CSA+ CH4 Security Architecture 1/2


Crystal is a security analyst for a company that hosts several web applications. She would like to identify a tool that runs within her browser and allows her to interactively modify session values during a live session. Which one of the following tools best meets Crystal's requirements?
A. Tamper Data
B. Acunetix
C. ZAP
D. Burp

A. All of the tools listed would allow Crystal to modify session values. However, of these tools, only Tamper Data is a browser plug-in. It works within the Firefox browser and allows the user to modify session data before it is submitted to a web server.

Bruce is considering the acquisition of a software testing package that allows programmers to provide their source code as input. The package analyzes the code and identifies any potential security issues in the code based upon that analysis. What type of analysis is the package performing?
A. Static analysis
B. Fuzzing
C. Dynamic analysis
D. Fault injection

A. Static analysis of code involves manual or automated techniques that review the source code without executing it. Fuzzing and fault injection are examples of dynamic analysis that execute the code and attempt to induce flaws.

Which one of the following security controls is designed to help provide continuity for security responsibilities?
A. Succession planning
B. Separation of duties
C. Mandatory vacation
D. Dual control

A. Succession planning is designed to create a pool of reserve candidates ready to step into positions when a vacancy occurs. This is an important continuity control. The other security controls may have the incidental side effect of exposing employees to other responsibilities, but they are not designed to meet this goal.

Barney's organization mandates fuzz testing for all applications before deploying them into production. Which one of the following issues is this testing methodology most likely to detect?
A. Incorrect firewall rules
B. Unvalidated input
C. Missing operating system patches
D. Unencrypted data transmission

B. Fuzz testing works by dynamically manipulating input to an application in an effort to induce a flaw. This technique is useful in detecting places where an application does not perform proper input validation.

Lou would like to deploy a SIEM in his organization, but he does not have the funding available to purchase a commercial product. Which one of the following SIEMs uses an open source licensing model?
A. AlienVault
B. QRadar
C. ArcSight
D. OSSIM

D. OSSIM is an open source SIEM made by AlienVault. It is capable of pulling together information from a wide variety of open source security tools. QRadar, ArcSight, and AlienVault are all examples of commercial SIEM solutions.

Kyle is developing a web application that uses a database backend. He is concerned about the possibility of a SQL injection attack against his application and is consulting the OWASP proactive security controls list to identify appropriate controls. Which one of the following OWASP controls is least likely to prevent a SQL injection attack?
A. Parameterize queries.
B. Validate all input.
C. Encode data.
D. Implement logging and intrusion detection.

D. Query parameterization, input validation, and data encoding are all ways to prevent the database from receiving user-supplied input that injects unwanted commands into a SQL query. Logging and intrusion detection are important controls, but they would detect, rather than prevent, a SQL injection attack.
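The difference between the concatenated query and the parameterized one is easiest to see by running both against the same payload. The following is an added example, not code from the original page or from OWASP; the in-memory SQLite table, the user names, and the helper names are constructed for illustration.

```python
import sqlite3

# Constructed in-memory table for this example (not data from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # String concatenation: attacker-controlled text becomes part of the SQL statement.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # The statement text is fixed; the value is bound separately and can never
    # change the query's structure, whatever characters it contains.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def username_is_valid(username):
    # Allow-list input validation: an independent second layer. It narrows what
    # reaches the database but does not replace parameterization.
    return 1 <= len(username) <= 32 and username.isalnum()

# Classic tautology payload: closes the string literal and appends an always-true condition.
PAYLOAD = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "parameterized": lookup_parameterized(conn, PAYLOAD),
        "valid_lookup": lookup_parameterized(conn, "alice"),
        "payload_passes_validation": username_is_valid(PAYLOAD),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The concatenated query returns every row for the payload, the parameterized query returns nothing (it looks for a user literally named `x' OR '1'='1`), and the allow-list check rejects the payload before it reaches the database at all. Logging would only record that the first query happened.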

Eric is assessing the security of a Windows server and would like assistance with identifying the users who have access to a shared file directory. What Sysinternals tool can assist him with this task?
A. AutoRuns
B. SDelete
C. Sysmon
D. AccessEnum

D. The AccessEnum tool enumerates system access. It provides a view of who has permissions to files, directories, and other objects. AutoRuns shows what programs start at login or system boot. SDelete is a secure file deletion utility. Sysmon allows administrators to monitor processes and their activity in a searchable manner.

Jeff is preparing a password policy for his organization and would like it to be fully compliant with PCI DSS requirements. What is the minimum password length required by PCI DSS?
A. 7 characters
B. 8 characters
C. 10 characters
D. 12 characters

A. PCI DSS (through version 3.2.1) has a fairly short minimum password length requirement. Requirement 8.2.3 states that passwords must be a minimum of seven characters long and must contain both numeric and alphabetic characters. Note that PCI DSS v4.0 (Requirement 8.3.6) raises the minimum to 12 characters, or 8 characters where a system cannot support 12, so check which version of the standard applies to the assessment at hand.

Tammy is reviewing alerts from her organization's intrusion prevention system and finds that there are far too many alerts to review. She would like to narrow down the results to attacks that had a high probability of success. What information source might she use to correlate with her IPS records to achieve the best results?
A. Vulnerability scans
B. Firewall rules
C. Port scans
D. IDS logs

A. Tammy can correlate the results of vulnerability scans with her IPS alerts to determine whether the systems targeted in attacks against her network are vulnerable to the attempted exploits. IDS logs would contain redundant, rather than correlated, information. Firewall rules and port scans may provide some useful information when correlated with IPS alerts, but the results of vulnerability scans would provide similar information enhanced with the actual vulnerabilities on particular systems.
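The correlation described above is a join between two data sets: the CVE an IPS signature claims to exploit and the CVEs a vulnerability scanner found on the targeted host. Below is an added example of that join, not code from the original page. The alerts, hosts, and scan findings are constructed; the CVE identifiers are real, well-known ones used only as labels, and the field names are assumptions about how a SIEM would present the data.

```python
# Constructed sample data (not from the original page). Field names are assumed.
IPS_ALERTS = [
    {"id": 1, "dst": "10.0.0.5", "signature": "OpenSSL Heartbleed probe", "cve": "CVE-2014-0160"},
    {"id": 2, "dst": "10.0.0.6", "signature": "OpenSSL Heartbleed probe", "cve": "CVE-2014-0160"},
    {"id": 3, "dst": "10.0.0.5", "signature": "Bash env var injection", "cve": "CVE-2014-6271"},
    {"id": 4, "dst": "10.0.0.7", "signature": "Generic port sweep", "cve": None},
]

# Host -> set of CVEs reported by the last vulnerability scan. 10.0.0.7 was never scanned.
VULN_SCAN = {
    "10.0.0.5": {"CVE-2014-0160"},
    "10.0.0.6": set(),
}

def correlate(alerts, scan):
    """Tag each alert as 'likely' (target confirmed vulnerable to that CVE),
    'unlikely' (target scanned and not vulnerable), or 'unknown' (signature
    has no CVE, or the target was never scanned)."""
    tagged = []
    for alert in alerts:
        findings = scan.get(alert["dst"])
        if alert["cve"] is None or findings is None:
            verdict = "unknown"
        elif alert["cve"] in findings:
            verdict = "likely"
        else:
            verdict = "unlikely"
        tagged.append(dict(alert, verdict=verdict))
    return tagged

def triage_queue(alerts, scan):
    """Review order: confirmed-vulnerable targets first, then unknowns, then the rest."""
    order = {"likely": 0, "unknown": 1, "unlikely": 2}
    return sorted(correlate(alerts, scan), key=lambda a: (order[a["verdict"]], a["id"]))

if __name__ == "__main__":
    for alert in triage_queue(IPS_ALERTS, VULN_SCAN):
        print(alert["verdict"], alert["id"], alert["dst"], alert["signature"])
```

The point of the third bucket is that a missing scan record must not be treated as "not vulnerable"; an unscanned host stays ahead of the confirmed-clean ones in the queue.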

Carol is the cybersecurity representative to a software development project. During the project kickoff meeting, the project manager used the figure shown here to illustrate their approach to development and invited Carol to contribute security requirements at each prototyping phase. Which software development methodology is this team using?
[Figure: columns labeled Prototype I, Prototype II, and Prototype X, each passing through business modeling, data modeling, process modeling, application generation, and testing and turnover.]
A. RAD
B. Waterfall
C. Agile
D. Spiral

A. The rapid application development (RAD) approach uses an iterative approach to software development that generates a series of evolving prototypes in each phase.

Samantha is investigating a cybersecurity incident where an internal user used his computer to participate in a denial-of-service attack against a third party. What type of policy was most likely violated?
A. AUP
B. SLA
C. BCP
D. Information classification policy

A. This activity is almost certainly a violation of the organization's acceptable use policy, which should contain provisions describing appropriate use of networks and computing resources belonging to the organization.

Kaela's organization recently suffered a ransomware attack that was initiated through a phishing message. She does have a content filtering system in place designed to prevent users from accessing malicious websites. Which one of the following additional controls would be most effective at preventing these attacks from succeeding?
A. Training
B. Intrusion detection system with threat intelligence
C. Application blacklisting
D. Social engineering

A. User training is the most effective control against phishing attacks, as it encourages users to recognize and avoid phishing messages. An intrusion detection system may notice an attack taking place but cannot take action to prevent it. Application blacklisting would only work against ransomware if it were already known and included on the blacklist, which is not likely. Social engineering is an attack type, rather than a control.

Arnie is required to submit evidence from systems on his network to external legal counsel as part of a court case. What technology can he use to demonstrate that the copies of evidence he is producing are genuine?
A. Disk duplicator
B. Hash function
C. Cloud storage service
D. Write blocker

B. All of the technologies listed in this question may be used during the evidence collection and production process. However, the hash function is the only component that may be used to demonstrate the integrity of the evidence that Arnie collected.
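In practice the hash is computed once at acquisition, recorded in the chain-of-custody documentation, and recomputed on every copy that is produced; a matching digest shows the copy is bit-for-bit identical. The following is an added example of that check, not code from the original page. The "disk image" is a few megabytes of constructed bytes written to a temporary directory; file names are assumptions.

```python
import hashlib
import os
import tempfile

def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_bytes(data, algorithm="sha256"):
    return hashlib.new(algorithm, data).hexdigest()

def verify_copy(original_path, copy_path, algorithm="sha256"):
    """True only if the copy is bit-for-bit identical to the original."""
    return hash_file(original_path, algorithm) == hash_file(copy_path, algorithm)

def demo():
    # Constructed stand-in for an acquired disk image: 3 MiB of deterministic bytes.
    image = bytes(range(256)) * (3 * 1024 * 4)
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.img")
        good_copy = os.path.join(workdir, "copy_for_counsel.img")
        altered_copy = os.path.join(workdir, "copy_altered.img")
        with open(original, "wb") as f:
            f.write(image)
        with open(good_copy, "wb") as f:
            f.write(image)
        tampered = bytearray(image)
        tampered[-1] ^= 0x01          # a single flipped bit is enough to change the digest
        with open(altered_copy, "wb") as f:
            f.write(bytes(tampered))
        return {
            "acquisition_hash": hash_file(original),   # what goes on the custody form
            "good_copy_verified": verify_copy(original, good_copy),
            "altered_copy_verified": verify_copy(original, altered_copy),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Use SHA-256 (or stronger) as the digest of record; MD5 is still emitted by many forensic tools for compatibility, but collision attacks against it mean it should not be the only value relied on in court.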

Which one of the following security activities is not normally a component of the operations and maintenance phase of the SDLC?
A. Vulnerability scans
B. Disposition
C. Patching
D. Regression testing

B. Disposition is a separate SDLC phase that is designed to ensure that data is properly purged at the end of an application life cycle. Operations and maintenance activities include ongoing vulnerability scans, patching, and regression testing after upgrades.

Johann is troubleshooting a network connectivity issue and would like to determine the path that packets follow from his system to a remote host. Which tool would best assist him with this task?
A. ping
B. netstat
C. tracert
D. ipconfig

C. The tracert (or traceroute) command identifies the path of packet flow between two systems over a network. It would help Johann identify potential trouble points requiring further investigation.

Roger is the CISO for a midsize manufacturing firm. His boss, the CIO, recently returned from a meeting of the board of directors where she had an in-depth discussion about cybersecurity. One member of the board, familiar with ISO standards in manufacturing quality control, asked if there was an ISO standard covering cybersecurity. Which standard is most relevant to the director's question?
A. ISO 9000
B. ISO 17799
C. ISO 27001
D. ISO 30170

C. ISO/IEC 27001 is the current international standard specifying requirements for an information security management system (ISMS). ISO 9000 is a series of quality management standards. ISO/IEC 17799 was an information security code of practice; it was renumbered ISO/IEC 27002 in 2007 and the 17799 designation has been withdrawn. ISO/IEC 30170 covers the Ruby programming language.

Which one of the following requirements is often imposed by organizations as a way to achieve their original control objective when they approve an exception to a security policy?
A. Documentation of scope
B. Limited duration
C. Compensating control
D. Business justification

C. Organizations may require all of these items as part of an approved exception request. However, the documentation of scope, duration of the exception, and business justification are designed to clearly describe and substantiate the exception request. The compensating control, on the other hand, is designed to ensure that the organization meets the intent and rigor of the original requirement.

Which of the following protocols is best suited to provide authentication on an open network?
A. TACACS
B. RADIUS
C. TACACS+
D. Kerberos

D. Kerberos is the only listed protocol that protects authentication traffic by design: passwords are never sent over the network and the tickets it issues are encrypted. TACACS is obsolete. TACACS+ only obfuscates its packet body with an MD5-based scheme (RFC 8907 describes this as obfuscation rather than encryption), so it should be confined to trusted management networks. RADIUS hides only the user password attribute and leaves the rest of the exchange in the clear unless it is wrapped in a secure transport such as RadSec (RADIUS over TLS), so it is not secure by default.

Paul is selecting an interception proxy to include in his organization's cybersecurity toolkit. Which one of the following tools would not meet this requirement?
A. ZAP
B. Vega
C. Burp
D. Snort

D. ZAP, Vega, and Burp are all interception proxies useful for the penetration testing of web applications. Snort is an intrusion detection system and does not have this capability.

Mike's organization adopted the COBIT standard, and Mike would like to find a way to measure their progress toward implementation. Which one of the following COBIT components is useful as an assessment tool?
A. Process descriptions
B. Control objectives
C. Management guidelines
D. Maturity models

D. While all the COBIT components are useful to an organization seeking to implement the COBIT framework, only the maturity models offer an assessment tool that helps the organization assess its progress.

Berta is reviewing the security procedures surrounding the use of a cloud-based online payment service by her company. She set the access permissions for this service so that the same person cannot add funds to the account and transfer funds out of the account. What security principle is most closely related to Berta's action?
A. Least privilege
B. Security through obscurity
C. Separation of duties
D. Dual control

C. This is an example of separation of duties. A single person who could both add funds to the account and transfer funds out of it could move a very large sum on their own, so Berta has split those two capabilities across different roles. Separation of duties goes beyond least privilege: rather than simply trimming each person's permissions to what their job requires, it deliberately divides a sensitive process so that no one role holds every permission needed to complete it alone. This is not dual control, because each individual action may still be performed by a single person; dual control would require two people to cooperate on the same action.

Warren is working with a law enforcement agency on a digital forensic investigation and needs to perform a forensic analysis of a phone obtained from a suspect. Which one of the following tools is specifically designed for mobile forensics?
A. FTK
B. EnCase
C. Cellebrite
D. Helix

C. While all of these tools may have the ability to perform forensic analysis on mobile devices, Cellebrite is a purpose-built tool designed specifically for mobile forensics.

What are the four implementation tiers of the NIST Cybersecurity Framework, ordered from least mature to most mature?
A. Partial, Risk Informed, Repeatable, Adaptive
B. Partial, Repeatable, Risk Informed, Adaptive
C. Partial, Risk Informed, Managed, Adaptive
D. Partial, Managed, Risk Informed, Adaptive

A. The NIST Cybersecurity Framework uses four implementation tiers to describe an organization's progress toward achieving cybersecurity objectives. The first stage, tier 1, is Partial. This is followed by the Risk Informed, Repeatable, and Adaptive tiers.

Frank's organization recently underwent a security audit that resulted in a finding that the organization fails to promptly remove the accounts associated with users who have left the organization. This resulted in at least one security incident where a terminated user logged into a corporate system and took sensitive information. What identity and access management control would best protect against this risk?
A. Automated deprovisioning
B. Quarterly user account reviews
C. Separation of duties
D. Two-person control

A. Automated deprovisioning ties user account removal to human resources systems. Once a user is terminated in the human resources system, the identity and access management infrastructure automatically removes the account. Quarterly user access reviews may identify accounts that should have been disabled, but they would take a long time to do so, so they are not the best solution to the problem. Separation of duties and two-person control are designed to limit the authority of a user account and would not remove access.

Colin would like to find a reputable source of information about software vulnerabilities that was recently updated. Which one of the following sources would best meet his needs?
A. OWASP
B. SANS
C. Microsoft
D. Google

A. The Open Web Application Security Project (OWASP) maintains a regularly refreshed listing of common application vulnerabilities (the OWASP Top 10). At the time this question was written, the CWE/SANS Top 25 had not been updated since 2011; MITRE has published a CWE Top 25 list annually since 2019, so check the publication date of whichever list you rely on. Microsoft and Google do not publish a comparable list.

Laura is working on improving the governance structures for enterprise architecture in her organization in an effort to increase the communication between the architects and the security team. In the TOGAF framework, which of the four domains is Laura operating?
A. Business architecture
B. Applications architecture
C. Data architecture
D. Technical architecture

A. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems that an organization deploys, the interactions between those systems, and their relation to business processes. Data architecture provides the organization's approach to storing and managing information assets. Technical architecture describes the infrastructure needed to support the other architectural domains.

Martin is developing the security infrastructure for a new business venture that his organization is launching. The business will be developing new products that are considered trade secrets, and it is of the utmost importance that the plans for those products not fall into the hands of competitors. Several employees will need to travel with sensitive information on their laptops. Martin is concerned that one of those laptops may be lost or stolen. Which one of the following controls would best protect the data on stolen devices?
A. FDE
B. Strong passwords
C. Cable lock
D. IPS

A. Full disk encryption (FDE) renders the data on a lost or stolen device unreadable to anyone who does not hold the decryption key, making it the ideal control for Martin's goal. It is only effective while the key is not resident in memory, so it should be paired with a strong pre-boot credential (or a TPM-sealed key protected by a PIN) and a policy of shutting laptops down rather than sleeping them before travel. Strong passwords alone may be bypassed by removing the disk and reading it directly. Cable locks are impractical for travelers. Intrusion prevention systems are network controls that do nothing against someone who has physical possession of a device.

Kaitlyn's organization recently set a new password policy that requires that all passwords have a minimum length of 10 characters and meet certain complexity requirements. She would like to enforce this requirement for the Windows systems in her domain. What type of control would most easily allow this?
A. Group Policy object
B. Organizational unit
C. Active Directory forest
D. Domain controller

A. Group Policy objects (GPOs) are used to enforce security and configuration requirements within Active Directory. Active Directory forests and organizational units (OUs) are designed to organize systems and users hierarchically and do not directly allow security configurations, although GPOs may be applied to them. Domain controllers (DCs) are the servers that are responsible for providing Active Directory services to the organization and would be the point for applying and enforcing the GPO.

Which one of the following systems is not normally considered a component of identity management infrastructure?
A. HR system
B. LDAP
C. Provisioning engine
D. Auditing system

A. LDAP directory servers, provisioning engines, and auditing systems are all typically considered part of an identity management infrastructure. HR systems are generally considered a data source for the identity management infrastructure but not a component of the infrastructure itself.

Carl does not have sufficient staff to conduct 24/7 security monitoring of his network. He wants to augment his team with a managed security operations center service. Which one of the following providers would be best suited to provide this service?
A. MSSP
B. IaaS
C. PaaS
D. SaaS

A. Managed security service providers (MSSPs) provide security as a service (SECaaS). The infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) offerings do not include the managed security offering that Carl seeks.

Jose is concerned that his organization is falling victim to a large number of social engineering attacks. Which one of the following controls is least likely to be effective against these attacks?
A. Network firewall
B. Multifactor authentication
C. Security awareness
D. Content filtering

A. Network firewalls are not likely to be effective against social engineering attacks because they are designed to allow legitimate traffic, and attackers waging social engineering attacks typically steal the credentials of legitimate users who would have authorized access through the firewall. Multifactor authentication is an effective defense because it requires an additional layer of authentication on top of passwords, which may be stolen in social engineering. Security awareness raises social engineering in users' consciousness and makes them less susceptible to attack. Content filtering may block phishing messages from entering the organization and may block users from accessing phishing websites.

Jim is helping a software development team integrate security reviews into their code review process. He would like to implement a real-time review technique. Which one of the following approaches would best meet his requirements?
A. Pair programming
B. Pass-around code review
C. Tool-assisted review
D. Formal code review

A. Pair programming is a real-time technique that places two developers at a workstation where one reviews the code that the other writes in real-time. Pass-around reviews, tool-assisted reviews, and formal code reviews are asynchronous processes.

Bob is considering the deployment of OpenSSL in his environment and would like to select a secure cipher suite. Which one of the following ciphers should not be used with OpenSSL?
A. DES
B. AES
C. RSA
D. ECC

A. The Data Encryption Standard (DES) is an outdated 56-bit-key algorithm that should not be used for secure applications; triple DES (3DES) is likewise deprecated and should be excluded from any cipher list. The Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA), and elliptic curve cryptography (ECC) remain secure alternatives when used with adequate key sizes (AES-128 or larger, RSA-2048 or larger, 256-bit curves) and modern modes (AES-GCM rather than CBC where possible). Note that AES is a symmetric cipher while RSA and ECC are asymmetric; in a TLS cipher suite they play different roles, bulk encryption versus key exchange and authentication.
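Selecting a cipher string is only half the job; the other half is checking what the library actually ends up offering. Below is an added example, not code from the original page, that builds a hardened OpenSSL-backed context with Python's standard `ssl` module and audits the resulting suite list for legacy algorithm names. The marker list and cipher string are the author's assumptions about a reasonable modern baseline.

```python
import ssl

# Substrings that mark cipher suites a modern deployment should not negotiate.
# "DES" also catches the triple-DES suites (OpenSSL names them DES-CBC3-...).
WEAK_MARKERS = ("DES", "RC4", "MD5", "NULL", "EXP", "PSK", "ADH", "AECDH")

def weak_suites(ctx):
    """Names of cipher suites enabled in ctx that carry a weak-algorithm marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]

def hardened_client_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only. The '!' entries explicitly remove DES, 3DES
    # and other legacy suites even if a future library default re-enables them.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
        "!aNULL:!eNULL:!MD5:!DES:!3DES:!RC4:!EXPORT"
    )
    return ctx

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for suite in ctx.get_ciphers():
        print(suite["protocol"], suite["name"])
    print("weak suites:", weak_suites(ctx))
```

The TLS 1.3 suites (TLS_AES_*_GCM_*, TLS_CHACHA20_POLY1305_SHA256) are managed separately by OpenSSL and appear in `get_ciphers()` regardless of the cipher string, which is why the audit is run on the context rather than on the string.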

Which one of the following connection status messages reported by netstat indicates an active connection between two systems?
A. ESTABLISHED
B. LISTENING
C. LAST_ACK
D. CLOSE_WAIT

A. The ESTABLISHED status indicates an active connection between two systems. LISTENING (printed as LISTEN by Linux netstat and as LISTENING by Windows netstat) indicates that a system is waiting for a connection on that port. LAST_ACK and CLOSE_WAIT are two of the states a TCP connection passes through while it is being torn down.

Suzanne is the CISO at a major nonprofit hospital group. Which one of the following regulations most directly covers the way that her organization handles medical records?
A. HIPAA
B. FERPA
C. GLBA
D. SOX

A. The Health Insurance Portability and Accountability Act (HIPAA) covers the handling of protected health information (PHI) by healthcare providers, insurers, and health information clearinghouses. The Gramm-Leach-Bliley Act (GLBA) includes regulations covering the cybersecurity programs at financial institutions, including banks. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes-Oxley Act (SOX) applies to publicly traded companies.

Kyle runs the netstat command on a Linux server and sees the results shown here. Which one of the following services is being used for an active remote connection to this server?
[Figure: netstat output listing active Internet connections (servers and established) with columns for proto, local address, foreign address, and state, followed by a table of active UNIX domain sockets with columns for proto, RefCnt, flags, type, and state.]
A. SSH
B. HTTPS
C. MySQL
D. NTP

A. The netstat results show an active SSH connection on the server, as well as several active HTTP connections. The server is listening for HTTPS, MySQL, and NTP connections, but there are no active sessions.
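Reading a netstat listing comes down to separating sockets that are merely listening from sockets with a live peer, which is the distinction both this question and the ESTABLISHED/LISTENING question above turn on. The following is an added example, not code from the original page: it parses a constructed `netstat -tuan`-style listing for a Linux host (not Kyle's screenshot) and reports listening services and established remote sessions. The port-to-service mapping is a minimal assumption.

```python
# Constructed 'netstat -tuan'-style output for a Linux host (not the screenshot from the
# original question). Linux prints LISTEN where Windows prints LISTENING, and UDP
# lines carry no state column.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0    316 10.0.0.5:22             203.0.113.7:51514       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.23:40122     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.24:40130     TIME_WAIT
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Assumed mapping from well-known server ports to service names (minimal, hypothetical).
PORT_NAMES = {22: "SSH", 80: "HTTP", 443: "HTTPS", 3306: "MySQL", 123: "NTP"}

def parse_netstat(text):
    """Return one dict per socket line; header and banner lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""      # UDP has no state column
        local_port = int(local.rsplit(":", 1)[1])
        sockets.append({"proto": proto, "local_port": local_port,
                        "foreign": foreign, "state": state})
    return sockets

def _service(port):
    return PORT_NAMES.get(port, str(port))

def listening_services(text):
    """Services waiting for connections: TCP sockets in LISTEN, plus bound UDP sockets."""
    return sorted({_service(s["local_port"]) for s in parse_netstat(text)
                   if s["state"] == "LISTEN"
                   or (s["proto"].startswith("udp") and s["foreign"].endswith(":*"))})

def active_remote_sessions(text):
    """(service, peer) pairs for ESTABLISHED sockets, i.e. live two-way sessions.
    TIME_WAIT and the other teardown states are deliberately excluded."""
    return [(_service(s["local_port"]), s["foreign"])
            for s in parse_netstat(text) if s["state"] == "ESTABLISHED"]

if __name__ == "__main__":
    print("listening:", listening_services(SAMPLE_NETSTAT))
    print("active:", active_remote_sessions(SAMPLE_NETSTAT))
```

On the constructed listing the host is listening for HTTPS, MySQL and NTP but the only active sessions are one SSH login from 203.0.113.7 and one HTTP request; the TIME_WAIT socket on port 80 is a closed connection, not a live one.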

Travis is troubleshooting the firewall rulebase that appears here:
Rule  Action  Protocol  Source IP      Source Port  Destination IP  Destination Port
1     allow   UDP       any            any          10.15.1.1       25
2     block   TCP       any            any          10.15.1.2       80
3     allow   TCP       10.20.0.0/16   any          10.15.1.2       80
4     allow   TCP       any            any          10.15.1.3       22
Users are reporting that inbound mail is not reaching their accounts. Travis believes that rule 1 should provide this access. The organization's SMTP server is located at 10.15.1.1. What component of this rule is incorrect?
A. Protocol
B. Source port
C. Destination IP
D. Destination port

A. The only error in this rule is the protocol. SMTP does run on port 25, and inbound connections should be accepted from any port and IP address. The destination IP address (10.15.1.1) is correct. However, SMTP uses the TCP transport protocol, not UDP.
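A rulebase like this one can be checked mechanically by evaluating a sample flow against it. Below is an added example, not code from the original page: the four rules transcribed as data and a first-match evaluator with an implicit final deny (assumed semantics; real firewalls differ in default action and matching order). The sample client addresses are constructed.

```python
import ipaddress

# The rulebase from the question as data:
# (rule_id, action, protocol, source network, source port, destination network, destination port)
RULES = [
    (1, "allow", "udp", "any", "any", "10.15.1.1", 25),
    (2, "block", "tcp", "any", "any", "10.15.1.2", 80),
    (3, "allow", "tcp", "10.20.0.0/16", "any", "10.15.1.2", 80),
    (4, "allow", "tcp", "any", "any", "10.15.1.3", 22),
]

def _net_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    return spec == "any" or spec == port

def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching rule wins; no match means the implicit final deny (assumed)."""
    for rule_id, action, r_proto, r_src, r_sport, r_dst, r_dport in rules:
        if (r_proto == proto
                and _net_matches(r_src, src_ip) and _port_matches(r_sport, src_port)
                and _net_matches(r_dst, dst_ip) and _port_matches(r_dport, dst_port)):
            return rule_id, action
    return None, "block"

def fix_protocol(rules, rule_id, proto):
    """Return a copy of the rulebase with one rule's protocol field changed."""
    return [(r[0], r[1], proto) + r[3:] if r[0] == rule_id else r for r in rules]

# Constructed sample flow: a remote mail server delivering to the SMTP host.
INBOUND_SMTP = ("tcp", "198.51.100.9", 51000, "10.15.1.1", 25)

if __name__ == "__main__":
    print("as written:", evaluate(RULES, *INBOUND_SMTP))
    print("rule 1 on TCP:", evaluate(fix_protocol(RULES, 1, "tcp"), *INBOUND_SMTP))
    print("10.20.5.5 -> web:", evaluate(RULES, "tcp", "10.20.5.5", 40000, "10.15.1.2", 80))
```

Inbound SMTP over TCP matches nothing as written and falls through to the deny; changing rule 1 to TCP lets it through. The evaluator also surfaces a second problem the question does not ask about: with first-match semantics, rule 2 blocks all TCP/80 to 10.15.1.2 before rule 3 is ever consulted, so rule 3 is shadowed and the 10.20.0.0/16 exception never takes effect.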

What encryption key does the certificate contain?
A. The website's public key
B. The website's private key
C. Tom's public key
D. Tom's private key

A. The purpose of a digital certificate is to provide the subject's public key to the world. In this case, the subject is the nd.edu website (as well as subdomains of nd.edu), and the certificate presents that site's public key.

Lydia worked as a database administrator for her organization for several years before being hired by another internal group to serve as a software developer. During a recent user access review, the security team discovered that Lydia still had administrative rights on the database that were not needed for her current job. Which term best describes this situation?
A. Privilege creep
B. Security through obscurity
C. Least privilege
D. Separation of duties

A. The situation where a user retains unnecessary permissions from a previous role is known as privilege creep. Privilege creep is a violation of the principle of least privilege (rather than an example of least privilege) and may also be a violation of separation of duties, depending upon the specific privileges involved. Security through obscurity occurs when the security of a control depends upon the secrecy of its details, which is not the case in this example.

Brenda would like to select a tool that will assist with the automated testing of applications that she develops. She is specifically looking for a tool that will automatically generate large volumes of inputs to feed to the software. Which one of the following tools would best meet her needs?
A. Peach
B. Burp
C. ZAP
D. ModSecurity

A. The type of tool that Brenda seeks is known as a fuzzer. The Peach Fuzzer is a solution that meets these requirements. Burp and ZAP are interception proxies. ModSecurity is a web application firewall tool.
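What a fuzzer such as Peach does, and why it surfaces the unvalidated-input flaws discussed in Barney's question above, is clearest with a small mutation fuzzer pointed at a parser that trusts a length field. The following is an added example, not code from the original page or from the Peach project: the record format, both parsers, and the mutation strategy are constructed for illustration.

```python
import random

SEED_INPUT = b"\x04user\x03bob"   # constructed valid record: <len><name><len><value>

def parse_record(data):
    """Toy parser with a missing length check (constructed target, deliberately flawed)."""
    if len(data) < 2:
        raise ValueError("too short")
    name_len = data[0]
    name = data[1:1 + name_len]
    value_len = data[1 + name_len]           # IndexError when name_len lies about the size
    value = data[2 + name_len:2 + name_len + value_len]
    return {"name": name.decode("ascii"), "value": value}   # UnicodeDecodeError on non-ASCII

def parse_record_hardened(data):
    """Same format, every length validated, every malformed input rejected with ValueError."""
    if len(data) < 2:
        raise ValueError("too short")
    name_len = data[0]
    if len(data) < name_len + 2:
        raise ValueError("name length exceeds input")
    name = data[1:1 + name_len]
    value_len = data[1 + name_len]
    if len(data) != 2 + name_len + value_len:
        raise ValueError("value length does not match input")
    try:
        name_text = name.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("name is not ASCII") from None
    return {"name": name_text, "value": data[2 + name_len:]}

def mutate(rng, data):
    """One random mutation of a seed input: bit flip, byte insert, truncation, or overwrite."""
    data = bytearray(data)
    op = rng.choice(["flip", "insert", "truncate", "overwrite"])
    if op == "flip" and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "truncate" and len(data) > 1:
        del data[rng.randrange(len(data)):]
    elif data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    return bytes(data)

def fuzz(target, seed_input, iterations=2000, seed=1):
    """Feed mutated inputs to target; ValueError is the documented rejection, anything
    else is an unhandled failure the parser's input validation should have prevented."""
    rng = random.Random(seed)          # fixed seed so a finding can be reproduced
    crashes = []
    for _ in range(iterations):
        case = mutate(rng, seed_input)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes

def crash_summary(crashes):
    summary = {}
    for _, exc_name in crashes:
        summary[exc_name] = summary.get(exc_name, 0) + 1
    return summary

if __name__ == "__main__":
    print("flawed parser:", crash_summary(fuzz(parse_record, SEED_INPUT)))
    print("hardened parser:", crash_summary(fuzz(parse_record_hardened, SEED_INPUT)))
```

Against the flawed parser the run produces IndexError and UnicodeDecodeError cases within a few hundred iterations (in a native parser the same length bug would be an out-of-bounds read rather than an exception); the hardened parser turns every one of those into a controlled ValueError. Real fuzzers add coverage feedback and grammar awareness, but the loop is the same.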

Gavin is tracing the activity of an attacker who compromised a system on Gavin's network. The attacker appears to have used the credentials belonging to a janitor. After doing so, the attacker entered some strange commands with very long strings of text and then began using the sudo command to carry out other actions. What type of attack appears to have taken place?
A. Privilege escalation
B. Phishing
C. Social engineering
D. Session hijacking

A. The very long input strings point to a buffer overflow attack used to compromise a local application and escalate privileges; the subsequent use of sudo is consistent with the attacker having gained elevated rights. Phishing, social engineering, and session hijacking are all plausible ways the attacker originally obtained the janitor's credentials, but nothing in the evidence points to any one of them in particular.

Greg is investigating reports of difficulty connecting to the CompTIA website and runs a traceroute command. He receives the results shown here. What conclusion can Greg reach from these results?
[Figure: terminal output beginning laptop:~: traceroute www.comptia.org, traceroute to www.comptia.org, with some intermediate hops shown as asterisks.]
A. The web server appears to be up and running on the network.
B. The *s in the results indicate a network failure on Greg's network.
C. The *s in the results indicate a network failure on the CompTIA network.
D. The *s in the results indicate a network failure between Greg's network and the CompTIA network.

A. These results show an active network path between Greg's system and the CompTIA web server. The asterisks in the intermediate results do not indicate a network failure but are a common occurrence when intermediate nodes are not configured to respond to traceroute requests.

Norm is troubleshooting connectivity between a security device on his network and a remote SIEM service that is not receiving logs from the device. He runs several diagnostic commands from the security device and captures the network traffic while he is running those diagnostics. The following image shows the result of capturing some of that traffic with Wireshark. What does the currently inspected packet indicate?
[Figure: Wireshark capture on the Wi-Fi interface showing the packet list (number, time, source, destination, protocol, length, info) and the selected packet decoded as Internet Protocol Version 4 and Internet Control Message Protocol.]
A. The remote server is reachable over the network.
B. The remote server is not connected to the Internet.
C. Norm's device is not connected to the Internet.
D. Norm does not have enough information to draw one of the conclusions listed here.

A. This is an ICMP Echo Reply packet, which is a response to a ping request. If Norm sees a response to a ping, that means the basic connectivity between the two systems is functioning properly.

Bruce is concerned about access to the master account for a cloud service that his company uses to manage payment transactions. He decides to implement a new process for multifactor authentication to that account where an individual on the IT team has the password to the account, while an individual in the accounting group has the token. What security principle is Bruce using?
A. Dual control
B. Separation of duties
C. Least privilege
D. Security through obscurity

A. This is an example of dual control (or two-person control) where performing a sensitive action (logging onto the payment system) requires the cooperation of two individuals. Separation of duties is related but would involve not allowing the same person to perform two actions that, when combined, could be harmful.

Which one of the following statements about web proxy servers is incorrect?
A. Web proxy servers decrease the speed of loading web pages.
B. Web proxy servers reduce network traffic.
C. Web proxy servers can filter malicious content.
D. Web proxy servers can enforce content restrictions.

A. Web proxy servers actually increase the speed of loading web pages by creating local caches of those pages, preventing repeated trips out to remote Internet servers. For this same reason, they reduce network traffic. Web proxies may also serve as content filters, blocking both malicious traffic and traffic that violates content policies.

Gwen would like to deploy an intrusion detection system on her network but does not have funding available to license a commercial product. Which one of the following is an open source IDS?
A. Sourcefire
B. Bro
C. TippingPoint
D. Proventia

B. Bro (renamed Zeek in 2018) is an open source network security monitor used for intrusion detection. Sourcefire was the commercial company behind the open source Snort IDS (acquired by Cisco in 2013); Sourcefire's own products were not open source. TippingPoint and Proventia are commercial IDS/IPS product lines originally from HP and IBM, respectively (TippingPoint has since passed to Trend Micro).

Hank would like to deploy an intrusion prevention system to protect his organization's network. Which one of the following tools is least likely to meet his needs?
A. Snort
B. Burp
C. Sourcefire
D. Bro

B. Burp is a web interception proxy, not an intrusion prevention system. Snort, Sourcefire, and Bro (now Zeek) are all intrusion detection and prevention systems.

Martin is developing the security infrastructure for a new business venture that his organization is launching. The business will be developing new products that are considered trade secrets, and it is of the utmost importance that the plans for those products not fall into the hands of competitors. Martin would like to install a network control that would block the potential exfiltration of sensitive information from the venture's facility. Which one of the following controls would be most effective to achieve that goal?
A. IPS
B. DLP system
C. Firewall
D. IDS

B. All of the controls listed are network security controls. Of those listed, a data loss prevention system is specifically designed for the purpose of identifying and blocking the exfiltration of sensitive information and would be the best control to meet Martin's goal. Intrusion prevention systems may be able to perform this function on a limited basis, but it is not their intent. Intrusion detection systems are even more limited in that they are detective controls only and would not prevent the exfiltration of information. Firewalls are not designed to serve this purpose.

Tim is the CIO of a midsize company and is concerned that someone on the IT team may be embezzling funds from the organization by modifying database contents in an unauthorized fashion. What group could investigate this providing the best balance between cost, effectiveness, and independence?
A. Internal assessment by the IT manager
B. Internal audit
C. External audit
D. Law enforcement

B. Internal audit provides the ability to perform the investigation with internal resources, which typically reduces cost. External auditors would normally be quite expensive and bring a degree of independence that is unnecessary for an internal investigation. The IT manager would not be a good candidate for performing the assessment because he may be involved in the embezzlement or may have close relationships with the affected employees. There is no need to bring in law enforcement at this point, opening the company to unnecessary scrutiny and potential business disruption.

Rick is assessing the security of his organization's directory services environment. As part of that assessment, he is conducting a threat identification exercise. Which one of the following attacks specifically targets directory servers? Man-in-the-middle LDAP injection SASL skimming XSS

B. LDAP injection attacks use improperly filtered user input via web applications to send arbitrary LDAP queries to directory servers. SASL is a password storage scheme for directory services, but there is no attack type known as SASL skimming. Man-in-the-middle attacks may be used against directory servers, but they are not specific to directory environments. Cross-site scripting (XSS) attacks are waged against web servers.

Ryan is concerned about the possibility of a distributed denial-of-service attack against his organization's customer-facing web portal. Which one of the following types of tests would best evaluate the portal's susceptibility to this type of attack? Regression testing Load testing Integration testing User acceptance testing

B. Load testing, also known as stress testing, places an application under a high load using simulated users. This type of testing would most closely approximate the type of activity that might occur during a denial-of-service attack.

John is planning to deploy a new application that his company acquired from a vendor. He is unsure whether the hardware he selected for the application is adequate to support the number of users that will simultaneously connect during peak periods. What type of testing can help him evaluate this issue? User acceptance testing Load testing Regression testing Fuzz testing

B. Load testing, or stress testing, evaluates an application's performance under full load conditions. It is the best type of testing to meet John's requirements, as the other test types do not simulate a high-demand situation.

Karen would also like to implement controls that would help detect potential malfeasance by existing employees. Which one of the following controls is least likely to detect malfeasance? Mandatory vacations Background investigations Job rotation Privilege use reviews

B. Mandatory vacations and job rotation plans are able to detect malfeasance by requiring an employee's absence from his or her normal duties and exposing them to other employees. Privilege use reviews have a manager review the actions of an employee with privileged system access and would detect misuse of those privileges. Background investigations uncover past acts and would not be helpful in detecting active fraud. They are also typically performed only for new hires.

John is reviewing his organization's procedures for applying security patches and is attempting to align them with best practices. Which one of the following statements is not a best practice for patching? Security patches should be applied as soon as possible. Patches should be applied to production systems first. Patches should be thoroughly tested for unintended consequences. Patches should follow a change management process.

B. Patches should be applied in test environments prior to deploying them in production. It is best practice to apply security patches as soon as possible and test them thoroughly. Patches should also be applied through the organization's normal change management process.

Tammy would like to ensure that her organization's cybersecurity team review the architecture of a new ERP application that is under development. During which SDLC phase should Tammy expect the security architecture to be completed? Analysis and requirements definition Design Development Testing and integration

B. Security artifacts created during the design phase include security architecture documentation and data flow diagrams.

Karen is the CISO of a major manufacturer of industrial parts. She is currently performing an assessment of the firm's financial controls, with an emphasis on implementing security practices that will reduce the likelihood of theft from the firm. Karen would like to ensure that the same individual is not able to both create a new vendor in the system and authorize a payment to that vendor. She is concerned that an individual who could perform both of these actions would be able to send payments to false vendors. What type of control should Karen implement? Mandatory vacations Separation of duties Job rotation Two-person control

B. Separation of duties is a principle that prevents individuals from having two different privileges that, when combined, could be misused. Separating the ability to create vendors and authorize payments is an example of two-person control.

Which one of the following Sysinternals tools may be used to determine the permissions that individual users have on a Windows registry key? Sysmon AccessEnum AutoRuns ProcDump

B. The AccessEnum tool provides a view into which users and groups have permissions to read and modify files, directories, and registry entries. Sysmon and ProcDump are process monitoring tools that do not provide insight into the registry. AutoRuns provides a listing of the programs that start automatically when a system boots or a user logs into the system.

Chelsea recently accepted a new position as a cybersecurity analyst for a privately held bank. Which one of the following regulations will have the greatest impact on her cybersecurity program? HIPAA GLBA FERPA SOX

B. The Gramm-Leach-Bliley Act (GLBA) includes regulations covering the cybersecurity programs at financial institutions, including banks. The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, insurers, and health information clearinghouses. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes-Oxley Act (SOX) applies to publicly traded companies.

Brandy works in an organization that is adopting the ITIL service management strategy. Which ITIL core activity includes security management as a process? Service strategy Service design Service transition Service operation

B. The ITIL framework places security management into the service design core activity. The other processes in service design are design coordination, service catalog management, service-level management, availability management, capacity management, IT service continuity management, and supplier management.

Who created the digital signature shown in the last line of this digital certificate? Starfield Services Amazon nd.edu RSA

B. The certificate issuer is responsible for signing the digital certificate. In this case, the issuer, as shown in the certificate, is Amazon. Starfield Services is the root CA, meaning that it issued the certificate to Amazon and allows it to issue certificates to end users. nd.edu is the subject of the certificate, while RSA is an encryption algorithm used in the certificate.

Which role in a SAML authentication flow validates the identity of the user? The SP The IDP The principal The RP

B. The identity provider (IDP) provides the authentication in a SAML-based authentication flow. A service provider (SP) provides services to a user, while the user is typically the principal. A relying party (RP) leverages an IDP to provide authentication services.

Allan is building a database server that will provide analytics support to a data science team within his organization. The current layout of his organization's network is shown here. Which network zone would be the most appropriate location for this server? Diagram shows Internet connected to border router, which is connected to DMZ (switch, web, DNS, and email servers), firewall, and internal network. Internet Internal network DMZ New network connected to the firewall

B. The internal network is the most appropriate zone for this server, as it serves only internal clients on the data science team. Adding an additional network for this server is costly, and there is no indication that the effort and expense would be justified. A database server should never be placed on the Internet, and there is no public access required, which would justify placing it in the DMZ.

Daniel is hiring a third-party consultant who will have remote access to the organization's data center, but he would like to approve that access each time it occurs. Which one of the following solutions would meet Daniel's needs in a practical manner? Daniel should keep the consultant's password himself and provide it to the consultant when needed and then immediately change the password after each use. Daniel should provide the consultant with the password but configure his own device to approve logins via multifactor authentication. Daniel should provide the consultant with the password but advise the consultant that she must advise him before using the account and then audit those attempts against access logs. Daniel should create a new account for the consultant each time she needs to access the data center.

B. The most practical approach is for Daniel to implement two-factor authentication on the account and retain the approval device himself. This allows him to approve each request but does not require modifying or re-creating the account for each use. The approach where the consultant must advise Daniel before using the account does not meet the requirement of Daniel approving each use.

Nadine works for a company that runs an e-commerce website. She recently discovered a hacking website that contains password hashes stolen from another e-commerce site. The two sites have a significant number of common users. What user behavior creates significant risk for Nadine's organization? Use of weak hash functions Reuse of passwords Unencrypted communications Use of federated identity providers

B. The primary risk to Nadine's organization from this attack is that if the password hashes are reversed, accounts may be compromised on Nadine's site because users commonly use the same passwords on multiple sites.

Jean is deploying a new application that will process sensitive health information about her organization's clients. To protect this information, the organization is building a new network that does not share any hardware or logical access credentials with the organization's existing network. What approach is Jean adopting? Network interconnection Network segmentation Virtual LAN (VLAN) isolation Virtual private network (VPN)

B. The strategy outlined by Jean is one of network segmentation—placing separate functions on separate networks. She is explicitly not interconnecting the two networks. VPNs and VLANs are also technologies that could assist with the goal of protecting sensitive information, but they use shared hardware and would not necessarily achieve the level of isolation that Jean requires.

Rob is planning the security testing for a new service being built by his organization's IT team. He would like to conduct rigorous testing of the finished product before it is released for use. Which environment would be the most appropriate place to conduct this testing? Development Test Staging Production

B. The test environment contains a complete version of the code, as the developers intend to release it. This is the best place to conduct rigorous testing, such as security analysis. The development environment is constantly in a state of flux and not a good environment for formalized testing. Code should be released to production only when it is ready for use by clients, and security testing should take place before code is placed in a production environment. Staging environments are holding areas used as part of the code release process.

Al is a cybersecurity analyst for a company that runs a website that allows public postings. Users recently began complaining that the website is showing them pop-up messages asking for their passwords that don't seem legitimate. At the same time, there has been an uptick in compromised user accounts. What type of attack is likely occurring against Al's website? SQL injection Cross-site scripting Cross-site request forgery Rootkit

B. This scenario has all of the hallmarks of a cross-site scripting attack. The most likely case is that the site allows users to post messages containing HTML code and that it does not perform input validation to remove scripts from that code. The attacker is likely using a script to create a pop-up window that collects passwords and then using that information to compromise accounts.

Rob is an auditor reviewing the payment process used by a company to issue checks to vendors. He notices that Helen, a staff accountant, is the person responsible for creating new vendors. Norm, another accountant, is responsible for issuing payments to vendors. Helen and Norm are cross-trained to provide backup for each other. What security issue, if any, exists in this situation? Least privilege violation Separation of duties violation Dual control violation No issue

B. This situation violates the principle of separation of duties. The company appears to have designed the controls to separate the creation of vendors from the issuance of payments, which is a good fraud-reduction practice. However, the fact that they are cross-trained to back each other up means that they have the permissions assigned to violate this principle.

Bryan is selecting a firewall to protect his organization's internal infrastructure from network-based attacks. Which one of the following products is not suitable to meet this need? Cisco NGFW HP TippingPoint CheckPoint appliance Palo Alto NGFW

B. TippingPoint is an intrusion prevention system. Cisco's NGFW, Palo Alto's NGFW, and CheckPoint's appliances are all firewall solutions.

Travis is troubleshooting the firewall rulebase that appears here:

Rule  Action  Protocol  Source IP     Source Port  Destination IP  Destination Port
1     allow   UDP       any           any          10.15.1.1       25
2     block   TCP       any           any          10.15.1.2       80
3     allow   TCP       10.20.0.0/16  any          10.15.1.2       80
4     allow   TCP       any           any          10.15.1.3       22

The firewall rule creators intended to block access to a website hosted at 10.15.1.2 except from hosts located on the 10.20.0.0/16 subnet. However, users on that subnet report that they cannot access the site. What is wrong? The protocol is incorrect. The rules are misordered. The source port is not specified. There is no error in the rule, and Travis should check for other issues.

B. Travis can correct this error by switching the positions of rules 2 and 3. Rule 3, which permits access from the 10.20.0.0/16 subnet, will never be triggered because any traffic from that subnet also matches rule 2, which blocks it.

Martin is developing the security infrastructure for a new business venture that his organization is launching. The business will be developing new products that are considered trade secrets, and it is of the utmost importance that the plans for those products not fall into the hands of competitors. Martin would like to take steps to confirm the reliability of employees and avoid situations where employees might be susceptible to blackmail attempts to obtain the plans. Which one of the following controls would be most effective to achieve that goal? Firewall DLP system Background investigation Nondisclosure agreement

C. All of these controls would be effective ways to prevent the loss of information. However, only a background investigation is likely to uncover information that might make a potential employee susceptible to blackmail.

Lorissa is investigating a potential DNS poisoning attack and uses the dig command to look up the IP address associated with the CompTIA.org website. She receives the results shown here. Which statement is true about these results? Image shows dig output which reads ";; global options: +cmd", ";; question section:", et cetera. The DNS query was answered by a server located at 198.134.5.6, which is not authoritative for the domain. The DNS query was answered by a server located at 198.134.5.6, which is authoritative for the domain. The DNS query was answered by a server located at 172.30.25.8, which is not authoritative for the domain. The DNS query was answered by a server located at 172.30.25.8, which is authoritative for the domain.

C. Analyzing these dig results, you see that the DNS server (identified in the SERVER line) is 172.30.25.8. 198.134.5.6 is the query response, indicating that it is the CompTIA.org web server. The AUTHORITY value in this result is 0, indicating that the DNS server is not authoritative for the CompTIA.org domain.

Angela wants to implement multifactor authentication for her organization and has been offered a number of choices. Which of the following choices is not an example of multifactor authentication? Password and retina scan PIN and SMS token Password and security questions Password and SMS token

C. Angela should not select the password and security questions option since they are both examples of knowledge-based factors. Each of the other answers includes different factors, providing a greater level of security.

Jay is the CISO for his organization and is responsible for conducting periodic reviews of the organization's information security policy. The policy was written three years ago and has undergone several minor revisions after audits and assessments. Which one of the following would be the most reasonable frequency to conduct formal reviews of the policy? Monthly Quarterly Annually Every five years

C. Annual reviews of security policies are an industry standard and are sufficient unless there are special circumstances, such as a new policy or major changes in the environment. Monthly or quarterly reviews would occur too frequently, while waiting five years for the review is likely to miss important changes in the environment.

Gerry would like to find a physical security control that will protect his organization against an attack where an individual drives a vehicle through the glass doors on the front of the building. Which one of the following would be the most effective way to protect against this type of attack? Mantraps Security guards Bollards Intrusion alarm

C. Bollards are physical barriers designed to prevent vehicles from crossing into an area. Mantraps are designed to prevent piggybacking by individuals and would not stop a vehicle. Security guards and intrusion alarms may detect an intruder but would not be able to stop a moving vehicle.

Which one of the following events is least likely to trigger the review of an organization's information security program? Security incident Changes in compliance obligations Changes in team members Changes in business processes

C. Changes in team members may cause someone to initiate a review, but it is more likely that a review would be initiated based upon changes in the processes protected by the security program, control requirements (such as compliance obligations), or a control failure (such as a security incident).

In the Sherwood Applied Business Security Architecture (SABSA), which view corresponds to the physical security architecture layer? Architect's view Designer's view Builder's view Tradesman's view

C. In the SABSA model, the Builder's view corresponds to the physical security architecture. The Designer's view corresponds to the logical security architecture layer. The Architect's view corresponds to the conceptual security architecture layer. The Tradesman's view corresponds to the component security architecture layer.

In the Sherwood Applied Business Security Architecture (SABSA), which view corresponds to the logical security architecture? Builder's view Tradesman's view Designer's view Architect's view

C. In the SABSA model, the Designer's view corresponds to the logical security architecture layer. The Builder's view corresponds to the physical security architecture. The Architect's view corresponds to the conceptual security architecture layer. The Tradesman's view corresponds to the component security architecture layer.

Glenn is conducting a security assessment of his organization's Active Directory-based identity and access management infrastructure. Which of the following services/protocols represents the greatest security risk to Glenn's organization if used in conjunction with Active Directory? LDAPS ADFS NTLMv1 Kerberos

C. NT LAN Manager (NTLM) version 1 contains serious vulnerabilities and exposes hashed passwords to compromise. LDAPS is an encrypted, secure version of the Lightweight Directory Access Protocol (LDAP). Active Directory Federation Services (ADFS) and Kerberos are both secure components of Active Directory.

Tim is tasked with implementing multifactor authentication to bring his organization into compliance with an industry security regulation. Which one of the following combinations of systems would make the strongest multifactor authentication solution? Password and security question answers Fingerprint and retinal scan ID badge and PIN Password and PIN

C. Of the choices listed, only the combination of an ID badge and PIN is a multifactor solution. ID badges are "something you have," and a PIN is "something you know." Passwords, PINs, and security question answers are all "something you know" factors, so combining them does not create multifactor authentication. Fingerprints and retinal scans are both examples of "something you are."

Which one of the following items is not normally included in a request for an exception to security policy? Description of a compensating control Description of the risks associated with the exception Proposed revision to the security policy Business justification for the exception

C. Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

Emily is charged with the security of her organization's website. After a conversation with her manager, Emily learned that the organization's highest priority for her work is the availability of the website in the event of an equipment failure. Which one of the following controls would be most effective in meeting this objective? RAID Web application firewall Load balancing Intrusion prevention systems

C. Load balancing distributes web requests across multiple servers, so the website remains available if one server fails. RAID protects against the failure of an individual disk but not against the failure of the server itself. Web application firewalls and intrusion prevention systems are security controls that do not address availability in the event of an equipment failure.

Which one of the following vulnerability scanning tools is limited to collecting information from systems running a specific operating system? Nikto OpenVAS MBSA Qualys

C. The Microsoft Baseline Security Analyzer (MBSA) works only with Microsoft operating systems. The other products listed are all capable of scanning systems running any operating system.

In the TOGAF Architecture Development Model, shown here, what element should occupy the blank line in the center circle? Flow diagram shows prelim: framework and principles leads to A: architecture vision, which leads to B: business architecture, C: information system architecture, D: technology architecture, et cetera. Security Architecture Requirements Controls

C. The TOGAF Architecture Development Model is centered on requirements. The requirements inform each of the other phases of the model.

Under the U.S. government's data classification scheme, which one of the following is the lowest level of classified information? Private Top Secret Confidential Secret

C. The classification levels under the U.S. government information classification scheme are, in ascending order, Confidential, Secret, and Top Secret. Private is not a government classification.

Ursula is considering redesigning her network to use a dual firewall approach, such as the one shown here. Which one of the following is an advantage of this approach over a triple-homed firewall? Diagram shows Internet connected to border router, which is connected to firewall, DMZ switch (web, DNS, and email servers), firewall, and internal network. Increased redundancy Decreased cost Hardware diversity Simplified administration

C. The dual firewall approach allows an organization to achieve hardware diversity by using firewalls from different vendors. This approach typically increases, rather than decreases, both the cost and complexity of administration. There is no indication that the proposed design would increase redundancy over the existing environment.

Alvin is working with a new security tool, as shown here. This tool collects information from a variety of sources and allows him to correlate records to identify potential security issues. What type of tool is Alvin using? Window shows AlienVault with sections for dashboards (selected), analysis, et cetera, tabs for executive, tickets, security (selected), et cetera, and graphs show top 10 promiscuous hosts, security events: top 5 alarms, et cetera. IPS IDS SIEM DLP

C. The image is a dashboard from AlienVault, a security information and event management (SIEM) solution. SIEMs correlate security information gathered from other sources and provide a centralized analysis interface.

Roger is a cybersecurity analyst at a bank. He recently conducted a forensic analysis of the workstation belonging to an IT staff member who was engaged in illicit activity. Roger discovered that the employee was capturing and storing cookies from user sessions as they were sent between backend systems. What type of attack might the employee have been conducting? Privilege escalation Covert channel Session hijacking SQL injection

C. The most likely reason that an employee would be storing cookies is to use the session IDs stored in those cookies to engage in a session hijacking attack, allowing him to impersonate the user and conduct financial transactions.

Roberta is designing a password policy for her organization and wants to include a control that will limit the length of exposure of an account with a compromised password. Which one of the following controls would best meet Roberta's goal? Minimum password length Password history Password expiration Password complexity

C. The primary control used to limit the length of exposure of compromised passwords is a password expiration policy. This policy would force a password change at a defined interval and would either lock out the intruder (if the legitimate user changes the password) or alert the legitimate user to the compromise (if the intruder changes the password). Password history would arguably prevent the future reuse of a compromised password, but this is not as direct a control for the given scenario as password expiration. Password length and complexity requirements are designed to prevent the compromise of a password and are not effective controls once the password has already been compromised.

Sonia is investigating a server on her network that is behaving suspiciously. She used Process Explorer from the Sysinternals toolkit and found the results shown here. What service on this system is responsible for the most memory usage? Window shows process explorer with tabs for file, options, view, process, find, users, and help, and columns for process, CPU, private bytes, working set, PID, description, and company name (Microsoft Corporation). Internet Explorer Process Explorer Database server Web server

C. The processes consuming the most memory on this server are the SQL Server core process and the SQL Server Management Studio application. Both are components of the database service.

Which one of the following is not one of the four domains of COBIT control objectives? Plan and Organize Acquire and Implement Design and Secure Deliver and Support

C. There is no explicit security domain in the COBIT standard. The four COBIT domains are Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Which one of the following websites would not be covered by this certificate? nd.edu www.nd.edu www.business.nd.edu All of these sites would be covered by the certificate.

C. This is a wildcard certificate, meaning that it is valid for the subject domain (nd.edu) as well as any subdomains of that domain (e.g., www.nd.edu). It would not, however, be valid for sub-subdomains. A wildcard certificate for *.business.nd.edu would cover www.business.nd.edu.

Karen is the CISO of a major manufacturer of industrial parts. She is currently performing an assessment of the firm's financial controls, with an emphasis on implementing security practices that will reduce the likelihood of theft from the firm. The accounting department has a policy that requires the signatures of two individuals on checks valued over $5,000. What type of control do they have in place? Mandatory vacations Separation of duties Job rotation Two-person control

D. Two-person control is a principle that requires the concurrence of two different employees to perform a single sensitive action. Requiring two signatures on a check is an example of a two-person control.

What policy should contain provisions for removing user access upon termination? Data ownership policy Data classification policy Data retention policy Account management policy

D. Account management policies describe the account life cycle from provisioning through active use and decommissioning, including removing access upon termination. Data ownership policies clearly state the ownership of information created or used by the organization. Data classification policies describe the classification structure used by the organization and the process used to properly assign classifications to data. Data retention policies outline what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.

Carol is running an nmap scan and is confused by the results. It appears that nmap is not scanning a port where she expects to find a running service. What ports does nmap scan if nothing is specified on the command line? 1-1024 1-65535 Only ports listed in the nmap-services file Ports from 1-1024 and those listed in the nmap-services file

D. By default, nmap scans all of the low-numbered ports (1-1024) and those that are specifically listed in the nmap-services file.

Catherine is responding to a request for materials from auditors who will be reviewing her organization's security. She received a request for a list of physical security controls used to protect her organization's data center. Which one of the following controls does not meet this criterion? Fire suppression system Perimeter fence Exterior lighting Visitor log reviews

D. Visitor log reviews are a procedural mechanism that an organization follows to implement sound security management practices and, therefore, are an example of an administrative control. The other controls listed are all examples of physical security controls.

Amy is creating application accounts for her company's suppliers to use to access an inventory management website. She is concerned about turnover at the vendor. Which one of the following approaches would provide a good balance of security and usability for Amy? Amy should create a single account for the vendor and require the password be changed whenever an employee with knowledge of the password leaves the vendor. Amy should create individual accounts for each vendor employee and require that the vendor inform her when an employee leaves. Amy should create individual accounts for each vendor employee and require that the vendor immediately change the password for the account of any employee who leaves. Amy should create a master account for a responsible individual at the vendor and allow them to create and manage individual user accounts.

D. In this situation, the best option for Amy is to delegate management of the individual user accounts to the vendor. Creating and maintaining each individual account herself would place an unnecessary burden on Amy. Using a single shared account violates many principles of security and eliminates accountability for individual user actions. If Amy implements the delegated account approach, she may want to supplement it with auditing to verify that accounts are properly managed.

Ian is designing an authorization scheme for his organization's deployment of a new accounting system. He is considering putting a control in place that would require that two accountants approve any payment request over $100,000. What security principle is Ian seeking to enforce? Security through obscurity Least privilege Separation of duties Dual control

D. It is sometimes difficult to distinguish between cases of least privilege, separation of duties, and dual control. Least privilege means that an employee should only have the access rights necessary to perform their job. That is not the case in this scenario because accountants need to be able to approve payments. Separation of duties occurs when the same employee does not have permission to perform two different actions that, when combined, could undermine security. That is not the case here because both employees are performing the same action: approving the payment. Dual control occurs when two employees must jointly authorize the same action. That is the case in this scenario. Security through obscurity occurs when the security of a control depends upon the secrecy of its mechanism.

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need? Separation of duties Least privilege Dual control Mandatory vacations

D. Mandatory vacations are designed to force individuals to take time away from the office to allow fraudulent activity to come to light in their absence. The other controls listed here (separation of duties, least privilege, and dual control) are all designed to prevent, rather than detect, fraud.

Roland received a security assessment report from a third-party assessor, and it indicated that one of the organization's web applications is susceptible to an OAuth redirect attack. What type of attack would this vulnerability allow an attacker to wage? Privilege escalation Cross-site scripting SQL injection Impersonation

D. An OAuth redirect attack is an authentication attack that allows an attacker to impersonate another user.

Travis is troubleshooting the firewall rulebase that appears here:

Rule  Action  Protocol  Source IP     Source Port  Destination IP  Destination Port
1     allow   UDP       any           any          10.15.1.1       25
2     block   TCP       any           any          10.15.1.2       80
3     allow   TCP       10.20.0.0/16  any          10.15.1.2       80
4     allow   TCP       any           any          10.15.1.3       22

Rule 4 is designed to allow SSH access from external networks to the server located at 10.15.1.3. Users are reporting that they cannot access the server. What is wrong? The protocol is incorrect. The rules are misordered. The destination port is incorrect. There is no error in the rule, and Travis should check for other issues.

D. Rule 4 is correctly designed to allow SSH access from external networks to the server located at 10.15.1.3. The error is not with the firewall rulebase, and Travis should search for other causes.

After Tom initiates a connection to the website, what key is used to encrypt future communications from the web server to Tom? The website's public key The website's private key Tom's public key The session key

D. TLS uses public key cryptography to initiate an encrypted connection but then switches to symmetric cryptography for the communication that takes place during the session. The key used for this communication is known as the session key or the ephemeral key.

Alec is a cybersecurity analyst working on analyzing network traffic. He is using Wireshark to analyze live traffic, as shown here. He would like to reassemble all of the packets associated with the highlighted connection. Which one of the following options from the drop-down menu in the figure should he choose first in order to most easily achieve his goal? [Figure: Wireshark window capturing from Wi-Fi; the packet list shows columns for number, time, source, destination, protocol, length, and info, with detail sections for Internet Protocol Version 4 and Transmission Control Protocol.] Apply As A Filter Prepare A Filter Conversation Filter Follow

D. The Follow option will allow Alec to follow the TCP stream, reassembling the payloads from all of the packets in the stream in an easy-to-view manner.

Eric leads a team of software developers and would like to help them understand the most important security issues in web application development. Which one of the following sources would provide Eric with the most useful resource? CVE CPE CCE OWASP

D. The Open Web Application Security Project (OWASP) provides developer-friendly descriptions of the top web application security issues. The Common Vulnerability Enumeration (CVE), Common Platform Enumeration (CPE), and Common Configuration Enumeration (CCE) tools provide a taxonomy for describing vulnerabilities, platforms, and configurations, but they are not educational tools and do not focus on web application security.

What cryptographic algorithm is used to protect communications between Tom and the web server that take place using the key identified in question 63? RSA SHA-256 AES It is not possible to determine this information.

D. The symmetric algorithm used to communicate between the client and server is negotiated during the TLS session establishment. This information is not contained in the digital certificate.

What identity management protocol is typically paired with OAuth2 to provide authentication services in a federated identity management solution on the Web? Kerberos ADFS SAML OpenID

D. While OAuth may be paired with almost any authentication provider, the most common approach is to pair OAuth and OpenID Connect to provide a complete authentication and authorization solution.
