CISSP - More Questions - Part Two
A company has decided that they need to begin maintaining assets deployed in the enterprise. What approach should be followed to determine and maintain ownership information to bring the company into compliance? A. Enterprise asset management framework B. Asset baseline using commercial off the shelf software C. Asset ownership database using domain login records D. A script to report active user logins on assets
A
A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In which of the following the controls categories does this company need to improve when analyzing its processes individually? A. Asset Management, Business Environment, Governance and Risk Assessment B. Access Control, Awareness and Training, Data Security and Maintenance C. Anomalies and Events, Security Continuous Monitoring and Detection Processes D. Recovery Planning, Improvements and Communications
A
A development operations team would like to start building new applications delegating the cybersecurity responsibility as much as possible to the service provider. Which of the following environments BEST fits their need? A. Cloud Virtual Machines (VM) B. Cloud application container within a Virtual Machine (VM) C. On premises Virtual Machine (VM) D. Self-hosted Virtual Machine (VM)
A
A security architect is responsible for the protection of a new home banking system. Which of the following solutions can BEST improve the confidentiality and integrity of this external system? A. Intrusion Prevention System (IPS) B. Denial of Service (DoS) protection solution C. One-time Password (OTP) token D. Web Application Firewall (WAF)
A
A user downloads a file from the Internet, then applies the Secure Hash Algorithm 3 (SHA-3) to it. Which of the following is the MOST likely reason for doing so? A. It verifies the integrity of the file. B. It checks the file for malware. C. It ensures the entire file downloaded. D. It encrypts the entire file.
A
A user sends an e-mail request asking for read-only access to files that are not considered sensitive. A Discretionary Access Control (DAC) methodology is in place. Which is the MOST suitable approach that the administrator should take? A. Administrator should request data owner approval to the user access B. Administrator should request manager approval for the user access C. Administrator should directly grant the access to the non-sensitive files D. Administrator should assess the user access need and either grant or deny the access
A
A vulnerability in which of the following components would be MOST difficult to detect? A. Kernel B. Shared libraries C. Hardware D. System application
A
An organization discovers that its Secure File Transfer Protocol (SFTP) server has been accessed by an unauthorized person to download an unreleased game. A recent security audit found weaknesses in some of the organization's general Information Technology (IT) controls, specifically pertaining to software change control and security patch management, but not in other control areas. Which of the following is the MOST probable attack vector used in the security breach? A. Buffer overflow B. Distributed Denial of Service (DDoS) C. Cross-Site Scripting (XSS) D. Weak password due to lack of complexity rules
A
An organization that has achieved a Capability Maturity Model Integration (CMMI) level of 4 has done which of the following? A. Achieved optimized process performance B. Achieved predictable process performance C. Addressed the causes of common process variance D. Addressed continuous innovative process improvement
A
As users switch roles within an organization, their accounts are given additional permissions to perform the duties of their new position. After a recent audit, it was discovered that many of these accounts maintained their old permissions as well. The obsolete permissions identified by the audit have been remediated and accounts have only the appropriate permissions to complete their jobs. Which of the following is the BEST way to prevent access privilege creep? A. Implementing Identity and Access Management (IAM) solution B. Time-based review and certification C. Internet audit D. Trigger-based review and certification
A
Attack trees are MOST useful for which of the following? A. Determining system security scopes B. Generating attack libraries C. Enumerating threats D. Evaluating Denial of Service (DoS) attacks
A
Change management policies and procedures belong to which of the following types of controls? A. Directive B. Detective C. Corrective D. Preventative
A
Compared with hardware cryptography, software cryptography is generally A. less expensive and slower. B. more expensive and faster. C. more expensive and slower. D. less expensive and faster.
A
Directive controls are a form of change management policy and procedures. Which of the following subsections are recommended as part of the change management process? A. Build and test B. Implement security controls C. Categorize Information System (IS) D. Select security controls
A
During which of the following processes is least privilege implemented for a user account? A. Provision B. Approve C. Request D. Review
A
For the purpose of classification, which of the following is used to divide trust domain and trust boundaries? A. Network architecture B. Integrity C. Identity Management (IdM) D. Confidentiality management
A
How can an attacker exploit a stack overflow to execute arbitrary code? A. Modify a function's return address. B. Move the stack pointer C. Substitute elements in the stack. D. Alter the address of the stack.
A
In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is MAIN purpose of the DMZ? A. Reduced risk to internal systems. B. Prepare the server for potential attacks. C. Mitigate the risk associated with the exposed server. D. Bypass the need for a firewall.
A
In order for application developers to detect potential vulnerabilities earlier during the Software Development Life Cycle (SDLC), which of the following safeguards should be implemented FIRST as part of a comprehensive testing framework? A. Source code review B. Acceptance testing C. Threat modeling D. Automated testing
A
Network-based logging has which advantage over host-based logging when reviewing malicious activity about a victim machine? A. Addresses and protocols of network-based logs are analyzed. B. Host-based system logging has files stored in multiple locations. C. Properly handled network-based logs may be more reliable and valid. D. Network-based systems cannot capture users logging into the console.
A
Once the types of information have been identified, who should an information security practitioner work with to ensure that the information is properly categorized? A. Information Owner (IO) B. System Administrator C. Business Continuity (BC) Manager D. Chief Information Officer (CIO)
A
What balance MUST be considered when web application developers determine how informative application error messages should be constructed? A. Risk versus benefit B. Availability versus auditability C. Confidentiality versus integrity D. Performance versus user satisfaction
A
What capability would typically be included in a commercially available software package designed for access control? A. Password encryption B. File encryption C. Source library control D. File authentication
A
What determines the level of security of a combination lock? A. Complexity of combination required to open the lock B. Amount of time it takes to brute force the combination C. The number of barrels associated with the internal mechanism D. The hardness score of the metal lock material
A
What is a consideration when determining the potential impact an organization faces in the event of the loss of confidentiality of Personally Identifiable Information (PII)? A. Quantity B. Availability C. Quality D. Criticality
A
What is the best way for mutual authentication of devices belonging to the same organization? A. Token B. Certificates C. User ID and passwords D. Biometric
A
What is the process of removing sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique? A. Purging B. Encryption C. Destruction D. Clearing
A
When developing solutions for mobile devices, in which phase of the Software Development Life Cycle (SDLC) should technical limitations related to devices be specified? A. Implementation B. Initiation C. Review D. Development
A
Where would an organization typically place an endpoint security solution? A. Web server and individual devices B. Intrusion Detection System (IDS) and web server C. Central server and individual devices D. Intrusion Detection System (IDS) and central sever
A
Which of the following BEST describes Recovery Time Objective (RTO)? A. Time of application resumption after disaster B. Time of application verification after disaster. C. Time of data validation after disaster. D. Time of data restoration from backup after disaster.
A
Which of the following BEST describes a chosen plaintext attack? A. The cryptanalyst can generate ciphertext from arbitrary text. B. The cryptanalyst examines the communication being sent back and forth. C. The cryptanalyst can choose the key and algorithm to mount the attack. D. The cryptanalyst is presented with the ciphertext from which the original message is determined.
A
Which of the following BEST represents the concept of least privilege? A. Access to an object is denied unless access is specifically allowed. B. Access to an object is only available to the owner. C. Access to an object is allowed unless it is protected by the information security policy. D. Access to an object is only allowed to authenticated users via an Access Control List (ACL).
A
Which of the following are important criteria when designing procedures and acceptance criteria for acquired software? A. Code quality, security, and origin B. Architecture, hardware, and firmware C. Data quality, provenance, and scaling D. Distributed, agile, and bench testing
A
Which of the following encryption types is used in Hash Message Authentication Code (HMAC) for key distribution? A. Symmetric B. Asymmetric C. Ephemeral D. Permanent
A
Which of the following is PRIMARILY adopted for ensuring the integrity of information is preserved? A. Data at rest protection B. Transport Layer Security (TLS) C. Role Based Access Control (RBAC) D. One-way encryption
A
Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution? A. Password requirements are simplified. B. Risk associated with orphan accounts is reduced. C. Segregation of duties is automatically enforced. D. Data confidentiality is increased.
A
Which of the following is a credible source to validate that security testing of Commercial Off-The-Shelf (COTS) software has been performed with international standards? A. Common Criteria (CC) B. Evaluation Assurance Level (EAL) C. National Information Assurance Partnership (NIAP) D. International Standards Organization (ISO)
A
Which of the following is a weakness of Wired Equivalent Privacy (WEP)? A. Length of Initialization Vector (IV) B. Protection against message replay C. Detection of message tampering D. Built-in provision to rotate keys
A
Which of the following is the BEST definition of Cross-Site Request Forgery (CSRF)? A. An attack which forces an end user to execute unwanted actions on a web application in which they are currently authenticated B. An attack that injects a script into a web page to execute a privileged command C. An attack that makes an illegal request across security zones and thereby forges itself into the security database of the system D. An attack that forges a false Structure Query Language (SQL) command across systems
A
Which of the following is the BEST method to reduce the effectiveness of phishing attacks? A. User awareness B. Two-factor authentication C. Anti-phishing software D. Periodic vulnerability scan
A
Which of the following is the MOST important activity an organization performs to ensure that security is part of the overall organization culture? A. Perform formal reviews of security incidents. B. Work with senior management to meet business goals. C. Ensure security policies are issued to all employees. D. Manage a program of security audits.
A
Which of the following is the PRIMARY reason a sniffer operating on a network is collecting packets only from its own host? A. An Intrusion Detection System (IDS) has dropped the packets. B. The network is connected using switches. C. The network is connected using hubs. D. The network's firewall does not allow sniffing.
A
Which of the following is the primary advantage of segmenting Virtual Machines (VM) using physical networks? A. Simplicity of network configuration and network monitoring B. Removes the need for decentralized management solutions C. Removes the need for dedicated virtual security controls D. Simplicity of network configuration and network redundancy
A
Which of the following needs to be taken into account when assessing vulnerability? A. Risk identification and validation B. Threat mapping C. Risk acceptance criteria D. Safeguard selection
A
Which of the following techniques is known to be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections? A. Automated dynamic analysis B. Automated static analysis C. Manual code review D. Fuzzing
A
Which of the following would BEST describe the role directly responsible for data within an organization? A. Data custodian B. Information owner C. Database administrator D. Quality control
A
Which step of the Risk Management Framework (RMF) identifies the initial set of baseline security controls? A. Selection B. Monitoring C. Implementation D. Assessment
A
Continuity of operations is BEST supported by which of the following? A. Confidentiality, availability, and reliability B. Connectivity, reliability, and redundancy C. Connectivity, reliability, and recovery D. Confidentiality, integrity, and availability
B
A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligations such as the General Data Protection (GDPR) and ensure data confidentiality. The Chief Information Security Officer (CISO) says that the cloud provider has met all regulations requirements and even provides its own encryption solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the legal requirements in this situation? A. No, because the encryption solution is internal to the cloud provider. B. Yes, because the cloud provider meets all regulations requirements. C. Yes, because the cloud provider is GDPR compliant. D. No, because the cloud provider is not certified to host government data.
B
A group of organizations follows the same access standards and practices. One manages the verification and due diligence processes for the others. For a user to access a resource from one of the organizations, a check is made to see if that user has been certified. Which Federated Identity Management (FIM) process is this an example of? A. One-time authentication B. Web based access management C. Cross-certification model D. Bridge model
B
A security team member was selected as a member of a Change Control Board (CCB) for an organization. Which of the following is one of their responsibilities? A. Approving or disapproving the change B. Determining the impact of the change C. Carrying out the requested change D. Logging the change
B
A system administration office desires to implement the following rules: ✑ An administrator that is designated as a skill level 3, with 5 years of experience, is allowed to perform system backups, upgrades, and local administration. ✑ An administrator that is designated as a skill level 5, with 10 years of experience, is permitted to perform all actions related to system administration. Which of the following access control methods MUST be implemented to achieve this goal? A. Discretionary Access Control (DAC) B. Role Based Access Control (RBAC) C. Mandatory Access Control (MAC) D. Attribute Based Access Control (ABAC)
B
The security accreditation task of the System Development Life Cycle (SDLC) process is completed at the end of which phase? A. System acquisition and development B. System operations and maintenance C. System initiation D. System implementation
B
An Internet software application requires authentication before a user is permitted to utilize the resource. Which testing scenario BEST validates the functionality of the application? A. Reasonable data testing B. Input validation testing C. Web session testing D. Allowed data bounds and limits testing
B
An employee receives a promotion that entities them to access higher-level functions on the company's accounting system, as well as keeping their access to the previous system that is no longer needed or applicable. What is the name of the process that tries to remove this excess privilege? A. Access provisioning B. Segregation of Duties (SoD) C. Access certification D. Access aggregation
B
An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will provide them with Software as a Service (SaaS). If there was a data breach who is responsible for monetary losses? A. The Data Protection Authority (DPA) B. The Cloud Service Provider (CSP) C. The application developers D. The data owner
B
An organization plan on purchasing a custom software product developed by a small vendor to support its business model. Which unique consideration should be made part of the contractual agreement potential long-term risks associated with creating this dependency? A. A source code escrow clause B. Right to request an independent review of the software source code C. Due diligence form requesting statements of compliance with security requirements D. Access to the technical documentation
B
As a best practice, the Security Assessment Report (SAR) should include which of the following sections? A. Data classification policy B. Software and hardware inventory C. Remediation recommendations D. Names of participants
B
Between which pair of Open System Interconnection (OSI) Reference Model layers are routers used as a communications device? A. Transport and Session B. Data-Link and Transport C. Network and Session D. Physical and Data-Link
B
How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted? A. Use an impact-based approach. B. Use a risk-based approach. C. Use a criticality-based approach. D. Use a threat-based approach.
B
Physical assets defined in an organization's Business Impact Analysis (BIA) could include which of the following? A. Personal belongings of organizational staff members B. Supplies kept off-site at a remote facility C. Cloud-based applications D. Disaster Recovery (DR) line-item revenues
B
Reciprocal backup site agreements are considered to be A. a better alternative than the use of warm sites. B. difficult to test for complex systems. C. easy to implement for similar types of organizations. D. easy to test and implement for complex systems.
B
The PRIMARY purpose of accreditation is to: A. comply with applicable laws and regulations. B. allow senior management to make an informed decision regarding whether to accept the risk of operating the system. C. protect an organization's sensitive data. D. verify that all security controls have been implemented properly and are operating in the correct manner.
B
The application of a security patch to a product previously validate at Common Criteria (CC) Evaluation Assurance Level (EAL) 4 would A. require an update of the Protection Profile (PP). B. require recertification. C. retain its current EAL rating. D. reduce the product to EAL 3.
B
The process of "salting" a password is designed to increase the difficulty of cracking which of the following? A. Specific password B. Password hash function C. Password algorithm D. Maximum password length
B
The restoration priorities of a Disaster Recovery Plan (DRP) are based on which of the following documents? A. Service Level Agreement (SLA) B. Business Continuity Plan (BCP) C. Business Impact Analysis (BIA) D. Crisis management plan
B
What is the MAIN purpose for writing planned procedures in the design of Business Continuity Plans (BCP)? A. Establish lines of responsibility. B. Minimize the risk of failure. C. Accelerate the recovery process. D. Eliminate unnecessary decision making.
B
What is the MOST common component of a vulnerability management framework? A. Risk analysis B. Patch management C. Threat analysis D. Backup management
B
What is the MOST important element when considering the effectiveness of a training program for Business Continuity (BC) and Disaster Recovery (DR)? A. Management support B. Consideration of organizational need C. Technology used for delivery D. Target audience
B
What operations role is responsible for protecting the enterprise from corrupt or contaminated media? A. Information security practitioner B. Information librarian C. Computer operator D. Network administrator
B
What type of wireless network attack BEST describes an Electromagnetic Pulse (EMP) attack? A. Radio Frequency (RF) attack B. Denial of Service (DoS) attack C. Data modification attack D. Application-layer attack
B
Which concept might require users to use a second access token or to re-enter passwords to gain elevated access rights in the identity and access provisioning life cycle? A. Time-based B. Enrollment C. Least privilege D. Access review
B
Which of the following MUST a security policy include to be effective within an organization? A. A list of all standards that apply to the policy B. Owner information and date of last revision C. Disciplinary measures for non-compliance D. Strong statements that clearly define the problem
B
Which of the following Service Organization Control (SOC) report types should an organization request if they require a period of time report covering security and availability for a particular system? A. SOC 1 Type 1 B. SOC 1 Type 2 C. SOC 2 Type 1 D. SOC 2 Type 2
B
Which of the following adds end-to-end security inside a Layer 2 Tunneling Protocol (L2TP) Internet Protocol Security (IPSec) connection? A. Temporal Key Integrity Protocol (TKIP) B. Secure Hash Algorithm (SHA) C. Secure Shell (SSH) D. Transport Layer Security (TLS)
B
Which of the following global privacy legislation principles ensures that data handling policies and the name of the data controller are easily accessible to the public? A. Use limitation B. Openness C. Purpose specification D. Individual participation
B
Which of the following information MUST be provided for user account provisioning? A. Full name B. Unique identifier C. Security question D. Date of birth
B
Which of the following is BEST suited for exchanging authentication and authorization messages in a multi-party decentralized environment? A. Lightweight Directory Access Protocol (LDAP) B. Security Assertion Markup Language (SAML) C. Internet Mail Access Protocol D. Transport Layer Security (TLS)
B
Which of the following is MOST important when deploying digital certificates? A. Validate compliance with X.509 digital certificate standards B. Establish a certificate life cycle management framework C. Use a third-party Certificate Authority (CA) D. Use no less than 256-bit strength encryption when creating a certificate
B
Which of the following is a characteristic of the initialization vector when using Data Encryption Standard (DES)? A. It must be known to both sender and receiver. B. It can be transmitted in the clear as a random number. C. It must be retained until the last block is transmitted. D. It can be used to encrypt and decrypt information.
B
Which of the following is a strategy of grouping requirements in developing a Security Test and Evaluation (ST&E)? A. Tactical, strategic, and financial B. Management, operational, and technical C. Documentation, observation, and manual D. Standards, policies, and procedures
B
Which of the following is an advantage of on-premise Credential Management Systems? A. Lower infrastructure capital costs B. Control over system configuration C. Reduced administrative overhead D. Improved credential interoperability
B
Which of the following is considered a secure coding practice? A. Use concurrent access for shared variables and resources B. Use checksums to verify the integrity of libraries C. Use new code for common tasks D. Use dynamic execution functions to pass user supplied data
B
Which of the following is the BEST reason for the use of security metrics? A. They ensure that the organization meets its security objectives. B. They provide an appropriate framework for Information Technology (IT) governance. C. They speed up the process of quantitative risk assessment. D. They quantify the effectiveness of security processes.
B
Which of the following is the BEST type of authentication and encryption for a Secure Shell (SSH) implementation when network traffic traverses between a host and an infrastructure device? A. Lightweight Directory Access Protocol (LDAP) B. Public-key cryptography C. Remote Authentication Dial-In User Service (RADIUS) D. Private-key cryptography
B
Which of the following is the FIRST thing to consider when reviewing Information Technology (IT) internal controls? A. The risk culture of the organization B. The impact of the control C. The nature of the risk D. The cost of the control
B
Which of the following is the MOST common method of memory protection? A. Compartmentalization B. Segmentation C. Error correction D. Virtual Local Area Network (VLAN) tagging
B
Which of the following is the MOST effective practice in managing user accounts when an employee is terminated? A. Implement processes for automated removal of access for terminated employees. B. Delete employee network and system IDs upon termination. C. Manually remove terminated employee user-access to all systems and applications. D. Disable terminated employee network ID to remove all access.
B
Which of the following is the MOST important security goal when performing application interface testing? A. Confirm that all platforms are supported and function properly B. Evaluate whether systems or components pass data and control correctly to one another C. Verify compatibility of software, hardware, and network connections D. Examine error conditions related to external interfaces to prevent application details leakage
B
Which of the following is the PRIMARY benefit of a formalized information classification program? A. It minimized system logging requirements. B. It supports risk assessment. C. It reduces asset vulnerabilities. D. It drives audit processes.
B
Which of the following is the PRIMARY reason to perform regular vulnerability scanning of an organization network? A. Provide vulnerability reports to management. B. Validate vulnerability remediation activities. C. Prevent attackers from discovering vulnerabilities. D. Remediate known vulnerabilities.
B
Which of the following is the final phase of the identity and access provisioning lifecycle? A. Recertification B. Revocation C. Removal D. Validation
B
Which of the following is the key requirement for test results when implementing forensic procedures? A. The test results must be cost-effective. B. The test result must be authorized. C. The test results must be quantifiable. D. The test results must be reproducible.
B
Which of the following is true of Service Organization Control (SOC) reports? A. SOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an organization's controls B. SOC 2 Type 2 reports include information of interest to the service organization's management C. SOC 2 Type 2 reports assess internal controls for financial reporting D. SOC 3 Type 2 reports assess internal controls for financial reporting
B
Which of the following media sanitization techniques is MOST likely to be effective for an organization using public cloud services? A. Low-level formatting B. Secure-grade overwrite erasure C. Cryptographic erasure D. Drive degaussing
B
Which of the following processes has the PRIMARY purpose of identifying outdated software versions, missing patches, and lapsed system updates? A. Penetration testing B. Vulnerability management C. Software Development Life Cycle (SDLC) D. Life cycle management
B
Which of the following processes is used to align security controls with business functions? A. Data mapping B. Standards selection C. Scoping D. Tailoring
B
Which of the following provides for the STRONGEST protection of data confidentiality in a Wi-Fi environment? A. Wi-Fi Protected Access (WPA) + Temporal Key Integrity Protocol (TKIP) B. Wi-Fi Protected Access 2 (WPA2) + Advanced Encryption Standard (AES) C. Wi-Fi Protected Access 2 (WPA2) + Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) D. Wired Equivalent Privacy (WEP) + Advanced Encryption Standard (AES)
B
Which of the following questions will be addressed through the use of a Privacy Impact Assessment (PIA)? A. How the information is to be maintained B. Why the information is to be collected C. What information is to be destroyed D. Where the information is to be stored
B
Which of the following restricts the ability of an individual to carry out all the steps of a particular process? A. Job rotation B. Separation of duties C. Least privilege D. Mandatory vacations
B
Which of the following techniques BEST prevents buffer overflows? A. Boundary and perimeter offset B. Character set encoding C. Code auditing D. Variant type and bit length
B
Which one of the following activities would present a significant security risk to organizations when employing a Virtual Private Network (VPN) solution? A. VPN bandwidth B. Simultaneous connection to other networks C. Users with Internet Protocol (IP) addressing conflicts D. Remote users with administrative rights
B
Why is planning the MOST critical phase of a Role Based Access Control (RBAC) implementation? A. The criteria for measuring risk is defined. B. User populations to be assigned to each role is determined. C. Role mining to define common access patterns is performed. D. The foundational criteria are defined.
B
At which layer of the Open Systems Interconnect (OSI) model are the source and destination address for a datagram handled? A. Transport Layer B. Data-Link Layer C. Network Layer D. Application Layer
C
A security architect plans to reference a Mandatory Access Control (MAC) model for implementation. This indicates that which of the following properties are being prioritized? A. Confidentiality B. Integrity C. Availability D. Accessibility
C
A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process? A. Select and procure supporting technologies. B. Determine a budget and cost analysis for the program. C. Measure effectiveness of the program's stated goals. D. Educate and train key stakeholders.
C
A security practitioner has just been assigned to address an ongoing Denial of Service (DoS) attack against the company's network, which includes an e- commerce web site. The strategy has to include defenses for any size of attack without rendering the company network unusable. Which of the following should be a PRIMARY concern when addressing this issue? A. Deal with end user education and training. B. Pay more for a dedicated path to the Internet. C. Allow legitimate connections while blocking malicious connections. D. Ensure the web sites are properly backed up on a daily basis.
C
Although code using a specific program language may not be susceptible to a buffer overflow attack, A. most calls to plug-in programs are susceptible. B. most supporting application code is susceptible. C. the graphical images used by the application could be susceptible. D. the supporting virtual machine could be susceptible.
C
An application team is running tests to ensure that user entry fields will not accept invalid input of any length. What type of negative testing is this an example of? A. Reasonable data B. Population of required fields C. Allowed number of characters D. Session testing
C
An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be covered for the test to be effective? A. Third-party vendor with access to the system B. System administrator access compromised C. Internal attacker with access to the system D. Internal user accidentally accessing data
C
Asymmetric algorithms are used for which of the following when using Secure Sockets Layer/Transport Layer Security (SSL/TLS) for implementing network security? A. Peer authentication B. Payload data encryption C. Session encryption D. Hashing digest
C
Determining outage costs caused by a disaster can BEST be measured by the A. cost of redundant systems and backups. B. cost to recover from an outage. C. overall long-term impact of the outage. D. revenue lost during the outage.
C
Lack of which of the following options could cause a negative effect on an organization's reputation, revenue, and result in legal action, if the organization fails to perform due diligence? A. Threat modeling methodologies B. Service Level Requirement (SLR) C. Service Level Agreement (SLA) D. Third-party risk management
C
The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity? A. Application authentication B. Input validation C. Digital signing D. Device encryption
C
Vulnerability scanners may allow for the administrator to assign which of the following in order to assist in prioritizing remediation activities? A. Definitions for each exposure type B. Vulnerability attack vectors C. Asset values for networks D. Exploit code metrics
C
What is the BEST approach to annual safety training? A. Base safety training requirements on staff member job descriptions. B. Safety training should address any gaps in a staff member's skill set. C. Ensure that staff members in positions with known safety risks are given proper training. D. Ensure that all staff members are provided with identical safety training.
C
What is the MAIN reason for having a developer sign a Non-Disclosure Agreement (NDA)? A. Signing the NDA always gives consent to the developer to access tools and privileged company information to do their work. B. Signing the NDA allows the developer to use their developed coding methods. C. Signing the NDA protects confidential, technical, or Intellectual Property (IP) from disclosure to others. D. Signing the NDA is legally binding for up to one year of employment.
C
What is the MOST efficient way to verify the integrity of database backups? A. Test restores on a regular basis. B. Restore every file in the system to check its health. C. Use checksum as part of the backup operation to make sure that no corruption has occurred. D. Run DBCC CHECKDB on a regular basis to check the logical and physical integrity of the database objects.
C
What principle requires that changes to the plaintext affect many parts of the ciphertext? A. Encapsulation B. Permutation C. Diffusion D. Obfuscation
C
What should be the FIRST action for a security administrator who detects an intrusion on the network based on precursors and other indicators? A. Isolate and contain the intrusion. B. Notify system and application owners. C. Apply patches to the Operating Systems (OS). D. Document and verify the intrusion.
C
What testing technique enables the designer to develop mitigation strategies for potential vulnerabilities? A. Manual inspections and reviews B. Penetration testing C. Threat modeling D. Source code review
C
When conveying the results of a security assessment, which of the following is the PRIMARY audience? A. Information System Security Officer (ISSO) B. Authorizing Official (AO) C. Information System Security Manager (ISSM) D. Security Control Assessor (SCA)
C
When should the software Quality Assurance (QA) team feel confident that testing is complete? A. When release criteria are met B. When the time allocated for testing the software is met C. When senior management approves the test results D. When the software has zero security vulnerabilities
C
When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports? A. To force the software to fail and document the process B. To find areas of compromise in confidentiality and integrity C. To allow for objective pass or fail decisions D. To identify malware or hidden code within the test results
C
Which of the following BEST describes how access to a system is granted to federated user accounts? A. With the federation assurance level B. Based on defined criteria by the Relying Party (RP) C. Based on defined criteria by the Identity Provider (IdP) D. With the identity assurance level
C
Which of the following alarm systems is recommended to detect intrusions through windows in a high-noise, occupied environment? A. Acoustic sensor B. Motion sensor C. Shock sensor D. Photoelectric sensor
C
Which of the following are effective countermeasures against passive network-layer attacks? A. Federated security and authenticated access controls B. Trusted software development and run time integrity controls C. Encryption and security enabled applications D. Enclave boundary protection and computing environment defense
C
Which of the following are the FIRST two steps to securing employees from threats involving workplace violence and acts of terrorism? A. Physical barriers impeding unauthorized access and security guards at each entrance B. Physical barriers and the ability to identify people as they enter the workplace C. Security guards and metal detectors posted at each entrance D. Metal detectors and the ability to identify people as they enter the workplace
C
Which of the following benefits does Role Based Access Control (RBAC) provide for the access review process? A. Lowers the amount of access requests after review B. Gives more control into the revocation phase C. Gives more fine-grained access analysis to accesses D. Lowers the number of items to be reviewed
C
Which of the following countermeasures is the MOST effective in defending against a social engineering attack? A. Mandating security policy acceptance B. Changing individual behavior C. Evaluating security awareness training D. Filtering malicious e-mail content
C
Which of the following is the PRIMARY mechanism used to limit the range of objects available to a given subject within different execution domains? A. Process isolation B. Data hiding and abstraction C. Use of discrete layering and Application Programming Interfaces (API) D. Virtual Private Network (VPN)
C
Which of the following does Secure Sockets Layer (SSL) encryption protect? A. Data availability B. Data at rest C. Data in transit D. Data integrity
C
Which of the following is MOST effective in detecting information hiding in Transmission Control Protocol/Internet Protocol (TCP/IP) traffic? A. Packet-filter firewall B. Content-filtering web proxy C. Stateful inspection firewall D. Application-level firewall
C
Which of the following is a process in the access provisioning lifecycle that will MOST likely identify access aggregation issues? A. Test B. Assessment C. Review D. Peer review
C
Which of the following is a remote access protocol that uses a static authentication? A. Point-to-Point Tunneling Protocol (PPTP) B. Routing Information Protocol (RIP) C. Password Authentication Protocol (PAP) D. Challenge Handshake Authentication Protocol (CHAP)
C
Which of the following is held accountable for the risk to organizational systems and data that result from outsourcing Information Technology (IT) systems and services? A. The acquiring organization B. The service provider C. The risk executive (function) D. The IT manager
C
Which of the following is mobile device remote fingerprinting? A. Installing an application to retrieve common characteristics of the device B. Storing information about a remote device in a cookie file C. Identifying a device based on common characteristics shared by all devices of a certain type D. Retrieving the serial number of the mobile device
C
Which of the following is needed to securely distribute symmetric cryptographic keys? A. Officially approved Public-Key Infrastructure (PKI) Class 3 or Class 4 certificates B. Officially approved and compliant key management technology and processes C. An organizationally approved communication protection policy and key management plan D. Hardware tokens that protect the user's private key.
C
Which of the following is the BEST reason to apply patches manually instead of automated patch management? A. The cost required to install patches will be reduced. B. The time during which systems will remain vulnerable to an exploit will be decreased. C. The target systems reside within isolated networks. D. The ability to cover large geographic areas is increased.
C
Which of the following is the MOST important consideration when developing a Disaster Recovery Plan (DRP)? A. The dynamic reconfiguration of systems B. The cost of downtime C. A recovery strategy for all business processes D. A containment strategy
C
Which of the following is the MOST important part of an awareness and training plan to prepare employees for emergency situations? A. Having emergency contacts established for the general employee population to get information B. Conducting business continuity and disaster recovery training for those who have a direct role in the recovery C. Designing business continuity and disaster recovery training programs for different audiences D. Publishing a corporate business continuity and disaster recovery plan on the corporate website
C
Which of the following is the MOST relevant risk indicator after a penetration test? A. Lists of hosts vulnerable to remote exploitation attacks B. Details of vulnerabilities and recommended remediation C. Lists of target systems on the network identified and scanned for vulnerabilities D. Details of successful vulnerability exploitations
C
Which of the following offers the BEST security functionality for transmitting authentication tokens? A. JavaScript Object Notation (JSON) B. Terminal Access Controller Access Control System (TACACS) C. Security Assertion Markup Language (SAML) D. Remote Authentication Dial-In User Service (RADIUS)
C
Which of the following sets of controls should allow an investigation if an attack is not blocked by preventive controls or detected by monitoring? A. Logging and audit trail controls to enable forensic analysis B. Security incident response lessons learned procedures C. Security event alert triage done by analysts using a Security Information and Event Management (SIEM) system D. Transactional controls focused on fraud prevention
C
Which of the following trust services principles refers to the accessibility of information used by the systems, products, or services offered to a third-party provider's customers? A. Security B. Privacy C. Access D. Availability
C
Which one of the following considerations has the LEAST impact when considering transmission security? A. Network availability B. Node locations C. Network bandwidth D. Data integrity
C
Which one of the following is an advantage of an effective release control strategy form a configuration control standpoint? A. Ensures that a trace for all deliverables is maintained and auditable B. Enforces backward compatibility between releases C. Ensures that there is no loss of functionality between releases D. Allows for future enhancements to existing features
C
Which type of security testing is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test? A. Reversal B. Gray box C. Blind D. White box
C
Who has the PRIMARY responsibility to ensure that security objectives are aligned with organization goals? A. Senior management B. Information security department C. Audit committee D. All users
C
Why might a network administrator choose distributed virtual switches instead of stand-alone switches for network segmentation? A. To standardize on a single vendor B. To ensure isolation of management traffic C. To maximize data plane efficiency D. To reduce the risk of configuration errors
C
Which layer of the Open System Interconnection (OSI) model is reliant on other layers and is concerned with the structure, interpretation and handling of information? A. Presentation Layer B. Session Layer C. Application Layer D. Transport Layer
D
Which of the following approaches is the MOST effective way to dispose of data on multiple hard drives? A. Delete every file on each drive. B. Destroy the partition table for each drive using the command line. C. Degauss each drive individually. D. Perform multiple passes on each drive using approved formatting methods.
D
A data owner determines the appropriate job-based access for an employee to perform their duties. Which type of access control is this? A. Discretionary Access Control (DAC) B. Non-discretionary access control C. Mandatory Access Control (MAC) D. Role-based access control (RBAC)
D
A database administrator is asked by a high-ranking member of management to perform specific changes to the accounting system database. The administrator is specifically instructed to not track or evidence the change in a ticket. Which of the following is the BEST course of action? A. Ignore the request and do not perform the change. B. Perform the change as requested, and rely on the next audit to detect and report the situation. C. Perform the change, but create a change ticket regardless to ensure there is complete traceability. D. Inform the audit committee or internal audit directly using the corporate whistleblower process.
D
A new Chief Information Officer (CIO) created a group to write a data retention policy based on applicable laws. Which of the following is the PRIMARY motivation for the policy? A. To back up data that is used on a daily basis B. To dispose of data in order to limit liability C. To reduce costs by reducing the amount of retained data D. To classify data according to what it contains
D
A proxy firewall operates at what layer of the Open System Interconnection (OSI) model? A. Transport B. Data link C. Network D. Application
D
A security engineer is tasked with implementing a new identity solution. The client doesn't want to install or maintain the infrastructure. Which of the following would qualify as the BEST solution? A. Microsoft Identity Manager (MIM) B. Azure Active Directory (AD) C. Active Directory Federation Services (ADFS) D. Active Directory (AD)
D
A security professional recommends that a company integrate threat modeling into its Agile development processes. Which of the following BEST describes the benefits of this approach? A. Reduce application development costs. B. Potential threats are addressed later in the Software Development Life Cycle (SDLC). C. Improve user acceptance of implemented security controls. D. Potential threats are addressed earlier in the Software Development Life Cycle (SDLC).
D
What is the BEST way to encrypt web application communications? A. Secure Hash Algorithm 1 (SHA-1) B. Secure Sockets Layer (SSL) C. Cipher Block Chaining Message Authentication Code (CBC-MAC) D. Transport Layer Security (TLS)
D
As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be performed? A. Use a web scanner to scan for vulnerabilities within the website. B. Perform a code review to ensure that the database references are properly addressed. C. Establish a secure connection to the web server to validate that only the approved ports are open. D. Enter only numbers in the web form and verify that the website prompts the user to enter a valid input.
D
For network based evidence, which of the following contains traffic details of all network sessions in order to detect anomalies? A. Alert data B. User data C. Content data D. Statistical data
D
In order to assure authenticity, which of the following are required? A. Confidentiality and authentication B. Confidentiality and integrity C. Authentication and non-repudiation D. Integrity and non-repudiation
D
In the Software Development Life Cycle (SDLC), maintaining accurate hardware and software inventories is a critical part of A. systems integration. B. risk management. C. quality assurance. D. change management.
D
In which identity management process is the subject's identity established? A. Trust B. Provisioning C. Authorization D. Enrollment
D
Security categorization of a new system takes place during which phase of the Systems Development Life Cycle (SDLC)? A. System implementation B. System initiation C. System operations and maintenance D. System acquisition and development
D
The PRIMARY outcome of a certification process is that it provides documented A. interconnected systems and their implemented security controls. B. standards for security assessment, testing, and process evaluation. C. system weakness for remediation. D. security analyses needed to make a risk-based decision.
D
What Service Organization Controls (SOC) report can be freely distributed and used by customers to gain confidence in a service organization's systems? A. SOC 1 Type 1 B. SOC 1 Type 2 C. SOC 2 D. SOC 3
D
What access control scheme uses fine-grained rules to specify the conditions under which access to each data item or applications is granted? A. Mandatory Access Control (MAC) B. Discretionary Access Control (DAC) C. Role Based Access Control (RBAC) D. Attribute Based Access Control (ABAC)
D
What information will BEST assist security and financial analysts in determining if a security control is cost effective to mitigate a vulnerability? A. Annualized Loss Expectancy (ALE) and the cost of the control B. Single Loss Expectancy (SLE) and the cost of the control C. Annual Rate of Occurrence (ARO) and the cost of the control D. Exposure Factor (EF) and the cost of the control
D
What is the FIRST action a security professional needs to take while assessing an organization's asset security in order to properly classify and protect access to data? A. Verify the various data classification models implemented for different environments. B. Determine the level of access for the data and systems. C. Verify if confidential data is protected with cryptography. D. Determine how data is accessed in the organization.
D
What is the PRIMARY role of a scrum master in agile development? A. To choose the primary development language B. To choose the integrated development environment C. To match the software requirements to the delivery plan D. To project manage the software delivery
D
What is the difference between media marking and media labeling? A. Media marking refers to the use of human-readable security attributes, while media labeling refers to the use of security attributes in internal data structures. B. Media labeling refers to the use of human-readable security attributes, while media marking refers to the use of security attributes in internal data structures. C. Media labeling refers to security attributes required by public policy/law, while media marking refers to security required by internal organizational policy. D. Media marking refers to security attributes required by public policy/law, while media labeling refers to security attributes required by internal organizational policy.
D
What is the motivation for use of the Online Certificate Status Protocol (OCSP)? A. To return information on multiple certificates B. To control access to Certificate Revocation List (CRL) requests C. To provide timely up-to-date responses to certificate queries D. To issue X.509v3 certificates more quickly
D
Which action is MOST effective for controlling risk and minimizing maintenance costs in the software supply chain? A. Selecting redundant suppliers B. Selecting suppliers based on business requirements C. Selecting fewer, more reliable suppliers D. Selecting software suppliers with the fewest known vulnerabilities
D
Which of the following is a document that identifies each item seized in an investigation, including date and time seized, full name and signature or initials of the person who seized the item, and a detailed description of the item? A. Property book B. Chain of custody form C. Search warrant return D. Evidence tag
D
Which of the following is the MAIN reason for using configuration management? A. To provide centralized administration B. To reduce the number of changes C. To reduce errors during upgrades D. To provide consistency in security controls
D
Which of the following is the MOST important goal of information asset valuation? A. Developing a consistent and uniform method of controlling access on information assets B. Developing appropriate access control policies and guidelines C. Assigning a financial value to an organization's information assets D. Determining the appropriate level of protection
D
Which of the following is the MOST important output from a mobile application threat modeling exercise according to Open Web Application Security Project (OWASP)? A. The likelihood and impact of a vulnerability B. Application interface entry and endpoints C. Countermeasures and mitigations for vulnerabilities D. A data flow diagram for the application and attack surface analysis
D
Which of the following is the PRIMARY reason for employing physical security personnel at entry points in facilities where card access is in operation? A. To verify that only employees have access to the facility. B. To identify present hazards requiring remediation. C. To monitor staff movement throughout the facility. D. To provide a safe environment for employees.
D
Which of the following open source software issues pose the MOST risk to an application? A. The software is beyond end of life and the vendor is out of business. B. The software is not used or popular in the development community. C. The software has multiple Common Vulnerabilities and Exposures (CVE) and only some are remediated. D. The software has multiple Common Vulnerabilities and Exposures (CVE) but the CVEs are classified as low risks.
D
Which of the following statements is TRUE regarding state-based analysis as a functional software testing technique? A. It is characterized by the stateless behavior of a process implemented in a function B. Test inputs are obtained from the derived boundaries of the given functional specifications C. An entire partition can be covered by considering only one representative value from that partition D. It is useful for testing communications protocols and graphical user interfaces
D
Which of the following steps should be performed FIRST when purchasing Commercial Off-The-Shelf (COTS) software? A. undergo a security assessment as part of authorization process B. establish a risk management strategy C. harden the hosting server, and perform hosting and application vulnerability scans D. establish policies and procedures on system and services acquisition
D
Which of the following would an internal technical security audit BEST validate? A. Whether managerial controls are in place B. Support for security programs by executive management C. Appropriate third-party system hardening D. Implementation of changes to a system
D
Why are mobile devices sometimes difficult to investigate in a forensic examination? A. There are no forensics tools available for examination. B. They may contain cryptographic protection. C. They have password-based security at logon. D. They may have proprietary software installed to protect them.
D