from the internal security alert email address. Which of the following should be implement? A. Tuning the networking monitoring service B. Separation of duties for systems administrators C. Machine learning algorithms D. DoS attack prevention
A. Tuning the networking monitoring service
A researcher is working to identify what appears to be a new variant of an existing piece of malware commonly used in ransomware attacks. While it is not identical to the malware previously evaluated, it has a number of similarities including language, payload, and algorithms. Which of the following would help the researcher safely compare the code base of the two variants? A. Virtualized sandbox B. Vulnerability scanner C. Software-defined network D. HTTP interceptor
A. Virtualized sandbox
Following a recent security incident on a web server, the security analyst takes HTTP traffic captures for further investigation. The analyst suspects certain .jpg files have important data hidden within them. Which of the following tools will help get all the pictures from within the HTTP traffic captured to a specified folder? A. tshark B. memdump C. nbstat D. dd
A. tshark
A security engineer is making certain URLs from an internal application available on the internet. The development team requires the following: The URLs are accessible only from internal IP addresses Certain countries are restricted TLS is implemented System users transparently access internal application services in a rond robin to maximize performance. Which of the following should the security engineer deploy? A. DNS to direct traffic and a WAF with only the specific external URLs configured B. A load balancer with GeoIP restrictions and least-load-sensing traffic distribution C. An application-aware firewall with geofencing and certificate services using DNS for traffic direction D. A load balancer with IP ACL restrictions and a commercially available PKI certificate
B. A load balancer with GeoIP restrictions and least-load-sensing traffic distribution
The Chief Information Security Officer of a company that has highly sensitive corporate locations wants its security engineers to find a solution to growing concerns regarding mobile devices. The CISO mandates the following requirements: The devices must be owned by the company for legal purposes The device must be as full functional as possible when off site Corporate email must be maintained separately from personal email Employees must be able to install their own applications Which of the following will BEST meet the CISO's mandate? (Select TWO) A. Disable the device's camera B. Allow only corporate resources in a container C. Use an MDM to wipe the devices remotely D. Block all sideloading of applications on devices E. Use geofencing on certain applications F. Deploy phones in a BYOD model
B. Allow only corporate resources in a container E. Use geofencing on certain applications
A company is implementing a new secure identity application, given the following requirements: The cryptographic secrets used in the application must never be exposed to users or the OS The application must work on mobile devices The application must work with the company's badge reader system Which of the following mobile device specifications are required for this design? (Select TWO) A. Secure element B. Biometrics C. UEFI D. SEAndroid E. NFC F. HSM
B. Biometrics E. NFC
A Chief Information Security Officer (CISO) has created a survey that will be distributed to managers of mission-critical functions across the organization. The survey requires the managers to determine how long their respective units can operate in the event of an extended IT outage before the organization suffers monetary losses from the outage. To which of the following is the survey question related? (Select TWO). A. Risk avoidance B. Business impact C. Risk assessment D. Recovery point objective E. Recovery time objective F. Mean time between failures
B. Business impact D. Recovery point objective
A developer implements the following code snippet: catch .(Exception e) ( if(log.isDebugEnabled( ) ) Log.Debug (Context, EVENTS.ADHOC, "Caught InvalidGSMExecption Exception - -" + e.tostring() ); Which of the following vulnerabilities does this code snippet resolve? A. SQL injection B. Buffer overflow C. Missing session limit D. Information leakage
C. Missing session limit
An energy company runs a closed network with site-to-site VPNs over the internet. The VPN implementation is based on a common open-source crypto library. Following a cyber-risk assessment, the findings show latent vulnerabilities in the VPN implementation may lead to APT's being able to access these links and cause a major impact. Assuming an APT is able to overcome the protections, which of the following architecture changes will increase the difficulty for the adversary to achieve an impact? A. Obfuscate power-plant commands within email, web, and other routine-looking enterprise traffic B. Configure the concentrator to perform authentication on IPSec headers C. Move to a closed-source VPN solution leveraging internally designed cryptography D. Implement a second "inner" VPN using a different vendor than that of the "outer" VPN
B. Configure the concentrator to perform authentication on IPSec headers
Over the last 90 days, many private storage services have been exposed in the cloud services environments, and the security team does not have the ability to see who is creating these instances. Shadow IT is creating data services and instances faster than the small security team can keep up with them. The Chief Information Security Officer (CISO) has asked the security lead architect to recommend solutions to this problem. Which of the following BEST addresses the problem with the least amount of administrative effort? A. Compile a list of firewall requests and compare them against interesting cloud services. B. Implement a CASB solution and track cloud service use cases for greater visibility. C. Implement a user-behavior analytics system to associate user events with cloud service creation events. D. Capture all logs and feed them to a SIEM, and then analyze for cloud service events.
B. Implement a CASB solution and track cloud service use cases for greater visibility.
An organization is integrating an ICS and wants to ensure the system is cyber resilient. Unfortunately, many of the specialized components are legacy systems that cannot be patched. The existing enterprise consists of mission-critical systems that require 99.9% uptime. To assist in the appropriate design of the system given the constraints, which of the following MUST be assumed? A. Vulnerable components B. Operational impact due to attack C. Time criticality of systems D. Presence of open-source software
B. Operational impact due to attack
A company provides guest WIFI access to the internet and physically separates the guest network from the company's internal WIFI. Due to recent incident in which an attacker gained access to the company's internal WIFI, the company plans to configure WPA2 Enterprise in an EAP-TLS configuration. Which of the following must be installed on authorized hosts for this new configuration to work properly? A. Active Directory GPOs B. PKI certificates C. Host-based firewall D. NAC persistent agent
B. PKI certificates
Following the most recent patch deployment, a security engineer receives reports that the ERP application is no longer accessible. The security engineer reviews the situation and determines a critical security patch that was applied to the ERP server is the cause. The patch is subsequently back out. Which of the following security controls would be BEST to implement to mitigate the threat caused by the missing patch? A. Anti-malware B. Patch testing C. HIPS D. Vulnerability scanner
B. Patch testing
Joe, an application security engineer, is performing an audit of an environmental control application. He has implemented a robust SDLC process and is reviewing API calls available to the application. During the review, Joe finds the following in a log file: POST/API/Data/Username=Jim&Password=Rustly&PowerKW&Efficiency POST/API/Data/Username=John&Password=Doe&Uptime&temperature POST/API/Data/Username=OTManager&Password=1gudPW§or5Sensor2=Off&Sector5sensor2statu s Which of the following would BEST mitigate the issue Joe has found? A. Ensure the API uses SNMPv1 B. Perform authentication via a secure channel C. Verify the API uses HTTP Get instead of POST D. Deploy a WAF in front of the API and implement rate limiting
B. Perform authentication via a secure channel
A security engineer is helping the web developers assess a new corporate web application. The application will be internet facing, so the engineer makes the following recommendation: In an .htaccess file or the site config, add: HeadereditSet_Cookie ^(.*)$ $1;HttpOnly; Secure or add to the location block: proxy_cookie_path / "/; HttpOnly; Secure; SameSite=strict"; Which of the following is the security engineer trying to accomplish via cookies? (Select TWO) A. Ensure session IDs are generated dynamically with each cookie request B. Prevent cookies from being transmitted to other domain names C. Create a temporary space on the user's drive root for ephemeral cookie storage D. Enforce the use of plain text HTTP transmission with secure local cookie storage E. Add a sequence ID to the cookie session ID while in transit to prevent CSRF F. Allow cookie creation or updates only over TLS connections
B. Prevent cookies from being transmitted to other domain names D. Enforce the use of plain text HTTP transmission with secure local cookie storage
A government entity is developing requirements for an RFP to acquire a biometric authentication system. When developing these requirements, which of the following consideration is MOST critical to the verification and validation of the SRTM? A. Local and national laws and regulations B. Secure software development requirements C. Environmental constraint requirements D. Testability of requirements
B. Secure software development requirements
A security analyst is validating the MAC policy on a set of Android devices. The policy was written to ensure non-critical applications are unable to access certain resources. When reviewing dmesg, the analyst notes many entries, such as: avc: denied { open } for pid=1018 comm="irc" path="/dev/if0" dev="tmpfs" scontext=u:r:irc:s0 tcontext=u:object_r:default:s0 tclass=chr_file permissive=1 Despite the deny message, this action was still permitted. Which of the following is the MOST likely fix for this issue? A. Add the objects of concern to the default context B. Set the devices to enforcing mode C. Create separate domain and context files for irc D. Rebuild the sepolicy, reinstall, and test
B. Set the devices to enforcing mode
A security administrator wants to stand up a NIPS that is multilayered and can incorporate many security technologies into a single platform. The product should have diverse capabilities such as antivirus, VPN, and firewall services, and be able to be updated in a timely manner to meet evolving threats. Which of the following network prevention system types can be used to satisfy the requirements? A. Application firewall B. Unified threat management C. Enterprise firewall D. Content-based IPS
B. Unified threat management
A company is in the process of re-architecting its sensitive system infrastructure to take advantage of on-demand computing through a public cloud provider. The system to be migrated is sensitive with respect to latency, availability, and integrity. The infrastructure team agreed to the following: Application and middleware servers will migrate to the cloud Database servers will remain on-site Data backup will be stored in the cloud Which of the following solutions would ensure system and security requirements are met? A. Implement a direct connection from the company to the cloud provider B. Use a cloud orchestration tool and implement appropriate change control processes C. Implement a standby database on the cloud using a CASB for data-at-rest security D. Use multizone geographic distribution with satellite relays
B. Use a cloud orchestration tool and implement appropriate change control processes
An organization relies heavily on third-party mobile applications for official use within a BYOD deployment scheme. An excerpt from an approved text-based-chat client application AndroidManifest.xml is as follows: <manifest xmlns:android=http://schemas.android.com/apk/res/android package="a.company.ircclient"> ... <uses-permission android:name="android.permission.RECORD_AUDIO" /> <uses-permission android:name="android.permission.SEND_SMS" /> </manifest> Which of the following would restrict application permissions while minimizing the impact to normal device operations? A. Add the application to the enterprise mobile whitelist B. Use the MDM to disable the devices' recording microphones and SMS C. Wrap the application before deployment D. Install the application outside of the corporate container.
B. Use the MDM to disable the devices' recording microphones and SMS
A company's human resources department recently had its own shadow IT department spin up ten VMs that host a mixture of differently labeled data types (confidential and restricted) on the same VMs. Which of the following cloud and virtualization considerations would BEST address the issue presented in this scenario? A. Vulnerabilities associated with a single platform hosting multiple data types on VMs should have been considered B. Vulnerabilities associated with a single server hosting multiple data types should have been considered C. Type 1 vs. Type 2 hypervisor approaches should have been considered D. Vulnerabilities associated with shared hosting services provided by the IT department should have been considered
B. Vulnerabilities associated with a single server hosting multiple data types should have been considered
A security engineer is assessing a new IoT product. The product interfaces with the ODBII port of a vehicle and uses a Bluetooth connection to relay data to an onboard data logger located in the vehicle. The data logger can only transfer data over a custom USB cable. The engineer suspects a replay attack is possible against the cryptographic implementation used to secure messages between segments of the system. Which of the following tools should the engineer use to confirm the analysis? A. Vulnerability scanner B. Wireless protocol analyzer C. Log analysis and reduction tools D. Network-based fuzzer
B. Wireless protocol analyzer
A security analyst has been assigned incident response duties and must instigate the response on a Windows device that appears to be compromised. Which of the following commands should be executed on the client FIRST? A. c:\>psexec.exe \\localhost -u Acct\IRSRVAcct -p IRResponse1! -c mdd_1.3.exe -oo F:\memory.dmp B. c:\>dc3dd.exe if=\\.\c: of=d: \response\img1.dd hash=md5 log=F:\response\logs.log C. c:\>fciv.exe -v -md5sum -xml hashlogs.xml D. c:\>wmic.exe /ActPC01:\\root\default path SystemRestore Call createRestorePoint "10Jan208" Allowsr /t
B. c:\>dc3dd.exe if=\\.\c: of=d: \response\img1.dd hash=md5 log=F:\response\logs.log
A security administrator is investigating an incident involving suspicious word processing documents on an employee's computer, which was found powered off in the employee's office. Which of the following tools is BEST suited for extracting full or partial word processing documents form unallocated disk space? A. memdump B. foremost C. dd D. nc
B. foremost
A security tester is performing a black-box assessment of an RFID access control system. The tester has a handful of RFID tags and is able to access the reader. However, the tester cannot disaaemble the reader because it is in use by the company. Which of the following shows the steps the tester should take to assess the RFID access control system in the correct order? A. 1. Attempt to eavesdrop and replay RFID communications 2. Determine the protocols being used between the tag and the reader. 3. Retrieve the RFID tag identifier and manufacturer details. 4. Take apart an RFID tag and analyze the chip. B. 1. Determine the protocols being used between the tag and the reader. 2. Take apart an RFID tag and analyze the chip 3. Retrieve the RFID tag identifier and manufacturer details. 4. Attempt to eavesdrop and replay RFID communications C. 1. Retrieve the RFID tag identifier and manufacturer details. 2. Determine the protocols being used between the tag and the reader. 3. Attempt to eavesdrop and replay RFID communications. 4. Take apart an RFID tag and analyze the chip. D. 1. Take apart an RFID tag and analyze the chip. 2. Retrieve the RFID tag identifier and manufacturer details 3. Determine the protocols being used between the tag and the reader 4. Attempt to eavesdrop and replay RFID communications
C. 1. Retrieve the RFID tag identifier and manufacturer details. 2. Determine the protocols being used between the tag and the reader. 3. Attempt to eavesdrop and replay RFID communications. 4. Take apart an RFID tag and analyze the chip.
A developer needs to provide feedback on a peer's work during the SDLC. While reviewing the code changes, the developer discovers session ID tokens for a web application will be transmitted over an unsecure connection. Which of the following code snippets should the developer recommend implementing to correct the vulnerability? A. Cookie cookie = new cookie ("primary"); cookie.secure (true); B. String input = request.getParameter ("input"); String character Pattern = "[./a-zA-zo-9?"=&]"; If (! Input. Matches (character Pattern)) { out.println ("Invalid Input"); } C. <webapp> <session-con*g> <session-timeout>15</session-timeout> </session-con*g> </webapp> D. <input type="text" maxlength="30" name="ecsSessionPW" size="40" redonly="true" value='<%=ESAPI.encoder() .encoderForHTML (request.getParameter ("SessionPW"))%>'/>
C. <webapp> <session-con*g> <session-timeout>15</session-timeout> </session-con*g> </webapp>
As part of the asset management life cycle, a company engages a certified equipment disposal vendor to appropriately recycle and destroy company assets that are no longer in use. As part of the company's vendor due diligence, which of the following would be MOST important to obtain from the vendor? A. A copy of the vendor's information security policies B. A copy of the current audit reports and certifications held by the vendor C. A signed NDA that covers all the data contained on the corporate systems D. A copy of the procedures used to demonstrate compliance with certification requirements
C. A signed NDA that covers all the data contained on the corporate systems
An information security officer reviews a report and notices a steady increase in outbound network traffic over the past ten months. There is no clear explanation for the increase. The security officer interviews several business units and discovers an unsanctioned cloud storage provider was used to share marketing materials with potential customers. Which of the following services would be BEST for the security officer to recommend to the company? A. NIDS B. HIPS C. CASB D. SFTP
C. CASB
The email administrator must reduce the number of phishing emails by utilizing more appropriate security controls. The following configurations already are in place: Keyword blocking based on word lists URL rewriting and protection Stripping executable files from messages Which of the following is the BEST configuration change for the administrator to make? A. Configure more robust word lists for blocking suspicious emails B. Configure appropriate regular expression rules per suspicious email received C. Configure Bayesian filtering to block suspicious inbound email D. Configure the email gateway to strip any attachments
C. Configure Bayesian filtering to block suspicious inbound email
A company recently experienced a period of rapid growth, and it now needs to move to a more scalable cloud-based solution. Historically, salespeople have maintained separate systems for information on competing customers to prevent the inadvertent disclosure of one customer's information to another customer. Which of the following would be the BEST method to provide secure data separation? A. Use a CRM tool to separate data stores B. Migrate to a single-tenancy cloud infrastructure C. Employ network segmenting to provide isolation among salespeople D. Implement an open-source public cloud CRM
C. Employ network segmenting to provide isolation among salespeople
A Chief Information Security Officer (CISO) has launched an initiative to create a robust BCP/DR plan for the entire company. As part of the initiative, the security team must gather data supporting operational importance for the application used by the business and determine the order in which the applications must be brought back online. Which of the following should be the FIRST step taken by the team? A. Perform a review of all policies and procedures related to BCP and DR and create an educational module that can be assigned to all employees to provide training on BCP/DR events B. Create an SLA for each application that states when the application will come back online and distribute this information to the business units C. Have each business unit conduct a BIA and categorize the applications according to the cumulative gathered D. Implement replication of all server and application data to back up datacenters that are geographically dispersed from the central datacenter and release an updated BPA to all clients
C. Have each business unit conduct a BIA and categorize the applications according to the cumulative gathered
The Chief Executive Officer of a fast-growing company no longer knows all the employees and is concerned about the company's intellectual property being stolen by an employee. Employees are allowed to work remotely with flexible hours, creating unpredictable schedules. Roles are poorly defined due to frequent shifting needs across the company. Which of the following new initiatives by the information security team would BEST secure the company and mitigate the CEO's concerns? A. Begin simulated phishing campaigns for employees and follow up with additional security awareness training. B. Seed company fileshares and servers with text documents containing fake passwords and then monitor for their use. C. Implement DLP to monitor data transfer between employee accounts and external parties and services D. Report data from a user-behavior monitoring tool and assign security analysis to review it daily
C. Implement DLP to monitor data transfer between employee accounts and external parties and services
After an employee was terminated, the company discovered the employee still had attached content that should have been destroyed during the off-boarding. The employee's laptop and cell phone were confiscated and accounts were disabled promptly. Forensic investigation suggests the company's DLP was effective, and the content in questions was not sent outside of work or transferred to removable media. Personally owned devices are not permitted to access company systems or information. Which of the following would be the MOST efficient control to prevent this from occurring in the future? A. Install application whitelisting on mobile devices B. Disallow side loading of applications on mobile devices C. Restrict access to company systems to expected times of day and geographic locations D. Prevent backup of mobile devices to personally owned computers E. Perform unannounced insider threat testing on high-risk employees
C. Restrict access to company systems to expected times of day and geographic locations
An organization contracts a security consultant to perform an external test against the organization's overall security posture. The consultant is asked to access a secured, public-facing customer management database, while generating the fewest log files or alerts possible. Which of the following would BEST meet the requirements? A. Pivoting from a vulnerability found in a legacy hosting platform B. Performing a spear-phishing attack against a known database user C. Running a passive vulnerability scan against the database server D. Breaking into the datacenter and accessing the console directly
C. Running a passive vulnerability scan against the database server
A hospital is using a functional magnetic resonance imaging (fMRI) scanner, which is controlled by a legacy desktop connected to the network. The manufacturer of the fMRI will not support patching of the legacy system. The legacy desktop needs to be network accessible on TCP port 445. A security administrator is concerned the legacy system will be vulnerable to exploits. Which of the following would be the BEST strategy to reduce the risk of an outage while still providing for security? A. Install HIDS and disable unused services B. Enable application whitelisting and disable SMB C. Segment the network and configure a controlled interface D. Apply only critical security patches for known vulnerabilities
C. Segment the network and configure a controlled interface
A company suspects a web server may have been infiltrated by a rival corporation. The security engineer reviews the web server logs and finds the following: ls -1 1a /usr/Heinz/public; cat ./config/db.yml The security engineer looks at the code with a developer, and they determine the log entry is created when the following line is run: system ("ls -1 -a #(path)") Which of the following is an appropriate security control the company should implement? A. Restrict directory permissions to read-only access B. Use server-side processing to avoid XSS vulnerabilities in path input C. Separate the items in the system call to prevent command injection D. Parameterize a query in the path variable to prevent SQL injection
C. Separate the items in the system call to prevent command injection
A company makes consumer health devices and needs to maintain strict confidentiality of unreleased product designs. Recently, unauthorized photos of products still in development have been for sale on the dark web. The Chief Information Security Officer suspects an insider threat, but the team that uses the secret outdoor testing area has been vetted many times, and nothing suspicious has been found. Which of the following is the MOST likely cause of the unauthorized photos? A. The location of the testing facility was discovered by analyzing fitness device information the test engineers posted on a website B. One of the test engineers is working for a competitor and covertly installed a RAT on the marketing department's servers C. The company failed to implement least privilege on network devices, and a hactivist published stolen public relations photos D. Pre-release marketing materials for a single device were accidentally left in a public location
C. The company failed to implement least privilege on network devices, and a hactivist published stolen public relations photos
A Chief Information Security Officer is creating a security committee involving multiple business units of the cooperation. Which of the following is the BEST justification to ensure collaboration across business units? A. A risk to one business unit is a risk avoided by all business units, and liberal BYOD policies create new and unexpected avenues for attackers to exploit enterprises. B. A single point of coordination is required to ensure cybersecurity issues are addressed in protected, compartmentalized groups C. Without business unit collaboration, risks introduced by one unit that affect another unit may go without compensating controls D. The CISO is uniquely positioned to control the flow of vulnerability information between business units
C. Without business unit collaboration, risks introduced by one unit that affect another unit may go without compensating controls
An engineering team is developing and deploying a fleet of mobile devices to be used for specialized inventory management purposes. These devices should: Be based on open-source Android for user familiarity and ease Provide a single application for inventory management of physical assets Permit use of the camera by only the inventory application for the purposes of scanning Disallow any and all configuration baseline modifications Restrict all access to any device resource other than those required for use of theinventory management application Which of the following approaches would BEST meet these security requirements? A. Set an application wrapping policy, wrap the application, distribute the inventory APK via the MAM tool, and test the application restrictions. B. Write a MAC sepolicy that defines domains with rules, label the inventory application, build the policy, and set to enforcing mode C. Swap out Android's Linux kernel version for >2.4.0, build the kernel, build the Android, remove unnecessary functions via MDM, configure to block network access, and perform integration testing. D. Build and install an Android middleware policy with requirements added, copy the file into /usr/init, and then build the inventory application
D. Build and install an Android middleware policy with requirements added, copy the file into /usr/init, and then build the inventory application
An organization based in the United States is planning to expand its operations into the European market later in the year. Legal counsel is exploring the additional requirements that must be established as a result of the expansion. The BEST course of action would be to: A. Revise the employee provisioning and deprovisioning procedures B. Complete a qualitative risk assessment C. Draft a memorandum of understanding D. Complete a security questionnaire focused on data privacy
D. Complete a security questionnaire focused on data privacy
Users of a newly deployed VoIP solution report multiple instances of dropped or garbled calls. Thirty users connect to the primary site via a site-to-site VPN, and the primary site supplies a dial tone to all satellite locations. The network engineer who installed the equipment copied the configuration from a site that has two users on a low bandwidth DSL connection. Which of the following is MOST likely to restore telephone availability at the 30-user site? A. Disable layer 2 encryption on the site-to-sire VPNs throughout the company B. Provision new firewalls at all sites to enable QoS management of VoIP traffic C. Enable point-to-point tunneling for all VoIP traffic at the new site D. Configure QoS settings to support the larger bandwidth available E. Prioritize ICMP and TCP traffic over UDP traffic using QoS
D. Configure QoS settings to support the larger bandwidth available
An organization is moving internal core data-processing functions related to customer data to a global public cloud provider that uses aggregated services from other partner organizations. Which of the following compliance issues will MOST likely be introduced as a result of the migration? A. Internal data integrity standards and outsourcing contracts and partnerships B. Data ownership, internal data classification, and risk profiling of outsources C. Company audit functions, cross-boarding jurisdictional challenges, and export controls D. Data privacy regulations, data sovereignty, and third-party providers
D. Data privacy regulations, data sovereignty, and third-party providers
An organization is facing budget constraints. The Chief Technology Officer wants to add a new marketing platform, but the organization does not have the resources to obtain separate servers to run the new platform. The CTO recommends running the new marketing platform on a virtualized video-conferencing server because video conferencing is rarely used. The Chief Information Security Officer denies this request. Which of the following BEST explains the reason why the CISO has not approved the request? A. Privilege escalation attacks B. Performance and availability C. Weak DAR encryption D. Disparate security requirements
D. Disparate security requirements
A company's user community is being adversely affected by various types of email whose authenticity cannot be trusted. The Chief Information Security Officer must address the problem. Which of the following solutions would BEST support trustworthy communication solutions? A. Enabling spam filtering and DMARC B. Using MFA when logging into email clients and the domain C. Enforcing HTTPS everywhere so web traffic, including email, is secure D. Enabling SPF and DKIM on company servers E. Enforcing data classification labels before an email is sent to an outside party
D. Enabling SPF and DKIM on company servers
A healthcare company wants to increase the value of the data it collects on its patients by making the data available to third-party researchers for a fee. Which of the following BEST mitigates the risk to the company? A. Log all access to the data and correlate with the researcher B. Anonymize identifiable information using keyed strings C. Ensure all data is encrypted in transit to the researcher D. Ensure all researchers sign and abide by non-disclosure agreements E. Sanitize date and time stamp information in the records
D. Ensure all researchers sign and abide by non-disclosure agreements
A red team is able to connect a laptop with penetration testing tools directly into an open network port. The team then is able to take advantage of vulnerability on the domain controller to create and promote a new enterprise administrator. Which of the following technologies would MOST likely eliminate this attack vector in the future? A. Monitor for anomalous creations of privileged domain accounts B. Install a NIPS with rules appropriate to drop most exploit traffic C. Ensure the domain controller has the latest security patches D. Implement 802.1x with certificate-based authentication
D. Implement 802.1x with certificate-based authentication
During the migration of a company's human resources application to a PaaS provider, the Cyber Privacy Officer (CPO) expresses concern the vendor's staff may be able to access data within the migrating applications. The application stack includes a multitier architecture and uses commercially available, vendor-supported software packages. Which of the following BEST addresses the CPO's concerns? A. Execute non-disclosure agreements and background checks on vendor staff. B. Ensure the platform vendor implements data-at-rest encryption on its storage. C. Enable MFA to the vendor's tier of the architecture. D. Implement a CASB that tokenizes company data in transit to the migrated applications.
D. Implement a CASB that tokenizes company data in transit to the migrated applications.
An enterprise solution requires a central monitoring platform to address the growing networks of various departments and agencies that connect to the network. The current vendor products are not adequate due to the growing number of heterogeneous devices. Which of the following is the primary concern? A. Scalability B. Usability C. Accountability D. Performance
D. Performance
A company has experience negative publicity associated with users giving out their credentials accidentally or sharing intellectual secrets that were not properly defined. The company recently implemented some new policies and is now testing their effectiveness. Over the last three months, the number of phishing victims dropped from 100 to only two in the last test. The DLP solution that was implemented catches potential material leaks, and the user responsible is retained. Personal email accounts and USB drives are restricted from the corporate network. Given the improvements, which of the following would a security engineer identify as being needed in a gap analysis? A. Additional corporate-wide training on phishing B. A policy outlining what is and is not acceptable on social media C. Notifications when a user falls victim to a phishing attack D. Positive DLP preventions with stronger enforcement
D. Positive DLP preventions with stronger enforcement
A consultant is planning an assessment of a customer-developed system. The system consists of a custom-engineered board with modified open-source drivers and a one-off management GUI. The system relies on two-factor authentication for interactive sessions, employs strong certificatebased data-in-transit encryption, and randomly switches ports for each session. Which of the following would yield the MOST useful information? A. Password cracker B. Wireless network analyzer C. Fuzzing tools D. Reverse engineering principles
D. Reverse engineering principles
The SOC has noticed an unusual volume of traffic coming from an open WiFi guest network that appears correlated with a broader network slowdown. The network team is unavailable to capture traffic, but logs from network services are available. No users have authenticated recently through the guest network's captive portal DDoS mitigation systems are not alerting DNS resolver logs show some very long domain names Which of the following is the BEST step for a security analyst to take next? A. Block all outbound traffic from the guest network at the border firewall B. Verify the passphrase on the guest network has not been changed C. Search antivirus logs for evidence of a compromised company device D. Review access point logs to identify potential zombie services
D. Review access point logs to identify potential zombie services
A manufacturing company's security engineer is concerned a remote actor may be able to access the ICS that is used to monitor the factory lines. The security engineer recently proposed some techniques to reduce the attack surface of the ICS to the Chief Information Security Officer. Which of the following would BEST track the reductions to show the CISO the engineer's plan is successful during each phase? A. Conducting tabletop exercises to evaluate system risk B. Contracting a third-party auditor after the project is finished C. Performing pre- and post-implementation penetration tests D. Running frequent vulnerability scans during the project
D. Running frequent vulnerability scans during the project
A cybersecurity analyst receives a ticket that indicates a potential incident is occurring. There has been a large increase in log files generated by a website containing a "Contact US" form. The analyst must determine if the increase in website traffic is due to a recent marketing campaign or if this is a potential incident. Which of the following would BEST assist the analyst? A. Ensuring proper input validation is configured on the "Contact Us" form B. Deploying a WAF in front of the public website C. Checking for new rules from the inbound network IPS vendor D. Running the website log files through a log reduction and analysis tool
D. Running the website log files through a log reduction and analysis tool
A security engineer is investigating a compromise that occurred between two internal computers. The engineer has determined during the investigation that one computer infected another. While reviewing the IDS logs, the engineer can view the outbound callback traffic but sees no traffic between the two computers. Which of the following would BEST address the IDS visibility gap? A. Install network taps at the edge of the network B. Send syslog from the IDS into the SIEM C. Install an enterprise antivirus system on each computer D. SPAN traffic from the network core into the IDS
D. SPAN traffic from the network core into the IDS
A security analyst is trying to identify the source of a recent data loss incident. The analyst has reviewed all the logs for the time surrounding the incident and identified all the assets on the network at the time of the data loss. The analyst suspects the key to finding the source was obfuscated in an application. Which of the following tools should the analyst use NEXT? A. Software decompiler B. Network enumerator C. Log reduction and analysis tool D. Static code analysis
D. Static code analysis
A development team releases updates to an application regularly. The application is compiled with several standard, open-source security products that require a minimum version for compatibility. During the security review portion of the development cycle, which of the following should be done to minimize possible application vulnerabilities? A. The developers should require an exact version of the open-source security products, preventing the introduction of new vulnerabilities B. The application development team should move to an Agile development approach to identify security concerns faster. C. The change logs for the third-party libraries should be reviewed for security patches, which may need to be included in the release. D. The application should eliminate the use of open-source libraries and products to prevent known vulnerabilities from being included.
D. The application should eliminate the use of open-source libraries and products to prevent known vulnerabilities from being included.
A regional transportation and logistics company recently hired its first Chief Information Security Officer. The CISO's first project after onboarding involved performing a vulnerability assessment against the company's public-facing network. The completed scan found a legacy collaboration platform application with a critically rated vulnerability. While discussing this issue with the line of business, the CISO learns the vulnerable application cannot be updated without the company incurring significant losses due to downtime or new software purchases. Which of the following BEST addresses these concerns? A. The company should plan future maintenance windows where such legacy applications can be updated as needed. B. Then CISO must accept the risk of the legacy application, as the cost of replacing the application greatly exceeds the risk to the company C. The company should implement a WAF in front of the vulnerable application to filter out any traffic attempting to exploit the vulnerability D. The company should build a parallel system and perform a cutover from the old application to the new application, with less downtime that an upgrade
D. The company should build a parallel system and perform a cutover from the old application to the new application, with less downtime that an upgrade
A company has made it a spending priority to implement security architectures that will be resilient during an attack. Recent incidents have involved attackers leveraging latent vulnerabilities in cryptographic implementations and VPN concentrators to be able to compromise sensitive information. Which of the following approaches would be BEST to increase enterprise resilience during similar future attacks? A. Implement appliances and software from diverse manufacturers. B. Segment remote VPN users logically from the production LAN C. Maximize open-source software to benefit from swifter patch releases. D. Upgrade the cryptographic ciphers used on the VPN concentrators.
D. Upgrade the cryptographic ciphers used on the VPN concentrators.
A Chief Information Officer (CISO) is working with a consultant to perform a gap assessment prior to an upcoming audit. It is determined during the assessment that the organization lacks controls to effectively assess regulatory compliance by third-party service providers. Which of the following should be revised to address this gap? A. Privacy policy B. Work breakdown structure C. Incident response plan D. Vendor management plan E. Audit report
D. Vendor management plan
A cybersecurity engineer analyzed a system for vulnerabilities. The tool created an OVAL Results document as output. Which of the following would enable the engineer to interpret the results in a human readable form? (Select TWO) A. Text editor B. OOXML editor C. Event viewer D. XML style sheet E. SCAP tool F. Debugging utility
D. XML style sheet E. SCAP tool
A manufacturing company employs SCADA systems to drive assembly lines across geographically dispersed sites. Therefore, the company must use the internet to transport control messages and responses. Which of the following architectural changes, when integrated, will BEST reduce the manufacturing control system's attack surface? (Select TWO) A. Design a patch management capability for control systems B. Implement supply chain security C. Integrate message authentication D. Add sensors and collectors at the internet boundary E. Isolate control systems from enterprise systems F. Implement a site-to-site VPN across sites
E. Isolate control systems from enterprise systems F. Implement a site-to-site VPN across sites
A security administrator is concerned about employees connecting their personal devices to the company network. Doing so is against company policy. The network does not have a NAC solution. The company uses a GPO that disables the firewall on all company-owned devices while they are connected to the internal network. Additionally, all company-owned devices implement a standard naming convention that uses the device's serial number. The security administrator wants to identify active personal devices and write a custom script to disconnect them from the network. Which of the following should the script use to BEST accomplish this task? A. Recursive DNS logs B. DHCP logs C. AD authentication logs D. RADIUS logs E. Switch and router ARP tables
E. Switch and router ARP tables
As part of an organization's ongoing vulnerability assessment program, the Chief Information Security Officer (CISO) wants to evaluate the organization's systems, personnel, and facilities for various threats. As part of the assessment, the CISO plans to engage an independent cybersecurity assessment firm to perform social engineering and physical penetration testing against the organization's corporate offices and remote locations. Which of the following techniques would MOST likely be employed as part of this assessment? (Select THREE). A. Privilege escalation B. SQL injection C. TOC/TOU explitation D. Rogue AP substitution E. Tailgating F. Vulnerability scanning G. Vishing H. Badge skimming
E. Tailgating G. Vishing H. Badge skimming