CASP

The Chief Executive Officer of a corporation purchased the latest mobile device and wants to connect it to the company's internal network. The Chief Information Security Officer was told to research and recommend how to secure this device. Which of the following recommendations would be BEST to implement in order to keep the device from posing a security risk to the company?

A. A corporate policy should be drafted and technical controls implemented to prohibit sensitive information from residing on a mobile device and require mobile device management.

A solution architect attempts to make an update to a server and is prevented from changing the application. Additionally, the server would not allow the architect to see application errors related to the issue. The security log reports that file attributes can only be changed by the web server application and not the solution architect's custom application. The architect verifies that all file system permissions are correct and all application services are running properly. Which of the following is MOST likely being used on the server and is causing this issue?

A. A trusted operating system

A security manager is not satisfied with the documented mitigations that the team has been submitting. Mitigations for host-based applications specify that boundary defenses are in place to mitigate the threat of vulnerabilities, without specifying host controls or procedures. Which of the following examples of mitigations would the security manager believe to be valid? (Select TWO).

A. A zero-day router OS vulnerability which could allow traffic to pass and has not been filtered by an ACL, would be mitigated by a NIPS on the same network segment as the router's interfaces, and a boundary firewall at the ingress/egress points in the network. C. A zero-day OS kernel vulnerability would be mitigated by the presence of integrity checking software on the host, a HIPS client, and antivirus / malware detection software.

Corporate policy prohibits employees from connecting SOHO routers to their office. Using a network analyzer, a security administrator is conducting an assessment to verify if SOHO routers are connected to the enterprise network. The security administrator is analyzing the following PCAP file: 01:04:23.001265 10.234.7.22.50212 >www.comptia.org.80:P 23939443:23939443 (0) ack 23939442 win 4128<mss 556> (ttl 62, id 5433) 01:04:23.091265 10.234.7.22.4033 >www.comptia.org.80:P 39438485:39438485 (0) ack 39438484 win 4128<mss 556> (ttl 126, id 20110) 01:04:23.301265 10.234.7.22.403350212 >www.comptia.org.80:P 39438495:3943848539438495 (0) ack 39438494 win 4128<mss 556> (ttl 126, id 20110) Which of the following can the security administrator infer from the above network capture?

A. An employee has installed a wireless SOHO router and is allowing other employees onto the network through the SOHO wireless.

A company provides on-demand cloud computing resources for a sensitive project. The company implements a fully virtualized datacenter and terminal server access with two-factor authentication for customer access to the administrative website. The security administrator at the company has uncovered a breach in data confidentiality. Sensitive data from customer A was found on a hidden directory within the VM of company B. Company B is not in the same industry as company A and the two are not competitors. Which of the following has MOST likely occurred?

A. Both VMs were left unsecured and an attacker was able to exploit network vulnerabilities to access each and move the data.

A routine internal vulnerability scan locates a rogue device in the finance VLAN. Upon further investigation, it is determined that a user has deployed a network attached storage device for local file sharing. Which of the following would BEST describe the concerns of an information security professional?

A. Breaking of default IPSec policies

The management at an organization is being investigated by an industry regulator. As a consequence of the investigation, the regulator has requested copies of all management emails for the last seven years as per current regulations. Current company policies state that all emails must be retained for only five years. The IT department has advised that most company emails going back ten years have been archived to a now obsolete tape format. Which of the following is the BEST course of action?

A. Classify who in the organization is a manager based on title, supply five years of emails plus copies of tapes containing the additional two years, update the corporate data retention policy and advise data owners.

A security administrator is scheduling an internal network vulnerability scan for the first time. The administrator has scheduled a one-week scanning window, but is not known how long the scan will take. Which of the following BEST explains what the administrator should do to reduce the risk of causing unknown impacts to the environment? (Select TWO)

A. Commence the scan at the start of the scanning window and ensure DoS signatures are disabled. C. Update the plugins to the latest versions and disable time-consuming or resource-consuming plugins

QUESTION 21 During a routine audit of the organization's information systems, the auditing team notified the organization of a new requirement in another country which requires all financial transaction data to be encrypted in transit as well as at rest. The organization does business in this country, but the data is hosted at a set of redundant data centers which are outside of the country in question. Based on the scenario provided, which of the following is the MOST appropriate course of action for the Chief Information Security Officer (CISO) to take in addressing this new requirement?

A. Conduct further research to determine the scope and details of the new requirement.

An audit report against a sensitive database system lists a number of vulnerabilities that must be addressed by the system administrator. More specifically, the system administrator must address specific operating system configuration lockdown to ensure the confidentiality, integrity, and availability of the information stored within the system. Which of the following should the administrator address to secure the operating system? (Select THREE).

A. Configuring IPv4 and IPv6 dual stack G. Monitoring file permissions H. Enabling database record encryption

Servers on a network are experiencing an NTP amplification attack. In which of the following ways would a security engineer provide protection from this attack on a perimeter firewall?

A. Create a strict ACL for NTP sources.

QUESTION 38 While analyzing network traffic, a security engineer discovers that confidential emails were passing between two users who should not have had this information. The two users deny sending confidential emails to each other. Which of the following security practices would allow for non-repudiation and prevent the users from removing emails such as these from their accounts? (Select TWO).

A. Digital Signature C. Legal hold

Company, XYZ finds itself using more cloud-based business tools, and password management is becoming onerous. Security is important to the company; as a result, password replication and shared accounts are not acceptable. Which of the following implementations addresses the distributed login with centralized authentication and has wide compatibility among SaaS vendors?

A. Establish a cloud-based authentication service that supports SAML.

QUESTION 77 A generator upgrade is scheduled for the building hosting a company's datacenter. The current building generator is scheduled to be taken offline at 8:00 am and the new building generator is projected to be online at 8:10 am on the same day. The current datacenter's UPS battery backup displays a runtime of 15 minutes. The Information Security Officer is concerned with possible issues that may delay the generator's cut-over time beyond the battery backup runtime. Which of the following business units are MOST critical, and should be on standby in case the generator's cut-over time exceeds the UPS battery backup runtime? (Select TWO)

A. Facilities management D. Technical service owner

A reduction in business growth forced a large business to adopt cloud services to reduce the number of IT staff employed. The Chief Financial Officer (CFO) is very happy with the changes as it has driven down capital expenditure, making the company more attractive for acquisition by a large hedge fund. Six months after the adoption of the cloud services the risk manager is concerned by the move as a recent audit of the provider revealed a mixture of findings: The main software repository used by developers appears well maintained and has the latest security patches integrated. A number of security intrusions were detected by the provider, but not reported to the business in a timely manner. Application log management and application alerting has not been occurring as agreed with the provider. Based on the findings, which of the following services were purchased by the business? (Select TWO).

A. IaaS E. MaaS

A security analyst has been asked to perform a risk assessment on a human resources workflow and give a recommendation to improve the security. While performing the analysis, the security analyst finds the human resources department needs to quickly share employee information with a third-party vendor in an ongoing fashion. The human resources manager is concerned that any modification to the workflow will prevent the data from being received in time. At the end of the assessment, which of the following is the BEST solution?

A. Implement a secure email gateway solution

QUESTION 40 A security administrator has moved several confidential servers into a new data center that is completely virtualized. The administrator is concerned that if the virtual machine is compromised, an attacker may be able to attack other hosted virtual machines. Which of the following should the administrator do to help mitigate this type of virtualization attack?

A. Isolate virtual machine from each other into specific security zones

QUESTION 16 When performing mobile device forensics, which of the following is the MOST critical reason for performing device isolation before commencing examination?

A. It prevents the destruction of data through remote wiping

Two competing IT manufacturing companies decide to create a partnership to enter the IT services industry. Since both company's share suppliers, the companies agree to use the supplier's regulated network to support hosting of data for customers with regulatory requirements. Which of the following does each company need from the supplier in order to use the supplier's network? (Select TWO).

A. Non-disclosure agreement C. Service level agreement

Which of the following encryption methodologies should be implemented in an environment where all users need access to bulk storage, but not all users have authorized access to each individual database entry?

A. Row-level encryption

Company A agrees to provide perimeter protection, power, and environmental support for Company B, but will not be responsible for user authentication nor patching of operating systems within the perimeter. Which of the following is being described?

A. Service Level Agreement

A developer is able to quickly create applications for clients by reusing several modules of code developed from other clients. The developer creates separate signed modules for all security-sensitive code and unsigned modules for non-security sensitive code. Recently, a client discovered that an attacker was able to use the developer's code to launch a mix-and-match attack to execute privileged code on the client's systems. Which of the following should the developer do to BEST continue rapid application development while keeping products secure?

A. Sign both the sensitive and non-sensitive modules

A large company has recently merged with a smaller company. The smaller company primarily uses certificate based authentication for connecting its users to its web-based services and back-end applications. The larger company has mainly terminal service-based applications that rely on Active Directory for a Single Sign-On solution. The security administrator for the merged organization has decided to federate the companies to support the delegated administration, authorization, and authentication. Which of the following solutions will the administrator MOST likely select?

A. The administrator will need to reconfigure one of the company's servers to support the others's authentication type. Then the administrator can use SAML to meet the goals of federation.

A company wants to allow employees to bring in their own devices to access company resources. Which of the following can be implemented to ensure the company can control the resources that are being accessed from personal devices?

A. VDI

An education institution is partnering with service providers to allow students access to various services and research information. Students must be authenticated before the third-party authorizes the access. Some of the services require the institution to provide information about the student that must be protected by privacy laws. Which of the following technologies is MOST appropriate for this scenario?

A. WAYF for consent attributes

A storage as a service company implements both encryption at rest as well as encryption in transit of customers' data. The security administrator is concerned with the overall security of the encrypted customer data stored by the company servers and wants the development team to implement a solution that will strengthen the customer's encryption key. Which of the following, if implemented, will MOST increase the time an offline password attack against the customers' data would take?

A. key = NULL ; for (int i=0;i<5000;i++) { key = sha(key + password) }

An administrator wishes to allow users to use scp and sftp to copy files to a Unix server, but does not want to grant shell access to the users. Which of the following should the administrator use?

A. rssh

A system administrator is parsing through the log files from the web server. The administrator notices a large number of 403 error response codes originating from the same IP address. Which of the following is the MOST likely explanation?

B. A hacker is attempting to access the web server.

A security administrator wants to implement a shared storage system for sensitive company data. The data owner has rated the data as being highly sensitive with respect to confidentiality and availability. Business users must be able to securely access such data from remote locations using employee BYOD technologies. Which of the following solutions will BEST address the data owner requirements?

B. A local SAN where data is accessed via VPN and encrypted while in transit via IPSec policies.

A security analyst is inspecting the results of a recent internal vulnerability scan that was performed against intranet services. The scan report includes the following critical-rated vulnerability: Title: Remote Command Execution vulnerability in web server Rating: Critical (CVSS 10.0) Threat actor: any remote user of the web server Confidence: certain Recommendation: apply vendor patches Which of the following actions should the security analyst perform FIRST?

B. Apply organizational context to the risk rating.

Which of the following is MOST likely to occur when debug output settings are not properly configured?

B. Attacks targeted against specific vulnerable software versions

A company has contracted with a public SaaS cloud provider to utilize an open source web application that is shared with other tenants. A security architect at the company has been tasked with performing a risk assessment of the solution. Which of the following are MOST likely to be residual risks in this scenario? (Select TWO).

B. Compliance breaches may occur due to lack of data sovereignty. C. Penetration testing by the customer is not allowed by the cloud provider.

Company XYZ maintains a number of legacy SCADA systems that only support local username and password authentication. The systems are only accessible from the corporate network or a VPN connection into the corporate network. As the company is migrating to more cloud-based business applications, they are considering deploying a next-generation authentication system. Which of the following implementations will ensure that employees will be able to access legacy systems?

B. Configure the authentication server to support OAUTH between itself and the legacy systems.

A forensic investigator has run into difficulty recovering usable files from a SAN drive. Which of the following SAN features might have caused the problem?

B. Deduplication

Company XYZ and Company ABC are merging into one company and consolidating IT assets and systems. The systems of each company are at different security levels, built-on different operating systems, and contain customized applications. The new security administrator for the merged company must use caution when planning the consolidation so that confidentiality, integrity, and availability are maintained and uninterrupted. Which of the following BEST describes the possible security related impacts the administrator could face when connecting two corporate domains together?

B. Disruptions of service, data loss, unintentional data disclosures, and lost system capability.

The Chief Executive Officer has requested a report on the disadvantages or limitations of implementing a comprehensive DLP solution. Which of the following should be included in the report? (Select TWO)

B. Growing adoption of cloud computing will be a challenge for the control of data. C. Endpoint monitoring and management of agents is more complex than web and email monitoring.

A security administrator needs an external vendor to correct an urgent issue with an organization's physical access control system (PACS). The PACS does not currently have internet access because it is running a legacy operating system. Which of the following methods should the security administrator select that BEST balances security and efficiency?

B. Have the external vendor come onsite and provide access to the PACS directly.

The Chief Information Security Officer (CISO) wants to implement a solution to measure IT performance and ensure that IT goals are in line with business goals. The CISO decides to implement company-wide policies to ensure the IT department provides input on new company projects and approval for IT-related purchases. Which of the following is the CISO implementing within the company? (Select TWO).

B. IT governance C. Portfolio management

The IT Department at a company permits 20% of its annual staff to attend remote training sites and conferences. At this year's conference, a new client-side exploit is revealed to the conference attendees, which affects a previously upgraded version of a web browser deployed on the enterprise. No patch is currently available for the browser, but the IT department believes it is critical to take immediate action due to the ease of exploitation and the high likelihood of compromise. Which of the following is the BEST action the IT department should take now to protect the enterprise?

B. Install a new web browser and issue a group policy to prevent the use of the vulnerable web browser.

A company is investigating a data compromise where data exfiltration occurred. Prior to the investigation, the supervisor terminates an employee as a result of the suspected data loss. During the investigation, the supervisor is absent for the interview, and little evidence can be provided from the role-based authentication system in use by the company. This situation can be identified for future mitigation as which of the following?

B. Log failure

QUESTION 32 A system administrator has the responsibility to manage the company's contracts with the cloud service provider as a result of outsourcing. The administrator knows that previous applications in use at the company seemed to lifecycle every three years due to the nature of the business. Which of the following should be the administrator's long-term concerns? (Select TWO).

B. Portability and lock-in to proprietary systems D. Loss of control over the use of technologies

The IT department is charged with developing a solution that will enable all employees to quickly reach other employees and communicate securely amongst them in real time. The solution must implement encrypted file transfer and voice communication and must integrate with the existing email and calendaring system. Which of the following MUST the solution implement to ensure employees can make educated decisions about when to contact other employees?

B. Presence

A security engineer is faced with competing requirements from the networking group and database administrators. The database administrators would like ten application servers on the same subnet for ease of administration, whereas the networking group would like to segment all applications from one another. Which of the following should the security administrator do to rectify this issue?

B. Recommend classifying each application into like security groups and segmenting the groups from one another.

A more granular approach to determine which groups can access which resources, even down to the exact command that can be run on supported devices, is developed using custom Attribute Value Pairs (AVP). The requirements are: 1. Eliminate non-engineer AD OUs from running the "clear" or "delete" command on firewalls. 2. Allow non-engineer AD OUs to run the command "no shut", but not "shut", on routers. 3. Allow authentication from a mobile device where the function of specific users is unknown until they access a resource on the network. 4. Have the ability to allow proxy server support. Given the above requirements, which of the following AAA protocols is BEST suited and should be set up by the security administrator?

B. TACACS+

A hacker is actively targeting a database server that runs a command line operating system. The hacker notices that twice each hour, a script is run that uses elevated privileges to send data to a secure backup. Utilizing a small piece of code executed during the scheduled task, the hacker notices that he is able to temporarily gain administrative privileges. Which of the following describes how the hacker was able to exploit the server?

B. The hacker took advantage of a TOCTOU race condition.

A security architect receives a 42-page document of project specifications from the lead developer. According to corporate policy, the message is sent using the PKI system. While the architect is able to read the document, the digital signature has failed validation. The architect calls the developer to see if the document can be sent again. The developer says this happens all the time and the document is probably fine. Which of the following should the architect be concerned about?

B. The integrity of the document and non-repudiation of the sender are lost without a valid digital signature.

An organization has configured a set of hosts in such a way that only authorized programs and tools are allowed to execute for all accounts. After an intrusion was detected on one of the fully patched hosts, it was discovered that malware was able to execute in spite of this configuration being active. Which of the following may have occurred? (Select TWO).

B. The malware was injected into the running process of an allowed application C. The whitelist used only executable names for enforcement

A customer of a cloud provider has requested the security engineering team to open ports 21 and 22 to a legacy FTP server from their public IP address space. The customer has indicated this should be a good control since only their IP address can access the legacy FTP server from the Internet. The security engineering team requires a VPN tunnel to be established between the cloud provider and the customer in order to provide the most secure implementation for a protocol that has many known vulnerabilities. Which of the following has occurred in the risk management process?

B. The proposed solution mitigates the risk of the request from the customer.

A system administrator clones an unpatched guest VM in an effort to meet a backlog of project requests for new servers to be used as database servers and public facing web servers. Once the servers are online, an attack exploits an application on the web server by crafting a stack frame which is executed by the host kernel after a general protection fault. Which of the following BEST explains the issue and type of vulnerability exploited by the attacker?

B. The unpatched guest was used to compromise the hypervisor thus providing the attacker with ring-0 access to multiple VM hosts at once. A VMEscape occurred due to the guest's stack data being executed by they hypervisor.

A penetration tester is preparing for a client engagement in which the tester must provide data that proves and validates the scanning tools' results. Which of the following is the BEST method for collecting this information?

B. Use a protocol analyzer to log all pertinent network traffic.

An administrator is installing an enterprise Human Resources Management (HRM) system. The HRM system will integrate with the existing LDAP directory and will use LDAP for both authentication and authorization. The HRM system requires a secure connection for authentication and several custom attributes in the user object class to store role data for authorization. Which of the following are the BEST options for the administrator to complete this integration?

B. Use an SSL connection on port 636 for authentication, and extend the LDAP schema to store authorization data.

Senior management wants to prevent sensitive data from being leaked onto the web; however, they cannot afford a mature DLP solution. A security administrator has been tasked with finding an alternative solution. After researching multiple products, the security administrator recommends implementing a:

B. WAF.

Which of the following technologies is the MOST appropriate to deploy to specifically protect an application from attacks, while delivering information from a backend database?

B. Web application firewall

One of the items discussed in a risk assessment is the concern about the finance department's process for originating wire transfers and other similar online banking processes. The processes are being performed on the same computers employees use to do their daily work, and they are not utilizing the extra security measures that the bank offers. Which of the following is the MOST appropriate response to the finding?

B. Work with the leadership in the finance department to list the control gaps and opportunities for improvement and to plan and prioritize the implementation plan, including training employees on any changes.

In an effort to minimize costs, the management of a small candy company wishes to explore a cloud service option for the development of its online applications. The company does not wish to invest heavily in IT infrastructure. Which of the following solutions should be recommended?

B.. A public PaaS

A risk assessor is calculating the required escrow a company should keep to ensure that the company's new SAN meets availability requirements. The vendor documentation indicates the expected lifespan of each hard drive is four years and the expense of each hard drive is $100. The SAN contains 50 1 TB hard drives. Which of the following is the ALE for the SAN?

C. $1250

An SLA between a company and a public cloud hosting provider will MOST likely influence which of the following security areas?

C. Availability

A security assurance officer is preparing a plan to measure the technical state of a customer's enterprise. The testers employed to perform the audit will be given access to the customer facility and network. The testers will not be given access to the details of custom developed software used by the customer. However, the testers will have access to the source code for several open source applications and pieces of networking equipment used at the facility; but these items will not be within the scope of the audit. Which of the following BEST describes the appropriate method of testing or technique to use in this scenario? (Select TWO).

C. Black box E. Penetration

A company has recently discovered the integrity of its data was compromised 7 days ago. The logs indicate the changes were occurring from an account with privileged access. Further analysis has determined the account is associated with a former employee who left 4 weeks ago. Which of the following could have prevented this compromise?

C. Deprovisioning process

Company XYZ has a large sales force that works from home. To increase sales effectiveness and reduce travel costs, the company purchased video conferencing equipment for all home offices. Since using the video conferencing equipment, some customers have begun to demand lower prices. The company's senior officers suspect these customers know the company's margins, because members of the sales force keep printed proprietary information in their home offices. Which of the following represents the BEST immediate response action while the security team develops a more complete response?

C. Enforce a clear field of view policy during customer teleconferences.

A facility's security manager has observed that an executive officer within the company is seldom absent and fails to meet the compliance of organization security and training events due to business demands. To complicate the issue, the security manager is a direct report to that executive officer. Which of the following are the methods to ensure that the conflict of interest is mitigated in the future? (Select TWO).

C. Enforce organizational policy by requiring the most senior executive in the organization to authorize IT policy D. Link policy compliance activities to computer/network use account

QUESTION 39 During an audit of firewall rules, an auditor noted that there was no way to find out who had allowed port 3389 to be available to the Internet. The auditor gave the company a negative mark on their audit, and requested that within 30 days the company produce a written plan to deal with such items in the future. Given the scenario, which of the following will be MOST effective in securing the firewall?

C. Implement a detailed change management system.

A company Chief Information Officer (CIO) is unsure which set of standards should govern the company's IT policy. The CIO has hired consultants to develop use cases to test against various government and industry security standards. The CIO is convinced that there is large overlap between the configuration checks and security controls governing each set of standards. Which of the following selections represent the BEST option for the CIO?

C. Issue a policy specifying best practice security standards and a baseline to be implemented across the company.

A shipping company will be upgrading their wireless infrastructure to support the new COTS forklift-mounted PCs and warehouse management system they just purchased. The solution must also be compatible with the existing employee laptops. Which of the following should the security administrator recommend to BEST protect the warehouse management system communications?

C. Move the wireless VLAN behind a firewall to restrict access to only permit communications with the warehouse management system.

Company ABC is looking to use an application that company XYZ owns. The application queries the billing information of company ABC's clients. Company ABC would like to establish a site-to-site VPN with company XYZ to allow its users to access the application. Which of the following documents are BEST to use during this process to determine if it is feasible to establish the connection without any security concerns? (Select THREE).

C. NDA E. ISA F. RA

Which of the following delineates why it is important to perform egress filtering and monitoring on Internet connected security zones or interfaces on the firewall?

C. Outbound traffic could be communicating to known botnet sources.

QUESTION 62 A user at a company frequently receives desktop notifications from the remote access software installed by the helpdesk. The notifications appear to be random, so the user checks to see if a connection can be established from the user's computer to someone else. The user is successful in the attempt without escalating privileges for the account. Which of the following is the BEST solution for the issue?

C. Secure the RDP client.

A software developer firm has outsourced a large development project to an organization that utilizes waterfall software development models. The developers have estimated a 12 month time frame to completion and are currently 6 months into the project. Prior to testing the current progress on the application, the developers have requested that the security architect review their progress and make recommendations on how to secure the application. Which of the following is true about the current project status?

C. The development should have involved the security architect early on in the project. At this point in the project, any security recommendations that require major changes will have large impacts on project times, resources and costs.

Which of the following BEST describes the initial processing phase used in mobile device forensics?

C. The mobile device should be examined first, then removable storage and lastly the phone without

The online banking credentials of the Chief Executive Officer (CEO) of a research company were recently compromised. Despite the fact that banks no longer require frequent password changes, the CEO frequently changed this password. Now, because of the experience, the CEO questions the value of routine password changes at the company. Which of the following communicates the BEST approach for the company's security policies?

C. The nature of the research company's threat may be different from banks, so the company should consider the specific threats it needs to address.

A developer has implemented a piece of client-side JavaScript code to sanitize a user's provided input to a web page login screen. The code ensures that only the upper case and lower case letters are entered in the username field, and that only a 6-digit PIN is entered in the password field. A security administrator is concerned with the following web server log: 10.235.62.11 - - (02/Mar/2014:06:13:04) "GET /site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1" 200 5724 Given this log, which of the following is the security administrator concerned with and which fix should be implemented by the developer?

C. The security administrator is concerned with SQL injection, and the developer should implement server side input validation.

An administrator is reviewing the pluggable authentication modules configuration on a Linux-based server. auth sufficient otp_generator_authentication.so auth sufficient pam_unix.so auth required pam_env.so account required pam_unix.so password required pam_cracklib.so retry=3 password required pam_unix.so shadow use_authtok session required pam_unix.so Given the output above, how should users of this system provide the proper authentication to log in?

C. Users will need a username and either a password OR a one-time PIN.

A security architect has convened a meeting to discuss an organization's key management policy. The organization has a reliable internal key management system, and some argue that it would be best to manage the cryptographic keys internally as opposed to using a solution from a third party. The company should use:

C. risk benefits analysis results to make a determination.

A security architect is looking into the following vendor proposal for implementing a secure code scanning platform. Proposal Software purchase with license fee of $40,000 and a 30% support fee per annum from year 2 onwards. Requires internal hardware hosting which is $5,000 Which of the following is the TCO for this proposal after five years?

D. $93,000

When reviewing the various logs on a mission-critical application server, the server administrator first reviews the system log and determines that everything appears normal. Next, the administrator reviews the security log and finds a period of eight hours where no events have been recorded. What is the MOST likely explanation?

D. Audit logging has been turned off.

A security analyst finds the following web logs after a breach of sensitive information: http://www.data.com/gender.php?val=male http://www.data.com/gender.php?val=female http://www.data.com/gender.php?val=ABC female http://www.data.com/gender.php?val=GHI http://www.data.com/gender.php?val=ORSfemale Which of the following describes the attack being performed?

D. Blind SQL injection

Joe, a system administrator, submits a brief helpdesk request to the information security team about implementing a site-to-site VPN from his home to the office in order to get more done at home. After analyzing the risks of doing the task, the information security team should take which of the following actions?

D. Deny the request but implement a popular remote desktop application of HTTPS.

The security administrator is compiling the incident timeline of a security breach which occurred on a virtualized payment gateway server running on shared hardware and shared iSCSI storage. The company implements data deduplication on the back-end storage and uses snapshots taken every Sunday at 2:00 am. Incident timeline: Tuesday, 10:00 p.m. - Security patches are downloaded and installed on all servers. Thursday, 4:00 a.m. - The network IDS detects possible payment gateway server compromise. Thursday, 9:00 a.m. - The helpdesk receives multiple calls to report payment issues. Thursday, 2:00 p.m. - The security administrator returns the payment server to the last snapshot. Friday, 10:00 a.m. - The security administrator submits the report to the external forensic team. Which of the following should be the response of the forensic team?

D. Forensic analysis of the payment gateway server cannot be conducted to determine the cause of the compromise.

QUESTION 80 A parent company consists of multiple independent companies and has several business partners. Board members of each of these enterprises should be able to securely log in to the company's extranet site with personal credentials or company credentials. Each of the independent companies has made its own technology decisions and uses its chosen IT partners. The parent company does not offer a centralized authentication scheme and wants to enable access with minimal investment to its system. Which of the following is the MOST suitable solution for the extranet?

D. Identity federation with a trusted third-party service provider

A security administrator is assisting law enforcement in collecting evidence of a computer crime. The administrator has access to the latest forensics tools. The computer system being examined is still running and has not been tampered with since law enforcement arrived. The security administrator needs to collect as much information as possible before transporting the computer to a laboratory. Which of the following is the BEST order in which to proceed?

D. Image RAM, image the HDD/SSD while running the OS, copy system NVRAM, shutdown the system for transport.

The data backup window has expanded into the morning hours and has begun to affect production users. The main bottleneck in the process is the time it takes to replicate the backups to separate servers at the offsite data center. Which of the following uses of deduplication could be implemented to reduce the backup window?

D. Implement deduplication on both the local and remote servers

During a new desktop refresh, all hosts are hardened at the OS level before deployment to comply with policy. Six months later, the company is audited for compliance to regulations. The audit discovers that 30 percent of the desktops do not meet regulations because the devices are consistently being changed to override settings that do not meet policy. Which of the following is the BEST solution to correct the issue and prevent future noncompliance?

D. Implement group policy to enforce configuration setting

A systems administrator inherits an older fibre channel SAN for use in the testing lab. The administrator would like to test the performance of file-level versus block-level encryption over the network. While there are ten servers in the testing lab, only one server has a HBA. How would the administrator use the SAN in the testing lab?

D. Install NAS server software on the server with a HBA.

A hacker has targeted a health care conglomerate, and has gained access to their internal network. The hacker has disabled various security controls and has now located the patient database. Which of the following is the NEXT step that a hacker might take?

D. Package the patient data and FTP it to a remote site.

A company has a security policy that specifies all endpoint computing devices should be assigned a unique identifier that can be tracked via an inventory management system. Recent changes to airline security regulations have caused many executives in the company to travel with mini tablet devices instead of laptops. These mini tablet devices are difficult to tag and track. An RDP application is used from the tablet to connect into the company network. Which of the following should be implemented in order to meet the security policy requirements?

D. RFID tagging system E. MDM software

Security architects often have to design systems for environments where different stakeholders have competing requirements. In addition to internal influences and competitors, which of the following often has a major effect on mandatory system design features?

D. Regulatory entities

A developer has just released into production a new financial application. This application is web based, uses REST web services and transmits information in the JSON format. The security engineer is worried that this web service could be easily manipulated by an attacker. Which of the following should the security engineer recommend the developer do to secure the web service? (Select TWO).

D. Require the web application to maintain a secure session state F. Require REST traffic to use TLS

A number of organizations are collaborating on a common project and are using federation for access to a subset of their applications. One organization is taking the lead role in provisioning sponsored guest accounts on behalf of the other organizations. Which of the following should ALL organizations support to ensure that the organization provisioning the guest accounts on behalf of the requester is able to do so by provisioning and updating credentials and account information?

D. SPML

A major healthcare provider was recently fined for not following regulatory compliance. The Chief Information Security Officer is concerned that the organization is not trained and aware of cybersecurity related issues. Which of the following is the MOST effective method of gaining access to the organization's sensitive information?

D. Social engineering

An employee from finance was dismissed when it was discovered that the employee had been committing financial fraud for several years. The most trusted senior manager in finance has been reassigned the duty of performing wire transfers. The Chief Financial Officer (CFO) is asking the Chief Information Security Officer (CISO) to implement stronger controls to secure how the transfers are performed. Which of the following responses should the CISO deliver?

D. Suggest detective controls and separation of duties and explain why they may be more effective mitigation strategies.

A company has hired a new Chief Financial Officer (CFO) who has requested to be shown the ALE for a project implemented 4 years ago. The project had implemented a clustered pair of high end firewalls that cost $164,000 each at the beginning of the project. 2 years after the project was implemented, two line cards were added to each firewall that cost $3,000 each. The ARO of a fire in the area is 0.1, and the EF for a fire is 50%. Given that no fire has occurred since implementation, which of the following is the ALE?

D. The ALE is 8,500

An existing financial system has identified vulnerabilities and the vendor has recommended an upgrade. The company, however, has planned to replace the system with a competing product costing $200,000 within 3 years. The security engineer has estimated that a breach of the existing system would have an ARO of 2 and a SLE of $40,000. The Chief Information Officer (CIO) continues with the plan to upgrade in 3 years. Which of the following BEST describes how the CIO addressed the risk of the existing product?

D. The CIO accepted the risk.

After installing a new Linux 'sudo' application, the security administrator runs the following command: Linux-box:~$ ldd /user/bin/sudo linux-gate.so.1 => (0xb7792000) libpam.so.0 => /tmp/limpam.so.0 (0xb776d000) libdl.so.2 => /tmp/libdl.so.2 (0xb7769000) libc.so.6 => /tmp/libc.so.6 (0xb760b000) libcrypt.so.1 => /tmp/libcrypt.so.1 (0xb75d9000) /lib/ld-linus.so.2 (0xb7793000) Which of the following can be deduced about the security of the system and application based on the above output?

D. The application is prone to exploitation by any user with access to the system.

QUESTION 54 After solely reviewing the below output: user@linux:/usr/local/bin$ ls-al total 376 drwxr-xr-x 2 user user 4096 2010-09-29 11:35 . drwxrwxrwt 20 root root 348160 2010-09-29 11:35 . . -rwsr-xr-x 1 root user 26188 2010-09-29 11:23 newprog Which of the following can the administrator conclude about the program?

D. The program may lead to a privilege escalation.

Six months into development, the core team assigned to implement a new internal piece of software must convene to discuss a new requirement with the stakeholders. A stakeholder identified a missing feature critical to the organization, which must be implemented. The team needs to validate the feasibility of the newly introduced requirement and ensure it does not introduce new vulnerabilities to the software and other applications that will integrate with it. Which of the following BEST describes what the company is implementing at this time?

D. The system development phase of the SDLC

Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate-based authentication with its users. The company uses SSL-inspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication. Which of the following models prevents the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication?

D. Use of a third-party, SAML-based authentication service for attestation

Several critical servers are unresponsive after an update was installed. Other computers that have not yet received the same update are operational, but are vulnerable against the vulnerability being patched. The security administrator is required to ensure all systems have the right updates while minimizing any downtime. The BEST risk mitigation strategy is to use a centrally controlled patch management system where all updates are tested in a lab environment and then:

D. distributed to all systems so as to mitigate the exposure.

While in the process of investigating unusually high bandwidth usage on corporate WAN connections, the network administrator identifies an application server which appears to be sending and receiving large amounts of data during overnight hours when few users are on the network. Which of the following actions would be MOST appropriate action for the network administrator to take to address this finding?

E. Notify the incident response team using the process identified in the incident response plan.

A project manager needs to decide between options to proceed with implementation. The three options are outlined as: Option 1: Cost to implement: $2,000. SLE: $4,000. Likelihood of occurrence: once per quarter Option 2: Cost to implement: $5,000. SLE: $4,000. Likelihood of occurrence: once every two years Option 3: Cost to implement: $1,000. SLE: $1,000. Likelihood of occurrence: once every 6 months Which of the following options gives the LOWEST TCO?

Option 3 - CTE:1000, SLE:1000

The company develops a wide array of proprietary software for its clients utilizing an agile development methodology. Many of the company's prominent products use various open source libraries. Recently, a vulnerability in an open source security library allowed malicious attackers to bypass certificate revocation lists to compromise secure data. Which of the following is BEST implemented to help prevent this in the future?

The company should include the open source libraries in its code review process at regular intervals during the SDLC.